npm - @pikku/cli - Versions diffs - 0.12.35 → 0.12.36 - Mend

@pikku/cli 0.12.35 → 0.12.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/dist/src/functions/commands/db-generate.js ADDED Viewed

@@ -0,0 +1,45 @@
+import { pikkuSessionlessFunc } from '#pikku';
+import { resolveDb, generateAuthMigration } from '../db/local-db.js';
+import { loadUserConfigForDb } from './db-shared.js';
+export const dbGenerate = pikkuSessionlessFunc({
+    remote: true,
+    func: async ({ logger, config }) => {
+        const userConfig = await loadUserConfigForDb({ config, logger });
+        if (!userConfig)
+            return;
+        const resolved = resolveDb(userConfig, config.rootDir, config.outDir, config.runtimeDir);
+        if (!resolved) {
+            logger.error('pikku db generate: no database configured — set sqliteDb or postgresUrl in your createConfig.');
+            throw new Error('no database configured');
+        }
+        const result = await generateAuthMigration(resolved, config.rootDir, config.srcDirectories, logger);
+        switch (result.status) {
+            case 'no-auth':
+                logger.info('db generate: no pikkuBetterAuth found — nothing to generate');
+                return;
+            case 'up-to-date':
+                logger.info('db generate: Better Auth schema already covered by existing migrations — nothing to generate');
+                return;
+            case 'unsupported-dialect':
+                logger.warn('db generate: automatic Better Auth migration generation is currently SQLite-only. Run Better Auth schema generation manually for postgres.');
+                return;
+            case 'incremental-unsupported': {
+                const cols = (result.missingColumns ?? [])
+                    .map((m) => `${m.table}(${m.columns.join(', ')})`)
+                    .join('; ');
+                logger.error('db generate: the Better Auth config requires schema changes on top of an existing auth schema:');
+                if (result.missingTables?.length) {
+                    logger.error(`  missing tables: ${result.missingTables.join(', ')}`);
+                }
+                if (cols)
+                    logger.error(`  missing columns: ${cols}`);
+                logger.error('  Write a forward migration adding these by hand (incremental auto-generation is not yet supported).');
+                throw new Error('incremental auth schema change requires a manual migration');
+            }
+            case 'written':
+                logger.info(`db generate: wrote ${result.file}`);
+                logger.info('  Review it, then run `pikku db migrate` to apply.');
+                return;
+        }
+    },
+});

package/dist/src/functions/commands/db-migrate.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { pikkuSessionlessFunc } from '#pikku';
-import { resolveDb, migrateAndCodegen } from '../db/local-db.js';
+import { resolveDb, migrateAndCodegen, computeAuthDrift, } from '../db/local-db.js';
 import { loadUserConfigForDb } from './db-shared.js';
 export const dbMigrate = pikkuSessionlessFunc({
     remote: true,
@@ -27,5 +27,17 @@ export const dbMigrate = pikkuSessionlessFunc({
         logger.info(zod.written
             ? `db migrate: regenerated ${zod.outFile} (${zod.tables.length} tables)`
             : `db migrate: ${zod.outFile} unchanged`);
+        const drift = await computeAuthDrift(resolved, config.rootDir, config.srcDirectories, logger);
+        if (drift.hasAuth && !drift.inSync) {
+            logger.error('db migrate: the Better Auth schema is not satisfied by the applied migrations:');
+            if (drift.missingTables.length) {
+                logger.error(`  missing tables: ${drift.missingTables.join(', ')}`);
+            }
+            for (const { table, columns } of drift.missingColumns) {
+                logger.error(`  ${table} missing columns: ${columns.join(', ')}`);
+            }
+            logger.error('  Run `pikku db generate` to create the missing migration, then re-run.');
+            throw new Error('Better Auth schema drift — run `pikku db generate`');
+        }
     },
 });

package/dist/src/functions/db/better-auth-schema.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { Kysely } from 'kysely';
+export interface BetterAuthOptionsLike {
+    database?: {
+        db?: unknown;
+        type?: string;
+    };
+    [key: string]: unknown;
+}
+export interface GetMigrationsResult {
+    toBeCreated: unknown[];
+    toBeAdded: unknown[];
+    runMigrations: () => Promise<void>;
+    compileMigrations: () => Promise<string>;
+}
+export declare function loadAuthOptions(opts: {
+    rootDir: string;
+    srcDirectories: string[];
+    kysely: Kysely<any>;
+    logger: {
+        error: (msg: string) => void;
+    };
+}): Promise<BetterAuthOptionsLike | null>;
+export declare function getAuthMigrations(authOptions: BetterAuthOptionsLike): Promise<GetMigrationsResult>;

package/dist/src/functions/db/better-auth-schema.js ADDED Viewed

@@ -0,0 +1,122 @@
+import { createRequire } from 'node:module';
+import { pathToFileURL } from 'node:url';
+import { readdirSync, statSync, readFileSync, existsSync } from 'node:fs';
+import { join, extname, dirname } from 'node:path';
+import { PIKKU_BETTER_AUTH } from '@pikku/better-auth';
+import { loadUserModule } from '../commands/load-user-project.js';
+let cachedGetMigrations = null;
+async function loadGetMigrations() {
+    if (cachedGetMigrations)
+        return cachedGetMigrations;
+    const require = createRequire(import.meta.url);
+    const mainEntry = require.resolve('better-auth');
+    let root = dirname(mainEntry);
+    while (!existsSync(join(root, 'package.json'))) {
+        const parent = dirname(root);
+        if (parent === root) {
+            throw new Error('Could not locate the better-auth package root');
+        }
+        root = parent;
+    }
+    const modUrl = pathToFileURL(join(root, 'dist/db/get-migration.mjs')).href;
+    const mod = await import(modUrl);
+    cachedGetMigrations = mod.getMigrations;
+    return cachedGetMigrations;
+}
+const SKIP_DIRS = new Set([
+    'node_modules',
+    '.pikku',
+    '.git',
+    'dist',
+    '.pikku-runtime',
+]);
+function findAuthSourceFile(rootDir, srcDirectories) {
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return null;
+        }
+        for (const entry of entries) {
+            if (SKIP_DIRS.has(entry))
+                continue;
+            const full = join(dir, entry);
+            let st;
+            try {
+                st = statSync(full);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                const found = walk(full);
+                if (found)
+                    return found;
+                continue;
+            }
+            if (extname(full) !== '.ts')
+                continue;
+            let src;
+            try {
+                src = readFileSync(full, 'utf8');
+            }
+            catch {
+                continue;
+            }
+            if (/\bpikkuBetterAuth\s*\(/.test(src))
+                return full;
+        }
+        return null;
+    };
+    for (const srcDir of srcDirectories) {
+        const found = walk(join(rootDir, srcDir));
+        if (found)
+            return found;
+    }
+    return walk(rootDir);
+}
+async function loadAuthFactory(sourceFile) {
+    const mod = await loadUserModule(sourceFile);
+    for (const value of Object.values(mod)) {
+        if (typeof value === 'function' && value[PIKKU_BETTER_AUTH]) {
+            return value;
+        }
+    }
+    return null;
+}
+function schemaServicesStub(kysely, logger) {
+    const dummy = 'x'.repeat(32);
+    const fromKeys = (keys) => Object.fromEntries(keys.map((k) => [k, dummy]));
+    const base = {
+        kysely,
+        logger,
+        secrets: {
+            getSecret: async () => dummy,
+            getSecrets: async (keys) => fromKeys(keys),
+        },
+        variables: {
+            getVariable: async () => dummy,
+            getVariables: async (keys) => fromKeys(keys),
+        },
+    };
+    return new Proxy(base, {
+        get: (target, prop) => typeof prop === 'string' && prop in target ? target[prop] : undefined,
+    });
+}
+export async function loadAuthOptions(opts) {
+    const sourceFile = findAuthSourceFile(opts.rootDir, opts.srcDirectories);
+    if (!sourceFile)
+        return null;
+    const factory = await loadAuthFactory(sourceFile);
+    if (!factory)
+        return null;
+    const instance = await factory(schemaServicesStub(opts.kysely, opts.logger));
+    const options = instance.options;
+    return options ?? null;
+}
+export async function getAuthMigrations(authOptions) {
+    const getMigrations = await loadGetMigrations();
+    return getMigrations(authOptions);
+}

package/dist/src/functions/db/local-db.d.ts CHANGED Viewed

@@ -53,4 +53,37 @@ export declare function migrateAndCodegen(resolved: ResolvedDb): Promise<Migrate
 export declare function seed(resolved: ResolvedSqliteDb): Promise<SeedResult>;
 export declare function reset(resolved: ResolvedSqliteDb, rootDir: string): void;
 export declare function createKysely<DB>(resolved: ResolvedSqliteDb): Promise<Kysely<DB>>;
+type SchemaMap = Map<string, Set<string>>;
+export interface DesiredAuthSchema {
+    tables: SchemaMap;
+    sql: string;
+}
+export declare function desiredAuthSchema(rootDir: string, srcDirectories: string[], logger: {
+    error: (msg: string) => void;
+}): Promise<DesiredAuthSchema | null>;
+export declare function introspectSchema(resolved: ResolvedDb): Promise<SchemaMap>;
+export interface AuthDriftResult {
+    hasAuth: boolean;
+    inSync: boolean;
+    missingTables: string[];
+    missingColumns: {
+        table: string;
+        columns: string[];
+    }[];
+}
+export declare function computeAuthDrift(resolved: ResolvedDb, rootDir: string, srcDirectories: string[], logger: {
+    error: (msg: string) => void;
+}): Promise<AuthDriftResult>;
+export interface GenerateAuthResult {
+    status: 'no-auth' | 'up-to-date' | 'written' | 'incremental-unsupported' | 'unsupported-dialect';
+    file?: string;
+    missingTables?: string[];
+    missingColumns?: {
+        table: string;
+        columns: string[];
+    }[];
+}
+export declare function generateAuthMigration(resolved: ResolvedDb, rootDir: string, srcDirectories: string[], logger: {
+    error: (msg: string) => void;
+}): Promise<GenerateAuthResult>;
 export {};

package/dist/src/functions/db/local-db.js CHANGED Viewed

@@ -1,9 +1,10 @@
-import { existsSync, mkdirSync, rmSync, writeFileSync, readFileSync, } from 'node:fs';
+import { existsSync, mkdirSync, rmSync, writeFileSync, readFileSync, readdirSync, } from 'node:fs';
 import { resolve, isAbsolute, relative, dirname, join } from 'node:path';
 import { createRequire } from 'node:module';
 import { runInNewContext } from 'node:vm';
 import { transformSync } from 'esbuild';
 import { migrate } from './db-migrator.js';
+import { loadAuthOptions, getAuthMigrations } from './better-auth-schema.js';
 import { generateSchemaTypes } from './db-codegen.js';
 import { generateZodTypes } from './zod-codegen.js';
 import { createCoercionPlugin } from './coercion-plugin.js';
@@ -295,3 +296,126 @@ export async function createKysely(resolved) {
         plugins: coercionMap ? [createCoercionPlugin({ map: coercionMap })] : [],
     });
 }
+async function introspectorToMap(intro) {
+    const map = new Map();
+    for (const table of await intro.listTables()) {
+        const cols = await intro.getColumns(table);
+        map.set(table, new Set(cols.map((c) => c.name)));
+    }
+    return map;
+}
+function diffSchemas(desired, actual) {
+    const missingTables = [];
+    const missingColumns = [];
+    for (const [table, cols] of desired) {
+        const actualCols = actual.get(table);
+        if (!actualCols) {
+            missingTables.push(table);
+            continue;
+        }
+        const missing = [...cols].filter((c) => !actualCols.has(c));
+        if (missing.length)
+            missingColumns.push({ table, columns: missing });
+    }
+    return { missingTables, missingColumns };
+}
+export async function desiredAuthSchema(rootDir, srcDirectories, logger) {
+    const runtime = await loadSqliteRuntime();
+    const db = runtime.open(':memory:');
+    try {
+        const kysely = createSqliteKysely({ db, camelCase: true });
+        const options = await loadAuthOptions({ rootDir, srcDirectories, kysely, logger });
+        if (!options)
+            return null;
+        const { runMigrations, compileMigrations } = await getAuthMigrations(options);
+        await runMigrations();
+        const tables = await introspectorToMap(new SqliteIntrospector(db));
+        const sql = await compileMigrations();
+        return { tables, sql };
+    }
+    finally {
+        db.close();
+    }
+}
+export async function introspectSchema(resolved) {
+    if (resolved.dialect === 'sqlite') {
+        const runtime = await loadSqliteRuntime();
+        const db = runtime.open(resolved.dbFile);
+        try {
+            return await introspectorToMap(new SqliteIntrospector(db));
+        }
+        finally {
+            db.close();
+        }
+    }
+    const intro = new PostgresIntrospector(resolved.connectionString);
+    await intro.connect();
+    try {
+        return await introspectorToMap(intro);
+    }
+    finally {
+        await intro.close();
+    }
+}
+async function coveredSqliteSchema(migrationsDir) {
+    const runtime = await loadSqliteRuntime();
+    const db = runtime.open(':memory:');
+    try {
+        await migrate(new SqliteMigrationExecutor(db), migrationsDir);
+        return await introspectorToMap(new SqliteIntrospector(db));
+    }
+    finally {
+        db.close();
+    }
+}
+export async function computeAuthDrift(resolved, rootDir, srcDirectories, logger) {
+    const desired = await desiredAuthSchema(rootDir, srcDirectories, logger);
+    if (!desired) {
+        return { hasAuth: false, inSync: true, missingTables: [], missingColumns: [] };
+    }
+    const actual = await introspectSchema(resolved);
+    const { missingTables, missingColumns } = diffSchemas(desired.tables, actual);
+    return {
+        hasAuth: true,
+        inSync: missingTables.length === 0 && missingColumns.length === 0,
+        missingTables,
+        missingColumns,
+    };
+}
+function nextMigrationFile(migrationsDir, label) {
+    mkdirSync(migrationsDir, { recursive: true });
+    let max = 0;
+    try {
+        for (const file of readdirSync(migrationsDir)) {
+            const m = /^(\d+)/.exec(file);
+            if (m)
+                max = Math.max(max, parseInt(m[1], 10));
+        }
+    }
+    catch {
+        max = 0;
+    }
+    const num = String(max + 1).padStart(4, '0');
+    return join(migrationsDir, `${num}-${label}.sql`);
+}
+export async function generateAuthMigration(resolved, rootDir, srcDirectories, logger) {
+    if (resolved.dialect !== 'sqlite')
+        return { status: 'unsupported-dialect' };
+    const desired = await desiredAuthSchema(rootDir, srcDirectories, logger);
+    if (!desired)
+        return { status: 'no-auth' };
+    const covered = await coveredSqliteSchema(resolved.migrationsDir);
+    const { missingTables, missingColumns } = diffSchemas(desired.tables, covered);
+    if (missingTables.length === 0 && missingColumns.length === 0) {
+        return { status: 'up-to-date' };
+    }
+    const coveredHasAnyAuthTable = [...desired.tables.keys()].some((t) => covered.has(t));
+    if (coveredHasAnyAuthTable) {
+        return { status: 'incremental-unsupported', missingTables, missingColumns };
+    }
+    const file = nextMigrationFile(resolved.migrationsDir, 'better-auth');
+    const header = '-- Generated by `pikku db generate` from pikkuBetterAuth (Better Auth).\n' +
+        '-- Re-run the command after changing the auth config.\n\n';
+    writeFileSync(file, header + desired.sql + '\n', 'utf8');
+    return { status: 'written', file, missingTables };
+}

package/dist/src/functions/db/zod-codegen.js CHANGED Viewed

@@ -57,12 +57,15 @@ function parseTables(src) {
     const tables = [];
     for (const match of src.matchAll(INTERFACE_RE)) {
         const name = match[1];
-        if (name === 'DB')
+        if (!name || name === 'DB')
             continue;
-        const body = match[2];
+        const body = match[2] ?? '';
         const fields = [];
         for (const field of body.matchAll(FIELD_RE)) {
-            fields.push({ name: field[1], type: field[2].trim() });
+            const fieldName = field[1];
+            if (!fieldName)
+                continue;
+            fields.push({ name: fieldName, type: (field[2] ?? '').trim() });
         }
         tables.push({ name, fields });
     }
@@ -119,7 +122,7 @@ function zodForType(tsType, format) {
     // Peel a single `Generated<…>` wrapper. For public bool/date columns this
     // wraps a `ColumnType<…>`, so the unwrapped inner is handled below.
     const generatedMatch = inner.match(/^Generated<(.+)>$/);
-    if (generatedMatch) {
+    if (generatedMatch?.[1]) {
         generated = true;
         inner = generatedMatch[1].trim();
     }
@@ -146,7 +149,7 @@ function scalarSchema(tsType, format) {
     let inner = tsType.trim();
     // Defensive: a Select arg may itself be `Generated<…>` in older schemas.
     const generatedMatch = inner.match(/^Generated<(.+)>$/);
-    if (generatedMatch) {
+    if (generatedMatch?.[1]) {
         inner = generatedMatch[1].trim();
     }
     const nullable = inner.endsWith(' | null');
@@ -155,7 +158,7 @@ function scalarSchema(tsType, format) {
     }
     // Unwrap a classification brand: `Private<T>` / `Pii<T>` / `Secret<T>` → T.
     const brandMatch = inner.match(/^(?:Private|Pii|Secret)<(.+)>$/);
-    if (brandMatch) {
+    if (brandMatch?.[1]) {
         inner = brandMatch[1].trim();
     }
     let schema;

package/dist/src/functions/validate/workspace-validate.js CHANGED Viewed

@@ -61,7 +61,7 @@ async function hasAuthSessionMiddleware(fnDir) {
     const meta = await readJsonSafe(metaPath);
     if (!meta?.instances)
         return false;
-    return Object.values(meta.instances).some((instance) => instance.definitionId === 'authJsSession');
+    return Object.values(meta.instances).some((instance) => instance.definitionId === 'betterAuthSession');
 }
 function migrationCreatesTable(sql, tableName) {
     const escapedTable = tableName.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&');

package/dist/src/functions/wirings/auth/pikku-command-auth.js CHANGED Viewed

@@ -1,17 +1,43 @@
+import { join, dirname } from 'node:path';
 import { pikkuSessionlessFunc } from '#pikku';
 import { writeFileInDir } from '../../../utils/file-writer.js';
 import { logCommandInfoAndTime } from '../../../middleware/log-command-info-and-time.js';
 import { serializeAuthGen } from './serialize-auth-gen.js';
+import { serializeAuthTypes } from './serialize-auth-types.js';
+import { serializeAuthMeta } from './serialize-auth-meta.js';
 export const pikkuAuth = pikkuSessionlessFunc({
     func: async ({ logger, config, getInspectorState }) => {
-        const { authFile } = config;
+        const { authFile, authTypesFile, authMetaJsonFile, functionTypesFile, typesDeclarationFile, secretsFile: secretsServiceFile, variablesFile, packageMappings, } = config;
         if (!authFile)
             return;
         const state = await getInspectorState();
-        if (state.auth.providers.length === 0)
+        // Only generate when the project declares auth via `pikkuBetterAuth`. Gating on
+        // the definition (not provider count) means credentials-only auth — which
+        // has no OAuth providers — still generates its /auth/* wiring.
+        if (!state.auth.definition)
             return;
-        const content = serializeAuthGen(state.auth.providers);
-        await writeFileInDir(logger, authFile, content);
+        const { wiring, secrets } = serializeAuthGen(state.auth.definition, state.auth.providers, authFile, typesDeclarationFile, packageMappings ?? {});
+        // The secrets file sits alongside authFile so re-inspection rediscovers it.
+        // It is kept separate from the wiring file because the CLI forbids Zod
+        // schemas and HTTP wiring (wireHTTPRoutes) in the same file (PKU490).
+        const secretsFile = join(dirname(authFile), 'auth-secrets.gen.ts');
+        await writeFileInDir(logger, authFile, wiring);
+        await writeFileInDir(logger, secretsFile, secrets);
+        // Static metadata of the enabled providers/plugins for the console SSO page,
+        // following the `*-meta.gen.json` convention. Read at runtime by the console
+        // getAuthProviders function instead of a runtime registry.
+        if (authMetaJsonFile) {
+            const meta = serializeAuthMeta(state.auth.definition, state.auth.providers);
+            await writeFileInDir(logger, authMetaJsonFile, JSON.stringify(meta, null, 2));
+        }
+        // Generate the typed pikkuBetterAuth re-export consumed by `import { pikkuBetterAuth } from '#pikku'`.
+        if (authTypesFile &&
+            functionTypesFile &&
+            secretsServiceFile &&
+            variablesFile) {
+            const authTypes = serializeAuthTypes(authTypesFile, functionTypesFile, secretsServiceFile, variablesFile, packageMappings ?? {});
+            await writeFileInDir(logger, authTypesFile, authTypes);
+        }
     },
     middleware: [
         logCommandInfoAndTime({

package/dist/src/functions/wirings/auth/serialize-auth-gen.d.ts CHANGED Viewed

@@ -1 +1,33 @@
-export declare const serializeAuthGen: (providers: string[]) => string;
+import type { AuthDefinition } from '@pikku/inspector';
+/**
+ * The two files generated from a `pikkuBetterAuth` export.
+ *
+ * They are split because the CLI's schema/wiring-separation rule (PKU490)
+ * forbids a file from declaring Zod schemas AND `wireHTTPRoutes` together —
+ * schema files are imported at runtime, which would fire HTTP wiring
+ * side-effects without a server context. `wireSecret`/`wireVariable` are NOT
+ * HTTP wiring, so schemas may sit alongside them; only the route wiring must be
+ * separated out.
+ */
+export interface AuthGenOutput {
+    /** The HTTP wiring file (authFile): handler + catch-all routes + session middleware. */
+    wiring: string;
+    /** The secrets file: Zod schemas + wireSecret/wireVariable. */
+    secrets: string;
+}
+/**
+ * Generates the `auth.gen.ts` (HTTP wiring) and `auth-secrets.gen.ts` (schemas +
+ * secret/variable wiring) files from a `pikkuBetterAuth((services) => betterAuth(...))`
+ * export.
+ *
+ * The wiring file side-effect imports the user's auth file (so `pikkuBetterAuth`
+ * registers its factory), builds ONE shared sessionless handler that reads the
+ * resolved `services.auth` and delegates to better-auth's fetch handler, wires a
+ * catch-all `${basePath}{/*splat}` route per method to it, and registers the
+ * better-auth session-bridge middleware globally. Provider/plugin metadata for
+ * the console is emitted separately as `auth-meta.gen.json` (see
+ * serializeAuthMeta). Because this is normal, statically inspectable HTTP
+ * wiring, the routes flow through inspection into the deploy manifest (one
+ * worker for all auth routes).
+ */
+export declare const serializeAuthGen: (definition: AuthDefinition, providers: string[], authFile: string, typesDeclarationFile: string, packageMappings: Record<string, string>) => AuthGenOutput;