npm - @augmenting-integrations/create-tenant - Versions diffs - 0.0.0 - Mend

@augmenting-integrations/create-tenant 0.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/cli.d.ts +2 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +77 -0
package/dist/cli.js.map +1 -0
package/package.json +29 -0
package/templates/.env.example.tmpl +22 -0
package/templates/.gitignore.tmpl +7 -0
package/templates/README.md.tmpl +44 -0
package/templates/next.config.ts.tmpl +8 -0
package/templates/package.json.tmpl +31 -0
package/templates/src/app/Providers.tsx.tmpl +25 -0
package/templates/src/app/api/apps/route.ts.tmpl +7 -0
package/templates/src/app/api/auth/[...nextauth]/route.ts.tmpl +6 -0
package/templates/src/app/globals.css.tmpl +22 -0
package/templates/src/app/layout.tsx.tmpl +42 -0
package/templates/src/app/login/page.tsx.tmpl +26 -0
package/templates/src/app/page.tsx.tmpl +14 -0
package/templates/src/lib/auth.ts.tmpl +20 -0
package/templates/src/proxy.ts.tmpl +7 -0
package/templates/tsconfig.json.tmpl +21 -0

package/dist/cli.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+// src/cli.ts
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+import process from "process";
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  let name;
+  let apex;
+  for (const a of args) {
+    if (a.startsWith("--apex=")) apex = a.slice("--apex=".length);
+    else if (!a.startsWith("--")) name = a;
+  }
+  if (!name) {
+    console.error("Usage: create-tenant <name> [--apex=tenant.example.com]");
+    process.exit(1);
+  }
+  return { name, apex: apex ?? `${name}.example.com` };
+}
+function templatesDir() {
+  const here = fileURLToPath(import.meta.url);
+  return path.resolve(path.dirname(here), "..", "templates");
+}
+function ensureEmptyDir(target) {
+  if (fs.existsSync(target)) {
+    const entries = fs.readdirSync(target);
+    if (entries.length > 0) {
+      console.error(`Refusing to write into non-empty directory: ${target}`);
+      process.exit(1);
+    }
+  } else {
+    fs.mkdirSync(target, { recursive: true });
+  }
+}
+function replaceVars(content, flags) {
+  return content.replace(/__TENANT_NAME__/g, flags.name).replace(/__TENANT_APEX__/g, flags.apex).replace(/__TENANT_PARENT__/g, `.${flags.apex}`);
+}
+function copyTree(src, dst, flags) {
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, entry.name);
+    const baseName = entry.name.endsWith(".tmpl") ? entry.name.slice(0, -".tmpl".length) : entry.name;
+    const dstPath = path.join(dst, replaceVars(baseName, flags));
+    if (entry.isDirectory()) {
+      fs.mkdirSync(dstPath, { recursive: true });
+      copyTree(srcPath, dstPath, flags);
+    } else {
+      const raw = fs.readFileSync(srcPath, "utf8");
+      fs.writeFileSync(dstPath, replaceVars(raw, flags), "utf8");
+    }
+  }
+}
+function main() {
+  const flags = parseArgs(process.argv);
+  const target = path.resolve(process.cwd(), flags.name);
+  ensureEmptyDir(target);
+  const templates = templatesDir();
+  if (!fs.existsSync(templates)) {
+    console.error(`Templates directory missing at ${templates}. Re-install the CLI.`);
+    process.exit(1);
+  }
+  copyTree(templates, target, flags);
+  console.log(`Created apex "${flags.name}" at ${target}`);
+  console.log(`Apex domain: ${flags.apex}`);
+  console.log("");
+  console.log("Next steps:");
+  console.log(`  cd ${flags.name}`);
+  console.log("  cp .env.example .env  # fill in Cognito ARNs + AWS resources");
+  console.log("  pnpm install");
+  console.log("  pnpm dev");
+  console.log("");
+  console.log("Then provision tenant infra (Cognito + DNS + registry table):");
+  console.log("  see README.md");
+}
+main();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/cli.ts"],"sourcesContent":["import * as fs from \"node:fs\";\nimport * as path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport process from \"node:process\";\n\n// =============================================================================\n// create-tenant -- scaffold a new tenant apex app.\n//\n// Usage:\n// pnpm dlx @augmenting-integrations/create-tenant <name> [--apex=foo.com]\n//\n// Writes a minimal but deployable Next 16 apex to ./<name>/ that:\n// - Mounts /api/auth/[...nextauth] -- the ONLY Cognito OAuth callback in\n// the tenant ecosystem\n// - Exposes /api/apps (registry auto-discovery, read by every spoke's\n// AppShell) and /api/admin/apps (admin-only CRUD)\n// - Wires loadTenantConfig({ role: \"apex\" }) + TenantBootScript +\n// TenantProvider so spokes can read the same tenant struct\n// - Includes a /studio admin landing page stub\n//\n// Out of scope (manual follow-up, documented in the generated README):\n// - Cognito User Pool + App Client provisioning\n// - DNS hosted zone + cert\n// - App registry DynamoDB table\n// - GitHub OIDC role for deploys\n// - First spoke (use create-spoke for each product subdomain)\n// =============================================================================\n\ntype Flags = {\n name: string;\n apex: string;\n};\n\nfunction parseArgs(argv: string[]): Flags {\n const args = argv.slice(2);\n let name: string | undefined;\n let apex: string | undefined;\n for (const a of args) {\n if (a.startsWith(\"--apex=\")) apex = a.slice(\"--apex=\".length);\n else if (!a.startsWith(\"--\")) name = a;\n }\n if (!name) {\n console.error(\"Usage: create-tenant <name> [--apex=tenant.example.com]\");\n process.exit(1);\n }\n return { name, apex: apex ?? `${name}.example.com` };\n}\n\nfunction templatesDir(): string {\n const here = fileURLToPath(import.meta.url);\n return path.resolve(path.dirname(here), \"..\", \"templates\");\n}\n\nfunction ensureEmptyDir(target: string): void {\n if (fs.existsSync(target)) {\n const entries = fs.readdirSync(target);\n if (entries.length > 0) {\n console.error(`Refusing to write into non-empty directory: ${target}`);\n process.exit(1);\n }\n } else {\n fs.mkdirSync(target, { recursive: true });\n }\n}\n\nfunction replaceVars(content: string, flags: Flags): string {\n return content\n .replace(/__TENANT_NAME__/g, flags.name)\n .replace(/__TENANT_APEX__/g, flags.apex)\n .replace(/__TENANT_PARENT__/g, `.${flags.apex}`);\n}\n\nfunction copyTree(src: string, dst: string, flags: Flags): void {\n for (const entry of fs.readdirSync(src, { withFileTypes: true })) {\n const srcPath = path.join(src, entry.name);\n const baseName = entry.name.endsWith(\".tmpl\")\n ? entry.name.slice(0, -\".tmpl\".length)\n : entry.name;\n const dstPath = path.join(dst, replaceVars(baseName, flags));\n if (entry.isDirectory()) {\n fs.mkdirSync(dstPath, { recursive: true });\n copyTree(srcPath, dstPath, flags);\n } else {\n const raw = fs.readFileSync(srcPath, \"utf8\");\n fs.writeFileSync(dstPath, replaceVars(raw, flags), \"utf8\");\n }\n }\n}\n\nfunction main(): void {\n const flags = parseArgs(process.argv);\n const target = path.resolve(process.cwd(), flags.name);\n ensureEmptyDir(target);\n const templates = templatesDir();\n if (!fs.existsSync(templates)) {\n console.error(`Templates directory missing at ${templates}. Re-install the CLI.