@pikku/cli 0.12.34 → 0.12.36

package/dist/src/functions/db/annotation-parser.d.ts

@@ -1,31 +1,42 @@
 import type { ColumnKind } from './coercion-plugin.js';
+import { type ZodFormat } from './zod-codegen.js';
 type Classification = 'public' | 'private' | 'pii' | 'secret';
 type AnonymizeStrategy = 'fake:email' | 'fake:name' | 'hash' | 'keep' | null;
 export interface ColAnnotation {
+    /** Column kind override: `date`, `bool`, `json`, or `uuid`. */
     kind?: ColumnKind;
-    /** TypeScript type string for @json columns, e.g. `string[]`. */
+    /** TypeScript type string that overrides the inferred column type, e.g. `string[]`. */
     tsType?: string;
+    /**
+     * Zod string-format validator (`email`, `url`, …). Refines the zod schema only;
+     * the TypeScript type stays `string`. Applied by the codegen only when the
+     * column's resolved type is plain `string`.
+     */
+    format?: ZodFormat;
     classification?: Classification;
     anonymize?: AnonymizeStrategy;
 }
-/** Per-table, per-column annotation map built from migration SQL comments. */
+/** Per-table, per-column annotation map sourced from `db/annotations.ts`. */
 export type AnnotationMap = Record<string, Record<string, ColAnnotation>>;
 /**
- * Determine column kind from naming conventions:
- *   *_at / *_on            → date
- *   is_* / has_* / can_*   → bool
+ * Warn-only naming heuristic. We no longer *infer* a column's kind from its
+ * name (it produced wrong types — e.g. SQLite stores `*_at` as ISO TEXT, not a
+ * `Date`). Instead the codegen warns when a column name looks like it wants a
+ * `kind` but none is declared in `db/annotations.ts`, so the developer can opt
+ * in explicitly. Returns the *suggested* kind, or null.
  */
-export declare function annotationFromName(colName: string): {
-    kind: ColumnKind;
-} | null;
+export declare function nameSuggestsKind(colName: string): ColumnKind | null;
 /**
- * Parse `-- @bool | @date | @json [TsType] | @public | @private[:strategy] | @pii[:strategy] | @secret[:strategy]`
- * inline annotations from migration SQL files in `migrationsDir`.
+ * Load annotations from the `db/annotations.gen.json` sidecar, which is
+ * compiled from the developer-authored `db/annotations.ts` (`DbClassificationMap`)
+ * by `syncClassifications`. This is the single source of column classification
+ * and type-override information — there is no SQL-comment fallback.
+ *
+ * The authored `ColumnEntry` shape is:
+ *   { security?, classification?: <anonymize strategy>, kind?, tsType?, description? }
+ * where `security` is the privacy level and `classification` is the anonymize
+ * strategy. Returns `{}` if the sidecar doesn't exist yet (first migrate run,
+ * before it has been generated).
  */
-export declare function parseAnnotations(migrationsDir: string): AnnotationMap;
-/**
- * Load annotations for a project. Tries `db/annotations.ts` sidecar first;
- * falls back to SQL comment parsing from `migrationsDir` if not found.
- */
-export declare function loadAnnotations(rootDir: string, migrationsDir?: string): AnnotationMap;
+export declare function loadAnnotations(rootDir: string): AnnotationMap;
 export {};

package/dist/src/functions/db/annotation-parser.js

@@ -1,29 +1,44 @@
-import { readFileSync, readdirSync, existsSync } from 'node:fs';
+import { readFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
+import { ZOD_FORMATS } from './zod-codegen.js';
 /**
- * Determine column kind from naming conventions:
- *   *_at / *_on            → date
- *   is_* / has_* / can_*   → bool
+ * Warn-only naming heuristic. We no longer *infer* a column's kind from its
+ * name (it produced wrong types — e.g. SQLite stores `*_at` as ISO TEXT, not a
+ * `Date`). Instead the codegen warns when a column name looks like it wants a
+ * `kind` but none is declared in `db/annotations.ts`, so the developer can opt
+ * in explicitly. Returns the *suggested* kind, or null.
  */
-export function annotationFromName(colName) {
+export function nameSuggestsKind(colName) {
     if (/_at$|_on$/.test(colName))
-        return { kind: 'date' };
+        return 'date';
     if (/^is_|^has_|^can_/.test(colName))
-        return { kind: 'bool' };
+        return 'bool';
     return null;
 }
-// ── Load from db/annotations.gen.json sidecar ────────────────────────────────
+function parseStrategy(s) {
+    if (!s)
+        return null;
+    const valid = ['fake:email', 'fake:name', 'hash', 'keep'];
+    return valid.includes(s)
+        ? s
+        : null;
+}
 /**
- * Try to load annotations from a `db/annotations.gen.json` sidecar generated
- * by `yarn db:types`. Returns null if the file doesn't exist.
+ * Load annotations from the `db/annotations.gen.json` sidecar, which is
+ * compiled from the developer-authored `db/annotations.ts` (`DbClassificationMap`)
+ * by `syncClassifications`. This is the single source of column classification
+ * and type-override information — there is no SQL-comment fallback.
  *
- * The JSON file uses snake_case keys (raw DB names) so it can be read
- * directly without any conversion. It is emitted by bin/db-classify.ts.
+ * The authored `ColumnEntry` shape is:
+ *   { security?, classification?: <anonymize strategy>, kind?, tsType?, description? }
+ * where `security` is the privacy level and `classification` is the anonymize
+ * strategy. Returns `{}` if the sidecar doesn't exist yet (first migrate run,
+ * before it has been generated).
  */
-function loadAnnotationsSidecar(rootDir) {
+export function loadAnnotations(rootDir) {
     const jsonPath = join(rootDir, 'db', 'annotations.gen.json');
     if (!existsSync(jsonPath))
-        return null;
+        return {};
     try {
         const raw = JSON.parse(readFileSync(jsonPath, 'utf8'));
         const result = {};
@@ -33,111 +48,36 @@ function loadAnnotationsSidecar(rootDir) {
                 if (!ann)
                     continue;
                 const entry = {};
-                if (ann.kind === 'bool' || ann.kind === 'date' || ann.kind === 'json')
+                if (ann.kind === 'bool' ||
+                    ann.kind === 'date' ||
+                    ann.kind === 'json' ||
+                    ann.kind === 'uuid')
                     entry.kind = ann.kind;
                 if (ann.tsType)
                     entry.tsType = ann.tsType;
-                const vis = ann.visibility;
-                if (vis === 'public' || vis === 'private' || vis === 'secret')
-                    entry.classification = vis;
+                if (ann.format && ann.format in ZOD_FORMATS)
+                    entry.format = ann.format;
+                // `security` is the privacy level. `encrypted` brands as `secret`.
+                switch (ann.security) {
+                    case 'public':
+                    case 'private':
+                    case 'pii':
+                    case 'secret':
+                        entry.classification = ann.security;
+                        break;
+                    case 'encrypted':
+                        entry.classification = 'secret';
+                        break;
+                }
+                const strategy = parseStrategy(ann.classification);
+                if (strategy !== null)
+                    entry.anonymize = strategy;
                 result[table][col] = entry;
             }
         }
         return result;
     }
-    catch {
-        return null;
-    }
-}
-// ── SQL comment parsing (fallback) ───────────────────────────────────────────
-function parseStrategy(s) {
-    if (!s)
-        return null;
-    const valid = ['fake:email', 'fake:name', 'hash', 'keep'];
-    return valid.includes(s)
-        ? s
-        : null;
-}
-function parseComment(comment) {
-    const ann = {};
-    if (/@bool\b/i.test(comment)) {
-        ann.kind = 'bool';
-    }
-    else if (/@date\b/i.test(comment)) {
-        ann.kind = 'date';
-    }
-    else {
-        const jsonM = comment.match(/@json\b(?:\s+([^\s@]+))?/i);
-        if (jsonM) {
-            ann.kind = 'json';
-            if (jsonM[1])
-                ann.tsType = jsonM[1].trim();
-        }
-    }
-    const classM = comment.match(/@(public|private|pii|secret)(?::([^\s@]+))?/i);
-    if (classM) {
-        ann.classification = classM[1].toLowerCase();
-        const strategy = parseStrategy(classM[2]);
-        if (strategy !== null)
-            ann.anonymize = strategy;
-    }
-    return ann;
-}
-/**
- * Parse `-- @bool | @date | @json [TsType] | @public | @private[:strategy] | @pii[:strategy] | @secret[:strategy]`
- * inline annotations from migration SQL files in `migrationsDir`.
- */
-export function parseAnnotations(migrationsDir) {
-    let files;
-    try {
-        files = readdirSync(migrationsDir)
-            .filter((f) => f.endsWith('.sql'))
-            .sort();
-    }
     catch {
         return {};
     }
-    const result = {};
-    function merge(tableName, colName, partial) {
-        if (!partial.kind && partial.classification === undefined)
-            return;
-        if (!result[tableName])
-            result[tableName] = {};
-        result[tableName][colName] = { ...result[tableName][colName], ...partial };
-    }
-    for (const file of files) {
-        const content = readFileSync(join(migrationsDir, file), 'utf8');
-        const createTablePattern = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"?(\w+)"?\s*\(([^;]+)\)/gis;
-        let tableMatch;
-        while ((tableMatch = createTablePattern.exec(content)) !== null) {
-            const tableName = tableMatch[1].toLowerCase();
-            const body = tableMatch[2];
-            for (const line of body.split('\n')) {
-                const trimmed = line.trim();
-                if (/^(PRIMARY|UNIQUE|CHECK|FOREIGN|CONSTRAINT)/i.test(trimmed))
-                    continue;
-                const lineMatch = trimmed.match(/^(\w+)\s+\w[^-]*--\s*(.+?)\s*,?\s*$/);
-                if (!lineMatch)
-                    continue;
-                merge(tableName, lineMatch[1].toLowerCase(), parseComment(lineMatch[2]));
-            }
-        }
-        const alterPattern = /ALTER\s+TABLE\s+"?(\w+)"?\s+ADD\s+(?:COLUMN\s+)?"?(\w+)"?\s+\w[^;\n-]*(?:;\s*)?--\s*(.+?)(?:\r?\n|$)/gim;
-        let alterMatch;
-        while ((alterMatch = alterPattern.exec(content)) !== null) {
-            merge(alterMatch[1].toLowerCase(), alterMatch[2].toLowerCase(), parseComment(alterMatch[3]));
-        }
-    }
-    return result;
-}
-// ── Public entry point ────────────────────────────────────────────────────────
-/**
- * Load annotations for a project. Tries `db/annotations.ts` sidecar first;
- * falls back to SQL comment parsing from `migrationsDir` if not found.
- */
-export function loadAnnotations(rootDir, migrationsDir) {
-    const sidecar = loadAnnotationsSidecar(rootDir);
-    if (sidecar)
-        return sidecar;
-    return migrationsDir ? parseAnnotations(migrationsDir) : {};
 }

package/dist/src/functions/db/better-auth-schema.d.ts

@@ -0,0 +1,23 @@
+import type { Kysely } from 'kysely';
+export interface BetterAuthOptionsLike {
+    database?: {
+        db?: unknown;
+        type?: string;
+    };
+    [key: string]: unknown;
+}
+export interface GetMigrationsResult {
+    toBeCreated: unknown[];
+    toBeAdded: unknown[];
+    runMigrations: () => Promise<void>;
+    compileMigrations: () => Promise<string>;
+}
+export declare function loadAuthOptions(opts: {
+    rootDir: string;
+    srcDirectories: string[];
+    kysely: Kysely<any>;
+    logger: {
+        error: (msg: string) => void;
+    };
+}): Promise<BetterAuthOptionsLike | null>;
+export declare function getAuthMigrations(authOptions: BetterAuthOptionsLike): Promise<GetMigrationsResult>;

package/dist/src/functions/db/better-auth-schema.js

@@ -0,0 +1,122 @@
+import { createRequire } from 'node:module';
+import { pathToFileURL } from 'node:url';
+import { readdirSync, statSync, readFileSync, existsSync } from 'node:fs';
+import { join, extname, dirname } from 'node:path';
+import { PIKKU_BETTER_AUTH } from '@pikku/better-auth';
+import { loadUserModule } from '../commands/load-user-project.js';
+let cachedGetMigrations = null;
+async function loadGetMigrations() {
+    if (cachedGetMigrations)
+        return cachedGetMigrations;
+    const require = createRequire(import.meta.url);
+    const mainEntry = require.resolve('better-auth');
+    let root = dirname(mainEntry);
+    while (!existsSync(join(root, 'package.json'))) {
+        const parent = dirname(root);
+        if (parent === root) {
+            throw new Error('Could not locate the better-auth package root');
+        }
+        root = parent;
+    }
+    const modUrl = pathToFileURL(join(root, 'dist/db/get-migration.mjs')).href;
+    const mod = await import(modUrl);
+    cachedGetMigrations = mod.getMigrations;
+    return cachedGetMigrations;
+}
+const SKIP_DIRS = new Set([
+    'node_modules',
+    '.pikku',
+    '.git',
+    'dist',
+    '.pikku-runtime',
+]);
+function findAuthSourceFile(rootDir, srcDirectories) {
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return null;
+        }
+        for (const entry of entries) {
+            if (SKIP_DIRS.has(entry))
+                continue;
+            const full = join(dir, entry);
+            let st;
+            try {
+                st = statSync(full);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                const found = walk(full);
+                if (found)
+                    return found;
+                continue;
+            }
+            if (extname(full) !== '.ts')
+                continue;
+            let src;
+            try {
+                src = readFileSync(full, 'utf8');
+            }
+            catch {
+                continue;
+            }
+            if (/\bpikkuBetterAuth\s*\(/.test(src))
+                return full;
+        }
+        return null;
+    };
+    for (const srcDir of srcDirectories) {
+        const found = walk(join(rootDir, srcDir));
+        if (found)
+            return found;
+    }
+    return walk(rootDir);
+}
+async function loadAuthFactory(sourceFile) {
+    const mod = await loadUserModule(sourceFile);
+    for (const value of Object.values(mod)) {
+        if (typeof value === 'function' && value[PIKKU_BETTER_AUTH]) {
+            return value;
+        }
+    }
+    return null;
+}
+function schemaServicesStub(kysely, logger) {
+    const dummy = 'x'.repeat(32);
+    const fromKeys = (keys) => Object.fromEntries(keys.map((k) => [k, dummy]));
+    const base = {
+        kysely,
+        logger,
+        secrets: {
+            getSecret: async () => dummy,
+            getSecrets: async (keys) => fromKeys(keys),
+        },
+        variables: {
+            getVariable: async () => dummy,
+            getVariables: async (keys) => fromKeys(keys),
+        },
+    };
+    return new Proxy(base, {
+        get: (target, prop) => typeof prop === 'string' && prop in target ? target[prop] : undefined,
+    });
+}
+export async function loadAuthOptions(opts) {
+    const sourceFile = findAuthSourceFile(opts.rootDir, opts.srcDirectories);
+    if (!sourceFile)
+        return null;
+    const factory = await loadAuthFactory(sourceFile);
+    if (!factory)
+        return null;
+    const instance = await factory(schemaServicesStub(opts.kysely, opts.logger));
+    const options = instance.options;
+    return options ?? null;
+}
+export async function getAuthMigrations(authOptions) {
+    const getMigrations = await loadGetMigrations();
+    return getMigrations(authOptions);
+}

package/dist/src/functions/db/coercion-plugin.d.ts

@@ -1,5 +1,5 @@
 import type { KyselyPlugin } from 'kysely';
-export type ColumnKind = 'date' | 'bool' | 'json';
+export type ColumnKind = 'date' | 'bool' | 'json' | 'uuid';
 export type CoercionMap = Record<string, Record<string, ColumnKind>>;
 export interface CreateCoercionPluginOptions {
     map: CoercionMap;

package/dist/src/functions/db/coercion-plugin.js

@@ -23,6 +23,10 @@ function fromDb(value, kind) {
             catch {
                 return value;
             }
+        case 'uuid':
+            // UUIDs are strings in both Postgres and SQLite — no runtime coercion.
+            // (Codegen also omits `uuid` from the coercion map; this is defensive.)
+            return value;
     }
 }
 function snakeToCamel(name) {

package/dist/src/functions/db/db-codegen.d.ts

@@ -1,4 +1,6 @@
 import type { DbIntrospector } from './db-introspector.js';
+import { type ZodFormat } from './zod-codegen.js';
+type Dialect = 'sqlite' | 'postgres';
 export interface CodegenOptions {
     outFile: string;
     coercionFile: string;
@@ -7,7 +9,8 @@ export interface CodegenOptions {
     schemaJsonFile?: string;
     camelCase?: boolean;
     rootDir?: string;
-    migrationsDir?: string;
+    /** DB dialect — drives real-type-aware date typing. Defaults to 'sqlite'. */
+    dialect?: Dialect;
 }
 export interface CodegenResult {
     outFile: string;
@@ -19,6 +22,14 @@ export interface CodegenResult {
     manifestWritten: boolean;
     classificationMapWritten: boolean;
     tables: string[];
+    /** Non-fatal codegen warnings (e.g. name looks like a date but unannotated). */
+    warnings: string[];
+    /**
+     * Per-interface, per-field zod `format` overrides for the zod codegen. Keyed
+     * by interface name (PascalCase) and field name (camelCase), matching the
+     * shapes the zod emitter parses out of `schema.d.ts`.
+     */
+    zodFormats: Record<string, Record<string, ZodFormat>>;
 }
 /**
  * Introspect `introspector` and emit:
@@ -27,3 +38,4 @@ export interface CodegenResult {
  *   - `classification.gen.ts`  Data-classification manifest (when manifestFile set)
  */
 export declare function generateSchemaTypes(introspector: DbIntrospector, options: CodegenOptions): Promise<CodegenResult>;
+export {};