@banata-auth/convex 0.1.0

package/dist/plugins/audit.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Audit log plugin for Banata Auth.
+ *
+ * Provides:
+ * - API endpoints for listing, creating, and exporting audit events
+ * - Automatic logging of auth events via Better Auth hooks
+ * - Organization-scoped audit trails
+ *
+ * This plugin follows Better Auth's plugin pattern and uses the Convex
+ * database adapter (from Better Auth's context) to store events in the
+ * `auditEvent` table defined in the component schema.
+ *
+ * @see {@link ../../component/schema.ts} for the auditEvent table definition
+ * @see {@link ../../../shared/src/types.ts} for the AuditEvent SDK type
+ */
+import type { BetterAuthPlugin } from "better-auth";
+import { type PluginDBAdapter } from "./types";
+export interface AuditLogPluginOptions {
+    /** Actions to automatically log. If empty, logs all auth actions. */
+    autoLogActions?: string[];
+    /** Whether to auto-log all Better Auth endpoint calls. Default: true */
+    autoLog?: boolean;
+}
+/**
+ * Audit log plugin for Banata Auth.
+ *
+ * Registers custom API endpoints under `/api/auth/banata/audit-logs/`
+ * for listing, creating, and exporting audit events.
+ *
+ * Also installs an `after` hook on all Better Auth endpoints to
+ * automatically log auth events (sign-in, sign-up, password changes,
+ * organization operations, admin actions, etc.) into the `auditEvent`
+ * table via the Convex database adapter.
+ *
+ * @param options - Optional configuration for auto-logging behavior
+ * @returns A Better Auth plugin descriptor
+ *
+ * @example
+ * ```ts
+ * import { auditLog } from "./plugins/audit";
+ *
+ * const plugins = [
+ *   auditLog(),
+ *   // ... other plugins
+ * ];
+ * ```
+ */
+export declare function auditLog(options?: AuditLogPluginOptions): BetterAuthPlugin;
+/**
+ * Parameters for the `logAuditEvent` helper.
+ *
+ * Maps directly to the `auditEvent` table columns defined in
+ * the component schema (see `src/component/schema.ts`).
+ */
+export interface LogAuditEventParams {
+    /** Optional project scope for multi-tenant isolation. */
+    projectId?: string;
+    action: string;
+    actorType: "user" | "admin" | "system" | "api_key" | "scim";
+    actorId: string;
+    actorName?: string;
+    actorEmail?: string;
+    actorMetadata?: Record<string, string>;
+    targets?: Array<{
+        type: string;
+        id: string;
+        name?: string;
+        metadata?: Record<string, string>;
+    }>;
+    organizationId?: string;
+    ipAddress?: string;
+    userAgent?: string;
+    requestId?: string;
+    changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    };
+    idempotencyKey?: string;
+    metadata?: Record<string, string>;
+}
+/**
+ * Log an audit event from a Better Auth hook or trigger handler.
+ *
+ * This helper can be called from Better Auth hooks, Convex triggers,
+ * or any code that has access to the database adapter to create an
+ * audit event record without going through the HTTP endpoint.
+ *
+ * @param adapter - The Better Auth database adapter (ctx.context.adapter)
+ * @param params  - The audit event data
+ *
+ * @example
+ * ```ts
+ * import { logAuditEvent } from "./plugins/audit";
+ *
+ * // Inside a Better Auth hook or trigger:
+ * await logAuditEvent(ctx.context.adapter, {
+ *   action: "user.login",
+ *   actorType: "user",
+ *   actorId: user.id,
+ *   actorEmail: user.email,
+ *   ipAddress: request.headers.get("x-forwarded-for"),
+ * });
+ * ```
+ */
+export declare function logAuditEvent(adapter: Pick<PluginDBAdapter, "create">, params: LogAuditEventParams): Promise<void>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/plugins/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/plugins/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAEN,KAAK,eAAe,EAKpB,MAAM,SAAS,CAAC;AAIjB,MAAM,WAAW,qBAAqB;IACrC,qEAAqE;IACrE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,wEAAwE;IACxE,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB;AA0HD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,QAAQ,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,gBAAgB,CAsR1E;AAID;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IACnC,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;IAC5D,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,OAAO,CAAC,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAClC,CAAC,CAAC;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAChF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,aAAa,CAClC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,EACxC,MAAM,EAAE,mBAAmB,GACzB,OAAO,CAAC,IAAI,CAAC,CAmCf"}

package/dist/plugins/config.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Dashboard configuration plugin for Banata Auth.
+ *
+ * Provides CRUD endpoints for dashboard configuration data that
+ * doesn't exist natively in Better Auth:
+ *
+ * - `/banata/config/public`             — Read runtime auth config for public UIs
+ * - `/banata/config/dashboard`          — Read dashboard config (with persisted overrides)
+ * - `/banata/config/dashboard/save`     — Save partial dashboard config overrides
+ * - `/banata/config/roles/list`         — List custom role definitions
+ * - `/banata/config/roles/create`       — Create a role definition
+ * - `/banata/config/roles/delete`       — Delete a role definition
+ * - `/banata/config/permissions/list`   — List custom permission definitions
+ * - `/banata/config/permissions/create` — Create a permission definition
+ * - `/banata/config/permissions/delete` — Delete a permission definition
+ * - `/banata/config/branding/get`       — Get branding config
+ * - `/banata/config/branding/save`      — Upsert branding config
+ * - `/banata/config/emails/list`        — List email toggles
+ * - `/banata/config/emails/toggle`      — Toggle an email type on/off
+ * - `/banata/config/project/get`        — Get project config (name, description, env)
+ * - `/banata/config/project/save`       — Save project config
+ *
+ * All endpoints are registered under `/api/auth/banata/config/...` through
+ * Better Auth's plugin system and proxied via the existing catch-all route.
+ *
+ * @see {@link ../../component/schema.ts} for table definitions
+ * @see {@link ../auth.ts} for plugin registration
+ */
+import type { BetterAuthPlugin } from "better-auth";
+export interface ConfigPluginOptions {
+    /**
+     * Static auth methods config — mirrors BanataAuthConfig.authMethods.
+     * These are read from the server environment, not stored in DB.
+     */
+    authMethods?: {
+        sso?: boolean;
+        emailPassword?: boolean;
+        passkey?: boolean;
+        magicLink?: boolean;
+        emailOtp?: boolean;
+        twoFactor?: boolean;
+        organization?: boolean;
+        anonymous?: boolean;
+        username?: boolean;
+    };
+    /**
+     * Social providers config — keys are provider names, values indicate
+     * whether they are enabled + whether they use demo credentials.
+     */
+    socialProviders?: Record<string, {
+        enabled: boolean;
+        demo?: boolean;
+    }>;
+    /**
+     * Static feature flags.
+     */
+    features?: {
+        hostedUi?: boolean;
+        signUp?: boolean;
+        mfa?: boolean;
+        localization?: boolean;
+    };
+    /**
+     * Static session configuration.
+     */
+    sessions?: {
+        maxSessionLength?: string;
+        accessTokenDuration?: string;
+        inactivityTimeout?: string;
+        corsOrigins?: string[];
+    };
+}
+/**
+ * Config plugin for the Banata Auth dashboard.
+ *
+ * Registers endpoints under `/api/auth/banata/config/...` for managing
+ * dashboard configuration, roles, permissions, branding, and emails.
+ *
+ * @param options - Static config values sourced from environment/auth config
+ * @returns A Better Auth plugin descriptor
+ */
+export declare function configPlugin(options?: ConfigPluginOptions): BetterAuthPlugin;
+//# sourceMappingURL=config.d.ts.map

package/dist/plugins/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/plugins/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AA4BpD,MAAM,WAAW,mBAAmB;IACnC;;;OAGG;IACH,WAAW,CAAC,EAAE;QACb,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IAEF;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAEvE;;OAEG;IACH,QAAQ,CAAC,EAAE;QACV,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,YAAY,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;IAEF;;OAEG;IACH,QAAQ,CAAC,EAAE;QACV,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;CACF;AAkuBD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAmxD5E"}

package/dist/plugins/domains.d.ts

@@ -0,0 +1,3 @@
+import type { BetterAuthPlugin } from "better-auth";
+export declare function domainsPlugin(): BetterAuthPlugin;
+//# sourceMappingURL=domains.d.ts.map

package/dist/plugins/domains.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"domains.d.ts","sourceRoot":"","sources":["../../src/plugins/domains.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAqLpD,wBAAgB,aAAa,IAAI,gBAAgB,CAwOhD"}

package/dist/plugins/email-sender.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Provider-agnostic email sending abstraction for Banata Auth.
+ *
+ * All providers use the Fetch API directly (no Node.js SDKs), making this
+ * compatible with Convex's runtime, Cloudflare Workers, Deno, and any
+ * other edge/serverless environment.
+ *
+ * Supported providers:
+ * - Resend (https://resend.com)
+ * - SendGrid (https://sendgrid.com)
+ * - Amazon SES (https://aws.amazon.com/ses) — via SES v2 HTTP API
+ * - Mailgun (https://mailgun.com)
+ * - Postmark (https://postmarkapp.com)
+ */
+export type EmailProviderId = "resend" | "sendgrid" | "ses" | "mailgun" | "postmark";
+export interface EmailMessage {
+    /** Sender address (e.g., "noreply@acme.com" or "Acme <noreply@acme.com>"). */
+    from: string;
+    /** Recipient address. */
+    to: string;
+    /** Email subject. */
+    subject: string;
+    /** HTML body. */
+    html: string;
+    /** Plain text body (fallback). */
+    text?: string;
+    /** Reply-to address. */
+    replyTo?: string;
+}
+export interface EmailProviderCredentials {
+    /** API key (used by Resend, SendGrid, Mailgun, Postmark). */
+    apiKey?: string;
+    /** AWS region (used by SES). */
+    region?: string;
+    /** AWS access key ID (used by SES). */
+    accessKeyId?: string;
+    /** AWS secret access key (used by SES). */
+    secretAccessKey?: string;
+    /** Mailgun domain (e.g., "mg.example.com"). */
+    domain?: string;
+}
+export interface SendResult {
+    success: boolean;
+    messageId?: string;
+    error?: string;
+}
+/**
+ * Send an email using the specified provider.
+ *
+ * This is the main entry point for sending emails. It dispatches to the
+ * appropriate provider implementation based on the `provider` parameter.
+ *
+ * @example
+ * ```ts
+ * import { sendEmail } from "@banata-auth/convex/plugins";
+ *
+ * await sendEmail("resend", {
+ *   from: "noreply@acme.com",
+ *   to: "user@example.com",
+ *   subject: "Welcome!",
+ *   html: "<h1>Welcome</h1>",
+ * }, {
+ *   apiKey: "re_xxxxx",
+ * });
+ * ```
+ */
+export declare function sendEmail(provider: EmailProviderId, message: EmailMessage, credentials: EmailProviderCredentials): Promise<SendResult>;
+/**
+ * Validate that the required credentials are present for a given provider.
+ */
+export declare function validateCredentials(provider: EmailProviderId, credentials: EmailProviderCredentials): {
+    valid: boolean;
+    missing: string[];
+};
+//# sourceMappingURL=email-sender.d.ts.map

package/dist/plugins/email-sender.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-sender.d.ts","sourceRoot":"","sources":["../../src/plugins/email-sender.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,GAAG,SAAS,GAAG,UAAU,CAAC;AAErF,MAAM,WAAW,YAAY;IAC5B,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACxC,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gCAAgC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2CAA2C;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AA2SD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,SAAS,CAC9B,QAAQ,EAAE,eAAe,EACzB,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,wBAAwB,GACnC,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAClC,QAAQ,EAAE,eAAe,EACzB,WAAW,EAAE,wBAAwB,GACnC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAoBvC"}

package/dist/plugins/email-templates.d.ts

@@ -0,0 +1,108 @@
+/**
+ * Built-in email templates for Banata Auth.
+ *
+ * Server-renderable HTML email templates designed for maximum email client
+ * compatibility. Uses inline styles and table-based layouts (the email
+ * industry standard) for consistent rendering across Gmail, Outlook,
+ * Apple Mail, Yahoo Mail, and others.
+ *
+ * Templates are parameterized with branding (colors, logo, app name)
+ * and can be overridden per-template via the dashboard.
+ *
+ * The visual design follows React Email / Resend conventions:
+ * - Clean, minimal layout
+ * - Centered card with subtle border
+ * - Primary-colored CTA button
+ * - Muted footer with legal text
+ */
+export interface EmailBranding {
+    /** Application name displayed in the email header. */
+    appName: string;
+    /** Primary color for buttons and accents (hex). */
+    primaryColor: string;
+    /** Background color of the email body (hex). */
+    bgColor: string;
+    /** Logo URL (optional, displayed above the heading). */
+    logoUrl?: string;
+    /** Border radius for buttons in pixels. */
+    borderRadius: number;
+    /** Font family stack (full CSS value). */
+    fontFamily: string;
+    /** Whether dark mode is enabled. Affects card/text colors. */
+    darkMode: boolean;
+    /** Custom CSS to inject into a <style> block in the email. */
+    customCss?: string;
+}
+/**
+ * Map a short font name (stored in DB) to a full CSS font-family stack.
+ */
+export declare function fontNameToStack(font: string | null | undefined): string | undefined;
+export type EmailTemplateType = "verification" | "password-reset" | "magic-link" | "email-otp" | "invitation" | "welcome";
+export interface VerificationEmailData {
+    type: "verification";
+    userName: string;
+    verificationUrl: string;
+    token: string;
+}
+export interface PasswordResetEmailData {
+    type: "password-reset";
+    userName: string;
+    resetUrl: string;
+    token: string;
+}
+export interface MagicLinkEmailData {
+    type: "magic-link";
+    email: string;
+    magicLinkUrl: string;
+    token: string;
+}
+export interface EmailOtpData {
+    type: "email-otp";
+    email: string;
+    otp: string;
+}
+export interface InvitationEmailData {
+    type: "invitation";
+    email: string;
+    invitationId: string;
+    organizationName: string;
+    inviterName: string;
+    /** If the consumer provides a URL builder, we can include a direct link. */
+    acceptUrl?: string;
+}
+export interface WelcomeEmailData {
+    type: "welcome";
+    userName: string;
+    /** URL to the app dashboard or getting-started page. */
+    dashboardUrl?: string;
+}
+export type EmailData = VerificationEmailData | PasswordResetEmailData | MagicLinkEmailData | EmailOtpData | InvitationEmailData | WelcomeEmailData;
+export interface RenderedEmail {
+    subject: string;
+    html: string;
+    text: string;
+}
+/**
+ * Render an email template with the given data and branding.
+ *
+ * Can be called from:
+ * - The Convex auth plugin (automatic sending on auth events)
+ * - The SDK (`banataAuth.emails.send(...)`)
+ * - The dashboard (template preview)
+ *
+ * @param data - The email data (type-discriminated union)
+ * @param brandingOverrides - Partial branding, merged with defaults
+ * @returns The rendered email with subject, HTML, and plain text
+ */
+export declare function renderEmail(data: EmailData, brandingOverrides?: Partial<EmailBranding>): RenderedEmail;
+/**
+ * Get the subject line for a given email template type.
+ * Useful for the dashboard template preview.
+ */
+export declare function getTemplateSubject(type: EmailTemplateType, appName?: string): string;
+/**
+ * Generate preview data for a template type.
+ * Used by the dashboard template preview and the SDK.
+ */
+export declare function getPreviewData(type: EmailTemplateType): EmailData;
+//# sourceMappingURL=email-templates.d.ts.map

package/dist/plugins/email-templates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-templates.d.ts","sourceRoot":"","sources":["../../src/plugins/email-templates.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,MAAM,WAAW,aAAa;IAC7B,sDAAsD;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,mDAAmD;IACnD,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,QAAQ,EAAE,OAAO,CAAC;IAClB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAYD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAiBnF;AAID,MAAM,MAAM,iBAAiB,GAC1B,cAAc,GACd,gBAAgB,GAChB,YAAY,GACZ,WAAW,GACX,YAAY,GACZ,SAAS,CAAC;AAEb,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,sBAAsB;IACtC,IAAI,EAAE,gBAAgB,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,kBAAkB;IAClC,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,YAAY;IAC5B,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,SAAS,GAClB,qBAAqB,GACrB,sBAAsB,GACtB,kBAAkB,GAClB,YAAY,GACZ,mBAAmB,GACnB,gBAAgB,CAAC;AAIpB,MAAM,WAAW,aAAa;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACb;AAqWD;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CAC1B,IAAI,EAAE,SAAS,EACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GACxC,aAAa,CAqBf;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,SAAgB,GAAG,MAAM,CAe3F;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,iBAAiB,GAAG,SAAS,CA6CjE"}

package/dist/plugins/email.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Built-in email plugin for Banata Auth.
+ *
+ * Provides automatic email sending on auth events (verification,
+ * password reset, magic link, OTP, invitation, welcome) using the
+ * provider and credentials configured through the dashboard.
+ *
+ * The plugin:
+ * 1. Reads the active email provider + API key from the DB (set via dashboard)
+ * 2. Reads branding config from the DB (colors, logo, app name)
+ * 3. Renders built-in HTML email templates with the branding
+ * 4. Sends via the configured provider's HTTP API (no Node.js SDKs)
+ *
+ * Consumer callbacks (in BanataAuthEmailConfig) still work as overrides:
+ * if a consumer provides e.g. `sendVerificationEmail`, it takes priority
+ * over the built-in sending for that email type.
+ *
+ * Also exposes API endpoints for the SDK and dashboard:
+ * - POST /banata/emails/send    — SDK-driven email sending
+ * - POST /banata/emails/preview — Template preview for dashboard
+ * - POST /banata/test-email     — Send test email
+ */
+import type { BetterAuthPlugin } from "better-auth";
+import { type PluginDBAdapter } from "./types";
+/** Options for the banataEmail plugin. */
+export interface BanataEmailOptions {
+    /**
+     * Default "from" address for all outgoing emails.
+     * Can include a name: "Acme <noreply@acme.com>"
+     */
+    fromAddress?: string;
+    /**
+     * Default "reply-to" address for outgoing emails.
+     */
+    replyTo?: string;
+    /**
+     * Application name used in email templates.
+     * Falls back to branding config, then "Banata Auth".
+     */
+    appName?: string;
+}
+/**
+ * Create the Banata Auth email plugin.
+ *
+ * Registers API endpoints for SDK-driven email sending, template
+ * preview, and test email delivery.
+ */
+export declare function banataEmail(options?: BanataEmailOptions): BetterAuthPlugin;
+export declare function createAutoEmailCallbacks(getDb: () => PluginDBAdapter, emailOptions: BanataEmailOptions): {
+    sendVerificationEmail: (params: {
+        user: {
+            email: string;
+            name: string;
+        };
+        url: string;
+        token: string;
+    }) => Promise<void>;
+    sendResetPassword: (params: {
+        user: {
+            email: string;
+            name: string;
+        };
+        url: string;
+        token: string;
+    }) => Promise<void>;
+    sendMagicLink: (params: {
+        email: string;
+        url: string;
+        token: string;
+    }) => Promise<void>;
+    sendOtp: (params: {
+        email: string;
+        otp: string;
+    }) => Promise<void>;
+    sendInvitationEmail: (params: {
+        email: string;
+        invitationId: string;
+        organizationName: string;
+        inviterName: string;
+    }) => Promise<void>;
+};
+//# sourceMappingURL=email.d.ts.map

package/dist/plugins/email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../../src/plugins/email.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAiBpD,OAAO,EAIN,KAAK,eAAe,EAKpB,MAAM,SAAS,CAAC;AAoBjB,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AA+gBD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,GAAE,kBAAuB,GAAG,gBAAgB,CA4e9E;AAiCD,wBAAgB,wBAAwB,CACvC,KAAK,EAAE,MAAM,eAAe,EAC5B,YAAY,EAAE,kBAAkB;oCAGO;QACrC,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;QACtC,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACd;gCA0BiC;QACjC,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;QACtC,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACd;4BA0B6B;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;sBA0BnD;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE;kCAyBlB;QACnC,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,WAAW,EAAE,MAAM,CAAC;KACpB;EA2BF"}

package/dist/plugins/enterprise.d.ts

@@ -0,0 +1,3 @@
+import type { BetterAuthPlugin } from "better-auth";
+export declare function enterpriseProvisioningPlugin(): BetterAuthPlugin;
+//# sourceMappingURL=enterprise.d.ts.map

package/dist/plugins/enterprise.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enterprise.d.ts","sourceRoot":"","sources":["../../src/plugins/enterprise.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAqlBpD,wBAAgB,4BAA4B,IAAI,gBAAgB,CAsgB/D"}

package/dist/plugins/events.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Events plugin for Banata Auth.
+ *
+ * Provides a unified event stream API that queries the existing `auditEvent`
+ * table and maps records into lightweight `WebhookEvent`-compatible shapes.
+ *
+ * This gives consumers a simple, poll-based alternative to webhooks —
+ * similar to WorkOS's Events API. Under the hood, events are sourced from
+ * audit log records stored by the audit plugin.
+ *
+ * @see {@link ./audit.ts} for the underlying audit log plugin
+ * @see {@link ../../../shared/src/types.ts} for the WebhookEvent SDK type
+ */
+import type { BetterAuthPlugin } from "better-auth";
+import { type AuditEventRow } from "./types";
+/**
+ * Map an audit event row to a lightweight event payload.
+ */
+/** @internal Exported for testing. */
+export declare function toEventPayload(row: AuditEventRow): Record<string, unknown>;
+/**
+ * Events plugin for Banata Auth.
+ *
+ * Registers a single API endpoint under `/api/auth/banata/events/list`
+ * that exposes audit events as a lightweight, pollable event stream.
+ *
+ * @returns A Better Auth plugin descriptor
+ *
+ * @example
+ * ```ts
+ * import { eventsPlugin } from "./plugins/events";
+ *
+ * const plugins = [
+ *   eventsPlugin(),
+ *   // ... other plugins
+ * ];
+ * ```
+ */
+export declare function eventsPlugin(): BetterAuthPlugin;
+//# sourceMappingURL=events.d.ts.map

package/dist/plugins/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/plugins/events.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EACN,KAAK,aAAa,EAMlB,MAAM,SAAS,CAAC;AAuBjB;;GAEG;AACH,sCAAsC;AACtC,wBAAgB,cAAc,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAkB1E;AAYD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,IAAI,gBAAgB,CA4G/C"}

package/dist/plugins/index.d.ts

@@ -0,0 +1,18 @@
+export { auditLog, logAuditEvent, type AuditLogPluginOptions, type LogAuditEventParams, } from "./audit";
+export { webhookSystem, signWebhookPayload, verifyWebhookSignature, dispatchWebhookEvent, type WebhookPluginOptions, } from "./webhook";
+export { configPlugin, type ConfigPluginOptions } from "./config";
+export { banataProtection, type BanataProtectionOptions, type BotVerifyFn, type BotVerificationResult, } from "./protection";
+export { banataEmail, createAutoEmailCallbacks, type BanataEmailOptions, } from "./email";
+export { domainsPlugin } from "./domains";
+export { eventsPlugin } from "./events";
+export { vaultPlugin, type VaultPluginOptions, } from "./vault";
+export { projectsPlugin, type ProjectsPluginOptions, } from "./projects";
+export { enterpriseProvisioningPlugin } from "./enterprise";
+export { portalPlugin } from "./portal";
+export { organizationRbacPlugin } from "./organization-rbac";
+export { userManagementPlugin } from "./user-management";
+export { renderEmail, getTemplateSubject, getPreviewData, type EmailBranding, type EmailData, type EmailTemplateType, type RenderedEmail, type VerificationEmailData, type PasswordResetEmailData, type MagicLinkEmailData, type EmailOtpData, type InvitationEmailData, type WelcomeEmailData, } from "./email-templates";
+export { sendEmail, validateCredentials, type EmailProviderId, type EmailMessage, type EmailProviderCredentials, type SendResult, } from "./email-sender";
+export { projectScopeSchema, getProjectScope, getEffectiveProjectPermissions, requireProjectPermission, } from "./types";
+export type { PluginDBAdapter, PluginAuthContext, PluginEndpointContext, PluginHookContext, WhereClause, SortBy, SessionUser, SessionRecord, AuditEventRow, WebhookEndpointRow, WebhookDeliveryRow, RoleDefinitionRow, PermissionDefinitionRow, BrandingConfigRow, EmailConfigRow, EmailTemplateRow, ProjectRow, } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/plugins/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/plugins/index.ts"],"names":[],"mappings":"AAOA,OAAO,EACN,QAAQ,EACR,aAAa,EACb,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,GACxB,MAAM,SAAS,CAAC;AACjB,OAAO,EACN,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,oBAAoB,EACpB,KAAK,oBAAoB,GACzB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,YAAY,EAAE,KAAK,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAClE,OAAO,EACN,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,WAAW,EAChB,KAAK,qBAAqB,GAC1B,MAAM,cAAc,CAAC;AACtB,OAAO,EACN,WAAW,EACX,wBAAwB,EACxB,KAAK,kBAAkB,GACvB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EACN,WAAW,EACX,KAAK,kBAAkB,GACvB,MAAM,SAAS,CAAC;AACjB,OAAO,EACN,cAAc,EACd,KAAK,qBAAqB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,4BAA4B,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EACN,WAAW,EACX,kBAAkB,EAClB,cAAc,EACd,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,kBAAkB,EACvB,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,GACrB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACN,SAAS,EACT,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,wBAAwB,EAC7B,KAAK,UAAU,GACf,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACN,kBAAkB,EAClB,eAAe,EACf,8BAA8B,EAC9B,wBAAwB,GACxB,MAAM,SAAS,CAAC;AAGjB,YAAY,EACX,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,WAAW,EACX,MAAM,EACN,WAAW,EACX,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,UAAU,GACV,MAAM,SAAS,CAAC"}