authjs-config-cli 1.0.0

package/dist/index.js

@@ -0,0 +1,1590 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+import chalk8 from "chalk";
+
+// src/commands/init.ts
+import chalk from "chalk";
+import { writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+
+// src/templates/frameworks/nextjs.ts
+function nextjsTemplate(options) {
+  const strategy = options.strategy === "session" ? "database" : "jwt";
+  return `// Auth.js v5 configuration for Next.js (App Router)
+// Generated by authjs-config-cli
+// Docs: https://authjs.dev/getting-started/installation?framework=next.js
+
+import NextAuth from 'next-auth';
+import type { NextAuthConfig } from 'next-auth';
+${options.rbac ? "import type { JWT } from 'next-auth/jwt';\n" : ""}
+export const authConfig: NextAuthConfig = {
+  // Secret must be set in production: AUTH_SECRET env var
+  // Generate: openssl rand -base64 32
+
+  session: {
+    strategy: '${strategy}',
+    maxAge: 30 * 24 * 60 * 60, // 30 days
+    updateAge: 24 * 60 * 60,   // 24 hours
+  },
+
+  providers: [
+    // Add providers here:
+    // import GitHubProvider from 'next-auth/providers/github';
+    // GitHubProvider({ clientId: process.env.GITHUB_CLIENT_ID!, clientSecret: process.env.GITHUB_CLIENT_SECRET! }),
+  ],
+
+  callbacks: {
+    async jwt({ token, user, account${options.rbac ? ", profile" : ""} }) {
+      if (user) {
+        token.id = user.id;
+${options.rbac ? `        // Persist role into token
+        token.role = (user as any).role ?? 'user';
+` : ""}      }
+${options.refreshTokens ? `      // Refresh token rotation
+      if (account?.access_token) {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.expiresAt = account.expires_at;
+      }
+      if (Date.now() < ((token.expiresAt as number) ?? 0) * 1000) {
+        return token;
+      }
+      // TODO: implement refreshAccessToken(token.refreshToken)
+` : ""}      return token;
+    },
+
+    async session({ session, token }) {
+      if (token?.id) session.user.id = token.id as string;
+${options.rbac ? `      if (token?.role) (session.user as any).role = token.role;
+` : ""}      return session;
+    },
+  },
+
+  pages: {
+    signIn: '/auth/signin',
+    error: '/auth/error',
+    // signOut: '/auth/signout',
+    // verifyRequest: '/auth/verify-request',
+    // newUser: '/auth/new-user',
+  },
+
+  // debug: process.env.NODE_ENV === 'development',
+  trustHost: true,
+};
+
+export const { handlers, auth, signIn, signOut } = NextAuth(authConfig);
+
+// app/api/auth/[...nextauth]/route.ts:
+// export { GET, POST } from '@/auth';
+`;
+}
+
+// src/templates/frameworks/sveltekit.ts
+function sveltekitTemplate(options) {
+  const strategy = options.strategy === "session" ? "database" : "jwt";
+  return `// Auth.js v5 configuration for SvelteKit
+// Generated by authjs-config-cli
+// Docs: https://authjs.dev/getting-started/installation?framework=sveltekit
+
+import { SvelteKitAuth } from '@auth/sveltekit';
+import type { Handle } from '@sveltejs/kit';
+${options.rbac ? "import { redirect } from '@sveltejs/kit';\n" : ""}
+export const { handle, signIn, signOut } = SvelteKitAuth({
+  // AUTH_SECRET env var required in production
+
+  session: {
+    strategy: '${strategy}',
+    maxAge: 30 * 24 * 60 * 60,
+  },
+
+  providers: [
+    // Add providers here:
+    // import GitHub from '@auth/sveltekit/providers/github';
+    // GitHub({ clientId: process.env.GITHUB_ID, clientSecret: process.env.GITHUB_SECRET }),
+  ],
+
+  callbacks: {
+    async jwt({ token, user, account }) {
+      if (user) {
+        token.id = user.id;
+${options.rbac ? `        token.role = (user as any).role ?? 'user';
+` : ""}      }
+${options.refreshTokens ? `      if (account?.access_token) {
+        token.accessToken = account.access_token;
+        token.expiresAt = account.expires_at;
+      }
+` : ""}      return token;
+    },
+
+    async session({ session, token }) {
+      if (token?.id) session.user.id = token.id as string;
+${options.rbac ? `      if (token?.role) (session.user as any).role = token.role;
+` : ""}      return session;
+    },
+  },
+
+  trustHost: true,
+}) satisfies { handle: Handle };
+
+// src/hooks.server.ts should export handle directly.
+// src/app.d.ts \u2014 extend the session type:
+// declare module '@auth/core/types' {
+//   interface Session { user: { id: string${options.rbac ? "; role: string" : ""} } & DefaultSession['user'] }
+// }
+`;
+}
+
+// src/templates/frameworks/express.ts
+function expressTemplate(options) {
+  const rbacSection = options.rbac ? `// RBAC middleware
+function requireRole(role: string) {
+  return async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const session = res.locals.session;
+    if (!session?.user) return res.status(401).json({ error: 'Unauthorized' });
+    if ((session.user as any).role !== role) return res.status(403).json({ error: 'Forbidden' });
+    next();
+  };
+}
+
+// Protected route example:
+// app.get('/admin', requireRole('admin'), (req, res) => res.json({ ok: true }));
+` : `// Protect routes:
+// app.get('/api/protected', async (req, res) => {
+//   const session = res.locals.session;
+//   if (!session) return res.status(401).json({ error: 'Unauthorized' });
+//   res.json({ user: session.user });
+// });
+`;
+  const rbacJwtLine = options.rbac ? `        token.role = (user as any).role ?? 'user';
+` : "";
+  const rbacSessionLine = options.rbac ? `      if (token?.role) (session.user as any).role = token.role;
+` : "";
+  const refreshSection = options.refreshTokens ? `      if (account?.access_token) {
+        token.accessToken = account.access_token;
+        token.expiresAt = account.expires_at;
+      }
+` : "";
+  return `// Auth.js configuration for Express
+// Generated by authjs-config-cli
+// Docs: https://authjs.dev/getting-started/installation?framework=express
+
+import express from 'express';
+import { ExpressAuth } from '@auth/express';
+import type { AuthConfig } from '@auth/core';
+
+const app = express();
+
+app.set('trust proxy', true);
+app.use(express.json());
+
+const authConfig: AuthConfig = {
+  // AUTH_SECRET env var required in production
+
+  providers: [
+    // Add providers here:
+    // import GitHub from '@auth/express/providers/github';
+    // GitHub({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
+  ],
+
+  callbacks: {
+    async jwt({ token, user, account }) {
+      if (user) {
+        token.id = user.id;
+${rbacJwtLine}      }
+${refreshSection}      return token;
+    },
+
+    async session({ session, token }) {
+      if (token?.id) session.user.id = token.id as string;
+${rbacSessionLine}      return session;
+    },
+  },
+
+  trustHost: true,
+};
+
+// Mount the Auth.js handler
+app.use('/auth/*', ExpressAuth(authConfig));
+
+${rbacSection}
+const PORT = process.env.PORT ?? 3000;
+app.listen(PORT, () => console.log(\`Server running on port \${PORT}\`));
+
+export default app;
+`;
+}
+
+// src/templates/frameworks/solid-start.ts
+function solidStartTemplate(options) {
+  return `// Auth.js configuration for SolidStart
+// Generated by authjs-config-cli
+// Docs: https://authjs.dev/getting-started/installation?framework=solid-start
+
+import { SolidAuth } from '@auth/solid-start';
+import type { SolidAuthConfig } from '@auth/solid-start';
+
+export const authOptions: SolidAuthConfig = {
+  // AUTH_SECRET env var required in production
+
+  providers: [
+    // Add providers here:
+    // import GitHub from '@auth/core/providers/github';
+    // GitHub({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
+  ],
+
+  callbacks: {
+    async jwt({ token, user, account }) {
+      if (user) {
+        token.id = user.id;
+${options.rbac ? `        token.role = (user as any).role ?? 'user';
+` : ""}      }
+${options.refreshTokens ? `      if (account?.access_token) {
+        token.accessToken = account.access_token;
+        token.expiresAt = account.expires_at;
+      }
+` : ""}      return token;
+    },
+
+    async session({ session, token }) {
+      if (token?.id) session.user.id = token.id as string;
+${options.rbac ? `      if (token?.role) (session.user as any).role = token.role;
+` : ""}      return session;
+    },
+  },
+
+  trustHost: true,
+};
+
+export const { GET, POST } = SolidAuth(authOptions);
+
+// Place this file at: src/routes/api/auth/[...solidauth].ts
+// Then use getSession(request, authOptions) in server functions.
+`;
+}
+
+// src/templates/frameworks/nuxt.ts
+function nuxtTemplate(options) {
+  return `// Auth.js configuration for Nuxt
+// Generated by authjs-config-cli
+// Docs: https://authjs.dev/getting-started/installation?framework=nuxt
+
+import { NuxtAuthHandler } from '#auth';
+import type { AuthOptions } from 'next-auth';
+
+// server/plugins/auth.ts  \u2014 or use server/api/auth/[...].ts
+
+export default NuxtAuthHandler({
+  secret: process.env.AUTH_SECRET,
+
+  providers: [
+    // Add providers here (use .default for Nuxt compatibility):
+    // const { default: GithubProvider } = await import('next-auth/providers/github');
+    // GithubProvider.default({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
+  ],
+
+  callbacks: {
+    async jwt({ token, user, account }) {
+      if (user) {
+        token.id = user.id;
+${options.rbac ? `        token.role = (user as any).role ?? 'user';
+` : ""}      }
+${options.refreshTokens ? `      if (account?.access_token) {
+        token.accessToken = account.access_token;
+        token.expiresAt = account.expires_at;
+      }
+` : ""}      return token;
+    },
+
+    async session({ session, token }) {
+      if (token?.id) (session.user as any).id = token.id;
+${options.rbac ? `      if (token?.role) (session.user as any).role = token.role;
+` : ""}      return session;
+    },
+  },
+
+  pages: {
+    signIn: '/auth/signin',
+    error: '/auth/error',
+  },
+} satisfies AuthOptions);
+
+// nuxt.config.ts:
+// modules: ['@sidebase/nuxt-auth'],
+// auth: { provider: { type: 'authjs' } }
+`;
+}
+
+// src/commands/init.ts
+var FRAMEWORKS = ["nextjs", "sveltekit", "express", "solid-start", "nuxt"];
+function initCommand(framework, options) {
+  if (!FRAMEWORKS.includes(framework)) {
+    console.error(chalk.red(`\u2717 Unknown framework: ${chalk.bold(framework)}`));
+    console.error(chalk.dim(`  Supported: ${FRAMEWORKS.join(" | ")}`));
+    process.exit(1);
+  }
+  console.log(chalk.cyan(`
+\u25C6 Generating Auth.js config for ${chalk.bold(framework)}
+`));
+  const fw = framework;
+  let content;
+  switch (fw) {
+    case "nextjs":
+      content = nextjsTemplate(options);
+      break;
+    case "sveltekit":
+      content = sveltekitTemplate(options);
+      break;
+    case "express":
+      content = expressTemplate(options);
+      break;
+    case "solid-start":
+      content = solidStartTemplate(options);
+      break;
+    case "nuxt":
+      content = nuxtTemplate(options);
+      break;
+  }
+  const outputMap = {
+    nextjs: { file: "auth.ts", dir: "" },
+    sveltekit: { file: "hooks.server.ts", dir: "src" },
+    express: { file: "auth.ts", dir: "src" },
+    "solid-start": { file: "server.ts", dir: "src/routes/api/auth" },
+    nuxt: { file: "auth.ts", dir: "server/plugins" }
+  };
+  const { file, dir } = outputMap[fw];
+  const outDir = dir ? join(process.cwd(), dir) : process.cwd();
+  if (dir && !existsSync(outDir)) {
+    mkdirSync(outDir, { recursive: true });
+  }
+  const outPath = join(outDir, file);
+  writeFileSync(outPath, content, "utf-8");
+  console.log(chalk.green(`  \u2713 Created ${chalk.bold(dir ? `${dir}/${file}` : file)}`));
+  if (options.rbac) {
+    const rbacContent = generateRBACHelper();
+    const rbacPath = join(process.cwd(), "lib", "rbac.ts");
+    mkdirSync(join(process.cwd(), "lib"), { recursive: true });
+    writeFileSync(rbacPath, rbacContent, "utf-8");
+    console.log(chalk.green(`  \u2713 Created ${chalk.bold("lib/rbac.ts")} (RBAC helpers)`));
+  }
+  if (options.refreshTokens) {
+    console.log(chalk.yellow(`  \u26A0 Refresh token rotation: add jwt callback with refreshAccessToken logic`));
+    console.log(chalk.dim(`    Run: authjs-config add-callback jwt`));
+  }
+  console.log(chalk.dim(`
+  Next steps:`));
+  console.log(chalk.dim(`    authjs-config add-provider github`));
+  console.log(chalk.dim(`    authjs-config add-adapter prisma`));
+  console.log(chalk.dim(`    authjs-config add-middleware
+`));
+}
+function generateRBACHelper() {
+  return `import type { Session } from 'next-auth';
+
+export type Role = 'admin' | 'moderator' | 'user' | 'guest';
+
+export const ROLE_HIERARCHY: Record<Role, number> = {
+  admin: 4,
+  moderator: 3,
+  user: 2,
+  guest: 1,
+};
+
+export function hasRole(session: Session | null, requiredRole: Role): boolean {
+  if (!session?.user) return false;
+  const userRole = (session.user as { role?: Role }).role ?? 'guest';
+  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
+}
+
+export function requireRole(requiredRole: Role) {
+  return function (session: Session | null): boolean {
+    return hasRole(session, requiredRole);
+  };
+}
+
+export const isAdmin = requireRole('admin');
+export const isModerator = requireRole('moderator');
+export const isUser = requireRole('user');
+`;
+}
+
+// src/commands/add-provider.ts
+import chalk2 from "chalk";
+import { writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+var PROVIDERS = [
+  "google",
+  "github",
+  "discord",
+  "apple",
+  "twitter",
+  "facebook",
+  "linkedin",
+  "auth0",
+  "keycloak",
+  "credentials",
+  "email"
+];
+function addProviderCommand(name, options) {
+  if (!PROVIDERS.includes(name)) {
+    console.error(chalk2.red(`\u2717 Unknown provider: ${chalk2.bold(name)}`));
+    console.error(chalk2.dim(`  Supported: ${PROVIDERS.join(" | ")}`));
+    process.exit(1);
+  }
+  console.log(chalk2.cyan(`
+\u25C6 Adding provider: ${chalk2.bold(name)}
+`));
+  const provider = name;
+  const snippet = generateProviderSnippet(provider, options);
+  const outFile = join2(process.cwd(), `auth.providers.${name}.ts`);
+  writeFileSync2(outFile, snippet, "utf-8");
+  console.log(chalk2.green(`  \u2713 Created ${chalk2.bold(`auth.providers.${name}.ts`)}`));
+  printEnvHints(provider, options);
+  printIntegrationHint(name);
+}
+function generateProviderSnippet(provider, options) {
+  const header = `// Auth.js provider configuration \u2014 ${provider}
+// Generated by authjs-config-cli
+
+`;
+  switch (provider) {
+    case "google":
+      return header + `import GoogleProvider from 'next-auth/providers/google';
+
+export const googleProvider = GoogleProvider({
+  clientId: process.env.GOOGLE_CLIENT_ID!,
+  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+  authorization: {
+    params: {
+      prompt: 'consent',
+      access_type: 'offline',
+      response_type: 'code',
+    },
+  },
+  profile(profile) {
+    return {
+      id: profile.sub,
+      name: profile.name,
+      email: profile.email,
+      image: profile.picture,
+      // Custom profile mapping:
+      // role: 'user',
+    };
+  },
+});
+`;
+    case "github":
+      return header + `import GitHubProvider from 'next-auth/providers/github';
+
+export const githubProvider = GitHubProvider({
+  clientId: process.env.GITHUB_CLIENT_ID!,
+  clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+  profile(profile) {
+    return {
+      id: String(profile.id),
+      name: profile.name ?? profile.login,
+      email: profile.email,
+      image: profile.avatar_url,
+    };
+  },
+});
+`;
+    case "discord":
+      return header + `import DiscordProvider from 'next-auth/providers/discord';
+
+export const discordProvider = DiscordProvider({
+  clientId: process.env.DISCORD_CLIENT_ID!,
+  clientSecret: process.env.DISCORD_CLIENT_SECRET!,
+});
+`;
+    case "apple":
+      return header + `import AppleProvider from 'next-auth/providers/apple';
+
+export const appleProvider = AppleProvider({
+  clientId: process.env.APPLE_ID!,
+  clientSecret: process.env.APPLE_SECRET!,
+});
+`;
+    case "twitter":
+      return header + `import TwitterProvider from 'next-auth/providers/twitter';
+
+export const twitterProvider = TwitterProvider({
+  clientId: process.env.TWITTER_CLIENT_ID!,
+  clientSecret: process.env.TWITTER_CLIENT_SECRET!,
+  version: '2.0',
+});
+`;
+    case "facebook":
+      return header + `import FacebookProvider from 'next-auth/providers/facebook';
+
+export const facebookProvider = FacebookProvider({
+  clientId: process.env.FACEBOOK_CLIENT_ID!,
+  clientSecret: process.env.FACEBOOK_CLIENT_SECRET!,
+});
+`;
+    case "linkedin":
+      return header + `import LinkedInProvider from 'next-auth/providers/linkedin';
+
+export const linkedinProvider = LinkedInProvider({
+  clientId: process.env.LINKEDIN_CLIENT_ID!,
+  clientSecret: process.env.LINKEDIN_CLIENT_SECRET!,
+});
+`;
+    case "auth0":
+      return header + `import Auth0Provider from 'next-auth/providers/auth0';
+
+export const auth0Provider = Auth0Provider({
+  clientId: process.env.AUTH0_CLIENT_ID!,
+  clientSecret: process.env.AUTH0_CLIENT_SECRET!,
+  issuer: process.env.AUTH0_ISSUER!,
+});
+`;
+    case "keycloak":
+      return header + `import KeycloakProvider from 'next-auth/providers/keycloak';
+
+export const keycloakProvider = KeycloakProvider({
+  clientId: process.env.KEYCLOAK_ID!,
+  clientSecret: process.env.KEYCLOAK_SECRET!,
+  issuer: process.env.KEYCLOAK_ISSUER!,
+});
+`;
+    case "credentials":
+      return header + `import CredentialsProvider from 'next-auth/providers/credentials';
+import { z } from 'zod';
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+});
+
+export const credentialsProvider = CredentialsProvider({
+  name: 'Credentials',
+  credentials: {
+    email: { label: 'Email', type: 'email', placeholder: 'user@example.com' },
+    password: { label: 'Password', type: 'password' },
+  },
+  async authorize(credentials) {
+    const parsed = loginSchema.safeParse(credentials);
+    if (!parsed.success) return null;
+
+    // TODO: replace with your actual user lookup
+    // const user = await db.user.findUnique({ where: { email: parsed.data.email } });
+    // const valid = await bcrypt.compare(parsed.data.password, user.passwordHash);
+    // if (!valid) return null;
+    // return user;
+
+    return null;
+  },
+});
+`;
+    case "email":
+      if (options.magicLink) {
+        return header + `import EmailProvider from 'next-auth/providers/email';
+
+// Magic Link provider \u2014 sends passwordless sign-in emails
+export const emailProvider = EmailProvider({
+  server: {
+    host: process.env.EMAIL_SERVER_HOST!,
+    port: Number(process.env.EMAIL_SERVER_PORT ?? 587),
+    auth: {
+      user: process.env.EMAIL_SERVER_USER!,
+      pass: process.env.EMAIL_SERVER_PASSWORD!,
+    },
+  },
+  from: process.env.EMAIL_FROM!,
+  // Custom email template:
+  async sendVerificationRequest({ identifier, url, provider }) {
+    // Use nodemailer, resend, sendgrid, etc.
+    console.log(\`Send magic link to \${identifier}: \${url}\`);
+  },
+  // Token expiry (default 24h)
+  maxAge: 24 * 60 * 60,
+});
+`;
+      }
+      return header + `import EmailProvider from 'next-auth/providers/email';
+
+export const emailProvider = EmailProvider({
+  server: process.env.EMAIL_SERVER!,
+  from: process.env.EMAIL_FROM!,
+});
+`;
+  }
+}
+function printEnvHints(provider, _options) {
+  const envMap = {
+    google: ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
+    github: ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"],
+    discord: ["DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET"],
+    apple: ["APPLE_ID", "APPLE_SECRET"],
+    twitter: ["TWITTER_CLIENT_ID", "TWITTER_CLIENT_SECRET"],
+    facebook: ["FACEBOOK_CLIENT_ID", "FACEBOOK_CLIENT_SECRET"],
+    linkedin: ["LINKEDIN_CLIENT_ID", "LINKEDIN_CLIENT_SECRET"],
+    auth0: ["AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET", "AUTH0_ISSUER"],
+    keycloak: ["KEYCLOAK_ID", "KEYCLOAK_SECRET", "KEYCLOAK_ISSUER"],
+    email: ["EMAIL_SERVER", "EMAIL_FROM"]
+  };
+  const envVars = envMap[provider];
+  if (envVars) {
+    console.log(chalk2.dim(`
+  Required env vars:`));
+    envVars.forEach((v) => console.log(chalk2.dim(`    ${v}=`)));
+  }
+}
+function printIntegrationHint(name) {
+  console.log(chalk2.dim(`
+  Add to your auth config providers array:`));
+  console.log(chalk2.dim(`    import { ${name}Provider } from './auth.providers.${name}'`));
+  console.log(chalk2.dim(`    providers: [..., ${name}Provider]
+`));
+}
+
+// src/commands/add-adapter.ts
+import chalk3 from "chalk";
+import { writeFileSync as writeFileSync3 } from "fs";
+import { join as join3 } from "path";
+var ADAPTERS = ["prisma", "drizzle", "typeorm", "mongodb", "dynamodb", "supabase", "firebase"];
+function addAdapterCommand(type) {
+  if (!ADAPTERS.includes(type)) {
+    console.error(chalk3.red(`\u2717 Unknown adapter: ${chalk3.bold(type)}`));
+    console.error(chalk3.dim(`  Supported: ${ADAPTERS.join(" | ")}`));
+    process.exit(1);
+  }
+  console.log(chalk3.cyan(`
+\u25C6 Generating adapter config: ${chalk3.bold(type)}
+`));
+  const adapter = type;
+  const content = generateAdapterConfig(adapter);
+  const outFile = join3(process.cwd(), `auth.adapter.${type}.ts`);
+  writeFileSync3(outFile, content, "utf-8");
+  console.log(chalk3.green(`  \u2713 Created ${chalk3.bold(`auth.adapter.${type}.ts`)}`));
+  printAdapterInstallHint(adapter);
+  printAdapterIntegrationHint(type);
+}
+function generateAdapterConfig(adapter) {
+  const header = `// Auth.js adapter configuration \u2014 ${adapter}
+// Generated by authjs-config-cli
+
+`;
+  switch (adapter) {
+    case "prisma":
+      return header + `import { PrismaAdapter } from '@auth/prisma-adapter';
+import { PrismaClient } from '@prisma/client';
+
+const globalForPrisma = globalThis as unknown as { prisma: PrismaClient };
+
+export const prisma =
+  globalForPrisma.prisma ||
+  new PrismaClient({
+    log: process.env.NODE_ENV === 'development' ? ['query', 'error', 'warn'] : ['error'],
+  });
+
+if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma;
+
+export const adapter = PrismaAdapter(prisma);
+
+/*
+  Required Prisma schema models \u2014 add to your schema.prisma:
+
+  model Account {
+    id                String  @id @default(cuid())
+    userId            String
+    type              String
+    provider          String
+    providerAccountId String
+    refresh_token     String? @db.Text
+    access_token      String? @db.Text
+    expires_at        Int?
+    token_type        String?
+    scope             String?
+    id_token          String? @db.Text
+    session_state     String?
+    user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+    @@unique([provider, providerAccountId])
+  }
+
+  model Session {
+    id           String   @id @default(cuid())
+    sessionToken String   @unique
+    userId       String
+    expires      DateTime
+    user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  }
+
+  model User {
+    id            String    @id @default(cuid())
+    name          String?
+    email         String?   @unique
+    emailVerified DateTime?
+    image         String?
+    role          String    @default("user")
+    accounts      Account[]
+    sessions      Session[]
+  }
+
+  model VerificationToken {
+    identifier String
+    token      String   @unique
+    expires    DateTime
+    @@unique([identifier, token])
+  }
+*/
+`;
+    case "drizzle":
+      return header + `import { DrizzleAdapter } from '@auth/drizzle-adapter';
+import { drizzle } from 'drizzle-orm/postgres-js';
+import postgres from 'postgres';
+import * as schema from './db/schema.js';
+
+const client = postgres(process.env.DATABASE_URL!);
+export const db = drizzle(client, { schema });
+export const adapter = DrizzleAdapter(db);
+
+/*
+  Required Drizzle schema (db/schema.ts):
+
+  import { pgTable, text, timestamp, primaryKey, integer } from 'drizzle-orm/pg-core';
+
+  export const users = pgTable('user', {
+    id: text('id').notNull().primaryKey(),
+    name: text('name'),
+    email: text('email').notNull(),
+    emailVerified: timestamp('emailVerified', { mode: 'date' }),
+    image: text('image'),
+    role: text('role').notNull().default('user'),
+  });
+
+  export const accounts = pgTable('account', {
+    userId: text('userId').notNull().references(() => users.id, { onDelete: 'cascade' }),
+    type: text('type').notNull(),
+    provider: text('provider').notNull(),
+    providerAccountId: text('providerAccountId').notNull(),
+    refresh_token: text('refresh_token'),
+    access_token: text('access_token'),
+    expires_at: integer('expires_at'),
+    token_type: text('token_type'),
+    scope: text('scope'),
+    id_token: text('id_token'),
+    session_state: text('session_state'),
+  }, (account) => ({ compoundKey: primaryKey({ columns: [account.provider, account.providerAccountId] }) }));
+
+  export const sessions = pgTable('session', {
+    sessionToken: text('sessionToken').notNull().primaryKey(),
+    userId: text('userId').notNull().references(() => users.id, { onDelete: 'cascade' }),
+    expires: timestamp('expires', { mode: 'date' }).notNull(),
+  });
+
+  export const verificationTokens = pgTable('verificationToken', {
+    identifier: text('identifier').notNull(),
+    token: text('token').notNull(),
+    expires: timestamp('expires', { mode: 'date' }).notNull(),
+  }, (vt) => ({ compoundKey: primaryKey({ columns: [vt.identifier, vt.token] }) }));
+*/
+`;
+    case "typeorm":
+      return header + `import { TypeORMAdapter } from '@auth/typeorm-adapter';
+
+export const adapter = TypeORMAdapter(
+  process.env.DATABASE_URL ?? {
+    type: 'postgres',
+    host: process.env.DB_HOST ?? 'localhost',
+    port: Number(process.env.DB_PORT ?? 5432),
+    username: process.env.DB_USER,
+    password: process.env.DB_PASS,
+    database: process.env.DB_NAME,
+    synchronize: process.env.NODE_ENV !== 'production',
+    ssl: process.env.NODE_ENV === 'production' ? { rejectUnauthorized: false } : false,
+  }
+);
+`;
+    case "mongodb":
+      return header + `import { MongoDBAdapter } from '@auth/mongodb-adapter';
+import { MongoClient } from 'mongodb';
+
+if (!process.env.MONGODB_URI) throw new Error('MONGODB_URI is not set');
+
+const client = new MongoClient(process.env.MONGODB_URI);
+const clientPromise = client.connect();
+
+export const adapter = MongoDBAdapter(clientPromise, {
+  databaseName: process.env.MONGODB_DB ?? 'auth',
+});
+`;
+    case "dynamodb":
+      return header + `import { DynamoDBAdapter } from '@auth/dynamodb-adapter';
+import { DynamoDB, DynamoDBClientConfig } from '@aws-sdk/client-dynamodb';
+import { DynamoDBDocument } from '@aws-sdk/lib-dynamodb';
+
+const config: DynamoDBClientConfig = {
+  credentials: {
+    accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+  },
+  region: process.env.AWS_REGION ?? 'us-east-1',
+};
+
+const client = DynamoDBDocument.from(new DynamoDB(config), {
+  marshallOptions: { convertEmptyValues: true, removeUndefinedValues: true },
+});
+
+export const adapter = DynamoDBAdapter(client, {
+  tableName: process.env.DYNAMODB_TABLE ?? 'next-auth',
+});
+`;
+    case "supabase":
+      return header + `import { SupabaseAdapter } from '@auth/supabase-adapter';
+
+export const adapter = SupabaseAdapter({
+  url: process.env.NEXT_PUBLIC_SUPABASE_URL!,
+  secret: process.env.SUPABASE_SERVICE_ROLE_KEY!,
+});
+
+/*
+  Run the following SQL in your Supabase SQL editor to create the required tables:
+  https://authjs.dev/getting-started/adapters/supabase
+*/
+`;
+    case "firebase":
+      return header + `import { FirestoreAdapter } from '@auth/firebase-adapter';
+import { initializeApp, getApps, cert } from 'firebase-admin/app';
+import { getFirestore } from 'firebase-admin/firestore';
+
+if (!getApps().length) {
+  initializeApp({
+    credential: cert({
+      projectId: process.env.FIREBASE_PROJECT_ID,
+      clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
+      privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\\\n/g, '\\n'),
+    }),
+  });
+}
+
+export const firestore = getFirestore();
+export const adapter = FirestoreAdapter(firestore);
+`;
+  }
+}
+function printAdapterInstallHint(adapter) {
+  const installMap = {
+    prisma: "npm install @auth/prisma-adapter @prisma/client",
+    drizzle: "npm install @auth/drizzle-adapter drizzle-orm postgres",
+    typeorm: "npm install @auth/typeorm-adapter typeorm",
+    mongodb: "npm install @auth/mongodb-adapter mongodb",
+    dynamodb: "npm install @auth/dynamodb-adapter @aws-sdk/client-dynamodb @aws-sdk/lib-dynamodb",
+    supabase: "npm install @auth/supabase-adapter",
+    firebase: "npm install @auth/firebase-adapter firebase-admin"
+  };
+  console.log(chalk3.dim(`
+  Install dependency:`));
+  console.log(chalk3.dim(`    ${installMap[adapter]}`));
+}
+function printAdapterIntegrationHint(type) {
+  console.log(chalk3.dim(`
+  Add to your auth config:`));
+  console.log(chalk3.dim(`    import { adapter } from './auth.adapter.${type}'`));
+  console.log(chalk3.dim(`    export const { handlers, auth, signIn, signOut } = NextAuth({ adapter, ... })
+`));
+}
+
+// src/commands/add-callback.ts
+import chalk4 from "chalk";
+import { writeFileSync as writeFileSync4 } from "fs";
+import { join as join4 } from "path";
+var CALLBACKS = ["signIn", "redirect", "session", "jwt"];
+function addCallbackCommand(type, options) {
+  if (!CALLBACKS.includes(type)) {
+    console.error(chalk4.red(`\u2717 Unknown callback: ${chalk4.bold(type)}`));
+    console.error(chalk4.dim(`  Supported: ${CALLBACKS.join(" | ")}`));
+    process.exit(1);
+  }
+  console.log(chalk4.cyan(`
+\u25C6 Generating callback: ${chalk4.bold(type)}
+`));
+  const cb = type;
+  const content = generateCallback(cb, options);
+  const outFile = join4(process.cwd(), `auth.callback.${type}.ts`);
+  writeFileSync4(outFile, content, "utf-8");
+  console.log(chalk4.green(`  \u2713 Created ${chalk4.bold(`auth.callback.${type}.ts`)}`));
+  console.log(chalk4.dim(`
+  Add to your auth config callbacks object:`));
+  console.log(chalk4.dim(`    import { ${type}Callback } from './auth.callback.${type}'`));
+  console.log(chalk4.dim(`    callbacks: { ${type}: ${type}Callback }
+`));
+}
+function generateCallback(type, options) {
+  const header = `// Auth.js ${type} callback
+// Generated by authjs-config-cli
+
+import type { CallbacksOptions } from 'next-auth';
+
+`;
+  switch (type) {
+    case "signIn":
+      return header + generateSignInCallback(options);
+    case "redirect":
+      return header + generateRedirectCallback();
+    case "session":
+      return header + generateSessionCallback(options);
+    case "jwt":
+      return header + generateJwtCallback(options);
+  }
+}
+function generateSignInCallback(options) {
+  let body = `export const signInCallback: CallbacksOptions['signIn'] = async ({
+  user,
+  account,
+  profile,
+  email,
+  credentials,
+}) => {
+`;
+  if (options.accountLinking) {
+    body += `  // Account linking: allow sign-in if user already exists with this email
+  if (account?.provider !== 'credentials') {
+    // TODO: check if user.email already linked to another provider
+    // const existingUser = await db.user.findUnique({ where: { email: user.email! } });
+    // if (existingUser && existingUser.provider !== account?.provider) {
+    //   // Link accounts \u2014 handle based on your policy
+    //   return '/auth/error?error=AccountExists';
+    // }
+  }
+
+`;
+  }
+  body += `  // Allow sign-in by default
+  return true;
+
+  // To block: return false or a redirect URL string
+  // return '/auth/error?error=AccessDenied';
+};
+`;
+  return body;
+}
+function generateRedirectCallback() {
+  return `export const redirectCallback: CallbacksOptions['redirect'] = async ({ url, baseUrl }) => {
+  // Allow relative URLs
+  if (url.startsWith('/')) return \`\${baseUrl}\${url}\`;
+
+  // Allow same-origin URLs
+  if (new URL(url).origin === baseUrl) return url;
+
+  // Default: return to base
+  return baseUrl;
+};
+`;
+}
+function generateSessionCallback(options) {
+  let body = `export const sessionCallback: CallbacksOptions['session'] = async ({ session, token, user }) => {
+`;
+  if (options.customProfile) {
+    body += `  // Merge custom profile fields into session
+  if (token) {
+    session.user.id = token.sub!;
+    // session.user.role = token.role as string;
+    // session.user.plan = token.plan as string;
+  }
+
+  // When using database sessions (user is available instead of token):
+  // if (user) {
+  //   session.user.id = user.id;
+  //   session.user.role = (user as any).role;
+  // }
+
+`;
+  } else {
+    body += `  // Pass token.sub (user id) into session
+  if (token?.sub) session.user.id = token.sub;
+
+`;
+  }
+  body += `  return session;
+};
+`;
+  return body;
+}
+function generateJwtCallback(options) {
+  let body = `export const jwtCallback: CallbacksOptions['jwt'] = async ({ token, user, account, profile, trigger, session }) => {
+`;
+  if (options.customProfile) {
+    body += `  // On first sign-in, persist custom fields
+  if (user) {
+    token.id = user.id;
+    // token.role = (user as any).role;
+    // token.plan = (user as any).plan;
+  }
+
+`;
+  } else {
+    body += `  if (user) token.id = user.id;
+
+`;
+  }
+  body += `  // Refresh token rotation
+  if (account?.access_token) {
+    token.accessToken = account.access_token;
+    token.refreshToken = account.refresh_token;
+    token.expiresAt = account.expires_at;
+  }
+
+  // Check token expiry and refresh
+  if (token.expiresAt && Date.now() < (token.expiresAt as number) * 1000) {
+    return token;
+  }
+
+  // Token expired \u2014 attempt refresh
+  // try {
+  //   const refreshed = await refreshAccessToken(token.refreshToken as string);
+  //   return { ...token, ...refreshed };
+  // } catch {
+  //   return { ...token, error: 'RefreshAccessTokenError' };
+  // }
+
+  // Handle session update trigger
+  if (trigger === 'update' && session) {
+    token = { ...token, ...session };
+  }
+
+  return token;
+};
+`;
+  return body;
+}
+
+// src/commands/add-middleware.ts
+import chalk5 from "chalk";
+import { writeFileSync as writeFileSync5 } from "fs";
+import { join as join5 } from "path";
+function addMiddlewareCommand(options) {
+  console.log(chalk5.cyan(`
+\u25C6 Generating auth middleware
+`));
+  const publicRoutes = options.publicRoutes.split(",").map((r) => r.trim()).filter(Boolean);
+  const content = generateMiddleware(options.rbac, publicRoutes);
+  const outFile = join5(process.cwd(), "middleware.ts");
+  writeFileSync5(outFile, content, "utf-8");
+  console.log(chalk5.green(`  \u2713 Created ${chalk5.bold("middleware.ts")}`));
+  console.log(chalk5.dim(`
+  Public routes configured: ${publicRoutes.join(", ")}`));
+  console.log(chalk5.dim(`  Protected: all other routes require authentication`));
+  if (options.rbac) {
+    console.log(chalk5.dim(`  RBAC: role-based route guards included`));
+  }
+  console.log(chalk5.dim(`
+  Ensure AUTH_SECRET is set in your environment.
+`));
+}
+function generateMiddleware(rbac, publicRoutes) {
+  const publicPatternsStr = publicRoutes.map((r) => `  '${r}',`).join("\n");
+  if (rbac) {
+    return `// Auth.js middleware with RBAC route protection
+// Generated by authjs-config-cli
+
+import { auth } from './auth';
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export type Role = 'admin' | 'moderator' | 'user' | 'guest';
+
+// Routes accessible without authentication
+const publicRoutes: string[] = [
+${publicPatternsStr}
+  '/auth/signin',
+  '/auth/error',
+  '/api/auth',
+];
+
+// Role-based route restrictions
+const roleRoutes: Record<string, Role> = {
+  '/admin': 'admin',
+  '/dashboard/settings': 'admin',
+  '/moderator': 'moderator',
+};
+
+function isPublic(pathname: string): boolean {
+  return publicRoutes.some(
+    (route) => pathname === route || pathname.startsWith(\`\${route}/\`)
+  );
+}
+
+function requiredRole(pathname: string): Role | null {
+  for (const [prefix, role] of Object.entries(roleRoutes)) {
+    if (pathname.startsWith(prefix)) return role;
+  }
+  return null;
+}
+
+const ROLE_HIERARCHY: Record<Role, number> = {
+  admin: 4,
+  moderator: 3,
+  user: 2,
+  guest: 1,
+};
+
+function hasRole(userRole: string | undefined, required: Role): boolean {
+  const r = (userRole ?? 'guest') as Role;
+  return (ROLE_HIERARCHY[r] ?? 1) >= ROLE_HIERARCHY[required];
+}
+
+export default auth((req: NextRequest & { auth: any }) => {
+  const { pathname } = req.nextUrl;
+
+  if (isPublic(pathname)) return NextResponse.next();
+
+  if (!req.auth) {
+    const signInUrl = new URL('/auth/signin', req.url);
+    signInUrl.searchParams.set('callbackUrl', req.url);
+    return NextResponse.redirect(signInUrl);
+  }
+
+  const required = requiredRole(pathname);
+  if (required) {
+    const userRole = req.auth.user?.role as string | undefined;
+    if (!hasRole(userRole, required)) {
+      return NextResponse.redirect(new URL('/auth/error?error=AccessDenied', req.url));
+    }
+  }
+
+  return NextResponse.next();
+});
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)'],
+};
+`;
+  }
+  return `// Auth.js middleware for route protection
+// Generated by authjs-config-cli
+
+import { auth } from './auth';
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+// Routes accessible without authentication
+const publicRoutes: string[] = [
+${publicPatternsStr}
+  '/auth/signin',
+  '/auth/error',
+  '/api/auth',
+];
+
+function isPublic(pathname: string): boolean {
+  return publicRoutes.some(
+    (route) => pathname === route || pathname.startsWith(\`\${route}/\`)
+  );
+}
+
+export default auth((req: NextRequest & { auth: any }) => {
+  const { pathname } = req.nextUrl;
+
+  if (isPublic(pathname)) return NextResponse.next();
+
+  if (!req.auth) {
+    const signInUrl = new URL('/auth/signin', req.url);
+    signInUrl.searchParams.set('callbackUrl', req.url);
+    return NextResponse.redirect(signInUrl);
+  }
+
+  return NextResponse.next();
+});
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)'],
+};
+`;
+}
+
+// src/commands/add-pages.ts
+import chalk6 from "chalk";
+import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync2 } from "fs";
+import { join as join6 } from "path";
+var ALL_PAGES = ["signIn", "signOut", "error", "verifyRequest", "newUser"];
+function addPagesCommand(options) {
+  const selected = options.all ? [...ALL_PAGES] : options.pages.split(",").map((p) => p.trim()).filter((p) => ALL_PAGES.includes(p));
+  if (selected.length === 0) {
+    console.error(chalk6.red(`\u2717 No pages specified`));
+    console.error(chalk6.dim(`  Use --all or --pages signIn,error`));
+    console.error(chalk6.dim(`  Available: ${ALL_PAGES.join(" | ")}`));
+    process.exit(1);
+  }
+  console.log(chalk6.cyan(`
+\u25C6 Generating custom auth pages
+`));
+  const pagesDir = join6(process.cwd(), "app", "auth");
+  mkdirSync2(pagesDir, { recursive: true });
+  for (const page of selected) {
+    const subDir = join6(pagesDir, pageToRoute(page));
+    mkdirSync2(subDir, { recursive: true });
+    const content = generatePage(page);
+    const outFile = join6(subDir, "page.tsx");
+    writeFileSync6(outFile, content, "utf-8");
+    console.log(chalk6.green(`  \u2713 Created ${chalk6.bold(`app/auth/${pageToRoute(page)}/page.tsx`)}`));
+  }
+  console.log(chalk6.dim(`
+  Register pages in your auth config:`));
+  console.log(chalk6.dim(`    pages: {`));
+  selected.forEach((p) => {
+    console.log(chalk6.dim(`      ${p}: '/auth/${pageToRoute(p)}',`));
+  });
+  console.log(chalk6.dim(`    }
+`));
+}
+function pageToRoute(page) {
+  const map = {
+    signIn: "signin",
+    signOut: "signout",
+    error: "error",
+    verifyRequest: "verify-request",
+    newUser: "new-user"
+  };
+  return map[page];
+}
+function generatePage(page) {
+  switch (page) {
+    case "signIn":
+      return `'use client';
+
+import { signIn } from 'next-auth/react';
+import { useState } from 'react';
+
+export default function SignInPage() {
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState('');
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+    setError('');
+
+    const result = await signIn('credentials', {
+      email,
+      password,
+      redirect: false,
+    });
+
+    if (result?.error) {
+      setError('Invalid email or password');
+    } else {
+      window.location.href = '/dashboard';
+    }
+    setLoading(false);
+  }
+
+  return (
+    <div className="min-h-screen flex items-center justify-center">
+      <div className="max-w-md w-full p-8 bg-white rounded-lg shadow">
+        <h1 className="text-2xl font-bold mb-6">Sign In</h1>
+
+        {error && (
+          <div className="mb-4 p-3 bg-red-50 text-red-700 rounded">{error}</div>
+        )}
+
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div>
+            <label htmlFor="email" className="block text-sm font-medium">Email</label>
+            <input
+              id="email"
+              type="email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              required
+              className="mt-1 block w-full border rounded px-3 py-2"
+            />
+          </div>
+          <div>
+            <label htmlFor="password" className="block text-sm font-medium">Password</label>
+            <input
+              id="password"
+              type="password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+              className="mt-1 block w-full border rounded px-3 py-2"
+            />
+          </div>
+          <button
+            type="submit"
+            disabled={loading}
+            className="w-full bg-blue-600 text-white py-2 rounded hover:bg-blue-700 disabled:opacity-50"
+          >
+            {loading ? 'Signing in...' : 'Sign In'}
+          </button>
+        </form>
+
+        <div className="mt-6 space-y-2">
+          <p className="text-sm text-gray-500 text-center">Or continue with</p>
+          <button
+            onClick={() => signIn('github', { callbackUrl: '/dashboard' })}
+            className="w-full border py-2 rounded hover:bg-gray-50"
+          >
+            GitHub
+          </button>
+          <button
+            onClick={() => signIn('google', { callbackUrl: '/dashboard' })}
+            className="w-full border py-2 rounded hover:bg-gray-50"
+          >
+            Google
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}
+`;
+    case "signOut":
+      return `'use client';
+
+import { signOut } from 'next-auth/react';
+
+export default function SignOutPage() {
+  return (
+    <div className="min-h-screen flex items-center justify-center">
+      <div className="max-w-md w-full p-8 bg-white rounded-lg shadow text-center">
+        <h1 className="text-2xl font-bold mb-4">Sign Out</h1>
+        <p className="text-gray-600 mb-6">Are you sure you want to sign out?</p>
+        <div className="flex gap-3 justify-center">
+          <button
+            onClick={() => signOut({ callbackUrl: '/' })}
+            className="bg-red-600 text-white px-6 py-2 rounded hover:bg-red-700"
+          >
+            Sign Out
+          </button>
+          <button
+            onClick={() => window.history.back()}
+            className="border px-6 py-2 rounded hover:bg-gray-50"
+          >
+            Cancel
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}
+`;
+    case "error":
+      return `'use client';
+
+import { useSearchParams } from 'next/navigation';
+import Link from 'next/link';
+
+const ERROR_MESSAGES: Record<string, string> = {
+  Configuration: 'There is a problem with the server configuration.',
+  AccessDenied: 'You do not have permission to access this resource.',
+  Verification: 'The verification link may have expired or been used already.',
+  OAuthCallback: 'An error occurred during authentication. Please try again.',
+  OAuthCreateAccount: 'Could not create your account. Please try again.',
+  EmailCreateAccount: 'Could not create your account. Please try again.',
+  Callback: 'An error occurred in the authentication callback.',
+  OAuthAccountNotLinked: 'This email is already associated with another account.',
+  EmailSignin: 'The email could not be sent. Please try again.',
+  CredentialsSignin: 'Invalid credentials. Please check your email and password.',
+  SessionRequired: 'Please sign in to access this page.',
+  Default: 'An unexpected error occurred. Please try again.',
+};
+
+export default function ErrorPage() {
+  const params = useSearchParams();
+  const error = params.get('error') ?? 'Default';
+  const message = ERROR_MESSAGES[error] ?? ERROR_MESSAGES.Default;
+
+  return (
+    <div className="min-h-screen flex items-center justify-center">
+      <div className="max-w-md w-full p-8 bg-white rounded-lg shadow text-center">
+        <div className="text-red-500 text-5xl mb-4">\u26A0</div>
+        <h1 className="text-2xl font-bold mb-2">Authentication Error</h1>
+        <p className="text-gray-600 mb-6">{message}</p>
+        <Link
+          href="/auth/signin"
+          className="bg-blue-600 text-white px-6 py-2 rounded hover:bg-blue-700 inline-block"
+        >
+          Try Again
+        </Link>
+      </div>
+    </div>
+  );
+}
+`;
+    case "verifyRequest":
+      return `export default function VerifyRequestPage() {
+  return (
+    <div className="min-h-screen flex items-center justify-center">
+      <div className="max-w-md w-full p-8 bg-white rounded-lg shadow text-center">
+        <div className="text-blue-500 text-5xl mb-4">\u2709</div>
+        <h1 className="text-2xl font-bold mb-2">Check your email</h1>
+        <p className="text-gray-600 mb-4">
+          A sign-in link has been sent to your email address.
+        </p>
+        <p className="text-sm text-gray-500">
+          The link expires in 24 hours. If you don&apos;t see the email,
+          check your spam folder.
+        </p>
+      </div>
+    </div>
+  );
+}
+`;
+    case "newUser":
+      return `'use client';
+
+import { useSession } from 'next-auth/react';
+import { useRouter } from 'next/navigation';
+import { useState } from 'react';
+
+export default function NewUserPage() {
+  const { data: session } = useSession();
+  const router = useRouter();
+  const [username, setUsername] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  async function handleSetup(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+
+    // TODO: call your API to complete profile setup
+    // await fetch('/api/user/setup', {
+    //   method: 'POST',
+    //   body: JSON.stringify({ username }),
+    // });
+
+    router.push('/dashboard');
+  }
+
+  return (
+    <div className="min-h-screen flex items-center justify-center">
+      <div className="max-w-md w-full p-8 bg-white rounded-lg shadow">
+        <h1 className="text-2xl font-bold mb-2">Welcome!</h1>
+        <p className="text-gray-600 mb-6">
+          Hello {session?.user?.name ?? 'there'}! Let&apos;s set up your account.
+        </p>
+
+        <form onSubmit={handleSetup} className="space-y-4">
+          <div>
+            <label htmlFor="username" className="block text-sm font-medium">
+              Choose a username
+            </label>
+            <input
+              id="username"
+              type="text"
+              value={username}
+              onChange={(e) => setUsername(e.target.value)}
+              placeholder="your-username"
+              required
+              className="mt-1 block w-full border rounded px-3 py-2"
+            />
+          </div>
+          <button
+            type="submit"
+            disabled={loading}
+            className="w-full bg-blue-600 text-white py-2 rounded hover:bg-blue-700 disabled:opacity-50"
+          >
+            {loading ? 'Setting up...' : 'Complete Setup'}
+          </button>
+        </form>
+      </div>
+    </div>
+  );
+}
+`;
+  }
+}
+
+// src/commands/validate.ts
+import chalk7 from "chalk";
+import { readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+import { join as join7, resolve } from "path";
+function validateCommand(file) {
+  const target = file ? resolve(file) : findAuthFile(process.cwd());
+  if (!target || !existsSync3(target)) {
+    console.error(chalk7.red(`\u2717 Auth config file not found`));
+    console.error(chalk7.dim(`  Tried: ${target ?? "auth.ts, auth.js, src/auth.ts"}`));
+    console.error(chalk7.dim(`  Run: authjs-config init <framework>`));
+    process.exit(1);
+  }
+  console.log(chalk7.cyan(`
+\u25C6 Validating: ${chalk7.bold(target)}
+`));
+  const source = readFileSync2(target, "utf-8");
+  const issues = [];
+  if (!source.includes("AUTH_SECRET") && !source.includes("secret")) {
+    issues.push({ level: "error", message: "Missing AUTH_SECRET \u2014 required for production security" });
+  }
+  if (!source.includes("trustHost") && !source.includes("NEXTAUTH_URL")) {
+    issues.push({ level: "warn", message: "Consider setting trustHost: true or NEXTAUTH_URL for deployment" });
+  }
+  if (!source.includes("Provider") && !source.includes("providers")) {
+    issues.push({ level: "warn", message: "No providers detected \u2014 add at least one provider" });
+  }
+  const secretPatterns = [
+    /clientSecret:\s*['"][^'"]{8,}['"]/,
+    /clientId:\s*['"][a-zA-Z0-9]{16,}['"]/
+  ];
+  for (const pattern of secretPatterns) {
+    if (pattern.test(source)) {
+      issues.push({ level: "error", message: "Possible hardcoded secret detected \u2014 use environment variables" });
+      break;
+    }
+  }
+  if (source.includes("strategy:") && !source.includes('"jwt"') && !source.includes("'jwt'") && !source.includes('"database"') && !source.includes("'database'")) {
+    issues.push({ level: "warn", message: 'Session strategy value may be invalid \u2014 use "jwt" or "database"' });
+  }
+  if (source.includes("callbacks")) {
+    issues.push({ level: "info", message: "Callbacks detected \u2014 ensure they return correct types" });
+  }
+  if (source.includes("adapter")) {
+    issues.push({ level: "info", message: "Adapter detected \u2014 ensure database schema is migrated" });
+  }
+  if (source.includes("pages:")) {
+    issues.push({ level: "info", message: "Custom pages configured" });
+  }
+  const errors = issues.filter((i) => i.level === "error");
+  const warnings = issues.filter((i) => i.level === "warn");
+  const infos = issues.filter((i) => i.level === "info");
+  issues.forEach(({ level, message }) => {
+    const icon = level === "error" ? chalk7.red("  \u2717") : level === "warn" ? chalk7.yellow("  \u26A0") : chalk7.blue("  \u2139");
+    const text = level === "error" ? chalk7.red(message) : level === "warn" ? chalk7.yellow(message) : chalk7.dim(message);
+    console.log(`${icon} ${text}`);
+  });
+  if (issues.length === 0) {
+    console.log(chalk7.green("  \u2713 No issues found"));
+  }
+  console.log("");
+  if (errors.length > 0) {
+    console.log(chalk7.red(`  ${errors.length} error(s)  ${warnings.length} warning(s)  ${infos.length} info`));
+    process.exit(1);
+  } else {
+    console.log(chalk7.green(`  ${errors.length} errors  `) + chalk7.yellow(`${warnings.length} warning(s)  `) + chalk7.dim(`${infos.length} info`));
+  }
+  console.log("");
+}
+function findAuthFile(cwd) {
+  const candidates = [
+    "auth.ts",
+    "auth.js",
+    "src/auth.ts",
+    "src/auth.js",
+    "lib/auth.ts",
+    "lib/auth.js"
+  ];
+  for (const c of candidates) {
+    const full = join7(cwd, c);
+    if (existsSync3(full)) return full;
+  }
+  return null;
+}
+
+// src/index.ts
+var program = new Command();
+program.name("authjs-config").description(chalk8.bold("Auth.js / NextAuth.js configuration generator")).version("1.0.0");
+program.command("init <framework>").description("Generate auth config for a framework: nextjs | sveltekit | express | solid-start | nuxt").option("--strategy <strategy>", "Session strategy: session | jwt", "jwt").option("--rbac", "Include role-based access control setup", false).option("--refresh-tokens", "Include refresh token rotation", false).action(initCommand);
+program.command("add-provider <name>").description("Add OAuth provider: google | github | discord | apple | twitter | facebook | linkedin | auth0 | keycloak | credentials | email").option("--magic-link", "Configure as magic link (email provider)", false).option("--2fa", "Add 2FA setup scaffold", false).action(addProviderCommand);
+program.command("add-adapter <type>").description("Generate adapter config: prisma | drizzle | typeorm | mongodb | dynamodb | supabase | firebase").action(addAdapterCommand);
+program.command("add-callback <type>").description("Generate callback handler: signIn | redirect | session | jwt").option("--account-linking", "Include account linking logic", false).option("--custom-profile", "Include custom profile mapping", false).action(addCallbackCommand);
+program.command("add-middleware").description("Generate auth middleware for route protection").option("--rbac", "Include role-based route guards", false).option("--public-routes <routes>", "Comma-separated public route patterns", "/").action(addMiddlewareCommand);
+program.command("add-pages").description("Generate custom auth pages: signIn | signOut | error | verifyRequest | newUser").option("--all", "Generate all custom pages", false).option("--pages <pages>", "Comma-separated page names to generate", "").action(addPagesCommand);
+program.command("validate [file]").description("Validate auth configuration file").action(validateCommand);
+program.parse(process.argv);
+if (process.argv.length < 3) {
+  program.help();
+}