@better-auth/infra 0.1.14 → 0.2.0

package/dist/index.mjs

@@ -1,5 +1,4 @@
 import { n as INFRA_KV_URL, r as KV_TIMEOUT_MS, t as INFRA_API_URL } from "./constants-DdWGfvz1.mjs";
-import { n as createIdentificationMiddleware, t as IDENTIFICATION_COOKIE_NAME } from "./identification-DF2nvmng.mjs";
 import { EMAIL_TEMPLATES, createEmailSender, sendBulkEmails, sendEmail } from "./email.mjs";
 import { APIError, generateId, getAuthTables, logger, parseState } from "better-auth";
 import { env } from "@better-auth/core/env";
@@ -10,7 +9,6 @@ import { isValidPhoneNumber, parsePhoneNumberFromString } from "libphonenumber-j
 import { createLocalJWKSet, jwtVerify } from "jose";
 import z$1, { z } from "zod";
 import { setSessionCookie } from "better-auth/cookies";
-import { DEFAULT_MAX_SAML_METADATA_SIZE, DigestAlgorithm, DiscoveryError, SignatureAlgorithm, discoverOIDCConfig } from "@better-auth/sso";
 //#region src/options.ts
 function resolveConnectionOptions(options) {
 	return {
@@ -853,6 +851,152 @@ const initTrackEvents = (options) => {
 	return { tracker: { trackEvent } };
 };
 //#endregion
+//#region src/identification.ts
+/**
+* Identification Service
+*
+* Fetches identification data from the durable-kv service
+* when a request includes an X-Request-Id header.
+*/
+const IDENTIFICATION_COOKIE_NAME = "__infra-rid";
+const identificationCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 6e4;
+const CACHE_MAX_SIZE = 1e3;
+let lastCleanup = Date.now();
+function cleanupCache() {
+	const now = Date.now();
+	for (const [key, value] of identificationCache.entries()) if (now - value.timestamp > CACHE_TTL_MS) identificationCache.delete(key);
+	lastCleanup = now;
+}
+function maybeCleanup() {
+	if (Date.now() - lastCleanup > CACHE_TTL_MS || identificationCache.size > CACHE_MAX_SIZE) cleanupCache();
+}
+/**
+* Fetch identification data from durable-kv by requestId
+*/
+async function getIdentification(requestId, apiKey, kvUrl) {
+	maybeCleanup();
+	const cached = identificationCache.get(requestId);
+	if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) return cached.data;
+	const baseUrl = kvUrl || INFRA_KV_URL;
+	const maxRetries = 3;
+	const retryDelays = [
+		50,
+		100,
+		200
+	];
+	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
+		const response = await fetch(`${baseUrl}/identify/${requestId}`, {
+			method: "GET",
+			headers: { "x-api-key": apiKey },
+			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
+		});
+		if (response.ok) {
+			const data = await response.json();
+			identificationCache.set(requestId, {
+				data,
+				timestamp: Date.now()
+			});
+			return data;
+		}
+		if (response.status === 404 && attempt < maxRetries) {
+			await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt]));
+			continue;
+		}
+		if (response.status !== 404) identificationCache.set(requestId, {
+			data: null,
+			timestamp: Date.now()
+		});
+		return null;
+	} catch (error) {
+		if (attempt === maxRetries) {
+			logger.error("[Dash] Failed to fetch identification:", error);
+			return null;
+		}
+		await new Promise((resolve) => setTimeout(resolve, retryDelays[attempt] || 50));
+	}
+	return null;
+}
+/**
+* Extract identification headers from a request
+*/
+function extractIdentificationHeaders(request) {
+	if (!request) return {
+		visitorId: null,
+		requestId: null
+	};
+	return {
+		visitorId: request.headers.get("X-Visitor-Id"),
+		requestId: request.headers.get("X-Request-Id")
+	};
+}
+/**
+* Early middleware that loads identification data
+*/
+function createIdentificationMiddleware(options) {
+	return createAuthMiddleware(async (ctx) => {
+		const { visitorId, requestId: headerRequestId } = extractIdentificationHeaders(ctx.request);
+		const requestId = headerRequestId ?? ctx.getCookie("__infra-rid") ?? null;