`);\n process.exit(1);\n }\n copyTree(templates, target, flags);\n console.log(`Created apex \"${flags.name}\" at ${target}`);\n console.log(`Apex domain: ${flags.apex}`);\n console.log(\"\");\n console.log(\"Next steps:\");\n console.log(` cd ${flags.name}`);\n console.log(\" cp .env.example .env # fill in Cognito ARNs + AWS resources\");\n console.log(\" pnpm install\");\n console.log(\" pnpm dev\");\n console.log(\"\");\n console.log(\"Then provision tenant infra (Cognito + DNS + registry table):\");\n console.log(\" see README.md\");\n}\n\nmain();\n"],"mappings":";;;AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AACtB,SAAS,qBAAqB;AAC9B,OAAO,aAAa;AA8BpB,SAAS,UAAU,MAAuB;AACxC,QAAM,OAAO,KAAK,MAAM,CAAC;AACzB,MAAI;AACJ,MAAI;AACJ,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,WAAW,SAAS,EAAG,QAAO,EAAE,MAAM,UAAU,MAAM;AAAA,aACnD,CAAC,EAAE,WAAW,IAAI,EAAG,QAAO;AAAA,EACvC;AACA,MAAI,CAAC,MAAM;AACT,YAAQ,MAAM,yDAAyD;AACvE,YAAQ,KAAK,CAAC;AAAA,EAChB;AACA,SAAO,EAAE,MAAM,MAAM,QAAQ,GAAG,IAAI,eAAe;AACrD;AAEA,SAAS,eAAuB;AAC9B,QAAM,OAAO,cAAc,YAAY,GAAG;AAC1C,SAAY,aAAa,aAAQ,IAAI,GAAG,MAAM,WAAW;AAC3D;AAEA,SAAS,eAAe,QAAsB;AAC5C,MAAO,cAAW,MAAM,GAAG;AACzB,UAAM,UAAa,eAAY,MAAM;AACrC,QAAI,QAAQ,SAAS,GAAG;AACtB,cAAQ,MAAM,+CAA+C,MAAM,EAAE;AACrE,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,OAAO;AACL,IAAG,aAAU,QAAQ,EAAE,WAAW,KAAK,CAAC;AAAA,EAC1C;AACF;AAEA,SAAS,YAAY,SAAiB,OAAsB;AAC1D,SAAO,QACJ,QAAQ,oBAAoB,MAAM,IAAI,EACtC,QAAQ,oBAAoB,MAAM,IAAI,EACtC,QAAQ,sBAAsB,IAAI,MAAM,IAAI,EAAE;AACnD;AAEA,SAAS,SAAS,KAAa,KAAa,OAAoB;AAC9D,aAAW,SAAY,eAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAChE,UAAM,UAAe,UAAK,KAAK,MAAM,IAAI;AACzC,UAAM,WAAW,MAAM,KAAK,SAAS,OAAO,IACxC,MAAM,KAAK,MAAM,GAAG,CAAC,QAAQ,MAAM,IACnC,MAAM;AACV,UAAM,UAAe,UAAK,KAAK,YAAY,UAAU,KAAK,CAAC;AAC3D,QAAI,MAAM,YAAY,GAAG;AACvB,MAAG,aAAU,SAAS,EAAE,WAAW,KAAK,CAAC;AACzC,eAAS,SAAS,SAAS,KAAK;AAAA,IAClC,OAAO;AACL,YAAM,MAAS,gBAAa,SAAS,MAAM;AAC3C,MAAG,iBAAc,SAAS,YAAY,KAAK,KAAK,GAAG,MAAM;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,SAAS,OAAa;AACpB,QAAM,QAAQ,UAAU,QAAQ,IAAI;AACpC,QAAM,SAAc,aAAQ,QAAQ,IAAI,GAAG,MAAM,IAAI;AACrD,iBAAe,MAAM;AACrB,QAAM,YAAY,aAAa;AAC/B,MAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,YAAQ,MAAM,kCAAkC,SAAS,uBAAuB;AAChF,YAAQ,KAAK,CAAC;AAAA,EAChB;AACA,WAAS,WAAW,QAAQ,KAAK;AACjC,UAAQ,IAAI,iBAAiB,MAAM,IAAI,QAAQ,MAAM,EAAE;AACvD,UAAQ,IAAI,gBAAgB,MAAM,IAAI,EAAE;AACxC,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,aAAa;AACzB,UAAQ,IAAI,QAAQ,MAAM,IAAI,EAAE;AAChC,UAAQ,IAAI,gEAAgE;AAC5E,UAAQ,IAAI,gBAAgB;AAC5B,UAAQ,IAAI,YAAY;AACxB,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,+DAA+D;AAC3E,UAAQ,IAAI,iBAAiB;AAC/B;AAEA,KAAK;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,29 @@
+{
+  "name": "@augmenting-integrations/create-tenant",
+  "version": "0.0.0",
+  "description": "Scaffold a new tenant apex app for an augint deployment. Generates a Next 16 + Auth.js v5 + Cognito apex with TenantConfig wired up, library-owned /api/apps registry handler, and /studio admin. Single command: pnpm dlx @augmenting-integrations/create-tenant my-tenant.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "bin": {
+    "create-tenant": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "clean": "rm -rf dist",
+    "test": "vitest run --passWithNoTests"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.5"
+  }
+}

