nextworks 0.1.0-alpha.0 → 0.1.0-alpha.10

package/dist/kits/auth-core/.nextworks/docs/AUTH_QUICKSTART.md

@@ -0,0 +1,244 @@
+# Auth Quickstart
+
+Follow these steps to get email/password auth (and optional GitHub OAuth) running in under 5 minutes.
+
+If you are using the `nextworks` CLI in your own app, the recommended alpha setup is to install Blocks with sections and templates first, then Auth Core:
+
+```bash
+npx nextworks add blocks --sections --templates
+npx nextworks add auth-core
+```
+
+Then follow the steps below inside your app.
+
+## 1) Copy environment variables
+
+Create a `.env` file based on `.env.example`:
+
+```
+cp .env.example .env
+```
+
+Fill in values for the following environment variables used by the Auth kit:
+
+- DATABASE_URL — PostgreSQL connection string
+- NEXTAUTH_URL — URL of your app (e.g. http://localhost:3000 in dev)
+- NEXTAUTH_SECRET — a strong random string (used to sign NextAuth tokens)
+
+Optional / password reset / email provider vars:
+
+- GITHUB_ID — (optional) GitHub OAuth client id
+- GITHUB_SECRET — (optional) GitHub OAuth client secret
+- NEXTWORKS_ENABLE_PASSWORD_RESET — set to `1` to enable the dev password reset scaffold (default: disabled)
+- NEXTWORKS_USE_DEV_EMAIL — set to `1` to enable Ethereal dev email transport (for local testing only)
+- SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, NOREPLY_EMAIL — when using a real SMTP provider (required in production if enable password reset)
+- NODE_ENV — (production/dev) used to guard password-reset behavior
+
+Notes:
+
+- The Auth kit will only enable the GitHub provider when both GITHUB_ID and GITHUB_SECRET are present.
+- Password reset remains disabled by default; enable cautiously and only after configuring a real mail provider in production.
+
+## 2) Install and generate Prisma
+
+If you are using the monorepo directly:
+
+```bash
+npm install
+npx prisma generate
+npx prisma migrate dev -n init
+```
+
+If you installed Auth via the CLI (`npx nextworks add auth-core`), the schema and scripts are already in place in your app — you still need to run:
+
+```bash
+npm install @prisma/client prisma
+npx prisma generate
+npx prisma migrate dev -n init
+```
+
+This applies the Prisma schema and generates the Prisma client.
+
+## 3) Start the dev server
+
+```
+npm run dev
+```
+
+Visit:
+
+- http://localhost:3000/auth/signup to create a user
+- http://localhost:3000/auth/login to sign in
+- http://localhost:3000/dashboard after login
+
+## 4) Optional: GitHub OAuth
+
+If you provided GITHUB_ID and GITHUB_SECRET in `.env`, the GitHub provider will be enabled and the GitHub button will appear on the forms. If not provided, the button will be hidden and only email/password is available.
+
+## 5) Roles (optional)
+
+The `User` model has a `role` field (default: `user`). Role is propagated to the JWT and session so you can gate pages/components. You can later add admin tooling or seed scripts as needed.
+
+## 6) Seed and promote admin scripts
+
+- `scripts/seed-demo.mjs` (already in the repo) creates a demo admin user and sample posts for quick demos.
+- `scripts/promote-admin.mjs` (new) is idempotent and promotes an existing user to `admin`:
+
+```
+node ./scripts/promote-admin.mjs admin@example.com
+```
+
+## 7) Forgot password (development scaffold)
+
+This is a development scaffold that is disabled by default. To enable the password reset feature, set:
+
+```
+NEXTWORKS_ENABLE_PASSWORD_RESET=1
+```
+
+- POST `/api/auth/forgot-password` accepts `{ email }`. When enabled the endpoint generates a one-time token stored in the database and (in development) prints a reset link to the server console. The endpoint always returns a generic success message to avoid user enumeration.
+- GET `/api/auth/reset-password?token=...` validates a token (only when enabled).
+- POST `/api/auth/reset-password` accepts `{ token, password, confirmPassword }` and updates the user password while invalidating the token (only when enabled).
+
+Security notes:
+
+- The scaffold is intentionally disabled by default; enable it only for local testing or after hardening.
+- The forgot-password scaffold uses an in-memory rate limiter for demo purposes — replace it with a centralized rate limiter (Redis, API gateway) in production.
+- Always use a real email provider (SMTP, SendGrid, etc.) in production and never log reset tokens in server logs.
+
+Migration & upgrade notes
+
+- A recent schema migration changed PasswordReset to store tokenHash (SHA-256) instead of the raw token. Steps we executed:
+  1. Added `tokenHash` (nullable) to the PasswordReset model and made `token` nullable in Prisma.
+  2. Generated a migration that adds the tokenHash column and a unique index on it.
+  3. Ran a one-off script `scripts/populate-tokenhash.mjs` to compute SHA-256 hashes for previous tokens and fill `tokenHash`.
+  4. Applied the migration and regenerated the Prisma client (`npx prisma generate`).
+
+- To enable password reset behavior in your environment, set:
+
+```
+NEXTWORKS_ENABLE_PASSWORD_RESET=1
+```
+
+- Dev email helper (optional): there is an optional dev email helper (nodemailer + Ethereal) that can be enabled with `NEXTWORKS_USE_DEV_EMAIL=1`. When enabled (and NEXTWORKS_ENABLE_PASSWORD_RESET=1), forgot-password will send an Ethereal email and the server will log only the Ethereal preview URL (no plaintext token in logs). This helper is strictly opt-in for development only. Use a real email provider in production.
+
+- Production hardening: Password reset should only be enabled in production when a mail provider is configured. To harden the scaffold in production, ensure the following environment variables are set for SMTP (or equivalent for other providers):
+
+```
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=user@example.com
+SMTP_PASS=supersecret
+NOREPLY_EMAIL=no-reply@example.com
+NEXTWORKS_ENABLE_PASSWORD_RESET=1
+```
+
+When NEXTWORKS_ENABLE_PASSWORD_RESET=1 and NODE_ENV=production the server will refuse to enable password reset unless a mail provider is configured. The server will not log reset tokens or URLs in production logs.
+
+Security checklist before enabling reset in production:
+
+- Set a strong NEXTAUTH_SECRET
+- Use HTTPS/TLS
+- Replace in-memory rate limiting with a centralized store (Redis/API Gateway)
+- Configure and test a real mail provider (SMTP, SendGrid, etc.)
+- Ensure password reset tokens are expired/cleaned up periodically
+- Review logging to avoid token leakage
+
+- Promotion script: to promote an existing user to admin, run:
+
+```
+node ./scripts/promote-admin.mjs user@example.com
+```
+
+- Important: Before turning password reset on in production, ensure you:
+  - Replace the in-memory rate limiter with a centralized solution (Redis or API Gateway).
+  - Configure a real email provider and remove console logging of tokens.
+  - Ensure tokens are cleaned up periodically (see scripts/prune-password-resets.mjs stub).
+  - Set a secure NEXTAUTH_SECRET and use HTTPS in production.
+
+## Files & kit manifest (what to look at)
+
+If you want to inspect or package the Auth kit, the primary files and routes are listed below. This is a minimal manifest intended for documentation and CLI packaging reference — adjust paths if you extract the kit into another project.
+
+Key files
+
+- NextAuth handler & callbacks: lib/auth.ts
+- Prisma client: lib/prisma.ts
+- Auth helper utilities: lib/auth-helpers.ts, lib/hash.ts
+- Email providers: lib/email/index.ts, lib/email/dev-transport.ts, lib/email/provider-smtp.ts
+- Validation helpers: lib/validation/forms.ts
+- Form error mapping: lib/forms/map-errors.ts
+- UI components used by Auth: components/auth/_ and components/ui/_ (login-form.tsx, signup-form.tsx, button/input/label etc.)
+- Pages & API routes:
+  - app/auth/login/page.tsx
+  - app/auth/signup/page.tsx
+  - app/auth/forgot-password/page.tsx
+  - app/auth/reset-password/page.tsx
+  - app/auth/verify-email/page.tsx
+  - app/api/auth/[...nextauth]/route.ts
+  - app/api/auth/forgot-password/route.ts
+  - app/api/auth/reset-password/route.ts
+  - app/api/auth/send-verify-email/route.ts
+  - app/api/auth/providers/route.ts
+  - app/api/signup/route.ts
+- Prisma schema & auth models: prisma/schema.prisma and prisma/auth-models.prisma
+- Seed & maintenance scripts: scripts/seed-demo.mjs, scripts/promote-admin.mjs, scripts/populate-tokenhash.mjs
+
+Minimal manifest (JSON)
+
+{
+"name": "auth-core",
+"files": [
+"lib/auth.ts",
+"lib/prisma.ts",
+"lib/auth-helpers.ts",
+"lib/hash.ts",
+"lib/forms/map-errors.ts",
+"lib/validation/forms.ts",
+"lib/email/index.ts",
+"components/auth/login-form.tsx",
+"components/auth/signup-form.tsx",
+"components/auth/logout-button.tsx",
+"components/session-provider.tsx",
+"app/auth/login/page.tsx",
+"app/auth/signup/page.tsx",
+"app/api/auth/[...nextauth]/route.ts",
+"app/api/signup/route.ts",
+"prisma/schema.prisma",
+"scripts/seed-demo.mjs",
+"scripts/promote-admin.mjs"
+]
+}
+
+## Where to customize NextAuth behavior
+
+- The NextAuth configuration and handlers live in lib/auth.ts. Common customizations include:
+  - Adjusting providers (add/remove OAuth providers).
+  - Modifying session and jwt callbacks to include or remove fields on the token/session.
+  - Customizing pages (e.g., pages.signIn) or redirect logic.
+
+- Notes: lib/auth.ts already persists user.id and role into the JWT and exposes them on session.user for server components. If you change what is exposed on the session, ensure server-side checks (RBAC) are updated accordingly.
+
+## CLI kit source (if packaging later)
+
+- A kit skeleton for packaging already exists in the repo at: `cli/kits/auth-core/` — it contains a compact copy of the core auth files (components, lib, prisma snippets) used by the CLI during development. Use that folder as a starting point when you implement the CLI packaging step.
+
+## Post-install checklist (Auth)
+
+1. Copy `.env.example` → `.env` and set DATABASE_URL, NEXTAUTH_URL, NEXTAUTH_SECRET (and GITHUB_ID/GITHUB_SECRET if using GitHub OAuth).
+2. Generate Prisma client and run migrations:
+
+   npx prisma generate
+   npx prisma migrate dev -n init
+
+3. (Optional) Seed demo data for quick testing:
+
+   SEED_ADMIN_EMAIL=admin@example.com SEED_ADMIN_PASSWORD=password123 node ./scripts/seed-demo.mjs
+
+4. Start dev server:
+
+   npm run dev
+
+5. Visit: `/auth/signup`, `/auth/login` and `/dashboard` for protected pages.
+
+If you want, I can also create a short docs/AUTH_MANIFEST.json file containing the JSON manifest above in the repo (useful for CLI packaging). I will not create CLI code or copy files unless you ask.

package/dist/kits/auth-core/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Jakob Bro Liebe Hansen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/kits/auth-core/app/(protected)/admin/posts/page.tsx

@@ -0,0 +1,29 @@
+"use client";
+
+import Link from "next/link";
+
+export default function AdminPostsPlaceholderPage() {
+  return (
+    <main className="mx-auto max-w-2xl px-4 py-12">
+      <h1 className="text-2xl font-semibold text-foreground">
+        Posts admin requires the Data kit
+      </h1>
+      <p className="mt-2 text-sm text-muted-foreground">
+        This project has the auth-core kit installed, which provides
+        authentication and basic admin scaffolding.
+        <br />
+        To create and manage posts, install the Data kit and wire up its admin
+        routes into your app.
+      </p>
+
+      <div className="mt-6 flex items-center gap-3 text-sm">
+        <Link
+          href="/dashboard"
+          className="text-primary underline-offset-4 hover:underline"
+        >
+          Back to dashboard
+        </Link>
+      </div>
+    </main>
+  );
+}

package/dist/kits/auth-core/app/(protected)/admin/users/page.tsx

@@ -0,0 +1,29 @@
+"use client";
+
+import Link from "next/link";
+
+export default function AdminUsersPlaceholderPage() {
+  return (
+    <main className="mx-auto max-w-2xl px-4 py-12">
+      <h1 className="text-2xl font-semibold text-foreground">
+        Users admin requires the Data kit
+      </h1>
+      <p className="mt-2 text-sm text-muted-foreground">
+        This project has the auth-core kit installed, which provides
+        authentication and basic admin scaffolding.
+        <br />
+        To manage users (list, filter, edit, etc.), install the Data kit and
+        add its admin routes to your app.
+      </p>
+
+      <div className="mt-6 flex items-center gap-3 text-sm">
+        <Link
+          href="/dashboard"
+          className="text-primary underline-offset-4 hover:underline"
+        >
+          Back to dashboard
+        </Link>
+      </div>
+    </main>
+  );
+}

package/dist/kits/auth-core/app/api/users/[id]/route.ts

@@ -0,0 +1,127 @@
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import type { Prisma } from "@prisma/client";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+
+// Ensure Prisma runs in Node.js (not Edge)
+export const runtime = "nodejs";
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+// Type guards/helpers (kept minimal here)
+const hasErrorCode = (e: unknown, code: string): boolean =>
+  typeof e === "object" &&
+  e !== null &&
+  "code" in e &&
+  typeof (e as { code?: unknown }).code === "string" &&
+  (e as { code: string }).code === code;
+
+export async function GET(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { id } = await params; // async params in Next.js 15
+
+    const user = await prisma.user.findUnique({
+      where: { id },
+      select: { id: true, name: true, email: true, role: true },
+    });
+
+    if (!user) {
+      return jsonFail("Not found", { status: 404 });
+    }
+
+    return jsonOk(user);
+  } catch (e) {
+    console.error("GET /api/users/[id] error:", e);
+    return jsonFail("Failed to fetch user", { status: 500 });
+  }
+}
+
+export async function PUT(req: NextRequest, { params }: RouteContext) {
+  try {
+    // Only admins may update other users. Allow self-update as well.
+    const session = await getServerSession(authOptions);
+    if (!session?.user) return jsonFail("Unauthorized", { status: 401 });
+
+    const { id } = await params;
+    const isAdmin = (session.user as { role?: string }).role === "admin";
+    const isSelf = (session.user as { id?: string }).id === id;
+    if (!isAdmin && !isSelf) return jsonFail("Forbidden", { status: 403 });
+
+    const body: unknown = await req.json();
+    if (typeof body !== "object" || body === null) {
+      return jsonFail("Body must be a JSON object", { status: 400 });
+    }
+
+    // Validate with Zod (imported lazily to keep this route light)
+    const { userUpdateSchema } = await import("@/lib/validation/forms");
+    try {
+      const parsed = userUpdateSchema.parse(body);
+
+      // Build Prisma-compatible update object
+      const data: Prisma.UserUpdateInput = {};
+      if (parsed.name !== undefined)
+        data.name = parsed.name === "" ? null : parsed.name;
+      if (parsed.email !== undefined) data.email = parsed.email;
+      if (parsed.image !== undefined)
+        data.image = parsed.image === "" ? null : parsed.image;
+      if (parsed.password !== undefined) {
+        // Hash password before saving
+        const { hashPassword } = await import("@/lib/hash");
+        data.password = await hashPassword(parsed.password as string);
+      }
+      if (parsed.emailVerified !== undefined)
+        data.emailVerified = parsed.emailVerified as any;
+
+      const updated = await prisma.user.update({
+        where: { id },
+        data,
+      });
+
+      return jsonOk(updated, { status: 200, message: "User updated" });
+    } catch (err) {
+      // Zod errors
+      if (err && typeof err === "object" && "issues" in (err as any)) {
+        const { jsonFromZod } = await import("@/lib/server/result");
+        return jsonFromZod(err as any, {
+          status: 400,
+          message: "Validation failed",
+        });
+      }
+      throw err;
+    }
+  } catch (e) {
+    console.error("PUT /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to update user", { status: 500 });
+  }
+}
+
+export async function DELETE(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { requireAdminApi } = await import("@/lib/auth-helpers");
+    const session = await requireAdminApi();
+    if (!session) return jsonFail("Forbidden", { status: 403 });
+
+    const { id } = await params;
+
+    // Clean up dependent records first to avoid FK violations
+    await prisma.$transaction([
+      prisma.account.deleteMany({ where: { userId: id } }),
+      prisma.session.deleteMany({ where: { userId: id } }),
+      prisma.post.deleteMany({ where: { authorId: id } }),
+      prisma.user.delete({ where: { id } }),
+    ]);
+
+    return jsonOk({ ok: true }, { status: 200, message: "User deleted" });
+  } catch (e) {
+    console.error("DELETE /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to delete user", { status: 500 });
+  }
+}

package/dist/kits/auth-core/components/ui/button.tsx

@@ -5,24 +5,27 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@/lib/utils";
 
 const buttonVariants = cva(
-  "inline-flex items-center justify-center whitespace-nowrap rounded-md text-sm font-medium ring-offset-background transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50",
+  "focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive inline-flex shrink-0 items-center justify-center gap-2 rounded-md text-sm font-medium whitespace-nowrap transition-all outline-none focus-visible:ring-[3px] disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
   {
     variants: {
       variant: {
-        default: "bg-primary text-primary-foreground hover:bg-primary/90",
+        default:
+          "bg-primary text-primary-foreground hover:bg-primary/90 shadow-xs",
         destructive:
-          "bg-destructive text-destructive-foreground hover:bg-destructive/90",
+          "bg-destructive text-destructive-foreground hover:bg-destructive/90 focus-visible:ring-destructive/20 dark:focus-visible:ring-destructive/40 dark:bg-destructive/60 shadow-xs",
         outline:
-          "border border-input bg-background hover:bg-accent hover:text-accent-foreground",
-        secondary: "bg-secondary text-secondary-foreground hover:bg-secondary/80",
-        ghost: "hover:bg-accent hover:text-accent-foreground",
+          "bg-background hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 border shadow-xs",
+        secondary:
+          "bg-secondary text-secondary-foreground hover:bg-secondary/80 shadow-xs",
+        ghost:
+          "hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50",
         link: "text-primary underline-offset-4 hover:underline",
       },
       size: {
-        default: "h-10 px-4 py-2",
-        sm: "h-9 rounded-md px-3",
-        lg: "h-11 rounded-md px-8",
-        icon: "h-10 w-10",
+        default: "h-9 px-4 py-2 has-[>svg]:px-3",
+        sm: "h-8 gap-1.5 rounded-md px-3 has-[>svg]:px-2.5",
+        lg: "h-10 rounded-md px-6 has-[>svg]:px-4",
+        icon: "size-9",
       },
     },
     defaultVariants: {
@@ -32,24 +35,88 @@ const buttonVariants = cva(
   },
 );
 
-export interface ButtonProps
-  extends React.ButtonHTMLAttributes<HTMLButtonElement>,
-    VariantProps<typeof buttonVariants> {
-  asChild?: boolean;
-}
+type ButtonProps = React.ComponentProps<"button"> &
+  VariantProps<typeof buttonVariants> & {
+    asChild?: boolean;
+    /** When true, bypasses tokenized buttonVariants so callers fully control classes */
+    unstyled?: boolean;
+    /** Opt-in: force inline CSS var styles for color/bg/border/ring */
+    forceInlineVars?: boolean;
+  };
 
 const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
-  ({ className, variant, size, asChild = false, ...props }, ref) => {
+  (
+    {
+      className,
+      variant,
+      size,
+      asChild = false,
+      unstyled = false,
+      forceInlineVars = false,
+      ...props
+    },
+    ref,
+  ) => {
     const Comp = asChild ? Slot : "button";
+
+    // Use caller-provided style; only inject inline var-driven colors when explicitly requested
+    const incomingStyle =
+      (props.style as React.CSSProperties | undefined) ?? undefined;
+    const finalStyle =
+      forceInlineVars && !unstyled
+        ? {
+            ...incomingStyle,
+            color: "var(--btn-fg)",
+            backgroundColor: "var(--btn-bg)",
+            borderColor: "var(--btn-border)",
+            "--tw-ring-color": "var(--btn-ring)",
+          }
+        : incomingStyle;
+
+    // Only enable CSS variable hooks when explicitly requested via inline vars
+    // or when the caller sets any [--btn-*] classes in className.
+    const wantsVarHooks =
+      !unstyled &&
+      (forceInlineVars ||
+        (typeof className === "string" && className.includes("[--btn-")));
+
     return (
       <Comp
-        className={cn(buttonVariants({ variant, size, className }))}
         ref={ref}
+        data-slot="button"
+        className={
+          unstyled
+            ? cn(
+                "inline-flex items-center justify-center gap-2 rounded-md text-sm font-medium whitespace-nowrap disabled:pointer-events-none disabled:opacity-50",
+                className,
+              )
+            : cn(
+                buttonVariants({ variant, size }),
+                wantsVarHooks && [
+                  // Color var hooks (apply only when CSS vars are provided)
+                  "text-[var(--btn-fg)]",
+                  "bg-[var(--btn-bg)]",
+                  "hover:bg-[var(--btn-hover-bg)]",
+                  "hover:text-[var(--btn-hover-fg)]",
+                  // explicit dark variants to compete with dark: utilities from variants like outline
+                  "dark:bg-[var(--btn-bg)]",
+                  "dark:hover:bg-[var(--btn-hover-bg)]",
+                  "dark:hover:text-[var(--btn-hover-fg)]",
+                  // Focus ring and border hooks
+                  "focus-visible:ring-[var(--btn-ring)]",
+                  "border-[var(--btn-border)]",
+                  "dark:border-[var(--btn-border)]",
+                ],
+                className,
+              )
+        }
+        style={finalStyle}
         {...props}
       />
     );
   },
 );
+
 Button.displayName = "Button";
 
 export { Button, buttonVariants };

package/dist/kits/auth-core/components/ui/input.tsx

@@ -2,8 +2,7 @@ import * as React from "react";
 
 import { cn } from "@/lib/utils";
 
-export interface InputProps
-  extends React.InputHTMLAttributes<HTMLInputElement> {}
+export type InputProps = React.InputHTMLAttributes<HTMLInputElement>;
 
 const Input = React.forwardRef<HTMLInputElement, InputProps>(
   ({ className, type, ...props }, ref) => {
@@ -11,7 +10,10 @@ const Input = React.forwardRef<HTMLInputElement, InputProps>(
       <input
         type={type}
         className={cn(
-          "flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50",
+          // Base structural + token fallbacks
+          "border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring aria-invalid:border-destructive aria-invalid:focus-visible:ring-destructive/30 dark:aria-invalid:focus-visible:ring-destructive/40 flex h-10 w-full rounded-md border px-3 py-2 text-sm file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:outline-none disabled:cursor-not-allowed disabled:opacity-50",
+          // CSS variable hooks (preset-first). When vars are unset, these are ignored and tokens above apply.
+          "focus-visible:ring-offset-background border-[var(--input-border)] bg-[var(--input-bg)] text-[var(--input-fg)] placeholder:text-[var(--input-placeholder)] focus-visible:ring-[var(--input-focus-ring,var(--ring))] focus-visible:ring-offset-2",
           className,
         )}
         ref={ref}

package/dist/kits/auth-core/components/ui/label.tsx

@@ -1,18 +1,24 @@
-"use client";
-
 import * as React from "react";
 import * as LabelPrimitive from "@radix-ui/react-label";
+import { cva, type VariantProps } from "class-variance-authority";
 
 import { cn } from "@/lib/utils";
 
+const labelVariants = cva(
+  "text-sm leading-none font-medium peer-disabled:cursor-not-allowed peer-disabled:opacity-70",
+);
+
 const Label = React.forwardRef<
   React.ElementRef<typeof LabelPrimitive.Root>,
-  React.ComponentPropsWithoutRef<typeof LabelPrimitive.Root>
+  React.ComponentPropsWithoutRef<typeof LabelPrimitive.Root> &
+    VariantProps<typeof labelVariants>
 >(({ className, ...props }, ref) => (
   <LabelPrimitive.Root
     ref={ref}
     className={cn(
-      "text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70",
+      labelVariants(),
+      // Optional color override via var; falls back to inherited color when unset
+      "text-[var(--label-fg)]",
       className,
     )}
     {...props}

package/dist/kits/auth-core/lib/prisma.ts

@@ -13,3 +13,13 @@ export const prisma =
   });
 
 if (process.env.NODE_ENV !== "production") globalForPrisma.prisma = prisma;
+
+if (process.env.NODE_ENV === "development" && process.platform === "win32") {
+  // Dev-only hint for Windows users hitting Prisma + Turbopack symlink issues
+  // (e.g. "create symlink to ../../../../node_modules/@prisma/client" with os error 1314).
+  // This is intentionally a console.warn so it surfaces clearly but only in dev.
+  // See docs/AUTH_QUICKSTART.md for full details.
+  console.warn(
+    "[nextworks][auth-core] On Windows with Next 16+ and Prisma, enable Windows Developer Mode or run your dev server from an elevated terminal to avoid Prisma symlink errors (os error 1314). See AUTH_QUICKSTART.md for details."
+  );
+}