create-authhero 0.41.2 → 0.43.0

package/dist/create-authhero.js

@@ -1,164 +1,187 @@
 #!/usr/bin/env node
-import { Command as R } from "commander";
-import m from "inquirer";
-import i from "fs";
-import s from "path";
-import { fileURLToPath as O } from "url";
-import { spawn as U } from "child_process";
-const N = new R(), p = {
-  local: {
-    name: "Local (SQLite)",
-    description: "Local development setup with SQLite database - great for getting started",
-    templateDir: "local",
-    packageJson: (a, e, o, r, n) => {
-      const t = r ? "workspace:*" : "latest";
-      return {
-        name: a,
-        version: "1.0.0",
-        type: "module",
-        scripts: {
-          dev: "npx tsx watch src/index.ts",
-          start: "npx tsx src/index.ts",
-          migrate: "npx tsx src/migrate.ts",
-          seed: "npx tsx src/seed.ts"
-        },
-        dependencies: {
-          "@authhero/kysely-adapter": t,
-          ...n && { "@authhero/react-admin": t },
-          "@authhero/widget": t,
-          "@hono/swagger-ui": "^0.5.0",
-          "@hono/zod-openapi": "^0.19.0",
-          "@hono/node-server": "latest",
-          authhero: t,
-          "better-sqlite3": "latest",
-          hono: "^4.6.0",
-          kysely: "latest",
-          ...e && { "@authhero/multi-tenancy": t },
-          ...o && { bcryptjs: "latest" }
-        },
-        devDependencies: {
-          "@types/better-sqlite3": "^7.6.0",
-          "@types/node": "^20.0.0",
-          tsx: "^4.0.0",
-          typescript: "^5.5.0"
-        }
-      };
-    },
-    seedFile: "seed.ts"
-  },
-  cloudflare: {
-    name: "Cloudflare Workers (D1)",
-    description: "Cloudflare Workers setup with D1 database",
-    templateDir: "cloudflare",
-    packageJson: (a, e, o, r, n) => {
-      const t = r ? "workspace:*" : "latest";
-      return {
-        name: a,
-        version: "1.0.0",
-        type: "module",
-        scripts: {
-          postinstall: "node copy-assets.js",
-          "copy-assets": "node copy-assets.js",
-          dev: "node copy-assets.js && wrangler dev --port 3000 --local-protocol https",
-          "dev:remote": "node copy-assets.js && wrangler dev --port 3000 --local-protocol https --remote --config wrangler.local.toml",
-          deploy: "node copy-assets.js && wrangler deploy --config wrangler.local.toml",
-          "db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
-          "db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
-          migrate: "wrangler d1 migrations apply AUTH_DB --local",
-          "seed:local": "node seed-helper.js",
-          "seed:remote": "node seed-helper.js '' '' remote",
-          seed: "node seed-helper.js",
-          setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'"
-        },
-        dependencies: {
-          "@authhero/drizzle": t,
-          "@authhero/kysely-adapter": t,
-          ...n && { "@authhero/react-admin": t },
-          "@authhero/widget": t,
-          "@hono/swagger-ui": "^0.5.0",
-          "@hono/zod-openapi": "^0.19.0",
-          authhero: t,
-          hono: "^4.6.0",
-          kysely: "latest",
-          "kysely-d1": "latest",
-          ...e && { "@authhero/multi-tenancy": t },
-          ...o && { bcryptjs: "latest" }
-        },
-        devDependencies: {
-          "@cloudflare/workers-types": "^4.0.0",
-          "drizzle-kit": "^0.31.0",
-          "drizzle-orm": "^0.44.0",
-          typescript: "^5.5.0",
-          wrangler: "^3.0.0"
-        }
-      };
-    },
-    seedFile: "seed.ts"
-  },
-  "aws-sst": {
-    name: "AWS SST (Lambda + DynamoDB)",
-    description: "Serverless AWS deployment with Lambda, DynamoDB, and SST",
-    templateDir: "aws-sst",
-    packageJson: (a, e, o, r, n) => {
-      const t = r ? "workspace:*" : "latest";
-      return {
-        name: a,
-        version: "1.0.0",
-        type: "module",
-        scripts: {
-          dev: "sst dev",
-          deploy: "sst deploy --stage production",
-          remove: "sst remove",
-          seed: "npx tsx src/seed.ts",
-          "copy-assets": "node copy-assets.js"
-        },
-        dependencies: {
-          "@authhero/aws": t,
-          ...n && { "@authhero/react-admin": t },
-          "@authhero/widget": t,
-          "@aws-sdk/client-dynamodb": "^3.0.0",
-          "@aws-sdk/lib-dynamodb": "^3.0.0",
-          "@hono/swagger-ui": "^0.5.0",
-          "@hono/zod-openapi": "^0.19.0",
-          authhero: t,
-          hono: "^4.6.0",
-          ...e && { "@authhero/multi-tenancy": t },
-          ...o && { bcryptjs: "latest" }
-        },
-        devDependencies: {
-          "@types/aws-lambda": "^8.10.0",
-          "@types/node": "^20.0.0",
-          sst: "^3.0.0",
-          tsx: "^4.0.0",
-          typescript: "^5.5.0"
-        }
-      };
-    },
-    seedFile: "seed.ts"
-  }
+import { Command as e } from "commander";
+import t from "inquirer";
+import n from "fs";
+import r from "path";
+import { fileURLToPath as i } from "url";
+import { spawn as a } from "child_process";
+//#region src/index.ts
+var o = new e(), s = {
+	local: {
+		name: "Local (SQLite)",
+		description: "Local development setup with SQLite database - great for getting started",
+		templateDir: "local",
+		packageJson: (e, t, n, r, i) => {
+			let a = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					dev: "npx tsx watch src/index.ts",
+					start: "npx tsx src/index.ts",
+					migrate: "npx tsx src/migrate.ts",
+					seed: "npx tsx src/seed.ts"
+				},
+				dependencies: {
+					"@authhero/kysely-adapter": a,
+					...i && { "@authhero/admin": a },
+					"@authhero/widget": a,
+					"@hono/swagger-ui": "^0.5.0",
+					"@hono/zod-openapi": "^0.19.0",
+					"@hono/node-server": "latest",
+					authhero: a,
+					"better-sqlite3": "latest",
+					hono: "^4.6.0",
+					kysely: "latest",
+					...t && { "@authhero/multi-tenancy": a },
+					...n && { bcryptjs: "latest" }
+				},
+				devDependencies: {
+					"@types/better-sqlite3": "^7.6.0",
+					"@types/node": "^20.0.0",
+					tsx: "^4.0.0",
+					typescript: "^5.5.0"
+				}
+			};
+		},
+		seedFile: "seed.ts"
+	},
+	cloudflare: {
+		name: "Cloudflare Workers (D1)",
+		description: "Cloudflare Workers setup with D1 database",
+		templateDir: "cloudflare",
+		packageJson: (e, t, n, r, i) => {
+			let a = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					postinstall: "node copy-assets.js",
+					"copy-assets": "node copy-assets.js",
+					dev: "node copy-assets.js && wrangler dev --port 3000 --local-protocol https",
+					"dev:remote": "node copy-assets.js && wrangler dev --port 3000 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "node copy-assets.js && wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					"seed:local": "node seed-helper.js",
+					"seed:remote": "node seed-helper.js '' '' remote",
+					seed: "node seed-helper.js",
+					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'"
+				},
+				dependencies: {
+					"@authhero/drizzle": a,
+					"@authhero/kysely-adapter": a,
+					...i && { "@authhero/admin": a },
+					"@authhero/widget": a,
+					"@hono/swagger-ui": "^0.5.0",
+					"@hono/zod-openapi": "^0.19.0",
+					authhero: a,
+					hono: "^4.6.0",
+					kysely: "latest",
+					"kysely-d1": "latest",
+					...t && { "@authhero/multi-tenancy": a },
+					...n && { bcryptjs: "latest" }
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					"drizzle-orm": "^0.44.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		},
+		seedFile: "seed.ts"
+	},
+	proxy: {
+		name: "Proxy (Cloudflare Workers)",
+		description: "Host-based reverse proxy on Cloudflare Workers — static config, no DB",
+		templateDir: "proxy",
+		packageJson: (e, t, n, r) => ({
+			name: e,
+			version: "1.0.0",
+			type: "module",
+			scripts: {
+				dev: "wrangler dev --port 8787",
+				deploy: "wrangler deploy",
+				logs: "wrangler tail"
+			},
+			dependencies: {
+				"@authhero/proxy": r ? "workspace:*" : "latest",
+				hono: "^4.6.0"
+			},
+			devDependencies: {
+				"@cloudflare/workers-types": "^4.0.0",
+				"@types/node": "^20.0.0",
+				typescript: "^5.5.0",
+				wrangler: "^3.0.0"
+			}
+		})
+	},
+	"aws-sst": {
+		name: "AWS SST (Lambda + DynamoDB)",
+		description: "Serverless AWS deployment with Lambda, DynamoDB, and SST",
+		templateDir: "aws-sst",
+		packageJson: (e, t, n, r, i) => {
+			let a = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					dev: "sst dev",
+					deploy: "sst deploy --stage production",
+					remove: "sst remove",
+					seed: "npx tsx src/seed.ts",
+					"copy-assets": "node copy-assets.js"
+				},
+				dependencies: {
+					"@authhero/aws": a,
+					...i && { "@authhero/admin": a },
+					"@authhero/widget": a,
+					"@aws-sdk/client-dynamodb": "^3.0.0",
+					"@aws-sdk/lib-dynamodb": "^3.0.0",
+					"@hono/swagger-ui": "^0.5.0",
+					"@hono/zod-openapi": "^0.19.0",
+					authhero: a,
+					hono: "^4.6.0",
+					...t && { "@authhero/multi-tenancy": a },
+					...n && { bcryptjs: "latest" }
+				},
+				devDependencies: {
+					"@types/aws-lambda": "^8.10.0",
+					"@types/node": "^20.0.0",
+					sst: "^3.0.0",
+					tsx: "^4.0.0",
+					typescript: "^5.5.0"
+				}
+			};
+		},
+		seedFile: "seed.ts"
+	}
 };
-function P(a, e) {
-  i.readdirSync(a).forEach((r) => {
-    const n = s.join(a, r), t = s.join(e, r);
-    i.lstatSync(n).isDirectory() ? (i.mkdirSync(t, { recursive: !0 }), P(n, t)) : i.copyFileSync(n, t);
-  });
+function c(e, t) {
+	n.readdirSync(e).forEach((i) => {
+		let a = r.join(e, i), o = r.join(t, i);
+		n.lstatSync(a).isDirectory() ? (n.mkdirSync(o, { recursive: !0 }), c(a, o)) : n.copyFileSync(a, o);
+	});
 }
-function $(a, e = !1, o = "authhero-local", r) {
-  const n = a ? "control_plane" : "main", t = a ? "Control Plane" : "Main", c = [
-    "https://manage.authhero.net/auth-callback",
-    "https://local.authhero.net/auth-callback",
-    "http://localhost:5173/auth-callback",
-    "http://localhost:3000/auth-callback",
-    ...r ? ["http://localhost:3000/admin/auth-callback"] : []
-  ], d = e ? [
-    `https://localhost.emobix.co.uk:8443/test/a/${o}/callback`,
-    `https://localhost:8443/test/a/${o}/callback`
-  ] : [], f = [...c, ...d], h = [
-    "https://manage.authhero.net",
-    "https://local.authhero.net",
-    "http://localhost:5173",
-    "http://localhost:3000"
-  ], C = e ? ["https://localhost:8443/", "https://localhost.emobix.co.uk:8443/"] : [], y = [...h, ...C], _ = e ? `
+function l(e, t = !1, n = "authhero-local", r) {
+	let i = e ? "control_plane" : "main", a = e ? "Control Plane" : "Main", o = [
+		"https://manage.authhero.net/auth-callback",
+		"https://local.authhero.net/auth-callback",
+		"http://localhost:5173/auth-callback",
+		"http://localhost:3000/auth-callback",
+		...r ? ["http://localhost:3000/admin/auth-callback"] : []
+	], s = t ? [`https://localhost.emobix.co.uk:8443/test/a/${n}/callback`, `https://localhost:8443/test/a/${n}/callback`] : [], c = [...o, ...s], l = [
+		"https://manage.authhero.net",
+		"https://local.authhero.net",
+		"http://localhost:5173",
+		"http://localhost:3000"
+	], u = t ? ["https://localhost:8443/", "https://localhost.emobix.co.uk:8443/"] : [], d = [...l, ...u], f = t ? `
   // Create OpenID Conformance Suite test clients and user
   console.log("Creating conformance test clients and user...");
 
@@ -166,22 +189,26 @@ function $(a, e = !1, o = "authhero-local", r) {
   // requires either an explicit audience or a tenant default_audience to mint
   // an access token, so set one here for the conformance setup.
   // enable_dynamic_client_registration is required by the OIDCC dynamic plan,
-  // which has the suite register its own client via /oidc/register. Existing
-  // flags (e.g. inherit_global_permissions_in_organizations set by seed for
-  // the control-plane tenant) are merged in so the update doesn't clobber.
