create-prisma-php-app 5.0.0-alpha.28 → 5.0.0-alpha.29

package/dist/.github/copilot-instructions.md

@@ -26,6 +26,18 @@
 - Use `--tag <value>` or `--tag=<value>` for release-channel or pinned-version updates.
 - Do not use `npx pp update project` as a substitute for Prisma ORM migration commands.
 
+## Authentication Route Strategy
+
+- Prisma PHP defaults to public routes.
+- Choose the route privacy strategy at the start of the app, before creating most routes.
+- If the app will have many public pages, keep the public-default strategy.
+- If the app will have only a few public entry points and most routes should require login, use the private-default strategy.
+- For private-default routing, enable both `IS_ALL_ROUTES_PRIVATE = true` and `IS_TOKEN_AUTO_REFRESH = true` in `src/Lib/Auth/AuthConfig.php`.
+- When `IS_ALL_ROUTES_PRIVATE` is `true`, Prisma PHP treats routes as private by default and uses `publicRoutes` for the public allowlist; home is already public by default because `publicRoutes` starts as `['/']`.
+- Keep `authRoutes` public by default unless the user explicitly asks to change them.
+- There is no need to modify other Prisma PHP core files for this route privacy behavior.
+- If `src/Lib/Auth/AuthConfig.php` is customized, preserve it during future Prisma PHP project updates by adding `./src/Lib/Auth/AuthConfig.php` to `excludeFiles` in `prisma-php.json`.
+
 ## PulsePoint-First Frontend Rules
 
 - In full-stack Prisma PHP apps, treat PulsePoint as the primary JavaScript authoring model for frontend behavior.

package/dist/AGENTS.md

@@ -408,6 +408,14 @@ Important auth rules:
 
 - route privacy strategy is configured from `AuthConfig.php`
 - Prisma PHP supports both public-default and private-default route protection strategies
+- Prisma PHP defaults to public routes, so keep the public-default strategy when the app will expose many public pages
+- choose the route privacy strategy early, ideally before creating most routes in a new app or route subtree
+- if the app will have only a few public entry points and most routes should require login, switch to the private-default strategy
+- when choosing private-default routing, enable both `AuthConfig::IS_ALL_ROUTES_PRIVATE` and `AuthConfig::IS_TOKEN_AUTO_REFRESH`
+- when `IS_ALL_ROUTES_PRIVATE` is `true`, keep public exceptions in `AuthConfig::$publicRoutes`; home remains public by default because it starts as `['/']`
+- keep `AuthConfig::$authRoutes` public by default unless the user explicitly wants a different auth route allowlist
+- there is no need to modify other Prisma PHP core files to enable private-default routing
+- if `src/Lib/Auth/AuthConfig.php` was customized, protect it from future project updates by adding `./src/Lib/Auth/AuthConfig.php` to `excludeFiles` in `prisma-php.json`
 - sign users in with `Auth::getInstance()->signIn(...)`
 - sign users out with `Auth::getInstance()->signOut(...)`
 - use `Auth::getInstance()->refreshUserSession(...)` when current-session auth payloads must be updated after role or profile changes
@@ -700,6 +708,7 @@ Important rules:
 
 - update `prisma-php.json` before assuming a feature is active in a consumer app
 - do not assume Tailwind, Prisma, Swagger, WebSocket, MCP, or TypeScript support is enabled unless `prisma-php.json` says so
+- keep customized framework-managed files such as `src/Lib/Auth/AuthConfig.php` in `excludeFiles` when you need project updates to preserve them
 - after changing feature flags, follow the documented project update flow
 - for AI-driven or scripted updates, prefer `npx pp update project -y`
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-prisma-php-app",
-  "version": "5.0.0-alpha.28",
+  "version": "5.0.0-alpha.29",
   "description": "Prisma-PHP: A Revolutionary Library Bridging PHP with Prisma ORM",
   "main": "dist/index.js",
   "type": "module",