@cfast/auth 0.0.1

package/dist/schema.js

@@ -0,0 +1,85 @@
+// src/schema.ts
+import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
+var users = sqliteTable("users", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull().unique(),
+  name: text("name").notNull(),
+  image: text("image"),
+  emailVerified: integer("email_verified", { mode: "boolean" }).notNull().default(false),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date())
+});
+var sessions = sqliteTable("sessions", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  token: text("token").notNull().unique(),
+  ipAddress: text("ip_address"),
+  userAgent: text("user_agent"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date())
+});
+var accounts = sqliteTable("accounts", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  accountId: text("account_id").notNull(),
+  providerId: text("provider_id").notNull(),
+  accessToken: text("access_token"),
+  refreshToken: text("refresh_token"),
+  accessTokenExpiresAt: integer("access_token_expires_at", {
+    mode: "timestamp"
+  }),
+  refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+    mode: "timestamp"
+  }),
+  scope: text("scope"),
+  idToken: text("id_token"),
+  password: text("password"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date())
+});
+var verifications = sqliteTable("verifications", {
+  id: text("id").primaryKey(),
+  identifier: text("identifier").notNull(),
+  value: text("value").notNull(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date())
+});
+var passkeys = sqliteTable("passkeys", {
+  id: text("id").primaryKey(),
+  name: text("name"),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  publicKey: text("public_key").notNull(),
+  credentialId: text("credential_id").notNull().unique(),
+  counter: integer("counter").notNull().default(0),
+  deviceType: text("device_type"),
+  backedUp: integer("backed_up", { mode: "boolean" }).default(false),
+  transports: text("transports"),
+  createdAt: integer("created_at", { mode: "timestamp" }).$defaultFn(
+    () => /* @__PURE__ */ new Date()
+  )
+});
+var roles = sqliteTable("roles", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  role: text("role").notNull(),
+  grantedBy: text("granted_by").references(() => users.id),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date())
+});
+var impersonationLogs = sqliteTable("impersonation_logs", {
+  id: text("id").primaryKey(),
+  adminId: text("admin_id").notNull().references(() => users.id),
+  targetUserId: text("target_user_id").notNull().references(() => users.id),
+  startedAt: integer("started_at", { mode: "timestamp" }).notNull().$defaultFn(() => /* @__PURE__ */ new Date()),
+  endedAt: integer("ended_at", { mode: "timestamp" })
+});
+export {
+  accounts,
+  impersonationLogs,
+  passkeys,
+  roles,
+  sessions,
+  users,
+  verifications
+};

package/dist/types-19GeiMs4.d.ts

@@ -0,0 +1,64 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+type AuthUser = {
+    id: string;
+    email: string;
+    name: string;
+    avatarUrl: string | null;
+    roles: string[];
+    isImpersonating?: boolean;
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+type AuthContext = {
+    user: AuthUser | null;
+    grants: Grant[];
+};
+type AuthenticatedContext = {
+    user: AuthUser;
+    grants: Grant[];
+};
+type AuthConfig = {
+    permissions: Permissions;
+    schema?: Record<string, unknown>;
+    passkeys?: {
+        rpName: string;
+        rpId: string;
+    };
+    magicLink?: {
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    session?: {
+        expiresIn?: string;
+    };
+    redirects?: {
+        afterLogin?: string;
+        loginPath?: string;
+    };
+    anonymousRoles?: string[];
+    defaultRoles?: string[];
+    roleTableName?: string;
+};
+type AuthEnvConfig = {
+    d1: D1Database;
+    appUrl: string;
+};
+type AuthInstance = {
+    createContext: (request: Request) => Promise<AuthContext>;
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    getRoles: (userId: string) => Promise<string[]>;
+    setRole: (userId: string, role: string) => Promise<void>;
+    setRoles: (userId: string, roles: string[]) => Promise<void>;
+    removeRole: (userId: string, role: string) => Promise<void>;
+    /** Handle auth API requests (forwards to Better Auth) */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-8eZilolN.d.ts

@@ -0,0 +1,63 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+type AuthUser = {
+    id: string;
+    email: string;
+    name: string;
+    avatarUrl: string | null;
+    roles: string[];
+    isImpersonating?: boolean;
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+type AuthContext = {
+    user: AuthUser | null;
+    grants: Grant[];
+};
+type AuthenticatedContext = {
+    user: AuthUser;
+    grants: Grant[];
+};
+type AuthConfig = {
+    permissions: Permissions;
+    schema?: Record<string, unknown>;
+    passkeys?: {
+        rpName: string;
+        rpId: string;
+    };
+    magicLink?: {
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    session?: {
+        expiresIn?: string;
+    };
+    redirects?: {
+        afterLogin?: string;
+        loginPath?: string;
+    };
+    anonymousRoles?: string[];
+    defaultRoles?: string[];
+};
+type AuthEnvConfig = {
+    d1: D1Database;
+    appUrl: string;
+};
+type AuthInstance = {
+    createContext: (request: Request) => Promise<AuthContext>;
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    getRoles: (userId: string) => Promise<string[]>;
+    setRole: (userId: string, role: string) => Promise<void>;
+    setRoles: (userId: string, roles: string[]) => Promise<void>;
+    removeRole: (userId: string, role: string) => Promise<void>;
+    /** Handle auth API requests (forwards to Better Auth) */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DZ7AeznW.d.ts

@@ -0,0 +1,74 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+type AuthUser = {
+    id: string;
+    email: string;
+    name: string;
+    avatarUrl: string | null;
+    roles: string[];
+    isImpersonating?: boolean;
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+type AuthContext = {
+    user: AuthUser | null;
+    grants: Grant[];
+};
+type AuthenticatedContext = {
+    user: AuthUser;
+    grants: Grant[];
+};
+type AuthConfig = {
+    permissions: Permissions;
+    schema?: Record<string, unknown>;
+    passkeys?: {
+        rpName: string;
+        rpId: string;
+    };
+    magicLink?: {
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    session?: {
+        expiresIn?: string;
+    };
+    redirects?: {
+        afterLogin?: string;
+        loginPath?: string;
+    };
+    anonymousRoles?: string[];
+    defaultRoles?: string[];
+    roleTableName?: string;
+    roleGrants?: Record<string, string[]>;
+    impersonation?: {
+        allowedRoles?: string[];
+    };
+};
+type AuthEnvConfig = {
+    d1: D1Database;
+    appUrl: string;
+};
+type AuthInstance = {
+    createContext: (request: Request) => Promise<AuthContext>;
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    getRoles: (userId: string) => Promise<string[]>;
+    setRole: (userId: string, role: string, caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    setRoles: (userId: string, roles: string[], caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    removeRole: (userId: string, role: string) => Promise<void>;
+    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
+    stopImpersonating: (adminUserId: string) => Promise<void>;
+    /** Handle auth API requests (forwards to Better Auth) */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DdbPIOVK.d.ts

@@ -0,0 +1,85 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+type AuthUser = {
+    id: string;
+    email: string;
+    name: string;
+    avatarUrl: string | null;
+    roles: string[];
+    isImpersonating?: boolean;
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+type AuthContext = {
+    user: AuthUser | null;
+    grants: Grant[];
+};
+type AuthenticatedContext = {
+    user: AuthUser;
+    grants: Grant[];
+};
+type AuthConfig = {
+    permissions: Permissions;
+    schema?: Record<string, unknown>;
+    passkeys?: {
+        rpName: string;
+        rpId: string;
+    };
+    magicLink?: {
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    session?: {
+        expiresIn?: string;
+    };
+    redirects?: {
+        afterLogin?: string;
+        loginPath?: string;
+    };
+    anonymousRoles?: string[];
+    defaultRoles?: string[];
+    roleTableName?: string;
+    roleGrants?: Record<string, string[]>;
+    impersonation?: {
+        allowedRoles?: string[];
+    };
+    templates?: {
+        magicLink?: (props: {
+            url: string;
+            email: string;
+        }) => string;
+    };
+};
+type AuthEnvConfig = {
+    d1: D1Database;
+    appUrl: string;
+};
+type AuthInstance = {
+    createContext: (request: Request) => Promise<AuthContext>;
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    getRoles: (userId: string) => Promise<string[]>;
+    setRole: (userId: string, role: string, caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    setRoles: (userId: string, roles: string[], caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    removeRole: (userId: string, role: string) => Promise<void>;
+    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
+    stopImpersonating: (adminUserId: string) => Promise<void>;
+    /** Send a magic link email to the given address */
+    sendMagicLink: (params: {
+        email: string;
+        callbackURL?: string;
+    }) => Promise<void>;
+    /** Handle auth API requests (forwards to Better Auth) */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-DrnTPiku.d.ts

@@ -0,0 +1,62 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+type AuthUser = {
+    id: string;
+    email: string;
+    name: string;
+    avatarUrl: string | null;
+    roles: string[];
+    isImpersonating?: boolean;
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+type AuthContext = {
+    user: AuthUser | null;
+    grants: Grant[];
+};
+type AuthenticatedContext = {
+    user: AuthUser;
+    grants: Grant[];
+};
+type AuthConfig = {
+    permissions: Permissions;
+    passkeys?: {
+        rpName: string;
+        rpId: string;
+    };
+    magicLink?: {
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    session?: {
+        expiresIn?: string;
+    };
+    redirects?: {
+        afterLogin?: string;
+        loginPath?: string;
+    };
+    anonymousRoles?: string[];
+    defaultRoles?: string[];
+};
+type AuthEnvConfig = {
+    d1: D1Database;
+    appUrl: string;
+};
+type AuthInstance = {
+    createContext: (request: Request) => Promise<AuthContext>;
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    getRoles: (userId: string) => Promise<string[]>;
+    setRole: (userId: string, role: string) => Promise<void>;
+    setRoles: (userId: string, roles: string[]) => Promise<void>;
+    removeRole: (userId: string, role: string) => Promise<void>;
+    /** Handle auth API requests (forwards to Better Auth) */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/dist/types-ghXti5CW.d.ts

@@ -0,0 +1,191 @@
+import { Permissions, Grant } from '@cfast/permissions';
+
+/**
+ * The authenticated user object available throughout the application.
+ *
+ * Contains identity fields, assigned roles, and optional impersonation state.
+ * This is the user shape returned by {@link AuthContext} and {@link AuthenticatedContext},
+ * and is the same object passed to `createDb({ user })` for permission resolution.
+ */
+type AuthUser = {
+    /** Unique user identifier (UUID from Better Auth). */
+    id: string;
+    /** The user's email address, used for magic link authentication. */
+    email: string;
+    /** Display name for the user. */
+    name: string;
+    /** URL to the user's avatar image, or `null` if not set. */
+    avatarUrl: string | null;
+    /** Roles assigned to this user, matching role names from `@cfast/permissions`. */
+    roles: string[];
+    /** Whether an admin is currently impersonating this user. */
+    isImpersonating?: boolean;
+    /** The real admin user performing the impersonation, if active. */
+    realUser?: {
+        id: string;
+        name: string;
+    };
+};
+/**
+ * The auth context for a request, which may or may not be authenticated.
+ *
+ * When the user is not logged in, `user` is `null` and `grants` contains
+ * only the anonymous role grants. Use {@link AuthenticatedContext} when
+ * you need a guaranteed non-null user.
+ */
+type AuthContext = {
+    /** The current user, or `null` if the request is unauthenticated. */
+    user: AuthUser | null;
+    /** Permission grants resolved from the user's roles (or anonymous roles). */
+    grants: Grant[];
+};
+/**
+ * A narrowed {@link AuthContext} where the user is guaranteed to be present.
+ *
+ * Returned by `auth.requireUser()`, which redirects to the login page if
+ * the request is unauthenticated. Use this in loaders and actions that
+ * require a logged-in user.
+ */
+type AuthenticatedContext = {
+    /** The authenticated user (always present). */
+    user: AuthUser;
+    /** Permission grants resolved from the user's assigned roles. */
+    grants: Grant[];
+};
+/**
+ * Configuration for {@link createAuth}.
+ *
+ * Defines authentication methods, session behavior, role management rules,
+ * and integration with `@cfast/permissions`.
+ */
+type AuthConfig = {
+    /** The permissions config from `definePermissions()`. Roles are inferred from this. */
+    permissions: Permissions;
+    /** Optional Drizzle schema override for the Better Auth database adapter. */
+    schema?: Record<string, unknown>;
+    /** WebAuthn passkey configuration. Required to enable passkey authentication. */
+    passkeys?: {
+        /** Relying party display name shown during WebAuthn registration. */
+        rpName: string;
+        /** Relying party identifier, typically the app's domain (e.g., `"myapp.com"`). */
+        rpId: string;
+    };
+    /** Magic link email configuration. Required to enable magic link authentication. */
+    magicLink?: {
+        /** Callback to send the magic link email. Receives the user's email and the login URL. */
+        sendMagicLink: (params: {
+            email: string;
+            url: string;
+        }) => Promise<void>;
+    };
+    /** Session lifetime configuration. */
+    session?: {
+        /** How long sessions last before expiring (e.g., `"30d"`, `"12h"`, `"60m"`). Defaults to `"30d"`. */
+        expiresIn?: string;
+    };
+    /** Redirect paths for the authentication flow. */
+    redirects?: {
+        /** Where to redirect after successful login. Defaults to `"/"`. */
+        afterLogin?: string;
+        /** Where to send unauthenticated users. Defaults to `"/login"`. */
+        loginPath?: string;
+    };
+    /** Roles assigned to unauthenticated (anonymous) requests for permission resolution. */
+    anonymousRoles?: string[];
+    /** Default roles assigned to authenticated users who have no explicit role assignments. Defaults to `["reader"]`. */
+    defaultRoles?: string[];
+    /** Custom table name for storing role assignments. Defaults to `"roles"`. */
+    roleTableName?: string;
+    /** Maps each role to the set of roles it is allowed to assign. Controls who can promote whom. */
+    roleGrants?: Record<string, string[]>;
+    /** Impersonation feature configuration. */
+    impersonation?: {
+        /** Roles permitted to impersonate other users. Defaults to `["admin"]`. */
+        allowedRoles?: string[];
+    };
+    /** Custom email template functions. */
+    templates?: {
+        /** Returns an HTML string for the magic link email. Receives the login URL and recipient email. */
+        magicLink?: (props: {
+            url: string;
+            email: string;
+        }) => string;
+    };
+};
+/**
+ * Per-request environment bindings required to initialize an {@link AuthInstance}.
+ *
+ * Passed to the `initAuth()` function returned by {@link createAuth}.
+ */
+type AuthEnvConfig = {
+    /** The Cloudflare D1 database binding for session and user storage. */
+    d1: D1Database;
+    /** The application's public URL, used as the base URL for Better Auth endpoints. */
+    appUrl: string;
+};
+/**
+ * The initialized auth instance with methods for session management, role assignment,
+ * impersonation, and request handling.
+ *
+ * Created by calling the `initAuth()` function returned from {@link createAuth}
+ * with an {@link AuthEnvConfig}.
+ */
+type AuthInstance = {
+    /**
+     * Builds an {@link AuthContext} from the request's session cookie.
+     * Returns a context with `user: null` if the session is invalid or missing.
+     */
+    createContext: (request: Request) => Promise<AuthContext>;
+    /**
+     * Like {@link AuthInstance.createContext | createContext}, but redirects to the login page
+     * if the user is not authenticated. Sets a `cfast_redirect_to` cookie so the user
+     * returns to the original URL after login.
+     *
+     * @throws {Response} A 302 redirect response when the user is not authenticated.
+     */
+    requireUser: (request: Request) => Promise<AuthenticatedContext>;
+    /** Retrieves all roles assigned to a user. */
+    getRoles: (userId: string) => Promise<string[]>;
+    /**
+     * Assigns a single role to a user (additive, does not remove existing roles).
+     * When `caller.callerRoles` is provided, validates against `roleGrants` rules.
+     */
+    setRole: (userId: string, role: string, caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    /**
+     * Replaces all of a user's roles with the given set.
+     * When `caller.callerRoles` is provided, validates each role against `roleGrants` rules.
+     */
+    setRoles: (userId: string, roles: string[], caller?: {
+        callerRoles?: string[];
+    }) => Promise<void>;
+    /** Removes a single role from a user. */
+    removeRole: (userId: string, role: string) => Promise<void>;
+    /**
+     * Starts an impersonation session where the admin acts as the target user.
+     * Only users with roles listed in `impersonation.allowedRoles` can impersonate.
+     *
+     * @throws {Error} If the admin user's roles do not permit impersonation.
+     */
+    impersonate: (adminUserId: string, targetUserId: string) => Promise<void>;
+    /** Ends all active impersonation sessions for the given admin user. */
+    stopImpersonating: (adminUserId: string) => Promise<void>;
+    /**
+     * Sends a magic link email to the given address for passwordless authentication.
+     *
+     * @throws {Error} If the magic link plugin is not configured.
+     */
+    sendMagicLink: (params: {
+        /** The recipient's email address. */
+        email: string;
+        /** Override the post-login redirect URL. Defaults to `redirects.afterLogin`. */
+        callbackURL?: string;
+    }) => Promise<void>;
+    /** Forwards an HTTP request to the Better Auth handler for processing auth API routes. */
+    handler: (request: Request) => Promise<Response>;
+    /** The underlying Better Auth instance, for escape-hatch usage. */
+    api: unknown;
+};
+
+export type { AuthUser as A, AuthConfig as a, AuthEnvConfig as b, AuthInstance as c, AuthContext as d, AuthenticatedContext as e };

