npm - @rblez/authly - Versions diffs - 0.1.0 → 0.3.0 - Mend

@rblez/authly 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/bin/authly.js +3 -1
package/dist/dashboard/app.js +182 -32
package/dist/dashboard/authorize.html +117 -0
package/dist/dashboard/index.html +192 -15
package/dist/dashboard/styles.css +10 -0
package/package.json +3 -2
package/src/auth/index.js +98 -0
package/src/commands/ext.js +107 -0
package/src/commands/serve.js +218 -15
package/src/generators/env.js +3 -2
package/src/generators/migrations.js +33 -0
package/src/integrations/supabase.js +156 -0
package/src/lib/oauth.js +23 -1
package/src/lib/supabase-api.js +152 -0
package/src/lib/supabase-oauth.js +200 -0

package/dist/dashboard/index.html CHANGED Viewed

@@ -4,8 +4,79 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Authly Dashboard</title>
-  <link rel="stylesheet" href="/styles.css">
+  <link rel="stylesheet" href="/styles.css" integrity="sha384-PLACEHOLDER">
   <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/remixicon@4.2.0/fonts/remixicon.css">
+  <style>
+    /* ── Provider SimpleIcons ───────────────────────── */
+    .provider-icon-img {
+      width: 20px; height: 20px; flex-shrink: 0;
+    }
+    .provider-card {
+      display: flex; align-items: center; gap: 12px;
+      padding: 12px 16px; background: #111; border: 1px solid #222;
+      border-radius: 8px; margin-bottom: 8px;
+    }
+    .provider-card .provider-info { flex: 1; }
+    .provider-card .provider-name { font-weight: 500; font-size: .875rem; color: #fff; text-transform: capitalize; }
+    .provider-card .provider-scopes { font-size: .75rem; color: #666; margin-top: 2px; }
+    .provider-card .provider-status {
+      font-size: .7rem; padding: 2px 8px; border-radius: 4px;
+      text-transform: uppercase; font-weight: 600; letter-spacing: .5px;
+    }
+    .provider-card .provider-status.enabled { background: #166534; color: #22c55e; }
+    .provider-card .provider-status.disabled { background: #222; color: #555; }
+    /* ── Inline docs ────────────────────────────────── */
+    .doc-panel {
+      background: #0a0a0a; border: 1px solid #1a1a1a; border-radius: 8px;
+      padding: 16px 20px; margin-bottom: 16px;
+    }
+    .doc-panel h4 {
+      font-size: .85rem; color: #fff; margin: 0 0 6px;
+      display: flex; align-items: center; gap: 6px;
+    }
+    .doc-panel p { color: #888; font-size: .8rem; margin: 0 0 8px; line-height: 1.5; }
+    .doc-panel ul {
+      margin: 0; padding-left: 18px; color: #aaa; font-size: .78rem; line-height: 1.8;
+    }
+    .doc-panel code {
+      background: #111; color: #c9c; padding: 1px 5px; border-radius: 3px;
+      font-size: .75rem; font-family: 'SF Mono', 'Fira Code', monospace;
+    }
+    .doc-panel .toggle-docs {
+      background: none; border: none; color: #555; cursor: pointer;
+      font-size: .75rem; margin-left: auto;
+    }
+    .doc-panel .toggle-docs:hover { color: #aaa; }
+    .doc-panel-body { transition: max-height .3s ease; overflow: hidden; }
+    .doc-panel-body.collapsed { max-height: 0; }
+    .doc-panel-body.expanded { max-height: 600px; }
+    /* ── UI improvements ───────────────────────────── */
+    .card h2 { margin-bottom: 4px; }
+    .card p { color: #666; font-size: .82rem; }
+    .card__icon {
+      width: 32px; height: 32px; display: flex; align-items: center;
+      justify-content: center; border-radius: 8px; margin-bottom: 12px;
+      background: #111; color: #fff; font-size: 1.2rem;
+    }
+    .text-muted { color: #555; font-size: .8rem; }
+    /* ── Toast ──────────────────────────────────────── */
+    .toast {
+      position: fixed; bottom: 20px; right: 20px; padding: 10px 16px;
+      border-radius: 6px; font-size: .82rem; z-index: 999;
+      animation: slideUp .2s ease;
+    }
+    .toast.toast--ok { background: #166534; color: #22c55e; border: 1px solid #22c55e44; }
+    .toast.toast--error { background: #7f1d1d; color: #f87171; border: 1px solid #f8717144; }
+    .toast.toast--info { background: #111; color: #888; border: 1px solid #333; }
+    .toast.hidden { display: none; }
+    @keyframes slideUp {
+      from { transform: translateY(20px); opacity: 0; }
+      to { transform: translateY(0); opacity: 1; }
+    }
+  </style>
 </head>
 <body>
   <div class="layout">
@@ -21,17 +92,22 @@
       </div>
       <nav class="sidebar__nav">
         <a href="#init" class="nav-item active" data-section="init"><i class="ri-flashlight-line"></i> Init</a>
+        <a href="#integration" class="nav-item" data-section="integration"><i class="ri-database-2-line"></i> Integration</a>
         <a href="#providers" class="nav-item" data-section="providers"><i class="ri-shield-keyhole-line"></i> Providers</a>
         <a href="#ui" class="nav-item" data-section="ui"><i class="ri-layout-masonry-line"></i> UI</a>
         <a href="#routes" class="nav-item" data-section="routes"><i class="ri-route-line"></i> Routes</a>
         <a href="#roles" class="nav-item" data-section="roles"><i class="ri-user-settings-line"></i> Roles</a>
         <a href="#api-keys" class="nav-item" data-section="api-keys"><i class="ri-key-2-line"></i> API Keys</a>
         <a href="#env" class="nav-item" data-section="env"><i class="ri-file-code-line"></i> Env</a>
-        <a href="#migrate" class="nav-item" data-section="migrate"><i class="ri-database-2-line"></i> Migrate</a>
+        <a href="#migrate" class="nav-item" data-section="migrate"><i class="ri-download-2-line"></i> Migrate</a>
         <a href="#users" class="nav-item" data-section="users"><i class="ri-user-line"></i> Users</a>
         <a href="#mcp" class="nav-item" data-section="mcp"><i class="ri-robot-line"></i> MCP <span class="badge">BETA</span></a>
         <a href="#audit" class="nav-item" data-section="audit"><i class="ri-search-line"></i> Audit</a>
       </nav>
+      <div class="sidebar__footer">
+        <span class="sidebar__version">v0.1.0</span>
+        <span class="sidebar__copy">MIT — rblez</span>
+      </div>
     </aside>
     <!-- Main -->
@@ -49,16 +125,37 @@
         <!-- ═══ INIT ═══ -->
         <section class="section" id="init">
+          <div class="doc-panel" id="initDocs">
+            <h4><i class="ri-book-line"></i> Auto-detection <button class="toggle-docs" data-target="initDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="initDocsBody">
+              <p>Authly scans your project files for Supabase credentials — no manual configuration needed.</p>
+              <ul>
+                <li>Checks <code>.env.local</code>, <code>.env.development.local</code>, <code>.env.development</code>, <code>.env</code></li>
+                <li>Also reads <code>supabase/config.toml</code> if present</li>
+                <li>If found — connects automatically</li>
+                <li>If not found — fill in manually below</li>
+              </ul>
+            </div>
+          </div>
+          <!-- Auto-detected status -->
+          <div class="card" id="autoDetectCard">
+            <div class="card__icon"><i class="ri-search-eye-line"></i></div>
+            <h2>Project scan</h2>
+            <div id="scanStatus" style="font-size:.85rem;color:#888">Scanning…</div>
+            <div id="scanDetail" class="hidden" style="margin-top:12px;font-size:.8rem"></div>
+            <div id="scanAction" class="hidden" style="margin-top:12px"></div>
+          </div>
+          <!-- Manual fallback -->
           <div class="card">
             <div class="card__icon"><i class="ri-flashlight-line"></i></div>
-            <h2>Connect your project</h2>
-            <p>Detect your Next.js project and set up Supabase credentials.</p>
+            <h2>Manual connect</h2>
+            <p style="margin-bottom:12px">Or enter credentials manually if auto-detect didn't find them.</p>
             <form id="initForm" class="init-form">
               <label>Supabase Project URL</label>
               <input type="url" id="initUrl" placeholder="https://xxxx.supabase.co" />
               <label>Supabase Anon Key</label>
               <input type="password" id="initAnon" placeholder="eyJh…" />
-              <label>Service Role Key (optional, for admin)</label>
+              <label>Service Role Key (admin)</label>
               <input type="password" id="initService" placeholder="eyJh…" />
               <div id="initResult" class="result hidden"></div>
               <button type="submit" class="btn btn--primary" id="initBtn">
@@ -66,26 +163,69 @@
               </button>
             </form>
           </div>
+        </section>
+        <!-- ═══ INTEGRATION ═══ -->
+        <section class="section hidden" id="integration">
+          <div class="doc-panel" id="intDocs">
+            <h4><i class="ri-book-line"></i> Supabase integration <button class="toggle-docs" data-target="intDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="intDocsBody">
+              <p>Authly connects directly to your Supabase database to manage users, roles, sessions, and migrations.</p>
+              <ul>
+                <li>Users are stored in <code>authly_users</code> table (not Supabase auth.users)</li>
+                <li>OAuth providers link via <code>authly_oauth_accounts</code></li>
+                <li>Role assignments via <code>authly_user_roles</code></li>
+                <li>Magic link tokens in <code>authly_magic_links</code></li>
+              </ul>
+              <p style="margin-top:8px">Connection is automatic if Supabase credentials exist in your env files.</p>
+            </div>
+          </div>
           <div class="card">
-            <div class="card__icon"><i class="ri-folder-check-line"></i></div>
-            <h2>Generated files</h2>
-            <ul class="file-list" id="fileList">
-              <li><i class="ri-file-line"></i> .env.local <span class="file-status" id="envStatus">checking…</span></li>
-              <li><i class="ri-file-line"></i> authly.config.json <span class="file-status" id="configStatus">checking…</span></li>
-            </ul>
+            <div class="card__icon"><i class="ri-database-2-line"></i></div>
+            <h2>Supabase connection</h2>
+            <div id="integrationStatus" style="font-size:.85rem;color:#888">Checking…</div>
+            <div id="integrationDetail" class="hidden" style="margin-top:12px"></div>
+            <div style="margin-top:16px;display:flex;gap:8px;flex-wrap:wrap">
+              <button class="btn btn--primary btn--sm" id="reconnectBtn"><i class="ri-refresh-line"></i> Re-scan &amp; reconnect</button>
+              <a href="/api/auth/supabase/authorize" class="btn btn--sm" style="background:#0d1b3e;border:1px solid #1d355e;color:#58a6ff;text-decoration:none" id="connectSbPlatformBtn"><i class="ri-plug-line"></i> Connect via OAuth</a>
+            </div>
           </div>
         </section>
         <!-- ═══ PROVIDERS ═══ -->
         <section class="section hidden" id="providers">
+          <div class="doc-panel" id="provDocs">
+            <h4><i class="ri-book-line"></i> Provider setup <button class="toggle-docs" data-target="provDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="provDocsBody">
+              <p>Enable authentication methods for your project. Each provider requires OAuth client credentials.</p>
+              <ul>
+                <li><img src="https://cdn.simpleicons.org/google/fff" width="14" height="14" alt="Google"> <strong>Google</strong> — Console → APIs → OAuth 2.0 → Credentials</li>
+                <li><img src="https://cdn.simpleicons.org/github/fff" width="14" height="14" alt="GitHub"> <strong>GitHub</strong> — Settings → Developer settings → OAuth Apps</li>
+                <li><img src="https://cdn.simpleicons.org/discord/fff" width="14" height="14" alt="Discord"> <strong>Discord</strong> — Developer Portal → Applications</li>
+                <li><img src="https://cdn.simpleicons.org/resend/fff" width="14" height="14" alt="Resend"> <strong>Magic Link</strong> — Resend dashboard (API key)</li>
+              </ul>
+              <p style="margin-top:8px">Set credentials in <code>GOOGLE_CLIENT_ID</code> / <code>GOOGLE_CLIENT_SECRET</code> etc. Buttons appear automatically when providers are enabled.</p>
+            </div>
+          </div>
           <div id="providerList"></div>
         </section>
         <!-- ═══ UI (Scaffold) ═══ -->
         <section class="section hidden" id="ui">
+          <div class="doc-panel" id="scaffoldDocs">
+            <h4><i class="ri-book-line"></i> UI scaffolding <button class="toggle-docs" data-target="scaffoldDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="scaffoldDocsBody">
+              <p>Generates ready-to-use TSX pages for your Next.js App Router project. Click a scaffold card to preview the code.</p>
+              <ul>
+                <li><strong>Login</strong> — Email/password + dynamic SimpleIcon buttons for enabled providers</li>
+                <li><strong>Sign Up</strong> — Registration form with validation</li>
+                <li><strong>Middleware</strong> — Route protection for protected and auth paths</li>
+              </ul>
+              <p style="margin-top:8px">Files are generated into <code>src/app/auth/</code> in your Next.js project.</p>
+            </div>
+          </div>
           <div class="card">
             <h2>Scaffold auth pages</h2>
-            <p>Generate ready-to-use TSX pages for your Next.js project.</p>
             <div class="grid-3">
               <div class="scaffold-card" data-scaffold="login">
                 <i class="ri-login-circle-line"></i>
@@ -109,15 +249,36 @@
         <!-- ═══ ROUTES ═══ -->
         <section class="section hidden" id="routes">
+          <div class="doc-panel" id="routesDocs">
+            <h4><i class="ri-book-line"></i> Route protection <button class="toggle-docs" data-target="routesDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="routesDocsBody">
+              <p>The scaffolded middleware intercepts requests and checks for a valid <code>authly_session</code> cookie. Missing cookies redirect to login.</p>
+              <ul>
+                <li><code>/dashboard</code>, <code>/profile</code>, <code>/settings</code> → unprotected redirects to <code>/auth/login</code></li>
+                <li><code>/auth/login</code>, <code>/auth/signup</code> → redirect to <code>/dashboard</code> if logged in</li>
+              </ul>
+            </div>
+          </div>
           <div class="card">
             <h2>Protected routes</h2>
-            <p>Middleware scaffold protects these paths:</p>
             <div class="code-block"><code>/dashboard, /profile, /settings → redirect to /auth/login if unauthenticated</code></div>
           </div>
         </section>
         <!-- ═══ ROLES ═══ -->
         <section class="section hidden" id="roles">
+          <div class="doc-panel" id="rolesDocs">
+            <h4><i class="ri-book-line"></i> Role-based access control <button class="toggle-docs" data-target="rolesDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="rolesDocsBody">
+              <p>Authly implements RBAC with three default roles:</p>
+              <ul>
+                <li><code>admin</code> — Full access to all resources</li>
+                <li><code>user</code> — Standard authenticated (auto-assigned on signup)</li>
+                <li><code>guest</code> — Limited access, read-only</li>
+              </ul>
+              <p style="margin-top:8px">Requires the <code>001_create_roles_table</code> and <code>004_create_user_roles_table</code> migrations.</p>
+            </div>
+          </div>
           <div class="card">
             <div style="display:flex;justify-content:space-between;align-items:center">
               <h2>Roles</h2>
@@ -146,7 +307,7 @@
         <section class="section hidden" id="api-keys">
           <div class="card">
             <h2>Generate API Key</h2>
-            <p>Create a key for programmatic access.</p>
+            <p>Create a key for programmatic access. The raw key is shown <strong>only once</strong>.</p>
             <form id="keyForm" style="display:flex;gap:8px;align-items:end;flex-wrap:wrap">
               <div>
                 <label style="font-size:.75rem;color:#888;display:block;margin-bottom:2px">Key name</label>
@@ -162,12 +323,29 @@
         <section class="section hidden" id="env">
           <div class="card">
             <h2>Environment variables</h2>
+            <p>Check which variables are set in the current environment.</p>
             <div class="vars-list" id="envVars"></div>
           </div>
         </section>
         <!-- ═══ MIGRATE ═══ -->
         <section class="section hidden" id="migrate">
+          <div class="doc-panel" id="migrateDocs">
+            <h4><i class="ri-book-line"></i> Database migrations <button class="toggle-docs" data-target="migrateDocsBody">toggle</button></h4>
+            <div class="doc-panel-body expanded" id="migrateDocsBody">
+              <p>Authly manages its own schema via incremental SQL migrations. Click <strong>Run</strong> to execute a migration directly against your Supabase database.</p>
+              <ul>
+                <li><code>001</code> — Roles table (admin, user, guest)</li>
+                <li><code>002</code> — Users table (authly_users)</li>
+                <li><code>003</code> — OAuth accounts (provider linkages)</li>
+                <li><code>004</code> — User roles + auto-assign trigger</li>
+                <li><code>005</code> — API keys (hashed)</li>
+                <li><code>006</code> — Sessions</li>
+                <li><code>007</code> — Magic links (Resend)</li>
+              </ul>
+              <p style="margin-top:8px">You can run migrations in any order — each uses <code>CREATE TABLE IF NOT EXISTS</code> so they're idempotent.</p>
+            </div>
+          </div>
           <div class="card">
             <h2>Migrations</h2>
             <div class="migration-list" id="migrationList"></div>
@@ -211,7 +389,6 @@
             </div>
             <p style="font-size:.8rem;color:#666;margin-top:12px">
               <i class="ri-error-warning-line"></i> MCP tools are experimental. All backend tools are wired directly via the REST API for now.
-              MCP will be fully trained after all tools are tested and stable.
             </p>
           </div>
         </section>

package/dist/dashboard/styles.css CHANGED Viewed

@@ -124,6 +124,16 @@ code {
   text-align: center;
 }
+.sidebar__footer {
+  margin-top: auto;
+  padding: 10px 16px;
+  border-top: 1px solid var(--border);
+  display: flex;
+  justify-content: space-between;
+  font-size: 0.7rem;
+  color: #444;
+}
 /* ── Main ─────────────────────────────────────────────── */
 .main {
   flex: 1;

package/package.json CHANGED Viewed

@@ -1,18 +1,19 @@
 {
   "name": "@rblez/authly",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Local auth dashboard for Next.js + Supabase",
   "type": "module",
   "bin": {
     "authly": "./bin/authly.js"
   },
   "scripts": {
+    "start": "node bin/authly.js serve",
     "dev": "node bin/authly.js serve",
     "lint": "prettier --check src/",
     "format": "prettier --write src/"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "files": [
     "bin/",

package/src/auth/index.js CHANGED Viewed

@@ -5,6 +5,7 @@
  */
 import bcrypt from "bcryptjs";
+import { randomBytes, createHash } from "node:crypto";
 import { getSupabaseClient } from "../lib/supabase.js";
 import { createSessionToken, verifySessionToken } from "../lib/jwt.js";
 import { buildAuthorizeUrl, exchangeTokens, upsertUser, authWithProvider, listProviderStatus } from "../lib/oauth.js";
@@ -132,3 +133,100 @@ export async function handleOAuthCallback({ provider, code, redirectUri }) {
     return { user: null, token: null, error: e.message };
   }
 }
+// ── Magic Link (Resend) ──────────────────────────────
+/**
+ * Send a magic link to the user's email via Resend.
+ * Creates or finds the user, generates a verification token.
+ */
+export async function sendMagicLink({ email, callbackUrl }) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) return { sent: false, error: errors.join(", ") };
+  const resendKey = process.env.RESEND_API_KEY;
+  if (!resendKey) return { sent: false, error: "RESEND_API_KEY not configured" };
+  if (!email) return { sent: false, error: "Email is required" };
+  const emailLower = email.toLowerCase();
+  const token = randomBytes(32).toString("hex");
+  const expiresAt = new Date(Date.now() + 30 * 60 * 1000); // 30 min
+  // Check if user exists, create if not (without password)
+  const { data: existing } = await client
+    .from("authly_users")
+    .select("id")
+    .eq("email", emailLower)
+    .single();
+  let userId = existing?.id;
+  if (!existing) {
+    const { data: newUser } = await client
+      .from("authly_users")
+      .insert({ email: emailLower, password_hash: null, name: emailLower.split("@")[0] })
+      .select("id")
+      .single();
+    if (newUser) userId = newUser.id;
+  }
+  if (!userId) return { sent: false, error: "Failed to create user record" };
+  // Store magic link token in DB
+  const { error: tokenError } = await client
+    .from("authly_magic_links")
+    .insert({ user_id: userId, token_hash: createHash("sha256").update(token).digest("hex"), expires_at: expiresAt.toISOString(), used: false });
+  if (tokenError) return { sent: false, error: tokenError.message };
+  // Send email via Resend
+  const from = process.env.RESEND_FROM || "noreply@authly.dev";
+  const link = `${callbackUrl}?token=${token}`;
+  const res = await fetch("https://api.resend.com/emails", {
+    method: "POST",
+    headers: { "Authorization": `Bearer ${resendKey}`, "Content-Type": "application/json" },
+    body: JSON.stringify({
+      from,
+      to: [emailLower],
+      subject: "Your Authly Magic Link",
+      html: `<p>Click the link to sign in:</p><p><a href="${link}">Sign In</a></p><p>This link expires in 30 minutes.</p>`,
+    }),
+  });
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    return { sent: false, error: err.message || "Failed to send email" };
+  }
+  return { sent: true, error: null };
+}
+/**
+ * Verify a magic link token and create a session.
+ */
+export async function verifyMagicLink({ token }) {
+  const { client, errors } = getSupabaseClient();
+  if (!client) return { user: null, error: errors.join(", ") };
+  const tokenHash = createHash("sha256").update(token).digest("hex");
+  const { data: record, error } = await client
+    .from("authly_magic_links")
+    .select("user_id, expires_at, used")
+    .eq("token_hash", tokenHash)
+    .single();
+  if (error || !record) return { user: null, error: "Invalid token" };
+  if (record.used) return { user: null, error: "Token already used" };
+  if (new Date(record.expires_at) < new Date()) return { user: null, error: "Token expired" };
+  // Mark as used
+  await client.from("authly_magic_links").update({ used: true }).eq("token_hash", tokenHash);
+  // Get user
+  const { data: user } = await client.from("authly_users").select("id, email, name").eq("id", record.user_id).single();
+  if (!user) return { user: null, error: "User not found" };
+  const sessionToken = await createSessionToken({ sub: user.id, role: "user" });
+  return { user, token: sessionToken, error: null };
+}

package/src/commands/ext.js ADDED Viewed

@@ -0,0 +1,107 @@
+import fs from "node:fs";
+import path from "node:path";
+import chalk from "chalk";
+import ora from "ora";
+import { detectFramework } from "../lib/framework.js";
+import { scanSupabase } from "../integrations/supabase.js";
+import { generateEnv } from "../generators/env.js";
+/**
+ * `authly ext add <name>` — add an extension to the project.
+ * Currently supports: supabase
+ */
+export async function cmdExt(args) {
+  const subcmd = args[0];
+  const name = args[1];
+  if (!subcmd || subcmd === "add") {
+    if (!name) {
+      console.log(chalk.bold("\n  Authly Extensions — add\n"));
+      console.log(chalk.bold("  Usage:"));
+      console.log(`    npx @rblez/authly ext add <name>\n`);
+      console.log(chalk.bold("  Available:"));
+      console.log(`    ${chalk.cyan("supabase")}  Auto-detect & connect Supabase, show auth URL\n`);
+      return;
+    }
+    if (name === "supabase") {
+      return cmdExtAddSupabase();
+    }
+    console.error(chalk.red(`\n  Unknown extension: ${name}\n`));
+    process.exit(1);
+  }
+  console.error(chalk.red(`\n  Unknown subcommand: ${subcmd}\n`));
+  process.exit(1);
+}
+async function cmdExtAddSupabase() {
+  console.log(chalk.bold("\n  Authly — Supabase Extension\n"));
+  // Detect framework
+  const framework = detectFramework();
+  if (!framework) {
+    console.log(chalk.yellow("  ⚠ No framework detected, but continuing anyway.\n"));
+  } else {
+    console.log(`${chalk.green("✔")} Detected framework: ${chalk.cyan(framework.name ?? "unknown")}`);
+  }
+  const projectRoot = path.resolve(process.cwd());
+  // Scan for Supabase credentials
+  const spinner = ora("Scanning project for Supabase credentials").start();
+  const scan = scanSupabase(projectRoot);
+  if (scan.detected) {
+    let detail = [];
+    if (scan.url) detail.push(chalk.green("URL found"));
+    if (scan.anonKey) detail.push(chalk.green("Anon key found"));
+    if (scan.serviceKey) detail.push(chalk.green("Service key found"));
+    if (scan.projectRef) detail.push(`Ref: ${scan.projectRef}`);
+    spinner.succeed(`Found credentials: ${detail.join(" · ")}`);
+  } else {
+    spinner.warn("No Supabase credentials found in env files");
+    console.log(chalk.yellow("\n  You can still connect manually. Run `authly serve` for the dashboard.\n"));
+    process.exit(0);
+  }
+  // Write authly.config.json if not exists
+  const configPath = path.join(projectRoot, "authly.config.json");
+  if (!fs.existsSync(configPath)) {
+    const config = {
+      $schema: "https://raw.githubusercontent.com/rblez/authly/main/schema/config.json",
+      framework: framework?.name ?? "unknown",
+      port: 1284,
+      supabase: {
+        url: scan.url ?? "",
+        anonKey: scan.anonKey ? "set" : "",
+        serviceRoleKey: scan.serviceKey ? "set" : "",
+        projectRef: scan.projectRef ?? "",
+      },
+      providers: {},
+      roles: ["admin", "user", "guest"],
+    };
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    console.log(`${chalk.green("✔")} Created authly.config.json`);
+  } else {
+    console.log(`${chalk.yellow("•")} authly.config.json already exists`);
+  }
+  // Generate .env.local if not exists
+  const envPath = path.join(projectRoot, ".env.local");
+  if (!fs.existsSync(envPath)) {
+    const envSpinner = ora("Generating .env.local").start();
+    await generateEnv(envPath);
+    envSpinner.succeed("Generated .env.local with authly variables");
+  } else {
+    console.log(`${chalk.yellow("•")} .env.local already exists`);
+  }
+  // Show auth URL
+  const port = process.env.AUTHLY_PORT || 1284;
+  const authUrl = `http://localhost:${port}/authorize`;
+  console.log(chalk.bold(`\n  Ready! Start the dashboard and go to:`));
+  console.log(`  ${chalk.cyan.underline(authUrl)}`);
+  console.log(chalk.dim(`\n  Run: npx @rblez/authly serve\n`));
+}