create-payloadpack-auth 0.1.0

package/bin/cli.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../dist/index.js'

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

package/dist/index.js

@@ -0,0 +1,633 @@
+// src/index.ts
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+
+// src/constants.ts
+var REGISTRY_URL = "https://payloadpack.nodejs.pub";
+var PACKAGE_NAME = "@payloadpack/auth";
+var DOCS_URL = "https://better-payload-auth.com/docs";
+var TOKEN_ENV_VAR = "PAYLOADPACK_AUTH_TOKEN";
+var DEPENDENCIES = ["@payloadpack/auth", "better-auth"];
+var DEV_DEPENDENCIES = ["dotenv-cli"];
+var NPMRC_CONTENT = `@payloadpack:registry=https://payloadpack.nodejs.pub
+//payloadpack.nodejs.pub/:_authToken=\${PAYLOADPACK_AUTH_TOKEN}
+`;
+
+// src/validators/license.ts
+async function validateLicenseKey(token) {
+  try {
+    const encodedPackageName = PACKAGE_NAME.replace("/", "%2F");
+    const response = await fetch(`${REGISTRY_URL}/${encodedPackageName}`, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    if (response.status === 401 || response.status === 403) {
+      return { valid: false, error: "Invalid or expired license key" };
+    }
+    if (!response.ok) {
+      return { valid: false, error: `Registry returned status ${response.status}` };
+    }
+    return { valid: true };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Network error validating license"
+    };
+  }
+}
+
+// src/validators/project.ts
+import fs from "fs-extra";
+import path from "path";
+async function validatePayloadProject(cwd) {
+  const pkgPath = path.join(cwd, "package.json");
+  if (!await fs.pathExists(pkgPath)) {
+    return { valid: false, srcDir: "src", configPath: "", error: "No package.json found" };
+  }
+  const pkg = await fs.readJson(pkgPath);
+  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+  if (!deps["payload"]) {
+    return { valid: false, srcDir: "src", configPath: "", error: "Payload is not installed" };
+  }
+  const possibleConfigs = [
+    { path: "src/payload.config.ts", srcDir: "src" },
+    { path: "payload.config.ts", srcDir: "." }
+  ];
+  for (const config of possibleConfigs) {
+    const fullPath = path.join(cwd, config.path);
+    if (await fs.pathExists(fullPath)) {
+      return {
+        valid: true,
+        srcDir: config.srcDir,
+        configPath: fullPath
+      };
+    }
+  }
+  return {
+    valid: false,
+    srcDir: "src",
+    configPath: "",
+    error: "Could not find payload.config.ts"
+  };
+}
+
+// src/validators/package-manager.ts
+import fs2 from "fs-extra";
+import path2 from "path";
+var LOCK_FILES = {
+  "bun.lock": "bun",
+  "bun.lockb": "bun",
+  "pnpm-lock.yaml": "pnpm",
+  "yarn.lock": "yarn",
+  "package-lock.json": "npm"
+};
+var ADD_COMMANDS = {
+  bun: "bun add",
+  pnpm: "pnpm add",
+  yarn: "yarn add",
+  npm: "npm install"
+};
+async function detectPackageManager(cwd) {
+  for (const [lockfile, pm] of Object.entries(LOCK_FILES)) {
+    const lockfilePath = path2.join(cwd, lockfile);
+    if (await fs2.pathExists(lockfilePath)) {
+      return { name: pm, addCommand: ADD_COMMANDS[pm] };
+    }
+  }
+  const pkgPath = path2.join(cwd, "package.json");
+  if (await fs2.pathExists(pkgPath)) {
+    const pkg = await fs2.readJson(pkgPath);
+    if (pkg.packageManager) {
+      const match = pkg.packageManager.match(/^(npm|yarn|pnpm|bun)@/);
+      if (match && match[1] in ADD_COMMANDS) {
+        const name = match[1];
+        return { name, addCommand: ADD_COMMANDS[name] };
+      }
+    }
+  }
+  return { name: "npm", addCommand: ADD_COMMANDS.npm };
+}
+
+// src/scaffolders/files.ts
+import fs3 from "fs-extra";
+import path3 from "path";
+
+// src/templates/index.ts
+var TEMPLATES = {
+  "lib/auth/options.ts": `import { nextCookies } from 'better-auth/next-js'
+import type { BetterAuthOptionsFn } from '@payloadpack/auth/plugin'
+
+const baseURL = process.env.NEXT_PUBLIC_BETTER_AUTH_URL ?? 'http://localhost:3000'
+
+/**
+ * Better Auth options as a function that receives the Payload instance.
+ * The payload object is only available in callbacks since these are called at request time.
+ * Alternatively, you can use \`const payload = await getPayload()\` inside callbacks.
+ */
+export const betterAuthOptions = ((payload) => ({
+  baseURL,
+  trustedOrigins: [baseURL],
+  secret: process.env.PAYLOAD_SECRET,
+  plugins: [nextCookies()],
+  emailAndPassword: {
+    enabled: true,
+    requireEmailVerification: true,
+    async sendResetPassword({ user, url }) {
+      if (!payload) throw new Error('Payload not available in sendResetPassword callback')
+      // Don't await to prevent timing attacks
+      void payload.sendEmail({
+        to: user.email,
+        subject: 'Reset your password',
+        text: \`Click here to reset your password: \${url}\`
+      })
+    }
+  },
+  emailVerification: {
+    sendOnSignUp: true,
+    autoSignInAfterVerification: true,
+    async sendVerificationEmail({ user, url }) {
+      if (!payload) throw new Error('Payload not available in sendVerificationEmail callback')
+      // Don't await to prevent timing attacks
+      void payload.sendEmail({
+        to: user.email,
+        subject: 'Verify your email',
+        text: \`Click here to verify your email: \${url}\`
+      })
+    }
+  }
+})) satisfies BetterAuthOptionsFn
+`,
+  "lib/auth/plugin-options.ts": `import type { BetterAuthPluginOptionsInput } from '@payloadpack/auth/plugin'
+import { betterAuthOptions } from './options'
+
+export const betterAuthPluginOptions = {
+  betterAuthOptions
+} satisfies BetterAuthPluginOptionsInput
+`,
+  "lib/auth/types.ts": `import type { betterAuth } from 'better-auth'
+import type { betterAuthOptions } from './options'
+
+/** Used to type payload.betterAuth with your auth configuration. */
+export type Auth = ReturnType<typeof betterAuth<ReturnType<typeof betterAuthOptions>>>
+export type Session = Auth['$Infer']['Session']
+export type User = Auth['$Infer']['Session']['user']
+`,
+  "lib/get-payload.ts": `import 'server-only'
+
+import { getPayload as getPayloadBase } from 'payload'
+import { withBetterAuth } from '@payloadpack/auth/plugin'
+import payloadConfig from '@payload-config'
+import type { Auth } from './auth/types'
+
+export const getPayload = withBetterAuth<Auth>(async () => {
+  return await getPayloadBase({ config: payloadConfig })
+})
+`,
+  "app/api/auth/[...all]/route.ts": `import configPromise from '@payload-config'
+import { toNextJsHandler } from '@payloadpack/auth/next-js'
+
+export const { POST, GET } = toNextJsHandler(configPromise)
+`
+};
+var TEMPLATE_PATHS = Object.keys(TEMPLATES);
+
+// src/scaffolders/files.ts
+async function scaffoldFiles(cwd, srcDir) {
+  const created = [];
+  const skipped = [];
+  for (const [relativePath, content] of Object.entries(TEMPLATES)) {
+    const fullPath = path3.join(cwd, srcDir, relativePath);
+    if (await fs3.pathExists(fullPath)) {
+      skipped.push(relativePath);
+      continue;
+    }
+    await fs3.ensureDir(path3.dirname(fullPath));
+    await fs3.writeFile(fullPath, content, "utf-8");
+    created.push(relativePath);
+  }
+  return { created, skipped };
+}
+
+// src/scaffolders/npmrc.ts
+import fs4 from "fs-extra";
+import path4 from "path";
+async function configureNpmrc(cwd) {
+  const npmrcPath = path4.join(cwd, ".npmrc");
+  if (await fs4.pathExists(npmrcPath)) {
+    const existing = await fs4.readFile(npmrcPath, "utf-8");
+    const hasRegistry = existing.includes("@payloadpack:registry");
+    const hasTokenLine = existing.includes("//payloadpack.nodejs.pub/:_authToken");
+    if (hasRegistry && hasTokenLine) {
+      return { created: false, updated: false, alreadyConfigured: true };
+    }
+    const newContent = existing.endsWith("\n") ? existing + NPMRC_CONTENT : existing + "\n" + NPMRC_CONTENT;
+    await fs4.writeFile(npmrcPath, newContent, "utf-8");
+    return { created: false, updated: true, alreadyConfigured: false };
+  }
+  await fs4.writeFile(npmrcPath, NPMRC_CONTENT, "utf-8");
+  return { created: true, updated: false, alreadyConfigured: false };
+}
+
+// src/scaffolders/env.ts
+import fs5 from "fs-extra";
+import path5 from "path";
+async function configureEnvFile(cwd, token) {
+  const envPath = path5.join(cwd, ".env");
+  if (await fs5.pathExists(envPath)) {
+    const existing = await fs5.readFile(envPath, "utf-8");
+    const tokenRegex = new RegExp(`^${TOKEN_ENV_VAR}=.*$`, "m");
+    if (tokenRegex.test(existing)) {
+      const newContent2 = existing.replace(tokenRegex, `${TOKEN_ENV_VAR}=${token}`);
+      await fs5.writeFile(envPath, newContent2, "utf-8");
+      return { created: false, updated: true };
+    }
+    const newContent = existing.endsWith("\n") ? `${existing}${TOKEN_ENV_VAR}=${token}
+` : `${existing}
+${TOKEN_ENV_VAR}=${token}
+`;
+    await fs5.writeFile(envPath, newContent, "utf-8");
+    return { created: false, updated: true };
+  }
+  await fs5.writeFile(envPath, `${TOKEN_ENV_VAR}=${token}
+`, "utf-8");
+  return { created: true, updated: false };
+}
+
+// src/scaffolders/package-json.ts
+import fs6 from "fs-extra";
+import path6 from "path";
+var INSTALL_SCRIPT_NAME = "install:with-keys";
+var INSTALL_COMMANDS = {
+  bun: "dotenv -- bun install",
+  pnpm: "dotenv -- pnpm install",
+  yarn: "dotenv -- yarn install",
+  npm: "dotenv -- npm install"
+};
+async function addInstallScript(cwd, pm) {
+  const pkgPath = path6.join(cwd, "package.json");
+  const content = await fs6.readFile(pkgPath, "utf-8");
+  const pkg = JSON.parse(content);
+  pkg.scripts ??= {};
+  if (pkg.scripts[INSTALL_SCRIPT_NAME]) {
+    return { added: false, alreadyExists: true };
+  }
+  pkg.scripts[INSTALL_SCRIPT_NAME] = INSTALL_COMMANDS[pm];
+  await fs6.writeFile(pkgPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
+  return { added: true, alreadyExists: false };
+}
+function getInstallScriptName() {
+  return INSTALL_SCRIPT_NAME;
+}
+
+// src/scaffolders/payload-config.ts
+import fs7 from "fs-extra";
+import path7 from "path";
+import { parseModule, generateCode, builders } from "magicast";
+import { execa } from "execa";
+async function detectFormatter(cwd) {
+  const biomeConfigs = ["biome.json", "biome.jsonc"];
+  for (const config of biomeConfigs) {
+    if (await fs7.pathExists(path7.join(cwd, config))) {
+      return "biome";
+    }
+  }
+  const prettierConfigs = [
+    ".prettierrc",
+    ".prettierrc.json",
+    ".prettierrc.js",
+    ".prettierrc.cjs",
+    ".prettierrc.mjs",
+    ".prettierrc.yaml",
+    ".prettierrc.yml",
+    "prettier.config.js",
+    "prettier.config.cjs",
+    "prettier.config.mjs"
+  ];
+  for (const config of prettierConfigs) {
+    if (await fs7.pathExists(path7.join(cwd, config))) {
+      return "prettier";
+    }
+  }
+  const pkgPath = path7.join(cwd, "package.json");
+  if (await fs7.pathExists(pkgPath)) {
+    const pkg = await fs7.readJson(pkgPath);
+    if (pkg.prettier) {
+      return "prettier";
+    }
+  }
+  return null;
+}
+async function detectPackageRunner(cwd) {
+  if (await fs7.pathExists(path7.join(cwd, "bun.lock")) || await fs7.pathExists(path7.join(cwd, "bun.lockb"))) {
+    return "bunx";
+  }
+  return "npx";
+}
+async function formatFile(filePath, formatter, cwd) {
+  if (!formatter) return false;
+  const runner = await detectPackageRunner(cwd);
+  try {
+    if (formatter === "biome") {
+      await execa(runner, ["@biomejs/biome", "format", "--write", filePath], { cwd, stdio: "pipe" });
+    } else {
+      await execa(runner, ["prettier", "--write", filePath], { cwd, stdio: "pipe" });
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var MANUAL_INSTRUCTIONS = `
+Add these imports at the top of your payload.config.ts:
+
+  import { betterPayloadAuth } from '@payloadpack/auth'
+  import { betterAuthPluginOptions } from './lib/auth/plugin-options'
+
+Then add the plugin to your buildConfig plugins array:
+
+  plugins: [betterPayloadAuth(betterAuthPluginOptions)]
+`;
+function getManualInstructions() {
+  return MANUAL_INSTRUCTIONS;
+}
+async function modifyPayloadConfig(configPath, cwd) {
+  const source = await fs7.readFile(configPath, "utf-8");
+  if (source.includes("betterPayloadAuth") || source.includes("better-payload-auth")) {
+    return { success: true, modified: false, alreadyConfigured: true };
+  }
+  const formatter = await detectFormatter(cwd);
+  const backupPath = `${configPath}.backup-${Date.now()}`;
+  await fs7.copyFile(configPath, backupPath);
+  try {
+    const mod = parseModule(source);
+    mod.imports.$prepend({
+      from: "@payloadpack/auth",
+      imported: "betterPayloadAuth"
+    });
+    mod.imports.$prepend({
+      from: "./lib/auth/plugin-options",
+      imported: "betterAuthPluginOptions"
+    });
+    const configObj = mod.exports.default?.$args?.[0];
+    if (!configObj) {
+      throw new Error("Could not find buildConfig object");
+    }
+    const existingPlugins = configObj.plugins;
+    if (existingPlugins && typeof existingPlugins.length === "number") {
+      existingPlugins.unshift(builders.raw("betterPayloadAuth(betterAuthPluginOptions)"));
+    } else if (!existingPlugins) {
+      configObj.plugins = builders.raw("[betterPayloadAuth(betterAuthPluginOptions)]");
+    } else {
+      throw new Error("plugins property exists but is not an array literal - cannot safely modify");
+    }
+    const result = generateCode(mod).code;
+    await fs7.writeFile(configPath, result, "utf-8");
+    const formatted = await formatFile(configPath, formatter, cwd);
+    await fs7.remove(backupPath);
+    return { success: true, modified: true, formatted };
+  } catch (error) {
+    await fs7.copyFile(backupPath, configPath);
+    await fs7.remove(backupPath);
+    return {
+      success: false,
+      modified: false,
+      error: error instanceof Error ? error.message : "Unknown error",
+      manualRequired: true
+    };
+  }
+}
+
+// src/scaffolders/dockerfile.ts
+import fs8 from "fs-extra";
+import path8 from "path";
+var INSTALL_CHECK_PATTERNS = {
+  bun: /^\s*RUN\s+bun\s+(?:install|i)\b/m,
+  pnpm: /^\s*RUN\s+pnpm\s+(?:install|i)\b/m,
+  yarn: /^\s*RUN\s+yarn(?:\s+(?:install|i)\b|\s+--|\s*$)/m,
+  npm: /^\s*RUN\s+npm\s+(?:ci|install|i)\b/m
+};
+var INSTALL_LINE_PATTERNS = {
+  bun: /^(\s*)RUN\s+(bun\s+(?:install|i)\b.*)$/m,
+  pnpm: /^(\s*)RUN\s+(pnpm\s+(?:install|i)\b.*)$/m,
+  yarn: /^(\s*)RUN\s+(yarn(?:\s+(?:install|i)\b|\s+--)?.*)$/m,
+  npm: /^(\s*)RUN\s+(npm\s+(?:ci|install|i)\b.*)$/m
+};
+var SECRET_MOUNT_PATTERN = /--mount=type=secret,id=BETTER_PAYLOAD_AUTH_TOKEN/;
+async function checkDockerfile(cwd, pm) {
+  const dockerfilePath = path8.join(cwd, "Dockerfile");
+  if (!await fs8.pathExists(dockerfilePath)) {
+    return { hasDockerfile: false, hasInstallCommand: false, dockerfilePath: null };
+  }
+  const content = await fs8.readFile(dockerfilePath, "utf-8");
+  const pattern = INSTALL_CHECK_PATTERNS[pm];
+  const hasInstallCommand = pattern.test(content);
+  return { hasDockerfile: true, hasInstallCommand, dockerfilePath };
+}
+async function modifyDockerfile(dockerfilePath, pm) {
+  const content = await fs8.readFile(dockerfilePath, "utf-8");
+  if (SECRET_MOUNT_PATTERN.test(content)) {
+    return { modified: false, alreadyConfigured: true };
+  }
+  const pattern = INSTALL_LINE_PATTERNS[pm];
+  const newContent = content.replace(pattern, (_match, indent, originalCommand) => {
+    return `${indent}RUN --mount=type=secret,id=${TOKEN_ENV_VAR},env=${TOKEN_ENV_VAR} \\
+${indent}    ${originalCommand}`;
+  });
+  await fs8.writeFile(dockerfilePath, newContent, "utf-8");
+  return { modified: true, alreadyConfigured: false };
+}
+var EXAMPLE_INSTALL_COMMANDS = {
+  bun: "bun install --frozen-lockfile",
+  pnpm: "pnpm install --frozen-lockfile",
+  yarn: "yarn install --frozen-lockfile",
+  npm: "npm ci"
+};
+function getDockerfileInstructions(pm) {
+  const exampleCommand = EXAMPLE_INSTALL_COMMANDS[pm];
+  return `Add the secret mount to your install command:
+
+RUN --mount=type=secret,id=${TOKEN_ENV_VAR},env=${TOKEN_ENV_VAR} \\
+    ${exampleCommand}
+
+Then build with:
+docker build --secret id=${TOKEN_ENV_VAR},env=${TOKEN_ENV_VAR} .`;
+}
+
+// src/utils/exec.ts
+import { execa as execa2 } from "execa";
+async function installDependencies({
+  cwd,
+  pm,
+  packages,
+  licenseKey,
+  dev = false
+}) {
+  let args;
+  if (pm.name === "npm") {
+    args = ["install", ...dev ? ["--save-dev"] : [], ...packages];
+  } else {
+    args = ["add", ...dev ? ["-D"] : [], ...packages];
+  }
+  await execa2(pm.name, args, {
+    cwd,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      // Set token for the install command to authenticate with registry
+      [TOKEN_ENV_VAR]: licenseKey
+    }
+  });
+}
+
+// src/index.ts
+async function main() {
+  const cwd = process.cwd();
+  console.log();
+  p.intro(pc.bgCyan(pc.black(" Better Payload Auth Setup ")));
+  const project = await validatePayloadProject(cwd);
+  if (!project.valid) {
+    p.cancel(project.error || "This does not appear to be a Payload CMS project.");
+    p.outro(pc.dim("Make sure you run this command from a directory with a payload.config.ts file."));
+    process.exit(1);
+  }
+  const licenseKey = await p.text({
+    message: "Enter your Anystack license key:"
+  });
+  if (p.isCancel(licenseKey)) {
+    p.cancel("Setup cancelled.");
+    process.exit(0);
+  }
+  const spinner2 = p.spinner();
+  spinner2.start("Validating license...");
+  const license = await validateLicenseKey(licenseKey);
+  if (!license.valid) {
+    spinner2.stop("License validation failed");
+    p.cancel(license.error || "Invalid license key");
+    p.outro(pc.dim("Get your license key from https://anystack.sh after purchasing."));
+    process.exit(1);
+  }
+  spinner2.stop("License valid!");
+  const pm = await detectPackageManager(cwd);
+  p.log.info(`Detected package manager: ${pc.cyan(pm.name)}`);
+  const dockerCheck = await checkDockerfile(cwd, pm.name);
+  const planLines = [
+    "This will:",
+    ...TEMPLATE_PATHS.map((f) => `  ${pc.green("+")} Create ${f}`),
+    `  ${pc.yellow("~")} Update/create .npmrc with registry configuration`,
+    `  ${pc.yellow("~")} Add ${TOKEN_ENV_VAR} to .env`,
+    `  ${pc.yellow("~")} Add "${getInstallScriptName()}" script to package.json`,
+    `  ${pc.yellow("~")} Modify payload.config.ts to add the plugin`,
+    ...dockerCheck.hasDockerfile && dockerCheck.hasInstallCommand ? [`  ${pc.yellow("?")} Optionally configure Dockerfile for BuildKit secrets`] : [],
+    `  ${pc.blue(">")} Install ${DEPENDENCIES.join(", ")} and ${DEV_DEPENDENCIES.join(", ")}`
+  ];
+  p.note(planLines.join("\n"), "Setup Plan");
+  const proceed = await p.confirm({
+    message: "Proceed with setup?",
+    initialValue: true
+  });
+  if (!proceed || p.isCancel(proceed)) {
+    p.cancel("Setup cancelled.");
+    process.exit(0);
+  }
+  spinner2.start("Creating auth configuration files...");
+  const scaffoldResult = await scaffoldFiles(cwd, project.srcDir);
+  spinner2.stop(`Created ${scaffoldResult.created.length} files`);
+  if (scaffoldResult.skipped.length > 0) {
+    p.log.warn(`Skipped ${scaffoldResult.skipped.length} existing files: ${scaffoldResult.skipped.join(", ")}`);
+  }
+  spinner2.start("Configuring .npmrc...");
+  const npmrcResult = await configureNpmrc(cwd);
+  spinner2.stop(
+    npmrcResult.alreadyConfigured ? ".npmrc already configured" : npmrcResult.created ? "Created .npmrc" : "Updated .npmrc"
+  );
+  spinner2.start(`Adding ${TOKEN_ENV_VAR} to .env...`);
+  const envResult = await configureEnvFile(cwd, licenseKey);
+  spinner2.stop(envResult.created ? `Created .env with ${TOKEN_ENV_VAR}` : `Updated ${TOKEN_ENV_VAR} in .env`);
+  spinner2.start("Adding install script to package.json...");
+  const scriptResult = await addInstallScript(cwd, pm.name);
+  spinner2.stop(
+    scriptResult.alreadyExists ? `"${getInstallScriptName()}" script already exists` : `Added "${getInstallScriptName()}" script to package.json`
+  );
+  spinner2.start("Updating payload.config.ts...");
+  const configResult = await modifyPayloadConfig(project.configPath, cwd);
+  if (configResult.success) {
+    let message;
+    if (configResult.alreadyConfigured) {
+      message = "payload.config.ts already configured";
+    } else if (configResult.formatted) {
+      message = "Updated payload.config.ts (formatted)";
+    } else {
+      message = "Updated payload.config.ts";
+    }
+    spinner2.stop(message);
+  } else {
+    spinner2.stop("Could not automatically update payload.config.ts");
+    p.log.warn("Please manually update your payload.config.ts:");
+    p.note(getManualInstructions(), "Manual Steps Required");
+  }
+  if (dockerCheck.hasDockerfile && dockerCheck.hasInstallCommand && dockerCheck.dockerfilePath) {
+    const modifyDocker = await p.confirm({
+      message: "Dockerfile detected with install command. Configure it to use BuildKit secrets for registry auth?",
+      initialValue: true
+    });
+    if (!p.isCancel(modifyDocker) && modifyDocker) {
+      spinner2.start("Updating Dockerfile...");
+      const dockerResult = await modifyDockerfile(dockerCheck.dockerfilePath, pm.name);
+      spinner2.stop(
+        dockerResult.alreadyConfigured ? "Dockerfile already configured for secrets" : "Updated Dockerfile with BuildKit secret mount"
+      );
+    } else if (!p.isCancel(modifyDocker)) {
+      p.log.info("Skipped Dockerfile modification");
+      p.note(getDockerfileInstructions(pm.name), "Manual Dockerfile Setup");
+    }
+  }
+  p.log.step("Installing dependencies...");
+  console.log();
+  try {
+    await installDependencies({
+      cwd,
+      pm,
+      packages: [...DEPENDENCIES],
+      licenseKey
+    });
+    await installDependencies({
+      cwd,
+      pm,
+      packages: [...DEV_DEPENDENCIES],
+      licenseKey,
+      dev: true
+    });
+    console.log();
+    p.log.success("Dependencies installed");
+  } catch {
+    console.log();
+    p.log.error("Failed to install dependencies");
+    p.log.warn(
+      `Run manually: ${pc.cyan(`${TOKEN_ENV_VAR}=<your-token> ${pm.addCommand} ${DEPENDENCIES.join(" ")}`)}`
+    );
+    p.outro(pc.red("Setup incomplete - dependency installation failed"));
+    process.exit(1);
+  }
+  p.outro(pc.green("Better Payload Auth is now configured!"));
+  console.log(`
+${pc.bold("Next steps:")}
+  1. Ensure ${pc.cyan("PAYLOAD_SECRET")} is set in your .env (required for auth)
+  2. Run your dev server: ${pc.cyan(`${pm.name} run dev`)}
+  3. Visit ${pc.cyan("/admin")} to see the new auth UI
+
+${pc.bold("Future installs:")}
+  Use ${pc.cyan(`${pm.name} run ${getInstallScriptName()}`)} to install dependencies with registry auth.
+  This reads ${TOKEN_ENV_VAR} from your .env file via dotenv-cli.
+
+${pc.yellow("Note:")} The .npmrc references ${pc.cyan("${" + TOKEN_ENV_VAR + "}")} - safe to commit.
+      Your .env file contains the actual token - ${pc.bold("do not commit it")}.
+
+${pc.dim(`Docs: ${DOCS_URL}`)}
+`);
+}
+main().catch((error) => {
+  p.cancel("An unexpected error occurred");
+  console.error(error);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "create-payloadpack-auth",
+  "version": "0.1.0",
+  "description": "CLI to set up @payloadpack/auth in Payload CMS projects",
+  "type": "module",
+  "bin": {
+    "create-payloadpack-auth": "./bin/cli.js"
+  },
+  "main": "./dist/index.js",
+  "files": [
+    "bin",
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts --clean",
+    "dev": "tsup src/index.ts --format esm --watch",
+    "test": "bun test",
+    "prepublishOnly": "bun run build"
+  },
+  "dependencies": {
+    "@clack/prompts": "^0.8.2",
+    "execa": "^9.5.2",
+    "fs-extra": "^11.3.0",
+    "magicast": "^0.3.5",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/fs-extra": "^11.0.4",
+    "@types/node": "^22.5.4",
+    "tsup": "^8.4.0",
+    "typescript": "5.7.3"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/payloadpack/auth.git",
+    "directory": "packages/create-payloadpack-auth"
+  },
+  "keywords": [
+    "payload",
+    "payloadcms",
+    "better-auth",
+    "authentication",
+    "cli",
+    "create"
+  ],
+  "author": "Payload Pack",
+  "license": "MIT"
+}