@better-auth/infra 0.1.13 → 0.2.0

package/dist/index.mjs

@@ -9,7 +9,6 @@ import { isValidPhoneNumber, parsePhoneNumberFromString } from "libphonenumber-j
 import { createLocalJWKSet, jwtVerify } from "jose";
 import z$1, { z } from "zod";
 import { setSessionCookie } from "better-auth/cookies";
-import { DEFAULT_MAX_SAML_METADATA_SIZE, DigestAlgorithm, DiscoveryError, SignatureAlgorithm, discoverOIDCConfig } from "@better-auth/sso";
 //#region src/options.ts
 function resolveConnectionOptions(options) {
 	return {
@@ -128,6 +127,11 @@ const ORGANIZATION_EVENT_TYPES = {
 	ORGANIZATION_TEAM_MEMBER_ADDED: "organization_team_member_added",
 	ORGANIZATION_TEAM_MEMBER_REMOVED: "organization_team_member_removed"
 };
+/** All audit event type string constants (user + organization). */
+const USER_EVENT_TYPES = {
+	...EVENT_TYPES,
+	...ORGANIZATION_EVENT_TYPES
+};
 //#endregion
 //#region src/events/core/adapter.ts
 const getUserByEmail = async (email, ctx) => {
@@ -993,1020 +997,1011 @@ function getCountryCodeFromRequest(request) {
 	return cc ? cc.toUpperCase() : void 0;
 }
 //#endregion
-//#region src/security.ts
+//#region src/validation/matchers.ts
+const paths = [
+	"/sign-up/email",
+	"/email-otp/verify-email",
+	"/sign-in/email-otp",
+	"/sign-in/magic-link",
+	"/sign-in/email",
+	"/forget-password/email-otp",
+	"/email-otp/reset-password",
+	"/email-otp/create-verification-otp",
+	"/email-otp/get-verification-otp",
+	"/email-otp/send-verification-otp",
+	"/forget-password",
+	"/request-password-reset",
+	"/send-verification-email",
+	"/change-email"
+];
+const all = new Set(paths);
+new Set(paths.slice(1, 12));
+/**
+* Path is one of `[
+*   '/sign-up/email',
+*   '/email-otp/verify-email',
+*   '/sign-in/email-otp',
+*   '/sign-in/magic-link',
+*   '/sign-in/email',
+*   '/forget-password/email-otp',
+*   '/email-otp/reset-password',
+*   '/email-otp/create-verification-otp',
+*   '/email-otp/get-verification-otp',
+*   '/email-otp/send-verification-otp',
+*   '/forget-password',
+*   '/request-password-reset',
+*   '/send-verification-email',
+*   '/change-email'
+* ]`.
+* @param context Request context
+* @param context.path Request path
+* @returns boolean
+*/
+const allEmail = ({ path }) => !!path && all.has(path);
+//#endregion
+//#region src/validation/email.ts
+/**
+* Gmail-like providers that ignore dots in the local part
+*/
+const GMAIL_LIKE_DOMAINS = new Set(["gmail.com", "googlemail.com"]);
+/**
+* Providers known to support plus addressing
+*/
+const PLUS_ADDRESSING_DOMAINS = new Set([
+	"gmail.com",
+	"googlemail.com",
+	"outlook.com",
+	"hotmail.com",
+	"live.com",
+	"yahoo.com",
+	"icloud.com",
+	"me.com",
+	"mac.com",
+	"protonmail.com",
+	"proton.me",
+	"fastmail.com",
+	"zoho.com"
+]);
 /**
-* Security Client
+* Normalize an email address for comparison/deduplication
+* - Lowercase the entire email
+* - Remove dots from Gmail-like providers (they ignore dots)
+* - Remove plus addressing (user+tag@domain → user@domain)
+* - Normalize googlemail.com to gmail.com
 *
-* Thin client that forwards security checks to the Infra API
+* @param email - Raw email to normalize
+* @param context - Auth context with getPlugin (for sentinel policy)
 */
-async function hashForFingerprint(input) {
-	const data = new TextEncoder().encode(input);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function sha1Hash(input) {
-	const data = new TextEncoder().encode(input);
-	const hashBuffer = await crypto.subtle.digest("SHA-1", data);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
+function normalizeEmail(email, context) {
+	if (!email || typeof email !== "string") return email;
+	if ((context.getPlugin?.("sentinel"))?.options?.emailValidation?.enabled === false) return email;
+	const trimmed = email.trim().toLowerCase();
+	const atIndex = trimmed.lastIndexOf("@");
+	if (atIndex === -1) return trimmed;
+	let localPart = trimmed.slice(0, atIndex);
+	let domain = trimmed.slice(atIndex + 1);
+	if (domain === "googlemail.com") domain = "gmail.com";
+	if (PLUS_ADDRESSING_DOMAINS.has(domain)) {
+		const plusIndex = localPart.indexOf("+");
+		if (plusIndex !== -1) localPart = localPart.slice(0, plusIndex);
+	}
+	if (GMAIL_LIKE_DOMAINS.has(domain)) localPart = localPart.replace(/\./g, "");
+	return `${localPart}@${domain}`;
 }
-function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
-	const resolvedApiUrl = apiUrl || INFRA_API_URL;
+function createEmailValidator(options = {}) {
+	const { apiKey = "", apiUrl = INFRA_API_URL, kvUrl = INFRA_KV_URL, defaultConfig = {} } = options;
 	const $api = createFetch({
-		baseURL: resolvedApiUrl,
-		headers: { "x-api-key": apiKey },
-		throw: true
+		baseURL: apiUrl,
+		headers: { "x-api-key": apiKey }
 	});
-	const emailSender = createEmailSender({
-		apiUrl: resolvedApiUrl,
-		apiKey
+	const $kv = createFetch({
+		baseURL: kvUrl,
+		headers: { "x-api-key": apiKey },
+		timeout: KV_TIMEOUT_MS
 	});
-	function logEvent(event) {
-		const fullEvent = {
-			...event,
-			timestamp: Date.now()
-		};
-		if (onSecurityEvent) onSecurityEvent(fullEvent);
+	/**
+	* Fetch and resolve email validity policy from API with caching
+	* Sends client config to API which merges with user's dashboard settings
+	*/
+	async function fetchPolicy() {
+		try {
+			const { data } = await $api("/security/resolve-policy", {
+				method: "POST",
+				body: {
+					policyId: "email_validity",
+					config: { emailValidation: {
+						enabled: defaultConfig.enabled,
+						strictness: defaultConfig.strictness,
+						action: defaultConfig.action,
+						domainAllowlist: defaultConfig.domainAllowlist
+					} }
+				}
+			});
+			if (data?.policy) return data.policy;
+		} catch (error) {
+			logger.warn("[Dash] Failed to fetch email policy, using defaults:", error);
+		}
+		return null;
 	}
-	return {
-		async checkSecurity(request) {
-			try {
-				const data = await $api("/security/check", {
-					method: "POST",
-					body: {
-						...request,
-						config: options
-					}
-				});
-				if (data.action !== "allow") logEvent({
-					type: this.mapReasonToEventType(data.reason),
-					userId: null,
-					visitorId: request.visitorId,
-					ip: request.ip,
-					country: null,
-					details: data.details || { reason: data.reason },
-					action: data.action === "block" ? "blocked" : "challenged"
-				});
-				return data;
-			} catch (error) {
-				logger.error("[Dash] Security check failed:", error);
-				return { action: "allow" };
-			}
-		},
-		mapReasonToEventType(reason) {
-			switch (reason) {
-				case "geo_blocked": return "geo_blocked";
-				case "bot_detected": return "bot_blocked";
-				case "suspicious_ip_detected": return "suspicious_ip_detected";
-				case "rate_limited": return "velocity_exceeded";
-				case "credential_stuffing_cooldown": return "credential_stuffing";
-				default: return "credential_stuffing";
-			}
-		},
-		async trackFailedAttempt(identifier, visitorId, password, ip) {
-			try {
-				const data = await $api("/security/track-failed-login", {
-					method: "POST",
-					body: {
-						identifier,
-						visitorId,
-						passwordHash: await hashForFingerprint(password),
-						ip,
-						config: options
-					}
-				});
-				if (data.blocked || data.challenged) logEvent({
-					type: "credential_stuffing",
-					userId: null,
-					visitorId,
-					ip,
-					country: null,
-					details: data.details || { reason: data.reason },
-					action: data.blocked ? "blocked" : "challenged"
-				});
-				return data;
-			} catch (error) {
-				logger.error("[Dash] Track failed attempt error:", error);
-				return { blocked: false };
-			}
-		},
-		async clearFailedAttempts(identifier) {
-			try {
-				await $api("/security/clear-failed-attempts", {
-					method: "POST",
-					body: { identifier }
-				});
-			} catch (error) {
-				logger.error("[Dash] Clear failed attempts error:", error);
-			}
-		},
-		async isBlocked(visitorId) {
-			try {
-				return (await $api(`/security/is-blocked?visitorId=${encodeURIComponent(visitorId)}`, { method: "GET" })).blocked ?? false;
-			} catch (error) {
-				logger.warn("[Dash] Security is-blocked check failed:", error);
-				return false;
-			}
-		},
-		async verifyPoWSolution(visitorId, solution) {
-			try {
-				return await $api("/security/pow/verify", {
-					method: "POST",
-					body: {
-						visitorId,
-						solution
-					}
-				});
-			} catch (error) {
-				logger.warn("[Dash] PoW verify failed:", error);
-				return {
+	return { async validate(email, checkMx = true) {
+		const trimmed = email.trim();
+		const policy = await fetchPolicy();
+		if (!policy?.enabled) return {
+			valid: true,
+			disposable: false,
+			confidence: "high",
+			policy
+		};
+		try {
+			const { data } = await $kv("/email/validate", {
+				method: "POST",
+				body: {
+					email: trimmed,
+					checkMx,
+					strictness: policy.strictness
+				}
+			});
+			return {
+				...data || {
 					valid: false,
-					reason: "error"
-				};
-			}
-		},
-		async generateChallenge(visitorId) {
-			try {
-				return (await $api("/security/pow/generate", {
-					method: "POST",
-					body: {
-						visitorId,
-						difficulty: options.challengeDifficulty
-					}
-				})).challenge || "";
-			} catch (error) {
-				logger.warn("[Dash] PoW generate challenge failed:", error);
-				return "";
-			}
-		},
-		async checkImpossibleTravel(userId, currentLocation, visitorId) {
-			if (!options.impossibleTravel?.enabled || !currentLocation) return null;
-			try {
-				const data = await $api("/security/impossible-travel", {
-					method: "POST",
-					body: {
-						userId,
-						visitorId,
-						location: currentLocation,
-						config: options
-					}
-				});
-				if (data.isImpossible) {
-					const actionTaken = data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged";
-					logEvent({
-						type: "impossible_travel",
-						userId,
-						visitorId: visitorId || null,
-						ip: null,
-						country: currentLocation.country?.code || null,
-						details: {
-							from: data.from,
-							to: data.to,
-							distance: data.distance,
-							speedRequired: data.speedRequired,
-							action: data.action
-						},
-						action: actionTaken
-					});
-				}
-				return data;
-			} catch (error) {
-				logger.warn("[Dash] Impossible travel check failed:", error);
-				return null;
-			}
-		},
-		async storeLastLocation(userId, location) {
-			if (!location) return;
-			try {
-				await $api("/security/store-last-login", {
-					method: "POST",
-					body: {
-						userId,
-						location
-					}
-				});
-			} catch (error) {
-				logger.error("[Dash] Store last location error:", error);
-			}
-		},
-		async checkFreeTrialAbuse(visitorId) {
-			if (!options.freeTrialAbuse?.enabled) return {
-				isAbuse: false,
-				accountCount: 0,
-				maxAccounts: 0,
-				action: "log"
-			};
-			try {
-				const data = await $api("/security/free-trial-abuse/check", {
-					method: "POST",
-					body: {
-						visitorId,
-						config: options
-					}
-				});
-				if (data.isAbuse) logEvent({
-					type: "free_trial_abuse",
-					userId: null,
-					visitorId,
-					ip: null,
-					country: null,
-					details: {
-						accountCount: data.accountCount,
-						maxAccounts: data.maxAccounts
-					},
-					action: data.action === "block" ? "blocked" : "logged"
-				});
-				return data;
-			} catch (error) {
-				logger.warn("[Dash] Free trial abuse check failed:", error);
-				return {
-					isAbuse: false,
-					accountCount: 0,
-					maxAccounts: 0,
-					action: "log"
-				};
-			}
-		},
-		async trackFreeTrialSignup(visitorId, userId) {
-			if (!options.freeTrialAbuse?.enabled) return;
-			try {
-				await $api("/security/free-trial-abuse/track", {
-					method: "POST",
-					body: {
-						visitorId,
-						userId
-					}
-				});
-			} catch (error) {
-				logger.error("[Dash] Track free trial signup error:", error);
-			}
-		},
-		async checkCompromisedPassword(password) {
-			try {
-				const hash = await sha1Hash(password);
-				const prefix = hash.substring(0, 5);
-				const suffix = hash.substring(5);
-				const data = await $api("/security/breached-passwords", {
-					method: "POST",
-					body: {
-						passwordPrefix: prefix,
-						config: options
-					}
-				});
-				if (!data.enabled) return { compromised: false };
-				const breachCount = (data.suffixes || {})[suffix] || 0;
-				const minBreachCount = data.minBreachCount ?? 1;
-				const action = data.action || "block";
-				const compromised = breachCount >= minBreachCount;
-				if (compromised) logEvent({
-					type: "compromised_password",
-					userId: null,
-					visitorId: null,
-					ip: null,
-					country: null,
