@pikku/cli 0.12.34 → 0.12.36

package/dist/src/functions/db/zod-codegen.js

@@ -1,11 +1,40 @@
 import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { dirname } from 'node:path';
+/**
+ * Canonical map of `format` tokens (authored in `db/annotations.ts`) to the zod
+ * expression they emit. These are all *string* refinements — they do not change
+ * the column's TypeScript type (it stays `string`), only the runtime validator.
+ * This is the single source of truth: `annotation-parser` imports it to validate
+ * authored values and `db-codegen` imports the key list to emit the `format`
+ * union in `ColumnEntry`. All confirmed present in zod 4.
+ */
+export const ZOD_FORMATS = {
+    email: 'z.email()',
+    url: 'z.url()',
+    emoji: 'z.emoji()',
+    e164: 'z.e164()',
+    jwt: 'z.jwt()',
+    cuid: 'z.cuid()',
+    cuid2: 'z.cuid2()',
+    ulid: 'z.ulid()',
+    nanoid: 'z.nanoid()',
+    base64: 'z.base64()',
+    base64url: 'z.base64url()',
+    ipv4: 'z.ipv4()',
+    ipv6: 'z.ipv6()',
+    cidrv4: 'z.cidrv4()',
+    cidrv6: 'z.cidrv6()',
+    isoDate: 'z.iso.date()',
+    isoTime: 'z.iso.time()',
+    isoDatetime: 'z.iso.datetime()',
+    isoDuration: 'z.iso.duration()',
+};
 const INTERFACE_RE = /export\s+interface\s+(\w+)\s*\{([^}]*)\}/g;
 const FIELD_RE = /^\s*(\w+)\s*:\s*(.+?)\s*$/gm;
 export function generateZodTypes(options) {
     const src = readFileSync(options.schemaFile, 'utf8');
     const tables = parseTables(src);
-    const body = emitZodModule(tables);
+    const body = emitZodModule(tables, options.formats ?? {});
     let existing = null;
     try {
         existing = readFileSync(options.outFile, 'utf8');
@@ -28,18 +57,21 @@ function parseTables(src) {
     const tables = [];
     for (const match of src.matchAll(INTERFACE_RE)) {
         const name = match[1];
-        if (name === 'DB')
+        if (!name || name === 'DB')
             continue;
-        const body = match[2];
+        const body = match[2] ?? '';
         const fields = [];
         for (const field of body.matchAll(FIELD_RE)) {
-            fields.push({ name: field[1], type: field[2].trim() });
+            const fieldName = field[1];
+            if (!fieldName)
+                continue;
+            fields.push({ name: fieldName, type: (field[2] ?? '').trim() });
         }
         tables.push({ name, fields });
     }
     return tables;
 }
-function emitZodModule(tables) {
+function emitZodModule(tables, formats) {
     const lines = [];
     lines.push('// Generated by @pikku/cli — do not edit by hand.');
     lines.push('// Run `pikku db migrate` to refresh.');
@@ -49,8 +81,9 @@ function emitZodModule(tables) {
     for (const table of tables) {
         const rowFields = [];
         const insertFields = [];
+        const tableFormats = formats[table.name] ?? {};
         for (const field of table.fields) {
-            const { schema, generated } = zodForType(field.type);
+            const { schema, generated } = zodForType(field.type, tableFormats[field.name]);
             rowFields.push(`  ${field.name}: ${schema},`);
             insertFields.push(`  ${field.name}: ${schema}${generated ? '.optional()' : ''},`);
         }
@@ -83,13 +116,13 @@ function emitZodModule(tables) {
  * and the column is insert-optional when `Insert` admits `undefined` (Kysely's
  * encoding for default/auto/generated columns).
  */
-function zodForType(tsType) {
+function zodForType(tsType, format) {
     let inner = tsType.trim();
     let generated = false;
     // Peel a single `Generated<…>` wrapper. For public bool/date columns this
     // wraps a `ColumnType<…>`, so the unwrapped inner is handled below.
     const generatedMatch = inner.match(/^Generated<(.+)>$/);
-    if (generatedMatch) {
+    if (generatedMatch?.[1]) {
         generated = true;
         inner = generatedMatch[1].trim();
     }
@@ -102,9 +135,9 @@ function zodForType(tsType) {
         if (unionIncludesUndefined(insertT)) {
             generated = true;
         }
-        return { schema: scalarSchema(selectT), generated };
+        return { schema: scalarSchema(selectT, format), generated };
     }
-    return { schema: scalarSchema(inner), generated };
+    return { schema: scalarSchema(inner, format), generated };
 }
 /**
  * Resolve a scalar/select type expression to a zod expression. Handles a
@@ -112,11 +145,11 @@ function zodForType(tsType) {
  * and the known scalar bases. Unknown bases fall back to `z.unknown()` so
  * generation stays total.
  */
-function scalarSchema(tsType) {
+function scalarSchema(tsType, format) {
     let inner = tsType.trim();
     // Defensive: a Select arg may itself be `Generated<…>` in older schemas.
     const generatedMatch = inner.match(/^Generated<(.+)>$/);
-    if (generatedMatch) {
+    if (generatedMatch?.[1]) {
         inner = generatedMatch[1].trim();
     }
     const nullable = inner.endsWith(' | null');
@@ -125,48 +158,130 @@ function scalarSchema(tsType) {
     }
     // Unwrap a classification brand: `Private<T>` / `Pii<T>` / `Secret<T>` → T.
     const brandMatch = inner.match(/^(?:Private|Pii|Secret)<(.+)>$/);
-    if (brandMatch) {
+    if (brandMatch?.[1]) {
         inner = brandMatch[1].trim();
     }
     let schema;
-    switch (inner) {
-        case 'string':
-            schema = 'z.string()';
-            break;
-        case 'number':
-            schema = 'z.number()';
-            break;
-        case 'boolean':
-            schema = 'z.boolean()';
-            break;
-        case 'Date':
-            schema = 'z.date()';
-            break;
-        case 'unknown':
-            schema = 'z.unknown()';
-            break;
-        default:
-            if (inner.endsWith('[]')) {
-                schema = `z.array(${scalarSchema(inner.slice(0, -2).trim())})`;
-            }
-            else {
-                schema = 'z.unknown()';
+    // A `format` override (e.g. `email`, `url`) replaces the string base with a
+    // refined string validator. `db-codegen` only emits a format hint for columns
+    // whose select type is plain `string`, so this never collides with Date/enum.
+    if (format) {
+        schema = ZOD_FORMATS[format];
+    }
+    else {
+        // An enum column is emitted as a union of string literals, e.g.
+        // `'admin' | 'user'`. Detect it (after brand-unwrap + null-peel) and map to
+        // `z.enum([...])` (or `z.literal(...)` for a single value).
+        const literals = stringLiteralUnion(inner);
+        if (literals) {
+            schema =
+                literals.length === 1
+                    ? `z.literal('${literals[0]}')`
+                    : `z.enum([${literals.map((l) => `'${l}'`).join(', ')}])`;
+        }
+        else {
+            switch (inner) {
+                case 'string':
+                    schema = 'z.string()';
+                    break;
+                case 'number':
+                    schema = 'z.number()';
+                    break;
+                case 'boolean':
+                    schema = 'z.boolean()';
+                    break;
+                case 'Date':
+                    schema = 'z.date()';
+                    break;
+                case 'Uuid':
+                    schema = 'z.uuid()';
+                    break;
+                case 'unknown':
+                    schema = 'z.unknown()';
+                    break;
+                default:
+                    if (inner.endsWith('[]')) {
+                        schema = `z.array(${scalarSchema(inner.slice(0, -2).trim())})`;
+                    }
+                    else {
+                        schema = 'z.unknown()';
+                    }
+                    break;
             }
-            break;
+        }
     }
     if (nullable) {
         schema += '.nullable()';
     }
     return schema;
 }
-/** Split the generic argument list of `Foo<a, b, c>` on top-level commas. */
+/**
+ * If `s` is a union of single-quoted string literals (`'a' | 'b' | 'c'`),
+ * return the unescaped-as-written label list; otherwise null. Quote-aware so a
+ * label containing `|` does not split the union. Re-emitting wraps each captured
+ * group back in quotes, so escaping is preserved verbatim.
+ */
+function stringLiteralUnion(s) {
+    const parts = splitUnion(s);
+    const labels = [];
+    for (const part of parts) {
+        const match = part.trim().match(/^'((?:[^'\\]|\\.)*)'$/);
+        if (!match)
+            return null;
+        labels.push(match[1]);
+    }
+    return labels.length > 0 ? labels : null;
+}
+/** Split a union on top-level `|`, skipping `|` inside `'…'` strings or `<>`/`()`. */
+function splitUnion(s) {
+    const parts = [];
+    let depth = 0;
+    let inStr = false;
+    let start = 0;
+    for (let i = 0; i < s.length; i++) {
+        const char = s[i];
+        if (inStr) {
+            if (char === '\\')
+                i++;
+            else if (char === "'")
+                inStr = false;
+            continue;
+        }
+        if (char === "'")
+            inStr = true;
+        else if (char === '<' || char === '(')
+            depth++;
+        else if (char === '>' || char === ')')
+            depth--;
+        else if (char === '|' && depth === 0) {
+            parts.push(s.slice(start, i));
+            start = i + 1;
+        }
+    }
+    parts.push(s.slice(start));
+    return parts;
+}
+/**
+ * Split the generic argument list of `Foo<a, b, c>` on top-level commas.
+ * Quote-aware so a comma inside an enum label literal (`'a,b'`) does not split.
+ */
 function splitGenericArgs(args) {
     const parts = [];
     let depth = 0;
+    let inStr = false;
     let start = 0;
     for (let i = 0; i < args.length; i++) {
         const char = args[i];
-        if (char === '<')
+        if (inStr) {
+            if (char === '\\')
+                i++;
+            else if (char === "'")
+                inStr = false;
+            continue;
+        }
+        if (char === "'")
+            inStr = true;
+        else if (char === '<')
             depth++;
         else if (char === '>')
             depth--;

package/dist/src/functions/validate/workspace-validate.js

@@ -61,7 +61,7 @@ async function hasAuthSessionMiddleware(fnDir) {
     const meta = await readJsonSafe(metaPath);
     if (!meta?.instances)
         return false;
-    return Object.values(meta.instances).some((instance) => instance.definitionId === 'authJsSession');
+    return Object.values(meta.instances).some((instance) => instance.definitionId === 'betterAuthSession');
 }
 function migrationCreatesTable(sql, tableName) {
     const escapedTable = tableName.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&');

package/dist/src/functions/wirings/auth/pikku-command-auth.js

@@ -1,17 +1,43 @@
+import { join, dirname } from 'node:path';
 import { pikkuSessionlessFunc } from '#pikku';
 import { writeFileInDir } from '../../../utils/file-writer.js';
 import { logCommandInfoAndTime } from '../../../middleware/log-command-info-and-time.js';
 import { serializeAuthGen } from './serialize-auth-gen.js';
+import { serializeAuthTypes } from './serialize-auth-types.js';
+import { serializeAuthMeta } from './serialize-auth-meta.js';
 export const pikkuAuth = pikkuSessionlessFunc({
     func: async ({ logger, config, getInspectorState }) => {
-        const { authFile } = config;
+        const { authFile, authTypesFile, authMetaJsonFile, functionTypesFile, typesDeclarationFile, secretsFile: secretsServiceFile, variablesFile, packageMappings, } = config;
         if (!authFile)
             return;
         const state = await getInspectorState();
-        if (state.auth.providers.length === 0)
+        // Only generate when the project declares auth via `pikkuBetterAuth`. Gating on
+        // the definition (not provider count) means credentials-only auth — which
+        // has no OAuth providers — still generates its /auth/* wiring.
+        if (!state.auth.definition)
             return;
-        const content = serializeAuthGen(state.auth.providers);
-        await writeFileInDir(logger, authFile, content);
+        const { wiring, secrets } = serializeAuthGen(state.auth.definition, state.auth.providers, authFile, typesDeclarationFile, packageMappings ?? {});
+        // The secrets file sits alongside authFile so re-inspection rediscovers it.
+        // It is kept separate from the wiring file because the CLI forbids Zod
+        // schemas and HTTP wiring (wireHTTPRoutes) in the same file (PKU490).
+        const secretsFile = join(dirname(authFile), 'auth-secrets.gen.ts');
+        await writeFileInDir(logger, authFile, wiring);
+        await writeFileInDir(logger, secretsFile, secrets);
+        // Static metadata of the enabled providers/plugins for the console SSO page,
+        // following the `*-meta.gen.json` convention. Read at runtime by the console
+        // getAuthProviders function instead of a runtime registry.
+        if (authMetaJsonFile) {
+            const meta = serializeAuthMeta(state.auth.definition, state.auth.providers);
+            await writeFileInDir(logger, authMetaJsonFile, JSON.stringify(meta, null, 2));
+        }
+        // Generate the typed pikkuBetterAuth re-export consumed by `import { pikkuBetterAuth } from '#pikku'`.
+        if (authTypesFile &&
+            functionTypesFile &&
+            secretsServiceFile &&
+            variablesFile) {
+            const authTypes = serializeAuthTypes(authTypesFile, functionTypesFile, secretsServiceFile, variablesFile, packageMappings ?? {});
+            await writeFileInDir(logger, authTypesFile, authTypes);
+        }
     },
     middleware: [
         logCommandInfoAndTime({

package/dist/src/functions/wirings/auth/serialize-auth-gen.d.ts

@@ -1 +1,33 @@
-export declare const serializeAuthGen: (providers: string[]) => string;
+import type { AuthDefinition } from '@pikku/inspector';
+/**
+ * The two files generated from a `pikkuBetterAuth` export.
+ *
+ * They are split because the CLI's schema/wiring-separation rule (PKU490)
+ * forbids a file from declaring Zod schemas AND `wireHTTPRoutes` together —
+ * schema files are imported at runtime, which would fire HTTP wiring
+ * side-effects without a server context. `wireSecret`/`wireVariable` are NOT
+ * HTTP wiring, so schemas may sit alongside them; only the route wiring must be
+ * separated out.
+ */
+export interface AuthGenOutput {
+    /** The HTTP wiring file (authFile): handler + catch-all routes + session middleware. */
+    wiring: string;
+    /** The secrets file: Zod schemas + wireSecret/wireVariable. */
+    secrets: string;
+}
+/**
+ * Generates the `auth.gen.ts` (HTTP wiring) and `auth-secrets.gen.ts` (schemas +
+ * secret/variable wiring) files from a `pikkuBetterAuth((services) => betterAuth(...))`
+ * export.
+ *
+ * The wiring file side-effect imports the user's auth file (so `pikkuBetterAuth`
+ * registers its factory), builds ONE shared sessionless handler that reads the
+ * resolved `services.auth` and delegates to better-auth's fetch handler, wires a
+ * catch-all `${basePath}{/*splat}` route per method to it, and registers the
+ * better-auth session-bridge middleware globally. Provider/plugin metadata for
+ * the console is emitted separately as `auth-meta.gen.json` (see
+ * serializeAuthMeta). Because this is normal, statically inspectable HTTP
+ * wiring, the routes flow through inspection into the deploy manifest (one
+ * worker for all auth routes).
+ */
+export declare const serializeAuthGen: (definition: AuthDefinition, providers: string[], authFile: string, typesDeclarationFile: string, packageMappings: Record<string, string>) => AuthGenOutput;

package/dist/src/functions/wirings/auth/serialize-auth-gen.js

@@ -1,4 +1,10 @@
-import { PROVIDER_REGISTRY } from '@pikku/auth-js';
+import { PROVIDER_REGISTRY } from '@pikku/better-auth';
+import { AUTH_HANDLER_FUNC_ID } from '@pikku/inspector';
+import { getFileImportRelativePath } from '../../../utils/file-import-path.js';
+// better-auth uses GET and POST for all of its endpoints (sign-in, callbacks,
+// session, sign-out, plugin routes). A single catch-all per method forwards
+// everything under basePath to better-auth's own internal router.
+const AUTH_METHODS = ['get', 'post'];
 function capitalize(s) {
     return s.charAt(0).toUpperCase() + s.slice(1);
 }
@@ -8,110 +14,138 @@ function providerSchemaName(name) {
 function providerSecretName(name) {
     return `${name.replace(/-([a-z])/g, (_, c) => c.toUpperCase())}OAuth`;
 }
-export const serializeAuthGen = (providers) => {
-    const known = providers.filter((p) => PROVIDER_REGISTRY[p]);
-    const unknown = providers.filter((p) => !PROVIDER_REGISTRY[p]);
-    if (unknown.length > 0) {
-        throw new Error(`wireAuth: unknown providers: ${unknown.join(', ')}. Supported: ${Object.keys(PROVIDER_REGISTRY).join(', ')}`);
-    }
-    const lines = ['// AUTO-GENERATED by pikku CLI — do not edit', ''];
-    // Provider imports
-    for (const name of known) {
-        const def = PROVIDER_REGISTRY[name];
-        lines.push(`import ${def.importName} from '${def.importPath}'`);
+function variableSchemaName(name, field) {
+    const camel = (s) => s.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+    return `${capitalize(camel(name))}${capitalize(field)}VariableSchema`;
+}
+/**
+ * Generates the `auth.gen.ts` (HTTP wiring) and `auth-secrets.gen.ts` (schemas +
+ * secret/variable wiring) files from a `pikkuBetterAuth((services) => betterAuth(...))`
+ * export.
+ *
+ * The wiring file side-effect imports the user's auth file (so `pikkuBetterAuth`
+ * registers its factory), builds ONE shared sessionless handler that reads the
+ * resolved `services.auth` and delegates to better-auth's fetch handler, wires a
+ * catch-all `${basePath}{/*splat}` route per method to it, and registers the
+ * better-auth session-bridge middleware globally. Provider/plugin metadata for
+ * the console is emitted separately as `auth-meta.gen.json` (see
+ * serializeAuthMeta). Because this is normal, statically inspectable HTTP
+ * wiring, the routes flow through inspection into the deploy manifest (one
+ * worker for all auth routes).
+ */
+export const serializeAuthGen = (definition, providers, authFile, typesDeclarationFile, packageMappings) => {
+    const known = providers.filter((p) => p in PROVIDER_REGISTRY);
+    const basePath = definition.basePath;
+    // Side-effect import of the user's auth file so `pikkuBetterAuth` runs and
+    // registers its factory into pikkuState before singleton services are built.
+    const configImportPath = getFileImportRelativePath(authFile, definition.sourceFile, packageMappings);
+    // Resolve the pikku types file relative to the scaffold location instead of
+    // hardcoding the `#pikku` subpath import — the scaffold dir may live outside
+    // the package's `imports` map (e.g. a project's `pikku/` dir), where `#pikku`
+    // would not resolve. This mirrors how the console/agent scaffolds import it.
+    const pikkuTypesImportPath = getFileImportRelativePath(authFile, typesDeclarationFile, packageMappings);
+    // ─── Secrets file: Zod schemas + wireSecret/wireVariable ──────────────────
+    const secrets = [
+        '// AUTO-GENERATED by pikku CLI — do not edit',
+        '',
+        `import { wireSecret } from '@pikku/core/secret'`,
+    ];
+    const hasVariables = known.some((name) => PROVIDER_REGISTRY[name].variables);
+    if (hasVariables) {
+        secrets.push(`import { wireVariable } from '@pikku/core/variable'`);
     }
-    if (known.length > 0)
-        lines.push('');
-    lines.push(`import { wireSecret } from '@pikku/core/secret'`);
-    lines.push(`import { wireVariable } from '@pikku/core/variable'`);
-    lines.push(`import { wireHTTPRoutes } from '@pikku/core/http'`);
-    lines.push(`import { createAuthRoutes } from '@pikku/auth-js'`);
-    lines.push(`import { z } from 'zod'`);
-    lines.push('');
-    // Zod schemas for each provider
+    secrets.push(`import { z } from 'zod'`, '');
+    // better-auth's session-signing secret is always required (its BETTER_AUTH_SECRET
+    // env convention). Wire it so the platform collects it, regardless of providers.
+    secrets.push(`export const BetterAuthSecretSchema = z.string()`);
+    secrets.push('');
+    secrets.push(`wireSecret({`);
+    secrets.push(`  name: 'betterAuthSecret',`);
+    secrets.push(`  displayName: 'Better Auth Secret',`);
+    secrets.push(`  description: 'Signing secret for better-auth sessions',`);
+    secrets.push(`  secretId: 'BETTER_AUTH_SECRET',`);
+    secrets.push(`  schema: BetterAuthSecretSchema,`);
+    secrets.push(`})`);
+    secrets.push('');
+    // Zod schemas for each provider's OAuth credentials secret.
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         const schemaName = providerSchemaName(name);
         const fieldLines = Object.entries(def.fields).map(([field, zodExpr]) => `  ${field}: ${zodExpr},`);
-        lines.push(`export const ${schemaName} = z.object({`);
-        lines.push(...fieldLines);
-        lines.push(`})`);
-        lines.push('');
+        secrets.push(`export const ${schemaName} = z.object({`);
+        secrets.push(...fieldLines);
+        secrets.push(`})`);
+        secrets.push('');
     }
-    // wireSecret for AUTH_SECRET
-    lines.push(`export const AuthSecretSchema = z.string()`);
-    lines.push('');
-    lines.push(`wireSecret({`);
-    lines.push(`  name: 'authSecret',`);
-    lines.push(`  displayName: 'Auth Secret',`);
-    lines.push(`  description: 'JWT signing secret for Auth.js sessions',`);
-    lines.push(`  secretId: 'AUTH_SECRET',`);
-    lines.push(`  schema: AuthSecretSchema,`);
-    lines.push(`})`);
-    lines.push('');
-    // wireSecret for each provider
+    // wireSecret for each provider.
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         const schemaName = providerSchemaName(name);
         const secretName = providerSecretName(name);
-        lines.push(`wireSecret({`);
-        lines.push(`  name: '${secretName}',`);
-        lines.push(`  displayName: '${def.displayName}',`);
-        lines.push(`  secretId: '${def.secretId}',`);
-        lines.push(`  schema: ${schemaName},`);
-        lines.push(`})`);
-        lines.push('');
+        secrets.push(`wireSecret({`);
+        secrets.push(`  name: '${secretName}',`);
+        secrets.push(`  displayName: '${def.displayName}',`);
+        secrets.push(`  secretId: '${def.secretId}',`);
+        secrets.push(`  schema: ${schemaName},`);
+        secrets.push(`})`);
+        secrets.push('');
     }
-    // wireVariable for providers with non-secret config (issuer, tenantId, etc.)
+    // wireVariable for providers with non-secret config (issuer, tenantId, etc.).
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         if (!def.variables)
             continue;
         for (const [field, meta] of Object.entries(def.variables)) {
-            lines.push(`wireVariable({`);
-            lines.push(`  name: '${name}_${field}',`);
-            lines.push(`  displayName: '${def.displayName} ${capitalize(field)}',`);
-            lines.push(`  description: '${meta.description}',`);
-            lines.push(`  variableId: '${meta.variableId}',`);
-            lines.push(`  schema: z.string(),`);
-            lines.push(`})`);
-            lines.push('');
+            // PKU111 requires `schema` to be a variable reference, not an inline
+            // expression — so each variable gets a named schema const.
+            const schemaName = variableSchemaName(name, field);
+            secrets.push(`export const ${schemaName} = z.string()`);
+            secrets.push('');
+            secrets.push(`wireVariable({`);
+            secrets.push(`  name: '${name}_${field}',`);
+            secrets.push(`  displayName: '${def.displayName} ${capitalize(field)}',`);
+            secrets.push(`  description: '${meta.description}',`);
+            secrets.push(`  variableId: '${meta.variableId}',`);
+            secrets.push(`  schema: ${schemaName},`);
+            secrets.push(`})`);
+            secrets.push('');
         }
     }
-    // Auth route setup
-    lines.push(`const authRoutes = createAuthRoutes(async (services) => {`);
-    lines.push(`  const secretIds = ['AUTH_SECRET', ${known.map((n) => `'${PROVIDER_REGISTRY[n].secretId}'`).join(', ')}]`);
-    lines.push(`  const secretsMap = new Map(Object.entries(await services.secrets.getSecrets(secretIds)))`);
-    lines.push('');
-    lines.push(`  const authSecret = secretsMap.get('AUTH_SECRET') as string | undefined`);
-    lines.push(`  const providers: any[] = []`);
-    lines.push('');
-    for (const name of known) {
-        const def = PROVIDER_REGISTRY[name];
-        const varName = providerSecretName(name);
-        const hasVariables = def.variables && Object.keys(def.variables).length > 0;
-        lines.push(`  const ${varName}Secrets = secretsMap.get('${def.secretId}')`);
-        lines.push(`  if (${varName}Secrets) {`);
-        lines.push(`    const ${varName}Config = { ...${varName}Secrets as any }`);
-        if (hasVariables && def.variables) {
-            for (const [field, meta] of Object.entries(def.variables)) {
-                lines.push(`    const ${varName}${capitalize(field)} = await services.variables.get('${meta.variableId}')`);
-                lines.push(`    if (${varName}${capitalize(field)} !== undefined) ${varName}Config.${field} = ${varName}${capitalize(field)}`);
-            }
-        }
-        lines.push(`    providers.push(${def.importName}(${varName}Config))`);
-        lines.push(`  }`);
+    // ─── Wiring file: handler + catch-all routes + session middleware ─────────
+    // Provider/plugin metadata for the console SSO page is emitted separately as
+    // `auth-meta.gen.json` (see serializeAuthMeta) rather than wired into the
+    // runtime, so it is available without evaluating the better-auth factory.
+    const wiring = [
+        '// AUTO-GENERATED by pikku CLI — do not edit',
+        '',
+        `import { pikkuSessionlessFunc, wireHTTPRoutes, addHTTPMiddleware } from '${pikkuTypesImportPath}'`,
+        `import { createAuthHandler, betterAuthSession } from '@pikku/better-auth'`,
+        `import '${configImportPath}'`,
+        '',
+        // createAuthHandler is called once at module load; the exported handler is a
+        // plain arrow (so the inspector can resolve a valid `func`) that delegates to
+        // it. The handler's required services are stamped onto its meta by the
+        // inspector from the pikkuBetterAuth factory.
+        `const authConfigHandler = createAuthHandler()`,
+        `export const ${AUTH_HANDLER_FUNC_ID} = pikkuSessionlessFunc({`,
+        `  func: (services: any, data: any, interaction: any) =>`,
+        `    authConfigHandler.func(services, data, interaction),`,
+        `})`,
+        '',
+        // Bridge the better-auth session into the Pikku session on every request.
+        `addHTTPMiddleware('*', [betterAuthSession()])`,
+        '',
+        `wireHTTPRoutes({`,
+        `  routes: {`,
+    ];
+    // One catch-all route per method. `{/*splat}` matches both the bare basePath
+    // and every sub-path under it, so better-auth's internal router sees the full
+    // request and handles all of its own endpoints.
+    for (const method of AUTH_METHODS) {
+        wiring.push(`    ${method}AuthCatchAll: { method: '${method}', route: '${basePath}{/*splat}', func: ${AUTH_HANDLER_FUNC_ID}, auth: false },`);
     }
-    lines.push('');
-    lines.push(`  return {`);
-    lines.push(`    providers,`);
-    lines.push(`    secret: authSecret,`);
-    lines.push(`    trustHost: true,`);
-    lines.push(`    basePath: '/auth',`);
-    lines.push(`  }`);
-    lines.push(`})`);
-    lines.push('');
-    lines.push(`wireHTTPRoutes({ routes: { auth: authRoutes } })`);
-    lines.push('');
-    return lines.join('\n');
+    wiring.push(`  },`);
+    wiring.push(`})`);
+    wiring.push('');
+    return { wiring: wiring.join('\n'), secrets: secrets.join('\n') };
 };

package/dist/src/functions/wirings/auth/serialize-auth-meta.d.ts

@@ -0,0 +1,32 @@
+import type { AuthDefinition } from '@pikku/inspector';
+export interface AuthMetaProvider {
+    id: string;
+    displayName: string;
+    secretId: string;
+}
+export interface AuthMetaPlugin {
+    id: string;
+    displayName: string;
+}
+/**
+ * The contents of `auth-meta.gen.json` — the static description of a project's
+ * Better Auth configuration the console SSO page reads (via getAuthProviders) to
+ * show which social providers and plugins are enabled. Replaces the previous
+ * runtime `setAuthRegistry`/`getAuthRegistry` mechanism with a generated file
+ * following the `*-meta.gen.json` convention.
+ */
+export interface AuthMeta {
+    basePath: string;
+    hasCredentials: boolean;
+    providers: AuthMetaProvider[];
+    plugins: AuthMetaPlugin[];
+}
+/**
+ * Builds the `auth-meta.gen.json` payload from the inspected auth definition.
+ *
+ * Only providers known to {@link PROVIDER_REGISTRY} are emitted (the same ones
+ * the CLI wires a secret for); unknown keys (e.g. wired via the genericOAuth
+ * plugin) are dropped since they have no secret metadata. Every plugin id from
+ * the config is emitted, enriched with a display name.
+ */
+export declare const serializeAuthMeta: (definition: AuthDefinition, providers: string[]) => AuthMeta;