npm - @rblez/authly - Versions diffs - 0.3.0 → 0.4.1 - Mend

@rblez/authly 0.3.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/bin/authly.js +1 -1
package/dist/dashboard/app.js +5 -2
package/dist/dashboard/authorize.html +7 -8
package/dist/dashboard/index.html +1 -1
package/package.json +1 -1
package/src/commands/init.js +24 -29
package/src/commands/serve.js +112 -205

package/bin/authly.js CHANGED Viewed

@@ -11,7 +11,7 @@ const COMMANDS = {
   init: { description: "Initialize authly in your project", handler: cmdInit },
   ext: { description: "Manage extensions (add, remove)", handler: cmdExt },
   audit: { description: "Check auth configuration for issues", handler: cmdAudit },
-  version: { description: "Show version", handler: () => console.log("0.3.0") },
+  version: { description: "Show version", handler: () => console.log("0.4.0") },
 };
 async function main() {

package/dist/dashboard/app.js CHANGED Viewed

@@ -7,11 +7,14 @@ document.addEventListener("DOMContentLoaded", () => {
   const statusText = document.getElementById("statusText");
   const statusDot = document.querySelector(".header__dot");
+  // All API calls go to the hosted authly instance
+  const API_URL = "https://authly.rblez.com/api";
   checkHealth();
   // ── Helpers ─────────────────────────────────────────
   async function api(endpoint, opts = {}) {
-    const res = await fetch(`/api${endpoint}`, {
+    const res = await fetch(`${API_URL}${endpoint}`, {
       headers: { "Content-Type": "application/json" },
       ...opts,
     });
@@ -40,7 +43,7 @@ document.addEventListener("DOMContentLoaded", () => {
   // ── Health ──────────────────────────────────────────
   async function checkHealth() {
     try {
-      const res = await fetch("/api/health");
+      const res = await fetch(`${API_URL}/health`);
       if (res.ok) {
         statusText.textContent = "Connected";
         statusDot.style.background = "#22c55e";

package/dist/dashboard/authorize.html CHANGED Viewed

@@ -54,7 +54,7 @@
       <!-- Platform: Connect Supabase (OAuth to Supabase API) -->
       <div class="section-label">Platform connection</div>
-      <a href="/api/auth/supabase/authorize" id="supabasePlatformBtn" class="platform-connect">
+      <a href="https://authly.rblez.com/api/auth/supabase/authorize" id="supabasePlatformBtn" class="platform-connect">
         <img src="https://cdn.simpleicons.org/supabase/fff" width="20" height="20" alt="Supabase" />
         <span class="label">Connect Supabase</span>
         <span class="status" id="sbStatus">Not connected</span>
@@ -68,10 +68,12 @@
   </div>
   <script>
+    const API_URL = "https://authly.rblez.com/api";
     async function loadProviders() {
       const container = document.getElementById("providerList");
       try {
-        const res = await fetch("/api/providers");
+        const res = await fetch(`${API_URL}/providers`);
         const data = await res.json();
         if (!data.providers) { container.innerHTML = "<p style='color:#555'>&mdash;</p>"; return; }
@@ -86,11 +88,10 @@
           </div>`;
         }).join("");
-        // Attach click handlers
         container.querySelectorAll(".provider-btn[data-enabled='true']").forEach(el => {
           el.addEventListener("click", () => {
             const provider = el.dataset.provider;
-            window.location.href = `/api/auth/${provider}/authorize`;
+            window.location.href = `${API_URL}/auth/${provider}/authorize`;
           });
         });
       } catch {
@@ -98,14 +99,12 @@
       }
     }
-    // Check if Supabase is already connected
     async function checkSupabaseConnected() {
       try {
-        const res = await fetch("/api/health");
+        const res = await fetch(`${API_URL}/health`);
         if (res.ok) {
           document.getElementById("sbStatus").textContent = "Connected";
-          const btn = document.getElementById("supabasePlatformBtn");
-          btn.classList.add("connected");
+          document.getElementById("supabasePlatformBtn").classList.add("connected");
         }
       } catch {}
     }

package/dist/dashboard/index.html CHANGED Viewed

@@ -187,7 +187,7 @@
             <div id="integrationDetail" class="hidden" style="margin-top:12px"></div>
             <div style="margin-top:16px;display:flex;gap:8px;flex-wrap:wrap">
               <button class="btn btn--primary btn--sm" id="reconnectBtn"><i class="ri-refresh-line"></i> Re-scan &amp; reconnect</button>
-              <a href="/api/auth/supabase/authorize" class="btn btn--sm" style="background:#0d1b3e;border:1px solid #1d355e;color:#58a6ff;text-decoration:none" id="connectSbPlatformBtn"><i class="ri-plug-line"></i> Connect via OAuth</a>
+              <a href="https://authly.rblez.com/api/auth/supabase/authorize" target="_blank" class="btn btn--sm" style="background:#0d1b3e;border:1px solid #1d355e;color:#58a6ff;text-decoration:none" id="connectSbPlatformBtn"><i class="ri-plug-line"></i> Connect via OAuth</a>
             </div>
           </div>
         </section>

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rblez/authly",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "description": "Local auth dashboard for Next.js + Supabase",
   "type": "module",
   "bin": {

package/src/commands/init.js CHANGED Viewed

@@ -3,6 +3,7 @@ import path from "node:path";
 import chalk from "chalk";
 import ora from "ora";
 import { detectFramework } from "../lib/framework.js";
+import { scanSupabase } from "../integrations/supabase.js";
 import { generateEnv } from "../generators/env.js";
 export async function cmdInit() {
@@ -11,56 +12,50 @@ export async function cmdInit() {
   // Detect framework
   const framework = detectFramework();
   if (!framework) {
-    console.log(chalk.yellow("  No Next.js project detected. Run authly init from your Next.js project root.\n"));
+    console.log(chalk.yellow("  × No Next.js project detected. Run authly init from your Next.js project root.\n"));
     process.exit(1);
   }
   console.log(`${chalk.green("✔")} Detected framework: ${chalk.cyan(framework.name)}`);
-  // Check for existing config
-  const hasEnv = fs.existsSync(".env.local");
-  const hasAuthlyConfig = fs.existsSync("authly.config.json");
+  // Scan for existing Supabase credentials
+  const projectRoot = path.resolve(process.cwd());
+  const scan = scanSupabase(projectRoot);
-  if (hasEnv) {
-    console.log(`${chalk.yellow("•")} .env.local already exists`);
+  if (scan.detected) {
+    console.log(`${chalk.green("✔")} Found existing Supabase credentials`);
   }
-  if (hasAuthlyConfig) {
-    console.log(`${chalk.yellow("•")} authly.config.json already exists`);
-  }
-  // Generate .env.local template
-  const spinner = ora("Generating .env.local").start();
-  const envPath = path.join(process.cwd(), ".env.local");
-  if (!hasEnv) {
+  // Generate .env.local if missing
+  const envPath = path.join(projectRoot, ".env.local");
+  if (!fs.existsSync(envPath)) {
+    const spinner = ora("Generating .env.local").start();
     await generateEnv(envPath);
-    spinner.succeed("Generated .env.local with authly variables");
+    spinner.succeed("Generated .env.local");
   } else {
-    spinner.info(".env.local already exists, skipping");
+    console.log(`${chalk.yellow("·")} .env.local already exists`);
   }
-  // Generate authly config
-  const configSpinner = ora("Creating authly.config.json").start();
-  if (!hasAuthlyConfig) {
+  // Generate authly.config.json if missing
+  const configPath = path.join(projectRoot, "authly.config.json");
+  if (!fs.existsSync(configPath)) {
+    const configSpinner = ora("Creating authly.config.json").start();
     const config = {
       $schema: "https://raw.githubusercontent.com/rblez/authly/main/schema/config.json",
-      framework,
+      framework: framework.name,
       port: 1284,
       supabase: {
-        url: "",
-        anonKey: "",
-        serviceRoleKey: "",
+        url: scan.url || "",
+        anonKey: scan.anonKey ? "set" : "",
+        serviceRoleKey: scan.serviceKey ? "set" : "",
+        projectRef: scan.projectRef || "",
       },
       providers: {},
       roles: ["admin", "user", "guest"],
     };
-    fs.writeFileSync(envPath ? ".env.local" : ".env.local", "", { flag: "a" });
-    fs.writeFileSync(
-      "authly.config.json",
-      JSON.stringify(config, null, 2) + "\n",
-    );
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
     configSpinner.succeed("Created authly.config.json");
   } else {
-    configSpinner.info("authly.config.json already exists");
+    console.log(`${chalk.yellow("·")} authly.config.json already exists`);
   }
   console.log(chalk.dim("\n  Next: run `npx @rblez/authly serve` to start the dashboard\n"));

package/src/commands/serve.js CHANGED Viewed

@@ -18,13 +18,10 @@ import {
   listRoles,
 } from "../generators/roles.js";
 import { listMigrations, getMigration, migrations } from "../generators/migrations.js";
-import { detectFramework } from "../lib/framework.js";
 import { scaffoldAuth, previewGenerated } from "../generators/ui.js";
-import { generateEnv } from "../generators/env.js";
 import { mountMcp } from "../mcp/server.js";
-import { scanSupabase } from "../integrations/supabase.js";
 import { generatePKCE, buildSupabaseAuthorizeUrl, exchangeSupabaseToken, saveSupabaseTokens } from "../lib/supabase-oauth.js";
-import { ensureValidAccessToken, autoConfigureFromToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
+import { ensureValidAccessToken, getProjects, getProjectApiKeys } from "../lib/supabase-api.js";
 const PORT = process.env.PORT || process.env.AUTHLY_PORT || 1284;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -41,6 +38,17 @@ export async function cmdServe() {
   const app = new Hono();
+  // ── CORS — allow localhost to call hosted API ──
+  app.use("/api/*", (c) => {
+    c.header("Access-Control-Allow-Origin", "*");
+    c.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+    c.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    if (c.req.method === "OPTIONS") {
+      return new Response(null, { status: 204 });
+    }
+    return c.next();
+  });
   // ── Static file serving ────────────────────────────
   const dashboardPath = path.join(__dirname, "../../dist/dashboard");
   const hasDashboard = fs.existsSync(dashboardPath);
@@ -59,13 +67,6 @@ export async function cmdServe() {
   // ── Public API ─────────────────────────────────────
   app.get("/api/health", (c) => c.json({ status: "ok", uptime: process.uptime() }));
-  /** GET /api/integrations/supabase/scan — scan local project */
-  app.get("/api/integrations/supabase/scan", (c) => {
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    return c.json({ success: true, ...scan });
-  });
   /** GET /api/users — list all users from Supabase */
   app.get("/api/users", async (c) => {
     const { client, errors } = getSupabaseClient();
@@ -90,7 +91,6 @@ export async function cmdServe() {
       const result = buildAuthorizeUrl({ provider, redirectUri, state: query.state, scope: query.scope });
       return c.redirect(result.url);
     } catch (e) {
-      // Provider not found — redirect to authorize page
       return c.redirect("/authorize");
     }
   });
@@ -104,6 +104,33 @@ export async function cmdServe() {
     return c.json({ providers: listProviderStatus() });
   });
+  /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
+  app.post("/api/auth/:provider/authorize", async (c) => {
+    const { provider } = c.req.param();
+    const body = await c.req.json();
+    const result = buildAuthorizeUrl({
+      provider,
+      redirectUri: body.redirectUri,
+      state: body.state,
+      scope: body.scope,
+    });
+    if (result.error) return c.json({ error: result.error }, 400);
+    return c.json(result);
+  });
+  /** POST /api/auth/:provider/callback — exchange code for session */
+  app.post("/api/auth/:provider/callback", async (c) => {
+    const { provider } = c.req.param();
+    const body = await c.req.json();
+    const { user, token, error } = await handleOAuthCallback({
+      provider,
+      code: body.code,
+      redirectUri: body.redirectUri,
+    });
+    if (error) return c.json({ success: false, error }, 400);
+    return c.json({ success: true, user, token });
+  });
   // ── Supabase Platform OAuth with PKCE ───────────────
   /** GET /api/auth/supabase/authorize — start Supabase OAuth flow */
@@ -111,11 +138,7 @@ export async function cmdServe() {
     const query = c.req.query();
     const { verifier, challenge } = generatePKCE();
     const state = randomBytes(16).toString("hex");
-    // Store verifier for later exchange
     pkceState.set(state, { verifier, challenge });
-    // Auto-expire state after 10 min
     setTimeout(() => pkceState.delete(state), 10 * 60 * 1000);
     const result = buildSupabaseAuthorizeUrl({
@@ -123,65 +146,85 @@ export async function cmdServe() {
       codeChallenge: challenge,
       organizationSlug: query.organization,
     });
     return c.redirect(result.url);
   });
-  /** GET /api/auth/supabase/callback — OAuth callback with PKCE */
+  /** GET /api/auth/supabase/callback — OAuth callback with PKCE
+   *  Saves tokens to DB. Shows project + API keys directly to user
+   *  for manual copy-paste into .env.local. */
   app.get("/api/auth/supabase/callback", async (c) => {
     const query = c.req.query();
     const code = query.code;
     const state = query.state;
-    // Validate state and get stored verifier
     const stored = pkceState.get(state);
     if (!stored) {
-      return c.html(`<h1>Invalid or expired state token</h1>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
+      return c.html(`<h1>Invalid or expired state token</h1><p><a href="/">dashboard</a></p>`, 400);
     }
     pkceState.delete(state);
     if (!code) {
-      return c.html(`<h1>Authorization failed</h1>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
+      return c.html(`<h1>Authorization failed</h1><p><a href="/">dashboard</a></p>`, 400);
     }
     try {
-      // Exchange code for tokens
-      const tokens = await exchangeSupabaseToken({
-        code,
-        verifier: stored.verifier,
-      });
-      // Save tokens to DB
+      const tokens = await exchangeSupabaseToken({ code, verifier: stored.verifier });
       await saveSupabaseTokens({
         accessToken: tokens.access_token,
         refreshToken: tokens.refresh_token,
         expiresIn: tokens.expires_in,
       });
-      // Auto-configure: get project, extract keys, fill .env.local
-      const config = await autoConfigureFromToken(tokens.access_token);
-      if (config) {
-        return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
-          <h1 style="color:#22c55e">Connected to Supabase</h1>
-          <p>Project: <strong>${config.projectName}</strong></p>
-          <p><code style="background:#eee;padding:2px 8px;border-radius:4px">${config.projectRef}</code></p>
-          <p style="color:#666">.env.local and authly.config.json have been updated.</p>
-          <a href="/" style="display:inline-block;margin-top:16px;padding:8px 24px;background:#111;color:#fff;text-decoration:none;border-radius:6px">Go to Dashboard</a>
-        </div>`);
+      // Get project info for success page
+      const projects = await getProjects(tokens.access_token);
+      const project = projects?.[0];
+      if (project) {
+        const keys = await getProjectApiKeys(tokens.access_token, project.id);
+        const anon = keys.find(k => k.type === "anon")?.api_key || "";
+        const svc = keys.find(k => k.type === "service_role")?.api_key || "";
+        // Save project ref in tokens table
+        const { client } = getSupabaseClient();
+        if (client) {
+          await client
+            .from("authly_supabase_tokens")
+            .update({ project_ref: project.id, project_name: project.name })
+            .eq("user_id", "00000000-0000-0000-0000-000000000000");
+        }
+        return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly — Connected</title>
+<style>
+body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
+.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}
+h1{color:#22c55e;margin:0 0 12px;font-size:1.5rem}
+p{color:#888;font-size:.9rem;margin:0 0 8px}
+.code{background:#0a0a0a;border:1px solid #333;border-radius:8px;padding:16px;text-align:left;font-size:.8rem;font-family:monospace;overflow-x:auto;color:#ccc;margin:12px 0;line-height:1.8;word-break:break-all}
+.key-val{color:#22c55e}
+.key-label{color:#666}
+a{display:inline-block;margin-top:16px;padding:10px 24px;background:#444;color:#fff;text-decoration:none;border-radius:6px;font-size:.9rem}
+a:hover{background:#555}
+</style></head><body><div class="card">
+<h1>Connected to Supabase</h1>
+<p>Project: <strong>${project.name}</strong></p>
+<p><code style="color:#58a6ff">${project.id}</code></p>
+<p style="margin-top:20px;text-align:left;color:#aaa;">Add these to your project's <strong>.env.local</strong>:</p>
+<div class="code"><span class="key-label">SUPABASE_URL=</span>"<span class="key-val">https://${project.id}.supabase.co</span>"<br>
+<span class="key-label">SUPABASE_ANON_KEY=</span>"<span class="key-val">${anon}</span>"<br>
+<span class="key-label">SUPABASE_SERVICE_ROLE_KEY=</span>"<span class="key-val">${svc}</span>"<br>
+<span class="key-label">AUTHLY_SECRET=</span>"<span class="key-val">generate-with-openssl-rand-hex-32</span>"</div>
+<a href="/">Back to Dashboard</a>
+</div></body></html>`);
       }
-      return c.html(`<div style="font-family:sans-serif;max-width:500px;margin:60px auto;text-align:center">
-        <h1 style="color:#22c55e">Authenticated</h1>
-        <p>Supabase tokens saved successfully.</p>
-        <p>Return to <a href="/">dashboard</a>.</p>
-      </div>`);
+      return c.html(`<!DOCTYPE html><html><head><meta charset="utf-8"><title>Authly</title>
+<style>body{font-family:sans-serif;background:#0a0a0a;color:#fff;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
+.card{background:#111;border:1px solid #222;border-radius:12px;padding:40px 32px;max-width:540px;width:100%;text-align:center}
+h1{color:#22c55e;margin:0 0 12px}
+a{color:#58a6ff}</style></head><body><div class="card">
+<h1>Authenticated</h1><p>Supabase tokens saved, no projects found.</p>
+<a href="/">Back to Dashboard</a></div></body></html>`);
     } catch (e) {
-      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p>
-        <p>Return to <a href="/">dashboard</a></p>`, 400);
+      return c.html(`<h1>Token exchange failed</h1><p>${e.message}</p><p><a href="/">dashboard</a></p>`, 400);
     }
   });
@@ -189,7 +232,7 @@ export async function cmdServe() {
   app.get("/api/supabase/projects", async (c) => {
     try {
       const token = await ensureValidAccessToken();
-      if (!token) return c.json({ error: "Not connected to Supabase — visit /api/auth/supabase/authorize" }, 401);
+      if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
       const projects = await getProjects(token);
       return c.json({ success: true, projects });
     } catch (e) {
@@ -204,7 +247,7 @@ export async function cmdServe() {
       const token = await ensureValidAccessToken();
       if (!token) return c.json({ error: "Not connected to Supabase" }, 401);
       const keys = await getProjectApiKeys(token, ref);
-      return c.json({ success: true, keys });
+      return c.json({ success: true, keys: keys.filter(k => ["anon", "service_role"].includes(k.type)) });
     } catch (e) {
       return c.json({ error: e.message }, 500);
     }
@@ -221,57 +264,7 @@ export async function cmdServe() {
     }
   });
-  /** POST /api/auth/:provider/authorize — get OAuth URL as JSON */
-  app.post("/api/auth/:provider/authorize", async (c) => {
-    const { provider } = c.req.param();
-    const body = await c.req.json();
-    const result = buildAuthorizeUrl({
-      provider,
-      redirectUri: body.redirectUri,
-      state: body.state,
-      scope: body.scope,
-    });
-    if (result.error) return c.json({ error: result.error }, 400);
-    return c.json(result);
-  });
-  /** POST /api/auth/ :provider/callback — exchange code for session */
-  app.post("/api/auth/:provider/callback", async (c) => {
-    const { provider } = c.req.param();
-    const body = await c.req.json();
-    const { session, error } = await exchangeOAuthCode({
-      provider,
-      code: body.code,
-      redirectUri: body.redirectUri,
-    });
-    if (error) return c.json({ success: false, error }, 400);
-    // Create an internal Authly session token too
-    const token = await createSessionToken({
-      sub: session.user?.id ?? "unknown",
-      role: session.user?.user_metadata?.role ?? "user",
-    });
-    return c.json({ success: true, session, token });
-  });
-  /** POST /api/auth/session — create a session token from credentials */
-  app.post("/api/auth/session", async (c) => {
-    const body = await c.req.json();
-    if (!body.sub) return c.json({ error: "Missing 'sub' field" }, 400);
-    const token = await createSessionToken({
-      sub: body.sub,
-      role: body.role ?? "user",
-    });
-    return c.json({ success: true, token });
-  });
-  /** GET /api/auth/me — verify session token from Authorization header */
-  app.get("/api/auth/me", authMiddleware(), (c) =>
-    c.json({ success: true, session: c.get("session") }),
-  );
   // ── Password Auth ──────────────────────────────────
-  /** POST /api/auth/register — sign up with email + password */
   app.post("/api/auth/register", async (c) => {
     const body = await c.req.json();
     const { user, token, error } = await signUp({
@@ -283,7 +276,6 @@ export async function cmdServe() {
     return c.json({ success: true, user, token });
   });
-  /** POST /api/auth/login — sign in with email + password */
   app.post("/api/auth/login", async (c) => {
     const body = await c.req.json();
     const { user, token, error } = await signIn({
@@ -294,13 +286,25 @@ export async function cmdServe() {
     return c.json({ success: true, user, token });
   });
-  /** GET /api/auth/providers — list available and enabled providers */
   app.get("/api/auth/providers", (c) => {
     const providers = getProviders();
     return c.json({ providers });
   });
-  /** POST /api/auth/magic-link/send — send magic link email */
+  app.post("/api/auth/session", async (c) => {
+    const body = await c.req.json();
+    if (!body.sub) return c.json({ error: "Missing 'sub' field" }, 400);
+    const token = await createSessionToken({
+      sub: body.sub,
+      role: body.role ?? "user",
+    });
+    return c.json({ success: true, token });
+  });
+  app.get("/api/auth/me", authMiddleware(), (c) =>
+    c.json({ success: true, session: c.get("session") }),
+  );
   app.post("/api/auth/magic-link/send", async (c) => {
     const body = await c.req.json();
     const result = await sendMagicLink({ email: body.email, callbackUrl: body.callbackUrl || "/" });
@@ -308,7 +312,6 @@ export async function cmdServe() {
     return c.json({ success: true, sent: true });
   });
-  /** POST /api/auth/magic-link/verify — verify magic link token */
   app.post("/api/auth/magic-link/verify", async (c) => {
     const body = await c.req.json();
     const { user, token, error } = await verifyMagicLink({ token: body.token });
@@ -316,26 +319,13 @@ export async function cmdServe() {
     return c.json({ success: true, user, token });
   });
-  /** GET /api/config — non-sensitive project config */
-  app.get("/api/config", async (c) => {
-    const fw = detectFramework();
-    const { roles = [], error } = await listRoles();
-    return c.json({
-      framework: fw ?? null,
-      providers: listProviderStatus(),
-      roles,
-    });
-  });
-  // ── Role management (protected) ────────────────────
-  /** GET /api/roles — list all roles */
+  // ── Role management ────────────────────────────────
   app.get("/api/roles", async (c) => {
     const { roles, error } = await listRoles();
     if (error) return c.json({ success: false, error }, 500);
     return c.json({ success: true, roles });
   });
-  /** POST /api/roles — create a new role */
   app.post("/api/roles", async (c) => {
     const { name, description } = await c.req.json();
     if (!name) return c.json({ error: "'name' is required" }, 400);
@@ -344,7 +334,6 @@ export async function cmdServe() {
     return c.json(result);
   });
-  /** POST /api/roles/:roleId/users/:userId/assign — assign role to user */
   app.post("/api/roles/:roleName/users/:userId/assign", async (c) => {
     const { roleName, userId } = c.req.param();
     const result = await assignRoleToUser(userId, roleName);
@@ -352,7 +341,6 @@ export async function cmdServe() {
     return c.json(result);
   });
-  /** DELETE /api/roles/:roleId/users/:userId/revoke — revoke role from user */
   app.delete("/api/roles/:roleName/users/:userId/revoke", async (c) => {
     const { roleName, userId } = c.req.param();
     const result = await revokeRoleFromUser(userId, roleName);
@@ -360,7 +348,6 @@ export async function cmdServe() {
     return c.json(result);
   });
-  /** GET /api/users/:userId/roles — get roles for a user */
   app.get("/api/users/:userId/roles", async (c) => {
     const { userId } = c.req.param();
     const { roles, error } = await getUserRoles(userId);
@@ -369,7 +356,6 @@ export async function cmdServe() {
   });
   // ── API Keys ───────────────────────────────────────
-  /** POST /api/keys — generate a new API key */
   app.post("/api/keys", async (c) => {
     const { client, errors } = getSupabaseClient();
     if (!client) return c.json({ success: false, errors }, 503);
@@ -389,17 +375,14 @@ export async function cmdServe() {
     });
     if (error) return c.json({ success: false, error: error.message }, 400);
-    // Return raw key ONCE — it cannot be retrieved later
     return c.json({ success: true, key: rawKey, hashesTo: keyHash });
   });
   // ── Migrations ─────────────────────────────────────
-  /** GET /api/migrations — list available migrations */
   app.get("/api/migrations", (c) =>
     c.json({ success: true, migrations: listMigrations() }),
   );
-  /** GET /api/migrations/:name/sql — get SQL for a migration */
   app.get("/api/migrations/:name/sql", (c) => {
     const { name } = c.req.param();
     const sql = getMigration(name);
@@ -407,7 +390,6 @@ export async function cmdServe() {
     return c.json({ success: true, name, sql });
   });
-  /** POST /api/migrations/:name/run — execute a migration against Supabase */
   app.post("/api/migrations/:name/run", async (c) => {
     const { client, errors } = getSupabaseClient();
     if (!client) return c.json({ success: false, errors }, 503);
@@ -421,8 +403,7 @@ export async function cmdServe() {
     return c.json({ success: true, migration: name });
   });
-  // ── Scaffold ───────────────────────────────────────
-  /** POST /api/scaffold/preview — preview generated code without writing */
+  // ── Scaffold preview only ─────────────────────────
   app.post("/api/scaffold/preview", async (c) => {
     const { type } = await c.req.json();
     if (!["login", "signup", "middleware", "route-login", "route-signup"].includes(type)) {
@@ -431,78 +412,6 @@ export async function cmdServe() {
     return c.json({ success: true, type, code: previewGenerated(type) });
   });
-  /** POST /api/scaffold/generate — write auth files to a project */
-  app.post("/api/scaffold/generate", async (c) => {
-    const { targetDir } = await c.req.json();
-    if (!targetDir) return c.json({ error: "'targetDir' is required" }, 400);
-    try {
-      const { files } = await scaffoldAuth(targetDir, { apiRoutes: true });
-      c.json({ success: true, files });
-    } catch (e) {
-      c.json({ success: false, error: e.message }, 500);
-    }
-  });
-  // ── Init ──────────────────────────────────────────
-  /** GET /api/init/scan — autodetect Supabase config in current project */
-  app.get("/api/init/scan", (c) => {
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    return c.json(scan);
-  });
-  /** POST /api/init/connect — connect with autodetected or manual config */
-  app.post("/api/init/connect", async (c) => {
-    const body = await c.req.json().catch(() => ({}));
-    // Auto-detect first
-    const projectRoot = path.resolve(process.cwd());
-    const scan = scanSupabase(projectRoot);
-    // Merge scan results with any manually provided values
-    const url = scan.url || body.supabaseUrl || process.env.SUPABASE_URL || "";
-    const anonKey = scan.anonKey || body.supabaseAnonKey || process.env.SUPABASE_ANON_KEY || "";
-    const serviceKey = scan.serviceKey || body.supabaseServiceKey || process.env.SUPABASE_SERVICE_ROLE_KEY || "";
-    // Set env vars from detected config
-    if (url) process.env.SUPABASE_URL = url;
-    if (anonKey) process.env.SUPABASE_ANON_KEY = anonKey;
-    if (serviceKey) process.env.SUPABASE_SERVICE_ROLE_KEY = serviceKey;
-    const fw = scan.framework || detectFramework();
-    if (!fw && !body.supabaseUrl) return c.json({ success: false, error: "No Next.js project detected" }, 400);
-    // Generate .env.local if needed
-    if (!fs.existsSync(".env.local")) {
-      await generateEnv(".env.local");
-    }
-    // Write authly.config.json
-    const config = {
-      framework: fw || "unknown",
-      supabase: {
-        url,
-        projectRef: scan.projectRef || "",
-        anonKey: anonKey ? "set" : "",
-        serviceKey: serviceKey ? "set" : "",
-        autoDetected: scan.detected,
-        sources: scan.sources,
-      },
-    };
-    fs.writeFileSync("authly.config.json", JSON.stringify(config, null, 2) + "\n");
-    return c.json({
-      success: true,
-      framework: fw,
-      supabase: {
-        url,
-        detected: scan.detected,
-        canConnect: scan.canConnect,
-        sources: scan.sources,
-      },
-    });
-  });
   // ── MCP (beta) ─────────────────────────────────────
   mountMcp(app);
@@ -510,13 +419,11 @@ export async function cmdServe() {
   app.post("/api/audit", async (c) => {
     const issues = [];
-    // Env vars
     for (const key of ["SUPABASE_URL", "SUPABASE_ANON_KEY", "AUTHLY_SECRET"]) {
       if (!process.env[key]) issues.push({ check: key, status: "fail", detail: "not set" });
       else issues.push({ check: key, status: "ok" });
     }
-    // Supabase connection
     const { client } = getSupabaseClient();
     if (client) {
       const { error } = await client
@@ -542,7 +449,7 @@ export async function cmdServe() {
     }
     return c.json({
       name: "authly",
-      version: "0.1.0",
+      version: "0.4.0",
       docs: "/api/health",
     });
   });