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@cfast/auth",
+  "version": "0.0.1",
+  "description": "Authentication for Cloudflare Workers: magic email, passkeys, roles, and impersonation",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/DanielMSchmidt/cfast.git",
+    "directory": "packages/auth"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./client": {
+      "import": "./dist/client.js",
+      "types": "./dist/client.d.ts"
+    },
+    "./plugin": {
+      "import": "./dist/plugin.js",
+      "types": "./dist/plugin.d.ts"
+    },
+    "./schema": {
+      "import": "./dist/schema.js",
+      "types": "./dist/schema.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "better-auth": ">=1",
+    "drizzle-orm": ">=0.35",
+    "react": ">=18"
+  },
+  "dependencies": {
+    "@cfast/permissions": "0.0.1"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260305.1",
+    "@testing-library/react": "^16.3.2",
+    "@types/react": "^19.0.0",
+    "better-auth": "^1.2.0",
+    "drizzle-orm": "^0.45.1",
+    "jsdom": "^28.1.0",
+    "react": "^19.0.0",
+    "tsup": "^8",
+    "typescript": "^5.7",
+    "vitest": "^4.1.0"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts",
+    "dev": "tsup src/index.ts src/client.ts src/plugin.ts src/schema.ts --format esm --dts --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/"
+  }
+}