create-authhero 0.23.0 → 0.25.0

package/dist/aws-sst/README.md

@@ -0,0 +1,142 @@
+# AuthHero - AWS SST (Lambda + DynamoDB)
+
+A serverless AuthHero deployment using [SST](https://sst.dev) with AWS Lambda and DynamoDB.
+
+## Prerequisites
+
+- Node.js 18+
+- AWS CLI configured with credentials
+- An AWS account
+
+## Setup
+
+1. **Install dependencies**
+
+   ```bash
+   npm install
+   ```
+
+2. **Start development mode**
+
+   ```bash
+   npm run dev
+   ```
+
+   This will:
+   - Deploy to your AWS account in development mode
+   - Create a DynamoDB table
+   - Start a Lambda function with live reloading
+   - Output your API URL
+
+3. **Seed the database**
+
+   After the dev server starts, seed your database:
+
+   ```bash
+   # Set your admin credentials
+   export ADMIN_EMAIL=admin@example.com
+   export ADMIN_PASSWORD=your-secure-password
+
+   npm run seed
+   ```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `npm run dev` | Start SST in development mode |
+| `npm run deploy` | Deploy to production |
+| `npm run remove` | Remove all deployed resources |
+| `npm run seed` | Seed the database with initial data |
+
+## Project Structure
+
+```text
+├── sst.config.ts      # SST configuration (Lambda, DynamoDB, API Gateway)
+├── src/
+│   ├── index.ts       # Lambda handler
+│   ├── app.ts         # AuthHero app configuration
+│   └── seed.ts        # Database seeding script
+├── copy-assets.js     # Script to copy widget assets for Lambda
+└── package.json
+```
+
+## Architecture
+
+- **Lambda Function**: Runs the AuthHero Hono application
+- **DynamoDB**: Single-table design for all AuthHero data
+- **API Gateway**: HTTP API with custom domain support
+- **S3 Bucket**: Serves widget assets (CSS, JS)
+
+## Environment Variables
+
+Set these in SST or AWS Systems Manager:
+
+| Variable | Description |
+|----------|-------------|
+| `TABLE_NAME` | DynamoDB table name (auto-set by SST) |
+| `WIDGET_URL` | URL to widget assets (auto-set by SST) |
+| `ADMIN_EMAIL` | Admin user email (required for initial seeding) |
+| `ADMIN_PASSWORD` | Admin user password (required for initial seeding) |
+
+## Widget Assets
+
+Widget assets are served from an S3 bucket with CloudFront. SST automatically:
+1. Copies assets from `node_modules/authhero/dist/assets`
+2. Uploads them to S3
+3. Creates a CloudFront distribution
+4. Sets the `WIDGET_URL` environment variable
+
+## Custom Domain
+
+To use a custom domain, update `sst.config.ts`:
+
+```typescript
+const api = new sst.aws.ApiGatewayV2("AuthHeroApi", {
+  domain: "auth.yourdomain.com",
+});
+```
+
+## Production Deployment
+
+```bash
+npm run deploy -- --stage production
+```
+
+## Costs
+
+Estimated monthly costs for moderate usage:
+
+| Service | Free Tier | After Free Tier |
+|---------|-----------|-----------------|
+| Lambda | 1M requests/month | $0.20/1M requests |
+| DynamoDB | 25 WCU/RCU | ~$0.25/1M requests |
+| API Gateway | 1M requests/month | $1.00/1M requests |
+| S3 + CloudFront | 1GB + 50GB | ~$5/month |
+
+## Troubleshooting
+
+### Lambda timeout
+
+Increase timeout in `sst.config.ts`:
+
+```typescript
+new sst.aws.Function("AuthHero", {
+  timeout: "30 seconds",
+});
+```
+
+### DynamoDB throttling
+
+Enable auto-scaling or increase provisioned capacity in `sst.config.ts`.
+
+### Widget not loading
+
+Ensure the S3 bucket and CloudFront are properly configured. Check browser console for CORS errors.
+
+## Learn More
+
+- [SST Documentation](https://sst.dev/docs)
+- [AuthHero Documentation](https://authhero.net/docs)
+- [AWS Lambda](https://docs.aws.amazon.com/lambda/)
+- [DynamoDB](https://docs.aws.amazon.com/dynamodb/)

package/dist/aws-sst/copy-assets.js

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+
+/**
+ * Copy AuthHero widget assets for Lambda deployment
+ *
+ * This script copies widget assets from node_modules to dist/assets
+ * so they can be uploaded to S3 and served via CloudFront.
+ */
+
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+function copyDirectory(src, dest) {
+  if (!fs.existsSync(dest)) {
+    fs.mkdirSync(dest, { recursive: true });
+  }
+
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDirectory(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+// Source and destination paths
+const authHeroAssets = path.join(__dirname, "node_modules/authhero/dist/assets");
+const widgetSource = path.join(
+  __dirname,
+  "node_modules/@authhero/widget/dist/authhero-widget"
+);
+const targetDir = path.join(__dirname, "dist/assets");
+const widgetTarget = path.join(targetDir, "u/widget");
+
+// Copy authhero assets
+if (fs.existsSync(authHeroAssets)) {
+  console.log("📦 Copying AuthHero assets...");
+  copyDirectory(authHeroAssets, targetDir);
+} else {
+  console.log("⚠️  AuthHero assets not found at:", authHeroAssets);
+}
+
+// Copy widget from @authhero/widget package
+if (fs.existsSync(widgetSource)) {
+  console.log("📦 Copying widget assets...");
+  copyDirectory(widgetSource, widgetTarget);
+} else {
+  console.log("⚠️  Widget assets not found at:", widgetSource);
+}
+
+console.log("✅ Assets copied to dist/assets");

