@cloudwerk/cli 0.15.0 → 0.15.2

package/dist/index.js

@@ -358,26 +358,6 @@ async function build(pathArg, options) {
         logger.debug(`Found ${serviceManifest.services.length} service(s)`);
       }
     }
-    const renderer = cloudwerkConfig.ui?.renderer ?? "hono-jsx";
-    const serverEntryCode = generateServerEntry(manifest, scanResult, {
-      appDir,
-      routesDir,
-      config: cloudwerkConfig,
-      serverEntry: null,
-      clientEntry: null,
-      verbose,
-      hydrationEndpoint: "/__cloudwerk",
-      renderer,
-      publicDir: cloudwerkConfig.publicDir ?? "public",
-      root: cwd,
-      isProduction: true
-    }, {
-      queueManifest,
-      serviceManifest
-    });
-    const tempEntryPath = path2.join(tempDir, "_server-entry.ts");
-    fs2.writeFileSync(tempEntryPath, serverEntryCode);
-    logger.debug(`Generated temp entry: ${tempEntryPath}`);
     logger.debug(`Building client assets...`);
     const baseClientConfig = {
       root: cwd,
@@ -391,11 +371,14 @@ async function build(pathArg, options) {
         emptyOutDir: true,
         minify: minify ? "esbuild" : false,
         sourcemap,
+        manifest: true,
+        // Generate manifest.json for asset mapping
         rollupOptions: {
           input: "virtual:cloudwerk/client-entry",
           output: {
-            entryFileNames: "__cloudwerk/client.js",
+            entryFileNames: "__cloudwerk/client-[hash].js",
             chunkFileNames: "__cloudwerk/[name]-[hash].js",
+            // Use hashed names for CSS to enable caching
             assetFileNames: "__cloudwerk/[name]-[hash][extname]"
           }
         }
@@ -410,14 +393,41 @@ async function build(pathArg, options) {
         clientConfig.plugins = [...userPlugins, ...baseClientConfig.plugins ?? []];
       }
     }
+    let assetManifest = null;
     try {
       await viteBuild(clientConfig);
       logger.debug(`Client assets built successfully`);
+      const manifestPath = path2.join(outputDir, "static", ".vite", "manifest.json");
+      if (fs2.existsSync(manifestPath)) {
+        assetManifest = JSON.parse(fs2.readFileSync(manifestPath, "utf-8"));
+        logger.debug(`Loaded asset manifest with ${Object.keys(assetManifest).length} entries`);
+      }
     } catch (error) {
       if (verbose) {
         logger.debug(`Client build skipped or failed: ${error instanceof Error ? error.message : String(error)}`);
       }
     }
+    const renderer = cloudwerkConfig.ui?.renderer ?? "hono-jsx";
+    const serverEntryCode = generateServerEntry(manifest, scanResult, {
+      appDir,
+      routesDir,
+      config: cloudwerkConfig,
+      serverEntry: null,
+      clientEntry: null,
+      verbose,
+      hydrationEndpoint: "/__cloudwerk",
+      renderer,
+      publicDir: cloudwerkConfig.publicDir ?? "public",
+      root: cwd,
+      isProduction: true
+    }, {
+      queueManifest,
+      serviceManifest,
+      assetManifest
+    });
+    const tempEntryPath = path2.join(tempDir, "_server-entry.ts");
+    fs2.writeFileSync(tempEntryPath, serverEntryCode);
+    logger.debug(`Generated temp entry: ${tempEntryPath}`);
     logger.debug(`Building server bundle...`);
     const baseServerConfig = {
       root: cwd,
@@ -435,12 +445,16 @@ async function build(pathArg, options) {
         minify: minify ? "esbuild" : false,
         sourcemap,
         ssr: true,
+        // Emit CSS and other assets from SSR build (CSS imported in layouts, etc.)
+        ssrEmitAssets: true,
         rollupOptions: {
           input: tempEntryPath,
           // Externalize Node.js builtins (polyfilled by nodejs_compat in Workers)
           external: [...builtinModules, /^node:/],
           output: {
-            entryFileNames: "index.js"
+            entryFileNames: "index.js",
+            // Put assets in static directory to be served by Cloudflare
+            assetFileNames: "static/assets/[name]-[hash][extname]"
           }
         }
       },
@@ -465,6 +479,12 @@ async function build(pathArg, options) {
     }
     await viteBuild(serverConfig);
     logger.debug(`Server bundle built successfully`);
+    const headersContent = `/__cloudwerk/*
+  Cache-Control: public, max-age=31536000, immutable
+`;
+    const headersPath = path2.join(outputDir, "static", "_headers");
+    fs2.writeFileSync(headersPath, headersContent);
+    logger.debug(`Generated _headers file for static asset caching`);
     let ssgPaths = [];
     if (options.ssg) {
       logger.info(`Generating static pages...`);
@@ -1585,6 +1605,10 @@ function removeBinding(cwd, bindingName, env) {
         found = true;
       }
     }
+    if (cfg.images && cfg.images.binding === bindingName) {
+      delete cfg.images;
+      found = true;
+    }
     return found;
   };
   if (env && config.env?.[env]) {
@@ -1698,6 +1722,12 @@ function extractBindingsFromConfig(config) {
       });
     }
   }
+  if (config.images) {
+    bindings2.push({
+      type: "images",
+      name: config.images.binding
+    });
+  }
   return bindings2;
 }
 function getBindingTypeName(type) {
@@ -1722,6 +1752,8 @@ function getBindingTypeName(type) {
       return "Vectorize";
     case "hyperdrive":
       return "Hyperdrive";
+    case "images":
+      return "Images";
     default:
       return type;
   }
@@ -1826,7 +1858,8 @@ var TYPE_MAPPINGS = {
   secret: "string",
   ai: "Ai",
   vectorize: "VectorizeIndex",
-  hyperdrive: "Hyperdrive"
+  hyperdrive: "Hyperdrive",
+  images: 'import("@cloudwerk/core/bindings").CloudflareImagesBinding'
 };
 function getTypeForBinding(type) {
   return TYPE_MAPPINGS[type] || "unknown";
@@ -1857,6 +1890,7 @@ function generateEnvTypes(cwd, bindings2, options = {}) {
     "ai",
     "vectorize",
     "hyperdrive",
+    "images",
     "secret"
   ];
   const resultBindings = [];
@@ -1911,6 +1945,8 @@ function getSectionName(type) {
       return "Vectorize Indexes";
     case "hyperdrive":
       return "Hyperdrive";
+    case "images":
+      return "Images";
     default:
       return "Other";
   }
@@ -3005,6 +3041,7 @@ function generateBindingsDts(bindings2, includeTimestamp) {
     "ai",
     "vectorize",
     "hyperdrive",
+    "images",
     "secret"
   ];
   let firstSection = true;
@@ -3056,6 +3093,7 @@ function generateContextDts(bindings2, includeTimestamp) {
     "ai",
     "vectorize",
     "hyperdrive",
+    "images",
     "secret"
   ];
   let firstSection = true;
@@ -3130,6 +3168,8 @@ function getSectionName2(type) {
       return "Vectorize Indexes";
     case "hyperdrive":
       return "Hyperdrive";
+    case "images":
+      return "Images";
     default:
       return "Other";
   }
@@ -5782,6 +5822,435 @@ async function servicesStatus(options = {}) {
   }
 }
 
+// src/commands/auth.ts
+import pc25 from "picocolors";
+import { loadConfig as loadConfig21 } from "@cloudwerk/core/build";
+
+// src/utils/auth-scanner.ts
+import * as fs18 from "fs";
+import * as path20 from "path";
+import { pathToFileURL } from "url";
+import { build as build2 } from "esbuild";
+import {
+  scanAuth,
+  loadConfig as loadConfig20
+} from "@cloudwerk/core/build";
+async function compileTypeScriptModule(filePath) {
+  const result = await build2({
+    entryPoints: [filePath],
+    bundle: true,
+    write: false,
+    format: "esm",
+    platform: "node",
+    target: "node20",
+    // Externalize all packages - they'll be resolved from node_modules at runtime
+    packages: "external"
+  });
+  const fileDir = path20.dirname(filePath);
+  const fileName = path20.basename(filePath, path20.extname(filePath));
+  const tempPath = path20.join(fileDir, `.${fileName}-${Date.now()}.mjs`);
+  fs18.writeFileSync(tempPath, result.outputFiles[0].text);
+  return tempPath;
+}
+async function loadTypeScriptModule(filePath) {
+  let tempFile = null;
+  try {
+    if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) {
+      tempFile = await compileTypeScriptModule(filePath);
+      const module = await import(pathToFileURL(tempFile).href);
+      return module;
+    }
+    return await import(pathToFileURL(filePath).href);
+  } finally {
+    if (tempFile) {
+      try {
+        fs18.unlinkSync(tempFile);
+      } catch {
+      }
+    }
+  }
+}
+async function scanAuthProviders(appDir) {
+  const config = await loadConfig20(process.cwd());
+  const scanResult = await scanAuth(appDir, { extensions: config.extensions });
+  if (scanResult.providerFiles.length === 0) {
+    return [];
+  }
+  const providers = [];
+  for (const file of scanResult.providerFiles) {
+    const entry = {
+      id: file.providerId ?? file.name,
+      type: "oauth",
+      // Default
+      filePath: file.absolutePath,
+      name: file.name,
+      disabled: false
+    };
+    try {
+      const module = await loadTypeScriptModule(file.absolutePath);
+      const exported = module?.default;
+      if (exported && typeof exported === "object") {
+        const obj = exported;
+        if ("provider" in obj && "id" in obj && "type" in obj) {
+          providers.push({
+            id: obj.id,
+            type: obj.type,
+            filePath: file.absolutePath
+          });
+          continue;
+        }
+        if ("id" in obj && "type" in obj) {
+          providers.push({
+            id: obj.id,
+            type: obj.type,
+            filePath: file.absolutePath
+          });
+          continue;
+        }
+      }
+      providers.push({
+        id: entry.id,
+        type: entry.type,
+        filePath: entry.filePath
+      });
+    } catch (error) {
+      console.warn(`Failed to load provider module: ${file.absolutePath}`, error);
+      providers.push({
+        id: entry.id,
+        type: entry.type,
+        filePath: entry.filePath
+      });
+    }
+  }
+  return providers;
+}
+async function loadAuthConfig(appDir) {
+  const config = await loadConfig20(process.cwd());
+  const scanResult = await scanAuth(appDir, { extensions: config.extensions });
+  if (!scanResult.configFile) {
+    return null;
+  }
+  try {
+    const module = await loadTypeScriptModule(scanResult.configFile.absolutePath);
+    const authConfig = module?.default;
+    if (!authConfig) {
+      return null;
+    }
+    const session = authConfig.session;
+    return {
+      basePath: authConfig.basePath,
+      session: session?.strategy ? { strategy: session.strategy } : void 0,
+      debug: authConfig.debug
+    };
+  } catch {
+    return null;
+  }
+}
+function generateUsersTableSQL() {
+  return `-- Users table for authentication
+CREATE TABLE IF NOT EXISTS users (
+  id TEXT PRIMARY KEY,
+  email TEXT UNIQUE,
+  email_verified TEXT,
+  name TEXT,
+  image TEXT,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+`;
+}
+function generateAccountsTableSQL() {
+  return `-- Accounts table for OAuth provider links
+CREATE TABLE IF NOT EXISTS accounts (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  type TEXT NOT NULL,
+  provider TEXT NOT NULL,
+  provider_account_id TEXT NOT NULL,
+  refresh_token TEXT,
+  access_token TEXT,
+  expires_at INTEGER,
+  token_type TEXT,
+  scope TEXT,
+  id_token TEXT,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+  UNIQUE(provider, provider_account_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_accounts_user_id ON accounts(user_id);
+CREATE INDEX IF NOT EXISTS idx_accounts_provider ON accounts(provider, provider_account_id);
+`;
+}
+function generateSessionsTableSQL() {
+  return `-- Sessions table for database session strategy
+CREATE TABLE IF NOT EXISTS sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  session_token TEXT UNIQUE NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+  data TEXT,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_token ON sessions(session_token);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
+`;
+}
+function generateWebAuthnCredentialsTableSQL() {
+  return `-- WebAuthn credentials table for passkey authentication
+CREATE TABLE IF NOT EXISTS webauthn_credentials (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  public_key TEXT NOT NULL,
+  counter INTEGER NOT NULL DEFAULT 0,
+  aaguid TEXT,
+  transports TEXT,
+  backed_up INTEGER NOT NULL DEFAULT 0,
+  device_type TEXT NOT NULL DEFAULT 'singleDevice',
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  last_used_at TEXT,
+  name TEXT,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_credentials_user_id ON webauthn_credentials(user_id);
+`;
+}
+function generateVerificationTokensTableSQL() {
+  return `-- Verification tokens table for email verification and password reset
+CREATE TABLE IF NOT EXISTS verification_tokens (
+  identifier TEXT NOT NULL,
+  token TEXT NOT NULL,
+  expires_at TEXT NOT NULL,
+  PRIMARY KEY (identifier, token)
+);
+
+CREATE INDEX IF NOT EXISTS idx_verification_tokens_token ON verification_tokens(token);
+`;
+}
+function generateUserRolesTableSQL() {
+  return `-- User roles junction table for RBAC
+CREATE TABLE IF NOT EXISTS user_roles (
+  user_id TEXT NOT NULL,
+  role_id TEXT NOT NULL,
+  assigned_at TEXT NOT NULL DEFAULT (datetime('now')),
+  PRIMARY KEY (user_id, role_id),
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_roles_user_id ON user_roles(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_role_id ON user_roles(role_id);
+`;
+}
+
+// src/commands/auth.ts
+async function auth(options = {}) {
+  const verbose = options.verbose ?? false;
+  const logger = createLogger(verbose);
+  try {
+    const cwd = process.cwd();
+    logger.debug("Loading configuration...");
+    const config = await loadConfig21(cwd);
+    const appDir = config.appDir;
+    logger.debug(`Scanning for auth providers in ${appDir}/auth/providers/...`);
+    const providers = await scanAuthProviders(appDir);
+    logger.debug(`Loading auth config from ${appDir}/auth/config.ts...`);
+    const authConfig = await loadAuthConfig(appDir);
+    console.log();
+    console.log(pc25.bold("Cloudwerk Authentication"));
+    console.log();
+    console.log(pc25.dim(`  Found ${providers.length} provider(s):`));
+    if (providers.length === 0) {
+      console.log(pc25.dim("    (none)"));
+    } else {
+      for (const provider of providers) {
+        const typeColor = provider.type === "oauth" ? pc25.blue : provider.type === "passkey" ? pc25.yellow : provider.type === "credentials" ? pc25.green : pc25.cyan;
+        console.log(
+          `    ${pc25.cyan(provider.id)} ${pc25.dim("(")}${typeColor(provider.type)}${pc25.dim(")")}`
+        );
+      }
+    }
+    console.log();
+    const sessionStrategy = authConfig?.session?.strategy ?? "jwt";
+    console.log(pc25.dim("  Session strategy:"));
+    console.log(
+      `    ${sessionStrategy === "database" ? pc25.yellow("database") : pc25.green("jwt")} ${pc25.dim(sessionStrategy === "database" ? "(requires D1)" : "(stateless)")}`
+    );
+    console.log();
+    console.log(pc25.bold("Commands:"));
+    console.log();
+    console.log(
+      pc25.dim("  cloudwerk auth migrations     ") + "Generate D1 migration files"
+    );
+    console.log();
+    if (providers.length === 0) {
+      console.log(pc25.bold("Quick Start:"));
+      console.log();
+      console.log(pc25.dim("  Create a provider at app/auth/providers/github.ts:"));
+      console.log();
+      console.log(
+        pc25.cyan("    import { defineProvider, github } from '@cloudwerk/auth/convention'")
+      );
+      console.log();
+      console.log(pc25.cyan("    export default defineProvider("));
+      console.log(pc25.cyan("      github({"));
+      console.log(pc25.cyan("        clientId: process.env.GITHUB_CLIENT_ID!,"));
+      console.log(pc25.cyan("        clientSecret: process.env.GITHUB_CLIENT_SECRET!,"));
+      console.log(pc25.cyan("      })"));
+      console.log(pc25.cyan("    )"));
+      console.log();
+    }
+  } catch (error) {
+    handleCommandError(error, verbose);
+  }
+}
+
+// src/commands/auth/migrations.ts
+import * as fs19 from "fs";
+import * as path21 from "path";
+import pc26 from "picocolors";
+import { loadConfig as loadConfig22, scanAuth as scanAuth2 } from "@cloudwerk/core/build";
+async function authMigrations(options = {}) {
+  const verbose = options.verbose ?? false;
+  const dryRun = options.dryRun ?? false;
+  const logger = createLogger(verbose);
+  try {
+    const cwd = process.cwd();
+    logger.debug("Loading configuration...");
+    const config = await loadConfig22(cwd);
+    const appDir = config.appDir;
+    logger.debug(`Scanning for auth providers in ${appDir}/auth/providers/...`);
+    const providers = await scanAuthProviders(appDir);
+    logger.debug(`Loading auth config from ${appDir}/auth/config.ts...`);
+    const authConfig = await loadAuthConfig(appDir);
+    console.log();
+    console.log(pc26.bold("Auth Migrations Generator"));
+    console.log();
+    const tables = [];
+    tables.push({
+      name: "users",
+      reason: "Required for all auth",
+      sql: generateUsersTableSQL()
+    });
+    const hasOAuth = providers.some((p) => p.type === "oauth" || p.type === "oidc");
+    const hasPasskey = providers.some((p) => p.type === "passkey");
+    const hasEmail = providers.some((p) => p.type === "email");
+    if (hasOAuth) {
+      const oauthProviders = providers.filter((p) => p.type === "oauth" || p.type === "oidc").map((p) => p.id).join(", ");
+      tables.push({
+        name: "accounts",
+        reason: `Required for OAuth providers (${oauthProviders})`,
+        sql: generateAccountsTableSQL()
+      });
+    }
+    const sessionStrategy = authConfig?.session?.strategy ?? "jwt";
+    if (sessionStrategy === "database") {
+      tables.push({
+        name: "sessions",
+        reason: "Required for database session strategy",
+        sql: generateSessionsTableSQL()
+      });
+    }
+    if (hasPasskey) {
+      const passkeyProvider = providers.find((p) => p.type === "passkey");
+      tables.push({
+        name: "webauthn_credentials",
+        reason: `Required for passkey provider (${passkeyProvider?.id})`,
+        sql: generateWebAuthnCredentialsTableSQL()
+      });
+    }
+    if (hasEmail) {
+      const emailProvider = providers.find((p) => p.type === "email");
+      tables.push({
+        name: "verification_tokens",
+        reason: `Required for email provider (${emailProvider?.id})`,
+        sql: generateVerificationTokensTableSQL()
+      });
+    }
+    const authScanResult = await scanAuth2(appDir, { extensions: config.extensions });
+    const hasRBAC = authScanResult.rbacFile !== void 0;
+    if (hasRBAC) {
+      tables.push({
+        name: "user_roles",
+        reason: "Required for role-based access control",
+        sql: generateUserRolesTableSQL()
+      });
+    }
+    console.log(pc26.dim("  Detected configuration:"));
+    console.log(
+      `    ${pc26.cyan("Providers")}: ${providers.length === 0 ? pc26.dim("(none)") : providers.map((p) => `${p.id} (${p.type})`).join(", ")}`
+    );
+    console.log(
+      `    ${pc26.cyan("Session")}: ${sessionStrategy === "database" ? pc26.yellow("database") : pc26.green("jwt")}`
+    );
+    console.log(
+      `    ${pc26.cyan("RBAC")}: ${hasRBAC ? pc26.green("enabled") : pc26.dim("(none)")}`
+    );
+    console.log();
+    console.log(pc26.dim("  Tables to create:"));
+    for (const table of tables) {
+      console.log(`    ${pc26.green("\u2713")} ${pc26.cyan(table.name)} ${pc26.dim(`- ${table.reason}`)}`);
+    }
+    console.log();
+    const outputDir = options.output ?? path21.join(cwd, "migrations");
+    const migrationName = "0001_auth_tables.sql";
+    const migrationPath = path21.join(outputDir, migrationName);
+    const migrationContent = [
+      "-- Cloudwerk Auth Migration",
+      "-- Generated by: cloudwerk auth migrations",
+      `-- Date: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+      "--",
+      "-- This migration creates the following tables:",
+      ...tables.map((t) => `--   - ${t.name}: ${t.reason}`),
+      "",
+      ...tables.map((t) => t.sql)
+    ].join("\n");
+    if (dryRun) {
+      console.log(pc26.bold("Dry run - Migration content:"));
+      console.log();
+      console.log(pc26.dim("\u2500".repeat(60)));
+      console.log(migrationContent);
+      console.log(pc26.dim("\u2500".repeat(60)));
+      console.log();
+      console.log(pc26.dim(`  Would write to: ${migrationPath}`));
+      console.log();
+      return;
+    }
+    if (!fs19.existsSync(outputDir)) {
+      fs19.mkdirSync(outputDir, { recursive: true });
+      console.log(pc26.dim(`  Created migrations directory: ${outputDir}`));
+    }
+    if (fs19.existsSync(migrationPath)) {
+      console.log(pc26.yellow(`  Migration already exists: ${migrationPath}`));
+      console.log(pc26.dim("  Use --dry-run to preview the migration content"));
+      console.log(pc26.dim("  Delete the existing file to regenerate"));
+      console.log();
+      return;
+    }
+    fs19.writeFileSync(migrationPath, migrationContent);
+    console.log(pc26.green(`  \u2713 Created migration: ${migrationPath}`));
+    console.log();
+    console.log(pc26.bold("Next steps:"));
+    console.log();
+    console.log(pc26.dim("  1. Review the generated migration file"));
+    console.log(pc26.dim("  2. Apply with wrangler:"));
+    console.log();
+    console.log(pc26.cyan("     wrangler d1 migrations apply <DATABASE_NAME> --local"));
+    console.log();
+    console.log(pc26.dim("  3. For production:"));
+    console.log();
+    console.log(pc26.cyan("     wrangler d1 migrations apply <DATABASE_NAME> --remote"));
+    console.log();
+  } catch (error) {
+    handleCommandError(error, verbose);
+  }
+}
+
 // src/index.ts
 program.name("cloudwerk").description("Cloudwerk CLI - Build and deploy full-stack apps to Cloudflare").version(VERSION).enablePositionalOptions();
 program.command("dev [path]").description("Start development server").option("-p, --port <number>", "Port to listen on", String(DEFAULT_PORT)).option("-H, --host <host>", "Host to bind", DEFAULT_HOST).option("-c, --config <path>", "Path to config file").option("--verbose", "Enable verbose logging").action(dev);
@@ -5811,4 +6280,6 @@ servicesCmd.command("extract <name>").description("Extract service to separate W
 servicesCmd.command("inline <name>").description("Convert extracted service back to local mode").option("--verbose", "Enable verbose logging").action(servicesInline);
 servicesCmd.command("deploy <name>").description("Deploy extracted service").option("-e, --env <environment>", "Environment to deploy to").option("--verbose", "Enable verbose logging").action(servicesDeploy);
 servicesCmd.command("status").description("Show status of all services").option("--json", "Output as JSON").option("--verbose", "Enable verbose logging").action(servicesStatus);
+var authCmd = program.command("auth").description("Manage Cloudwerk authentication").enablePositionalOptions().passThroughOptions().option("--verbose", "Enable verbose logging").action(auth);
+authCmd.command("migrations").description("Generate D1 migration files for auth tables").option("-o, --output <dir>", "Output directory for migrations").option("--dry-run", "Preview migration without writing").option("--verbose", "Enable verbose logging").action(authMigrations);
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudwerk/cli",
-  "version": "0.15.0",
+  "version": "0.15.2",
   "description": "Dev server, build, deploy commands for Cloudwerk",
   "repository": {
     "type": "git",
@@ -31,9 +31,9 @@
     "picocolors": "^1.1.0",
     "wrangler": "^4.0.0",
     "vite": "^6.0.0",
-    "@cloudwerk/core": "^0.15.0",
-    "@cloudwerk/vite-plugin": "^0.6.2",
-    "@cloudwerk/ui": "^0.15.0"
+    "@cloudwerk/core": "^0.15.1",
+    "@cloudwerk/ui": "^0.15.1",
+    "@cloudwerk/vite-plugin": "^0.6.5"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",