@meetploy/cli 1.12.1 → 1.12.2

package/dist/index.js

@@ -7,8 +7,9 @@ import { promisify } from 'util';
 import { parse } from 'yaml';
 import { build } from 'esbuild';
 import { watch } from 'chokidar';
+import { randomBytes, randomUUID, createHmac, pbkdf2Sync, timingSafeEqual, createHash } from 'crypto';
+import { getCookie, deleteCookie, setCookie } from 'hono/cookie';
 import { URL, fileURLToPath } from 'url';
-import { randomBytes, randomUUID, createHash } from 'crypto';
 import { serve } from '@hono/node-server';
 import { Hono } from 'hono';
 import { homedir, tmpdir } from 'os';
@@ -220,6 +221,20 @@ function validatePloyConfig(config, configFile = "ploy.yaml", options = {}) {
       throw new Error(`'compatibility_date' in ${configFile} must be in YYYY-MM-DD format (e.g., 2025-04-02)`);
     }
   }
+  if (config.auth !== void 0) {
+    if (typeof config.auth !== "object" || config.auth === null) {
+      throw new Error(`'auth' in ${configFile} must be an object`);
+    }
+    if (!config.auth.binding) {
+      throw new Error(`'auth.binding' is required in ${configFile} when auth is configured`);
+    }
+    if (typeof config.auth.binding !== "string") {
+      throw new Error(`'auth.binding' in ${configFile} must be a string`);
+    }
+    if (!BINDING_NAME_REGEX.test(config.auth.binding)) {
+      throw new Error(`Invalid auth binding name '${config.auth.binding}' in ${configFile}. Binding names must be uppercase with underscores (e.g., AUTH_DB, AUTH)`);
+    }
+  }
   return validatedConfig;
 }
 async function readPloyConfig(projectDir, configPath) {
@@ -260,7 +275,7 @@ function readAndValidatePloyConfigSync(projectDir, configPath, validationOptions
   return validatePloyConfig(config, configFile, validationOptions);
 }
 function hasBindings(config) {
-  return !!(config.db || config.queue || config.workflow || config.ai);
+  return !!(config.db || config.queue || config.workflow || config.ai || config.auth);
 }
 function getWorkerEntryPoint(projectDir, config) {
   if (config.main) {
@@ -597,6 +612,12 @@ var init_trace_event = __esm({
   }
 });
 
+// ../shared/dist/trace-id.js
+var init_trace_id = __esm({
+  "../shared/dist/trace-id.js"() {
+  }
+});
+
 // ../shared/dist/unified-log.js
 var init_unified_log = __esm({
   "../shared/dist/unified-log.js"() {
@@ -616,6 +637,7 @@ var init_dist = __esm({
     init_error();
     init_health_check();
     init_trace_event();
+    init_trace_id();
     init_unified_log();
     init_url_validation();
   }
@@ -1316,6 +1338,255 @@ var init_workerd_config = __esm({
   "../emulator/dist/config/workerd-config.js"() {
   }
 });
+function generateId() {
+  return randomBytes(16).toString("hex");
+}
+function hashPassword(password) {
+  const salt = randomBytes(32).toString("hex");
+  const hash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return `${salt}:${hash}`;
+}
+function verifyPassword(password, storedHash) {
+  const [salt, hash] = storedHash.split(":");
+  const derivedHash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return timingSafeEqual(Buffer.from(hash, "hex"), Buffer.from(derivedHash, "hex"));
+}
+function hashToken(token) {
+  return createHmac("sha256", "emulator-secret").update(token).digest("hex");
+}
+function base64UrlEncode(str) {
+  return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  return Buffer.from(base64, "base64").toString();
+}
+function createJWT(payload) {
+  const header = { alg: "HS256", typ: "JWT" };
+  const headerB64 = base64UrlEncode(JSON.stringify(header));
+  const payloadB64 = base64UrlEncode(JSON.stringify(payload));
+  const signature = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return `${headerB64}.${payloadB64}.${signature}`;
+}
+function verifyJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const [headerB64, payloadB64, signature] = parts;
+    const expectedSig = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    if (signature !== expectedSig) {
+      return null;
+    }
+    const payload = JSON.parse(base64UrlDecode(payloadB64));
+    if (payload.exp < Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function createSessionToken(userId, email) {
+  const now = Math.floor(Date.now() / 1e3);
+  const sessionId = generateId();
+  const token = createJWT({
+    sub: userId,
+    email,
+    iat: now,
+    exp: now + SESSION_TOKEN_EXPIRY,
+    jti: sessionId
+  });
+  return {
+    token,
+    sessionId,
+    expiresAt: new Date((now + SESSION_TOKEN_EXPIRY) * 1e3)
+  };
+}
+function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!emailRegex.test(email)) {
+    return "Invalid email format";
+  }
+  return null;
+}
+function validatePassword(password) {
+  if (password.length < 8) {
+    return "Password must be at least 8 characters";
+  }
+  return null;
+}
+function setSessionCookie(c, sessionToken) {
+  setCookie(c, "ploy_session", sessionToken, {
+    httpOnly: true,
+    secure: false,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: SESSION_TOKEN_EXPIRY
+  });
+}
+function clearSessionCookie(c) {
+  deleteCookie(c, "ploy_session", { path: "/" });
+}
+function createAuthHandlers(db) {
+  const signupHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password, metadata } = body;
+      const emailError = validateEmail(email);
+      if (emailError) {
+        return c.json({ error: emailError }, 400);
+      }
+      const passwordError = validatePassword(password);
+      if (passwordError) {
+        return c.json({ error: passwordError }, 400);
+      }
+      const existingUser = db.prepare("SELECT id FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (existingUser) {
+        return c.json({ error: "User already exists" }, 409);
+      }
+      const userId = generateId();
+      const passwordHash = hashPassword(password);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_users (id, email, password_hash, created_at, updated_at, metadata)
+				 VALUES (?, ?, ?, ?, ?, ?)`).run(userId, email.toLowerCase(), passwordHash, now, now, metadata ? JSON.stringify(metadata) : null);
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(userId, email.toLowerCase());
+      const sessionTokenHash = hashToken(sessionToken);
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, userId, sessionTokenHash, expiresAt.toISOString(), now);
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: userId,
+          email: email.toLowerCase(),
+          emailVerified: false,
+          createdAt: now,
+          metadata: metadata ?? null
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signinHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password } = body;
+      const user = db.prepare("SELECT * FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (!user) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      if (!verifyPassword(password, user.password_hash)) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(user.id, user.email);
+      const sessionTokenHash = hashToken(sessionToken);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, user.id, sessionTokenHash, expiresAt.toISOString(), now);
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const meHandler = async (c) => {
+    try {
+      const cookieToken = getCookie(c, "ploy_session");
+      const authHeader = c.req.header("Authorization");
+      let token;
+      if (cookieToken) {
+        token = cookieToken;
+      } else if (authHeader && authHeader.startsWith("Bearer ")) {
+        token = authHeader.slice(7);
+      }
+      if (!token) {
+        return c.json({ error: "Missing authentication" }, 401);
+      }
+      const payload = verifyJWT(token);
+      if (!payload) {
+        return c.json({ error: "Invalid or expired session" }, 401);
+      }
+      const user = db.prepare("SELECT id, email, email_verified, created_at, updated_at, metadata FROM auth_users WHERE id = ?").get(payload.sub);
+      if (!user) {
+        return c.json({ error: "User not found" }, 401);
+      }
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          updatedAt: user.updated_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signoutHandler = async (c) => {
+    try {
+      const sessionToken = getCookie(c, "ploy_session");
+      if (sessionToken) {
+        const payload = verifyJWT(sessionToken);
+        if (payload) {
+          const tokenHash = hashToken(sessionToken);
+          db.prepare("UPDATE auth_sessions SET revoked = 1 WHERE token_hash = ?").run(tokenHash);
+        }
+      }
+      clearSessionCookie(c);
+      return c.json({ success: true });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  return {
+    signupHandler,
+    signinHandler,
+    meHandler,
+    signoutHandler
+  };
+}
+var JWT_SECRET, SESSION_TOKEN_EXPIRY;
+var init_auth_service = __esm({
+  "../emulator/dist/services/auth-service.js"() {
+    JWT_SECRET = "ploy-emulator-dev-secret";
+    SESSION_TOKEN_EXPIRY = 7 * 24 * 60 * 60;
+  }
+});
 function findDashboardDistPath() {
   const possiblePaths = [
     join(__dirname, "dashboard-dist"),
@@ -1343,9 +1614,174 @@ function createDashboardRoutes(app, dbManager2, config) {
     return c.json({
       db: config.db,
       queue: config.queue,
-      workflow: config.workflow
+      workflow: config.workflow,
+      auth: config.auth
     });
   });
+  if (config.auth) {
+    app.get("/api/auth/tables", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = db.prepare(`SELECT name FROM sqlite_master
+						 WHERE type='table' AND (name = 'auth_users' OR name = 'auth_sessions')
+						 ORDER BY name`).all();
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/tables/:tableName", (c) => {
+      const tableName = c.req.param("tableName");
+      if (tableName !== "auth_users" && tableName !== "auth_sessions") {
+        return c.json({ error: "Table not found" }, 404);
+      }
+      const limit = parseInt(c.req.query("limit") || "50", 10);
+      const offset = parseInt(c.req.query("offset") || "0", 10);
+      try {
+        const db = dbManager2.emulatorDb;
+        const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+        const columns = columnsResult.map((col) => col.name);
+        const countResult = db.prepare(`SELECT COUNT(*) as count FROM "${tableName}"`).get();
+        const total = countResult.count;
+        let data;
+        if (tableName === "auth_users") {
+          data = db.prepare(`SELECT id, email, email_verified, created_at, updated_at, metadata FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        } else {
+          data = db.prepare(`SELECT * FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        }
+        const visibleColumns = tableName === "auth_users" ? columns.filter((c2) => c2 !== "password_hash") : columns;
+        return c.json({ data, columns: visibleColumns, total });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/schema", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = ["auth_users", "auth_sessions"].map((tableName) => {
+          const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+          const visibleColumns = tableName === "auth_users" ? columnsResult.filter((col) => col.name !== "password_hash") : columnsResult;
+          return {
+            name: tableName,
+            columns: visibleColumns.map((col) => ({
+              name: col.name,
+              type: col.type,
+              notNull: col.notnull === 1,
+              primaryKey: col.pk === 1
+            }))
+          };
+        });
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.post("/api/auth/query", async (c) => {
+      const body = await c.req.json();
+      const { query } = body;
+      if (!query) {
+        return c.json({ error: "Query is required" }, 400);
+      }
+      const normalizedQuery = query.trim().toUpperCase();
+      if (!normalizedQuery.startsWith("SELECT")) {
+        return c.json({ error: "Only SELECT queries are allowed on auth tables" }, 400);
+      }
+      const allowedTables = ["auth_users", "auth_sessions"];
+      const hasDisallowedTable = !allowedTables.some((table) => query.toLowerCase().includes(`from ${table}`) || query.toLowerCase().includes(`join ${table}`));
+      if (hasDisallowedTable) {
+        return c.json({
+          error: "Query must reference auth tables (auth_users or auth_sessions)"
+        }, 400);
+      }
+      try {
+        const db = dbManager2.emulatorDb;
+        const startTime = Date.now();
+        const stmt = db.prepare(query);
+        const results = stmt.all();
+        const sanitizedResults = results.map((row) => {
+          const { password_hash: _, ...rest } = row;
+          return rest;
+        });
+        const duration = Date.now() - startTime;
+        return c.json({
+          results: sanitizedResults,
+          success: true,
+          meta: {
+            duration,
+            rows_read: results.length,
+            rows_written: 0
+          }
+        });
+      } catch (err) {
+        return c.json({
+          results: [],
+          success: false,
+          error: err instanceof Error ? err.message : String(err),
+          meta: { duration: 0, rows_read: 0, rows_written: 0 }
+        }, 400);
+      }
+    });
+    app.get("/api/auth/settings", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        if (!settings) {
+          return c.json({
+            sessionTokenExpiry: 604800,
+            allowSignups: true,
+            requireEmailVerification: false,
+            requireName: false
+          });
+        }
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.patch("/api/auth/settings", async (c) => {
+      try {
+        const body = await c.req.json();
+        const db = dbManager2.emulatorDb;
+        const updates = [];
+        const values = [];
+        if (body.sessionTokenExpiry !== void 0) {
+          updates.push("session_token_expiry = ?");
+          values.push(body.sessionTokenExpiry);
+        }
+        if (body.allowSignups !== void 0) {
+          updates.push("allow_signups = ?");
+          values.push(body.allowSignups ? 1 : 0);
+        }
+        if (body.requireEmailVerification !== void 0) {
+          updates.push("require_email_verification = ?");
+          values.push(body.requireEmailVerification ? 1 : 0);
+        }
+        if (body.requireName !== void 0) {
+          updates.push("require_name = ?");
+          values.push(body.requireName ? 1 : 0);
+        }
+        if (updates.length > 0) {
+          updates.push("updated_at = strftime('%s', 'now')");
+          const sql = `UPDATE auth_settings SET ${updates.join(", ")} WHERE id = 1`;
+          db.prepare(sql).run(...values);
+        }
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+  }
   app.post("/api/db/:binding/query", async (c) => {
     const binding = c.req.param("binding");
     const resourceName = getDbResourceName(binding);
@@ -1568,7 +2004,7 @@ function createDashboardRoutes(app, dbManager2, config) {
     }
     try {
       const db = dbManager2.emulatorDb;
-      const execution = db.prepare(`SELECT id, workflow_name, status, error, started_at, completed_at, created_at
+      const execution = db.prepare(`SELECT id, workflow_name, status, input, output, error, started_at, completed_at, created_at
 					 FROM workflow_executions
 					 WHERE id = ?`).get(executionId);
       if (!execution) {
@@ -1582,6 +2018,8 @@ function createDashboardRoutes(app, dbManager2, config) {
         execution: {
           id: execution.id,
           status: execution.status.toUpperCase(),
+          input: execution.input ? JSON.parse(execution.input) : null,
+          output: execution.output ? JSON.parse(execution.output) : null,
           startedAt: execution.started_at ? new Date(execution.started_at * 1e3).toISOString() : null,
           completedAt: execution.completed_at ? new Date(execution.completed_at * 1e3).toISOString() : null,
           durationMs: execution.started_at && execution.completed_at ? (execution.completed_at - execution.started_at) * 1e3 : null,
@@ -1830,8 +2268,10 @@ function createQueueHandlers(db) {
     try {
       const body = await c.req.json();
       const { messageId, deliveryId } = body;
-      const result = db.prepare(`DELETE FROM queue_messages
-					 WHERE id = ? AND delivery_id = ?`).run(messageId, deliveryId);
+      const now = Math.floor(Date.now() / 1e3);
+      const result = db.prepare(`UPDATE queue_messages
+					 SET status = 'acknowledged', updated_at = ?
+					 WHERE id = ? AND delivery_id = ?`).run(now, messageId, deliveryId);
       if (result.changes === 0) {
         return c.json({ success: false, error: "Message not found or already processed" }, 404);
       }
@@ -1906,7 +2346,7 @@ function createQueueProcessor(db, queueBindings, workerUrl) {
           body: row.payload
         });
         if (response.ok) {
-          db.prepare(`DELETE FROM queue_messages WHERE id = ?`).run(row.id);
+          db.prepare(`UPDATE queue_messages SET status = 'acknowledged', updated_at = ? WHERE id = ?`).run(now, row.id);
         } else {
           db.prepare(`UPDATE queue_messages
 						 SET status = 'pending', delivery_id = NULL, visible_at = ?, updated_at = ?
@@ -2143,6 +2583,13 @@ async function startMockServer(dbManager2, config, options = {}) {
     app.post("/workflow/complete", workflowHandlers.completeHandler);
     app.post("/workflow/fail", workflowHandlers.failHandler);
   }
+  if (config.auth) {
+    const authHandlers = createAuthHandlers(dbManager2.emulatorDb);
+    app.post("/auth/signup", authHandlers.signupHandler);
+    app.post("/auth/signin", authHandlers.signinHandler);
+    app.get("/auth/me", authHandlers.meHandler);
+    app.post("/auth/signout", authHandlers.signoutHandler);
+  }
   app.get("/health", (c) => c.json({ status: "ok" }));
   if (options.dashboardEnabled !== false) {
     createDashboardRoutes(app, dbManager2, config);
@@ -2165,6 +2612,7 @@ async function startMockServer(dbManager2, config, options = {}) {
 var DEFAULT_MOCK_SERVER_PORT;
 var init_mock_server = __esm({
   "../emulator/dist/services/mock-server.js"() {
+    init_auth_service();
     init_dashboard_routes();
     init_db_service();
     init_queue_service();
@@ -2281,6 +2729,49 @@ CREATE TABLE IF NOT EXISTS workflow_steps (
 
 CREATE INDEX IF NOT EXISTS idx_workflow_steps_execution
   ON workflow_steps(execution_id, step_index);
+
+-- Auth users table
+CREATE TABLE IF NOT EXISTS auth_users (
+  id TEXT PRIMARY KEY,
+  email TEXT UNIQUE NOT NULL,
+  email_verified INTEGER NOT NULL DEFAULT 0,
+  password_hash TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  metadata TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_users_email
+  ON auth_users(email);
+
+-- Auth sessions table
+CREATE TABLE IF NOT EXISTS auth_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  token_hash TEXT UNIQUE NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  revoked INTEGER NOT NULL DEFAULT 0,
+  FOREIGN KEY (user_id) REFERENCES auth_users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_user
+  ON auth_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_hash
+  ON auth_sessions(token_hash);
+
+-- Auth settings table
+CREATE TABLE IF NOT EXISTS auth_settings (
+  id INTEGER PRIMARY KEY CHECK (id = 1),
+  session_token_expiry INTEGER NOT NULL DEFAULT 604800,
+  allow_signups INTEGER NOT NULL DEFAULT 1,
+  require_email_verification INTEGER NOT NULL DEFAULT 0,
+  require_name INTEGER NOT NULL DEFAULT 0,
+  updated_at INTEGER DEFAULT (strftime('%s', 'now'))
+);
+
+-- Insert default settings if not exists
+INSERT OR IGNORE INTO auth_settings (id) VALUES (1);
 `;
   }
 });
@@ -2635,6 +3126,38 @@ function createDevD1(databaseId, apiUrl) {
     }
   };
 }
+function createDevPloyAuth(apiUrl) {
+  return {
+    async getUser(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        if (!response.ok) {
+          return null;
+        }
+        const data = await response.json();
+        return data.user;
+      } catch {
+        return null;
+      }
+    },
+    async verifyToken(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    }
+  };
+}
 async function initPloyForDev(config) {
   if (process.env.NODE_ENV !== "development") {
     return;
@@ -2643,6 +3166,56 @@ async function initPloyForDev(config) {
     return;
   }
   globalThis.__PLOY_DEV_INITIALIZED__ = true;
+  const cliMockServerUrl = process.env.PLOY_MOCK_SERVER_URL;
+  if (cliMockServerUrl) {
+    const configPath2 = config?.configPath || "./ploy.yaml";
+    const projectDir2 = process.cwd();
+    let ployConfig2;
+    try {
+      ployConfig2 = readPloyConfig2(projectDir2, configPath2);
+    } catch {
+      if (config?.bindings?.db) {
+        ployConfig2 = { db: config.bindings.db };
+      } else {
+        return;
+      }
+    }
+    if (config?.bindings?.db) {
+      ployConfig2 = { ...ployConfig2, db: config.bindings.db };
+    }
+    const hasDbBindings2 = ployConfig2.db && Object.keys(ployConfig2.db).length > 0;
+    const hasAuthConfig2 = !!ployConfig2.auth;
+    if (!hasDbBindings2 && !hasAuthConfig2) {
+      return;
+    }
+    const env2 = {};
+    if (hasDbBindings2 && ployConfig2.db) {
+      for (const [bindingName, databaseId] of Object.entries(ployConfig2.db)) {
+        env2[bindingName] = createDevD1(databaseId, cliMockServerUrl);
+      }
+    }
+    if (hasAuthConfig2) {
+      env2.PLOY_AUTH = createDevPloyAuth(cliMockServerUrl);
+    }
+    const context2 = { env: env2, cf: void 0, ctx: void 0 };
+    globalThis.__PLOY_DEV_CONTEXT__ = context2;
+    Object.defineProperty(globalThis, PLOY_CONTEXT_SYMBOL, {
+      get() {
+        return context2;
+      },
+      configurable: true
+    });
+    const bindingNames2 = Object.keys(env2);
+    const features2 = [];
+    if (bindingNames2.length > 0) {
+      features2.push(`bindings: ${bindingNames2.join(", ")}`);
+    }
+    if (hasAuthConfig2) {
+      features2.push("auth");
+    }
+    console.log(`[Ploy] Using CLI mock server at ${cliMockServerUrl} (${features2.join(", ")})`);
+    return;
+  }
   const configPath = config?.configPath || "./ploy.yaml";
   const projectDir = process.cwd();
   let ployConfig;
@@ -2658,7 +3231,9 @@ async function initPloyForDev(config) {
   if (config?.bindings?.db) {
     ployConfig = { ...ployConfig, db: config.bindings.db };
   }
-  if (!ployConfig.db || Object.keys(ployConfig.db).length === 0) {
+  const hasDbBindings = ployConfig.db && Object.keys(ployConfig.db).length > 0;
+  const hasAuthConfig = !!ployConfig.auth;
+  if (!hasDbBindings && !hasAuthConfig) {
     return;
   }
   ensureDataDir(projectDir);
@@ -2666,8 +3241,14 @@ async function initPloyForDev(config) {
   mockServer = await startMockServer(dbManager, ployConfig, {});
   const apiUrl = `http://localhost:${mockServer.port}`;
   const env = {};
-  for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
-    env[bindingName] = createDevD1(databaseId, apiUrl);
+  if (hasDbBindings && ployConfig.db) {
+    for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
+      env[bindingName] = createDevD1(databaseId, apiUrl);
+    }
+  }
+  if (hasAuthConfig) {
+    env.PLOY_AUTH = createDevPloyAuth(apiUrl);
+    process.env.NEXT_PUBLIC_PLOY_AUTH_URL = `${apiUrl}/auth`;
   }
   const context = {
     env,
@@ -2682,7 +3263,14 @@ async function initPloyForDev(config) {
     configurable: true
   });
   const bindingNames = Object.keys(env);
-  console.log(`[Ploy] Development context initialized with bindings: ${bindingNames.join(", ")}`);
+  const features = [];
+  if (bindingNames.length > 0) {
+    features.push(`bindings: ${bindingNames.join(", ")}`);
+  }
+  if (hasAuthConfig) {
+    features.push("auth");
+  }
+  console.log(`[Ploy] Development context initialized with ${features.join(", ")}`);
   console.log(`[Ploy] Mock server running at ${apiUrl}`);
   const cleanup = async () => {
     if (mockServer) {
@@ -4476,7 +5064,9 @@ async function startNextJsDev(options) {
       env: {
         ...process.env,
         // Set environment variable so initPloyForDev knows the mock server URL
-        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`
+        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`,
+        // Set PORT so initPloyForDev can construct the correct handler URL
+        PORT: String(nextPort)
       }
     });
   } else {
@@ -4486,7 +5076,8 @@ async function startNextJsDev(options) {
       shell: true,
       env: {
         ...process.env,
-        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`
+        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`,
+        PORT: String(nextPort)
       }
     });
   }