-  const existingTenant = await adapters.tenants.get("${n}");
-  await adapters.tenants.update("${n}", {
+  // which has the suite register its own client via /oidc/register. The
+  // OIDCC dynamic_client variant uses open DCR (no Initial Access Token), so
+  // dcr_require_initial_access_token must be flipped off — the AuthHero
+  // default is to require an IAT. Existing flags (e.g.
+  // inherit_global_permissions_in_organizations set by seed for the
+  // control-plane tenant) are merged in so the update doesn't clobber.
+  const existingTenant = await adapters.tenants.get("${i}");
+  await adapters.tenants.update("${i}", {
     default_audience: "urn:authhero:management",
     flags: {
       ...(existingTenant?.flags ?? {}),
       enable_dynamic_client_registration: true,
+      dcr_require_initial_access_token: false,
     },
   });
   console.log("✅ Set tenant default_audience and enabled DCR for conformance");
 
   const conformanceCallbacks = [
-    "https://localhost.emobix.co.uk:8443/test/a/${o}/callback",
-    "https://localhost:8443/test/a/${o}/callback",
+    "https://localhost.emobix.co.uk:8443/test/a/${n}/callback",
+    "https://localhost:8443/test/a/${n}/callback",
   ];
   const conformanceLogoutUrls = [
     "https://localhost:8443/",
@@ -192,46 +219,51 @@ function $(a, e = !1, o = "authhero-local", r) {
     "https://localhost.emobix.co.uk:8443",
   ];
 
-  try {
-    await adapters.clients.create("${n}", {
+  // Strict OIDC 5.4: scope-driven claims (profile/email/address/phone) belong
+  // in /userinfo whenever an access_token is co-issued at /authorize. The OIDF
+  // suite enforces this via EnsureIdTokenDoesNotContainEmailForScopeEmail;
+  // running the conformance tenant under Auth0-compatible defaults would WARN.
+  const conformanceClientSpecs = [
+    {
       client_id: "conformance-test",
       client_secret: "conformanceTestSecret123",
       name: "Conformance Test Client",
-      callbacks: conformanceCallbacks,
-      allowed_logout_urls: conformanceLogoutUrls,
-      web_origins: conformanceWebOrigins,
-    });
-    console.log("✅ Created conformance-test client");
-  } catch (e: any) {
-    if (e.message?.includes("UNIQUE constraint")) {
-      console.log("ℹ️  conformance-test client already exists");
-    } else {
-      throw e;
-    }
-  }
-
-  try {
-    await adapters.clients.create("${n}", {
+    },
+    {
       client_id: "conformance-test2",
       client_secret: "conformanceTestSecret456",
       name: "Conformance Test Client 2",
+    },
+  ];
+  for (const spec of conformanceClientSpecs) {
+    const desired = {
+      name: spec.name,
+      client_secret: spec.client_secret,
       callbacks: conformanceCallbacks,
       allowed_logout_urls: conformanceLogoutUrls,
       web_origins: conformanceWebOrigins,
-    });
-    console.log("✅ Created conformance-test2 client");
-  } catch (e: any) {
-    if (e.message?.includes("UNIQUE constraint")) {
-      console.log("ℹ️  conformance-test2 client already exists");
+      auth0_conformant: false,
+    };
+    // Idempotent reconcile: prior runs may have created the client with stale
+    // callbacks/web_origins after this seed file was changed. Update existing
+    // records in place rather than just logging "already exists".
+    const existing = await adapters.clients.get("${i}", spec.client_id);
+    if (existing) {
+      await adapters.clients.update("${i}", spec.client_id, desired);
+      console.log(\`🔄 Updated \${spec.client_id} client\`);
     } else {
-      throw e;
+      await adapters.clients.create("${i}", {
+        client_id: spec.client_id,
+        ...desired,
+      });
+      console.log(\`✅ Created \${spec.client_id} client\`);
     }
   }
 
   // Create a conformance test user with ALL OIDC profile claims populated
   // This is required for OIDCC-5.4 (VerifyScopesReturnedInUserInfoClaims) test
   try {
-    await adapters.users.create("${n}", {
+    await adapters.users.create("${i}", {
       user_id: \`\${USERNAME_PASSWORD_PROVIDER}|conformance-user\`,
       email: "conformance@example.com",
       email_verified: true,
@@ -266,7 +298,7 @@ function $(a, e = !1, o = "authhero-local", r) {
   try {
     const bcrypt = await import("bcryptjs");
     const hashedPassword = await bcrypt.hash("ConformanceTest123!", 10);
-    await adapters.passwords.create("${n}", {
+    await adapters.passwords.create("${i}", {
       user_id: \`\${USERNAME_PASSWORD_PROVIDER}|conformance-user\`,
       password: hashedPassword,
     });
@@ -279,10 +311,10 @@ function $(a, e = !1, o = "authhero-local", r) {
     }
   }
 ` : "";
-  return `import { SqliteDialect, Kysely } from "kysely";
+	return `import { SqliteDialect, Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
-import { seed${e ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
+import { seed${t ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
 
 interface ExtraClient {
   client_id: string;
@@ -341,12 +373,12 @@ async function main() {
   const seedResult = await seed(adapters, {
     adminUsername,
     adminPassword,
-    tenantId: "${n}",
-    tenantName: "${t}",
-    isControlPlane: ${!!a},
+    tenantId: "${i}",
+    tenantName: "${a}",
+    isControlPlane: ${!!e},
     clientId: "default",
-    callbacks: ${JSON.stringify(f)},
-    allowedLogoutUrls: ${JSON.stringify(y)},
+    callbacks: ${JSON.stringify(c)},
+    allowedLogoutUrls: ${JSON.stringify(d)},
   });
 
   for (const c of extraClients) {
@@ -375,7 +407,7 @@ async function main() {
     await adapters.users.update(seedResult.tenantId, seedResult.userId, userProfile);
     console.log(\`✅ Updated profile of user "\${seedResult.username}"\`);
   }
-${_}
+${f}
   await db.destroy();
 }
 
@@ -385,15 +417,8 @@ main().catch((err) => {
 });
 `;
 }
-function L(a, e) {
-  const o = e ? `import fs from "fs";
-` : "", r = e ? `
-const adminDistPath = path.resolve(
-  __dirname,
-  "../node_modules/@authhero/react-admin/dist",
-);
-const adminIndexPath = path.join(adminDistPath, "index.html");
-` : "", n = e ? `
+function u(e, t) {
+	let n = t ? "import fs from \"fs\";\n" : "", r = t ? "\nconst adminDistPath = path.resolve(\n  __dirname,\n  \"../node_modules/@authhero/admin/dist\",\n);\nconst adminIndexPath = path.join(adminDistPath, \"index.html\");\n" : "", i = t ? `
   // Add admin UI handler if the package is installed
   if (fs.existsSync(adminIndexPath)) {
     const issuer =
@@ -403,7 +428,7 @@ const adminIndexPath = path.join(adminDistPath, "index.html");
       .replace(/href="\\.\\//g, 'href="/admin/');
     const configJson = JSON.stringify({
       domain: issuer.replace(/\\/$/, ""),
-      clientId: ${a ? "CONTROL_PLANE_CLIENT_ID," : '"default",'}
+      clientId: ${e ? "CONTROL_PLANE_CLIENT_ID," : "\"default\","}
       basePath: "/admin",
     }).replace(/</g, "\\\\u003c");
     configWithHandlers.adminIndexHtml = rawHtml.replace(
@@ -416,13 +441,13 @@ const adminIndexPath = path.join(adminDistPath, "index.html");
     });
   }
 ` : "";
-  return a ? `import { Context } from "hono";
+	return e ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { serveStatic } from "@hono/node-server/serve-static";
 import { initMultiTenant } from "@authhero/multi-tenancy";
 import path from "path";
-${o}import { fileURLToPath } from "url";
+${n}import { fileURLToPath } from "url";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -443,7 +468,7 @@ export default function createApp(config: AuthHeroConfig & { dataAdapter: DataAd
       rewriteRequestPath: (p) => p.replace("/u/widget", ""),
     }),
   };
-${n}
+${i}
   // Initialize multi-tenant AuthHero - syncs resource servers, roles, and connections by default
   const { app } = initMultiTenant({
     ...configWithHandlers,
@@ -480,7 +505,7 @@ import { AuthHeroConfig, init } from "authhero";
 import { swaggerUI } from "@hono/swagger-ui";
 import { serveStatic } from "@hono/node-server/serve-static";
 import path from "path";
-${o}import { fileURLToPath } from "url";
+${n}import { fileURLToPath } from "url";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -497,7 +522,7 @@ export default function createApp(config: AuthHeroConfig) {
       rewriteRequestPath: (p) => p.replace("/u/widget", ""),
     }),
   };
-${n}
+${i}
   const { app } = init(configWithHandlers);
 
   app
@@ -521,8 +546,8 @@ ${n}
 }
 `;
 }
-function j(a) {
-  return `import { D1Dialect } from "kysely-d1";
+function d(e) {
+	return `import { D1Dialect } from "kysely-d1";
 import { Kysely } from "kysely";
 import createAdapters from "@authhero/kysely-adapter";
 import { seed } from "authhero";
@@ -548,9 +573,9 @@ export default {
         adminUsername,
         adminPassword,
         issuer,
-        tenantId: "${a ? "control_plane" : "main"}",
-        tenantName: "${a ? "Control Plane" : "Main"}",
-        isControlPlane: ${!!a},
+        tenantId: "${e ? "control_plane" : "main"}",
+        tenantName: "${e ? "Control Plane" : "Main"}",
+        isControlPlane: ${!!e},
         clientId: "default",
       });
 
@@ -582,15 +607,13 @@ export default {
 };
 `;
 }
-function H(a, e) {
-  const o = e ? `import adminIndexHtml from "./admin-index-html";
-` : "", r = e ? `    adminIndexHtml,
-` : "";
-  return a ? `import { Context } from "hono";
+function f(e, t) {
+	let n = t ? "import adminIndexHtml from \"./admin-index-html\";\n" : "", r = t ? "    adminIndexHtml,\n" : "";
+	return e ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { initMultiTenant } from "@authhero/multi-tenancy";
-${o}
+${n}
 // Control plane configuration
 const CONTROL_PLANE_TENANT_ID = "control_plane";
 const CONTROL_PLANE_CLIENT_ID = "default";
@@ -631,7 +654,7 @@ ${r}    controlPlane: {
 import { cors } from "hono/cors";
 import { AuthHeroConfig, init } from "authhero";
 import { swaggerUI } from "@hono/swagger-ui";
-${o}
+${n}
 export default function createApp(config: AuthHeroConfig) {
   const { app } = init({
     ...config,
@@ -667,114 +690,11 @@ ${r}  });
 }
 `;
 }
-function M(a) {
-  return a ? `import { Context } from "hono";
-import { swaggerUI } from "@hono/swagger-ui";
-import { AuthHeroConfig, DataAdapters } from "authhero";
-import { initMultiTenant } from "@authhero/multi-tenancy";
-
-// Control plane configuration
-const CONTROL_PLANE_TENANT_ID = "control_plane";
-const CONTROL_PLANE_CLIENT_ID = "default";
-
-interface AppConfig extends AuthHeroConfig {
-  dataAdapter: DataAdapters;
-  widgetUrl: string;
-}
-
-export default function createApp(config: AppConfig) {
-  // Initialize multi-tenant AuthHero
-  const { app } = initMultiTenant({
-    ...config,
-    controlPlane: {
-      tenantId: CONTROL_PLANE_TENANT_ID,
-      clientId: CONTROL_PLANE_CLIENT_ID,
-    },
-  });
-
-  app
-    .onError((err, ctx) => {
-      if (err && typeof err === "object" && "getResponse" in err) {
-        return (err as { getResponse: () => Response }).getResponse();
-      }
-      console.error(err);
-      return ctx.text(err instanceof Error ? err.message : "Internal Server Error", 500);
-    })
-    .get("/", async (ctx: Context) => {
-      return ctx.json({
-        name: "AuthHero Multi-Tenant Server (AWS)",
-        version: "1.0.0",
-        status: "running",
-        docs: "/docs",
-        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,
-      });
-    })
-    .get("/docs", swaggerUI({ url: "/api/v2/spec" }))
-    // Redirect widget requests to S3/CloudFront
-    .get("/u/widget/*", async (ctx) => {
-      const file = ctx.req.path.replace("/u/widget/", "");
-      return ctx.redirect(\`\${config.widgetUrl}/u/widget/\${file}\`);
-    })
-    .get("/u/*", async (ctx) => {
-      const file = ctx.req.path.replace("/u/", "");
-      return ctx.redirect(\`\${config.widgetUrl}/u/\${file}\`);
-    });
-
-  return app;
+function p(e) {
+	return e ? "import { Context } from \"hono\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\nimport { AuthHeroConfig, DataAdapters } from \"authhero\";\nimport { initMultiTenant } from \"@authhero/multi-tenancy\";\n\n// Control plane configuration\nconst CONTROL_PLANE_TENANT_ID = \"control_plane\";\nconst CONTROL_PLANE_CLIENT_ID = \"default\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  // Initialize multi-tenant AuthHero\n  const { app } = initMultiTenant({\n    ...config,\n    controlPlane: {\n      tenantId: CONTROL_PLANE_TENANT_ID,\n      clientId: CONTROL_PLANE_CLIENT_ID,\n    },\n  });\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Multi-Tenant Server (AWS)\",\n        version: \"1.0.0\",\n        status: \"running\",\n        docs: \"/docs\",\n        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n" : "import { Context } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { AuthHeroConfig, init, DataAdapters } from \"authhero\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  const { app } = init(config);\n\n  // Enable CORS for all origins in development\n  app.use(\"*\", cors({\n    origin: (origin) => origin || \"*\",\n    allowMethods: [\"GET\", \"POST\", \"PUT\", \"DELETE\", \"PATCH\", \"OPTIONS\"],\n    allowHeaders: [\"Content-Type\", \"Authorization\", \"Auth0-Client\"],\n    exposeHeaders: [\"Content-Length\"],\n    credentials: true,\n  }));\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Server (AWS)\",\n        status: \"running\",\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n";
 }
-` : `import { Context } from "hono";
-import { cors } from "hono/cors";
-import { AuthHeroConfig, init, DataAdapters } from "authhero";
-import { swaggerUI } from "@hono/swagger-ui";
-
-interface AppConfig extends AuthHeroConfig {
-  dataAdapter: DataAdapters;
-  widgetUrl: string;
-}
-
-export default function createApp(config: AppConfig) {
-  const { app } = init(config);
-
-  // Enable CORS for all origins in development
-  app.use("*", cors({
-    origin: (origin) => origin || "*",
-    allowMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Authorization", "Auth0-Client"],
-    exposeHeaders: ["Content-Length"],
-    credentials: true,
-  }));
-
-  app
-    .onError((err, ctx) => {
-      if (err && typeof err === "object" && "getResponse" in err) {
-        return (err as { getResponse: () => Response }).getResponse();
-      }
-      console.error(err);
-      return ctx.text(err instanceof Error ? err.message : "Internal Server Error", 500);
-    })
-    .get("/", async (ctx: Context) => {
-      return ctx.json({
-        name: "AuthHero Server (AWS)",
-        status: "running",
-      });
-    })
-    .get("/docs", swaggerUI({ url: "/api/v2/spec" }))
-    // Redirect widget requests to S3/CloudFront
-    .get("/u/widget/*", async (ctx) => {
-      const file = ctx.req.path.replace("/u/widget/", "");
-      return ctx.redirect(\`\${config.widgetUrl}/u/widget/\${file}\`);
-    })
-    .get("/u/*", async (ctx) => {
-      const file = ctx.req.path.replace("/u/", "");
-      return ctx.redirect(\`\${config.widgetUrl}/u/\${file}\`);
-    });
-
-  return app;
-}
-`;
-}
-function F(a) {
-  return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+function m(e) {
+	return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
 import { seed } from "authhero";
@@ -802,9 +722,9 @@ async function main() {
   await seed(adapters, {
     adminUsername,
     adminPassword,
-    tenantId: "${a ? "control_plane" : "main"}",
-    tenantName: "${a ? "Control Plane" : "Main"}",
-    isControlPlane: ${!!a},
+    tenantId: "${e ? "control_plane" : "main"}",
+    tenantName: "${e ? "Control Plane" : "Main"}",
+    isControlPlane: ${!!e},
   });
 
   console.log("✅ Database seeded successfully!");
@@ -813,408 +733,223 @@ async function main() {
 main().catch(console.error);
 `;
 }
-function W(a, e) {
-  const o = s.join(a, "src");
-  i.writeFileSync(
-    s.join(o, "app.ts"),
-    M(e)
-  ), i.writeFileSync(
-    s.join(o, "seed.ts"),
-    F(e)
-  );
+function h(e, t) {
+	let i = r.join(e, "src");
+	n.writeFileSync(r.join(i, "app.ts"), p(t)), n.writeFileSync(r.join(i, "seed.ts"), m(t));
 }
-function k() {
-  console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🚀 Open your server URL /setup to complete initial setup"), console.log("🌐 Portal available at https://local.authhero.net"), console.log("─".repeat(50) + "\\n");
+function g() {
+	console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🚀 Open your server URL /setup to complete initial setup"), console.log("🌐 Portal available at https://local.authhero.net"), console.log("─".repeat(50) + "\\n");
 }
-function q(a) {
-  const e = s.join(a, ".github", "workflows");
-  i.mkdirSync(e, { recursive: !0 });
-  const o = `name: Unit tests
-
-on: push
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - run: npm run type-check
-      - run: npm test
-`, r = `name: Deploy to Dev
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  release:
-    name: Release and Deploy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Release
-        env:
-          GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-        run: npx semantic-release
-
-      - name: Deploy to Cloudflare (Dev)
-        uses: cloudflare/wrangler-action@v3
-        with:
-          apiToken: \${{ secrets.CLOUDFLARE_API_TOKEN }}
-          command: deploy
-`, n = `name: Deploy to Production
-
-on:
-  release:
-    types: ["released"]
-
-jobs:
-  deploy:
-    name: Deploy to Production
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Deploy to Cloudflare (Production)
-        uses: cloudflare/wrangler-action@v3
-        with:
-          apiToken: \${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}
-          command: deploy --env production
-`;
-  i.writeFileSync(s.join(e, "unit-tests.yml"), o), i.writeFileSync(s.join(e, "deploy-dev.yml"), r), i.writeFileSync(s.join(e, "release.yml"), n), console.log("\\n📦 GitHub CI workflows created!");
+function _(e) {
+	let t = r.join(e, ".github", "workflows");
+	n.mkdirSync(t, { recursive: !0 }), n.writeFileSync(r.join(t, "unit-tests.yml"), "name: Unit tests\n\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - run: npm run type-check\n      - run: npm test\n"), n.writeFileSync(r.join(t, "deploy-dev.yml"), "name: Deploy to Dev\n\non:\n  push:\n    branches:\n      - main\n\njobs:\n  release:\n    name: Release and Deploy\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Release\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        run: npx semantic-release\n\n      - name: Deploy to Cloudflare (Dev)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}\n          command: deploy\n"), n.writeFileSync(r.join(t, "release.yml"), "name: Deploy to Production\n\non:\n  release:\n    types: [\"released\"]\n\njobs:\n  deploy:\n    name: Deploy to Production\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Deploy to Cloudflare (Production)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}\n          command: deploy --env production\n"), console.log("\\n📦 GitHub CI workflows created!");
 }
-function J(a) {
-  const e = {
-    branches: ["main"],
-    plugins: [
-      "@semantic-release/commit-analyzer",
-      "@semantic-release/release-notes-generator",
-      "@semantic-release/github"
-    ]
-  };
-  i.writeFileSync(
-    s.join(a, ".releaserc.json"),
-    JSON.stringify(e, null, 2)
-  );
-  const o = s.join(a, "package.json"), r = JSON.parse(i.readFileSync(o, "utf-8"));
-  r.devDependencies = {
-    ...r.devDependencies,
-    "semantic-release": "^24.0.0"
-  }, r.scripts = {
-    ...r.scripts,
-    test: 'echo "No tests yet"',
-    "type-check": "tsc --noEmit"
-  }, i.writeFileSync(o, JSON.stringify(r, null, 2));
+function v(e) {
+	n.writeFileSync(r.join(e, ".releaserc.json"), JSON.stringify({
+		branches: ["main"],
+		plugins: [
+			"@semantic-release/commit-analyzer",
+			"@semantic-release/release-notes-generator",
+			"@semantic-release/github"
+		]
+	}, null, 2));
+	let t = r.join(e, "package.json"), i = JSON.parse(n.readFileSync(t, "utf-8"));
+	i.devDependencies = {
+		...i.devDependencies,
+		"semantic-release": "^24.0.0"
+	}, i.scripts = {
+		...i.scripts,
+		test: "echo \"No tests yet\"",
+		"type-check": "tsc --noEmit"
+	}, n.writeFileSync(t, JSON.stringify(i, null, 2));
 }
-function A(a, e) {
-  return new Promise((o, r) => {
-    const n = U(a, [], {
-      cwd: e,
-      shell: !0,
-      stdio: "inherit"
-    });
-    n.on("close", (t) => {
-      t === 0 ? o() : r(new Error(`Command failed with exit code ${t}`));
-    }), n.on("error", r);
-  });
+function y(e, t) {
+	return new Promise((n, r) => {
+		let i = a(e, [], {
+			cwd: t,
+			shell: !0,
+			stdio: "inherit"
+		});
+		i.on("close", (e) => {
+			e === 0 ? n() : r(/* @__PURE__ */ Error(`Command failed with exit code ${e}`));
+		}), i.on("error", r);
+	});
 }
-function z(a, e, o) {
-  const r = s.join(a, "src");
-  i.writeFileSync(
-    s.join(r, "app.ts"),
-    H(e, o)
-  ), i.writeFileSync(
-    s.join(r, "seed.ts"),
-    j(e)
-  );
+function b(e, t, i) {
+	let a = r.join(e, "src");
+	n.writeFileSync(r.join(a, "app.ts"), f(t, i)), n.writeFileSync(r.join(a, "seed.ts"), d(t));
 }
-function D() {
-  console.log(`
-` + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + `
-`);
+function x() {
+	console.log("\n" + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
-function T() {
-  console.log(`
-` + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + `
-`);
+function S() {
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
 }
-N.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local or cloudflare").option(
-  "--package-manager <pm>",
-  "package manager to use: npm, yarn, pnpm, or bun"
-).option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option(
-  "--conformance-alias <alias>",
-  "alias for conformance suite (default: authhero-local)"
-).option(
-  "--workspace",
-  "use workspace:* dependencies for local monorepo development"
-).option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (a, e) => {
-  const o = e.yes === !0;
-  console.log(`
-🔐 Welcome to AuthHero!
-`);
-  let r = a;
-  r || (o ? (r = "auth-server", console.log(`Using default project name: ${r}`)) : r = (await m.prompt([
-    {
-      type: "input",
-      name: "projectName",
-      message: "Project name:",
-      default: "auth-server",
-      validate: (u) => u !== "" || "Project name cannot be empty"
-    }
-  ])).projectName);
-  const n = s.join(process.cwd(), r);
-  i.existsSync(n) && (console.error(`❌ Project "${r}" already exists.`), process.exit(1));
-  let t;
-  e.template ? (["local", "cloudflare", "aws-sst"].includes(e.template) || (console.error(`❌ Invalid template: ${e.template}`), console.error("Valid options: local, cloudflare, aws-sst"), process.exit(1)), t = e.template, console.log(`Using template: ${p[t].name}`)) : t = (await m.prompt([
-    {
-      type: "list",
-      name: "setupType",
-      message: "Select your setup type:",
-      choices: [
-        {
-          name: `${p.local.name}
-     ${p.local.description}`,
-          value: "local",
-          short: p.local.name
-        },
-        {
-          name: `${p.cloudflare.name}
-     ${p.cloudflare.description}`,
-          value: "cloudflare",
-          short: p.cloudflare.name
-        },
-        {
-          name: `${p["aws-sst"].name}
-     ${p["aws-sst"].description}`,
-          value: "aws-sst",
-          short: p["aws-sst"].name
-        }
-      ]
-    }
-  ])).setupType;
-  let c;
-  e.multiTenant !== void 0 ? c = e.multiTenant : o ? c = !1 : c = (await m.prompt([
-    {
-      type: "confirm",
-      name: "multiTenant",
-      message: "Would you like to enable multi-tenant mode?",
-      default: !1
-    }
-  ])).multiTenant, c && console.log("Multi-tenant mode: enabled");
-  let d = !1;
-  (t === "local" || t === "cloudflare") && (e.adminUi !== void 0 ? d = e.adminUi : o ? d = !0 : d = (await m.prompt([
-    {
-      type: "confirm",
-      name: "adminUi",
-      message: "Would you like to include the admin UI at /admin?",
-      default: !0
-    }
-  ])).adminUi, d && console.log("Admin UI: enabled (available at /admin)"));
-  const f = e.conformance || !1, h = e.conformanceAlias || "authhero-local";
-  f && console.log(
-    `OpenID Conformance Suite: enabled (alias: ${h})`
-  );
-  const C = e.workspace || !1;
-  C && console.log("Workspace mode: enabled (using workspace:* dependencies)");
-  const y = p[t];
-  i.mkdirSync(n, { recursive: !0 }), i.writeFileSync(
-    s.join(n, "package.json"),
-    JSON.stringify(
-      y.packageJson(
-        r,
-        c,
-        f,
-        C,
-        d
-      ),
-      null,
-      2
-    )
-  );
-  const _ = y.templateDir, S = s.dirname(O(import.meta.url)), x = [
-    s.join(S, _),
-    s.join(S, "..", "templates", _)
-  ], I = x.find((l) => i.existsSync(l));
-  if (I ? P(I, n) : (console.error(
-    `❌ Template directory not found. Looked in:
-  ${x.join(`
-  `)}`
-  ), process.exit(1)), t === "cloudflare" && z(n, c, d), t === "cloudflare") {
-    const l = s.join(n, "wrangler.toml"), u = s.join(n, "wrangler.local.toml");
-    i.existsSync(l) && i.copyFileSync(l, u);
-    const g = s.join(n, ".dev.vars.example"), w = s.join(n, ".dev.vars");
-    i.existsSync(g) && i.copyFileSync(g, w), console.log(
-      "📁 Created wrangler.local.toml and .dev.vars for local development"
-    );
-  }
-  let b = !1;
-  if (t === "cloudflare" && (e.githubCi !== void 0 ? (b = e.githubCi, b && console.log("Including GitHub CI workflows with semantic versioning")) : o || (b = (await m.prompt([
-    {
-      type: "confirm",
-      name: "includeGithubCi",
-      message: "Would you like to include GitHub CI with semantic versioning?",
-      default: !1
-    }
-  ])).includeGithubCi), b && (q(n), J(n))), t === "local") {
-    const l = $(
-      c,
-      f,
-      h,
-      d
-    );
-    i.writeFileSync(s.join(n, "src/seed.ts"), l);
-    const u = L(c, d);
-    i.writeFileSync(s.join(n, "src/app.ts"), u);
-  }
-  if (t === "aws-sst" && W(n, c), f) {
-    const l = {
-      alias: h,
-      description: "AuthHero Conformance Test",
-      server: {
-        discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration"
-      },
-      client: {
-        client_id: "conformance-test",
-        client_secret: "conformanceTestSecret123"
-      },
-      client2: {
-        client_id: "conformance-test2",
-        client_secret: "conformanceTestSecret456"
-      },
-      resource: {
-        resourceUrl: "http://host.docker.internal:3000/userinfo"
-      }
-    };
-    i.writeFileSync(
-      s.join(n, "conformance-config.json"),
-      JSON.stringify(l, null, 2)
-    ), console.log(
-      "📝 Created conformance-config.json for OpenID Conformance Suite"
-    );
-  }
-  const E = c ? "multi-tenant" : "single-tenant";
-  console.log(
-    `
-✅ Project "${r}" has been created with ${y.name} (${E}) setup!
-`
-  );
-  let v;
-  if (e.skipInstall ? v = !1 : o ? v = !0 : v = (await m.prompt([
-    {
-      type: "confirm",
-      name: "shouldInstall",
-      message: "Would you like to install dependencies now?",
-      default: !0
-    }
-  ])).shouldInstall, v) {
-    let l;
-    e.packageManager ? (["npm", "yarn", "pnpm", "bun"].includes(e.packageManager) || (console.error(
-      `❌ Invalid package manager: ${e.packageManager}`
-    ), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), l = e.packageManager) : o ? l = "pnpm" : l = (await m.prompt([
-      {
-        type: "list",
-        name: "packageManager",
-        message: "Which package manager would you like to use?",
-        choices: [
-          { name: "pnpm", value: "pnpm" },
-          { name: "npm", value: "npm" },
-          { name: "yarn", value: "yarn" },
-          { name: "bun", value: "bun" }
-        ],
-        default: "pnpm"
-      }
-    ])).packageManager, console.log(`
-📦 Installing dependencies with ${l}...
-`);
-    try {
-      const u = l === "pnpm" ? "pnpm install --ignore-workspace" : `${l} install`;
-      if (await A(u, n), t === "local" && (console.log(`
-🔧 Building native modules...
-`), await A("npm rebuild better-sqlite3", n)), console.log(`
-✅ Dependencies installed successfully!
-`), (t === "local" || t === "cloudflare") && !e.skipMigrate) {
-        let w;
-        o ? w = !0 : w = (await m.prompt([
-          {
-            type: "confirm",
-            name: "shouldMigrate",
-            message: "Would you like to run database migrations?",
-            default: !0
-          }
-        ])).shouldMigrate, w && (console.log(`
-🔄 Running migrations...
-`), await A(`${l} run migrate`, n));
-      }
-      let g;
-      e.skipStart || o ? g = !1 : g = (await m.prompt([
-        {
-          type: "confirm",
-          name: "shouldStart",
-          message: "Would you like to start the development server?",
-          default: !0
-        }
-      ])).shouldStart, g && (t === "cloudflare" ? D() : t === "aws-sst" ? k() : T(), console.log(`🚀 Starting development server...
-`), await A(`${l} run dev`, n)), o && !g && (console.log(`
-✅ Setup complete!`), console.log(`
-To start the development server:`), console.log(`  cd ${r}`), console.log("  npm run dev"), t === "cloudflare" ? D() : t === "aws-sst" ? k() : T());
-    } catch (u) {
-      console.error(`
-❌ An error occurred:`, u), process.exit(1);
-    }
-  }
-  v || (console.log("Next steps:"), console.log(`  cd ${r}`), t === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log(
-    `
-Open http://localhost:3000/setup to complete initial setup`
-  )) : t === "cloudflare" ? (console.log("  npm install"), console.log(
-    "  npm run migrate  # or npm run db:migrate:remote for production"
-  ), console.log("  npm run dev  # or npm run dev:remote for production"), console.log(
-    `
-Open https://localhost:3000/setup to complete initial setup`
-  )) : t === "aws-sst" && (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log(`
-Open your server URL /setup to complete initial setup`)), console.log(`
-Server will be available at: http://localhost:3000`), f && (console.log(`
-🧪 OpenID Conformance Suite Testing:`), console.log(
-    "  1. Clone and start the conformance suite (if not already running):"
-  ), console.log(
-    "     git clone https://gitlab.com/openid/conformance-suite.git"
-  ), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log(
-    "  3. Create a test plan and use conformance-config.json for settings"
-  ), console.log(`  4. Use alias: ${h}`)), console.log(`
-For more information, visit: https://authhero.net/docs
-`));
-});
-N.parse(process.argv);
+function C() {
+	console.log("\n" + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
+}
+o.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, a) => {
+	let o = a.yes === !0;
+	console.log("\n🔐 Welcome to AuthHero!\n");
+	let d = e;
+	d || (o ? (d = "auth-server", console.log(`Using default project name: ${d}`)) : d = (await t.prompt([{
+		type: "input",
+		name: "projectName",
+		message: "Project name:",
+		default: "auth-server",
+		validate: (e) => e !== "" || "Project name cannot be empty"
+	}])).projectName);
+	let f = r.join(process.cwd(), d);
+	n.existsSync(f) && (console.error(`❌ Project "${d}" already exists.`), process.exit(1));
+	let p;
+	a.template ? ([
+		"local",
+		"cloudflare",
+		"aws-sst",
+		"proxy"
+	].includes(a.template) || (console.error(`❌ Invalid template: ${a.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), p = a.template, console.log(`Using template: ${s[p].name}`)) : p = (await t.prompt([{
+		type: "list",
+		name: "setupType",
+		message: "Select your setup type:",
+		choices: [
+			{
+				name: `${s.local.name}\n     ${s.local.description}`,
+				value: "local",
+				short: s.local.name
+			},
+			{
+				name: `${s.cloudflare.name}\n     ${s.cloudflare.description}`,
+				value: "cloudflare",
+				short: s.cloudflare.name
+			},
+			{
+				name: `${s["aws-sst"].name}\n     ${s["aws-sst"].description}`,
+				value: "aws-sst",
+				short: s["aws-sst"].name
+			},
+			{
+				name: `${s.proxy.name}\n     ${s.proxy.description}`,
+				value: "proxy",
+				short: s.proxy.name
+			}
+		]
+	}])).setupType;
+	let m;
+	m = p === "proxy" ? !1 : a.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
+		type: "confirm",
+		name: "multiTenant",
+		message: "Would you like to enable multi-tenant mode?",
+		default: !1
+	}])).multiTenant : a.multiTenant, m && console.log("Multi-tenant mode: enabled");
+	let w = !1;
+	(p === "local" || p === "cloudflare") && (w = a.adminUi === void 0 ? o ? !0 : (await t.prompt([{
+		type: "confirm",
+		name: "adminUi",
+		message: "Would you like to include the admin UI at /admin?",
+		default: !0
+	}])).adminUi : a.adminUi, w && console.log("Admin UI: enabled (available at /admin)"));
+	let T = a.conformance || !1, E = a.conformanceAlias || "authhero-local";
+	T && console.log(`OpenID Conformance Suite: enabled (alias: ${E})`);
+	let D = a.workspace || !1;
+	D && console.log("Workspace mode: enabled (using workspace:* dependencies)");
+	let O = s[p];
+	n.mkdirSync(f, { recursive: !0 }), n.writeFileSync(r.join(f, "package.json"), JSON.stringify(O.packageJson(d, m, T, D, w), null, 2));
+	let k = O.templateDir, A = r.dirname(i(import.meta.url)), j = [r.join(A, k), r.join(A, "..", "templates", k)], M = j.find((e) => n.existsSync(e));
+	if (M ? c(M, f) : (console.error(`❌ Template directory not found. Looked in:\n  ${j.join("\n  ")}`), process.exit(1)), p === "cloudflare" && b(f, m, w), p === "cloudflare") {
+		let e = r.join(f, "wrangler.toml"), t = r.join(f, "wrangler.local.toml");
+		n.existsSync(e) && n.copyFileSync(e, t);
+		let i = r.join(f, ".dev.vars.example"), a = r.join(f, ".dev.vars");
+		n.existsSync(i) && n.copyFileSync(i, a), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+	}
+	let N = !1;
+	if (p === "cloudflare" && (a.githubCi === void 0 ? o || (N = (await t.prompt([{
+		type: "confirm",
+		name: "includeGithubCi",
+		message: "Would you like to include GitHub CI with semantic versioning?",
+		default: !1
+	}])).includeGithubCi) : (N = a.githubCi, N && console.log("Including GitHub CI workflows with semantic versioning")), N && (_(f), v(f))), p === "local") {
+		let e = l(m, T, E, w);
+		n.writeFileSync(r.join(f, "src/seed.ts"), e);
+		let t = u(m, w);
+		n.writeFileSync(r.join(f, "src/app.ts"), t);
+	}
+	if (p === "aws-sst" && h(f, m), T) {
+		let e = {
+			alias: E,
+			description: "AuthHero Conformance Test",
+			server: { discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration" },
+			client: {
+				client_id: "conformance-test",
+				client_secret: "conformanceTestSecret123"
+			},
+			client2: {
+				client_id: "conformance-test2",
+				client_secret: "conformanceTestSecret456"
+			},
+			resource: { resourceUrl: "http://host.docker.internal:3000/userinfo" }
+		};
+		n.writeFileSync(r.join(f, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
+	}
+	let P = m ? "multi-tenant" : "single-tenant";
+	console.log(`\n✅ Project "${d}" has been created with ${O.name} (${P}) setup!\n`);
+	let F;
+	if (F = a.skipInstall ? !1 : o ? !0 : (await t.prompt([{
+		type: "confirm",
+		name: "shouldInstall",
+		message: "Would you like to install dependencies now?",
+		default: !0
+	}])).shouldInstall, F) {
+		let e;
+		a.packageManager ? ([
+			"npm",
+			"yarn",
+			"pnpm",
+			"bun"
+		].includes(a.packageManager) || (console.error(`❌ Invalid package manager: ${a.packageManager}`), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), e = a.packageManager) : e = o ? "pnpm" : (await t.prompt([{
+			type: "list",
+			name: "packageManager",
+			message: "Which package manager would you like to use?",
+			choices: [
+				{
+					name: "pnpm",
+					value: "pnpm"
+				},
+				{
+					name: "npm",
+					value: "npm"
+				},
+				{
+					name: "yarn",
+					value: "yarn"
+				},
+				{
+					name: "bun",
+					value: "bun"
+				}
+			],
+			default: "pnpm"
+		}])).packageManager, console.log(`\n📦 Installing dependencies with ${e}...\n`);
+		try {
+			if (await y(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, f), p === "local" && (console.log("\n🔧 Building native modules...\n"), await y("npm rebuild better-sqlite3", f)), console.log("\n✅ Dependencies installed successfully!\n"), (p === "local" || p === "cloudflare") && !a.skipMigrate) {
+				let n;
+				n = o ? !0 : (await t.prompt([{
+					type: "confirm",
+					name: "shouldMigrate",
+					message: "Would you like to run database migrations?",
+					default: !0
+				}])).shouldMigrate, n && (console.log("\n🔄 Running migrations...\n"), await y(`${e} run migrate`, f));
+			}
+			let n;
+			n = a.skipStart || o ? !1 : (await t.prompt([{
+				type: "confirm",
+				name: "shouldStart",
+				message: "Would you like to start the development server?",
+				default: !0
+			}])).shouldStart, n && (p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C(), console.log("🚀 Starting development server...\n"), await y(`${e} run dev`, f)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${d}`), console.log("  npm run dev"), p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C());
+		} catch (e) {
+			console.error("\n❌ An error occurred:", e), process.exit(1);
+		}
+	}
+	F || (console.log("Next steps:"), console.log(`  cd ${d}`), p === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : p === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : p === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : p === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${p === "proxy" ? 8787 : 3e3}`), T && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${E}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
+}), o.parse(process.argv);
+//#endregion