@augmenting-integrations/create-spoke 8.3.0

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,80 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+import process from "process";
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  let name;
+  let slug;
+  let subdomain;
+  for (const a of args) {
+    if (a.startsWith("--slug=")) slug = a.slice("--slug=".length);
+    else if (a.startsWith("--subdomain=")) subdomain = a.slice("--subdomain=".length);
+    else if (!a.startsWith("--")) name = a;
+  }
+  if (!name) {
+    console.error("Usage: create-spoke <name> [--slug=foo] [--subdomain=bar]");
+    process.exit(1);
+  }
+  const safeName = name.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+  return {
+    name,
+    slug: slug ?? safeName,
+    subdomain: subdomain ?? safeName.split("-")[0]
+  };
+}
+function templatesDir() {
+  const here = fileURLToPath(import.meta.url);
+  return path.resolve(path.dirname(here), "..", "templates");
+}
+function ensureEmptyDir(target) {
+  if (fs.existsSync(target)) {
+    const entries = fs.readdirSync(target);
+    if (entries.length > 0) {
+      console.error(`Refusing to write into non-empty directory: ${target}`);
+      process.exit(1);
+    }
+  } else {
+    fs.mkdirSync(target, { recursive: true });
+  }
+}
+function replaceVars(content, flags) {
+  return content.replace(/__SPOKE_NAME__/g, flags.name).replace(/__SPOKE_SLUG__/g, flags.slug).replace(/__SPOKE_SUBDOMAIN__/g, flags.subdomain);
+}
+function copyTree(src, dst, flags) {
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, entry.name);
+    const baseName = entry.name.endsWith(".tmpl") ? entry.name.slice(0, -".tmpl".length) : entry.name;
+    const dstPath = path.join(dst, replaceVars(baseName, flags));
+    if (entry.isDirectory()) {
+      fs.mkdirSync(dstPath, { recursive: true });
+      copyTree(srcPath, dstPath, flags);
+    } else {
+      const raw = fs.readFileSync(srcPath, "utf8");
+      fs.writeFileSync(dstPath, replaceVars(raw, flags), "utf8");
+    }
+  }
+}
+function main() {
+  const flags = parseArgs(process.argv);
+  const target = path.resolve(process.cwd(), flags.name);
+  ensureEmptyDir(target);
+  const templates = templatesDir();
+  if (!fs.existsSync(templates)) {
+    console.error(`Templates directory missing at ${templates}. Re-install the CLI.`);
+    process.exit(1);
+  }
+  copyTree(templates, target, flags);
+  console.log(`Created spoke "${flags.name}" at ${target}`);
+  console.log("");
+  console.log("Next steps:");
+  console.log(`  cd ${flags.name}`);
+  console.log("  cp .env.example .env  # fill in tenant values");
+  console.log("  pnpm install");
+  console.log("  pnpm dev");
+}
+main();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli.ts"],"sourcesContent":["import * as fs from \"node:fs\";\nimport * as path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport process from \"node:process\";\n\n// =============================================================================\n// create-spoke -- scaffold a new product subdomain for an augint tenant.\n//\n// Usage:\n//   pnpm dlx @augmenting-integrations/create-spoke <name> [--slug=foo] [--subdomain=bar]\n//\n// Writes a minimal but deployable Next.js 16 app to ./<name>/ with:\n//   - package.json (latest @augmenting-integrations/* peer deps)\n//   - tsconfig.json + next.config.ts + .gitignore + .env.example\n//   - src/proxy.ts (default-export auth proxy)\n//   - src/lib/{auth,db,users}.ts wired to loadTenantConfig + canonical factory\n//   - src/app/{layout,page,Providers}.tsx with TenantBootScript + TenantProvider\n//   - src/app/api/auth/[...nextauth]/route.ts + /api/auth/me/route.ts\n//   - src/app/api/billing/* (route re-exports of the library factory)\n//   - prisma/schema.prisma with the canonical fragments\n//   - prisma/seed.mjs with the STAGE gate\n//   - README.md explaining \"fill in .env, run pnpm install, pnpm dev\"\n//\n// Out of scope (manual follow-up, documented in the generated README):\n//   - template.yaml (per-tenant infra varies; we ship a stub)\n//   - GitHub workflow (we ship a minimal deploy.yml stub)\n//   - DNS / Cognito / Aurora provisioning (tenant infra repo's job)\n// =============================================================================\n\ntype Flags = {\n  name: string;\n  slug: string;\n  subdomain: string;\n};\n\nfunction parseArgs(argv: string[]): Flags {\n  const args = argv.slice(2);\n  let name: string | undefined;\n  let slug: string | undefined;\n  let subdomain: string | undefined;\n  for (const a of args) {\n    if (a.startsWith(\"--slug=\")) slug = a.slice(\"--slug=\".length);\n    else if (a.startsWith(\"--subdomain=\")) subdomain = a.slice(\"--subdomain=\".length);\n    else if (!a.startsWith(\"--\")) name = a;\n  }\n  if (!name) {\n    console.error(\"Usage: create-spoke <name> [--slug=foo] [--subdomain=bar]\");\n    process.exit(1);\n  }\n  // Defaults: slug = name lowercased, subdomain = first segment of slug.\n  const safeName = name.toLowerCase().replace(/[^a-z0-9-]/g, \"-\");\n  return {\n    name,\n    slug: slug ?? safeName,\n    subdomain: subdomain ?? safeName.split(\"-\")[0]!,\n  };\n}\n\nfunction templatesDir(): string {\n  // dist/cli.js lives at <pkg>/dist/cli.js; templates at <pkg>/templates.\n  const here = fileURLToPath(import.meta.url);\n  return path.resolve(path.dirname(here), \"..\", \"templates\");\n}\n\nfunction ensureEmptyDir(target: string): void {\n  if (fs.existsSync(target)) {\n    const entries = fs.readdirSync(target);\n    if (entries.length > 0) {\n      console.error(`Refusing to write into non-empty directory: ${target}`);\n      process.exit(1);\n    }\n  } else {\n    fs.mkdirSync(target, { recursive: true });\n  }\n}\n\nfunction replaceVars(content: string, flags: Flags): string {\n  return content\n    .replace(/__SPOKE_NAME__/g, flags.name)\n    .replace(/__SPOKE_SLUG__/g, flags.slug)\n    .replace(/__SPOKE_SUBDOMAIN__/g, flags.subdomain);\n}\n\nfunction copyTree(src: string, dst: string, flags: Flags): void {\n  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {\n    const srcPath = path.join(src, entry.name);\n    // Strip the \".tmpl\" suffix from file names so the templates can ship as\n    // .tmpl in npm (avoids npm's package-content guards rejecting bare\n    // package.json / .env inside the templates dir).\n    const baseName = entry.name.endsWith(\".tmpl\")\n      ? entry.name.slice(0, -\".tmpl\".length)\n      : entry.name;\n    const dstPath = path.join(dst, replaceVars(baseName, flags));\n    if (entry.isDirectory()) {\n      fs.mkdirSync(dstPath, { recursive: true });\n      copyTree(srcPath, dstPath, flags);\n    } else {\n      const raw = fs.readFileSync(srcPath, \"utf8\");\n      fs.writeFileSync(dstPath, replaceVars(raw, flags), \"utf8\");\n    }\n  }\n}\n\nfunction main(): void {\n  const flags = parseArgs(process.argv);\n  const target = path.resolve(process.cwd(), flags.name);\n  ensureEmptyDir(target);\n  const templates = templatesDir();\n  if (!fs.existsSync(templates)) {\n    console.error(`Templates directory missing at ${templates}. Re-install the CLI.`);\n    process.exit(1);\n  }\n  copyTree(templates, target, flags);\n  console.log(`Created spoke \"${flags.name}\" at ${target}`);\n  console.log(\"\");\n  console.log(\"Next steps:\");\n  console.log(`  cd ${flags.name}`);\n  console.log(\"  cp .env.example .env  # fill in tenant values\");\n  console.log(\"  pnpm install\");\n  console.log(\"  pnpm dev\");\n}\n\nmain();\n"],"mappings":";;;AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AACtB,SAAS,qBAAqB;AAC9B,OAAO,aAAa;AAgCpB,SAAS,UAAU,MAAuB;AACxC,QAAM,OAAO,KAAK,MAAM,CAAC;AACzB,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,WAAW,SAAS,EAAG,QAAO,EAAE,MAAM,UAAU,MAAM;AAAA,aACnD,EAAE,WAAW,cAAc,EAAG,aAAY,EAAE,MAAM,eAAe,MAAM;AAAA,aACvE,CAAC,EAAE,WAAW,IAAI,EAAG,QAAO;AAAA,EACvC;AACA,MAAI,CAAC,MAAM;AACT,YAAQ,MAAM,2DAA2D;AACzE,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,WAAW,KAAK,YAAY,EAAE,QAAQ,eAAe,GAAG;AAC9D,SAAO;AAAA,IACL;AAAA,IACA,MAAM,QAAQ;AAAA,IACd,WAAW,aAAa,SAAS,MAAM,GAAG,EAAE,CAAC;AAAA,EAC/C;AACF;AAEA,SAAS,eAAuB;AAE9B,QAAM,OAAO,cAAc,YAAY,GAAG;AAC1C,SAAY,aAAa,aAAQ,IAAI,GAAG,MAAM,WAAW;AAC3D;AAEA,SAAS,eAAe,QAAsB;AAC5C,MAAO,cAAW,MAAM,GAAG;AACzB,UAAM,UAAa,eAAY,MAAM;AACrC,QAAI,QAAQ,SAAS,GAAG;AACtB,cAAQ,MAAM,+CAA+C,MAAM,EAAE;AACrE,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,OAAO;AACL,IAAG,aAAU,QAAQ,EAAE,WAAW,KAAK,CAAC;AAAA,EAC1C;AACF;AAEA,SAAS,YAAY,SAAiB,OAAsB;AAC1D,SAAO,QACJ,QAAQ,mBAAmB,MAAM,IAAI,EACrC,QAAQ,mBAAmB,MAAM,IAAI,EACrC,QAAQ,wBAAwB,MAAM,SAAS;AACpD;AAEA,SAAS,SAAS,KAAa,KAAa,OAAoB;AAC9D,aAAW,SAAY,eAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,UAAM,UAAe,UAAK,KAAK,MAAM,IAAI;AAIzC,UAAM,WAAW,MAAM,KAAK,SAAS,OAAO,IACxC,MAAM,KAAK,MAAM,GAAG,CAAC,QAAQ,MAAM,IACnC,MAAM;AACV,UAAM,UAAe,UAAK,KAAK,YAAY,UAAU,KAAK,CAAC;AAC3D,QAAI,MAAM,YAAY,GAAG;AACvB,MAAG,aAAU,SAAS,EAAE,WAAW,KAAK,CAAC;AACzC,eAAS,SAAS,SAAS,KAAK;AAAA,IAClC,OAAO;AACL,YAAM,MAAS,gBAAa,SAAS,MAAM;AAC3C,MAAG,iBAAc,SAAS,YAAY,KAAK,KAAK,GAAG,MAAM;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,SAAS,OAAa;AACpB,QAAM,QAAQ,UAAU,QAAQ,IAAI;AACpC,QAAM,SAAc,aAAQ,QAAQ,IAAI,GAAG,MAAM,IAAI;AACrD,iBAAe,MAAM;AACrB,QAAM,YAAY,aAAa;AAC/B,MAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,YAAQ,MAAM,kCAAkC,SAAS,uBAAuB;AAChF,YAAQ,KAAK,CAAC;AAAA,EAChB;AACA,WAAS,WAAW,QAAQ,KAAK;AACjC,UAAQ,IAAI,kBAAkB,MAAM,IAAI,QAAQ,MAAM,EAAE;AACxD,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,aAAa;AACzB,UAAQ,IAAI,QAAQ,MAAM,IAAI,EAAE;AAChC,UAAQ,IAAI,iDAAiD;AAC7D,UAAQ,IAAI,gBAAgB;AAC5B,UAAQ,IAAI,YAAY;AAC1B;AAEA,KAAK;","names":[]}

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@augmenting-integrations/create-spoke",
+  "version": "8.3.0",
+  "description": "Scaffold a new product subdomain (spoke) for an augint-* tenant. Generates a Next 16 + Auth.js v5 app with TenantConfig wired up, library-owned route handlers, a Prisma canonical schema fragment, and a deployable template.yaml + GitHub workflow. Single command: pnpm dlx @augmenting-integrations/create-spoke my-spoke.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "bin": {
+    "create-spoke": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "clean": "rm -rf dist",
+    "test": "vitest run --passWithNoTests"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.5"
+  }
+}

package/templates/.env.example.tmpl

@@ -0,0 +1,25 @@
+# Tenant identity (everything else flows from these)
+APP_DOMAIN=__SPOKE_SUBDOMAIN__.tenant.example.com
+APP_SLUG=__SPOKE_SLUG__
+APEX_DOMAIN=tenant.example.com
+AUTH_COOKIE_DOMAIN=.tenant.example.com
+AUTH_ALLOWED_PARENT_DOMAIN=.tenant.example.com
+
+# AWS resources (typically pulled from SSM in deployed Lambda; local dev only)
+AWS_REGION=us-east-1
+AUTH_SECRET_ARN=
+AUTH_COGNITO_ID=
+AUTH_COGNITO_ISSUER=
+DB_SECRET_ARN=
+DB_HOST=
+DB_NAME=
+APP_REGISTRY_TABLE=
+STRIPE_SECRET_ARN=
+STRIPE_WEBHOOK_SECRET_ARN=
+
+# Comma-separated emails auto-promoted to role=admin on first sign-in
+ADMIN_EMAILS=
+
+# Local-dev fallback for testing without Secrets Manager
+AUTH_SECRET=dev-only-fallback-not-for-prod
+NODE_ENV=development

package/templates/.gitignore.tmpl

@@ -0,0 +1,9 @@
+node_modules
+.next
+.env
+.env.local
+*.log
+.DS_Store
+prisma/migrations
+prisma/dev.db
+.vercel

package/templates/README.md.tmpl

@@ -0,0 +1,47 @@
+# __SPOKE_NAME__
+
+Generated by `@augmenting-integrations/create-spoke`. This is a Next.js 16
+product subdomain ("spoke") inside an augint tenant. Auth, billing, and
+admin route handlers come from `@augmenting-integrations/*` libraries —
+your job is the product surface in `src/app/` plus any product-specific
+Prisma models.
+
+## Local dev
+
+```bash
+cp .env.example .env
+# fill in the tenant identity values; AWS creds may stay blank for local dev
+pnpm install
+pnpm dev
+```
+
+You should see `Not signed in.` on `/`. Sign-in flow requires a working
+apex (the apex app is the only OAuth callback in the tenant — it sets the
+shared cookie and redirects you back).
+
+## Per-tenant adoption checklist
+
+1. **Tenant identity** in `.env` — replace `tenant.example.com` with your real apex.
+2. **AWS resources** — `AUTH_SECRET_ARN`, `DB_SECRET_ARN`, Cognito ids, etc. come from your tenant infra stack (the same SSM params the apex reads).
+3. **Prisma** — `prisma/schema.prisma` ships with canonical User/Invitation/PaymentMethod/CreditTransaction. Add your product models below the marker comment.
+4. **Brand** — drop a `config/brand.json` in if you want this spoke's name in the chrome.
+5. **App registry** — register this spoke in your apex's DynamoDB app registry (slug `__SPOKE_SLUG__`, subdomain `__SPOKE_SUBDOMAIN__`).
+
+## Deploy
+
+This scaffold ships only the application code. Infrastructure (CloudFront
+distribution, Lambda runtime, Aurora cluster + RDS Proxy, migrate-runner
+Lambda) is per-tenant and varies; copy the `template.yaml` from your
+tenant's other spokes (e.g. the example leads-marketplace) and edit the
+slug + subdomain.
+
+## What you can NOT customize without diverging from the library
+
+- Canonical schema fields (`User.credit_balance`, `CreditTransaction.type`,
+  `PaymentMethod.stripe_payment_method_id`, etc.). The library's billing
+  factory assumes these.
+- `/api/billing/*` URL paths (the client widgets bake them in).
+- Auth.js v5 + Cognito as the provider chain.
+
+For product-specific routes (`/api/leads`, `/api/quotes`, `/api/products`),
+add them under `src/app/api/` — they're yours to design.

package/templates/next.config.ts.tmpl

@@ -0,0 +1,11 @@
+import type { NextConfig } from "next";
+
+const nextConfig: NextConfig = {
+  output: "standalone",
+  // Pin trace root to this app. Next 16 otherwise detects a parent monorepo
+  // and emits .next/standalone/<pkg>/server.js. Our run.sh + Makefile assume
+  // a flat .next/standalone/server.js root.
+  outputFileTracingRoot: process.cwd(),
+};
+
+export default nextConfig;

package/templates/package.json.tmpl

@@ -0,0 +1,35 @@
+{
+  "name": "__SPOKE_NAME__",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "eslint .",
+    "type-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@augmenting-integrations/auth": "^8.0.0",
+    "@augmenting-integrations/aws": "^8.0.0",
+    "@augmenting-integrations/billing": "^8.0.0",
+    "@augmenting-integrations/brand": "^8.0.0",
+    "@augmenting-integrations/db-secret-loader": "^8.0.0",
+    "@augmenting-integrations/themes": "^8.0.0",
+    "@augmenting-integrations/ui": "^8.0.0",
+    "@prisma/client": "^6.0.0",
+    "next": "^16.2.5",
+    "next-auth": "^5.0.0-beta.31",
+    "react": "^19.2.0",
+    "react-dom": "^19.2.0",
+    "zod": "^4.1.7"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "prisma": "^6.0.0",
+    "typescript": "^5.7.2"
+  }
+}

package/templates/prisma/schema.prisma.tmpl

@@ -0,0 +1,97 @@
+// Canonical schema fragment + your product models below.
+// The User / Invitation / PaymentMethod / CreditTransaction / ActivityLog
+// shapes are what @augmenting-integrations/auth + /billing assume.
+// Modify ONLY the product models section.
+
+generator client {
+  provider      = "prisma-client-js"
+  binaryTargets = ["native", "rhel-openssl-3.0.x"]
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+// ---------------- Canonical: required by @augmenting-integrations ----------------
+
+model User {
+  id                                     BigInt    @id @default(autoincrement())
+  email                                  String    @unique
+  name                                   String
+  role                                   String    @default("member")
+  is_active                              Boolean   @default(true)
+  must_change_password                   Boolean   @default(false)
+  parent_id                              BigInt?
+  credit_balance                         Decimal   @default(0) @db.Decimal(12, 2)
+  password_hash                          String    @default("")
+  zapier_api_key                         String?
+  stripe_customer_id                     String?   @unique
+  stripe_default_payment_method          String?
+  stripe_default_payment_method_display  String?
+  auto_recharge_enabled                  Boolean   @default(false)
+  auto_recharge_threshold                Decimal?  @db.Decimal(12, 2)
+  auto_recharge_amount                   Decimal?  @db.Decimal(12, 2)
+  created_at                             DateTime  @default(now())
+  updated_at                             DateTime  @updatedAt
+  parent                                 User?     @relation("UserHierarchy", fields: [parent_id], references: [id])
+  children                               User[]    @relation("UserHierarchy")
+  payment_methods                        PaymentMethod[]
+  credit_transactions                    CreditTransaction[]
+  activity_log                           ActivityLog[]
+  invitations_sent                       Invitation[] @relation("InviterRelation")
+}
+
+model Invitation {
+  id            BigInt   @id @default(autoincrement())
+  email         String
+  token         String   @unique
+  inviter_id    BigInt
+  intended_role String
+  expires_at    DateTime
+  accepted_at   DateTime?
+  accepted_by_user_id BigInt?
+  created_at    DateTime @default(now())
+  inviter       User     @relation("InviterRelation", fields: [inviter_id], references: [id])
+}
+
+model PaymentMethod {
+  id                       BigInt   @id @default(autoincrement())
+  user_id                  BigInt
+  stripe_payment_method_id String   @unique
+  brand                    String
+  last4                    String
+  exp_month                Int
+  exp_year                 Int
+  is_default               Boolean  @default(false)
+  created_at               DateTime @default(now())
+  user                     User     @relation(fields: [user_id], references: [id], onDelete: Cascade)
+}
+
+model CreditTransaction {
+  id                       BigInt   @id @default(autoincrement())
+  user_id                  BigInt
+  type                     String
+  amount                   Decimal  @db.Decimal(12, 2)
+  description              String?
+  stripe_payment_intent_id String?  @unique
+  payment_method_display   String?
+  created_at               DateTime @default(now())
+  user                     User     @relation(fields: [user_id], references: [id], onDelete: Cascade)
+}
+
+model ActivityLog {
+  id         BigInt   @id @default(autoincrement())
+  user_id    BigInt
+  action     String
+  metadata   Json?
+  created_at DateTime @default(now())
+  user       User     @relation(fields: [user_id], references: [id], onDelete: Cascade)
+}
+
+// ---------------- Product-specific models (yours to design) ----------------
+
+// model __SPOKE_SLUG___Item {
+//   id BigInt @id @default(autoincrement())
+//   ...
+// }

package/templates/prisma/seed.mjs.tmpl

@@ -0,0 +1,41 @@
+import { PrismaClient } from "@prisma/client";
+
+const prisma = new PrismaClient();
+
+async function main() {
+  // Refuse to seed outside staging. Without this gate, a CI run with
+  // STAGE=prod could fire seeds into a real customer database. Pair with
+  // the migrate-runner Lambda which always passes STAGE in env.
+  if (process.env.STAGE && process.env.STAGE !== "staging") {
+    console.log(`Seed: refusing to run in stage=${process.env.STAGE}`);
+    return;
+  }
+  const adminEmails = (process.env.ADMIN_EMAILS ?? "")
+    .split(",")
+    .map((s) => s.trim().toLowerCase())
+    .filter(Boolean);
+
+  for (const email of adminEmails) {
+    await prisma.user.upsert({
+      where: { email },
+      update: { role: "admin" },
+      create: {
+        email,
+        name: email.split("@")[0],
+        role: "admin",
+        is_active: true,
+        credit_balance: 500,
+      },
+    });
+    console.log(`Seeded admin: ${email}`);
+  }
+}
+
+main()
+  .catch((e) => {
+    console.error(e);
+    process.exit(1);
+  })
+  .finally(async () => {
+    await prisma.$disconnect();
+  });

package/templates/src/app/Providers.tsx.tmpl

@@ -0,0 +1,25 @@
+"use client";
+
+import * as React from "react";
+import type { Session } from "next-auth";
+import { SessionProvider } from "@augmenting-integrations/ui";
+import {
+  TenantProvider,
+  type TenantPublicConfig,
+} from "@augmenting-integrations/auth/client";
+
+export function Providers({
+  children,
+  session,
+  tenant,
+}: {
+  children: React.ReactNode;
+  session: Session | null;
+  tenant: TenantPublicConfig;
+}) {
+  return (
+    <TenantProvider tenant={tenant}>
+      <SessionProvider session={session}>{children}</SessionProvider>
+    </TenantProvider>
+  );
+}

package/templates/src/app/api/admin/users/[id]/impersonate/route.ts.tmpl

@@ -0,0 +1,13 @@
+import { createImpersonateHandlers } from "@augmenting-integrations/auth/server";
+import { auth } from "@/lib/auth";
+import { getDb } from "@/lib/db";
+import { getOrCreateAppUser } from "@/lib/users";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { POST, DELETE } = createImpersonateHandlers({
+  auth,
+  getDb: getDb as never,
+  getOrCreateAppUser: getOrCreateAppUser as never,
+});

package/templates/src/app/api/auth/[...nextauth]/route.ts.tmpl

@@ -0,0 +1,5 @@
+// Spokes don't actually serve /api/auth/callback (the apex does), but they
+// need this file present so internal Auth.js calls (signIn, signOut) work.
+import { handlers } from "@/lib/auth";
+
+export const { GET, POST } = handlers;

package/templates/src/app/api/auth/me/route.ts.tmpl

@@ -0,0 +1,13 @@
+import { createMeHandler } from "@augmenting-integrations/auth/server";
+import { auth } from "@/lib/auth";
+import { getDb } from "@/lib/db";
+import { getOrCreateAppUser } from "@/lib/users";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = createMeHandler({
+  auth,
+  getDb: getDb as never,
+  getOrCreateAppUser: getOrCreateAppUser as never,
+});

package/templates/src/app/api/billing/auto-recharge/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { PATCH } = billingHandlers.autoRecharge;

package/templates/src/app/api/billing/balance/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = billingHandlers.balance;

package/templates/src/app/api/billing/payment-intent/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { POST } = billingHandlers.paymentIntent;

package/templates/src/app/api/billing/payment-methods/[id]/default/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { PATCH } = billingHandlers.paymentMethodDefault;

package/templates/src/app/api/billing/payment-methods/[id]/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { DELETE } = billingHandlers.paymentMethodById;

package/templates/src/app/api/billing/payment-methods/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = billingHandlers.paymentMethods;

package/templates/src/app/api/billing/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = billingHandlers.aggregate;

package/templates/src/app/api/billing/setup-intent/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { POST } = billingHandlers.setupIntent;

package/templates/src/app/api/billing/stripe-webhook/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { POST } = billingHandlers.webhook;

package/templates/src/app/api/billing/transactions/route.ts.tmpl

@@ -0,0 +1,6 @@
+import { billingHandlers } from "@/lib/billing";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = billingHandlers.transactions;

package/templates/src/app/api/invitations/[token]/route.ts.tmpl

@@ -0,0 +1,7 @@
+import { createInvitationHandlers } from "@augmenting-integrations/auth/server";
+import { getDb } from "@/lib/db";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET, POST } = createInvitationHandlers({ getDb: getDb as never });

package/templates/src/app/globals.css.tmpl

@@ -0,0 +1,44 @@
+@import "tailwindcss";
+
+@source "../../node_modules/@augmenting-integrations/ui/dist";
+@source "../../node_modules/@augmenting-integrations/auth/dist";
+@source "../../node_modules/@augmenting-integrations/billing/dist";
+@source "../../node_modules/@augmenting-integrations/brand/dist";
+
+@custom-variant dark (&:where(.dark, .dark *));
+
+@theme inline {
+  --color-background: var(--background);
+  --color-foreground: var(--foreground);
+  --color-primary: var(--primary);
+  --color-primary-foreground: var(--primary-foreground);
+  --color-secondary: var(--secondary);
+  --color-secondary-foreground: var(--secondary-foreground);
+  --color-muted: var(--muted);
+  --color-muted-foreground: var(--muted-foreground);
+  --color-accent: var(--accent);
+  --color-accent-foreground: var(--accent-foreground);
+  --color-destructive: var(--destructive);
+  --color-destructive-foreground: var(--destructive-foreground);
+  --color-success: var(--success);
+  --color-success-foreground: var(--success-foreground);
+  --color-warning: var(--warning);
+  --color-warning-foreground: var(--warning-foreground);
+  --color-info: var(--info);
+  --color-info-foreground: var(--info-foreground);
+  --color-border: var(--border);
+}
+
+:root {
+  --background: oklch(0.99 0 0);
+  --foreground: oklch(0.15 0 0);
+  --primary: oklch(0.55 0.18 250);
+  --primary-foreground: oklch(0.98 0 0);
+  --border: oklch(0.9 0 0);
+}
+
+.dark {
+  --background: oklch(0.12 0.02 240);
+  --foreground: oklch(0.95 0 0);
+  --border: oklch(0.25 0 0);
+}

package/templates/src/app/layout.tsx.tmpl

@@ -0,0 +1,42 @@
+import type { Metadata } from "next";
+import { cookies } from "next/headers";
+import {
+  THEME_COOKIE_KEY,
+  THEME_VARIANT_COOKIE_KEY,
+} from "@augmenting-integrations/themes";
+import { ThemeBootScript } from "@augmenting-integrations/ui";
+import { TenantBootScript, publicSubset } from "@augmenting-integrations/auth/server";
+import { auth, tenant } from "@/lib/auth";
+import { Providers } from "./Providers";
+import "./globals.css";
+
+export const metadata: Metadata = {
+  title: { default: "__SPOKE_NAME__", template: "%s — __SPOKE_NAME__" },
+};
+
+export default async function RootLayout({ children }: { children: React.ReactNode }) {
+  const [session, cookieStore] = await Promise.all([auth(), cookies()]);
+  const themeName = cookieStore.get(THEME_COOKIE_KEY)?.value ?? "default";
+  const variantCookie = cookieStore.get(THEME_VARIANT_COOKIE_KEY)?.value;
+  const variant: "dark" | "light" =
+    variantCookie === "dark" || variantCookie === "light" ? variantCookie : "light";
+  const publicTenant = publicSubset(tenant);
+  return (
+    <html
+      lang="en"
+      data-theme={themeName}
+      className={variant === "dark" ? "dark" : undefined}
+      suppressHydrationWarning
+    >
+      <head>
+        <TenantBootScript config={publicTenant} />
+        <ThemeBootScript />
+      </head>
+      <body>
+        <Providers session={session} tenant={publicTenant}>
+          {children}
+        </Providers>
+      </body>
+    </html>
+  );
+}

package/templates/src/app/page.tsx.tmpl

@@ -0,0 +1,36 @@
+import { auth, signOut } from "@/lib/auth";
+import { getOrCreateAppUser } from "@/lib/users";
+
+export const dynamic = "force-dynamic";
+
+export default async function Home() {
+  const session = await auth();
+  const user = session?.user ? await getOrCreateAppUser(session) : null;
+  return (
+    <main style={{ padding: "2rem", fontFamily: "system-ui" }}>
+      <h1>__SPOKE_NAME__</h1>
+      {user ? (
+        <>
+          <p>
+            Hello, <strong>{user.name}</strong> ({user.email}) — role:{" "}
+            <code>{user.role}</code>
+          </p>
+          <p>
+            Credit balance:{" "}
+            <strong>${Number(user.credit_balance).toFixed(2)}</strong>
+          </p>
+          <form
+            action={async () => {
+              "use server";
+              await signOut();
+            }}
+          >
+            <button type="submit">Sign out</button>
+          </form>
+        </>
+      ) : (
+        <p>Not signed in.</p>
+      )}
+    </main>
+  );
+}

package/templates/src/lib/auth.ts.tmpl

@@ -0,0 +1,15 @@
+import { createAuth, loadTenantConfig } from "@augmenting-integrations/auth/server";
+import { getSecret } from "@augmenting-integrations/aws/server";
+
+// Single tenant configuration source.
+export const tenant = loadTenantConfig({ role: "spoke" });
+
+// AUTH_SECRET lives in Secrets Manager in prod; dev falls back to a placeholder.
+const authSecret =
+  (await getSecret(tenant.authSecretArn)) ?? "dev-only-fallback-not-for-prod";
+
+export const { handlers, auth, signIn, signOut } = createAuth({
+  tenant,
+  authedRoutePrefixes: ["/"],
+  authSecret,
+});

package/templates/src/lib/billing.ts.tmpl

@@ -0,0 +1,11 @@
+import { createBillingHandlers } from "@augmenting-integrations/billing/server";
+import { auth } from "./auth.js";
+import { getDb } from "./db.js";
+import { getOrCreateAppUser } from "./users.js";
+
+// One factory call. Each /api/billing/* route file re-exports from this.
+export const billingHandlers = createBillingHandlers({
+  auth,
+  getDb: getDb as never,
+  getOrCreateAppUser: getOrCreateAppUser as never,
+});

package/templates/src/lib/db.ts.tmpl

@@ -0,0 +1,21 @@
+import { PrismaClient } from "@prisma/client";
+import { loadDatabaseUrl } from "@augmenting-integrations/db-secret-loader";
+import { tenant } from "./auth.js";
+
+// Lazy singleton. Lambda container reuse caches the client.
+let _db: Promise<PrismaClient> | undefined;
+
+export async function getDb(): Promise<PrismaClient> {
+  if (!_db) {
+    _db = (async () => {
+      const url = await loadDatabaseUrl({
+        secretArn: tenant.dbSecretArn,
+        host: tenant.dbHost,
+        dbName: tenant.dbName,
+        fallbackUrl: process.env.DATABASE_URL,
+      });
+      return new PrismaClient({ datasources: { db: { url } } });
+    })();
+  }
+  return _db;
+}

package/templates/src/lib/users.ts.tmpl

@@ -0,0 +1,21 @@
+import { createGetOrCreateAppUser } from "@augmenting-integrations/auth/server";
+import { getDb } from "./db.js";
+
+// Default $500 for admins/owners, $100 for everyone else. Tune per spoke.
+function computeCreditBalance(role: string): number {
+  if (role === "admin" || role === "owner") return 500;
+  return 100;
+}
+
+export const getOrCreateAppUser = createGetOrCreateAppUser({
+  db: getDb,
+  defaultRole: "member",
+  computeCreditBalance,
+  adminEmails: (process.env.ADMIN_EMAILS ?? "")
+    .split(",")
+    .map((s) => s.trim().toLowerCase())
+    .filter(Boolean),
+  extraCreateFields: { is_active: true, must_change_password: false },
+});
+
+export type { AppUser } from "@augmenting-integrations/auth/server";

package/templates/src/proxy.ts.tmpl

@@ -0,0 +1,10 @@
+// Next 16: this file must be at src/proxy.ts as a DEFAULT export. The
+// @augmenting-integrations/auth package's createAuth() returns a value
+// containing the proxy; we re-export it directly.
+import { auth } from "./lib/auth.js";
+
+export default auth;
+
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|api/auth/).*)"],
+};

package/templates/tsconfig.json.tmpl

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": false,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}