zuro-cli 0.0.2-beta.16 → 0.0.2-beta.17

package/dist/index.mjs

@@ -20,7 +20,7 @@ import {
 } from "./chunk-VMOTWTER.mjs";
 
 // src/index.ts
-import { Command } from "commander";
+import { Command, InvalidArgumentError } from "commander";
 
 // src/commands/init.ts
 import ora from "ora";
@@ -371,6 +371,20 @@ var ENV_CONFIGS = {
       { name: "BETTER_AUTH_URL", schema: "z.string().url()" }
     ]
   },
+  "auth-jwt": {
+    envVars: {
+      JWT_ACCESS_SECRET: "your-jwt-access-secret-at-least-32-characters",
+      JWT_REFRESH_SECRET: "your-jwt-refresh-secret-at-least-32-characters",
+      JWT_ACCESS_EXPIRES_IN: "15m",
+      JWT_REFRESH_EXPIRES_IN: "7d"
+    },
+    schemaFields: [
+      { name: "JWT_ACCESS_SECRET", schema: "z.string().min(32)" },
+      { name: "JWT_REFRESH_SECRET", schema: "z.string().min(32)" },
+      { name: "JWT_ACCESS_EXPIRES_IN", schema: "z.string().min(2)" },
+      { name: "JWT_REFRESH_EXPIRES_IN", schema: "z.string().min(2)" }
+    ]
+  },
   mailer: {
     envVars: {
       SMTP_HOST: "smtp.example.com",
@@ -852,57 +866,93 @@ import chalk4 from "chalk";
 async function isAuthModuleInstalled(projectRoot, srcDir) {
   return await fs6.pathExists(path7.join(projectRoot, srcDir, "lib", "auth.ts"));
 }
-async function injectAuthRoutes(projectRoot, srcDir) {
+async function detectInstalledAuthProvider(projectRoot, srcDir) {
+  const authPath = path7.join(projectRoot, srcDir, "lib", "auth.ts");
+  if (!await fs6.pathExists(authPath)) {
+    return null;
+  }
+  const authContent = await fs6.readFile(authPath, "utf-8");
+  if (authContent.includes("better-auth")) {
+    return "better-auth";
+  }
+  if (authContent.includes("jsonwebtoken") || authContent.includes("JWT_ACCESS_SECRET")) {
+    return "jwt";
+  }
+  return null;
+}
+async function injectAuthRoutes(projectRoot, srcDir, provider) {
   const appPath = path7.join(projectRoot, srcDir, "app.ts");
   if (!await fs6.pathExists(appPath)) {
     return false;
   }
   let appContent = await fs6.readFile(appPath, "utf-8");
-  const authHandlerImport = `import { toNodeHandler } from "better-auth/node";`;
-  const authImport = `import { auth } from "./lib/auth";`;
   const routeIndexUserImport = `import userRoutes from "./user.routes";`;
+  const routeIndexAuthImport = `import authRoutes from "./auth.routes";`;
   const appUserImport = `import userRoutes from "./routes/user.routes";`;
+  const appAuthImport = `import authRoutes from "./routes/auth.routes";`;
   let appModified = false;
-  for (const importLine of [authHandlerImport, authImport]) {
-    const next = appendImport(appContent, importLine);
-    if (!next.inserted) {
-      return false;
+  if (provider === "better-auth") {
+    const authHandlerImport = `import { toNodeHandler } from "better-auth/node";`;
+    const authImport = `import { auth } from "./lib/auth";`;
+    for (const importLine of [authHandlerImport, authImport]) {
+      const next = appendImport(appContent, importLine);
+      if (!next.inserted) {
+        return false;
+      }
+      if (next.source !== appContent) {
+        appContent = next.source;
+        appModified = true;
+      }
     }
-    if (next.source !== appContent) {
-      appContent = next.source;
+    const hasAuthMount = /toNodeHandler\(\s*auth\s*\)/.test(appContent) && /\/api\/auth/.test(appContent);
+    if (!hasAuthMount) {
+      const authMountLine = "app.all(/^\\/api\\/auth(?:\\/.*)?$/, toNodeHandler(auth));\n";
+      const jsonIndex = appContent.search(/^\s*app\.use\(\s*express\.json\(\)\s*\);\s*$/m);
+      let insertionIndex = jsonIndex;
+      if (insertionIndex < 0) {
+        const healthIndex = appContent.search(/^\s*app\.get\(\s*["']\/health["']\s*,/m);
+        insertionIndex = healthIndex;
+      }
+      if (insertionIndex < 0) {
+        const exportMatch = appContent.match(/export default app;?\s*$/m);
+        insertionIndex = exportMatch?.index ?? -1;
+      }
+      if (insertionIndex < 0) {
+        return false;
+      }
+      appContent = appContent.slice(0, insertionIndex) + authMountLine + appContent.slice(insertionIndex);
       appModified = true;
     }
   }
-  const hasAuthMount = /toNodeHandler\(\s*auth\s*\)/.test(appContent) && /\/api\/auth/.test(appContent);
-  if (!hasAuthMount) {
-    const authMountLine = "app.all(/^\\/api\\/auth(?:\\/.*)?$/, toNodeHandler(auth));\n";
-    const jsonIndex = appContent.search(/^\s*app\.use\(\s*express\.json\(\)\s*\);\s*$/m);
-    let insertionIndex = jsonIndex;
-    if (insertionIndex < 0) {
-      const healthIndex = appContent.search(/^\s*app\.get\(\s*["']\/health["']\s*,/m);
-      insertionIndex = healthIndex;
-    }
-    if (insertionIndex < 0) {
-      const exportMatch = appContent.match(/export default app;?\s*$/m);
-      insertionIndex = exportMatch?.index ?? -1;
-    }
-    if (insertionIndex < 0) {
-      return false;
-    }
-    appContent = appContent.slice(0, insertionIndex) + authMountLine + appContent.slice(insertionIndex);
-    appModified = true;
-  }
   const routeIndexPath = path7.join(projectRoot, srcDir, "routes", "index.ts");
   if (await fs6.pathExists(routeIndexPath)) {
     let routeContent = await fs6.readFile(routeIndexPath, "utf-8");
     let routeModified = false;
-    const userImportResult = appendImport(routeContent, routeIndexUserImport);
-    if (!userImportResult.inserted) {
-      return false;
+    const routeImports = provider === "jwt" ? [routeIndexAuthImport, routeIndexUserImport] : [routeIndexUserImport];
+    for (const importLine of routeImports) {
+      const next = appendImport(routeContent, importLine);
+      if (!next.inserted) {
+        return false;
+      }
+      if (next.source !== routeContent) {
+        routeContent = next.source;
+        routeModified = true;
+      }
     }
-    if (userImportResult.source !== routeContent) {
-      routeContent = userImportResult.source;
-      routeModified = true;
+    if (provider === "jwt") {
+      const hasAuthRoute = /rootRouter\.use\(\s*["']\/auth["']\s*,\s*authRoutes\s*\)/.test(routeContent);
+      if (!hasAuthRoute) {
+        const routeSetup = `
+// Auth routes
+rootRouter.use("/auth", authRoutes);
+`;
+        const exportMatch = routeContent.match(/export default rootRouter;?\s*$/m);
+        if (!exportMatch || exportMatch.index === void 0) {
+          return false;
+        }
+        routeContent = routeContent.slice(0, exportMatch.index) + routeSetup + "\n" + routeContent.slice(exportMatch.index);
+        routeModified = true;
+      }
     }
     const hasUserRoute = /rootRouter\.use\(\s*["']\/users["']\s*,\s*userRoutes\s*\)/.test(routeContent);
     if (!hasUserRoute) {
@@ -921,6 +971,29 @@ rootRouter.use("/users", userRoutes);
       await fs6.writeFile(routeIndexPath, routeContent);
     }
   } else {
+    if (provider === "jwt") {
+      const authImportResult = appendImport(appContent, appAuthImport);
+      if (!authImportResult.inserted) {
+        return false;
+      }
+      if (authImportResult.source !== appContent) {
+        appContent = authImportResult.source;
+        appModified = true;
+      }
+      const hasAuthRoute = /app\.use\(\s*["']\/api\/auth["']\s*,\s*authRoutes\s*\)/.test(appContent);
+      if (!hasAuthRoute) {
+        const exportMatch = appContent.match(/export default app;?\s*$/m);
+        if (!exportMatch || exportMatch.index === void 0) {
+          return false;
+        }
+        const routeSetup = `
+// Auth routes
+app.use("/api/auth", authRoutes);
+`;
+        appContent = appContent.slice(0, exportMatch.index) + routeSetup + "\n" + appContent.slice(exportMatch.index);
+        appModified = true;
+      }
+    }
     const hasUserRoute = /app\.use\(\s*["']\/api\/users["']\s*,\s*userRoutes\s*\)/.test(appContent);
     if (!hasUserRoute) {
       const exportMatch = appContent.match(/export default app;?\s*$/m);
@@ -948,21 +1021,23 @@ app.use("/api/users", userRoutes);
   }
   return true;
 }
-async function injectAuthDocs(projectRoot, srcDir) {
+async function injectAuthDocs(projectRoot, srcDir, provider) {
   const openApiPath = path7.join(projectRoot, srcDir, "lib", "openapi.ts");
   if (!await fs6.pathExists(openApiPath)) {
     return false;
   }
-  const authMarker = "// ZURO_AUTH_DOCS";
+  const betterAuthMarker = "// ZURO_AUTH_DOCS_BETTER_AUTH";
+  const jwtMarker = "// ZURO_AUTH_DOCS_JWT";
+  const legacyMarker = "// ZURO_AUTH_DOCS";
   let content = await fs6.readFile(openApiPath, "utf-8");
-  if (content.includes(authMarker)) {
+  if (content.includes(betterAuthMarker) || content.includes(jwtMarker) || content.includes(legacyMarker)) {
     return true;
   }
   const moduleDocsEndMarker = "// ZURO_DOCS_MODULES_END";
   if (!content.includes(moduleDocsEndMarker)) {
     return false;
   }
-  const authBlock = `
+  const authBlock = provider === "jwt" ? `
 const authSignUpSchema = z.object({
     email: z.string().email().openapi({ example: "dev@company.com" }),
     password: z.string().min(8).openapi({ example: "strong-password" }),
@@ -974,13 +1049,169 @@ const authSignInSchema = z.object({
     password: z.string().min(8).openapi({ example: "strong-password" }),
 });
 
+const authRefreshSchema = z.object({
+    refreshToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+});
+
+const authTokenSchema = z.object({
+    accessToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+    refreshToken: z.string().openapi({ example: "eyJhbGciOi..." }),
+    tokenType: z.literal("Bearer").openapi({ example: "Bearer" }),
+});
+
 const authUserSchema = z.object({
     id: z.string().openapi({ example: "user_123" }),
     email: z.string().email().openapi({ example: "dev@company.com" }),
     name: z.string().nullable().openapi({ example: "Dev User" }),
 });
 
-${authMarker}
+${jwtMarker}
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-up/email",
+    tags: ["Auth"],
+    summary: "Register user and issue JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authSignUpSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Registration successful",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema, ...authTokenSchema.shape }),
+                },
+            },
+        },
+        409: { description: "Email already registered" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-in/email",
+    tags: ["Auth"],
+    summary: "Sign in and issue JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authSignInSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Sign in successful",
+            content: {
+                "application/json": {
+                    schema: authTokenSchema,
+                },
+            },
+        },
+        401: { description: "Invalid credentials" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/refresh",
+    tags: ["Auth"],
+    summary: "Exchange refresh token for new JWT tokens",
+    request: {
+        body: {
+            content: {
+                "application/json": {
+                    schema: authRefreshSchema,
+                },
+            },
+        },
+    },
+    responses: {
+        200: {
+            description: "Tokens refreshed",
+            content: {
+                "application/json": {
+                    schema: authTokenSchema,
+                },
+            },
+        },
+        401: { description: "Invalid refresh token" },
+    },
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/api/auth/sign-out",
+    tags: ["Auth"],
+    summary: "Client-side sign out for JWT auth",
+    responses: {
+        200: { description: "Sign out successful" },
+    },
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/api/auth/get-session",
+    tags: ["Auth"],
+    summary: "Get current JWT session user",
+    security: [{ bearerAuth: [] }],
+    responses: {
+        200: {
+            description: "Current session",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema.nullable() }),
+                },
+            },
+        },
+    },
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/api/users/me",
+    tags: ["Auth"],
+    summary: "Get current authenticated user",
+    security: [{ bearerAuth: [] }],
+    responses: {
+        200: {
+            description: "Current user",
+            content: {
+                "application/json": {
+                    schema: z.object({ user: authUserSchema }),
+                },
+            },
+        },
+        401: { description: "Not authenticated" },
+    },
+});
+` : `
+const authSignUpSchema = z.object({
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    password: z.string().min(8).openapi({ example: "strong-password" }),
+    name: z.string().min(1).optional().openapi({ example: "Dev User" }),
+});
+
+const authSignInSchema = z.object({
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    password: z.string().min(8).openapi({ example: "strong-password" }),
+});
+
+const authUserSchema = z.object({
+    id: z.string().openapi({ example: "user_123" }),
+    email: z.string().email().openapi({ example: "dev@company.com" }),
+    name: z.string().nullable().openapi({ example: "Dev User" }),
+});
+
+${betterAuthMarker}
 registry.registerPath({
     method: "post",
     path: "/api/auth/sign-up/email",
@@ -1057,7 +1288,27 @@ ${moduleDocsEndMarker}`);
 async function promptAuthConfig(projectRoot, srcDir, options) {
   const { isDocsModuleInstalled: isDocsModuleInstalled2 } = await import("./docs.handler-JL3ZIVJQ.mjs");
   const docsInstalled = await isDocsModuleInstalled2(projectRoot, srcDir);
+  let authProvider = "better-auth";
   let shouldInstallDocsForAuth = false;
+  if (options.authProvider) {
+    authProvider = options.authProvider;
+  } else if (!options.yes) {
+    const providerResponse = await prompts2({
+      type: "select",
+      name: "provider",
+      message: "Choose auth provider:",
+      choices: [
+        { title: "Better Auth (session + plugin ecosystem)", value: "better-auth" },
+        { title: "JWT (access/refresh tokens)", value: "jwt" }
+      ],
+      initial: 0
+    });
+    if (!providerResponse.provider) {
+      console.log(chalk4.yellow("Operation cancelled."));
+      return null;
+    }
+    authProvider = providerResponse.provider;
+  }
   if (!docsInstalled) {
     if (options.yes) {
       shouldInstallDocsForAuth = true;
@@ -1077,13 +1328,19 @@ async function promptAuthConfig(projectRoot, srcDir, options) {
   }
   const { detectInstalledDatabaseDialect: detectInstalledDatabaseDialect2 } = await import("./database.handler-5OUD6XJZ.mjs");
   const authDatabaseDialect = await detectInstalledDatabaseDialect2(projectRoot, srcDir);
-  return { shouldInstallDocsForAuth, authDatabaseDialect };
+  return { authProvider, shouldInstallDocsForAuth, authDatabaseDialect };
 }
-function printAuthHints(generatedAuthSecret) {
-  if (generatedAuthSecret) {
-    console.log(chalk4.yellow("\u2139 BETTER_AUTH_SECRET was generated automatically."));
+function printAuthHints(generatedAuthSecret, provider) {
+  if (provider === "better-auth") {
+    if (generatedAuthSecret) {
+      console.log(chalk4.yellow("\u2139 BETTER_AUTH_SECRET was generated automatically."));
+    } else {
+      console.log(chalk4.yellow("\u2139 Review BETTER_AUTH_SECRET and BETTER_AUTH_URL in .env."));
+    }
+  } else if (generatedAuthSecret) {
+    console.log(chalk4.yellow("\u2139 JWT_ACCESS_SECRET and JWT_REFRESH_SECRET were generated automatically."));
   } else {
-    console.log(chalk4.yellow("\u2139 Review BETTER_AUTH_SECRET and BETTER_AUTH_URL in .env."));
+    console.log(chalk4.yellow("\u2139 Review JWT_ACCESS_SECRET, JWT_REFRESH_SECRET, and token TTLs in .env."));
   }
   console.log(chalk4.yellow("\u2139 Run migrations: npx drizzle-kit generate && npx drizzle-kit migrate"));
 }
@@ -1862,6 +2119,8 @@ var add = async (moduleName, options = {}) => {
   let selectedDatabaseDialect = null;
   let generatedAuthSecret = false;
   let authDatabaseDialect = null;
+  let authProvider = options.authProvider || "better-auth";
+  let uploadAuthProvider = null;
   let customSmtpVars;
   let usedDefaultSmtp = false;
   let mailerProvider = "smtp";
@@ -1888,6 +2147,7 @@ var add = async (moduleName, options = {}) => {
   if (resolvedModuleName === "auth") {
     const result = await promptAuthConfig(projectRoot, srcDir, options);
     if (!result) return;
+    authProvider = result.authProvider;
     shouldInstallDocsForAuth = result.shouldInstallDocsForAuth;
     authDatabaseDialect = result.authDatabaseDialect;
   }
@@ -1928,6 +2188,7 @@ var add = async (moduleName, options = {}) => {
         await add("auth", { yes: true });
       }
       uploadDatabaseDialect = await detectInstalledDatabaseDialect(projectRoot, srcDir);
+      uploadAuthProvider = await detectInstalledAuthProvider(projectRoot, srcDir);
       if (uploadConfig.useDatabaseMetadata) {
         if (uploadDatabaseDialect === "database-prisma-pg" || uploadDatabaseDialect === "database-prisma-mysql") {
           spinner.fail("Uploads metadata currently supports Drizzle-based database setup only.");
@@ -1962,6 +2223,15 @@ var add = async (moduleName, options = {}) => {
         devDeps = ["@types/nodemailer"];
       }
     }
+    if (resolvedModuleName === "auth") {
+      if (authProvider === "jwt") {
+        runtimeDeps = ["jsonwebtoken", "bcryptjs"];
+        devDeps = ["@types/jsonwebtoken", "@types/bcryptjs"];
+      } else {
+        runtimeDeps = ["better-auth"];
+        devDeps = [];
+      }
+    }
     if (resolvedModuleName === "uploads" && uploadConfig) {
       runtimeDeps = ["multer"];
       devDeps = ["@types/multer"];
@@ -1980,11 +2250,46 @@ var add = async (moduleName, options = {}) => {
       let fetchPath = file.path;
       let expectedSha256 = file.sha256;
       let expectedSize = file.size;
+      if (resolvedModuleName === "auth" && authProvider === "better-auth" && (file.target === "routes/auth.routes.ts" || file.target === "controllers/auth.controller.ts")) {
+        continue;
+      }
       if (resolvedModuleName === "auth" && file.target === "db/schema/auth.ts" && authDatabaseDialect === "database-mysql") {
         fetchPath = "express/db/schema/auth.mysql.ts";
         expectedSha256 = void 0;
         expectedSize = void 0;
       }
+      if (resolvedModuleName === "auth" && authProvider === "jwt") {
+        if (file.target === "lib/auth.ts") {
+          fetchPath = "express/lib/auth.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "controllers/user.controller.ts") {
+          fetchPath = "express/controllers/user.controller.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "routes/user.routes.ts") {
+          fetchPath = "express/routes/user.routes.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "controllers/auth.controller.ts") {
+          fetchPath = "express/controllers/auth.controller.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "routes/auth.routes.ts") {
+          fetchPath = "express/routes/auth.routes.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+        if (file.target === "db/schema/auth.ts") {
+          fetchPath = authDatabaseDialect === "database-mysql" ? "express/db/schema/auth.mysql.jwt.ts" : "express/db/schema/auth.jwt.ts";
+          expectedSha256 = void 0;
+          expectedSize = void 0;
+        }
+      }
       if (resolvedModuleName === "mailer" && file.target === "lib/mailer.ts" && mailerProvider === "resend") {
         fetchPath = "express/lib/mailer.resend.ts";
         expectedSha256 = void 0;
@@ -2002,7 +2307,12 @@ var add = async (moduleName, options = {}) => {
           expectedSize = void 0;
         }
         if (file.target === "middleware/upload-auth.ts") {
-          fetchPath = `express/middleware/upload-auth.${uploadConfig.authMode}.ts`;
+          if (uploadConfig.authMode === "none") {
+            fetchPath = "express/middleware/upload-auth.none.ts";
+          } else {
+            const providerSuffix = uploadAuthProvider === "jwt" ? "jwt" : "better-auth";
+            fetchPath = `express/middleware/upload-auth.required.${providerSuffix}.ts`;
+          }
           expectedSha256 = void 0;
           expectedSize = void 0;
         }
@@ -2038,7 +2348,7 @@ var add = async (moduleName, options = {}) => {
     spinner.succeed("Files generated");
     if (resolvedModuleName === "auth") {
       spinner.start("Configuring routes...");
-      const injected = await injectAuthRoutes(projectRoot, srcDir);
+      const injected = await injectAuthRoutes(projectRoot, srcDir, authProvider);
       if (injected) {
         spinner.succeed("Routes configured");
       } else {
@@ -2047,7 +2357,7 @@ var add = async (moduleName, options = {}) => {
       const docsInstalled = await isDocsModuleInstalled(projectRoot, srcDir);
       if (docsInstalled) {
         spinner.start("Adding auth endpoints to API docs...");
-        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir);
+        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir, authProvider);
         if (authDocsInjected) {
           spinner.succeed("Auth endpoints added to API docs");
         } else {
@@ -2083,8 +2393,9 @@ var add = async (moduleName, options = {}) => {
       }
       const authInstalled = await isAuthModuleInstalled(projectRoot, srcDir);
       if (authInstalled) {
+        const installedAuthProvider = await detectInstalledAuthProvider(projectRoot, srcDir) || "better-auth";
         spinner.start("Adding auth endpoints to API docs...");
-        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir);
+        const authDocsInjected = await injectAuthDocs(projectRoot, srcDir, installedAuthProvider);
         if (authDocsInjected) {
           spinner.succeed("Auth endpoints added to API docs");
         } else {
@@ -2128,6 +2439,9 @@ var add = async (moduleName, options = {}) => {
     if (resolvedModuleName === "mailer" && mailerProvider === "resend") {
       envConfigKey = "mailer-resend";
     }
+    if (resolvedModuleName === "auth" && authProvider === "jwt") {
+      envConfigKey = "auth-jwt";
+    }
     const envConfig = ENV_CONFIGS[envConfigKey];
     if (envConfig) {
       currentStep = "environment configuration";
@@ -2140,10 +2454,23 @@ var add = async (moduleName, options = {}) => {
         Object.assign(envVars, customSmtpVars);
       }
       if (resolvedModuleName === "auth") {
-        const hasExistingSecret = await hasEnvVariable(projectRoot, "BETTER_AUTH_SECRET");
-        if (!hasExistingSecret) {
-          envVars.BETTER_AUTH_SECRET = randomBytes(32).toString("hex");
-          generatedAuthSecret = true;
+        if (authProvider === "better-auth") {
+          const hasExistingSecret = await hasEnvVariable(projectRoot, "BETTER_AUTH_SECRET");
+          if (!hasExistingSecret) {
+            envVars.BETTER_AUTH_SECRET = randomBytes(32).toString("hex");
+            generatedAuthSecret = true;
+          }
+        } else {
+          const hasAccessSecret = await hasEnvVariable(projectRoot, "JWT_ACCESS_SECRET");
+          if (!hasAccessSecret) {
+            envVars.JWT_ACCESS_SECRET = randomBytes(32).toString("hex");
+            generatedAuthSecret = true;
+          }
+          const hasRefreshSecret = await hasEnvVariable(projectRoot, "JWT_REFRESH_SECRET");
+          if (!hasRefreshSecret) {
+            envVars.JWT_REFRESH_SECRET = randomBytes(32).toString("hex");
+            generatedAuthSecret = true;
+          }
         }
       }
       await updateEnvFile(projectRoot, envVars, true, {
@@ -2184,7 +2511,7 @@ var add = async (moduleName, options = {}) => {
       printDatabaseHints(resolvedModuleName, customDbUrl, usedDefaultDbUrl, databaseBackupPath);
     }
     if (resolvedModuleName === "auth") {
-      printAuthHints(generatedAuthSecret);
+      printAuthHints(generatedAuthSecret, authProvider);
     }
     if (resolvedModuleName === "mailer") {
       printMailerHints(usedDefaultSmtp);
@@ -2213,6 +2540,15 @@ ${chalk7.bold("Retry:")}`);
 var program = new Command();
 program.name("zuro-cli").description("Zuro CLI tool").version("0.0.1");
 program.command("init").description("Initialize a new Zuro project").action(init);
-program.command("add <module>").description("Add a module to your project").action((module, options) => add(module, options));
+program.command("add <module>").description("Add a module to your project").option(
+  "--auth-provider <provider>",
+  "Auth provider for auth module (better-auth|jwt)",
+  (value) => {
+    if (value === "better-auth" || value === "jwt") {
+      return value;
+    }
+    throw new InvalidArgumentError("auth-provider must be 'better-auth' or 'jwt'");
+  }
+).option("-y, --yes", "Skip prompts and use defaults").action((module, options) => add(module, options));
 program.parse(process.argv);
 //# sourceMappingURL=index.mjs.map