create-authhero 0.45.0 → 0.47.0

package/dist/cloudflare-wfp-tenant/src/index.ts

@@ -0,0 +1,69 @@
+import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
+import {
+  AuthHeroConfig,
+  DataAdapters,
+  createEncryptedDataAdapter,
+  createEncryptedDataAdapterWithKeyRing,
+  loadEncryptionKey,
+  type KeyRing,
+} from "authhero";
+import { withRuntimeFallback } from "@authhero/multi-tenancy";
+import createApp from "./app";
+import { Env } from "./types";
+
+// The control plane tenant id whose projected defaults this tenant inherits.
+// Must match the control plane Worker's CONTROL_PLANE_TENANT_ID.
+const CONTROL_PLANE_TENANT_ID = "control_plane";
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const issuer = `${url.protocol}//${url.host}/`;
+    const origin = request.headers.get("Origin") || "";
+
+    const db = drizzle(env.AUTH_DB, { schema });
+    let dataAdapter: DataAdapters = createAdapters(db, {
+      useTransactions: false,
+    });
+
+    // Encrypt at rest. With both keys present, this tenant's own secrets use
+    // ENCRYPTION_KEY while control-plane-tenant rows (the inherited Google
+    // secret, etc.) use the "cp" key id — readable by this Worker, but opaque
+    // in a raw export of AUTH_DB.
+    if (env.ENCRYPTION_KEY && env.CONTROL_PLANE_ENCRYPTION_KEY) {
+      const ring: KeyRing = {
+        default: await loadEncryptionKey(env.ENCRYPTION_KEY),
+        keys: { cp: await loadEncryptionKey(env.CONTROL_PLANE_ENCRYPTION_KEY) },
+      };
+      dataAdapter = createEncryptedDataAdapterWithKeyRing(dataAdapter, ring, {
+        resolveEncryptKeyId: (tenantId) =>
+          tenantId === CONTROL_PLANE_TENANT_ID ? "cp" : undefined,
+      });
+    } else if (env.ENCRYPTION_KEY) {
+      // Single-key fallback (no inherited control-plane secrets).
+      dataAdapter = createEncryptedDataAdapter(
+        dataAdapter,
+        await loadEncryptionKey(env.ENCRYPTION_KEY),
+      );
+    }
+
+    // Resolve inherited defaults (connections by strategy, is_system resource
+    // servers, inheritable hooks, email provider) from the control-plane rows
+    // the rollout projected into THIS tenant's database — identical read path
+    // to a control-plane-colocated tenant.
+    dataAdapter = withRuntimeFallback(dataAdapter, {
+      controlPlaneTenantId: CONTROL_PLANE_TENANT_ID,
+    });
+
+    const config: AuthHeroConfig = {
+      dataAdapter,
+      allowedOrigins: [origin].filter(Boolean),
+    };
+
+    const app = createApp(config);
+
+    return app.fetch(request, { ...env, ISSUER: issuer });
+  },
+};

package/dist/cloudflare-wfp-tenant/src/types.ts

@@ -0,0 +1,16 @@
+/// <reference types="@cloudflare/workers-types" />
+
+export interface Env {
+  // This tenant's own D1 database. Each WFP tenant Worker has its own.
+  AUTH_DB: D1Database;
+
+  // Base64-encoded 32-byte key for this tenant's own secrets at rest.
+  // `wrangler secret put ENCRYPTION_KEY` (per tenant Worker).
+  ENCRYPTION_KEY?: string;
+
+  // Base64-encoded 32-byte CONTROL PLANE key. Decrypts the shared secrets
+  // (e.g. Google client_secret) that the control plane projected into this
+  // tenant's database under the "cp" key id. The Worker holds it as a binding;
+  // a raw export of AUTH_DB cannot be decrypted without it.
+  CONTROL_PLANE_ENCRYPTION_KEY?: string;
+}

package/dist/cloudflare-wfp-tenant/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["@cloudflare/workers-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules"]
+}

