zuro-cli 0.0.2-beta.15 → 0.0.2-beta.17

package/dist/index.js

@@ -825,6 +825,20 @@ var ENV_CONFIGS = {
       { name: "BETTER_AUTH_URL", schema: "z.string().url()" }
     ]
   },
+  "auth-jwt": {
+    envVars: {
+      JWT_ACCESS_SECRET: "your-jwt-access-secret-at-least-32-characters",
+      JWT_REFRESH_SECRET: "your-jwt-refresh-secret-at-least-32-characters",
+      JWT_ACCESS_EXPIRES_IN: "15m",
+      JWT_REFRESH_EXPIRES_IN: "7d"
+    },
+    schemaFields: [
+      { name: "JWT_ACCESS_SECRET", schema: "z.string().min(32)" },
+      { name: "JWT_REFRESH_SECRET", schema: "z.string().min(32)" },
+      { name: "JWT_ACCESS_EXPIRES_IN", schema: "z.string().min(2)" },
+      { name: "JWT_REFRESH_EXPIRES_IN", schema: "z.string().min(2)" }
+    ]
+  },
   mailer: {
     envVars: {
       SMTP_HOST: "smtp.example.com",
@@ -1309,57 +1323,93 @@ init_code_inject();
 async function isAuthModuleInstalled(projectRoot, srcDir) {
   return await import_fs_extra8.default.pathExists(import_path9.default.join(projectRoot, srcDir, "lib", "auth.ts"));
 }
-async function injectAuthRoutes(projectRoot, srcDir) {
+async function detectInstalledAuthProvider(projectRoot, srcDir) {
+  const authPath = import_path9.default.join(projectRoot, srcDir, "lib", "auth.ts");
+  if (!await import_fs_extra8.default.pathExists(authPath)) {
+    return null;
+  }
+  const authContent = await import_fs_extra8.default.readFile(authPath, "utf-8");
+  if (authContent.includes("better-auth")) {
+    return "better-auth";
+  }
+  if (authContent.includes("jsonwebtoken") || authContent.includes("JWT_ACCESS_SECRET")) {
+    return "jwt";
+  }
+  return null;
+}
+async function injectAuthRoutes(projectRoot, srcDir, provider) {
   const appPath = import_path9.default.join(projectRoot, srcDir, "app.ts");
   if (!await import_fs_extra8.default.pathExists(appPath)) {
     return false;
   }
   let appContent = await import_fs_extra8.default.readFile(appPath, "utf-8");
-  const authHandlerImport = `import { toNodeHandler } from "better-auth/node";`;
-  const authImport = `import { auth } from "./lib/auth";`;
   const routeIndexUserImport = `import userRoutes from "./user.routes";`;
+  const routeIndexAuthImport = `import authRoutes from "./auth.routes";`;
   const appUserImport = `import userRoutes from "./routes/user.routes";`;
+  const appAuthImport = `import authRoutes from "./routes/auth.routes";`;
   let appModified = false;
-  for (const importLine of [authHandlerImport, authImport]) {
-    const next = appendImport(appContent, importLine);
-    if (!next.inserted) {
-      return false;
+  if (provider === "better-auth") {
+    const authHandlerImport = `import { toNodeHandler } from "better-auth/node";`;
+    const authImport = `import { auth } from "./lib/auth";`;
+    for (const importLine of [authHandlerImport, authImport]) {
+      const next = appendImport(appContent, importLine);
+      if (!next.inserted) {
+        return false;
+      }
+      if (next.source !== appContent) {
+        appContent = next.source;
+        appModified = true;
+      }
     }
-    if (next.source !== appContent) {
-      appContent = next.source;
+    const hasAuthMount = /toNodeHandler\(\s*auth\s*\)/.test(appContent) && /\/api\/auth/.test(appContent);
+    if (!hasAuthMount) {
+      const authMountLine = "app.all(/^\\/api\\/auth(?:\\/.*)?$/, toNodeHandler(auth));\n";
+      const jsonIndex = appContent.search(/^\s*app\.use\(\s*express\.json\(\)\s*\);\s*$/m);
+      let insertionIndex = jsonIndex;
+      if (insertionIndex < 0) {
+        const healthIndex = appContent.search(/^\s*app\.get\(\s*["']\/health["']\s*,/m);
+        insertionIndex = healthIndex;
+      }
+      if (insertionIndex < 0) {
+        const exportMatch = appContent.match(/export default app;?\s*$/m);
+        insertionIndex = exportMatch?.index ?? -1;
+      }
+      if (insertionIndex < 0) {
+        return false;
+      }
+      appContent = appContent.slice(0, insertionIndex) + authMountLine + appContent.slice(insertionIndex);
       appModified = true;
     }
   }
-  const hasAuthMount = /toNodeHandler\(\s*auth\s*\)/.test(appContent) && /\/api\/auth/.test(appContent);
-  if (!hasAuthMount) {
-    const authMountLine = "app.all(/^\\/api\\/auth(?:\\/.*)?$/, toNodeHandler(auth));\n";
-    const jsonIndex = appContent.search(/^\s*app\.use\(\s*express\.json\(\)\s*\);\s*$/m);
-    let insertionIndex = jsonIndex;
-    if (insertionIndex < 0) {
-      const healthIndex = appContent.search(/^\s*app\.get\(\s*["']\/health["']\s*,/m);
-      insertionIndex = healthIndex;
-    }
-    if (insertionIndex < 0) {
-      const exportMatch = appContent.match(/export default app;?\s*$/m);
-      insertionIndex = exportMatch?.index ?? -1;
-    }
-    if (insertionIndex < 0) {
-      return false;
-    }
-    appContent = appContent.slice(0, insertionIndex) + authMountLine + appContent.slice(insertionIndex);
-    appModified = true;
-  }
   const routeIndexPath = import_path9.default.join(projectRoot, srcDir, "routes", "index.ts");
   if (await import_fs_extra8.default.pathExists(routeIndexPath)) {
     let routeContent = await import_fs_extra8.default.readFile(routeIndexPath, "utf-8");
     let routeModified = false;
-    const userImportResult = appendImport(routeContent, routeIndexUserImport);
-    if (!userImportResult.inserted) {
-      return false;
+    const routeImports = provider === "jwt" ? [routeIndexAuthImport, routeIndexUserImport] : [routeIndexUserImport];
+    for (const importLine of routeImports) {
+      const next = appendImport(routeContent, importLine);
+      if (!next.inserted) {
+        return false;
+      }
+      if (next.source !== routeContent) {
+        routeContent = next.source;
+        routeModified = true;
+      }
     }
-    if (userImportResult.source !== routeContent) {
-      routeContent = userImportResult.source;
-      routeModified = true;
+    if (provider === "jwt") {
+      const hasAuthRoute = /rootRouter\.use\(\s*["']\/auth["']\s*,\s*authRoutes\s*\)/.test(routeContent);
+      if (!hasAuthRoute) {
+        const routeSetup = `
+// Auth routes
+rootRouter.use("/auth", authRoutes);
+`;
+        const exportMatch = routeContent.match(/export default rootRouter;?\s*$/m);
+        if (!exportMatch || exportMatch.index === void 0) {
+          return false;
+        }
+        routeContent = routeContent.slice(0, exportMatch.index) + routeSetup + "\n" + routeContent.slice(exportMatch.index);
+        routeModified = true;
+      }
     }
     const hasUserRoute = /rootRouter\.use\(\s*["']\/users["']\s*,\s*userRoutes\s*\)/.test(routeContent);
     if (!hasUserRoute) {
@@ -1378,6 +1428,29 @@ rootRouter.use("/users", userRoutes);
       await import_fs_extra8.default.writeFile(routeIndexPath, routeContent);
     }
   } else {
+    if (provider === "jwt") {
+      const authImportResult = appendImport(appContent, appAuthImport);
+      if (!authImportResult.inserted) {
+        return false;
+      }
+      if (authImportResult.source !== appContent) {
+        appContent = authImportResult.source;
+        appModified = true;
+      }
+      const hasAuthRoute = /app\.use\(\s*["']\/api\/auth["']\s*,\s*authRoutes\s*\)/.test(appContent);
+      if (!hasAuthRoute) {
+        const exportMatch = appContent.match(/export default app;?\s*$/m);
+        if (!exportMatch || exportMatch.index === void 0) {
+          return false;
+        }
+        const routeSetup = `
+// Auth routes
+app.use("/api/auth", authRoutes);
+`;
+        appContent = appContent.slice(0, exportMatch.index) + routeSetup + "\n" + appContent.slice(exportMatch.index);
+        appModified = true;
+      }
+    }
     const hasUserRoute = /app\.use\(\s*["']\/api\/users["']\s*,\s*userRoutes\s*\)/.test(appContent);
     if (!hasUserRoute) {
       const exportMatch = appContent.match(/export default app;?\s*$/m);
@@ -1405,21 +1478,23 @@ app.use("/api/users", userRoutes);
   }
   return true;
 }
-async function injectAuthDocs(projectRoot, srcDir) {
+async function injectAuthDocs(projectRoot, srcDir, provider) {
   const openApiPath = import_path9.default.join(projectRoot, srcDir, "lib", "openapi.ts");
   if (!await import_fs_extra8.default.pathExists(openApiPath)) {
     return false;
   }
-  const authMarker = "// ZURO_AUTH_DOCS";
+  const betterAuthMarker = "// ZURO_AUTH_DOCS_BETTER_AUTH";
+  const jwtMarker = "// ZURO_AUTH_DOCS_JWT";
+  const legacyMarker = "// ZURO_AUTH_DOCS";
   let content = await import_fs_extra8.default.readFile(openApiPath, "utf-8");
-  if (content.includes(authMarker)) {
+  if (content.includes(betterAuthMarker) || content.includes(jwtMarker) || content.includes(legacyMarker)) {
     return true;
   }
   const moduleDocsEndMarker = "// ZURO_DOCS_MODULES_END";
   if (!content.includes(moduleDocsEndMarker)) {
     return false;
   }
-  const authBlock = `
+  const authBlock = provider === "jwt" ? `
 const authSignUpSchema = z.object({
     email: z.string().email().openapi({ example: "dev@company.com" }),
     password: z.string().min(8).openapi({ example: "strong-password" }),
@@ -1431,13 +1506,169 @@ const authSignInSchema = z.object({
     password: z.string().min(8).openapi({ example: "strong-password" }),
 });
 
+const authRefreshSchema = z.object({
+    refreshToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+});
+
+const authTokenSchema = z.object({
+    accessToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+    refreshToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+    tokenType: z.literal("Bearer").openapi({ example: "Bearer" }),
+});
+
 const authUserSchema = z.object({
     id: z.string().openapi({ example: "user_123" }),
     email: z.string().email().openapi({ example: "dev@company.com" }),
     name: z.string().nullable().openapi({ example: "Dev User" }),
 });
 
-${authMarker}
+${jwtMarker}
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-up/email",
+    tags: ["Auth"],
+    summary: "Register user and issue JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authSignUpSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Registration successful",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema, ...authTokenSchema.shape }),
+                },
+            },
+        },
+        409: { description: "Email already registered" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-in/email",
+    tags: ["Auth"],
+    summary: "Sign in and issue JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authSignInSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Sign in successful",
+            content: {
+                "application/json": {
+                    schema: authTokenSchema,
+                },
+            },
+        },
+        401: { description: "Invalid credentials" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/refresh",
+    tags: ["Auth"],
+    summary: "Exchange refresh token for new JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authRefreshSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Tokens refreshed",
+            content: {
+                "application/json": {
+                    schema: authTokenSchema,
+                },
+            },
+        },
+        401: { description: "Invalid refresh token" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-out",
+    tags: ["Auth"],
+    summary: "Client-side sign out for JWT auth",
+    responses: {
+        200: { description: "Sign out successful" },
+    },
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/api/auth/get-session",
+    tags: ["Auth"],
+    summary: "Get current JWT session user",
+    security: [{ bearerAuth: [] }],
+    responses: {
+        200: {
+            description: "Current session",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema.nullable() }),
+                },
+            },
+        },
+    },
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/api/users/me",
+    tags: ["Auth"],
+    summary: "Get current authenticated user",
+    security: [{ bearerAuth: [] }],
+    responses: {
+        200: {
+            description: "Current user",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema }),
+                },
+            },
+        },
+        401: { description: "Not authenticated" },
+    },
+});
+` : `
+const authSignUpSchema = z.object({
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    password: z.string().min(8).openapi({ example: "strong-password" }),
+    name: z.string().min(1).optional().openapi({ example: "Dev User" }),
+});
+
+const authSignInSchema = z.object({
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    password: z.string().min(8).openapi({ example: "strong-password" }),
+});
+
+const authUserSchema = z.object({
+    id: z.string().openapi({ example: "user_123" }),
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    name: z.string().nullable().openapi({ example: "Dev User" }),
+});
+
+${betterAuthMarker}
 registry.registerPath({
     method: "post",
     path: "/api/auth/sign-up/email",
@@ -1514,7 +1745,27 @@ ${moduleDocsEndMarker}`);
 async function promptAuthConfig(projectRoot, srcDir, options) {
   const { isDocsModuleInstalled: isDocsModuleInstalled2 } = await Promise.resolve().then(() => (init_docs_handler(), docs_handler_exports));
   const docsInstalled = await isDocsModuleInstalled2(projectRoot, srcDir);
+  let authProvider = "better-auth";
   let shouldInstallDocsForAuth = false;
+  if (options.authProvider) {
+    authProvider = options.authProvider;
+  } else if (!options.yes) {
+    const providerResponse = await (0, import_prompts3.default)({
+      type: "select",
+      name: "provider",
+      message: "Choose auth provider:",
+      choices: [
+        { title: "Better Auth (session + plugin ecosystem)", value: "better-auth" },
+        { title: "JWT (access/refresh tokens)", value: "jwt" }
+      ],
+      initial: 0
+    });
+    if (!providerResponse.provider) {
+      console.log(import_chalk5.default.yellow("Operation cancelled."));
+      return null;
+    }
+    authProvider = providerResponse.provider;
+  }
   if (!docsInstalled) {
     if (options.yes) {
       shouldInstallDocsForAuth = true;
@@ -1534,13 +1785,19 @@ async function promptAuthConfig(projectRoot, srcDir, options) {
   }
   const { detectInstalledDatabaseDialect: detectInstalledDatabaseDialect2 } = await Promise.resolve().then(() => (init_database_handler(), database_handler_exports));
   const authDatabaseDialect = await detectInstalledDatabaseDialect2(projectRoot, srcDir);
-  return { shouldInstallDocsForAuth, authDatabaseDialect };
+  return { authProvider, shouldInstallDocsForAuth, authDatabaseDialect };
 }
-function printAuthHints(generatedAuthSecret) {
-  if (generatedAuthSecret) {
-    console.log(import_chalk5.default.yellow("\u2139 BETTER_AUTH_SECRET was generated automatically."));
+function printAuthHints(generatedAuthSecret, provider) {
+  if (provider === "better-auth") {
+    if (generatedAuthSecret) {
+      console.log(import_chalk5.default.yellow("\u2139 BETTER_AUTH_SECRET was generated automatically."));
+    } else {
+      console.log(import_chalk5.default.yellow("\u2139 Review BETTER_AUTH_SECRET and BETTER_AUTH_URL in .env."));
+    }
+  } else if (generatedAuthSecret) {
+    console.log(import_chalk5.default.yellow("\u2139 JWT_ACCESS_SECRET and JWT_REFRESH_SECRET were generated automatically."));
   } else {
-    console.log(import_chalk5.default.yellow("\u2139 Review BETTER_AUTH_SECRET and BETTER_AUTH_URL in .env."));
+    console.log(import_chalk5.default.yellow("\u2139 Review JWT_ACCESS_SECRET, JWT_REFRESH_SECRET, and token TTLs in .env."));
   }
   console.log(import_chalk5.default.yellow("\u2139 Run migrations: npx drizzle-kit generate && npx drizzle-kit migrate"));
 }
@@ -1793,27 +2050,15 @@ var UPLOAD_PRESETS = {
     mimeTypes: ["video/mp4", "video/quicktime", "video/webm"],
     maxFileSize: 100 * 1024 * 1024,
     maxFiles: 1
-  },
-  mixed: {
-    mimeTypes: [
-      "image/jpeg",
-      "image/png",
-      "image/webp",
-      "application/pdf",
-      "text/plain",
-      "video/mp4"
-    ],
-    maxFileSize: 25 * 1024 * 1024,
-    maxFiles: 5
   }
 };
 function getUploadEnvSchemaFields(provider) {
   const shared = [
     { name: "UPLOAD_PROVIDER", schema: `z.enum(["s3", "r2", "cloudinary"])` },
     { name: "UPLOAD_MODE", schema: `z.enum(["proxy", "direct", "large"])` },
-    { name: "UPLOAD_AUTH_MODE", schema: `z.enum(["required", "optional", "none"])` },
+    { name: "UPLOAD_AUTH_MODE", schema: `z.enum(["required", "none"])` },
     { name: "UPLOAD_FILE_ACCESS", schema: `z.enum(["private", "public"])` },
-    { name: "UPLOAD_FILE_PRESET", schema: `z.enum(["image", "document", "video", "mixed"])` },
+    { name: "UPLOAD_FILE_PRESET", schema: `z.enum(["image", "document", "video"])` },
     { name: "UPLOAD_KEY_PREFIX", schema: "z.string().min(1)" },
     { name: "UPLOAD_ALLOWED_MIME", schema: "z.string().min(1)" },
     { name: "UPLOAD_MAX_FILE_SIZE", schema: "z.coerce.number().positive()" },
@@ -1848,103 +2093,24 @@ async function isAuthInstalled(projectRoot, srcDir) {
 function hasDrizzleDatabase(config) {
   return config?.database?.orm === "drizzle";
 }
-async function promptCredentials(provider) {
-  console.log(import_chalk7.default.dim("  Tip: Leave fields blank to use placeholders and configure later.\n"));
+function getProviderEnvDefaults(provider) {
   if (provider === "cloudinary") {
-    const response2 = await (0, import_prompts5.default)([
-      {
-        type: "text",
-        name: "cloudName",
-        message: "Cloudinary cloud name",
-        initial: ""
-      },
-      {
-        type: "text",
-        name: "apiKey",
-        message: "Cloudinary API key",
-        initial: ""
-      },
-      {
-        type: "password",
-        name: "apiSecret",
-        message: "Cloudinary API secret"
-      },
-      {
-        type: "text",
-        name: "folder",
-        message: "Cloudinary folder",
-        initial: "uploads"
-      },
-      {
-        type: "text",
-        name: "uploadPreset",
-        message: "Cloudinary upload preset (optional)",
-        initial: ""
-      }
-    ]);
-    if (response2.cloudName === void 0) {
-      console.log(import_chalk7.default.yellow("Operation cancelled."));
-      return null;
-    }
-    const values2 = {
-      CLOUDINARY_CLOUD_NAME: response2.cloudName?.trim() || "your-cloud-name",
-      CLOUDINARY_API_KEY: response2.apiKey?.trim() || "your-api-key",
-      CLOUDINARY_API_SECRET: response2.apiSecret?.trim() || "your-api-secret",
-      CLOUDINARY_FOLDER: response2.folder?.trim() || "uploads",
-      CLOUDINARY_UPLOAD_PRESET: response2.uploadPreset?.trim() || ""
+    return {
+      CLOUDINARY_CLOUD_NAME: "your-cloud-name",
+      CLOUDINARY_API_KEY: "your-api-key",
+      CLOUDINARY_API_SECRET: "your-api-secret",
+      CLOUDINARY_FOLDER: "uploads",
+      CLOUDINARY_UPLOAD_PRESET: ""
     };
-    return values2;
-  }
-  const response = await (0, import_prompts5.default)([
-    {
-      type: "text",
-      name: "bucket",
-      message: `${provider.toUpperCase()} bucket name`,
-      initial: ""
-    },
-    {
-      type: "text",
-      name: "region",
-      message: `${provider.toUpperCase()} region`,
-      initial: provider === "r2" ? "auto" : "us-east-1"
-    },
-    {
-      type: "text",
-      name: "endpoint",
-      message: provider === "r2" ? "R2 S3 endpoint" : "Custom S3 endpoint (optional)",
-      initial: provider === "r2" ? "https://<account-id>.r2.cloudflarestorage.com" : ""
-    },
-    {
-      type: "text",
-      name: "accessKeyId",
-      message: "Access key ID",
-      initial: ""
-    },
-    {
-      type: "password",
-      name: "secretAccessKey",
-      message: "Secret access key"
-    },
-    {
-      type: "text",
-      name: "publicBaseUrl",
-      message: "Public base URL (optional)",
-      initial: ""
-    }
-  ]);
-  if (response.bucket === void 0) {
-    console.log(import_chalk7.default.yellow("Operation cancelled."));
-    return null;
   }
-  const values = {
-    UPLOAD_BUCKET: response.bucket?.trim() || `your-${provider}-bucket`,
-    UPLOAD_REGION: response.region?.trim() || (provider === "r2" ? "auto" : "us-east-1"),
-    UPLOAD_ENDPOINT: response.endpoint?.trim() || (provider === "r2" ? "https://<account-id>.r2.cloudflarestorage.com" : ""),
-    UPLOAD_ACCESS_KEY_ID: response.accessKeyId?.trim() || "your-access-key-id",
-    UPLOAD_SECRET_ACCESS_KEY: response.secretAccessKey?.trim() || "your-secret-access-key",
-    UPLOAD_PUBLIC_BASE_URL: response.publicBaseUrl?.trim() || ""
+  return {
+    UPLOAD_BUCKET: `your-${provider}-bucket`,
+    UPLOAD_REGION: provider === "r2" ? "auto" : "us-east-1",
+    UPLOAD_ENDPOINT: provider === "r2" ? "https://<account-id>.r2.cloudflarestorage.com" : "",
+    UPLOAD_ACCESS_KEY_ID: "your-access-key-id",
+    UPLOAD_SECRET_ACCESS_KEY: "your-secret-access-key",
+    UPLOAD_PUBLIC_BASE_URL: ""
   };
-  return values;
 }
 function buildSharedEnvVars(provider, mode, authMode, access, preset, maxFileSize, maxFiles) {
   return {
@@ -1995,10 +2161,9 @@ async function promptUploadsConfig(projectRoot, srcDir) {
       message: "Who can upload?",
       choices: [
         { title: "Authenticated only", value: "required" },
-        { title: "Optional auth", value: "optional" },
         { title: "Public", value: "none" }
       ],
-      initial: authInstalled ? 0 : 2
+      initial: authInstalled ? 0 : 1
     },
     {
       type: "select",
@@ -2017,16 +2182,9 @@ async function promptUploadsConfig(projectRoot, srcDir) {
       choices: [
         { title: "Image", value: "image" },
         { title: "Document", value: "document" },
-        { title: "Video", value: "video" },
-        { title: "Mixed", value: "mixed" }
+        { title: "Video", value: "video" }
       ],
       initial: 0
-    },
-    {
-      type: "confirm",
-      name: "useDefaults",
-      message: "Use recommended upload limits for this preset?",
-      initial: true
     }
   ]);
   if (initial.provider === void 0) {
@@ -2043,7 +2201,7 @@ async function promptUploadsConfig(projectRoot, srcDir) {
     console.log(import_chalk7.default.yellow("Use S3 or R2 for large uploads, or pick Proxy/Direct for Cloudinary.\n"));
     return null;
   }
-  if (provider === "cloudinary" && (preset === "document" || preset === "mixed")) {
+  if (provider === "cloudinary" && preset === "document") {
     const warning = await (0, import_prompts5.default)({
       type: "confirm",
       name: "continue",
@@ -2056,50 +2214,19 @@ async function promptUploadsConfig(projectRoot, srcDir) {
     }
   }
   const presetDefaults = UPLOAD_PRESETS[preset];
-  let maxFileSize = presetDefaults.maxFileSize;
-  let maxFiles = presetDefaults.maxFiles;
-  if (!initial.useDefaults) {
-    const custom = await (0, import_prompts5.default)([
-      {
-        type: "number",
-        name: "maxFileSizeMb",
-        message: "Max file size (MB)",
-        initial: Math.max(1, Math.round(presetDefaults.maxFileSize / (1024 * 1024))),
-        min: 1
-      },
-      {
-        type: "number",
-        name: "maxFiles",
-        message: "Max files per request",
-        initial: presetDefaults.maxFiles,
-        min: 1,
-        max: 20
-      }
-    ]);
-    if (custom.maxFileSizeMb === void 0) {
-      console.log(import_chalk7.default.yellow("Operation cancelled."));
-      return null;
-    }
-    maxFileSize = Number(custom.maxFileSizeMb) * 1024 * 1024;
-    maxFiles = Number(custom.maxFiles);
-  }
   let useDatabaseMetadata = false;
   let shouldInstallDatabase = false;
   const metadataPrompt = await (0, import_prompts5.default)({
-    type: "select",
+    type: "confirm",
     name: "metadata",
-    message: "Upload metadata storage?",
-    choices: [
-      { title: drizzleInstalled ? "Database" : "Install database + track uploads", value: "db" },
-      { title: "No metadata", value: "none" }
-    ],
-    initial: 0
+    message: drizzleInstalled ? "Store upload metadata in your database?" : "Install database and store upload metadata?",
+    initial: true
   });
   if (metadataPrompt.metadata === void 0) {
     console.log(import_chalk7.default.yellow("Operation cancelled."));
     return null;
   }
-  if (metadataPrompt.metadata === "db") {
+  if (metadataPrompt.metadata === true) {
     useDatabaseMetadata = true;
     if (!projectConfig?.database) {
       shouldInstallDatabase = true;
@@ -2135,10 +2262,6 @@ async function promptUploadsConfig(projectRoot, srcDir) {
     }
     shouldInstallAuth = true;
   }
-  const providerEnv = await promptCredentials(provider);
-  if (!providerEnv) {
-    return null;
-  }
   return {
     provider,
     mode,
@@ -2149,8 +2272,8 @@ async function promptUploadsConfig(projectRoot, srcDir) {
     shouldInstallAuth,
     shouldInstallDatabase,
     envVars: {
-      ...buildSharedEnvVars(provider, mode, authMode, access, preset, maxFileSize, maxFiles),
-      ...providerEnv
+      ...buildSharedEnvVars(provider, mode, authMode, access, preset, presetDefaults.maxFileSize, presetDefaults.maxFiles),
+      ...getProviderEnvDefaults(provider)
     }
   };
 }
@@ -2386,6 +2509,7 @@ ${moduleDocsEndMarker}`);
 function printUploadHints(result) {
   console.log(import_chalk7.default.yellow("\u2139 Upload routes are mounted at: /api/uploads"));
   console.log(import_chalk7.default.yellow(`\u2139 Provider: ${result.provider} \xB7 Mode: ${result.mode} \xB7 Access: ${result.access}`));
+  console.log(import_chalk7.default.yellow("\u2139 Fill the generated upload env vars in .env before testing uploads."));
   if (result.mode === "proxy") {
     console.log(import_chalk7.default.yellow("\u2139 Reuse uploadSingle()/uploadArray() from src/lib/uploads/proxy.ts in your own form + file routes."));
   }
@@ -2456,6 +2580,8 @@ var add = async (moduleName, options = {}) => {
   let selectedDatabaseDialect = null;
   let generatedAuthSecret = false;
   let authDatabaseDialect = null;
+  let authProvider = options.authProvider || "better-auth";
+  let uploadAuthProvider = null;
   let customSmtpVars;
   let usedDefaultSmtp = false;
   let mailerProvider = "smtp";
@@ -2482,6 +2608,7 @@ var add = async (moduleName, options = {}) => {
   if (resolvedModuleName === "auth") {
     const result = await promptAuthConfig(projectRoot, srcDir, options);
     if (!result) return;
+    authProvider = result.authProvider;
     shouldInstallDocsForAuth = result.shouldInstallDocsForAuth;
     authDatabaseDialect = result.authDatabaseDialect;
   }
@@ -2508,6 +2635,11 @@ var add = async (moduleName, options = {}) => {
     currentStep = "module dependency resolution";
     await resolveDependencies(moduleDeps, projectRoot);
     if (resolvedModuleName === "uploads" && uploadConfig) {
+      const errorHandlerInstalled = import_fs_extra12.default.existsSync(import_path13.default.join(projectRoot, srcDir, "lib", "errors.ts"));
+      if (!errorHandlerInstalled) {
+        console.log(import_chalk8.default.blue("\n\u2139 Uploads needs the error-handler module. Installing error-handler..."));
+        await add("error-handler");
+      }
       if (uploadConfig.shouldInstallDatabase) {
         console.log(import_chalk8.default.blue("\n\u2139 Upload metadata needs a Drizzle database. Installing database module..."));
         await add("database");
@@ -2517,6 +2649,7 @@ var add = async (moduleName, options = {}) => {
         await add("auth", { yes: true });
       }
       uploadDatabaseDialect = await detectInstalledDatabaseDialect(projectRoot, srcDir);
+      uploadAuthProvider = await detectInstalledAuthProvider(projectRoot, srcDir);
       if (uploadConfig.useDatabaseMetadata) {
         if (uploadDatabaseDialect === "database-prisma-pg" || uploadDatabaseDialect === "database-prisma-mysql") {
           spinner.fail("Uploads metadata currently supports Drizzle-based database setup only.");
@@ -2551,6 +2684,15 @@ var add = async (moduleName, options = {}) => {
         devDeps = ["@types/nodemailer"];
       }
     }
+    if (resolvedModuleName === "auth") {
+      if (authProvider === "jwt") {
+        runtimeDeps = ["jsonwebtoken", "bcryptjs"];
+        devDeps = ["@types/jsonwebtoken", "@types/bcryptjs"];
+      } else {
+        runtimeDeps = ["better-auth"];
+        devDeps = [];
+      }
+    }
     if (resolvedModuleName === "uploads" && uploadConfig) {
       runtimeDeps = ["multer"];
       devDeps = ["@types/multer"];
@@ -2569,11 +2711,46 @@ var add = async (moduleName, options = {}) => {
       let fetchPath = file.path;
       let expectedSha256 = file.sha256;
       let expectedSize = file.size;
+      if (resolvedModuleName === "auth" && authProvider === "better-auth" && (file.target === "routes/auth.routes.ts" || file.target === "controllers/auth.controller.ts")) {
+        continue;
+      }
       if (resolvedModuleName === "auth" && file.target === "db/schema/auth.ts" && authDatabaseDialect === "database-mysql") {
         fetchPath = "express/db/schema/auth.mysql.ts";
         expectedSha256 = void 0;
         expectedSize = void 0;
       }
+      if (resolvedModuleName === "auth" && authProvider === "jwt") {
+        if (file.target === "lib/auth.ts") {
+          fetchPath = "express/lib/auth.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "controllers/user.controller.ts") {
+          fetchPath = "express/controllers/user.controller.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "routes/user.routes.ts") {
+          fetchPath = "express/routes/user.routes.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "controllers/auth.controller.ts") {
+          fetchPath = "express/controllers/auth.controller.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "routes/auth.routes.ts") {
+          fetchPath = "express/routes/auth.routes.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "db/schema/auth.ts") {
+          fetchPath = authDatabaseDialect === "database-mysql" ? "express/db/schema/auth.mysql.jwt.ts" : "express/db/schema/auth.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+      }
       if (resolvedModuleName === "mailer" && file.target === "lib/mailer.ts" && mailerProvider === "resend") {
         fetchPath = "express/lib/mailer.resend.ts";
         expectedSha256 = void 0;
@@ -2591,7 +2768,12 @@ var add = async (moduleName, options = {}) => {
           expectedSize = void 0;
         }
         if (file.target === "middleware/upload-auth.ts") {
-          fetchPath = `express/middleware/upload-auth.${uploadConfig.authMode}.ts`;
+          if (uploadConfig.authMode === "none") {
+            fetchPath = "express/middleware/upload-auth.none.ts";
+          } else {
+            const providerSuffix = uploadAuthProvider === "jwt" ? "jwt" : "better-auth";
+            fetchPath = `express/middleware/upload-auth.required.${providerSuffix}.ts`;
+          }
           expectedSha256 = void 0;
           expectedSize = void 0;
         }
@@ -2627,7 +2809,7 @@ var add = async (moduleName, options = {}) => {
     spinner.succeed("Files generated");
     if (resolvedModuleName === "auth") {
       spinner.start("Configuring routes...");
-      const injected = await injectAuthRoutes(projectRoot, srcDir);
+      const injected = await injectAuthRoutes(projectRoot, srcDir, authProvider);
       if (injected) {
         spinner.succeed("Routes configured");
       } else {
@@ -2636,7 +2818,7 @@ var add = async (moduleName, options = {}) => {
       const docsInstalled = await isDocsModuleInstalled(projectRoot, srcDir);
       if (docsInstalled) {
         spinner.start("Adding auth endpoints to API docs...");
-        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir);
+        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir, authProvider);
         if (authDocsInjected) {
           spinner.succeed("Auth endpoints added to API docs");
         } else {
@@ -2672,8 +2854,9 @@ var add = async (moduleName, options = {}) => {
       }
       const authInstalled = await isAuthModuleInstalled(projectRoot, srcDir);
       if (authInstalled) {
+        const installedAuthProvider = await detectInstalledAuthProvider(projectRoot, srcDir) || "better-auth";
         spinner.start("Adding auth endpoints to API docs...");
-        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir);
+        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir, installedAuthProvider);
         if (authDocsInjected) {
           spinner.succeed("Auth endpoints added to API docs");
         } else {
@@ -2717,6 +2900,9 @@ var add = async (moduleName, options = {}) => {
     if (resolvedModuleName === "mailer" && mailerProvider === "resend") {
       envConfigKey = "mailer-resend";
     }
+    if (resolvedModuleName === "auth" && authProvider === "jwt") {
+      envConfigKey = "auth-jwt";
+    }
     const envConfig = ENV_CONFIGS[envConfigKey];
     if (envConfig) {
       currentStep = "environment configuration";
@@ -2729,10 +2915,23 @@ var add = async (moduleName, options = {}) => {
         Object.assign(envVars, customSmtpVars);
       }
       if (resolvedModuleName === "auth") {
-        const hasExistingSecret = await hasEnvVariable(projectRoot, "BETTER_AUTH_SECRET");
-        if (!hasExistingSecret) {
-          envVars.BETTER_AUTH_SECRET = (0, import_node_crypto2.randomBytes)(32).toString("hex");
-          generatedAuthSecret = true;
+        if (authProvider === "better-auth") {
+          const hasExistingSecret = await hasEnvVariable(projectRoot, "BETTER_AUTH_SECRET");
+          if (!hasExistingSecret) {
+            envVars.BETTER_AUTH_SECRET = (0, import_node_crypto2.randomBytes)(32).toString("hex");
+            generatedAuthSecret = true;
+          }
+        } else {
+          const hasAccessSecret = await hasEnvVariable(projectRoot, "JWT_ACCESS_SECRET");
+          if (!hasAccessSecret) {
+            envVars.JWT_ACCESS_SECRET = (0, import_node_crypto2.randomBytes)(32).toString("hex");
+            generatedAuthSecret = true;
+          }
+          const hasRefreshSecret = await hasEnvVariable(projectRoot, "JWT_REFRESH_SECRET");
+          if (!hasRefreshSecret) {
+            envVars.JWT_REFRESH_SECRET = (0, import_node_crypto2.randomBytes)(32).toString("hex");
+            generatedAuthSecret = true;
+          }
         }
       }
       await updateEnvFile(projectRoot, envVars, true, {
@@ -2773,7 +2972,7 @@ var add = async (moduleName, options = {}) => {
       printDatabaseHints(resolvedModuleName, customDbUrl, usedDefaultDbUrl, databaseBackupPath);
     }
     if (resolvedModuleName === "auth") {
-      printAuthHints(generatedAuthSecret);
+      printAuthHints(generatedAuthSecret, authProvider);
     }
     if (resolvedModuleName === "mailer") {
       printMailerHints(usedDefaultSmtp);
@@ -2802,6 +3001,15 @@ ${import_chalk8.default.bold("Retry:")}`);
 var program = new import_commander.Command();
 program.name("zuro-cli").description("Zuro CLI tool").version("0.0.1");
 program.command("init").description("Initialize a new Zuro project").action(init);
-program.command("add <module>").description("Add a module to your project").action((module2, options) => add(module2, options));
+program.command("add <module>").description("Add a module to your project").option(
+  "--auth-provider <provider>",
+  "Auth provider for auth module (better-auth|jwt)",
+  (value) => {
+    if (value === "better-auth" || value === "jwt") {
+      return value;
+    }
+    throw new import_commander.InvalidArgumentError("auth-provider must be 'better-auth' or 'jwt'");
+  }
+).option("-y, --yes", "Skip prompts and use defaults").action((module2, options) => add(module2, options));
 program.parse(process.argv);
 //# sourceMappingURL=index.js.map