@meetploy/cli 1.12.1 → 1.13.0

package/dist/dev.js

@@ -9,14 +9,15 @@ import { promisify } from 'util';
 import { parse } from 'yaml';
 import { serve } from '@hono/node-server';
 import { Hono } from 'hono';
-import { randomUUID } from 'crypto';
+import { randomUUID, createHmac, pbkdf2Sync, timingSafeEqual, randomBytes } from 'crypto';
+import { getCookie, deleteCookie, setCookie } from 'hono/cookie';
 import 'os';
 import Database from 'better-sqlite3';
 
 createRequire(import.meta.url);
 promisify(readFile);
 function readPloyConfigSync(projectDir, configPath) {
-  const configFile = configPath;
+  const configFile = configPath || "ploy.yaml";
   const fullPath = join(projectDir, configFile);
   if (!existsSync(fullPath)) {
     throw new Error(`Config file not found: ${fullPath}`);
@@ -29,13 +30,287 @@ function readPloyConfigSync(projectDir, configPath) {
 function readPloyConfig(projectDir, configPath) {
   const config = readPloyConfigSync(projectDir, configPath);
   if (!config.kind) {
-    throw new Error(`Missing required field 'kind' in ${configPath}`);
+    throw new Error(`Missing required field 'kind' in ${configPath || "ploy.yaml"}`);
   }
   if (config.kind !== "dynamic" && config.kind !== "worker") {
-    throw new Error(`Invalid kind '${config.kind}' in ${configPath}. Must be 'dynamic' or 'worker'`);
+    throw new Error(`Invalid kind '${config.kind}' in ${configPath || "ploy.yaml"}. Must be 'dynamic' or 'worker'`);
   }
   return config;
 }
+function generateId() {
+  return randomBytes(16).toString("hex");
+}
+function hashPassword(password) {
+  const salt = randomBytes(32).toString("hex");
+  const hash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return `${salt}:${hash}`;
+}
+function verifyPassword(password, storedHash) {
+  const [salt, hash] = storedHash.split(":");
+  const derivedHash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return timingSafeEqual(Buffer.from(hash, "hex"), Buffer.from(derivedHash, "hex"));
+}
+function hashToken(token) {
+  return createHmac("sha256", "emulator-secret").update(token).digest("hex");
+}
+var JWT_SECRET = "ploy-emulator-dev-secret";
+var SESSION_TOKEN_EXPIRY = 7 * 24 * 60 * 60;
+function base64UrlEncode(str) {
+  return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  return Buffer.from(base64, "base64").toString();
+}
+function createJWT(payload) {
+  const header = { alg: "HS256", typ: "JWT" };
+  const headerB64 = base64UrlEncode(JSON.stringify(header));
+  const payloadB64 = base64UrlEncode(JSON.stringify(payload));
+  const signature = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return `${headerB64}.${payloadB64}.${signature}`;
+}
+function verifyJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const [headerB64, payloadB64, signature] = parts;
+    const expectedSig = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    if (signature !== expectedSig) {
+      return null;
+    }
+    const payload = JSON.parse(base64UrlDecode(payloadB64));
+    if (payload.exp < Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function createSessionToken(userId, email) {
+  const now = Math.floor(Date.now() / 1e3);
+  const sessionId = generateId();
+  const token = createJWT({
+    sub: userId,
+    email,
+    iat: now,
+    exp: now + SESSION_TOKEN_EXPIRY,
+    jti: sessionId
+  });
+  return {
+    token,
+    sessionId,
+    expiresAt: new Date((now + SESSION_TOKEN_EXPIRY) * 1e3)
+  };
+}
+function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!emailRegex.test(email)) {
+    return "Invalid email format";
+  }
+  return null;
+}
+function validatePassword(password) {
+  if (password.length < 8) {
+    return "Password must be at least 8 characters";
+  }
+  return null;
+}
+function setSessionCookie(c, sessionToken) {
+  setCookie(c, "ploy_session", sessionToken, {
+    httpOnly: true,
+    secure: false,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: SESSION_TOKEN_EXPIRY
+  });
+}
+function clearSessionCookie(c) {
+  deleteCookie(c, "ploy_session", { path: "/" });
+}
+function createAuthHandlers(db) {
+  const signupHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password, metadata } = body;
+      const emailError = validateEmail(email);
+      if (emailError) {
+        return c.json({ error: emailError }, 400);
+      }
+      const passwordError = validatePassword(password);
+      if (passwordError) {
+        return c.json({ error: passwordError }, 400);
+      }
+      const existingUser = db.prepare("SELECT id FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (existingUser) {
+        return c.json({ error: "User already exists" }, 409);
+      }
+      const userId = generateId();
+      const passwordHash = hashPassword(password);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_users (id, email, password_hash, created_at, updated_at, metadata)
+				 VALUES (?, ?, ?, ?, ?, ?)`).run(userId, email.toLowerCase(), passwordHash, now, now, metadata ? JSON.stringify(metadata) : null);
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(userId, email.toLowerCase());
+      const sessionTokenHash = hashToken(sessionToken);
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, userId, sessionTokenHash, expiresAt.toISOString(), now);
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: userId,
+          email: email.toLowerCase(),
+          emailVerified: false,
+          createdAt: now,
+          metadata: metadata ?? null
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signinHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password } = body;
+      const user = db.prepare("SELECT * FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (!user) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      if (!verifyPassword(password, user.password_hash)) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(user.id, user.email);
+      const sessionTokenHash = hashToken(sessionToken);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, user.id, sessionTokenHash, expiresAt.toISOString(), now);
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const meHandler = async (c) => {
+    try {
+      const cookieToken = getCookie(c, "ploy_session");
+      const authHeader = c.req.header("Authorization");
+      let token;
+      if (cookieToken) {
+        token = cookieToken;
+      } else if (authHeader && authHeader.startsWith("Bearer ")) {
+        token = authHeader.slice(7);
+      }
+      if (!token) {
+        return c.json({ error: "Missing authentication" }, 401);
+      }
+      const payload = verifyJWT(token);
+      if (!payload) {
+        return c.json({ error: "Invalid or expired session" }, 401);
+      }
+      const user = db.prepare("SELECT id, email, email_verified, created_at, updated_at, metadata FROM auth_users WHERE id = ?").get(payload.sub);
+      if (!user) {
+        return c.json({ error: "User not found" }, 401);
+      }
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          updatedAt: user.updated_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signoutHandler = async (c) => {
+    try {
+      const sessionToken = getCookie(c, "ploy_session");
+      if (sessionToken) {
+        const payload = verifyJWT(sessionToken);
+        if (payload) {
+          const tokenHash = hashToken(sessionToken);
+          db.prepare("UPDATE auth_sessions SET revoked = 1 WHERE token_hash = ?").run(tokenHash);
+        }
+      }
+      clearSessionCookie(c);
+      return c.json({ success: true });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  return {
+    signupHandler,
+    signinHandler,
+    meHandler,
+    signoutHandler
+  };
+}
+
+// ../emulator/dist/services/cache-service.js
+function createCacheHandlers(db) {
+  const getHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key } = body;
+    const now = Math.floor(Date.now() / 1e3);
+    const row = db.prepare(`SELECT value FROM cache_entries WHERE cache_name = ? AND key = ? AND expires_at > ?`).get(cacheName, key, now);
+    return c.json({ value: row?.value ?? null });
+  };
+  const setHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key, value, ttl } = body;
+    const now = Math.floor(Date.now() / 1e3);
+    const expiresAt = now + ttl;
+    db.prepare(`INSERT OR REPLACE INTO cache_entries (cache_name, key, value, expires_at) VALUES (?, ?, ?, ?)`).run(cacheName, key, value, expiresAt);
+    return c.json({ success: true });
+  };
+  const deleteHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key } = body;
+    db.prepare(`DELETE FROM cache_entries WHERE cache_name = ? AND key = ?`).run(cacheName, key);
+    return c.json({ success: true });
+  };
+  return {
+    getHandler,
+    setHandler,
+    deleteHandler
+  };
+}
 var __filename = fileURLToPath(import.meta.url);
 var __dirname = dirname(__filename);
 function findDashboardDistPath() {
@@ -77,9 +352,175 @@ function createDashboardRoutes(app, dbManager2, config) {
     return c.json({
       db: config.db,
       queue: config.queue,
-      workflow: config.workflow
+      cache: config.cache,
+      workflow: config.workflow,
+      auth: config.auth
     });
   });
+  if (config.auth) {
+    app.get("/api/auth/tables", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = db.prepare(`SELECT name FROM sqlite_master
+						 WHERE type='table' AND (name = 'auth_users' OR name = 'auth_sessions')
+						 ORDER BY name`).all();
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/tables/:tableName", (c) => {
+      const tableName = c.req.param("tableName");
+      if (tableName !== "auth_users" && tableName !== "auth_sessions") {
+        return c.json({ error: "Table not found" }, 404);
+      }
+      const limit = parseInt(c.req.query("limit") || "50", 10);
+      const offset = parseInt(c.req.query("offset") || "0", 10);
+      try {
+        const db = dbManager2.emulatorDb;
+        const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+        const columns = columnsResult.map((col) => col.name);
+        const countResult = db.prepare(`SELECT COUNT(*) as count FROM "${tableName}"`).get();
+        const total = countResult.count;
+        let data;
+        if (tableName === "auth_users") {
+          data = db.prepare(`SELECT id, email, email_verified, created_at, updated_at, metadata FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        } else {
+          data = db.prepare(`SELECT * FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        }
+        const visibleColumns = tableName === "auth_users" ? columns.filter((c2) => c2 !== "password_hash") : columns;
+        return c.json({ data, columns: visibleColumns, total });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/schema", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = ["auth_users", "auth_sessions"].map((tableName) => {
+          const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+          const visibleColumns = tableName === "auth_users" ? columnsResult.filter((col) => col.name !== "password_hash") : columnsResult;
+          return {
+            name: tableName,
+            columns: visibleColumns.map((col) => ({
+              name: col.name,
+              type: col.type,
+              notNull: col.notnull === 1,
+              primaryKey: col.pk === 1
+            }))
+          };
+        });
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.post("/api/auth/query", async (c) => {
+      const body = await c.req.json();
+      const { query } = body;
+      if (!query) {
+        return c.json({ error: "Query is required" }, 400);
+      }
+      const normalizedQuery = query.trim().toUpperCase();
+      if (!normalizedQuery.startsWith("SELECT")) {
+        return c.json({ error: "Only SELECT queries are allowed on auth tables" }, 400);
+      }
+      const allowedTables = ["auth_users", "auth_sessions"];
+      const hasDisallowedTable = !allowedTables.some((table) => query.toLowerCase().includes(`from ${table}`) || query.toLowerCase().includes(`join ${table}`));
+      if (hasDisallowedTable) {
+        return c.json({
+          error: "Query must reference auth tables (auth_users or auth_sessions)"
+        }, 400);
+      }
+      try {
+        const db = dbManager2.emulatorDb;
+        const startTime = Date.now();
+        const stmt = db.prepare(query);
+        const results = stmt.all();
+        const sanitizedResults = results.map((row) => {
+          const { password_hash: _, ...rest } = row;
+          return rest;
+        });
+        const duration = Date.now() - startTime;
+        return c.json({
+          results: sanitizedResults,
+          success: true,
+          meta: {
+            duration,
+            rows_read: results.length,
+            rows_written: 0
+          }
+        });
+      } catch (err) {
+        return c.json({
+          results: [],
+          success: false,
+          error: err instanceof Error ? err.message : String(err),
+          meta: { duration: 0, rows_read: 0, rows_written: 0 }
+        }, 400);
+      }
+    });
+    app.get("/api/auth/settings", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        if (!settings) {
+          return c.json({
+            sessionTokenExpiry: 604800,
+            allowSignups: true,
+            requireEmailVerification: false,
+            requireName: false
+          });
+        }
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.patch("/api/auth/settings", async (c) => {
+      try {
+        const body = await c.req.json();
+        const db = dbManager2.emulatorDb;
+        const updates = [];
+        const values = [];
+        if (body.sessionTokenExpiry !== void 0) {
+          updates.push("session_token_expiry = ?");
+          values.push(body.sessionTokenExpiry);
+        }
+        if (body.allowSignups !== void 0) {
+          updates.push("allow_signups = ?");
+          values.push(body.allowSignups ? 1 : 0);
+        }
+        if (body.requireEmailVerification !== void 0) {
+          updates.push("require_email_verification = ?");
+          values.push(body.requireEmailVerification ? 1 : 0);
+        }
+        if (body.requireName !== void 0) {
+          updates.push("require_name = ?");
+          values.push(body.requireName ? 1 : 0);
+        }
+        if (updates.length > 0) {
+          updates.push("updated_at = strftime('%s', 'now')");
+          const sql = `UPDATE auth_settings SET ${updates.join(", ")} WHERE id = 1`;
+          db.prepare(sql).run(...values);
+        }
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+  }
   app.post("/api/db/:binding/query", async (c) => {
     const binding = c.req.param("binding");
     const resourceName = getDbResourceName(binding);
@@ -252,6 +693,39 @@ function createDashboardRoutes(app, dbManager2, config) {
       return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
     }
   });
+  app.get("/api/cache/:binding/entries", (c) => {
+    const binding = c.req.param("binding");
+    const cacheName = config.cache?.[binding];
+    const limit = parseInt(c.req.query("limit") || "20", 10);
+    const offset = parseInt(c.req.query("offset") || "0", 10);
+    const now = Math.floor(Date.now() / 1e3);
+    if (!cacheName) {
+      return c.json({ error: "Cache binding not found" }, 404);
+    }
+    try {
+      const db = dbManager2.emulatorDb;
+      const total = db.prepare(`SELECT COUNT(*) as count FROM cache_entries
+						 WHERE cache_name = ? AND expires_at > ?`).get(cacheName, now).count;
+      const entries = db.prepare(`SELECT key, value, expires_at
+					 FROM cache_entries
+					 WHERE cache_name = ? AND expires_at > ?
+					 ORDER BY key ASC
+					 LIMIT ? OFFSET ?`).all(cacheName, now, limit, offset);
+      return c.json({
+        entries: entries.map((e) => ({
+          key: e.key,
+          value: e.value,
+          ttlSeconds: Math.max(0, e.expires_at - now),
+          expiresAt: new Date(e.expires_at * 1e3).toISOString()
+        })),
+        total,
+        limit,
+        offset
+      });
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+    }
+  });
   app.get("/api/workflow/:binding/executions", (c) => {
     const binding = c.req.param("binding");
     const workflowConfig = config.workflow?.[binding];
@@ -302,7 +776,7 @@ function createDashboardRoutes(app, dbManager2, config) {
     }
     try {
       const db = dbManager2.emulatorDb;
-      const execution = db.prepare(`SELECT id, workflow_name, status, error, started_at, completed_at, created_at
+      const execution = db.prepare(`SELECT id, workflow_name, status, input, output, error, started_at, completed_at, created_at
 					 FROM workflow_executions
 					 WHERE id = ?`).get(executionId);
       if (!execution) {
@@ -316,6 +790,8 @@ function createDashboardRoutes(app, dbManager2, config) {
         execution: {
           id: execution.id,
           status: execution.status.toUpperCase(),
+          input: execution.input ? JSON.parse(execution.input) : null,
+          output: execution.output ? JSON.parse(execution.output) : null,
           startedAt: execution.started_at ? new Date(execution.started_at * 1e3).toISOString() : null,
           completedAt: execution.completed_at ? new Date(execution.completed_at * 1e3).toISOString() : null,
           durationMs: execution.started_at && execution.completed_at ? (execution.completed_at - execution.started_at) * 1e3 : null,
@@ -541,8 +1017,10 @@ function createQueueHandlers(db) {
     try {
       const body = await c.req.json();
       const { messageId, deliveryId } = body;
-      const result = db.prepare(`DELETE FROM queue_messages
-					 WHERE id = ? AND delivery_id = ?`).run(messageId, deliveryId);
+      const now = Math.floor(Date.now() / 1e3);
+      const result = db.prepare(`UPDATE queue_messages
+					 SET status = 'acknowledged', updated_at = ?
+					 WHERE id = ? AND delivery_id = ?`).run(now, messageId, deliveryId);
       if (result.changes === 0) {
         return c.json({ success: false, error: "Message not found or already processed" }, 404);
       }
@@ -779,6 +1257,19 @@ async function startMockServer(dbManager2, config, options = {}) {
     app.post("/workflow/complete", workflowHandlers.completeHandler);
     app.post("/workflow/fail", workflowHandlers.failHandler);
   }
+  if (config.cache) {
+    const cacheHandlers = createCacheHandlers(dbManager2.emulatorDb);
+    app.post("/cache/get", cacheHandlers.getHandler);
+    app.post("/cache/set", cacheHandlers.setHandler);
+    app.post("/cache/delete", cacheHandlers.deleteHandler);
+  }
+  if (config.auth) {
+    const authHandlers = createAuthHandlers(dbManager2.emulatorDb);
+    app.post("/auth/signup", authHandlers.signupHandler);
+    app.post("/auth/signin", authHandlers.signinHandler);
+    app.get("/auth/me", authHandlers.meHandler);
+    app.post("/auth/signout", authHandlers.signoutHandler);
+  }
   app.get("/health", (c) => c.json({ status: "ok" }));
   if (options.dashboardEnabled !== false) {
     createDashboardRoutes(app, dbManager2, config);
@@ -859,6 +1350,58 @@ CREATE TABLE IF NOT EXISTS workflow_steps (
 
 CREATE INDEX IF NOT EXISTS idx_workflow_steps_execution
   ON workflow_steps(execution_id, step_index);
+
+-- Auth users table
+CREATE TABLE IF NOT EXISTS auth_users (
+  id TEXT PRIMARY KEY,
+  email TEXT UNIQUE NOT NULL,
+  email_verified INTEGER NOT NULL DEFAULT 0,
+  password_hash TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  metadata TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_users_email
+  ON auth_users(email);
+
+-- Auth sessions table
+CREATE TABLE IF NOT EXISTS auth_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  token_hash TEXT UNIQUE NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  revoked INTEGER NOT NULL DEFAULT 0,
+  FOREIGN KEY (user_id) REFERENCES auth_users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_user
+  ON auth_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_hash
+  ON auth_sessions(token_hash);
+
+-- Auth settings table
+CREATE TABLE IF NOT EXISTS auth_settings (
+  id INTEGER PRIMARY KEY CHECK (id = 1),
+  session_token_expiry INTEGER NOT NULL DEFAULT 604800,
+  allow_signups INTEGER NOT NULL DEFAULT 1,
+  require_email_verification INTEGER NOT NULL DEFAULT 0,
+  require_name INTEGER NOT NULL DEFAULT 0,
+  updated_at INTEGER DEFAULT (strftime('%s', 'now'))
+);
+
+-- Insert default settings if not exists
+INSERT OR IGNORE INTO auth_settings (id) VALUES (1);
+
+-- Cache entries table
+CREATE TABLE IF NOT EXISTS cache_entries (
+  cache_name TEXT NOT NULL,
+  key TEXT NOT NULL,
+  value TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  PRIMARY KEY (cache_name, key)
+);
 `;
 function initializeDatabases(projectDir) {
   const dataDir = ensureDataDir(projectDir);
@@ -991,6 +1534,38 @@ function createDevD1(databaseId, apiUrl) {
     }
   };
 }
+function createDevPloyAuth(apiUrl) {
+  return {
+    async getUser(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        if (!response.ok) {
+          return null;
+        }
+        const data = await response.json();
+        return data.user;
+      } catch {
+        return null;
+      }
+    },
+    async verifyToken(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    }
+  };
+}
 var mockServer = null;
 var dbManager = null;
 async function initPloyForDev(config) {
@@ -1001,6 +1576,56 @@ async function initPloyForDev(config) {
     return;
   }
   globalThis.__PLOY_DEV_INITIALIZED__ = true;
+  const cliMockServerUrl = process.env.PLOY_MOCK_SERVER_URL;
+  if (cliMockServerUrl) {
+    const configPath2 = config?.configPath || "./ploy.yaml";
+    const projectDir2 = process.cwd();
+    let ployConfig2;
+    try {
+      ployConfig2 = readPloyConfig(projectDir2, configPath2);
+    } catch {
+      if (config?.bindings?.db) {
+        ployConfig2 = { db: config.bindings.db };
+      } else {
+        return;
+      }
+    }
+    if (config?.bindings?.db) {
+      ployConfig2 = { ...ployConfig2, db: config.bindings.db };
+    }
+    const hasDbBindings2 = ployConfig2.db && Object.keys(ployConfig2.db).length > 0;
+    const hasAuthConfig2 = !!ployConfig2.auth;
+    if (!hasDbBindings2 && !hasAuthConfig2) {
+      return;
+    }
+    const env2 = {};
+    if (hasDbBindings2 && ployConfig2.db) {
+      for (const [bindingName, databaseId] of Object.entries(ployConfig2.db)) {
+        env2[bindingName] = createDevD1(databaseId, cliMockServerUrl);
+      }
+    }
+    if (hasAuthConfig2) {
+      env2.PLOY_AUTH = createDevPloyAuth(cliMockServerUrl);
+    }
+    const context2 = { env: env2, cf: void 0, ctx: void 0 };
+    globalThis.__PLOY_DEV_CONTEXT__ = context2;
+    Object.defineProperty(globalThis, PLOY_CONTEXT_SYMBOL, {
+      get() {
+        return context2;
+      },
+      configurable: true
+    });
+    const bindingNames2 = Object.keys(env2);
+    const features2 = [];
+    if (bindingNames2.length > 0) {
+      features2.push(`bindings: ${bindingNames2.join(", ")}`);
+    }
+    if (hasAuthConfig2) {
+      features2.push("auth");
+    }
+    console.log(`[Ploy] Using CLI mock server at ${cliMockServerUrl} (${features2.join(", ")})`);
+    return;
+  }
   const configPath = config?.configPath || "./ploy.yaml";
   const projectDir = process.cwd();
   let ployConfig;
@@ -1016,7 +1641,9 @@ async function initPloyForDev(config) {
   if (config?.bindings?.db) {
     ployConfig = { ...ployConfig, db: config.bindings.db };
   }
-  if (!ployConfig.db || Object.keys(ployConfig.db).length === 0) {
+  const hasDbBindings = ployConfig.db && Object.keys(ployConfig.db).length > 0;
+  const hasAuthConfig = !!ployConfig.auth;
+  if (!hasDbBindings && !hasAuthConfig) {
     return;
   }
   ensureDataDir(projectDir);
@@ -1024,8 +1651,14 @@ async function initPloyForDev(config) {
   mockServer = await startMockServer(dbManager, ployConfig, {});
   const apiUrl = `http://localhost:${mockServer.port}`;
   const env = {};
-  for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
-    env[bindingName] = createDevD1(databaseId, apiUrl);
+  if (hasDbBindings && ployConfig.db) {
+    for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
+      env[bindingName] = createDevD1(databaseId, apiUrl);
+    }
+  }
+  if (hasAuthConfig) {
+    env.PLOY_AUTH = createDevPloyAuth(apiUrl);
+    process.env.NEXT_PUBLIC_PLOY_AUTH_URL = `${apiUrl}/auth`;
   }
   const context = {
     env,
@@ -1040,7 +1673,14 @@ async function initPloyForDev(config) {
     configurable: true
   });
   const bindingNames = Object.keys(env);
-  console.log(`[Ploy] Development context initialized with bindings: ${bindingNames.join(", ")}`);
+  const features = [];
+  if (bindingNames.length > 0) {
+    features.push(`bindings: ${bindingNames.join(", ")}`);
+  }
+  if (hasAuthConfig) {
+    features.push("auth");
+  }
+  console.log(`[Ploy] Development context initialized with ${features.join(", ")}`);
   console.log(`[Ploy] Mock server running at ${apiUrl}`);
   const cleanup = async () => {
     if (mockServer) {