@pikku/inspector 0.12.13 → 0.12.16

package/src/add/add-workflow.test.ts

@@ -0,0 +1,152 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import type { InspectorLogger } from '../types.js'
+
+function makeLogger(
+  criticals: Array<{ code: string; message: string }>
+): InspectorLogger {
+  return {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    critical: (code: any, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }
+}
+
+describe('addWorkflow — workflow.do RPC detection', () => {
+  test('detects RPC step when result is assigned to a const', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-workflow-'))
+    const wfFile = join(rootDir, 'my.workflow.ts')
+    const stepFile = join(rootDir, 'my.steps.ts')
+
+    await writeFile(
+      stepFile,
+      [
+        "import { pikkuSessionlessFunc } from '@pikku/core'",
+        'export const doThing = pikkuSessionlessFunc({',
+        '  func: async ({ logger }) => ({ ok: true }),',
+        '})',
+      ].join('\n')
+    )
+
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const myWorkflow = pikkuWorkflowFunc(async (_, _input, { workflow }) => {',
+        "  const result = await workflow.do('Do thing', 'doThing', {})",
+        '  return { id: result.ok }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('doThing'),
+        'doThing should be in invokedFunctions'
+      )
+      assert.ok(
+        state.rpc.internalFiles.has('doThing'),
+        'doThing should be in internalFiles'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('detects RPC step when result is reassigned to a pre-declared null variable', async () => {
+    // Regression: `let x = null; x = await workflow.do(...)` was treated as a
+    // set-step instead of an RPC step, so the referenced function was never registered.
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-workflow-reassign-'))
+    const wfFile = join(rootDir, 'project.workflow.ts')
+    const stepFile = join(rootDir, 'project.steps.ts')
+
+    await writeFile(
+      stepFile,
+      [
+        "import { pikkuSessionlessFunc } from '@pikku/core'",
+        'export const launchSandbox = pikkuSessionlessFunc({',
+        '  func: async ({ logger }) => ({ sandboxId: "abc" }),',
+        '})',
+      ].join('\n')
+    )
+
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const createProjectWorkflow = pikkuWorkflowFunc(async (_, input, { workflow }) => {',
+        '  let launched: { sandboxId: string } | null = null',
+        '  if (input.createSandbox) {',
+        "    launched = await workflow.do('Launch sandbox', 'launchSandbox', { projectId: input.projectId })",
+        '  }',
+        '  return { sandboxId: launched?.sandboxId ?? null }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('launchSandbox'),
+        'launchSandbox should be in invokedFunctions even when assigned to a pre-declared null variable'
+      )
+      assert.ok(
+        state.rpc.internalFiles.has('launchSandbox'),
+        'launchSandbox should be in internalFiles so it gets registered in pikku-functions.gen.ts'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('still treats plain reassignment to context var as a set step', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-workflow-set-'))
+    const wfFile = join(rootDir, 'set.workflow.ts')
+
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const setWorkflow = pikkuWorkflowFunc(async (_, input, { workflow }) => {',
+        '  let status = "pending"',
+        '  status = "done"',
+        "  await workflow.do('No-op', 'noopStep', {})",
+        '  return { status }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [wfFile], { rootDir })
+      const meta = state.workflows.meta['setWorkflow']
+      assert.ok(meta, 'workflow should be registered')
+      const steps = meta.steps ?? []
+      const setStep = steps.find(
+        (s: any) => s.type === 'set' && s.variable === 'status'
+      )
+      assert.ok(
+        setStep,
+        'plain string reassignment should still produce a set step'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-workflow.ts

@@ -217,7 +217,8 @@ export const addWorkflow: AddWiring = (logger, node, checker, state) => {
       firstArg,
       'Workflow',
       workflowName,
-      logger
+      logger,
+      checker
     )
     if (metadata.disabled) return
     tags = metadata.tags

package/src/add/pii-check.test.ts

@@ -23,13 +23,14 @@ function makeLogger() {
 }
 
 /**
- * Inline Private<T>/Secret<T> definitions that the test source files use.
+ * Inline Private<T>/Pii<T>/Secret<T> definitions that the test source files use.
  * Mirrors what schema.d.ts emits so the TypeScript program sees the correct
  * structural brand type even without @pikku/core being importable from /tmp.
  */
 const BRAND_TYPES = `
-type Private<T> = T & { readonly __pii__: 'private' }
-type Secret<T> = T & { readonly __pii__: 'secret' }
+type Private<T> = T & { readonly __classification__: 'private' }
+type Pii<T> = T & { readonly __classification__: 'pii' }
+type Secret<T> = T & { readonly __classification__: 'secret' }
 `
 
 async function runInspect(sourceCode: string) {
@@ -45,30 +46,35 @@ async function runInspect(sourceCode: string) {
   return criticals
 }
 
-// ── findPiiPaths unit tests via full inspect() round-trip ────────────────────
+// ── classification semantics:
+//   secret  → never returned by any function (sessioned or not)
+//   private → only blocked in sessionless functions (pikkuSessionlessFunc)
+//   public  → safe for sessionless functions
 
 describe('PII output check — PKU910', () => {
-  test('flags a top-level Private<string> field', async () => {
+  // ── Secret<T>: always blocked ──────────────────────────────────────────────
+
+  test('flags a top-level Secret<string> field in a sessioned function', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
 import { pikkuFunc } from '@pikku/core'
-export const getUser = pikkuFunc({
+export const getToken = pikkuFunc({
   func: async () => {
-    const email = 'test@example.com' as Private<string>
-    return { id: 1, email }
+    const token = 'abc' as Secret<string>
+    return { token }
   }
 })
 `)
     const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
-    assert.ok(hit, `Expected PKU910 but got: ${JSON.stringify(criticals)}`)
-    assert.match(hit.message, /email/)
+    assert.ok(hit)
+    assert.match(hit.message, /token/)
   })
 
-  test('flags a top-level Secret<string> field', async () => {
+  test('flags a top-level Secret<string> field in a sessionless function', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
-export const getToken = pikkuFunc({
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getToken = pikkuSessionlessFunc({
   func: async () => {
     const token = 'abc' as Secret<string>
     return { token }
@@ -80,11 +86,48 @@ export const getToken = pikkuFunc({
     assert.match(hit.message, /token/)
   })
 
-  test('flags a nested Private field', async () => {
+  // ── Private<T>: only blocked in sessionless functions ─────────────────────
+
+  test('flags a top-level Private<string> field in a sessionless function', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getUser = pikkuSessionlessFunc({
+  func: async () => {
+    const email = 'test@example.com' as Private<string>
+    return { id: 1, email }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit, `Expected PKU910 but got: ${JSON.stringify(criticals)}`)
+    assert.match(hit.message, /email/)
+  })
+
+  test('does not flag a Private<string> field in a sessioned function', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
 import { pikkuFunc } from '@pikku/core'
-export const getProfile = pikkuFunc({
+export const getUser = pikkuFunc({
+  func: async () => {
+    const email = 'test@example.com' as Private<string>
+    return { id: 1, email }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU910 (sessioned function may return Private fields) but got: ${JSON.stringify(hit)}`
+    )
+  })
+
+  test('flags a nested Private field in a sessionless function', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getProfile = pikkuSessionlessFunc({
   func: async () => {
     const email = 'x@y.com' as Private<string>
     return { user: { id: 1, email } }
@@ -104,7 +147,11 @@ export const getPublicData = pikkuFunc({
 })
 `)
     const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
-    assert.equal(hit, undefined, `Expected no PKU910 but got: ${JSON.stringify(hit)}`)
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU910 but got: ${JSON.stringify(hit)}`
+    )
   })
 
   test('does not flag a void-returning function', async () => {
@@ -118,12 +165,12 @@ export const doWork = pikkuFunc({
     assert.equal(hit, undefined)
   })
 
-  test('flags a function that returns a typed alias with Private field', async () => {
+  test('flags a sessionless function that returns a typed alias with Private field', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
+import { pikkuSessionlessFunc } from '@pikku/core'
 type UserRow = { id: number; email: Private<string> }
-export const getUser = pikkuFunc({
+export const getUser = pikkuSessionlessFunc({
   func: async (): Promise<UserRow> => {
     return { id: 1, email: 'x' as Private<string> }
   }
@@ -134,17 +181,17 @@ export const getUser = pikkuFunc({
     assert.match(hit.message, /email/)
   })
 
-  test('flags across multiple functions in the same file', async () => {
+  test('flags across multiple sessionless functions in the same file', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
-export const getEmail = pikkuFunc({
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getEmail = pikkuSessionlessFunc({
   func: async () => ({ email: 'x' as Private<string> })
 })
-export const getPhone = pikkuFunc({
+export const getPhone = pikkuSessionlessFunc({
   func: async () => ({ phone: '555' as Private<string> })
 })
-export const getSafe = pikkuFunc({
+export const getSafe = pikkuSessionlessFunc({
   func: async () => ({ name: 'Alice' })
 })
 `)
@@ -152,11 +199,11 @@ export const getSafe = pikkuFunc({
     assert.equal(hits.length, 2, `Expected 2 PKU910 but got ${hits.length}`)
   })
 
-  test('flags branded values inside arrays', async () => {
+  test('flags branded values inside arrays (sessionless)', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
-export const getEmails = pikkuFunc({
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getEmails = pikkuSessionlessFunc({
   func: async () => ({ emails: ['x@y.com' as Private<string>] })
 })
 `)
@@ -165,11 +212,11 @@ export const getEmails = pikkuFunc({
     assert.match(hit.message, /emails/)
   })
 
-  test('flags branded values inside string-indexed records', async () => {
+  test('flags branded values inside string-indexed records (sessionless)', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
-export const getMap = pikkuFunc({
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getMap = pikkuSessionlessFunc({
   func: async () => ({ byId: { a: 'x@y.com' as Private<string> } as Record<string, Private<string>> })
 })
 `)
@@ -181,8 +228,8 @@ export const getMap = pikkuFunc({
   test('does not flag when branded field is stripped before return', async () => {
     const criticals = await runInspect(`
 ${BRAND_TYPES}
-import { pikkuFunc } from '@pikku/core'
-export const getUser = pikkuFunc({
+import { pikkuSessionlessFunc } from '@pikku/core'
+export const getUser = pikkuSessionlessFunc({
   func: async () => {
     const raw: { email: Private<string> } = { email: 'x' as Private<string> }
     const safe: { email: string } = { email: raw.email as string }

package/src/inspector.ts

@@ -145,6 +145,10 @@ export function getInitialInspectorState(rootDir: string): InspectorState {
       meta: {},
       files: new Set(),
     },
+    auth: {
+      providers: [],
+      files: new Set(),
+    },
     secrets: {
       definitions: [],
       files: new Set(),

package/src/types.ts

@@ -382,6 +382,10 @@ export interface InspectorState {
     meta: NodesMeta
     files: Set<string>
   }
+  auth: {
+    providers: string[]
+    files: Set<string>
+  }
   secrets: {
     definitions: SecretDefinitions
     files: Set<string>

package/src/utils/check-pii-output.ts

@@ -1,16 +1,22 @@
 import * as ts from 'typescript'
 
+export type ClassifiedField = {
+  path: string
+  classification: 'private' | 'pii' | 'secret' | string
+}
+
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
- * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>`, `Pii<T>`, and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
- * Returns the list of dotted field paths where a brand was found
- * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ * Returns the list of classified fields found, each with its dotted path and
+ * classification level (e.g. `[{ path: 'email', classification: 'private' }]`).
+ * An empty array means clean.
  */
 export function findPiiPaths(
   checker: ts.TypeChecker,
@@ -18,23 +24,33 @@ export function findPiiPaths(
   path = '',
   depth = 0,
   seen = new Set<ts.Type>()
-): string[] {
+): ClassifiedField[] {
   if (depth > 8 || seen.has(type)) return []
   seen.add(type)
 
   // ── Is this type itself branded? ─────────────────────────────────────────
-  // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
-  // where one constituent has a `__pii__` property.
+  // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+  // where one constituent has a `__classification__` property whose type is a string literal.
   if (type.isIntersection()) {
-    const branded = type.types.some((t) =>
-      t.getProperties().some((p) => p.name === '__pii__')
-    )
-    if (branded) {
-      return [path || '<return value>']
+    for (const t of type.types) {
+      const classificationProp = t
+        .getProperties()
+        .find((p) => p.name === '__classification__')
+      if (classificationProp) {
+        const decl =
+          classificationProp.valueDeclaration ??
+          classificationProp.declarations?.[0]
+        const classification = decl
+          ? ((
+              checker.getTypeOfSymbolAtLocation(classificationProp, decl) as any
+            )?.value ?? 'private')
+          : 'private'
+        return [{ path: path || '<return value>', classification }]
+      }
     }
   }
 
-  const violations: string[] = []
+  const violations: ClassifiedField[] = []
 
   // ── Union: check every branch ─────────────────────────────────────────────
   if (type.isUnion()) {
@@ -54,12 +70,16 @@ export function findPiiPaths(
     const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number)
     if (numberIndex) {
       const idxPath = path ? `${path}[]` : '[]'
-      violations.push(...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen)
+      )
     }
     const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String)
     if (stringIndex) {
       const idxPath = path ? `${path}[*]` : '[*]'
-      violations.push(...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen)
+      )
     }
 
     for (const prop of type.getProperties()) {
@@ -68,7 +88,9 @@ export function findPiiPaths(
       if (!decl) continue
       const propType = checker.getTypeOfSymbolAtLocation(prop, decl)
       const subPath = path ? `${path}.${prop.name}` : prop.name
-      violations.push(...findPiiPaths(checker, propType, subPath, depth + 1, seen))
+      violations.push(
+        ...findPiiPaths(checker, propType, subPath, depth + 1, seen)
+      )
     }
   }
 

package/src/utils/ensure-function-metadata.ts

@@ -280,7 +280,9 @@ export function ensureFunctionMetadata(
           const { tags } = getCommonWireMetaData(
             firstArg,
             'Function',
-            fallbackName || pikkuFuncId
+            fallbackName || pikkuFuncId,
+            undefined,
+            checker
           )
           if (tags) {
             meta.tags = tags

package/src/utils/extract-node-value.test.ts

@@ -46,18 +46,20 @@ describe('extractDescription', () => {
     assert.equal(extractDescription(obj, checker), 'my step')
   })
 
-  test('returns null for non-literal description value without crashing', () => {
+  test('extracts concatenated string literals in description', () => {
     const { checker, sourceFile } = createChecker(
-      `const name = 'test'; const data = { description: name + ' addon' }`
+      `const data = { description: 'line one ' + 'line two' }`
     )
-    const objs: ts.ObjectLiteralExpression[] = []
-    const visit = (node: ts.Node) => {
-      if (ts.isObjectLiteralExpression(node)) objs.push(node)
-      ts.forEachChild(node, visit)
-    }
-    ts.forEachChild(sourceFile, visit)
-    const dataObj = objs[objs.length - 1]!
-    assert.equal(extractDescription(dataObj, checker), null)
+    const obj = findObjectLiteral(sourceFile)!
+    assert.equal(extractDescription(obj, checker), 'line one line two')
+  })
+
+  test('extracts deeply nested concatenation in description', () => {
+    const { checker, sourceFile } = createChecker(
+      `const data = { description: 'a' + 'b' + 'c' }`
+    )
+    const obj = findObjectLiteral(sourceFile)!
+    assert.equal(extractDescription(obj, checker), 'abc')
   })
 
   test('returns null for non-object node', () => {

package/src/utils/extract-node-value.ts

@@ -32,6 +32,16 @@ export function extractStringLiteral(
     return extractStringLiteral(node.expression, checker)
   }
 
+  if (
+    ts.isBinaryExpression(node) &&
+    node.operatorToken.kind === ts.SyntaxKind.PlusToken
+  ) {
+    return (
+      extractStringLiteral(node.left, checker) +
+      extractStringLiteral(node.right, checker)
+    )
+  }
+
   // Try to evaluate constant identifiers
   if (ts.isIdentifier(node)) {
     const symbol = checker.getSymbolAtLocation(node)
@@ -52,7 +62,7 @@ export function extractStringLiteral(
 /**
  * Check if node is string-like (string literal or template expression)
  */
-export function isStringLike(node: ts.Node, _checker: ts.TypeChecker): boolean {
+export function isStringLike(node: ts.Node, checker: ts.TypeChecker): boolean {
   if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
     return true
   }
@@ -60,6 +70,10 @@ export function isStringLike(node: ts.Node, _checker: ts.TypeChecker): boolean {
   if (ts.isTemplateExpression(node)) {
     return true
   }
+  // Unwrap type assertions: `expr as Type` or `<Type>expr`
+  if (ts.isAsExpression(node) || ts.isTypeAssertionExpression(node)) {
+    return isStringLike(node.expression, checker)
+  }
   return false
 }
 

package/src/utils/get-property-value.ts

@@ -1,5 +1,6 @@
 import * as ts from 'typescript'
 import { ErrorCode } from '../error-codes.js'
+import { extractStringLiteral } from './extract-node-value.js'
 
 /**
  * Extracts an array of strings from an object property.
@@ -137,7 +138,8 @@ export const getCommonWireMetaData = (
   obj: ts.ObjectLiteralExpression,
   wiringType: string,
   wiringName: string | null,
-  logger?: { critical: (code: ErrorCode, message: string) => void }
+  logger?: { critical: (code: ErrorCode, message: string) => void },
+  checker?: ts.TypeChecker
 ): {
   disabled?: true
   title?: string
@@ -166,18 +168,36 @@ export const getCommonWireMetaData = (
         prop.initializer.kind === ts.SyntaxKind.TrueKeyword
       ) {
         metadata.disabled = true
-      } else if (propName === 'title' && ts.isStringLiteral(prop.initializer)) {
-        metadata.title = prop.initializer.text
-      } else if (
-        propName === 'summary' &&
-        ts.isStringLiteral(prop.initializer)
-      ) {
-        metadata.summary = prop.initializer.text
-      } else if (
-        propName === 'description' &&
-        ts.isStringLiteral(prop.initializer)
-      ) {
-        metadata.description = prop.initializer.text
+      } else if (propName === 'title') {
+        try {
+          metadata.title = checker
+            ? extractStringLiteral(prop.initializer, checker)
+            : ts.isStringLiteral(prop.initializer)
+              ? prop.initializer.text
+              : undefined
+        } catch {
+          // non-static title — skip
+        }
+      } else if (propName === 'summary') {
+        try {
+          metadata.summary = checker
+            ? extractStringLiteral(prop.initializer, checker)
+            : ts.isStringLiteral(prop.initializer)
+              ? prop.initializer.text
+              : undefined
+        } catch {
+          // non-static summary — skip
+        }
+      } else if (propName === 'description') {
+        try {
+          metadata.description = checker
+            ? extractStringLiteral(prop.initializer, checker)
+            : ts.isStringLiteral(prop.initializer)
+              ? prop.initializer.text
+              : undefined
+        } catch {
+          // non-static description — skip
+        }
       } else if (propName === 'tags') {
         if (ts.isArrayLiteralExpression(prop.initializer)) {
           metadata.tags = prop.initializer.elements

package/src/utils/serialize-inspector-state.ts

@@ -181,6 +181,10 @@ export interface SerializableInspectorState {
     meta: InspectorState['nodes']['meta']
     files: string[]
   }
+  auth: {
+    providers: string[]
+    files: string[]
+  }
   secrets: {
     definitions: InspectorState['secrets']['definitions']
     files: string[]
@@ -383,6 +387,10 @@ export function serializeInspectorState(
       meta: state.nodes.meta,
       files: Array.from(state.nodes.files),
     },
+    auth: {
+      providers: state.auth.providers,
+      files: Array.from(state.auth.files),
+    },
     secrets: {
       definitions: state.secrets.definitions,
       files: Array.from(state.secrets.files),
@@ -556,6 +564,10 @@ export function deserializeInspectorState(
       meta: data.nodes?.meta || {},
       files: new Set(data.nodes?.files || []),
     },
+    auth: {
+      providers: data.auth?.providers || [],
+      files: new Set(data.auth?.files || []),
+    },
     secrets: {
       definitions: data.secrets?.definitions || [],
       files: new Set(data.secrets?.files || []),