package/templates/.env.example.tmpl ADDED Viewed

@@ -0,0 +1,22 @@
+APP_DOMAIN=__TENANT_APEX__
+APEX_DOMAIN=__TENANT_APEX__
+AUTH_COOKIE_DOMAIN=__TENANT_PARENT__
+AUTH_ALLOWED_PARENT_DOMAIN=__TENANT_PARENT__
+# Cognito (apex-only; from your tenant infra stack)
+AUTH_SECRET_ARN=
+AUTH_COGNITO_SECRET_ARN=
+AUTH_COGNITO_ID=
+AUTH_COGNITO_ISSUER=
+# App registry DynamoDB table (apex owns CRUD; spokes read)
+APP_REGISTRY_TABLE=
+TENANT_SLUG=__TENANT_NAME__
+STAGE=staging
+AWS_REGION=us-east-1
+ADMIN_EMAILS=
+# Local-dev fallbacks
+AUTH_SECRET=dev-only-fallback-not-for-prod
+NODE_ENV=development

package/templates/.gitignore.tmpl ADDED Viewed

@@ -0,0 +1,7 @@
+node_modules
+.next
+.env
+.env.local
+*.log
+.DS_Store
+.vercel

package/templates/README.md.tmpl ADDED Viewed

@@ -0,0 +1,44 @@
+# __TENANT_NAME__ apex
+Generated by `@augmenting-integrations/create-tenant`. This is the apex
+Next.js 16 app for a new augint tenant. It owns:
+- The OAuth callback (`/api/auth/[...nextauth]`) for the ENTIRE tenant
+- The session cookie scope (`Domain=__TENANT_PARENT__`)
+- The app registry (`/api/apps` for spoke auto-discovery)
+- The studio admin
+## Local dev
+```bash
+cp .env.example .env
+# fill in tenant identity values; AWS resources can be blank for local dev
+pnpm install
+pnpm dev
+```
+## Per-tenant infra (NOT scaffolded — provision separately)
+The application code is portable; the AWS infra is tenant-specific:
+1. **AWS account** — sandbox/staging + prod accounts.
+2. **Cognito User Pool** with one App Client + ONE callback URL:
+   `https://__TENANT_APEX__/api/auth/callback/cognito`
+3. **Hosted zone + certs** for `__TENANT_APEX__` and `*.__TENANT_APEX__`.
+4. **App registry DynamoDB table** (PK = `slug`). Apex owns CRUD; spokes
+   read via `/api/apps`. Set `APP_REGISTRY_TABLE` env to the table name.
+5. **Secrets Manager** rows for `AUTH_SECRET`, `AUTH_COGNITO_SECRET`.
+6. **GitHub OIDC role** in each AWS account for CI deploys.
+Copy `template.yaml` from an existing tenant (the example tenant ships one)
+and adapt the parameters.
+## Adding spokes
+```bash
+pnpm dlx @augmenting-integrations/create-spoke my-product-spoke
+```
+Then register the new spoke in this apex's app registry table (slug,
+subdomain, displayName, navOrder). The spoke shows up in every other
+spoke's AppShell ecosystem nav automatically.

package/templates/next.config.ts.tmpl ADDED Viewed

@@ -0,0 +1,8 @@
+import type { NextConfig } from "next";
+const nextConfig: NextConfig = {
+  output: "standalone",
+  outputFileTracingRoot: process.cwd(),
+};
+export default nextConfig;

package/templates/package.json.tmpl ADDED Viewed

@@ -0,0 +1,31 @@
+{
+  "name": "__TENANT_NAME__-apex",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "eslint .",
+    "type-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@augmenting-integrations/auth": "^8.0.0",
+    "@augmenting-integrations/aws": "^8.0.0",
+    "@augmenting-integrations/brand": "^8.0.0",
+    "@augmenting-integrations/registry": "^8.0.0",
+    "@augmenting-integrations/themes": "^8.0.0",
+    "@augmenting-integrations/ui": "^8.0.0",
+    "next": "^16.2.5",
+    "next-auth": "^5.0.0-beta.31",
+    "react": "^19.2.0",
+    "react-dom": "^19.2.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "typescript": "^5.7.2"
+  }
+}

package/templates/src/app/Providers.tsx.tmpl ADDED Viewed

@@ -0,0 +1,25 @@
+"use client";
+import * as React from "react";
+import type { Session } from "next-auth";
+import { SessionProvider } from "@augmenting-integrations/ui";
+import {
+  TenantProvider,
+  type TenantPublicConfig,
+} from "@augmenting-integrations/auth/client";
+export function Providers({
+  children,
+  session,
+  tenant,
+}: {
+  children: React.ReactNode;
+  session: Session | null;
+  tenant: TenantPublicConfig;
+}) {
+  return (
+    <TenantProvider tenant={tenant}>
+      <SessionProvider session={session}>{children}</SessionProvider>
+    </TenantProvider>
+  );
+}

package/templates/src/app/api/apps/route.ts.tmpl ADDED Viewed

@@ -0,0 +1,7 @@
+// Auto-discovery endpoint consumed by every spoke's AppShell. Scans the
+// DynamoDB app registry table + filters by the caller's Cognito groups.
+import { createGetHandler } from "@augmenting-integrations/registry/api-route";
+import { auth } from "@/lib/auth";
+export const GET = createGetHandler({ authFn: auth });
+export const runtime = "nodejs";

package/templates/src/app/api/auth/[...nextauth]/route.ts.tmpl ADDED Viewed

@@ -0,0 +1,6 @@
+// The ONLY Cognito callback in the tenant ecosystem. Subdomain spokes
+// redirect to /login here; we run the OAuth dance and set the parent-domain
+// cookie so every spoke sees the session on the next request.
+import { handlers } from "@/lib/auth";
+export const { GET, POST } = handlers;

package/templates/src/app/globals.css.tmpl ADDED Viewed

@@ -0,0 +1,22 @@
+@import "tailwindcss";
+@source "../../node_modules/@augmenting-integrations/ui/dist";
+@source "../../node_modules/@augmenting-integrations/auth/dist";
+@source "../../node_modules/@augmenting-integrations/brand/dist";
+@custom-variant dark (&:where(.dark, .dark *));
+:root {
+  --background: oklch(0.99 0 0);
+  --foreground: oklch(0.15 0 0);
+}
+.dark {
+  --background: oklch(0.12 0.02 240);
+  --foreground: oklch(0.95 0 0);
+}
+body {
+  background-color: var(--background);
+  color: var(--foreground);
+}

