@meetploy/cli 1.12.1 → 1.13.0

package/dist/index.js

@@ -1,14 +1,15 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
 import { mkdir, writeFile, readFile, chmod, access } from 'fs/promises';
-import { join, dirname, relative } from 'path';
+import { join, dirname, relative, basename } from 'path';
 import { existsSync, readFileSync, writeFileSync, unlinkSync, readFile as readFile$1, mkdirSync } from 'fs';
 import { promisify } from 'util';
 import { parse } from 'yaml';
 import { build } from 'esbuild';
 import { watch } from 'chokidar';
+import { randomBytes, randomUUID, createHmac, pbkdf2Sync, timingSafeEqual, createHash } from 'crypto';
+import { getCookie, deleteCookie, setCookie } from 'hono/cookie';
 import { URL, fileURLToPath } from 'url';
-import { randomBytes, randomUUID, createHash } from 'crypto';
 import { serve } from '@hono/node-server';
 import { Hono } from 'hono';
 import { homedir, tmpdir } from 'os';
@@ -195,6 +196,7 @@ function validatePloyConfig(config, configFile = "ploy.yaml", options = {}) {
   validatedConfig.main = validateRelativePath(config.main, "main", configFile);
   validateBindings(config.db, "db", configFile);
   validateBindings(config.queue, "queue", configFile);
+  validateBindings(config.cache, "cache", configFile);
   validateBindings(config.workflow, "workflow", configFile);
   if (config.ai !== void 0 && typeof config.ai !== "boolean") {
     throw new Error(`'ai' in ${configFile} must be a boolean`);
@@ -220,6 +222,20 @@ function validatePloyConfig(config, configFile = "ploy.yaml", options = {}) {
       throw new Error(`'compatibility_date' in ${configFile} must be in YYYY-MM-DD format (e.g., 2025-04-02)`);
     }
   }
+  if (config.auth !== void 0) {
+    if (typeof config.auth !== "object" || config.auth === null) {
+      throw new Error(`'auth' in ${configFile} must be an object`);
+    }
+    if (!config.auth.binding) {
+      throw new Error(`'auth.binding' is required in ${configFile} when auth is configured`);
+    }
+    if (typeof config.auth.binding !== "string") {
+      throw new Error(`'auth.binding' in ${configFile} must be a string`);
+    }
+    if (!BINDING_NAME_REGEX.test(config.auth.binding)) {
+      throw new Error(`Invalid auth binding name '${config.auth.binding}' in ${configFile}. Binding names must be uppercase with underscores (e.g., AUTH_DB, AUTH)`);
+    }
+  }
   return validatedConfig;
 }
 async function readPloyConfig(projectDir, configPath) {
@@ -260,7 +276,7 @@ function readAndValidatePloyConfigSync(projectDir, configPath, validationOptions
   return validatePloyConfig(config, configFile, validationOptions);
 }
 function hasBindings(config) {
-  return !!(config.db || config.queue || config.workflow || config.ai);
+  return !!(config.db || config.queue || config.cache || config.workflow || config.ai || config.auth);
 }
 function getWorkerEntryPoint(projectDir, config) {
   if (config.main) {
@@ -316,6 +332,66 @@ var init_cli = __esm({
   }
 });
 
+// ../emulator/dist/runtime/cache-runtime.js
+var CACHE_RUNTIME_CODE;
+var init_cache_runtime = __esm({
+  "../emulator/dist/runtime/cache-runtime.js"() {
+    CACHE_RUNTIME_CODE = `
+interface CacheBinding {
+  get: (key: string) => Promise<string | null>;
+  set: (key: string, value: string, opts: { ttl: number }) => Promise<void>;
+  delete: (key: string) => Promise<void>;
+}
+
+export function initializeCache(cacheName: string, serviceUrl: string): CacheBinding {
+  return {
+    async get(key: string): Promise<string | null> {
+      const response = await fetch(serviceUrl + "/cache/get", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ cacheName, key }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error("Cache get failed: " + errorText);
+      }
+
+      const result = await response.json();
+      return result.value ?? null;
+    },
+
+    async set(key: string, value: string, opts: { ttl: number }): Promise<void> {
+      const response = await fetch(serviceUrl + "/cache/set", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ cacheName, key, value, ttl: opts.ttl }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error("Cache set failed: " + errorText);
+      }
+    },
+
+    async delete(key: string): Promise<void> {
+      const response = await fetch(serviceUrl + "/cache/delete", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ cacheName, key }),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error("Cache delete failed: " + errorText);
+      }
+    },
+  };
+}
+`;
+  }
+});
+
 // ../shared/dist/d1-runtime.js
 var DB_RUNTIME_CODE, DB_RUNTIME_CODE_PRODUCTION;
 var init_d1_runtime = __esm({
@@ -597,6 +673,12 @@ var init_trace_event = __esm({
   }
 });
 
+// ../shared/dist/trace-id.js
+var init_trace_id = __esm({
+  "../shared/dist/trace-id.js"() {
+  }
+});
+
 // ../shared/dist/unified-log.js
 var init_unified_log = __esm({
   "../shared/dist/unified-log.js"() {
@@ -616,6 +698,7 @@ var init_dist = __esm({
     init_error();
     init_health_check();
     init_trace_event();
+    init_trace_id();
     init_unified_log();
     init_url_validation();
   }
@@ -920,6 +1003,12 @@ function generateWrapperCode(config, mockServiceUrl) {
       bindings.push(`  ${bindingName}: initializeQueue("${queueName}", "${mockServiceUrl}"),`);
     }
   }
+  if (config.cache) {
+    imports.push('import { initializeCache } from "__ploy_cache_runtime__";');
+    for (const [bindingName, cacheName] of Object.entries(config.cache)) {
+      bindings.push(`  ${bindingName}: initializeCache("${cacheName}", "${mockServiceUrl}"),`);
+    }
+  }
   if (config.workflow) {
     imports.push('import { initializeWorkflow, createStepContext, executeWorkflow } from "__ploy_workflow_runtime__";');
     for (const [bindingName, workflowName] of Object.entries(config.workflow)) {
@@ -1023,6 +1112,10 @@ function createRuntimePlugin(_config) {
         path: "__ploy_queue_runtime__",
         namespace: "ploy-runtime"
       }));
+      build2.onResolve({ filter: /^__ploy_cache_runtime__$/ }, () => ({
+        path: "__ploy_cache_runtime__",
+        namespace: "ploy-runtime"
+      }));
       build2.onResolve({ filter: /^__ploy_workflow_runtime__$/ }, () => ({
         path: "__ploy_workflow_runtime__",
         namespace: "ploy-runtime"
@@ -1035,6 +1128,10 @@ function createRuntimePlugin(_config) {
         contents: QUEUE_RUNTIME_CODE,
         loader: "ts"
       }));
+      build2.onLoad({ filter: /^__ploy_cache_runtime__$/, namespace: "ploy-runtime" }, () => ({
+        contents: CACHE_RUNTIME_CODE,
+        loader: "ts"
+      }));
       build2.onLoad({ filter: /^__ploy_workflow_runtime__$/, namespace: "ploy-runtime" }, () => ({
         contents: WORKFLOW_RUNTIME_CODE,
         loader: "ts"
@@ -1075,6 +1172,7 @@ async function bundleWorker(options) {
 var NODE_BUILTINS;
 var init_bundler = __esm({
   "../emulator/dist/bundler/bundler.js"() {
+    init_cache_runtime();
     init_db_runtime();
     init_queue_runtime();
     init_workflow_runtime();
@@ -1134,9 +1232,6 @@ function log(message) {
 function success(message) {
   console.log(`${COLORS.dim}[${timestamp()}]${COLORS.reset} ${COLORS.green}[ploy]${COLORS.reset} ${message}`);
 }
-function warn(message) {
-  console.log(`${COLORS.dim}[${timestamp()}]${COLORS.reset} ${COLORS.yellow}[ploy]${COLORS.reset} ${message}`);
-}
 function error(message) {
   console.error(`${COLORS.dim}[${timestamp()}]${COLORS.reset} ${COLORS.red}[ploy]${COLORS.reset} ${message}`);
 }
@@ -1159,6 +1254,22 @@ var init_logger = __esm({
     };
   }
 });
+function isIgnored(filePath) {
+  const name = basename(filePath);
+  if (name.startsWith(".")) {
+    return true;
+  }
+  if (IGNORED_DIRS.has(name)) {
+    return true;
+  }
+  if (IGNORED_FILES.has(name)) {
+    return true;
+  }
+  if (name.endsWith(".log")) {
+    return true;
+  }
+  return false;
+}
 function createFileWatcher(srcDir, onRebuild) {
   let watcher = null;
   let debounceTimer = null;
@@ -1191,25 +1302,11 @@ function createFileWatcher(srcDir, onRebuild) {
       watcher = watch(srcDir, {
         persistent: true,
         ignoreInitial: true,
-        ignored: [
-          "**/node_modules/**",
-          "**/dist/**",
-          "**/.*",
-          "**/.*/**",
-          "**/coverage/**",
-          "**/build/**",
-          "**/*.log",
-          "**/pnpm-lock.yaml",
-          "**/package-lock.json",
-          "**/yarn.lock"
-        ]
+        ignored: isIgnored
       });
       watcher.on("error", (err) => {
         const error2 = err;
-        if (error2.code === "EMFILE") {
-          warn("Warning: Too many open files. Some file changes may not be detected.");
-          warn("Consider increasing your system's file descriptor limit (ulimit -n).");
-        } else {
+        if (error2.code !== "EMFILE") {
           error(`File watcher error: ${error2.message || String(err)}`);
         }
       });
@@ -1241,9 +1338,16 @@ function createFileWatcher(srcDir, onRebuild) {
     }
   };
 }
+var IGNORED_DIRS, IGNORED_FILES;
 var init_watcher = __esm({
   "../emulator/dist/bundler/watcher.js"() {
     init_logger();
+    IGNORED_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "coverage", "build"]);
+    IGNORED_FILES = /* @__PURE__ */ new Set([
+      "pnpm-lock.yaml",
+      "package-lock.json",
+      "yarn.lock"
+    ]);
   }
 });
 
@@ -1316,6 +1420,289 @@ var init_workerd_config = __esm({
   "../emulator/dist/config/workerd-config.js"() {
   }
 });
+function generateId() {
+  return randomBytes(16).toString("hex");
+}
+function hashPassword(password) {
+  const salt = randomBytes(32).toString("hex");
+  const hash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return `${salt}:${hash}`;
+}
+function verifyPassword(password, storedHash) {
+  const [salt, hash] = storedHash.split(":");
+  const derivedHash = pbkdf2Sync(password, salt, 1e5, 64, "sha512").toString("hex");
+  return timingSafeEqual(Buffer.from(hash, "hex"), Buffer.from(derivedHash, "hex"));
+}
+function hashToken(token) {
+  return createHmac("sha256", "emulator-secret").update(token).digest("hex");
+}
+function base64UrlEncode(str) {
+  return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  return Buffer.from(base64, "base64").toString();
+}
+function createJWT(payload) {
+  const header = { alg: "HS256", typ: "JWT" };
+  const headerB64 = base64UrlEncode(JSON.stringify(header));
+  const payloadB64 = base64UrlEncode(JSON.stringify(payload));
+  const signature = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return `${headerB64}.${payloadB64}.${signature}`;
+}
+function verifyJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const [headerB64, payloadB64, signature] = parts;
+    const expectedSig = createHmac("sha256", JWT_SECRET).update(`${headerB64}.${payloadB64}`).digest("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    if (signature !== expectedSig) {
+      return null;
+    }
+    const payload = JSON.parse(base64UrlDecode(payloadB64));
+    if (payload.exp < Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function createSessionToken(userId, email) {
+  const now = Math.floor(Date.now() / 1e3);
+  const sessionId = generateId();
+  const token = createJWT({
+    sub: userId,
+    email,
+    iat: now,
+    exp: now + SESSION_TOKEN_EXPIRY,
+    jti: sessionId
+  });
+  return {
+    token,
+    sessionId,
+    expiresAt: new Date((now + SESSION_TOKEN_EXPIRY) * 1e3)
+  };
+}
+function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!emailRegex.test(email)) {
+    return "Invalid email format";
+  }
+  return null;
+}
+function validatePassword(password) {
+  if (password.length < 8) {
+    return "Password must be at least 8 characters";
+  }
+  return null;
+}
+function setSessionCookie(c, sessionToken) {
+  setCookie(c, "ploy_session", sessionToken, {
+    httpOnly: true,
+    secure: false,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: SESSION_TOKEN_EXPIRY
+  });
+}
+function clearSessionCookie(c) {
+  deleteCookie(c, "ploy_session", { path: "/" });
+}
+function createAuthHandlers(db) {
+  const signupHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password, metadata } = body;
+      const emailError = validateEmail(email);
+      if (emailError) {
+        return c.json({ error: emailError }, 400);
+      }
+      const passwordError = validatePassword(password);
+      if (passwordError) {
+        return c.json({ error: passwordError }, 400);
+      }
+      const existingUser = db.prepare("SELECT id FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (existingUser) {
+        return c.json({ error: "User already exists" }, 409);
+      }
+      const userId = generateId();
+      const passwordHash = hashPassword(password);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_users (id, email, password_hash, created_at, updated_at, metadata)
+				 VALUES (?, ?, ?, ?, ?, ?)`).run(userId, email.toLowerCase(), passwordHash, now, now, metadata ? JSON.stringify(metadata) : null);
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(userId, email.toLowerCase());
+      const sessionTokenHash = hashToken(sessionToken);
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, userId, sessionTokenHash, expiresAt.toISOString(), now);
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: userId,
+          email: email.toLowerCase(),
+          emailVerified: false,
+          createdAt: now,
+          metadata: metadata ?? null
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signinHandler = async (c) => {
+    try {
+      const body = await c.req.json();
+      const { email, password } = body;
+      const user = db.prepare("SELECT * FROM auth_users WHERE email = ?").get(email.toLowerCase());
+      if (!user) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      if (!verifyPassword(password, user.password_hash)) {
+        return c.json({ error: "Invalid credentials" }, 401);
+      }
+      const { token: sessionToken, sessionId, expiresAt } = createSessionToken(user.id, user.email);
+      const sessionTokenHash = hashToken(sessionToken);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      db.prepare(`INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at)
+				 VALUES (?, ?, ?, ?, ?)`).run(sessionId, user.id, sessionTokenHash, expiresAt.toISOString(), now);
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      setSessionCookie(c, sessionToken);
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const meHandler = async (c) => {
+    try {
+      const cookieToken = getCookie(c, "ploy_session");
+      const authHeader = c.req.header("Authorization");
+      let token;
+      if (cookieToken) {
+        token = cookieToken;
+      } else if (authHeader && authHeader.startsWith("Bearer ")) {
+        token = authHeader.slice(7);
+      }
+      if (!token) {
+        return c.json({ error: "Missing authentication" }, 401);
+      }
+      const payload = verifyJWT(token);
+      if (!payload) {
+        return c.json({ error: "Invalid or expired session" }, 401);
+      }
+      const user = db.prepare("SELECT id, email, email_verified, created_at, updated_at, metadata FROM auth_users WHERE id = ?").get(payload.sub);
+      if (!user) {
+        return c.json({ error: "User not found" }, 401);
+      }
+      let metadata = null;
+      if (user.metadata) {
+        try {
+          metadata = JSON.parse(user.metadata);
+        } catch {
+          metadata = null;
+        }
+      }
+      return c.json({
+        user: {
+          id: user.id,
+          email: user.email,
+          emailVerified: user.email_verified === 1,
+          createdAt: user.created_at,
+          updatedAt: user.updated_at,
+          metadata
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  const signoutHandler = async (c) => {
+    try {
+      const sessionToken = getCookie(c, "ploy_session");
+      if (sessionToken) {
+        const payload = verifyJWT(sessionToken);
+        if (payload) {
+          const tokenHash = hashToken(sessionToken);
+          db.prepare("UPDATE auth_sessions SET revoked = 1 WHERE token_hash = ?").run(tokenHash);
+        }
+      }
+      clearSessionCookie(c);
+      return c.json({ success: true });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: message }, 500);
+    }
+  };
+  return {
+    signupHandler,
+    signinHandler,
+    meHandler,
+    signoutHandler
+  };
+}
+var JWT_SECRET, SESSION_TOKEN_EXPIRY;
+var init_auth_service = __esm({
+  "../emulator/dist/services/auth-service.js"() {
+    JWT_SECRET = "ploy-emulator-dev-secret";
+    SESSION_TOKEN_EXPIRY = 7 * 24 * 60 * 60;
+  }
+});
+
+// ../emulator/dist/services/cache-service.js
+function createCacheHandlers(db) {
+  const getHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key } = body;
+    const now = Math.floor(Date.now() / 1e3);
+    const row = db.prepare(`SELECT value FROM cache_entries WHERE cache_name = ? AND key = ? AND expires_at > ?`).get(cacheName, key, now);
+    return c.json({ value: row?.value ?? null });
+  };
+  const setHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key, value, ttl } = body;
+    const now = Math.floor(Date.now() / 1e3);
+    const expiresAt = now + ttl;
+    db.prepare(`INSERT OR REPLACE INTO cache_entries (cache_name, key, value, expires_at) VALUES (?, ?, ?, ?)`).run(cacheName, key, value, expiresAt);
+    return c.json({ success: true });
+  };
+  const deleteHandler = async (c) => {
+    const body = await c.req.json();
+    const { cacheName, key } = body;
+    db.prepare(`DELETE FROM cache_entries WHERE cache_name = ? AND key = ?`).run(cacheName, key);
+    return c.json({ success: true });
+  };
+  return {
+    getHandler,
+    setHandler,
+    deleteHandler
+  };
+}
+var init_cache_service = __esm({
+  "../emulator/dist/services/cache-service.js"() {
+  }
+});
 function findDashboardDistPath() {
   const possiblePaths = [
     join(__dirname, "dashboard-dist"),
@@ -1343,9 +1730,175 @@ function createDashboardRoutes(app, dbManager2, config) {
     return c.json({
       db: config.db,
       queue: config.queue,
-      workflow: config.workflow
+      cache: config.cache,
+      workflow: config.workflow,
+      auth: config.auth
     });
   });
+  if (config.auth) {
+    app.get("/api/auth/tables", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = db.prepare(`SELECT name FROM sqlite_master
+						 WHERE type='table' AND (name = 'auth_users' OR name = 'auth_sessions')
+						 ORDER BY name`).all();
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/tables/:tableName", (c) => {
+      const tableName = c.req.param("tableName");
+      if (tableName !== "auth_users" && tableName !== "auth_sessions") {
+        return c.json({ error: "Table not found" }, 404);
+      }
+      const limit = parseInt(c.req.query("limit") || "50", 10);
+      const offset = parseInt(c.req.query("offset") || "0", 10);
+      try {
+        const db = dbManager2.emulatorDb;
+        const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+        const columns = columnsResult.map((col) => col.name);
+        const countResult = db.prepare(`SELECT COUNT(*) as count FROM "${tableName}"`).get();
+        const total = countResult.count;
+        let data;
+        if (tableName === "auth_users") {
+          data = db.prepare(`SELECT id, email, email_verified, created_at, updated_at, metadata FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        } else {
+          data = db.prepare(`SELECT * FROM "${tableName}" LIMIT ? OFFSET ?`).all(limit, offset);
+        }
+        const visibleColumns = tableName === "auth_users" ? columns.filter((c2) => c2 !== "password_hash") : columns;
+        return c.json({ data, columns: visibleColumns, total });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.get("/api/auth/schema", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const tables = ["auth_users", "auth_sessions"].map((tableName) => {
+          const columnsResult = db.prepare(`PRAGMA table_info("${tableName}")`).all();
+          const visibleColumns = tableName === "auth_users" ? columnsResult.filter((col) => col.name !== "password_hash") : columnsResult;
+          return {
+            name: tableName,
+            columns: visibleColumns.map((col) => ({
+              name: col.name,
+              type: col.type,
+              notNull: col.notnull === 1,
+              primaryKey: col.pk === 1
+            }))
+          };
+        });
+        return c.json({ tables });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.post("/api/auth/query", async (c) => {
+      const body = await c.req.json();
+      const { query } = body;
+      if (!query) {
+        return c.json({ error: "Query is required" }, 400);
+      }
+      const normalizedQuery = query.trim().toUpperCase();
+      if (!normalizedQuery.startsWith("SELECT")) {
+        return c.json({ error: "Only SELECT queries are allowed on auth tables" }, 400);
+      }
+      const allowedTables = ["auth_users", "auth_sessions"];
+      const hasDisallowedTable = !allowedTables.some((table) => query.toLowerCase().includes(`from ${table}`) || query.toLowerCase().includes(`join ${table}`));
+      if (hasDisallowedTable) {
+        return c.json({
+          error: "Query must reference auth tables (auth_users or auth_sessions)"
+        }, 400);
+      }
+      try {
+        const db = dbManager2.emulatorDb;
+        const startTime = Date.now();
+        const stmt = db.prepare(query);
+        const results = stmt.all();
+        const sanitizedResults = results.map((row) => {
+          const { password_hash: _, ...rest } = row;
+          return rest;
+        });
+        const duration = Date.now() - startTime;
+        return c.json({
+          results: sanitizedResults,
+          success: true,
+          meta: {
+            duration,
+            rows_read: results.length,
+            rows_written: 0
+          }
+        });
+      } catch (err) {
+        return c.json({
+          results: [],
+          success: false,
+          error: err instanceof Error ? err.message : String(err),
+          meta: { duration: 0, rows_read: 0, rows_written: 0 }
+        }, 400);
+      }
+    });
+    app.get("/api/auth/settings", (c) => {
+      try {
+        const db = dbManager2.emulatorDb;
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        if (!settings) {
+          return c.json({
+            sessionTokenExpiry: 604800,
+            allowSignups: true,
+            requireEmailVerification: false,
+            requireName: false
+          });
+        }
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+    app.patch("/api/auth/settings", async (c) => {
+      try {
+        const body = await c.req.json();
+        const db = dbManager2.emulatorDb;
+        const updates = [];
+        const values = [];
+        if (body.sessionTokenExpiry !== void 0) {
+          updates.push("session_token_expiry = ?");
+          values.push(body.sessionTokenExpiry);
+        }
+        if (body.allowSignups !== void 0) {
+          updates.push("allow_signups = ?");
+          values.push(body.allowSignups ? 1 : 0);
+        }
+        if (body.requireEmailVerification !== void 0) {
+          updates.push("require_email_verification = ?");
+          values.push(body.requireEmailVerification ? 1 : 0);
+        }
+        if (body.requireName !== void 0) {
+          updates.push("require_name = ?");
+          values.push(body.requireName ? 1 : 0);
+        }
+        if (updates.length > 0) {
+          updates.push("updated_at = strftime('%s', 'now')");
+          const sql = `UPDATE auth_settings SET ${updates.join(", ")} WHERE id = 1`;
+          db.prepare(sql).run(...values);
+        }
+        const settings = db.prepare("SELECT * FROM auth_settings WHERE id = 1").get();
+        return c.json({
+          sessionTokenExpiry: settings.session_token_expiry,
+          allowSignups: settings.allow_signups === 1,
+          requireEmailVerification: settings.require_email_verification === 1,
+          requireName: settings.require_name === 1
+        });
+      } catch (err) {
+        return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+      }
+    });
+  }
   app.post("/api/db/:binding/query", async (c) => {
     const binding = c.req.param("binding");
     const resourceName = getDbResourceName(binding);
@@ -1518,6 +2071,39 @@ function createDashboardRoutes(app, dbManager2, config) {
       return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
     }
   });
+  app.get("/api/cache/:binding/entries", (c) => {
+    const binding = c.req.param("binding");
+    const cacheName = config.cache?.[binding];
+    const limit = parseInt(c.req.query("limit") || "20", 10);
+    const offset = parseInt(c.req.query("offset") || "0", 10);
+    const now = Math.floor(Date.now() / 1e3);
+    if (!cacheName) {
+      return c.json({ error: "Cache binding not found" }, 404);
+    }
+    try {
+      const db = dbManager2.emulatorDb;
+      const total = db.prepare(`SELECT COUNT(*) as count FROM cache_entries
+						 WHERE cache_name = ? AND expires_at > ?`).get(cacheName, now).count;
+      const entries = db.prepare(`SELECT key, value, expires_at
+					 FROM cache_entries
+					 WHERE cache_name = ? AND expires_at > ?
+					 ORDER BY key ASC
+					 LIMIT ? OFFSET ?`).all(cacheName, now, limit, offset);
+      return c.json({
+        entries: entries.map((e) => ({
+          key: e.key,
+          value: e.value,
+          ttlSeconds: Math.max(0, e.expires_at - now),
+          expiresAt: new Date(e.expires_at * 1e3).toISOString()
+        })),
+        total,
+        limit,
+        offset
+      });
+    } catch (err) {
+      return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+    }
+  });
   app.get("/api/workflow/:binding/executions", (c) => {
     const binding = c.req.param("binding");
     const workflowConfig = config.workflow?.[binding];
@@ -1568,7 +2154,7 @@ function createDashboardRoutes(app, dbManager2, config) {
     }
     try {
       const db = dbManager2.emulatorDb;
-      const execution = db.prepare(`SELECT id, workflow_name, status, error, started_at, completed_at, created_at
+      const execution = db.prepare(`SELECT id, workflow_name, status, input, output, error, started_at, completed_at, created_at
 					 FROM workflow_executions
 					 WHERE id = ?`).get(executionId);
       if (!execution) {
@@ -1582,6 +2168,8 @@ function createDashboardRoutes(app, dbManager2, config) {
         execution: {
           id: execution.id,
           status: execution.status.toUpperCase(),
+          input: execution.input ? JSON.parse(execution.input) : null,
+          output: execution.output ? JSON.parse(execution.output) : null,
           startedAt: execution.started_at ? new Date(execution.started_at * 1e3).toISOString() : null,
           completedAt: execution.completed_at ? new Date(execution.completed_at * 1e3).toISOString() : null,
           durationMs: execution.started_at && execution.completed_at ? (execution.completed_at - execution.started_at) * 1e3 : null,
@@ -1830,8 +2418,10 @@ function createQueueHandlers(db) {
     try {
       const body = await c.req.json();
       const { messageId, deliveryId } = body;
-      const result = db.prepare(`DELETE FROM queue_messages
-					 WHERE id = ? AND delivery_id = ?`).run(messageId, deliveryId);
+      const now = Math.floor(Date.now() / 1e3);
+      const result = db.prepare(`UPDATE queue_messages
+					 SET status = 'acknowledged', updated_at = ?
+					 WHERE id = ? AND delivery_id = ?`).run(now, messageId, deliveryId);
       if (result.changes === 0) {
         return c.json({ success: false, error: "Message not found or already processed" }, 404);
       }
@@ -1906,7 +2496,7 @@ function createQueueProcessor(db, queueBindings, workerUrl) {
           body: row.payload
         });
         if (response.ok) {
-          db.prepare(`DELETE FROM queue_messages WHERE id = ?`).run(row.id);
+          db.prepare(`UPDATE queue_messages SET status = 'acknowledged', updated_at = ? WHERE id = ?`).run(now, row.id);
         } else {
           db.prepare(`UPDATE queue_messages
 						 SET status = 'pending', delivery_id = NULL, visible_at = ?, updated_at = ?
@@ -2143,6 +2733,19 @@ async function startMockServer(dbManager2, config, options = {}) {
     app.post("/workflow/complete", workflowHandlers.completeHandler);
     app.post("/workflow/fail", workflowHandlers.failHandler);
   }
+  if (config.cache) {
+    const cacheHandlers = createCacheHandlers(dbManager2.emulatorDb);
+    app.post("/cache/get", cacheHandlers.getHandler);
+    app.post("/cache/set", cacheHandlers.setHandler);
+    app.post("/cache/delete", cacheHandlers.deleteHandler);
+  }
+  if (config.auth) {
+    const authHandlers = createAuthHandlers(dbManager2.emulatorDb);
+    app.post("/auth/signup", authHandlers.signupHandler);
+    app.post("/auth/signin", authHandlers.signinHandler);
+    app.get("/auth/me", authHandlers.meHandler);
+    app.post("/auth/signout", authHandlers.signoutHandler);
+  }
   app.get("/health", (c) => c.json({ status: "ok" }));
   if (options.dashboardEnabled !== false) {
     createDashboardRoutes(app, dbManager2, config);
@@ -2165,6 +2768,8 @@ async function startMockServer(dbManager2, config, options = {}) {
 var DEFAULT_MOCK_SERVER_PORT;
 var init_mock_server = __esm({
   "../emulator/dist/services/mock-server.js"() {
+    init_auth_service();
+    init_cache_service();
     init_dashboard_routes();
     init_db_service();
     init_queue_service();
@@ -2281,6 +2886,58 @@ CREATE TABLE IF NOT EXISTS workflow_steps (
 
 CREATE INDEX IF NOT EXISTS idx_workflow_steps_execution
   ON workflow_steps(execution_id, step_index);
+
+-- Auth users table
+CREATE TABLE IF NOT EXISTS auth_users (
+  id TEXT PRIMARY KEY,
+  email TEXT UNIQUE NOT NULL,
+  email_verified INTEGER NOT NULL DEFAULT 0,
+  password_hash TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  metadata TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_users_email
+  ON auth_users(email);
+
+-- Auth sessions table
+CREATE TABLE IF NOT EXISTS auth_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  token_hash TEXT UNIQUE NOT NULL,
+  expires_at TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  revoked INTEGER NOT NULL DEFAULT 0,
+  FOREIGN KEY (user_id) REFERENCES auth_users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_user
+  ON auth_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_sessions_hash
+  ON auth_sessions(token_hash);
+
+-- Auth settings table
+CREATE TABLE IF NOT EXISTS auth_settings (
+  id INTEGER PRIMARY KEY CHECK (id = 1),
+  session_token_expiry INTEGER NOT NULL DEFAULT 604800,
+  allow_signups INTEGER NOT NULL DEFAULT 1,
+  require_email_verification INTEGER NOT NULL DEFAULT 0,
+  require_name INTEGER NOT NULL DEFAULT 0,
+  updated_at INTEGER DEFAULT (strftime('%s', 'now'))
+);
+
+-- Insert default settings if not exists
+INSERT OR IGNORE INTO auth_settings (id) VALUES (1);
+
+-- Cache entries table
+CREATE TABLE IF NOT EXISTS cache_entries (
+  cache_name TEXT NOT NULL,
+  key TEXT NOT NULL,
+  value TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  PRIMARY KEY (cache_name, key)
+);
 `;
   }
 });
@@ -2381,6 +3038,9 @@ var init_emulator = __esm({
           if (this.config.queue) {
             log(`  Queue bindings: ${Object.keys(this.config.queue).join(", ")}`);
           }
+          if (this.config.cache) {
+            log(`  Cache bindings: ${Object.keys(this.config.cache).join(", ")}`);
+          }
           if (this.config.workflow) {
             log(`  Workflow bindings: ${Object.keys(this.config.workflow).join(", ")}`);
           }
@@ -2635,6 +3295,38 @@ function createDevD1(databaseId, apiUrl) {
     }
   };
 }
+function createDevPloyAuth(apiUrl) {
+  return {
+    async getUser(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        if (!response.ok) {
+          return null;
+        }
+        const data = await response.json();
+        return data.user;
+      } catch {
+        return null;
+      }
+    },
+    async verifyToken(token) {
+      try {
+        const response = await fetch(`${apiUrl}/auth/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        return response.ok;
+      } catch {
+        return false;
+      }
+    }
+  };
+}
 async function initPloyForDev(config) {
   if (process.env.NODE_ENV !== "development") {
     return;
@@ -2643,6 +3335,56 @@ async function initPloyForDev(config) {
     return;
   }
   globalThis.__PLOY_DEV_INITIALIZED__ = true;
+  const cliMockServerUrl = process.env.PLOY_MOCK_SERVER_URL;
+  if (cliMockServerUrl) {
+    const configPath2 = config?.configPath || "./ploy.yaml";
+    const projectDir2 = process.cwd();
+    let ployConfig2;
+    try {
+      ployConfig2 = readPloyConfig2(projectDir2, configPath2);
+    } catch {
+      if (config?.bindings?.db) {
+        ployConfig2 = { db: config.bindings.db };
+      } else {
+        return;
+      }
+    }
+    if (config?.bindings?.db) {
+      ployConfig2 = { ...ployConfig2, db: config.bindings.db };
+    }
+    const hasDbBindings2 = ployConfig2.db && Object.keys(ployConfig2.db).length > 0;
+    const hasAuthConfig2 = !!ployConfig2.auth;
+    if (!hasDbBindings2 && !hasAuthConfig2) {
+      return;
+    }
+    const env2 = {};
+    if (hasDbBindings2 && ployConfig2.db) {
+      for (const [bindingName, databaseId] of Object.entries(ployConfig2.db)) {
+        env2[bindingName] = createDevD1(databaseId, cliMockServerUrl);
+      }
+    }
+    if (hasAuthConfig2) {
+      env2.PLOY_AUTH = createDevPloyAuth(cliMockServerUrl);
+    }
+    const context2 = { env: env2, cf: void 0, ctx: void 0 };
+    globalThis.__PLOY_DEV_CONTEXT__ = context2;
+    Object.defineProperty(globalThis, PLOY_CONTEXT_SYMBOL, {
+      get() {
+        return context2;
+      },
+      configurable: true
+    });
+    const bindingNames2 = Object.keys(env2);
+    const features2 = [];
+    if (bindingNames2.length > 0) {
+      features2.push(`bindings: ${bindingNames2.join(", ")}`);
+    }
+    if (hasAuthConfig2) {
+      features2.push("auth");
+    }
+    console.log(`[Ploy] Using CLI mock server at ${cliMockServerUrl} (${features2.join(", ")})`);
+    return;
+  }
   const configPath = config?.configPath || "./ploy.yaml";
   const projectDir = process.cwd();
   let ployConfig;
@@ -2658,7 +3400,9 @@ async function initPloyForDev(config) {
   if (config?.bindings?.db) {
     ployConfig = { ...ployConfig, db: config.bindings.db };
   }
-  if (!ployConfig.db || Object.keys(ployConfig.db).length === 0) {
+  const hasDbBindings = ployConfig.db && Object.keys(ployConfig.db).length > 0;
+  const hasAuthConfig = !!ployConfig.auth;
+  if (!hasDbBindings && !hasAuthConfig) {
     return;
   }
   ensureDataDir(projectDir);
@@ -2666,8 +3410,14 @@ async function initPloyForDev(config) {
   mockServer = await startMockServer(dbManager, ployConfig, {});
   const apiUrl = `http://localhost:${mockServer.port}`;
   const env = {};
-  for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
-    env[bindingName] = createDevD1(databaseId, apiUrl);
+  if (hasDbBindings && ployConfig.db) {
+    for (const [bindingName, databaseId] of Object.entries(ployConfig.db)) {
+      env[bindingName] = createDevD1(databaseId, apiUrl);
+    }
+  }
+  if (hasAuthConfig) {
+    env.PLOY_AUTH = createDevPloyAuth(apiUrl);
+    process.env.NEXT_PUBLIC_PLOY_AUTH_URL = `${apiUrl}/auth`;
   }
   const context = {
     env,
@@ -2682,7 +3432,14 @@ async function initPloyForDev(config) {
     configurable: true
   });
   const bindingNames = Object.keys(env);
-  console.log(`[Ploy] Development context initialized with bindings: ${bindingNames.join(", ")}`);
+  const features = [];
+  if (bindingNames.length > 0) {
+    features.push(`bindings: ${bindingNames.join(", ")}`);
+  }
+  if (hasAuthConfig) {
+    features.push("auth");
+  }
+  console.log(`[Ploy] Development context initialized with ${features.join(", ")}`);
   console.log(`[Ploy] Mock server running at ${apiUrl}`);
   const cleanup = async () => {
     if (mockServer) {
@@ -4268,6 +5025,12 @@ function generateEnvType(config) {
       properties.push(`	${bindingName}: QueueBinding;`);
     }
   }
+  if (config.cache) {
+    imports.push("CacheBinding");
+    for (const bindingName of Object.keys(config.cache)) {
+      properties.push(`	${bindingName}: CacheBinding;`);
+    }
+  }
   if (config.workflow) {
     imports.push("WorkflowBinding");
     for (const bindingName of Object.keys(config.workflow)) {
@@ -4315,7 +5078,7 @@ async function typesCommand(options = {}) {
     console.error("Error: ploy.yaml not found in current directory");
     process.exit(1);
   }
-  const hasBindings2 = config.ai || config.db || config.queue || config.workflow;
+  const hasBindings2 = config.ai || config.db || config.queue || config.cache || config.workflow;
   if (!hasBindings2) {
     console.log("No bindings found in ploy.yaml. Generating empty Env.");
   }
@@ -4476,7 +5239,9 @@ async function startNextJsDev(options) {
       env: {
         ...process.env,
         // Set environment variable so initPloyForDev knows the mock server URL
-        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`
+        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`,
+        // Set PORT so initPloyForDev can construct the correct handler URL
+        PORT: String(nextPort)
       }
     });
   } else {
@@ -4486,7 +5251,8 @@ async function startNextJsDev(options) {
       shell: true,
       env: {
         ...process.env,
-        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`
+        PLOY_MOCK_SERVER_URL: `http://localhost:${dashboard.port}`,
+        PORT: String(nextPort)
       }
     });
   }