create-authhero 0.44.0 → 0.46.0

package/dist/aws-sst/README.md

@@ -133,6 +133,28 @@ Enable auto-scaling or increase provisioned capacity in `sst.config.ts`.
 
 Ensure the S3 bucket and CloudFront are properly configured. Check browser console for CORS errors.
 
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.env` when this project was
+created. `sst.config.ts` forwards it to the Lambda, and `src/index.ts` enables
+encryption whenever the key is present.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. Treat the key as a
+> long-lived secret, back it up, and use a separate key per deployment stage.
+
+For production, set `ENCRYPTION_KEY` in your deploy environment / secret store
+rather than reusing the generated dev key.
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .env
+```
+
 ## Learn More
 
 - [SST Documentation](https://sst.dev/docs)

package/dist/aws-sst/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/aws-sst/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/aws-sst/src/index.ts

@@ -2,6 +2,11 @@ import { handle } from "hono/aws-lambda";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
+import {
+  DataAdapters,
+  createEncryptedDataAdapter,
+  loadEncryptionKey,
+} from "authhero";
 import createApp from "./app";
 import type { APIGatewayProxyEventV2, Context } from "aws-lambda";
 
@@ -23,6 +28,22 @@ const dataAdapter = createAdapters(docClient, {
   tableName: process.env.TABLE_NAME,
 });
 
+// Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.
+// The wrapped adapter is built once and cached across warm invocations.
+let encryptedAdapterPromise: Promise<DataAdapters> | null = null;
+async function getDataAdapter(): Promise<DataAdapters> {
+  if (!process.env.ENCRYPTION_KEY) {
+    return dataAdapter;
+  }
+  if (!encryptedAdapterPromise) {
+    const rawKey = process.env.ENCRYPTION_KEY;
+    encryptedAdapterPromise = loadEncryptionKey(rawKey).then((key) =>
+      createEncryptedDataAdapter(dataAdapter, key),
+    );
+  }
+  return encryptedAdapterPromise;
+}
+
 export async function handler(event: APIGatewayProxyEventV2, context: Context) {
   // Compute issuer from the request
   const host = event.headers.host || event.requestContext.domainName;
@@ -51,7 +72,7 @@ export async function handler(event: APIGatewayProxyEventV2, context: Context) {
   // Create app instance per request to avoid issuer contamination
   // Lambda containers are reused, so we can't mutate process.env.ISSUER globally
   const appWithIssuer = createApp({
-    dataAdapter,
+    dataAdapter: await getDataAdapter(),
     allowedOrigins,
     widgetUrl,
   });

package/dist/aws-sst/sst.config.ts

@@ -55,6 +55,10 @@ export default $config({
       environment: {
         TABLE_NAME: table.name,
         WIDGET_URL: assets.url,
+        // At-rest encryption key for sensitive credentials. Sourced from the
+        // environment (e.g. a generated .env loaded by SST, or your CI/secret
+        // store). Encryption is skipped when this is empty.
+        ENCRYPTION_KEY: process.env.ENCRYPTION_KEY ?? "",
       },
       nodejs: {
         install: ["@authhero/aws"],

package/dist/cloudflare/.dev.vars.example

@@ -5,6 +5,16 @@
 # The .dev.vars file is used by wrangler for local development.
 # ============================================================================
 
+# ============================================================================
+# Encryption at rest
+# ============================================================================
+# Base64-encoded 32-byte key used to encrypt sensitive credential fields
+# (client secrets, connection secrets, email credentials, TOTP secrets, etc.).
+# `create-authhero` writes a generated key into .dev.vars for local dev.
+# In production, set it as a secret instead: `wrangler secret put ENCRYPTION_KEY`.
+# Generate one with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+
 # ============================================================================
 # OPTIONAL: Analytics Engine Configuration
 # ============================================================================

package/dist/cloudflare/README.md

@@ -404,3 +404,28 @@ Cloudflare Rate Limiting helps protect your authentication endpoints from abuse.
 | `limit`        | Max requests allowed               | `100`    |
 | `period`       | Time window in seconds             | `60`     |
 | `namespace_id` | Unique ID (string) for the limiter | `"1001"` |
+
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.dev.vars` when this project was
+created, and `src/index.ts` enables encryption whenever the key is present.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. In local dev you can
+> recover by recreating the D1 database and re-seeding. In production, treat the
+> key as a long-lived secret and back it up.
+
+For production, set the key as a Worker secret (do **not** reuse the dev key):
+
+```bash
+wrangler secret put ENCRYPTION_KEY
+```
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .dev.vars
+```

package/dist/cloudflare/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/cloudflare/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/cloudflare/src/index.ts

@@ -1,9 +1,13 @@
-import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
 import createApp from "./app";
 import { Env } from "./types";
-import { AuthHeroConfig } from "authhero";
+import {
+  AuthHeroConfig,
+  createEncryptedDataAdapter,
+  loadEncryptionKey,
+} from "authhero";
 
 // ──────────────────────────────────────────────────────────────────────────────
 // OPTIONAL: Uncomment to enable Cloudflare adapters (Analytics Engine, etc.)
@@ -18,9 +22,16 @@ export default {
     // Get the origin from the request for dynamic CORS
     const origin = request.headers.get("Origin") || "";
 
-    const dialect = new D1Dialect({ database: env.AUTH_DB });
-    const db = new Kysely<any>({ dialect });
-    const dataAdapter = createAdapters(db, { useTransactions: false });
+    const db = drizzle(env.AUTH_DB, { schema });
+    let dataAdapter = createAdapters(db, { useTransactions: false });
+
+    // Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.
+    // In local dev it comes from .dev.vars; in production set it with
+    // `wrangler secret put ENCRYPTION_KEY`. Without it, behavior is unchanged.
+    if (env.ENCRYPTION_KEY) {
+      const encryptionKey = await loadEncryptionKey(env.ENCRYPTION_KEY);
+      dataAdapter = createEncryptedDataAdapter(dataAdapter, encryptionKey);
+    }
 
