@oaklandzoo/ostup 0.10.0 → 0.12.0

package/README.md

@@ -24,6 +24,26 @@ When you run this tool, it will:
    (Better Auth + guarded dashboard + settings), blog (MDX posts + RSS
    + sitemap). Your first deploy shows a working homepage and day-one
    flow, not a blank Next.js welcome.
+8. Optionally pass `--private` to ship an **app-level default-deny**
+   project on Vercel Hobby: middleware blocks every request except
+   sign-in/up + audit-health, blob helpers default to `access: 'private'`,
+   image optimizer cannot proxy external URLs, rate limiting and audit
+   logging are wired. Run `ostup doctor --privacy <url>` after deploy to
+   verify. Toggle on/off an existing project with `ostup private add` /
+   `ostup private remove` (manifest at `.ostup/private.json` makes the
+   remove cleanly revertable).
+9. Optionally pass `--auth=clerk` or `--auth=google` to wire **a
+   working login flow** into the scaffold. Clerk uses `@clerk/nextjs`
+   (hosted UI, free up to 10k MAU); Google uses NextAuth v5 with the
+   Google provider (free; you create the OAuth app on Google Cloud).
+   Both ship sign-in / sign-up pages out of the box. `--auth` composes
+   cleanly with `--private` (the default-deny middleware recognizes
+   both providers' session cookies).
+10. Optionally pass `--publish-ready` if this CLI will be used to
+    publish an npm package later. ostup walks you through getting an
+    npm Bypass-2FA token (browser flow or guided token paste) and
+    saves it to `~/.npmrc`. After that, the `/publish` slash command
+    lets your agent ship a new version with one command.
 
 ## Quick Start
 

package/bin/cli.mjs

@@ -11,7 +11,7 @@ loadDotEnv();
 
 const PKG_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
 
-const SUBCOMMANDS = new Set(['init', 'update', 'brief', 'export-pro', 'doctor', 'bootstrap']);
+const SUBCOMMANDS = new Set(['init', 'update', 'brief', 'export-pro', 'doctor', 'bootstrap', 'private']);
 
 async function readPkg() {
   const raw = await readFile(resolve(PKG_ROOT, 'package.json'), 'utf8');
@@ -45,6 +45,13 @@ function parseArgs(argv) {
     else if (a === '--output') flags.output = argv[++i];
     else if (a.startsWith('--output=')) flags.output = a.slice('--output='.length);
     else if (a === '--white-label') flags.whiteLabel = true;
+    else if (a === '--auth') flags.auth = argv[++i];
+    else if (a.startsWith('--auth=')) flags.auth = a.slice('--auth='.length);
+    else if (a === '--publish-ready') flags.publishReady = true;
+    else if (a === '--private') flags.private = true;
+    else if (a === '--privacy') flags.privacy = true;
+    else if (a === '--url') flags.url = argv[++i];
+    else if (a.startsWith('--url=')) flags.url = a.slice('--url='.length);
     else if (a === '--no-log') flags.noLog = true;
     else if (a === '--skip-bootstrap') flags.skipBootstrap = true;
     else if (a === '--no-install') flags.noInstall = true;
@@ -78,6 +85,8 @@ function printHelp() {
       '  brief               Run the 10-question operator intake; write docs/brief.md + brief.json.',
       '  export-pro          Bundle brief + brand + content + initial PRD into a ZIP for client handoff.',
       '  doctor              Self-diagnosis: tool detection + auth + permissions + disk + Chrome. Read-only.',
+      '  doctor --privacy    Probe a deployed URL for default-deny enforcement (privacy mode).',
+      '  private add|remove|status   Apply, undo, or report on app-level privacy (default-deny middleware).',
       '  update              Refresh bundled templates from the pinned source.',
       '',
       'Flags for `ostup init`:',
@@ -89,6 +98,9 @@ function printHelp() {
       '  --ingest <path>     Copy operator materials from <path> into inputs/.',
       '  --brief <path>      Load a brief.json from <path> and write brief files + apply profile overlay.',
       '  --white-label       Strip OSTUP / Goodshin attribution from generated docs (Studio tier).',
+      '  --private           App-level default-deny: middleware, blob proxy, image-optimizer lock, audit + rate-limit, CLAUDE.md Part 20. Refused with --profile saas-dashboard.',
+      '  --auth <provider>   Wire authentication. Values: clerk (Clerk + @clerk/nextjs), google (NextAuth v5 + Google), none. Refused with --profile saas-dashboard.',
+      '  --publish-ready     Walk through npm token setup so this CLI can publish later (writes ~/.npmrc).',
       '  --kit-only          Drop the markdown kit into a target dir, no GitHub or Vercel.',
       '  --config <path>     Read .ostup-config.yml from this path (kit-only mode).',
       '  --skip-bootstrap    Skip the in-CLI tool detection / install step (advanced).',
@@ -193,7 +205,7 @@ if (subcommand === 'export-pro') {
 if (subcommand === 'doctor') {
   const { runDoctor, printDoctorReport } = await import('../src/doctor.mjs');
   try {
-    const result = await runDoctor();
+    const result = await runDoctor({ flags });
     process.stdout.write(printDoctorReport(result));
     process.exit(result.failCount > 0 ? 1 : 0);
   } catch (err) {
@@ -202,6 +214,25 @@ if (subcommand === 'doctor') {
   }
 }
 
+if (subcommand === 'private') {
+  const action = subPositional[0] || 'status';
+  const { runPrivate } = await import('../src/private-cmd.mjs');
+  try {
+    await runPrivate({ action, flags, cwd: process.cwd() });
+    process.exit(0);
+  } catch (err) {
+    process.stderr.write(`${err.message}\n`);
+    const userErrors = new Set([
+      'PRIVATE_SAAS_CONFLICT',
+      'PRIVATE_NOT_APPLIED',
+      'PRIVATE_ALREADY_APPLIED',
+      'PRIVATE_DIRTY',
+      'PRIVATE_UNKNOWN_ACTION',
+    ]);
+    process.exit(userErrors.has(err.code) ? 1 : 2);
+  }
+}
+
 if (subcommand === 'bootstrap') {
   const { runBootstrapStandalone } = await import('../src/bootstrap.mjs');
   try {
@@ -257,6 +288,13 @@ try {
     'INGEST_PATH_NOT_FOUND',
     'BRIEF_NOT_FOUND',
     'BRIEF_INVALID',
+    'AUTH_ALREADY_APPLIED',
+    'AUTH_PROFILE_CONFLICT',
+    'AUTH_DIRTY',
+    'AUTH_UNKNOWN_PROVIDER',
+    'PRIVATE_SAAS_CONFLICT',
+    'PRIVATE_ALREADY_APPLIED',
+    'PRIVATE_DIRTY',
     'NO_TTY_BOOTSTRAP',
     'BOOTSTRAP_DECLINED',
     'BOOTSTRAP_FAILED',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oaklandzoo/ostup",
-  "version": "0.10.0",
+  "version": "0.12.0",
   "description": "Scaffolds a new repo with the Ostup Agent Kit pre-installed: slash commands, doc templates, and a clean working state.",
   "type": "module",
   "bin": {

package/scripts/verify-auth.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# verify-auth.sh: apply an auth overlay to a fresh temp dir and assert files + manifest land.
+#
+# Usage: bash scripts/verify-auth.sh <clerk|google>
+
+set -euo pipefail
+
+PROVIDER="${1:-}"
+case "$PROVIDER" in
+  clerk|google) ;;
+  *)
+    echo "usage: $0 <clerk|google>" >&2
+    exit 2
+    ;;
+esac
+
+OSTUP_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TEST_FILE="$OSTUP_ROOT/test/auth-$PROVIDER.test.mjs"
+
+echo ">> verifying auth provider: $PROVIDER"
+echo ">> running: node --test $TEST_FILE"
+cd "$OSTUP_ROOT"
+node --test "$TEST_FILE"
+
+echo ">> ok: $PROVIDER overlay applies and asserts pass"
+echo ""
+echo ">> for live verification (operator only):"
+echo "   1. ostup init --yes --name verify-auth --brief test/fixtures/brief-leadgen.json --auth=$PROVIDER"
+echo "   2. cd verify-auth && npm install && npx next build"
+echo "   3. open the deployed URL, sign in, verify session lands on /dashboard"

package/src/auth-clerk.mjs

@@ -0,0 +1,146 @@
+// auth-clerk.mjs: applyAuthClerk post-processor. Drops Clerk integration into a scaffold.
+
+import { readFile, writeFile, mkdir, rm } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const PKG_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+const TEMPLATES_ROOT = resolve(PKG_ROOT, 'templates', 'auth-clerk');
+
+export const AUTH_MANIFEST_PATH = '.ostup/auth.json';
+
+class AuthError extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+  }
+}
+
+function plannedOps(targetDir) {
+  return [
+    { kind: 'create-or-overwrite', dest: 'middleware.ts', src: 'middleware.ts' },
+    { kind: 'create-or-overwrite', dest: 'app/layout.tsx', src: 'layout.tsx' },
+    { kind: 'create', dest: 'app/sign-in/[[...sign-in]]/page.tsx', src: 'sign-in-page.tsx' },
+    { kind: 'create', dest: 'app/sign-up/[[...sign-up]]/page.tsx', src: 'sign-up-page.tsx' },
+    { kind: 'package-merge', dest: 'package.json', src: 'package.json.additions' },
+    { kind: 'env-append', dest: '.env.example', src: 'env.example.additions' },
+  ];
+}
+
+async function loadTemplate(rel) {
+  return readFile(join(TEMPLATES_ROOT, rel), 'utf8');
+}
+
+function tokenSubstitute(body, tokens) {
+  if (!tokens) return body;
+  return body.replace(/\{\{([A-Z_][A-Z_0-9]*)\}\}/g, (m, k) => (tokens[k] != null ? String(tokens[k]) : 'TBD'));
+}
+
+function mergePackageJson(existing, additionsText) {
+  const additions = JSON.parse(additionsText);
+  const target = existing ? JSON.parse(existing) : {};
+  for (const section of ['dependencies', 'devDependencies', 'scripts']) {
+    if (additions[section]) {
+      target[section] = { ...(target[section] || {}), ...additions[section] };
+    }
+  }
+  return JSON.stringify(target, null, 2) + '\n';
+}
+
+export async function applyAuthClerk({ targetDir, profile = null, tokens = {}, force = false } = {}) {
+  const manifestPath = join(targetDir, AUTH_MANIFEST_PATH);
+  if (existsSync(manifestPath) && !force) {
+    const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
+    throw new AuthError(
+      'AUTH_ALREADY_APPLIED',
+      `${AUTH_MANIFEST_PATH} already exists (provider: ${manifest.provider}). Run remove first, or pass --force.`,
+    );
+  }
+  if (profile === 'saas-dashboard') {
+    throw new AuthError(
+      'AUTH_PROFILE_CONFLICT',
+      '--auth=clerk is not compatible with --profile saas-dashboard. saas-dashboard ships Better Auth. Pick one.',
+    );
+  }
+
+  const ops = plannedOps(targetDir);
+  const performed = [];
+
+  for (const op of ops) {
+    const destPath = join(targetDir, op.dest);
+    const tmpl = await loadTemplate(op.src);
+    const content = tokenSubstitute(tmpl, tokens);
+
+    if (op.kind === 'create') {
+      if (existsSync(destPath) && !force) {
+        throw new AuthError('AUTH_DIRTY', `${op.dest} already exists; refuse to overwrite without --force.`);
+      }
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, content, 'utf8');
+      performed.push({ kind: 'created', path: op.dest });
+    } else if (op.kind === 'create-or-overwrite') {
+      const prior = existsSync(destPath) ? await readFile(destPath, 'utf8') : null;
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, content, 'utf8');
+      if (prior !== null) {
+        performed.push({ kind: 'replaced', path: op.dest, prior });
+      } else {
+        performed.push({ kind: 'created', path: op.dest });
+      }
+    } else if (op.kind === 'package-merge') {
+      const prior = existsSync(destPath) ? await readFile(destPath, 'utf8') : null;
+      const merged = mergePackageJson(prior, content);
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, merged, 'utf8');
+      if (prior !== null) {
+        performed.push({ kind: 'patched', path: op.dest, prior });
+      } else {
+        performed.push({ kind: 'created', path: op.dest });
+      }
+    } else if (op.kind === 'env-append') {
+      const prior = existsSync(destPath) ? await readFile(destPath, 'utf8') : null;
+      const next = prior ? prior + (prior.endsWith('\n') ? '' : '\n') + '\n' + content : content;
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, next, 'utf8');
+      if (prior !== null) {
+        performed.push({ kind: 'patched', path: op.dest, prior });
+      } else {
+        performed.push({ kind: 'created', path: op.dest });
+      }
+    }
+  }
+
+  await mkdir(dirname(manifestPath), { recursive: true });
+  await writeFile(
+    manifestPath,
+    JSON.stringify({ appliedAt: new Date().toISOString(), provider: 'clerk', ops: performed }, null, 2) + '\n',
+    'utf8',
+  );
+
+  return { applied: true, provider: 'clerk', touched: performed.map((p) => p.path) };
+}
+
+export async function removeAuthClerk({ targetDir } = {}) {
+  const manifestPath = join(targetDir, AUTH_MANIFEST_PATH);
+  if (!existsSync(manifestPath)) {
+    throw new AuthError('AUTH_NOT_APPLIED', `${AUTH_MANIFEST_PATH} not found.`);
+  }
+  const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
+  const restored = [];
+  for (const op of [...manifest.ops].reverse()) {
+    const p = join(targetDir, op.path);
+    if (op.kind === 'created' && existsSync(p)) {
+      await rm(p, { force: true });
+      restored.push({ kind: 'deleted', path: op.path });
+    } else if ((op.kind === 'replaced' || op.kind === 'patched') && existsSync(p)) {
+      await writeFile(p, op.prior, 'utf8');
+      restored.push({ kind: 'restored', path: op.path });
+    }
+  }
+  await rm(manifestPath, { force: true });
+  try { await rm(join(targetDir, '.ostup'), { recursive: false }); } catch {}
+  return { restored: restored.map((r) => r.path), provider: manifest.provider };
+}
+
+export { AuthError };

package/src/auth-google.mjs

@@ -0,0 +1,137 @@
+// auth-google.mjs: applyAuthGoogle post-processor. Drops NextAuth v5 + Google provider into a scaffold.
+
+import { readFile, writeFile, mkdir, rm } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const PKG_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+const TEMPLATES_ROOT = resolve(PKG_ROOT, 'templates', 'auth-google');
+
+export const AUTH_MANIFEST_PATH = '.ostup/auth.json';
+
+class AuthError extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+  }
+}
+
+function plannedOps() {
+  return [
+    { kind: 'create', dest: 'auth.ts', src: 'auth.ts' },
+    { kind: 'create', dest: 'app/api/auth/[...nextauth]/route.ts', src: 'route.ts' },
+    { kind: 'create', dest: 'app/sign-in/page.tsx', src: 'sign-in-page.tsx' },
+    { kind: 'create', dest: 'app/sign-up/page.tsx', src: 'sign-up-page.tsx' },
+    { kind: 'package-merge', dest: 'package.json', src: 'package.json.additions' },
+    { kind: 'env-append', dest: '.env.example', src: 'env.example.additions' },
+  ];
+}
+
+async function loadTemplate(rel) {
+  return readFile(join(TEMPLATES_ROOT, rel), 'utf8');
+}
+
+function tokenSubstitute(body, tokens) {
+  if (!tokens) return body;
+  return body.replace(/\{\{([A-Z_][A-Z_0-9]*)\}\}/g, (m, k) => (tokens[k] != null ? String(tokens[k]) : 'TBD'));
+}
+
+function mergePackageJson(existing, additionsText) {
+  const additions = JSON.parse(additionsText);
+  const target = existing ? JSON.parse(existing) : {};
+  for (const section of ['dependencies', 'devDependencies', 'scripts']) {
+    if (additions[section]) {
+      target[section] = { ...(target[section] || {}), ...additions[section] };
+    }
+  }
+  return JSON.stringify(target, null, 2) + '\n';
+}
+
+export async function applyAuthGoogle({ targetDir, profile = null, tokens = {}, force = false } = {}) {
+  const manifestPath = join(targetDir, AUTH_MANIFEST_PATH);
+  if (existsSync(manifestPath) && !force) {
+    const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
+    throw new AuthError(
+      'AUTH_ALREADY_APPLIED',
+      `${AUTH_MANIFEST_PATH} already exists (provider: ${manifest.provider}). Run remove first, or pass --force.`,
+    );
+  }
+  if (profile === 'saas-dashboard') {
+    throw new AuthError(
+      'AUTH_PROFILE_CONFLICT',
+      '--auth=google is not compatible with --profile saas-dashboard. saas-dashboard ships Better Auth. Pick one.',
+    );
+  }
+
+  const ops = plannedOps();
+  const performed = [];
+
+  for (const op of ops) {
+    const destPath = join(targetDir, op.dest);
+    const tmpl = await loadTemplate(op.src);
+    const content = tokenSubstitute(tmpl, tokens);
+
+    if (op.kind === 'create') {
+      if (existsSync(destPath) && !force) {
+        throw new AuthError('AUTH_DIRTY', `${op.dest} already exists; refuse to overwrite without --force.`);
+      }
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, content, 'utf8');
+      performed.push({ kind: 'created', path: op.dest });
+    } else if (op.kind === 'package-merge') {
+      const prior = existsSync(destPath) ? await readFile(destPath, 'utf8') : null;
+      const merged = mergePackageJson(prior, content);
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, merged, 'utf8');
+      if (prior !== null) {
+        performed.push({ kind: 'patched', path: op.dest, prior });
+      } else {
+        performed.push({ kind: 'created', path: op.dest });
+      }
+    } else if (op.kind === 'env-append') {
+      const prior = existsSync(destPath) ? await readFile(destPath, 'utf8') : null;
+      const next = prior ? prior + (prior.endsWith('\n') ? '' : '\n') + '\n' + content : content;
+      await mkdir(dirname(destPath), { recursive: true });
+      await writeFile(destPath, next, 'utf8');
+      if (prior !== null) {
+        performed.push({ kind: 'patched', path: op.dest, prior });
+      } else {
+        performed.push({ kind: 'created', path: op.dest });
+      }
+    }
+  }
+
+  await mkdir(dirname(manifestPath), { recursive: true });
+  await writeFile(
+    manifestPath,
+    JSON.stringify({ appliedAt: new Date().toISOString(), provider: 'google', ops: performed }, null, 2) + '\n',
+    'utf8',
+  );
+
+  return { applied: true, provider: 'google', touched: performed.map((p) => p.path) };
+}
+
+export async function removeAuthGoogle({ targetDir } = {}) {
+  const manifestPath = join(targetDir, AUTH_MANIFEST_PATH);
+  if (!existsSync(manifestPath)) {
+    throw new AuthError('AUTH_NOT_APPLIED', `${AUTH_MANIFEST_PATH} not found.`);
+  }
+  const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
+  const restored = [];
+  for (const op of [...manifest.ops].reverse()) {
+    const p = join(targetDir, op.path);
+    if (op.kind === 'created' && existsSync(p)) {
+      await rm(p, { force: true });
+      restored.push({ kind: 'deleted', path: op.path });
+    } else if (op.kind === 'patched' && existsSync(p)) {
+      await writeFile(p, op.prior, 'utf8');
+      restored.push({ kind: 'restored', path: op.path });
+    }
+  }
+  await rm(manifestPath, { force: true });
+  try { await rm(join(targetDir, '.ostup'), { recursive: false }); } catch {}
+  return { restored: restored.map((r) => r.path), provider: manifest.provider };
+}
+
+export { AuthError };

package/src/credential-prompts-npm.mjs

@@ -0,0 +1,154 @@
+// credential-prompts-npm.mjs: detect npm credentials, walk operator through token-paste or browser flow.
+
+import * as p from '@clack/prompts';
+import { execSync } from 'node:child_process';
+import { readFileSync, existsSync, appendFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { run as exec } from './exec.mjs';
+
+const NPMRC_PATH = join(homedir(), '.npmrc');
+
+export function checkNpmAuth({ env = process.env, runner = defaultCmdOk, npmrcReader = defaultNpmrcReader } = {}) {
+  if (env.NPM_TOKEN) return { ok: true, source: 'env' };
+  const npmrc = npmrcReader();
+  if (npmrc && /_authToken=/.test(npmrc)) return { ok: true, source: 'npmrc' };
+  if (runner('npm whoami')) return { ok: true, source: 'npm-cli' };
+  return { ok: false };
+}
+
+function defaultCmdOk(cmd) {
+  try {
+    execSync(cmd, { stdio: ['ignore', 'ignore', 'ignore'] });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function defaultNpmrcReader() {
+  try {
+    return existsSync(NPMRC_PATH) ? readFileSync(NPMRC_PATH, 'utf8') : '';
+  } catch {
+    return '';
+  }
+}
+
+const NPM_BLURB = [
+  '',
+  'npm credentials not found.',
+  '',
+  'Why this matters: if you ever want to publish a package from this machine,',
+  'you need a token. Skip this step if you are only building apps (most users).',
+  '',
+  'If you do not have an npm account yet:',
+  '  1. Open https://www.npmjs.com/signup',
+  '  2. Create an account, then return here.',
+  '',
+  'To create a granular Bypass-2FA token (recommended; survives 2FA-required publishes):',
+  '  1. Open https://www.npmjs.com/settings/<your-username>/tokens/new',
+  '  2. Token type: Granular access token',
+  '  3. Expiration: 90 days (or longer)',
+  '  4. Packages and scopes: select what you plan to publish',
+  '  5. Permissions: Read and Write',
+  '  6. 2FA: select "Bypass 2FA"',
+  '  7. Generate token, copy the value (starts with npm_)',
+  '',
+].join('\n');
+
+export async function promptForNpmToken() {
+  process.stdout.write(NPM_BLURB);
+  const token = await p.password({
+    message: 'Paste your npm token (starts with npm_; leave blank to skip)',
+  });
+  if (p.isCancel(token)) return null;
+  const trimmed = typeof token === 'string' ? token.trim() : '';
+  if (!trimmed) return null;
+  return trimmed;
+}
+
+function binaryOnPath(bin) {
+  try {
+    execSync(`${bin} --version`, { stdio: ['ignore', 'ignore', 'ignore'] });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function chooseNpmAuthMethod() {
+  const choice = await p.select({
+    message: 'npm: how would you like to set up publishing?',
+    options: [
+      { value: 'browser', label: 'Sign in via npm login --auth-type=web (recommended)' },
+      { value: 'token', label: 'Paste a Bypass-2FA token instead' },
+      { value: 'skip', label: 'Skip for now (no publishing from this machine)' },
+    ],
+    initialValue: 'browser',
+  });
+  if (p.isCancel(choice)) return 'skip';
+  return choice;
+}
+
+async function attemptBrowserAuth() {
+  try {
+    await exec('npm-login', 'npm', ['login', '--auth-type=web'], { stdio: 'inherit' });
+    return true;
+  } catch {
+    process.stdout.write('npm browser sign-in did not complete. Falling back to token paste.\n');
+    return false;
+  }
+}
+
+function writeNpmrcToken(token, npmrcPath = NPMRC_PATH) {
+  const line = `//registry.npmjs.org/:_authToken=${token}\n`;
+  if (existsSync(npmrcPath)) {
+    const existing = readFileSync(npmrcPath, 'utf8');
+    if (existing.includes('//registry.npmjs.org/:_authToken=')) {
+      const replaced = existing.replace(/^\/\/registry\.npmjs\.org\/:_authToken=.*$/m, line.trim());
+      writeFileSync(npmrcPath, replaced, 'utf8');
+    } else {
+      appendFileSync(npmrcPath, (existing.endsWith('\n') ? '' : '\n') + line, 'utf8');
+    }
+  } else {
+    writeFileSync(npmrcPath, line, 'utf8');
+  }
+}
+
+export async function ensureNpmCredentials({ flags = {} } = {}) {
+  const result = checkNpmAuth();
+  if (result.ok) {
+    process.stdout.write(`npm: using existing auth (${result.source}).\n`);
+    return { ok: true, source: result.source };
+  }
+
+  if (!binaryOnPath('npm')) {
+    process.stdout.write('npm CLI not on PATH; skipping npm setup.\n');
+    return { ok: false, source: 'missing-npm' };
+  }
+
+  const method = flags.yes ? 'skip' : await chooseNpmAuthMethod();
+  if (method === 'skip') {
+    process.stdout.write('npm: setup skipped. Run `npm login` later if you need to publish.\n');
+    return { ok: false, source: 'skipped' };
+  }
+
+  if (method === 'browser') {
+    const ok = await attemptBrowserAuth();
+    if (ok && checkNpmAuth().ok) {
+      process.stdout.write('npm: signed in via browser.\n');
+      return { ok: true, source: 'browser' };
+    }
+  }
+
+  const token = await promptForNpmToken();
+  if (!token) {
+    process.stdout.write('npm: no token provided. Skipping.\n');
+    return { ok: false, source: 'skipped' };
+  }
+  writeNpmrcToken(token);
+  process.stdout.write(`npm: token saved to ${NPMRC_PATH}.\n`);
+  return { ok: true, source: 'npmrc-write' };
+}
+
+export { writeNpmrcToken, NPMRC_PATH };

package/src/credential-prompts.mjs

@@ -2,6 +2,7 @@
 import * as p from '@clack/prompts';
 import { execSync } from 'node:child_process';
 import { run as exec } from './exec.mjs';
+import { ensureNpmCredentials } from './credential-prompts-npm.mjs';
 
 export function checkGithubAuth({ env = process.env, runner = defaultCmdOk } = {}) {
   if (env.GH_TOKEN) return { ok: true, source: 'env-or-dotenv' };
@@ -178,5 +179,9 @@ export async function ensureCredentials({ stack = 'next', flags = {} } = {}) {
     }
   }
 
+  if (flags.publishReady) {
+    await ensureNpmCredentials({ flags });
+  }
+
   return { collected };
 }