npm - @alinsafawi/aegis-auth - Versions diffs - 0.1.0 - Mend

@alinsafawi/aegis-auth 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +1825 -0
package/package.json +36 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1825 @@
+#!/usr/bin/env node
+// src/commands/init.ts
+import * as p7 from "@clack/prompts";
+import chalk8 from "chalk";
+import fs from "fs-extra";
+import path from "path";
+import { execa } from "execa";
+// src/ui/display.ts
+import chalk from "chalk";
+import gradient from "gradient-string";
+var aegisGradient = gradient(["#06b6d4", "#3b82f6", "#6366f1"]);
+var c = {
+  brand: (s) => aegisGradient(s),
+  dim: (s) => chalk.dim(s),
+  bold: (s) => chalk.bold(s),
+  success: (s) => chalk.green(s),
+  error: (s) => chalk.red(s),
+  warn: (s) => chalk.yellow(s),
+  info: (s) => chalk.cyan(s),
+  muted: (s) => chalk.gray(s),
+  file: (s) => chalk.yellow(s),
+  cmd: (s) => chalk.greenBright(s),
+  role: (s) => chalk.magentaBright(s),
+  step: (s) => chalk.cyanBright(s),
+  bar: chalk.dim("\u2502"),
+  check: chalk.green("\u2713"),
+  cross: chalk.red("\u2717"),
+  warn_icon: chalk.yellow("\u26A0"),
+  arrow: chalk.cyan("\u2192")
+};
+function printBanner(version = "0.1.0") {
+  console.log();
+  console.log(
+    aegisGradient(
+      [
+        "  \u2584\u2580\u2588 \u2588\u2580\u2580 \u2588\u2580\u2580 \u2588 \u2588\u2580",
+        "  \u2588\u2580\u2588 \u2588\u2588\u2584 \u2588\u2584\u2588 \u2588 \u2584\u2588"
+      ].join("\n")
+    )
+  );
+  console.log();
+  console.log(
+    chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")
+  );
+  console.log(
+    `  ${chalk.white("The shield your Next.js app deserves")}` + chalk.dim(`          v ${version}`)
+  );
+  console.log(
+    chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")
+  );
+  console.log();
+}
+function printSection(title) {
+  console.log();
+  console.log(chalk.dim("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log(`  ${chalk.cyanBright.bold(title)}`);
+  console.log(chalk.dim("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log();
+}
+function printStatusList(items) {
+  for (const item of items) {
+    const icon = item.status === "ok" ? chalk.green("\u2713") : item.status === "error" ? chalk.red("\u2717") : item.status === "warn" ? chalk.yellow("\u26A0") : chalk.dim("\u2500");
+    const label = item.status === "error" ? chalk.red(item.label) : item.status === "warn" ? chalk.yellow(item.label) : chalk.white(item.label);
+    const detail = item.detail ? chalk.dim(`  \u2192  ${item.detail}`) : "";
+    console.log(`  ${icon}  ${label}${detail}`);
+  }
+}
+function printNextSteps(steps) {
+  console.log();
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  for (const step of steps) {
+    console.log(`  ${chalk.cyanBright.bold(`${step.n}`)}  ${chalk.bold(step.title)}`);
+    console.log();
+    for (const line of step.lines) {
+      console.log(`       ${line}`);
+    }
+    console.log();
+  }
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+}
+function printDone(appName) {
+  console.log();
+  console.log(chalk.dim("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log();
+  console.log(`        ${chalk.dim("\u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E")}`);
+  console.log(`       ${chalk.dim("\u2571")}                                         ${chalk.dim("\u2572")}`);
+  console.log(
+    `      ${chalk.dim("\u2571")}   ${aegisGradient(`Your shield is ready.`)}  ${chalk.cyan("\u{1F6E1}")}               ${chalk.dim("\u2572")}`
+  );
+  console.log(`      ${chalk.dim("\u2572")}                                           ${chalk.dim("\u2571")}`);
+  console.log(`       ${chalk.dim("\u2572\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2571")}`);
+  console.log();
+  console.log(chalk.dim("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log();
+}
+// src/prompts/project.ts
+import * as p from "@clack/prompts";
+import chalk2 from "chalk";
+async function promptProject(detectedPm) {
+  console.log(
+    `
+  ${chalk2.dim("A folder with your project name will be created in the current directory.")}
+`
+  );
+  const name = await p.text({
+    message: "Project name",
+    placeholder: "my-saas",
+    validate: (v) => {
+      if (!v) return "Required";
+      if (!/^[a-z0-9-]+$/.test(v)) return "Lowercase letters, numbers, and hyphens only";
+    }
+  });
+  if (p.isCancel(name)) process.exit(0);
+  const language = await p.select({
+    message: "Language",
+    options: [
+      {
+        value: "typescript",
+        label: "TypeScript",
+        hint: "typed permission keys, typed session \u2014 recommended"
+      },
+      {
+        value: "javascript",
+        label: "JavaScript",
+        hint: "same files, no type annotations"
+      }
+    ]
+  });
+  if (p.isCancel(language)) process.exit(0);
+  const pmOptions = [
+    { value: "pnpm", label: "pnpm", hint: detectedPm === "pnpm" ? "detected" : "" },
+    { value: "npm", label: "npm", hint: detectedPm === "npm" ? "detected" : "" },
+    { value: "yarn", label: "yarn", hint: detectedPm === "yarn" ? "detected" : "" },
+    { value: "bun", label: "bun", hint: detectedPm === "bun" ? "detected" : "" }
+  ];
+  const packageManager = await p.select({
+    message: "Package manager",
+    options: pmOptions,
+    initialValue: detectedPm ?? "npm"
+  });
+  if (p.isCancel(packageManager)) process.exit(0);
+  const database = await p.select({
+    message: "Database",
+    options: [
+      { value: "postgresql", label: "PostgreSQL", hint: "recommended for production" },
+      { value: "mysql", label: "MySQL" },
+      { value: "sqlite", label: "SQLite", hint: "great for local dev, swap URL when deploying" }
+    ]
+  });
+  if (p.isCancel(database)) process.exit(0);
+  return {
+    name,
+    language,
+    packageManager,
+    database
+  };
+}
+// src/prompts/app.ts
+import * as p2 from "@clack/prompts";
+import chalk3 from "chalk";
+async function promptApp(suggestedName) {
+  console.log(
+    `
+  ${chalk3.dim("Used in email subjects, the login page heading, and cookie names.")}
+`
+  );
+  const appName = await p2.text({
+    message: "App name",
+    placeholder: suggestedName ?? "My SaaS",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (p2.isCancel(appName)) process.exit(0);
+  const suggested = appName.toLowerCase().replace(/[^a-z0-9]/g, "").slice(0, 16);
+  const cookiePrefix = await p2.text({
+    message: "Session cookie prefix",
+    placeholder: suggested,
+    initialValue: suggested,
+    validate: (v) => {
+      if (!v) return "Required";
+      if (!/^[a-z0-9_]+$/.test(v)) return "Lowercase letters, numbers, underscores only";
+    }
+  });
+  if (p2.isCancel(cookiePrefix)) process.exit(0);
+  console.log(
+    `
+  ${chalk3.dim(`Cookies:  ${cookiePrefix}_session  ${cookiePrefix}_csrf  ${cookiePrefix}_2fa_pending`)}
+`
+  );
+  const sessionDuration = await p2.select({
+    message: "Session duration",
+    options: [
+      { value: 2 * 3600, label: "2 hours", hint: "high-security \u2014 internal tools, finance" },
+      { value: 8 * 3600, label: "8 hours", hint: "recommended for most apps" },
+      { value: 24 * 3600, label: "24 hours", hint: "relaxed \u2014 consumer / low-risk apps" }
+    ],
+    initialValue: 8 * 3600
+  });
+  if (p2.isCancel(sessionDuration)) process.exit(0);
+  return {
+    appName,
+    cookiePrefix,
+    sessionDuration
+  };
+}
+// src/prompts/roles.ts
+import * as p3 from "@clack/prompts";
+import chalk4 from "chalk";
+async function promptPermissions() {
+  const mode = await p3.select({
+    message: "Permission model",
+    options: [
+      {
+        value: "all",
+        label: "Full access",
+        hint: "no permission checks \u2014 use for super-admins"
+      },
+      {
+        value: "none",
+        label: "Auth only",
+        hint: "just needs to be logged in, no granular permissions"
+      },
+      {
+        value: "static",
+        label: "Static",
+        hint: "you define permissions in auth.config.ts \u2014 type-safe"
+      },
+      {
+        value: "dynamic",
+        label: "Dynamic",