     // ────────────────────────────────────────────────────────────────────────
     // OPTIONAL: Cloudflare Analytics Engine for centralized logging

package/dist/cloudflare/src/types.ts

@@ -6,6 +6,11 @@
 export interface Env {
   AUTH_DB: D1Database;
 
+  // Base64-encoded 32-byte key for at-rest encryption of sensitive credential
+  // fields. Set in .dev.vars locally and via `wrangler secret put ENCRYPTION_KEY`
+  // in production. Optional — encryption is skipped when unset.
+  ENCRYPTION_KEY?: string;
+
   // ──────────────────────────────────────────────────────────────────────────
   // OPTIONAL: Analytics Engine for centralized logging
   // Uncomment to enable:

package/dist/cloudflare/wrangler.toml

@@ -13,7 +13,7 @@
 
 name = "authhero-server"
 main = "src/index.ts"
-compatibility_date = "2024-11-20"
+compatibility_date = "2026-05-01"
 compatibility_flags = ["nodejs_compat"]
 
 # ════════════════════════════════════════════════════════════════════════════

package/dist/cloudflare-wfp-dispatcher/README.md

@@ -0,0 +1,94 @@
+# AuthHero WFP Dispatcher
+
+Thin Cloudflare Worker that fronts a Workers-for-Platforms deployment of AuthHero. Resolves an incoming request's `Host` header to a tenant via the shared platform D1 (`custom_domains` table) and dispatches the request to that tenant's full authhero auth server, deployed as a script in a Cloudflare dispatch namespace.
+
+## Architecture
+
+```
+Internet
+   |
+   v
+[This worker — the dispatcher]
+   1. Host header -> custom_domains -> tenant_id
+   2. env.DISPATCHER.get('tenant-<id>-auth').fetch(request)
+   |
+   v
+[authhero-tenants dispatch namespace]
+   |- tenant-acme-auth   (full authhero, deployed from the `cloudflare` template)
+   |- tenant-bob-auth
+   |- ...
+```
+
+Tenant workers come from the **`cloudflare` create-authhero template** — they're the same single-tenant auth server, deployed into the namespace instead of standalone.
+
+## Prerequisites
+
+- A Cloudflare account on the **Workers for Platforms** plan (required for dispatch namespaces).
+- [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler/install-and-update/).
+- A D1 database (shared with the tenant workers).
+
+## One-time platform setup
+
+```bash
+# 1. Create the dispatch namespace
+npx wrangler dispatch-namespace create authhero-tenants
+
+# 2. Create the shared D1 (or reuse the one your tenant workers use)
+npx wrangler d1 create authhero-db
+
+# 3. Copy wrangler.toml -> wrangler.local.toml and paste the database_id
+
+# 4. Install project dependencies (provides the local wrangler used by the
+#    db:migrate:* scripts)
+npm install
+
+# 5. Apply migrations to the shared D1
+npm run db:migrate:remote
+# Or, without installing dependencies first:
+#   npx wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml
+```
+
+## Deploy the dispatcher
+
+```bash
+npm run deploy
+```
+
+## Onboard a tenant
+
+For each publisher:
+
+1. **Provision the tenant in D1** — insert a `tenants` row, then a `custom_domains` row mapping their domain to the tenant_id. (Either via the authhero management API or by direct D1 query.)
+
+2. **Deploy their auth worker into the namespace.** From the sibling `cloudflare` template:
+
+   ```bash
+   # In the tenant's directory (scaffolded from `create-authhero --template=cloudflare`)
+   npx wrangler deploy \
+     --dispatch-namespace=authhero-tenants \
+     --name=tenant-<tenant_id>-auth
+   ```
+
+3. **Point their custom domain at this dispatcher worker** (Cloudflare → Workers → Triggers → Add Custom Domain on this worker, or via DNS to the worker's `*.workers.dev` route).
+
+Once those three steps are done, a request to `auth.<their-domain>/authorize?...` flows to this dispatcher → resolved via custom_domains → dispatched to their tenant worker.
+
+## Per-tenant routing customization
+
+By default, hosts with no `proxy_routes` rows get a single catch-all that dispatches to `tenant-<tenant_id>-auth`. If a tenant needs richer routing — different middleware chains, CORS, a special path that bypasses the namespace — insert `proxy_routes` rows for that `custom_domain_id`. The dispatcher uses the configured routes verbatim instead of the default.
+
+The script-name template (`tenant-{tenant_id}-auth`) can be overridden globally via the `SCRIPT_NAME_TEMPLATE` env var. Supported placeholders: `{tenant_id}`, `{custom_domain_id}`, `{domain}`, `{host}`.
+
+## Local development
+
+```bash
+npm run dev
+```
+
+`wrangler dev` runs against a **local SQLite-backed D1**. The dispatch namespace cannot be emulated locally — for end-to-end tests, deploy to a real Cloudflare account using `npm run dev:remote`.
+
+## Files
+
+- `src/index.ts` — dispatcher worker entrypoint
+- `src/types.ts` — Env interface (D1 binding + DISPATCHER namespace binding)
+- `wrangler.toml` — Cloudflare config (assets, D1, dispatch namespace)

package/dist/cloudflare-wfp-dispatcher/src/index.ts

@@ -0,0 +1,72 @@
+import { drizzle } from "drizzle-orm/d1";
+import { createProxyDataAdapter } from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import {
+  createProxyApp,
+  type ProxyDataAdapter,
+  type ResolvedHost,
+} from "@authhero/proxy";
+import type { Env } from "./types";
+
+// `tenant-{tenant_id}-auth` is the deploy convention used by this template's
+// per-tenant worker setup. Override with the SCRIPT_NAME_TEMPLATE env var or
+// by configuring proxy_routes rows per tenant for richer routing.
+const DEFAULT_SCRIPT_NAME_TEMPLATE = "tenant-{tenant_id}-auth";
+
+// If a host resolves to a known tenant but has no proxy_routes configured,
+// synthesize a single catch-all that dispatches to the tenant's auth worker
+// in the namespace. Operators who need middleware (CORS, headers, rate
+// limiting) per tenant can add real proxy_routes rows and this fallback
+// stays out of the way.
+function withDefaultDispatchRoute(
+  inner: ProxyDataAdapter,
+  binding: string,
+  scriptNameTemplate: string,
+): ProxyDataAdapter {
+  return {
+    proxyRoutes: inner.proxyRoutes,
+    resolveHost: async (host): Promise<ResolvedHost | null> => {
+      const resolved = await inner.resolveHost(host);
+      if (!resolved || resolved.routes.length > 0) return resolved;
+      const now = new Date(0).toISOString();
+      return {
+        ...resolved,
+        routes: [
+          {
+            id: `default-${resolved.custom_domain_id}`,
+            tenant_id: resolved.tenant_id,
+            custom_domain_id: resolved.custom_domain_id,
+            priority: 1000,
+            match: { path: "/*" },
+            handlers: [
+              {
+                type: "dispatch_namespace",
+                options: { binding, script_name: scriptNameTemplate },
+              },
+            ],
+            created_at: now,
+            updated_at: now,
+          },
+        ],
+      };
+    },
+  };
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const db = drizzle(env.AUTH_DB, { schema });
+    const data = withDefaultDispatchRoute(
+      createProxyDataAdapter(db),
+      "DISPATCHER",
+      env.SCRIPT_NAME_TEMPLATE || DEFAULT_SCRIPT_NAME_TEMPLATE,
+    );
+
+    const app = createProxyApp({
+      data,
+      bindings: { DISPATCHER: env.DISPATCHER },
+    });
+
+    return app.fetch(request);
+  },
+};

package/dist/cloudflare-wfp-dispatcher/src/types.ts

@@ -0,0 +1,17 @@
+/// <reference types="@cloudflare/workers-types" />
+
+export interface Env {
+  // The shared platform D1 database. Holds custom_domains (host -> tenant)
+  // and proxy_routes (optional per-host route overrides).
+  AUTH_DB: D1Database;
+
+  // The Cloudflare Workers for Platforms dispatch namespace where each
+  // tenant's auth worker is deployed. Wrangler binding configured in
+  // wrangler.toml as `[[dispatch_namespaces]] binding = "DISPATCHER"`.
+  DISPATCHER: DispatchNamespace;
+
+  // Optional template for resolving a tenant to a dispatch namespace
+  // script name. Defaults to `tenant-{tenant_id}-auth`. Supported
+  // placeholders: {tenant_id}, {custom_domain_id}, {domain}, {host}.
+  SCRIPT_NAME_TEMPLATE?: string;
+}

package/dist/cloudflare-wfp-dispatcher/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}

package/dist/cloudflare-wfp-dispatcher/wrangler.toml

@@ -0,0 +1,56 @@
+# ════════════════════════════════════════════════════════════════════════════
+# AuthHero WFP Dispatcher Configuration
+# ════════════════════════════════════════════════════════════════════════════
+# Thin Cloudflare Worker that resolves a request's Host header to a tenant
+# (via the shared platform D1) and dispatches to that tenant's full
+# authhero auth server, deployed as a script in the `authhero-tenants`
+# dispatch namespace.
+#
+# Tenant workers are deployed separately via the `cloudflare` template,
+# using `wrangler deploy --dispatch-namespace=authhero-tenants
+# --name=tenant-<id>-auth`.
+#
+# Sensitive IDs (database_id) go in wrangler.local.toml (gitignored) or
+# GitHub Secrets, not this file.
+# ════════════════════════════════════════════════════════════════════════════
+
+name = "authhero-wfp-dispatcher"
+main = "src/index.ts"
+compatibility_date = "2026-05-01"
+compatibility_flags = ["nodejs_compat"]
+
+# ════════════════════════════════════════════════════════════════════════════
+# Dispatch namespace binding
+# ════════════════════════════════════════════════════════════════════════════
+# Create the namespace once before the first deploy:
+#   npx wrangler dispatch-namespace create authhero-tenants
+[[dispatch_namespaces]]
+binding = "DISPATCHER"
+namespace = "authhero-tenants"
+
+# ════════════════════════════════════════════════════════════════════════════
+# Shared platform D1 database
+# ════════════════════════════════════════════════════════════════════════════
+# Same D1 that the tenant workers read/write. Holds custom_domains and
+# proxy_routes that drive the dispatcher's host -> tenant resolution.
+[[d1_databases]]
+binding = "AUTH_DB"
+database_name = "authhero-db"
+database_id = "local"  # Use "local" for local dev, or your actual ID in wrangler.local.toml
+migrations_dir = "node_modules/@authhero/drizzle/drizzle"
+
+# ════════════════════════════════════════════════════════════════════════════
+# OPTIONAL: Custom Domain
+# ════════════════════════════════════════════════════════════════════════════
+# Point your platform's wildcard or per-publisher custom domains at this
+# worker. The publishers' subdomains must resolve here so the dispatcher
+# can route into the namespace.
+#
+# [[routes]]
+# pattern = "*.auth.yourplatform.com/*"
+# zone_name = "yourplatform.com"
+
+# Optional: Enable observability for `wrangler tail` insight into dispatch
+# decisions and namespace invocation latency.
+# [observability]
+# enabled = true

package/dist/create-authhero.js

@@ -3,10 +3,14 @@ import { Command as e } from "commander";
 import t from "inquirer";
 import n from "fs";
 import r from "path";
-import { fileURLToPath as i } from "url";
-import { spawn as a } from "child_process";
+import i from "crypto";
+import { fileURLToPath as a } from "url";
+import { spawn as o } from "child_process";
 //#region src/index.ts
-var o = new e(), s = {
+function s() {
+	return i.randomBytes(32).toString("base64");
+}
+var c = new e(), l = {
 	local: {
 		name: "Local (SQLite)",
 		description: "Local development setup with SQLite database - great for getting started",
@@ -18,10 +22,12 @@ var o = new e(), s = {
 				version: "1.0.0",
 				type: "module",
 				scripts: {
-					dev: "npx tsx watch src/index.ts",
-					start: "npx tsx src/index.ts",
+					dev: "npx tsx watch --env-file=.env src/index.ts",
+					start: "npx tsx --env-file=.env src/index.ts",
 					migrate: "npx tsx src/migrate.ts",
-					seed: "npx tsx src/seed.ts"
+					seed: "npx tsx --env-file=.env src/seed.ts",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.env scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/kysely-adapter": a,
@@ -69,26 +75,25 @@ var o = new e(), s = {
 					"seed:local": "node seed-helper.js",
 					"seed:remote": "node seed-helper.js '' '' remote",
 					seed: "node seed-helper.js",
-					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'"
+					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs'",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.dev.vars scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/drizzle": a,
-					"@authhero/kysely-adapter": a,
 					...i && { "@authhero/admin": a },
 					"@authhero/widget": a,
 					"@hono/swagger-ui": "^0.5.0",
 					"@hono/zod-openapi": "^0.19.0",
 					authhero: a,
+					"drizzle-orm": "^0.44.0",
 					hono: "^4.6.0",
-					kysely: "latest",
-					"kysely-d1": "latest",
 					...t && { "@authhero/multi-tenancy": a },
 					...n && { bcryptjs: "latest" }
 				},
 				devDependencies: {
 					"@cloudflare/workers-types": "^4.0.0",
 					"drizzle-kit": "^0.31.0",
-					"drizzle-orm": "^0.44.0",
 					typescript: "^5.5.0",
 					wrangler: "^3.0.0"
 				}
@@ -96,6 +101,40 @@ var o = new e(), s = {
 		},
 		seedFile: "seed.ts"
 	},
+	"cloudflare-wfp-dispatcher": {
+		name: "Cloudflare Workers for Platforms — Dispatcher",
+		description: "Thin dispatcher worker that routes per-publisher custom domains to tenant auth workers in a dispatch namespace (pair with the `cloudflare` template for tenant workers)",
+		templateDir: "cloudflare-wfp-dispatcher",
+		packageJson: (e, t, n, r) => {
+			let i = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					dev: "wrangler dev --port 3001 --local-protocol https",
+					"dev:remote": "wrangler dev --port 3001 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					setup: "cp wrangler.toml wrangler.local.toml && echo '✅ Created wrangler.local.toml - update with your IDs'"
+				},
+				dependencies: {
+					"@authhero/drizzle": i,
+					"@authhero/proxy": i,
+					"drizzle-orm": "^0.44.0",
+					hono: "^4.6.0"
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		}
+	},
 	proxy: {
 		name: "Proxy (Cloudflare Workers)",
 		description: "Host-based reverse proxy on Cloudflare Workers — static config, no DB",
@@ -135,8 +174,10 @@ var o = new e(), s = {
 					dev: "sst dev",
 					deploy: "sst deploy --stage production",
 					remove: "sst remove",
-					seed: "npx tsx src/seed.ts",
-					"copy-assets": "node copy-assets.js"
+					seed: "npx tsx --env-file=.env src/seed.ts",
+					"copy-assets": "node copy-assets.js",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.env scripts/decrypt-field.mjs"
 				},
 				dependencies: {
 					"@authhero/aws": a,
@@ -163,13 +204,13 @@ var o = new e(), s = {
 		seedFile: "seed.ts"
 	}
 };
-function c(e, t) {
+function u(e, t) {
 	n.readdirSync(e).forEach((i) => {
 		let a = r.join(e, i), o = r.join(t, i);
-		n.lstatSync(a).isDirectory() ? (n.mkdirSync(o, { recursive: !0 }), c(a, o)) : n.copyFileSync(a, o);
+		n.lstatSync(a).isDirectory() ? (n.mkdirSync(o, { recursive: !0 }), u(a, o)) : n.copyFileSync(a, o);
 	});
 }
-function l(e, t = !1, n = "authhero-local", r) {
+function d(e, t = !1, n = "authhero-local", r) {
 	let i = e ? "control_plane" : "main", a = e ? "Control Plane" : "Main", o = [
 		"https://manage.authhero.net/auth-callback",
 		"https://local.authhero.net/auth-callback",
@@ -314,7 +355,7 @@ function l(e, t = !1, n = "authhero-local", r) {
 	return `import { SqliteDialect, Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
-import { seed${t ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey${t ? ", USERNAME_PASSWORD_PROVIDER" : ""} } from "authhero";
 
 interface ExtraClient {
   client_id: string;
@@ -368,7 +409,13 @@ async function main() {
   });
 
   const db = new Kysely<any>({ dialect });
-  const adapters = createAdapters(db);
+  let adapters = createAdapters(db);
+
+  // Match the server: encrypt seeded secrets at rest when a key is configured.
+  if (process.env.ENCRYPTION_KEY) {
+    const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+    adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+  }
 
   const seedResult = await seed(adapters, {
     adminUsername,
@@ -417,7 +464,7 @@ main().catch((err) => {
 });
 `;
 }
-function u(e, t) {
+function f(e, t) {
 	let n = t ? "import fs from \"fs\";\n" : "", r = t ? "\nconst adminDistPath = path.resolve(\n  __dirname,\n  \"../node_modules/@authhero/admin/dist\",\n);\nconst adminIndexPath = path.join(adminDistPath, \"index.html\");\n" : "", i = t ? `
   // Add admin UI handler if the package is installed
   if (fs.existsSync(adminIndexPath)) {
@@ -546,14 +593,15 @@ ${i}
 }
 `;
 }
-function d(e) {
-	return `import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
-import { seed } from "authhero";
+function p(e) {
+	return `import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 interface Env {
   AUTH_DB: D1Database;
+  ENCRYPTION_KEY?: string;
 }
 
 export default {
@@ -565,9 +613,13 @@ export default {
     const issuer = \`\${url.protocol}//\${url.host}/\`;
 
     try {
-      const dialect = new D1Dialect({ database: env.AUTH_DB });
-      const db = new Kysely<any>({ dialect });
-      const adapters = createAdapters(db, { useTransactions: false });
+      const db = drizzle(env.AUTH_DB, { schema });
+      let adapters = createAdapters(db, { useTransactions: false });
+
+      if (env.ENCRYPTION_KEY) {
+        const encryptionKey = await loadEncryptionKey(env.ENCRYPTION_KEY);
+        adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+      }
 
       const result = await seed(adapters, {
         adminUsername,
@@ -607,7 +659,7 @@ export default {
 };
 `;
 }
-function f(e, t) {
+function m(e, t) {
 	let n = t ? "import adminIndexHtml from \"./admin-index-html\";\n" : "", r = t ? "    adminIndexHtml,\n" : "";
 	return e ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
@@ -690,14 +742,14 @@ ${r}  });
 }
 `;
 }
-function p(e) {
+function h(e) {
 	return e ? "import { Context } from \"hono\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\nimport { AuthHeroConfig, DataAdapters } from \"authhero\";\nimport { initMultiTenant } from \"@authhero/multi-tenancy\";\n\n// Control plane configuration\nconst CONTROL_PLANE_TENANT_ID = \"control_plane\";\nconst CONTROL_PLANE_CLIENT_ID = \"default\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  // Initialize multi-tenant AuthHero\n  const { app } = initMultiTenant({\n    ...config,\n    controlPlane: {\n      tenantId: CONTROL_PLANE_TENANT_ID,\n      clientId: CONTROL_PLANE_CLIENT_ID,\n    },\n  });\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Multi-Tenant Server (AWS)\",\n        version: \"1.0.0\",\n        status: \"running\",\n        docs: \"/docs\",\n        controlPlaneTenant: CONTROL_PLANE_TENANT_ID,\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n" : "import { Context } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { AuthHeroConfig, init, DataAdapters } from \"authhero\";\nimport { swaggerUI } from \"@hono/swagger-ui\";\n\ninterface AppConfig extends AuthHeroConfig {\n  dataAdapter: DataAdapters;\n  widgetUrl: string;\n}\n\nexport default function createApp(config: AppConfig) {\n  const { app } = init(config);\n\n  // Enable CORS for all origins in development\n  app.use(\"*\", cors({\n    origin: (origin) => origin || \"*\",\n    allowMethods: [\"GET\", \"POST\", \"PUT\", \"DELETE\", \"PATCH\", \"OPTIONS\"],\n    allowHeaders: [\"Content-Type\", \"Authorization\", \"Auth0-Client\"],\n    exposeHeaders: [\"Content-Length\"],\n    credentials: true,\n  }));\n\n  app\n    .onError((err, ctx) => {\n      if (err && typeof err === \"object\" && \"getResponse\" in err) {\n        return (err as { getResponse: () => Response }).getResponse();\n      }\n      console.error(err);\n      return ctx.text(err instanceof Error ? err.message : \"Internal Server Error\", 500);\n    })\n    .get(\"/\", async (ctx: Context) => {\n      return ctx.json({\n        name: \"AuthHero Server (AWS)\",\n        status: \"running\",\n      });\n    })\n    .get(\"/docs\", swaggerUI({ url: \"/api/v2/spec\" }))\n    // Redirect widget requests to S3/CloudFront\n    .get(\"/u/widget/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/widget/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/widget/${file}`);\n    })\n    .get(\"/u/*\", async (ctx) => {\n      const file = ctx.req.path.replace(\"/u/\", \"\");\n      return ctx.redirect(`${config.widgetUrl}/u/${file}`);\n    });\n\n  return app;\n}\n";
 }
-function m(e) {
+function g(e) {
 	return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
-import { seed } from "authhero";
+import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 async function main() {
   const adminUsername = process.argv[2] || process.env.ADMIN_USERNAME || "admin";
@@ -717,7 +769,12 @@ async function main() {
     },
   });
 
-  const adapters = createAdapters(docClient, { tableName });
+  let adapters = createAdapters(docClient, { tableName });
+
+  if (process.env.ENCRYPTION_KEY) {
+    const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+    adapters = createEncryptedDataAdapter(adapters, encryptionKey);
+  }
 
