create-forgeon 0.3.16 → 0.3.18

package/src/modules/sync-integrations.mjs

@@ -1,66 +1,31 @@
 import fs from 'node:fs';
 import path from 'node:path';
-import { copyRecursive } from '../utils/fs.mjs';
-import { ensureLineAfter } from './shared/patch-utils.mjs';
 
-const PRISMA_AUTH_STORE_TEMPLATE = path.join(
-  'templates',
-  'module-presets',
-  'jwt-auth',
-  'apps',
-  'api',
-  'src',
-  'auth',
-  'prisma-auth-refresh-token.store.ts',
-);
+const ACCOUNTS_RBAC_MARKERS = {
+  start: '<!-- forgeon:accounts:rbac:start -->',
+  end: '<!-- forgeon:accounts:rbac:end -->',
+};
 
-const PRISMA_AUTH_MIGRATION_TEMPLATE = path.join(
-  'templates',
-  'module-presets',
-  'jwt-auth',
-  'apps',
-  'api',
-  'prisma',
-  'migrations',
-  '0002_auth_refresh_token_hash',
-);
+const ACCOUNTS_RBAC_ENABLED_BLOCK =
+  '- RBAC compatibility sync: contracts and JWT payload surfaces are prepared for optional RBAC claims, while the base accounts schema remains free of roles and permissions.';
 
-const AUTH_PERSISTENCE_STRATEGIES = [
+const INTEGRATION_GROUPS = [
   {
-    id: 'db-prisma',
-    capability: 'db-adapter',
-    providerLabel: 'db-prisma',
-    participants: ['jwt-auth', 'db-adapter'],
-    relatedModules: ['jwt-auth', 'db-prisma'],
+    id: 'accounts-rbac',
+    title: 'Accounts RBAC Compatibility Sync',
+    participants: ['accounts', 'rbac'],
+    relatedModules: ['accounts', 'rbac'],
     description: [
-      'Patch AppModule to wire AUTH_REFRESH_TOKEN_STORE to the current db-adapter implementation (today: PrismaAuthRefreshTokenStore)',
-      'Add apps/api/src/auth/prisma-auth-refresh-token.store.ts',
-      'Extend Prisma User model with refreshTokenHash and add migration 0002_auth_refresh_token_hash',
-      'Update JWT auth README note to reflect db-adapter-backed refresh-token persistence',
+      'Add optional roles and permissions fields to accounts auth claims types',
+      'Keep the base accounts schema unchanged while exposing a compatibility seam for future RBAC claims providers',
+      'Update the generated README managed note for accounts + rbac compatibility',
     ],
-    isDetected: (detected) => detected.dbPrisma,
-    isPending: isAuthPersistencePending,
-    apply: syncJwtDbPrisma,
+    isAvailable: (detected) => detected.accounts && detected.rbac,
+    isPending: (rootDir) => isAccountsRbacPending(rootDir),
+    apply: syncAccountsRbacCompatibility,
   },
 ];
 
