@pikku/cli 0.12.35 → 0.12.37

package/dist/src/functions/wirings/auth/serialize-auth-gen.js

@@ -1,4 +1,10 @@
-import { PROVIDER_REGISTRY } from '@pikku/auth-js';
+import { PROVIDER_REGISTRY } from '@pikku/better-auth';
+import { AUTH_HANDLER_FUNC_ID } from '@pikku/inspector';
+import { getFileImportRelativePath } from '../../../utils/file-import-path.js';
+// better-auth uses GET and POST for all of its endpoints (sign-in, callbacks,
+// session, sign-out, plugin routes). A single catch-all per method forwards
+// everything under basePath to better-auth's own internal router.
+const AUTH_METHODS = ['get', 'post'];
 function capitalize(s) {
     return s.charAt(0).toUpperCase() + s.slice(1);
 }
@@ -8,110 +14,138 @@ function providerSchemaName(name) {
 function providerSecretName(name) {
     return `${name.replace(/-([a-z])/g, (_, c) => c.toUpperCase())}OAuth`;
 }
-export const serializeAuthGen = (providers) => {
-    const known = providers.filter((p) => PROVIDER_REGISTRY[p]);
-    const unknown = providers.filter((p) => !PROVIDER_REGISTRY[p]);
-    if (unknown.length > 0) {
-        throw new Error(`wireAuth: unknown providers: ${unknown.join(', ')}. Supported: ${Object.keys(PROVIDER_REGISTRY).join(', ')}`);
-    }
-    const lines = ['// AUTO-GENERATED by pikku CLI — do not edit', ''];
-    // Provider imports
-    for (const name of known) {
-        const def = PROVIDER_REGISTRY[name];
-        lines.push(`import ${def.importName} from '${def.importPath}'`);
+function variableSchemaName(name, field) {
+    const camel = (s) => s.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+    return `${capitalize(camel(name))}${capitalize(field)}VariableSchema`;
+}
+/**
+ * Generates the `auth.gen.ts` (HTTP wiring) and `auth-secrets.gen.ts` (schemas +
+ * secret/variable wiring) files from a `pikkuBetterAuth((services) => betterAuth(...))`
+ * export.
+ *
+ * The wiring file side-effect imports the user's auth file (so `pikkuBetterAuth`
+ * registers its factory), builds ONE shared sessionless handler that reads the
+ * resolved `services.auth` and delegates to better-auth's fetch handler, wires a
+ * catch-all `${basePath}{/*splat}` route per method to it, and registers the
+ * better-auth session-bridge middleware globally. Provider/plugin metadata for
+ * the console is emitted separately as `auth-meta.gen.json` (see
+ * serializeAuthMeta). Because this is normal, statically inspectable HTTP
+ * wiring, the routes flow through inspection into the deploy manifest (one
+ * worker for all auth routes).
+ */
+export const serializeAuthGen = (definition, providers, authFile, typesDeclarationFile, packageMappings) => {
+    const known = providers.filter((p) => p in PROVIDER_REGISTRY);
+    const basePath = definition.basePath;
+    // Side-effect import of the user's auth file so `pikkuBetterAuth` runs and
+    // registers its factory into pikkuState before singleton services are built.
+    const configImportPath = getFileImportRelativePath(authFile, definition.sourceFile, packageMappings);
+    // Resolve the pikku types file relative to the scaffold location instead of
+    // hardcoding the `#pikku` subpath import — the scaffold dir may live outside
+    // the package's `imports` map (e.g. a project's `pikku/` dir), where `#pikku`
+    // would not resolve. This mirrors how the console/agent scaffolds import it.
+    const pikkuTypesImportPath = getFileImportRelativePath(authFile, typesDeclarationFile, packageMappings);
+    // ─── Secrets file: Zod schemas + wireSecret/wireVariable ──────────────────
+    const secrets = [
+        '// AUTO-GENERATED by pikku CLI — do not edit',
+        '',
+        `import { wireSecret } from '@pikku/core/secret'`,
+    ];
+    const hasVariables = known.some((name) => PROVIDER_REGISTRY[name].variables);
+    if (hasVariables) {
+        secrets.push(`import { wireVariable } from '@pikku/core/variable'`);
     }
-    if (known.length > 0)
-        lines.push('');
-    lines.push(`import { wireSecret } from '@pikku/core/secret'`);
-    lines.push(`import { wireVariable } from '@pikku/core/variable'`);
-    lines.push(`import { wireHTTPRoutes } from '@pikku/core/http'`);
-    lines.push(`import { createAuthRoutes } from '@pikku/auth-js'`);
-    lines.push(`import { z } from 'zod'`);
-    lines.push('');
-    // Zod schemas for each provider
+    secrets.push(`import { z } from 'zod'`, '');
+    // better-auth's session-signing secret is always required (its BETTER_AUTH_SECRET
+    // env convention). Wire it so the platform collects it, regardless of providers.
+    secrets.push(`export const BetterAuthSecretSchema = z.string()`);
+    secrets.push('');
+    secrets.push(`wireSecret({`);
+    secrets.push(`  name: 'betterAuthSecret',`);
+    secrets.push(`  displayName: 'Better Auth Secret',`);
+    secrets.push(`  description: 'Signing secret for better-auth sessions',`);
+    secrets.push(`  secretId: 'BETTER_AUTH_SECRET',`);
+    secrets.push(`  schema: BetterAuthSecretSchema,`);
+    secrets.push(`})`);
+    secrets.push('');
+    // Zod schemas for each provider's OAuth credentials secret.
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         const schemaName = providerSchemaName(name);
         const fieldLines = Object.entries(def.fields).map(([field, zodExpr]) => `  ${field}: ${zodExpr},`);
-        lines.push(`export const ${schemaName} = z.object({`);
-        lines.push(...fieldLines);
-        lines.push(`})`);
-        lines.push('');
+        secrets.push(`export const ${schemaName} = z.object({`);
+        secrets.push(...fieldLines);
+        secrets.push(`})`);
+        secrets.push('');
     }
-    // wireSecret for AUTH_SECRET
-    lines.push(`export const AuthSecretSchema = z.string()`);
-    lines.push('');
-    lines.push(`wireSecret({`);
-    lines.push(`  name: 'authSecret',`);
-    lines.push(`  displayName: 'Auth Secret',`);
-    lines.push(`  description: 'JWT signing secret for Auth.js sessions',`);
-    lines.push(`  secretId: 'AUTH_SECRET',`);
-    lines.push(`  schema: AuthSecretSchema,`);
-    lines.push(`})`);
-    lines.push('');
-    // wireSecret for each provider
+    // wireSecret for each provider.
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         const schemaName = providerSchemaName(name);
         const secretName = providerSecretName(name);
-        lines.push(`wireSecret({`);
-        lines.push(`  name: '${secretName}',`);
-        lines.push(`  displayName: '${def.displayName}',`);
-        lines.push(`  secretId: '${def.secretId}',`);
-        lines.push(`  schema: ${schemaName},`);
-        lines.push(`})`);
-        lines.push('');
+        secrets.push(`wireSecret({`);
+        secrets.push(`  name: '${secretName}',`);
+        secrets.push(`  displayName: '${def.displayName}',`);
+        secrets.push(`  secretId: '${def.secretId}',`);
+        secrets.push(`  schema: ${schemaName},`);
+        secrets.push(`})`);
+        secrets.push('');
     }
-    // wireVariable for providers with non-secret config (issuer, tenantId, etc.)
+    // wireVariable for providers with non-secret config (issuer, tenantId, etc.).
     for (const name of known) {
         const def = PROVIDER_REGISTRY[name];
         if (!def.variables)
             continue;
         for (const [field, meta] of Object.entries(def.variables)) {
-            lines.push(`wireVariable({`);
-            lines.push(`  name: '${name}_${field}',`);
-            lines.push(`  displayName: '${def.displayName} ${capitalize(field)}',`);
-            lines.push(`  description: '${meta.description}',`);
-            lines.push(`  variableId: '${meta.variableId}',`);
-            lines.push(`  schema: z.string(),`);
-            lines.push(`})`);
-            lines.push('');
+            // PKU111 requires `schema` to be a variable reference, not an inline
+            // expression — so each variable gets a named schema const.
+            const schemaName = variableSchemaName(name, field);
+            secrets.push(`export const ${schemaName} = z.string()`);
+            secrets.push('');
+            secrets.push(`wireVariable({`);
+            secrets.push(`  name: '${name}_${field}',`);
+            secrets.push(`  displayName: '${def.displayName} ${capitalize(field)}',`);
+            secrets.push(`  description: '${meta.description}',`);
+            secrets.push(`  variableId: '${meta.variableId}',`);
+            secrets.push(`  schema: ${schemaName},`);
+            secrets.push(`})`);
+            secrets.push('');
         }
     }
-    // Auth route setup
-    lines.push(`const authRoutes = createAuthRoutes(async (services) => {`);
-    lines.push(`  const secretIds = ['AUTH_SECRET', ${known.map((n) => `'${PROVIDER_REGISTRY[n].secretId}'`).join(', ')}]`);
-    lines.push(`  const secretsMap = new Map(Object.entries(await services.secrets.getSecrets(secretIds)))`);
-    lines.push('');
-    lines.push(`  const authSecret = secretsMap.get('AUTH_SECRET') as string | undefined`);
-    lines.push(`  const providers: any[] = []`);
-    lines.push('');
-    for (const name of known) {
-        const def = PROVIDER_REGISTRY[name];
-        const varName = providerSecretName(name);
-        const hasVariables = def.variables && Object.keys(def.variables).length > 0;
-        lines.push(`  const ${varName}Secrets = secretsMap.get('${def.secretId}')`);
-        lines.push(`  if (${varName}Secrets) {`);
-        lines.push(`    const ${varName}Config = { ...${varName}Secrets as any }`);
-        if (hasVariables && def.variables) {
-            for (const [field, meta] of Object.entries(def.variables)) {
-                lines.push(`    const ${varName}${capitalize(field)} = await services.variables.get('${meta.variableId}')`);
-                lines.push(`    if (${varName}${capitalize(field)} !== undefined) ${varName}Config.${field} = ${varName}${capitalize(field)}`);
-            }
-        }
-        lines.push(`    providers.push(${def.importName}(${varName}Config))`);
-        lines.push(`  }`);
+    // ─── Wiring file: handler + catch-all routes + session middleware ─────────
+    // Provider/plugin metadata for the console SSO page is emitted separately as
+    // `auth-meta.gen.json` (see serializeAuthMeta) rather than wired into the
+    // runtime, so it is available without evaluating the better-auth factory.
+    const wiring = [
+        '// AUTO-GENERATED by pikku CLI — do not edit',
+        '',
+        `import { pikkuSessionlessFunc, wireHTTPRoutes, addHTTPMiddleware } from '${pikkuTypesImportPath}'`,
+        `import { createAuthHandler, betterAuthSession } from '@pikku/better-auth'`,
+        `import '${configImportPath}'`,
+        '',
+        // createAuthHandler is called once at module load; the exported handler is a
+        // plain arrow (so the inspector can resolve a valid `func`) that delegates to
+        // it. The handler's required services are stamped onto its meta by the
+        // inspector from the pikkuBetterAuth factory.
+        `const authConfigHandler = createAuthHandler()`,
+        `export const ${AUTH_HANDLER_FUNC_ID} = pikkuSessionlessFunc({`,
+        `  func: (services: any, data: any, interaction: any) =>`,
+        `    authConfigHandler.func(services, data, interaction),`,
+        `})`,
+        '',
+        // Bridge the better-auth session into the Pikku session on every request.
+        `addHTTPMiddleware('*', [betterAuthSession()])`,
+        '',
+        `wireHTTPRoutes({`,
+        `  routes: {`,
+    ];
+    // One catch-all route per method. `{/*splat}` matches both the bare basePath
+    // and every sub-path under it, so better-auth's internal router sees the full
+    // request and handles all of its own endpoints.
+    for (const method of AUTH_METHODS) {
+        wiring.push(`    ${method}AuthCatchAll: { method: '${method}', route: '${basePath}{/*splat}', func: ${AUTH_HANDLER_FUNC_ID}, auth: false },`);
     }
-    lines.push('');
-    lines.push(`  return {`);
-    lines.push(`    providers,`);
-    lines.push(`    secret: authSecret,`);
-    lines.push(`    trustHost: true,`);
-    lines.push(`    basePath: '/auth',`);
-    lines.push(`  }`);
-    lines.push(`})`);
-    lines.push('');
-    lines.push(`wireHTTPRoutes({ routes: { auth: authRoutes } })`);
-    lines.push('');
-    return lines.join('\n');
+    wiring.push(`  },`);
+    wiring.push(`})`);
+    wiring.push('');
+    return { wiring: wiring.join('\n'), secrets: secrets.join('\n') };
 };

package/dist/src/functions/wirings/auth/serialize-auth-meta.d.ts

@@ -0,0 +1,32 @@
+import type { AuthDefinition } from '@pikku/inspector';
+export interface AuthMetaProvider {
+    id: string;
+    displayName: string;
+    secretId: string;
+}
+export interface AuthMetaPlugin {
+    id: string;
+    displayName: string;
+}
+/**
+ * The contents of `auth-meta.gen.json` — the static description of a project's
+ * Better Auth configuration the console SSO page reads (via getAuthProviders) to
+ * show which social providers and plugins are enabled. Replaces the previous
+ * runtime `setAuthRegistry`/`getAuthRegistry` mechanism with a generated file
+ * following the `*-meta.gen.json` convention.
+ */
+export interface AuthMeta {
+    basePath: string;
+    hasCredentials: boolean;
+    providers: AuthMetaProvider[];
+    plugins: AuthMetaPlugin[];
+}
+/**
+ * Builds the `auth-meta.gen.json` payload from the inspected auth definition.
+ *
+ * Only providers known to {@link PROVIDER_REGISTRY} are emitted (the same ones
+ * the CLI wires a secret for); unknown keys (e.g. wired via the genericOAuth
+ * plugin) are dropped since they have no secret metadata. Every plugin id from
+ * the config is emitted, enriched with a display name.
+ */
+export declare const serializeAuthMeta: (definition: AuthDefinition, providers: string[]) => AuthMeta;

package/dist/src/functions/wirings/auth/serialize-auth-meta.js

@@ -0,0 +1,23 @@
+import { PROVIDER_REGISTRY, pluginDisplayName } from '@pikku/better-auth';
+/**
+ * Builds the `auth-meta.gen.json` payload from the inspected auth definition.
+ *
+ * Only providers known to {@link PROVIDER_REGISTRY} are emitted (the same ones
+ * the CLI wires a secret for); unknown keys (e.g. wired via the genericOAuth
+ * plugin) are dropped since they have no secret metadata. Every plugin id from
+ * the config is emitted, enriched with a display name.
+ */
+export const serializeAuthMeta = (definition, providers) => ({
+    basePath: definition.basePath,
+    hasCredentials: definition.hasCredentials,
+    providers: providers
+        .filter((id) => id in PROVIDER_REGISTRY)
+        .map((id) => {
+        const def = PROVIDER_REGISTRY[id];
+        return { id, displayName: def.displayName, secretId: def.secretId };
+    }),
+    plugins: definition.plugins.map((id) => ({
+        id,
+        displayName: pluginDisplayName(id),
+    })),
+});

package/dist/src/functions/wirings/auth/serialize-auth-types.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Generates `.pikku/auth/auth.types.ts` — a typed wrapper around `pikkuBetterAuth`
+ * from `@pikku/better-auth` that substitutes the project's specific
+ * `SingletonServices` type for the generic `CoreSingletonServices`. This lets
+ * users write:
+ *
+ *   import { pikkuBetterAuth } from '#pikku'
+ *
+ * and get proper autocomplete on the factory's `services` param (e.g.
+ * `(services) => betterAuth({ database: { db: services.kysely } })` types
+ * `services.kysely` as the project's Kysely instance, not the loose `any` from
+ * `CoreSingletonServices`).
+ *
+ * The wrapper also substitutes the project's generated `TypedSecretService` /
+ * `TypedVariablesService` for the base `secrets` / `variables` services and wraps
+ * them at runtime — the same treatment addon services get from
+ * `pikkuAddonServices`. That gives the factory typed, map-aware access:
+ *
+ *   socialProviders: { github: await secrets.getSecret('GITHUB_OAUTH') }
+ *
+ * with no inline `getSecrets<{ ... }>()` generic, because the secret types flow
+ * from the generated `CredentialsMap`.
+ *
+ * The file is re-exported from `.pikku/pikku-types.gen.ts` (the `#pikku` hub)
+ * so the single import resolves correctly.
+ */
+export declare const serializeAuthTypes: (authTypesFile: string, functionTypesFile: string, secretsFile: string, variablesFile: string, packageMappings: Record<string, string>) => string;

package/dist/src/functions/wirings/auth/serialize-auth-types.js

@@ -0,0 +1,58 @@
+import { getFileImportRelativePath } from '../../../utils/file-import-path.js';
+/**
+ * Generates `.pikku/auth/auth.types.ts` — a typed wrapper around `pikkuBetterAuth`
+ * from `@pikku/better-auth` that substitutes the project's specific
+ * `SingletonServices` type for the generic `CoreSingletonServices`. This lets
+ * users write:
+ *
+ *   import { pikkuBetterAuth } from '#pikku'
+ *
+ * and get proper autocomplete on the factory's `services` param (e.g.
+ * `(services) => betterAuth({ database: { db: services.kysely } })` types
+ * `services.kysely` as the project's Kysely instance, not the loose `any` from
+ * `CoreSingletonServices`).
+ *
+ * The wrapper also substitutes the project's generated `TypedSecretService` /
+ * `TypedVariablesService` for the base `secrets` / `variables` services and wraps
+ * them at runtime — the same treatment addon services get from
+ * `pikkuAddonServices`. That gives the factory typed, map-aware access:
+ *
+ *   socialProviders: { github: await secrets.getSecret('GITHUB_OAUTH') }
+ *
+ * with no inline `getSecrets<{ ... }>()` generic, because the secret types flow
+ * from the generated `CredentialsMap`.
+ *
+ * The file is re-exported from `.pikku/pikku-types.gen.ts` (the `#pikku` hub)
+ * so the single import resolves correctly.
+ */
+export const serializeAuthTypes = (authTypesFile, functionTypesFile, secretsFile, variablesFile, packageMappings) => {
+    const functionTypesImport = getFileImportRelativePath(authTypesFile, functionTypesFile, packageMappings);
+    const secretsImport = getFileImportRelativePath(authTypesFile, secretsFile, packageMappings);
+    const variablesImport = getFileImportRelativePath(authTypesFile, variablesFile, packageMappings);
+    return [
+        '// AUTO-GENERATED by pikku CLI — do not edit',
+        '',
+        `import { pikkuBetterAuth as _pikkuBetterAuth } from '@pikku/better-auth'`,
+        `import type { BetterAuthInstance, PikkuBetterAuthFactory } from '@pikku/better-auth'`,
+        `import type { SingletonServices } from '${functionTypesImport}'`,
+        `import { TypedSecretService } from '${secretsImport}'`,
+        `import { TypedVariablesService } from '${variablesImport}'`,
+        '',
+        `type AuthSingletonServices = Omit<SingletonServices, 'secrets' | 'variables'> & {`,
+        `  secrets: TypedSecretService`,
+        `  variables: TypedVariablesService`,
+        `}`,
+        '',
+        `export const pikkuBetterAuth = <I extends BetterAuthInstance>(`,
+        `  factory: (services: AuthSingletonServices) => I | Promise<I>`,
+        `): PikkuBetterAuthFactory<I> =>`,
+        `  _pikkuBetterAuth((services) =>`,
+        `    factory({`,
+        `      ...services,`,
+        `      secrets: new TypedSecretService(services.secrets),`,
+        `      variables: new TypedVariablesService(services.variables),`,
+        `    } as AuthSingletonServices)`,
+        `  )`,
+        '',
+    ].join('\n');
+};

package/dist/src/functions/wirings/functions/pikku-command-function-types.d.ts

@@ -1 +1,7 @@
-export declare const pikkuFunctionTypes: import("#pikku").PikkuFunctionConfig<void, void, "rpc" | "session", import("#pikku").PikkuFunctionSessionless<void, void, "rpc" | "session", import("#pikku").Services> | import("#pikku").PikkuFunction<void, void, "rpc" | "session", import("#pikku").Services>, undefined, undefined>;
+export declare const pikkuFunctionTypes: import("#pikku").PikkuFunctionConfig<{
+    bootstrap?: boolean;
+}, void, "rpc" | "session", import("#pikku").PikkuFunctionSessionless<{
+    bootstrap?: boolean;
+}, void, "rpc" | "session", import("#pikku").Services> | import("#pikku").PikkuFunction<{
+    bootstrap?: boolean;
+}, void, "rpc" | "session", import("#pikku").Services>, undefined, undefined>;

package/dist/src/functions/wirings/functions/pikku-command-function-types.js

@@ -4,14 +4,27 @@ import { writeFileInDir } from '../../../utils/file-writer.js';
 import { logCommandInfoAndTime } from '../../../middleware/log-command-info-and-time.js';
 import { serializePikkuTypesHub } from './serialize-pikku-types-hub.js';
 export const pikkuFunctionTypes = pikkuSessionlessFunc({
-    func: async ({ logger, config }) => {
-        const { typesDeclarationFile: typesFile, packageMappings, functionTypesFile, httpTypesFile, channelsTypesFile, triggersTypesFile, schedulersTypesFile, queueTypesFile, mcpTypesFile, cliTypesFile, nodeTypesFile, secretTypesFile, addonTypesFile, } = config;
+    func: async ({ logger, config, getInspectorState }, data) => {
+        const { typesDeclarationFile: typesFile, packageMappings, functionTypesFile, httpTypesFile, channelsTypesFile, triggersTypesFile, schedulersTypesFile, queueTypesFile, mcpTypesFile, cliTypesFile, nodeTypesFile, secretTypesFile, addonTypesFile, authTypesFile, } = config;
         const getImportPath = (file) => config.addon
             ? null
             : getFileImportRelativePath(typesFile, file, packageMappings);
         // Node and trigger types are included for addon packages
         const getAlwaysImportPath = (file) => getFileImportRelativePath(typesFile, file, packageMappings);
-        const content = serializePikkuTypesHub(getFileImportRelativePath(typesFile, functionTypesFile, packageMappings), getImportPath(httpTypesFile), getImportPath(channelsTypesFile), getAlwaysImportPath(triggersTypesFile), getImportPath(schedulersTypesFile), getImportPath(queueTypesFile), getImportPath(mcpTypesFile), getImportPath(cliTypesFile), getAlwaysImportPath(nodeTypesFile), getAlwaysImportPath(secretTypesFile), config.addon ? getAlwaysImportPath(addonTypesFile) : null);
+        // Include the typed pikkuBetterAuth re-export only when the project has a
+        // pikkuBetterAuth declaration. This avoids importing @pikku/better-auth in
+        // projects that don't use it.
+        //
+        // Skip inspector state entirely during cold bootstrap: .pikku doesn't exist
+        // yet, so a full inspect would runtime-import user files that themselves
+        // import `.pikku/pikku-types.gen.js` — deadlocking before this step can
+        // write that very file. The auth re-export is added on the later
+        // post-inspect pass (where .pikku already exists) instead.
+        const state = data?.bootstrap ? null : await getInspectorState();
+        const authTypesImportPath = authTypesFile && state?.auth.definition
+            ? getFileImportRelativePath(typesFile, authTypesFile, packageMappings)
+            : null;
+        const content = serializePikkuTypesHub(getFileImportRelativePath(typesFile, functionTypesFile, packageMappings), getImportPath(httpTypesFile), getImportPath(channelsTypesFile), getAlwaysImportPath(triggersTypesFile), getImportPath(schedulersTypesFile), getImportPath(queueTypesFile), getImportPath(mcpTypesFile), getImportPath(cliTypesFile), getAlwaysImportPath(nodeTypesFile), getAlwaysImportPath(secretTypesFile), config.addon ? getAlwaysImportPath(addonTypesFile) : null, authTypesImportPath);
         await writeFileInDir(logger, typesFile, content);
     },
     middleware: [

package/dist/src/functions/wirings/functions/pikku-command-services.d.ts

@@ -1,2 +1,2 @@
-export declare const serializeServicesMap: (allSingletonServices: string[], allWireServices: string[], requiredServices: Set<string>, forceRequiredServices: string[] | undefined, servicesImport: string, wireServicesImport: string, addonRequiredParentServices?: string[]) => string;
+export declare const serializeServicesMap: (allSingletonServices: string[], allWireServices: string[], requiredServices: Set<string>, forceRequiredServices: string[] | undefined, servicesImport: string, wireServicesImport: string, addonRequiredParentServices?: string[], authInjected?: boolean) => string;
 export declare const pikkuServices: import("#pikku").PikkuFunctionConfig<void, void, "rpc" | "session", import("#pikku").PikkuFunctionSessionless<void, void, "rpc" | "session", import("#pikku").Services> | import("#pikku").PikkuFunction<void, void, "rpc" | "session", import("#pikku").Services>, undefined, undefined>;

package/dist/src/functions/wirings/functions/pikku-command-services.js

@@ -3,7 +3,7 @@ import { getFileImportRelativePath } from '../../../utils/file-import-path.js';
 import { checkRequiredTypes } from '../../../utils/check-required-types.js';
 import { writeFileInDir } from '../../../utils/file-writer.js';
 import { logCommandInfoAndTime } from '../../../middleware/log-command-info-and-time.js';
-export const serializeServicesMap = (allSingletonServices, allWireServices, requiredServices, forceRequiredServices = [], servicesImport, wireServicesImport, addonRequiredParentServices = []) => {
+export const serializeServicesMap = (allSingletonServices, allWireServices, requiredServices, forceRequiredServices = [], servicesImport, wireServicesImport, addonRequiredParentServices = [], authInjected = false) => {
     // Use pre-aggregated services from inspector state
     // This includes services from:
     // - Wired functions (HTTP, channels, queues, schedulers, MCP, CLI, RPC)
@@ -32,6 +32,13 @@ export const serializeServicesMap = (allSingletonServices, allWireServices, requ
     // Services that are always required internally by the framework
     const defaultServices = ['config', 'logger', 'variables', 'schema', 'secrets'];
     defaultServices.forEach((service) => usedServices.add(service));
+    // When a pikkuBetterAuth factory is present, the generated `pikkuServices`
+    // wrapper always injects a resolved `auth` singleton. Mark it required so
+    // RequiredSingletonServices keeps `auth` non-optional and stays assignable
+    // to a SingletonServices type that types `auth` from the factory's return.
+    if (authInjected) {
+        usedServices.add('auth');
+    }
     // Create singleton services map: all singleton services with true/false based on usage
     const singletonServicesMap = {};
     allSingletonServices.forEach((service) => {
@@ -103,7 +110,7 @@ export const pikkuServices = pikkuSessionlessFunc({
         }
         const servicesImport = `import type { ${singletonServicesType.type} } from '${getFileImportRelativePath(config.typesDeclarationFile, singletonServicesType.typePath, config.packageMappings)}'`;
         const wireServicesImport = `import type { ${wireServicesType.type} } from '${getFileImportRelativePath(config.typesDeclarationFile, wireServicesType.typePath, config.packageMappings)}'`;
-        const servicesCode = serializeServicesMap(visitState.serviceAggregation.allSingletonServices, visitState.serviceAggregation.allWireServices, visitState.serviceAggregation.requiredServices, config.forceRequiredServices, servicesImport, wireServicesImport, config.addonName ? visitState.addonRequiredParentServices : []);
+        const servicesCode = serializeServicesMap(visitState.serviceAggregation.allSingletonServices, visitState.serviceAggregation.allWireServices, visitState.serviceAggregation.requiredServices, config.forceRequiredServices, servicesImport, wireServicesImport, config.addonName ? visitState.addonRequiredParentServices : [], Boolean(visitState.auth?.definition));
         await writeFileInDir(logger, config.servicesFile, servicesCode);
     },
     middleware: [

package/dist/src/functions/wirings/functions/serialize-function-types.js

@@ -629,12 +629,26 @@ export const pikkuConfig = (
  * \`\`\`
  */
 export const pikkuServices = (
-  func: (config: Config, existingServices: Partial<SingletonServices>) => Promise<RequiredSingletonServices>
+  func: (config: Config, existingServices: Partial<SingletonServices>) => Promise<Omit<RequiredSingletonServices, 'auth'>>
 ) => {
   return async (config: Config, existingServices: Partial<SingletonServices> = {}) => {
     const services = await func(config, existingServices)
-    __pikkuState(null, 'package', 'singletonServices', services as any)
-    return services
+    const authFactory = __pikkuState(null, 'package', 'authFactory')
+    if (authFactory) {
+      let authInstance: Promise<unknown> | undefined
+      ;(services as any).auth = () => {
+        authInstance ??= Promise.resolve()
+          .then(() => authFactory(services as any))
+          .catch((error) => {
+            authInstance = undefined
+            throw error
+          })
+        return authInstance
+      }
+    }
+    const resolved = services as RequiredSingletonServices
+    __pikkuState(null, 'package', 'singletonServices', resolved as any)
+    return resolved
   }
 }
 

package/dist/src/functions/wirings/functions/serialize-pikku-types-hub.d.ts

@@ -1,4 +1,4 @@
 /**
  * Generates the main pikku-types.gen.ts file as a re-export hub
  */
-export declare const serializePikkuTypesHub: (functionTypesImportPath: string, httpTypesImportPath: string | null, channelTypesImportPath: string | null, triggerTypesImportPath: string | null, schedulerTypesImportPath: string | null, queueTypesImportPath: string | null, mcpTypesImportPath: string | null, cliTypesImportPath: string | null, nodeTypesImportPath: string | null, secretTypesImportPath: string | null, addonTypesImportPath: string | null) => string;
+export declare const serializePikkuTypesHub: (functionTypesImportPath: string, httpTypesImportPath: string | null, channelTypesImportPath: string | null, triggerTypesImportPath: string | null, schedulerTypesImportPath: string | null, queueTypesImportPath: string | null, mcpTypesImportPath: string | null, cliTypesImportPath: string | null, nodeTypesImportPath: string | null, secretTypesImportPath: string | null, addonTypesImportPath: string | null, authTypesImportPath?: string | null) => string;

package/dist/src/functions/wirings/functions/serialize-pikku-types-hub.js

@@ -1,7 +1,7 @@
 /**
  * Generates the main pikku-types.gen.ts file as a re-export hub
  */
-export const serializePikkuTypesHub = (functionTypesImportPath, httpTypesImportPath, channelTypesImportPath, triggerTypesImportPath, schedulerTypesImportPath, queueTypesImportPath, mcpTypesImportPath, cliTypesImportPath, nodeTypesImportPath, secretTypesImportPath, addonTypesImportPath) => {
+export const serializePikkuTypesHub = (functionTypesImportPath, httpTypesImportPath, channelTypesImportPath, triggerTypesImportPath, schedulerTypesImportPath, queueTypesImportPath, mcpTypesImportPath, cliTypesImportPath, nodeTypesImportPath, secretTypesImportPath, addonTypesImportPath, authTypesImportPath = null) => {
     const exports = [
         {
             comment: 'Core function, middleware, and permission types',
@@ -17,6 +17,7 @@ export const serializePikkuTypesHub = (functionTypesImportPath, httpTypesImportP
         { comment: 'Node wiring types', path: nodeTypesImportPath },
         { comment: 'Secret definition types', path: secretTypesImportPath },
         { comment: 'Addon types', path: addonTypesImportPath },
+        { comment: 'Auth types (typed pikkuBetterAuth re-export)', path: authTypesImportPath },
     ];
     const exportStatements = exports
         .filter((e) => e.path)

package/dist/src/functions/workflows/all.workflow.js

@@ -30,7 +30,9 @@ export const allWorkflow = pikkuWorkflowComplexFunc({
             logger.debug(`• .pikku directory not found, running bootstrap first...`);
             await workflow.do('Bootstrap inspect', async () => getInspectorState(false, true, true));
             await workflow.do('Bootstrap function types split', 'pikkuFunctionTypesSplit', { bootstrap: true });
-            await workflow.do('Bootstrap function types', 'pikkuFunctionTypes', null);
+            await workflow.do('Bootstrap function types', 'pikkuFunctionTypes', {
+                bootstrap: true,
+            });
             await workflow.do('Bootstrap addon types', 'pikkuAddonTypes', {
                 bootstrap: true,
             });
@@ -66,7 +68,7 @@ export const allWorkflow = pikkuWorkflowComplexFunc({
                 await workflow.do(`Scaffold ${generator}`, generator, null);
             }
         }
-        await workflow.do('Generate function types', 'pikkuFunctionTypes', null);
+        await workflow.do('Generate function types', 'pikkuFunctionTypes', {});
         if (!typesDeclarationFileExists || missingScaffolds.length > 0) {
             logger.debug(`• Type file or scaffolds first created, inspecting again...`);
             await workflow.do('Re-inspect after types', async () => getInspectorState(true));
@@ -130,6 +132,18 @@ export const allWorkflow = pikkuWorkflowComplexFunc({
         if (agents || !config.addon) {
             await workflow.do('Re-inspect after agents', async () => getInspectorState(true));
         }
+        // pikkuAuth generates auth-secrets.gen.ts (with wireSecret calls) inside the
+        // Promise.all above, but pikkuSecrets runs concurrently from the pre-auth
+        // inspector state. Re-run secret/credential/variable codegen now so that the
+        // freshly-generated auth-secrets.gen.ts (just picked up by Re-inspect above)
+        // is reflected in pikku-secrets-meta.gen.json.
+        if ((await getInspectorState()).auth.definition) {
+            await Promise.all([
+                workflow.do('Secrets (post-auth)', 'pikkuSecrets', null),
+                workflow.do('Credentials (post-auth)', 'pikkuCredentials', null),
+                workflow.do('Variables (post-auth)', 'pikkuVariables', null),
+            ]);
+        }
         const schemas = await workflow.do('Schemas', 'pikkuSchemas', null);
         if (schemas) {
             allImports.push(`${config.schemaDirectory}/register.gen.ts`);

package/dist/src/scaffold/rpc-remote.gen.js

@@ -1,5 +1,5 @@
 /**
- * This file was generated by @pikku/cli@0.12.35
+ * This file was generated by @pikku/cli@0.12.37
  */
 /**
  * Auto-generated remote internal RPC queue worker and HTTP endpoint

package/dist/src/services.js

@@ -187,6 +187,14 @@ export const createSingletonServices = async (config) => {
                 config.workflowRoutesFile,
                 config.publicRpcFile,
                 config.publicAgentFile,
+                // The auth scaffold (catch-all routes + session middleware) and its
+                // sibling secrets file (wireSecret per provider) are generated into the
+                // scaffold dir, which may live outside srcDirectories (e.g. a project's
+                // `pikku/` dir). Add them explicitly so their wirings are inspected.
+                config.authFile,
+                config.authFile
+                    ? path.join(path.dirname(config.authFile), 'auth-secrets.gen.ts')
+                    : undefined,
             ];
             for (const file of scaffoldFiles) {
                 if (file && !wiringFiles.includes(file) && existsSync(file)) {

package/dist/src/utils/pikku-cli-config.js

@@ -197,6 +197,15 @@ const _getPikkuCLIConfig = async (logger, configFile = undefined, requiredFields
         if (result.scaffold?.console && !result.consoleFunctionsFile) {
             result.consoleFunctionsFile = join(resolvedScaffoldDir, 'console.gen.ts');
         }
+        if (!result.authFile) {
+            result.authFile = join(resolvedScaffoldDir, 'auth.gen.ts');
+        }
+        if (!result.authTypesFile) {
+            result.authTypesFile = join(result.outDir, 'auth', 'auth.types.ts');
+        }
+        if (!result.authMetaJsonFile) {
+            result.authMetaJsonFile = join(result.outDir, 'auth', 'pikku-auth-meta.gen.json');
+        }
         if (result.scaffold?.events && !result.eventsChannelFile) {
             result.eventsChannelFile = join(resolvedScaffoldDir, 'events.gen.ts');
         }
@@ -422,6 +431,9 @@ const _getPikkuCLIConfig = async (logger, configFile = undefined, requiredFields
         if (result.authFile && !isAbsolute(result.authFile)) {
             result.authFile = join(result.configDir, result.authFile);
         }
+        if (result.authTypesFile && !isAbsolute(result.authTypesFile)) {
+            result.authTypesFile = join(result.configDir, result.authTypesFile);
+        }
         if (!isAbsolute(result.tsconfig)) {
             result.tsconfig = join(result.rootDir, result.tsconfig);
         }