@agent-native/core 0.7.81 → 0.7.83

package/dist/server/auth.js

@@ -1,5 +1,5 @@
 import crypto from "node:crypto";
-import { defineEventHandler, getMethod, getQuery, getRequestIP, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
+import { defineEventHandler, getMethod, getQuery, getRequestIP, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, getHeader, } from "h3";
 // In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx
 // runtime), event.url and event.req share the same underlying URL object.
 // When registerMiddleware strips the mount prefix from event.url.pathname, it
@@ -34,11 +34,10 @@ function toWebRequest(event) {
     }
     return req;
 }
-import { getDbExec, isPostgres, intType, isLocalDatabase, retryOnDdlRace, } from "../db/client.js";
+import { getDbExec, isPostgres, intType, retryOnDdlRace, } from "../db/client.js";
 import { getBetterAuth, getBetterAuthSync } from "./better-auth-instance.js";
 import { getAllowedCorsOrigin, readCorsAllowedOrigins, } from "./cors-origins.js";
 import { getOnboardingHtml, getResetPasswordHtml } from "./onboarding-html.js";
-import { migrateLocalUserData } from "./local-migration.js";
 import { readBody } from "../server/h3-helpers.js";
 import { readDesktopSso, writeDesktopSso, clearDesktopSso, } from "./desktop-sso.js";
 import { isElectron as isElectronRequest, getAppBasePath, getAppUrl, encodeOAuthState, decodeOAuthState, createOAuthSession, oauthCallbackResponse, oauthErrorPage, resolveOAuthRedirectUri, isAllowedOAuthRedirectUri, } from "./google-oauth.js";
@@ -82,36 +81,8 @@ function getOAuthStateAppId() {
 }
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
 // ---------------------------------------------------------------------------
-// AUTH_MODE detection
+// Environment helpers
 // ---------------------------------------------------------------------------
-let _warnedRemoteLocalMode = false;
-/**
- * Check if the app is in local-only mode (no auth).
- *
- * Returns true when AUTH_MODE=local is explicitly set.
- *
- * Local mode is an explicit escape hatch for when you want to guarantee
- * no auth is used. In development, getSession() also falls back to
- * local@localhost automatically if no other auth method succeeds, so
- * apps are always usable without configuration in dev.
- *
- * Refuses to enable on any non-local database (Postgres, Turso, D1): local
- * mode uses a single shared virtual user with no per-machine scoping, so on
- * a shared DB every developer would land on the same account and collide.
- */
-async function isLocalModeEnabled() {
-    if (process.env.AUTH_MODE !== "local")
-        return false;
-    if (!isLocalDatabase()) {
-        if (!_warnedRemoteLocalMode) {
-            _warnedRemoteLocalMode = true;
-            console.warn("[agent-native] AUTH_MODE=local ignored: database is not local SQLite. " +
-                "local@localhost has no per-user scoping and would collide across developers on a shared DB.");
-        }
-        return false;
-    }
-    return true;
-}
 /**
  * Check if we're in a development/test environment.
  * Used for cookie security settings, not for auth bypass.
@@ -245,6 +216,36 @@ function safeTokenMatch(input, tokens) {
     }
     return false;
 }
+function getBearerSessionToken(event) {
+    const auth = getHeader(event, "authorization");
+    if (!auth)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/i.exec(auth.trim());
+    return match?.[1]?.trim() || undefined;
+}
+async function getBearerLegacySession(event) {
+    const bearerToken = getBearerSessionToken(event);
+    if (!bearerToken)
+        return null;
+    const email = await getSessionEmail(bearerToken);
+    return email ? { email, token: bearerToken } : null;
+}
+function shouldExposeSessionTokenInBody(event) {
+    const origin = getHeader(event, "origin");
+    if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin))
+        return true;
+    // Some native WebViews do not consistently emit an Origin header for
+    // programmatic fetches. The desktop app marks same-server requests with
+    // X-Request-Source; browsers can only use that cross-origin after our CORS
+    // allowlist has approved the origin, and same-origin pages already receive
+    // an equivalent httpOnly session cookie on successful login.