+        hint: "app admin creates permissions at runtime, no code changes"
+      },
+      {
+        value: "hybrid",
+        label: "Hybrid",
+        hint: "static base + app admin can add more at runtime"
+      }
+    ]
+  });
+  if (p3.isCancel(mode)) process.exit(0);
+  if (mode === "all") return "all";
+  if (mode === "none") return "none";
+  if (mode === "dynamic") return "dynamic";
+  const permissions = {};
+  console.log(
+    `
+  ${chalk4.dim("Define each permission. Press Enter on empty key when done.")}
+`
+  );
+  while (true) {
+    const key = await p3.text({
+      message: "Permission key  (leave blank to finish)",
+      placeholder: "manage_users",
+      validate: (v) => {
+        if (v && !/^[a-z0-9_]+$/.test(v))
+          return "Lowercase letters, numbers, underscores only";
+        if (v && permissions[v]) return "Key already defined";
+      }
+    });
+    if (p3.isCancel(key)) process.exit(0);
+    if (!key) break;
+    const label = await p3.text({
+      message: "Label",
+      placeholder: "Manage Users",
+      validate: (v) => !v ? "Required" : void 0
+    });
+    if (p3.isCancel(label)) process.exit(0);
+    const group = await p3.text({
+      message: "Group  (optional \u2014 leave blank to skip)",
+      placeholder: "Users"
+    });
+    if (p3.isCancel(group)) process.exit(0);
+    const defaultOn = await p3.confirm({
+      message: "On by default for new users?",
+      initialValue: false
+    });
+    if (p3.isCancel(defaultOn)) process.exit(0);
+    permissions[key] = {
+      label,
+      group: group || void 0,
+      default: defaultOn
+    };
+    const keys = Object.keys(permissions);
+    console.log(
+      `
+  ${chalk4.dim("Permissions so far:")}  ${keys.map((k) => chalk4.cyan(k)).join(chalk4.dim(", "))}
+`
+    );
+  }
+  return permissions;
+}
+async function promptRole(index, total) {
+  console.log(
+    `
+  ${chalk4.dim("\u2500")} ${chalk4.cyanBright.bold(`Role ${index} of ${total}`)} ${chalk4.dim("\u2500".repeat(46))}
+`
+  );
+  const id = await p3.text({
+    message: "Role ID",
+    placeholder: "admin",
+    validate: (v) => {
+      if (!v) return "Required";
+      if (!/^[a-z0-9_]+$/.test(v)) return "Lowercase letters, numbers, underscores only";
+    }
+  });
+  if (p3.isCancel(id)) process.exit(0);
+  console.log(
+    `
+  ${chalk4.dim(`Goes in the JWT:  session.role === '${id}'`)}
+  ${chalk4.dim("Cannot be renamed later without a data migration.")}
+`
+  );
+  const label = await p3.text({
+    message: "Display label",
+    placeholder: "Admin",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (p3.isCancel(label)) process.exit(0);
+  const plural = await p3.text({
+    message: "Plural label  (optional)",
+    placeholder: `${label}s`
+  });
+  if (p3.isCancel(plural)) process.exit(0);
+  const prismaModel = await p3.text({
+    message: "Prisma model name",
+    placeholder: `${label.replace(/\s+/g, "")}`,
+    validate: (v) => {
+      if (!v) return "Required";
+      if (!/^[A-Z][A-Za-z0-9]+$/.test(v)) return "PascalCase required  e.g: AdminUser";
+    }
+  });
+  if (p3.isCancel(prismaModel)) process.exit(0);
+  console.log(
+    `
+  ${chalk4.dim("If this model already exists in your schema, Aegis adds the required auth fields to it.")}
+`
+  );
+  const loginField = await p3.select({
+    message: "Login identifier",
+    options: [
+      { value: "email", label: "Email address" },
+      { value: "username", label: "Username" },
+      { value: "either", label: "Either  (user can type both)" }
+    ]
+  });
+  if (p3.isCancel(loginField)) process.exit(0);
+  const signup = await p3.select({
+    message: "How do new users of this role join?",
+    options: [
+      {
+        value: "public",
+        label: "Open signup",
+        hint: "anyone can register themselves"
+      },
+      {
+        value: "invite-only",
+        label: "Invite-only",
+        hint: "you send time-limited invite links"
+      },
+      {
+        value: "disabled",
+        label: "Disabled",
+        hint: "created by a higher role only, no self-service"
+      }
+    ]
+  });
+  if (p3.isCancel(signup)) process.exit(0);
+  const singleton = await p3.confirm({
+    message: "Singleton?  (only one user of this role allowed)",
+    initialValue: false
+  });
+  if (p3.isCancel(singleton)) process.exit(0);
+  const permissions = await promptPermissions();
+  return {
+    id,
+    config: {
+      label,
+      plural: plural || `${label}s`,
+      prismaModel,
+      loginField,
+      homeRoute: `/${id}/dashboard`,
+      singleton,
+      signup,
+      permissions
+    }
+  };
+}
+async function promptRoles() {
+  console.log(
+    `
+  ${chalk4.dim("A role is a user type with its own login, permissions, and dashboard.")}
+  ${chalk4.dim("You can add more later with:  aegis-auth add-role")}
+`
+  );
+  const count = await p3.select({
+    message: "How many roles does your app have?",
+    options: [
+      { value: 1, label: "1" },
+      { value: 2, label: "2" },
+      { value: 3, label: "3" },
+      { value: 4, label: "4" }
+    ],
+    initialValue: 2
+  });
+  if (p3.isCancel(count)) process.exit(0);
+  const roles = {};
+  for (let i = 1; i <= count; i++) {
+    const { id, config } = await promptRole(i, count);
+    roles[id] = config;
+  }
+  return roles;
+}
+// src/prompts/features.ts
+import * as p4 from "@clack/prompts";
+import chalk5 from "chalk";
+async function promptFeatures(roleIds) {
+  console.log(
+    `
+  ${chalk5.dim("All features can be toggled later in auth.config.ts \u2192 features")}
+`
+  );
+  const selected = await p4.multiselect({
+    message: "Which security features do you want?",
+    options: [
+      {
+        value: "twoFactor",
+        label: "Two-Factor Authentication",
+        hint: "TOTP (Authy, 1Password) + backup codes"
+      },
+      {
+        value: "emailVerification",
+        label: "Email Verification",
+        hint: "6-digit code, 15 min expiry, resend flow"
+      },
+      {
+        value: "passwordReset",
+        label: "Password Reset",
+        hint: '"Forgot password" via email'
+      },
+      {
+        value: "accountLockout",
+        label: "Account Lockout",
+        hint: "per-account, not per-IP \u2014 locks after failed logins"
+      },
+      {
+        value: "apiKeys",
+        label: "API Keys",
+        hint: "users generate keys for programmatic access"
+      },
+      {
+        value: "auditLog",
+        label: "Audit Log",
+        hint: "records every auth event to a DB table"
+      },
+      {
+        value: "sessionTracking",
+        label: "Session Tracking",
+        hint: '"Sign out all devices" \u2014 without this, JWTs are stateless'
+      }
+    ],
+    initialValues: ["twoFactor", "emailVerification", "passwordReset", "accountLockout"],
+    required: false
+  });
+  if (p4.isCancel(selected)) process.exit(0);
+  const has = (f) => selected.includes(f);
+  let lockoutAttempts = 5;
+  let lockoutMinutes = 15;
+  let enforced2FARoles = [];
+  if (has("accountLockout")) {
+    console.log(
+      `
+  ${chalk5.dim("\u2500  Account Lockout Settings  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`
+    );
+    const attempts = await p4.text({
+      message: "Lock after how many failed attempts?",
+      initialValue: "5",
+      validate: (v) => Number(v) < 1 || isNaN(Number(v)) ? "Enter a number \u2265 1" : void 0
+    });
+    if (p4.isCancel(attempts)) process.exit(0);
+    lockoutAttempts = Number(attempts);
+    console.log(
+      `
+  ${chalk5.dim("Recommended: 3\u201310. Too low causes accidental lockouts. Counter resets on successful login.")}
+`
+    );
+    const duration = await p4.select({
+      message: "Lock duration",
+      options: [
+        { value: 15, label: "15 minutes", hint: "recommended" },
+        { value: 30, label: "30 minutes" },
+        { value: 60, label: "1 hour" },
+        { value: -1, label: "Permanent", hint: "requires admin to manually unlock" }
+      ],
+      initialValue: 15
+    });
+    if (p4.isCancel(duration)) process.exit(0);
+    lockoutMinutes = duration;
+  }
+  if (has("twoFactor") && roleIds.length > 0) {
+    console.log(
+      `
+  ${chalk5.dim("\u2500  2FA Enforcement  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`
+    );
+    console.log(
+      `  ${chalk5.dim("Enforced roles are redirected to 2FA setup on login and cannot")}
+  ${chalk5.dim("access the app until setup is complete.")}
+`
+    );
+    const enforced = await p4.multiselect({
+      message: "Require 2FA for any roles?  (cannot be skipped)",
+      options: [
+        { value: "__none__", label: "No role requires it" },
+        ...roleIds.map((id) => ({ value: id, label: id }))
+      ],
+      initialValues: ["__none__"],
+      required: false
+    });
+    if (p4.isCancel(enforced)) process.exit(0);
+    enforced2FARoles = enforced.filter((r) => r !== "__none__");
+  }
+  console.log(
+    `
+  ${chalk5.dim("\u2500  Password Policy  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`
+  );
+  console.log(
+    `  ${chalk5.dim("NIST recommends 8+ chars. Avoid forcing complexity rules \u2014")}
+  ${chalk5.dim("they lead to weaker, more predictable passwords in practice.")}
+`
+  );
+  const minLen = await p4.text({
+    message: "Minimum password length",
+    initialValue: "8",
+    validate: (v) => Number(v) < 6 || isNaN(Number(v)) ? "Enter a number \u2265 6" : void 0
+  });
+  if (p4.isCancel(minLen)) process.exit(0);
+  const expiry = await p4.select({
+    message: "Password expiry",
+    options: [
+      { value: null, label: "Never", hint: "recommended for consumer apps" },
+      { value: 90, label: "Every 90 days", hint: "common for internal/enterprise tools" },
+      { value: 180, label: "Every 180 days" }
+    ],
+    initialValue: null
+  });
+  if (p4.isCancel(expiry)) process.exit(0);
+  const reuse = await p4.select({
+    message: "Prevent reusing old passwords?",
+    options: [
+      { value: null, label: "No" },
+      { value: 5, label: "Yes \u2014 remember last 5" },
+      { value: 10, label: "Yes \u2014 remember last 10" }
+    ],
+    initialValue: null
+  });
+  if (p4.isCancel(reuse)) process.exit(0);
+  return {
+    twoFactor: has("twoFactor"),
+    emailVerification: has("emailVerification"),
+    passwordReset: has("passwordReset"),
+    accountLockout: has("accountLockout"),
+    lockoutAttempts,
+    lockoutMinutes,
+    apiKeys: has("apiKeys"),
+    auditLog: has("auditLog"),
+    sessionTracking: has("sessionTracking"),
+    enforced2FARoles,
+    minPasswordLength: Number(minLen),
+    passwordExpiry: expiry,
+    preventPasswordReuse: reuse
+  };
+}
+// src/prompts/infrastructure.ts
+import * as p5 from "@clack/prompts";
+import chalk6 from "chalk";
+async function promptInfrastructure() {
+  console.log(
+    `
+  ${chalk6.dim("\u2500  Rate Limiting  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`
+  );
+  const rateLimitProvider = await p5.select({
+    message: "Rate limiting backend",
+    options: [
+      {
+        value: "upstash",
+        label: "Upstash Redis",
+        hint: "recommended \u2014 serverless, free tier, survives restarts"
+      },
+      {
+        value: "memory",
+        label: "In-memory",
+        hint: "no external service \u2014 dev only, resets on restart"
+      },
+      {
+        value: "none",
+        label: "None",
+        hint: "not recommended \u2014 login endpoints unprotected"
+      }
+    ],
+    initialValue: "upstash"
+  });
+  if (p5.isCancel(rateLimitProvider)) process.exit(0);
+  if (rateLimitProvider === "upstash") {
+    console.log(
+      `
+  ${chalk6.dim("Needs:  UPSTASH_REDIS_REST_URL  UPSTASH_REDIS_REST_TOKEN")}
+  ${chalk6.dim("These will be added to .env.example for you.")}
+`
+    );
+  }
+  if (rateLimitProvider === "none") {
+    console.log(
+      `
+  ${chalk6.yellow("\u26A0")}  ${chalk6.yellow("Login and reset endpoints will be open to brute-force attacks.")}
+`
+    );
+  }
+  console.log(
+    `
+  ${chalk6.dim("\u2500  Email  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`
+  );
+  const setupSmtp = await p5.confirm({
+    message: "Enter SMTP credentials now?",
+    initialValue: false
+  });
+  if (p5.isCancel(setupSmtp)) process.exit(0);
+  if (!setupSmtp) {
+    console.log(
+      `
+  ${chalk6.dim("All required SMTP variables will be added to .env.example with instructions.")}
+`
+    );
+    return { rateLimitProvider, setupSmtp: false };
+  }
+  const smtpHost = await p5.text({ message: "SMTP host", placeholder: "smtp.resend.com" });
+  if (p5.isCancel(smtpHost)) process.exit(0);
+  const smtpPort = await p5.text({
+    message: "SMTP port",
+    initialValue: "587",
+    validate: (v) => isNaN(Number(v)) ? "Must be a number" : void 0
+  });
+  if (p5.isCancel(smtpPort)) process.exit(0);
+  const smtpUser = await p5.text({ message: "SMTP username / API key" });
+  if (p5.isCancel(smtpUser)) process.exit(0);
+  const smtpPass = await p5.password({ message: "SMTP password" });
+  if (p5.isCancel(smtpPass)) process.exit(0);
+  const smtpFrom = await p5.text({
+    message: "From address",
+    placeholder: '"My App" <noreply@myapp.com>'
+  });
+  if (p5.isCancel(smtpFrom)) process.exit(0);
+  return {
+    rateLimitProvider,
+    setupSmtp: true,
+    smtpHost,
+    smtpPort: Number(smtpPort),
+    smtpUser,
+    smtpPass,
+    smtpFrom
+  };
+}
+// src/prompts/style.ts
+import * as p6 from "@clack/prompts";
+import chalk7 from "chalk";
+async function promptStyle() {
+  console.log(
+    `
+  ${chalk7.dim("Used on buttons, links, and focus rings in all scaffolded pages.")}
+  ${chalk7.dim("This becomes a CSS variable \u2014 change it any time in globals.css.")}
+`
+  );
+  const primaryColor = await p6.text({
+    message: "Primary color",
+    initialValue: "oklch(0.6 0.2 240)",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (p6.isCancel(primaryColor)) process.exit(0);
+  console.log(
+    `
+  ${chalk7.dim("Accepts any CSS color:")}
+  ${chalk7.dim("  #3b82f6              (hex)")}
+  ${chalk7.dim("  hsl(220 90% 56%)     (HSL)")}
+  ${chalk7.dim("  oklch(0.6 0.2 240)   (recommended \u2014 perceptually uniform)")}
+`
+  );
+  const logoUrl = await p6.text({
+    message: "Logo path  (optional \u2014 leave blank to skip)",
+    placeholder: "/logo.svg"
+  });
+  if (p6.isCancel(logoUrl)) process.exit(0);
+  return {
+    primaryColor,
+    logoUrl: logoUrl || void 0
+  };
+}
+// src/generators/schema.ts
+import { resolvePermissionMode } from "@alinsafawi/aegis-auth-core";
+function roleModel(id, role, features) {
+  const f = role.fields ?? {};
+  const idField = f.id ?? "id";
+  const usernameField = f.username ?? "username";
+  const emailField = f.email ?? "email";
+  const hashField = f.passwordHash ?? "passwordHash";
+  const tfSecretField = f.twoFactorSecret ?? "twoFactorSecret";
+  const tfEnabledField = f.twoFactorEnabled ?? "twoFactorEnabled";
+  const emailVerifiedField = f.emailVerified ?? "emailVerified";
+  const mode = resolvePermissionMode(role);
+  const isStatic = mode === "static" || mode === "hybrid";
+  const storage = role.permissionsStorage ?? "json";
+  const lines = [
+    `model ${role.prismaModel} {`,
+    `  ${idField}                    String    @id @default(cuid())`
+  ];
+  if (role.loginField === "username" || role.loginField === "either") {
+    lines.push(`  ${usernameField}              String    @unique`);
+  }
+  if (role.loginField === "email" || role.loginField === "either") {
+    lines.push(`  ${emailField}                 String    @unique`);
+  }
+  lines.push(`  ${hashField}           String`);
+  if (features.emailVerification) {
+    lines.push(`  ${emailVerifiedField}         Boolean   @default(false)`);
+  }
+  if (features.twoFactor) {
+    lines.push(`  ${tfSecretField}        String?`);
+    lines.push(`  ${tfEnabledField}       Boolean   @default(false)`);
+  }
+  lines.push(`  requiresPasswordChange  Boolean   @default(false)`);
+  lines.push(`  createdAt               DateTime  @default(now())`);
+  lines.push(`  updatedAt               DateTime  @updatedAt`);
+  if (isStatic && storage === "columns" && typeof role.permissions === "object") {
+    for (const [key, perm] of Object.entries(role.permissions)) {