package/templates/src/app/layout.tsx.tmpl ADDED Viewed

@@ -0,0 +1,42 @@
+import type { Metadata } from "next";
+import { cookies } from "next/headers";
+import {
+  THEME_COOKIE_KEY,
+  THEME_VARIANT_COOKIE_KEY,
+} from "@augmenting-integrations/themes";
+import { ThemeBootScript } from "@augmenting-integrations/ui";
+import { TenantBootScript, publicSubset } from "@augmenting-integrations/auth/server";
+import { auth, tenant } from "@/lib/auth";
+import { Providers } from "./Providers";
+import "./globals.css";
+export const metadata: Metadata = {
+  title: { default: "__TENANT_NAME__", template: "%s — __TENANT_NAME__" },
+};
+export default async function RootLayout({ children }: { children: React.ReactNode }) {
+  const [session, cookieStore] = await Promise.all([auth(), cookies()]);
+  const themeName = cookieStore.get(THEME_COOKIE_KEY)?.value ?? "default";
+  const variantCookie = cookieStore.get(THEME_VARIANT_COOKIE_KEY)?.value;
+  const variant: "dark" | "light" =
+    variantCookie === "dark" || variantCookie === "light" ? variantCookie : "light";
+  const publicTenant = publicSubset(tenant);
+  return (
+    <html
+      lang="en"
+      data-theme={themeName}
+      className={variant === "dark" ? "dark" : undefined}
+      suppressHydrationWarning
+    >
+      <head>
+        <TenantBootScript config={publicTenant} />
+        <ThemeBootScript />
+      </head>
+      <body>
+        <Providers session={session} tenant={publicTenant}>
+          {children}
+        </Providers>
+      </body>
+    </html>
+  );
+}

package/templates/src/app/login/page.tsx.tmpl ADDED Viewed

@@ -0,0 +1,26 @@
+import { signIn } from "@/lib/auth";
+export default function LoginPage() {
+  return (
+    <main
+      style={{
+        padding: "2rem",
+        fontFamily: "system-ui",
+        display: "flex",
+        flexDirection: "column",
+        alignItems: "center",
+        gap: "1rem",
+      }}
+    >
+      <h1>Sign in to __TENANT_NAME__</h1>
+      <form
+        action={async () => {
+          "use server";
+          await signIn("cognito", { redirectTo: "/home" });
+        }}
+      >
+        <button type="submit">Sign in with Cognito</button>
+      </form>
+    </main>
+  );
+}

package/templates/src/app/page.tsx.tmpl ADDED Viewed

@@ -0,0 +1,14 @@
+import Link from "next/link";
+export default function Home() {
+  return (
+    <main style={{ padding: "2rem", fontFamily: "system-ui" }}>
+      <h1>__TENANT_NAME__</h1>
+      <p>Tenant apex at <strong>__TENANT_APEX__</strong>.</p>
+      <p>
+        <Link href="/login">Sign in</Link> to access the studio admin or any
+        product subdomain.
+      </p>
+    </main>
+  );
+}

package/templates/src/lib/auth.ts.tmpl ADDED Viewed

@@ -0,0 +1,20 @@
+import { createAuth, loadTenantConfig } from "@augmenting-integrations/auth/server";
+import { getSecret } from "@augmenting-integrations/aws/server";
+// Single tenant configuration source.
+export const tenant = loadTenantConfig({ role: "apex" });
+// Apex is the OAuth broker -- it needs both auth secret and Cognito client
+// secret. Both live in Secrets Manager (ARNs in tenant config).
+const [authSecretRaw, cognitoClientSecretRaw] = await Promise.all([
+  getSecret(tenant.authSecretArn),
+  getSecret(tenant.authCognitoSecretArn!),
+]);
+const authSecret = authSecretRaw ?? "dev-only-fallback-not-for-prod";
+export const { handlers, auth, signIn, signOut } = createAuth({
+  tenant,
+  authedRoutePrefixes: ["/home", "/studio"],
+  authSecret,
+  cognitoClientSecret: cognitoClientSecretRaw,
+});

package/templates/src/proxy.ts.tmpl ADDED Viewed

@@ -0,0 +1,7 @@
+import { auth } from "./lib/auth.js";
+export default auth;
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|api/auth/).*)"],
+};

package/templates/tsconfig.json.tmpl ADDED Viewed

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": false,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}