@donotdev/cli 0.0.18 → 0.0.20

package/dist/bin/commands/setup.js

@@ -281,7 +281,7 @@ function fD({ input: e2 = j, output: u2 = M, overwrite: t = true, hideCursor: F2
     e2.off("keypress", i), F2 && u2.write(import_sisteransi.cursor.show), e2.isTTY && !AD && e2.setRawMode(false), s.terminal = false, s.close();
   };
 }
-var import_sisteransi, import_picocolors, uD, W, tD, eD, FD, sD, w, N, I, R, r, iD, CD, ED, d, oD, y, V, nD, G, _, z, K, aD, k, hD, lD, xD, B, AD, S, gD, vD, h, x, dD, A, kD, $D, H, SD, TD, jD, U, MD, OD, PD, J, LD, RD;
+var import_sisteransi, import_picocolors, uD, W, tD, eD, FD, sD, w, N, I, R, r, iD, CD, ED, d, oD, y, V, nD, G, _, z, K, aD, k, hD, lD, xD, B, AD, S, gD, vD, h, x, dD, A, OD, PD, J, LD, RD;
 var init_dist = __esm({
   "node_modules/.bun/@clack+prompts@0.11.0/node_modules/@clack/prompts/node_modules/@clack/core/dist/index.mjs"() {
     init_utils();
@@ -519,63 +519,6 @@ var init_dist = __esm({
       }
     };
     A = /* @__PURE__ */ new WeakMap();
-    kD = Object.defineProperty;
-    $D = (e2, u2, t) => u2 in e2 ? kD(e2, u2, { enumerable: true, configurable: true, writable: true, value: t }) : e2[u2] = t;
-    H = (e2, u2, t) => ($D(e2, typeof u2 != "symbol" ? u2 + "" : u2, t), t);
-    SD = class extends x {
-      constructor(u2) {
-        super(u2, false), H(this, "options"), H(this, "cursor", 0), this.options = u2.options, this.value = [...u2.initialValues ?? []], this.cursor = Math.max(this.options.findIndex(({ value: t }) => t === u2.cursorAt), 0), this.on("key", (t) => {
-          t === "a" && this.toggleAll();
-        }), this.on("cursor", (t) => {
-          switch (t) {
-            case "left":
-            case "up":
-              this.cursor = this.cursor === 0 ? this.options.length - 1 : this.cursor - 1;
-              break;
-            case "down":
-            case "right":
-              this.cursor = this.cursor === this.options.length - 1 ? 0 : this.cursor + 1;
-              break;
-            case "space":
-              this.toggleValue();
-              break;
-          }
-        });
-      }
-      get _value() {
-        return this.options[this.cursor].value;
-      }
-      toggleAll() {
-        const u2 = this.value.length === this.options.length;
-        this.value = u2 ? [] : this.options.map((t) => t.value);
-      }
-      toggleValue() {
-        const u2 = this.value.includes(this._value);
-        this.value = u2 ? this.value.filter((t) => t !== this._value) : [...this.value, this._value];
-      }
-    };
-    TD = Object.defineProperty;
-    jD = (e2, u2, t) => u2 in e2 ? TD(e2, u2, { enumerable: true, configurable: true, writable: true, value: t }) : e2[u2] = t;
-    U = (e2, u2, t) => (jD(e2, typeof u2 != "symbol" ? u2 + "" : u2, t), t);
-    MD = class extends x {
-      constructor({ mask: u2, ...t }) {
-        super(t), U(this, "valueWithCursor", ""), U(this, "_mask", "\u2022"), this._mask = u2 ?? "\u2022", this.on("finalize", () => {
-          this.valueWithCursor = this.masked;
-        }), this.on("value", () => {
-          if (this.cursor >= this.value.length) this.valueWithCursor = `${this.masked}${import_picocolors.default.inverse(import_picocolors.default.hidden("_"))}`;
-          else {
-            const F2 = this.masked.slice(0, this.cursor), s = this.masked.slice(this.cursor);
-            this.valueWithCursor = `${F2}${import_picocolors.default.inverse(s[0])}${s.slice(1)}`;
-          }
-        });
-      }
-      get cursor() {
-        return this._cursor;
-      }
-      get masked() {
-        return this.value.replaceAll(/./g, this._mask);
-      }
-    };
     OD = Object.defineProperty;
     PD = (e2, u2, t) => u2 in e2 ? OD(e2, u2, { enumerable: true, configurable: true, writable: true, value: t }) : e2[u2] = t;
     J = (e2, u2, t) => (PD(e2, typeof u2 != "symbol" ? u2 + "" : u2, t), t);
@@ -627,7 +570,7 @@ import y2 from "node:process";
 function ce() {
   return y2.platform !== "win32" ? y2.env.TERM !== "linux" : !!y2.env.CI || !!y2.env.WT_SESSION || !!y2.env.TERMINUS_SUBLIME || y2.env.ConEmuTask === "{cmd::Cmder}" || y2.env.TERM_PROGRAM === "Terminus-Sublime" || y2.env.TERM_PROGRAM === "vscode" || y2.env.TERM === "xterm-256color" || y2.env.TERM === "alacritty" || y2.env.TERMINAL_EMULATOR === "JetBrains-JediTerm";
 }
-var import_picocolors2, import_sisteransi2, V2, u, le, L2, W2, C, ue, o, d2, k2, P2, A2, T, F, $e, _2, me, de, pe, q, D, U2, K2, b2, G2, he, ge, ye, ve, fe, Me, xe, Ie, Se, M2, J2, Y2;
+var import_picocolors2, import_sisteransi2, V2, u, le, L2, W2, C, ue, o, d2, k2, P2, A2, T, F, $e, _2, me, de, pe, q, D, U, K2, b2, G2, he, ye, ve, Me, xe, Ie, Se, M2, J2, Y2;
 var init_dist2 = __esm({
   "node_modules/.bun/@clack+prompts@0.11.0/node_modules/@clack/prompts/dist/index.mjs"() {
     init_utils();
@@ -656,7 +599,7 @@ var init_dist2 = __esm({
     pe = u("\u256F", "+");
     q = u("\u25CF", "\u2022");
     D = u("\u25C6", "*");
-    U2 = u("\u25B2", "!");
+    U = u("\u25B2", "!");
     K2 = u("\u25A0", "x");
     b2 = (t) => {
       switch (t) {
@@ -699,27 +642,6 @@ ${import_picocolors2.default.gray(o)}` : ""}`;
         default:
           return `${n}${import_picocolors2.default.cyan(o)}  ${i}
 ${import_picocolors2.default.cyan(d2)}
-`;
-      }
-    } }).prompt();
-    ge = (t) => new MD({ validate: t.validate, mask: t.mask ?? $e, render() {
-      const n = `${import_picocolors2.default.gray(o)}
-${b2(this.state)}  ${t.message}
-`, r2 = this.valueWithCursor, i = this.masked;
-      switch (this.state) {
-        case "error":
-          return `${n.trim()}
-${import_picocolors2.default.yellow(o)}  ${i}
-${import_picocolors2.default.yellow(d2)}  ${import_picocolors2.default.yellow(this.error)}
-`;
-        case "submit":
-          return `${n}${import_picocolors2.default.gray(o)}  ${import_picocolors2.default.dim(i)}`;
-        case "cancel":
-          return `${n}${import_picocolors2.default.gray(o)}  ${import_picocolors2.default.strikethrough(import_picocolors2.default.dim(i ?? ""))}${i ? `
-${import_picocolors2.default.gray(o)}` : ""}`;
-        default:
-          return `${n}${import_picocolors2.default.cyan(o)}  ${r2}
-${import_picocolors2.default.cyan(d2)}
 `;
       }
     } }).prompt();
@@ -770,46 +692,6 @@ ${import_picocolors2.default.gray(o)}`;
             return `${r2}${import_picocolors2.default.cyan(o)}  ${G2({ cursor: this.cursor, options: this.options, maxItems: t.maxItems, style: (i, s) => n(i, s ? "active" : "inactive") }).join(`
 ${import_picocolors2.default.cyan(o)}  `)}
 ${import_picocolors2.default.cyan(d2)}
-`;
-        }
-      } }).prompt();
-    };
-    fe = (t) => {
-      const n = (r2, i) => {
-        const s = r2.label ?? String(r2.value);
-        return i === "active" ? `${import_picocolors2.default.cyan(A2)} ${s} ${r2.hint ? import_picocolors2.default.dim(`(${r2.hint})`) : ""}` : i === "selected" ? `${import_picocolors2.default.green(T)} ${import_picocolors2.default.dim(s)} ${r2.hint ? import_picocolors2.default.dim(`(${r2.hint})`) : ""}` : i === "cancelled" ? `${import_picocolors2.default.strikethrough(import_picocolors2.default.dim(s))}` : i === "active-selected" ? `${import_picocolors2.default.green(T)} ${s} ${r2.hint ? import_picocolors2.default.dim(`(${r2.hint})`) : ""}` : i === "submitted" ? `${import_picocolors2.default.dim(s)}` : `${import_picocolors2.default.dim(F)} ${import_picocolors2.default.dim(s)}`;
-      };
-      return new SD({ options: t.options, initialValues: t.initialValues, required: t.required ?? true, cursorAt: t.cursorAt, validate(r2) {
-        if (this.required && r2.length === 0) return `Please select at least one option.
-${import_picocolors2.default.reset(import_picocolors2.default.dim(`Press ${import_picocolors2.default.gray(import_picocolors2.default.bgWhite(import_picocolors2.default.inverse(" space ")))} to select, ${import_picocolors2.default.gray(import_picocolors2.default.bgWhite(import_picocolors2.default.inverse(" enter ")))} to submit`))}`;
-      }, render() {
-        const r2 = `${import_picocolors2.default.gray(o)}
-${b2(this.state)}  ${t.message}
-`, i = (s, c) => {
-          const a = this.value.includes(s.value);
-          return c && a ? n(s, "active-selected") : a ? n(s, "selected") : n(s, c ? "active" : "inactive");
-        };
-        switch (this.state) {
-          case "submit":
-            return `${r2}${import_picocolors2.default.gray(o)}  ${this.options.filter(({ value: s }) => this.value.includes(s)).map((s) => n(s, "submitted")).join(import_picocolors2.default.dim(", ")) || import_picocolors2.default.dim("none")}`;
-          case "cancel": {
-            const s = this.options.filter(({ value: c }) => this.value.includes(c)).map((c) => n(c, "cancelled")).join(import_picocolors2.default.dim(", "));
-            return `${r2}${import_picocolors2.default.gray(o)}  ${s.trim() ? `${s}
-${import_picocolors2.default.gray(o)}` : ""}`;
-          }
-          case "error": {
-            const s = this.error.split(`
-`).map((c, a) => a === 0 ? `${import_picocolors2.default.yellow(d2)}  ${import_picocolors2.default.yellow(c)}` : `   ${c}`).join(`
-`);
-            return `${r2 + import_picocolors2.default.yellow(o)}  ${G2({ options: this.options, cursor: this.cursor, maxItems: t.maxItems, style: i }).join(`
-${import_picocolors2.default.yellow(o)}  `)}
-${s}
-`;
-          }
-          default:
-            return `${r2}${import_picocolors2.default.cyan(o)}  ${G2({ options: this.options, cursor: this.cursor, maxItems: t.maxItems, style: i }).join(`
-${import_picocolors2.default.cyan(o)}  `)}
-${import_picocolors2.default.cyan(d2)}
 `;
         }
       } }).prompt();
@@ -861,7 +743,7 @@ ${import_picocolors2.default.gray(d2)}  ${t}
     }, step: (t) => {
       M2.message(t, { symbol: import_picocolors2.default.green(C) });
     }, warn: (t) => {
-      M2.message(t, { symbol: import_picocolors2.default.yellow(U2) });
+      M2.message(t, { symbol: import_picocolors2.default.yellow(U) });
     }, warning: (t) => {
       M2.warn(t);
     }, error: (t) => {
@@ -888,7 +770,7 @@ ${import_picocolors2.default.gray(d2)}  ${t}
       }, R2 = (m2) => m2.replace(/\.+$/, ""), O2 = (m2) => {
         const h2 = (performance.now() - m2) / 1e3, w2 = Math.floor(h2 / 60), I2 = Math.floor(h2 % 60);
         return w2 > 0 ? `[${w2}m ${I2}s]` : `[${I2}s]`;
-      }, H2 = (m2 = "") => {
+      }, H = (m2 = "") => {
         a = true, s = fD(), l2 = R2(m2), g2 = performance.now(), process.stdout.write(`${import_picocolors2.default.gray(o)}
 `);
         let h2 = 0, w2 = 0;
@@ -911,7 +793,7 @@ ${import_picocolors2.default.gray(d2)}  ${t}
 `) : process.stdout.write(`${w2}  ${l2}
 `), E(), s();
       };
-      return { start: H2, stop: N2, message: (m2 = "") => {
+      return { start: H, stop: N2, message: (m2 = "") => {
         l2 = R2(m2 ?? l2);
       } };
     };
@@ -8361,24 +8243,6 @@ async function askForSelection(message, choices, defaultValue = 0) {
   }
   return result;
 }
-async function askForMultiSelection(message, choices, defaultIndices = []) {
-  const options = choices.map((choice) => ({
-    value: choice.value,
-    label: choice.title,
-    hint: choice.hint
-  }));
-  const initialValues = defaultIndices.map((i) => choices[i]?.value).filter(Boolean);
-  const result = await fe({
-    message,
-    options,
-    initialValues: initialValues.length > 0 ? initialValues : void 0
-  });
-  if (pD(result)) {
-    xe("Operation cancelled.");
-    process.exit(0);
-  }
-  return result;
-}
 var init_cli_input = __esm({
   "packages/tooling/src/utils/cli-input.ts"() {
     "use strict";
@@ -8405,14 +8269,27 @@ function readEnvVar(filePath, varName) {
   }
   return null;
 }
-function resolveVercelToken(appDir) {
-  if (process.env.VERCEL_TOKEN) return process.env.VERCEL_TOKEN;
-  const fromEnv = readEnvVar(joinPath(appDir, ".env"), "VERCEL_TOKEN");
-  if (fromEnv) return fromEnv;
-  const fromLocal = readEnvVar(joinPath(appDir, ".env.local"), "VERCEL_TOKEN");
+function resolveVercelVar(appDir, varName) {
+  if (process.env[varName]) return process.env[varName];
+  const fromLocal = readEnvVar(joinPath(appDir, ".env.local"), varName);
   if (fromLocal) return fromLocal;
+  const fromEnv = readEnvVar(joinPath(appDir, ".env"), varName);
+  if (fromEnv) return fromEnv;
   return null;
 }
+function resolveVercelCredentials(appDir) {
+  const token = resolveVercelVar(appDir, "VERCEL_TOKEN");
+  const orgId = resolveVercelVar(appDir, "VERCEL_ORG_ID");
+  const projectId = resolveVercelVar(appDir, "VERCEL_PROJECT_ID");
+  const missing = [];
+  if (!token) missing.push("VERCEL_TOKEN");
+  if (!orgId) missing.push("VERCEL_ORG_ID");
+  if (!projectId) missing.push("VERCEL_PROJECT_ID");
+  if (missing.length > 0) return { missing };
+  return {
+    credentials: { token, orgId, projectId }
+  };
+}
 var init_vercel_token = __esm({
   "packages/tooling/src/cli/setup/vercel-token.ts"() {
     "use strict";
@@ -8444,6 +8321,67 @@ var init_error_handling = __esm({
   }
 });
 
+// packages/tooling/src/utils/cross-app-detection.ts
+function detectBackendFromProviders(appDir) {
+  for (const candidate of PROVIDERS_CANDIDATES) {
+    const filePath = joinPath(appDir, candidate);
+    if (!pathExists(filePath)) continue;
+    const content = readSync(filePath, { format: "text" });
+    if (typeof content !== "string") continue;
+    if (content.includes("@donotdev/firebase") || content.includes("FirebaseAuth") || content.includes("firebaseAuth")) {
+      return "firebase";
+    }
+    if (content.includes("@donotdev/supabase") || content.includes("SupabaseAuth") || content.includes("supabaseAuth")) {
+      return "supabase";
+    }
+    break;
+  }
+  return null;
+}
+function analyzeProjectTopology(projectRoot) {
+  const apps = detectApps(projectRoot);
+  const appBackends = /* @__PURE__ */ new Map();
+  const backendOwners = /* @__PURE__ */ new Map();
+  for (const app of apps) {
+    let backend = app.platform === "firebase" || app.platform === "supabase" ? app.platform : null;
+    if (!backend) {
+      backend = detectBackendFromProviders(app.path);
+    }
+    appBackends.set(app.name, backend);
+    if (pathExists(joinPath(app.path, "supabase", "config.toml"))) {
+      backendOwners.set("supabase", app);
+    }
+    if (pathExists(joinPath(app.path, "firebase.json")) || pathExists(joinPath(app.path, "functions", "firebase.json"))) {
+      backendOwners.set("firebase", app);
+    }
+  }
+  if (!backendOwners.has("firebase") && (pathExists(joinPath(projectRoot, "firebase.json")) || pathExists(joinPath(projectRoot, ".firebaserc")))) {
+  }
+  return { apps, appBackends, backendOwners };
+}
+function findBackendApp(topology, appName) {
+  const backend = topology.appBackends.get(appName);
+  if (!backend) return void 0;
+  return topology.backendOwners.get(backend);
+}
+var PROVIDERS_CANDIDATES;
+var init_cross_app_detection = __esm({
+  "packages/tooling/src/utils/cross-app-detection.ts"() {
+    "use strict";
+    init_utils();
+    init_app_detection();
+    init_pathResolver();
+    PROVIDERS_CANDIDATES = [
+      "src/config/providers.ts",
+      "src/config/providers.tsx",
+      "src/providers.ts",
+      "src/providers.tsx",
+      "src/lib/providers.ts",
+      "src/lib/providers.tsx"
+    ];
+  }
+});
+
 // packages/tooling/src/cli/setup/types.ts
 function computeOverallStatus(steps) {
   const hasFailure = steps.some((s) => s.status === "failed");
@@ -8523,7 +8461,7 @@ function isFirebaseInstalled() {
 async function checkPrerequisites() {
   if (!isFirebaseInstalled()) {
     log.error("Firebase CLI is not installed.");
-    log.info("Install it with: npm install -g firebase-tools");
+    log.info("Install it with: bun install -g firebase-tools");
     process.exit(1);
   }
   if (!isFirebaseLoggedIn()) {
@@ -8974,15 +8912,40 @@ var init_firebase = __esm({
 });
 
 // packages/tooling/src/utils/supabase-management.ts
-import { execSync } from "node:child_process";
-function extractProjectRef(supabaseUrl) {
-  const match = supabaseUrl.match(/https?:\/\/([a-z0-9]+)\.supabase\.co/);
-  if (!match?.[1]) {
-    throw new Error(
-      `Cannot extract project ref from URL: ${supabaseUrl}. Expected format: https://<ref>.supabase.co`
-    );
+import { execSync, spawnSync as spawnSync2 } from "node:child_process";
+function stripQuotes(value) {
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+function detectDbUrl(appDir) {
+  const envPaths = [
+    joinPath(appDir, "supabase", "functions", ".env"),
+    joinPath(appDir, "functions", ".env"),
+    joinPath(appDir, ".env.local"),
+    joinPath(appDir, ".env")
+  ];
+  for (const envPath of envPaths) {
+    if (!pathExists(envPath)) continue;
+    try {
+      const content = readSync(envPath);
+      if (!content) continue;
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
+        const eqIdx = trimmed.indexOf("=");
+        const key = trimmed.slice(0, eqIdx).trim();
+        const value = stripQuotes(trimmed.slice(eqIdx + 1).trim());
+        if (key === "SUPABASE_DB_URL" && value) {
+          return value;
+        }
+      }
+    } catch {
+      continue;
+    }
   }
-  return match[1];
+  return null;
 }
 async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   const migrationsDir = joinPath(supabaseDir, "migrations");
@@ -9040,35 +9003,38 @@ async function executeMigration(options) {
   const projectRoot = dirname4(supabaseDir);
   try {
     const cmd = getSupabaseCmd();
-    execSync(`${cmd} db push --include-all`, {
+    const parts = cmd.split(" ");
+    const bin = parts[0];
+    const baseArgs = [
+      ...parts.slice(1),
+      "db",
+      "push",
+      "--include-all",
+      "--db-url",
+      options.dbUrl
+    ];
+    const result = spawnSync2(bin, baseArgs, {
       cwd: projectRoot,
       stdio: ["pipe", "pipe", "pipe"],
       input: "Y\n",
       env: { ...process.env }
     });
+    if (result.status !== 0) {
+      const stderr = result.stderr?.toString() || "";
+      throw new Error(stderr || `Process exited with code ${result.status}`);
+    }
   } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : String(error2);
+    const raw = error2 instanceof Error ? error2.message : String(error2);
+    const sanitized = raw.replace(
+      /postgresql:\/\/[^\s"']*/g,
+      "postgresql://***"
+    );
     throw new Error(
-      `Failed to push migrations: ${message}
-Apply manually: copy the generated .sql content into the Supabase Dashboard SQL Editor.`
+      `Failed to push migrations: ${sanitized}
+Check your SUPABASE_DB_URL (format: postgresql://postgres:<password>@db.<ref>.supabase.co:5432/postgres)`
     );
   }
 }
-function ensureProjectLinked(appDir, projectRef) {
-  const linkMarker = joinPath(appDir, ".supabase");
-  if (pathExists(linkMarker)) return;
-  const cmd = getSupabaseCmd();
-  try {
-    execSync(`${cmd} link --project-ref ${projectRef}`, {
-      cwd: appDir,
-      stdio: "pipe",
-      env: { ...process.env }
-    });
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : String(error2);
-    throw new Error(`Failed to link Supabase project: ${message}`);
-  }
-}
 function getSupabaseCmd() {
   try {
     execSync("supabase --version", { stdio: "pipe" });
@@ -9694,6 +9660,9 @@ function roleToSqlCondition(role) {
     case "super":
       return "(auth.jwt()->'app_metadata'->>'role') = 'super'";
     default:
+      log.warn(
+        `Unknown access role "${role}" \u2014 defaulting to deny (false). Use guest|user|admin|super.`
+      );
       return "false";
   }
 }
@@ -10288,30 +10257,32 @@ async function main3(options = {}) {
   const supabaseUrl = existingConfig.url;
   log.success(`Supabase URL: ${supabaseUrl}`);
   const secretKey = detectSecretKey(appDir);
-  if (secretKey) {
-    log.success("Secret key detected");
-  } else {
+  const dbUrl = detectDbUrl(appDir);
+  if (secretKey) log.success("Secret key detected");
+  else log.error("Missing SUPABASE_SECRET_KEY in supabase/functions/.env");
+  if (dbUrl) log.success("DB URL detected");
+  else log.error("Missing SUPABASE_DB_URL in supabase/functions/.env");
+  if (!secretKey || !dbUrl) {
     const functionsEnvPath = joinPath(supabaseDir, "functions", ".env");
+    const missing = [];
+    if (!secretKey) missing.push("  SUPABASE_SECRET_KEY=your-service-role-key");
+    if (!dbUrl)
+      missing.push(
+        "  SUPABASE_DB_URL=postgresql://postgres:...@db.<ref>.supabase.co:5432/postgres"
+      );
     Me(
       [
         `Fill in ${functionsEnvPath}:`,
-        "  SUPABASE_SECRET_KEY=your-service-role-key",
+        ...missing,
         "",
-        "Get this from: https://supabase.com/dashboard > Settings > API > service_role key",
+        "Get these from: https://supabase.com/dashboard > Settings > Database",
         "",
-        "Without it, migrations cannot be pushed to the remote database."
+        "Then re-run: dndev setup supabase"
       ].join("\n"),
-      "Missing Secret Key"
-    );
-  }
-  try {
-    const projectRef = extractProjectRef(supabaseUrl);
-    ensureProjectLinked(appDir, projectRef);
-    log.success("Supabase CLI linked");
-  } catch (error2) {
-    log.warn(
-      `Could not link Supabase project: ${error2 instanceof Error ? error2.message : String(error2)}`
+      "Missing Credentials"
     );
+    Se("Setup aborted.");
+    return;
   }
   const entitiesDir = joinPath(projectRoot, "entities");
   const hasEntities = pathExists(entitiesDir) && pathExists(joinPath(entitiesDir, "index.ts"));
@@ -10364,25 +10335,21 @@ async function main3(options = {}) {
     }
   }
   let migrationsPushed = false;
-  if (!secretKey) {
-    log.info("Skipping migration push (no secret key).");
-  } else {
-    const shouldPush = await askForConfirmation(
-      "Push migrations to remote database?",
-      true
-    );
-    if (shouldPush) {
-      const s = Y2();
-      s.start("Pushing migrations...");
-      try {
-        await executeMigration({ supabaseDir });
-        s.stop("Migrations pushed successfully");
-        migrationsPushed = true;
-      } catch (error2) {
-        s.stop("Failed to push migrations");
-        log.error(`${error2 instanceof Error ? error2.message : String(error2)}`);
-        log.info("Apply manually via the Supabase Dashboard SQL Editor.");
-      }
+  const shouldPush = await askForConfirmation(
+    "Push migrations to remote database?",
+    true
+  );
+  if (shouldPush) {
+    const s = Y2();
+    s.start("Pushing migrations...");
+    try {
+      await executeMigration({ supabaseDir, dbUrl });
+      s.stop("Migrations pushed successfully");
+      migrationsPushed = true;
+    } catch (error2) {
+      s.stop("Failed to push migrations");
+      log.error(`${error2 instanceof Error ? error2.message : String(error2)}`);
+      log.info("Apply manually via the Supabase Dashboard SQL Editor.");
     }
   }
   try {
@@ -10441,96 +10408,121 @@ var init_supabase = __esm({
       async run(ctx) {
         const steps = [];
         const framework = ctx.app?.framework === "nextjs" ? "nextjs" : "vite";
+        const supabaseDir = joinPath(ctx.appDir, "supabase");
         const existingConfig = detectPublicConfig(ctx.appDir, framework);
         if (!existingConfig) {
-          const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
-          const envPath = joinPath(ctx.appDir, ".env");
-          Me(
-            [
-              `Fill in ${envPath}:`,
-              `  ${prefix}SUPABASE_URL=https://your-project.supabase.co`,
-              `  ${prefix}SUPABASE_PUBLIC_KEY=sb_publishable_...`,
-              "",
-              "Get these from: https://supabase.com/dashboard > Settings > API",
-              "",
-              "Then re-run: dndev setup supabase"
-            ].join("\n"),
-            "Missing Public Credentials"
-          );
           steps.push({
             name: "Credentials",
             status: "failed",
-            message: "Missing Supabase credentials in .env",
-            coachingTopic: "supabase-credentials"
+            message: "Missing Supabase URL or public key in .env"
           });
           return { provider: "supabase", steps, overallStatus: "failed" };
         }
-        const supabaseUrl = existingConfig.url;
-        steps.push({
-          name: "Public credentials",
-          status: "success",
-          message: `URL: ${supabaseUrl}`
-        });
         const secretKey = detectSecretKey(ctx.appDir);
-        if (secretKey) {
+        const dbUrl = detectDbUrl(ctx.appDir);
+        const missingSecrets = [];
+        if (!secretKey) missingSecrets.push("SUPABASE_SECRET_KEY");
+        if (!dbUrl) missingSecrets.push("SUPABASE_DB_URL");
+        if (missingSecrets.length > 0) {
           steps.push({
-            name: "Secret key",
-            status: "success",
-            message: "Detected in functions/.env"
+            name: "Credentials",
+            status: "failed",
+            message: `Missing in functions/.env: ${missingSecrets.join(", ")}`
           });
+          return { provider: "supabase", steps, overallStatus: "failed" };
+        }
+        steps.push({
+          name: "Credentials",
+          status: "success",
+          message: `${existingConfig.url}`
+        });
+        const entitiesDir = joinPath(ctx.projectRoot, "entities");
+        const hasEntities = pathExists(entitiesDir) && pathExists(joinPath(entitiesDir, "index.ts"));
+        let generatedEntityFile = null;
+        if (hasEntities) {
+          try {
+            const { SqlGenerator: SqlGenerator2 } = await Promise.resolve().then(() => (init_sql_generator(), sql_generator_exports));
+            const generator = new SqlGenerator2({
+              entityDir: entitiesDir,
+              outputDir: joinPath(supabaseDir, "migrations"),
+              singleFile: true
+            });
+            const s = Y2();
+            s.start("Generating SQL from entities...");
+            const result = await generator.run();
+            if (result.success) {
+              s.stop("SQL generated");
+              generatedEntityFile = result.generatedFiles[0] ?? null;
+              steps.push({
+                name: "SQL generation",
+                status: "success",
+                message: `${result.filesGenerated} migration file(s)`
+              });
+            } else {
+              s.stop("SQL generation failed");
+              steps.push({
+                name: "SQL generation",
+                status: "failed",
+                message: "Generator returned failure"
+              });
+            }
+          } catch (error2) {
+            steps.push({
+              name: "SQL generation",
+              status: "failed",
+              message: getErrorMessage(error2)
+            });
+          }
         } else {
-          const supabaseDir = joinPath(ctx.appDir, "supabase");
-          const functionsEnvPath = joinPath(supabaseDir, "functions", ".env");
-          Me(
-            [
-              `Fill in ${functionsEnvPath}:`,
-              "  SUPABASE_SECRET_KEY=your-service-role-key",
-              "",
-              "Get this from: https://supabase.com/dashboard > Settings > API > service_role key"
-            ].join("\n"),
-            "Missing Secret Key"
-          );
           steps.push({
-            name: "Secret key",
-            status: "needs-manual",
-            message: "Secret key not found \u2014 needed for migrations",
-            coachingTopic: "supabase-secret-key"
+            name: "SQL generation",
+            status: "skipped",
+            message: "No entities/ directory"
           });
         }
-        if (!ctx.dryRun) {
+        if (generatedEntityFile) {
+          try {
+            await cleanupOldEntityMigrations(supabaseDir, generatedEntityFile);
+          } catch {
+          }
+        }
+        const migrationsDir = joinPath(supabaseDir, "migrations");
+        if (pathExists(migrationsDir)) {
+          const s = Y2();
+          s.start("Pushing migrations...");
           try {
-            const projectRef = extractProjectRef(supabaseUrl);
-            ensureProjectLinked(ctx.appDir, projectRef);
+            await executeMigration({ supabaseDir, dbUrl });
+            s.stop("Migrations pushed");
             steps.push({
-              name: "CLI link",
+              name: "DB migrations",
               status: "success",
-              message: "Supabase CLI linked"
+              message: "All migrations applied"
             });
-          } catch (err) {
+          } catch (error2) {
+            s.stop("Migration push failed");
             steps.push({
-              name: "CLI link",
+              name: "DB migrations",
               status: "failed",
-              message: getErrorMessage(err)
+              message: getErrorMessage(error2)
+            });
+          }
+        }
+        if (hasEntities) {
+          try {
+            await generateCrudFunction(supabaseDir, ctx.projectRoot);
+            steps.push({
+              name: "CRUD function",
+              status: "success",
+              message: "Entity imports patched"
+            });
+          } catch (error2) {
+            steps.push({
+              name: "CRUD function",
+              status: "failed",
+              message: getErrorMessage(error2)
             });
           }
-        } else {
-          steps.push({ name: "CLI link", status: "skipped", message: "Dry run" });
         }
-        Me(
-          [
-            "If you use custom RLS policies beyond the defaults,",
-            "review them in the Supabase Dashboard:",
-            "",
-            "https://supabase.com/dashboard > Authentication > Policies"
-          ].join("\n"),
-          "Row Level Security"
-        );
-        steps.push({
-          name: "RLS policies",
-          status: "needs-manual",
-          message: "Review custom RLS policies in dashboard",
-          coachingTopic: "supabase-rls"
-        });
         return {
           provider: "supabase",
           steps,
@@ -10546,27 +10538,13 @@ var vercel_exports = {};
 __export(vercel_exports, {
   vercelWizard: () => vercelWizard
 });
-import { spawnSync as spawnSync2 } from "node:child_process";
-function isVercelInstalled() {
-  try {
-    const result = spawnSync2("vercel", ["--version"], {
-      stdio: "pipe",
-      encoding: "utf-8"
-    });
-    return result.status === 0;
-  } catch {
-    return false;
-  }
-}
 var vercelWizard;
 var init_vercel = __esm({
   "packages/tooling/src/cli/setup/vercel.ts"() {
     "use strict";
     init_utils();
     init_cli_output();
-    init_cli_output();
     init_pathResolver();
-    init_error_handling();
     init_types();
     init_vercel_token();
     vercelWizard = {
@@ -10577,108 +10555,22 @@ var init_vercel = __esm({
       },
       async run(ctx) {
         const steps = [];
-        if (!isVercelInstalled()) {
-          log.error("Vercel CLI is not installed.");
-          log.info("Install it with: npm install -g vercel");
-          steps.push({
-            name: "Vercel CLI",
-            status: "failed",
-            message: "Not installed. Run: npm install -g vercel"
-          });
-          return { provider: "vercel", steps, overallStatus: "failed" };
-        }
-        steps.push({ name: "Vercel CLI", status: "success", message: "Installed" });
-        const token = resolveVercelToken(ctx.appDir);
-        if (token) {
-          log.success("VERCEL_TOKEN detected \u2014 no login required");
+        const result = resolveVercelCredentials(ctx.appDir);
+        if (result.credentials) {
+          log.success("Vercel credentials detected");
           steps.push({
-            name: "Auth",
+            name: "Credentials",
             status: "success",
-            message: "Token-based auth (VERCEL_TOKEN)"
-          });
-        } else {
-          Me(
-            [
-              "No VERCEL_TOKEN found. Add to .env or .env.local:",
-              "  VERCEL_TOKEN=your_token_here",
-              "",
-              "Your customer generates it at:",
-              "  https://vercel.com/account/tokens",
-              "  \u2192 Scope to their team for isolation",
-              "",
-              "This way you deploy to THEIR Vercel without logging in."
-            ].join("\n"),
-            "Vercel Authentication"
-          );
-          steps.push({
-            name: "Auth",
-            status: "needs-manual",
-            message: "Drop VERCEL_TOKEN in .env (get it from customer)",
-            coachingTopic: "vercel-token"
-          });
-        }
-        if (token && !ctx.dryRun) {
-          const s = Y2();
-          s.start("Linking Vercel project...");
-          try {
-            const result = spawnSync2(
-              "vercel",
-              ["link", "--yes", "--token", token],
-              {
-                cwd: ctx.appDir,
-                stdio: ["inherit", "pipe", "pipe"],
-                encoding: "utf-8",
-                timeout: 3e4
-              }
-            );
-            if (result.status === 0) {
-              s.stop("Vercel project linked");
-              steps.push({
-                name: "Project link",
-                status: "success",
-                message: "Linked to Vercel project"
-              });
-            } else {
-              s.stop("Vercel link failed");
-              const stderr = result.stderr?.trim() || "Unknown error";
-              steps.push({
-                name: "Project link",
-                status: "failed",
-                message: stderr
-              });
-            }
-          } catch (err) {
-            s.stop("Vercel link failed");
-            steps.push({
-              name: "Project link",
-              status: "failed",
-              message: getErrorMessage(err)
-            });
-          }
-        } else if (!token) {
-          steps.push({
-            name: "Project link",
-            status: "skipped",
-            message: "No token \u2014 cannot link"
+            message: "VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID found"
           });
         } else {
+          log.error(`Missing in .env.local: ${result.missing.join(", ")}`);
           steps.push({
-            name: "Project link",
-            status: "skipped",
-            message: "Dry run"
+            name: "Credentials",
+            status: "failed",
+            message: `Missing: ${result.missing.join(", ")}`
           });
         }
-        Me(
-          [
-            "Once VERCEL_TOKEN is in .env:",
-            "  dndev deploy       \u2192 picks it up automatically",
-            "  dndev deploy:web   \u2192 deploy specific app",
-            "",
-            "deploy.ts reads vercel.json + injects the token.",
-            'No separate "vercel deploy" needed.'
-          ].join("\n"),
-          "Deployment"
-        );
         return {
           provider: "vercel",
           steps,
@@ -10689,868 +10581,77 @@ var init_vercel = __esm({
   }
 });
 
-// packages/tooling/src/cli/setup/stripe.ts
-var stripe_exports = {};
-__export(stripe_exports, {
-  stripeWizard: () => stripeWizard
-});
-function isValidPublishableKey(key) {
-  return key.startsWith("pk_test_") || key.startsWith("pk_live_");
-}
-function isValidSecretKey(key) {
-  return key.startsWith("sk_test_") || key.startsWith("sk_live_") || key.startsWith("rk_test_") || key.startsWith("rk_live_");
-}
-function isValidWebhookSecret(key) {
-  return key.startsWith("whsec_");
-}
-function readEnvValue(envPath, varName) {
-  if (!pathExists(envPath)) return null;
-  const content = readSync(envPath, { format: "text" });
-  if (typeof content !== "string") return null;
-  for (const line of content.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    if (trimmed.startsWith(`${varName}=`)) {
-      return trimmed.substring(`${varName}=`.length).trim();
-    }
-  }
-  return null;
-}
-function writeEnvVar(envPath, varName, value) {
-  let content = "";
-  if (pathExists(envPath)) {
-    const raw = readSync(envPath, { format: "text" });
-    content = typeof raw === "string" ? raw : "";
-  }
-  const lines = content.split("\n");
-  let replaced = false;
-  const updated = lines.map((line) => {
-    if (line.trim().startsWith(`${varName}=`) || line.trim().startsWith(`# ${varName}=`)) {
-      replaced = true;
-      return `${varName}=${value}`;
-    }
-    return line;
-  });
-  if (!replaced) {
-    updated.push(`${varName}=${value}`);
-  }
-  write(envPath, updated.join("\n"));
-}
-var stripeWizard;
-var init_stripe = __esm({
-  "packages/tooling/src/cli/setup/stripe.ts"() {
-    "use strict";
-    init_utils();
-    init_dist2();
-    init_cli_output();
-    init_cli_output();
-    init_pathResolver();
-    init_cli_input();
-    init_types();
-    stripeWizard = {
-      id: "stripe",
-      name: "Stripe",
-      isRelevant(ctx) {
-        const envPath = joinPath(ctx.appDir, ".env");
-        if (pathExists(envPath)) {
-          const content = readSync(envPath, { format: "text" });
-          if (typeof content === "string" && content.includes("STRIPE_"))
-            return true;
-        }
-        const pkgPath = joinPath(ctx.appDir, "package.json");
-        if (pathExists(pkgPath)) {
-          const pkg = readSync(pkgPath, { format: "json" });
-          if (pkg && typeof pkg === "object") {
-            const deps = {
-              ...pkg.dependencies
-            };
-            if (deps["@donotdev/billing"]) return true;
-          }
-        }
-        return false;
-      },
-      async run(ctx) {
-        const steps = [];
-        const framework = ctx.app?.framework === "nextjs" ? "nextjs" : "vite";
-        const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
-        const envPath = joinPath(ctx.appDir, ".env");
-        const existingPk = readEnvValue(envPath, `${prefix}STRIPE_PUBLISHABLE_KEY`);
-        let publishableKey = existingPk;
-        if (existingPk && isValidPublishableKey(existingPk)) {
-          steps.push({
-            name: "Publishable key",
-            status: "success",
-            message: "Found in .env"
-          });
-        } else {
-          const pk = await askForInput(
-            "Stripe publishable key (pk_test_... or pk_live_...)",
-            ""
-          );
-          if (isValidPublishableKey(pk)) {
-            if (!ctx.dryRun) {
-              writeEnvVar(envPath, `${prefix}STRIPE_PUBLISHABLE_KEY`, pk);
-              log.success("Wrote STRIPE_PUBLISHABLE_KEY to .env");
-            }
-            publishableKey = pk;
-            steps.push({
-              name: "Publishable key",
-              status: "success",
-              message: "Written to .env"
-            });
-          } else {
-            steps.push({
-              name: "Publishable key",
-              status: "failed",
-              message: "Invalid format \u2014 must start with pk_test_ or pk_live_"
-            });
-          }
-        }
-        const functionsEnvPath = joinPath(
-          ctx.appDir,
-          "supabase",
-          "functions",
-          ".env"
-        );
-        const altFunctionsEnvPath = joinPath(ctx.appDir, "functions", ".env");
-        const secretEnvPath = pathExists(functionsEnvPath) ? functionsEnvPath : altFunctionsEnvPath;
-        const existingSk = readEnvValue(secretEnvPath, "STRIPE_SECRET_KEY");
-        if (existingSk && isValidSecretKey(existingSk)) {
-          steps.push({
-            name: "Secret key",
-            status: "success",
-            message: "Found in functions/.env"
-          });
-        } else {
-          const sk = await ge({
-            message: "Stripe secret key (sk_test_... or sk_live_...):"
-          });
-          if (typeof sk === "string" && isValidSecretKey(sk)) {
-            if (!ctx.dryRun) {
-              writeEnvVar(secretEnvPath, "STRIPE_SECRET_KEY", sk);
-              log.success("Wrote STRIPE_SECRET_KEY to functions/.env");
-            }
-            steps.push({
-              name: "Secret key",
-              status: "success",
-              message: "Written to functions/.env"
-            });
-          } else {
-            steps.push({
-              name: "Secret key",
-              status: "failed",
-              message: "STRIPE_SECRET_KEY has invalid format"
-            });
-          }
-        }
-        const existingWh = readEnvValue(secretEnvPath, "STRIPE_WEBHOOK_SECRET");
-        if (existingWh && isValidWebhookSecret(existingWh)) {
-          steps.push({
-            name: "Webhook secret",
-            status: "success",
-            message: "Found in functions/.env"
-          });
-        } else {
-          Me(
-            [
-              "Set up your Stripe webhook endpoint:",
-              "",
-              "1. Go to https://dashboard.stripe.com/webhooks",
-              '2. Click "Add endpoint"',
-              "3. Set URL to your functions endpoint:",
-              "   e.g., https://your-project.supabase.co/functions/v1/stripe-webhook",
-              "4. Select events: checkout.session.completed, customer.subscription.*",
-              "5. Copy the webhook signing secret (whsec_...)",
-              "",
-              `Then add to ${secretEnvPath}:`,
-              "  STRIPE_WEBHOOK_SECRET=whsec_..."
-            ].join("\n"),
-            "Webhook Setup"
-          );
-          steps.push({
-            name: "Webhook secret",
-            status: "needs-manual",
-            message: "Configure webhook endpoint in Stripe Dashboard",
-            coachingTopic: "stripe-webhook"
-          });
-        }
-        return {
-          provider: "stripe",
-          steps,
-          overallStatus: computeOverallStatus(steps)
-        };
-      }
-    };
-  }
-});
-
-// packages/tooling/src/cli/setup/oauth.ts
-var oauth_exports = {};
-__export(oauth_exports, {
-  oauthWizard: () => oauthWizard
-});
-function getRedirectUri(ctx, provider) {
-  if (provider === "firebase") {
-    const rcPath = joinPath(ctx.projectRoot, ".firebaserc");
-    if (pathExists(rcPath)) {
-      try {
-        const raw = readSync(rcPath, { format: "text" });
-        const rc = JSON.parse(typeof raw === "string" ? raw : "{}");
-        const projectId = rc?.projects?.default;
-        if (projectId) {
-          return `https://${projectId}.firebaseapp.com/__/auth/handler`;
-        }
-      } catch {
-      }
-    }
-    return "https://<YOUR_PROJECT_ID>.firebaseapp.com/__/auth/handler";
-  }
-  const envPath = joinPath(ctx.appDir, ".env");
-  if (pathExists(envPath)) {
-    const content = readSync(envPath, { format: "text" });
-    if (typeof content === "string") {
-      const match = content.match(/(?:VITE_|NEXT_PUBLIC_)SUPABASE_URL=(.+)/);
-      if (match?.[1]) {
-        return `${match[1].trim()}/auth/v1/callback`;
-      }
-    }
-  }
-  return "https://<YOUR_PROJECT_REF>.supabase.co/auth/v1/callback";
-}
-var OAUTH_PROVIDERS, oauthWizard;
-var init_oauth = __esm({
-  "packages/tooling/src/cli/setup/oauth.ts"() {
-    "use strict";
-    init_utils();
-    init_cli_output();
-    init_pathResolver();
-    init_cli_input();
-    init_types();
-    OAUTH_PROVIDERS = [
-      {
-        id: "google",
-        name: "Google",
-        consoleUrl: "https://console.cloud.google.com/apis/credentials",
-        instructions: [
-          "1. Go to Google Cloud Console > APIs & Services > Credentials",
-          "2. Create OAuth 2.0 Client ID (Web application)",
-          "3. Add authorized redirect URI (see below)",
-          "4. Copy Client ID + Client Secret"
-        ]
-      },
-      {
-        id: "github",
-        name: "GitHub",
-        consoleUrl: "https://github.com/settings/developers",
-        instructions: [
-          "1. Go to GitHub > Settings > Developer settings > OAuth Apps",
-          '2. Click "New OAuth App"',
-          "3. Set Authorization callback URL (see below)",
-          "4. Copy Client ID + Client Secret"
-        ]
-      },
-      {
-        id: "apple",
-        name: "Apple",
-        consoleUrl: "https://developer.apple.com/account/resources/identifiers/list/serviceId",
-        instructions: [
-          "1. Go to Apple Developer > Certificates, Identifiers & Profiles",
-          "2. Create a Services ID",
-          '3. Enable "Sign In with Apple"',
-          "4. Configure redirect URL (see below)",
-          "5. Create a private key for Sign In with Apple"
-        ]
-      }
-    ];
-    oauthWizard = {
-      id: "oauth",
-      name: "OAuth Providers",
-      isRelevant(ctx) {
-        const pkgPath = joinPath(ctx.appDir, "package.json");
-        if (pathExists(pkgPath)) {
-          const pkg = readSync(pkgPath, { format: "json" });
-          if (pkg && typeof pkg === "object") {
-            const deps = pkg.dependencies;
-            if (deps?.["@donotdev/auth"] || deps?.["@donotdev/oauth"]) return true;
-          }
-        }
-        return false;
-      },
-      async run(ctx) {
-        const steps = [];
-        const hasFirebase = pathExists(joinPath(ctx.projectRoot, ".firebaserc")) || pathExists(joinPath(ctx.appDir, "firebase.json"));
-        const hasSupabase = pathExists(joinPath(ctx.appDir, "supabase"));
-        const backendProvider = hasFirebase ? "firebase" : "supabase";
-        const redirectUri = getRedirectUri(ctx, backendProvider);
-        const selected = await askForMultiSelection(
-          "Which OAuth providers do you want to configure?",
-          OAUTH_PROVIDERS.map((p2) => ({
-            title: p2.name,
-            value: p2.id
-          }))
-        );
-        if (selected.length === 0) {
-          steps.push({
-            name: "OAuth",
-            status: "skipped",
-            message: "No providers selected"
-          });
-          return { provider: "oauth", steps, overallStatus: "success" };
-        }
-        for (const providerId of selected) {
-          const provider = OAUTH_PROVIDERS.find((p2) => p2.id === providerId);
-          if (!provider) continue;
-          Me(
-            [
-              ...provider.instructions,
-              "",
-              `Redirect URI: ${redirectUri}`,
-              "",
-              `Console: ${provider.consoleUrl}`,
-              "",
-              hasSupabase ? `Then enable "${provider.name}" in Supabase Dashboard > Authentication > Providers` : `Then enable "${provider.name}" in Firebase Console > Authentication > Sign-in method`
-            ].join("\n"),
-            `${provider.name} OAuth Setup`
-          );
-          steps.push({
-            name: `${provider.name} OAuth`,
-            status: "needs-manual",
-            message: `Register app in ${provider.name} console + enable provider`,
-            coachingTopic: `oauth-${provider.id}`
-          });
-        }
-        return {
-          provider: "oauth",
-          steps,
-          overallStatus: computeOverallStatus(steps)
-        };
-      }
-    };
-  }
-});
-
-// packages/tooling/src/cli/setup/auth.ts
-var auth_exports = {};
-__export(auth_exports, {
-  authWizard: () => authWizard
-});
-function detectAuthProviders(ctx) {
-  const providers = ["email"];
-  const srcDir = joinPath(ctx.appDir, "src");
-  if (!pathExists(srcDir)) return providers;
-  const candidates = [
-    joinPath(srcDir, "providers.ts"),
-    joinPath(srcDir, "providers.tsx"),
-    joinPath(srcDir, "config", "providers.ts"),
-    joinPath(srcDir, "lib", "providers.ts")
-  ];
-  for (const candidate of candidates) {
-    if (!pathExists(candidate)) continue;
-    const content = readSync(candidate, { format: "text" });
-    if (typeof content !== "string") continue;
-    if (content.includes("google") || content.includes("Google"))
-      providers.push("google");
-    if (content.includes("github") || content.includes("GitHub"))
-      providers.push("github");
-    if (content.includes("apple") || content.includes("Apple"))
-      providers.push("apple");
-    if (content.includes("facebook") || content.includes("Facebook"))
-      providers.push("facebook");
-    break;
-  }
-  return [...new Set(providers)];
-}
-var authWizard;
-var init_auth = __esm({
-  "packages/tooling/src/cli/setup/auth.ts"() {
-    "use strict";
-    init_utils();
-    init_cli_output();
-    init_pathResolver();
-    init_types();
-    authWizard = {
-      id: "auth",
-      name: "Authentication",
-      isRelevant(ctx) {
-        const pkgPath = joinPath(ctx.appDir, "package.json");
-        if (pathExists(pkgPath)) {
-          const pkg = readSync(pkgPath, { format: "json" });
-          if (pkg && typeof pkg === "object") {
-            const deps = pkg.dependencies;
-            if (deps?.["@donotdev/auth"]) return true;
-          }
-        }
-        return false;
-      },
-      async run(ctx) {
-        const steps = [];
-        const detectedProviders = detectAuthProviders(ctx);
-        const hasFirebase = pathExists(joinPath(ctx.projectRoot, ".firebaserc")) || pathExists(joinPath(ctx.appDir, "firebase.json"));
-        const hasSupabase = pathExists(joinPath(ctx.appDir, "supabase"));
-        steps.push({
-          name: "Detected providers",
-          status: "success",
-          message: `Found: ${detectedProviders.join(", ")}`
-        });
-        if (hasFirebase) {
-          const rcPath = joinPath(ctx.projectRoot, ".firebaserc");
-          let projectId = "<YOUR_PROJECT_ID>";
-          if (pathExists(rcPath)) {
-            try {
-              const raw = readSync(rcPath, { format: "text" });
-              const rc = JSON.parse(typeof raw === "string" ? raw : "{}");
-              if (rc?.projects?.default) projectId = rc.projects.default;
-            } catch {
-            }
-          }
-          const providerList = detectedProviders.map((p2) => `  - ${p2.charAt(0).toUpperCase() + p2.slice(1)}`).join("\n");
-          Me(
-            [
-              "Enable these auth providers in Firebase Console:",
-              `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-              "",
-              providerList,
-              "",
-              "For each provider:",
-              "\u2192 Click the provider \u2192 Enable \u2192 Save",
-              "\u2192 For OAuth providers, paste the Client ID + Secret from the provider console"
-            ].join("\n"),
-            "Firebase Authentication"
-          );
-          steps.push({
-            name: "Firebase Auth",
-            status: "needs-manual",
-            message: "Enable auth providers in Firebase Console",
-            coachingTopic: "auth-firebase"
-          });
-        }
-        if (hasSupabase) {
-          const providerList = detectedProviders.map((p2) => `  - ${p2.charAt(0).toUpperCase() + p2.slice(1)}`).join("\n");
-          Me(
-            [
-              "Enable these auth providers in Supabase Dashboard:",
-              "https://supabase.com/dashboard > Authentication > Providers",
-              "",
-              providerList,
-              "",
-              "For each provider:",
-              "\u2192 Toggle the provider on",
-              "\u2192 For OAuth providers, paste the Client ID + Secret from the provider console"
-            ].join("\n"),
-            "Supabase Authentication"
-          );
-          steps.push({
-            name: "Supabase Auth",
-            status: "needs-manual",
-            message: "Enable auth providers in Supabase Dashboard",
-            coachingTopic: "auth-supabase"
-          });
-        }
-        return {
-          provider: "auth",
-          steps,
-          overallStatus: computeOverallStatus(steps)
-        };
-      }
-    };
-  }
-});
+// packages/cli/src/bin/commands/setup.ts
+init_utils();
 
-// packages/tooling/src/cli/doctor/check-env.ts
-var check_env_exports = {};
-__export(check_env_exports, {
-  envCheck: () => envCheck,
-  parseEnvFile: () => parseEnvFile
-});
-function parseEnvFile(filePath) {
-  const map = /* @__PURE__ */ new Map();
-  if (!pathExists(filePath)) return map;
-  const content = readSync(filePath, { format: "text" });
-  if (typeof content !== "string") return map;
-  for (const line of content.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eqIdx = trimmed.indexOf("=");
-    if (eqIdx < 0) continue;
-    const key = trimmed.substring(0, eqIdx).trim();
-    const value = trimmed.substring(eqIdx + 1).trim();
-    if (key) map.set(key, value);
-  }
-  return map;
-}
-var envCheck;
-var init_check_env = __esm({
-  "packages/tooling/src/cli/doctor/check-env.ts"() {
-    "use strict";
-    init_utils();
-    init_pathResolver();
-    envCheck = {
-      id: "env",
-      name: "Environment Files",
-      isRelevant(_ctx) {
-        return true;
-      },
-      async run(ctx) {
-        const results = [];
-        const envPath = joinPath(ctx.appDir, ".env");
-        const examplePath = joinPath(ctx.appDir, ".env.example");
-        if (!pathExists(envPath)) {
-          results.push({
-            name: ".env file",
-            status: "fail",
-            message: "Not found \u2014 run dndev setup"
-          });
-          return results;
-        }
-        results.push({ name: ".env file", status: "pass", message: "Found" });
-        if (pathExists(examplePath)) {
-          const example = parseEnvFile(examplePath);
-          const actual = parseEnvFile(envPath);
-          const missing = [];
-          const empty = [];
-          for (const [key] of example) {
-            if (!actual.has(key)) {
-              missing.push(key);
-            } else if (!actual.get(key)) {
-              empty.push(key);
-            }
-          }
-          if (missing.length > 0) {
-            results.push({
-              name: "Missing vars",
-              status: "fail",
-              message: `${missing.length} var(s) in .env.example not in .env: ${missing.join(", ")}`
-            });
-          }
-          if (empty.length > 0) {
-            results.push({
-              name: "Empty vars",
-              status: "warn",
-              message: `${empty.length} var(s) are empty: ${empty.join(", ")}`
-            });
-          }
-          if (missing.length === 0 && empty.length === 0) {
-            results.push({
-              name: ".env vs .env.example",
-              status: "pass",
-              message: `All ${example.size} expected vars present`
-            });
-          }
-        }
-        const gitignorePath = joinPath(ctx.projectRoot, ".gitignore");
-        if (pathExists(gitignorePath)) {
-          const content = readSync(gitignorePath, { format: "text" });
-          if (typeof content === "string") {
-            const hasEnvIgnore = content.split("\n").some((line) => {
-              const trimmed = line.trim();
-              if (!trimmed || trimmed.startsWith("#")) return false;
-              return /^\.env(\*|\..*)?$/.test(trimmed);
-            });
-            if (hasEnvIgnore) {
-              results.push({
-                name: ".gitignore",
-                status: "pass",
-                message: ".env is gitignored"
-              });
-            } else {
-              results.push({
-                name: ".gitignore",
-                status: "warn",
-                message: ".env might not be gitignored \u2014 verify manually"
-              });
-            }
-          }
-        }
-        return results;
-      }
-    };
-  }
-});
+// packages/tooling/src/index.ts
+init_utils();
 
-// packages/tooling/src/cli/doctor/check-firebase.ts
-var check_firebase_exports = {};
-__export(check_firebase_exports, {
-  firebaseCheck: () => firebaseCheck
-});
-import { spawnSync as spawnSync3 } from "node:child_process";
-var firebaseCheck;
-var init_check_firebase = __esm({
-  "packages/tooling/src/cli/doctor/check-firebase.ts"() {
-    "use strict";
-    init_utils();
-    init_pathResolver();
-    firebaseCheck = {
-      id: "firebase",
-      name: "Firebase",
-      isRelevant(ctx) {
-        return pathExists(joinPath(ctx.appDir, "firebase.json")) || pathExists(joinPath(ctx.projectRoot, "firebase.json")) || pathExists(joinPath(ctx.projectRoot, ".firebaserc"));
-      },
-      async run(ctx) {
-        const results = [];
-        try {
-          const result = spawnSync3("firebase", ["--version"], {
-            stdio: "pipe",
-            encoding: "utf-8",
-            timeout: 1e4
-          });
-          if (result.status === 0) {
-            results.push({
-              name: "Firebase CLI",
-              status: "pass",
-              message: result.stdout.trim()
-            });
-          } else {
-            results.push({
-              name: "Firebase CLI",
-              status: "fail",
-              message: "Not installed"
-            });
-          }
-        } catch {
-          results.push({
-            name: "Firebase CLI",
-            status: "fail",
-            message: "Not installed"
-          });
-        }
-        const rcPath = joinPath(ctx.projectRoot, ".firebaserc");
-        if (pathExists(rcPath)) {
-          try {
-            const raw = readSync(rcPath, { format: "text" });
-            if (typeof raw !== "string") throw new Error("Not a string");
-            const rc = JSON.parse(raw);
-            const projects = rc?.projects;
-            const projectId = projects && typeof projects === "object" ? projects.default : void 0;
-            if (projectId && typeof projectId === "string") {
-              results.push({
-                name: ".firebaserc",
-                status: "pass",
-                message: `Project: ${projectId}`
-              });
-            } else {
-              results.push({
-                name: ".firebaserc",
-                status: "warn",
-                message: "No default project set"
-              });
-            }
-          } catch {
-            results.push({
-              name: ".firebaserc",
-              status: "warn",
-              message: "Invalid JSON"
-            });
-          }
-        } else {
-          results.push({
-            name: ".firebaserc",
-            status: "fail",
-            message: "Missing \u2014 run dndev setup firebase"
-          });
-        }
-        const framework = ctx.app?.framework ?? "vite";
-        const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
-        const envPath = joinPath(ctx.appDir, ".env");
-        if (pathExists(envPath)) {
-          const content = readSync(envPath, { format: "text" });
-          if (typeof content === "string") {
-            const requiredKeys = [
-              "FIREBASE_API_KEY",
-              "FIREBASE_PROJECT_ID",
-              "FIREBASE_AUTH_DOMAIN"
-            ];
-            const missing = requiredKeys.filter(
-              (key) => !content.includes(`${prefix}${key}=`)
-            );
-            if (missing.length === 0) {
-              results.push({
-                name: "Firebase .env",
-                status: "pass",
-                message: "All required keys present"
-              });
-            } else {
-              results.push({
-                name: "Firebase .env",
-                status: "fail",
-                message: `Missing: ${missing.join(", ")}`
-              });
-            }
-          }
-        } else {
-          results.push({
-            name: "Firebase .env",
-            status: "fail",
-            message: ".env file not found"
-          });
-        }
-        const saKeyPaths = [
-          joinPath(ctx.appDir, "service-account-key.json"),
-          joinPath(ctx.projectRoot, "service-account-key.json")
-        ];
-        const saFound = saKeyPaths.some((p2) => pathExists(p2));
-        if (saFound) {
-          results.push({
-            name: "Service account key",
-            status: "pass",
-            message: "Found"
-          });
-        } else {
-          results.push({
-            name: "Service account key",
-            status: "warn",
-            message: "Not found (needed for deploy/emu)"
-          });
-        }
-        return results;
-      }
-    };
-  }
-});
+// packages/tooling/src/cli/index.ts
+init_utils();
 
-// packages/tooling/src/cli/doctor/check-supabase.ts
-var check_supabase_exports = {};
-__export(check_supabase_exports, {
-  supabaseCheck: () => supabaseCheck
-});
-import { spawnSync as spawnSync4 } from "node:child_process";
-var supabaseCheck;
-var init_check_supabase = __esm({
-  "packages/tooling/src/cli/doctor/check-supabase.ts"() {
-    "use strict";
-    init_utils();
-    init_pathResolver();
-    init_supabase();
-    supabaseCheck = {
-      id: "supabase",
-      name: "Supabase",
-      isRelevant(ctx) {
-        return pathExists(joinPath(ctx.appDir, "supabase")) || pathExists(joinPath(ctx.appDir, "supabase", "config.toml"));
-      },
-      async run(ctx) {
-        const results = [];
-        const framework = ctx.app?.framework === "nextjs" ? "nextjs" : "vite";
-        const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
-        try {
-          const result = spawnSync4("supabase", ["--version"], {
-            stdio: "pipe",
-            encoding: "utf-8",
-            timeout: 1e4
-          });
-          if (result.status === 0) {
-            results.push({
-              name: "Supabase CLI",
-              status: "pass",
-              message: result.stdout.trim()
-            });
-          } else {
-            results.push({
-              name: "Supabase CLI",
-              status: "warn",
-              message: "Not installed (needed for migrations)"
-            });
-          }
-        } catch {
-          results.push({
-            name: "Supabase CLI",
-            status: "warn",
-            message: "Not installed"
-          });
-        }
-        const configPath = joinPath(ctx.appDir, "supabase", "config.toml");
-        if (pathExists(configPath)) {
-          results.push({ name: "config.toml", status: "pass", message: "Found" });
-        } else {
-          results.push({
-            name: "config.toml",
-            status: "warn",
-            message: "Missing (expected at supabase/config.toml)"
-          });
-        }
-        const envPath = joinPath(ctx.appDir, ".env");
-        if (pathExists(envPath)) {
-          const content = readSync(envPath, { format: "text" });
-          if (typeof content === "string") {
-            const urlMatch = content.match(
-              new RegExp(`${prefix}SUPABASE_URL=(.+)`)
-            );
-            const url = urlMatch?.[1]?.trim();
-            if (url && isValidSupabaseUrl(url)) {
-              results.push({ name: "Supabase URL", status: "pass", message: url });
-            } else if (url) {
-              results.push({
-                name: "Supabase URL",
-                status: "fail",
-                message: "Invalid URL format"
-              });
-            } else {
-              results.push({
-                name: "Supabase URL",
-                status: "fail",
-                message: "Missing in .env"
-              });
-            }
-            const keyMatch = content.match(
-              new RegExp(`${prefix}SUPABASE_(?:PUBLIC_KEY|ANON_KEY)=(.+)`)
-            );
-            const key = keyMatch?.[1]?.trim();
-            if (key && isValidPublicKey(key)) {
-              results.push({
-                name: "Supabase public key",
-                status: "pass",
-                message: "Present"
-              });
-            } else {
-              results.push({
-                name: "Supabase public key",
-                status: "fail",
-                message: "Missing in .env"
-              });
-            }
-          }
-        } else {
-          results.push({
-            name: "Supabase .env",
-            status: "fail",
-            message: ".env file not found"
-          });
-        }
-        const functionsEnvCandidates = [
-          joinPath(ctx.appDir, "supabase", "functions", ".env"),
-          joinPath(ctx.appDir, "functions", ".env")
-        ];
-        let secretFound = false;
-        for (const fenvPath of functionsEnvCandidates) {
-          if (!pathExists(fenvPath)) continue;
-          const content = readSync(fenvPath, { format: "text" });
-          if (typeof content === "string" && content.match(/SUPABASE_(?:SECRET|SERVICE_ROLE)_KEY=.+/)) {
-            secretFound = true;
-            results.push({
-              name: "Secret key",
-              status: "pass",
-              message: `Found in ${fenvPath.split("/").pop()}`
-            });
-            break;
-          }
-        }
-        if (!secretFound) {
-          results.push({
-            name: "Secret key",
-            status: "warn",
-            message: "Not found (needed for migrations + deploy)"
-          });
-        }
-        return results;
-      }
-    };
-  }
-});
+// packages/tooling/src/cli/setup/setup.ts
+init_utils();
+init_cli_output();
+init_pathResolver();
+init_cross_app_detection();
 
-// packages/tooling/src/cli/doctor/check-stripe.ts
-var check_stripe_exports = {};
-__export(check_stripe_exports, {
-  stripeCheck: () => stripeCheck
-});
-function readEnvValue2(envPath, varName) {
+// packages/tooling/src/cli/setup/validate-env.ts
+init_utils();
+init_pathResolver();
+init_cli_output();
+var FIREBASE_VARS = [
+  {
+    provider: "Firebase",
+    varName: "FIREBASE_API_KEY",
+    envFile: ".env",
+    needsPrefix: true
+  },
+  {
+    provider: "Firebase",
+    varName: "FIREBASE_PROJECT_ID",
+    envFile: ".env",
+    needsPrefix: true
+  },
+  {
+    provider: "Firebase",
+    varName: "FIREBASE_AUTH_DOMAIN",
+    envFile: ".env",
+    needsPrefix: true
+  }
+];
+var SUPABASE_VARS = [
+  {
+    provider: "Supabase",
+    varName: "SUPABASE_URL",
+    envFile: ".env",
+    needsPrefix: true
+  },
+  {
+    provider: "Supabase",
+    varName: "SUPABASE_PUBLIC_KEY",
+    envFile: ".env",
+    needsPrefix: true
+  }
+];
+var SUPABASE_SECRET_VARS = [
+  {
+    provider: "Supabase",
+    varName: "SUPABASE_SECRET_KEY",
+    envFile: "supabase/functions/.env"
+  },
+  {
+    provider: "Supabase",
+    varName: "SUPABASE_DB_URL",
+    envFile: "supabase/functions/.env"
+  }
+];
+var VERCEL_VARS = [
+  { provider: "Vercel", varName: "VERCEL_TOKEN", envFile: ".env.local" },
+  { provider: "Vercel", varName: "VERCEL_ORG_ID", envFile: ".env.local" },
+  { provider: "Vercel", varName: "VERCEL_PROJECT_ID", envFile: ".env.local" }
+];
+function readEnvValue(envPath, varName) {
   if (!pathExists(envPath)) return null;
   const content = readSync(envPath, { format: "text" });
   if (typeof content !== "string") return null;
@@ -11558,520 +10659,230 @@ function readEnvValue2(envPath, varName) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     if (trimmed.startsWith(`${varName}=`)) {
-      let val = trimmed.substring(`${varName}=`.length).trim();
-      if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
-        val = val.slice(1, -1);
-      }
-      return val || null;
+      return trimmed.substring(`${varName}=`.length).trim();
     }
   }
   return null;
 }
-function findFunctionsEnv(ctx) {
-  const candidates = [
-    joinPath(ctx.appDir, "supabase", "functions", ".env"),
-    joinPath(ctx.appDir, "functions", ".env")
-  ];
-  return candidates.find((p2) => pathExists(p2)) ?? null;
+function isProviderRelevant(ctx, provider) {
+  switch (provider) {
+    case "Firebase":
+      return pathExists(joinPath(ctx.appDir, "firebase.json")) || pathExists(joinPath(ctx.projectRoot, "firebase.json")) || pathExists(joinPath(ctx.projectRoot, ".firebaserc"));
+    case "Supabase":
+      return pathExists(joinPath(ctx.appDir, "supabase")) || pathExists(joinPath(ctx.appDir, "supabase", "config.toml"));
+    case "Vercel":
+      return pathExists(joinPath(ctx.appDir, "vercel.json"));
+    default:
+      return false;
+  }
 }
-var stripeCheck;
-var init_check_stripe = __esm({
-  "packages/tooling/src/cli/doctor/check-stripe.ts"() {
-    "use strict";
-    init_utils();
-    init_pathResolver();
-    stripeCheck = {
-      id: "stripe",
-      name: "Stripe",
-      isRelevant(ctx) {
-        const pkgPath = joinPath(ctx.appDir, "package.json");
-        if (pathExists(pkgPath)) {
-          const pkg = readSync(pkgPath, { format: "json" });
-          if (pkg && typeof pkg === "object") {
-            const deps = pkg.dependencies;
-            if (deps?.["@donotdev/billing"]) return true;
-          }
-        }
-        const envPath = joinPath(ctx.appDir, ".env");
-        if (pathExists(envPath)) {
-          const content = readSync(envPath, { format: "text" });
-          if (typeof content === "string" && content.includes("STRIPE_PUBLISHABLE_KEY"))
-            return true;
-        }
-        return false;
-      },
-      async run(ctx) {
-        const results = [];
-        const framework = ctx.app?.framework ?? "vite";
-        const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
-        const envPath = joinPath(ctx.appDir, ".env");
-        const functionsEnvPath = findFunctionsEnv(ctx);
-        const pk = readEnvValue2(envPath, `${prefix}STRIPE_PUBLISHABLE_KEY`);
-        let pkMode = null;
-        if (pk) {
-          if (pk.startsWith("pk_test_") || pk.startsWith("pk_live_")) {
-            pkMode = pk.startsWith("pk_test_") ? "test" : "live";
-            results.push({
-              name: "Publishable key",
-              status: "pass",
-              message: `Valid (${pkMode} mode)`
-            });
-          } else {
-            results.push({
-              name: "Publishable key",
-              status: "fail",
-              message: "Invalid format \u2014 must start with pk_test_ or pk_live_"
-            });
-          }
-        } else {
-          results.push({
-            name: "Publishable key",
-            status: "fail",
-            message: "Missing in .env"
-          });
-        }
-        let skMode = null;
-        if (functionsEnvPath) {
-          const sk = readEnvValue2(functionsEnvPath, "STRIPE_SECRET_KEY");
-          if (sk) {
-            if (sk.startsWith("sk_test_") || sk.startsWith("sk_live_") || sk.startsWith("rk_test_") || sk.startsWith("rk_live_")) {
-              skMode = sk.includes("_test_") ? "test" : "live";
-              results.push({
-                name: "Secret key",
-                status: "pass",
-                message: `Valid (${skMode} mode)`
-              });
-            } else {
-              results.push({
-                name: "Secret key",
-                status: "fail",
-                message: "STRIPE_SECRET_KEY has invalid format"
-              });
-            }
-          } else {
-            results.push({
-              name: "Secret key",
-              status: "warn",
-              message: "Not found in functions/.env"
-            });
-          }
-        } else {
-          results.push({
-            name: "Secret key",
-            status: "warn",
-            message: "No functions/.env found"
-          });
-        }
-        if (functionsEnvPath) {
-          const wh = readEnvValue2(functionsEnvPath, "STRIPE_WEBHOOK_SECRET");
-          if (wh) {
-            if (wh.startsWith("whsec_")) {
-              results.push({
-                name: "Webhook secret",
-                status: "pass",
-                message: "Valid format"
-              });
-            } else {
-              results.push({
-                name: "Webhook secret",
-                status: "fail",
-                message: "STRIPE_WEBHOOK_SECRET has invalid format"
-              });
-            }
-          } else {
-            results.push({
-              name: "Webhook secret",
-              status: "warn",
-              message: "Not found \u2014 webhooks won't verify"
-            });
-          }
-        }
-        if (pkMode && skMode) {
-          if (pkMode !== skMode) {
-            results.push({
-              name: "Key mode",
-              status: "warn",
-              message: `Publishable key is ${pkMode} but secret key is ${skMode}`
-            });
-          } else {
-            results.push({
-              name: "Key mode",
-              status: "pass",
-              message: `Both keys are ${pkMode}`
-            });
-          }
-        }
-        return results;
-      }
-    };
+function validateRequiredEnvVars(ctx) {
+  const missing = [];
+  const framework = ctx.app?.framework === "nextjs" ? "nextjs" : "vite";
+  const prefix = framework === "nextjs" ? "NEXT_PUBLIC_" : "VITE_";
+  const requirements = [];
+  if (isProviderRelevant(ctx, "Firebase")) {
+    requirements.push(...FIREBASE_VARS);
+  }
+  if (isProviderRelevant(ctx, "Supabase")) {
+    requirements.push(...SUPABASE_VARS);
+    const sbFunctionsEnv = joinPath(
+      ctx.appDir,
+      "supabase",
+      "functions",
+      ".env"
+    );
+    const altFunctionsEnv = joinPath(ctx.appDir, "functions", ".env");
+    if (pathExists(joinPath(ctx.appDir, "supabase", "functions")) || pathExists(sbFunctionsEnv)) {
+      requirements.push(...SUPABASE_SECRET_VARS);
+    } else if (pathExists(altFunctionsEnv)) {
+      requirements.push({
+        provider: "Supabase",
+        varName: "SUPABASE_SECRET_KEY",
+        envFile: "functions/.env"
+      });
+    }
   }
-});
-
-// packages/tooling/src/cli/doctor/check-auth.ts
-var check_auth_exports = {};
-__export(check_auth_exports, {
-  authCheck: () => authCheck
-});
-var authCheck;
-var init_check_auth = __esm({
-  "packages/tooling/src/cli/doctor/check-auth.ts"() {
-    "use strict";
-    init_utils();
-    init_pathResolver();
-    authCheck = {
-      id: "auth",
-      name: "Authentication",
-      isRelevant(ctx) {
-        const pkgPath = joinPath(ctx.appDir, "package.json");
-        if (pathExists(pkgPath)) {
-          const content = readSync(pkgPath, { format: "text" });
-          if (typeof content === "string" && content.includes("@donotdev/auth"))
-            return true;
-        }
-        return false;
-      },
-      async run(ctx) {
-        const results = [];
-        results.push({
-          name: "@donotdev/auth",
-          status: "pass",
-          message: "Installed"
+  if (isProviderRelevant(ctx, "Vercel")) {
+    requirements.push(...VERCEL_VARS);
+  }
+  for (const req of requirements) {
+    const actualVarName = req.needsPrefix ? `${prefix}${req.varName}` : req.varName;
+    const envFilePath = joinPath(ctx.appDir, req.envFile);
+    if (req.varName === "SUPABASE_PUBLIC_KEY") {
+      const pkValue = readEnvValue(envFilePath, actualVarName);
+      const anonValue = readEnvValue(envFilePath, `${prefix}SUPABASE_ANON_KEY`);
+      if ((!pkValue || pkValue === "") && (!anonValue || anonValue === "")) {
+        missing.push({
+          provider: req.provider,
+          varName: actualVarName,
+          envFile: req.envFile,
+          status: pathExists(envFilePath) ? "empty" : "missing"
         });
-        const candidates = [
-          joinPath(ctx.appDir, "src", "providers.ts"),
-          joinPath(ctx.appDir, "src", "providers.tsx"),
-          joinPath(ctx.appDir, "src", "config", "providers.ts"),
-          joinPath(ctx.appDir, "src", "lib", "providers.ts")
-        ];
-        const providerFile = candidates.find((c) => pathExists(c));
-        if (providerFile) {
-          results.push({
-            name: "Providers config",
-            status: "pass",
-            message: `Found: ${providerFile.split("/").slice(-2).join("/")}`
-          });
-          const content = readSync(providerFile, { format: "text" });
-          if (typeof content === "string") {
-            const providers = [];
-            if (content.includes("email") || content.includes("Email"))
-              providers.push("email");
-            if (content.includes("google") || content.includes("Google"))
-              providers.push("google");
-            if (content.includes("github") || content.includes("GitHub"))
-              providers.push("github");
-            if (content.includes("apple") || content.includes("Apple"))
-              providers.push("apple");
-            if (providers.length > 0) {
-              results.push({
-                name: "Auth providers",
-                status: "pass",
-                message: `Configured: ${providers.join(", ")}`
-              });
-            }
-          }
-        } else {
-          results.push({
-            name: "Providers config",
-            status: "warn",
-            message: "No providers.ts found \u2014 auth may not work"
-          });
-        }
-        const hasFirebase = pathExists(joinPath(ctx.projectRoot, ".firebaserc"));
-        const hasSupabase = pathExists(joinPath(ctx.appDir, "supabase"));
-        if (hasFirebase) {
-          results.push({
-            name: "Backend",
-            status: "pass",
-            message: "Firebase Auth (verify providers are enabled in console)",
-            detail: "Run dndev setup auth for setup coaching"
-          });
-        } else if (hasSupabase) {
-          results.push({
-            name: "Backend",
-            status: "pass",
-            message: "Supabase Auth (verify providers are enabled in dashboard)",
-            detail: "Run dndev setup auth for setup coaching"
-          });
-        } else {
-          results.push({
-            name: "Backend",
-            status: "warn",
-            message: "No backend detected for auth"
-          });
-        }
-        return results;
-      }
-    };
-  }
-});
-
-// packages/tooling/src/cli/doctor/doctor.ts
-var doctor_exports = {};
-__export(doctor_exports, {
-  default: () => doctor_default,
-  main: () => main4
-});
-function renderResults(allResults, verbose) {
-  const lines = [];
-  for (const { checkName, results } of allResults) {
-    lines.push(checkName);
-    for (const result of results) {
-      const icon = STATUS_ICONS[result.status];
-      lines.push(`  ${icon} ${result.name}: ${result.message}`);
-      if (verbose && result.detail) {
-        lines.push(`     ${result.detail}`);
       }
+      continue;
     }
-    lines.push("");
-  }
-  Me(lines.join("\n"), "Health Check Results");
-}
-async function main4(options = {}) {
-  Ie("DoNotDev Doctor");
-  const projectRoot = process.cwd();
-  let appDir = projectRoot;
-  let app = null;
-  const appsDir = joinPath(projectRoot, "apps");
-  if (pathExists(appsDir)) {
-    try {
-      app = await selectApp(projectRoot, options.app);
-      if (app) {
-        appDir = app.path;
-      }
-    } catch {
+    const value = readEnvValue(envFilePath, actualVarName);
+    if (value === null) {
+      missing.push({
+        provider: req.provider,
+        varName: actualVarName,
+        envFile: req.envFile,
+        status: pathExists(envFilePath) ? "missing" : "missing"
+      });
+    } else if (value === "") {
+      missing.push({
+        provider: req.provider,
+        varName: actualVarName,
+        envFile: req.envFile,
+        status: "empty"
+      });
     }
   }
-  const ctx = {
-    projectRoot,
-    appDir,
-    app,
-    verbose: options.verbose
-  };
-  const allResults = [];
-  let hasFail = false;
-  const registry = options.check ? CHECK_REGISTRY.filter((e2) => e2.id === options.check) : CHECK_REGISTRY;
-  if (options.check && registry.length === 0) {
-    log.error(
-      `Unknown check: ${options.check}. Available: ${CHECK_REGISTRY.map((e2) => e2.id).join(", ")}`
-    );
-    Se("Doctor aborted.");
-    return 1;
+  return missing;
+}
+function validateAllApps(apps, _topology, projectRoot) {
+  const results = [];
+  for (const app of apps) {
+    const ctx = {
+      projectRoot,
+      appDir: app.path,
+      app
+    };
+    const missing = validateRequiredEnvVars(ctx);
+    results.push({ app, missing });
   }
-  for (const entry of registry) {
-    const check = await entry.load();
-    if (!check.isRelevant(ctx)) continue;
-    const results = await check.run(ctx);
-    allResults.push({ checkName: check.name, results });
-    if (results.some((r2) => r2.status === "fail")) {
-      hasFail = true;
+  return results;
+}
+function printAllValidationResults(results, multiApp) {
+  const allMissing = [];
+  for (const { app, missing } of results) {
+    for (const m2 of missing) {
+      allMissing.push({ appName: app.name, m: m2 });
     }
   }
-  if (allResults.length === 0) {
-    log.warn("No checks were relevant for this project.");
-    Se("Nothing to check.");
-    return 0;
+  if (allMissing.length === 0) {
+    log.success("Credentials OK");
+    return true;
   }
-  renderResults(allResults, options.verbose ?? false);
-  let passes = 0;
-  let warnings = 0;
-  let fails = 0;
-  for (const { results } of allResults) {
-    for (const r2 of results) {
-      if (r2.status === "pass") passes++;
-      else if (r2.status === "warn") warnings++;
-      else if (r2.status === "fail") fails++;
-    }
-  }
-  const totalChecks = passes + warnings + fails;
-  const summaryParts = [`${passes}/${totalChecks} passed`];
-  if (warnings > 0) summaryParts.push(`${warnings} warning(s)`);
-  if (fails > 0) summaryParts.push(`${fails} failure(s)`);
-  const exitCode = hasFail ? 1 : 0;
-  Se(
-    hasFail ? `Health check failed: ${summaryParts.join(", ")}` : `All clear: ${summaryParts.join(", ")}`
-  );
-  return exitCode;
-}
-var CHECK_REGISTRY, STATUS_ICONS, doctor_default;
-var init_doctor = __esm({
-  "packages/tooling/src/cli/doctor/doctor.ts"() {
-    "use strict";
-    init_utils();
-    init_cli_output();
-    init_app_selector();
-    init_pathResolver();
-    CHECK_REGISTRY = [
-      { id: "env", load: async () => (await Promise.resolve().then(() => (init_check_env(), check_env_exports))).envCheck },
-      {
-        id: "firebase",
-        load: async () => (await Promise.resolve().then(() => (init_check_firebase(), check_firebase_exports))).firebaseCheck
-      },
-      {
-        id: "supabase",
-        load: async () => (await Promise.resolve().then(() => (init_check_supabase(), check_supabase_exports))).supabaseCheck
-      },
-      {
-        id: "stripe",
-        load: async () => (await Promise.resolve().then(() => (init_check_stripe(), check_stripe_exports))).stripeCheck
-      },
-      { id: "auth", load: async () => (await Promise.resolve().then(() => (init_check_auth(), check_auth_exports))).authCheck }
-    ];
-    STATUS_ICONS = {
-      pass: "\u2705",
-      // green check
-      warn: "\u26A0\uFE0F",
-      // warning
-      fail: "\u274C"
-      // red x
-    };
-    doctor_default = main4;
+  for (const { appName, m: m2 } of allMissing) {
+    const prefix = multiApp ? `${appName}: ` : "";
+    const detail = m2.status === "empty" ? `empty in ${m2.envFile}` : `missing \u2014 ${m2.envFile}`;
+    log.error(`  ${prefix}${m2.varName} (${detail})`);
   }
-});
-
-// packages/cli/src/bin/commands/setup.ts
-init_utils();
-
-// packages/tooling/src/index.ts
-init_utils();
-
-// packages/tooling/src/cli/index.ts
-init_utils();
+  log.warn(`Run 'dndev coach' to see where to get them.`);
+  return false;
+}
 
 // packages/tooling/src/cli/setup/setup.ts
-init_utils();
-init_cli_output();
-init_cli_input();
-init_app_selector();
-init_pathResolver();
 var WIZARD_REGISTRY = {
   firebase: async () => (await Promise.resolve().then(() => (init_firebase(), firebase_exports))).firebaseWizard,
   supabase: async () => (await Promise.resolve().then(() => (init_supabase(), supabase_exports))).supabaseWizard,
-  vercel: async () => (await Promise.resolve().then(() => (init_vercel(), vercel_exports))).vercelWizard,
-  stripe: async () => (await Promise.resolve().then(() => (init_stripe(), stripe_exports))).stripeWizard,
-  oauth: async () => (await Promise.resolve().then(() => (init_oauth(), oauth_exports))).oauthWizard,
-  auth: async () => (await Promise.resolve().then(() => (init_auth(), auth_exports))).authWizard
+  vercel: async () => (await Promise.resolve().then(() => (init_vercel(), vercel_exports))).vercelWizard
 };
-var WIZARD_ORDER = [
-  "firebase",
-  "supabase",
-  "vercel",
-  "stripe",
-  "auth",
-  "oauth"
-];
-var STATUS_ICONS2 = {
+var WIZARD_ORDER = ["firebase", "supabase", "vercel"];
+var STATUS_ICONS = {
   success: "\u2705",
-  // green check
   skipped: "\u23ED\uFE0F",
-  // skip
   failed: "\u274C",
-  // red x
   "needs-manual": "\u{1F449}"
-  // pointing right
 };
-function renderSummary(results) {
-  const lines = [];
-  for (const result of results) {
-    lines.push(`${result.provider.toUpperCase()} (${result.overallStatus})`);
+function renderResults(results, multiApp) {
+  for (const { appName, result } of results) {
+    if (multiApp) {
+      log.info(`
+${appName} \u2014 ${result.provider}:`);
+    }
     for (const step of result.steps) {
-      const icon = STATUS_ICONS2[step.status];
-      lines.push(`  ${icon} ${step.name}: ${step.message}`);
+      const icon = STATUS_ICONS[step.status];
+      log.info(`  ${icon} ${step.name}: ${step.message}`);
     }
-    lines.push("");
   }
-  Me(lines.join("\n"), "Setup Summary");
 }
-async function main5(options = {}) {
-  Ie("DoNotDev Setup");
-  const projectRoot = process.cwd();
-  let appDir = projectRoot;
-  let app = null;
-  const appsDir = joinPath(projectRoot, "apps");
-  if (pathExists(appsDir)) {
-    try {
-      app = await selectApp(projectRoot, options.app);
-      if (app) {
-        appDir = app.path;
-      }
-    } catch {
-    }
-  }
-  const ctx = {
+function buildSetupContext(app, projectRoot, topology, options) {
+  const backendApp = findBackendApp(topology, app.name);
+  return {
     projectRoot,
-    appDir,
+    appDir: app.path,
     app,
     verbose: options.verbose,
-    dryRun: options.dryRun
+    dryRun: options.dryRun,
+    allApps: topology.apps,
+    backendApp
   };
-  let wizardIds;
-  if (options.provider) {
-    const id = options.provider.toLowerCase();
-    if (!WIZARD_REGISTRY[id]) {
-      log.error(`Unknown provider: ${options.provider}`);
-      log.info(`Available: ${Object.keys(WIZARD_REGISTRY).join(", ")}`);
-      Se("Setup aborted.");
-      return 1;
-    }
-    wizardIds = [id];
-  } else {
-    const relevant = [];
-    for (const id of WIZARD_ORDER) {
+}
+async function main4(options = {}) {
+  const projectRoot = process.cwd();
+  Ie("DoNotDev Setup");
+  const topology = analyzeProjectTopology(projectRoot);
+  let apps = topology.apps;
+  if (apps.length === 0) {
+    apps = [
+      {
+        name: "root",
+        packageName: "root",
+        path: projectRoot,
+        packageJsonPath: joinPath(projectRoot, "package.json"),
+        framework: "vite",
+        hasFunctions: false
+      }
+    ];
+  }
+  const multiApp = apps.length > 1;
+  const validationResults = validateAllApps(apps, topology, projectRoot);
+  const allValid = printAllValidationResults(validationResults, multiApp);
+  if (!allValid) {
+    Se("Fix missing values, then re-run.");
+    return 1;
+  }
+  const allResults = [];
+  for (const app of apps) {
+    const ctx = buildSetupContext(app, projectRoot, topology, options);
+    let wizardIds;
+    if (options.provider) {
+      const id = options.provider.toLowerCase();
+      if (!WIZARD_REGISTRY[id]) {
+        log.error(`Unknown provider: ${options.provider}`);
+        Se("Setup aborted.");
+        return 1;
+      }
+      const wizard = await WIZARD_REGISTRY[id]();
+      wizardIds = wizard.isRelevant(ctx) ? [id] : [];
+    } else {
+      wizardIds = [];
+      for (const id of WIZARD_ORDER) {
+        const loader = WIZARD_REGISTRY[id];
+        if (!loader) continue;
+        const wizard = await loader();
+        if (wizard.isRelevant(ctx)) {
+          wizardIds.push(id);
+        }
+      }
+    }
+    for (const id of wizardIds) {
       const loader = WIZARD_REGISTRY[id];
       if (!loader) continue;
       const wizard = await loader();
-      if (wizard.isRelevant(ctx)) {
-        relevant.push({ id, wizard });
-      }
-    }
-    if (relevant.length === 0) {
-      log.warn("No providers detected in this project.");
-      log.info(
-        `Available providers: ${Object.keys(WIZARD_REGISTRY).join(", ")}`
-      );
-      log.info("Run: dndev setup <provider>");
-      Se("Nothing to set up.");
-      return 0;
-    }
-    const selected = await askForMultiSelection(
-      "Which providers do you want to set up?",
-      relevant.map((r2) => ({
-        title: r2.wizard.name,
-        value: r2.id,
-        hint: "detected"
-      }))
-    );
-    if (selected.length === 0) {
-      Se("No providers selected.");
-      return 0;
+      const result = await wizard.run(ctx);
+      allResults.push({ appName: app.name, result });
     }
-    wizardIds = selected;
   }
-  const results = [];
-  for (const id of wizardIds) {
-    const loader = WIZARD_REGISTRY[id];
-    if (!loader) continue;
-    log.info(`
-Setting up ${id}...`);
-    const wizard = await loader();
-    const result = await wizard.run(ctx);
-    results.push(result);
-  }
-  renderSummary(results);
-  if (!options.skipDoctor) {
-    log.info("\nRunning health checks...");
-    try {
-      const { main: doctor } = await Promise.resolve().then(() => (init_doctor(), doctor_exports));
-      await doctor({ app: options.app, verbose: options.verbose });
-    } catch {
-      log.warn("Doctor check skipped (module not available).");
-    }
+  if (allResults.length === 0) {
+    log.warn("No providers detected. Run: dndev setup <provider>");
+    Se("Nothing to set up.");
+    return 0;
   }
-  const hasFailures = results.some((r2) => r2.overallStatus === "failed");
-  Se(hasFailures ? "Setup completed with errors." : "Setup complete.");
+  renderResults(allResults, multiApp);
+  const hasFailures = allResults.some(
+    (r2) => r2.result.overallStatus === "failed"
+  );
+  Se(
+    hasFailures ? "Setup incomplete \u2014 see errors above." : "Setup complete."
+  );
   return hasFailures ? 1 : 0;
 }
 export {
-  main5 as main
+  main4 as main
 };
 /*! Bundled license information: