@percepta/create 4.1.16 → 4.2.0

package/templates/webapp/e2e/rbac.spec.ts

@@ -124,14 +124,38 @@ test.describe("RBAC access", () => {
   });
 });
 
+// Apps authenticate via Authentik SSO (there is no password form), so sign-in
+// drives Authentik's hosted login flow. `pnpm run setup` starts the monorepo's
+// local Authentik and seeds these users (password "password") via its blueprint.
+// The provider uses implicit consent, so there is no consent screen. Inputs are
+// targeted by Authentik's stable field names; each stage is submitted via its
+// submit button (Authentik's web-component form doesn't submit on Enter). The
+// identification stage is awaited to detach before the password stage so the two
+// stages don't race during the in-place re-render. (Verified end-to-end against
+// a live local Authentik: each user yields a valid OAuth code + state.)
 async function signIn(page: Page, email: string, callbackUrl: string) {
   await page.goto(
     `/auth/signin?callbackUrl=${encodeURIComponent(callbackUrl)}`,
   );
-  await page.getByLabel("Email").fill(email);
-  await page.getByLabel("Password").fill(password);
-  await page.getByRole("button", { name: "Sign In" }).click();
-  await page.waitForURL((url) => url.pathname !== "/auth/signin");
+  await page.getByRole("button", { name: /Continue with Authentik/i }).click();
+
+  await page.waitForURL(/\/\/localhost:9000\//);
+  const identifier = page.locator('input[name="uidField"]');
+  await identifier.waitFor({ state: "visible" });
+  await identifier.fill(email);
+  await page.locator('button[type="submit"]').first().click();
+  await identifier.waitFor({ state: "detached" });
+
+  const passwordField = page.locator('input[name="password"]');
+  await passwordField.waitFor({ state: "visible" });
+  await passwordField.fill(password);
+  await page.locator('button[type="submit"]').first().click();
+
+  // Back on the app once Authentik redirects through the OAuth callback.
+  await page.waitForURL(
+    (url) =>
+      !url.href.includes("localhost:9000") && url.pathname !== "/auth/signin",
+  );
 }
 
 async function expectNotFound(page: Page) {

package/templates/webapp/env.example.template

@@ -6,19 +6,15 @@ APP_BASE_URL=http://localhost:3000
 # App Database
 DATABASE_URL=postgresql://postgres:postgres@localhost:5434/__DB_NAME__
 
-# Authentication (Better Auth)
-# App auth setup selected by @percepta/create: __AUTH_MODE_LABEL__
-# Defaults to the workspace auth setup unless this app was scaffolded with an override.
-AUTH_MODE=__AUTH_MODE__
+# Authentication (Better Auth via Authentik SSO)
 BETTER_AUTH_SECRET=generate-with-openssl-rand-base64-32
-# Google OAuth apps should fill these:
-# GOOGLE_CLIENT_ID=
-# GOOGLE_CLIENT_SECRET=
-# GOOGLE_HOSTED_DOMAIN=
-# Okta OIDC apps should fill these:
-# OKTA_CLIENT_ID=
-# OKTA_CLIENT_SECRET=
-# OKTA_ISSUER=
+# These point at the monorepo's local Authentik container (brought up by
+# `pnpm run setup`) and the shared local OIDC client provisioned by its
+# blueprint. Deployed environments override them with the per-app Authentik
+# provider's issuer/credentials.
+AUTHENTIK_ISSUER=http://localhost:9000/application/o/mosaic-local/
+AUTHENTIK_CLIENT_ID=mosaic-local-client
+AUTHENTIK_CLIENT_SECRET=mosaic-local-secret
 
 # Shared Auth Database
 # Deployed apps should set this from the customer monorepo auth database Secret.

package/templates/webapp/scripts/seed.ts

@@ -11,42 +11,37 @@ import { AsyncLocalStorage } from "node:async_hooks";
 import { execFileSync } from "node:child_process";
 import * as nextEnvModule from "@next/env";
 import type { SubjectRef } from "@percepta/access-control";
-import {
-  ensurePerceptaAuthModeEnv,
-  type PerceptaAuthMode,
-} from "@percepta/auth/better-auth";
 
 const nextEnv =
   (nextEnvModule as { default?: typeof nextEnvModule }).default ??
   nextEnvModule;
 
+// Local users mirror the accounts in the monorepo's Authentik seed blueprint
+// (same emails, password "password"). Seeding creates the local user row +
+// SpiceDB grants; the first Authentik sign-in links to it by email.
 const SEEDED_USERS = [
   {
     access: "customer_admin",
     email: "customer-admin@example.com",
     name: "Customer Admin",
-    password: "password",
     role: "admin",
   },
   {
     access: "app_admin",
     email: "app-admin@example.com",
     name: "App Admin",
-    password: "password",
     role: "admin",
   },
   {
     access: "app_user",
     email: "app-user@example.com",
     name: "App User",
-    password: "password",
     role: "user",
   },
   {
     access: "none",
     email: "non-user@example.com",
     name: "App Non User",
-    password: "password",
     role: "user",
   },
 ] as const;
@@ -61,13 +56,8 @@ interface AdminCreateUserApi {
   }): Promise<{ user: { id: string } }>;
 }
 
-const DEFAULT_AUTH_MODE = "__AUTH_MODE__" satisfies PerceptaAuthMode;
-
 async function main(): Promise<void> {
   nextEnv.loadEnvConfig(process.cwd());
-  const authMode = ensurePerceptaAuthModeEnv({
-    defaultAuthMode: DEFAULT_AUTH_MODE,
-  });
   // oxlint-disable-next-line typescript/no-explicit-any
   (globalThis as any).AsyncLocalStorage = AsyncLocalStorage;
 
@@ -107,42 +97,21 @@ async function main(): Promise<void> {
         "Seed user already exists.",
       );
     } else {
-      if (authMode === "username-password") {
-        // Use Better Auth's signUpEmail API to create the user with a hashed password.
-        const res = await auth.api.signUpEmail({
-          body: {
-            email: seededUser.email,
-            name: seededUser.name,
-            password: seededUser.password,
-          },
-        });
-        userId = res.user.id;
-      } else {
-        // The admin plugin can create local access principals when this app
-        // starts with an external OAuth provider instead of credentials.
-        const adminApi = auth.api as typeof auth.api & AdminCreateUserApi;
-        const res = await adminApi.createUser({
-          body: {
-            email: seededUser.email,
-            name: seededUser.name,
-          },
-        });
-        userId = res.user.id;
-      }
-
+      // Apps authenticate via Authentik, so create the local user row with the
+      // admin plugin (no password). SpiceDB grants attach to this row, and the
+      // first Authentik sign-in links the OIDC identity to it by email.
+      const adminApi = auth.api as typeof auth.api & AdminCreateUserApi;
+      const res = await adminApi.createUser({
+        body: {
+          email: seededUser.email,
+          name: seededUser.name,
+        },
+      });
+      userId = res.user.id;
       logger.info(
         { safe: { email: seededUser.email, userId } },
         "Seed user created.",
       );
-      if (authMode === "username-password") {
-        logger.info(
-          {
-            safe: { email: seededUser.email },
-            unsafe: { password: seededUser.password },
-          },
-          "Seed user password configured.",
-        );
-      }
     }
 
     await authDb

package/templates/webapp/src/app/(auth)/auth/signin/SignInForm.tsx

@@ -0,0 +1,59 @@
+"use client";
+
+import { Button } from "@percepta/design";
+import { ArrowRight } from "lucide-react";
+import { useSearchParams } from "next/navigation";
+import { useCallback, useState } from "react";
+import { toast } from "sonner";
+import { authClient } from "../../../../lib/auth-client";
+
+export function SignInForm() {
+  const searchParams = useSearchParams();
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const callbackUrl = searchParams.get("callbackUrl") ?? "/";
+
+  const signIn = useCallback(async (): Promise<void> => {
+    setIsSubmitting(true);
+    try {
+      const { error } = await authClient.signIn.oauth2({
+        providerId: "authentik",
+        callbackURL: callbackUrl,
+      });
+
+      if (error != null) {
+        toast.error(error.message ?? "Unable to sign in with Authentik.");
+      }
+    } finally {
+      setIsSubmitting(false);
+    }
+  }, [callbackUrl]);
+
+  return (
+    <div className="grid gap-8">
+      <div className="grid gap-3">
+        <p className="app-auth-kicker">
+          <span>01</span>
+          <span>Sign in</span>
+        </p>
+        <h1 className="app-auth-title">Welcome back.</h1>
+        <p className="app-auth-copy text-sm">
+          Use your Authentik account to continue.
+        </p>
+      </div>
+      <div className="app-auth-form">
+        <div className="flex justify-end">
+          <Button
+            className="app-auth-submit"
+            type="button"
+            loading={isSubmitting}
+            onClick={signIn}
+          >
+            <span>Continue with Authentik</span>
+            <ArrowRight aria-hidden={true} />
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}

package/templates/webapp/src/app/(auth)/auth/signin/page.tsx

@@ -1,8 +1,8 @@
 import type { Metadata } from "next";
 import { redirect } from "next/navigation";
 import { Suspense } from "react";
-import { AUTH_MODE, getServerSession } from "../../../../lib/auth";
-import { CredentialsSignInForm } from "./CredentialsSignInForm";
+import { getServerSession } from "../../../../lib/auth";
+import { SignInForm } from "./SignInForm";
 
 export const metadata: Metadata = {
   title: "Sign In — __APP_TITLE__",
@@ -21,7 +21,7 @@ export default async function SignInPage() {
         <p className="text-center text-sm text-muted-foreground">Loading…</p>
       }
     >
-      <CredentialsSignInForm authMode={AUTH_MODE} />
+      <SignInForm />
     </Suspense>
   );
 }

package/templates/webapp/src/lib/auth/index.ts

@@ -1,8 +1,7 @@
 import { auth, type BetterAuthSession } from "@__REPO_NAME__/auth";
 import { headers } from "next/headers";
-import { AUTH_MODE, type AuthMode } from "./app-auth-mode";
 
-export { AUTH_MODE, auth, type AuthMode, type BetterAuthSession };
+export { auth, type BetterAuthSession };
 
 export async function getServerSession() {
   return auth.api.getSession({

package/dist/register-app-BeSQEsel.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"register-app-BeSQEsel.js","names":[],"sources":["../src/commands/infra/register-app.ts"],"sourcesContent":["import path from \"node:path\";\nimport chalk from \"chalk\";\nimport fs from \"fs-extra\";\nimport { isMap, isSeq, parseDocument } from \"yaml\";\nimport {\n  toKebabCase,\n  toSnakeCase,\n  toTitleCase,\n} from \"../../utils/case-converters.js\";\nimport { detectMonorepo } from \"../../utils/detect-monorepo.js\";\nimport { validateProjectName } from \"../../utils/validate.js\";\nimport { readWorkspaceManifest } from \"../../utils/workspace-manifest.js\";\nimport {\n  createInfraGitHubApi,\n  createOrUpdateInfraPullRequestFiles,\n  INFRA_BASE_BRANCH,\n  INFRA_REPOSITORY,\n  type InfraGitHubApi,\n  type InfraPullRequestFile,\n  resolveGitHubToken,\n} from \"./github.js\";\n\nconst OS_POSTGRESQL_TERRAFORM_SUFFIX = \"postgresql-terraform\";\nconst LEGACY_OS_POSTGRESQL_TERRAFORM_ALIAS = \"os-postgresql-terraform\";\nconst OS_POSTGRESQL_TERRAFORM_SERVICES = new Set([\n  \"os-postgresql-terraform-aws\",\n  \"os-postgresql-terraform-azure\",\n]);\nconst OS_BLUEPRINT_INPUT_GROUPS = [\n  {\n    name: \"general\",\n    displayName: \"General\",\n    description: \"Shared OS infrastructure settings.\",\n  },\n  {\n    name: \"applications\",\n    displayName: \"Applications\",\n    description: \"Generated OS webapp settings.\",\n  },\n  {\n    name: \"aws_postgresql\",\n    displayName: \"AWS PostgreSQL\",\n    description: \"AWS Aurora PostgreSQL settings.\",\n    condition: '{{ eq EnvironmentProviderType \"aws\" }}',\n  },\n  {\n    name: \"azure_postgresql\",\n    displayName: \"Azure PostgreSQL\",\n    description: \"Azure PostgreSQL Flexible Server settings.\",\n    condition: '{{ eq EnvironmentProviderType \"azure\" }}',\n  },\n];\n\nexport interface RegisterAppResult {\n  appName: string;\n  blueprintName: string;\n  blueprintPath: string;\n  branchName: string;\n  customerSlug: string;\n  pullRequestUrl: string | null;\n  repository: typeof INFRA_REPOSITORY;\n  status: \"already_registered\" | \"created_pr\" | \"updated_pr\";\n  servicePath: string;\n  targetPath: string;\n}\n\nexport async function registerApp(\n  appNameInput: string,\n  args: {\n    cwd?: string;\n    github?: InfraGitHubApi;\n  } = {},\n): Promise<RegisterAppResult> {\n  const appName = normalizeAppName(appNameInput);\n  const cwd = args.cwd ?? process.cwd();\n  const monorepoContext = await detectMonorepo(cwd);\n  if (!monorepoContext.found || !monorepoContext.rootDir) {\n    throw new Error(\n      \"Run this command from a Mosaic customer monorepo with a .mosaic-workspace.json file.\",\n    );\n  }\n\n  const workspaceManifest = await readWorkspaceManifest(\n    monorepoContext.rootDir,\n  );\n  const customerSlug = workspaceManifest?.customerSlug;\n  if (!customerSlug) {\n    throw new Error(\n      \".mosaic-workspace.json is missing customerSlug. Recreate the monorepo with a current @percepta/create.\",\n    );\n  }\n\n  const github = args.github ?? createInfraGitHubApi(resolveGitHubToken());\n  const blueprintName = `${customerSlug}-os`;\n  const branchName = `blueberry/register-${customerSlug}-${appName}`;\n  const blueprintPath = [\n    \"ryvn\",\n    \"definitions\",\n    customerSlug,\n    \"blueprints\",\n    `${blueprintName}.blueprint.yaml`,\n  ].join(\"/\");\n  const servicePath = [\n    \"ryvn\",\n    \"definitions\",\n    customerSlug,\n    \"services\",\n    `${appName}.service.yaml`,\n  ].join(\"/\");\n\n  const mainBlueprintFile = await github.getFile(\n    blueprintPath,\n    INFRA_BASE_BRANCH,\n  );\n  if (!mainBlueprintFile) {\n    throw new Error(\n      `${blueprintPath} does not exist in ${INFRA_REPOSITORY}. Run \\`pnpm mosaic infra register-os-blueprint\\` and merge that infra PR first.`,\n    );\n  }\n\n  const mainServiceFile = await github.getFile(servicePath, INFRA_BASE_BRANCH);\n  const serviceContent =\n    mainServiceFile == null\n      ? await readLocalServiceDefinition(monorepoContext.rootDir, appName)\n      : null;\n  const blueprintContent = registerAppInBlueprint(\n    mainBlueprintFile.content,\n    appName,\n  );\n\n  const files: InfraPullRequestFile[] = [];\n  if (blueprintContent !