package/dist/cloudflare-wfp-tenant/wrangler.toml

@@ -0,0 +1,46 @@
+# ════════════════════════════════════════════════════════════════════════════
+# AuthHero WFP Tenant Worker
+# ════════════════════════════════════════════════════════════════════════════
+# The full authhero app for ONE tenant, deployed into the `authhero-tenants`
+# dispatch namespace and fronted by the WFP dispatcher. It reads only its own
+# D1 and inherits the control plane's defaults from rows the control plane
+# rollout projected into that D1.
+#
+# Deploy into the namespace (one per tenant):
+#   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth
+#
+# Sensitive IDs (database_id) go in wrangler.local.toml (gitignored).
+# ════════════════════════════════════════════════════════════════════════════
+
+name = "tenant-auth"
+main = "src/index.ts"
+compatibility_date = "2026-05-01"
+compatibility_flags = ["nodejs_compat"]
+
+[assets]
+directory = "./dist/assets"
+
+# ════════════════════════════════════════════════════════════════════════════
+# This tenant's own D1 database
+# ════════════════════════════════════════════════════════════════════════════
+# Each tenant Worker has its own database. Create one per tenant and set its id
+# in wrangler.local.toml:
+#   npx wrangler d1 create tenant-<id>-db
+[[d1_databases]]
+binding = "AUTH_DB"
+database_name = "tenant-db"
+database_id = "local"  # Use "local" for local dev, or your actual ID in wrangler.local.toml
+migrations_dir = "node_modules/@authhero/drizzle/drizzle"
+
+# ════════════════════════════════════════════════════════════════════════════
+# Encryption keys (set as secrets, not here)
+# ════════════════════════════════════════════════════════════════════════════
+#   wrangler secret put ENCRYPTION_KEY                  # this tenant's own key
+#   wrangler secret put CONTROL_PLANE_ENCRYPTION_KEY    # shared "cp" key
+#
+# CONTROL_PLANE_ENCRYPTION_KEY must be byte-identical to the key the control
+# plane used to project this tenant's inherited secrets, or they won't decrypt.
+
+# Optional: Enable observability
+# [observability]
+# enabled = true

package/dist/create-authhero.js

@@ -81,22 +81,19 @@ var c = new e(), l = {
 				},
 				dependencies: {
 					"@authhero/drizzle": a,
-					"@authhero/kysely-adapter": a,
 					...i && { "@authhero/admin": a },
 					"@authhero/widget": a,
 					"@hono/swagger-ui": "^0.5.0",
 					"@hono/zod-openapi": "^0.19.0",
 					authhero: a,
+					"drizzle-orm": "^0.44.0",
 					hono: "^4.6.0",
-					kysely: "latest",
-					"kysely-d1": "latest",
 					...t && { "@authhero/multi-tenancy": a },
 					...n && { bcryptjs: "latest" }
 				},
 				devDependencies: {
 					"@cloudflare/workers-types": "^4.0.0",
 					"drizzle-kit": "^0.31.0",
-					"drizzle-orm": "^0.44.0",
 					typescript: "^5.5.0",
 					wrangler: "^3.0.0"
 				}
@@ -104,6 +101,127 @@ var c = new e(), l = {
 		},
 		seedFile: "seed.ts"
 	},
+	"cloudflare-wfp-dispatcher": {
+		name: "Cloudflare Workers for Platforms — Dispatcher",
+		description: "Thin dispatcher worker that routes per-publisher custom domains to tenant auth workers in a dispatch namespace (pair with the `cloudflare` template for tenant workers)",
+		templateDir: "cloudflare-wfp-dispatcher",
+		packageJson: (e, t, n, r) => {
+			let i = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					dev: "wrangler dev --port 3001 --local-protocol https",
+					"dev:remote": "wrangler dev --port 3001 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					setup: "cp wrangler.toml wrangler.local.toml && echo '✅ Created wrangler.local.toml - update with your IDs'"
+				},
+				dependencies: {
+					"@authhero/drizzle": i,
+					"@authhero/proxy": i,
+					"drizzle-orm": "^0.44.0",
+					hono: "^4.6.0"
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		}
+	},
+	"cloudflare-wfp-tenant": {
+		name: "Cloudflare Workers for Platforms — Tenant Worker",
+		description: "Per-tenant authhero worker (own D1) that inherits control plane defaults via runtime fallback + keyed encryption (deploy into the dispatch namespace; pair with the control-plane template)",
+		templateDir: "cloudflare-wfp-tenant",
+		packageJson: (e, t, n, r) => {
+			let i = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					postinstall: "node copy-assets.js",
+					"copy-assets": "node copy-assets.js",
+					dev: "node copy-assets.js && wrangler dev --port 3002 --local-protocol https",
+					"dev:remote": "node copy-assets.js && wrangler dev --port 3002 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "node copy-assets.js && wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs and CONTROL_PLANE_ENCRYPTION_KEY'",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.dev.vars scripts/decrypt-field.mjs"
+				},
+				dependencies: {
+					"@authhero/drizzle": i,
+					"@authhero/multi-tenancy": i,
+					"@authhero/widget": i,
+					"@hono/swagger-ui": "^0.5.0",
+					"@hono/zod-openapi": "^0.19.0",
+					authhero: i,
+					"drizzle-orm": "^0.44.0",
+					hono: "^4.6.0"
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		}
+	},
+	"cloudflare-control-plane": {
+		name: "Cloudflare Workers for Platforms — Control Plane",
+		description: "Control plane worker: tenant management + rollout source that projects default connections/prompts/branding into each WFP tenant's database (pair with the dispatcher and tenant templates)",
+		templateDir: "cloudflare-control-plane",
+		packageJson: (e, t, n, r) => {
+			let i = r ? "workspace:*" : "latest";
+			return {
+				name: e,
+				version: "1.0.0",
+				type: "module",
+				scripts: {
+					postinstall: "node copy-assets.js",
+					"copy-assets": "node copy-assets.js",
+					dev: "node copy-assets.js && wrangler dev --port 3000 --local-protocol https",
+					"dev:remote": "node copy-assets.js && wrangler dev --port 3000 --local-protocol https --remote --config wrangler.local.toml",
+					deploy: "node copy-assets.js && wrangler deploy --config wrangler.local.toml",
+					"db:migrate:local": "wrangler d1 migrations apply AUTH_DB --local",
+					"db:migrate:remote": "wrangler d1 migrations apply AUTH_DB --remote --config wrangler.local.toml",
+					migrate: "wrangler d1 migrations apply AUTH_DB --local",
+					"seed:local": "node seed-helper.js",
+					"seed:remote": "node seed-helper.js '' '' remote",
+					seed: "node seed-helper.js",
+					setup: "cp wrangler.toml wrangler.local.toml && cp .dev.vars.example .dev.vars && echo '✅ Created wrangler.local.toml and .dev.vars - update with your IDs and CONTROL_PLANE_ENCRYPTION_KEY'",
+					"gen:key": "node scripts/generate-encryption-key.mjs",
+					decrypt: "node --env-file=.dev.vars scripts/decrypt-field.mjs"
+				},
+				dependencies: {
+					"@authhero/drizzle": i,
+					"@authhero/multi-tenancy": i,
+					"@authhero/widget": i,
+					"@hono/swagger-ui": "^0.5.0",
+					"@hono/zod-openapi": "^0.19.0",
+					authhero: i,
+					"drizzle-orm": "^0.44.0",
+					hono: "^4.6.0"
+				},
+				devDependencies: {
+					"@cloudflare/workers-types": "^4.0.0",
+					"drizzle-kit": "^0.31.0",
+					typescript: "^5.5.0",
+					wrangler: "^3.0.0"
+				}
+			};
+		}
+	},
 	proxy: {
 		name: "Proxy (Cloudflare Workers)",
 		description: "Host-based reverse proxy on Cloudflare Workers — static config, no DB",
@@ -563,9 +681,9 @@ ${i}
 `;
 }
 function p(e) {
-	return `import { D1Dialect } from "kysely-d1";
-import { Kysely } from "kysely";
-import createAdapters from "@authhero/kysely-adapter";
+	return `import { drizzle } from "drizzle-orm/d1";
+import createAdapters from "@authhero/drizzle";
+import * as schema from "@authhero/drizzle/schema/sqlite";
 import { seed, createEncryptedDataAdapter, loadEncryptionKey } from "authhero";
 
 interface Env {
@@ -582,8 +700,7 @@ export default {
     const issuer = \`\${url.protocol}//\${url.host}/\`;
 
     try {
-      const dialect = new D1Dialect({ database: env.AUTH_DB });
-      const db = new Kysely<any>({ dialect });
+      const db = drizzle(env.AUTH_DB, { schema });
       let adapters = createAdapters(db, { useTransactions: false });
 
       if (env.ENCRYPTION_KEY) {
@@ -813,9 +930,18 @@ function C() {
 	console.log("\n" + "─".repeat(50)), console.log("🔐 AuthHero server running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
 function w() {
-	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  WFP dispatcher running at https://localhost:3001"), console.log("📦 Pair with the `cloudflare` template to deploy tenant workers:"), console.log("   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth"), console.log("📖 See README.md for the full onboarding workflow"), console.log("─".repeat(50) + "\n");
 }
 function T() {
+	console.log("\n" + "─".repeat(50)), console.log("🏠 WFP tenant worker running at https://localhost:3002"), console.log("🔑 Set CONTROL_PLANE_ENCRYPTION_KEY in .dev.vars to match the"), console.log("   control plane, then run the control plane's sync-defaults."), console.log("📦 Deploy into the namespace:"), console.log("   wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth"), console.log("─".repeat(50) + "\n");
+}
+function E() {
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  Control plane running at https://localhost:3000"), console.log("🚀 Open https://localhost:3000/setup to complete initial setup"), console.log("🔁 Project defaults into a tenant: POST /internal/tenants/:id/sync-defaults"), console.log("   (wire buildTenantAdapters() in src/index.ts and protect the route first)"), console.log("─".repeat(50) + "\n");
+}
+function D() {
+	console.log("\n" + "─".repeat(50)), console.log("🛰️  AuthHero proxy running at http://localhost:8787"), console.log("✏️  Edit src/proxy.config.ts to add hosts and routes"), console.log("📖 See README.md for deployment instructions"), console.log("─".repeat(50) + "\n");
+}
+function O() {
 	console.log("\n" + "─".repeat(50)), console.log("✅ Self-signed certificates generated with openssl"), console.log("⚠️  You may need to trust the certificate in your browser"), console.log("🔐 AuthHero server running at http://localhost:3000"), console.log("📚 API documentation available at http://localhost:3000/docs"), console.log("🚀 Open http://localhost:3000/setup to complete initial setup"), console.log("─".repeat(50) + "\n");
 }
 c.version("1.0.0").description("Create a new AuthHero project").argument("[project-name]", "name of the project").option("-t, --template <type>", "template type: local, cloudflare, aws-sst, or proxy").option("--package-manager <pm>", "package manager to use: npm, yarn, pnpm, or bun").option("--multi-tenant", "enable multi-tenant mode").option("--admin-ui", "include admin UI at /admin").option("--skip-install", "skip installing dependencies").option("--skip-migrate", "skip running database migrations").option("--skip-start", "skip starting the development server").option("--github-ci", "include GitHub CI workflows with semantic versioning").option("--conformance", "add OpenID conformance suite test clients").option("--conformance-alias <alias>", "alias for conformance suite (default: authhero-local)").option("--workspace", "use workspace:* dependencies for local monorepo development").option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (e, i) => {
@@ -835,9 +961,12 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 	i.template ? ([
 		"local",
 		"cloudflare",
+		"cloudflare-wfp-dispatcher",
+		"cloudflare-wfp-tenant",
+		"cloudflare-control-plane",
 		"aws-sst",
 		"proxy"
-	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
+	].includes(i.template) || (console.error(`❌ Invalid template: ${i.template}`), console.error("Valid options: local, cloudflare, cloudflare-wfp-dispatcher, cloudflare-wfp-tenant, cloudflare-control-plane, aws-sst, proxy"), process.exit(1)), m = i.template, console.log(`Using template: ${l[m].name}`)) : m = (await t.prompt([{
 		type: "list",
 		name: "setupType",
 		message: "Select your setup type:",
@@ -852,6 +981,21 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 				value: "cloudflare",
 				short: l.cloudflare.name
 			},
+			{
+				name: `${l["cloudflare-wfp-dispatcher"].name}\n     ${l["cloudflare-wfp-dispatcher"].description}`,
+				value: "cloudflare-wfp-dispatcher",
+				short: l["cloudflare-wfp-dispatcher"].name
+			},
+			{
+				name: `${l["cloudflare-control-plane"].name}\n     ${l["cloudflare-control-plane"].description}`,
+				value: "cloudflare-control-plane",
+				short: l["cloudflare-control-plane"].name
+			},
+			{
+				name: `${l["cloudflare-wfp-tenant"].name}\n     ${l["cloudflare-wfp-tenant"].description}`,
+				value: "cloudflare-wfp-tenant",
+				short: l["cloudflare-wfp-tenant"].name
+			},
 			{
 				name: `${l["aws-sst"].name}\n     ${l["aws-sst"].description}`,
 				value: "aws-sst",
@@ -865,7 +1009,7 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 		]
 	}])).setupType;
 	let h;
-	h = m === "proxy" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
+	h = m === "cloudflare-control-plane" ? !0 : m === "proxy" || m === "cloudflare-wfp-dispatcher" || m === "cloudflare-wfp-tenant" ? !1 : i.multiTenant === void 0 ? o ? !1 : (await t.prompt([{
 		type: "confirm",
 		name: "multiTenant",
 		message: "Would you like to enable multi-tenant mode?",
@@ -878,27 +1022,30 @@ c.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 		message: "Would you like to include the admin UI at /admin?",
 		default: !0
 	}])).adminUi : i.adminUi, g && console.log("Admin UI: enabled (available at /admin)"));
-	let E = i.conformance || !1, D = i.conformanceAlias || "authhero-local";
-	E && console.log(`OpenID Conformance Suite: enabled (alias: ${D})`);
-	let O = i.workspace || !1;
-	O && console.log("Workspace mode: enabled (using workspace:* dependencies)");
-	let k = l[m];
-	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(k.packageJson(c, h, E, O, g), null, 2));
-	let A = k.templateDir, j = r.dirname(a(import.meta.url)), M = [r.join(j, A), r.join(j, "..", "templates", A)], N = M.find((e) => n.existsSync(e));
-	if (N ? u(N, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${M.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g), m === "cloudflare") {
+	let k = i.conformance || !1, A = i.conformanceAlias || "authhero-local";
+	k && console.log(`OpenID Conformance Suite: enabled (alias: ${A})`);
+	let j = i.workspace || !1;
+	j && console.log("Workspace mode: enabled (using workspace:* dependencies)");
+	let M = l[m];
+	n.mkdirSync(p, { recursive: !0 }), n.writeFileSync(r.join(p, "package.json"), JSON.stringify(M.packageJson(c, h, k, j, g), null, 2));
+	let N = M.templateDir, P = r.dirname(a(import.meta.url)), F = [r.join(P, N), r.join(P, "..", "templates", N)], I = F.find((e) => n.existsSync(e));
+	I ? u(I, p) : (console.error(`❌ Template directory not found. Looked in:\n  ${F.join("\n  ")}`), process.exit(1)), m === "cloudflare" && S(p, h, g);
+	let L = m === "cloudflare" || m === "cloudflare-wfp-dispatcher" || m === "cloudflare-wfp-tenant" || m === "cloudflare-control-plane", R = m === "cloudflare" || m === "cloudflare-wfp-tenant" || m === "cloudflare-control-plane", z = m === "cloudflare-wfp-tenant" || m === "cloudflare-control-plane";
+	if (L) {
 		let e = r.join(p, "wrangler.toml"), t = r.join(p, "wrangler.local.toml");
-		n.existsSync(e) && n.copyFileSync(e, t);
-		let i = r.join(p, ".dev.vars.example"), a = r.join(p, ".dev.vars");
-		n.existsSync(i) && (n.copyFileSync(i, a), n.appendFileSync(a, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		if (n.existsSync(e) && !n.existsSync(t) && n.copyFileSync(e, t), R) {
+			let e = r.join(p, ".dev.vars.example"), t = r.join(p, ".dev.vars");
+			n.existsSync(e) && (n.copyFileSync(e, t), n.appendFileSync(t, `\n# Generated at-rest encryption key (local dev). Use a separate secret in production.\nENCRYPTION_KEY=${s()}\n`), z ? (n.appendFileSync(t, `# Shared control-plane key id "cp". Must be byte-identical across the control plane and every tenant worker.\nCONTROL_PLANE_ENCRYPTION_KEY=${s()}\n`), console.log("🔒 Added generated ENCRYPTION_KEY + CONTROL_PLANE_ENCRYPTION_KEY to .dev.vars"), console.log("⚠️  Align CONTROL_PLANE_ENCRYPTION_KEY across the control plane and all tenant workers.")) : console.log("🔒 Added a generated ENCRYPTION_KEY to .dev.vars")), console.log("📁 Created wrangler.local.toml and .dev.vars for local development");
+		} else console.log("📁 Created wrangler.local.toml for local development");
 	}
-	let P = !1;
-	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (P = (await t.prompt([{
+	let B = !1;
+	if (m === "cloudflare" && (i.githubCi === void 0 ? o || (B = (await t.prompt([{
 		type: "confirm",
 		name: "includeGithubCi",
 		message: "Would you like to include GitHub CI with semantic versioning?",
 		default: !1
-	}])).includeGithubCi) : (P = i.githubCi, P && console.log("Including GitHub CI workflows with semantic versioning")), P && (y(p), b(p))), m === "local") {
-		let e = d(h, E, D, g);
+	}])).includeGithubCi) : (B = i.githubCi, B && console.log("Including GitHub CI workflows with semantic versioning")), B && (y(p), b(p))), m === "local") {
+		let e = d(h, k, A, g);
 		n.writeFileSync(r.join(p, "src/seed.ts"), e);
 		let t = f(h, g);
 		n.writeFileSync(r.join(p, "src/app.ts"), t);
@@ -909,9 +1056,9 @@ ENCRYPTION_KEY=${s()}
 `;
 		n.writeFileSync(r.join(p, ".env"), i), console.log("🔒 Generated .env with an at-rest encryption key");
 	}
-	if (m === "aws-sst" && _(p, h), E) {
+	if (m === "aws-sst" && _(p, h), k) {
 		let e = {
-			alias: D,
+			alias: A,
 			description: "AuthHero Conformance Test",
 			server: { discoveryUrl: "http://host.docker.internal:3000/.well-known/openid-configuration" },
 			client: {
@@ -926,15 +1073,15 @@ ENCRYPTION_KEY=${s()}
 		};
 		n.writeFileSync(r.join(p, "conformance-config.json"), JSON.stringify(e, null, 2)), console.log("📝 Created conformance-config.json for OpenID Conformance Suite");
 	}
-	let F = h ? "multi-tenant" : "single-tenant";
-	console.log(`\n✅ Project "${c}" has been created with ${k.name} (${F}) setup!\n`);
-	let I;
-	if (I = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
+	let V = h ? "multi-tenant" : "single-tenant";
+	console.log(`\n✅ Project "${c}" has been created with ${M.name} (${V}) setup!\n`);
+	let H;
+	if (H = i.skipInstall ? !1 : o ? !0 : (await t.prompt([{
 		type: "confirm",
 		name: "shouldInstall",
 		message: "Would you like to install dependencies now?",
 		default: !0
-	}])).shouldInstall, I) {
+	}])).shouldInstall, H) {
 		let e;
 		i.packageManager ? ([
 			"npm",
@@ -966,7 +1113,7 @@ ENCRYPTION_KEY=${s()}
 			default: "pnpm"
 		}])).packageManager, console.log(`\n📦 Installing dependencies with ${e}...\n`);
 		try {
-			if (await x(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, p), m === "local" && (console.log("\n🔧 Building native modules...\n"), await x("npm rebuild better-sqlite3", p)), console.log("\n✅ Dependencies installed successfully!\n"), (m === "local" || m === "cloudflare") && !i.skipMigrate) {
+			if (await x(e === "pnpm" ? "pnpm install --ignore-workspace" : `${e} install`, p), m === "local" && (console.log("\n🔧 Building native modules...\n"), await x("npm rebuild better-sqlite3", p)), console.log("\n✅ Dependencies installed successfully!\n"), (m === "local" || m === "cloudflare" || m === "cloudflare-wfp-tenant" || m === "cloudflare-control-plane") && !i.skipMigrate) {
 				let n;
 				n = o ? !0 : (await t.prompt([{
 					type: "confirm",
@@ -981,11 +1128,11 @@ ENCRYPTION_KEY=${s()}
 				name: "shouldStart",
 				message: "Would you like to start the development server?",
 				default: !0
-			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "aws-sst" ? v() : m === "proxy" ? w() : T());
+			}])).shouldStart, n && (m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "cloudflare-wfp-tenant" ? T() : m === "cloudflare-control-plane" ? E() : m === "aws-sst" ? v() : m === "proxy" ? D() : O(), console.log("🚀 Starting development server...\n"), await x(`${e} run dev`, p)), o && !n && (console.log("\n✅ Setup complete!"), console.log("\nTo start the development server:"), console.log(`  cd ${c}`), console.log("  npm run dev"), m === "cloudflare" ? C() : m === "cloudflare-wfp-dispatcher" ? w() : m === "cloudflare-wfp-tenant" ? T() : m === "cloudflare-control-plane" ? E() : m === "aws-sst" ? v() : m === "proxy" ? D() : O());
 		} catch (e) {
 			console.error("\n❌ An error occurred:", e), process.exit(1);
 		}
 	}
-	I || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : 3e3}`), E && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${D}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
+	H || (console.log("Next steps:"), console.log(`  cd ${c}`), m === "local" ? (console.log("  npm install"), console.log("  npm run migrate"), console.log("  npm run dev"), console.log("\nOpen http://localhost:3000/setup to complete initial setup")) : m === "cloudflare" ? (console.log("  npm install"), console.log("  npm run migrate  # or npm run db:migrate:remote for production"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nOpen https://localhost:3000/setup to complete initial setup")) : m === "cloudflare-wfp-dispatcher" ? (console.log("  npm install"), console.log("  npm run setup  # creates wrangler.local.toml — paste your database_id"), console.log("  npx wrangler dispatch-namespace create authhero-tenants"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nDeploy tenant workers separately (`cloudflare` template):"), console.log("  wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth")) : m === "cloudflare-control-plane" ? (console.log("  npm install"), console.log("  npm run setup  # creates wrangler.local.toml + .dev.vars"), console.log("  # set CONTROL_PLANE_ENCRYPTION_KEY in .dev.vars (share it with every tenant worker)"), console.log("  npm run migrate"), console.log("  npm run seed"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nWire buildTenantAdapters() in src/index.ts, then project defaults:"), console.log("  POST /internal/tenants/:id/sync-defaults")) : m === "cloudflare-wfp-tenant" ? (console.log("  npm install"), console.log("  npm run setup  # creates wrangler.local.toml + .dev.vars"), console.log("  # set CONTROL_PLANE_ENCRYPTION_KEY in .dev.vars (must match the control plane)"), console.log("  npm run migrate"), console.log("  npm run dev  # or npm run dev:remote for production"), console.log("\nDeploy into the dispatch namespace:"), console.log("  wrangler deploy --dispatch-namespace=authhero-tenants --name=tenant-<id>-auth")) : m === "aws-sst" ? (console.log("  npm install"), console.log("  npm run dev  # Deploys to AWS in development mode"), console.log("\nOpen your server URL /setup to complete initial setup")) : m === "proxy" && (console.log("  npm install"), console.log("  npm run dev"), console.log("\nEdit src/proxy.config.ts to add hosts and routes")), console.log(`\nServer will be available at: http://localhost:${m === "proxy" ? 8787 : m === "cloudflare-wfp-dispatcher" ? 3001 : m === "cloudflare-wfp-tenant" ? 3002 : 3e3}`), k && (console.log("\n🧪 OpenID Conformance Suite Testing:"), console.log("  1. Clone and start the conformance suite (if not already running):"), console.log("     git clone https://gitlab.com/openid/conformance-suite.git"), console.log("     cd conformance-suite && mvn clean package"), console.log("     docker-compose up -d"), console.log("  2. Open https://localhost.emobix.co.uk:8443"), console.log("  3. Create a test plan and use conformance-config.json for settings"), console.log(`  4. Use alias: ${A}`)), console.log("\nFor more information, visit: https://authhero.net/docs\n"));
 }), c.parse(process.argv);
 //#endregion

package/dist/proxy/src/index.ts

@@ -1,8 +1,5 @@
 import { AsyncLocalStorage } from "node:async_hooks";
-import {
-  createProxyApp,
-  createStaticProxyAdapter,
-} from "@authhero/proxy";
+import { createProxyApp, createStaticProxyAdapter } from "@authhero/proxy";
 import { proxyConfig } from "./proxy.config";
 
 // AsyncLocalStorage threads each request's ExecutionContext through to the
@@ -32,9 +29,8 @@ const app = createProxyApp({
 
 export default {
   fetch(request: Request, _env: unknown, ctx: ExecutionContext) {
-    return requestCtx.run(
-      { waitUntil: ctx.waitUntil.bind(ctx) },
-      () => app.fetch(request),
+    return requestCtx.run({ waitUntil: ctx.waitUntil.bind(ctx) }, () =>
+      app.fetch(request),
     );
   },
 };

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.45.0",
+  "version": "0.47.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {