@pikku/cli 0.12.43 → 0.12.44

package/dist/src/fabric/functions/add.function.js

@@ -0,0 +1,144 @@
+import { z } from 'zod';
+import { readFile, mkdir, rm, writeFile, rename } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname, isAbsolute, join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { execFileSync } from 'node:child_process';
+import { pikkuSessionlessFunc } from '../../../.pikku/pikku-types.gen.js';
+import { resolveApiContext } from '../lib/config.js';
+export const FabricAddInput = z.object({
+    id: z.string(),
+    dir: z.string().optional(),
+    apiUrl: z.string().optional(),
+});
+export const FabricAddOutput = z.object({
+    id: z.string(),
+    name: z.string(),
+    version: z.string(),
+    path: z.string(),
+});
+/** Walk up from cwd to find the project root (the dir with package.json). */
+function resolveProjectRoot() {
+    let dir = process.cwd();
+    while (true) {
+        if (existsSync(join(dir, 'package.json')))
+            return dir;
+        const parent = dirname(dir);
+        if (parent === dir)
+            return process.cwd();
+        dir = parent;
+    }
+}
+/** Read `addons.addonDir` from pikku.config.json if present (json only). */
+async function readAddonDirFromConfig(root) {
+    const cfgPath = join(root, 'pikku.config.json');
+    if (!existsSync(cfgPath))
+        return undefined;
+    try {
+        const cfg = JSON.parse(await readFile(cfgPath, 'utf8'));
+        return cfg.addons?.addonDir;
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Ensure the root package.json `workspaces` glob covers `<addonDir>/*`, so a
+ *  later `yarn install` symlinks the addon into node_modules and `wireAddon`
+ *  resolves it by package name. */
+async function ensureWorkspaceGlob(root, addonDir) {
+    const pkgPath = join(root, 'package.json');
+    const pkg = JSON.parse(await readFile(pkgPath, 'utf8'));
+    const glob = `${addonDir}/*`;
+    const objectForm = !Array.isArray(pkg.workspaces) && pkg.workspaces != null;
+    const list = Array.isArray(pkg.workspaces)
+        ? pkg.workspaces
+        : (pkg.workspaces?.packages ?? []);
+    if (list.includes(glob))
+        return;
+    list.push(glob);
+    if (objectForm)
+        pkg.workspaces.packages = list;
+    else
+        pkg.workspaces = list;
+    await writeFile(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+}
+/** Record install provenance in pikku-addons.json — CLI-owned, so we know which
+ *  registry package + version a folder came from even after the user forks it. */
+async function recordInstall(root, name, rec) {
+    const p = join(root, 'pikku-addons.json');
+    let data = {};
+    if (existsSync(p)) {
+        try {
+            data = JSON.parse(await readFile(p, 'utf8'));
+        }
+        catch {
+            data = {};
+        }
+    }
+    data[name] = rec;
+    await writeFile(p, JSON.stringify(data, null, 2) + '\n');
+}
+/**
+ * Install a community-registry addon shadcn-style: the source is copied into
+ * `<addonDir>/<name>/` (default `addons/`, top-level so it sits outside the
+ * app's TS scan and never collides with the project's own CoreConfig). The dir
+ * is registered as a yarn workspace, so `yarn install` symlinks it into
+ * node_modules and `wireAddon({ package })` resolves it by name unchanged.
+ *
+ * Provenance (registry id + version) is recorded in pikku-addons.json, which is
+ * CLI-owned and survives the user editing/forking the copied source.
+ */
+export const FabricAdd = pikkuSessionlessFunc({
+    description: 'Install an addon from the Fabric community registry into addons/ (shadcn-style).',
+    input: FabricAddInput,
+    output: FabricAddOutput,
+    func: async (_services, { id, dir, apiUrl: apiUrlOverride }) => {
+        const ctx = await resolveApiContext({ apiUrlOverride });
+        // 1. resolve a presigned download URL (public read)
+        const metaRes = await fetch(`${ctx.apiUrl}/registry/packages/${encodeURIComponent(id)}/download`);
+        if (!metaRes.ok)
+            throw new Error(`download lookup failed → ${metaRes.status}: ${await metaRes.text()}`);
+        const { url } = (await metaRes.json());
+        // 2. fetch the artifact
+        const dl = await fetch(url);
+        if (!dl.ok)
+            throw new Error(`artifact fetch failed → ${dl.status}`);
+        const artifact = Buffer.from(await dl.arrayBuffer());
+        const root = resolveProjectRoot();
+        const addonDir = dir ?? (await readAddonDirFromConfig(root)) ?? 'addons';
+        const addonRoot = isAbsolute(addonDir) ? addonDir : join(root, addonDir);
+        // 3. stage inside addonRoot (same filesystem — no EXDEV on the final move)
+        //    and strip npm-pack's `package/` prefix. The dir name isn't known until
+        //    we read the artifact's package.json.
+        await mkdir(addonRoot, { recursive: true });
+        const staging = join(addonRoot, `.pikku-add-${id}-${Date.now()}`);
+        await mkdir(staging, { recursive: true });
+        const tmp = join(tmpdir(), `pikku-add-${id}.tgz`);
+        await writeFile(tmp, artifact);
+        try {
+            execFileSync('tar', ['-xzf', tmp, '-C', staging, '--strip-components=1']);
+            await rm(tmp, { force: true });
+            const pkg = JSON.parse(await readFile(join(staging, 'package.json'), 'utf8'));
+            if (!pkg.name)
+                throw new Error('artifact package.json is missing a "name" field');
+            const version = pkg.version ?? '0.0.0';
+            // shadcn copy: folder is the last segment of the (scoped) package name
+            const folder = pkg.name.split('/').pop();
+            const target = join(addonRoot, folder);
+            await rm(target, { recursive: true, force: true });
+            await rename(staging, target);
+            // 4. register the workspace glob + record provenance (skip glob for an
+            //    absolute --dir override — it can't be a relative workspace pattern)
+            if (!isAbsolute(addonDir))
+                await ensureWorkspaceGlob(root, addonDir);
+            await recordInstall(root, pkg.name, { id, version });
+            console.log(`[fabric] installed ${pkg.name}@${version} → ${target}`);
+            console.log('[fabric] run `yarn install` to link it into node_modules');
+            return { id, name: pkg.name, version, path: target };
+        }
+        finally {
+            await rm(staging, { recursive: true, force: true });
+            await rm(tmp, { force: true });
+        }
+    },
+});

package/dist/src/fabric/functions/publish.function.d.ts

@@ -0,0 +1,45 @@
+import { z } from 'zod';
+export declare const FabricPublishInput: z.ZodObject<{
+    dir: z.ZodOptional<z.ZodString>;
+    apiUrl: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const FabricPublishOutput: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    version: z.ZodString;
+    publisher: z.ZodNullable<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Publish a package to the Fabric community registry. Packs the directory into
+ * a gzipped tar, requests a short-lived presigned upload URL, PUTs the artifact
+ * to R2, then finalizes the publish so the catalogue indexes it. Authenticated
+ * as the logged-in user (the package is attributed to their org or person).
+ *
+ * Generating the package contents (`.pikku/` meta etc.) is a separate step;
+ * this command only packages + uploads what's already in the directory.
+ */
+export declare const FabricPublish: import("../../../.pikku/pikku-types.gen.js").PikkuFunctionConfig<{
+    dir?: string | undefined;
+    apiUrl?: string | undefined;
+}, {
+    id: string;
+    name: string;
+    version: string;
+    publisher: string | null;
+}, "session" | "rpc", import("../../../.pikku/pikku-types.gen.js").PikkuFunctionSessionless<{
+    dir?: string | undefined;
+    apiUrl?: string | undefined;
+}, {
+    id: string;
+    name: string;
+    version: string;
+    publisher: string | null;
+}, "session" | "rpc", import("../../../types/application-types.js").Services> | import("../../../.pikku/pikku-types.gen.js").PikkuFunction<{
+    dir?: string | undefined;
+    apiUrl?: string | undefined;
+}, {
+    id: string;
+    name: string;
+    version: string;
+    publisher: string | null;
+}, "session" | "rpc", import("../../../types/application-types.js").Services>, undefined, undefined>;

package/dist/src/fabric/functions/publish.function.js

@@ -0,0 +1,85 @@
+import { z } from 'zod';
+import { readFile } from 'node:fs/promises';
+import { existsSync, readFileSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { execFileSync } from 'node:child_process';
+import { pikkuSessionlessFunc } from '../../../.pikku/pikku-types.gen.js';
+import { resolveApiContext } from '../lib/config.js';
+export const FabricPublishInput = z.object({
+    dir: z.string().optional(),
+    apiUrl: z.string().optional(),
+});
+export const FabricPublishOutput = z.object({
+    id: z.string(),
+    name: z.string(),
+    version: z.string(),
+    publisher: z.string().nullable(),
+});
+/**
+ * Publish a package to the Fabric community registry. Packs the directory into
+ * a gzipped tar, requests a short-lived presigned upload URL, PUTs the artifact
+ * to R2, then finalizes the publish so the catalogue indexes it. Authenticated
+ * as the logged-in user (the package is attributed to their org or person).
+ *
+ * Generating the package contents (`.pikku/` meta etc.) is a separate step;
+ * this command only packages + uploads what's already in the directory.
+ */
+export const FabricPublish = pikkuSessionlessFunc({
+    description: 'Publish a package directory to the Fabric community registry.',
+    input: FabricPublishInput,
+    output: FabricPublishOutput,
+    func: async (_services, { dir, apiUrl: apiUrlOverride }) => {
+        const ctx = await resolveApiContext({ apiUrlOverride });
+        if (!ctx.token)
+            throw new Error('Not logged in. Run `pikku fabric login` first.');
+        const packageDir = dir ?? process.cwd();
+        const pkgPath = join(packageDir, 'package.json');
+        if (!existsSync(pkgPath))
+            throw new Error(`No package.json found in ${packageDir}`);
+        const pkg = JSON.parse(await readFile(pkgPath, 'utf8'));
+        if (!pkg.name || !pkg.version)
+            throw new Error('package.json must have a name and version');
+        // Pack via `npm pack` so the artifact honours the package's `files` field
+        // (ship src/.pikku/types, not build/VCS noise) and matches the layout a
+        // normal install produces. npm nests contents under `package/`; the
+        // registry ingestion and `pikku fabric add` both handle that prefix.
+        const packDir = join(tmpdir(), `pikku-publish-${Date.now()}`);
+        mkdirSync(packDir, { recursive: true });
+        const packOut = execFileSync('npm', ['pack', '--json', '--pack-destination', packDir], { cwd: packageDir, encoding: 'utf8' });
+        const tgzName = JSON.parse(packOut)[0].filename;
+        const artifact = readFileSync(join(packDir, tgzName));
+        const headers = {
+            authorization: `Bearer ${ctx.token}`,
+            'content-type': 'application/json',
+        };
+        const post = async (path, body) => {
+            const r = await fetch(`${ctx.apiUrl}${path}`, {
+                method: 'POST',
+                headers,
+                body: JSON.stringify(body),
+            });
+            if (!r.ok)
+                throw new Error(`POST ${path} → ${r.status}: ${await r.text()}`);
+            return r.json();
+        };
+        // 1. presigned upload URL (short-lived)
+        const { uploadUrl, artifactKey } = await post('/registry/packages/publish-url', { packageName: pkg.name, version: pkg.version });
+        // 2. PUT the artifact to the exact signed URL (no extra headers — the URL
+        //    is signed over host only; mismatched headers break the signature).
+        const put = await fetch(uploadUrl, { method: 'PUT', body: artifact });
+        if (!put.ok)
+            throw new Error(`upload failed → ${put.status}: ${await put.text()}`);
+        // 3. finalize — server reads the artifact back, extracts meta, indexes it
+        const entry = await post('/registry/packages/publish', { artifactKey });
+        const publisher = entry.publisher?.name ?? null;
+        console.log(`[fabric] published ${entry.name}@${entry.version} (id=${entry.id})` +
+            (publisher ? ` as ${publisher}` : ''));
+        return {
+            id: entry.id,
+            name: entry.name,
+            version: entry.version,
+            publisher,
+        };
+    },
+});

package/dist/src/fabric/functions/validate-core.d.ts

@@ -6,9 +6,9 @@ export declare const FabricValidateOutput: z.ZodObject<{
     findings: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         severity: z.ZodEnum<{
-            info: "info";
             warn: "warn";
             error: "error";
+            info: "info";
         }>;
         message: z.ZodString;
         path: z.ZodString;

package/dist/src/fabric/functions/validate.function.d.ts

@@ -6,9 +6,9 @@ export declare const FabricValidateOutput: z.ZodObject<{
     findings: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         severity: z.ZodEnum<{
-            info: "info";
             warn: "warn";
             error: "error";
+            info: "info";
         }>;
         message: z.ZodString;
         path: z.ZodString;
@@ -21,7 +21,7 @@ export declare const FabricValidate: import("../../../.pikku/pikku-types.gen.js"
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;
@@ -31,7 +31,7 @@ export declare const FabricValidate: import("../../../.pikku/pikku-types.gen.js"
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;
@@ -41,7 +41,7 @@ export declare const FabricValidate: import("../../../.pikku/pikku-types.gen.js"
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;

package/dist/src/fabric/functions/validate.function.js

@@ -59,6 +59,41 @@ async function readTextSafe(path) {
         return null;
     }
 }
+// Minimum @pikku/* versions Fabric requires. The pikku packages are versioned
+// independently (e.g. @pikku/cli moves faster than @pikku/core), so this is a
+// per-package floor map, not a single number. Only listed packages are
+// enforced — others are skipped to avoid false positives on packages with
+// their own (lower) version lines. Bump these as the supported floor moves.
+//   - @pikku/cli  < 0.12.43 ships a `pikku dev` that hangs without ever
+//     listening (the sandbox never serves routes).
+//   - @pikku/core mismatches split pikkuState into duplicate copies, so app
+//     and console routes 404; pin the floor that matches the runtime.
+const PIKKU_MIN_VERSIONS = {
+    '@pikku/cli': '0.12.43',
+    '@pikku/core': '0.12.34',
+};
+// Pull major.minor.patch from a spec, ignoring range prefixes (^ ~ >=),
+// npm: aliases, and pre-release/build suffixes. null if no semver is present
+// (file:, workspace:, *, latest — resolved only at install time).
+function parseSemver(spec) {
+    const m = spec.match(/(\d+)\.(\d+)\.(\d+)/);
+    if (!m)
+        return null;
+    return [parseInt(m[1], 10), parseInt(m[2], 10), parseInt(m[3], 10)];
+}
+function semverLt(a, b) {
+    for (let i = 0; i < 3; i++) {
+        if (a[i] !== b[i])
+            return a[i] < b[i];
+    }
+    return false;
+}
+// Fall back to the installed version when the spec carries no semver
+// (file:/workspace:/* deps resolve to a concrete version on disk).
+async function installedSemver(root, pkg) {
+    const j = await readJsonSafe(join(root, 'node_modules', pkg, 'package.json'));
+    return j?.version ? parseSemver(j.version) : null;
+}
 // PostgreSQL-specific syntax that won't work on SQLite/libSQL (Turso)
 const POSTGRES_SQL_PATTERNS = [
     {
@@ -146,6 +181,59 @@ export async function runValidate(startDir = process.cwd()) {
             }
         }
     }
+    // ── @pikku/* minimum versions ──────────────────────────────────────────
+    // Scan every workspace manifest for @pikku/* deps below the required floor.
+    // A stale @pikku/cli hangs `pikku dev`; a stale @pikku/core duplicates
+    // pikkuState and 404s every route — both are hard blockers, so error.
+    {
+        const manifestPaths = [rootPkgPath];
+        for (const group of ['packages', 'apps']) {
+            const groupDir = join(root, group);
+            if (!existsSync(groupDir))
+                continue;
+            try {
+                for (const d of await readdir(groupDir, { withFileTypes: true })) {
+                    if (d.isDirectory()) {
+                        manifestPaths.push(join(groupDir, d.name, 'package.json'));
+                    }
+                }
+            }
+            catch {
+                // ignore
+            }
+        }
+        const lowestByPkg = new Map();
+        for (const mPath of manifestPaths) {
+            const m = await readJsonSafe(mPath);
+            if (!m)
+                continue;
+            const deps = {
+                ...m.dependencies,
+                ...m.devDependencies,
+                ...m.peerDependencies,
+            };
+            for (const [pkg, spec] of Object.entries(deps)) {
+                if (!pkg.startsWith('@pikku/') || !(pkg in PIKKU_MIN_VERSIONS))
+                    continue;
+                if (typeof spec !== 'string')
+                    continue;
+                const version = parseSemver(spec) ?? (await installedSemver(root, pkg));
+                if (!version)
+                    continue;
+                const prev = lowestByPkg.get(pkg);
+                if (!prev || semverLt(version, prev.version)) {
+                    lowestByPkg.set(pkg, { version, manifest: mPath, spec });
+                }
+            }
+        }
+        for (const [pkg, seen] of lowestByPkg) {
+            const floorStr = PIKKU_MIN_VERSIONS[pkg];
+            const floor = parseSemver(floorStr);
+            if (floor && semverLt(seen.version, floor)) {
+                e(`pikku-version-below-min-${pkg.replace(/[@/]/g, '-')}`, `${pkg} is ${seen.version.join('.')} (spec "${seen.spec}") — Fabric requires >= ${floorStr}`, seen.manifest, lines(`Bump ${pkg} to ^${floorStr} (or newer) and reinstall:`, `  yarn up ${pkg}@^${floorStr}`, 'Then run `yarn install` and re-run `pikku fabric validate`.'));
+            }
+        }
+    }
     // ── packages/functions/ ────────────────────────────────────────────────
     const fnDir = join(root, 'packages', 'functions');
     const functionsSdkPkgName = (await readJsonSafe(join(root, 'packages', 'functions-sdk', 'package.json')))?.name;
@@ -199,6 +287,37 @@ export async function runValidate(startDir = process.cwd()) {
                 e('missing-kysely-sqlite', 'services.ts imports @pikku/kysely-sqlite but it is not in root package.json', rootPkgPath, 'Add "@pikku/kysely-sqlite": "file:./vendor/pikku-kysely-sqlite.tgz" to dependencies');
             }
         }
+        // ── better-auth client baseURL must include the /auth segment ──────────
+        // The Fabric deploy edge keeps the /api prefix for the better-auth unit
+        // (it registers /api/auth/*) and strips /api only for the other units; the
+        // sandbox Caddy mirrors that with a non-stripping /api/auth/* handler. So
+        // the DEFAULT basePath (/api/auth) is the CORRECT server config — do NOT
+        // override it. The real footgun is the client: better-auth appends the
+        // endpoint to baseURL verbatim, so a bare /api baseURL yields
+        // /api/sign-in/email (no /auth) and 404s. The client baseURL must resolve
+        // to /api/auth.
+        const appsDir = join(root, 'apps');
+        if (existsSync(appsDir)) {
+            try {
+                const appFiles = (await readdir(appsDir, { recursive: true })).filter((f) => typeof f === 'string' &&
+                    (f.endsWith('.ts') || f.endsWith('.tsx')) &&
+                    !f.includes('node_modules'));
+                for (const rel of appFiles) {
+                    const text = await readTextSafe(join(appsDir, rel));
+                    if (!text || !/\bcreateAuthClient\s*\(/.test(text))
+                        continue;
+                    const baseURL = text.match(/createAuthClient\s*\([^)]*baseURL\s*:\s*([^,)\n]+)/)?.[1];
+                    // Heuristic: flag a bare /api baseURL with no /auth segment anywhere
+                    // near the client config.
+                    if (baseURL && /['"`]\/api['"`]/.test(baseURL) && !/auth/i.test(baseURL)) {
+                        w('better-auth-client-baseurl-missing-auth', `createAuthClient baseURL is ${baseURL.trim()} — it omits the /auth segment, so the client calls /api/sign-in/email instead of /api/auth/sign-in/email and auth 404s`, join(appsDir, rel), "Append the auth basePath: baseURL: `${apiUrl()}/auth` (resolving to /api/auth)");
+                    }
+                }
+            }
+            catch {
+                // readdir failure — skip
+            }
+        }
         // Database layout is declared by pikku.config.json db.engine.
         const migrationsDir = join(root, 'db', dbEngine === 'postgres' ? 'postgres' : 'sqlite');
         if (!existsSync(migrationsDir)) {

package/dist/src/functions/commands/pikku-command-summary.js

@@ -54,8 +54,9 @@ export const pikkuSummary = pikkuSessionlessFunc({
             // stdout (which would break NDJSON consumers).
             logger.info({ message: summary.format(), type: 'summary' });
         }
-        if (logger.hasCriticalErrors()) {
-            throw new Error('Pikku inspection failed due to critical diagnostics');
+        if (logger.hasBlockingDiagnostics()) {
+            const severities = logger.blockingSeverities().join(', ');
+            throw new Error(`Pikku inspection failed due to ${severities} diagnostics`);
         }
     },
 });

package/dist/src/functions/commands/versions-update.js

@@ -12,11 +12,17 @@ export const pikkuVersionsUpdate = pikkuSessionlessFunc({
         }
         const immutabilityErrors = visitState.manifest.errors.filter((e) => e.code === ErrorCode.FUNCTION_VERSION_MODIFIED);
         if (immutabilityErrors.length > 0) {
+            // A published contract changed without a version bump. We must not save
+            // (that would overwrite an immutable record), but a contract drift should
+            // not crash `pikku all` / the dev server. Surface it as an `error`
+            // diagnostic: printed always, blocking only under `--fail-on-error`.
+            // `pikku versions check` remains the hard deploy gate.
             for (const e of immutabilityErrors) {
-                logger.critical(ErrorCode.FUNCTION_VERSION_MODIFIED, e.message);
-            }
-            if (logger.hasCriticalErrors()) {
-                process.exit(1);
+                logger.diagnostic({
+                    severity: 'error',
+                    code: ErrorCode.FUNCTION_VERSION_MODIFIED,
+                    message: e.message,
+                });
             }
             return;
         }

package/dist/src/functions/commands/workspace-validate.d.ts

@@ -4,7 +4,7 @@ export declare const workspaceValidate: import("#pikku").PikkuFunctionConfig<Rec
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;
@@ -14,7 +14,7 @@ export declare const workspaceValidate: import("#pikku").PikkuFunctionConfig<Rec
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;
@@ -24,7 +24,7 @@ export declare const workspaceValidate: import("#pikku").PikkuFunctionConfig<Rec
     root: string;
     findings: {
         id: string;
-        severity: "info" | "warn" | "error";
+        severity: "warn" | "error" | "info";
         message: string;
         path: string;
         fixHint: string;

package/dist/src/functions/db/better-auth-schema.js

@@ -3,7 +3,7 @@ import { pathToFileURL } from 'node:url';
 import { readdirSync, statSync, readFileSync, existsSync } from 'node:fs';
 import { join, extname, dirname } from 'node:path';
 import { PIKKU_BETTER_AUTH } from '@pikku/better-auth';
-import { LocalSecretService, LocalVariablesService } from '@pikku/core/services';
+import { LocalVariablesService } from '@pikku/core/services';
 import { loadUserModule } from '../commands/load-user-project.js';
 let cachedGetMigrations = null;
 async function loadGetMigrations() {
@@ -87,9 +87,22 @@ async function loadAuthFactory(sourceFile) {
     }
     return null;
 }
+// Schema-only auth introspection never executes auth — it just reads the Better
+// Auth options to derive the table/column shape. Secret *values* don't affect the
+// schema, so we hand the factory a fake secret service that resolves every key to
+// a placeholder. This keeps `pikku db migrate`'s drift check from requiring the
+// app's real secrets (BETTER_AUTH_SECRET etc.) to be present in the environment.
+function fakeSecretService() {
+    const placeholder = 'schema-introspection-only';
+    return {
+        getSecret: async () => placeholder,
+        hasSecret: async () => true,
+        setSecret: async () => { },
+    };
+}
 function schemaServicesStub(kysely, logger) {
     const variables = new LocalVariablesService();
-    const secrets = new LocalSecretService(variables);
+    const secrets = fakeSecretService();
     const base = {
         kysely,
         logger,

package/dist/src/functions/db/sqlite/sqlite-kysely.js

@@ -12,12 +12,19 @@ function coerce(v) {
         return JSON.stringify(v);
     return v;
 }
+// A statement returns rows when it is a SELECT or carries a RETURNING clause.
+// node:sqlite's StatementSync has no `reader` flag (always undefined), so without
+// this kysely would run INSERT ... RETURNING via `.run()` and drop the returned
+// rows — which breaks better-auth sign-up (it inserts and expects the row back).
+function isReaderSql(sql) {
+    return /^\s*select/i.test(sql) || /\breturning\b/i.test(sql);
+}
 class RuntimeSqliteStatement {
     stmt;
     reader;
-    constructor(stmt) {
+    constructor(stmt, reader) {
         this.stmt = stmt;
-        this.reader = Boolean(stmt.reader);
+        this.reader = reader;
     }
     all(parameters) {
         return this.stmt.all(...parameters.map(coerce));
@@ -41,7 +48,8 @@ class RuntimeSqliteDatabase {
         this.db = db;
     }
     prepare(sql) {
-        return new RuntimeSqliteStatement(this.db.prepare(sql));
+        const stmt = this.db.prepare(sql);
+        return new RuntimeSqliteStatement(stmt, Boolean(stmt.reader) || isReaderSql(sql));
     }
     close() {
         this.db.close();

package/dist/src/functions/validate/workspace-validate.d.ts

@@ -2,9 +2,9 @@ import { z } from 'zod';
 export declare const FindingSchema: z.ZodObject<{
     id: z.ZodString;
     severity: z.ZodEnum<{
-        info: "info";
         warn: "warn";
         error: "error";
+        info: "info";
     }>;
     message: z.ZodString;
     path: z.ZodString;
@@ -18,9 +18,9 @@ export declare const WorkspaceValidateOutput: z.ZodObject<{
     findings: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         severity: z.ZodEnum<{
-            info: "info";
             warn: "warn";
             error: "error";
+            info: "info";
         }>;
         message: z.ZodString;
         path: z.ZodString;

package/dist/src/functions/validate/workspace-validate.js

@@ -95,6 +95,10 @@ export async function runWorkspaceValidate(startDir = process.cwd()) {
         if (!pikkuConfig.clientFiles) {
             info('pikku-config-no-client-files', 'pikku.config.json missing "clientFiles" — generated RPC client files and React Query hooks will not be written', pikkuConfigPath, 'Add clientFiles.rpcMapDeclarationFile and clientFiles.reactQueryFile pointing to packages/functions-sdk/src/pikku/ (for example: rpc-map.gen.d.ts and api.gen.ts)');
         }
+        const scaffold = pikkuConfig.scaffold;
+        if (!scaffold?.console) {
+            e('pikku-config-no-console-scaffold', 'pikku.config.json missing "scaffold.console" — Fabric cannot introspect the running app (console:getFunctionsMeta and friends 404), so the sandbox builder shows no functions', pikkuConfigPath, 'Add "console": "no-auth" under "scaffold" in pikku.config.json (use "auth" to require a session)');
+        }
     }
     const rootPkgPath = join(root, 'package.json');
     const rootPkg = await readJsonSafe(rootPkgPath);