+		ctx.context.visitorId = visitorId;
+		ctx.context.requestId = requestId;
+		if (requestId) ctx.context.identification = ctx.context.identification ?? await getIdentification(requestId, options.apiKey, options.kvUrl) ?? null;
+		else ctx.context.identification = null;
+		const ipConfig = ctx.context.options?.advanced?.ipAddress;
+		if (ipConfig?.disableIpTracking === true) {
+			ctx.context.location = void 0;
+			return;
+		}
+		const identification = ctx.context.identification;
+		if (requestId && identification) {
+			const loc = getLocation(identification);
+			ctx.context.location = {
+				ipAddress: identification.ip || void 0,
+				city: loc?.city || void 0,
+				country: loc?.country?.name || void 0,
+				countryCode: loc?.country?.code || void 0
+			};
+			return;
+		}
+		const ipAddress = getClientIpFromRequest(ctx.request, ipConfig?.ipAddressHeaders || null);
+		const countryCode = getCountryCodeFromRequest(ctx.request);
+		if (ipAddress || countryCode) {
+			ctx.context.location = {
+				ipAddress,
+				countryCode
+			};
+			return;
+		}
+		ctx.context.location = void 0;
+	});
+}
+/**
+* Get the visitor's location
+*/
+function getLocation(identification) {
+	if (!identification) return null;
+	return identification.location;
+}
+function getClientIpFromRequest(request, ipAddressHeaders) {
+	if (!request) return void 0;
+	const headers = ipAddressHeaders?.length ? ipAddressHeaders : [
+		"cf-connecting-ip",
+		"x-forwarded-for",
+		"x-real-ip",
+		"x-vercel-forwarded-for"
+	];
+	for (const headerName of headers) {
+		const value = request.headers.get(headerName);
+		if (!value) continue;
+		const ip = value.split(",")[0]?.trim();
+		if (ip) return ip;
+	}
+}
+function getCountryCodeFromRequest(request) {
+	if (!request) return void 0;
+	const cc = request.headers.get("cf-ipcountry") ?? request.headers.get("x-vercel-ip-country");
+	return cc ? cc.toUpperCase() : void 0;
+}
+//#endregion
 //#region src/validation/matchers.ts
 const paths = [
 	"/sign-up/email",
@@ -2602,7 +2746,7 @@ const jwtValidateMiddleware = (options) => createAuthMiddleware(async (ctx) => {
 });
 //#endregion
 //#region src/version.ts
-const PLUGIN_VERSION = "0.1.14";
+const PLUGIN_VERSION = "0.2.0";
 //#endregion
 //#region src/routes/auth/config.ts
 const PLUGIN_OPTIONS_EXCLUDE_KEYS = { stripe: new Set(["stripeClient"]) };
@@ -2655,7 +2799,7 @@ const getConfig = (options) => {
 					version: plugin.version,
 					options: sanitizePluginOptions(plugin.id, plugin.options)
 				};
-				if (plugin.id === "dash") return {
+				if (plugin.id === "dash" && !plugin.version) return {
 					...base,
 					version: PLUGIN_VERSION
 				};
@@ -4089,11 +4233,13 @@ const listOrganizations = (options) => {
 				field: "name",
 				value: searchTerm,
 				operator: "starts_with",
+				mode: "insensitive",
 				connector: "OR"
 			}, {
 				field: "slug",
 				value: searchTerm,
 				operator: "starts_with",
+				mode: "insensitive",
 				connector: "OR"
 			});
 		}
@@ -4109,7 +4255,7 @@ const listOrganizations = (options) => {
 		});
 		const needsInMemoryProcessing = sortBy === "members" || !!filterMembers;
 		const dbSortBy = sortBy === "members" ? "createdAt" : sortBy;
-		const fetchLimit = needsInMemoryProcessing ? 1500 : limit;
+		const fetchLimit = needsInMemoryProcessing ? 2500 : limit;
 		const fetchOffset = needsInMemoryProcessing ? 0 : offset;
 		const [organizations, initialTotal] = await Promise.all([ctx.context.adapter.findMany({
 			model: "organization",
@@ -5254,8 +5400,16 @@ function getSSOPlugin(ctx) {
 }
 //#endregion
 //#region src/routes/sso-validation.ts
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+/**
+* SAML metadata limits and algorithm URIs aligned with @better-auth/sso
+* (see packages/sso dist constants). Inlined so consumers (e.g. Metro) never
+* statically pull @better-auth/sso for validation-only code paths.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+const RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+const SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
+const DEPRECATED_SIGNATURE_ALGORITHMS = [RSA_SHA1];
+const DEPRECATED_DIGEST_ALGORITHMS = [SHA1];
 function validateSAMLMetadataSize(metadataXml, maxSize = DEFAULT_MAX_SAML_METADATA_SIZE) {
 	if (new TextEncoder().encode(metadataXml).byteLength > maxSize) throw new Error(`IdP metadata exceeds maximum allowed size (${Math.round(maxSize / 1024)}KB)`);
 }
@@ -5283,6 +5437,10 @@ function validateSAMLMetadataAlgorithms(metadataXml) {
 }
 //#endregion
 //#region src/routes/sso/index.ts
+let ssoRuntimeModule;
+function loadSsoRuntime() {
+	return ssoRuntimeModule ??= import("@better-auth/sso");
+}
 function requireOrganizationAccess(ctx) {
 	const orgIdFromUrl = tryDecode(ctx.params.id);
 	const orgIdFromToken = ctx.context.payload?.organizationId;
@@ -5355,6 +5513,7 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 		}] } : {},
 		...samlConfig.cert ? { cert: samlConfig.cert } : {}
 	};
+	const m = samlConfig.mapping;
 	return {
 		config: {
 			issuer: samlConfig.entityId ?? `${baseURL}/sso/saml2/sp/metadata?providerId=${providerId}`,
@@ -5363,7 +5522,15 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 			spMetadata: {},
 			entryPoint: samlConfig.entryPoint ?? "",
 			cert: samlConfig.cert ?? "",
-			...samlConfig.mapping ? { mapping: samlConfig.mapping } : {}
+			...m ? { mapping: {
+				id: m.id ?? "nameID",
+				email: m.email ?? "email",
+				name: m.name ?? "name",
+				emailVerified: m.emailVerified,
+				firstName: m.firstName,
+				lastName: m.lastName,
+				extraFields: m.extraFields
+			} } : {}
 		},
 		...metadataAlgorithmWarnings.length > 0 ? { warnings: metadataAlgorithmWarnings } : {}
 	};
@@ -5377,8 +5544,9 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 	}
 	const issuerHint = oidcConfig.issuer || `https://${normalizedDomain}`;
 	const issuer = issuerHint.startsWith("http") ? issuerHint : `https://${issuerHint}`;
+	const sso = await loadSsoRuntime();
 	try {
-		const hydratedConfig = await discoverOIDCConfig({
+		const hydratedConfig = await sso.discoverOIDCConfig({
 			issuer,
 			discoveryEndpoint: oidcConfig.discoveryUrl,
 			isTrustedOrigin: (url) => {
@@ -5390,6 +5558,7 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 				}
 			}
 		});
+		const om = oidcConfig.mapping;
 		return {
 			config: {
 				clientId: oidcConfig.clientId,
@@ -5402,12 +5571,19 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 				userInfoEndpoint: hydratedConfig.userInfoEndpoint,
 				tokenEndpointAuthentication: hydratedConfig.tokenEndpointAuthentication,
 				pkce: true,
-				...oidcConfig.mapping ? { mapping: oidcConfig.mapping } : {}
+				...om ? { mapping: {
+					id: om.id ?? "sub",
+					email: om.email ?? "email",
+					name: om.name ?? "name",
+					emailVerified: om.emailVerified,
+					image: om.image,
+					extraFields: om.extraFields
+				} } : {}
 			},
 			issuer: hydratedConfig.issuer
 		};
 	} catch (e) {
-		if (e instanceof DiscoveryError) {
+		if (e instanceof sso.DiscoveryError) {
 			ctx.context.logger.error("[Dash] OIDC discovery failed:", e);
 			throw ctx.error("BAD_REQUEST", {
 				message: `OIDC discovery failed: ${e.message}`,
@@ -5494,6 +5670,8 @@ const createSsoProvider = (options) => {
 					...buildSessionContext(userId)
 				}
 			});
+			let verificationToken = null;
+			if ("domainVerificationToken" in result && typeof result.domainVerificationToken === "string") verificationToken = result.domainVerificationToken;
 			return {
 				success: true,
 				provider: {
@@ -5503,7 +5681,7 @@ const createSsoProvider = (options) => {
 				},
 				domainVerification: {
 					txtRecordName: `better-auth-token-${providerId}`,
-					verificationToken: result.domainVerificationToken ?? null
+					verificationToken
 				}
 			};
 		} catch (e) {
@@ -5604,7 +5782,9 @@ const requestSsoVerificationToken = (options) => {
 		requireOrganizationPlugin(ctx);
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin?.endpoints?.requestDomainVerification || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		const endpoints = ssoPlugin.endpoints;
+		if (typeof endpoints.requestDomainVerification !== "function") throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = tryDecode(ctx.params.id);
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5620,7 +5800,7 @@ const requestSsoVerificationToken = (options) => {
 		if (!provider) throw ctx.error("NOT_FOUND", { message: "SSO provider not found" });
 		const txtRecordName = `${ssoPlugin.options?.domainVerification?.tokenPrefix || "better-auth-token"}-${provider.providerId}`;
 		try {
-			const result = await ssoPlugin.endpoints.requestDomainVerification({
+			const result = await endpoints.requestDomainVerification({
 				body: { providerId },
 				context: {
 					...ctx.context,
@@ -5650,7 +5830,9 @@ const verifySsoProviderDomain = (options) => {
 		requireOrganizationPlugin(ctx);
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin?.endpoints?.verifyDomain || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
+		const dvEndpoints = ssoPlugin.endpoints;
+		if (typeof dvEndpoints.verifyDomain !== "function") throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = tryDecode(ctx.params.id);
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5665,7 +5847,7 @@ const verifySsoProviderDomain = (options) => {
 		});
 		if (!provider) throw ctx.error("NOT_FOUND", { message: "SSO provider not found" });
 		try {
-			await ssoPlugin.endpoints.verifyDomain({
+			await dvEndpoints.verifyDomain({
 				body: { providerId },
 				context: {
 					...ctx.context,
@@ -7188,6 +7370,7 @@ const dash = (options) => {
 	return {
 		id: "dash",
 		options: opts,
+		version: PLUGIN_VERSION,
 		init(ctx) {
 			const organizationPlugin = ctx.getPlugin("organization");
 			if (organizationPlugin) {

package/dist/native.d.mts

@@ -0,0 +1,18 @@
+import { a as dashClient, i as DashGetAuditLogsInput, n as DashAuditLogsResponse, r as DashClientOptions, t as DashAuditLog } from "./dash-client-hJHp7l_X.mjs";
+import { BetterAuthClientPlugin } from "better-auth";
+
+//#region src/sentinel/native/client.d.ts
+interface SentinelNativeClientOptions {
+  identifyUrl?: string;
+  autoSolveChallenge?: boolean;
+  onChallengeReceived?: (reason: string) => void;
+  onChallengeSolved?: (solveTimeMs: number) => void;
+  onChallengeFailed?: (error: Error) => void;
+  storage?: {
+    getItem: (key: string) => Promise<string | null>;
+    setItem: (key: string, value: string) => Promise<void>;
+  };
+}
+declare const sentinelNativeClient: (options?: SentinelNativeClientOptions) => BetterAuthClientPlugin;
+//#endregion
+export { type DashAuditLog, type DashAuditLogsResponse, type DashClientOptions, type DashGetAuditLogsInput, type SentinelNativeClientOptions, dashClient, sentinelNativeClient };

package/dist/native.mjs

@@ -0,0 +1,292 @@
+import { a as identify, c as dashClient, n as encodePoWSolution, o as bytesToHex, r as solvePoWChallenge, t as decodePoWChallenge } from "./pow-BUuN_EKw.mjs";
+import { env } from "@better-auth/core/env";
+import { Dimensions, InteractionManager, PixelRatio, Platform } from "react-native";
+//#region src/sentinel/native/components.ts
+/**
+* Default first-party component payload for React Native / Expo.
+* Avoids browser-style entropy; sets `clientRuntime` for durable-kv bot scoring.
+*/
+async function defaultCollectNativeComponents() {
+	const windowDims = Dimensions.get("window");
+	const scale = PixelRatio.get();
+	let locale = "en";
+	let locales = ["en"];
+	try {
+		locale = Intl.DateTimeFormat().resolvedOptions().locale || locale;
+		locales = [locale];
+	} catch {}
+	const nav = globalThis.navigator;
+	if (nav?.languages?.length) locales = [...nav.languages];
+	let timezone = "";
+	let timezoneOffset = 0;
+	try {
+		timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
+		timezoneOffset = (/* @__PURE__ */ new Date()).getTimezoneOffset();
+	} catch {
+		timezone = "unknown";
+	}
+	const components = {
+		clientRuntime: "react-native",
+		platform: Platform.OS,
+		screenResolution: `${Math.round(windowDims.width)}x${Math.round(windowDims.height)}`,
+		pixelRatio: scale,
+		fontScale: windowDims.fontScale,
+		language: locales[0] ?? locale,
+		languages: locales,
+		locale,
+		timezone,
+		timezoneOffset,
+		touchSupport: true,
+		maxTouchPoints: Platform.OS === "ios" ? 5 : 10
+	};
+	if (nav?.userAgent) components.userAgent = nav.userAgent;
+	await applyOptionalExpoMetadata(components);
+	return components;
+}
+async function applyOptionalExpoMetadata(components) {
+	try {
+		const c = (await import("expo-constants")).default;
+		if (c?.expoConfig?.version) components.appVersion = c.expoConfig.version;
+		else if (c?.nativeAppVersion) components.appVersion = c.nativeAppVersion;
+		if (c?.expoConfig?.slug) components.expoSlug = c.expoConfig.slug;
+	} catch {}
+	try {
+		const d = (await import("expo-device")).default;
+		if (d?.modelName) components.deviceModel = d.modelName;
+		if (d?.osVersion) components.osVersion = d.osVersion;
+	} catch {}
+}
+//#endregion
+//#region src/sentinel/native/crypto.ts
+/**
+* Cryptographically secure random bytes for React Native, Node (e.g. Expo API routes),
+* and other runtimes
+*/
+async function randomBytesAsync(length) {
+	const c = globalThis.crypto;
+	if (c && typeof c.getRandomValues === "function") {
+		const bytes = new Uint8Array(length);
+		c.getRandomValues(bytes);
+		return bytes;
+	}
+	try {
+		const { getRandomBytesAsync } = await import("expo-crypto");
+		return await getRandomBytesAsync(length);
+	} catch {
+		throw new Error("[@better-auth/infra] No secure RNG available: use Web Crypto / Node, add `import \"react-native-get-random-values\"` at app entry (before other imports), or install `expo-crypto` with a native dev build.");
+	}
+}
+//#endregion
+//#region src/sentinel/native/fingerprint.ts
+async function randomVisitorId() {
+	return bytesToHex(await randomBytesAsync(10)).slice(0, 20);
+}
+async function generateRequestId() {
+	const h = bytesToHex(await randomBytesAsync(16));
+	return [
+		h.slice(0, 8),
+		h.slice(8, 12),
+		h.slice(12, 16),
+		h.slice(16, 20),
+		h.slice(20, 32)
+	].join("-");
+}
+/** Conservative confidence for first-party native payloads (not web-grade signals). */
+const NATIVE_IDENTIFY_CONFIDENCE = .52;
+/** Logical URL recorded with native identify payloads. */
+const NATIVE_IDENTIFY_CONTEXT_URL = "react-native://identify";
+function createNativeFingerprintRuntime(deps) {
+	let cached = null;
+	let pending = null;
+	let identifySent = false;
+	let identifyComplete = null;
+	let identifyCompleteResolve = null;
+	async function getFingerprint() {
+		if (cached != null) return cached;
+		if (pending != null) return pending;
+		pending = (async () => {
+			try {
+				const visitorId = await deps.getOrCreateVisitorId();
+				const components = await defaultCollectNativeComponents();
+				const result = {
+					visitorId,
+					requestId: await generateRequestId(),
+					confidence: NATIVE_IDENTIFY_CONFIDENCE,
+					components
+				};
+				cached = result;
+				return result;
+			} catch (error) {
+				console.warn("[Sentinel native] Fingerprint generation failed:", error);
+				pending = null;
+				return null;
+			}
+		})();
+		return pending;
+	}
+	async function sendIdentify() {
+		if (identifySent) return;
+		const fingerprint = await getFingerprint();
+		if (!fingerprint) return;
+		identifySent = true;
+		identifyComplete = new Promise((resolve) => {
+			identifyCompleteResolve = resolve;
+		});
+		const payload = {
+			visitorId: fingerprint.visitorId,
+			requestId: fingerprint.requestId,
+			confidence: fingerprint.confidence,
+			components: fingerprint.components,
+			url: NATIVE_IDENTIFY_CONTEXT_URL,
+			incognito: false
+		};
+		try {
+			await identify(deps.identifyUrl, payload);
+		} catch (error) {
+			console.warn("[Sentinel native] Identify request failed:", error);
+		} finally {
+			identifyCompleteResolve?.();
+			identifyCompleteResolve = null;
+		}
+	}
+	async function waitForIdentify(timeoutMs = 500) {
+		if (!identifyComplete) return;
+		await Promise.race([identifyComplete, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
+	}
+	return {
+		getFingerprint,
+		sendIdentify,
+		waitForIdentify
+	};
+}
+const VISITOR_STORAGE_KEY = "better-auth.infra.sentinel.visitorId";
+let memoryVisitorId = null;
+/**
+* Stable per-install visitor id. Prefer passing `storage` (e.g. secure storage).
+* Otherwise tries `@react-native-async-storage/async-storage`, then falls back to an in-memory id (session only).
+*/
+async function getOrCreateVisitorId(storage) {
+	if (storage) {
+		const existing = await storage.getItem(VISITOR_STORAGE_KEY);
+		if (existing) return existing;
+		const id = await randomVisitorId();
+		await storage.setItem(VISITOR_STORAGE_KEY, id);
+		return id;
+	}
+	try {
+		const { default: AsyncStorage } = await import("@react-native-async-storage/async-storage");
+		const existing = await AsyncStorage.getItem(VISITOR_STORAGE_KEY);
+		if (existing) return existing;
+		const id = await randomVisitorId();
+		await AsyncStorage.setItem(VISITOR_STORAGE_KEY, id);
+		return id;
+	} catch {
+		memoryVisitorId ??= await randomVisitorId();
+		return memoryVisitorId;
+	}
+}
+//#endregion
+//#region src/sentinel/native/client.ts
+const DEFAULT_IDENTIFY_URL = "https://kv.better-auth.com";
+function scheduleIdentify(send) {
+	const run = () => {
+		try {
+			send();
+		} catch (e) {
+			console.warn("[Sentinel native] identify schedule error:", e);
+		}
+	};
+	try {
+		const im = InteractionManager;
+		if (im && typeof im.runAfterInteractions === "function") {
+			im.runAfterInteractions(run);
+			return;
+		}
+	} catch {}
+	if (typeof queueMicrotask === "function") queueMicrotask(run);
+	else setTimeout(run, 0);
+}
+const sentinelNativeClient = (options) => {
+	const autoSolve = options?.autoSolveChallenge !== false;
+	const runtime = createNativeFingerprintRuntime({
+		identifyUrl: options?.identifyUrl ?? env.BETTER_AUTH_KV_URL ?? DEFAULT_IDENTIFY_URL,
+		getOrCreateVisitorId: () => getOrCreateVisitorId(options?.storage)
+	});
+	scheduleIdentify(() => {
+		runtime.sendIdentify();
+	});
+	return {
+		id: "sentinel",
+		fetchPlugins: [{
+			id: "sentinel-fingerprint",
+			name: "sentinel-fingerprint",
+			hooks: { async onRequest(context) {
+				await runtime.waitForIdentify(500);
+				const fingerprint = await runtime.getFingerprint();
+				if (!fingerprint) return context;
+				const headers = context.headers || new Headers();
+				if (headers instanceof Headers) {
+					headers.set("X-Visitor-Id", fingerprint.visitorId);
+					headers.set("X-Request-Id", fingerprint.requestId);
+				}
+				return {
+					...context,
+					headers
+				};
+			} }
+		}, {
+			id: "sentinel-pow-solver",
+			name: "sentinel-pow-solver",
+			hooks: {
+				async onResponse(context) {
+					if (context.response.status !== 423 || !autoSolve) return context;
+					const challengeHeader = context.response.headers.get("X-PoW-Challenge");
+					const reason = context.response.headers.get("X-PoW-Reason") || "";
+					if (!challengeHeader) return context;
+					options?.onChallengeReceived?.(reason);
+					const challenge = decodePoWChallenge(challengeHeader);
+					if (!challenge) return context;
+					try {
+						const startTime = Date.now();
+						const solution = await solvePoWChallenge(challenge);
+						const solveTime = Date.now() - startTime;
+						options?.onChallengeSolved?.(solveTime);
+						const originalUrl = context.response.url;
+						const fingerprint = await runtime.getFingerprint();
+						const retryHeaders = new Headers();
+						retryHeaders.set("X-PoW-Solution", encodePoWSolution(solution));
+						if (fingerprint) {
+							retryHeaders.set("X-Visitor-Id", fingerprint.visitorId);
+							retryHeaders.set("X-Request-Id", fingerprint.requestId);
+						}
+						retryHeaders.set("Content-Type", "application/json");
+						let body;
+						if (context.request?.body) body = context.request._originalBody;
+						const retryResponse = await fetch(originalUrl, {
+							method: context.request?.method || "POST",
+							headers: retryHeaders,
+							body
+						});
+						return {
+							...context,
+							response: retryResponse
+						};
+					} catch (err) {
+						console.error("[Sentinel native] Failed to solve PoW challenge:", err);
+						options?.onChallengeFailed?.(err instanceof Error ? err : new Error(String(err)));
+						return context;
+					}
+				},
+				async onRequest(context) {
+					if (context.body) {
+						const ctx = context;
+						ctx._originalBody = context.body;
+					}
+					return context;
+				}
+			}
+		}]
+	};
+};
+//#endregion
+export { dashClient, sentinelNativeClient };