== mainBlueprintFile.content) {\n    files.push({\n      baseFileSha: mainBlueprintFile.sha,\n      content: blueprintContent,\n      message: `Register ${appName} in ${blueprintName}`,\n      path: blueprintPath,\n    });\n  }\n  if (serviceContent != null) {\n    files.push({\n      content: serviceContent,\n      message: `Register ${appName} service`,\n      path: servicePath,\n    });\n  }\n\n  if (files.length === 0) {\n    return {\n      appName,\n      blueprintName,\n      blueprintPath,\n      branchName,\n      customerSlug,\n      pullRequestUrl: null,\n      repository: INFRA_REPOSITORY,\n      status: \"already_registered\",\n      servicePath,\n      targetPath: blueprintPath,\n    };\n  }\n\n  const pullRequest = await createOrUpdateInfraPullRequestFiles({\n    branchName,\n    github,\n    files,\n    title: `Register ${appName} app`,\n    body: [\n      `Registers the ${appName} service and deployment in ${blueprintName}.`,\n      \"\",\n      \"Generated by `mosaic infra register-app`.\",\n    ].join(\"\\n\"),\n  });\n\n  return {\n    appName,\n    blueprintName,\n    blueprintPath,\n    branchName,\n    customerSlug,\n    pullRequestUrl: pullRequest.pullRequestUrl,\n    repository: INFRA_REPOSITORY,\n    status: pullRequest.status,\n    servicePath,\n    targetPath: blueprintPath,\n  };\n}\n\nexport async function registerAppCommand(appName: string): Promise<void> {\n  try {\n    const result = await registerApp(appName);\n\n    if (result.status === \"already_registered\") {\n      console.log(\n        chalk.green(\"✔\"),\n        `${result.appName} is already registered in ${result.repository} at`,\n        chalk.cyan(result.targetPath),\n      );\n      return;\n    }\n\n    const verb =\n      result.status === \"created_pr\" ? \"Created\" : \"Updated existing\";\n    console.log(\n      chalk.green(\"✔\"),\n      `${verb} infra PR for ${result.appName}:`,\n      chalk.cyan(result.pullRequestUrl),\n    );\n  } catch (error) {\n    console.error(chalk.red(\"Error:\"), (error as Error).message);\n    process.exit(1);\n  }\n}\n\nexport function addAppDatabaseToBlueprint(\n  blueprintContent: string,\n  appName: string,\n): string {\n  return updateBlueprint(blueprintContent, appName, {\n    appDatabase: true,\n    appInstallation: false,\n    appInputs: false,\n  });\n}\n\nexport function registerAppInBlueprint(\n  blueprintContent: string,\n  appName: string,\n): string {\n  return updateBlueprint(blueprintContent, appName, {\n    appDatabase: true,\n    appInstallation: true,\n    appInputs: true,\n  });\n}\n\nfunction updateBlueprint(\n  blueprintContent: string,\n  appName: string,\n  options: {\n    appDatabase: boolean;\n    appInstallation: boolean;\n    appInputs: boolean;\n  },\n): string {\n  const document = parseDocument(blueprintContent);\n  if (document.errors.length > 0) {\n    throw new Error(\n      `Invalid OS blueprint YAML: ${document.errors.map((error) => error.message).join(\"; \")}`,\n    );\n  }\n\n  const spec = document.get(\"spec\", true);\n  if (!isMap(spec)) {\n    throw new Error(\"OS blueprint must include a spec map.\");\n  }\n\n  let changed = false;\n  const inputs = spec.get(\"inputs\", true);\n  if (!isSeq(inputs)) {\n    throw new Error(\"OS blueprint spec.inputs must be a sequence.\");\n  }\n\n  changed = ensureInputGroups(document, spec) || changed;\n\n  if (options.appInputs) {\n    changed =\n      addAppInput(document, inputs, renderIngressDomainInput()) || changed;\n    changed =\n      addAppInput(document, inputs, renderBetterAuthSecretInput(appName)) ||\n      changed;\n    changed =\n      addAppInput(document, inputs, renderLangfusePublicKeyInput()) || changed;\n    changed =\n      addAppInput(document, inputs, renderLangfuseSecretKeyInput()) || changed;\n    changed =\n      addAppInput(document, inputs, renderInngestEventKeyInput()) || changed;\n    changed =\n      addAppInput(document, inputs, renderInngestSigningKeyInput()) || changed;\n  }\n\n  if (options.appDatabase) {\n    changed = addAppDatabase(document, inputs, appName) || changed;\n  }\n\n  if (options.appInstallation) {\n    const installations = spec.get(\"installations\", true);\n    if (!isSeq(installations)) {\n      throw new Error(\"OS blueprint spec.installations must be a sequence.\");\n    }\n    const postgresqlInstallationName = getOsPostgresqlInstallationName(\n      getBlueprintName(document),\n    );\n    changed =\n      ensureOsPostgresqlInstallationAlias(\n        installations,\n        postgresqlInstallationName,\n      ) || changed;\n    changed =\n      ensureAppInstallationPostgresqlOutputRefs(\n        installations,\n        postgresqlInstallationName,\n      ) || changed;\n    changed =\n      addAppInstallation(\n        document,\n        installations,\n        appName,\n        postgresqlInstallationName,\n      ) || changed;\n  }\n\n  return changed ? document.toString() : blueprintContent;\n}\n\nfunction ensureInputGroups(\n  document: ReturnType<typeof parseDocument>,\n  spec: {\n    get(key: string, keepScalar?: true): unknown;\n    set(key: string, value: unknown): void;\n  },\n): boolean {\n  let changed = false;\n  const inputGroups = spec.get(\"inputGroups\", true);\n\n  if (inputGroups == null) {\n    spec.set(\"inputGroups\", document.createNode(OS_BLUEPRINT_INPUT_GROUPS));\n    return true;\n  }\n\n  if (!isSeq(inputGroups)) {\n    throw new Error(\"OS blueprint spec.inputGroups must be a sequence.\");\n  }\n\n  for (const group of OS_BLUEPRINT_INPUT_GROUPS) {\n    const exists = inputGroups.items.some(\n      (item) => isMap(item) && item.get(\"name\") === group.name,\n    );\n    if (exists) continue;\n\n    inputGroups.add(document.createNode(group));\n    changed = true;\n  }\n\n  return changed;\n}\n\nfunction ensureOsPostgresqlInstallationAlias(\n  installations: { items: unknown[] },\n  postgresqlInstallationName: string,\n): boolean {\n  let changed = false;\n\n  for (const installation of installations.items) {\n    if (!isMap(installation)) continue;\n\n    const service = installation.get(\"service\");\n    if (\n      typeof service !== \"string\" ||\n      !OS_POSTGRESQL_TERRAFORM_SERVICES.has(service)\n    ) {\n      continue;\n    }\n\n    if (installation.get(\"name\") === postgresqlInstallationName) continue;\n\n    installation.set(\"name\", postgresqlInstallationName);\n    changed = true;\n  }\n\n  return changed;\n}\n\nfunction ensureAppInstallationPostgresqlOutputRefs(\n  installations: { items: unknown[] },\n  postgresqlInstallationName: string,\n): boolean {\n  let changed = false;\n\n  for (const installation of installations.items) {\n    if (!isMap(installation)) continue;\n    if (isOsPostgresqlInstallation(installation)) continue;\n\n    const env = installation.get(\"env\", true);\n    if (!isSeq(env)) continue;\n\n    for (const envVar of env.items) {\n      if (!isMap(envVar)) continue;\n\n      const valueFromOutput = envVar.get(\"valueFromOutput\", true);\n      if (!isMap(valueFromOutput)) continue;\n      if (\n        valueFromOutput.get(\"serviceInstallation\") !==\n        LEGACY_OS_POSTGRESQL_TERRAFORM_ALIAS\n      ) {\n        continue;\n      }\n\n      const outputName = valueFromOutput.get(\"name\");\n      if (\n        typeof outputName !== \"string\" ||\n        (outputName !== \"auth_database_url\" &&\n          !outputName.startsWith(\"app_database_urls.\"))\n      ) {\n        continue;\n      }\n\n      valueFromOutput.set(\"serviceInstallation\", postgresqlInstallationName);\n      changed = true;\n    }\n  }\n\n  return changed;\n}\n\nfunction isOsPostgresqlInstallation(installation: {\n  get(key: string, keepScalar?: true): unknown;\n}): boolean {\n  const service = installation.get(\"service\");\n  return (\n    typeof service === \"string\" && OS_POSTGRESQL_TERRAFORM_SERVICES.has(service)\n  );\n}\n\nfunction getBlueprintName(document: ReturnType<typeof parseDocument>): string {\n  const metadata = document.get(\"metadata\", true);\n  if (!isMap(metadata)) {\n    throw new Error(\"OS blueprint must include a metadata map.\");\n  }\n\n  const name = metadata.get(\"name\");\n  if (typeof name !== \"string\" || name.length === 0) {\n    throw new Error(\"OS blueprint metadata.name must be a non-empty string.\");\n  }\n\n  return name;\n}\n\nfunction getOsPostgresqlInstallationName(blueprintName: string): string {\n  return `${blueprintName}-${OS_POSTGRESQL_TERRAFORM_SUFFIX}`;\n}\n\nfunction addAppInput(\n  document: ReturnType<typeof parseDocument>,\n  inputs: { add(value: unknown): void; items: unknown[] },\n  input: Record<string, unknown> & { name: string },\n): boolean {\n  if (\n    inputs.items.some((item) => isMap(item) && item.get(\"name\") === input.name)\n  ) {\n    return false;\n  }\n\n  inputs.add(document.createNode(input));\n  return true;\n}\n\nfunction addAppDatabase(\n  document: ReturnType<typeof parseDocument>,\n  inputs: { items: unknown[] },\n  appName: string,\n): boolean {\n  const appDatabasesInput = inputs.items.find(\n    (item) => isMap(item) && item.get(\"name\") === \"app_databases\",\n  );\n  if (!isMap(appDatabasesInput)) {\n    throw new Error(\"OS blueprint must include an app_databases input.\");\n  }\n\n  const defaultValue = appDatabasesInput.get(\"default\", true);\n  if (!isMap(defaultValue)) {\n    throw new Error(\"OS blueprint app_databases default must be a map.\");\n  }\n\n  if (defaultValue.has(appName)) return false;\n\n  defaultValue.flow = false;\n  const appDatabaseValue = document.createNode({\n    schema_name: toSnakeCase(appName),\n  });\n  defaultValue.set(appName, appDatabaseValue);\n  return true;\n}\n\nfunction addAppInstallation(\n  document: ReturnType<typeof parseDocument>,\n  installations: { add(value: unknown): void; items: unknown[] },\n  appName: string,\n  postgresqlInstallationName: string,\n): boolean {\n  if (\n    installations.items.some(\n      (item) => isMap(item) && item.get(\"service\") === appName,\n    )\n  ) {\n    return false;\n  }\n\n  installations.add(\n    document.createNode({\n      service: appName,\n      env: renderAppInstallationEnv(appName, postgresqlInstallationName),\n      config: renderAppInstallationConfig(appName),\n    }),\n  );\n  return true;\n}\n\nfunction renderIngressDomainInput(): Record<string, unknown> & {\n  name: string;\n} {\n  return {\n    name: ingressDomainInputName(),\n    type: \"string\",\n    group: \"applications\",\n    displayName: \"Ingress Domain\",\n    description: \"Shared ingress domain for generated OS webapps.\",\n    default: '{{ default \"example.local\" .ryvn.env.state.public_domain.name }}',\n  };\n}\n\nfunction renderBetterAuthSecretInput(\n  appName: string,\n): Record<string, unknown> & { name: string } {\n  return {\n    name: betterAuthSecretInputName(appName),\n    type: \"string\",\n    isSecret: true,\n    group: \"applications\",\n    displayName: `${toTitleCase(appName)} Better Auth Secret`,\n    description: `Generated Better Auth signing secret for ${appName}.`,\n    hidden: true,\n    generated: {\n      type: \"random-bytes\",\n      length: 32,\n    },\n  };\n}\n\nfunction renderLangfusePublicKeyInput(): Record<string, unknown> & {\n  name: string;\n} {\n  return {\n    name: langfusePublicKeyInputName(),\n    type: \"string\",\n    group: \"applications\",\n    displayName: \"Langfuse Public Key\",\n    description:\n      \"Shared Langfuse public key for generated OS webapps. Leave empty to disable Langfuse export.\",\n    default: \"\",\n  };\n}\n\nfunction renderLangfuseSecretKeyInput(): Record<string, unknown> & {\n  name: string;\n} {\n  return {\n    name: langfuseSecretKeyInputName(),\n    type: \"string\",\n    isSecret: true,\n    group: \"applications\",\n    displayName: \"Langfuse Secret Key\",\n    description:\n      \"Shared Langfuse secret key for generated OS webapps. Leave unset to disable Langfuse export.\",\n    condition: `{{ ne (input \"${langfusePublicKeyInputName()}\") \"\" }}`,\n  };\n}\n\nfunction renderInngestEventKeyInput(): Record<string, unknown> & {\n  name: string;\n} {\n  return {\n    name: inngestEventKeyInputName(),\n    type: \"string\",\n    isSecret: true,\n    group: \"applications\",\n    displayName: \"Inngest Event Key\",\n    description: \"Shared Inngest event key for generated OS webapps.\",\n  };\n}\n\nfunction renderInngestSigningKeyInput(): Record<string, unknown> & {\n  name: string;\n} {\n  return {\n    name: inngestSigningKeyInputName(),\n    type: \"string\",\n    isSecret: true,\n    group: \"applications\",\n    displayName: \"Inngest Signing Key\",\n    description: \"Shared Inngest signing key for generated OS webapps.\",\n  };\n}\n\nfunction renderAppInstallationEnv(\n  appName: string,\n  postgresqlInstallationName: string,\n): Array<Record<string, unknown>> {\n  const appInternalEndpoint = `http://${appName}-web-server.{{ .ryvn.env.name }}.svc.cluster.local:3000/api/inngest`;\n\n  return [\n    {\n      key: \"DATABASE_URL\",\n      isSecret: true,\n      valueFromOutput: {\n        serviceInstallation: postgresqlInstallationName,\n        name: `app_database_urls.${appName}`,\n      },\n    },\n    {\n      key: \"AUTH_DATABASE_URL\",\n      isSecret: true,\n      valueFromOutput: {\n        serviceInstallation: postgresqlInstallationName,\n        name: \"auth_database_url\",\n      },\n    },\n    {\n      key: \"DATABASE_SCHEMA\",\n      value: toSnakeCase(appName),\n    },\n    {\n      key: \"INGRESS_DOMAIN\",\n      valueFromInput: {\n        name: ingressDomainInputName(),\n      },\n    },\n    {\n      key: \"APP_BASE_URL\",\n      value: `https://${appName}.$(INGRESS_DOMAIN)`,\n    },\n    {\n      key: \"BETTER_AUTH_URL\",\n      value: `https://${appName}.$(INGRESS_DOMAIN)`,\n    },\n    {\n      key: \"DEPLOYMENT_ENVIRONMENT\",\n      value: \"{{ .ryvn.env.name }}\",\n    },\n    {\n      key: \"BETTER_AUTH_SECRET\",\n      isSecret: true,\n      valueFromInput: {\n        name: betterAuthSecretInputName(appName),\n      },\n    },\n    {\n      key: \"INNGEST_BASE_URL\",\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"inngest_base_url\",\n      },\n    },\n    {\n      key: \"INNGEST_EVENT_KEY\",\n      isSecret: true,\n      valueFromInput: {\n        name: inngestEventKeyInputName(),\n      },\n    },\n    {\n      key: \"INNGEST_SIGNING_KEY\",\n      isSecret: true,\n      valueFromInput: {\n        name: inngestSigningKeyInputName(),\n      },\n    },\n    {\n      key: \"INNGEST_APP_URL\",\n      value: appInternalEndpoint,\n    },\n    {\n      key: \"INNGEST_SERVE_HOST\",\n      value: appInternalEndpoint,\n    },\n    {\n      key: \"LANGFUSE_BASE_URL\",\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"langfuse_internal_url\",\n      },\n    },\n    {\n      key: \"LANGFUSE_PUBLIC_KEY\",\n      valueFromInput: {\n        name: langfusePublicKeyInputName(),\n      },\n    },\n    {\n      key: \"LANGFUSE_SECRET_KEY\",\n      isSecret: true,\n      valueFromInput: {\n        name: langfuseSecretKeyInputName(),\n      },\n    },\n    {\n      key: \"OTEL_EXPORTER_OTLP_ENDPOINT\",\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"otel_exporter_otlp_endpoint\",\n      },\n    },\n    {\n      key: \"SPICEDB_ENDPOINT\",\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"spicedb_endpoint\",\n      },\n    },\n    {\n      key: \"SPICEDB_PRESHARED_KEY\",\n      isSecret: true,\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"spicedb_preshared_key\",\n      },\n    },\n    {\n      key: \"SPICEDB_INSECURE\",\n      valueFromOutput: {\n        blueprintInstallation: \"mosaic\",\n        name: \"spicedb_insecure\",\n      },\n    },\n  ];\n}\n\nfunction renderAppInstallationConfig(appName: string): string {\n  const appHost = `${appName}.{{ input \"${ingressDomainInputName()}\" }}`;\n\n  return [\n    \"replicaCount: 1\",\n    \"\",\n    \"service:\",\n    \"  port: 3000\",\n    \"\",\n    \"livenessEnabled: true\",\n    \"readinessEnabled: true\",\n    \"startupEnabled: true\",\n    \"\",\n    \"resources:\",\n    \"  requests:\",\n    '    cpu: \"100m\"',\n    \"    memory: 256Mi\",\n    \"  limits:\",\n    '    cpu: \"500m\"',\n    \"    memory: 512Mi\",\n    \"\",\n    \"ingress:\",\n    \"  enabled: true\",\n    \"  className: external-nginx\",\n    \"  annotations:\",\n    \"    cert-manager.io/cluster-issuer: external-issuer\",\n    '    nginx.ingress.kubernetes.io/ssl-redirect: \"true\"',\n    \"  hosts:\",\n    `    - host: '${appHost}'`,\n    \"      paths:\",\n    \"        - path: /\",\n    \"          pathType: Prefix\",\n    \"  tls:\",\n    `    - secretName: ${appName}-tls`,\n    \"      hosts:\",\n    `        - '${appHost}'`,\n    \"\",\n  ].join(\"\\n\");\n}\n\nasync function readLocalServiceDefinition(\n  monorepoRoot: string,\n  appName: string,\n): Promise<string> {\n  const serviceDefinitionPath = path.join(\n    monorepoRoot,\n    \"packages\",\n    appName,\n    \"deploy\",\n    \"ryvn\",\n    `${appName}.service.yaml`,\n  );\n  if (!(await fs.pathExists(serviceDefinitionPath))) {\n    throw new Error(\n      `${serviceDefinitionPath} does not exist. Add the app's Ryvn service definition before registering it in infra.`,\n    );\n  }\n\n  const content = await fs.readFile(serviceDefinitionPath, \"utf-8\");\n  validateLocalServiceDefinition(content, appName, serviceDefinitionPath);\n  return content.endsWith(\"\\n\") ? content : `${content}\\n`;\n}\n\nfunction validateLocalServiceDefinition(\n  content: string,\n  appName: string,\n  serviceDefinitionPath: string,\n): void {\n  const document = parseDocument(content);\n  if (document.errors.length > 0) {\n    throw new Error(\n      `Invalid Ryvn service YAML at ${serviceDefinitionPath}: ${document.errors.map((error) => error.message).join(\"; \")}`,\n    );\n  }\n\n  const service = document.toJS() as {\n    kind?: unknown;\n    metadata?: { name?: unknown };\n  };\n  if (service.kind !== \"Service\" || service.metadata?.name !== appName) {\n    throw new Error(\n      `${serviceDefinitionPath} must define kind: Service with metadata.name: ${appName}.`,\n    );\n  }\n}\n\nfunction ingressDomainInputName(): string {\n  return \"ingress_domain\";\n}\n\nfunction betterAuthSecretInputName(appName: string): string {\n  return `${toSnakeCase(appName)}_better_auth_secret`;\n}\n\nfunction langfusePublicKeyInputName(): string {\n  return \"langfuse_public_key\";\n}\n\nfunction langfuseSecretKeyInputName(): string {\n  return \"langfuse_secret_key\";\n}\n\nfunction inngestEventKeyInputName(): string {\n  return \"inngest_event_key\";\n}\n\nfunction inngestSigningKeyInputName(): string {\n  return \"inngest_signing_key\";\n}\n\nfunction normalizeAppName(appNameInput: string): string {\n  const appName = toKebabCase(appNameInput);\n  const validation = validateProjectName(appName);\n  if (!validation.valid) {\n    throw new Error(`Invalid app name: ${validation.error}`);\n  }\n  return appName;\n}\n"],"mappings":";;;;;;;AAsBA,MAAM,iCAAiC;AACvC,MAAM,uCAAuC;AAC7C,MAAM,mCAAmC,IAAI,IAAI,CAC/C,+BACA,+BACF,CAAC;AACD,MAAM,4BAA4B;CAChC;EACE,MAAM;EACN,aAAa;EACb,aAAa;CACf;CACA;EACE,MAAM;EACN,aAAa;EACb,aAAa;CACf;CACA;EACE,MAAM;EACN,aAAa;EACb,aAAa;EACb,WAAW;CACb;CACA;EACE,MAAM;EACN,aAAa;EACb,aAAa;EACb,WAAW;CACb;AACF;AAeA,eAAsB,YACpB,cACA,OAGI,CAAC,GACuB;CAC5B,MAAM,UAAU,iBAAiB,YAAY;CAE7C,MAAM,kBAAkB,MAAM,eADlB,KAAK,OAAO,QAAQ,IAAI,CACY;CAChD,IAAI,CAAC,gBAAgB,SAAS,CAAC,gBAAgB,SAC7C,MAAM,IAAI,MACR,sFACF;CAMF,MAAM,gBAAe,MAHW,sBAC9B,gBAAgB,OAClB,IACwC;CACxC,IAAI,CAAC,cACH,MAAM,IAAI,MACR,wGACF;CAGF,MAAM,SAAS,KAAK,UAAU,qBAAqB,mBAAmB,CAAC;CACvE,MAAM,gBAAgB,GAAG,aAAa;CACtC,MAAM,aAAa,sBAAsB,aAAa,GAAG;CACzD,MAAM,gBAAgB;EACpB;EACA;EACA;EACA;EACA,GAAG,cAAc;CACnB,EAAE,KAAK,GAAG;CACV,MAAM,cAAc;EAClB;EACA;EACA;EACA;EACA,GAAG,QAAQ;CACb,EAAE,KAAK,GAAG;CAEV,MAAM,oBAAoB,MAAM,OAAO,QACrC,eACA,iBACF;CACA,IAAI,CAAC,mBACH,MAAM,IAAI,MACR,GAAG,cAAc,qBAAqB,iBAAiB,iFACzD;CAIF,MAAM,iBACJ,MAF4B,OAAO,QAAQ,aAAA,MAA8B,KAEtD,OACf,MAAM,2BAA2B,gBAAgB,SAAS,OAAO,IACjE;CACN,MAAM,mBAAmB,uBACvB,kBAAkB,SAClB,OACF;CAEA,MAAM,QAAgC,CAAC;CACvC,IAAI,qBAAqB,kBAAkB,SACzC,MAAM,KAAK;EACT,aAAa,kBAAkB;EAC/B,SAAS;EACT,SAAS,YAAY,QAAQ,MAAM;EACnC,MAAM;CACR,CAAC;CAEH,IAAI,kBAAkB,MACpB,MAAM,KAAK;EACT,SAAS;EACT,SAAS,YAAY,QAAQ;EAC7B,MAAM;CACR,CAAC;CAGH,IAAI,MAAM,WAAW,GACnB,OAAO;EACL;EACA;EACA;EACA;EACA;EACA,gBAAgB;EAChB,YAAY;EACZ,QAAQ;EACR;EACA,YAAY;CACd;CAGF,MAAM,cAAc,MAAM,oCAAoC;EAC5D;EACA;EACA;EACA,OAAO,YAAY,QAAQ;EAC3B,MAAM;GACJ,iBAAiB,QAAQ,6BAA6B,cAAc;GACpE;GACA;EACF,EAAE,KAAK,IAAI;CACb,CAAC;CAED,OAAO;EACL;EACA;EACA;EACA;EACA;EACA,gBAAgB,YAAY;EAC5B,YAAY;EACZ,QAAQ,YAAY;EACpB;EACA,YAAY;CACd;AACF;AAEA,eAAsB,mBAAmB,SAAgC;CACvE,IAAI;EACF,MAAM,SAAS,MAAM,YAAY,OAAO;EAExC,IAAI,OAAO,WAAW,sBAAsB;GAC1C,QAAQ,IACN,MAAM,MAAM,GAAG,GACf,GAAG,OAAO,QAAQ,4BAA4B,OAAO,WAAW,MAChE,MAAM,KAAK,OAAO,UAAU,CAC9B;GACA;EACF;EAEA,MAAM,OACJ,OAAO,WAAW,eAAe,YAAY;EAC/C,QAAQ,IACN,MAAM,MAAM,GAAG,GACf,GAAG,KAAK,gBAAgB,OAAO,QAAQ,IACvC,MAAM,KAAK,OAAO,cAAc,CAClC;CACF,SAAS,OAAO;EACd,QAAQ,MAAM,MAAM,IAAI,QAAQ,GAAI,MAAgB,OAAO;EAC3D,QAAQ,KAAK,CAAC;CAChB;AACF;AAaA,SAAgB,uBACd,kBACA,SACQ;CACR,OAAO,gBAAgB,kBAAkB,SAAS;EAChD,aAAa;EACb,iBAAiB;EACjB,WAAW;CACb,CAAC;AACH;AAEA,SAAS,gBACP,kBACA,SACA,SAKQ;CACR,MAAM,WAAW,cAAc,gBAAgB;CAC/C,IAAI,SAAS,OAAO,SAAS,GAC3B,MAAM,IAAI,MACR,8BAA8B,SAAS,OAAO,KAAK,UAAU,MAAM,OAAO,EAAE,KAAK,IAAI,GACvF;CAGF,MAAM,OAAO,SAAS,IAAI,QAAQ,IAAI;CACtC,IAAI,CAAC,MAAM,IAAI,GACb,MAAM,IAAI,MAAM,uCAAuC;CAGzD,IAAI,UAAU;CACd,MAAM,SAAS,KAAK,IAAI,UAAU,IAAI;CACtC,IAAI,CAAC,MAAM,MAAM,GACf,MAAM,IAAI,MAAM,8CAA8C;CAGhE,UAAU,kBAAkB,UAAU,IAAI,KAAK;CAE/C,IAAI,QAAQ,WAAW;EACrB,UACE,YAAY,UAAU,QAAQ,yBAAyB,CAAC,KAAK;EAC/D,UACE,YAAY,UAAU,QAAQ,4BAA4B,OAAO,CAAC,KAClE;EACF,UACE,YAAY,UAAU,QAAQ,6BAA6B,CAAC,KAAK;EACnE,UACE,YAAY,UAAU,QAAQ,6BAA6B,CAAC,KAAK;EACnE,UACE,YAAY,UAAU,QAAQ,2BAA2B,CAAC,KAAK;EACjE,UACE,YAAY,UAAU,QAAQ,6BAA6B,CAAC,KAAK;CACrE;CAEA,IAAI,QAAQ,aACV,UAAU,eAAe,UAAU,QAAQ,OAAO,KAAK;CAGzD,IAAI,QAAQ,iBAAiB;EAC3B,MAAM,gBAAgB,KAAK,IAAI,iBAAiB,IAAI;EACpD,IAAI,CAAC,MAAM,aAAa,GACtB,MAAM,IAAI,MAAM,qDAAqD;EAEvE,MAAM,6BAA6B,gCACjC,iBAAiB,QAAQ,CAC3B;EACA,UACE,oCACE,eACA,0BACF,KAAK;EACP,UACE,0CACE,eACA,0BACF,KAAK;EACP,UACE,mBACE,UACA,eACA,SACA,0BACF,KAAK;CACT;CAEA,OAAO,UAAU,SAAS,SAAS,IAAI;AACzC;AAEA,SAAS,kBACP,UACA,MAIS;CACT,IAAI,UAAU;CACd,MAAM,cAAc,KAAK,IAAI,eAAe,IAAI;CAEhD,IAAI,eAAe,MAAM;EACvB,KAAK,IAAI,eAAe,SAAS,WAAW,yBAAyB,CAAC;EACtE,OAAO;CACT;CAEA,IAAI,CAAC,MAAM,WAAW,GACpB,MAAM,IAAI,MAAM,mDAAmD;CAGrE,KAAK,MAAM,SAAS,2BAA2B;EAI7C,IAHe,YAAY,MAAM,MAC9B,SAAS,MAAM,IAAI,KAAK,KAAK,IAAI,MAAM,MAAM,MAAM,IAE7C,GAAG;EAEZ,YAAY,IAAI,SAAS,WAAW,KAAK,CAAC;EAC1C,UAAU;CACZ;CAEA,OAAO;AACT;AAEA,SAAS,oCACP,eACA,4BACS;CACT,IAAI,UAAU;CAEd,KAAK,MAAM,gBAAgB,cAAc,OAAO;EAC9C,IAAI,CAAC,MAAM,YAAY,GAAG;EAE1B,MAAM,UAAU,aAAa,IAAI,SAAS;EAC1C,IACE,OAAO,YAAY,YACnB,CAAC,iCAAiC,IAAI,OAAO,GAE7C;EAGF,IAAI,aAAa,IAAI,MAAM,MAAM,4BAA4B;EAE7D,aAAa,IAAI,QAAQ,0BAA0B;EACnD,UAAU;CACZ;CAEA,OAAO;AACT;AAEA,SAAS,0CACP,eACA,4BACS;CACT,IAAI,UAAU;CAEd,KAAK,MAAM,gBAAgB,cAAc,OAAO;EAC9C,IAAI,CAAC,MAAM,YAAY,GAAG;EAC1B,IAAI,2BAA2B,YAAY,GAAG;EAE9C,MAAM,MAAM,aAAa,IAAI,OAAO,IAAI;EACxC,IAAI,CAAC,MAAM,GAAG,GAAG;EAEjB,KAAK,MAAM,UAAU,IAAI,OAAO;GAC9B,IAAI,CAAC,MAAM,MAAM,GAAG;GAEpB,MAAM,kBAAkB,OAAO,IAAI,mBAAmB,IAAI;GAC1D,IAAI,CAAC,MAAM,eAAe,GAAG;GAC7B,IACE,gBAAgB,IAAI,qBAAqB,MACzC,sCAEA;GAGF,MAAM,aAAa,gBAAgB,IAAI,MAAM;GAC7C,IACE,OAAO,eAAe,YACrB,eAAe,uBACd,CAAC,WAAW,WAAW,oBAAoB,GAE7C;GAGF,gBAAgB,IAAI,uBAAuB,0BAA0B;GACrE,UAAU;EACZ;CACF;CAEA,OAAO;AACT;AAEA,SAAS,2BAA2B,cAExB;CACV,MAAM,UAAU,aAAa,IAAI,SAAS;CAC1C,OACE,OAAO,YAAY,YAAY,iCAAiC,IAAI,OAAO;AAE/E;AAEA,SAAS,iBAAiB,UAAoD;CAC5E,MAAM,WAAW,SAAS,IAAI,YAAY,IAAI;CAC9C,IAAI,CAAC,MAAM,QAAQ,GACjB,MAAM,IAAI,MAAM,2CAA2C;CAG7D,MAAM,OAAO,SAAS,IAAI,MAAM;CAChC,IAAI,OAAO,SAAS,YAAY,KAAK,WAAW,GAC9C,MAAM,IAAI,MAAM,wDAAwD;CAG1E,OAAO;AACT;AAEA,SAAS,gCAAgC,eAA+B;CACtE,OAAO,GAAG,cAAc,GAAG;AAC7B;AAEA,SAAS,YACP,UACA,QACA,OACS;CACT,IACE,OAAO,MAAM,MAAM,SAAS,MAAM,IAAI,KAAK,KAAK,IAAI,MAAM,MAAM,MAAM,IAAI,GAE1E,OAAO;CAGT,OAAO,IAAI,SAAS,WAAW,KAAK,CAAC;CACrC,OAAO;AACT;AAEA,SAAS,eACP,UACA,QACA,SACS;CACT,MAAM,oBAAoB,OAAO,MAAM,MACpC,SAAS,MAAM,IAAI,KAAK,KAAK,IAAI,MAAM,MAAM,eAChD;CACA,IAAI,CAAC,MAAM,iBAAiB,GAC1B,MAAM,IAAI,MAAM,mDAAmD;CAGrE,MAAM,eAAe,kBAAkB,IAAI,WAAW,IAAI;CAC1D,IAAI,CAAC,MAAM,YAAY,GACrB,MAAM,IAAI,MAAM,mDAAmD;CAGrE,IAAI,aAAa,IAAI,OAAO,GAAG,OAAO;CAEtC,aAAa,OAAO;CACpB,MAAM,mBAAmB,SAAS,WAAW,EAC3C,aAAa,YAAY,OAAO,EAClC,CAAC;CACD,aAAa,IAAI,SAAS,gBAAgB;CAC1C,OAAO;AACT;AAEA,SAAS,mBACP,UACA,eACA,SACA,4BACS;CACT,IACE,cAAc,MAAM,MACjB,SAAS,MAAM,IAAI,KAAK,KAAK,IAAI,SAAS,MAAM,OACnD,GAEA,OAAO;CAGT,cAAc,IACZ,SAAS,WAAW;EAClB,SAAS;EACT,KAAK,yBAAyB,SAAS,0BAA0B;EACjE,QAAQ,4BAA4B,OAAO;CAC7C,CAAC,CACH;CACA,OAAO;AACT;AAEA,SAAS,2BAEP;CACA,OAAO;EACL,MAAM,uBAAuB;EAC7B,MAAM;EACN,OAAO;EACP,aAAa;EACb,aAAa;EACb,SAAS;CACX;AACF;AAEA,SAAS,4BACP,SAC4C;CAC5C,OAAO;EACL,MAAM,0BAA0B,OAAO;EACvC,MAAM;EACN,UAAU;EACV,OAAO;EACP,aAAa,GAAG,YAAY,OAAO,EAAE;EACrC,aAAa,4CAA4C,QAAQ;EACjE,QAAQ;EACR,WAAW;GACT,MAAM;GACN,QAAQ;EACV;CACF;AACF;AAEA,SAAS,+BAEP;CACA,OAAO;EACL,MAAM,2BAA2B;EACjC,MAAM;EACN,OAAO;EACP,aAAa;EACb,aACE;EACF,SAAS;CACX;AACF;AAEA,SAAS,+BAEP;CACA,OAAO;EACL,MAAM,2BAA2B;EACjC,MAAM;EACN,UAAU;EACV,OAAO;EACP,aAAa;EACb,aACE;EACF,WAAW,iBAAiB,2BAA2B,EAAE;CAC3D;AACF;AAEA,SAAS,6BAEP;CACA,OAAO;EACL,MAAM,yBAAyB;EAC/B,MAAM;EACN,UAAU;EACV,OAAO;EACP,aAAa;EACb,aAAa;CACf;AACF;AAEA,SAAS,+BAEP;CACA,OAAO;EACL,MAAM,2BAA2B;EACjC,MAAM;EACN,UAAU;EACV,OAAO;EACP,aAAa;EACb,aAAa;CACf;AACF;AAEA,SAAS,yBACP,SACA,4BACgC;CAChC,MAAM,sBAAsB,UAAU,QAAQ;CAE9C,OAAO;EACL;GACE,KAAK;GACL,UAAU;GACV,iBAAiB;IACf,qBAAqB;IACrB,MAAM,qBAAqB;GAC7B;EACF;EACA;GACE,KAAK;GACL,UAAU;GACV,iBAAiB;IACf,qBAAqB;IACrB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,OAAO,YAAY,OAAO;EAC5B;EACA;GACE,KAAK;GACL,gBAAgB,EACd,MAAM,uBAAuB,EAC/B;EACF;EACA;GACE,KAAK;GACL,OAAO,WAAW,QAAQ;EAC5B;EACA;GACE,KAAK;GACL,OAAO,WAAW,QAAQ;EAC5B;EACA;GACE,KAAK;GACL,OAAO;EACT;EACA;GACE,KAAK;GACL,UAAU;GACV,gBAAgB,EACd,MAAM,0BAA0B,OAAO,EACzC;EACF;EACA;GACE,KAAK;GACL,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,UAAU;GACV,gBAAgB,EACd,MAAM,yBAAyB,EACjC;EACF;EACA;GACE,KAAK;GACL,UAAU;GACV,gBAAgB,EACd,MAAM,2BAA2B,EACnC;EACF;EACA;GACE,KAAK;GACL,OAAO;EACT;EACA;GACE,KAAK;GACL,OAAO;EACT;EACA;GACE,KAAK;GACL,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,gBAAgB,EACd,MAAM,2BAA2B,EACnC;EACF;EACA;GACE,KAAK;GACL,UAAU;GACV,gBAAgB,EACd,MAAM,2BAA2B,EACnC;EACF;EACA;GACE,KAAK;GACL,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,UAAU;GACV,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;EACA;GACE,KAAK;GACL,iBAAiB;IACf,uBAAuB;IACvB,MAAM;GACR;EACF;CACF;AACF;AAEA,SAAS,4BAA4B,SAAyB;CAC5D,MAAM,UAAU,GAAG,QAAQ,aAAa,uBAAuB,EAAE;CAEjE,OAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA,gBAAgB,QAAQ;EACxB;EACA;EACA;EACA;EACA,qBAAqB,QAAQ;EAC7B;EACA,cAAc,QAAQ;EACtB;CACF,EAAE,KAAK,IAAI;AACb;AAEA,eAAe,2BACb,cACA,SACiB;CACjB,MAAM,wBAAwB,KAAK,KACjC,cACA,YACA,SACA,UACA,QACA,GAAG,QAAQ,cACb;CACA,IAAI,CAAE,MAAM,GAAG,WAAW,qBAAqB,GAC7C,MAAM,IAAI,MACR,GAAG,sBAAsB,uFAC3B;CAGF,MAAM,UAAU,MAAM,GAAG,SAAS,uBAAuB,OAAO;CAChE,+BAA+B,SAAS,SAAS,qBAAqB;CACtE,OAAO,QAAQ,SAAS,IAAI,IAAI,UAAU,GAAG,QAAQ;AACvD;AAEA,SAAS,+BACP,SACA,SACA,uBACM;CACN,MAAM,WAAW,cAAc,OAAO;CACtC,IAAI,SAAS,OAAO,SAAS,GAC3B,MAAM,IAAI,MACR,gCAAgC,sBAAsB,IAAI,SAAS,OAAO,KAAK,UAAU,MAAM,OAAO,EAAE,KAAK,IAAI,GACnH;CAGF,MAAM,UAAU,SAAS,KAAK;CAI9B,IAAI,QAAQ,SAAS,aAAa,QAAQ,UAAU,SAAS,SAC3D,MAAM,IAAI,MACR,GAAG,sBAAsB,iDAAiD,QAAQ,EACpF;AAEJ;AAEA,SAAS,yBAAiC;CACxC,OAAO;AACT;AAEA,SAAS,0BAA0B,SAAyB;CAC1D,OAAO,GAAG,YAAY,OAAO,EAAE;AACjC;AAEA,SAAS,6BAAqC;CAC5C,OAAO;AACT;AAEA,SAAS,6BAAqC;CAC5C,OAAO;AACT;AAEA,SAAS,2BAAmC;CAC1C,OAAO;AACT;AAEA,SAAS,6BAAqC;CAC5C,OAAO;AACT;AAEA,SAAS,iBAAiB,cAA8B;CACtD,MAAM,UAAU,YAAY,YAAY;CACxC,MAAM,aAAa,oBAAoB,OAAO;CAC9C,IAAI,CAAC,WAAW,OACd,MAAM,IAAI,MAAM,qBAAqB,WAAW,OAAO;CAEzD,OAAO;AACT"}

package/templates/webapp/src/app/(auth)/auth/signin/CredentialsSignInForm.tsx

@@ -1,179 +0,0 @@
-"use client";
-
-import { zodResolver } from "@hookform/resolvers/zod";
-import { Button, Input } from "@percepta/design";
-import { ArrowRight } from "lucide-react";
-import Link from "next/link";
-import { useRouter, useSearchParams } from "next/navigation";
-import React, { useCallback, useState } from "react";
-import { Controller, useForm } from "react-hook-form";
-import { toast } from "sonner";
-import z from "zod";
-import { FormItem } from "../../../../components/form/FormItem";
-import { IS_DEV } from "../../../../config/isDev";
-import { authClient } from "../../../../lib/auth-client";
-
-const CREDENTIALS_SCHEMA = z.object({
-  email: z.string().min(1, "Email is required"),
-  password: z.string().min(1, "Password is required"),
-});
-
-type Credentials = z.infer<typeof CREDENTIALS_SCHEMA>;
-type AuthMode = "username-password" | "google" | "okta";
-
-// Defaults are empty in production so deployed instances don't suggest seeded
-// credentials. In dev we prefill with the seeded user from `pnpm db:seed` so a
-// fresh scaffold is one click away from authed.
-const DEFAULTS: Credentials = IS_DEV
-  ? { email: "app-admin@example.com", password: "password" }
-  : { email: "", password: "" };
-
-export function CredentialsSignInForm({ authMode }: { authMode: AuthMode }) {
-  const router = useRouter();
-  const searchParams = useSearchParams();
-  const [isProviderSubmitting, setIsProviderSubmitting] = useState(false);
-
-  const {
-    control,
-    formState: { isSubmitting },
-    handleSubmit,
-  } = useForm<Credentials>({
-    resolver: zodResolver(CREDENTIALS_SCHEMA),
-    defaultValues: DEFAULTS,
-  });
-
-  const callbackUrl = searchParams.get("callbackUrl") ?? "/";
-  const usesCredentials = authMode === "username-password";
-  const providerName = authMode === "google" ? "Google" : "Okta";
-
-  const submit = useCallback(
-    async ({ email, password }: Credentials): Promise<void> => {
-      const { error } = await authClient.signIn.email({
-        email,
-        password,
-        callbackURL: callbackUrl,
-      });
-
-      if (error != null) {
-        toast.error(
-          error.message ??
-            "Invalid email or password. Please check your credentials and try again.",
-        );
-        return;
-      }
-
-      router.push(callbackUrl);
-      router.refresh();
-    },
-    [callbackUrl, router],
-  );
-
-  const signInWithProvider = useCallback(async (): Promise<void> => {
-    setIsProviderSubmitting(true);
-    try {
-      const { error } =
-        authMode === "google"
-          ? await authClient.signIn.social({
-              provider: "google",
-              callbackURL: callbackUrl,
-            })
-          : await authClient.signIn.oauth2({
-              providerId: "okta",
-              callbackURL: callbackUrl,
-            });
-
-      if (error != null) {
-        toast.error(error.message ?? `Unable to sign in with ${providerName}.`);
-      }
-    } finally {
-      setIsProviderSubmitting(false);
-    }
-  }, [authMode, callbackUrl, providerName]);
-
-  return (
-    <div className="grid gap-8">
-      <div className="grid gap-3">
-        <p className="app-auth-kicker">
-          <span>01</span>
-          <span>Sign in</span>
-        </p>
-        <h1 className="app-auth-title">Welcome back.</h1>
-        {usesCredentials ? (
-          <p className="app-auth-copy text-sm">
-            Need an account?{" "}
-            <Link
-              className="app-auth-link"
-              href={`/auth/signup?callbackUrl=${encodeURIComponent(callbackUrl)}`}
-            >
-              Create one
-            </Link>
-          </p>
-        ) : (
-          <p className="app-auth-copy text-sm">
-            Use your {providerName} account to continue.
-          </p>
-        )}
-      </div>
-      {usesCredentials ? (
-        <form className="app-auth-form" onSubmit={handleSubmit(submit)}>
-          <div className="app-auth-fields">
-            <Controller
-              control={control}
-              name="email"
-              render={({ field, fieldState }) => (
-                <FormItem
-                  className="app-auth-field"
-                  label="Email"
-                  fieldState={fieldState}
-                >
-                  <Input {...field} type="email" autoComplete="email" />
-                </FormItem>
-              )}
-            />
-            <Controller
-              control={control}
-              name="password"
-              render={({ field, fieldState }) => (
-                <FormItem
-                  className="app-auth-field"
-                  label="Password"
-                  fieldState={fieldState}
-                >
-                  <Input
-                    {...field}
-                    type="password"
-                    autoComplete="current-password"
-                  />
-                </FormItem>
-              )}
-            />
-          </div>
-          <div className="flex justify-end">
-            <Button
-              className="app-auth-submit"
-              type="submit"
-              loading={isSubmitting}
-            >
-              <span>Sign In</span>
-              <ArrowRight aria-hidden={true} />
-            </Button>
-          </div>
-        </form>
-      ) : (
-        <div className="app-auth-form">
-          <div className="flex justify-end">
-            <Button
-              className="app-auth-submit"
-              type="button"
-              loading={isProviderSubmitting}
-              onClick={signInWithProvider}
-            >
-              <span>Continue with {providerName}</span>
-              <ArrowRight aria-hidden={true} />
-            </Button>
-          </div>
-        </div>
-      )}
-    </div>
-  );
-}

package/templates/webapp/src/app/(auth)/auth/signup/CredentialsSignUpForm.tsx

@@ -1,135 +0,0 @@
-"use client";
-
-import { zodResolver } from "@hookform/resolvers/zod";
-import { Button, Input } from "@percepta/design";
-import { ArrowRight } from "lucide-react";
-import Link from "next/link";
-import { useRouter, useSearchParams } from "next/navigation";
-import React, { useCallback } from "react";
-import { Controller, useForm } from "react-hook-form";
-import { toast } from "sonner";
-import z from "zod";
-import { FormItem } from "../../../../components/form/FormItem";
-import { authClient } from "../../../../lib/auth-client";
-
-const CREDENTIALS_SCHEMA = z.object({
-  name: z.string().min(1, "Name is required"),
-  email: z.string().email("Enter a valid email address"),
-  password: z.string().min(8, "Password must be at least 8 characters"),
-});
-
-type Credentials = z.infer<typeof CREDENTIALS_SCHEMA>;
-
-export function CredentialsSignUpForm() {
-  const router = useRouter();
-  const searchParams = useSearchParams();
-
-  const {
-    control,
-    formState: { isSubmitting },
-    handleSubmit,
-  } = useForm<Credentials>({
-    resolver: zodResolver(CREDENTIALS_SCHEMA),
-    defaultValues: {
-      name: "",
-      email: "",
-      password: "",
-    },
-  });
-
-  const callbackUrl = searchParams.get("callbackUrl") ?? "/";
-
-  const submit = useCallback(
-    async ({ name, email, password }: Credentials): Promise<void> => {
-      const { error } = await authClient.signUp.email({
-        name,
-        email,
-        password,
-        callbackURL: callbackUrl,
-      });
-
-      if (error != null) {
-        toast.error(error.message ?? "Unable to create account.");
-        return;
-      }
-
-      router.push(callbackUrl);
-      router.refresh();
-    },
-    [callbackUrl, router],
-  );
-
-  return (
-    <div className="grid gap-8">
-      <div className="grid gap-3">
-        <p className="app-auth-kicker">
-          <span>01</span>
-          <span>Request access</span>
-        </p>
-        <h1 className="app-auth-title">Create account.</h1>
-        <p className="app-auth-copy text-sm">
-          Already have an account?{" "}
-          <Link
-            className="app-auth-link"
-            href={`/auth/signin?callbackUrl=${encodeURIComponent(callbackUrl)}`}
-          >
-            Sign in
-          </Link>
-        </p>
-      </div>
-      <form className="app-auth-form" onSubmit={handleSubmit(submit)}>
-        <div className="app-auth-fields">
-          <Controller
-            control={control}
-            name="name"
-            render={({ field, fieldState }) => (
-              <FormItem
-                className="app-auth-field"
-                label="Name"
-                fieldState={fieldState}
-              >
-                <Input {...field} autoComplete="name" />
-              </FormItem>
-            )}
-          />
-          <Controller
-            control={control}
-            name="email"
-            render={({ field, fieldState }) => (
-              <FormItem
-                className="app-auth-field"
-                label="Email"
-                fieldState={fieldState}
-              >
-                <Input {...field} type="email" autoComplete="email" />
-              </FormItem>
-            )}
-          />
-          <Controller
-            control={control}
-            name="password"
-            render={({ field, fieldState }) => (
-              <FormItem
-                className="app-auth-field"
-                label="Password"
-                fieldState={fieldState}
-              >
-                <Input {...field} type="password" autoComplete="new-password" />
-              </FormItem>
-            )}
-          />
-        </div>
-        <div className="flex justify-end">
-          <Button
-            className="app-auth-submit"
-            type="submit"
-            loading={isSubmitting}
-          >
-            <span>Create Account</span>
-            <ArrowRight aria-hidden={true} />
-          </Button>
-        </div>
-      </form>
-    </div>
-  );
-}