-					details: { breachCount },
-					action: action === "block" ? "blocked" : action === "challenge" ? "challenged" : "logged"
-				});
-				return {
-					compromised,
-					breachCount: breachCount > 0 ? breachCount : void 0,
-					action: compromised ? action : void 0
-				};
-			} catch (error) {
-				logger.error("[Dash] Compromised password check error:", error);
-				return { compromised: false };
-			}
-		},
-		async checkStaleUser(userId, lastActiveAt) {
-			if (!options.staleUsers?.enabled) return { isStale: false };
-			try {
-				const data = await $api("/security/stale-user", {
-					method: "POST",
-					body: {
-						userId,
-						lastActiveAt: lastActiveAt instanceof Date ? lastActiveAt.toISOString() : lastActiveAt,
-						config: options
-					}
-				});
-				if (data.isStale) logEvent({
-					type: "stale_account_reactivation",
-					userId,
-					visitorId: null,
-					ip: null,
-					country: null,
-					details: {
-						daysSinceLastActive: data.daysSinceLastActive,
-						staleDays: data.staleDays,
-						lastActiveAt: data.lastActiveAt,
-						notifyUser: data.notifyUser,
-						notifyAdmin: data.notifyAdmin
-					},
-					action: data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged"
-				});
-				return data;
-			} catch (error) {
-				logger.error("[Dash] Stale user check error:", error);
-				return { isStale: false };
-			}
-		},
-		async notifyStaleAccountUser(userEmail, userName, daysSinceLastActive, identification, appName) {
-			const loginTime = (/* @__PURE__ */ new Date()).toLocaleString("en-US", {
-				dateStyle: "long",
-				timeStyle: "short",
-				timeZone: "UTC"
-			}) + " UTC";
-			const location = identification?.location;
-			const loginLocation = location?.city && location?.country?.name ? `${location.city}, ${location.country.code}` : location?.country?.name || "Unknown";
-			const browser = identification?.browser;
-			const loginDevice = browser?.name && browser?.os ? `${browser.name} on ${browser.os}` : "Unknown device";
-			const result = await emailSender.send({
-				template: "stale-account-user",
-				to: userEmail,
-				variables: {
-					userEmail,
-					userName: userName || "User",
-					appName: appName || "Your App",
-					daysSinceLastActive: String(daysSinceLastActive),
-					loginTime,
-					loginLocation,
-					loginDevice,
-					loginIp: identification?.ip || "Unknown"
-				}
-			});
-			if (result.success) logger.info(`[Dash] Stale account notification sent to user: ${userEmail}`);
-			else logger.error(`[Dash] Failed to send stale account user notification: ${result.error}`);
-		},
-		async notifyStaleAccountAdmin(adminEmail, userId, userEmail, userName, daysSinceLastActive, identification, appName) {
-			const loginTime = (/* @__PURE__ */ new Date()).toLocaleString("en-US", {
-				dateStyle: "long",
-				timeStyle: "short",
-				timeZone: "UTC"
-			}) + " UTC";
-			const location = identification?.location;
-			const loginLocation = location?.city && location?.country?.name ? `${location.city}, ${location.country.code}` : location?.country?.name || "Unknown";
-			const browser = identification?.browser;
-			const loginDevice = browser?.name && browser?.os ? `${browser.name} on ${browser.os}` : "Unknown device";
-			const result = await emailSender.send({
-				template: "stale-account-admin",
-				to: adminEmail,
-				variables: {
-					userEmail,
-					userName: userName || "User",
-					userId,
-					appName: appName || "Your App",
-					daysSinceLastActive: String(daysSinceLastActive),
-					loginTime,
-					loginLocation,
-					loginDevice,
-					loginIp: identification?.ip || "Unknown",
-					adminEmail
-				}
-			});
-			if (result.success) logger.info(`[Dash] Stale account admin notification sent to: ${adminEmail}`);
-			else logger.error(`[Dash] Failed to send stale account admin notification: ${result.error}`);
-		},
-		async checkUnknownDevice(_userId, _visitorId) {
-			return false;
-		},
-		async notifyUnknownDevice(userId, email, identification) {
-			logEvent({
-				type: "unknown_device",
-				userId,
-				visitorId: identification?.visitorId || null,
-				ip: identification?.ip || null,
-				country: identification?.location?.country?.code || null,
-				details: {
-					email,
-					device: identification?.browser.device,
-					os: identification?.browser.os,
-					browser: identification?.browser.name,
-					city: identification?.location?.city,
-					country: identification?.location?.country?.name
+					reason: "invalid_format"
 				},
-				action: "logged"
-			});
+				policy
+			};
+		} catch (error) {
+			logger.warn("[Dash] Email validation API error, falling back to allow:", error);
+			return {
+				valid: true,
+				policy
+			};
 		}
-	};
+	} };
 }
-//#endregion
-//#region src/security-hooks.ts
 /**
-* Security Hooks
-*
-* Consolidated security check logic for the sentinel plugin.
-* This module extracts the repetitive security check patterns into reusable functions.
+* Basic local email format validation (fallback)
 */
-const ERROR_MESSAGES = {
-	geo_blocked: "Access from your location is not allowed.",
-	bot_detected: "Automated access is not allowed.",
-	suspicious_ip_detected: "Anonymous connections (VPN, proxy, Tor) are not allowed.",
-	rate_limited: "Too many attempts. Please try again later.",
-	compromised_password: "This password has been found in data breaches. Please choose a different password.",
-	impossible_travel: "Login blocked due to suspicious location change."
-};
-const DISPLAY_NAMES = {
-	geo_blocked: {
-		challenge: "Security: geo challenge",
-		block: "Security: geo blocked"
-	},
-	bot_detected: {
-		challenge: "Security: bot challenge",
-		block: "Security: bot blocked"
-	},
-	suspicious_ip_detected: {
-		challenge: "Security: anonymous IP challenge",
-		block: "Security: anonymous IP blocked"
-	},
-	rate_limited: {
-		challenge: "Security: velocity challenge",
-		block: "Security: velocity exceeded"
-	},
-	compromised_password: {
-		challenge: "Security: breached password warning",
-		block: "Security: breached password blocked"
-	},
-	impossible_travel: {
-		challenge: "Security: impossible travel challenge",
-		block: "Security: impossible travel blocked"
-	}
+function isValidEmailFormatLocal(email) {
+	if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return false;
+	if (email.length > 254) return false;
+	const [localPart, domain] = email.split("@");
+	if (!localPart || !domain) return false;
+	if (localPart.length > 64) return false;
+	if (domain.length > 253) return false;
+	return true;
+}
+const getEmail = (ctx) => {
+	if (ctx.path === "/change-email") return {
+		email: ctx.body?.newEmail,
+		container: "body",
+		field: "newEmail"
+	};
+	const body = ctx.body;
+	const query = ctx.query;
+	return {
+		email: body?.email ?? query?.email,
+		container: body ? "body" : "query",
+		field: "email"
+	};
 };
 /**
-* Throw a challenge error with appropriate headers
+* Create email normalization hook (shared between all configurations)
 */
-function throwChallengeError(challenge, reason, message = "Please complete a security check to continue.") {
-	const error = new APIError("LOCKED", {
-		message,
-		code: "POW_CHALLENGE_REQUIRED"
-	});
-	error.headers = {
-		"X-PoW-Challenge": challenge,
-		"X-PoW-Reason": reason
+function createEmailNormalizationHook() {
+	return {
+		matcher: allEmail,
+		handler: createAuthMiddleware(async (ctx) => {
+			const { email, container, field } = getEmail(ctx);
+			if (typeof email !== "string") return;
+			const normalized = normalizeEmail(email, ctx.context);
+			if (normalized === email) return;
+			const data = container === "query" ? {
+				...ctx.query,
+				[field]: normalized
+			} : {
+				...ctx.body,
+				[field]: normalized
+			};
+			return { context: {
+				...ctx,
+				[container]: data
+			} };
+		})
 	};
-	throw error;
 }
 /**
-* Build common event data for security tracking
+* Create email validation hook with configurable validation strategy
 */
-function buildEventData(ctx, action, reason, confidence = 1, extraData) {
-	const { visitorId, identification, path, identifier, userAgent } = ctx;
-	const countryCode = identification?.location?.country?.code || void 0;
+function createEmailValidationHook(validator, onDisposableEmail) {
 	return {
-		eventKey: visitorId || identification?.ip || "unknown",
-		eventType: action === "challenged" ? "security_challenged" : "security_blocked",
-		eventDisplayName: DISPLAY_NAMES[reason]?.[action === "challenged" ? "challenge" : "block"] || `Security: ${reason}`,
-		eventData: {
-			action,
-			reason,
-			visitorId: visitorId || "",
-			path,
-			userAgent,
-			identifier,
-			confidence,
-			...extraData
-		},
-		ipAddress: identification?.ip || void 0,
-		city: identification?.location?.city || void 0,
-		country: identification?.location?.country?.name || void 0,
-		countryCode
+		matcher: allEmail,
+		handler: createAuthMiddleware(async (ctx) => {
+			const { email } = getEmail(ctx);
+			if (typeof email !== "string") return;
+			const trimmed = email.trim();
+			if (!isValidEmailFormatLocal(trimmed)) throw new APIError$1("BAD_REQUEST", { message: "Invalid email" });
+			if (validator) {
+				const result = await validator.validate(trimmed);
+				const policy = result.policy;
+				if (!policy?.enabled) return;
+				if (policy.domainAllowlist?.length) {
+					const domain = trimmed.toLowerCase().split("@")[1];
+					if (domain && policy.domainAllowlist.includes(domain)) return;
+				}
+				const action = policy.action;
+				if (!result.valid) {
+					if ((result.disposable || result.reason === "no_mx_records" || result.reason === "blocklist" || result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short") && onDisposableEmail) {
+						const ip = ctx.request?.headers?.get("x-forwarded-for")?.split(",")[0] || ctx.request?.headers?.get("cf-connecting-ip") || void 0;
+						onDisposableEmail({
+							email: trimmed,
+							reason: result.reason || "disposable",
+							confidence: result.confidence,
+							ip,
+							path: ctx.path,
+							action
+						});
+					}
+					if (action === "allow") return;
+					throw new APIError$1("BAD_REQUEST", { message: result.reason === "no_mx_records" ? "This email domain cannot receive emails" : result.disposable || result.reason === "blocklist" ? "Disposable email addresses are not allowed" : result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short" ? "This email address appears to be invalid" : "Invalid email" });
+				}
+			}
+		})
+	};
+}
+/**
+* Create email validation hooks with optional API-backed validation
+*
+* @param options - Configuration options
+* @param options.enabled - Enable email validation (default: true)
+* @param options.useApi - Use API-backed validation (requires apiKey)
+* @param options.apiKey - API key for remote validation
+* @param options.apiUrl - API URL for policy fetching (defaults to INFRA_API_URL)
+* @param options.kvUrl - KV URL for email validation (defaults to INFRA_KV_URL)
+* @param options.strictness - Default strictness level: 'low', 'medium' (default), or 'high'
+* @param options.action - Default action when invalid: 'allow', 'block' (default), or 'challenge'
+*
+* @example
+* // Local validation only
+* createEmailHooks()
+*
+* @example
+* // API-backed validation
+* createEmailHooks({ useApi: true, apiKey: "your-api-key" })
+*
+* @example
+* // API-backed validation with high strictness default
+* createEmailHooks({ useApi: true, apiKey: "your-api-key", strictness: "high" })
+*/
+function createEmailHooks(options = {}) {
+	const { useApi = false, apiKey = "", apiUrl = INFRA_API_URL, kvUrl = INFRA_KV_URL, defaultConfig, onDisposableEmail } = options;
+	const emailConfig = {
+		enabled: true,
+		strictness: "medium",
+		action: "block",
+		...defaultConfig
 	};
+	if (!emailConfig.enabled) return { before: [] };
+	const validator = useApi ? createEmailValidator({
+		apiUrl,
+		kvUrl,
+		apiKey,
+		defaultConfig: emailConfig
+	}) : void 0;
+	return { before: [createEmailNormalizationHook(), createEmailValidationHook(validator, onDisposableEmail)] };
 }
+createEmailHooks();
+//#endregion
+//#region src/validation/phone.ts
 /**
-* Handle a security check result by tracking events and throwing appropriate errors
-*
-* @param verdict - The security verdict from the security service
-* @param ctx - Security check context with request information
-* @param trackEvent - Function to track security events
-* @param securityService - Security service for generating challenges
-* @returns True if the request should be blocked
+* Common fake/test phone numbers that should be blocked
+* These are numbers commonly used in testing, movies, documentation, etc.
 */
-async function handleSecurityVerdict(verdict, ctx, trackEvent, securityService) {
-	if (verdict.action === "allow") return;
-	const reason = verdict.reason || "unknown";
-	const confidence = 1;
-	if (verdict.action === "challenge" && ctx.visitorId) {
-		const challenge = verdict.challenge || await securityService.generateChallenge(ctx.visitorId);
-		if (!challenge?.trim()) {
-			logger.warn("[Sentinel] Could not generate PoW challenge (service may be unavailable). Falling back to allow.");
-			return;
-		}
-		trackEvent(buildEventData(ctx, "challenged", reason, confidence, verdict.details));
-		throwChallengeError(challenge, reason, "Please complete a security check to continue.");
-	} else if (verdict.action === "block") {
-		trackEvent(buildEventData(ctx, "blocked", reason, confidence, verdict.details));
-		throw new APIError("FORBIDDEN", { message: ERROR_MESSAGES[reason] || "Access denied." });
-	}
-}
+const INVALID_PHONE_NUMBERS = new Set([
+	"+15550000000",
+	"+15550001111",
+	"+15550001234",
+	"+15551234567",
+	"+15555555555",
+	"+15551111111",
+	"+15550000001",
+	"+15550123456",
+	"+12125551234",
+	"+13105551234",
+	"+14155551234",
+	"+12025551234",
+	"+10000000000",
+	"+11111111111",
+	"+12222222222",
+	"+13333333333",
+	"+14444444444",
+	"+15555555555",
+	"+16666666666",
+	"+17777777777",
+	"+18888888888",
+	"+19999999999",
+	"+11234567890",
+	"+10123456789",
+	"+19876543210",
+	"+441632960000",
+	"+447700900000",
+	"+447700900001",
+	"+447700900123",
+	"+447700900999",
+	"+442079460000",
+	"+442079460123",
+	"+441134960000",
+	"+0000000000",
+	"+1000000000",
+	"+123456789",
+	"+1234567890",
+	"+12345678901",
+	"+0123456789",
+	"+9876543210",
+	"+11111111111",
+	"+99999999999",
+	"+491234567890",
+	"+491111111111",
+	"+33123456789",
+	"+33111111111",
+	"+61123456789",
+	"+61111111111",
+	"+81123456789",
+	"+81111111111",
+	"+19001234567",
+	"+19761234567",
+	"+1911",
+	"+1411",
+	"+1611",
+	"+44999",
+	"+44112"
+]);
 /**
-* Run all security checks using the consolidated checkSecurity API
-*
-* This replaces the multiple individual check calls with a single API call
-* that handles all security checks server-side.
+* Patterns that indicate fake/test phone numbers
 */
-async function runSecurityChecks(ctx, securityService, trackEvent, powVerified) {
-	if (powVerified) return;
-	await handleSecurityVerdict(await securityService.checkSecurity({
-		visitorId: ctx.visitorId,
-		requestId: ctx.identification?.requestId || null,
-		ip: ctx.identification?.ip || null,
-		path: ctx.path,
-		identifier: ctx.identifier
-	}), ctx, trackEvent, securityService);
-}
-//#endregion
-//#region src/validation/matchers.ts
-const paths = [
-	"/sign-up/email",
-	"/email-otp/verify-email",
-	"/sign-in/email-otp",
-	"/sign-in/magic-link",
-	"/sign-in/email",
-	"/forget-password/email-otp",
-	"/email-otp/reset-password",
-	"/email-otp/create-verification-otp",
-	"/email-otp/get-verification-otp",
-	"/email-otp/send-verification-otp",
-	"/forget-password",
-	"/request-password-reset",
-	"/send-verification-email",
-	"/change-email"
+const INVALID_PHONE_PATTERNS = [
+	/^\+\d(\d)\1{6,}$/,
+	/^\+\d*1234567890/,
+	/^\+\d*0123456789/,
+	/^\+\d*9876543210/,
+	/^\+\d*0987654321/,
+	/^\+\d*(12){4,}/,
+	/^\+\d*(21){4,}/,
+	/^\+\d*(00){4,}/,
+	/^\+1\d{3}555\d{4}$/,
+	/^\+\d{1,3}\d{1,5}$/,
+	/^\+\d+0{7,}$/,
+	/^\+\d*147258369/,
+	/^\+\d*258369147/,
+	/^\+\d*369258147/,
+	/^\+\d*789456123/,
+	/^\+\d*123456789/,
+	/^\+\d*1234512345/,
+	/^\+\d*1111122222/,
+	/^\+\d*1212121212/,
+	/^\+\d*1010101010/
 ];
-const all = new Set(paths);
-new Set(paths.slice(1, 12));
 /**
-* Path is one of `[
-*   '/sign-up/email',
-*   '/email-otp/verify-email',
-*   '/sign-in/email-otp',
-*   '/sign-in/magic-link',
-*   '/sign-in/email',
-*   '/forget-password/email-otp',
-*   '/email-otp/reset-password',
-*   '/email-otp/create-verification-otp',
-*   '/email-otp/get-verification-otp',
-*   '/email-otp/send-verification-otp',
-*   '/forget-password',
-*   '/request-password-reset',
-*   '/send-verification-email',
-*   '/change-email'
-* ]`.
-* @param context Request context
-* @param context.path Request path
-* @returns boolean
+* Invalid area codes / prefixes that indicate test numbers
+* Key: country code, Value: set of invalid prefixes
 */
-const allEmail = ({ path }) => !!path && all.has(path);
-//#endregion
-//#region src/validation/email.ts
+const INVALID_PREFIXES_BY_COUNTRY = {
+	US: new Set([
+		"555",
+		"000",
+		"111",
+		"911",
+		"411",
+		"611"
+	]),
+	CA: new Set([
+		"555",
+		"000",
+		"911"
+	]),
+	GB: new Set([
+		"7700900",
+		"1632960",
+		"1134960"
+	]),
+	AU: new Set([
+		"0491570",
+		"0491571",
+		"0491572"
+	])
+};
 /**
-* Gmail-like providers that ignore dots in the local part
+* Check if a phone number is a commonly used fake/test number
+* @param phone - The phone number to check (E.164 format preferred)
+* @param defaultCountry - Default country code if not included in phone string
+* @returns true if the phone appears to be fake/test, false if it seems legitimate
 */
-const GMAIL_LIKE_DOMAINS = new Set(["gmail.com", "googlemail.com"]);
+const isFakePhoneNumber = (phone, defaultCountry) => {
+	const parsed = parsePhoneNumberFromString(phone, defaultCountry);
+	if (!parsed) return true;
+	const e164 = parsed.number;
+	const nationalNumber = parsed.nationalNumber;
+	const country = parsed.country;
+	if (INVALID_PHONE_NUMBERS.has(e164)) return true;
+	for (const pattern of INVALID_PHONE_PATTERNS) if (pattern.test(e164)) return true;
+	if (country && INVALID_PREFIXES_BY_COUNTRY[country]) {
+		const prefixes = INVALID_PREFIXES_BY_COUNTRY[country];
+		for (const prefix of prefixes) if (nationalNumber.startsWith(prefix)) return true;
+	}
+	if (/^(\d)\1+$/.test(nationalNumber)) return true;
+	const digits = nationalNumber.split("").map(Number);
+	let isSequential = digits.length >= 6;
+	for (let i = 1; i < digits.length && isSequential; i++) {
+		const current = digits[i];
+		const previous = digits[i - 1];
+		if (current === void 0 || previous === void 0 || current !== previous + 1 && current !== previous - 1) isSequential = false;
+	}
+	if (isSequential) return true;
+	return false;
+};
 /**
-* Providers known to support plus addressing
+* Validate a phone number format
+* @param phone - The phone number to validate
+* @param defaultCountry - Default country code if not included in phone string
+* @returns true if the phone number is valid
 */
-const PLUS_ADDRESSING_DOMAINS = new Set([
-	"gmail.com",
-	"googlemail.com",
-	"outlook.com",
-	"hotmail.com",
-	"live.com",
-	"yahoo.com",
-	"icloud.com",
-	"me.com",
-	"mac.com",
-	"protonmail.com",
-	"proton.me",
-	"fastmail.com",
-	"zoho.com"
+const isValidPhone = (phone, defaultCountry) => {
+	return isValidPhoneNumber(phone, defaultCountry);
+};
+/**
+* Comprehensive phone number validation
+* @param phone - The phone number to validate
+* @param options - Validation options
+* @returns true if valid, false otherwise
+*/
+const validatePhone = (phone, options = {}) => {
+	const { mobileOnly = false, allowedCountries, blockedCountries, blockFakeNumbers = true, blockPremiumRate = true, blockTollFree = false, blockVoip = false, defaultCountry } = options;
+	if (!isValidPhone(phone, defaultCountry)) return false;
+	const parsed = parsePhoneNumberFromString(phone, defaultCountry);
+	if (!parsed) return false;
+	if (blockFakeNumbers && isFakePhoneNumber(phone, defaultCountry)) return false;
+	const country = parsed.country;
+	if (country) {
+		if (allowedCountries && !allowedCountries.includes(country)) return false;
+		if (blockedCountries?.includes(country)) return false;
+	}
+	const phoneType = parsed.getType();
+	if (mobileOnly) {
+		if (phoneType !== "MOBILE" && phoneType !== "FIXED_LINE_OR_MOBILE") return false;
+	}
+	if (blockPremiumRate && phoneType === "PREMIUM_RATE") return false;
+	if (blockTollFree && phoneType === "TOLL_FREE") return false;
+	if (blockVoip && phoneType === "VOIP") return false;
+	return true;
+};
+const allPhonePaths = new Set([
+	"/phone-number/send-otp",
+	"/phone-number/verify",
+	"/sign-in/phone-number",
+	"/phone-number/request-password-reset",
+	"/phone-number/reset-password"
 ]);
+const getPhoneNumber = (ctx) => ctx.body?.phoneNumber ?? ctx.query?.phoneNumber;
 /**
-* Normalize an email address for comparison/deduplication
-* - Lowercase the entire email
-* - Remove dots from Gmail-like providers (they ignore dots)
-* - Remove plus addressing (user+tag@domain → user@domain)
-* - Normalize googlemail.com to gmail.com
-*
-* @param email - Raw email to normalize
-* @param context - Auth context with getPlugin (for sentinel policy). Pass undefined when context unavailable (e.g. server, hooks).
+* Better Auth plugin for phone number validation
+* Validates phone numbers on all phone-related endpoints
 */
-function normalizeEmail(email, context) {
-	if (!email || typeof email !== "string") return email;
-	if ((context.getPlugin?.("sentinel"))?.options?.emailValidation?.enabled === false) return email;
-	const trimmed = email.trim().toLowerCase();
-	const atIndex = trimmed.lastIndexOf("@");
-	if (atIndex === -1) return trimmed;
-	let localPart = trimmed.slice(0, atIndex);
-	let domain = trimmed.slice(atIndex + 1);
-	if (domain === "googlemail.com") domain = "gmail.com";
-	if (PLUS_ADDRESSING_DOMAINS.has(domain)) {
-		const plusIndex = localPart.indexOf("+");
-		if (plusIndex !== -1) localPart = localPart.slice(0, plusIndex);
-	}
-	if (GMAIL_LIKE_DOMAINS.has(domain)) localPart = localPart.replace(/\./g, "");
-	return `${localPart}@${domain}`;
+const phoneValidationHooks = { before: [{
+	matcher: (context) => !!context.path && allPhonePaths.has(context.path),
+	handler: createAuthMiddleware(async (ctx) => {
+		const phoneNumber = getPhoneNumber(ctx);
+		if (typeof phoneNumber !== "string") return;
+		if (!validatePhone(phoneNumber)) throw new APIError$1("BAD_REQUEST", { message: "Invalid phone number" });
+	})
+}] };
+//#endregion
+//#region src/sentinel/security.ts
+async function hashForFingerprint(input) {
+	const data = new TextEncoder().encode(input);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
-function createEmailValidator(options = {}) {
-	const { apiKey = "", apiUrl = INFRA_API_URL, kvUrl = INFRA_KV_URL, defaultConfig = {} } = options;
+async function sha1Hash(input) {
+	const data = new TextEncoder().encode(input);
+	const hashBuffer = await crypto.subtle.digest("SHA-1", data);
+	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
+}
+function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
+	const resolvedApiUrl = apiUrl || INFRA_API_URL;
 	const $api = createFetch({
-		baseURL: apiUrl,
-		headers: { "x-api-key": apiKey }
-	});
-	const $kv = createFetch({
-		baseURL: kvUrl,
+		baseURL: resolvedApiUrl,
 		headers: { "x-api-key": apiKey },
-		timeout: KV_TIMEOUT_MS
+		throw: true
 	});
-	/**
-	* Fetch and resolve email validity policy from API with caching
-	* Sends client config to API which merges with user's dashboard settings
-	*/
-	async function fetchPolicy() {
-		try {
-			const { data } = await $api("/security/resolve-policy", {
-				method: "POST",
-				body: {
-					policyId: "email_validity",
-					config: { emailValidation: {
-						enabled: defaultConfig.enabled,
-						strictness: defaultConfig.strictness,
-						action: defaultConfig.action,
-						domainAllowlist: defaultConfig.domainAllowlist
-					} }
-				}
-			});
-			if (data?.policy) return data.policy;
-		} catch (error) {
-			logger.warn("[Dash] Failed to fetch email policy, using defaults:", error);
-		}
-		return null;
-	}
-	return { async validate(email, checkMx = true) {
-		const policy = await fetchPolicy();
-		if (!policy?.enabled) return {
-			valid: true,
-			disposable: false,
-			confidence: "high",
-			policy
+	const emailSender = createEmailSender({
+		apiUrl: resolvedApiUrl,
+		apiKey
+	});
+	function logEvent(event) {
+		const fullEvent = {
+			...event,
+			timestamp: Date.now()
 		};
-		try {
-			const { data } = await $kv("/email/validate", {
-				method: "POST",
-				body: {
-					email,
-					checkMx,
-					strictness: policy.strictness
+		if (onSecurityEvent) onSecurityEvent(fullEvent);
+	}
+	return {
+		async checkSecurity(request) {
+			try {
+				const data = await $api("/security/check", {
+					method: "POST",
+					body: {
+						...request,
+						config: options
+					}
+				});
+				if (data.action !== "allow") logEvent({
+					type: this.mapReasonToEventType(data.reason),
+					userId: null,
+					visitorId: request.visitorId,
+					ip: request.ip,
+					country: null,
+					details: data.details || { reason: data.reason },
+					action: data.action === "block" ? "blocked" : "challenged"
+				});
+				return data;
+			} catch (error) {
+				logger.error("[Dash] Security check failed:", error);
+				return { action: "allow" };
+			}
+		},
+		mapReasonToEventType(reason) {
+			switch (reason) {
+				case "geo_blocked": return "geo_blocked";
+				case "bot_detected": return "bot_blocked";
+				case "suspicious_ip_detected": return "suspicious_ip_detected";
+				case "rate_limited": return "velocity_exceeded";
+				case "credential_stuffing_cooldown": return "credential_stuffing";
+				default: return "credential_stuffing";
+			}
+		},
+		async trackFailedAttempt(identifier, visitorId, password, ip) {
+			try {
+				const data = await $api("/security/track-failed-login", {
+					method: "POST",
+					body: {
+						identifier,
+						visitorId,
+						passwordHash: await hashForFingerprint(password),
+						ip,
+						config: options
+					}
+				});
+				if (data.blocked || data.challenged) logEvent({
+					type: "credential_stuffing",
+					userId: null,
+					visitorId,
+					ip,
+					country: null,
+					details: data.details || { reason: data.reason },
+					action: data.blocked ? "blocked" : "challenged"
+				});
+				return data;
+			} catch (error) {
+				logger.error("[Dash] Track failed attempt error:", error);
+				return { blocked: false };
+			}
+		},
+		async clearFailedAttempts(identifier) {
+			try {
+				await $api("/security/clear-failed-attempts", {
+					method: "POST",
+					body: { identifier }
+				});
+			} catch (error) {
+				logger.error("[Dash] Clear failed attempts error:", error);
+			}
+		},
+		async isBlocked(visitorId) {
+			try {
+				return (await $api(`/security/is-blocked?visitorId=${encodeURIComponent(visitorId)}`, { method: "GET" })).blocked ?? false;
+			} catch (error) {
+				logger.warn("[Dash] Security is-blocked check failed:", error);
+				return false;
+			}
+		},
+		async verifyPoWSolution(visitorId, solution) {
+			try {
+				return await $api("/security/pow/verify", {
+					method: "POST",
+					body: {
+						visitorId,
+						solution
+					}
+				});
+			} catch (error) {
+				logger.warn("[Dash] PoW verify failed:", error);
+				return {
+					valid: false,
+					reason: "error"
+				};
+			}
+		},
+		async generateChallenge(visitorId) {
+			try {
+				return (await $api("/security/pow/generate", {
+					method: "POST",
+					body: {
+						visitorId,
+						difficulty: options.challengeDifficulty
+					}
+				})).challenge || "";
+			} catch (error) {
+				logger.warn("[Dash] PoW generate challenge failed:", error);
+				return "";
+			}
+		},
+		async checkImpossibleTravel(userId, currentLocation, visitorId) {
+			if (!options.impossibleTravel?.enabled || !currentLocation) return null;
+			try {
+				const data = await $api("/security/impossible-travel", {
+					method: "POST",
+					body: {
+						userId,
+						visitorId,
+						location: currentLocation,
+						config: options
+					}
+				});
+				if (data.isImpossible) {
+					const actionTaken = data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged";
+					logEvent({
+						type: "impossible_travel",
+						userId,
+						visitorId: visitorId || null,
+						ip: null,
+						country: currentLocation.country?.code || null,
+						details: {
+							from: data.from,
+							to: data.to,
+							distance: data.distance,
+							speedRequired: data.speedRequired,
+							action: data.action
+						},
+						action: actionTaken
+					});
 				}
-			});
-			return {
-				...data || {
-					valid: false,
-					reason: "invalid_format"
-				},
-				policy
-			};
-		} catch (error) {
-			logger.warn("[Dash] Email validation API error, falling back to allow:", error);
-			return {
-				valid: true,
-				policy
-			};
-		}
-	} };
-}
-/**
-* Basic local email format validation (fallback)
-*/
-function isValidEmailFormatLocal(email) {
-	if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return false;
-	if (email.length > 254) return false;
-	const [localPart, domain] = email.split("@");
-	if (!localPart || !domain) return false;
-	if (localPart.length > 64) return false;
-	if (domain.length > 253) return false;
-	return true;
-}
-const getEmail = (ctx) => {
-	if (ctx.path === "/change-email") return {
-		email: ctx.body?.newEmail,
-		container: "body",
-		field: "newEmail"
-	};
-	const body = ctx.body;
-	const query = ctx.query;
-	return {
-		email: body?.email ?? query?.email,
-		container: body ? "body" : "query",
-		field: "email"
-	};
-};
-/**
-* Create email normalization hook (shared between all configurations)
-*/
-function createEmailNormalizationHook() {
-	return {
-		matcher: allEmail,
-		handler: createAuthMiddleware(async (ctx) => {
-			const { email, container, field } = getEmail(ctx);
-			if (typeof email !== "string") return;
-			const normalized = normalizeEmail(email, ctx.context);
-			if (normalized === email) return;
-			const data = container === "query" ? {
-				...ctx.query,
-				[field]: normalized
-			} : {
-				...ctx.body,
-				[field]: normalized
+				return data;
+			} catch (error) {
+				logger.warn("[Dash] Impossible travel check failed:", error);
+				return null;
+			}
+		},
+		async storeLastLocation(userId, location) {
+			if (!location) return;
+			try {
+				await $api("/security/store-last-login", {
+					method: "POST",
+					body: {
+						userId,
+						location
+					}
+				});
+			} catch (error) {
+				logger.error("[Dash] Store last location error:", error);
+			}
+		},
+		async checkFreeTrialAbuse(visitorId) {
+			if (!options.freeTrialAbuse?.enabled) return {
+				isAbuse: false,
+				accountCount: 0,
+				maxAccounts: 0,
+				action: "log"
 			};
-			return { context: {
-				...ctx,
-				[container]: data
-			} };
-		})
-	};
-}
-/**
-* Create email validation hook with configurable validation strategy
-*/
-function createEmailValidationHook(validator, onDisposableEmail) {
-	return {
-		matcher: allEmail,
-		handler: createAuthMiddleware(async (ctx) => {
-			const { email } = getEmail(ctx);
-			if (typeof email !== "string") return;
-			if (!isValidEmailFormatLocal(email)) throw new APIError$1("BAD_REQUEST", { message: "Invalid email" });
-			if (validator) {
-				const result = await validator.validate(email);
-				const policy = result.policy;
-				if (!policy?.enabled) return;
-				if (policy.domainAllowlist?.length) {
-					const domain = email.toLowerCase().trim().split("@")[1];
-					if (domain && policy.domainAllowlist.includes(domain)) return;
-				}
-				const action = policy.action;
-				if (!result.valid) {
-					if ((result.disposable || result.reason === "no_mx_records" || result.reason === "blocklist" || result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short") && onDisposableEmail) {
-						const ip = ctx.request?.headers?.get("x-forwarded-for")?.split(",")[0] || ctx.request?.headers?.get("cf-connecting-ip") || void 0;
-						onDisposableEmail({
-							email,
-							reason: result.reason || "disposable",
-							confidence: result.confidence,
-							ip,
-							path: ctx.path,
-							action
-						});
+			try {
+				const data = await $api("/security/free-trial-abuse/check", {
+					method: "POST",
+					body: {
+						visitorId,
+						config: options
 					}
-					if (action === "allow") return;
-					throw new APIError$1("BAD_REQUEST", { message: result.reason === "no_mx_records" ? "This email domain cannot receive emails" : result.disposable || result.reason === "blocklist" ? "Disposable email addresses are not allowed" : result.reason === "known_invalid_email" || result.reason === "known_invalid_host" || result.reason === "reserved_tld" || result.reason === "provider_local_too_short" ? "This email address appears to be invalid" : "Invalid email" });
+				});
+				if (data.isAbuse) logEvent({
+					type: "free_trial_abuse",
+					userId: null,
+					visitorId,
+					ip: null,
+					country: null,
+					details: {
+						accountCount: data.accountCount,
+						maxAccounts: data.maxAccounts
+					},
+					action: data.action === "block" ? "blocked" : "logged"
+				});
+				return data;
+			} catch (error) {
+				logger.warn("[Dash] Free trial abuse check failed:", error);
+				return {
+					isAbuse: false,
+					accountCount: 0,
+					maxAccounts: 0,
+					action: "log"
+				};
+			}
+		},
+		async trackFreeTrialSignup(visitorId, userId) {
+			if (!options.freeTrialAbuse?.enabled) return;
+			try {
+				await $api("/security/free-trial-abuse/track", {
+					method: "POST",
+					body: {
+						visitorId,
+						userId
+					}
+				});
+			} catch (error) {
+				logger.error("[Dash] Track free trial signup error:", error);
+			}
+		},
+		async checkCompromisedPassword(password) {
+			try {
+				const hash = await sha1Hash(password);
+				const prefix = hash.substring(0, 5);
+				const suffix = hash.substring(5);
+				const data = await $api("/security/breached-passwords", {
+					method: "POST",
+					body: {
+						passwordPrefix: prefix,
+						config: options
+					}
+				});
+				if (!data.enabled) return { compromised: false };
+				const breachCount = (data.suffixes || {})[suffix] || 0;
+				const minBreachCount = data.minBreachCount ?? 1;
+				const action = data.action || "block";
+				const compromised = breachCount >= minBreachCount;
+				if (compromised) logEvent({
+					type: "compromised_password",
+					userId: null,
+					visitorId: null,
+					ip: null,
+					country: null,
+					details: { breachCount },
+					action: action === "block" ? "blocked" : action === "challenge" ? "challenged" : "logged"
+				});
+				return {
+					compromised,
+					breachCount: breachCount > 0 ? breachCount : void 0,
+					action: compromised ? action : void 0
+				};
+			} catch (error) {
+				logger.error("[Dash] Compromised password check error:", error);
+				return { compromised: false };
+			}
+		},
+		async checkStaleUser(userId, lastActiveAt) {
+			if (!options.staleUsers?.enabled) return { isStale: false };
+			try {
+				const data = await $api("/security/stale-user", {
+					method: "POST",
+					body: {
+						userId,
+						lastActiveAt: lastActiveAt instanceof Date ? lastActiveAt.toISOString() : lastActiveAt,
+						config: options
+					}
+				});
+				if (data.isStale) logEvent({
+					type: "stale_account_reactivation",
+					userId,
+					visitorId: null,
+					ip: null,
+					country: null,
+					details: {
+						daysSinceLastActive: data.daysSinceLastActive,
+						staleDays: data.staleDays,
+						lastActiveAt: data.lastActiveAt,
+						notifyUser: data.notifyUser,
+						notifyAdmin: data.notifyAdmin
+					},
+					action: data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged"
+				});
+				return data;
+			} catch (error) {
+				logger.error("[Dash] Stale user check error:", error);
+				return { isStale: false };
+			}
+		},
+		async notifyStaleAccountUser(userEmail, userName, daysSinceLastActive, identification, appName) {
+			const loginTime = (/* @__PURE__ */ new Date()).toLocaleString("en-US", {
+				dateStyle: "long",
+				timeStyle: "short",
+				timeZone: "UTC"
+			}) + " UTC";
+			const location = identification?.location;
+			const loginLocation = location?.city && location?.country?.name ? `${location.city}, ${location.country.code}` : location?.country?.name || "Unknown";
+			const browser = identification?.browser;
+			const loginDevice = browser?.name && browser?.os ? `${browser.name} on ${browser.os}` : "Unknown device";
+			const result = await emailSender.send({
+				template: "stale-account-user",
+				to: userEmail,
+				variables: {
+					userEmail,
+					userName: userName || "User",
+					appName: appName || "Your App",
+					daysSinceLastActive: String(daysSinceLastActive),
+					loginTime,
+					loginLocation,
+					loginDevice,
+					loginIp: identification?.ip || "Unknown"
 				}
-			}
-		})
-	};
-}
-/**
-* Create email validation hooks with optional API-backed validation
-*
-* @param options - Configuration options
-* @param options.enabled - Enable email validation (default: true)
-* @param options.useApi - Use API-backed validation (requires apiKey)
-* @param options.apiKey - API key for remote validation
-* @param options.apiUrl - API URL for policy fetching (defaults to INFRA_API_URL)
-* @param options.kvUrl - KV URL for email validation (defaults to INFRA_KV_URL)
-* @param options.strictness - Default strictness level: 'low', 'medium' (default), or 'high'
-* @param options.action - Default action when invalid: 'allow', 'block' (default), or 'challenge'
-*
-* @example
-* // Local validation only
-* createEmailHooks()
-*
-* @example
-* // API-backed validation
-* createEmailHooks({ useApi: true, apiKey: "your-api-key" })
-*
-* @example
-* // API-backed validation with high strictness default
-* createEmailHooks({ useApi: true, apiKey: "your-api-key", strictness: "high" })
-*/
-function createEmailHooks(options = {}) {
-	const { useApi = false, apiKey = "", apiUrl = INFRA_API_URL, kvUrl = INFRA_KV_URL, defaultConfig, onDisposableEmail } = options;
-	const emailConfig = {
-		enabled: true,
-		strictness: "medium",
-		action: "block",
-		...defaultConfig
+			});
+			if (result.success) logger.info(`[Dash] Stale account notification sent to user: ${userEmail}`);
+			else logger.error(`[Dash] Failed to send stale account user notification: ${result.error}`);
+		},
+		async notifyStaleAccountAdmin(adminEmail, userId, userEmail, userName, daysSinceLastActive, identification, appName) {
+			const loginTime = (/* @__PURE__ */ new Date()).toLocaleString("en-US", {
+				dateStyle: "long",
+				timeStyle: "short",
+				timeZone: "UTC"
+			}) + " UTC";
+			const location = identification?.location;
+			const loginLocation = location?.city && location?.country?.name ? `${location.city}, ${location.country.code}` : location?.country?.name || "Unknown";
+			const browser = identification?.browser;
+			const loginDevice = browser?.name && browser?.os ? `${browser.name} on ${browser.os}` : "Unknown device";
+			const result = await emailSender.send({
+				template: "stale-account-admin",
+				to: adminEmail,
+				variables: {
+					userEmail,
+					userName: userName || "User",
+					userId,
+					appName: appName || "Your App",
+					daysSinceLastActive: String(daysSinceLastActive),
+					loginTime,
+					loginLocation,
+					loginDevice,
+					loginIp: identification?.ip || "Unknown",
+					adminEmail
+				}
+			});
+			if (result.success) logger.info(`[Dash] Stale account admin notification sent to: ${adminEmail}`);
+			else logger.error(`[Dash] Failed to send stale account admin notification: ${result.error}`);
+		},
+		async checkUnknownDevice(_userId, _visitorId) {
+			return false;
+		},
+		async notifyUnknownDevice(userId, email, identification) {
+			logEvent({
+				type: "unknown_device",
+				userId,
+				visitorId: identification?.visitorId || null,
+				ip: identification?.ip || null,
+				country: identification?.location?.country?.code || null,
+				details: {
+					email,
+					device: identification?.browser.device,
+					os: identification?.browser.os,
+					browser: identification?.browser.name,
+					city: identification?.location?.city,
+					country: identification?.location?.country?.name
+				},
+				action: "logged"
+			});
+		}
 	};
-	if (!emailConfig.enabled) return { before: [] };
-	const validator = useApi ? createEmailValidator({
-		apiUrl,
-		kvUrl,
-		apiKey,
-		defaultConfig: emailConfig
-	}) : void 0;
-	return { before: [createEmailNormalizationHook(), createEmailValidationHook(validator, onDisposableEmail)] };
 }
-createEmailHooks();
 //#endregion
-//#region src/validation/phone.ts
-/**
-* Common fake/test phone numbers that should be blocked
-* These are numbers commonly used in testing, movies, documentation, etc.
-*/
-const INVALID_PHONE_NUMBERS = new Set([
-	"+15550000000",
-	"+15550001111",
-	"+15550001234",
-	"+15551234567",
-	"+15555555555",
-	"+15551111111",
-	"+15550000001",
-	"+15550123456",
-	"+12125551234",
-	"+13105551234",
-	"+14155551234",
-	"+12025551234",
-	"+10000000000",
-	"+11111111111",
-	"+12222222222",
-	"+13333333333",
-	"+14444444444",
-	"+15555555555",
-	"+16666666666",
-	"+17777777777",
-	"+18888888888",
-	"+19999999999",
-	"+11234567890",
-	"+10123456789",
-	"+19876543210",
-	"+441632960000",
-	"+447700900000",
-	"+447700900001",
-	"+447700900123",
-	"+447700900999",
-	"+442079460000",
-	"+442079460123",
-	"+441134960000",
-	"+0000000000",
-	"+1000000000",
-	"+123456789",
-	"+1234567890",
-	"+12345678901",
-	"+0123456789",
-	"+9876543210",
-	"+11111111111",
-	"+99999999999",
-	"+491234567890",
-	"+491111111111",
-	"+33123456789",
-	"+33111111111",
-	"+61123456789",
-	"+61111111111",
-	"+81123456789",
-	"+81111111111",
-	"+19001234567",
-	"+19761234567",
-	"+1911",
-	"+1411",
-	"+1611",
-	"+44999",
-	"+44112"
-]);
-/**
-* Patterns that indicate fake/test phone numbers
-*/
-const INVALID_PHONE_PATTERNS = [
-	/^\+\d(\d)\1{6,}$/,
-	/^\+\d*1234567890/,
-	/^\+\d*0123456789/,
-	/^\+\d*9876543210/,
-	/^\+\d*0987654321/,
-	/^\+\d*(12){4,}/,
-	/^\+\d*(21){4,}/,
-	/^\+\d*(00){4,}/,
-	/^\+1\d{3}555\d{4}$/,
-	/^\+\d{1,3}\d{1,5}$/,
-	/^\+\d+0{7,}$/,
-	/^\+\d*147258369/,
-	/^\+\d*258369147/,
-	/^\+\d*369258147/,
-	/^\+\d*789456123/,
-	/^\+\d*123456789/,
-	/^\+\d*1234512345/,
-	/^\+\d*1111122222/,
-	/^\+\d*1212121212/,
-	/^\+\d*1010101010/
-];
-/**
-* Invalid area codes / prefixes that indicate test numbers
-* Key: country code, Value: set of invalid prefixes
-*/
-const INVALID_PREFIXES_BY_COUNTRY = {
-	US: new Set([
-		"555",
-		"000",
-		"111",
-		"911",
-		"411",
-		"611"
-	]),
-	CA: new Set([
-		"555",
-		"000",
-		"911"
-	]),
-	GB: new Set([
-		"7700900",
-		"1632960",
-		"1134960"
-	]),
-	AU: new Set([
-		"0491570",
-		"0491571",
-		"0491572"
-	])
+//#region src/sentinel/security-hooks.ts
+const ERROR_MESSAGES = {
+	geo_blocked: "Access from your location is not allowed.",
+	bot_detected: "Automated access is not allowed.",
+	suspicious_ip_detected: "Anonymous connections (VPN, proxy, Tor) are not allowed.",
+	rate_limited: "Too many attempts. Please try again later.",
+	compromised_password: "This password has been found in data breaches. Please choose a different password.",
+	impossible_travel: "Login blocked due to suspicious location change."
+};
+const DISPLAY_NAMES = {
+	geo_blocked: {
+		challenge: "Security: geo challenge",
+		block: "Security: geo blocked"
+	},
+	bot_detected: {
+		challenge: "Security: bot challenge",
+		block: "Security: bot blocked"
+	},
+	suspicious_ip_detected: {
+		challenge: "Security: anonymous IP challenge",
+		block: "Security: anonymous IP blocked"
+	},
+	rate_limited: {
+		challenge: "Security: velocity challenge",
+		block: "Security: velocity exceeded"
+	},
+	compromised_password: {
+		challenge: "Security: breached password warning",
+		block: "Security: breached password blocked"
+	},
+	impossible_travel: {
+		challenge: "Security: impossible travel challenge",
+		block: "Security: impossible travel blocked"
+	}
 };
 /**
-* Check if a phone number is a commonly used fake/test number
-* @param phone - The phone number to check (E.164 format preferred)
-* @param defaultCountry - Default country code if not included in phone string
-* @returns true if the phone appears to be fake/test, false if it seems legitimate
+* Throw a challenge error with appropriate headers
 */
-const isFakePhoneNumber = (phone, defaultCountry) => {
-	const parsed = parsePhoneNumberFromString(phone, defaultCountry);
-	if (!parsed) return true;
-	const e164 = parsed.number;
-	const nationalNumber = parsed.nationalNumber;
-	const country = parsed.country;
-	if (INVALID_PHONE_NUMBERS.has(e164)) return true;
-	for (const pattern of INVALID_PHONE_PATTERNS) if (pattern.test(e164)) return true;
-	if (country && INVALID_PREFIXES_BY_COUNTRY[country]) {
-		const prefixes = INVALID_PREFIXES_BY_COUNTRY[country];
-		for (const prefix of prefixes) if (nationalNumber.startsWith(prefix)) return true;
-	}
-	if (/^(\d)\1+$/.test(nationalNumber)) return true;
-	const digits = nationalNumber.split("").map(Number);
-	let isSequential = digits.length >= 6;
-	for (let i = 1; i < digits.length && isSequential; i++) {
-		const current = digits[i];
-		const previous = digits[i - 1];
-		if (current === void 0 || previous === void 0 || current !== previous + 1 && current !== previous - 1) isSequential = false;
-	}
-	if (isSequential) return true;
-	return false;
-};
+function throwChallengeError(challenge, reason, message = "Please complete a security check to continue.") {
+	const error = new APIError("LOCKED", {
+		message,
+		code: "POW_CHALLENGE_REQUIRED"
+	});
+	error.headers = {
+		"X-PoW-Challenge": challenge,
+		"X-PoW-Reason": reason
+	};
+	throw error;
+}
 /**
-* Validate a phone number format
-* @param phone - The phone number to validate
-* @param defaultCountry - Default country code if not included in phone string
-* @returns true if the phone number is valid
+* Build common event data for security tracking
 */
-const isValidPhone = (phone, defaultCountry) => {
-	return isValidPhoneNumber(phone, defaultCountry);
-};
+function buildEventData(ctx, action, reason, confidence = 1, extraData) {
+	const { visitorId, identification, path, identifier, userAgent } = ctx;
+	const countryCode = identification?.location?.country?.code || void 0;
+	return {
+		eventKey: visitorId || identification?.ip || "unknown",
+		eventType: action === "challenged" ? "security_challenged" : "security_blocked",
+		eventDisplayName: DISPLAY_NAMES[reason]?.[action === "challenged" ? "challenge" : "block"] || `Security: ${reason}`,
+		eventData: {
+			action,
+			reason,
+			visitorId: visitorId || "",
+			path,
+			userAgent,
+			identifier,
+			confidence,
+			...extraData
+		},
+		ipAddress: identification?.ip || void 0,
+		city: identification?.location?.city || void 0,
+		country: identification?.location?.country?.name || void 0,
+		countryCode
+	};
+}
 /**
-* Comprehensive phone number validation
-* @param phone - The phone number to validate
-* @param options - Validation options
-* @returns true if valid, false otherwise
+* Handle a security check result by tracking events and throwing appropriate errors
+*
+* @param verdict - The security verdict from the security service
+* @param ctx - Security check context with request information
+* @param trackEvent - Function to track security events
+* @param securityService - Security service for generating challenges
+* @returns True if the request should be blocked
 */
-const validatePhone = (phone, options = {}) => {
-	const { mobileOnly = false, allowedCountries, blockedCountries, blockFakeNumbers = true, blockPremiumRate = true, blockTollFree = false, blockVoip = false, defaultCountry } = options;
-	if (!isValidPhone(phone, defaultCountry)) return false;
-	const parsed = parsePhoneNumberFromString(phone, defaultCountry);
-	if (!parsed) return false;
-	if (blockFakeNumbers && isFakePhoneNumber(phone, defaultCountry)) return false;
-	const country = parsed.country;
-	if (country) {
-		if (allowedCountries && !allowedCountries.includes(country)) return false;
-		if (blockedCountries?.includes(country)) return false;
-	}
-	const phoneType = parsed.getType();
-	if (mobileOnly) {
-		if (phoneType !== "MOBILE" && phoneType !== "FIXED_LINE_OR_MOBILE") return false;
+async function handleSecurityVerdict(verdict, ctx, trackEvent, securityService) {
+	if (verdict.action === "allow") return;
+	const reason = verdict.reason || "unknown";
+	const confidence = 1;
+	if (verdict.action === "challenge" && ctx.visitorId) {
+		const challenge = verdict.challenge || await securityService.generateChallenge(ctx.visitorId);
+		if (!challenge?.trim()) {
+			logger.warn("[Sentinel] Could not generate PoW challenge (service may be unavailable). Falling back to allow.");
+			return;
+		}
+		trackEvent(buildEventData(ctx, "challenged", reason, confidence, verdict.details));
+		throwChallengeError(challenge, reason, "Please complete a security check to continue.");
+	} else if (verdict.action === "block") {
+		trackEvent(buildEventData(ctx, "blocked", reason, confidence, verdict.details));
+		throw new APIError("FORBIDDEN", { message: ERROR_MESSAGES[reason] || "Access denied." });
 	}
-	if (blockPremiumRate && phoneType === "PREMIUM_RATE") return false;
-	if (blockTollFree && phoneType === "TOLL_FREE") return false;
-	if (blockVoip && phoneType === "VOIP") return false;
-	return true;
-};
-const allPhonePaths = new Set([
-	"/phone-number/send-otp",
-	"/phone-number/verify",
-	"/sign-in/phone-number",
-	"/phone-number/request-password-reset",
-	"/phone-number/reset-password"
-]);
-const getPhoneNumber = (ctx) => ctx.body?.phoneNumber ?? ctx.query?.phoneNumber;
+}
 /**
-* Better Auth plugin for phone number validation
-* Validates phone numbers on all phone-related endpoints
+* Run all security checks using the consolidated checkSecurity API
+*
+* This replaces the multiple individual check calls with a single API call
+* that handles all security checks server-side.
 */
-const phoneValidationHooks = { before: [{
-	matcher: (context) => !!context.path && allPhonePaths.has(context.path),
-	handler: createAuthMiddleware(async (ctx) => {
-		const phoneNumber = getPhoneNumber(ctx);
-		if (typeof phoneNumber !== "string") return;
-		if (!validatePhone(phoneNumber)) throw new APIError$1("BAD_REQUEST", { message: "Invalid phone number" });
-	})
-}] };
+async function runSecurityChecks(ctx, securityService, trackEvent, powVerified) {
+	if (powVerified) return;
+	await handleSecurityVerdict(await securityService.checkSecurity({
+		visitorId: ctx.visitorId,
+		requestId: ctx.identification?.requestId || null,
+		ip: ctx.identification?.ip || null,
+		path: ctx.path,
+		identifier: ctx.identifier
+	}), ctx, trackEvent, securityService);
+}
 //#endregion
-//#region src/sentinel.ts
+//#region src/sentinel/sentinel.ts
 const sentinel = (options) => {
 	const opts = resolveSentinelOptions(options);
 	const { tracker } = initTrackEvents(opts);
@@ -2062,7 +2057,8 @@ const sentinel = (options) => {
 	});
 	return {
 		id: "sentinel",
-		init() {
+		init(ctx) {
+			const activityTrackingEnabled = (ctx.getPlugin("dash")?.options)?.activityTracking?.enabled === true;
 			return { options: {
 				emailValidation: opts.security?.emailValidation,
 				databaseHooks: {
@@ -2074,7 +2070,7 @@ const sentinel = (options) => {
 								const abuseCheck = await securityService.checkFreeTrialAbuse(visitorId);
 								if (abuseCheck.isAbuse && abuseCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Account creation is not allowed from this device." });
 							}
-							if (user.email && typeof user.email === "string") return { data: {
+							if (user.email && typeof user.email === "string" && opts.security?.emailValidation?.enabled !== false) return { data: {
 								...user,
 								email: normalizeEmail(user.email, ctx.context)
 							} };
@@ -2103,14 +2099,15 @@ const sentinel = (options) => {
 							const visitorId = ctx.context.visitorId;
 							const identification = ctx.context.identification;
 							let user = null;
+							const userSelect = [
+								"email",
+								"name",
+								...activityTrackingEnabled ? ["lastActiveAt"] : []
+							];
 							try {
 								user = await ctx.context.adapter.findOne({
 									model: "user",
-									select: [
-										"email",
-										"name",
-										"lastActiveAt"
-									],
+									select: [...userSelect],
 									where: [{
 										field: "id",
 										value: session.userId
@@ -2123,7 +2120,8 @@ const sentinel = (options) => {
 								if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) await ctx.context.runInBackgroundOrAwait(securityService.notifyUnknownDevice(session.userId, user.email, identification));
 							}
 							if (opts.security?.staleUsers?.enabled && user) {
-								const staleCheck = await securityService.checkStaleUser(session.userId, user.lastActiveAt || null);
+								const lastActiveAtForStale = activityTrackingEnabled ? user.lastActiveAt ?? null : null;
+								const staleCheck = await securityService.checkStaleUser(session.userId, lastActiveAtForStale);
 								if (staleCheck.isStale) {
 									const staleOpts = opts.security.staleUsers;
 									const notificationPromises = [];
@@ -2747,6 +2745,9 @@ const jwtValidateMiddleware = (options) => createAuthMiddleware(async (ctx) => {
 	return { payload };
 });
 //#endregion
+//#region src/version.ts
+const PLUGIN_VERSION = "0.2.0";
+//#endregion
 //#region src/routes/auth/config.ts
 const PLUGIN_OPTIONS_EXCLUDE_KEYS = { stripe: new Set(["stripeClient"]) };
 function isPlainSerializable(value) {
@@ -2792,11 +2793,17 @@ const getConfig = (options) => {
 			socialProviders: Object.keys(ctx.context.options.socialProviders || {}),
 			emailAndPassword: ctx.context.options.emailAndPassword,
 			plugins: ctx.context.options.plugins?.map((plugin) => {
-				return {
+				const base = {
 					id: plugin.id,
 					schema: plugin.schema,
+					version: plugin.version,
 					options: sanitizePluginOptions(plugin.id, plugin.options)
 				};
+				if (plugin.id === "dash" && !plugin.version) return {
+					...base,
+					version: PLUGIN_VERSION
+				};
+				return base;
 			}) ?? [],
 			organization: {
 				sendInvitationEmailEnabled: !!organizationPlugin?.options?.sendInvitationEmail,
@@ -3092,13 +3099,6 @@ const regenerateDirectoryToken = (options) => {
 };
 //#endregion
 //#region src/routes/events/index.ts
-/**
-* All available event types that can be returned in audit logs
-*/
-const USER_EVENT_TYPES = {
-	...EVENT_TYPES,
-	...ORGANIZATION_EVENT_TYPES
-};
 function transformEvent(raw) {
 	const location = raw.ipAddress || raw.city || raw.country || raw.countryCode ? {
 		ipAddress: raw.ipAddress,
@@ -3498,6 +3498,7 @@ const completeInvitation = (options) => {
 		})
 	}, async (ctx) => {
 		const { token, password, providerId, providerAccountId, accessToken, refreshToken } = ctx.body;
+		const fallbackRedirect = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : "/";
 		const { data: invitation, error } = await $api("/api/internal/invitations/verify", {
 			method: "POST",
 			body: { token }
@@ -3525,7 +3526,7 @@ const completeInvitation = (options) => {
 			});
 			return {
 				success: true,
-				redirectUrl: invitation.redirectUrl || ctx.context.options.baseURL || "/"
+				redirectUrl: invitation.redirectUrl ?? fallbackRedirect
 			};
 		}
 		const user = await ctx.context.internalAdapter.createUser({
@@ -3562,7 +3563,7 @@ const completeInvitation = (options) => {
 		});
 		return {
 			success: true,
-			redirectUrl: invitation.redirectUrl || ctx.context.options.baseURL || "/"
+			redirectUrl: invitation.redirectUrl ?? fallbackRedirect
 		};
 	});
 };
@@ -3710,7 +3711,7 @@ const checkUserByEmail = (options) => {
 				id: user.id,
 				name: user.name,
 				email: user.email,
-				image: user.image
+				image: user.image ?? null
 			},
 			isAlreadyMember: !!existingMember
 		};
@@ -3861,26 +3862,31 @@ const listOrganizationMembers = (options) => {
 			if (inviter && inv.inviterId) inviterById.set(inv.inviterId, inviter);
 		}
 		const invitationByEmail = new Map(invitations.map((i) => [i.email.toLowerCase(), i]));
-		return members.map((m) => {
-			const user = (Array.isArray(m.user) ? m.user[0] : m.user) ?? null;
-			const invitation = user ? invitationByEmail.get(user.email.toLowerCase()) : null;
-			const inviter = invitation ? inviterById.get(invitation.inviterId) : null;
-			return {
-				...m,
-				user: user ? {
-					id: user.id,
-					email: user.email,
-					name: user.name,
-					image: user.image || null
-				} : null,
-				invitedBy: inviter ? {
-					id: inviter.id,
-					name: inviter.name,
-					email: inviter.email,
-					image: inviter.image || null
-				} : null
+		const result = [];
+		for (const m of members) {
+			const joinedUser = Array.isArray(m.user) ? m.user[0] : m.user;
+			if (!joinedUser) continue;
+			const invitation = invitationByEmail.get(joinedUser.email.toLowerCase());
+			const inviter = invitation ? inviterById.get(invitation.inviterId) : void 0;
+			const user = {
+				id: joinedUser.id,
+				email: joinedUser.email,
+				name: joinedUser.name,
+				image: joinedUser.image ?? null
 			};
-		});
+			const invitedBy = inviter ? {
+				id: inviter.id,
+				name: inviter.name,
+				email: inviter.email,
+				image: inviter.image ?? null
+			} : null;
+			result.push({
+				...m,
+				user,
+				invitedBy
+			});
+		}
+		return result;
 	});
 };
 const addMember = (options) => {
@@ -4144,6 +4150,16 @@ const exportFactory = (input, options) => async (ctx) => {
 //#endregion
 //#region src/helper.ts
 /**
+* Returns true when sessions live exclusively in secondary storage
+* (i.e. the user has configured secondaryStorage but has NOT enabled
+* storeSessionInDatabase). In this case DB queries against the session
+* model will return empty results and we must go through the
+* internalAdapter instead.
+*/
+function isSessionInSecondaryStorageOnly(context) {
+	return !!context.options.secondaryStorage && !context.options.session?.storeSessionInDatabase;
+}
+/**
 * Checks whether a plugin is registered by its ID.
 * Prefers the native `hasPlugin` when available, otherwise
 * falls back to scanning `options.plugins`.
@@ -4200,14 +4216,16 @@ const listOrganizations = (options) => {
 			endDate: z$1.date().or(z$1.string().transform((val) => new Date(val))).optional()
 		}).optional()
 	}, async (ctx) => {
+		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search, filterMembers } = ctx.query || {};
 		if (!isOrganizationEnabled(ctx)) {
 			ctx.context.logger.warn("[Dash] Organization plugin not enabled, returning empty organizations list");
 			return {
 				organizations: [],
-				total: 0
+				total: 0,
+				offset,
+				limit
 			};
 		}
-		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search, filterMembers } = ctx.query || {};
 		const where = [];
 		if (search && search.trim().length > 0) {
 			const searchTerm = search.trim();
@@ -4215,11 +4233,13 @@ const listOrganizations = (options) => {
 				field: "name",
 				value: searchTerm,
 				operator: "starts_with",
+				mode: "insensitive",
 				connector: "OR"
 			}, {
 				field: "slug",
 				value: searchTerm,
 				operator: "starts_with",
+				mode: "insensitive",
 				connector: "OR"
 			});
 		}
@@ -4235,7 +4255,7 @@ const listOrganizations = (options) => {
 		});
 		const needsInMemoryProcessing = sortBy === "members" || !!filterMembers;
 		const dbSortBy = sortBy === "members" ? "createdAt" : sortBy;
-		const fetchLimit = needsInMemoryProcessing ? 1500 : limit;
+		const fetchLimit = needsInMemoryProcessing ? 2500 : limit;
 		const fetchOffset = needsInMemoryProcessing ? 0 : offset;
 		const [organizations, initialTotal] = await Promise.all([ctx.context.adapter.findMany({
 			model: "organization",
@@ -4356,7 +4376,7 @@ const getOrganizationOptions = (options) => {
 	}, async (ctx) => {
 		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) return { teamsEnabled: false };
-		return { teamsEnabled: organizationPlugin.options?.teams?.enabled && organizationPlugin.options.teams.defaultTeam?.enabled !== false };
+		return { teamsEnabled: Boolean(organizationPlugin.options?.teams?.enabled && organizationPlugin.options.teams.defaultTeam?.enabled !== false) };
 	});
 };
 const getOrganization = (options) => {
@@ -4844,6 +4864,7 @@ const updateTeam = (options) => {
 			}],
 			update: updateData
 		});
+		if (!team) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to update team" });
 		if (orgOptions?.organizationHooks?.afterUpdateTeam) await orgOptions.organizationHooks.afterUpdateTeam({
 			team,
 			user,
@@ -5043,7 +5064,7 @@ const listTeamMembers = (options) => {
 						id: user.id,
 						name: user.name,
 						email: user.email,
-						image: user.image
+						image: user.image ?? null
 					} : null
 				};
 			});
@@ -5232,43 +5253,6 @@ const removeTeamMember = (options) => {
 };
 //#endregion
 //#region src/routes/sessions/index.ts
-const listAllSessions = (options) => {
-	return createAuthEndpoint("/dash/list-all-sessions", {
-		method: "GET",
-		use: [jwtMiddleware(options)],
-		query: z$1.object({
-			limit: z$1.number().optional(),
-			offset: z$1.number().optional()
-		}).optional()
-	}, async (ctx) => {
-		const sessionsCount = await ctx.context.adapter.count({ model: "session" });
-		const limit = ctx.query?.limit || sessionsCount;
-		const offset = ctx.query?.offset || 0;
-		const sessions = await ctx.context.adapter.findMany({
-			model: "session",
-			limit,
-			offset,
-			sortBy: {
-				field: "createdAt",
-				direction: "desc"
-			},
-			join: { user: true }
-		});
-		const userMap = /* @__PURE__ */ new Map();
-		for (const s of sessions) {
-			const user = Array.isArray(s.user) ? s.user[0] : s.user;
-			if (!user) continue;
-			const { user: _u, ...sessionData } = s;
-			const session = sessionData;
-			if (!userMap.has(user.id)) userMap.set(user.id, {
-				...user,
-				sessions: []
-			});
-			userMap.get(user.id).sessions.push(session);
-		}
-		return Array.from(userMap.values());
-	});
-};
 const revokeSession = (options) => createAuthEndpoint("/dash/sessions/revoke", {
 	method: "POST",
 	use: [jwtMiddleware(options)],
@@ -5276,18 +5260,26 @@ const revokeSession = (options) => createAuthEndpoint("/dash/sessions/revoke", {
 }, async (ctx) => {
 	const { sessionId, userId } = ctx.context.payload;
 	if (!sessionId || !userId) throw ctx.error("FORBIDDEN", { message: "Invalid payload" });
-	const session = await ctx.context.adapter.findOne({
-		model: "session",
-		where: [{
-			field: "id",
-			value: sessionId
-		}, {
-			field: "userId",
-			value: userId
-		}]
-	});
-	if (!session) throw ctx.error("NOT_FOUND", { message: "Session not found" });
-	await ctx.context.internalAdapter.deleteSession(session.token);
+	let sessionToken;
+	if (isSessionInSecondaryStorageOnly(ctx.context)) {
+		const match = (await ctx.context.internalAdapter.listSessions(userId)).find((s) => s.id === sessionId || s.token === sessionId);
+		if (!match) throw ctx.error("NOT_FOUND", { message: "Session not found" });
+		sessionToken = match.token;
+	} else {
+		const session = await ctx.context.adapter.findOne({
+			model: "session",
+			where: [{
+				field: "id",
+				value: sessionId
+			}, {
+				field: "userId",
+				value: userId
+			}]
+		});
+		if (!session) throw ctx.error("NOT_FOUND", { message: "Session not found" });
+		sessionToken = session.token;
+	}
+	await ctx.context.internalAdapter.deleteSession(sessionToken);
 	return ctx.json({ success: true });
 });
 const revokeAllSessions = (options) => createAuthEndpoint("/dash/sessions/revoke-all", {
@@ -5408,8 +5400,16 @@ function getSSOPlugin(ctx) {
 }
 //#endregion
 //#region src/routes/sso-validation.ts
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+/**
+* SAML metadata limits and algorithm URIs aligned with @better-auth/sso
+* (see packages/sso dist constants). Inlined so consumers (e.g. Metro) never
+* statically pull @better-auth/sso for validation-only code paths.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+const RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+const SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
+const DEPRECATED_SIGNATURE_ALGORITHMS = [RSA_SHA1];
+const DEPRECATED_DIGEST_ALGORITHMS = [SHA1];
 function validateSAMLMetadataSize(metadataXml, maxSize = DEFAULT_MAX_SAML_METADATA_SIZE) {
 	if (new TextEncoder().encode(metadataXml).byteLength > maxSize) throw new Error(`IdP metadata exceeds maximum allowed size (${Math.round(maxSize / 1024)}KB)`);
 }
@@ -5437,6 +5437,10 @@ function validateSAMLMetadataAlgorithms(metadataXml) {
 }
 //#endregion
 //#region src/routes/sso/index.ts
+let ssoRuntimeModule;
+function loadSsoRuntime() {
+	return ssoRuntimeModule ??= import("@better-auth/sso");
+}
 function requireOrganizationAccess(ctx) {
 	const orgIdFromUrl = tryDecode(ctx.params.id);
 	const orgIdFromToken = ctx.context.payload?.organizationId;
@@ -5509,6 +5513,7 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 		}] } : {},
 		...samlConfig.cert ? { cert: samlConfig.cert } : {}
 	};
+	const m = samlConfig.mapping;
 	return {
 		config: {
 			issuer: samlConfig.entityId ?? `${baseURL}/sso/saml2/sp/metadata?providerId=${providerId}`,
@@ -5517,7 +5522,15 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 			spMetadata: {},
 			entryPoint: samlConfig.entryPoint ?? "",
 			cert: samlConfig.cert ?? "",
-			...samlConfig.mapping ? { mapping: samlConfig.mapping } : {}
+			...m ? { mapping: {
+				id: m.id ?? "nameID",
+				email: m.email ?? "email",
+				name: m.name ?? "name",
+				emailVerified: m.emailVerified,
+				firstName: m.firstName,
+				lastName: m.lastName,
+				extraFields: m.extraFields
+			} } : {}
 		},
 		...metadataAlgorithmWarnings.length > 0 ? { warnings: metadataAlgorithmWarnings } : {}
 	};
@@ -5531,8 +5544,9 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 	}
 	const issuerHint = oidcConfig.issuer || `https://${normalizedDomain}`;
 	const issuer = issuerHint.startsWith("http") ? issuerHint : `https://${issuerHint}`;
+	const sso = await loadSsoRuntime();
 	try {
-		const hydratedConfig = await discoverOIDCConfig({
+		const hydratedConfig = await sso.discoverOIDCConfig({
 			issuer,
 			discoveryEndpoint: oidcConfig.discoveryUrl,
 			isTrustedOrigin: (url) => {
@@ -5544,6 +5558,7 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 				}
 			}
 		});
+		const om = oidcConfig.mapping;
 		return {
 			config: {
 				clientId: oidcConfig.clientId,
@@ -5556,12 +5571,19 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 				userInfoEndpoint: hydratedConfig.userInfoEndpoint,
 				tokenEndpointAuthentication: hydratedConfig.tokenEndpointAuthentication,
 				pkce: true,
-				...oidcConfig.mapping ? { mapping: oidcConfig.mapping } : {}
+				...om ? { mapping: {
+					id: om.id ?? "sub",
+					email: om.email ?? "email",
+					name: om.name ?? "name",
+					emailVerified: om.emailVerified,
+					image: om.image,
+					extraFields: om.extraFields
+				} } : {}
 			},
 			issuer: hydratedConfig.issuer
 		};
 	} catch (e) {
-		if (e instanceof DiscoveryError) {
+		if (e instanceof sso.DiscoveryError) {
 			ctx.context.logger.error("[Dash] OIDC discovery failed:", e);
 			throw ctx.error("BAD_REQUEST", {
 				message: `OIDC discovery failed: ${e.message}`,
@@ -5648,6 +5670,8 @@ const createSsoProvider = (options) => {
 					...buildSessionContext(userId)
 				}
 			});
+			let verificationToken = null;
+			if ("domainVerificationToken" in result && typeof result.domainVerificationToken === "string") verificationToken = result.domainVerificationToken;
 			return {
 				success: true,
 				provider: {
@@ -5657,7 +5681,7 @@ const createSsoProvider = (options) => {
 				},
 				domainVerification: {
 					txtRecordName: `better-auth-token-${providerId}`,
-					verificationToken: result.domainVerificationToken ?? null
+					verificationToken
 				}
 			};
 		} catch (e) {
@@ -5758,7 +5782,9 @@ const requestSsoVerificationToken = (options) => {
 		requireOrganizationPlugin(ctx);
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin?.endpoints?.requestDomainVerification || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		const endpoints = ssoPlugin.endpoints;
+		if (typeof endpoints.requestDomainVerification !== "function") throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = tryDecode(ctx.params.id);
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5774,7 +5800,7 @@ const requestSsoVerificationToken = (options) => {
 		if (!provider) throw ctx.error("NOT_FOUND", { message: "SSO provider not found" });
 		const txtRecordName = `${ssoPlugin.options?.domainVerification?.tokenPrefix || "better-auth-token"}-${provider.providerId}`;
 		try {
-			const result = await ssoPlugin.endpoints.requestDomainVerification({
+			const result = await endpoints.requestDomainVerification({
 				body: { providerId },
 				context: {
 					...ctx.context,
@@ -5785,7 +5811,7 @@ const requestSsoVerificationToken = (options) => {
 				success: true,
 				providerId: provider.providerId,
 				domain: provider.domain,
-				verificationToken: result.domainVerificationToken,
+				verificationToken: result.domainVerificationToken ?? "",
 				txtRecordName
 			};
 		} catch (e) {
@@ -5804,7 +5830,9 @@ const verifySsoProviderDomain = (options) => {
 		requireOrganizationPlugin(ctx);
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin?.endpoints?.verifyDomain || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		const dvEndpoints = ssoPlugin.endpoints;
+		if (typeof dvEndpoints.verifyDomain !== "function") throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = tryDecode(ctx.params.id);
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5819,7 +5847,7 @@ const verifySsoProviderDomain = (options) => {
 		});
 		if (!provider) throw ctx.error("NOT_FOUND", { message: "SSO provider not found" });
 		try {
-			await ssoPlugin.endpoints.verifyDomain({
+			await dvEndpoints.verifyDomain({
 				body: { providerId },
 				context: {
 					...ctx.context,
@@ -6434,6 +6462,7 @@ const getUserDetails = (options) => {
 		const { userId } = ctx.context.payload;
 		const minimal = !!ctx.query?.minimal;
 		const hasAdminPlugin = hasPlugin(ctx.context, "admin");
+		const secondaryStorageOnly = isSessionInSecondaryStorageOnly(ctx.context);
 		const user = await ctx.context.adapter.findOne({
 			model: "user",
 			where: [{
@@ -6442,7 +6471,7 @@ const getUserDetails = (options) => {
 			}],
 			...minimal ? {} : { join: {
 				account: true,
-				session: true
+				...secondaryStorageOnly ? {} : { session: true }
 			} }
 		});
 		if (!user) throw ctx.error("NOT_FOUND", { message: "User not found" });
@@ -6456,10 +6485,10 @@ const getUserDetails = (options) => {
 			session: []
 		};
 		const activityTrackingEnabled = !!options.activityTracking?.enabled;
-		const sessions = user.session || [];
+		const sessions = secondaryStorageOnly ? await ctx.context.internalAdapter.listSessions(userId) : user.session || [];
 		let lastActiveAt = null;
 		if (activityTrackingEnabled) {
-			lastActiveAt = user.lastActiveAt;
+			lastActiveAt = user.lastActiveAt ?? null;
 			let shouldUpdateLastActiveAt = false;
 			if (sessions.length > 0) {
 				const mostRecentSession = [...sessions].sort((a, b) => {
@@ -6487,6 +6516,7 @@ const getUserDetails = (options) => {
 		}
 		return {
 			...user,
+			...secondaryStorageOnly ? { session: sessions } : {},
 			lastActiveAt,
 			banned: hasAdminPlugin ? user.banned ?? false : false,
 			banReason: hasAdminPlugin ? user.banReason ?? null : null,
@@ -6537,7 +6567,7 @@ const getUserOrganizations = (options) => {
 				role: m.role,
 				teams: teams.filter((team) => team.organizationId === organization.id)
 			};
-		}).filter(Boolean) };
+		}).filter((row) => row != null) };
 	});
 };
 const updateUser = (options) => createAuthEndpoint("/dash/update-user", {
@@ -6562,8 +6592,8 @@ const updateUser = (options) => createAuthEndpoint("/dash/update-user", {
 	if (!user) throw new APIError("NOT_FOUND", { message: "User not found" });
 	return user;
 });
-async function countUniqueActiveUsers(adapter, range, activityTrackingEnabled) {
-	const field = activityTrackingEnabled ? "lastActiveAt" : "updatedAt";
+async function countUniqueActiveUsers(ctx, range, options) {
+	const field = options.activityTrackingEnabled ? "lastActiveAt" : "updatedAt";
 	const where = [{
 		field,
 		operator: "gte",
@@ -6574,11 +6604,31 @@ async function countUniqueActiveUsers(adapter, range, activityTrackingEnabled) {
 		operator: "lt",
 		value: range.to
 	});
-	if (activityTrackingEnabled) return adapter.count({
+	if (options.activityTrackingEnabled) return ctx.context.adapter.count({
 		model: "user",
 		where
 	});
-	const sessions = await adapter.findMany({
+	if (options.storeInSecondaryStorageOnly) {
+		const users = await ctx.context.adapter.findMany({
+			model: "user",
+			select: ["id"]
+		});
+		const fromMs = range.from.getTime();
+		const toMs = range.to?.getTime();
+		const activeUserIds = /* @__PURE__ */ new Set();
+		await withConcurrency(users, async (user) => {
+			const sessions = await ctx.context.internalAdapter.listSessions(user.id);
+			for (const session of sessions) {
+				const updatedAt = new Date(session.updatedAt).getTime();
+				if (updatedAt >= fromMs && (toMs === void 0 || updatedAt < toMs)) {
+					activeUserIds.add(user.id);
+					break;
+				}
+			}
+		}, { concurrency: 50 });
+		return activeUserIds.size;
+	}
+	const sessions = await ctx.context.adapter.findMany({
 		model: "session",
 		select: ["userId"],
 		where
@@ -6597,6 +6647,7 @@ const getUserStats = (options) => createAuthEndpoint("/dash/user-stats", {
 	const oneMonthAgo = /* @__PURE__ */ new Date(now.getTime() - 720 * 60 * 60 * 1e3);
 	const twoMonthsAgo = /* @__PURE__ */ new Date(now.getTime() - 1440 * 60 * 60 * 1e3);
 	const activityTrackingEnabled = !!options.activityTracking?.enabled;
+	const storeInSecondaryStorageOnly = isSessionInSecondaryStorageOnly(ctx.context);
 	const [dailyCount, previousDailyCount, weeklyCount, previousWeeklyCount, monthlyCount, previousMonthlyCount, totalCount, dailyActiveCount, previousDailyActiveCount, weeklyActiveCount, previousWeeklyActiveCount, monthlyActiveCount, previousMonthlyActiveCount] = await Promise.all([
 		ctx.context.adapter.count({
 			model: "user",
@@ -6659,21 +6710,39 @@ const getUserStats = (options) => createAuthEndpoint("/dash/user-stats", {
 			}]
 		}),
 		ctx.context.adapter.count({ model: "user" }),
-		countUniqueActiveUsers(ctx.context.adapter, { from: oneDayAgo }, activityTrackingEnabled),
-		countUniqueActiveUsers(ctx.context.adapter, {
+		countUniqueActiveUsers(ctx, { from: oneDayAgo }, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		}),
+		countUniqueActiveUsers(ctx, {
 			from: twoDaysAgo,
 			to: oneDayAgo
-		}, activityTrackingEnabled),
-		countUniqueActiveUsers(ctx.context.adapter, { from: oneWeekAgo }, activityTrackingEnabled),
-		countUniqueActiveUsers(ctx.context.adapter, {
+		}, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		}),
+		countUniqueActiveUsers(ctx, { from: oneWeekAgo }, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		}),
+		countUniqueActiveUsers(ctx, {
 			from: twoWeeksAgo,
 			to: oneWeekAgo
-		}, activityTrackingEnabled),
-		countUniqueActiveUsers(ctx.context.adapter, { from: oneMonthAgo }, activityTrackingEnabled),
-		countUniqueActiveUsers(ctx.context.adapter, {
+		}, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		}),
+		countUniqueActiveUsers(ctx, { from: oneMonthAgo }, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		}),
+		countUniqueActiveUsers(ctx, {
 			from: twoMonthsAgo,
 			to: oneMonthAgo
-		}, activityTrackingEnabled)
+		}, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		})
 	]);
 	const calculatePercentage = (current, previous) => {
 		if (previous === 0) return current > 0 ? 100 : 0;
@@ -6721,6 +6790,7 @@ const getUserGraphData = (options) => createAuthEndpoint("/dash/user-graph-data"
 	const { period } = ctx.query;
 	const now = /* @__PURE__ */ new Date();
 	const activityTrackingEnabled = !!options.activityTracking?.enabled;
+	const storeInSecondaryStorageOnly = isSessionInSecondaryStorageOnly(ctx.context);
 	const intervals = period === "daily" ? 7 : period === "weekly" ? 8 : 6;
 	const msPerInterval = period === "daily" ? 1440 * 60 * 1e3 : period === "weekly" ? 10080 * 60 * 1e3 : 720 * 60 * 60 * 1e3;
 	const intervalData = [];
@@ -6761,10 +6831,13 @@ const getUserGraphData = (options) => createAuthEndpoint("/dash/user-graph-data"
 				value: interval.endDate
 			}]
 		}),
-		countUniqueActiveUsers(ctx.context.adapter, {
+		countUniqueActiveUsers(ctx, {
 			from: interval.startDate,
 			to: interval.endDate
-		}, activityTrackingEnabled)
+		}, {
+			storeInSecondaryStorageOnly,
+			activityTrackingEnabled
+		})
 	]);
 	const results = await Promise.all(allQueries);
 	return {
@@ -6803,6 +6876,7 @@ const getUserRetentionData = (options) => createAuthEndpoint("/dash/user-retenti
 	*/
 	const { period } = ctx.query;
 	const activityTrackingEnabled = !!options.activityTracking?.enabled;
+	const secondaryOnly = isSessionInSecondaryStorageOnly(ctx.context);
 	const now = /* @__PURE__ */ new Date();
 	const startOfUtcDay = (d) => new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
 	const startOfUtcMonth = (d) => new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), 1));
@@ -6884,7 +6958,22 @@ const getUserRetentionData = (options) => createAuthEndpoint("/dash/user-retenti
 			ctx.context.logger.warn("[Dash] Failed to count retained users by lastActiveAt:", error);
 			return 0;
 		});
-		else {
+		else if (secondaryOnly) {
+			const activeStartMs = activeStart.getTime();
+			const activeEndMs = activeEnd.getTime();
+			const retainedUsers = /* @__PURE__ */ new Set();
+			await withConcurrency(cohortUserIds, async (userId) => {
+				const sessions = await ctx.context.internalAdapter.listSessions(userId);
+				for (const session of sessions) {
+					const updatedAt = new Date(session.updatedAt).getTime();
+					if (updatedAt >= activeStartMs && updatedAt < activeEndMs) {
+						retainedUsers.add(userId);
+						break;
+					}
+				}
+			}, { concurrency: 50 });
+			retained = retainedUsers.size;
+		} else {
 			const sessionsInActiveWindow = await ctx.context.adapter.findMany({
 				model: "session",
 				select: ["userId"],
@@ -6946,20 +7035,7 @@ const banUser = (options) => createAuthEndpoint("/dash/ban-user", {
 		banExpires: banExpires ? new Date(banExpires) : null,
 		updatedAt: /* @__PURE__ */ new Date()
 	});
-	const sessions = await ctx.context.adapter.findMany({
-		model: "session",
-		where: [{
-			field: "userId",
-			value: userId
-		}]
-	});
-	for (const session of sessions) await ctx.context.adapter.delete({
-		model: "session",
-		where: [{
-			field: "id",
-			value: session.id
-		}]
-	});
+	await ctx.context.internalAdapter.deleteSessions(userId);
 	return { success: true };
 });
 const banManyUsers = (options) => {
@@ -7293,6 +7369,8 @@ const dash = (options) => {
 	const { trackOrganizationMemberInvited, trackOrganizationMemberInviteAccepted, trackOrganizationMemberInviteCanceled, trackOrganizationMemberInviteRejected } = initInvitationEvents(tracker);
 	return {
 		id: "dash",
+		options: opts,
+		version: PLUGIN_VERSION,
 		init(ctx) {
 			const organizationPlugin = ctx.getPlugin("organization");
 			if (organizationPlugin) {
@@ -7645,7 +7723,6 @@ const dash = (options) => {
 			updateDashUser: updateUser(opts),
 			setDashPassword: setPassword(opts),
 			unlinkDashAccount: unlinkAccount(opts),
-			listAllDashSessions: listAllSessions(opts),
 			dashRevokeSession: revokeSession(opts),
 			dashRevokeAllSessions: revokeAllSessions(opts),
 			dashRevokeManySessions: revokeManySessions(opts),
@@ -7689,7 +7766,10 @@ const dash = (options) => {
 			regenerateDashDirectoryToken: regenerateDirectoryToken(opts),
 			dashExecuteAdapter: executeAdapter(opts)
 		},
-		schema: opts.activityTracking?.enabled ? { user: { fields: { lastActiveAt: { type: "date" } } } } : {}
+		schema: opts.activityTracking?.enabled ? { user: { fields: { lastActiveAt: {
+			type: "date",
+			required: false
+		} } } } : {}
 	};
 };
 //#endregion