@pikku/inspector 0.12.13 → 0.12.14

package/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 0.12.14
+
+### Patch Changes
+
+- 4b5c75b: feat(auth-js): wire OIDC config (issuer/tenantId) as variables, expand provider registry
+  - Move `issuer` and `tenantId` out of the secret blob for OIDC providers (auth0, okta, azure-ad, keycloak, cognito, microsoft-entra-id) — they are public config URLs, not secrets. Now registered via `wireVariable` and loaded at runtime via `services.variables.get()`.
+  - Expand provider registry from 13 to 31 providers: reddit, notion, instagram, zoom, figma, tiktok, threads, patreon, dropbox, bitbucket, hubspot, salesforce, atlassian, strava, keycloak, cognito, microsoft-entra-id added.
+  - `serialize-auth-gen` emits `wireVariable({...})` declarations and `services.variables.get()` calls in the generated factory for OIDC providers.
+  - Integration verifier exercises real `/auth/providers` endpoint with `LocalSecretService` + `LocalVariablesService`, including a spy test proving `services.variables.get('AUTH0_ISSUER')` is called at request time.
+
+- 4b5c75b: Add end-to-end data classification for SQLite and Postgres projects.
+
+  **Core (`@pikku/core`):** New `Private<T>` and `Secret<T>` intersection brands, `ClassificationManifest`, `ColumnClassification`, and `AnonymizeStrategy` types exported from `data-classification.ts`.
+
+  **CLI (`@pikku/cli`):**
+  - SQL comment annotations: `-- @public`, `-- @private[:strategy]`, `-- @secret[:strategy]` on `CREATE TABLE` columns and `ALTER TABLE ... ADD COLUMN` statements. Unannotated columns default to `private`.
+  - `pikku db migrate` now emits a `classification.gen.ts` manifest alongside `schema.d.ts`.
+  - New `pikku db audit` command — prints a per-column classification summary and warns on `private`/`secret` columns with no anonymize strategy.
+  - Postgres dialect support in `resolveDb`, `PostgresMigrationExecutor`, and `PostgresIntrospector`.
+
+  **Inspector (`@pikku/inspector`):** New PKU910 check — `findPiiPaths()` walks inferred function return types looking for `__pii__` brands (including inside `Array<T>`, `Record<K,V>`, and index signatures) and fails the build if a function exposes branded fields in its output.
+
+- Updated dependencies [4b5c75b]
+- Updated dependencies [4b5c75b]
+  - @pikku/core@0.12.27
+
 ## 0.12.13
 
 ### Patch Changes

package/dist/add/add-auth.d.ts

@@ -0,0 +1,2 @@
+import type { AddWiring } from '../types.js';
+export declare const addAuth: AddWiring;

package/dist/add/add-auth.js

@@ -0,0 +1,34 @@
+import * as ts from 'typescript';
+import { ErrorCode } from '../error-codes.js';
+export const addAuth = (logger, node, _checker, state) => {
+    if (!ts.isCallExpression(node))
+        return;
+    const expression = node.expression;
+    if (!ts.isIdentifier(expression) || expression.text !== 'wireAuth')
+        return;
+    const firstArg = node.arguments[0];
+    if (!firstArg || !ts.isObjectLiteralExpression(firstArg))
+        return;
+    const providersProp = firstArg.properties.find((p) => ts.isPropertyAssignment(p) &&
+        (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+        p.name.text === 'providers');
+    const sourceFile = node.getSourceFile().fileName;
+    state.auth.files.add(sourceFile);
+    if (!providersProp) {
+        return;
+    }
+    if (!ts.isArrayLiteralExpression(providersProp.initializer)) {
+        logger.critical(ErrorCode.MISSING_NAME, 'wireAuth: providers must be an array literal of string literals.');
+        return;
+    }
+    for (const element of providersProp.initializer
+        .elements) {
+        if (!ts.isStringLiteral(element)) {
+            logger.critical(ErrorCode.NON_LITERAL_WIRE_NAME, `wireAuth: each provider must be a string literal. Found: ${element.getText()}`);
+            return;
+        }
+        if (!state.auth.providers.includes(element.text)) {
+            state.auth.providers.push(element.text);
+        }
+    }
+};

package/dist/add/add-functions.js

@@ -629,7 +629,7 @@ export const addFunctions = (logger, node, checker, state, options) => {
     }
     // ── PII brand check ───────────────────────────────────────────────────────
     // Walk the function body's ACTUAL inferred return type looking for Private<T>
-    // / Secret<T> brands (__pii__ property).  This runs for every function,
+    // / Pii<T> / Secret<T> brands (__classification__ property).  This runs for every function,
     // including those with a Zod output schema, because the TS return type
     // reflects what the body actually returns before any Zod coercion.
     {

package/dist/inspector.js

@@ -115,6 +115,10 @@ export function getInitialInspectorState(rootDir) {
             meta: {},
             files: new Set(),
         },
+        auth: {
+            providers: [],
+            files: new Set(),
+        },
         secrets: {
             definitions: [],
             files: new Set(),

package/dist/types.d.ts

@@ -339,6 +339,10 @@ export interface InspectorState {
         meta: NodesMeta;
         files: Set<string>;
     };
+    auth: {
+        providers: string[];
+        files: Set<string>;
+    };
     secrets: {
         definitions: SecretDefinitions;
         files: Set<string>;

package/dist/utils/check-pii-output.d.ts

@@ -1,12 +1,12 @@
 import * as ts from 'typescript';
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
  * the structural marker emitted by `Private<T>` and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
  * Returns the list of dotted field paths where a brand was found
  * (e.g. `['email', 'address.phone']`).  An empty array means clean.

package/dist/utils/check-pii-output.js

@@ -1,12 +1,12 @@
 import * as ts from 'typescript';
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
  * the structural marker emitted by `Private<T>` and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
  * Returns the list of dotted field paths where a brand was found
  * (e.g. `['email', 'address.phone']`).  An empty array means clean.
@@ -16,10 +16,10 @@ export function findPiiPaths(checker, type, path = '', depth = 0, seen = new Set
         return [];
     seen.add(type);
     // ── Is this type itself branded? ─────────────────────────────────────────
-    // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
-    // where one constituent has a `__pii__` property.
+    // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+    // where one constituent has a `__classification__` property.
     if (type.isIntersection()) {
-        const branded = type.types.some((t) => t.getProperties().some((p) => p.name === '__pii__'));
+        const branded = type.types.some((t) => t.getProperties().some((p) => p.name === '__classification__'));
         if (branded) {
             return [path || '<return value>'];
         }

package/dist/utils/serialize-inspector-state.d.ts

@@ -203,6 +203,10 @@ export interface SerializableInspectorState {
         meta: InspectorState['nodes']['meta'];
         files: string[];
     };
+    auth: {
+        providers: string[];
+        files: string[];
+    };
     secrets: {
         definitions: InspectorState['secrets']['definitions'];
         files: string[];

package/dist/utils/serialize-inspector-state.js

@@ -98,6 +98,10 @@ export function serializeInspectorState(state) {
             meta: state.nodes.meta,
             files: Array.from(state.nodes.files),
         },
+        auth: {
+            providers: state.auth.providers,
+            files: Array.from(state.auth.files),
+        },
         secrets: {
             definitions: state.secrets.definitions,
             files: Array.from(state.secrets.files),
@@ -246,6 +250,10 @@ export function deserializeInspectorState(data) {
             meta: data.nodes?.meta || {},
             files: new Set(data.nodes?.files || []),
         },
+        auth: {
+            providers: data.auth?.providers || [],
+            files: new Set(data.auth?.files || []),
+        },
         secrets: {
             definitions: data.secrets?.definitions || [],
             files: new Set(data.secrets?.files || []),

package/dist/visit.js

@@ -17,6 +17,7 @@ import { addWireAddon } from './add/add-wire-addon.js';
 import { addMiddleware } from './add/add-middleware.js';
 import { addPermission } from './add/add-permission.js';
 import { addCLI, addCLIRenderers } from './add/add-cli.js';
+import { addAuth } from './add/add-auth.js';
 import { addSecret } from './add/add-secret.js';
 import { addCredential } from './add/add-credential.js';
 import { addVariable } from './add/add-variable.js';
@@ -41,6 +42,7 @@ export const visitSetup = (logger, checker, node, state, options) => {
 };
 export const visitRoutes = (logger, checker, node, state, options) => {
     addFunctions(logger, node, checker, state, options);
+    addAuth(logger, node, checker, state, options);
     addSecret(logger, node, checker, state, options);
     addCredential(logger, node, checker, state, options);
     addVariable(logger, node, checker, state, options);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.13",
+  "version": "0.12.14",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",
@@ -35,7 +35,7 @@
   },
   "dependencies": {
     "@openapi-contrib/json-schema-to-openapi-schema": "^4.3.1",
-    "@pikku/core": "^0.12.25",
+    "@pikku/core": "^0.12.27",
     "path-to-regexp": "^8.3.0",
     "ts-json-schema-generator": "^2.5.0",
     "tsx": "^4.21.0",

package/src/add/add-auth.test.ts

@@ -0,0 +1,175 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import { ErrorCode } from '../error-codes.js'
+import type { InspectorLogger } from '../types.js'
+
+const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
+  ({
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    critical: (code: ErrorCode, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }) satisfies InspectorLogger
+
+describe('addAuth inspector', () => {
+  test('extracts provider string literals from wireAuth call', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['github', 'google'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.deepEqual(state.auth.providers, ['github', 'google'])
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('deduplicates providers across multiple wireAuth calls', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-dedup-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['github'] })",
+        "wireAuth({ providers: ['github', 'google'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.deepEqual(state.auth.providers, ['github', 'google'])
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('logs critical error when a provider is a non-literal reference', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-nonlit-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "const PROVIDER = 'github'",
+        'wireAuth({ providers: [PROVIDER] })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find(
+        (e) => e.code === ErrorCode.NON_LITERAL_WIRE_NAME
+      )
+      assert.ok(hit, 'expected NON_LITERAL_WIRE_NAME critical')
+      assert.match(hit!.message, /PROVIDER/)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('does not error when providers is absent (credentials-only wireAuth)', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-creds-only-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        'wireAuth({ credentials: { authorize: async () => null } })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(
+        criticals.length,
+        0,
+        'credentials-only wireAuth must not produce errors'
+      )
+      assert.deepEqual(
+        state.auth.providers,
+        [],
+        'no providers should be extracted'
+      )
+      assert.ok(state.auth.files.has(file), 'source file still tracked')
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('logs critical error when providers is not an array literal', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-nonarray-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "const PROVIDERS = ['github']",
+        'wireAuth({ providers: PROVIDERS })',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find((e) => e.code === ErrorCode.MISSING_NAME)
+      assert.ok(
+        hit,
+        'expected MISSING_NAME critical for non-array-literal providers'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('tracks source file in state.auth.files', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-files-'))
+    const file = join(rootDir, 'auth.wiring.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireAuth } from '@pikku/auth-js'",
+        "wireAuth({ providers: ['discord'] })",
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.ok(
+        state.auth.files.has(file),
+        'source file should be tracked in state.auth.files'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-auth.ts

@@ -0,0 +1,49 @@
+import * as ts from 'typescript'
+import type { AddWiring } from '../types.js'
+import { ErrorCode } from '../error-codes.js'
+
+export const addAuth: AddWiring = (logger, node, _checker, state) => {
+  if (!ts.isCallExpression(node)) return
+
+  const expression = node.expression
+  if (!ts.isIdentifier(expression) || expression.text !== 'wireAuth') return
+
+  const firstArg = node.arguments[0]
+  if (!firstArg || !ts.isObjectLiteralExpression(firstArg)) return
+
+  const providersProp = firstArg.properties.find(
+    (p) =>
+      ts.isPropertyAssignment(p) &&
+      (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+      p.name.text === 'providers'
+  ) as ts.PropertyAssignment | undefined
+
+  const sourceFile = node.getSourceFile().fileName
+  state.auth.files.add(sourceFile)
+
+  if (!providersProp) {
+    return
+  }
+
+  if (!ts.isArrayLiteralExpression(providersProp.initializer)) {
+    logger.critical(
+      ErrorCode.MISSING_NAME,
+      'wireAuth: providers must be an array literal of string literals.'
+    )
+    return
+  }
+
+  for (const element of (providersProp.initializer as ts.ArrayLiteralExpression)
+    .elements) {
+    if (!ts.isStringLiteral(element)) {
+      logger.critical(
+        ErrorCode.NON_LITERAL_WIRE_NAME,
+        `wireAuth: each provider must be a string literal. Found: ${element.getText()}`
+      )
+      return
+    }
+    if (!state.auth.providers.includes(element.text)) {
+      state.auth.providers.push(element.text)
+    }
+  }
+}

package/src/add/add-functions.ts

@@ -885,7 +885,7 @@ export const addFunctions: AddWiring = (
 
   // ── PII brand check ───────────────────────────────────────────────────────
   // Walk the function body's ACTUAL inferred return type looking for Private<T>
-  // / Secret<T> brands (__pii__ property).  This runs for every function,
+  // / Pii<T> / Secret<T> brands (__classification__ property).  This runs for every function,
   // including those with a Zod output schema, because the TS return type
   // reflects what the body actually returns before any Zod coercion.
   {

package/src/add/pii-check.test.ts

@@ -23,13 +23,14 @@ function makeLogger() {
 }
 
 /**
- * Inline Private<T>/Secret<T> definitions that the test source files use.
+ * Inline Private<T>/Pii<T>/Secret<T> definitions that the test source files use.
  * Mirrors what schema.d.ts emits so the TypeScript program sees the correct
  * structural brand type even without @pikku/core being importable from /tmp.
  */
 const BRAND_TYPES = `
-type Private<T> = T & { readonly __pii__: 'private' }
-type Secret<T> = T & { readonly __pii__: 'secret' }
+type Private<T> = T & { readonly __classification__: 'private' }
+type Pii<T> = T & { readonly __classification__: 'pii' }
+type Secret<T> = T & { readonly __classification__: 'secret' }
 `
 