   await seed(adapters, {
     adminUsername,
@@ -733,18 +790,21 @@ async function main() {
 main().catch(console.error);
 `;
 }
-function h(e, t) {
+function _(e, t) {
 	let i = r.join(e, "src");
-	n.writeFileSync(r.join(i, "app.ts"), p(t)), n.writeFileSync(r.join(i, "seed.ts"), m(t));
+	n.writeFileSync(r.join(i, "app.ts"), h(t)), n.writeFileSync(r.join(i, "seed.ts"), g(t)), n.writeFileSync(r.join(e, ".env"), `# At-rest encryption key for sensitive credentials. Generated automatically.
+# Keep this stable and secret — losing it makes encrypted data unrecoverable.
+ENCRYPTION_KEY=${s()}
+`);
 }
-function g() {
+function v() {
 	console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🚀 Open your server URL /setup to complete initial setup"), console.log("🌐 Portal available at https://local.authhero.net"), console.log("─".repeat(50) + "\\n");
 }
-function _(e) {
+function y(e) {
 	let t = r.join(e, ".github", "workflows");
 	n.mkdirSync(t, { recursive: !0 }), n.writeFileSync(r.join(t, "unit-tests.yml"), "name: Unit tests\n\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - run: npm run type-check\n      - run: npm test\n"), n.writeFileSync(r.join(t, "deploy-dev.yml"), "name: Deploy to Dev\n\non:\n  push:\n    branches:\n      - main\n\njobs:\n  release:\n    name: Release and Deploy\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Release\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        run: npx semantic-release\n\n      - name: Deploy to Cloudflare (Dev)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}\n          command: deploy\n"), n.writeFileSync(r.join(t, "release.yml"), "name: Deploy to Production\n\non:\n  release:\n    types: [\"released\"]\n\njobs:\n  deploy:\n    name: Deploy to Production\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: \"22\"\n          cache: \"npm\"\n\n      - name: Install dependencies\n        run: npm ci\n\n      - name: Deploy to Cloudflare (Production)\n        uses: cloudflare/wrangler-action@v3\n        with:\n          apiToken: ${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}\n          command: deploy --env production\n"), console.log("\\n📦 GitHub CI workflows created!");
 }
-function v(e) {
+function b(e) {
 	n.writeFileSync(r.join(e, ".releaserc.json"), JSON.stringify({
 		branches: ["main"],
 		plugins: [
@@ -763,9 +823,9 @@ function v(e) {
 		"type-check": "tsc --noEmit"
 	}, n.writeFileSync(t, JSON.stringify(i, null, 2));
 }
-function y(e, t) {
+function x(e, t) {
 	return new Promise((n, r) => {
-		let i = a(e, [], {
+		let i = o(e, [], {
 			cwd: t,
 			shell: !0,
 			stdio: "inherit"
@@ -775,107 +835,123 @@ function y(e, t) {
 		}), i.on("error", r);
 	});
 }
-function b(e, t, i) {
+function S(e, t, i) {
 	let a = r.join(e, "src");
-	n.writeFileSync(r.join(a, "app.ts"), f(t, i)), n.writeFileSync(r.join(a, "seed.ts"), d(t));
+	n.writeFileSync(r.join(a, "app.ts"), m(t, i)), n.writeFileSync(r.join(a, "seed.ts"), p(t));
 }
-function x() {
+function C() {
 	console.log("\n" + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
-function S() {
+function w() {
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  WFP dispatcher running at https://localhost:3001"), console.log("📦 Pair with the `cloudflare` template to deploy tenant workers:"), console.log("   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth"), console.log("📖 See README.md for the full onboarding workflow"), console.log("─".repeat(50) + "\n");
+}
+function T() {
 	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
 }
-function C() {
+function E() {
 	console.log("\n" + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
-o.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, a) => {
-	let o = a.yes === !0;
+c.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, i) => {
+	let o = i.yes === !0;
 	console.log("\n🔐 Welcome to AuthHero!\n");
-	let d = e;
-	d || (o ? (d = "auth-server", console.log(`Using default project name: ${d}`)) : d = (await t.prompt([{
+	let c = e;
+	c || (o ? (c = "auth-server", console.log(`Using default project name: ${c}`)) : c = (await t.prompt([{
 		type: "input",
 		name: "projectName",
 		message: "Project name:",
 		default: "auth-server",
 		validate: (e) => e !== "" || "Project name cannot be empty"
 	}])).projectName);
-	let f = r.join(process.cwd(), d);
-	n.existsSync(f) && (console.error(`❌ Project "${d}" already exists.`), process.exit(1));
-	let p;
-	a.template ? ([
+	let p = r.join(process.cwd(), c);
+	n.existsSync(p) && (console.error(`❌ Project "${c}" already exists.`), process.exit(1));
+	let m;
+	i.template ? ([
 		"local",
 		"cloudflare",
+		"cloudflare-wfp-dispatcher",
 		"aws-sst",
 		"proxy"
-	].includes(a.template) || (console.error(`❌ Invalid template: ${a.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), p = a.template, console.log(`Using template: ${s[p].name}`)) : p = (await t.prompt([{
+	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, cloudflare-wfp-dispatcher, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
 		type: "list",
 		name: "setupType",
 		message: "Select your setup type:",
 		choices: [
 			{
-				name: `${s.local.name}\n     ${s.local.description}`,
+				name: `${l.local.name}\n     ${l.local.description}`,
 				value: "local",
-				short: s.local.name
+				short: l.local.name
 			},
 			{
-				name: `${s.cloudflare.name}\n     ${s.cloudflare.description}`,
+				name: `${l.cloudflare.name}\n     ${l.cloudflare.description}`,
 				value: "cloudflare",
-				short: s.cloudflare.name
+				short: l.cloudflare.name
+			},
+			{
+				name: `${l["cloudflare-wfp-dispatcher"].name}\n     ${l["cloudflare-wfp-dispatcher"].description}`,
+				value: "cloudflare-wfp-dispatcher",
+				short: l["cloudflare-wfp-dispatcher"].name
 			},
 			{
-				name: `${s["aws-sst"].name}\n     ${s["aws-sst"].description}`,
+				name: `${l["aws-sst"].name}\n     ${l["aws-sst"].description}`,
 				value: "aws-sst",
-				short: s["aws-sst"].name
+				short: l["aws-sst"].name
 			},
 			{
-				name: `${s.proxy.name}\n     ${s.proxy.description}`,
+				name: `${l.proxy.name}\n     ${l.proxy.description}`,
 				value: "proxy",
-				short: s.proxy.name
+				short: l.proxy.name
 			}
 		]
 	}])).setupType;
-	let m;
-	m = p === "proxy" ? !1 : a.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
+	let h;
+	h = m === "proxy" || m === "cloudflare-wfp-dispatcher" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
 		type: "confirm",
 		name: "multiTenant",
 		message: "Would you like to enable multi-tenant mode?",
 		default: !1
-	}])).multiTenant : a.multiTenant, m && console.log("Multi-tenant mode: enabled");
-	let w = !1;
-	(p === "local" || p === "cloudflare") && (w = a.adminUi === void 0 ? o ? !0 : (await t.prompt([{
+	}])).multiTenant : i.multiTenant, h && console.log("Multi-tenant mode: enabled");
+	let g = !1;
+	(m === "local" || m === "cloudflare") && (g = i.adminUi === void 0 ? o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "adminUi",
 		message: "Would you like to include the admin UI at /admin?",
 		default: !0
-	}])).adminUi : a.adminUi, w && console.log("Admin UI: enabled (available at /admin)"));
-	let T = a.conformance || !1, E = a.conformanceAlias || "authhero-local";
-	T && console.log(`OpenID Conformance Suite: enabled (alias: ${E})`);
-	let D = a.workspace || !1;
-	D && console.log("Workspace mode: enabled (using workspace:* dependencies)");
-	let O = s[p];
-	n.mkdirSync(f, { recursive: !0 }), n.writeFileSync(r.join(f, "package.json"), JSON.stringify(O.packageJson(d, m, T, D, w), null, 2));
-	let k = O.templateDir, A = r.dirname(i(import.meta.url)), j = [r.join(A, k), r.join(A, "..", "templates", k)], M = j.find((e) => n.existsSync(e));
-	if (M ? c(M, f) : (console.error(`❌ Template directory not found. Looked in:\n  ${j.join("\n  ")}`), process.exit(1)), p === "cloudflare" && b(f, m, w), p === "cloudflare") {
-		let e = r.join(f, "wrangler.toml"), t = r.join(f, "wrangler.local.toml");
-		n.existsSync(e) && n.copyFileSync(e, t);
-		let i = r.join(f, ".dev.vars.example"), a = r.join(f, ".dev.vars");
-		n.existsSync(i) && n.copyFileSync(i, a), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+	}])).adminUi : i.adminUi, g && console.log("Admin UI: enabled (available at /admin)"));
+	let D = i.conformance || !1, O = i.conformanceAlias || "authhero-local";
+	D && console.log(`OpenID Conformance Suite: enabled (alias: ${O})`);
+	let k = i.workspace || !1;
+	k && console.log("Workspace mode: enabled (using workspace:* dependencies)");
+	let A = l[m];
+	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(A.packageJson(c, h, D, k, g), null, 2));
+	let j = A.templateDir, M = r.dirname(a(import.meta.url)), N = [r.join(M, j), r.join(M, "..", "templates", j)], P = N.find((e) => n.existsSync(e));
+	if (P ? u(P, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${N.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g), m === "cloudflare" || m === "cloudflare-wfp-dispatcher") {
+		let e = r.join(p, "wrangler.toml"), t = r.join(p, "wrangler.local.toml");
+		if (n.existsSync(e) && !n.existsSync(t) && n.copyFileSync(e, t), m === "cloudflare") {
+			let e = r.join(p, ".dev.vars.example"), t = r.join(p, ".dev.vars");
+			n.existsSync(e) && (n.copyFileSync(e, t), n.appendFileSync(t, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		} else console.log("📁 Created wrangler.local.toml for local development");
 	}
-	let N = !1;
-	if (p === "cloudflare" && (a.githubCi === void 0 ? o || (N = (await t.prompt([{
+	let F = !1;
+	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (F = (await t.prompt([{
 		type: "confirm",
 		name: "includeGithubCi",
 		message: "Would you like to include GitHub CI with semantic versioning?",
 		default: !1
-	}])).includeGithubCi) : (N = a.githubCi, N && console.log("Including GitHub CI workflows with semantic versioning")), N && (_(f), v(f))), p === "local") {
-		let e = l(m, T, E, w);
-		n.writeFileSync(r.join(f, "src/seed.ts"), e);
-		let t = u(m, w);
-		n.writeFileSync(r.join(f, "src/app.ts"), t);
+	}])).includeGithubCi) : (F = i.githubCi, F && console.log("Including GitHub CI workflows with semantic versioning")), F && (y(p), b(p))), m === "local") {
+		let e = d(h, D, O, g);
+		n.writeFileSync(r.join(p, "src/seed.ts"), e);
+		let t = f(h, g);
+		n.writeFileSync(r.join(p, "src/app.ts"), t);
+		let i = `# Encryption key for at-rest encryption of sensitive credentials.
+# Generated automatically. Keep this stable and secret — losing it makes
+# existing encrypted data unrecoverable. Use a separate key in production.
+ENCRYPTION_KEY=${s()}
+`;
+		n.writeFileSync(r.join(p, ".env"), i), console.log("🔒 Generated .env with an at-rest encryption key");
 	}
-	if (p === "aws-sst" && h(f, m), T) {
+	if (m === "aws-sst" && _(p, h), D) {
 		let e = {
-			alias: E,
+			alias: O,
 			description: "AuthHero Conformance Test",
 			server: { discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration" },
 			client: {
@@ -888,24 +964,24 @@ o.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 			},
 			resource: { resourceUrl: "http://host.docker.internal:3000/userinfo" }
 		};
-		n.writeFileSync(r.join(f, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
+		n.writeFileSync(r.join(p, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
 	}
-	let P = m ? "multi-tenant" : "single-tenant";
-	console.log(`\n✅ Project "${d}" has been created with ${O.name} (${P}) setup!\n`);
-	let F;
-	if (F = a.skipInstall ? !1 : o ? !0 : (await t.prompt([{
+	let I = h ? "multi-tenant" : "single-tenant";
+	console.log(`\n✅ Project "${c}" has been created with ${A.name} (${I}) setup!\n`);
+	let L;
+	if (L = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "shouldInstall",
 		message: "Would you like to install dependencies now?",
 		default: !0
-	}])).shouldInstall, F) {
+	}])).shouldInstall, L) {
 		let e;
-		a.packageManager ? ([
+		i.packageManager ? ([
 			"npm",
 			"yarn",
 			"pnpm",
 			"bun"
-		].includes(a.packageManager) || (console.error(`❌ Invalid package manager: ${a.packageManager}`), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), e = a.packageManager) : e = o ? "pnpm" : (await t.prompt([{
+		].includes(i.packageManager) || (console.error(`❌ Invalid package manager: ${i.packageManager}`), console.error("Valid options: npm, yarn, pnpm, bun"), process.exit(1)), e = i.packageManager) : e = o ? "pnpm" : (await t.prompt([{
 			type: "list",
 			name: "packageManager",
 			message: "Which package manager would you like to use?",
@@ -930,26 +1006,26 @@ o.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 			default: "pnpm"
 		}])).packageManager, console.log(`\n📦 Installing dependencies with ${e}...\n`);
 		try {
-			if (await y(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, f), p === "local" && (console.log("\n🔧 Building native modules...\n"), await y("npm rebuild better-sqlite3", f)), console.log("\n✅ Dependencies installed successfully!\n"), (p === "local" || p === "cloudflare") && !a.skipMigrate) {
+			if (await x(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, p), m === "local" && (console.log("\n🔧 Building native modules...\n"), await x("npm rebuild better-sqlite3", p)), console.log("\n✅ Dependencies installed successfully!\n"), (m === "local" || m === "cloudflare") && !i.skipMigrate) {
 				let n;
 				n = o ? !0 : (await t.prompt([{
 					type: "confirm",
 					name: "shouldMigrate",
 					message: "Would you like to run database migrations?",
 					default: !0
-				}])).shouldMigrate, n && (console.log("\n🔄 Running migrations...\n"), await y(`${e} run migrate`, f));
+				}])).shouldMigrate, n && (console.log("\n🔄 Running migrations...\n"), await x(`${e} run migrate`, p));
 			}
 			let n;
-			n = a.skipStart || o ? !1 : (await t.prompt([{
+			n = i.skipStart || o ? !1 : (await t.prompt([{
 				type: "confirm",
 				name: "shouldStart",
 				message: "Would you like to start the development server?",
 				default: !0
-			}])).shouldStart, n && (p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C(), console.log("🚀 Starting development server...\n"), await y(`${e} run dev`, f)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${d}`), console.log("  npm run dev"), p === "cloudflare" ? x() : p === "aws-sst" ? g() : p === "proxy" ? S() : C());
+			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "aws-sst" ? v() : m === "proxy" ? T() : E(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "aws-sst" ? v() : m === "proxy" ? T() : E());
 		} catch (e) {
 			console.error("\n❌ An error occurred:", e), process.exit(1);
 		}
 	}
-	F || (console.log("Next steps:"), console.log(`  cd ${d}`), p === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : p === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : p === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : p === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${p === "proxy" ? 8787 : 3e3}`), T && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${E}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
-}), o.parse(process.argv);
+	L || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "cloudflare-wfp-dispatcher" ? (console.log("  npm install"), console.log("  npm run setup  # creates wrangler.local.toml — paste your database_id"), console.log("  npx wrangler dispatch-namespace create authhero-tenants"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nDeploy tenant workers separately (`cloudflare` template):"), console.log("  wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : m === "cloudflare-wfp-dispatcher" ? 3001 : 3e3}`), D && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${O}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
+}), c.parse(process.argv);
 //#endregion

package/dist/local/README.md

@@ -47,4 +47,26 @@ You can customize the AuthHero configuration in `src/app.ts`. Common options inc
 - Custom email templates
 - Session configuration
 
+## Encryption at rest
+
+Sensitive credential fields (client secrets, connection secrets, email
+credentials, TOTP secrets, migration-source secrets) are encrypted at rest.
+A random `ENCRYPTION_KEY` was generated into `.env` when this project was
+created, and the dev/seed scripts load it via `--env-file=.env`.
+
+> **The key is load-bearing.** If you delete, rotate, or lose `ENCRYPTION_KEY`,
+> any values already encrypted with it become unreadable. In local dev you can
+> recover by deleting `db.sqlite` and re-running `npm run migrate && npm run seed`.
+> In production, treat the key as a long-lived secret and back it up.
+
+For production, set your own `ENCRYPTION_KEY` in the deployment environment
+rather than reusing the generated dev key.
+
+Helper scripts:
+
+```bash
+npm run gen:key                   # print a fresh base64 key
+npm run decrypt -- "enc:v1:..."   # decrypt a stored value using ENCRYPTION_KEY from .env
+```
+
 For more information, visit [https://authhero.net/docs](https://authhero.net/docs).

package/dist/local/scripts/decrypt-field.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { loadEncryptionKey, decryptField } from "authhero";
+
+// Decrypt a stored field value using ENCRYPTION_KEY from the environment.
+// Usage: node --env-file=.env scripts/decrypt-field.mjs "enc:v1:..."
+// Values without the enc:v1: prefix (legacy plaintext) are printed unchanged.
+const value = process.argv[2];
+
+if (!value) {
+  console.error(
+    'Usage: node --env-file=<env> scripts/decrypt-field.mjs "<value>"',
+  );
+  process.exit(1);
+}
+
+const keyB64 = process.env.ENCRYPTION_KEY;
+if (!keyB64) {
+  console.error(
+    "ENCRYPTION_KEY is not set. Pass it via --env-file or the environment.",
+  );
+  process.exit(1);
+}
+
+try {
+  const key = await loadEncryptionKey(keyB64);
+  console.log(await decryptField(value, key));
+} catch (error) {
+  console.error(
+    "Failed to decrypt:",
+    error instanceof Error ? error.message : error,
+  );
+  process.exit(1);
+}

package/dist/local/scripts/generate-encryption-key.mjs

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import crypto from "node:crypto";
+
+// Print a fresh base64-encoded 32-byte (AES-256) key suitable for
+// ENCRYPTION_KEY. Copy the output into your env file (.env / .dev.vars) or set
+// it as a production secret.
+console.log(crypto.randomBytes(32).toString("base64"));

package/dist/local/src/index.ts

@@ -3,6 +3,7 @@ import { SqliteDialect } from "kysely";
 import { Kysely } from "kysely";
 import Database from "better-sqlite3";
 import createAdapters from "@authhero/kysely-adapter";
+import { createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 import createApp from "./app";
 import fs from "fs";
 import path from "path";
@@ -102,7 +103,14 @@ try {
   process.exit(1);
 }
 
-const dataAdapter = createAdapters(db);
+let dataAdapter = createAdapters(db);
+
+// Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set
+// (generated into .env at scaffold time). Without it, behavior is unchanged.
+if (process.env.ENCRYPTION_KEY) {
+  const encryptionKey = await loadEncryptionKey(process.env.ENCRYPTION_KEY);
+  dataAdapter = createEncryptedDataAdapter(dataAdapter, encryptionKey);
+}
 
 // Create the AuthHero app
 const app = createApp({

package/dist/proxy/src/index.ts

@@ -1,8 +1,5 @@
 import { AsyncLocalStorage } from "node:async_hooks";
-import {
-  createProxyApp,
-  createStaticProxyAdapter,
-} from "@authhero/proxy";
+import { createProxyApp, createStaticProxyAdapter } from "@authhero/proxy";
 import { proxyConfig } from "./proxy.config";
 
 // AsyncLocalStorage threads each request's ExecutionContext through to the
@@ -32,9 +29,8 @@ const app = createProxyApp({
 
 export default {
   fetch(request: Request, _env: unknown, ctx: ExecutionContext) {
-    return requestCtx.run(
-      { waitUntil: ctx.waitUntil.bind(ctx) },
-      () => app.fetch(request),
+    return requestCtx.run({ waitUntil: ctx.waitUntil.bind(ctx) }, () =>
+      app.fetch(request),
     );
   },
 };

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.44.0",
+  "version": "0.46.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {