@cimplify/cli 0.7.2 → 0.7.4

package/dist/dispatcher.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { TEMPLATES } from './chunk-CVQRL2VH.mjs';
-import { package_default } from './chunk-ZVEQGQ2Z.mjs';
+import { TEMPLATES } from './chunk-QOPMMTVI.mjs';
+import { package_default } from './chunk-NTY7JESF.mjs';
 
 // src/dispatcher.ts
 var VERSION = package_default.version ?? "unknown";
@@ -138,16 +138,16 @@ var COMMANDS = {
   logs: () => import('./logs-YNN2PQ24.mjs'),
   status: () => import('./status-JSYXM5RT.mjs'),
   dev: () => import('./dev-ONW2S77K.mjs'),
-  introspect: () => import('./introspect-FPBV3O4N.mjs'),
+  introspect: () => import('./introspect-FFB7TA2E.mjs'),
   inspect: () => import('./inspect-CGYX4DDF.mjs'),
-  doctor: () => import('./doctor-XLBDC6NO.mjs'),
-  explain: () => import('./explain-PKTL7ZR6.mjs'),
+  doctor: () => import('./doctor-ZVYWEE53.mjs'),
+  explain: () => import('./explain-S6S33HPN.mjs'),
   assets: () => import('./assets-74SK63TR.mjs'),
   repo: () => import('./repo-KNQMSPVV.mjs'),
-  list: () => import('./list-N7FKBQ3Y.mjs'),
-  add: () => import('./add-5NW7N5CJ.mjs'),
-  update: () => import('./update-ZC3JGKLI.mjs'),
-  upgrade: () => import('./update-ZC3JGKLI.mjs'),
+  list: () => import('./list-RLWFTEP4.mjs'),
+  add: () => import('./add-4PBCFGM3.mjs'),
+  update: () => import('./update-WH6NDWIM.mjs'),
+  upgrade: () => import('./update-WH6NDWIM.mjs'),
   "auth-step-up": () => import('./auth-step-up-BIUYQJP6.mjs')
 };
 var COMMAND_PREFIXES = {

package/dist/{doctor-XLBDC6NO.mjs → doctor-ZVYWEE53.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-import { gatherIntrospection } from './chunk-26ETGFW6.mjs';
+import { gatherIntrospection } from './chunk-LRTPNNQG.mjs';
 import './chunk-K5464A3L.mjs';
 import './chunk-DBZ3UOQ2.mjs';
-import './chunk-ZVEQGQ2Z.mjs';
+import './chunk-NTY7JESF.mjs';
 import { parseArgs, flagBool } from './chunk-C4M3DXKC.mjs';
 import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
 import { readAuthOrNull } from './chunk-UBAI443T.mjs';

package/dist/{explain-PKTL7ZR6.mjs → explain-S6S33HPN.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { package_default } from './chunk-ZVEQGQ2Z.mjs';
+import { package_default } from './chunk-NTY7JESF.mjs';
 import { parseArgs } from './chunk-C4M3DXKC.mjs';
 import { bold, dim, info, result, CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 

package/dist/{introspect-FPBV3O4N.mjs → introspect-FFB7TA2E.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
-export { run as default, extractMockSeed, gatherIntrospection, renderIntrospection } from './chunk-26ETGFW6.mjs';
+export { run as default, extractMockSeed, gatherIntrospection, renderIntrospection } from './chunk-LRTPNNQG.mjs';
 import './chunk-K5464A3L.mjs';
 import './chunk-DBZ3UOQ2.mjs';
-import './chunk-ZVEQGQ2Z.mjs';
+import './chunk-NTY7JESF.mjs';
 import './chunk-C4M3DXKC.mjs';
 import './chunk-UBAI443T.mjs';
 import './chunk-E2T2SBP5.mjs';

package/dist/{list-N7FKBQ3Y.mjs → list-RLWFTEP4.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { REGISTRY_INDEX } from './chunk-CVQRL2VH.mjs';
+import { REGISTRY_INDEX } from './chunk-QOPMMTVI.mjs';
 import { parseArgs, flagBool } from './chunk-C4M3DXKC.mjs';
 import { CliError, CLI_ERROR_CODE, info, bold, dim, green, result } from './chunk-E2T2SBP5.mjs';
 

package/dist/{update-ZC3JGKLI.mjs → update-WH6NDWIM.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { package_default } from './chunk-ZVEQGQ2Z.mjs';
+import { package_default } from './chunk-NTY7JESF.mjs';
 import { promptYesNo } from './chunk-ITAFAORS.mjs';
 import { parseArgs, flagBool, flagString } from './chunk-C4M3DXKC.mjs';
 import { success, bold, info, dim, result, failure, CliError, CLI_ERROR_CODE, step, isJsonMode } from './chunk-E2T2SBP5.mjs';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cimplify/cli",
-  "version": "0.7.2",
+  "version": "0.7.4",
   "description": "Cimplify CLI — deploy, manage env vars, link projects, and scaffold storefronts",
   "keywords": [
     "cimplify",
@@ -45,6 +45,6 @@
     "vitest": "^4.1.5"
   },
   "dependencies": {
-    "@cimplify/sdk": "^0.54.0"
+    "@cimplify/sdk": "^0.56.0"
   }
 }

package/templates/storefront-auto/app/auth/callback/route.ts

@@ -0,0 +1,16 @@
+import { handleOidcCallback } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+const REDIRECT_URI = process.env.CIMPLIFY_REDIRECT_URI ?? "";
+
+export async function POST(req: Request): Promise<Response> {
+  if (!CLIENT_ID || !REDIRECT_URI) {
+    return Response.json({ error: "oidc_not_configured" }, { status: 500 });
+  }
+  return handleOidcCallback(req, {
+    clientId: CLIENT_ID,
+    authUrl: AUTH_URL,
+    redirectUri: REDIRECT_URI,
+  });
+}

package/templates/storefront-auto/app/auth/session/route.ts

@@ -0,0 +1,11 @@
+import { handleSessionRequest } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+export async function GET(req: Request): Promise<Response> {
+  if (!CLIENT_ID) {
+    return Response.json({ sub: null }, { status: 200 });
+  }
+  return handleSessionRequest(req, { clientId: CLIENT_ID, authUrl: AUTH_URL });
+}

package/templates/storefront-auto/app/auth/signout/route.ts

@@ -0,0 +1,11 @@
+import { buildSignoutCookies } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+
+export async function POST(): Promise<Response> {
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const cookie of buildSignoutCookies({ clientId: CLIENT_ID })) {
+    headers.append("Set-Cookie", cookie);
+  }
+  return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+}

package/templates/storefront-auto/components/account-iframe.tsx

@@ -1,13 +1,19 @@
 "use client";
 
 import { CimplifyAccount } from "@cimplify/sdk/react";
+import { brand } from "@/lib/brand";
 
 /**
  * Cimplify Account portal — iframe-mounted UI hosted by Cimplify Link.
  * Handles sign-in, sign-up, OTP, addresses, payment methods, sessions,
  * and order history. The iframe owns auth state; we just choose which
  * `section` to land on.
+ *
+ * `merchantName` is passed so the embedded widget can render scoping
+ * affordances ("Showing your account with {merchant} only.") and
+ * enforce the per-merchant data contract — orders/subs filter to this
+ * business, cross-merchant surfaces are hidden.
  */
 export function AccountIframe({ section }: { section?: string }) {
-  return <CimplifyAccount section={section} />;
+  return <CimplifyAccount section={section} merchantName={brand.name} />;
 }

package/templates/storefront-auto/components/account-pill.tsx

@@ -0,0 +1,49 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import Link from "next/link";
+import { CimplifySignInButton, useCimplifySession } from "@cimplify/sdk/react";
+import { signInSilent } from "@cimplify/sdk";
+
+const CLIENT_ID = process.env.NEXT_PUBLIC_CIMPLIFY_CLIENT_ID ?? "";
+
+// Attempts silent SSO on mount before showing the button so returning
+// shoppers don't see a flash of "Sign in" before landing as signed in.
+export function AccountPill() {
+  const { session, loading, refresh } = useCimplifySession();
+  const triedSilent = useRef(false);
+
+  useEffect(() => {
+    if (triedSilent.current || session || !CLIENT_ID) return;
+    triedSilent.current = true;
+    void signInSilent({
+      clientId: CLIENT_ID,
+      redirectUri: `${window.location.origin}/auth/callback`,
+    }).then((r) => {
+      if (r.ok) refresh();
+    });
+  }, [session, refresh]);
+
+  if (loading || !CLIENT_ID) return <span className="h-9 w-24" aria-hidden />;
+
+  if (session) {
+    const first = session.name?.split(/\s+/)[0] ?? "Account";
+    return (
+      <Link
+        href="/account"
+        className="text-[13px] font-medium tracking-wide text-foreground hover:text-primary transition-colors"
+      >
+        Hi, {first}
+      </Link>
+    );
+  }
+
+  return (
+    <CimplifySignInButton
+      clientId={CLIENT_ID}
+      redirectUri={`${typeof window !== "undefined" ? window.location.origin : ""}/auth/callback`}
+      variant="text"
+      onSuccess={() => refresh()}
+    />
+  );
+}

package/templates/storefront-auto/components/header.tsx

@@ -3,6 +3,7 @@ import { Suspense } from "react";
 import { NavLink } from "./nav-link";
 import { CartPill, CartPillSkeleton } from "./cart-pill";
 import { MobileNav } from "./mobile-nav";
+import { AccountPill } from "./account-pill";
 import { brand } from "@/lib/brand";
 
 /**
@@ -31,6 +32,7 @@ export function Header() {
             </Suspense>
           ))}
         </nav>
+        <AccountPill />
         <Suspense fallback={<CartPillSkeleton />}>
           <CartPill />
         </Suspense>

package/templates/storefront-auto/lib/auth.ts

@@ -0,0 +1,35 @@
+import { headers } from "next/headers";
+import {
+  getAccessTokenFromCookieHeader,
+  getServerClient,
+  getSessionFromCookieHeader,
+  type CimplifyClient,
+  type CimplifySession,
+} from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+const oidcConfig = { clientId: CLIENT_ID, authUrl: AUTH_URL };
+
+export async function getSession(): Promise<CimplifySession | null> {
+  if (!CLIENT_ID) return null;
+  const cookieHeader = (await headers()).get("cookie");
+  return getSessionFromCookieHeader(oidcConfig, cookieHeader);
+}
+
+// Returns a Cimplify server client with the signed-in customer's access
+// token attached (if any). Use this instead of getServerClient() on pages
+// that need personalized data: orders, subscriptions, price-list pricing.
+// Pages without `revalidate: 0` will share a cache across customers, so
+// only use this on routes that opt out of static caching.
+export async function getAuthenticatedServerClient(): Promise<CimplifyClient> {
+  const cookieHeader = (await headers()).get("cookie");
+  const accessToken =
+    CLIENT_ID && cookieHeader
+      ? getAccessTokenFromCookieHeader(oidcConfig, cookieHeader) ?? undefined
+      : undefined;
+  return getServerClient({ accessToken });
+}
+
+export type { CimplifySession } from "@cimplify/sdk/server";

package/templates/storefront-auto/package.json

@@ -17,7 +17,7 @@
     "check": "bun run typecheck && bun run test:run"
   },
   "dependencies": {
-    "@cimplify/sdk": "^0.54.0",
+    "@cimplify/sdk": "^0.56.0",
     "next": "^16.2.6",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"

package/templates/storefront-bakery/app/auth/callback/route.ts

@@ -0,0 +1,16 @@
+import { handleOidcCallback } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+const REDIRECT_URI = process.env.CIMPLIFY_REDIRECT_URI ?? "";
+
+export async function POST(req: Request): Promise<Response> {
+  if (!CLIENT_ID || !REDIRECT_URI) {
+    return Response.json({ error: "oidc_not_configured" }, { status: 500 });
+  }
+  return handleOidcCallback(req, {
+    clientId: CLIENT_ID,
+    authUrl: AUTH_URL,
+    redirectUri: REDIRECT_URI,
+  });
+}

package/templates/storefront-bakery/app/auth/session/route.ts

@@ -0,0 +1,11 @@
+import { handleSessionRequest } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+export async function GET(req: Request): Promise<Response> {
+  if (!CLIENT_ID) {
+    return Response.json({ sub: null }, { status: 200 });
+  }
+  return handleSessionRequest(req, { clientId: CLIENT_ID, authUrl: AUTH_URL });
+}

package/templates/storefront-bakery/app/auth/signout/route.ts

@@ -0,0 +1,11 @@
+import { buildSignoutCookies } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+
+export async function POST(): Promise<Response> {
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const cookie of buildSignoutCookies({ clientId: CLIENT_ID })) {
+    headers.append("Set-Cookie", cookie);
+  }
+  return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+}

package/templates/storefront-bakery/components/account-iframe.tsx

@@ -1,13 +1,19 @@
 "use client";
 
 import { CimplifyAccount } from "@cimplify/sdk/react";
+import { brand } from "@/lib/brand";
 
 /**
  * Cimplify Account portal — iframe-mounted UI hosted by Cimplify Link.
  * Handles sign-in, sign-up, OTP, addresses, payment methods, sessions,
  * and order history. The iframe owns auth state; we just choose which
  * `section` to land on.
+ *
+ * `merchantName` is passed so the embedded widget can render scoping
+ * affordances ("Showing your account with Akua's Bakery only.") and
+ * enforce the per-merchant data contract — orders/subs filter to this
+ * business, cross-merchant surfaces are hidden.
  */
 export function AccountIframe({ section }: { section?: string }) {
-  return <CimplifyAccount section={section} />;
+  return <CimplifyAccount section={section} merchantName={brand.name} />;
 }

package/templates/storefront-bakery/components/account-pill.tsx

@@ -0,0 +1,49 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import Link from "next/link";
+import { CimplifySignInButton, useCimplifySession } from "@cimplify/sdk/react";
+import { signInSilent } from "@cimplify/sdk";
+
+const CLIENT_ID = process.env.NEXT_PUBLIC_CIMPLIFY_CLIENT_ID ?? "";
+
+// Attempts silent SSO on mount before showing the button so returning
+// shoppers don't see a flash of "Sign in" before landing as signed in.
+export function AccountPill() {
+  const { session, loading, refresh } = useCimplifySession();
+  const triedSilent = useRef(false);
+
+  useEffect(() => {
+    if (triedSilent.current || session || !CLIENT_ID) return;
+    triedSilent.current = true;
+    void signInSilent({
+      clientId: CLIENT_ID,
+      redirectUri: `${window.location.origin}/auth/callback`,
+    }).then((r) => {
+      if (r.ok) refresh();
+    });
+  }, [session, refresh]);
+
+  if (loading || !CLIENT_ID) return <span className="h-9 w-24" aria-hidden />;
+
+  if (session) {
+    const first = session.name?.split(/\s+/)[0] ?? "Account";
+    return (
+      <Link
+        href="/account"
+        className="text-[13px] font-medium tracking-wide text-foreground hover:text-primary transition-colors"
+      >
+        Hi, {first}
+      </Link>
+    );
+  }
+
+  return (
+    <CimplifySignInButton
+      clientId={CLIENT_ID}
+      redirectUri={`${typeof window !== "undefined" ? window.location.origin : ""}/auth/callback`}
+      variant="text"
+      onSuccess={() => refresh()}
+    />
+  );
+}

package/templates/storefront-bakery/components/header.tsx

@@ -3,6 +3,7 @@ import { Suspense } from "react";
 import { NavLink } from "./nav-link";
 import { CartPill, CartPillSkeleton } from "./cart-pill";
 import { MobileNav } from "./mobile-nav";
+import { AccountPill } from "./account-pill";
 import { brand } from "@/lib/brand";
 
 /**
@@ -29,6 +30,7 @@ export function Header() {
             </Suspense>
           ))}
         </nav>
+        <AccountPill />
         <Suspense fallback={<CartPillSkeleton />}>
           <CartPill />
         </Suspense>

package/templates/storefront-bakery/lib/auth.ts

@@ -0,0 +1,35 @@
+import { headers } from "next/headers";
+import {
+  getAccessTokenFromCookieHeader,
+  getServerClient,
+  getSessionFromCookieHeader,
+  type CimplifyClient,
+  type CimplifySession,
+} from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+const oidcConfig = { clientId: CLIENT_ID, authUrl: AUTH_URL };
+
+export async function getSession(): Promise<CimplifySession | null> {
+  if (!CLIENT_ID) return null;
+  const cookieHeader = (await headers()).get("cookie");
+  return getSessionFromCookieHeader(oidcConfig, cookieHeader);
+}
+
+// Returns a Cimplify server client with the signed-in customer's access
+// token attached (if any). Use this instead of getServerClient() on pages
+// that need personalized data: orders, subscriptions, price-list pricing.
+// Pages without `revalidate: 0` will share a cache across customers, so
+// only use this on routes that opt out of static caching.
+export async function getAuthenticatedServerClient(): Promise<CimplifyClient> {
+  const cookieHeader = (await headers()).get("cookie");
+  const accessToken =
+    CLIENT_ID && cookieHeader
+      ? getAccessTokenFromCookieHeader(oidcConfig, cookieHeader) ?? undefined
+      : undefined;
+  return getServerClient({ accessToken });
+}
+
+export type { CimplifySession } from "@cimplify/sdk/server";

package/templates/storefront-bakery/package.json

@@ -17,7 +17,7 @@
     "check": "bun run typecheck && bun run test:run"
   },
   "dependencies": {
-    "@cimplify/sdk": "^0.54.0",
+    "@cimplify/sdk": "^0.56.0",
     "next": "^16.2.6",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"

package/templates/storefront-fashion/app/auth/callback/route.ts

@@ -0,0 +1,16 @@
+import { handleOidcCallback } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+const REDIRECT_URI = process.env.CIMPLIFY_REDIRECT_URI ?? "";
+
+export async function POST(req: Request): Promise<Response> {
+  if (!CLIENT_ID || !REDIRECT_URI) {
+    return Response.json({ error: "oidc_not_configured" }, { status: 500 });
+  }
+  return handleOidcCallback(req, {
+    clientId: CLIENT_ID,
+    authUrl: AUTH_URL,
+    redirectUri: REDIRECT_URI,
+  });
+}

package/templates/storefront-fashion/app/auth/session/route.ts

@@ -0,0 +1,11 @@
+import { handleSessionRequest } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+export async function GET(req: Request): Promise<Response> {
+  if (!CLIENT_ID) {
+    return Response.json({ sub: null }, { status: 200 });
+  }
+  return handleSessionRequest(req, { clientId: CLIENT_ID, authUrl: AUTH_URL });
+}

package/templates/storefront-fashion/app/auth/signout/route.ts

@@ -0,0 +1,11 @@
+import { buildSignoutCookies } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+
+export async function POST(): Promise<Response> {
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const cookie of buildSignoutCookies({ clientId: CLIENT_ID })) {
+    headers.append("Set-Cookie", cookie);
+  }
+  return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+}

package/templates/storefront-fashion/components/account-iframe.tsx

@@ -1,13 +1,19 @@
 "use client";
 
 import { CimplifyAccount } from "@cimplify/sdk/react";
+import { brand } from "@/lib/brand";
 
 /**
  * Cimplify Account portal — iframe-mounted UI hosted by Cimplify Link.
  * Handles sign-in, sign-up, OTP, addresses, payment methods, sessions,
  * and order history. The iframe owns auth state; we just choose which
  * `section` to land on.
+ *
+ * `merchantName` is passed so the embedded widget can render scoping
+ * affordances ("Showing your account with {merchant} only.") and
+ * enforce the per-merchant data contract — orders/subs filter to this
+ * business, cross-merchant surfaces are hidden.
  */
 export function AccountIframe({ section }: { section?: string }) {
-  return <CimplifyAccount section={section} />;
+  return <CimplifyAccount section={section} merchantName={brand.name} />;
 }

package/templates/storefront-fashion/components/account-pill.tsx

@@ -0,0 +1,49 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import Link from "next/link";
+import { CimplifySignInButton, useCimplifySession } from "@cimplify/sdk/react";
+import { signInSilent } from "@cimplify/sdk";
+
+const CLIENT_ID = process.env.NEXT_PUBLIC_CIMPLIFY_CLIENT_ID ?? "";
+
+// Attempts silent SSO on mount before showing the button so returning
+// shoppers don't see a flash of "Sign in" before landing as signed in.
+export function AccountPill() {
+  const { session, loading, refresh } = useCimplifySession();
+  const triedSilent = useRef(false);
+
+  useEffect(() => {
+    if (triedSilent.current || session || !CLIENT_ID) return;
+    triedSilent.current = true;
+    void signInSilent({
+      clientId: CLIENT_ID,
+      redirectUri: `${window.location.origin}/auth/callback`,
+    }).then((r) => {
+      if (r.ok) refresh();
+    });
+  }, [session, refresh]);
+
+  if (loading || !CLIENT_ID) return <span className="h-9 w-24" aria-hidden />;
+
+  if (session) {
+    const first = session.name?.split(/\s+/)[0] ?? "Account";
+    return (
+      <Link
+        href="/account"
+        className="text-[13px] font-medium tracking-wide text-foreground hover:text-primary transition-colors"
+      >
+        Hi, {first}
+      </Link>
+    );
+  }
+
+  return (
+    <CimplifySignInButton
+      clientId={CLIENT_ID}
+      redirectUri={`${typeof window !== "undefined" ? window.location.origin : ""}/auth/callback`}
+      variant="text"
+      onSuccess={() => refresh()}
+    />
+  );
+}

package/templates/storefront-fashion/components/header.tsx

@@ -3,6 +3,7 @@ import { Suspense } from "react";
 import { NavLink } from "./nav-link";
 import { CartPill, CartPillSkeleton } from "./cart-pill";
 import { MobileNav } from "./mobile-nav";
+import { AccountPill } from "./account-pill";
 import { brand } from "@/lib/brand";
 
 /**
@@ -29,6 +30,7 @@ export function Header() {
             </Suspense>
           ))}
         </nav>
+        <AccountPill />
         <Suspense fallback={<CartPillSkeleton />}>
           <CartPill />
         </Suspense>

package/templates/storefront-fashion/lib/auth.ts

@@ -0,0 +1,35 @@
+import { headers } from "next/headers";
+import {
+  getAccessTokenFromCookieHeader,
+  getServerClient,
+  getSessionFromCookieHeader,
+  type CimplifyClient,
+  type CimplifySession,
+} from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+
+const oidcConfig = { clientId: CLIENT_ID, authUrl: AUTH_URL };
+
+export async function getSession(): Promise<CimplifySession | null> {
+  if (!CLIENT_ID) return null;
+  const cookieHeader = (await headers()).get("cookie");
+  return getSessionFromCookieHeader(oidcConfig, cookieHeader);
+}
+
+// Returns a Cimplify server client with the signed-in customer's access
+// token attached (if any). Use this instead of getServerClient() on pages
+// that need personalized data: orders, subscriptions, price-list pricing.
+// Pages without `revalidate: 0` will share a cache across customers, so
+// only use this on routes that opt out of static caching.
+export async function getAuthenticatedServerClient(): Promise<CimplifyClient> {
+  const cookieHeader = (await headers()).get("cookie");
+  const accessToken =
+    CLIENT_ID && cookieHeader
+      ? getAccessTokenFromCookieHeader(oidcConfig, cookieHeader) ?? undefined
+      : undefined;
+  return getServerClient({ accessToken });
+}
+
+export type { CimplifySession } from "@cimplify/sdk/server";

package/templates/storefront-fashion/package.json

@@ -19,7 +19,7 @@
     "check": "bun run typecheck && bun run test:run"
   },
   "dependencies": {
-    "@cimplify/sdk": "^0.54.0",
+    "@cimplify/sdk": "^0.56.0",
     "next": "^16.2.6",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"

package/templates/storefront-grocery/app/auth/callback/route.ts

@@ -0,0 +1,16 @@
+import { handleOidcCallback } from "@cimplify/sdk/server";
+
+const CLIENT_ID = process.env.CIMPLIFY_CLIENT_ID ?? "";
+const AUTH_URL = process.env.CIMPLIFY_AUTH_URL;
+const REDIRECT_URI = process.env.CIMPLIFY_REDIRECT_URI ?? "";
+
+export async function POST(req: Request): Promise<Response> {
+  if (!CLIENT_ID || !REDIRECT_URI) {
+    return Response.json({ error: "oidc_not_configured" }, { status: 500 });
+  }
+  return handleOidcCallback(req, {
+    clientId: CLIENT_ID,
+    authUrl: AUTH_URL,
+    redirectUri: REDIRECT_URI,
+  });
+}