+      lines.push(`  ${key.padEnd(24)}Boolean   @default(${perm.default})`);
+    }
+  }
+  if (isStatic && storage === "json") {
+    lines.push(`  permissions             Json      @default("{}")`);
+  }
+  if (features.sessionTracking) {
+    lines.push(`  sessions                AuthSession[]`);
+  }
+  lines.push(`}`);
+  return lines.join("\n");
+}
+function generatePrismaSchema(opts) {
+  const { roles, database, features } = opts;
+  const hasDynamic = Object.values(roles).some((r) => {
+    const m = resolvePermissionMode(r);
+    return m === "dynamic" || m === "hybrid";
+  });
+  const sections = [
+    `// Generated by aegis-auth \u2014 do not edit manually`,
+    `// Add your own models below the aegis-auth section`,
+    ``,
+    `generator client {`,
+    `  provider = "prisma-client-js"`,
+    `}`,
+    ``,
+    `datasource db {`,
+    `  provider = "${database}"`,
+    `  url      = env("DATABASE_URL")`,
+    `}`,
+    ``,
+    `// \u2500\u2500\u2500 Aegis Auth \u2014 Role Models \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    ``
+  ];
+  for (const [id, role] of Object.entries(roles)) {
+    sections.push(roleModel(id, role, features));
+    sections.push(``);
+  }
+  sections.push(`// \u2500\u2500\u2500 Aegis Auth \u2014 Shared Tables \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+  sections.push(``);
+  if (features.passwordReset) {
+    sections.push(
+      `model AuthPasswordResetChallenge {`,
+      `  id        String   @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  codeHash  String`,
+      `  expiresAt DateTime`,
+      `  usedAt    DateTime?`,
+      `  createdAt DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.emailVerification) {
+    sections.push(
+      `model AuthEmailVerificationChallenge {`,
+      `  id        String   @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  codeHash  String`,
+      `  expiresAt DateTime`,
+      `  usedAt    DateTime?`,
+      `  createdAt DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.accountLockout) {
+    sections.push(
+      `model AuthAccountLockout {`,
+      `  id             String    @id @default(cuid())`,
+      `  roleType       String`,
+      `  userId         String`,
+      `  failedAttempts Int       @default(0)`,
+      `  lockedUntil    DateTime?`,
+      `  updatedAt      DateTime  @updatedAt`,
+      ``,
+      `  @@unique([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (hasDynamic) {
+    sections.push(
+      `model AuthPermission {`,
+      `  id          String   @id @default(cuid())`,
+      `  key         String   @unique`,
+      `  label       String`,
+      `  description String?`,
+      `  group       String?`,
+      `  appliesTo   String[]`,
+      `  createdAt   DateTime @default(now())`,
+      ``,
+      `  grants AuthUserPermission[]`,
+      `}`,
+      ``,
+      `model AuthUserPermission {`,
+      `  id           String         @id @default(cuid())`,
+      `  permissionId String`,
+      `  permission   AuthPermission @relation(fields: [permissionId], references: [id], onDelete: Cascade)`,
+      `  roleType     String`,
+      `  userId       String`,
+      `  granted      Boolean        @default(true)`,
+      `  grantedById  String?`,
+      `  grantedAt    DateTime       @default(now())`,
+      ``,
+      `  @@unique([permissionId, roleType, userId])`,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.twoFactor) {
+    sections.push(
+      `model AuthTwoFactorBackupCode {`,
+      `  id        String   @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  codeHash  String`,
+      `  usedAt    DateTime?`,
+      `  createdAt DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.preventPasswordReuse) {
+    sections.push(
+      `model AuthPasswordHistory {`,
+      `  id        String   @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  hash      String`,
+      `  createdAt DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.sessionTracking) {
+    sections.push(
+      `model AuthSession {`,
+      `  id        String   @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  token     String   @unique`,
+      `  userAgent String?`,
+      `  ip        String?`,
+      `  expiresAt DateTime`,
+      `  createdAt DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.apiKeys) {
+    sections.push(
+      `model AuthApiKey {`,
+      `  id        String    @id @default(cuid())`,
+      `  roleType  String`,
+      `  userId    String`,
+      `  keyHash   String    @unique`,
+      `  label     String`,
+      `  lastUsed  DateTime?`,
+      `  expiresAt DateTime?`,
+      `  createdAt DateTime  @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `}`,
+      ``
+    );
+  }
+  if (features.auditLog) {
+    sections.push(
+      `model AuthAuditLog {`,
+      `  id         String   @id @default(cuid())`,
+      `  roleType   String`,
+      `  userId     String`,
+      `  action     String`,
+      `  resource   String?`,
+      `  metadata   Json?`,
+      `  ip         String?`,
+      `  userAgent  String?`,
+      `  createdAt  DateTime @default(now())`,
+      ``,
+      `  @@index([roleType, userId])`,
+      `  @@index([createdAt])`,
+      `}`,
+      ``
+    );
+  }
+  sections.push(`// \u2500\u2500\u2500 Your Models \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+  sections.push(``);
+  sections.push(`// Add your own Prisma models here`);
+  return sections.join("\n");
+}
+// src/generators/config-file.ts
+import { resolvePermissionMode as resolvePermissionMode2 } from "@alinsafawi/aegis-auth-core";
+function serializePermissions(role) {
+  const mode = resolvePermissionMode2(role);
+  if (mode === "all") return `'all'`;
+  if (mode === "none") return `'none'`;
+  if (mode === "dynamic") return `'dynamic'`;
+  const perms = typeof role.permissions === "object" ? role.permissions : {};
+  const lines = Object.entries(perms).map(([key, p10]) => {
+    const def = p10;
+    return [
+      `      ${key}: {`,
+      `        label: '${def.label}',`,
+      def.group ? `        group: '${def.group}',` : null,
+      `        default: ${def.default},`,
+      `      },`
+    ].filter(Boolean).join("\n");
+  });
+  return `{
+${lines.join("\n")}
+    }`;
+}
+function serializeRole(id, role) {
+  return [
+    `    ${id}: {`,
+    `      label: '${role.label}',`,
+    role.plural ? `      plural: '${role.plural}',` : null,
+    `      prismaModel: '${role.prismaModel}',`,
+    `      loginField: '${role.loginField}',`,
+    `      homeRoute: '${role.homeRoute}',`,
+    role.singleton ? `      singleton: true,` : null,
+    role.canManage?.length ? `      canManage: [${role.canManage.map((r) => `'${r}'`).join(", ")}],` : null,
+    `      signup: '${role.signup ?? "public"}',`,
+    `      permissions: ${serializePermissions(role)},`,
+    `    },`
+  ].filter(Boolean).join("\n");
+}
+function generateAuthConfig(opts) {
+  const { appName, cookiePrefix, sessionDuration, roles, features, infra, style } = opts;
+  const ext = opts.language === "typescript" ? "ts" : "js";
+  const typeAnnotation = ext === "ts" ? ": AegisConfig" : "";
+  const importStatement = ext === "ts" ? `import { defineAuthConfig, type AegisConfig } from '@alinsafawi/aegis-auth-core'
+` : `const { defineAuthConfig } = require('@alinsafawi/aegis-auth-core')
+`;
+  const lockout = features.accountLockout ? `{
+      maxAttempts: ${features.lockoutAttempts},
+      lockDurationMinutes: ${features.lockoutMinutes},
+      notifyOnLock: true,
+    }` : "false";
+  return `${importStatement}
+${ext === "ts" ? `const config${typeAnnotation} = ` : `const config = `}defineAuthConfig({
+  appName: '${appName}',
+  session: {
+    secret: process.env.AEGIS_JWT_SECRET${ext === "ts" ? "!" : ""},
+    cookieName: '${cookiePrefix}_session',
+    csrfCookieName: '${cookiePrefix}_csrf',
+    pendingTwoFactorCookieName: '${cookiePrefix}_2fa_pending',
+    maxAge: ${sessionDuration},
+  },
+  roles: {
+${Object.entries(roles).map(([id, role]) => serializeRole(id, role)).join("\n\n")}
+  },
+  features: {
+    twoFactor: ${features.twoFactor},
+    emailVerification: ${features.emailVerification},
+    passwordReset: ${features.passwordReset},
+    accountLockout: ${lockout},
+    apiKeys: ${features.apiKeys},
+    auditLog: ${features.auditLog},
+    sessionTracking: ${features.sessionTracking},
+  },
+  passwordPolicy: {
+    minLength: ${features.minPasswordLength},
+    maxAgeDays: ${features.passwordExpiry ?? "null"},
+    preventReuse: ${features.preventPasswordReuse ?? "null"},
+  },
+${infra.setupSmtp ? `  email: {
+    host: process.env.AEGIS_SMTP_HOST${ext === "ts" ? "!" : ""},
+    port: Number(process.env.AEGIS_SMTP_PORT),
+    user: process.env.AEGIS_SMTP_USER${ext === "ts" ? "!" : ""},
+    pass: process.env.AEGIS_SMTP_PASS${ext === "ts" ? "!" : ""},
+    from: process.env.AEGIS_SMTP_FROM${ext === "ts" ? "!" : ""},
+  },` : `  // email: { host, port, user, pass, from }  \u2190 add when ready`}
+  rateLimit: {
+    provider: '${infra.rateLimitProvider}',${infra.rateLimitProvider === "upstash" ? `
+    upstash: {
+      url: process.env.UPSTASH_REDIS_REST_URL${ext === "ts" ? "!" : ""},
+      token: process.env.UPSTASH_REDIS_REST_TOKEN${ext === "ts" ? "!" : ""},
+    },` : ""}
+  },
+  ui: {
+    brandName: '${appName}',${style.logoUrl ? `
+    logoUrl: '${style.logoUrl}',` : ""}
+    primaryColor: '${style.primaryColor}',
+  },
+})
+export default config
+`;
+}
+// src/generators/env.ts
+function generateEnvExample(cookiePrefix, infra, features) {
+  const lines = [
+    `# \u2500\u2500\u2500 Aegis Auth \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    ``,
+    `# Generate with: openssl rand -base64 32`,
+    `AEGIS_JWT_SECRET=`,
+    ``,
+    `# Set to the previous secret when rotating \u2014 gives active sessions a grace period`,
+    `# AEGIS_JWT_SECRET_PREVIOUS=`,
+    ``,
+    `# \u2500\u2500\u2500 Database \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    ``,
+    `DATABASE_URL=`,
+    ``
+  ];
+  if (features.emailVerification || features.passwordReset || features.accountLockout) {
+    lines.push(
+      `# \u2500\u2500\u2500 Email (SMTP) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+      ``,
+      `# Works with Resend, Sendgrid, Postmark, Gmail, etc.`,
+      `AEGIS_SMTP_HOST=`,
+      `AEGIS_SMTP_PORT=587`,
+      `AEGIS_SMTP_USER=`,
+      `AEGIS_SMTP_PASS=`,
+      `AEGIS_SMTP_FROM="My App <noreply@myapp.com>"`,
+      ``
+    );
+  }
+  if (infra.rateLimitProvider === "upstash") {
+    lines.push(
+      `# \u2500\u2500\u2500 Upstash Redis (rate limiting) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+      ``,
+      `# Get these from upstash.com \u2014 free tier available`,
+      `UPSTASH_REDIS_REST_URL=`,
+      `UPSTASH_REDIS_REST_TOKEN=`,
+      ``
+    );
+  }
+  return lines.join("\n");
+}
+// src/generators/project-files.ts
+function generateRootLayout(appName, primaryColor, language) {
+  const ext = language === "typescript" ? "tsx" : "jsx";
+  return `import type { Metadata } from 'next'
+import './globals.css'
+export const metadata: Metadata = {
+  title: '${appName}',
+  description: '${appName}',
+}
+export default function RootLayout({
+  children,
+}: ${language === "typescript" ? "{ children: React.ReactNode }" : "props"}) {
+  return (
+    <html lang="en">
+      <body>${`{${language === "typescript" ? "children" : "props.children"}}`}</body>
+    </html>
+  )
+}
+`;
+}
+function generateGlobalsCss(primaryColor) {
+  return `@tailwind base;
+@tailwind components;
+@tailwind utilities;
+:root {
+  --primary: ${primaryColor};
+  --primary-foreground: white;
+  --background: white;
+  --foreground: oklch(0.15 0 0);
+  --card: oklch(0.98 0 0);
+  --border: oklch(0.9 0 0);
+  --input: oklch(0.92 0 0);
+  --muted: oklch(0.55 0 0);
+}
+@media (prefers-color-scheme: dark) {
+  :root {
+    --background: oklch(0.1 0 0);
+    --foreground: oklch(0.95 0 0);
+    --card: oklch(0.13 0 0);
+    --border: oklch(0.22 0 0);
+    --input: oklch(0.18 0 0);
+    --muted: oklch(0.55 0 0);
+  }
+}
+* {
+  border-color: var(--border);
+}
+body {
+  background: var(--background);
+  color: var(--foreground);
+}
+`;
+}
+function generateRootPage(loginRoute) {
+  return `import { redirect } from 'next/navigation'
+export default function RootPage() {
+  redirect('${loginRoute}')
+}
+`;
+}
+function generateMiddleware(cookiePrefix, language) {
+  return `import { createAuthMiddleware } from '@alinsafawi/aegis-auth-next'
+import config from './auth.config'
+export default createAuthMiddleware(config)
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+}
+`;
+}
+function generateAuthLib(language) {
+  const ts = language === "typescript";
+  return `import { getSession, requireSession, requireRole, hasPermission } from '@alinsafawi/aegis-auth-next'
+import config from '../../auth.config'
+${ts ? `import type { AegisSession } from '@alinsafawi/aegis-auth-core'` : ""}
+export { hasPermission }
+${ts ? `export type { AegisSession }` : ""}
+export const auth = {
+  session: () => getSession(config),
+  require: () => requireSession(config),
+  requireRole: (role${ts ? ": string | string[]" : ""}) => requireRole(config, role),
+}
+`;
+}
+function generateLoginPage(appName, primaryColor, language) {
+  return `'use client'
+import { useState, useRef } from 'react'
+import { useRouter } from 'next/navigation'
+export default function LoginPage() {
+  const [identifier, setIdentifier] = useState('')
+  const [password, setPassword] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+  const router = useRouter()
+  async function handleSubmit(e${language === "typescript" ? ": React.FormEvent" : ""}) {
+    e.preventDefault()
+    setError('')
+    setLoading(true)
+    const csrf = document.cookie
+      .split('; ')
+      .find((r) => r.startsWith('${appName.toLowerCase().replace(/[^a-z]/g, "")}_csrf='))
+      ?.split('=')[1]
+    const res = await fetch('/api/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'x-csrf-token': csrf ?? '' },
+      body: JSON.stringify({ identifier, password }),
+    })
+    const data = await res.json()
+    setLoading(false)
+    if (!res.ok) { setError(data.error ?? 'Login failed'); return }
+    if (data.requiresTwoFactor) { router.push('/two-factor'); return }
+    router.push(\`/\${data.role}/dashboard\`)
+  }
+  return (
+    <main className="min-h-screen flex items-center justify-center p-4">
+      <div className="w-full max-w-sm">
+        <div className="text-center mb-8">
+          <h1 className="text-2xl font-bold">${appName}</h1>
+        </div>
+        <form onSubmit={handleSubmit} className="space-y-4">
+          {error && (
+            <div className="text-sm text-red-500 bg-red-50 border border-red-200 rounded-md p-3">
+              {error}
+            </div>
+          )}
+          <div>
+            <label className="block text-sm font-medium mb-1">Email or Username</label>
+            <input
+              type="text"
+              value={identifier}
+              onChange={(e) => setIdentifier(e.target.value)}
+              required
+              autoComplete="username"
+              className="w-full px-3 py-2 rounded-md border bg-[var(--input)] focus:outline-none focus:ring-2 focus:ring-[var(--primary)]"
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium mb-1">Password</label>
+            <input
+              type="password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+              autoComplete="current-password"
+              className="w-full px-3 py-2 rounded-md border bg-[var(--input)] focus:outline-none focus:ring-2 focus:ring-[var(--primary)]"
+            />
+          </div>
+          <button
+            type="submit"
+            disabled={loading}
+            style={{ background: 'var(--primary)', color: 'var(--primary-foreground)' }}
+            className="w-full py-2 px-4 rounded-md font-medium disabled:opacity-50 transition-opacity"
+          >
+            {loading ? 'Signing in\u2026' : 'Sign in'}
+          </button>
+          <div className="text-center">
+            <a href="/forgot-password" className="text-sm text-[var(--muted)] hover:underline">
+              Forgot password?
+            </a>
+          </div>
+        </form>
+      </div>
+    </main>
+  )
+}
+`;
+}
+function generateNextConfig() {
+  return `import type { NextConfig } from 'next'
+const nextConfig: NextConfig = {}
+export default nextConfig
+`;
+}
+function generateTailwindConfig() {
+  return `import type { Config } from 'tailwindcss'
+const config: Config = {
+  content: ['./src/**/*.{js,ts,jsx,tsx,mdx}'],
+  theme: { extend: {} },
+  plugins: [],
+}
+export default config
+`;
+}
+function generatePackageJson(name, packageManager) {
+  return JSON.stringify(
+    {
+      name,
+      version: "0.1.0",
+      private: true,
+      scripts: {
+        dev: "next dev",
+        build: "next build",
+        start: "next start",
+        lint: "next lint"
+      },
+      dependencies: {
+        "@alinsafawi/aegis-auth-core": "latest",
+        "@alinsafawi/aegis-auth-next": "latest",
+        "@prisma/client": "^5.0.0",
+        next: "^15.0.0",
+        react: "^19.0.0",
+        "react-dom": "^19.0.0"
+      },
+      devDependencies: {
+        "@types/node": "^20.0.0",
+        "@types/react": "^19.0.0",
+        "@types/react-dom": "^19.0.0",
+        prisma: "^5.0.0",
+        tailwindcss: "^3.4.0",
+        typescript: "^5.4.0"
+      }
+    },
+    null,
+    2
+  );
+}
+// src/commands/init.ts
+function detectPackageManager() {
+  if (process.env.npm_config_user_agent?.includes("pnpm")) return "pnpm";
+  if (process.env.npm_config_user_agent?.includes("yarn")) return "yarn";
+  if (process.env.npm_config_user_agent?.includes("bun")) return "bun";
+  return "npm";
+}
+function isExistingNextProject(dir) {
+  return fs.existsSync(path.join(dir, "next.config.ts")) || fs.existsSync(path.join(dir, "next.config.js")) || fs.existsSync(path.join(dir, "next.config.mjs"));
+}
+var STEPS = ["PROJECT", "APP", "ROLES", "FEATURES", "INFRA", "STYLE"];
+async function runInit() {
+  printBanner();
+  const mode = await p7.select({
+    message: "What would you like to do?",
+    options: [
+      {
+        value: "new",
+        label: "Create a new project",
+        hint: "start clean \u2014 auth included, all defaults removed"
+      },
+      {
+        value: "existing",
+        label: "Add to existing project",
+        hint: "wire auth into your Next.js app"
+      }
+    ]
+  });
+  if (p7.isCancel(mode)) {
+    p7.cancel("Cancelled.");
+    process.exit(0);
+  }
+  let targetDir = process.cwd();
+  let language = "typescript";
+  let packageManager = detectPackageManager();
+  let database = "postgresql";
+  let projectName;
+  if (mode === "new") {
+    printSection(`STEP 1 of ${STEPS.length}  \u25B8  ${STEPS.join("  \xB7  ")}`);
+    const project = await promptProject(detectPackageManager());
+    projectName = project.name;
+    language = project.language;
+    packageManager = project.packageManager;
+    database = project.database;
+    targetDir = path.join(process.cwd(), project.name);
+    if (fs.existsSync(targetDir)) {
+      const overwrite = await p7.confirm({
+        message: `Folder '${project.name}' already exists. Continue anyway?`,
+        initialValue: false
+      });
+      if (p7.isCancel(overwrite) || !overwrite) {
+        p7.cancel("Cancelled.");
+        process.exit(0);
+      }
+    }
+  } else {
+    printSection("Scanning your project...");
+    const checks = [
+      { label: "Next.js", status: isExistingNextProject(targetDir) ? "ok" : "error", detail: !isExistingNextProject(targetDir) ? "next.config.ts not found" : "" },
+      { label: "TypeScript", status: fs.existsSync(path.join(targetDir, "tsconfig.json")) ? "ok" : "warn", detail: "" },
+      { label: "Prisma", status: fs.existsSync(path.join(targetDir, "prisma")) ? "ok" : "warn", detail: !fs.existsSync(path.join(targetDir, "prisma")) ? "will be created" : "" },
+      { label: "Tailwind CSS", status: fs.existsSync(path.join(targetDir, "tailwind.config.ts")) || fs.existsSync(path.join(targetDir, "tailwind.config.js")) ? "ok" : "warn", detail: "" },
+      { label: "No aegis-auth found", status: fs.existsSync(path.join(targetDir, "auth.config.ts")) ? "warn" : "ok", detail: fs.existsSync(path.join(targetDir, "auth.config.ts")) ? "already installed \u2014 use upgrade instead" : "starting fresh setup" }
+    ];
+    printStatusList(checks);
+    language = fs.existsSync(path.join(targetDir, "tsconfig.json")) ? "typescript" : "javascript";
+    if (checks.find((c4) => c4.label === "Next.js")?.status === "error") {
+      p7.cancel(`No Next.js project found in ${targetDir}. Run from inside your project folder.`);
+      process.exit(1);
+    }
+    console.log(`
+  ${chalk8.dim("This wizard will:")}
+`);
+    console.log(`  ${chalk8.dim("\xB7")}  Generate Prisma models for your roles`);
+    console.log(`  ${chalk8.dim("\xB7")}  Create API route handlers  ${chalk8.dim("src/app/api/auth/**")}`);
+    console.log(`  ${chalk8.dim("\xB7")}  Scaffold auth pages  ${chalk8.dim("(login, 2FA, reset password, etc.)")}`);
+    console.log(`  ${chalk8.dim("\xB7")}  Create auth.config.ts`);
+    console.log(`  ${chalk8.dim("\xB7")}  Update .env.example
+`);
+  }
+  printSection(mode === "new" ? `STEP 2 of ${STEPS.length}  \u25B8  PROJECT \u2713  \u25B8  APP` : `STEP 1 of ${STEPS.length - 1}  \u25B8  APP`);
+  const app = await promptApp(projectName);
+  printSection(mode === "new" ? `STEP 3 of ${STEPS.length}  \u25B8  PROJECT \u2713  APP \u2713  \u25B8  ROLES` : `STEP 2  \u25B8  APP \u2713  \u25B8  ROLES`);
+  const roles = await promptRoles();
+  printSection(mode === "new" ? `STEP 4 of ${STEPS.length}  \u25B8  ...  ROLES \u2713  \u25B8  FEATURES` : `STEP 3  \u25B8  ROLES \u2713  \u25B8  FEATURES`);
+  const features = await promptFeatures(Object.keys(roles));
+  printSection(mode === "new" ? `STEP 5 of ${STEPS.length}  \u25B8  ...  FEATURES \u2713  \u25B8  INFRA` : `STEP 4  \u25B8  FEATURES \u2713  \u25B8  INFRA`);
+  const infra = await promptInfrastructure();
+  printSection(mode === "new" ? `STEP 6 of ${STEPS.length}  \u25B8  ...  INFRA \u2713  \u25B8  STYLE` : `STEP 5  \u25B8  INFRA \u2713  \u25B8  STYLE`);
+  const style = await promptStyle();
+  printSection("REVIEW  \xB7  Everything that's about to happen");
+  console.log(`  ${chalk8.bold("Configuration")}
+`);
+  console.log(`  App              ${chalk8.cyan(app.appName)}`);
+  console.log(`  Cookie prefix    ${chalk8.cyan(app.cookiePrefix)}`);
+  console.log(`  Session          ${chalk8.cyan(app.sessionDuration / 3600 + " hours")}`);
+  if (mode === "new") {
+    console.log(`  Language         ${chalk8.cyan(language)}`);
+    console.log(`  Package manager  ${chalk8.cyan(packageManager)}`);
+    console.log(`  Database         ${chalk8.cyan(database)}`);
+  }
+  console.log();
+  console.log(`  ${chalk8.bold("Roles")}`);
+  for (const [id, role] of Object.entries(roles)) {
+    console.log(`  ${chalk8.dim("\xB7")}  ${chalk8.magentaBright(id)}  ${chalk8.dim("\u2192")}  ${role.prismaModel}  ${chalk8.dim("(")}${role.loginField}${chalk8.dim(")")}`);
+  }
+  console.log();
+  const onFeatures = Object.entries(features).filter(([k, v]) => v === true && ["twoFactor", "emailVerification", "passwordReset", "accountLockout", "apiKeys", "auditLog", "sessionTracking"].includes(k)).map(([k]) => k);
+  console.log(`  ${chalk8.bold("Features")}  ${onFeatures.map((f) => chalk8.cyan(f)).join(chalk8.dim("  \xB7  "))}`);
+  console.log();
+  const confirm4 = await p7.select({
+    message: "Proceed?",
+    options: [
+      { value: "go", label: mode === "new" ? "Create project" : "Create files" },
+      { value: "dry", label: "Dry run \u2014 show me what will be created without writing" },
+      { value: "no", label: "Cancel" }
+    ]
+  });
+  if (p7.isCancel(confirm4) || confirm4 === "no") {
+    p7.cancel("Cancelled.");
+    process.exit(0);
+  }
+  const isDry = confirm4 === "dry";
+  printSection(mode === "new" ? `BUILDING  ${projectName}` : "INSTALLING");
+  const spin = p7.spinner();
+  async function writeFile(relPath, content) {
+    const full = path.join(targetDir, relPath);
+    if (isDry) {
+      console.log(`  ${chalk8.dim("+")} ${chalk8.yellow(relPath)}`);
+      return;
+    }
+    await fs.ensureDir(path.dirname(full));
+    await fs.writeFile(full, content, "utf8");
+  }
+  async function step(label, fn) {
+    spin.start(label);
+    await fn();
+    spin.stop(`${chalk8.green("\u2713")}  ${label}`);
+  }
+  if (mode === "new") {
+    await step("Scaffolding Next.js project", async () => {
+      await writeFile("package.json", generatePackageJson(projectName, packageManager));
+      await writeFile("next.config.ts", generateNextConfig());
+      await writeFile("tailwind.config.ts", generateTailwindConfig());
+      await writeFile("tsconfig.json", JSON.stringify({ compilerOptions: { target: "ES2017", lib: ["dom", "dom.iterable", "esnext"], allowJs: true, skipLibCheck: true, strict: true, noEmit: true, esModuleInterop: true, module: "esnext", moduleResolution: "bundler", resolveJsonModule: true, isolatedModules: true, jsx: "preserve", incremental: true, plugins: [{ name: "next" }], paths: { "@/*": ["./src/*"] } }, include: ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"], exclude: ["node_modules"] }, null, 2));
+      await writeFile(".gitignore", `node_modules
+.next
+dist
+.env
+.env.local
+*.tsbuildinfo
+`);
+      await writeFile(".env.local", "");
+      await writeFile("src/app/layout.tsx", generateRootLayout(app.appName, style.primaryColor, language));
+      await writeFile("src/app/globals.css", generateGlobalsCss(style.primaryColor));
+      await writeFile("src/app/page.tsx", generateRootPage(roles[Object.keys(roles)[0]] ? "/login" : "/login"));
+    });
+  }
+  await step("Generating Prisma schema", async () => {
+    const schema = generatePrismaSchema({
+      roles,
+      database: mode === "new" ? database : "postgresql",
+      features: {
+        twoFactor: features.twoFactor,
+        emailVerification: features.emailVerification,
+        passwordReset: features.passwordReset,
+        accountLockout: features.accountLockout,
+        apiKeys: features.apiKeys,
+        auditLog: features.auditLog,
+        sessionTracking: features.sessionTracking,
+        preventPasswordReuse: !!features.preventPasswordReuse
+      }
+    });
+    await writeFile("prisma/schema.prisma", schema);
+  });
+  await step("Creating auth.config.ts", async () => {
+    const config = generateAuthConfig({ appName: app.appName, cookiePrefix: app.cookiePrefix, sessionDuration: app.sessionDuration, roles, features, infra, style, language });
+    await writeFile(`auth.config.${language === "typescript" ? "ts" : "js"}`, config);
+  });
+  await step("Creating middleware", async () => {
+    await writeFile(`src/middleware.${language === "typescript" ? "ts" : "js"}`, generateMiddleware(app.cookiePrefix, language));
+  });
+  await step("Creating session helpers", async () => {
+    await writeFile(`src/lib/auth.${language === "typescript" ? "ts" : "js"}`, generateAuthLib(language));
+  });
+  await step("Scaffolding auth pages", async () => {
+    const e = language === "typescript" ? "tsx" : "jsx";
+    await writeFile(`src/app/(auth)/login/page.${e}`, generateLoginPage(app.appName, style.primaryColor, language));
+  });
+  await step("Updating .env.example", async () => {
+    await writeFile(".env.example", generateEnvExample(app.cookiePrefix, infra, features));
+  });
+  if (!isDry && mode === "new") {
+    await step(`Installing dependencies with ${packageManager}`, async () => {
+      await execa(packageManager, ["install"], { cwd: targetDir });
+    });
+  }
+  printDone(app.appName);
+  const cdStep = mode === "new" && projectName ? [{ n: 0, title: `cd ${projectName}`, lines: [] }] : [];
+  printNextSteps([
+    ...cdStep,
+    {
+      n: 1,
+      title: "Fill in .env.local",
+      lines: [
+        `${chalk8.cyan("AEGIS_JWT_SECRET=")}          ${chalk8.dim("\u2190 openssl rand -base64 32")}`,
+        `${chalk8.cyan("DATABASE_URL=")}`,
+        features.emailVerification || features.passwordReset ? `${chalk8.cyan("AEGIS_SMTP_HOST=")}` : "",
+        infra.rateLimitProvider === "upstash" ? `${chalk8.cyan("UPSTASH_REDIS_REST_URL=")}` : ""
+      ].filter(Boolean)
+    },
+    {
+      n: 2,
+      title: "Apply the database schema",
+      lines: [`${chalk8.green("npx prisma migrate dev --name init")}`]
+    },
+    {
+      n: 3,
+      title: "Create your first user",
+      lines: [`${chalk8.green("npx aegis-auth seed")}`]
+    },
+    {
+      n: 4,
+      title: mode === "new" ? "Start building" : "Start your dev server",
+      lines: [
+        `${chalk8.green(packageManager === "npm" ? "npm run dev" : `${packageManager} dev`)}  ${chalk8.dim("\u2192  http://localhost:3000")}`
+      ]
+    }
+  ]);
+  console.log();
+  console.log(
+    `  ${chalk8.dim("Commands available any time:")}
+`
+  );
+  console.log(`  ${chalk8.green("aegis-auth add-role")}    ${chalk8.dim("add a new role")}`);
+  console.log(`  ${chalk8.green("aegis-auth generate")}    ${chalk8.dim("regenerate TypeScript types")}`);
+  console.log(`  ${chalk8.green("aegis-auth validate")}    ${chalk8.dim("check config without hitting DB")}`);
+  console.log(`  ${chalk8.green("aegis-auth doctor")}      ${chalk8.dim("check env, DB, SMTP, Redis")}`);
+  console.log(`  ${chalk8.green("aegis-auth upgrade")}     ${chalk8.dim("update to a new version")}`);
+  console.log();
+}
+// src/commands/doctor.ts
+import chalk9 from "chalk";
+import fs2 from "fs-extra";
+import path2 from "path";
+async function runDoctor() {
+  printBanner();
+  printSection("DOCTOR  \xB7  Checking your Aegis setup");
+  const cwd = process.cwd();
+  const results = [];
+  const hasConfig = fs2.existsSync(path2.join(cwd, "auth.config.ts")) || fs2.existsSync(path2.join(cwd, "auth.config.js"));
+  results.push({
+    label: "auth.config.ts found",
+    status: hasConfig ? "ok" : "error",
+    detail: !hasConfig ? "run: npx aegis-auth init" : void 0
+  });
+  const hasSchema = fs2.existsSync(path2.join(cwd, "prisma", "schema.prisma"));
+  results.push({
+    label: "Prisma schema",
+    status: hasSchema ? "ok" : "warn",
+    detail: !hasSchema ? "prisma/schema.prisma not found" : void 0
+  });
+  const requiredEnv = ["AEGIS_JWT_SECRET", "DATABASE_URL"];
+  const optionalEnv = [
+    "AEGIS_SMTP_HOST",
+    "UPSTASH_REDIS_REST_URL",
+    "UPSTASH_REDIS_REST_TOKEN",
+    "AEGIS_JWT_SECRET_PREVIOUS"
+  ];
+  console.log(`
+  ${chalk9.dim("\u2500  Environment  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+`);
+  for (const key of requiredEnv) {
+    const val = process.env[key];
+    results.push({
+      label: key,
+      status: val ? "ok" : "error",
+      detail: val ? key === "AEGIS_JWT_SECRET" ? `set  (${val.length} chars${val.length >= 32 ? " \u2014 good" : " \u2014 too short, need \u2265 32"})` : "set" : "missing"
+    });
+  }
+  for (const key of optionalEnv) {
+    const val = process.env[key];
+    if (val) {
+      results.push({ label: key, status: "ok", detail: "set" });
+    } else {
+      results.push({ label: key, status: "skip", detail: "not set  (optional)" });
+    }
+  }
+  printStatusList(results);
+  const errors = results.filter((r) => r.status === "error");
+  const warns = results.filter((r) => r.status === "warn");
+  console.log();
+  if (errors.length === 0 && warns.length === 0) {
+    console.log(`  ${chalk9.green("\u2713")}  ${chalk9.green("Everything looks good.")}`);
+  } else {
+    console.log(
+      `  ${chalk9.red(errors.length)} error${errors.length !== 1 ? "s" : ""}` + (warns.length ? `  ${chalk9.yellow(warns.length)} warning${warns.length !== 1 ? "s" : ""}` : "") + ` found.`
+    );
+    console.log();
+    console.log(`  Fix the above, then re-run:  ${chalk9.green("npx aegis-auth doctor")}`);
+  }
+  console.log();
+}
+// src/commands/add-role.ts
+import * as p8 from "@clack/prompts";
+import chalk10 from "chalk";
+import fs3 from "fs-extra";
+import path3 from "path";
+async function runAddRole() {
+  printBanner();
+  printSection("ADD ROLE");
+  const cwd = process.cwd();
+  const configPath = fs3.existsSync(path3.join(cwd, "auth.config.ts")) ? path3.join(cwd, "auth.config.ts") : fs3.existsSync(path3.join(cwd, "auth.config.js")) ? path3.join(cwd, "auth.config.js") : null;
+  if (!configPath) {
+    p8.cancel("No auth.config.ts found. Run: npx aegis-auth init first.");
+    process.exit(1);
+  }
+  console.log(
+    `
+  ${chalk10.dim("Adding a new role to your existing setup.")}
+  ${chalk10.dim("You will need to run  npx prisma migrate dev  after.")}
+`
+  );
+  const { id, config } = await promptRole(1, 1);
+  console.log();
+  console.log(`  ${chalk10.green("\u2713")}  Role ${chalk10.magentaBright(id)} defined.`);
+  console.log();
+  console.log(`  ${chalk10.dim("Next steps:")}`);
+  console.log();
+  console.log(`  1  Add to auth.config.ts \u2192 roles:`);
+  console.log();
+  console.log(
+    chalk10.dim(
+      `     ${id}: {
+       label: '${config.label}',
+       prismaModel: '${config.prismaModel}',
+       loginField: '${config.loginField}',
+       homeRoute: '${config.homeRoute}',
+       permissions: ...,
+     },`
+    )
+  );
+  console.log();
+  console.log(`  2  Apply the schema:`);
+  console.log(`     ${chalk10.green("npx prisma migrate dev --name add-role-" + id)}`);
+  console.log();
+  console.log(`  3  Regenerate types:`);
+  console.log(`     ${chalk10.green("npx aegis-auth generate")}`);
+  console.log();
+}
+// src/commands/generate.ts
+import chalk11 from "chalk";
+import fs4 from "fs-extra";
+import path4 from "path";
+async function runGenerate() {
+  printBanner();
+  const cwd = process.cwd();
+  const outPath = path4.join(cwd, "src", "lib", "auth-types.generated.ts");
+  console.log(`
+  ${chalk11.dim("Regenerating TypeScript types from auth.config.ts...")}
+`);
+  const content = `// auto-generated by aegis-auth \u2014 do not edit
+// run: npx aegis-auth generate  to update
+import type { AegisSession } from '@alinsafawi/aegis-auth-core'
+export type { AegisSession }
+// Import your config to derive these types
+// import config from '../../auth.config'
+// export type RoleId = keyof typeof config.roles
+`;
+  await fs4.ensureDir(path4.dirname(outPath));
+  await fs4.writeFile(outPath, content, "utf8");
+  console.log(`  ${chalk11.green("\u2713")}  ${chalk11.yellow("src/lib/auth-types.generated.ts")}  updated`);
+  console.log();
+}
+// src/commands/seed.ts
+import * as p9 from "@clack/prompts";
+import chalk12 from "chalk";
+import fs5 from "fs-extra";
+import path5 from "path";
+async function runSeed() {
+  printBanner();
+  printSection("SEED  \xB7  Create your first user");
+  const cwd = process.cwd();
+  const hasConfig = fs5.existsSync(path5.join(cwd, "auth.config.ts")) || fs5.existsSync(path5.join(cwd, "auth.config.js"));
+  if (!hasConfig) {
+    p9.cancel("No auth.config.ts found. Run: npx aegis-auth init first.");
+    process.exit(1);
+  }
+  console.log(
+    `
+  ${chalk12.dim("This creates the first user account in your database.")}
+`
+  );
+  const role = await p9.text({
+    message: "Role ID to seed",
+    placeholder: "admin",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (p9.isCancel(role)) process.exit(0);
+  const identifier = await p9.text({
+    message: "Email or username",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (p9.isCancel(identifier)) process.exit(0);
+  const password3 = await p9.password({
+    message: "Password",
+    validate: (v) => v.length < 8 ? "At least 8 characters" : void 0
+  });
+  if (p9.isCancel(password3)) process.exit(0);
+  console.log();
+  console.log(
+    `  ${chalk12.yellow("\u26A0")}  ${chalk12.dim("Seed functionality requires your app to be running with Prisma connected.")}`
+  );
+  console.log(
+    `  ${chalk12.dim("Add this to a script in your project or run via ts-node:")}`
+  );
+  console.log();
+  console.log(
+    chalk12.dim(
+      `  import { PrismaClient } from '@prisma/client'
+  import { hashPassword } from '@alinsafawi/aegis-auth-core'
+  const prisma = new PrismaClient()
+  await prisma.${role}.create({
+    data: { email: '${identifier}', passwordHash: await hashPassword('${password3}') }
+  })`
+    )
+  );
+  console.log();
+}
+// src/index.ts
+import chalk13 from "chalk";
+var [, , command, ...args] = process.argv;
+var COMMANDS = {
+  init: runInit,
+  "add-role": runAddRole,
+  generate: runGenerate,
+  seed: runSeed,
+  doctor: runDoctor
+};
+var DESCRIPTIONS = {
+  init: "Set up auth in a new or existing project",
+  "add-role": "Add a new role to an existing setup",
+  generate: "Regenerate TypeScript types from auth.config.ts",
+  seed: "Create the first user in your database",
+  doctor: "Check env vars, DB connection, SMTP, and Redis",
+  upgrade: "Upgrade aegis-auth to the latest version",
+  status: "Print a summary of your current config"
+};
+async function main() {
+  if (!command || command === "--help" || command === "-h") {
+    printBanner();
+    console.log(`  ${chalk13.bold("Usage")}  ${chalk13.cyan("npx aegis-auth")} ${chalk13.yellow("<command>")}`);
+    console.log();
+    console.log(`  ${chalk13.bold("Commands")}`);
+    console.log();
+    for (const [cmd, desc] of Object.entries(DESCRIPTIONS)) {
+      console.log(`  ${chalk13.green(cmd.padEnd(14))}  ${chalk13.dim(desc)}`);
+    }
+    console.log();
+    console.log(`  ${chalk13.dim("Run")}  ${chalk13.cyan("npx aegis-auth <command> --help")}  ${chalk13.dim("for more info.")}`);
+    console.log();
+    return;
+  }
+  const handler = COMMANDS[command];
+  if (!handler) {
+    console.error(`
+  ${chalk13.red("Unknown command:")} ${chalk13.yellow(command)}`);
+    console.error(`  Run ${chalk13.cyan("npx aegis-auth --help")} for available commands.
+`);
+    process.exit(1);
+  }
+  await handler();
+}
+main().catch((err) => {
+  console.error(`
+  ${chalk13.red("Unexpected error:")} ${err.message}
+`);
+  process.exit(1);
+});