-const JWT_AUTH_PERSISTENCE_MARKERS = {
-  start: '<!-- forgeon:jwt-auth:persistence:start -->',
-  end: '<!-- forgeon:jwt-auth:persistence:end -->',
-};
-
-const JWT_AUTH_RBAC_MARKERS = {
-  start: '<!-- forgeon:jwt-auth:rbac:start -->',
-  end: '<!-- forgeon:jwt-auth:rbac:end -->',
-};
-
-const JWT_AUTH_DB_PRISMA_PERSISTENCE_BLOCK = [
-  '- refresh token persistence: enabled through the `db-adapter` capability (current provider: `db-prisma`)',
-  '- migration: `apps/api/prisma/migrations/0002_auth_refresh_token_hash`',
-].join('\n');
-
-const JWT_AUTH_RBAC_ENABLED_BLOCK = '- RBAC integration: demo auth tokens include `health.rbac` permission';
-
 function escapeRegExp(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
@@ -72,429 +37,143 @@ function replaceReadmeManagedBlock(content, startMarker, endMarker, nextBody) {
   }
   return content.replace(pattern, `${startMarker}\n${nextBody}\n${endMarker}`);
 }
-function isAuthPersistencePending(rootDir) {
-  const appModulePath = path.join(rootDir, 'apps', 'api', 'src', 'app.module.ts');
-  const schemaPath = path.join(rootDir, 'apps', 'api', 'prisma', 'schema.prisma');
-  const storePath = path.join(rootDir, 'apps', 'api', 'src', 'auth', 'prisma-auth-refresh-token.store.ts');
-  const migrationPath = path.join(
-    rootDir,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '0002_auth_refresh_token_hash',
-    'migration.sql',
-  );
-
-  if (!fs.existsSync(appModulePath) || !fs.existsSync(schemaPath)) {
-    return false;
-  }
-
-  const appModule = fs.readFileSync(appModulePath, 'utf8');
-  const schema = fs.readFileSync(schemaPath, 'utf8');
-
-  const hasModuleWiring =
-    appModule.includes('refreshTokenStoreProvider') &&
-    appModule.includes('PrismaAuthRefreshTokenStore') &&
-    appModule.includes('AUTH_REFRESH_TOKEN_STORE');
-  const hasSchema = schema.includes('refreshTokenHash');
-  const hasStoreFile = fs.existsSync(storePath);
-  const hasMigration = fs.existsSync(migrationPath);
-
-  return !(hasModuleWiring && hasSchema && hasStoreFile && hasMigration);
-}
-
-function isAuthRbacPending(rootDir) {
-  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
-  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
-  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
-
-  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
-    return false;
-  }
-
-  const authContracts = fs.readFileSync(authContractsPath, 'utf8');
-  const authService = fs.readFileSync(authServicePath, 'utf8');
-  const authController = fs.readFileSync(authControllerPath, 'utf8');
-
-  const hasContracts = authContracts.includes('permissions?: string[];');
-  const hasDemoClaims = authService.includes("permissions: ['health.rbac']");
-  const hasPayloadClaims = authService.includes('permissions: user.permissions,');
-  const hasRefreshClaims = authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],');
-  const hasControllerClaims =
-    authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],');
-
-  return !(hasContracts && hasDemoClaims && hasPayloadClaims && hasRefreshClaims && hasControllerClaims);
-}
-
-const INTEGRATION_GROUPS = [
-  {
-    id: 'auth-persistence',
-    title: 'Auth Persistence Integration',
-    participants: ['jwt-auth', 'db-adapter'],
-    relatedModules: ['jwt-auth', 'db-prisma'],
-    description: (detected) => getAuthPersistenceDescription(detected),
-    isAvailable: (detected) => detected.jwtAuth && hasSingleAuthPersistenceStrategy(detected),
-    isPending: (rootDir, detected) => isAuthPersistencePendingForDetected(rootDir, detected),
-    apply: applyAuthPersistenceSync,
-  },
-  {
-    id: 'auth-rbac-claims',
-    title: 'Auth Claims Integration',
-    participants: ['jwt-auth', 'rbac'],
-    relatedModules: ['jwt-auth', 'rbac'],
-    description: [
-      'Extend AuthUser with optional permissions in @forgeon/auth-contracts',
-      'Add demo RBAC claims to jwt-auth login and token payloads',
-      'Expose permissions in auth refresh and /me responses',
-      'Update JWT auth README note about RBAC demo claims',
-    ],
-    isAvailable: (detected) => detected.jwtAuth && detected.rbac,
-    isPending: (rootDir) => isAuthRbacPending(rootDir),
-    apply: syncJwtRbacClaims,
-  },
-];
 
 function detectModules(rootDir) {
   const appModulePath = path.join(rootDir, 'apps', 'api', 'src', 'app.module.ts');
   const appModuleText = fs.existsSync(appModulePath) ? fs.readFileSync(appModulePath, 'utf8') : '';
 
   return {
-    jwtAuth:
-      fs.existsSync(path.join(rootDir, 'packages', 'auth-api', 'package.json')) ||
-      appModuleText.includes("from '@forgeon/auth-api'"),
+    accounts:
+      fs.existsSync(path.join(rootDir, 'packages', 'accounts-api', 'package.json')) ||
+      appModuleText.includes("from '@forgeon/accounts-api'"),
     rbac:
       fs.existsSync(path.join(rootDir, 'packages', 'rbac', 'package.json')) ||
       appModuleText.includes("from '@forgeon/rbac'"),
-    dbPrisma:
-      fs.existsSync(path.join(rootDir, 'packages', 'db-prisma', 'package.json')) ||
-      appModuleText.includes("from '@forgeon/db-prisma'"),
   };
 }
 
-function resolveAuthPersistenceStrategy(detected) {
-  const matched = AUTH_PERSISTENCE_STRATEGIES.filter((strategy) => strategy.isDetected(detected));
-  if (matched.length === 0) {
-    return { kind: 'none' };
-  }
-  if (matched.length > 1) {
-    return { kind: 'conflict', strategies: matched };
-  }
-  return { kind: 'single', strategy: matched[0] };
-}
-
-function hasSingleAuthPersistenceStrategy(detected) {
-  return resolveAuthPersistenceStrategy(detected).kind === 'single';
-}
-
-function getAuthPersistenceDescription(detected) {
-  const resolved = resolveAuthPersistenceStrategy(detected);
-  if (resolved.kind === 'single') {
-    return [...resolved.strategy.description];
-  }
-  return [
-    'Use the current db-adapter provider strategy to wire refresh-token persistence.',
-    'A supported db-adapter provider must be installed before this integration can apply.',
-  ];
-}
+function isAccountsRbacPending(rootDir) {
+  const contractsPath = path.join(rootDir, 'packages', 'accounts-contracts', 'src', 'index.ts');
+  const authTypesPath = path.join(rootDir, 'packages', 'accounts-api', 'src', 'auth.types.ts');
+  const readmePath = path.join(rootDir, 'README.md');
 
-function isAuthPersistencePendingForDetected(rootDir, detected) {
-  const resolved = resolveAuthPersistenceStrategy(detected);
-  if (resolved.kind !== 'single') {
+  if (!fs.existsSync(contractsPath) || !fs.existsSync(authTypesPath) || !fs.existsSync(readmePath)) {
     return false;
   }
-  return resolved.strategy.isPending(rootDir);
-}
-
-function applyAuthPersistenceSync({ rootDir, packageRoot, changedFiles }) {
-  const detected = detectModules(rootDir);
-  const resolved = resolveAuthPersistenceStrategy(detected);
-  if (resolved.kind === 'none') {
-    return { applied: false, reason: 'no supported db-adapter provider detected' };
-  }
-  if (resolved.kind === 'conflict') {
-    return { applied: false, reason: 'multiple db-adapter providers detected' };
-  }
-  return resolved.strategy.apply({ rootDir, packageRoot, changedFiles });
-}
 
-function getGroupParticipants(group) {
-  return Array.isArray(group.participants) && group.participants.length > 0
-    ? group.participants
-    : Array.isArray(group.modules)
-      ? group.modules
-      : [];
-}
+  const contracts = fs.readFileSync(contractsPath, 'utf8');
+  const authTypes = fs.readFileSync(authTypesPath, 'utf8');
+  const readme = fs.readFileSync(readmePath, 'utf8');
 
-function getGroupRelatedModules(group) {
-  return Array.isArray(group.relatedModules) && group.relatedModules.length > 0
-    ? group.relatedModules
-    : getGroupParticipants(group);
-}
+  const contractsReady =
+    contracts.includes('roles?: string[];') &&
+    contracts.includes('permissions?: string[];');
+  const authTypesReady =
+    authTypes.includes('roles?: string[];') &&
+    authTypes.includes('permissions?: string[];');
+  const readmeReady = readme.includes(ACCOUNTS_RBAC_ENABLED_BLOCK);
 
-function getGroupDescription(group, detected) {
-  if (typeof group.description === 'function') {
-    return group.description(detected);
-  }
-  return Array.isArray(group.description) ? group.description : [];
+  return !(contractsReady && authTypesReady && readmeReady);
 }
 
-function syncJwtDbPrisma({ rootDir, packageRoot, changedFiles }) {
-  const appModulePath = path.join(rootDir, 'apps', 'api', 'src', 'app.module.ts');
-  const schemaPath = path.join(rootDir, 'apps', 'api', 'prisma', 'schema.prisma');
+function syncAccountsRbacCompatibility({ rootDir, changedFiles }) {
+  const contractsPath = path.join(rootDir, 'packages', 'accounts-contracts', 'src', 'index.ts');
+  const authTypesPath = path.join(rootDir, 'packages', 'accounts-api', 'src', 'auth.types.ts');
   const readmePath = path.join(rootDir, 'README.md');
-  const storePath = path.join(rootDir, 'apps', 'api', 'src', 'auth', 'prisma-auth-refresh-token.store.ts');
-  const migrationPath = path.join(
-    rootDir,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '0002_auth_refresh_token_hash',
-    'migration.sql',
-  );
 
-  if (!fs.existsSync(appModulePath) || !fs.existsSync(schemaPath)) {
-    return { applied: false, reason: 'app module or prisma schema is missing' };
+  if (!fs.existsSync(contractsPath) || !fs.existsSync(authTypesPath) || !fs.existsSync(readmePath)) {
+    return { applied: false, reason: 'accounts package files are missing' };
   }
 
   let touched = false;
 
-  if (!fs.existsSync(storePath)) {
-    const storeSource = path.join(packageRoot, PRISMA_AUTH_STORE_TEMPLATE);
-    if (!fs.existsSync(storeSource)) {
-      return { applied: false, reason: 'jwt-auth prisma store template is missing' };
-    }
-    fs.mkdirSync(path.dirname(storePath), { recursive: true });
-    copyRecursive(storeSource, storePath);
-    changedFiles.add(storePath);
-    touched = true;
-  }
-
-  let appModule = fs.readFileSync(appModulePath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAppModule = appModule;
-
-  if (!appModule.includes("AUTH_REFRESH_TOKEN_STORE, authConfig")) {
-    appModule = appModule.replace(
-      /import\s*\{\s*authConfig,\s*authEnvSchema,\s*ForgeonAuthModule\s*\}\s*from '@forgeon\/auth-api';/m,
-      "import { AUTH_REFRESH_TOKEN_STORE, authConfig, authEnvSchema, ForgeonAuthModule } from '@forgeon/auth-api';",
-    );
-  }
-
-  const storeImportLine = "import { PrismaAuthRefreshTokenStore } from './auth/prisma-auth-refresh-token.store';";
-  if (!appModule.includes(storeImportLine)) {
-    appModule = ensureLineAfter(
-      appModule,
-      "import { HealthController } from './health/health.controller';",
-      storeImportLine,
+  let contracts = fs.readFileSync(contractsPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalContracts = contracts;
+  if (!contracts.includes('roles?: string[];')) {
+    contracts = contracts.replace(
+      "  type: 'access';",
+      "  type: 'access';\n  roles?: string[];\n  permissions?: string[];",
     );
   }
-
-  if (!appModule.includes('refreshTokenStoreProvider')) {
-    appModule = appModule.replace(
-      /ForgeonAuthModule\.register\(\),/m,
-      `ForgeonAuthModule.register({
-      imports: [DbPrismaModule],
-      refreshTokenStoreProvider: {
-        provide: AUTH_REFRESH_TOKEN_STORE,
-        useClass: PrismaAuthRefreshTokenStore,
-      },
-    }),`,
+  if (!contracts.includes("jti: string;\n  type: 'refresh';\n  roles?: string[];")) {
+    contracts = contracts.replace(
+      "  jti: string;\n  type: 'refresh';",
+      "  jti: string;\n  type: 'refresh';\n  roles?: string[];\n  permissions?: string[];",
     );
   }
-
-  if (appModule !== originalAppModule) {
-    fs.writeFileSync(appModulePath, `${appModule.trimEnd()}\n`, 'utf8');
-    changedFiles.add(appModulePath);
-    touched = true;
-  }
-
-  let schema = fs.readFileSync(schemaPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalSchema = schema;
-  if (!schema.includes('refreshTokenHash')) {
-    schema = schema.replace(/email\s+String\s+@unique/g, 'email            String   @unique\n  refreshTokenHash String?');
-  }
-  if (schema !== originalSchema) {
-    fs.writeFileSync(schemaPath, `${schema.trimEnd()}\n`, 'utf8');
-    changedFiles.add(schemaPath);
-    touched = true;
-  }
-
-  if (!fs.existsSync(migrationPath)) {
-    const migrationSource = path.join(packageRoot, PRISMA_AUTH_MIGRATION_TEMPLATE);
-    if (!fs.existsSync(migrationSource)) {
-      return { applied: false, reason: 'jwt-auth migration template is missing' };
-    }
-    const migrationDir = path.dirname(migrationPath);
-    fs.mkdirSync(path.dirname(migrationDir), { recursive: true });
-    copyRecursive(migrationSource, migrationDir);
-    changedFiles.add(migrationPath);
+  if (contracts !== originalContracts) {
+    fs.writeFileSync(contractsPath, `${contracts.trimEnd()}\n`, 'utf8');
+    changedFiles.add(contractsPath);
     touched = true;
   }
 
-  if (fs.existsSync(readmePath)) {
-    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
-    const originalReadme = readme;
-    const managedReadme = replaceReadmeManagedBlock(
-      readme,
-      JWT_AUTH_PERSISTENCE_MARKERS.start,
-      JWT_AUTH_PERSISTENCE_MARKERS.end,
-      JWT_AUTH_DB_PRISMA_PERSISTENCE_BLOCK,
+  let authTypes = fs.readFileSync(authTypesPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthTypes = authTypes;
+  if (!authTypes.includes('roles?: string[];')) {
+    authTypes = authTypes.replace(
+      "  exp?: number;",
+      "  exp?: number;\n  roles?: string[];\n  permissions?: string[];",
     );
-    if (managedReadme !== readme) {
-      readme = managedReadme;
-    } else {
-      readme = readme.replace(
-        '- refresh token persistence: disabled by default (stateless mode; enable it later through a `db-adapter` provider + integration sync)',
-        '- refresh token persistence: enabled through the `db-adapter` capability (current provider: `db-prisma`)',
-      );
-      readme = readme.replace(
-        /- to enable persistence later:[\s\S]*?2\. run `pnpm forgeon:sync-integrations` to wire auth persistence to the active DB adapter implementation\./m,
-        '- migration: `apps/api/prisma/migrations/0002_auth_refresh_token_hash`',
-      );
-    }
-    if (readme !== originalReadme) {
-      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
-      changedFiles.add(readmePath);
-      touched = true;
-    }
-  }
-
-  if (!touched) {
-    return { applied: false, reason: 'already synced' };
-  }
-  return { applied: true };
-}
-
-function syncJwtRbacClaims({ rootDir, changedFiles }) {
-  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
-  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
-  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
-  const readmePath = path.join(rootDir, 'README.md');
-
-  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
-    return { applied: false, reason: 'auth package files are missing' };
   }
-
-  let touched = false;
-
-  let authContracts = fs.readFileSync(authContractsPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthContracts = authContracts;
-  if (!authContracts.includes('permissions?: string[];')) {
-    authContracts = authContracts.replace(
-      '  roles: string[];',
-      `  roles: string[];
-  permissions?: string[];`,
+  const refreshPattern = /export interface AuthRefreshTokenPayload[\s\S]*?\{[\s\S]*?exp\?: number;[\s\S]*?\}/m;
+  const refreshMatch = authTypes.match(refreshPattern)?.[0] ?? '';
+  if (refreshMatch && !refreshMatch.includes('roles?: string[];')) {
+    authTypes = authTypes.replace(
+      "export interface AuthRefreshTokenPayload extends AuthRefreshClaims {\n  iat?: number;\n  exp?: number;\n}",
+      "export interface AuthRefreshTokenPayload extends AuthRefreshClaims {\n  iat?: number;\n  exp?: number;\n  roles?: string[];\n  permissions?: string[];\n}",
     );
   }
-  if (authContracts !== originalAuthContracts) {
-    fs.writeFileSync(authContractsPath, `${authContracts.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authContractsPath);
+  if (authTypes !== originalAuthTypes) {
+    fs.writeFileSync(authTypesPath, `${authTypes.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authTypesPath);
     touched = true;
   }
 
-  let authService = fs.readFileSync(authServicePath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthService = authService;
-  authService = authService.replace(
-    /roles: \['user'\],/g,
-    `roles: ['admin'],
-      permissions: ['health.rbac'],`,
+  let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
+  const originalReadme = readme;
+  readme = replaceReadmeManagedBlock(
+    readme,
+    ACCOUNTS_RBAC_MARKERS.start,
+    ACCOUNTS_RBAC_MARKERS.end,
+    ACCOUNTS_RBAC_ENABLED_BLOCK,
   );
-  if (!authService.includes('permissions: user.permissions,')) {
-    authService = authService.replace(
-      '      roles: user.roles,',
-      `      roles: user.roles,
-      permissions: user.permissions,`,
-    );
-  }
-  if (!authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
-    authService = authService.replace(
-      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
-      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
-      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
-    );
-  }
-  if (!authService.includes('demoPermissions: [')) {
-    authService = authService.replace(
-      "      demoEmail: this.configService.demoEmail,",
-      `      demoEmail: this.configService.demoEmail,
-      demoPermissions: ['health.rbac'],`,
-    );
-  }
-  if (authService !== originalAuthService) {
-    fs.writeFileSync(authServicePath, `${authService.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authServicePath);
+  if (readme !== originalReadme) {
+    fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
+    changedFiles.add(readmePath);
     touched = true;
   }
 
-  let authController = fs.readFileSync(authControllerPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthController = authController;
-  if (!authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
-    authController = authController.replace(
-      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
-      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
-      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
-    );
-  }
-  if (authController !== originalAuthController) {
-    fs.writeFileSync(authControllerPath, `${authController.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authControllerPath);
-    touched = true;
-  }
-
-  if (fs.existsSync(readmePath)) {
-    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
-    const originalReadme = readme;
-    const managedReadme = replaceReadmeManagedBlock(
-      readme,
-      JWT_AUTH_RBAC_MARKERS.start,
-      JWT_AUTH_RBAC_MARKERS.end,
-      JWT_AUTH_RBAC_ENABLED_BLOCK,
-    );
-    if (managedReadme !== readme) {
-      readme = managedReadme;
-    } else if (!readme.includes('- RBAC integration: demo auth tokens include `health.rbac` permission')) {
-      const marker = 'Default demo credentials:';
-      if (readme.includes(marker)) {
-        readme = readme.replace(
-          marker,
-          '- RBAC integration: demo auth tokens include `health.rbac` permission\n\nDefault demo credentials:',
-        );
-      }
-    }
-    if (readme !== originalReadme) {
-      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
-      changedFiles.add(readmePath);
-      touched = true;
-    }
-  }
-
   if (!touched) {
     return { applied: false, reason: 'already synced' };
   }
   return { applied: true };
 }
 
-export function syncIntegrations({ targetRoot, packageRoot, groupIds = null }) {
+function getGroupParticipants(group) {
+  return Array.isArray(group.participants) ? group.participants : [];
+}
+
+function getGroupRelatedModules(group) {
+  return Array.isArray(group.relatedModules) ? group.relatedModules : getGroupParticipants(group);
+}
+
+export function syncIntegrations({ targetRoot, groupIds = null }) {
   const rootDir = path.resolve(targetRoot);
   const changedFiles = new Set();
   const detected = detectModules(rootDir);
-  const summary = [];
   const available = INTEGRATION_GROUPS.filter(
-    (group) => group.isAvailable(detected) && group.isPending(rootDir, detected),
+    (group) => group.isAvailable(detected) && group.isPending(rootDir),
   );
   const selected = Array.isArray(groupIds)
     ? available.filter((group) => groupIds.includes(group.id))
     : available;
 
-  for (const group of selected) {
-    summary.push({
-      id: group.id,
-      title: group.title,
-      modules: getGroupParticipants(group),
-      result: group.apply({ rootDir, packageRoot, changedFiles }),
-    });
-  }
+  const summary = selected.map((group) => ({
+    id: group.id,
+    title: group.title,
+    modules: [...getGroupParticipants(group)],
+    result: group.apply({ rootDir, changedFiles }),
+  }));
 
   return {
     summary,
@@ -502,7 +181,7 @@ export function syncIntegrations({ targetRoot, packageRoot, groupIds = null }) {
       id: group.id,
       title: group.title,
       modules: [...getGroupParticipants(group)],
-      description: [...getGroupDescription(group, detected)],
+      description: [...group.description],
     })),
     changedFiles: [...changedFiles].sort().map((filePath) => path.relative(rootDir, filePath)),
   };
@@ -511,18 +190,19 @@ export function syncIntegrations({ targetRoot, packageRoot, groupIds = null }) {
 export function scanIntegrations({ targetRoot, relatedModuleId = null }) {
   const rootDir = path.resolve(targetRoot);
   const detected = detectModules(rootDir);
-  const available = INTEGRATION_GROUPS.filter(
+  const groups = INTEGRATION_GROUPS.filter(
     (group) =>
       group.isAvailable(detected) &&
-      group.isPending(rootDir, detected) &&
+      group.isPending(rootDir) &&
       (!relatedModuleId || getGroupRelatedModules(group).includes(relatedModuleId)),
   );
+
   return {
-    groups: available.map((group) => ({
+    groups: groups.map((group) => ({
       id: group.id,
       title: group.title,
       modules: [...getGroupParticipants(group)],
-      description: [...getGroupDescription(group, detected)],
+      description: [...group.description],
     })),
   };
-}
+}