@factiii/stack 0.1.91 → 0.1.94

package/dist/plugins/addons/auth/scanfix/secrets.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * Auth Secrets Scanfixes
+ *
+ * Manages authentication secrets in Ansible Vault:
+ * - JWT_SECRET: auto-generated 256-bit random key
+ * - OAuth keys: prompted from user (Google, Apple)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsFixes = void 0;
+const crypto = __importStar(require("crypto"));
+const config_helpers_js_1 = require("../../../../utils/config-helpers.js");
+/**
+ * Get auth config from FactiiiConfig (handles undefined/null)
+ */
+function getAuthConfig(config) {
+    const auth = config.auth;
+    if (!auth || typeof auth !== 'object')
+        return null;
+    return auth;
+}
+/**
+ * Check if OAuth is enabled for a specific provider
+ */
+function isOAuthEnabled(config, provider) {
+    const auth = getAuthConfig(config);
+    if (!auth)
+        return false;
+    // Check auth.features.oauth
+    const features = auth.features;
+    if (features?.oauth)
+        return true;
+    // Check auth.oauth_provider
+    if (auth.oauth_provider === provider)
+        return true;
+    return false;
+}
+/**
+ * Get Ansible Vault store
+ */
+async function getVault(config, rootDir) {
+    const { AnsibleVaultSecrets } = await Promise.resolve().then(() => __importStar(require('../../../../utils/ansible-vault-secrets.js')));
+    return new AnsibleVaultSecrets({
+        vault_path: config.ansible?.vault_path ?? (0, config_helpers_js_1.getDefaultVaultPath)(config),
+        vault_password_file: config.ansible?.vault_password_file,
+        rootDir,
+    });
+}
+exports.secretsFixes = [
+    {
+        id: 'auth-jwt-secret-missing',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'JWT_SECRET not found in Ansible Vault (required for auth)',
+        scan: async (config, rootDir) => {
+            try {
+                const vault = await getVault(config, rootDir);
+                const secret = await vault.getSecret('JWT_SECRET');
+                return !secret;
+            }
+            catch {
+                return false; // Vault not available, skip
+            }
+        },
+        fix: async (config, rootDir) => {
+            try {
+                const vault = await getVault(config, rootDir);
+                // Auto-generate a cryptographically secure 256-bit secret
+                const jwtSecret = crypto.randomBytes(32).toString('hex');
+                const result = await vault.setSecret('JWT_SECRET', jwtSecret);
+                if (result.success) {
+                    console.log('   [OK] Generated and stored JWT_SECRET in Ansible Vault');
+                    console.log('   (256-bit random key, no manual input needed)');
+                    return true;
+                }
+                console.log('   Failed to store JWT_SECRET in vault');
+                return false;
+            }
+            catch (e) {
+                console.log('   Error: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Generate and store JWT secret: npx stack deploy --secrets set JWT_SECRET',
+    },
+    {
+        id: 'auth-oauth-google-missing',
+        stage: 'secrets',
+        severity: 'warning',
+        description: 'Google OAuth credentials not in vault (GOOGLE_CLIENT_ID)',
+        scan: async (config, rootDir) => {
+            if (!isOAuthEnabled(config, 'google'))
+                return false;
+            try {
+                const vault = await getVault(config, rootDir);
+                const clientId = await vault.getSecret('GOOGLE_CLIENT_ID');
+                return !clientId;
+            }
+            catch {
+                return false;
+            }
+        },
+        fix: async (config, rootDir) => {
+            try {
+                const { promptForSecret } = await Promise.resolve().then(() => __importStar(require('../../../../utils/secret-prompts.js')));
+                const vault = await getVault(config, rootDir);
+                console.log('');
+                console.log('   Google OAuth Setup');
+                console.log('   Get credentials from: https://console.cloud.google.com/apis/credentials');
+                console.log('');
+                const clientId = await promptForSecret('GOOGLE_CLIENT_ID', config);
+                const r1 = await vault.setSecret('GOOGLE_CLIENT_ID', clientId);
+                if (!r1.success)
+                    return false;
+                const clientSecret = await promptForSecret('GOOGLE_CLIENT_SECRET', config);
+                const r2 = await vault.setSecret('GOOGLE_CLIENT_SECRET', clientSecret);
+                if (!r2.success)
+                    return false;
+                console.log('   [OK] Stored Google OAuth credentials in vault');
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Store Google OAuth credentials:\n' +
+            '      npx stack deploy --secrets set GOOGLE_CLIENT_ID\n' +
+            '      npx stack deploy --secrets set GOOGLE_CLIENT_SECRET\n' +
+            '      Get from: https://console.cloud.google.com/apis/credentials',
+    },
+    {
+        id: 'auth-oauth-apple-missing',
+        stage: 'secrets',
+        severity: 'warning',
+        description: 'Apple OAuth credentials not in vault (APPLE_CLIENT_ID)',
+        scan: async (config, rootDir) => {
+            if (!isOAuthEnabled(config, 'apple'))
+                return false;
+            try {
+                const vault = await getVault(config, rootDir);
+                const clientId = await vault.getSecret('APPLE_CLIENT_ID');
+                return !clientId;
+            }
+            catch {
+                return false;
+            }
+        },
+        fix: async (config, rootDir) => {
+            try {
+                const { promptForSecret } = await Promise.resolve().then(() => __importStar(require('../../../../utils/secret-prompts.js')));
+                const vault = await getVault(config, rootDir);
+                console.log('');
+                console.log('   Apple OAuth Setup');
+                console.log('   Get credentials from: https://developer.apple.com/account/resources/identifiers');
+                console.log('');
+                const clientId = await promptForSecret('APPLE_CLIENT_ID', config);
+                const r1 = await vault.setSecret('APPLE_CLIENT_ID', clientId);
+                if (!r1.success)
+                    return false;
+                console.log('   [OK] Stored Apple OAuth credentials in vault');
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Store Apple OAuth credentials:\n' +
+            '      npx stack deploy --secrets set APPLE_CLIENT_ID\n' +
+            '      Get from: https://developer.apple.com/account/resources/identifiers',
+    },
+];
+//# sourceMappingURL=secrets.js.map

package/dist/plugins/addons/auth/scanfix/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../../../src/plugins/addons/auth/scanfix/secrets.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AAEjC,2EAA0E;AAE1E;;GAEG;AACH,SAAS,aAAa,CAAC,MAAqB;IAC1C,MAAM,IAAI,GAAI,MAAkC,CAAC,IAAI,CAAC;IACtD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,IAA+B,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAqB,EAAE,QAA4B;IACzE,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAA+C,CAAC;IACtE,IAAI,QAAQ,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAEjC,4BAA4B;IAC5B,IAAI,IAAI,CAAC,cAAc,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAElD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,MAAqB,EAAE,OAAe;IAC5D,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,4CAA4C,GAAC,CAAC;IAC3F,OAAO,IAAI,mBAAmB,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,IAAA,uCAAmB,EAAC,MAAM,CAAC;QACrE,mBAAmB,EAAE,MAAM,CAAC,OAAO,EAAE,mBAAmB;QACxD,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAEY,QAAA,YAAY,GAAU;IACjC;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2DAA2D;QACxE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;gBACnD,OAAO,CAAC,MAAM,CAAC;YACjB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC,CAAC,4BAA4B;YAC5C,CAAC;QACH,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAE9C,0DAA0D;gBAC1D,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;gBACzD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;gBAE9D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACnB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;oBACxE,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;oBAC/D,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;gBACtD,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,0EAA0E;KACtF;IAED;QACE,EAAE,EAAE,2BAA2B;QAC/B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,0DAA0D;QACvE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC;gBAAE,OAAO,KAAK,CAAC;YAEpD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;gBAC3D,OAAO,CAAC,QAAQ,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,EAAE,eAAe,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;gBAChF,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAE9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBACrC,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAEhB,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;gBACnE,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC;gBAC/D,IAAI,CAAC,EAAE,CAAC,OAAO;oBAAE,OAAO,KAAK,CAAC;gBAE9B,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;gBAC3E,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,sBAAsB,EAAE,YAAY,CAAC,CAAC;gBACvE,IAAI,CAAC,EAAE,CAAC,OAAO;oBAAE,OAAO,KAAK,CAAC;gBAE9B,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;gBAChE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EACP,mCAAmC;YACnC,yDAAyD;YACzD,6DAA6D;YAC7D,mEAAmE;KACtE;IAED;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,wDAAwD;QACrE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAEnD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;gBAC1D,OAAO,CAAC,QAAQ,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,EAAE,eAAe,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;gBAChF,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAE9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;gBACpC,OAAO,CAAC,GAAG,CAAC,oFAAoF,CAAC,CAAC;gBAClG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAEhB,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;gBAClE,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC;gBAC9D,IAAI,CAAC,EAAE,CAAC,OAAO;oBAAE,OAAO,KAAK,CAAC;gBAE9B,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EACP,kCAAkC;YAClC,wDAAwD;YACxD,2EAA2E;KAC9E;CACF,CAAC"}

package/dist/plugins/addons/auth/scanfix/setup.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Auth Setup Scanfixes (Dev Stage)
+ *
+ * Detects @factiii/auth in dependencies and ensures:
+ * - Auth config exists in stack.yml
+ * - Auth Prisma schema is initialized (npx @factiii/auth init)
+ * - Auth doctor passes (validates setup)
+ * - Prisma migrations are applied for auth tables
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const setupFixes: Fix[];
+//# sourceMappingURL=setup.d.ts.map

package/dist/plugins/addons/auth/scanfix/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/addons/auth/scanfix/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AA+BrE,eAAO,MAAM,UAAU,EAAE,GAAG,EAmK3B,CAAC"}

package/dist/plugins/addons/auth/scanfix/setup.js

@@ -0,0 +1,235 @@
+"use strict";
+/**
+ * Auth Setup Scanfixes (Dev Stage)
+ *
+ * Detects @factiii/auth in dependencies and ensures:
+ * - Auth config exists in stack.yml
+ * - Auth Prisma schema is initialized (npx @factiii/auth init)
+ * - Auth doctor passes (validates setup)
+ * - Prisma migrations are applied for auth tables
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupFixes = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const js_yaml_1 = __importDefault(require("js-yaml"));
+const config_files_js_1 = require("../../../../constants/config-files.js");
+/**
+ * Check if Prisma schema contains auth models (User, Session)
+ */
+function hasAuthModels(rootDir) {
+    const schemaPath = path.join(rootDir, 'prisma', 'schema.prisma');
+    if (!fs.existsSync(schemaPath))
+        return false;
+    const content = fs.readFileSync(schemaPath, 'utf8');
+    return content.includes('model User') && content.includes('model Session');
+}
+/**
+ * Run a command silently and return success/failure
+ */
+function runSilent(cmd, rootDir) {
+    try {
+        const output = (0, child_process_1.execSync)(cmd, {
+            cwd: rootDir,
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return { success: true, output };
+    }
+    catch (e) {
+        const output = e instanceof Error ? e.message : String(e);
+        return { success: false, output };
+    }
+}
+exports.setupFixes = [
+    {
+        id: 'auth-missing-stack-yml-config',
+        stage: 'dev',
+        severity: 'warning',
+        description: 'Auth config missing from stack.yml (@factiii/auth detected but no auth: section)',
+        scan: async (_config, rootDir) => {
+            const stackPath = path.join(rootDir, config_files_js_1.STACK_CONFIG_FILENAME);
+            if (!fs.existsSync(stackPath))
+                return false; // No stack.yml yet, bootstrap handles it
+            const content = fs.readFileSync(stackPath, 'utf8');
+            // Check if there's an uncommented auth: key at the top level
+            return !content.match(/^auth:/m);
+        },
+        fix: async (_config, rootDir) => {
+            try {
+                const stackPath = path.join(rootDir, config_files_js_1.STACK_CONFIG_FILENAME);
+                const content = fs.readFileSync(stackPath, 'utf8');
+                // Build auth section
+                const authSection = '\n# ============================================================\n' +
+                    '# AUTH (@factiii/auth)\n' +
+                    '# ============================================================\n' +
+                    '# Detected @factiii/auth in dependencies.\n' +
+                    '# JWT_SECRET is auto-generated and stored in Ansible Vault.\n' +
+                    '# Customize features below as needed.\n' +
+                    'auth:\n' +
+                    '  features:\n' +
+                    '    oauth: false\n' +
+                    '    twoFa: false\n' +
+                    '    emailVerification: false\n' +
+                    '  oauth_provider: EXAMPLE_google\n';
+                // Remove any commented-out auth section if present
+                let updated = content.replace(/\n?# =+\n# AUTH[^\n]*\n# =+\n(?:#[^\n]*\n)*/g, '');
+                // Append auth section before NEXT STEPS or at end
+                if (updated.includes('# NEXT STEPS')) {
+                    updated = updated.replace(/(\n# =+\n# NEXT STEPS)/, authSection + '\n$1');
+                }
+                else {
+                    updated = updated.trimEnd() + '\n' + authSection;
+                }
+                fs.writeFileSync(stackPath, updated, 'utf8');
+                console.log('   [OK] Added auth: section to ' + config_files_js_1.STACK_CONFIG_FILENAME);
+                // Verify by re-reading
+                const verify = fs.readFileSync(stackPath, 'utf8');
+                const parsed = js_yaml_1.default.load(verify);
+                return !!parsed.auth;
+            }
+            catch (e) {
+                console.log('   Failed: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Add to ' + config_files_js_1.STACK_CONFIG_FILENAME + ':\n' +
+            '      auth:\n' +
+            '        features:\n' +
+            '          oauth: false\n' +
+            '          twoFa: false\n' +
+            '          emailVerification: false\n' +
+            '        oauth_provider: EXAMPLE_google',
+    },
+    {
+        id: 'auth-not-initialized',
+        stage: 'dev',
+        severity: 'critical',
+        description: 'Auth schema not initialized (missing User/Session models in Prisma)',
+        scan: async (_config, rootDir) => {
+            // Only flag if @factiii/auth is installed but schema not initialized
+            const schemaPath = path.join(rootDir, 'prisma', 'schema.prisma');
+            if (!fs.existsSync(schemaPath))
+                return true; // No schema at all
+            return !hasAuthModels(rootDir);
+        },
+        fix: async (_config, rootDir) => {
+            try {
+                console.log('   Running: npx @factiii/auth init');
+                (0, child_process_1.execSync)('npx @factiii/auth init', {
+                    cwd: rootDir,
+                    stdio: 'inherit',
+                });
+                // Regenerate Prisma client
+                console.log('   Running: npx prisma generate');
+                (0, child_process_1.execSync)('npx prisma generate', {
+                    cwd: rootDir,
+                    stdio: 'inherit',
+                });
+                return hasAuthModels(rootDir);
+            }
+            catch (e) {
+                console.log('   Failed: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Run: npx @factiii/auth init && npx prisma generate',
+    },
+    {
+        id: 'auth-doctor-fail',
+        stage: 'dev',
+        severity: 'warning',
+        description: 'Auth doctor check failed (run npx @factiii/auth doctor for details)',
+        scan: async (_config, rootDir) => {
+            // Skip if auth models not yet initialized
+            if (!hasAuthModels(rootDir))
+                return false;
+            const result = runSilent('npx @factiii/auth doctor', rootDir);
+            return !result.success;
+        },
+        fix: async (_config, rootDir) => {
+            // Run doctor with output visible so user can see what's wrong
+            try {
+                (0, child_process_1.execSync)('npx @factiii/auth doctor', {
+                    cwd: rootDir,
+                    stdio: 'inherit',
+                });
+                return true;
+            }
+            catch {
+                console.log('   Doctor found issues — review output above');
+                return false;
+            }
+        },
+        manualFix: 'Run: npx @factiii/auth doctor',
+    },
+    {
+        id: 'auth-prisma-not-migrated',
+        stage: 'dev',
+        severity: 'warning',
+        description: 'Auth database tables not migrated (pending Prisma migrations)',
+        scan: async (_config, rootDir) => {
+            // Skip if auth models not initialized
+            if (!hasAuthModels(rootDir))
+                return false;
+            // Check for pending migrations
+            const result = runSilent('npx prisma migrate status', rootDir);
+            if (!result.success)
+                return true; // Can't check = assume pending
+            return result.output.includes('Following migration') || result.output.includes('not yet been applied');
+        },
+        fix: async (_config, rootDir) => {
+            try {
+                console.log('   Running: npx prisma migrate dev');
+                (0, child_process_1.execSync)('npx prisma migrate dev', {
+                    cwd: rootDir,
+                    stdio: 'inherit',
+                });
+                return true;
+            }
+            catch (e) {
+                console.log('   Migration failed: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Run: npx prisma migrate dev',
+    },
+];
+//# sourceMappingURL=setup.js.map

package/dist/plugins/addons/auth/scanfix/setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../../../src/plugins/addons/auth/scanfix/setup.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAC7B,iDAAyC;AACzC,sDAA2B;AAE3B,2EAA8E;AAE9E;;GAEG;AACH,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;IACjE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACpD,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,GAAW,EAAE,OAAe;IAC7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,GAAG,EAAE;YAC3B,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACpC,CAAC;AACH,CAAC;AAEY,QAAA,UAAU,GAAU;IAC/B;QACE,EAAE,EAAE,+BAA+B;QACnC,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,kFAAkF;QAC/F,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uCAAqB,CAAC,CAAC;YAC5D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,yCAAyC;YAEtF,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACnD,6DAA6D;YAC7D,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uCAAqB,CAAC,CAAC;gBAC5D,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;gBAEnD,qBAAqB;gBACrB,MAAM,WAAW,GACf,oEAAoE;oBACpE,0BAA0B;oBAC1B,kEAAkE;oBAClE,6CAA6C;oBAC7C,+DAA+D;oBAC/D,yCAAyC;oBACzC,SAAS;oBACT,eAAe;oBACf,oBAAoB;oBACpB,oBAAoB;oBACpB,gCAAgC;oBAChC,oCAAoC,CAAC;gBAEvC,mDAAmD;gBACnD,IAAI,OAAO,GAAG,OAAO,CAAC,OAAO,CAC3B,8CAA8C,EAC9C,EAAE,CACH,CAAC;gBAEF,kDAAkD;gBAClD,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;oBACrC,OAAO,GAAG,OAAO,CAAC,OAAO,CACvB,wBAAwB,EACxB,WAAW,GAAG,MAAM,CACrB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,WAAW,CAAC;gBACnD,CAAC;gBAED,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,uCAAqB,CAAC,CAAC;gBAEvE,uBAAuB;gBACvB,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;gBAClD,MAAM,MAAM,GAAG,iBAAI,CAAC,IAAI,CAAC,MAAM,CAA4B,CAAC;gBAC5D,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;YACvB,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1E,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,SAAS,GAAG,uCAAqB,GAAG,KAAK;YAClD,eAAe;YACf,qBAAqB;YACrB,0BAA0B;YAC1B,0BAA0B;YAC1B,sCAAsC;YACtC,wCAAwC;KAC3C;IAED;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qEAAqE;QAClF,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,qEAAqE;YACrE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;YACjE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;gBAAE,OAAO,IAAI,CAAC,CAAC,mBAAmB;YAChE,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC;gBACH,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;gBAClD,IAAA,wBAAQ,EAAC,wBAAwB,EAAE;oBACjC,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;gBAC/C,IAAA,wBAAQ,EAAC,qBAAqB,EAAE;oBAC9B,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAC;gBAEH,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC;YAChC,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1E,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,oDAAoD;KAChE;IAED;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,qEAAqE;QAClF,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,0CAA0C;YAC1C,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE1C,MAAM,MAAM,GAAG,SAAS,CAAC,0BAA0B,EAAE,OAAO,CAAC,CAAC;YAC9D,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;QACzB,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,8DAA8D;YAC9D,IAAI,CAAC;gBACH,IAAA,wBAAQ,EAAC,0BAA0B,EAAE;oBACnC,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,+BAA+B;KAC3C;IAED;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,+DAA+D;QAC5E,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,sCAAsC;YACtC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE1C,+BAA+B;YAC/B,MAAM,MAAM,GAAG,SAAS,CAAC,2BAA2B,EAAE,OAAO,CAAC,CAAC;YAC/D,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC,CAAC,+BAA+B;YACjE,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QACzG,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,IAAI,CAAC;gBACH,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;gBAClD,IAAA,wBAAQ,EAAC,wBAAwB,EAAE;oBACjC,GAAG,EAAE,OAAO;oBACZ,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpF,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,6BAA6B;KACzC;CACF,CAAC"}

package/dist/plugins/addons/auth/scanfix/validate.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Auth Validation Scanfixes (Staging/Prod)
+ *
+ * Validates that auth environment variables are properly
+ * configured on staging and production servers.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const validateFixes: Fix[];
+//# sourceMappingURL=validate.d.ts.map

package/dist/plugins/addons/auth/scanfix/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/addons/auth/scanfix/validate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAkBrE,eAAO,MAAM,aAAa,EAAE,GAAG,EAiG9B,CAAC"}

package/dist/plugins/addons/auth/scanfix/validate.js

@@ -0,0 +1,153 @@
+"use strict";
+/**
+ * Auth Validation Scanfixes (Staging/Prod)
+ *
+ * Validates that auth environment variables are properly
+ * configured on staging and production servers.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateFixes = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const config_helpers_js_1 = require("../../../../utils/config-helpers.js");
+/**
+ * Check if an env file has a variable set (non-empty, non-EXAMPLE)
+ */
+function envFileHasVar(envFilePath, varName) {
+    if (!fs.existsSync(envFilePath))
+        return false;
+    const content = fs.readFileSync(envFilePath, 'utf8');
+    const regex = new RegExp('^' + varName + '\\s*=\\s*(.+)$', 'm');
+    const match = content.match(regex);
+    if (!match || !match[1])
+        return false;
+    const value = match[1].trim();
+    return value.length > 0 && !value.toUpperCase().startsWith('EXAMPLE');
+}
+exports.validateFixes = [
+    {
+        id: 'auth-env-jwt-staging',
+        stage: 'staging',
+        severity: 'critical',
+        description: 'JWT_SECRET not set in .env.staging (auth will not work)',
+        scan: async (_config, rootDir) => {
+            const envPath = path.join(rootDir, '.env.staging');
+            return !envFileHasVar(envPath, 'JWT_SECRET');
+        },
+        fix: async (config, rootDir) => {
+            try {
+                const { AnsibleVaultSecrets } = await Promise.resolve().then(() => __importStar(require('../../../../utils/ansible-vault-secrets.js')));
+                const vault = new AnsibleVaultSecrets({
+                    vault_path: config.ansible?.vault_path ?? (0, config_helpers_js_1.getDefaultVaultPath)(config),
+                    vault_password_file: config.ansible?.vault_password_file,
+                    rootDir,
+                });
+                const jwtSecret = await vault.getSecret('JWT_SECRET');
+                if (!jwtSecret) {
+                    console.log('   JWT_SECRET not in vault — run: npx stack fix --secrets');
+                    return false;
+                }
+                // Append to .env.staging
+                const envPath = path.join(rootDir, '.env.staging');
+                let content = '';
+                if (fs.existsSync(envPath)) {
+                    content = fs.readFileSync(envPath, 'utf8');
+                }
+                if (content.includes('JWT_SECRET=')) {
+                    // Replace existing (empty or EXAMPLE) value
+                    content = content.replace(/^JWT_SECRET\s*=.*$/m, 'JWT_SECRET=' + jwtSecret);
+                }
+                else {
+                    content = content.trimEnd() + '\nJWT_SECRET=' + jwtSecret + '\n';
+                }
+                fs.writeFileSync(envPath, content, 'utf8');
+                console.log('   [OK] Set JWT_SECRET in .env.staging from vault');
+                return true;
+            }
+            catch (e) {
+                console.log('   Error: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Add JWT_SECRET to .env.staging or run: npx stack fix --secrets && npx stack fix --staging',
+    },
+    {
+        id: 'auth-env-jwt-prod',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'JWT_SECRET not set in .env.prod (auth will not work)',
+        scan: async (_config, rootDir) => {
+            const envPath = path.join(rootDir, '.env.prod');
+            return !envFileHasVar(envPath, 'JWT_SECRET');
+        },
+        fix: async (config, rootDir) => {
+            try {
+                const { AnsibleVaultSecrets } = await Promise.resolve().then(() => __importStar(require('../../../../utils/ansible-vault-secrets.js')));
+                const vault = new AnsibleVaultSecrets({
+                    vault_path: config.ansible?.vault_path ?? (0, config_helpers_js_1.getDefaultVaultPath)(config),
+                    vault_password_file: config.ansible?.vault_password_file,
+                    rootDir,
+                });
+                const jwtSecret = await vault.getSecret('JWT_SECRET');
+                if (!jwtSecret) {
+                    console.log('   JWT_SECRET not in vault — run: npx stack fix --secrets');
+                    return false;
+                }
+                // Append to .env.prod
+                const envPath = path.join(rootDir, '.env.prod');
+                let content = '';
+                if (fs.existsSync(envPath)) {
+                    content = fs.readFileSync(envPath, 'utf8');
+                }
+                if (content.includes('JWT_SECRET=')) {
+                    content = content.replace(/^JWT_SECRET\s*=.*$/m, 'JWT_SECRET=' + jwtSecret);
+                }
+                else {
+                    content = content.trimEnd() + '\nJWT_SECRET=' + jwtSecret + '\n';
+                }
+                fs.writeFileSync(envPath, content, 'utf8');
+                console.log('   [OK] Set JWT_SECRET in .env.prod from vault');
+                return true;
+            }
+            catch (e) {
+                console.log('   Error: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Add JWT_SECRET to .env.prod or run: npx stack fix --secrets && npx stack fix --prod',
+    },
+];
+//# sourceMappingURL=validate.js.map

package/dist/plugins/addons/auth/scanfix/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../../src/plugins/addons/auth/scanfix/validate.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAE7B,2EAA+F;AAE/F;;GAEG;AACH,SAAS,aAAa,CAAC,WAAmB,EAAE,OAAe;IACzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,OAAO,GAAG,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAEtC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AACxE,CAAC;AAEY,QAAA,aAAa,GAAU;IAClC;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yDAAyD;QACtE,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YACnD,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,4CAA4C,GAAC,CAAC;gBAC3F,MAAM,KAAK,GAAG,IAAI,mBAAmB,CAAC;oBACpC,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,IAAA,uCAAmB,EAAC,MAAM,CAAC;oBACrE,mBAAmB,EAAE,MAAM,CAAC,OAAO,EAAE,mBAAmB;oBACxD,OAAO;iBACR,CAAC,CAAC;gBAEH,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;gBACtD,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;oBACzE,OAAO,KAAK,CAAC;gBACf,CAAC;gBAED,yBAAyB;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;gBACnD,IAAI,OAAO,GAAG,EAAE,CAAC;gBACjB,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC7C,CAAC;gBAED,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACpC,4CAA4C;oBAC5C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,aAAa,GAAG,SAAS,CAAC,CAAC;gBAC9E,CAAC;qBAAM,CAAC;oBACN,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,eAAe,GAAG,SAAS,GAAG,IAAI,CAAC;gBACnE,CAAC;gBAED,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,2FAA2F;KACvG;IAED;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAChD,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,IAAI,CAAC;gBACH,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,4CAA4C,GAAC,CAAC;gBAC3F,MAAM,KAAK,GAAG,IAAI,mBAAmB,CAAC;oBACpC,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,IAAA,uCAAmB,EAAC,MAAM,CAAC;oBACrE,mBAAmB,EAAE,MAAM,CAAC,OAAO,EAAE,mBAAmB;oBACxD,OAAO;iBACR,CAAC,CAAC;gBAEH,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;gBACtD,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;oBACzE,OAAO,KAAK,CAAC;gBACf,CAAC;gBAED,sBAAsB;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;gBAChD,IAAI,OAAO,GAAG,EAAE,CAAC;gBACjB,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC7C,CAAC;gBAED,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACpC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,aAAa,GAAG,SAAS,CAAC,CAAC;gBAC9E,CAAC;qBAAM,CAAC;oBACN,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,eAAe,GAAG,SAAS,GAAG,IAAI,CAAC;gBACnE,CAAC;gBAED,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;gBAC9D,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,qFAAqF;KACjG;CACF,CAAC"}