@smittdev/next-jwt-auth 0.1.0

package/dist/index.js

@@ -0,0 +1,1128 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/commands/init.ts
+var import_prompts = __toESM(require("prompts"));
+var import_picocolors2 = __toESM(require("picocolors"));
+
+// src/utils/fs.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+function fileExists(filePath) {
+  return import_fs.default.existsSync(filePath);
+}
+function dirExists(dirPath) {
+  try {
+    return import_fs.default.existsSync(dirPath) && import_fs.default.statSync(dirPath).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function readJson(filePath) {
+  try {
+    const content = import_fs.default.readFileSync(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+function resolveCwd(...segments) {
+  return import_path.default.resolve(process.cwd(), ...segments);
+}
+
+// src/steps/detect.ts
+function parseMajorVersion(versionStr) {
+  if (!versionStr) return 0;
+  const cleaned = versionStr.replace(/^[\^~>=<\s]+/, "");
+  const major = parseInt(cleaned.split(".")[0], 10);
+  return isNaN(major) ? 0 : major;
+}
+function detectProject() {
+  const hasPackageJson = fileExists(resolveCwd("package.json"));
+  const pkg = hasPackageJson ? readJson(resolveCwd("package.json")) : null;
+  const deps = {
+    ...pkg?.dependencies ?? {},
+    ...pkg?.devDependencies ?? {}
+  };
+  const hasNext = "next" in deps;
+  const nextVersion = typeof deps["next"] === "string" ? deps["next"] : null;
+  const hasZod = "zod" in deps;
+  const hasSrcApp = dirExists(resolveCwd("src", "app"));
+  const hasRootApp = dirExists(resolveCwd("app"));
+  const hasAppRouter = hasSrcApp || hasRootApp;
+  const srcDir = hasSrcApp && !hasRootApp;
+  const hasTypeScript = fileExists(resolveCwd("tsconfig.json"));
+  const packageManager = fileExists(
+    resolveCwd("pnpm-lock.yaml")
+  ) ? "pnpm" : fileExists(resolveCwd("yarn.lock")) ? "yarn" : "npm";
+  return {
+    hasPackageJson,
+    hasNext,
+    hasAppRouter,
+    hasTypeScript,
+    hasZod,
+    packageManager,
+    nextVersion,
+    srcDir
+  };
+}
+function detectConflicts(targetDir, srcDir, nextMajorVersion) {
+  const authTsPath = srcDir ? resolveCwd("src", "auth.ts") : resolveCwd("auth.ts");
+  const middlewareFileName = nextMajorVersion >= 16 ? "proxy.ts" : "middleware.ts";
+  const middlewarePath = srcDir ? resolveCwd("src", middlewareFileName) : resolveCwd(middlewareFileName);
+  return {
+    authDirExists: dirExists(resolveCwd(targetDir)),
+    authTsExists: fileExists(authTsPath),
+    middlewareExists: fileExists(middlewarePath)
+  };
+}
+function detectTsConfigAlias() {
+  const tsconfigPath = resolveCwd("tsconfig.json");
+  if (!fileExists(tsconfigPath)) return "@/";
+  const tsconfig = readJson(tsconfigPath);
+  if (!tsconfig) return "@/";
+  const paths = tsconfig?.compilerOptions?.paths;
+  if (!paths || typeof paths !== "object") return "@/";
+  const rootMappings = ["./*", "./src/*", "src/*"];
+  for (const [aliasPattern, targets] of Object.entries(paths)) {
+    if (!Array.isArray(targets)) continue;
+    const mapsToRoot = targets.some((t) => rootMappings.includes(t));
+    if (!mapsToRoot) continue;
+    if (aliasPattern.endsWith("*")) {
+      return aliasPattern.slice(0, -1);
+    }
+  }
+  return "@/";
+}
+function detectExistingAuthDir() {
+  const markerFile = "index.ts";
+  const candidates = [
+    "lib/auth",
+    "src/lib/auth",
+    "app/lib/auth",
+    "src/app/lib/auth",
+    "auth",
+    "src/auth"
+  ];
+  for (const candidate of candidates) {
+    if (fileExists(resolveCwd(candidate, markerFile))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+
+// src/steps/copy-files.ts
+var import_path2 = __toESM(require("path"));
+var import_fs_extra = __toESM(require("fs-extra"));
+
+// src/utils/logger.ts
+var import_picocolors = __toESM(require("picocolors"));
+var logger = {
+  info: (msg) => console.log(import_picocolors.default.cyan("  \u2139 ") + msg),
+  success: (msg) => console.log(import_picocolors.default.green("  \u2714 ") + msg),
+  warn: (msg) => console.log(import_picocolors.default.yellow("  \u26A0 ") + msg),
+  error: (msg) => console.log(import_picocolors.default.red("  \u2716 ") + msg),
+  step: (msg) => console.log(import_picocolors.default.blue("  \u2192 ") + msg),
+  dim: (msg) => console.log(import_picocolors.default.gray("    " + msg)),
+  break: () => console.log(),
+  banner() {
+    console.log();
+    console.log(
+      "  " + import_picocolors.default.bold(import_picocolors.default.cyan("@ss/next-jwt-auth")) + import_picocolors.default.gray("  v0.1.0")
+    );
+    console.log(
+      import_picocolors.default.gray("  JWT authentication scaffolder for Next.js App Router")
+    );
+    console.log();
+  },
+  done() {
+    console.log();
+    console.log("  " + import_picocolors.default.bold(import_picocolors.default.green("\u2714 Auth scaffold complete!")));
+    console.log();
+  },
+  nextSteps(authDir, hasMiddleware) {
+    console.log(import_picocolors.default.bold("  Next steps:"));
+    console.log();
+    console.log(
+      "  1. Open " + import_picocolors.default.cyan("auth.ts") + " and implement your three adapter functions"
+    );
+    console.log(
+      "     " + import_picocolors.default.gray("login()  \xB7  refreshToken()  \xB7  fetchUser()")
+    );
+    console.log();
+    console.log(
+      "  2. Wrap your root layout with " + import_picocolors.default.cyan("<AuthProvider actions={auth.actions}>")
+    );
+    console.log();
+    console.log("  3. Use server helpers in Server Components:");
+    console.log("     " + import_picocolors.default.cyan(`import { auth } from "@/auth"`));
+    console.log(
+      "     " + import_picocolors.default.gray(
+        "auth.getSession()  \xB7  auth.requireSession()  \xB7  auth.getUser()"
+      )
+    );
+    console.log();
+    if (hasMiddleware) {
+      console.log(
+        "  4. Edit " + import_picocolors.default.cyan("middleware.ts") + " to configure your protected and public routes"
+      );
+      console.log();
+    }
+    console.log(
+      "  " + import_picocolors.default.gray("Library installed at: ") + import_picocolors.default.cyan(authDir + "/")
+    );
+    console.log();
+  }
+};
+
+// src/steps/copy-files.ts
+async function copyLibraryFiles(targetDir) {
+  const sourceDir = import_path2.default.join(__dirname, "files", "lib", "auth");
+  const destDir = resolveCwd(targetDir);
+  await import_fs_extra.default.ensureDir(destDir);
+  await import_fs_extra.default.copy(sourceDir, destDir, { overwrite: true });
+  logger.success(`Library files copied to ${targetDir}/`);
+}
+
+// src/steps/generate-auth.ts
+var import_fs_extra2 = __toESM(require("fs-extra"));
+var import_path3 = __toESM(require("path"));
+async function generateAuthFile(authDir, srcDir, alias = "@/") {
+  const importSegment = srcDir && authDir.startsWith("src/") ? authDir.slice("src/".length) : authDir;
+  const importPath = `${alias}${importSegment}`;
+  const authFilePath = srcDir ? resolveCwd("src", "auth.ts") : resolveCwd("auth.ts");
+  await import_fs_extra2.default.ensureDir(import_path3.default.dirname(authFilePath));
+  const content = `import { Auth } from "${importPath}";
+
+/**
+ * Extend SessionUser with your own fields via module augmentation.
+ *
+ * Any fields you add here will be fully typed everywhere in your app:
+ *   - session.user.name in Server Components
+ *   - session.user in useSession() on the client
+ *   - session.user in middleware
+ *
+ * Example:
+ *
+ *   declare module "${importPath}" {
+ *     interface SessionUser {
+ *       name: string;
+ *       role: "admin" | "user";
+ *       avatarUrl?: string;
+ *     }
+ *   }
+ */
+
+export const auth = Auth({
+  adapter: {
+    /**
+     * Called when the user submits your login form.
+     * Receives whatever credentials object you pass to login().
+     * Must return { accessToken, refreshToken } or throw an Error.
+     *
+     * Example:
+     *   const res = await fetch("https://your-api.com/auth/login", {
+     *     method: "POST",
+     *     headers: { "Content-Type": "application/json" },
+     *     body: JSON.stringify(credentials),
+     *   });
+     *   if (!res.ok) throw new Error("Invalid credentials");
+     *   return res.json(); // { accessToken: "...", refreshToken: "..." }
+     */
+    async login(credentials) {
+      throw new Error("login() not implemented \u2014 edit auth.ts to connect your API");
+    },
+
+    /**
+     * Called automatically when the access token is near expiry.
+     * Receives the current refresh token.
+     * Must return { accessToken, refreshToken } or throw an Error.
+     *
+     * Example:
+     *   const res = await fetch("https://your-api.com/auth/refresh", {
+     *     method: "POST",
+     *     headers: { "Content-Type": "application/json" },
+     *     body: JSON.stringify({ refreshToken }),
+     *   });
+     *   if (!res.ok) throw new Error("Session expired");
+     *   return res.json(); // { accessToken: "...", refreshToken: "..." }
+     */
+    async refreshToken(refreshToken) {
+      throw new Error("refreshToken() not implemented \u2014 edit auth.ts to connect your API");
+    },
+
+    /**
+     * Called after login and refresh to hydrate the user object.
+     * Receives the fresh access token.
+     * Must return an object with at least { id: string, email: string }.
+     * Add extra fields by extending SessionUser above.
+     *
+     * Example:
+     *   const res = await fetch("https://your-api.com/me", {
+     *     headers: { Authorization: \`Bearer \${accessToken}\` },
+     *   });
+     *   if (!res.ok) throw new Error("Failed to fetch user");
+     *   return res.json(); // { id: "1", email: "user@example.com", name: "..." }
+     */
+    async fetchUser(accessToken) {
+      throw new Error("fetchUser() not implemented \u2014 edit auth.ts to connect your API");
+    },
+
+    /**
+     * Optional: called on logout to invalidate the refresh token server-side.
+     * If omitted, only the httpOnly cookies are cleared on logout.
+     *
+     * Example:
+     *   await fetch("https://your-api.com/auth/logout", {
+     *     method: "POST",
+     *     headers: { "Content-Type": "application/json" },
+     *     body: JSON.stringify({ refreshToken: tokens.refreshToken }),
+     *   });
+     */
+    // async logout(tokens) {},
+  },
+
+  /**
+   * All configuration below is optional \u2014 defaults shown.
+   */
+
+  // Enable verbose debug logging in development
+  // debug: process.env.NODE_ENV === "development",
+
+  // cookies: {
+  //   name: "auth-session",          // Generates "auth-session.access" + "auth-session.refresh" cookies
+  //   secure: true,                  // Defaults to true in production, false in development
+  //   sameSite: "lax",
+  //   path: "/",
+  //   domain: undefined,             // Set for cross-subdomain auth
+  // },
+
+  // refresh: {
+  //   refreshThresholdSeconds: 120,  // Refresh when < 2 minutes remain on the access token
+  // },
+
+  // pages: {
+  //   signIn: "/login",              // Where to redirect unauthenticated users
+  //   afterSignIn: "/dashboard",     // Where to redirect after successful login
+  //   afterSignOut: "/",             // Where to redirect after logout
+  // },
+});
+`;
+  await import_fs_extra2.default.writeFile(authFilePath, content, "utf-8");
+  const displayPath = srcDir ? "src/auth.ts" : "auth.ts";
+  logger.success(`Generated ${displayPath}`);
+}
+
+// src/steps/generate-middleware.ts
+var import_fs_extra3 = __toESM(require("fs-extra"));
+var import_path4 = __toESM(require("path"));
+function parseMajorVersion2(versionStr) {
+  if (!versionStr) return 0;
+  const cleaned = versionStr.replace(/^[\^~>=<\s]+/, "");
+  const major = parseInt(cleaned.split(".")[0], 10);
+  return isNaN(major) ? 0 : major;
+}
+async function generateMiddlewareFile(srcDir, nextVersion, alias = "@/") {
+  const majorVersion = parseMajorVersion2(nextVersion);
+  const fileName = majorVersion >= 16 ? "proxy.ts" : "middleware.ts";
+  const fileDir = srcDir ? resolveCwd("src") : resolveCwd(".");
+  const filePath = import_path4.default.join(fileDir, fileName);
+  await import_fs_extra3.default.ensureDir(fileDir);
+  const authImport = srcDir ? `${alias}auth` : `./auth`;
+  const content = `import { NextRequest, NextResponse } from "next/server";
+import { auth } from "${authImport}";
+
+/**
+ * ${fileName} \u2014 Route protection via @ss/next-jwt-auth
+ *
+ * The middleware runs on every request matched by config.matcher below.
+ * It silently refreshes expired access tokens so sessions stay alive.
+ *
+ * HOW IT WORKS:
+ *   1. resolveAuth() reads cookies, verifies the access token, and refreshes
+ *      it transparently if it is near expiry or expired.
+ *   2. session.isAuthenticated \u2014 true if a valid session exists.
+ *   3. session.response(base) \u2014 writes refreshed token cookies onto your response.
+ *      Always wrap your final NextResponse with this.
+ *   4. session.redirect(url) \u2014 redirects and clears session cookies.
+ *      Use this when sending unauthenticated users to the login page.
+ *
+ * \u2500\u2500\u2500 PROTECTING ROUTES \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+ *
+ * Uncomment and adapt the examples below to match your route structure.
+ * auth.matchesPath() supports wildcards: "/dashboard/:path*" matches all sub-routes.
+ *
+ * Example \u2014 redirect unauthenticated users away from protected routes:
+ *
+ *   if (!session.isAuthenticated && auth.matchesPath(pathname, ["/dashboard/:path*", "/settings/:path*"])) {
+ *     const loginUrl = new URL("/login", request.url);
+ *     loginUrl.searchParams.set("callbackUrl", pathname);
+ *     return session.redirect(loginUrl);
+ *   }
+ *
+ * Example \u2014 redirect authenticated users away from public-only routes:
+ *
+ *   if (session.isAuthenticated && auth.matchesPath(pathname, ["/login", "/register"])) {
+ *     return session.response(NextResponse.redirect(new URL("/", request.url)));
+ *   }
+ *
+ * \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+ */
+
+const resolveAuth = auth.createMiddleware();
+
+export default async function ${majorVersion >= 16 ? "proxy" : "middleware"}(request: NextRequest) {
+  const session = await resolveAuth(request);
+  const { pathname } = request.nextUrl;
+
+  // Add your route protection logic here.
+  // See the comments above for examples.
+
+  // Pass through \u2014 always wrap with session.response() to write refreshed cookies
+  return session.response(NextResponse.next());
+}
+
+export const config = {
+  // Run on all routes except Next.js internals and static files
+  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+};
+`;
+  await import_fs_extra3.default.writeFile(filePath, content, "utf-8");
+  const displayPath = srcDir ? `src/${fileName}` : fileName;
+  logger.success(`Generated ${displayPath}`);
+  return { fileName, filePath };
+}
+
+// src/steps/install-deps.ts
+var import_child_process = require("child_process");
+function installDeps(packageManager, packages) {
+  if (packages.length === 0) return;
+  const cmd = packageManager === "pnpm" ? `pnpm add ${packages.join(" ")}` : packageManager === "yarn" ? `yarn add ${packages.join(" ")}` : `npm install ${packages.join(" ")}`;
+  logger.step(`Installing dependencies: ${packages.join(", ")}`);
+  try {
+    (0, import_child_process.execSync)(cmd, { stdio: "inherit", cwd: process.cwd() });
+    logger.success(`Installed: ${packages.join(", ")}`);
+  } catch {
+    logger.error(`Auto-install failed. Run this manually:
+
+    ${cmd}
+`);
+  }
+}
+
+// src/commands/init.ts
+async function init() {
+  logger.banner();
+  const project = detectProject();
+  if (!project.hasPackageJson) {
+    logger.error(
+      "No package.json found in the current directory.\n    Make sure you are running this command from your project root."
+    );
+    process.exit(1);
+  }
+  if (!project.hasNext) {
+    logger.warn(
+      "Next.js was not found in your dependencies.\n    This library requires Next.js 14+ with App Router."
+    );
+    logger.break();
+  }
+  if (!project.hasAppRouter) {
+    logger.warn(
+      "No app/ directory detected \u2014 App Router is required.\n    If you are using src/app/, that is fine and will be auto-detected."
+    );
+    logger.break();
+  }
+  const nextMajor = parseMajorVersion(project.nextVersion);
+  const middlewareFileName = nextMajor >= 16 ? "proxy.ts" : "middleware.ts";
+  const alias = detectTsConfigAlias();
+  if (project.hasNext) {
+    const version = project.nextVersion ? import_picocolors2.default.gray(`(${project.nextVersion})`) : "";
+    logger.info(
+      `Detected: Next.js ${version}  \xB7  ${project.hasAppRouter ? import_picocolors2.default.green("App Router \u2714") : import_picocolors2.default.yellow("App Router?")}  \xB7  ${project.hasTypeScript ? import_picocolors2.default.green("TypeScript \u2714") : import_picocolors2.default.yellow("JavaScript")}  \xB7  ${project.srcDir ? import_picocolors2.default.cyan("src/ layout") : "root layout"}`
+    );
+    logger.dim(`Package manager: ${project.packageManager}`);
+    logger.dim(
+      `Import alias:     ${alias}  ${alias !== "@/" ? import_picocolors2.default.yellow("(custom \u2014 detected from tsconfig.json)") : import_picocolors2.default.gray("(default)")} `
+    );
+    if (nextMajor >= 16) {
+      logger.dim(
+        `Next.js >= 16 detected \u2014 will generate proxy.ts instead of middleware.ts`
+      );
+    }
+    logger.break();
+  }
+  const answers = await (0, import_prompts.default)(
+    [
+      {
+        type: "text",
+        name: "authDir",
+        message: "Where should the auth library be placed?",
+        initial: project.srcDir ? "src/lib/auth" : "lib/auth",
+        validate: (val) => val.trim().length > 0 ? true : "Path cannot be empty"
+      },
+      {
+        type: "confirm",
+        name: "generateMiddleware",
+        message: `Generate ${middlewareFileName} with route protection scaffold?`,
+        initial: true
+      },
+      ...project.hasZod ? [] : [
+        {
+          type: "confirm",
+          name: "installZod",
+          message: `Install zod? ${import_picocolors2.default.gray("(required peer dependency)")}`,
+          initial: true
+        }
+      ]
+    ],
+    {
+      onCancel: () => {
+        logger.break();
+        logger.error("Setup cancelled.");
+        logger.break();
+        process.exit(0);
+      }
+    }
+  );
+  if (project.hasZod) answers.installZod = false;
+  logger.break();
+  const conflicts = detectConflicts(
+    answers.authDir,
+    project.srcDir,
+    nextMajor
+  );
+  if (conflicts.authDirExists) {
+    const { overwrite } = await (0, import_prompts.default)({
+      type: "confirm",
+      name: "overwrite",
+      message: `${import_picocolors2.default.yellow(answers.authDir)}/ already exists. Overwrite?`,
+      initial: false
+    });
+    if (!overwrite) {
+      logger.error("Aborted \u2014 existing directory was not modified.");
+      process.exit(0);
+    }
+    logger.break();
+  }
+  if (conflicts.authTsExists) {
+    const { overwriteAuth } = await (0, import_prompts.default)({
+      type: "confirm",
+      name: "overwriteAuth",
+      message: `${import_picocolors2.default.yellow(project.srcDir ? "src/auth.ts" : "auth.ts")} already exists. Overwrite?`,
+      initial: false
+    });
+    answers.skipAuthTs = !overwriteAuth;
+    if (answers.skipAuthTs)
+      logger.warn("Skipping auth.ts \u2014 existing file preserved.");
+    logger.break();
+  }
+  if (answers.generateMiddleware && conflicts.middlewareExists) {
+    const displayName = project.srcDir ? `src/${middlewareFileName}` : middlewareFileName;
+    const { overwriteMiddleware } = await (0, import_prompts.default)({
+      type: "confirm",
+      name: "overwriteMiddleware",
+      message: `${import_picocolors2.default.yellow(displayName)} already exists. Overwrite?`,
+      initial: false
+    });
+    if (!overwriteMiddleware) {
+      answers.generateMiddleware = false;
+      logger.warn(`Skipping ${middlewareFileName} \u2014 existing file preserved.`);
+      logger.break();
+    }
+  }
+  logger.info("Scaffolding auth library...");
+  logger.break();
+  await copyLibraryFiles(answers.authDir);
+  if (!answers.skipAuthTs) {
+    await generateAuthFile(answers.authDir, project.srcDir, alias);
+  }
+  if (answers.generateMiddleware) {
+    await generateMiddlewareFile(project.srcDir, project.nextVersion, alias);
+  }
+  if (answers.installZod) {
+    logger.break();
+    installDeps(project.packageManager, ["zod"]);
+  }
+  logger.done();
+  logger.nextSteps(
+    answers.authDir,
+    answers.generateMiddleware
+  );
+}
+
+// src/commands/update.ts
+var import_prompts2 = __toESM(require("prompts"));
+var import_picocolors3 = __toESM(require("picocolors"));
+var import_path5 = __toESM(require("path"));
+var import_fs_extra4 = __toESM(require("fs-extra"));
+function listFilesRecursive(dir) {
+  if (!import_fs_extra4.default.existsSync(dir)) return [];
+  const results = [];
+  function walk(current) {
+    const entries = import_fs_extra4.default.readdirSync(current, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = import_path5.default.join(current, entry.name);
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else {
+        results.push(import_path5.default.relative(dir, fullPath));
+      }
+    }
+  }
+  walk(dir);
+  return results.sort();
+}
+function diffSnapshots(beforeDir, afterDir, files) {
+  const added = [];
+  const removed = [];
+  const modified = [];
+  const afterFiles = new Set(listFilesRecursive(afterDir));
+  const beforeFiles = new Set(files);
+  for (const file of afterFiles) {
+    if (!beforeFiles.has(file)) {
+      added.push(file);
+    } else {
+      const beforeSize = import_fs_extra4.default.statSync(import_path5.default.join(beforeDir, file)).size;
+      const afterSize = import_fs_extra4.default.statSync(import_path5.default.join(afterDir, file)).size;
+      if (beforeSize !== afterSize) {
+        modified.push(file);
+      }
+    }
+  }
+  for (const file of beforeFiles) {
+    if (!afterFiles.has(file)) {
+      removed.push(file);
+    }
+  }
+  return { added, removed, modified };
+}
+async function update(dryRun = false) {
+  logger.banner();
+  if (dryRun) {
+    logger.info("Dry run \u2014 no files will be written.");
+  } else {
+    logger.info("Updating scaffolded library files...");
+  }
+  logger.break();
+  const project = detectProject();
+  if (!project.hasPackageJson) {
+    logger.error(
+      "No package.json found. Make sure you are running this from your project root."
+    );
+    process.exit(1);
+  }
+  const detected = detectExistingAuthDir();
+  let authDir;
+  if (detected) {
+    logger.info(`Found existing installation at: ${import_picocolors3.default.cyan(detected + "/")}`);
+    logger.break();
+    if (!dryRun) {
+      const { confirm } = await (0, import_prompts2.default)({
+        type: "confirm",
+        name: "confirm",
+        message: `Update files in ${import_picocolors3.default.cyan(detected + "/")}?`,
+        initial: true
+      });
+      if (!confirm) {
+        logger.break();
+        logger.error("Update cancelled.");
+        process.exit(0);
+      }
+    }
+    authDir = detected;
+  } else {
+    logger.warn(
+      "Could not auto-detect an existing installation.\n    Common locations checked: lib/auth, src/lib/auth, auth, src/auth"
+    );
+    logger.break();
+    const { manualDir } = await (0, import_prompts2.default)(
+      {
+        type: "text",
+        name: "manualDir",
+        message: "Enter the path where the library is installed:",
+        initial: project.srcDir ? "src/lib/auth" : "lib/auth",
+        validate: (val) => {
+          if (!val.trim()) return "Path cannot be empty";
+          if (!import_fs_extra4.default.existsSync(resolveCwd(val))) {
+            return `Directory not found: ${val}`;
+          }
+          return true;
+        }
+      },
+      {
+        onCancel: () => {
+          logger.break();
+          logger.error("Update cancelled.");
+          process.exit(0);
+        }
+      }
+    );
+    authDir = manualDir;
+  }
+  logger.break();
+  const destDir = resolveCwd(authDir);
+  const beforeFiles = listFilesRecursive(destDir);
+  const sourceDir = import_path5.default.join(__dirname, "files", "lib", "auth");
+  let added, removed, modified;
+  if (dryRun) {
+    ({ added, removed, modified } = diffSnapshots(destDir, sourceDir, beforeFiles));
+  } else {
+    logger.step("Copying updated library files...");
+    const tempDir = import_path5.default.join(
+      require("os").tmpdir(),
+      `next-jwt-auth-backup-${Date.now()}`
+    );
+    await import_fs_extra4.default.copy(destDir, tempDir, { overwrite: true });
+    try {
+      await copyLibraryFiles(authDir);
+    } catch (error) {
+      await import_fs_extra4.default.copy(tempDir, destDir, { overwrite: true });
+      await import_fs_extra4.default.remove(tempDir);
+      logger.error(
+        `Update failed \u2014 original files restored.
+    ${error instanceof Error ? error.message : String(error)}`
+      );
+      process.exit(1);
+    }
+    ({ added, removed, modified } = diffSnapshots(tempDir, destDir, beforeFiles));
+    await import_fs_extra4.default.remove(tempDir);
+  }
+  logger.break();
+  if (dryRun) {
+    logger.info("Dry run complete \u2014 no files were modified.");
+  } else {
+    logger.success("Library files updated!");
+  }
+  logger.break();
+  const totalChanges = added.length + removed.length + modified.length;
+  if (totalChanges === 0) {
+    logger.dim(
+      dryRun ? "No file changes \u2014 already up to date." : "No file changes \u2014 you were already on the latest version."
+    );
+  } else {
+    if (modified.length > 0) {
+      console.log(import_picocolors3.default.bold(dryRun ? "  Would update:" : "  Updated:"));
+      modified.forEach((f) => logger.dim(`${import_picocolors3.default.yellow("~")} ${f}`));
+      logger.break();
+    }
+    if (added.length > 0) {
+      console.log(import_picocolors3.default.bold(dryRun ? "  Would add:" : "  Added:"));
+      added.forEach((f) => logger.dim(`${import_picocolors3.default.green("+")} ${f}`));
+      logger.break();
+    }
+    if (removed.length > 0) {
+      console.log(import_picocolors3.default.bold(dryRun ? "  Would remove:" : "  Removed:"));
+      removed.forEach((f) => logger.dim(`${import_picocolors3.default.red("-")} ${f}`));
+      logger.break();
+    }
+  }
+  const authTsPath = project.srcDir ? "src/auth.ts" : "auth.ts";
+  if (!dryRun && fileExists(resolveCwd(authTsPath))) {
+    logger.dim(
+      `${import_picocolors3.default.green("\u2714")} ${authTsPath} preserved \u2014 your adapter was not modified.`
+    );
+    logger.break();
+  }
+  const alias = detectTsConfigAlias();
+  logger.dim(`Import alias in use: ${import_picocolors3.default.cyan(alias)}`);
+  logger.dim(
+    "If your import alias has changed since you ran init, re-run " + import_picocolors3.default.cyan("npx @ss/next-jwt-auth init") + " to regenerate auth.ts and middleware.ts."
+  );
+  logger.break();
+}
+
+// src/commands/check.ts
+var import_picocolors4 = __toESM(require("picocolors"));
+var import_fs_extra5 = __toESM(require("fs-extra"));
+function readFileSafe(filePath) {
+  try {
+    return import_fs_extra5.default.readFileSync(filePath, "utf-8");
+  } catch {
+    return null;
+  }
+}
+function printResult(result) {
+  const icon = result.status === "pass" ? import_picocolors4.default.green("  \u2714") : result.status === "warn" ? import_picocolors4.default.yellow("  \u26A0") : result.status === "fail" ? import_picocolors4.default.red("  \u2716") : import_picocolors4.default.gray("  \u2013");
+  const label = result.status === "pass" ? import_picocolors4.default.white(result.label) : result.status === "warn" ? import_picocolors4.default.yellow(result.label) : result.status === "fail" ? import_picocolors4.default.red(result.label) : import_picocolors4.default.gray(result.label);
+  console.log(`${icon}  ${label}`);
+  if (result.detail) {
+    console.log(`       ${import_picocolors4.default.gray(result.detail)}`);
+  }
+  if (result.hint) {
+    console.log(`       ${import_picocolors4.default.cyan("\u2192")} ${import_picocolors4.default.gray(result.hint)}`);
+  }
+}
+function checkAuthDirExists(authDir) {
+  if (!authDir) {
+    return {
+      label: "Library installation not found",
+      status: "fail",
+      detail: "Checked: lib/auth, src/lib/auth, auth, src/auth",
+      hint: "Run: npx @ss/next-jwt-auth init"
+    };
+  }
+  return {
+    label: `Library found at ${authDir}/`,
+    status: "pass"
+  };
+}
+function checkAuthTsExists(srcDir) {
+  const authTsPath = srcDir ? resolveCwd("src", "auth.ts") : resolveCwd("auth.ts");
+  const displayPath = srcDir ? "src/auth.ts" : "auth.ts";
+  if (!fileExists(authTsPath)) {
+    return {
+      label: `${displayPath} not found`,
+      status: "fail",
+      hint: "Run: npx @ss/next-jwt-auth init  (it generates auth.ts for you)"
+    };
+  }
+  return {
+    label: `${displayPath} exists`,
+    status: "pass"
+  };
+}
+function checkAdapterImplemented(srcDir) {
+  const authTsPath = srcDir ? resolveCwd("src", "auth.ts") : resolveCwd("auth.ts");
+  const displayPath = srcDir ? "src/auth.ts" : "auth.ts";
+  const content = readFileSafe(authTsPath);
+  if (!content) {
+    return {
+      label: "Adapter implementation check skipped",
+      status: "skip",
+      detail: `${displayPath} could not be read`
+    };
+  }
+  const stubs = [
+    { fn: "login()", marker: "login() not implemented" },
+    { fn: "refreshToken()", marker: "refreshToken() not implemented" },
+    { fn: "fetchUser()", marker: "fetchUser() not implemented" }
+  ];
+  const unimplemented = stubs.filter(({ marker }) => content.includes(marker)).map(({ fn }) => fn);
+  if (unimplemented.length === 0) {
+    return {
+      label: "Adapter functions implemented",
+      status: "pass"
+    };
+  }
+  return {
+    label: `Adapter stubs not yet implemented: ${unimplemented.join(", ")}`,
+    status: "warn",
+    hint: `Open ${displayPath} and replace the throw stubs with your API calls`
+  };
+}
+function checkAuthProviderInLayout(srcDir) {
+  const layoutCandidates = srcDir ? [
+    resolveCwd("src", "app", "layout.tsx"),
+    resolveCwd("src", "app", "layout.ts")
+  ] : [resolveCwd("app", "layout.tsx"), resolveCwd("app", "layout.ts")];
+  for (const layoutPath of layoutCandidates) {
+    const content = readFileSafe(layoutPath);
+    if (!content) continue;
+    if (content.includes("AuthProvider")) {
+      return {
+        label: "AuthProvider found in root layout",
+        status: "pass"
+      };
+    }
+    return {
+      label: "AuthProvider not found in root layout",
+      status: "warn",
+      detail: `Found layout at ${layoutPath.replace(resolveCwd(), ".")} but AuthProvider is missing`,
+      hint: "Wrap your layout's children with <AuthProvider actions={auth.actions}>"
+    };
+  }
+  return {
+    label: "Root layout check skipped",
+    status: "skip",
+    detail: "Could not find app/layout.tsx or src/app/layout.tsx"
+  };
+}
+function checkMiddleware(srcDir, nextMajor) {
+  const fileName = nextMajor >= 16 ? "proxy.ts" : "middleware.ts";
+  const middlewarePath = srcDir ? resolveCwd("src", fileName) : resolveCwd(fileName);
+  const displayPath = srcDir ? `src/${fileName}` : fileName;
+  if (!fileExists(middlewarePath)) {
+    return {
+      label: `${displayPath} not found`,
+      status: "warn",
+      detail: "Without middleware, tokens won't be silently refreshed between page navigations",
+      hint: `Run: npx @ss/next-jwt-auth init  and choose to generate ${fileName}`
+    };
+  }
+  const content = readFileSafe(middlewarePath);
+  if (!content) {
+    return {
+      label: `${displayPath} exists (could not read)`,
+      status: "skip"
+    };
+  }
+  const hasCreateMiddleware = content.includes("createMiddleware");
+  const hasMatcher = content.includes("matcher");
+  const hasSessionResponse = content.includes("session.response");
+  if (!hasCreateMiddleware) {
+    return {
+      label: `${displayPath} found but createMiddleware() is missing`,
+      status: "warn",
+      detail: "The middleware won't refresh tokens without calling auth.createMiddleware()",
+      hint: "Re-generate with: npx @ss/next-jwt-auth init"
+    };
+  }
+  if (!hasSessionResponse) {
+    return {
+      label: `${displayPath} found but session.response() is missing`,
+      status: "warn",
+      detail: "Token cookies won't be written back without wrapping your response",
+      hint: "Return session.response(NextResponse.next()) instead of NextResponse.next()"
+    };
+  }
+  if (!hasMatcher) {
+    return {
+      label: `${displayPath} found but config.matcher is missing`,
+      status: "warn",
+      hint: 'Add: export const config = { matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"] }'
+    };
+  }
+  return {
+    label: `${displayPath} looks correct`,
+    status: "pass"
+  };
+}
+function checkImportAlias(srcDir) {
+  const detectedAlias = detectTsConfigAlias();
+  const authTsPath = srcDir ? resolveCwd("src", "auth.ts") : resolveCwd("auth.ts");
+  const displayPath = srcDir ? "src/auth.ts" : "auth.ts";
+  const content = readFileSafe(authTsPath);
+  if (!content) {
+    return {
+      label: "Import alias check skipped",
+      status: "skip",
+      detail: `${displayPath} could not be read`
+    };
+  }
+  const match = content.match(/from\s+["']([^"']+)["']/);
+  if (!match) {
+    return {
+      label: "Import alias check skipped",
+      status: "skip",
+      detail: "Could not parse import path from auth.ts"
+    };
+  }
+  const usedAlias = match[1].replace(/lib\/auth.*$/, "").replace(/auth.*$/, "");
+  if (usedAlias === detectedAlias) {
+    return {
+      label: `Import alias matches tsconfig (${import_picocolors4.default.cyan(detectedAlias)})`,
+      status: "pass"
+    };
+  }
+  return {
+    label: "Import alias mismatch",
+    status: "warn",
+    detail: `auth.ts uses "${usedAlias}" but tsconfig.json configures "${detectedAlias}"`,
+    hint: "Re-run: npx @ss/next-jwt-auth init  to regenerate auth.ts with the correct alias"
+  };
+}
+async function check() {
+  logger.banner();
+  console.log(import_picocolors4.default.bold("  Checking your next-jwt-auth setup...\n"));
+  const project = detectProject();
+  if (!project.hasPackageJson) {
+    logger.error("No package.json found. Run from your project root.");
+    process.exit(1);
+  }
+  const nextMajor = parseInt(
+    (project.nextVersion ?? "0").replace(/^[\^~>=<\s]+/, "").split(".")[0],
+    10
+  );
+  const authDir = detectExistingAuthDir();
+  const results = [
+    checkAuthDirExists(authDir),
+    checkAuthTsExists(project.srcDir),
+    checkAdapterImplemented(project.srcDir),
+    checkAuthProviderInLayout(project.srcDir),
+    checkMiddleware(project.srcDir, isNaN(nextMajor) ? 0 : nextMajor),
+    checkImportAlias(project.srcDir)
+  ];
+  results.forEach(printResult);
+  logger.break();
+  const passed = results.filter((r) => r.status === "pass").length;
+  const warned = results.filter((r) => r.status === "warn").length;
+  const failed = results.filter((r) => r.status === "fail").length;
+  const skipped = results.filter((r) => r.status === "skip").length;
+  const parts = [];
+  if (passed) parts.push(import_picocolors4.default.green(`${passed} passed`));
+  if (warned)
+    parts.push(import_picocolors4.default.yellow(`${warned} warning${warned > 1 ? "s" : ""}`));
+  if (failed) parts.push(import_picocolors4.default.red(`${failed} failed`));
+  if (skipped) parts.push(import_picocolors4.default.gray(`${skipped} skipped`));
+  console.log(`  ${parts.join(import_picocolors4.default.gray("  \xB7  "))}`);
+  logger.break();
+  if (failed > 0) {
+    process.exit(1);
+  }
+}
+
+// src/commands/uninstall.ts
+var import_prompts3 = __toESM(require("prompts"));
+var import_picocolors5 = __toESM(require("picocolors"));
+var import_fs_extra6 = __toESM(require("fs-extra"));
+async function uninstall() {
+  logger.banner();
+  logger.info("Removing scaffolded auth library files...");
+  logger.break();
+  const project = detectProject();
+  if (!project.hasPackageJson) {
+    logger.error(
+      "No package.json found. Make sure you are running this from your project root."
+    );
+    process.exit(1);
+  }
+  const detected = detectExistingAuthDir();
+  if (!detected) {
+    logger.warn(
+      "Could not find an existing installation.\n    Common locations checked: lib/auth, src/lib/auth, auth, src/auth"
+    );
+    process.exit(0);
+  }
+  logger.info(`Found installation at: ${import_picocolors5.default.cyan(detected + "/")}`);
+  logger.break();
+  const nextMajor = parseMajorVersion(project.nextVersion);
+  const middlewareFileName = nextMajor >= 16 ? "proxy.ts" : "middleware.ts";
+  const authTsPath = project.srcDir ? "src/auth.ts" : "auth.ts";
+  const middlewarePath = project.srcDir ? `src/${middlewareFileName}` : middlewareFileName;
+  const authTsExists = fileExists(resolveCwd(authTsPath));
+  const middlewareExists = fileExists(resolveCwd(middlewarePath));
+  const { confirmDir } = await (0, import_prompts3.default)(
+    {
+      type: "confirm",
+      name: "confirmDir",
+      message: `Delete ${import_picocolors5.default.red(detected + "/")} (the library files)?`,
+      initial: true
+    },
+    {
+      onCancel: () => {
+        logger.break();
+        logger.error("Uninstall cancelled.");
+        process.exit(0);
+      }
+    }
+  );
+  let removeAuthTs = false;
+  let removeMiddleware = false;
+  if (authTsExists) {
+    const { confirm } = await (0, import_prompts3.default)({
+      type: "confirm",
+      name: "confirm",
+      message: `Delete ${import_picocolors5.default.red(authTsPath)} (your adapter config)?`,
+      initial: false
+    });
+    removeAuthTs = confirm;
+  }
+  if (middlewareExists) {
+    const { confirm } = await (0, import_prompts3.default)({
+      type: "confirm",
+      name: "confirm",
+      message: `Delete ${import_picocolors5.default.red(middlewarePath)}?`,
+      initial: false
+    });
+    removeMiddleware = confirm;
+  }
+  if (!confirmDir && !removeAuthTs && !removeMiddleware) {
+    logger.break();
+    logger.warn("Nothing to remove.");
+    process.exit(0);
+  }
+  logger.break();
+  if (confirmDir) {
+    await import_fs_extra6.default.remove(resolveCwd(detected));
+    logger.success(`Removed ${detected}/`);
+  }
+  if (removeAuthTs) {
+    await import_fs_extra6.default.remove(resolveCwd(authTsPath));
+    logger.success(`Removed ${authTsPath}`);
+  }
+  if (removeMiddleware) {
+    await import_fs_extra6.default.remove(resolveCwd(middlewarePath));
+    logger.success(`Removed ${middlewarePath}`);
+  }
+  logger.break();
+  logger.dim("Uninstall complete.");
+  logger.dim(
+    "If you installed zod only for this library, you can remove it with your package manager."
+  );
+  logger.break();
+}
+
+// src/index.ts
+var args = process.argv.slice(2);
+var command = args[0];
+async function main() {
+  if (!command || command === "init") {
+    await init();
+  } else if (command === "update") {
+    const dryRun = args.includes("--dry-run");
+    await update(dryRun);
+  } else if (command === "check") {
+    await check();
+  } else if (command === "uninstall") {
+    await uninstall();
+  } else if (command === "--help" || command === "-h") {
+    console.log("");
+    console.log(
+      "  @ss/next-jwt-auth \u2014 JWT auth scaffolder for Next.js App Router"
+    );
+    console.log("");
+    console.log("  Usage:");
+    console.log(
+      "    npx @ss/next-jwt-auth init      Scaffold auth into your project"
+    );
+    console.log(
+      "    npx @ss/next-jwt-auth update             Update library files to the latest version"
+    );
+    console.log(
+      "    npx @ss/next-jwt-auth update --dry-run   Preview changes without writing any files"
+    );
+    console.log(
+      "    npx @ss/next-jwt-auth check        Validate your project setup (exits with code 1 on failure)"
+    );
+    console.log(
+      "    npx @ss/next-jwt-auth uninstall    Remove scaffolded auth files from the project"
+    );
+    console.log("");
+  } else if (command === "--version" || command === "-v") {
+    console.log("0.1.0");
+  } else {
+    console.error(`  Unknown command: ${command}`);
+    console.log("  Run  npx @ss/next-jwt-auth --help  for usage");
+    process.exit(1);
+  }
+}
+main().catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(`
+  Fatal error: ${message}
+`);
+  process.exit(1);
+});