 async function runInspect(sourceCode: string) {
@@ -104,7 +105,11 @@ export const getPublicData = pikkuFunc({
 })
 `)
     const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
-    assert.equal(hit, undefined, `Expected no PKU910 but got: ${JSON.stringify(hit)}`)
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU910 but got: ${JSON.stringify(hit)}`
+    )
   })
 
   test('does not flag a void-returning function', async () => {

package/src/inspector.ts

@@ -145,6 +145,10 @@ export function getInitialInspectorState(rootDir: string): InspectorState {
       meta: {},
       files: new Set(),
     },
+    auth: {
+      providers: [],
+      files: new Set(),
+    },
     secrets: {
       definitions: [],
       files: new Set(),

package/src/types.ts

@@ -382,6 +382,10 @@ export interface InspectorState {
     meta: NodesMeta
     files: Set<string>
   }
+  auth: {
+    providers: string[]
+    files: Set<string>
+  }
   secrets: {
     definitions: SecretDefinitions
     files: Set<string>

package/src/utils/check-pii-output.ts

@@ -1,13 +1,13 @@
 import * as ts from 'typescript'
 
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
  * the structural marker emitted by `Private<T>` and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
  * Returns the list of dotted field paths where a brand was found
  * (e.g. `['email', 'address.phone']`).  An empty array means clean.
@@ -23,11 +23,11 @@ export function findPiiPaths(
   seen.add(type)
 
   // ── Is this type itself branded? ─────────────────────────────────────────
-  // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
-  // where one constituent has a `__pii__` property.
+  // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+  // where one constituent has a `__classification__` property.
   if (type.isIntersection()) {
     const branded = type.types.some((t) =>
-      t.getProperties().some((p) => p.name === '__pii__')
+      t.getProperties().some((p) => p.name === '__classification__')
     )
     if (branded) {
       return [path || '<return value>']
@@ -54,12 +54,16 @@ export function findPiiPaths(
     const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number)
     if (numberIndex) {
       const idxPath = path ? `${path}[]` : '[]'
-      violations.push(...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen)
+      )
     }
     const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String)
     if (stringIndex) {
       const idxPath = path ? `${path}[*]` : '[*]'
-      violations.push(...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen)
+      )
     }
 
     for (const prop of type.getProperties()) {
@@ -68,7 +72,9 @@ export function findPiiPaths(
       if (!decl) continue
       const propType = checker.getTypeOfSymbolAtLocation(prop, decl)
       const subPath = path ? `${path}.${prop.name}` : prop.name
-      violations.push(...findPiiPaths(checker, propType, subPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, propType, subPath, depth + 1, seen)
+      )
     }
   }
 

package/src/utils/serialize-inspector-state.ts

@@ -181,6 +181,10 @@ export interface SerializableInspectorState {
     meta: InspectorState['nodes']['meta']
     files: string[]
   }
+  auth: {
+    providers: string[]
+    files: string[]
+  }
   secrets: {
     definitions: InspectorState['secrets']['definitions']
     files: string[]
@@ -383,6 +387,10 @@ export function serializeInspectorState(
       meta: state.nodes.meta,
       files: Array.from(state.nodes.files),
     },
+    auth: {
+      providers: state.auth.providers,
+      files: Array.from(state.auth.files),
+    },
     secrets: {
       definitions: state.secrets.definitions,
       files: Array.from(state.secrets.files),
@@ -556,6 +564,10 @@ export function deserializeInspectorState(
       meta: data.nodes?.meta || {},
       files: new Set(data.nodes?.files || []),
     },
+    auth: {
+      providers: data.auth?.providers || [],
+      files: new Set(data.auth?.files || []),
+    },
     secrets: {
       definitions: data.secrets?.definitions || [],
       files: new Set(data.secrets?.files || []),

package/src/visit.ts

@@ -22,6 +22,7 @@ import { addWireAddon } from './add/add-wire-addon.js'
 import { addMiddleware } from './add/add-middleware.js'
 import { addPermission } from './add/add-permission.js'
 import { addCLI, addCLIRenderers } from './add/add-cli.js'
+import { addAuth } from './add/add-auth.js'
 import { addSecret } from './add/add-secret.js'
 import { addCredential } from './add/add-credential.js'
 import { addVariable } from './add/add-variable.js'
@@ -106,6 +107,7 @@ export const visitRoutes = (
   options: InspectorOptions
 ) => {
   addFunctions(logger, node, checker, state, options)
+  addAuth(logger, node, checker, state, options)
   addSecret(logger, node, checker, state, options)
   addCredential(logger, node, checker, state, options)
   addVariable(logger, node, checker, state, options)