+    return !origin && getHeader(event, "x-request-source") === "clips-desktop";
+}
+function authLoginResponse(event, token, email) {
+    if (!shouldExposeSessionTokenInBody(event))
+        return { ok: true };
+    return email ? { ok: true, token, email } : { ok: true, token };
+}
 // ---------------------------------------------------------------------------
 // Legacy session store — kept for backward compat (addSession/getSessionEmail)
 // Used by google-oauth.ts for mobile deep linking session creation.
@@ -348,7 +349,6 @@ export async function getSessionEmail(token) {
 // getSession — the auth contract
 // ---------------------------------------------------------------------------
 let customGetSession = null;
-let authDisabledMode = false;
 let _authGuardConfig = null;
 const _genericGoogleOAuthRoutesEnabled = new WeakMap();
 function setGenericGoogleOAuthRoutesEnabled(app, enabled) {
@@ -361,6 +361,10 @@ function areGenericGoogleOAuthRoutesEnabled(app) {
 }
 const _desktopExchanges = new Map();
 const DESKTOP_EXCHANGE_ERROR_PREFIX = "__error__::";
+const DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([
+    "tauri://localhost",
+    "http://localhost:1420",
+]);
 // 5-minute TTL for exchange entries (short — single-use tokens).
 const DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;
 export function setDesktopExchange(flowId, token, email) {
@@ -477,17 +481,6 @@ export async function runAuthGuard(event) {
         return; // Auth not mounted (local mode, etc.)
     return _authGuardFn(event);
 }
-/**
- * The framework's dev-mode bypass identity. When `AUTH_MODE=local` (or
- * dev-mode falls back), `getSession()` returns `{ email: DEV_MODE_USER_EMAIL }`.
- * Production code that needs to check whether the current request is the
- * dev-mode user (or filter it out of mailers, dashboards, etc.) should
- * compare against this constant instead of inlining the literal —
- * `guard-no-localhost-fallback.mjs` blocks the literal everywhere except
- * `auth.ts` and a handful of dev-mode helpers.
- */
-export const DEV_MODE_USER_EMAIL = "local@localhost";
-const LOCAL_SESSION = { email: DEV_MODE_USER_EMAIL };
 // ---------------------------------------------------------------------------
 // Auth guard factory
 // ---------------------------------------------------------------------------
@@ -506,9 +499,7 @@ function applyCorsHeaders(event) {
     // response would be missing the Allow-Origin header and the browser
     // blocks the response body (making it look like a network error
     // rather than "unauthenticated").
-    const reqHeaders = (event.node?.req?.headers ?? {});
-    const originRaw = reqHeaders["origin"];
-    const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
+    const origin = getHeader(event, "origin");
     if (!origin)
         return { hasOrigin: false, allowed: true };
     const allowedOrigin = getAllowedCorsOrigin(origin, {
@@ -524,6 +515,24 @@ function applyCorsHeaders(event) {
     setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
     return { hasOrigin: true, allowed: true };
 }
+function createAuthCorsHandler() {
+    return defineEventHandler((event) => {
+        const cors = applyCorsHeaders(event);
+        if (getMethod(event) !== "OPTIONS")
+            return;
+        if (cors.hasOrigin && !cors.allowed) {
+            setResponseStatus(event, 403);
+            return "";
+        }
+        setResponseStatus(event, 204);
+        return "";
+    });
+}
+function mountAuthCorsMiddleware(app) {
+    const handler = createAuthCorsHandler();
+    app.use("/_agent-native/auth", handler);
+    app.use("/_agent-native/google", handler);
+}
 function createAuthGuardFn() {
     return async (event) => {
         const config = _authGuardConfig;
@@ -628,8 +637,8 @@ function createAuthGuardFn() {
             });
         }
         // Auth entry pages are framework-owned pages, not app routes. When a user
-        // already has a session (including AUTH_MODE=local), redirect them back to
-        // the mounted app instead of letting React Router try to render /login.
+        // already has a session, redirect them back to the mounted app instead of
+        // letting React Router try to render /login.
         if (p === "/login" || p === "/signup") {
             const session = await getSession(event);
             if (session) {
@@ -656,6 +665,15 @@ function createAuthGuardFn() {
             p.endsWith(".woff")) {
             return;
         }
+        // React Router 7's lazy route discovery fetches `/__manifest?p=...` to
+        // resolve manifest patches for `<Link>`s the user might click. The
+        // auth fallback returning loginHtml here makes RR fail to parse the
+        // body as RSC, surfacing as a console error and (when the visitor
+        // already errored elsewhere) blocking the app from rendering. Let it
+        // through — it returns a tiny RSC-encoded manifest of the public
+        // route tree, no per-user data.
+        if (p === "/__manifest")
+            return;
         if (isPublicPath(normalizedUrl, publicPaths))
             return;
         const session = await getSession(event);
@@ -687,51 +705,21 @@ function mapBetterAuthSession(baSession) {
  * Get the current auth session for a request.
  *
  * Resolution chain:
- * 1. AUTH_MODE=local → local@localhost (explicit escape hatch)
- * 2. AUTH_DISABLED=true → local@localhost (infrastructure auth)
- * 3. ACCESS_TOKEN → check legacy cookie-based token sessions
- * 4. BYOA custom getSession → delegate to template callback
- * 5. Better Auth → check session via Better Auth API (cookie or Bearer)
- * 6. Legacy cookie → check an_session cookie in legacy sessions table
+ * 1. ACCESS_TOKEN → check legacy cookie-based token sessions
+ * 2. BYOA custom getSession → delegate to template callback
+ * 3. Bearer legacy session → check Authorization: Bearer against sessions
+ * 4. Better Auth → check session via Better Auth API (cookie or Bearer)
+ * 5. Legacy cookie → check an_session cookie in legacy sessions table
+ * 6. Desktop SSO broker (Electron loopback only)
  * 7. Mobile _session query param → promote to cookie
- * 8. Dev-mode fallback → local@localhost (never block in development)
+ *
+ * Returns `null` for unauthenticated requests. There is no dev-mode bypass:
+ * local development uses the same Better Auth signup flow as production. The
+ * onboarding/sign-in page is served by `runAuthGuard` for any unauthenticated
+ * page load.
  */
 export async function getSession(event) {
-    // 1. AUTH_MODE=local — explicit local-only mode
-    if ((await isLocalModeEnabled()) || authDisabledMode) {
-        // Check for a real session cookie first (e.g. from Google OAuth)
-        try {
-            const cookie = getCookie(event, COOKIE_NAME);
-            if (cookie) {
-                const email = await getSessionEmail(cookie);
-                if (email)
-                    return { email, token: cookie };
-            }
-        }
-        catch {
-            // DB not ready yet
-        }
-        // Also try Better Auth session (for users who created an account then went local)
-        try {
-            const ba = getBetterAuthSync();
-            if (ba) {
-                const baSession = await ba.api.getSession({
-                    headers: event.headers,
-                });
-                if (baSession?.user?.email) {
-                    return mapBetterAuthSession(baSession);
-                }
-            }
-        }
-        catch {
-            // Better Auth not initialized yet
-        }
-        const querySession = await promoteQuerySession(event);
-        if (querySession)
-            return querySession;
-        return LOCAL_SESSION;
-    }
-    // 2. ACCESS_TOKEN check (programmatic/agent access)
+    // 1. ACCESS_TOKEN check (programmatic/agent access)
     const accessTokens = getAccessTokens();
     if (accessTokens.length > 0) {
         const cookie = getCookie(event, COOKIE_NAME);
@@ -741,11 +729,14 @@ export async function getSession(event) {
                 return { email, token: cookie };
         }
     }
-    // 3. BYOA custom getSession
+    // 2. BYOA custom getSession
     if (customGetSession) {
         const session = await customGetSession(event);
         if (session)
             return session;
+        const bearerSession = await getBearerLegacySession(event);
+        if (bearerSession)
+            return bearerSession;
         // Desktop SSO broker: even with BYOA auth, fall back to the broker
         // for Electron requests so cross-template SSO works for custom-auth
         // templates too. Gated on `readDesktopSsoSafely` so a non-loopback
@@ -757,6 +748,11 @@ export async function getSession(event) {
         // Fall through to mobile _session check
     }
     else {
+        // 3. Bearer legacy session. Desktop/native clients can persist a session
+        // token outside the WebView cookie jar and attach it to all app requests.
+        const bearerSession = await getBearerLegacySession(event);
+        if (bearerSession)
+            return bearerSession;
         // 4. Better Auth session (cookie or Bearer token)
         try {
             const ba = getBetterAuthSync();
@@ -765,9 +761,6 @@ export async function getSession(event) {
                     headers: event.headers,
                 });
                 if (baSession?.user?.email) {
-                    // Successful real sign-in — clear the upgrade-pending marker so
-                    // the dev fallback becomes reachable again for future local work.
-                    clearUpgradePendingCookie(event);
                     return mapBetterAuthSession(baSession);
                 }
             }
@@ -780,11 +773,10 @@ export async function getSession(event) {
         if (cookie) {
             const email = await getSessionEmail(cookie);
             if (email) {
-                clearUpgradePendingCookie(event);
                 return { email, token: cookie };
             }
         }
-        // 5b. Desktop SSO broker fallback.
+        // 6. Desktop SSO broker fallback.
         // Each template in the Electron desktop app has its own database, so
         // a session token created by one template doesn't resolve in another.
         // When an Electron request has no resolvable session, trust the
@@ -795,40 +787,13 @@ export async function getSession(event) {
         // impersonate whichever email last signed into the desktop app.
         const sso = await readDesktopSsoSafely(event);
         if (sso?.email) {
-            clearUpgradePendingCookie(event);
             return { email: sso.email, token: sso.token };
         }
     }
-    // 6. Mobile WebView bridge — _session query param
+    // 7. Mobile WebView bridge — _session query param
     const querySession = await promoteQuerySession(event);
     if (querySession)
         return querySession;
-    // 7. Dev-mode safety net — in development on a local SQLite database, fall
-    // back to local@localhost so the app is usable without any auth configuration.
-    // This prevents 401 errors when Better Auth isn't configured or the user
-    // simply wants to play around locally.
-    //
-    // Gated on isLocalDatabase() because local@localhost has no per-user scoping:
-    // on a shared DB (Postgres, Turso, D1) this fallback would land every
-    // developer on the same account and expose each other's data.
-    //
-    // STRICT NODE_ENV check: this used to read `isDevEnvironment()` which
-    // also accepted `NODE_ENV=test`, meaning a misconfigured prod deploy
-    // started with `NODE_ENV=test` (or undefined NODE_ENV in some CI/build
-    // contexts) would silently bypass auth entirely. Limiting to the literal
-    // string "development" closes that footgun. Tests that need this branch
-    // to fire stub NODE_ENV explicitly to "development".
-    //
-    // EXCEPTION: if the user has explicitly exited local mode (clicked "Upgrade
-    // to real account"), they've signaled they want real auth. The upgrade
-    // cookie suppresses this fallback so the onboarding/sign-in page is served
-    // instead of silently re-authenticating them as local@localhost.
-    if (process.env.NODE_ENV === "development" &&
-        isLocalDatabase() &&
-        !isUpgradePending(event) &&
-        !hasSignInFlag(event)) {
-        return LOCAL_SESSION;
-    }
     return null;
 }
 async function promoteQuerySession(event) {
@@ -842,44 +807,6 @@ async function promoteQuerySession(event) {
     setResponseHeader(event, "Referrer-Policy", "no-referrer");
     return { email, token: qToken };
 }
-/**
- * Cookie set by POST /_agent-native/auth/exit-local-mode so we know the user
- * is in the middle of upgrading from local@localhost to a real account.
- * While this cookie is present we skip the dev-mode "auto local session"
- * fallback so the onboarding/sign-in page can actually render.
- * Cleared on successful sign-in/sign-up.
- */
-const UPGRADE_COOKIE = "an_upgrade_pending";
-function isUpgradePending(event) {
-    try {
-        return getCookie(event, UPGRADE_COOKIE) === "1";
-    }
-    catch {
-        return false;
-    }
-}
-function setUpgradePendingCookie(event) {
-    setCookie(event, UPGRADE_COOKIE, "1", {
-        httpOnly: true,
-        ...crossSiteCookieAttrs(event),
-        path: "/",
-        maxAge: 60 * 60, // 1 hour — enough to complete sign-in
-    });
-}
-/**
- * URL-flag fallback for third-party iframe contexts (e.g. the Builder.io
- * editor) where SameSite=Lax cookies from an exit-local-mode POST are not
- * delivered on the subsequent reload. TeamPage reloads with ?signin=1 so
- * we can reliably suppress the dev-mode local fallback without a cookie.
- */
-function hasSignInFlag(event) {
-    try {
-        return getQuery(event)?.signin === "1";
-    }
-    catch {
-        return false;
-    }
-}
 function isReadMethod(event) {
     const method = getMethod(event);
     return method === "GET" || method === "HEAD";
@@ -905,21 +832,11 @@ function setFrameworkSessionCookie(event, token) {
 }
 function isHttpsRequest(event) {
     try {
-        const req = event.req ?? event.node?.req;
-        const headers = req?.headers;
-        const get = (k) => {
-            if (!headers)
-                return undefined;
-            if (typeof headers.get === "function") {
-                return headers.get(k) ?? undefined;
-            }
-            const v = headers[k];
-            return Array.isArray(v) ? v[0] : v;
-        };
-        const xfProto = get("x-forwarded-proto");
+        const xfProto = getHeader(event, "x-forwarded-proto");
         if (xfProto && String(xfProto).split(",")[0].trim() === "https") {
             return true;
         }
+        const req = event.req ?? event.node?.req;
         const url = req?.url;
         if (typeof url === "string" && url.startsWith("https://"))
             return true;
@@ -932,14 +849,6 @@ function isHttpsRequest(event) {
     }
     return false;
 }
-function clearUpgradePendingCookie(event) {
-    try {
-        deleteCookie(event, UPGRADE_COOKIE, { path: "/" });
-    }
-    catch {
-        // ignore
-    }
-}
 // ---------------------------------------------------------------------------
 // Public path matching
 // ---------------------------------------------------------------------------
@@ -1053,57 +962,6 @@ const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
 </body>
 </html>`;
 // ---------------------------------------------------------------------------
-// Local mode route helpers
-// ---------------------------------------------------------------------------
-function localModeMarkerDisabled(event) {
-    setResponseStatus(event, 410);
-    return {
-        error: "The local-mode marker file has been removed. Set AUTH_MODE=local in your local shell or .env only for one-off local development.",
-    };
-}
-function exitLocalMode(event) {
-    // Mark the browser so getSession's dev-mode fallback won't silently
-    // re-authenticate the user as local@localhost on the next request.
-    setUpgradePendingCookie(event);
-    return { ok: true };
-}
-/**
- * POST /_agent-native/auth/migrate-local-data handler. Exposed here (not
- * inlined in a single mount function) because it must be registered from
- * every auth-mount path — including local-mode and fallback — so the
- * upgrade-from-local flow never 500s when BetterAuth init is skipped or
- * failed. Previously this was only mounted inside mountBetterAuthRoutes()
- * which meant that in local mode (or when BetterAuth failed to init) the
- * request fell through to the Nitro SSR renderer and produced a 500.
- */
-const migrateLocalDataHandler = defineEventHandler(async (event) => {
-    if (getMethod(event) !== "POST") {
-        setResponseStatus(event, 405);
-        return { error: "Method not allowed" };
-    }
-    const session = await getSession(event);
-    if (!session?.email || session.email === "local@localhost") {
-        setResponseStatus(event, 401);
-        return { error: "Not authenticated as a real account" };
-    }
-    try {
-        const result = await migrateLocalUserData(session.email);
-        return { ok: true, ...result };
-    }
-    catch (e) {
-        console.error("[migrate-local-data] Migration threw for", session.email, e);
-        setResponseStatus(event, 500);
-        return {
-            error: e?.message || "Migration failed",
-            // Only surface the stack when explicitly enabled. `isDevEnvironment()`
-            // returns true on preview deploys and Lambda contexts that forget
-            // NODE_ENV=production, which leaked stack traces to clients. Use
-            // AGENT_NATIVE_DEBUG_ERRORS=1 for opt-in debug visibility.
-            stack: process.env.AGENT_NATIVE_DEBUG_ERRORS === "1" ? e?.stack : undefined,
-        };
-    }
-});
-// ---------------------------------------------------------------------------
 // mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes
 // ---------------------------------------------------------------------------
 async function mountBetterAuthRoutes(app, options) {
@@ -1470,23 +1328,6 @@ async function mountBetterAuthRoutes(app, options) {
         }
         return response;
     }));
-    // POST /_agent-native/auth/local-mode — legacy endpoint kept so old clients
-    // receive an explicit error instead of creating a persistent local marker.
-    app.use("/_agent-native/auth/local-mode", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return localModeMarkerDisabled(event);
-    }));
-    // POST /_agent-native/auth/exit-local-mode — switch back to real auth
-    app.use("/_agent-native/auth/exit-local-mode", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return exitLocalMode(event);
-    }));
     // Backward-compat: POST /_agent-native/auth/login
     app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
         if (getMethod(event) !== "POST") {
@@ -1510,7 +1351,7 @@ async function mountBetterAuthRoutes(app, options) {
                 path: "/",
                 maxAge: sessionMaxAge,
             });
-            return { ok: true };
+            return authLoginResponse(event, sessionToken, "user");
         }
         // Email/password login via Better Auth
         const email = body?.email?.trim?.()?.toLowerCase?.();
@@ -1538,7 +1379,7 @@ async function mountBetterAuthRoutes(app, options) {
                         expiresAt: Date.now() + sessionMaxAge * 1000,
                     });
                 }
-                return { ok: true };
+                return authLoginResponse(event, result.token, email);
             }
             // signInEmail succeeded but returned no token — typically means the
             // email isn't verified yet. Don't return { ok: true } without a
@@ -1589,6 +1430,9 @@ async function mountBetterAuthRoutes(app, options) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         try {
             await auth.api.signOut({ headers: event.headers });
@@ -1677,10 +1521,6 @@ async function mountBetterAuthRoutes(app, options) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
-    // POST /_agent-native/auth/migrate-local-data — move local-mode data to
-    // the currently signed-in account. Called by the UI after a user upgrades
-    // from local mode to a real account so they don't lose their data.
-    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
     // GET /_agent-native/auth/reset — HTML page shown when a user clicks the
     // reset link in their email. Reads ?token=... and POSTs to Better Auth's
     // /reset-password endpoint on submit.
@@ -1729,12 +1569,15 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
             path: "/",
             maxAge: sessionMaxAge,
         });
-        return { ok: true };
+        return authLoginResponse(event, sessionToken, "user");
     }));
     app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         if (isElectronRequest(event))
             await clearDesktopSso();
@@ -1748,38 +1591,12 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
-    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
     _authGuardConfig = { loginHtml: TOKEN_LOGIN_HTML, publicPaths };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
     app.use(defineEventHandler(guardFn));
 }
 // ---------------------------------------------------------------------------
-// mountLocalModeRoutes — stub routes for AUTH_MODE=local
-// ---------------------------------------------------------------------------
-function mountLocalModeRoutes(app) {
-    app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-        if (!isReadMethod(event)) {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return await getSession(event);
-    }));
-    app.use("/_agent-native/auth/login", defineEventHandler(() => ({ ok: true })));
-    app.use("/_agent-native/auth/logout", defineEventHandler(() => ({ ok: true })));
-    // Allow exiting local mode to switch to real auth
-    app.use("/_agent-native/auth/exit-local-mode", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return exitLocalMode(event);
-    }));
-    // Upgrade path: migrate-local-data must be reachable from local mode
-    // because the user is still in local mode when they trigger the upgrade.
-    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
-}
-// ---------------------------------------------------------------------------
 // mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails
 // ---------------------------------------------------------------------------
 function mountAuthFallbackRoutes(app) {
@@ -1815,7 +1632,7 @@ function mountAuthFallbackRoutes(app) {
                         expiresAt: Date.now() + sessionMaxAge * 1000,
                     });
                 }
-                return { ok: true };
+                return authLoginResponse(event, result.token, email);
             }
             setResponseStatus(event, 403);
             return {
@@ -1859,6 +1676,9 @@ function mountAuthFallbackRoutes(app) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
+        const bearerToken = getBearerSessionToken(event);
+        if (bearerToken)
+            await removeSession(bearerToken);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         try {
             const auth = await getBetterAuth();
@@ -1871,20 +1691,6 @@ function mountAuthFallbackRoutes(app) {
             await clearDesktopSso();
         return { ok: true };
     }));
-    app.use("/_agent-native/auth/local-mode", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return localModeMarkerDisabled(event);
-    }));
-    app.use("/_agent-native/auth/exit-local-mode", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
-            setResponseStatus(event, 405);
-            return { error: "Method not allowed" };
-        }
-        return exitLocalMode(event);
-    }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
         if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
@@ -1893,10 +1699,6 @@ function mountAuthFallbackRoutes(app) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
-    // Must be reachable from fallback mode too — otherwise a user who
-    // upgrades-from-local on a server that couldn't init Better Auth gets a
-    // 500 instead of a clear 401.
-    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
 }
 // ---------------------------------------------------------------------------
 // autoMountAuth — the recommended entry point
@@ -1904,14 +1706,16 @@ function mountAuthFallbackRoutes(app) {
 /**
  * Automatically configure auth based on environment and configuration:
  *
- * - **AUTH_MODE=local**: Auth bypassed. `getSession()` returns `{ email: "local@localhost" }`.
- *   This is the explicit escape hatch for solo local development.
  * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.
- * - **AUTH_DISABLED=true**: Auth bypassed (for infrastructure-level auth like Cloudflare Access).
  * - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.
  * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.
  *   Users see an onboarding page to create an account on first visit.
  *
+ * Local development uses the same Better Auth flow as production. Email
+ * verification is automatically skipped in dev/test environments and when
+ * no email provider is configured (see `shouldSkipEmailVerification`), so a
+ * fresh local clone only needs an email + password to get started.
+ *
  * Returns true if auth was mounted, false if skipped.
  */
 export async function autoMountAuth(app, options = {}) {
@@ -1959,8 +1763,7 @@ export async function autoMountAuth(app, options = {}) {
     _authGuardConfig = null;
     _mountedApp = app;
     if (!app) {
-        if ((await isLocalModeEnabled()) || isDevEnvironment()) {
-            authDisabledMode = false;
+        if (isDevEnvironment()) {
             customGetSession = null;
             return false;
         }
@@ -1968,27 +1771,12 @@ export async function autoMountAuth(app, options = {}) {
     }
     // Reset globals
     customGetSession = null;
-    authDisabledMode = false;
     sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;
     const publicPaths = options.publicPaths ?? [];
+    mountAuthCorsMiddleware(app);
     if (options.getSession) {
         customGetSession = options.getSession;
     }
-    // AUTH_MODE=local — explicit local-only mode (escape hatch)
-    if (await isLocalModeEnabled()) {
-        try {
-            // Mount the standard auth endpoints and guard even in local mode so the
-            // app can switch back to real auth immediately after AUTH_MODE is
-            // cleared, without waiting for a server restart/remount.
-            await mountBetterAuthRoutes(app, options);
-        }
-        catch (err) {
-            console.error("[agent-native] Failed to initialize Better Auth in local mode:", err);
-            mountLocalModeRoutes(app);
-        }
-        console.log("[agent-native] Auth mode: local (upgrade path enabled).");
-        return false;
-    }
     // BYOA — custom getSession provider
     if (customGetSession) {
         app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
@@ -2004,12 +1792,14 @@ export async function autoMountAuth(app, options = {}) {
             const cookie = getCookie(event, COOKIE_NAME);
             if (cookie)
                 await removeSession(cookie);
+            const bearerToken = getBearerSessionToken(event);
+            if (bearerToken)
+                await removeSession(bearerToken);
             deleteCookie(event, COOKIE_NAME, { path: "/" });
             if (isElectronRequest(event))
                 await clearDesktopSso();
             return { ok: true };
         }));
-        app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
         const byoaLoginHtml = options.loginHtml ?? TOKEN_LOGIN_HTML;
         _authGuardConfig = { loginHtml: byoaLoginHtml, publicPaths };
         const guardFn = createAuthGuardFn();
@@ -2019,14 +1809,6 @@ export async function autoMountAuth(app, options = {}) {
             console.log("[agent-native] Auth enabled — custom getSession provider.");
         return true;
     }
-    // AUTH_DISABLED — skip auth (infrastructure-level auth)
-    if (process.env.AUTH_DISABLED === "true") {
-        authDisabledMode = true;
-        console.warn("[agent-native] AUTH_DISABLED=true — running without auth. " +
-            "Ensure this app is behind infrastructure-level auth (Cloudflare Access, VPN, etc.).");
-        mountLocalModeRoutes(app);
-        return false;
-    }
     // ACCESS_TOKEN-only mode
     const tokens = getAccessTokens();
     if (tokens.length > 0) {