package/dist/aws-sst/src/index.ts

@@ -0,0 +1,77 @@
+import { handle } from "hono/aws-lambda";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
+import createAdapters from "@authhero/aws";
+import createApp from "./app";
+import type { APIGatewayProxyEventV2, Context } from "aws-lambda";
+
+// Validate required environment variables
+if (!process.env.TABLE_NAME) {
+  throw new Error("TABLE_NAME environment variable is required");
+}
+
+// Initialize DynamoDB client outside handler for connection reuse
+const client = new DynamoDBClient({});
+const docClient = DynamoDBDocumentClient.from(client, {
+  marshallOptions: {
+    removeUndefinedValues: true,
+  },
+});
+
+// Create adapters - reused across invocations
+const dataAdapter = createAdapters(docClient, {
+  tableName: process.env.TABLE_NAME,
+});
+
+export async function handler(event: APIGatewayProxyEventV2, context: Context) {
+  // Compute issuer from the request
+  const host = event.headers.host || event.requestContext.domainName;
+  const protocol = event.headers["x-forwarded-proto"] || "https";
+  const issuer = `${protocol}://${host}/`;
+
+  // Get origin for CORS
+  const origin = event.headers.origin || "";
+
+  // Widget URL from environment (set by SST)
+  const widgetUrl = process.env.WIDGET_URL || "";
+
+  // CORS configuration
+  // SECURITY: Configure ALLOWED_ORIGINS environment variable in production
+  // to restrict origins. Comma-separated list of allowed origins.
+  const allowedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(",").map((o) => o.trim())
+    : [
+        // WARNING: These localhost origins are for development only
+        // Remove or override via ALLOWED_ORIGINS env var in production
+        "http://localhost:5173",
+        "https://localhost:3000",
+        origin,
+      ].filter(Boolean);
+
+  // Create app instance per request to avoid issuer contamination
+  // Lambda containers are reused, so we can't mutate process.env.ISSUER globally
+  const appWithIssuer = createApp({
+    dataAdapter,
+    allowedOrigins,
+    widgetUrl,
+  });
+
+  // Set issuer in a request-scoped way via middleware
+  appWithIssuer.use("*", async (c, next) => {
+    // Store issuer in context for this request
+    const originalIssuer = process.env.ISSUER;
+    process.env.ISSUER = issuer;
+    try {
+      await next();
+    } finally {
+      // Restore original value to prevent contamination
+      if (originalIssuer !== undefined) {
+        process.env.ISSUER = originalIssuer;
+      } else {
+        delete process.env.ISSUER;
+      }
+    }
+  });
+
+  return handle(appWithIssuer)(event, context);
+}

package/dist/aws-sst/src/types.ts

@@ -0,0 +1,5 @@
+export interface AppConfig {
+  dataAdapter: any;
+  allowedOrigins: string[];
+  widgetUrl: string;
+}

package/dist/aws-sst/sst.config.ts

@@ -0,0 +1,82 @@
+/// <reference path="./.sst/platform/config.d.ts" />
+
+export default $config({
+  app(input) {
+    return {
+      name: "authhero",
+      removal: input?.stage === "production" ? "retain" : "remove",
+      protect: ["production"].includes(input?.stage),
+      home: "aws",
+    };
+  },
+  async run() {
+    // ════════════════════════════════════════════════════════════════════════
+    // DynamoDB Table - Single-table design for all AuthHero data
+    // ════════════════════════════════════════════════════════════════════════
+    const table = new sst.aws.Dynamo("AuthHeroTable", {
+      fields: {
+        pk: "string",
+        sk: "string",
+        gsi1pk: "string",
+        gsi1sk: "string",
+        gsi2pk: "string",
+        gsi2sk: "string",
+      },
+      primaryIndex: { hashKey: "pk", rangeKey: "sk" },
+      globalIndexes: {
+        gsi1: { hashKey: "gsi1pk", rangeKey: "gsi1sk" },
+        gsi2: { hashKey: "gsi2pk", rangeKey: "gsi2sk" },
+      },
+      ttl: "expiresAt",
+    });
+
+    // ════════════════════════════════════════════════════════════════════════
+    // S3 Bucket + CloudFront for Widget Assets
+    // ════════════════════════════════════════════════════════════════════════
+    const assets = new sst.aws.StaticSite("WidgetAssets", {
+      path: "dist/assets",
+      build: {
+        command: "node copy-assets.js",
+        output: "dist/assets",
+      },
+    });
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Lambda Function
+    // ════════════════════════════════════════════════════════════════════════
+    const api = new sst.aws.ApiGatewayV2("AuthHeroApi");
+
+    const authFunction = new sst.aws.Function("AuthHeroFunction", {
+      handler: "src/index.handler",
+      runtime: "nodejs20.x",
+      timeout: "30 seconds",
+      memory: "512 MB",
+      link: [table],
+      environment: {
+        TABLE_NAME: table.name,
+        WIDGET_URL: assets.url,
+      },
+      nodejs: {
+        install: ["@authhero/aws"],
+      },
+    });
+
+    api.route("$default", authFunction.arn);
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Optional: Custom Domain
+    // ════════════════════════════════════════════════════════════════════════
+    // Uncomment and configure to use a custom domain:
+    //
+    // api.domain = {
+    //   name: "auth.yourdomain.com",
+    //   dns: sst.aws.dns(),
+    // };
+
+    return {
+      api: api.url,
+      assets: assets.url,
+      table: table.name,
+    };
+  },
+});

package/dist/aws-sst/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "outDir": "dist",
+    "declaration": true,
+    "types": ["node"]
+  },
+  "include": ["src/**/*", "sst.config.ts"],
+  "exclude": ["node_modules", "dist"]
+}

package/dist/create-authhero.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { Command as T } from "commander";
-import d from "inquirer";
-import s from "fs";
+import { Command as k } from "commander";
+import u from "inquirer";
+import a from "fs";
 import i from "path";
-import { spawn as D } from "child_process";
-const I = new T(), m = {
+import { spawn as N } from "child_process";
+const b = new k(), p = {
   local: {
     name: "Local (SQLite)",
     description: "Local development setup with SQLite database - great for getting started",
@@ -83,15 +83,51 @@ const I = new T(), m = {
       }
     }),
     seedFile: "seed.ts"
+  },
+  "aws-sst": {
+    name: "AWS SST (Lambda + DynamoDB)",
+    description: "Serverless AWS deployment with Lambda, DynamoDB, and SST",
+    templateDir: "aws-sst",
+    packageJson: (t, e) => ({
+      name: t,
+      version: "1.0.0",
+      type: "module",
+      scripts: {
+        dev: "sst dev",
+        deploy: "sst deploy --stage production",
+        remove: "sst remove",
+        seed: "npx tsx src/seed.ts",
+        "copy-assets": "node copy-assets.js"
+      },
+      dependencies: {
+        "@authhero/aws": "latest",
+        "@authhero/widget": "latest",
+        "@aws-sdk/client-dynamodb": "^3.0.0",
+        "@aws-sdk/lib-dynamodb": "^3.0.0",
+        "@hono/swagger-ui": "^0.5.0",
+        "@hono/zod-openapi": "^0.19.0",
+        authhero: "latest",
+        hono: "^4.6.0",
+        ...e && { "@authhero/multi-tenancy": "latest" }
+      },
+      devDependencies: {
+        "@types/aws-lambda": "^8.10.0",
+        "@types/node": "^20.0.0",
+        sst: "^3.0.0",
+        tsx: "^4.0.0",
+        typescript: "^5.5.0"
+      }
+    }),
+    seedFile: "seed.ts"
   }
 };
-function x(t, e) {
-  s.readdirSync(t).forEach((o) => {
-    const n = i.join(t, o), r = i.join(e, o);
-    s.lstatSync(n).isDirectory() ? (s.mkdirSync(r, { recursive: !0 }), x(n, r)) : s.copyFileSync(n, r);
+function E(t, e) {
+  a.readdirSync(t).forEach((s) => {
+    const n = i.join(t, s), o = i.join(e, s);
+    a.lstatSync(n).isDirectory() ? (a.mkdirSync(o, { recursive: !0 }), E(n, o)) : a.copyFileSync(n, o);
   });
 }
-function E(t) {
+function P(t) {
   return `import { SqliteDialect, Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
@@ -128,21 +164,25 @@ async function main() {
 main().catch(console.error);
 `;
 }
-function j(t) {
+function R(t) {
   return t ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { serveStatic } from "@hono/node-server/serve-static";
 import { initMultiTenant } from "@authhero/multi-tenancy";
 
-// Control plane tenant ID - the tenant that manages all other tenants
+// Control plane configuration
 const CONTROL_PLANE_TENANT_ID = "control_plane";
+const CONTROL_PLANE_CLIENT_ID = "default_client";
 
 export default function createApp(config: AuthHeroConfig & { dataAdapter: DataAdapters }) {
   // Initialize multi-tenant AuthHero - syncs resource servers, roles, and connections by default
   const { app } = initMultiTenant({
     ...config,
-    controlPlaneTenantId: CONTROL_PLANE_TENANT_ID,
+    controlPlane: {
+      tenantId: CONTROL_PLANE_TENANT_ID,
+      clientId: CONTROL_PLANE_CLIENT_ID,
+    },
   });
 
   app
@@ -228,7 +268,7 @@ export default function createApp(config: AuthHeroConfig) {
 }
 `;
 }
-function _(t) {
+function L(t) {
   return `import { D1Dialect } from "kysely-d1";
 import { Kysely } from "kysely";
 import createAdapters from "@authhero/kysely-adapter";
@@ -301,20 +341,24 @@ export default {
 };
 `;
 }
-function R(t) {
+function M(t) {
   return t ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { initMultiTenant } from "@authhero/multi-tenancy";
 
-// Control plane tenant ID - the tenant that manages all other tenants
+// Control plane configuration
 const CONTROL_PLANE_TENANT_ID = "control_plane";
+const CONTROL_PLANE_CLIENT_ID = "default_client";
 
 export default function createApp(config: AuthHeroConfig & { dataAdapter: DataAdapters }) {
   // Initialize multi-tenant AuthHero - syncs resource servers, roles, and connections by default
   const { app } = initMultiTenant({
     ...config,
-    controlPlaneTenantId: CONTROL_PLANE_TENANT_ID,
+    controlPlane: {
+      tenantId: CONTROL_PLANE_TENANT_ID,
+      clientId: CONTROL_PLANE_CLIENT_ID,
+    },
   });
 
   app
@@ -377,10 +421,175 @@ export default function createApp(config: AuthHeroConfig) {
 }
 `;
 }
-function M(t) {
+function j(t) {
+  return t ? `import { Context } from "hono";
+import { swaggerUI } from "@hono/swagger-ui";
+import { AuthHeroConfig, DataAdapters } from "authhero";
+import { initMultiTenant } from "@authhero/multi-tenancy";
+
+// Control plane configuration
+const CONTROL_PLANE_TENANT_ID = "control_plane";
+const CONTROL_PLANE_CLIENT_ID = "default_client";
+
+interface AppConfig extends AuthHeroConfig {
+  dataAdapter: DataAdapters;
+  widgetUrl: string;
+}
+
+export default function createApp(config: AppConfig) {
+  // Initialize multi-tenant AuthHero
+  const { app } = initMultiTenant({
+    ...config,
+    controlPlane: {
+      tenantId: CONTROL_PLANE_TENANT_ID,
+      clientId: CONTROL_PLANE_CLIENT_ID,
+    },
+  });
+
+  app
+    .onError((err, ctx) => {
+      if (err && typeof err === "object" && "getResponse" in err) {
+        return (err as { getResponse: () => Response }).getResponse();
+      }
+      console.error(err);
+      return ctx.text(err instanceof Error ? err.message : "Internal Server Error", 500);
+    })
+    .get("/", async (ctx: Context) => {
+      return ctx.json({
+        name: "AuthHero Multi-Tenant Server (AWS)",
+        version: "1.0.0",
+        status: "running",
+        docs: "/docs",
+        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,
+      });
+    })
+    .get("/docs", swaggerUI({ url: "/api/v2/spec" }))
+    // Redirect widget requests to S3/CloudFront
+    .get("/u/widget/*", async (ctx) => {
+      const file = ctx.req.path.replace("/u/widget/", "");
+      return ctx.redirect(\`\${config.widgetUrl}/u/widget/\${file}\`);
+    })
+    .get("/u/*", async (ctx) => {
+      const file = ctx.req.path.replace("/u/", "");
+      return ctx.redirect(\`\${config.widgetUrl}/u/\${file}\`);
+    });
+
+  return app;
+}
+` : `import { Context } from "hono";
+import { cors } from "hono/cors";
+import { AuthHeroConfig, init, DataAdapters } from "authhero";
+import { swaggerUI } from "@hono/swagger-ui";
+
+interface AppConfig extends AuthHeroConfig {
+  dataAdapter: DataAdapters;
+  widgetUrl: string;
+}
+
+export default function createApp(config: AppConfig) {
+  const { app } = init(config);
+
+  // Enable CORS for all origins in development
+  app.use("*", cors({
+    origin: (origin) => origin || "*",
+    allowMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+    allowHeaders: ["Content-Type", "Authorization", "Auth0-Client"],
+    exposeHeaders: ["Content-Length"],
+    credentials: true,
+  }));
+
+  app
+    .onError((err, ctx) => {
+      if (err && typeof err === "object" && "getResponse" in err) {
+        return (err as { getResponse: () => Response }).getResponse();
+      }
+      console.error(err);
+      return ctx.text(err instanceof Error ? err.message : "Internal Server Error", 500);
+    })
+    .get("/", async (ctx: Context) => {
+      return ctx.json({
+        name: "AuthHero Server (AWS)",
+        status: "running",
+      });
+    })
+    .get("/docs", swaggerUI({ url: "/api/v2/spec" }))
+    // Redirect widget requests to S3/CloudFront
+    .get("/u/widget/*", async (ctx) => {
+      const file = ctx.req.path.replace("/u/widget/", "");
+      return ctx.redirect(\`\${config.widgetUrl}/u/widget/\${file}\`);
+    })
+    .get("/u/*", async (ctx) => {
+      const file = ctx.req.path.replace("/u/", "");
+      return ctx.redirect(\`\${config.widgetUrl}/u/\${file}\`);
+    });
+
+  return app;
+}
+`;
+}
+function O(t) {
+  return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
+import createAdapters from "@authhero/aws";
+import { seed } from "authhero";
+
+async function main() {
+  const adminEmail = process.argv[2] || process.env.ADMIN_EMAIL;
+  const adminPassword = process.argv[3] || process.env.ADMIN_PASSWORD;
+  const tableName = process.argv[4] || process.env.TABLE_NAME;
+
+  if (!adminEmail || !adminPassword) {
+    console.error("Usage: npm run seed <email> <password>");
+    console.error("   or: ADMIN_EMAIL=... ADMIN_PASSWORD=... npm run seed");
+    process.exit(1);
+  }
+
+  if (!tableName) {
+    console.error("TABLE_NAME environment variable is required");
+    console.error("Run 'sst dev' first to get the table name from outputs");
+    process.exit(1);
+  }
+
+  const client = new DynamoDBClient({});
+  const docClient = DynamoDBDocumentClient.from(client, {
+    marshallOptions: {
+      removeUndefinedValues: true,
+    },
+  });
+
+  const adapters = createAdapters(docClient, { tableName });
+
+  await seed(adapters, {
+    adminEmail,
+    adminPassword,
+    tenantId: "${t ? "control_plane" : "main"}",
+    tenantName: "${t ? "Control Plane" : "Main"}",
+    isControlPlane: ${t},
+  });
+
+  console.log("✅ Database seeded successfully!");
+}
+
+main().catch(console.error);
+`;
+}
+function $(t, e) {
+  const r = i.join(t, "src");
+  a.writeFileSync(
+    i.join(r, "app.ts"),
+    j(e)
+  ), a.writeFileSync(
+    i.join(r, "seed.ts"),
+    O(e)
+  );
+}
+function C(t) {
+  console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🌐 Portal available at https://local.authhero.net"), console.log(t ? "🏢 Multi-tenant mode enabled with control_plane tenant" : "🏠 Single-tenant mode with 'main' tenant"), console.log("─".repeat(50) + "\\n");
+}
+function H(t) {
   const e = i.join(t, ".github", "workflows");
-  s.mkdirSync(e, { recursive: !0 });
-  const a = `name: Unit tests
+  a.mkdirSync(e, { recursive: !0 });
+  const r = `name: Unit tests
 
 on: push
 
@@ -401,7 +610,7 @@ jobs:
 
       - run: npm run type-check
       - run: npm test
-`, o = `name: Deploy to Dev
+`, s = `name: Deploy to Dev
 
 on:
   push:
@@ -466,9 +675,9 @@ jobs:
           apiToken: \${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}
           command: deploy --env production
 `;
-  s.writeFileSync(i.join(e, "unit-tests.yml"), a), s.writeFileSync(i.join(e, "deploy-dev.yml"), o), s.writeFileSync(i.join(e, "release.yml"), n), console.log("\\n📦 GitHub CI workflows created!");
+  a.writeFileSync(i.join(e, "unit-tests.yml"), r), a.writeFileSync(i.join(e, "deploy-dev.yml"), s), a.writeFileSync(i.join(e, "release.yml"), n), console.log("\\n📦 GitHub CI workflows created!");
 }
-function $(t) {
+function U(t) {
   const e = {
     branches: ["main"],
     plugins: [
@@ -477,109 +686,115 @@ function $(t) {
       "@semantic-release/github"
     ]
   };
-  s.writeFileSync(
+  a.writeFileSync(
     i.join(t, ".releaserc.json"),
     JSON.stringify(e, null, 2)
   );
-  const a = i.join(t, "package.json"), o = JSON.parse(s.readFileSync(a, "utf-8"));
-  o.devDependencies = {
-    ...o.devDependencies,
+  const r = i.join(t, "package.json"), s = JSON.parse(a.readFileSync(r, "utf-8"));
+  s.devDependencies = {
+    ...s.devDependencies,
     "semantic-release": "^24.0.0"
-  }, o.scripts = {
-    ...o.scripts,
+  }, s.scripts = {
+    ...s.scripts,
     test: 'echo "No tests yet"',
     "type-check": "tsc --noEmit"
-  }, s.writeFileSync(a, JSON.stringify(o, null, 2));
+  }, a.writeFileSync(r, JSON.stringify(s, null, 2));
 }
 function v(t, e) {
-  return new Promise((a, o) => {
-    const n = D(t, [], {
+  return new Promise((r, s) => {
+    const n = N(t, [], {
       cwd: e,
       shell: !0,
       stdio: "inherit"
     });
-    n.on("close", (r) => {
-      r === 0 ? a() : o(new Error(`Command failed with exit code ${r}`));
-    }), n.on("error", o);
+    n.on("close", (o) => {
+      o === 0 ? r() : s(new Error(`Command failed with exit code ${o}`));
+    }), n.on("error", s);
   });
 }
-function b(t, e, a) {
-  return new Promise((o, n) => {
-    const r = D(t, [], {
+function D(t, e, r) {
+  return new Promise((s, n) => {
+    const o = N(t, [], {
       cwd: e,
       shell: !0,
       stdio: "inherit",
-      env: { ...process.env, ...a }
+      env: { ...process.env, ...r }
     });
-    r.on("close", (c) => {
-      c === 0 ? o() : n(new Error(`Command failed with exit code ${c}`));
-    }), r.on("error", n);
+    o.on("close", (c) => {
+      c === 0 ? s() : n(new Error(`Command failed with exit code ${c}`));
+    }), o.on("error", n);
   });
 }
-function O(t, e) {
-  const a = i.join(t, "src");
-  s.writeFileSync(
-    i.join(a, "app.ts"),
-    R(e)
-  ), s.writeFileSync(
-    i.join(a, "seed.ts"),
-    _(e)
+function F(t, e) {
+  const r = i.join(t, "src");
+  a.writeFileSync(
+    i.join(r, "app.ts"),
+    M(e)
+  ), a.writeFileSync(
+    i.join(r, "seed.ts"),
+    L(e)
   );
 }
-function k(t) {
+function I(t) {
   console.log(`
 ` + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("📚 API documentation available at https://localhost:3000/docs"), console.log("🌐 Portal available at https://local.authhero.net"), console.log(t ? "🏢 Multi-tenant mode enabled with control_plane tenant" : "🏠 Single-tenant mode with 'main' tenant"), console.log("─".repeat(50) + `
 `);
 }
-function C(t) {
+function x(t) {
   console.log(`
 ` + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("📚 API documentation available at https://localhost:3000/docs"), console.log("🌐 Portal available at https://local.authhero.net"), console.log(t ? "🏢 Multi-tenant mode enabled with control_plane tenant" : "🏠 Single-tenant mode with 'main' tenant"), console.log("─".repeat(50) + `
 `);
 }
-I.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local or cloudflare").option("-e, --email <email>", "admin email address").option("-p, --password <password>", "admin password (min 8 characters)").option(
+b.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local or cloudflare").option("-e, --email <email>", "admin email address").option("-p, --password <password>", "admin password (min 8 characters)").option(
   "--package-manager <pm>",
   "package manager to use: npm, yarn, pnpm, or bun"
 ).option("--multi-tenant", "enable multi-tenant mode").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-seed", "skip seeding the database").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (t, e) => {
-  const a = e.yes === !0;
+  const r = e.yes === !0;
   console.log(`
 🔐 Welcome to AuthHero!
 `);
-  let o = t;
-  o || (a ? (o = "auth-server", console.log(`Using default project name: ${o}`)) : o = (await d.prompt([
+  let s = t;
+  s || (r ? (s = "auth-server", console.log(`Using default project name: ${s}`)) : s = (await u.prompt([
     {
       type: "input",
       name: "projectName",
       message: "Project name:",
       default: "auth-server",
-      validate: (p) => p !== "" || "Project name cannot be empty"
+      validate: (d) => d !== "" || "Project name cannot be empty"
     }
   ])).projectName);
-  const n = i.join(process.cwd(), o);
-  s.existsSync(n) && (console.error(`❌ Project "${o}" already exists.`), process.exit(1));
-  let r;
-  e.template ? (["local", "cloudflare"].includes(e.template) || (console.error(`❌ Invalid template: ${e.template}`), console.error("Valid options: local, cloudflare"), process.exit(1)), r = e.template, console.log(`Using template: ${m[r].name}`)) : r = (await d.prompt([
+  const n = i.join(process.cwd(), s);
+  a.existsSync(n) && (console.error(`❌ Project "${s}" already exists.`), process.exit(1));
+  let o;
+  e.template ? (["local", "cloudflare", "aws-sst"].includes(e.template) || (console.error(`❌ Invalid template: ${e.template}`), console.error("Valid options: local, cloudflare, aws-sst"), process.exit(1)), o = e.template, console.log(`Using template: ${p[o].name}`)) : o = (await u.prompt([
     {
       type: "list",
       name: "setupType",
       message: "Select your setup type:",
       choices: [
         {
-          name: `${m.local.name}
-     ${m.local.description}`,
+          name: `${p.local.name}
+     ${p.local.description}`,
           value: "local",
-          short: m.local.name
+          short: p.local.name
         },
         {
-          name: `${m.cloudflare.name}
-     ${m.cloudflare.description}`,
+          name: `${p.cloudflare.name}
+     ${p.cloudflare.description}`,
           value: "cloudflare",
-          short: m.cloudflare.name
+          short: p.cloudflare.name
+        },
+        {
+          name: `${p["aws-sst"].name}
+     ${p["aws-sst"].description}`,
+          value: "aws-sst",
+          short: p["aws-sst"].name
         }
       ]
     }
   ])).setupType;
   let c;
-  e.multiTenant !== void 0 ? (c = e.multiTenant, console.log(`Multi-tenant mode: ${c ? "enabled" : "disabled"}`)) : a ? c = !1 : c = (await d.prompt([
+  e.multiTenant !== void 0 ? (c = e.multiTenant, console.log(`Multi-tenant mode: ${c ? "enabled" : "disabled"}`)) : r ? c = !1 : c = (await u.prompt([
     {
       type: "confirm",
       name: "multiTenant",
@@ -588,56 +803,57 @@ I.version("1.0.0").description("Create a new AuthHero project").argument("[proje
       default: !1
     }
   ])).multiTenant;
-  const S = m[r];
-  s.mkdirSync(n, { recursive: !0 }), s.writeFileSync(
+  const A = p[o];
+  a.mkdirSync(n, { recursive: !0 }), a.writeFileSync(
     i.join(n, "package.json"),
-    JSON.stringify(S.packageJson(o, c), null, 2)
+    JSON.stringify(A.packageJson(s, c), null, 2)
   );
-  const N = S.templateDir, A = i.join(
+  const _ = A.templateDir, S = i.join(
     import.meta.url.replace("file://", "").replace("/create-authhero.js", ""),
-    N
+    _
   );
-  if (s.existsSync(A) ? x(A, n) : (console.error(`❌ Template directory not found: ${A}`), process.exit(1)), r === "cloudflare" && O(n, c), r === "cloudflare") {
-    const l = i.join(n, "wrangler.toml"), p = i.join(n, "wrangler.local.toml");
-    s.existsSync(l) && s.copyFileSync(l, p);
-    const u = i.join(n, ".dev.vars.example"), g = i.join(n, ".dev.vars");
-    s.existsSync(u) && s.copyFileSync(u, g), console.log(
+  if (a.existsSync(S) ? E(S, n) : (console.error(`❌ Template directory not found: ${S}`), process.exit(1)), o === "cloudflare" && F(n, c), o === "cloudflare") {
+    const l = i.join(n, "wrangler.toml"), d = i.join(n, "wrangler.local.toml");
+    a.existsSync(l) && a.copyFileSync(l, d);
+    const m = i.join(n, ".dev.vars.example"), g = i.join(n, ".dev.vars");
+    a.existsSync(m) && a.copyFileSync(m, g), console.log(
       "📁 Created wrangler.local.toml and .dev.vars for local development"
     );
   }
   let w = !1;
-  if (r === "cloudflare" && (e.githubCi !== void 0 ? (w = e.githubCi, w && console.log("Including GitHub CI workflows with semantic versioning")) : a || (w = (await d.prompt([
+  if (o === "cloudflare" && (e.githubCi !== void 0 ? (w = e.githubCi, w && console.log("Including GitHub CI workflows with semantic versioning")) : r || (w = (await u.prompt([
     {
       type: "confirm",
       name: "includeGithubCi",
       message: "Would you like to include GitHub CI with semantic versioning?",
       default: !1
     }
-  ])).includeGithubCi), w && (M(n), $(n))), r === "local") {
-    const l = E(c);
-    s.writeFileSync(i.join(n, "src/seed.ts"), l);
-    const p = j(c);
-    s.writeFileSync(i.join(n, "src/app.ts"), p);
+  ])).includeGithubCi), w && (H(n), U(n))), o === "local") {
+    const l = P(c);
+    a.writeFileSync(i.join(n, "src/seed.ts"), l);
+    const d = R(c);
+    a.writeFileSync(i.join(n, "src/app.ts"), d);
   }
-  const P = c ? "multi-tenant" : "single-tenant";
+  o === "aws-sst" && $(n, c);
+  const T = c ? "multi-tenant" : "single-tenant";
   console.log(
     `
-✅ Project "${o}" has been created with ${S.name} (${P}) setup!
+✅ Project "${s}" has been created with ${A.name} (${T}) setup!
 `
   );
-  let f;
-  if (e.skipInstall ? f = !1 : a ? f = !0 : f = (await d.prompt([
+  let h;
+  if (e.skipInstall ? h = !1 : r ? h = !0 : h = (await u.prompt([
     {
       type: "confirm",
       name: "shouldInstall",
       message: "Would you like to install dependencies now?",
       default: !0
     }
-  ])).shouldInstall, f) {
+  ])).shouldInstall, h) {
     let l;
     e.packageManager ? (["npm", "yarn", "pnpm", "bun"].includes(e.packageManager) || (console.error(
       `❌ Invalid package manager: ${e.packageManager}`
-    ), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), l = e.packageManager) : a ? l = "pnpm" : l = (await d.prompt([
+    ), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), l = e.packageManager) : r ? l = "pnpm" : l = (await u.prompt([
       {
         type: "list",
         name: "packageManager",
@@ -654,14 +870,14 @@ I.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 📦 Installing dependencies with ${l}...
 `);
     try {
-      const p = l === "pnpm" ? "pnpm install --ignore-workspace" : `${l} install`;
-      if (await v(p, n), r === "local" && (console.log(`
+      const d = l === "pnpm" ? "pnpm install --ignore-workspace" : `${l} install`;
+      if (await v(d, n), o === "local" && (console.log(`
 🔧 Building native modules...
 `), await v("npm rebuild better-sqlite3", n)), console.log(`
 ✅ Dependencies installed successfully!
-`), r === "local" || r === "cloudflare") {
+`), o === "local" || o === "cloudflare") {
         let g;
-        if (e.skipMigrate && e.skipSeed ? g = !1 : a ? g = !e.skipMigrate || !e.skipSeed : g = (await d.prompt([
+        if (e.skipMigrate && e.skipSeed ? g = !1 : r ? g = !e.skipMigrate || !e.skipSeed : g = (await u.prompt([
           {
             type: "confirm",
             name: "shouldSetup",
@@ -669,11 +885,11 @@ I.version("1.0.0").description("Create a new AuthHero project").argument("[proje
             default: !0
           }
         ])).shouldSetup, g) {
-          let h;
-          e.email && e.password ? (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e.email) || (console.error("❌ Invalid email address provided"), process.exit(1)), e.password.length < 8 && (console.error("❌ Password must be at least 8 characters"), process.exit(1)), h = {
+          let f;
+          e.email && e.password ? (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e.email) || (console.error("❌ Invalid email address provided"), process.exit(1)), e.password.length < 8 && (console.error("❌ Password must be at least 8 characters"), process.exit(1)), f = {
             username: e.email,
             password: e.password
-          }, console.log(`Using admin email: ${e.email}`)) : h = await d.prompt([
+          }, console.log(`Using admin email: ${e.email}`)) : f = await u.prompt([
             {
               type: "input",
               name: "username",
@@ -692,49 +908,51 @@ I.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 🔄 Running migrations...
 `), await v(`${l} run migrate`, n)), e.skipSeed || (console.log(`
 🌱 Seeding database...
-`), r === "local" ? await b(
+`), o === "local" ? await D(
             `${l} run seed`,
             n,
             {
-              ADMIN_EMAIL: h.username,
-              ADMIN_PASSWORD: h.password
+              ADMIN_EMAIL: f.username,
+              ADMIN_PASSWORD: f.password
             }
-          ) : await b(
+          ) : await D(
             `${l} run seed:local`,
             n,
             {
-              ADMIN_EMAIL: h.username,
-              ADMIN_PASSWORD: h.password
+              ADMIN_EMAIL: f.username,
+              ADMIN_PASSWORD: f.password
             }
           ));
         }
       }
-      let u;
-      e.skipStart || a ? u = !1 : u = (await d.prompt([
+      let m;
+      e.skipStart || r ? m = !1 : m = (await u.prompt([
         {
           type: "confirm",
           name: "shouldStart",
           message: "Would you like to start the development server?",
           default: !0
         }
-      ])).shouldStart, u && (r === "cloudflare" ? k(c) : C(c), console.log(`🚀 Starting development server...
-`), await v(`${l} run dev`, n)), a && !u && (console.log(`
+      ])).shouldStart, m && (o === "cloudflare" ? I(c) : o === "aws-sst" ? C(c) : x(c), console.log(`🚀 Starting development server...
+`), await v(`${l} run dev`, n)), r && !m && (console.log(`
 ✅ Setup complete!`), console.log(`
-To start the development server:`), console.log(`  cd ${o}`), console.log("  npm run dev"), r === "cloudflare" ? k(c) : C(c));
-    } catch (p) {
+To start the development server:`), console.log(`  cd ${s}`), console.log("  npm run dev"), o === "cloudflare" ? I(c) : o === "aws-sst" ? C(c) : x(c));
+    } catch (d) {
       console.error(`
-❌ An error occurred:`, p), process.exit(1);
+❌ An error occurred:`, d), process.exit(1);
     }
   }
-  f || (console.log("Next steps:"), console.log(`  cd ${o}`), r === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log(
+  h || (console.log("Next steps:"), console.log(`  cd ${s}`), o === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log(
     "  ADMIN_EMAIL=admin@example.com ADMIN_PASSWORD=yourpassword npm run seed"
-  ), console.log("  npm run dev")) : r === "cloudflare" && (console.log("  npm install"), console.log(
+  ), console.log("  npm run dev")) : o === "cloudflare" ? (console.log("  npm install"), console.log(
     "  npm run migrate  # or npm run db:migrate:remote for production"
   ), console.log(
     "  ADMIN_EMAIL=admin@example.com ADMIN_PASSWORD=yourpassword npm run seed"
-  ), console.log("  npm run dev  # or npm run dev:remote for production")), console.log(`
+  ), console.log("  npm run dev  # or npm run dev:remote for production")) : o === "aws-sst" && (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("  # After deploy, get TABLE_NAME from output, then:"), console.log(
+    "  TABLE_NAME=<your-table> ADMIN_EMAIL=admin@example.com ADMIN_PASSWORD=yourpassword npm run seed"
+  )), console.log(`
 Server will be available at: https://localhost:3000`), console.log("Portal available at: https://local.authhero.net"), console.log(`
 For more information, visit: https://authhero.net/docs
 `));
 });
-I.parse(process.argv);
+b.parse(process.argv);

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.23.0",
+  "version": "0.25.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {