create-authhero 0.45.0 → 0.46.0

package/dist/cloudflare/src/index.ts

@@ -1,6 +1,6 @@
-import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
 import createApp from "./app";
 import { Env } from "./types";
 import {
@@ -22,8 +22,7 @@ export default {
     // Get the origin from the request for dynamic CORS
     const origin = request.headers.get("Origin") || "";
 
-    const dialect = new D1Dialect({ database: env.AUTH_DB });
-    const db = new Kysely<any>({ dialect });
+    const db = drizzle(env.AUTH_DB, { schema });
     let dataAdapter = createAdapters(db, { useTransactions: false });
 
     // Encrypt sensitive credential fields at rest when ENCRYPTION_KEY is set.

package/dist/cloudflare/wrangler.toml

@@ -13,7 +13,7 @@
 
 name = "authhero-server"
 main = "src/index.ts"
-compatibility_date = "2024-11-20"
+compatibility_date = "2026-05-01"
 compatibility_flags = ["nodejs_compat"]
 
 # ════════════════════════════════════════════════════════════════════════════

package/dist/cloudflare-wfp-dispatcher/README.md

@@ -0,0 +1,94 @@
+# AuthHero WFP Dispatcher
+
+Thin Cloudflare Worker that fronts a Workers-for-Platforms deployment of AuthHero. Resolves an incoming request's `Host` header to a tenant via the shared platform D1 (`custom_domains` table) and dispatches the request to that tenant's full authhero auth server, deployed as a script in a Cloudflare dispatch namespace.
+
+## Architecture
+
+```
+Internet
+   |
+   v
+[This worker — the dispatcher]
+   1. Host header -> custom_domains -> tenant_id
+   2. env.DISPATCHER.get('tenant-<id>-auth').fetch(request)
+   |
+   v
+[authhero-tenants dispatch namespace]
+   |- tenant-acme-auth   (full authhero, deployed from the `cloudflare` template)
+   |- tenant-bob-auth
+   |- ...
+```
+
+Tenant workers come from the **`cloudflare` create-authhero template** — they're the same single-tenant auth server, deployed into the namespace instead of standalone.
+
+## Prerequisites
+
+- A Cloudflare account on the **Workers for Platforms** plan (required for dispatch namespaces).
+- [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler/install-and-update/).
+- A D1 database (shared with the tenant workers).
+
+## One-time platform setup
+
+```bash
+# 1. Create the dispatch namespace
+npx wrangler dispatch-namespace create authhero-tenants
+
+# 2. Create the shared D1 (or reuse the one your tenant workers use)
+npx wrangler d1 create authhero-db
+
+# 3. Copy wrangler.toml -> wrangler.local.toml and paste the database_id
+
+# 4. Install project dependencies (provides the local wrangler used by the
+#    db:migrate:* scripts)
+npm install
+
+# 5. Apply migrations to the shared D1
+npm run db:migrate:remote
+# Or, without installing dependencies first:
+#   npx wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml
+```
+
+## Deploy the dispatcher
+
+```bash
+npm run deploy
+```
+
+## Onboard a tenant
+
+For each publisher:
+
+1. **Provision the tenant in D1** — insert a `tenants` row, then a `custom_domains` row mapping their domain to the tenant_id. (Either via the authhero management API or by direct D1 query.)
+
+2. **Deploy their auth worker into the namespace.** From the sibling `cloudflare` template:
+
+   ```bash
+   # In the tenant's directory (scaffolded from `create-authhero --template=cloudflare`)
+   npx wrangler deploy \
+     --dispatch-namespace=authhero-tenants \
+     --name=tenant-<tenant_id>-auth
+   ```
+
+3. **Point their custom domain at this dispatcher worker** (Cloudflare → Workers → Triggers → Add Custom Domain on this worker, or via DNS to the worker's `*.workers.dev` route).
+
+Once those three steps are done, a request to `auth.<their-domain>/authorize?...` flows to this dispatcher → resolved via custom_domains → dispatched to their tenant worker.
+
+## Per-tenant routing customization
+
+By default, hosts with no `proxy_routes` rows get a single catch-all that dispatches to `tenant-<tenant_id>-auth`. If a tenant needs richer routing — different middleware chains, CORS, a special path that bypasses the namespace — insert `proxy_routes` rows for that `custom_domain_id`. The dispatcher uses the configured routes verbatim instead of the default.
+
+The script-name template (`tenant-{tenant_id}-auth`) can be overridden globally via the `SCRIPT_NAME_TEMPLATE` env var. Supported placeholders: `{tenant_id}`, `{custom_domain_id}`, `{domain}`, `{host}`.
+
+## Local development
+
+```bash
+npm run dev
+```
+
+`wrangler dev` runs against a **local SQLite-backed D1**. The dispatch namespace cannot be emulated locally — for end-to-end tests, deploy to a real Cloudflare account using `npm run dev:remote`.
+
+## Files
+
+- `src/index.ts` — dispatcher worker entrypoint
+- `src/types.ts` — Env interface (D1 binding + DISPATCHER namespace binding)
+- `wrangler.toml` — Cloudflare config (assets, D1, dispatch namespace)

package/dist/cloudflare-wfp-dispatcher/src/index.ts

@@ -0,0 +1,72 @@
+import { drizzle } from "drizzle-orm/d1";
+import { createProxyDataAdapter } from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import {
+  createProxyApp,
+  type ProxyDataAdapter,
+  type ResolvedHost,
+} from "@authhero/proxy";
+import type { Env } from "./types";
+
+// `tenant-{tenant_id}-auth` is the deploy convention used by this template's
+// per-tenant worker setup. Override with the SCRIPT_NAME_TEMPLATE env var or
+// by configuring proxy_routes rows per tenant for richer routing.
+const DEFAULT_SCRIPT_NAME_TEMPLATE = "tenant-{tenant_id}-auth";
+
+// If a host resolves to a known tenant but has no proxy_routes configured,
+// synthesize a single catch-all that dispatches to the tenant's auth worker
+// in the namespace. Operators who need middleware (CORS, headers, rate
+// limiting) per tenant can add real proxy_routes rows and this fallback
+// stays out of the way.
+function withDefaultDispatchRoute(
+  inner: ProxyDataAdapter,
+  binding: string,
+  scriptNameTemplate: string,
+): ProxyDataAdapter {
+  return {
+    proxyRoutes: inner.proxyRoutes,
+    resolveHost: async (host): Promise<ResolvedHost | null> => {
+      const resolved = await inner.resolveHost(host);
+      if (!resolved || resolved.routes.length > 0) return resolved;
+      const now = new Date(0).toISOString();
+      return {
+        ...resolved,
+        routes: [
+          {
+            id: `default-${resolved.custom_domain_id}`,
+            tenant_id: resolved.tenant_id,
+            custom_domain_id: resolved.custom_domain_id,
+            priority: 1000,
+            match: { path: "/*" },
+            handlers: [
+              {
+                type: "dispatch_namespace",
+                options: { binding, script_name: scriptNameTemplate },
+              },
+            ],
+            created_at: now,
+            updated_at: now,
+          },
+        ],
+      };
+    },
+  };
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const db = drizzle(env.AUTH_DB, { schema });
+    const data = withDefaultDispatchRoute(
+      createProxyDataAdapter(db),
+      "DISPATCHER",
+      env.SCRIPT_NAME_TEMPLATE || DEFAULT_SCRIPT_NAME_TEMPLATE,
+    );
+
+    const app = createProxyApp({
+      data,
+      bindings: { DISPATCHER: env.DISPATCHER },
+    });
+
+    return app.fetch(request);
+  },
+};

package/dist/cloudflare-wfp-dispatcher/src/types.ts

@@ -0,0 +1,17 @@
+/// <reference types="@cloudflare/workers-types" />
+
+export interface Env {
+  // The shared platform D1 database. Holds custom_domains (host -> tenant)
+  // and proxy_routes (optional per-host route overrides).
+  AUTH_DB: D1Database;
+
+  // The Cloudflare Workers for Platforms dispatch namespace where each
+  // tenant's auth worker is deployed. Wrangler binding configured in
+  // wrangler.toml as `[[dispatch_namespaces]] binding = "DISPATCHER"`.
+  DISPATCHER: DispatchNamespace;
+
+  // Optional template for resolving a tenant to a dispatch namespace
+  // script name. Defaults to `tenant-{tenant_id}-auth`. Supported
+  // placeholders: {tenant_id}, {custom_domain_id}, {domain}, {host}.
+  SCRIPT_NAME_TEMPLATE?: string;
+}

package/dist/cloudflare-wfp-dispatcher/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}

package/dist/cloudflare-wfp-dispatcher/wrangler.toml

@@ -0,0 +1,56 @@
+# ════════════════════════════════════════════════════════════════════════════
+# AuthHero WFP Dispatcher Configuration
+# ════════════════════════════════════════════════════════════════════════════
+# Thin Cloudflare Worker that resolves a request's Host header to a tenant
+# (via the shared platform D1) and dispatches to that tenant's full
+# authhero auth server, deployed as a script in the `authhero-tenants`
+# dispatch namespace.
+#
+# Tenant workers are deployed separately via the `cloudflare` template,
+# using `wrangler deploy --dispatch-namespace=authhero-tenants
+# --name=tenant-<id>-auth`.
+#
+# Sensitive IDs (database_id) go in wrangler.local.toml (gitignored) or
+# GitHub Secrets, not this file.
+# ════════════════════════════════════════════════════════════════════════════
+
+name = "authhero-wfp-dispatcher"
+main = "src/index.ts"
+compatibility_date = "2026-05-01"
+compatibility_flags = ["nodejs_compat"]
+
+# ════════════════════════════════════════════════════════════════════════════
+# Dispatch namespace binding
+# ════════════════════════════════════════════════════════════════════════════
+# Create the namespace once before the first deploy:
+#   npx wrangler dispatch-namespace create authhero-tenants
+[[dispatch_namespaces]]
+binding = "DISPATCHER"
+namespace = "authhero-tenants"
+
+# ════════════════════════════════════════════════════════════════════════════
+# Shared platform D1 database
+# ════════════════════════════════════════════════════════════════════════════
+# Same D1 that the tenant workers read/write. Holds custom_domains and
+# proxy_routes that drive the dispatcher's host -> tenant resolution.
+[[d1_databases]]
+binding = "AUTH_DB"
+database_name = "authhero-db"
+database_id = "local"  # Use "local" for local dev, or your actual ID in wrangler.local.toml
+migrations_dir = "node_modules/@authhero/drizzle/drizzle"
+
+# ════════════════════════════════════════════════════════════════════════════
+# OPTIONAL: Custom Domain
+# ════════════════════════════════════════════════════════════════════════════
+# Point your platform's wildcard or per-publisher custom domains at this
+# worker. The publishers' subdomains must resolve here so the dispatcher
+# can route into the namespace.
+#
+# [[routes]]
+# pattern = "*.auth.yourplatform.com/*"
+# zone_name = "yourplatform.com"
+
+# Optional: Enable observability for `wrangler tail` insight into dispatch
+# decisions and namespace invocation latency.
+# [observability]
+# enabled = true

package/dist/create-authhero.js

@@ -81,22 +81,19 @@ var c = new e(), l = {
 				},
 				dependencies: {
 					"@authhero/drizzle": a,
-					"@authhero/kysely-adapter": a,
 					...i && { "@authhero/admin": a },
 					"@authhero/widget": a,
 					"@hono/swagger-ui": "^0.5.0",
 					"@hono/zod-openapi": "^0.19.0",
 					authhero: a,
+					"drizzle-orm": "^0.44.0",
 					hono: "^4.6.0",
-					kysely: "latest",
-					"kysely-d1": "latest",
 					...t && { "@authhero/multi-tenancy": a },
 					...n && { bcryptjs: "latest" }
 				},
 				devDependencies: {
 					"@cloudflare/workers-types": "^4.0.0",
 					"drizzle-kit": "^0.31.0",
-					"drizzle-orm": "^0.44.0",
 					typescript: "^5.5.0",
 					wrangler: "^3.0.0"
 				}
@@ -104,6 +101,40 @@ var c = new e(), l = {
 		},
 		seedFile: "seed.ts"
 	},
+	"cloudflare-wfp-dispatcher": {
+		name: "Cloudflare Workers for Platforms — Dispatcher",
+		description: "Thin dispatcher worker that routes per-publisher custom domains to tenant auth workers in a dispatch namespace (pair with the `cloudflare` template for tenant workers)",
+		templateDir: "cloudflare-wfp-dispatcher",
+		packageJson: (e, t, n, r) => {
+			let i = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					dev: "wrangler dev --port 3001 --local-protocol https",
+					"dev:remote": "wrangler dev --port 3001 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					setup: "cp wrangler.toml wrangler.local.toml && echo '✅ Created wrangler.local.toml - update with your IDs'"
+				},
+				dependencies: {
+					"@authhero/drizzle": i,
+					"@authhero/proxy": i,
+					"drizzle-orm": "^0.44.0",
+					hono: "^4.6.0"
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		}
+	},
 	proxy: {
 		name: "Proxy (Cloudflare Workers)",
 		description: "Host-based reverse proxy on Cloudflare Workers — static config, no DB",
@@ -563,9 +594,9 @@ ${i}
 `;
 }
 function p(e) {
-	return `import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
+	return `import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
 import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 interface Env {
@@ -582,8 +613,7 @@ export default {
     const issuer = \`\${url.protocol}//\${url.host}/\`;
 
     try {
-      const dialect = new D1Dialect({ database: env.AUTH_DB });
-      const db = new Kysely<any>({ dialect });
+      const db = drizzle(env.AUTH_DB, { schema });
       let adapters = createAdapters(db, { useTransactions: false });
 
       if (env.ENCRYPTION_KEY) {
@@ -813,9 +843,12 @@ function C() {
 	console.log("\n" + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
 function w() {
-	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  WFP dispatcher running at https://localhost:3001"), console.log("📦 Pair with the `cloudflare` template to deploy tenant workers:"), console.log("   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth"), console.log("📖 See README.md for the full onboarding workflow"), console.log("─".repeat(50) + "\n");
 }
 function T() {
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
+}
+function E() {
 	console.log("\n" + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
 c.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, i) => {
@@ -835,9 +868,10 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 	i.template ? ([
 		"local",
 		"cloudflare",
+		"cloudflare-wfp-dispatcher",
 		"aws-sst",
 		"proxy"
-	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
+	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, cloudflare-wfp-dispatcher, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
 		type: "list",
 		name: "setupType",
 		message: "Select your setup type:",
@@ -852,6 +886,11 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 				value: "cloudflare",
 				short: l.cloudflare.name
 			},
+			{
+				name: `${l["cloudflare-wfp-dispatcher"].name}\n     ${l["cloudflare-wfp-dispatcher"].description}`,
+				value: "cloudflare-wfp-dispatcher",
+				short: l["cloudflare-wfp-dispatcher"].name
+			},
 			{
 				name: `${l["aws-sst"].name}\n     ${l["aws-sst"].description}`,
 				value: "aws-sst",
@@ -865,7 +904,7 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 		]
 	}])).setupType;
 	let h;
-	h = m === "proxy" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
+	h = m === "proxy" || m === "cloudflare-wfp-dispatcher" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
 		type: "confirm",
 		name: "multiTenant",
 		message: "Would you like to enable multi-tenant mode?",
@@ -878,27 +917,28 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 		message: "Would you like to include the admin UI at /admin?",
 		default: !0
 	}])).adminUi : i.adminUi, g && console.log("Admin UI: enabled (available at /admin)"));
-	let E = i.conformance || !1, D = i.conformanceAlias || "authhero-local";
-	E && console.log(`OpenID Conformance Suite: enabled (alias: ${D})`);
-	let O = i.workspace || !1;
-	O && console.log("Workspace mode: enabled (using workspace:* dependencies)");
-	let k = l[m];
-	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(k.packageJson(c, h, E, O, g), null, 2));
-	let A = k.templateDir, j = r.dirname(a(import.meta.url)), M = [r.join(j, A), r.join(j, "..", "templates", A)], N = M.find((e) => n.existsSync(e));
-	if (N ? u(N, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${M.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g), m === "cloudflare") {
+	let D = i.conformance || !1, O = i.conformanceAlias || "authhero-local";
+	D && console.log(`OpenID Conformance Suite: enabled (alias: ${O})`);
+	let k = i.workspace || !1;
+	k && console.log("Workspace mode: enabled (using workspace:* dependencies)");
+	let A = l[m];
+	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(A.packageJson(c, h, D, k, g), null, 2));
+	let j = A.templateDir, M = r.dirname(a(import.meta.url)), N = [r.join(M, j), r.join(M, "..", "templates", j)], P = N.find((e) => n.existsSync(e));
+	if (P ? u(P, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${N.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g), m === "cloudflare" || m === "cloudflare-wfp-dispatcher") {
 		let e = r.join(p, "wrangler.toml"), t = r.join(p, "wrangler.local.toml");
-		n.existsSync(e) && n.copyFileSync(e, t);
-		let i = r.join(p, ".dev.vars.example"), a = r.join(p, ".dev.vars");
-		n.existsSync(i) && (n.copyFileSync(i, a), n.appendFileSync(a, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		if (n.existsSync(e) && !n.existsSync(t) && n.copyFileSync(e, t), m === "cloudflare") {
+			let e = r.join(p, ".dev.vars.example"), t = r.join(p, ".dev.vars");
+			n.existsSync(e) && (n.copyFileSync(e, t), n.appendFileSync(t, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		} else console.log("📁 Created wrangler.local.toml for local development");
 	}
-	let P = !1;
-	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (P = (await t.prompt([{
+	let F = !1;
+	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (F = (await t.prompt([{
 		type: "confirm",
 		name: "includeGithubCi",
 		message: "Would you like to include GitHub CI with semantic versioning?",
 		default: !1
-	}])).includeGithubCi) : (P = i.githubCi, P && console.log("Including GitHub CI workflows with semantic versioning")), P && (y(p), b(p))), m === "local") {
-		let e = d(h, E, D, g);
+	}])).includeGithubCi) : (F = i.githubCi, F && console.log("Including GitHub CI workflows with semantic versioning")), F && (y(p), b(p))), m === "local") {
+		let e = d(h, D, O, g);
 		n.writeFileSync(r.join(p, "src/seed.ts"), e);
 		let t = f(h, g);
 		n.writeFileSync(r.join(p, "src/app.ts"), t);
@@ -909,9 +949,9 @@ ENCRYPTION_KEY=${s()}
 `;
 		n.writeFileSync(r.join(p, ".env"), i), console.log("🔒 Generated .env with an at-rest encryption key");
 	}
-	if (m === "aws-sst" && _(p, h), E) {
+	if (m === "aws-sst" && _(p, h), D) {
 		let e = {
-			alias: D,
+			alias: O,
 			description: "AuthHero Conformance Test",
 			server: { discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration" },
 			client: {
@@ -926,15 +966,15 @@ ENCRYPTION_KEY=${s()}
 		};
 		n.writeFileSync(r.join(p, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
 	}
-	let F = h ? "multi-tenant" : "single-tenant";
-	console.log(`\n✅ Project "${c}" has been created with ${k.name} (${F}) setup!\n`);
-	let I;
-	if (I = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
+	let I = h ? "multi-tenant" : "single-tenant";
+	console.log(`\n✅ Project "${c}" has been created with ${A.name} (${I}) setup!\n`);
+	let L;
+	if (L = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "shouldInstall",
 		message: "Would you like to install dependencies now?",
 		default: !0
-	}])).shouldInstall, I) {
+	}])).shouldInstall, L) {
 		let e;
 		i.packageManager ? ([
 			"npm",
@@ -981,11 +1021,11 @@ ENCRYPTION_KEY=${s()}
 				name: "shouldStart",
 				message: "Would you like to start the development server?",
 				default: !0
-			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T());
+			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "aws-sst" ? v() : m === "proxy" ? T() : E(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "aws-sst" ? v() : m === "proxy" ? T() : E());
 		} catch (e) {
 			console.error("\n❌ An error occurred:", e), process.exit(1);
 		}
 	}
-	I || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : 3e3}`), E && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${D}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
+	L || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "cloudflare-wfp-dispatcher" ? (console.log("  npm install"), console.log("  npm run setup  # creates wrangler.local.toml — paste your database_id"), console.log("  npx wrangler dispatch-namespace create authhero-tenants"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nDeploy tenant workers separately (`cloudflare` template):"), console.log("  wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : m === "cloudflare-wfp-dispatcher" ? 3001 : 3e3}`), D && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${O}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
 }), c.parse(process.argv);
 //#endregion

package/dist/proxy/src/index.ts

@@ -1,8 +1,5 @@
 import { AsyncLocalStorage } from "node:async_hooks";
-import {
-  createProxyApp,
-  createStaticProxyAdapter,
-} from "@authhero/proxy";
+import { createProxyApp, createStaticProxyAdapter } from "@authhero/proxy";
 import { proxyConfig } from "./proxy.config";
 
 // AsyncLocalStorage threads each request's ExecutionContext through to the
@@ -32,9 +29,8 @@ const app = createProxyApp({
 
 export default {
   fetch(request: Request, _env: unknown, ctx: ExecutionContext) {
-    return requestCtx.run(
-      { waitUntil: ctx.waitUntil.bind(ctx) },
-      () => app.fetch(request),
+    return requestCtx.run({ waitUntil: ctx.waitUntil.bind(ctx) }, () =>
+      app.fetch(request),
     );
   },
 };

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.45.0",
+  "version": "0.46.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {