@better-auth/infra 0.1.7 → 0.1.9-beta.1

package/dist/index.mjs

@@ -1,4 +1,5 @@
-import { a as INFRA_KV_URL, i as INFRA_API_URL, n as createEmailSender, r as sendEmail, t as EMAIL_TEMPLATES } from "./email-BGxJ96Ky.mjs";
+import { n as INFRA_KV_URL, r as KV_TIMEOUT_MS, t as INFRA_API_URL } from "./constants-DWl1utFw.mjs";
+import { EMAIL_TEMPLATES, createEmailSender, sendBulkEmails, sendEmail } from "./email.mjs";
 import { APIError, generateId, getAuthTables, logger, parseState } from "better-auth";
 import { env } from "@better-auth/core/env";
 import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, requestPasswordReset, sendVerificationEmailFn, sessionMiddleware } from "better-auth/api";
@@ -9,8 +10,6 @@ import z$1, { z } from "zod";
 import { setSessionCookie } from "better-auth/cookies";
 import { DEFAULT_MAX_SAML_METADATA_SIZE, DigestAlgorithm, DiscoveryError, SignatureAlgorithm, discoverOIDCConfig } from "@better-auth/sso";
 
-export * from "better-call"
-
 //#region src/options.ts
 function resolveConnectionOptions(options) {
 	return {
@@ -141,11 +140,11 @@ function backgroundTask(task) {
 	try {
 		result = task();
 	} catch (error) {
-		logger.debug("Error performing background operation: ", error);
+		logger.debug("[Dash] Background operation failed: ", error);
 		return;
 	}
 	Promise.resolve(result).catch((error) => {
-		logger.debug("Error performing background operation: ", error);
+		logger.debug("[Dash] Background operation failed: ", error);
 	});
 }
 
@@ -167,7 +166,7 @@ const getUserByEmail = async (email, ctx) => {
 			}]
 		});
 	} catch (error) {
-		logger.debug("Error fetching user info: ", error);
+		logger.debug("[Dash] Failed to fetch user info:", error);
 	}
 	return user;
 };
@@ -186,7 +185,9 @@ async function getUserById(userId, ctx) {
 				value: userId
 			}]
 		});
-	} catch {}
+	} catch (error) {
+		logger.debug("[Dash] Failed to fetch user info:", error);
+	}
 	return user;
 }
 const getUserByIdToken = async (providerId, idToken, ctx) => {
@@ -195,7 +196,7 @@ const getUserByIdToken = async (providerId, idToken, ctx) => {
 	if (provider) try {
 		user = await provider.getUserInfo(idToken);
 	} catch (error) {
-		logger.debug("Error fetching user info: ", error);
+		logger.debug("[Dash] Failed to fetch user info:", error);
 	}
 	return user;
 };
@@ -213,7 +214,7 @@ const getUserByAuthorizationCode = async (providerId, ctx) => {
 		});
 		userInfo = await provider.getUserInfo({ ...tokens }).then((res) => res?.user);
 	} catch (error) {
-		logger.debug("Error fetching user info: ", error);
+		logger.debug("[Dash] Failed to fetch user info:", error);
 	}
 	return userInfo;
 };
@@ -306,7 +307,7 @@ const initAccountEvents = (tracker) => {
 const stripQuery = (value) => value.split("?")[0] || value;
 const escapeRegex = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 const routeToRegex = (route) => {
-	const pattern = escapeRegex(stripQuery(route)).replace(/\\\/:([^/]+)/g, "/[^/]+");
+	const pattern = escapeRegex(stripQuery(route)).replace(/\/:([^/]+)/g, "/[^/]+");
 	return /* @__PURE__ */ new RegExp(`${pattern}(?:$|[/?])`);
 };
 const matchesAnyRoute = (path, routes$1) => {
@@ -805,7 +806,7 @@ const initVerificationEvents = (tracker) => {
 //#endregion
 //#region src/events/triggers.ts
 const getTriggerInfo = (ctx, userId, session) => {
-	const sessionUserId = session?.userId ?? ctx.context.session?.session.userId ?? UNKNOWN_USER;
+	const sessionUserId = session?.userId ?? ctx.context.session?.session.userId ?? userId;
 	return {
 		triggeredBy: sessionUserId,
 		triggerContext: sessionUserId === userId ? "user" : matchesAnyRoute(ctx.path, [routes.ADMIN_ROUTE]) ? "admin" : matchesAnyRoute(ctx.path, [routes.DASH_ROUTE]) ? "dashboard" : sessionUserId === UNKNOWN_USER ? "user" : "unknown"
@@ -863,6 +864,7 @@ const initTrackEvents = (options) => {
 * Fetches identification data from the durable-kv service
 * when a request includes an X-Request-Id header.
 */
+const IDENTIFICATION_COOKIE_NAME = "__infra-rid";
 const identificationCache = /* @__PURE__ */ new Map();
 const CACHE_TTL_MS = 6e4;
 const CACHE_MAX_SIZE = 1e3;
@@ -892,7 +894,8 @@ async function getIdentification(requestId, apiKey, kvUrl) {
 	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
 		const response = await fetch(`${baseUrl}/identify/${requestId}`, {
 			method: "GET",
-			headers: { "x-api-key": apiKey }
+			headers: { "x-api-key": apiKey },
+			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
 		});
 		if (response.ok) {
 			const data = await response.json();
@@ -938,7 +941,8 @@ function extractIdentificationHeaders(request) {
 */
 function createIdentificationMiddleware(options) {
 	return createAuthMiddleware(async (ctx) => {
-		const { visitorId, requestId } = extractIdentificationHeaders(ctx.request);
+		const { visitorId, requestId: headerRequestId } = extractIdentificationHeaders(ctx.request);
+		const requestId = headerRequestId ?? ctx.getCookie(IDENTIFICATION_COOKIE_NAME) ?? null;
 		ctx.context.visitorId = visitorId;
 		ctx.context.requestId = requestId;
 		if (requestId) ctx.context.identification = ctx.context.identification ?? await getIdentification(requestId, options.apiKey, options.kvUrl) ?? null;
@@ -1020,7 +1024,8 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 	const resolvedApiUrl = apiUrl || INFRA_API_URL;
 	const $api = createFetch({
 		baseURL: resolvedApiUrl,
-		headers: { "x-api-key": apiKey }
+		headers: { "x-api-key": apiKey },
+		throw: true
 	});
 	const emailSender = createEmailSender({
 		apiUrl: resolvedApiUrl,
@@ -1036,14 +1041,14 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 	return {
 		async checkSecurity(request) {
 			try {
-				const { data } = await $api("/security/check", {
+				const data = await $api("/security/check", {
 					method: "POST",
 					body: {
 						...request,
 						config: options
 					}
 				});
-				if (data && data.action !== "allow") logEvent({
+				if (data.action !== "allow") logEvent({
 					type: this.mapReasonToEventType(data.reason),
 					userId: null,
 					visitorId: request.visitorId,
@@ -1052,7 +1057,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 					details: data.details || { reason: data.reason },
 					action: data.action === "block" ? "blocked" : "challenged"
 				});
-				return data || { action: "allow" };
+				return data;
 			} catch (error) {
 				logger.error("[Dash] Security check failed:", error);
 				return { action: "allow" };
@@ -1070,7 +1075,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		},
 		async trackFailedAttempt(identifier, visitorId, password, ip) {
 			try {
-				const { data } = await $api("/security/track-failed-login", {
+				const data = await $api("/security/track-failed-login", {
 					method: "POST",
 					body: {
 						identifier,
@@ -1080,7 +1085,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 						config: options
 					}
 				});
-				if (data?.blocked || data?.challenged) logEvent({
+				if (data.blocked || data.challenged) logEvent({
 					type: "credential_stuffing",
 					userId: null,
 					visitorId,
@@ -1089,7 +1094,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 					details: data.details || { reason: data.reason },
 					action: data.blocked ? "blocked" : "challenged"
 				});
-				return data || { blocked: false };
+				return data;
 			} catch (error) {
 				logger.error("[Dash] Track failed attempt error:", error);
 				return { blocked: false };
@@ -1107,26 +1112,23 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		},
 		async isBlocked(visitorId) {
 			try {
-				const { data } = await $api(`/security/is-blocked?visitorId=${encodeURIComponent(visitorId)}`, { method: "GET" });
-				return data?.blocked ?? false;
-			} catch {
+				return (await $api(`/security/is-blocked?visitorId=${encodeURIComponent(visitorId)}`, { method: "GET" })).blocked ?? false;
+			} catch (error) {
+				logger.warn("[Dash] Security is-blocked check failed:", error);
 				return false;
 			}
 		},
 		async verifyPoWSolution(visitorId, solution) {
 			try {
-				const { data } = await $api("/security/pow/verify", {
+				return await $api("/security/pow/verify", {
 					method: "POST",
 					body: {
 						visitorId,
 						solution
 					}
 				});
-				return data || {
-					valid: false,
-					reason: "unknown"
-				};
-			} catch {
+			} catch (error) {
+				logger.warn("[Dash] PoW verify failed:", error);
 				return {
 					valid: false,
 					reason: "error"
@@ -1135,22 +1137,22 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		},
 		async generateChallenge(visitorId) {
 			try {
-				const { data } = await $api("/security/pow/generate", {
+				return (await $api("/security/pow/generate", {
 					method: "POST",
 					body: {
 						visitorId,
 						difficulty: options.challengeDifficulty
 					}
-				});
-				return data?.challenge || "";
-			} catch {
+				})).challenge || "";
+			} catch (error) {
+				logger.warn("[Dash] PoW generate challenge failed:", error);
 				return "";
 			}
 		},
 		async checkImpossibleTravel(userId, currentLocation, visitorId) {
 			if (!options.impossibleTravel?.enabled || !currentLocation) return null;
 			try {
-				const { data } = await $api("/security/impossible-travel", {
+				const data = await $api("/security/impossible-travel", {
 					method: "POST",
 					body: {
 						userId,
@@ -1159,7 +1161,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 						config: options
 					}
 				});
-				if (data?.isImpossible) {
+				if (data.isImpossible) {
 					const actionTaken = data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged";
 					logEvent({
 						type: "impossible_travel",
@@ -1177,8 +1179,9 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 						action: actionTaken
 					});
 				}
-				return data || null;
-			} catch {
+				return data;
+			} catch (error) {
+				logger.warn("[Dash] Impossible travel check failed:", error);
 				return null;
 			}
 		},
@@ -1204,14 +1207,14 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 				action: "log"
 			};
 			try {
-				const { data } = await $api("/security/free-trial-abuse/check", {
+				const data = await $api("/security/free-trial-abuse/check", {
 					method: "POST",
 					body: {
 						visitorId,
 						config: options
 					}
 				});
-				if (data?.isAbuse) logEvent({
+				if (data.isAbuse) logEvent({
 					type: "free_trial_abuse",
 					userId: null,
 					visitorId,
@@ -1223,13 +1226,9 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 					},
 					action: data.action === "block" ? "blocked" : "logged"
 				});
-				return data || {
-					isAbuse: false,
-					accountCount: 0,
-					maxAccounts: 0,
-					action: "log"
-				};
-			} catch {
+				return data;
+			} catch (error) {
+				logger.warn("[Dash] Free trial abuse check failed:", error);
 				return {
 					isAbuse: false,
 					accountCount: 0,
@@ -1254,17 +1253,17 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		},
 		async checkCompromisedPassword(password) {
 			try {
-				const hash = await sha1Hash(password);
-				const prefix = hash.substring(0, 5);
-				const suffix = hash.substring(5);
-				const { data } = await $api("/security/breached-passwords", {
+				const hash$1 = await sha1Hash(password);
+				const prefix = hash$1.substring(0, 5);
+				const suffix = hash$1.substring(5);
+				const data = await $api("/security/breached-passwords", {
 					method: "POST",
 					body: {
 						passwordPrefix: prefix,
 						config: options
 					}
 				});
-				if (!data?.enabled) return { compromised: false };
+				if (!data.enabled) return { compromised: false };
 				const breachCount = (data.suffixes || {})[suffix] || 0;
 				const minBreachCount = data.minBreachCount ?? 1;
 				const action = data.action || "block";
@@ -1291,7 +1290,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		async checkStaleUser(userId, lastActiveAt) {
 			if (!options.staleUsers?.enabled) return { isStale: false };
 			try {
-				const { data } = await $api("/security/stale-user", {
+				const data = await $api("/security/stale-user", {
 					method: "POST",
 					body: {
 						userId,
@@ -1299,7 +1298,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 						config: options
 					}
 				});
-				if (data?.isStale) logEvent({
+				if (data.isStale) logEvent({
 					type: "stale_account_reactivation",
 					userId,
 					visitorId: null,
@@ -1314,7 +1313,7 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 					},
 					action: data.action === "block" ? "blocked" : data.action === "challenge" ? "challenged" : "logged"
 				});
-				return data || { isStale: false };
+				return data;
 			} catch (error) {
 				logger.error("[Dash] Stale user check error:", error);
 				return { isStale: false };
@@ -1496,8 +1495,13 @@ async function handleSecurityVerdict(verdict, ctx, trackEvent, securityService)
 	const reason = verdict.reason || "unknown";
 	const confidence = 1;
 	if (verdict.action === "challenge" && ctx.visitorId) {
+		const challenge = verdict.challenge || await securityService.generateChallenge(ctx.visitorId);
+		if (!challenge?.trim()) {
+			logger.warn("[Sentinel] Could not generate PoW challenge (service may be unavailable). Falling back to allow.");
+			return;
+		}
 		trackEvent(buildEventData(ctx, "challenged", reason, confidence, verdict.details));
-		throwChallengeError(verdict.challenge || await securityService.generateChallenge(ctx.visitorId), reason, "Please complete a security check to continue.");
+		throwChallengeError(challenge, reason, "Please complete a security check to continue.");
 	} else if (verdict.action === "block") {
 		trackEvent(buildEventData(ctx, "blocked", reason, confidence, verdict.details));
 		throw new APIError("FORBIDDEN", { message: ERROR_MESSAGES[reason] || "Access denied." });
@@ -1633,7 +1637,8 @@ function createEmailValidator(options = {}) {
 	});
 	const $kv = createFetch({
 		baseURL: kvUrl,
-		headers: { "x-api-key": apiKey }
+		headers: { "x-api-key": apiKey },
+		timeout: KV_TIMEOUT_MS
 	});
 	/**
 	* Fetch and resolve email validity policy from API with caching
@@ -2124,12 +2129,19 @@ const sentinel = (options) => {
 						try {
 							user = await hookCtx.context.adapter.findOne({
 								model: "user",
+								select: [
+									"email",
+									"name",
+									"lastActiveAt"
+								],
 								where: [{
 									field: "id",
 									value: session.userId
 								}]
 							});
-						} catch {}
+						} catch (error) {
+							logger.warn("[Sentinel] Failed to fetch user for security checks:", error);
+						}
 						if (visitorId) {
 							if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) backgroundTask(() => securityService.notifyUnknownDevice(session.userId, user.email, identification));
 						}
@@ -2628,16 +2640,49 @@ const initTeamEvents = (tracker) => {
 //#endregion
 //#region src/jwt.ts
 /**
+* Hash the given value
+* Note: Must match @infra/crypto hash()
+* @param value - The value to hash
+*/
+async function hash(value) {
+	const data = new TextEncoder().encode(value);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+	const hashArray = new Uint8Array(hashBuffer);
+	return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
 * Skip JTI check for JWTs issued within this many seconds.
 * This is safe because replay attacks require time for interception.
 * A freshly issued token is almost certainly legitimate.
 */
 const JTI_CHECK_GRACE_PERIOD_SECONDS = 30;
-async function getJWKs(apiUrl) {
+const JWKS_CACHE_TTL_MS = 900 * 1e3;
+const jwksCache = /* @__PURE__ */ new Map();
+const inflightRequests = /* @__PURE__ */ new Map();
+async function fetchJWKS(apiUrl) {
 	const jwks = await betterFetch(`${apiUrl}/api/auth/jwks`);
 	if (!jwks.data) throw new APIError$1("UNAUTHORIZED", { message: "Invalid API key" });
+	jwksCache.set(apiUrl, {
+		data: jwks.data,
+		expiresAt: Date.now() + JWKS_CACHE_TTL_MS
+	});
 	return createLocalJWKSet(jwks.data);
 }
+async function prefetchJWKS(apiUrl) {
+	const fetchPromise = fetchJWKS(apiUrl);
+	inflightRequests.set(apiUrl, fetchPromise);
+	fetchPromise.finally(() => inflightRequests.delete(apiUrl));
+	return fetchPromise;
+}
+async function getJWKs(apiUrl) {
+	const cached = jwksCache.get(apiUrl);
+	if (cached && Date.now() < cached.expiresAt) return createLocalJWKSet(cached.data);
+	if (cached) {
+		if (!inflightRequests.has(apiUrl)) prefetchJWKS(apiUrl);
+		return createLocalJWKSet(cached.data);
+	}
+	return inflightRequests.get(apiUrl) ?? prefetchJWKS(apiUrl);
+}
 /**
 * Check if JWT is recently issued and can skip JTI verification.
 * JWTs issued within the grace period are trusted without JTI check
@@ -2651,19 +2696,24 @@ function isRecentlyIssued(payload) {
 const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (ctx) => {
 	const jwsFromHeader = getJWT ? await getJWT(ctx) : ctx.headers?.get("Authorization")?.split(" ")[1];
 	if (!jwsFromHeader) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
-	const { payload } = await jwtVerify(jwsFromHeader, await getJWKs(options.apiUrl), { maxTokenAge: "5m" }).catch(() => {
+	const { payload } = await jwtVerify(jwsFromHeader, await getJWKs(options.apiUrl), { maxTokenAge: "5m" }).catch((e) => {
+		ctx.context.logger.error("[Dash] JWT verification failed:", e);
 		throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	});
 	if (!isRecentlyIssued(payload)) {
 		if (!(await betterFetch("/api/auth/check-jti", {
 			baseURL: options.apiUrl,
 			method: "POST",
+			headers: { "x-api-key": options.apiKey },
 			body: {
 				jti: payload.jti,
 				expiresAt: payload.exp
 			}
 		})).data?.valid) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	}
+	const apiKeyHash = payload.apiKeyHash;
+	if (typeof apiKeyHash !== "string" || !options.apiKey) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	if (apiKeyHash !== await hash(options.apiKey)) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	if (schema) {
 		const parsed = schema.safeParse(payload);
 		if (!parsed.success) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
@@ -2674,6 +2724,33 @@ const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (c
 
 //#endregion
 //#region src/routes/config.ts
+const PLUGIN_OPTIONS_EXCLUDE_KEYS = { stripe: new Set(["stripeClient"]) };
+function isPlainSerializable(value) {
+	if (value === null || typeof value !== "object") return true;
+	if (Array.isArray(value)) return true;
+	if (value instanceof Date) return true;
+	const constructor = Object.getPrototypeOf(value)?.constructor;
+	if (constructor && constructor.name !== "Object" && constructor.name !== "Array") return false;
+	return true;
+}
+function sanitizePluginOptions(pluginId, options, seen = /* @__PURE__ */ new WeakSet()) {
+	if (options === null || options === void 0) return options;
+	if (typeof options === "function") return void 0;
+	if (typeof options !== "object") return options;
+	if (seen.has(options)) return void 0;
+	seen.add(options);
+	const excludeKeys = PLUGIN_OPTIONS_EXCLUDE_KEYS[pluginId];
+	if (Array.isArray(options)) return options.map((item) => sanitizePluginOptions(pluginId, item, seen)).filter((item) => item !== void 0);
+	const result = {};
+	for (const [key, value] of Object.entries(options)) {
+		if (excludeKeys?.has(key)) continue;
+		if (typeof value === "function") continue;
+		if (value !== null && typeof value === "object" && !isPlainSerializable(value)) continue;
+		const sanitized = sanitizePluginOptions(pluginId, value, seen);
+		if (sanitized !== void 0) result[key] = sanitized;
+	}
+	return result;
+}
 function estimateEntropy(str) {
 	const unique = new Set(str).size;
 	if (unique === 0) return 0;
@@ -2685,6 +2762,7 @@ const getConfig = (options) => {
 		use: [jwtMiddleware(options)]
 	}, async (ctx) => {
 		const advancedOptions = ctx.context.options.advanced;
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		return {
 			version: ctx.context.version || null,
 			socialProviders: Object.keys(ctx.context.options.socialProviders || {}),
@@ -2693,13 +2771,13 @@ const getConfig = (options) => {
 				return {
 					id: plugin.id,
 					schema: plugin.schema,
-					options: plugin.options
+					options: sanitizePluginOptions(plugin.id, plugin.options)
 				};
 			}),
 			organization: {
-				sendInvitationEmailEnabled: !!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")?.options?.sendInvitationEmail,
+				sendInvitationEmailEnabled: !!organizationPlugin?.options?.sendInvitationEmail,
 				additionalFields: (() => {
-					const orgAdditionalFields = (ctx.context.options.plugins?.find((plugin) => plugin.id === "organization"))?.options?.schema?.organization?.additionalFields || {};
+					const orgAdditionalFields = organizationPlugin?.options?.schema?.organization?.additionalFields || {};
 					return Object.keys(orgAdditionalFields).map((field) => {
 						const fieldType = orgAdditionalFields[field];
 						return {
@@ -2853,7 +2931,8 @@ const listOrganizationDirectories = (options) => {
 				providerId: provider.providerId,
 				scimEndpoint: getScimEndpoint(ctx.context.baseURL)
 			}));
-		} catch {
+		} catch (error) {
+			ctx.context.logger.warn("[Dash] Failed to list SCIM provider connections:", error);
 			return [];
 		}
 	});
@@ -3036,7 +3115,10 @@ const getUserEvents = (options) => {
 				offset: offset.toString()
 			}
 		});
-		if (error || !data) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch events" });
+		if (error || !data) {
+			ctx.context.logger.error("[Dash] Failed to fetch events:", error);
+			throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch events" });
+		}
 		let events = data.events.map(transformEvent);
 		if (ctx.query?.eventType) events = events.filter((event) => event.eventType === ctx.query?.eventType);
 		return {
@@ -3118,7 +3200,10 @@ const getAuditLogs = (options) => {
 					offset: offset.toString()
 				}
 			});
-			if (error || !data) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch organization audit logs" });
+			if (error || !data) {
+				ctx.context.logger.error("[Dash] Failed to fetch organization audit logs:", error);
+				throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch organization audit logs" });
+			}
 			rawEvents = data.events;
 			total = data.total;
 			responseLimit = data.limit;
@@ -3132,7 +3217,10 @@ const getAuditLogs = (options) => {
 					offset: offset.toString()
 				}
 			});
-			if (error || !data) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch user audit logs" });
+			if (error || !data) {
+				ctx.context.logger.error("[Dash] Failed to fetch user audit logs:", error);
+				throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to fetch user audit logs" });
+			}
 			rawEvents = data.events;
 			total = data.total;
 			responseLimit = data.limit;
@@ -3503,7 +3591,8 @@ const listOrganizationLogDrains = (options) => {
 				...drain,
 				config: maskSensitiveConfig(drain.config, drain.destinationType)
 			}));
-		} catch {
+		} catch (error) {
+			ctx.context.logger.warn("[Dash] Failed to list log drains:", error);
 			return [];
 		}
 	});
@@ -3765,6 +3854,7 @@ const testOrganizationLogDrain = (options) => {
 			}
 			return { success: true };
 		} catch (error) {
+			ctx.context.logger.warn("[Dash] Log drain test failed:", error);
 			return {
 				success: false,
 				error: error instanceof Error ? error.message : "Unknown error"
@@ -3773,6 +3863,89 @@ const testOrganizationLogDrain = (options) => {
 	});
 };
 
+//#endregion
+//#region src/export-factory.ts
+const exportFactory = (input, options) => async (ctx) => {
+	const batchSize = options?.batchSize || 1e4;
+	const staleMs = options?.staleMs || 300 * 1e3;
+	const enabledFields = options?.enabledFields || [];
+	const userLimit = input.limit;
+	const userOffset = input.offset || 0;
+	const abortController = new AbortController();
+	let page = 0;
+	let totalExported = 0;
+	let staleTimeout;
+	const resetTimeout = () => {
+		clearTimeout(staleTimeout);
+		staleTimeout = setTimeout(() => {
+			abortController.abort();
+		}, staleMs);
+	};
+	const stream = new ReadableStream({ async start(controller) {
+		const start = performance.now();
+		resetTimeout();
+		try {
+			while (true) {
+				let effectiveBatchSize = batchSize;
+				if (userLimit !== void 0) {
+					const remaining = userLimit - totalExported;
+					if (remaining <= 0) break;
+					effectiveBatchSize = Math.min(batchSize, remaining);
+				}
+				const batch = await ctx.context.adapter.findMany({
+					...input,
+					limit: effectiveBatchSize,
+					offset: userOffset + page * batchSize
+				});
+				resetTimeout();
+				if (batch.length === 0) {
+					if (page === 0) throw new APIError("FAILED_DEPENDENCY", { message: "Nothing found to export" });
+					break;
+				}
+				let processedBatch = batch;
+				if (enabledFields.length > 0) processedBatch = batch.map((item) => Object.fromEntries(enabledFields.map((key) => [key, item?.[key] ?? null])));
+				const chunk = processedBatch.map((u) => options?.processRow ? options.processRow(u) : u).filter((v) => v !== void 0).map((u) => JSON.stringify(u)).join("\n") + "\n";
+				controller.enqueue(new TextEncoder().encode(chunk));
+				totalExported += batch.length;
+				page++;
+				if (userLimit !== void 0 && totalExported >= userLimit) break;
+				resetTimeout();
+			}
+		} catch (err) {
+			if (!abortController.signal.aborted) console.error("Export stream failed:", err);
+		} finally {
+			clearTimeout(staleTimeout);
+			controller.close();
+			const end = performance.now();
+			console.log(`Export streamed ${totalExported} records in ${Math.round((end - start) / 1e3)}s` + (abortController.signal.aborted ? " (stale timeout)" : ""));
+		}
+	} });
+	return new Response(stream, { headers: { "Content-Type": "application/x-ndjson" } });
+};
+
+//#endregion
+//#region src/helper.ts
+function* chunkArray(arr, options) {
+	const batchSize = options?.batchSize || 200;
+	for (let i = 0; i < arr.length; i += batchSize) yield arr.slice(i, i + batchSize);
+}
+async function withConcurrency(items, fn, options) {
+	const concurrency = options?.concurrency || 5;
+	const results = [];
+	const executing = [];
+	const run = async () => {
+		const batchResults = await Promise.all(executing);
+		results.push(...batchResults);
+		executing.length = 0;
+	};
+	for (const item of items) {
+		executing.push(fn(item));
+		if (executing.length >= concurrency) await run();
+	}
+	if (executing.length > 0) await run();
+	return results;
+}
+
 //#endregion
 //#region src/validation/ssrf.ts
 /**
@@ -3865,9 +4038,7 @@ function buildSessionContext(userId, user) {
 	} };
 }
 function getSSOPlugin(ctx) {
-	const plugin = ctx.context.options.plugins?.find((p) => p.id === "sso");
-	if (!plugin || !("endpoints" in plugin)) return null;
-	return plugin;
+	return ctx.context.getPlugin("sso");
 }
 
 //#endregion
@@ -3916,12 +4087,19 @@ const listOrganizations = (options) => {
 				"members"
 			]).optional(),
 			sortOrder: z$1.enum(["asc", "desc"]).optional(),
+			filterMembers: z$1.enum([
+				"abandoned",
+				"eq1",
+				"gt1",
+				"gt5",
+				"gt10"
+			]).optional(),
 			search: z$1.string().optional(),
 			startDate: z$1.date().or(z$1.string().transform((val) => new Date(val))).optional(),
 			endDate: z$1.date().or(z$1.string().transform((val) => new Date(val))).optional()
 		}).optional()
 	}, async (ctx) => {
-		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search } = ctx.query || {};
+		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search, filterMembers } = ctx.query || {};
 		const where = [];
 		if (search && search.trim().length > 0) {
 			const searchTerm = search.trim();
@@ -3947,26 +4125,64 @@ const listOrganizations = (options) => {
 			value: ctx.query.endDate,
 			operator: "lte"
 		});
+		const needsInMemoryProcessing = sortBy === "members" || !!filterMembers;
+		const dbSortBy = sortBy === "members" ? "createdAt" : sortBy;
 		const [organizations, initialTotal] = await Promise.all([ctx.context.adapter.findMany({
 			model: "organization",
 			where,
-			limit,
-			offset,
+			...needsInMemoryProcessing ? {} : {
+				limit,
+				offset
+			},
 			sortBy: {
-				field: sortBy,
+				field: dbSortBy,
 				direction: sortOrder
-			},
-			join: { member: true }
-		}), ctx.context.adapter.count({
+			}
+		}), needsInMemoryProcessing ? Promise.resolve(0) : ctx.context.adapter.count({
 			model: "organization",
 			where
 		})]);
-		const withCounts = organizations.map((organization) => ({
-			...organization,
-			memberCount: organization.member.length
-		}));
+		const orgIds = organizations.map((o) => o.id);
+		const allMembers = orgIds.length > 0 ? await ctx.context.adapter.findMany({
+			model: "member",
+			where: [{
+				field: "organizationId",
+				value: orgIds,
+				operator: "in"
+			}]
+		}) : [];
+		const membersByOrg = /* @__PURE__ */ new Map();
+		for (const m of allMembers) {
+			const list = membersByOrg.get(m.organizationId) || [];
+			list.push(m);
+			membersByOrg.set(m.organizationId, list);
+		}
+		let withCounts = organizations.map((organization) => {
+			const orgMembers = membersByOrg.get(organization.id) || [];
+			return {
+				...organization,
+				_members: orgMembers,
+				memberCount: orgMembers.length
+			};
+		});
+		if (filterMembers) {
+			const predicate = {
+				abandoned: (c) => c === 0,
+				eq1: (c) => c === 1,
+				gt1: (c) => c > 1,
+				gt5: (c) => c > 5,
+				gt10: (c) => c > 10
+			}[filterMembers];
+			if (predicate) withCounts = withCounts.filter((o) => predicate(o.memberCount));
+		}
+		if (sortBy === "members") {
+			const dir = sortOrder === "asc" ? 1 : -1;
+			withCounts.sort((a, b) => (a.memberCount - b.memberCount) * dir);
+		}
+		const total = needsInMemoryProcessing ? withCounts.length : initialTotal;
+		if (needsInMemoryProcessing) withCounts = withCounts.slice(offset, offset + limit);
 		const allUserIds = /* @__PURE__ */ new Set();
-		for (const organization of withCounts) for (const member of organization.member.slice(0, 5)) allUserIds.add(member.userId);
+		for (const organization of withCounts) for (const member of organization._members.slice(0, 5)) allUserIds.add(member.userId);
 		const users = allUserIds.size > 0 ? await ctx.context.adapter.findMany({
 			model: "user",
 			where: [{
@@ -3978,29 +4194,63 @@ const listOrganizations = (options) => {
 		const userMap = new Map(users.map((u) => [u.id, u]));
 		return {
 			organizations: withCounts.map((organization) => {
-				const members = organization.member.slice(0, 5).map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
+				const members = organization._members.slice(0, 5).map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
 					id: u.id,
 					name: u.name,
 					email: u.email,
 					image: u.image
 				}));
+				const { _members, ...org } = organization;
 				return {
-					...organization,
+					...org,
 					members
 				};
 			}),
-			total: initialTotal,
+			total,
 			offset,
 			limit
 		};
 	});
 };
+function parseWhereClause$1(val) {
+	if (!val) return [];
+	const parsed = JSON.parse(val);
+	if (!Array.isArray(parsed)) return [];
+	return parsed;
+}
+const exportOrganizationsQuerySchema = z$1.object({
+	limit: z$1.number().or(z$1.string().transform(Number)).optional(),
+	offset: z$1.number().or(z$1.string().transform(Number)).optional(),
+	sortBy: z$1.string().optional(),
+	sortOrder: z$1.enum(["asc", "desc"]).optional(),
+	where: z$1.string().transform(parseWhereClause$1).optional()
+}).optional();
+const exportOrganizations = (options) => {
+	return createAuthEndpoint("/dash/export-organizations", {
+		method: "GET",
+		use: [jwtMiddleware(options)],
+		query: exportOrganizationsQuerySchema
+	}, async (ctx) => {
+		const sortBy = ctx.query?.sortBy || "createdAt";
+		const sortOrder = ctx.query?.sortOrder || "desc";
+		return exportFactory({
+			model: "organization",
+			limit: ctx.query?.limit,
+			offset: ctx.query?.offset ?? 0,
+			sortBy: {
+				field: sortBy,
+				direction: sortOrder
+			},
+			where: ctx.query?.where
+		})(ctx);
+	});
+};
 const getOrganizationOptions = (options) => {
 	return createAuthEndpoint("/dash/organization/options", {
 		method: "GET",
 		use: [jwtMiddleware(options)]
 	}, async (ctx) => {
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) return { teamsEnabled: false };
 		return { teamsEnabled: organizationPlugin.options?.teams?.enabled && organizationPlugin.options.teams.defaultTeam?.enabled !== false };
 	});
@@ -4141,7 +4391,7 @@ const deleteOrganization = (options) => {
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
 		const { organizationId: bodyOrganizationId } = ctx.body;
-		const orgOptions = (ctx.context.options.plugins?.find((p) => p.id === "organization"))?.options || {};
+		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		if (organizationId !== bodyOrganizationId) throw ctx.error("BAD_REQUEST", { message: "Organization ID mismatch" });
 		const owners = await ctx.context.adapter.findMany({
 			model: "member",
@@ -4194,6 +4444,41 @@ const deleteOrganization = (options) => {
 		return { success: true };
 	});
 };
+const deleteManyOrganizations = (options) => {
+	return createAuthEndpoint("/dash/organization/delete-many", {
+		method: "POST",
+		use: [jwtMiddleware(options, z$1.object({ organizationIds: z$1.string().array() }))]
+	}, async (ctx) => {
+		const { organizationIds } = ctx.context.payload;
+		const deletedOrgIds = /* @__PURE__ */ new Set();
+		const skippedOrgIds = /* @__PURE__ */ new Set();
+		const start = performance.now();
+		await withConcurrency(chunkArray(organizationIds), async (chunk) => {
+			const where = [{
+				field: "id",
+				value: chunk,
+				operator: "in"
+			}];
+			await ctx.context.adapter.deleteMany({
+				model: "organization",
+				where
+			});
+			const remainingOrgs = await ctx.context.adapter.findMany({
+				model: "organization",
+				where
+			});
+			for (const id of chunk) if (!remainingOrgs.some((u) => u.id === id)) deletedOrgIds.add(id);
+			else skippedOrgIds.add(id);
+		});
+		const end = performance.now();
+		console.log(`Time taken to bulk delete ${deletedOrgIds.size} organizations: ${Math.round((end - start) / 1e3)}s`, skippedOrgIds.size > 0 ? `Failed: ${skippedOrgIds.size}` : "");
+		return {
+			success: deletedOrgIds.size > 0,
+			deletedOrgIds: Array.from(deletedOrgIds),
+			skippedOrgIds: Array.from(skippedOrgIds)
+		};
+	});
+};
 const listOrganizationTeams = (options) => {
 	return createAuthEndpoint("/dash/organization/:id/teams", {
 		method: "GET",
@@ -4217,7 +4502,8 @@ const listOrganizationTeams = (options) => {
 							value: team.id
 						}]
 					});
-				} catch {
+				} catch (error) {
+					ctx.context.logger.warn("[Dash] Failed to count team members:", error);
 					memberCount = 0;
 				}
 				return {
@@ -4225,7 +4511,8 @@ const listOrganizationTeams = (options) => {
 					memberCount
 				};
 			}));
-		} catch {
+		} catch (error) {
+			ctx.context.logger.warn("[Dash] Failed to list organization teams:", error);
 			return [];
 		}
 	});
@@ -4240,7 +4527,7 @@ const updateTeam = (options) => {
 		})
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		if (!orgOptions?.teams?.enabled) throw ctx.error("BAD_REQUEST", { message: "Teams are not enabled" });
@@ -4325,7 +4612,7 @@ const deleteTeam = (options) => {
 		body: z$1.object({ teamId: z$1.string() })
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		if (!orgOptions?.teams?.enabled) throw ctx.error("BAD_REQUEST", { message: "Teams are not enabled" });
@@ -4409,7 +4696,7 @@ const createTeam = (options) => {
 		body: z$1.object({ name: z$1.string() })
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		if (!orgOptions?.teams?.enabled) throw ctx.error("BAD_REQUEST", { message: "Teams are not enabled" });
@@ -4429,7 +4716,10 @@ const createTeam = (options) => {
 					value: organizationId
 				}]
 			});
-			const maxTeams = typeof orgOptions.teams.maximumTeams === "function" ? await orgOptions.teams.maximumTeams({ organizationId }) : orgOptions.teams.maximumTeams;
+			const maxTeams = typeof orgOptions.teams.maximumTeams === "function" ? await orgOptions.teams.maximumTeams({
+				organizationId,
+				session: null
+			}) : orgOptions.teams.maximumTeams;
 			if (teamsCount >= maxTeams) throw ctx.error("BAD_REQUEST", { message: `Maximum number of teams (${maxTeams}) reached for this organization` });
 		}
 		const owners = await ctx.context.adapter.findMany({
@@ -4526,7 +4816,8 @@ const listTeamMembers = (options) => {
 					} : null
 				};
 			}));
-		} catch (_e) {
+		} catch (e) {
+			ctx.context.logger.warn("[Dash] Failed to list team members:", e);
 			return [];
 		}
 	});
@@ -4541,7 +4832,7 @@ const addTeamMember = (options) => {
 		})
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		if (!orgOptions?.teams?.enabled) throw ctx.error("BAD_REQUEST", { message: "Teams are not enabled" });
@@ -4602,7 +4893,8 @@ const addTeamMember = (options) => {
 			});
 			const maxMembers = typeof orgOptions.teams.maximumMembersPerTeam === "function" ? await orgOptions.teams.maximumMembersPerTeam({
 				teamId: ctx.body.teamId,
-				organizationId
+				organizationId,
+				session: null
 			}) : orgOptions.teams.maximumMembersPerTeam;
 			if (teamMemberCount >= maxMembers) throw ctx.error("BAD_REQUEST", { message: `Maximum number of team members (${maxMembers}) reached for this team` });
 		}
@@ -4646,7 +4938,7 @@ const removeTeamMember = (options) => {
 		})
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		if (!orgOptions?.teams?.enabled) throw ctx.error("BAD_REQUEST", { message: "Teams are not enabled" });
@@ -4727,7 +5019,7 @@ const createOrganization = (options) => {
 			defaultTeamName: z$1.string().optional()
 		}).passthrough()
 	}, async (ctx) => {
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin not enabled" });
 		const { userId } = ctx.context.payload;
 		const user = await ctx.context.adapter.findOne({
@@ -4892,7 +5184,7 @@ const updateOrganization = (options) => {
 		}).passthrough()
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const orgOptions = (ctx.context.options.plugins?.find((p) => p.id === "organization"))?.options || {};
+		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		if (ctx.body.slug) {
 			const existingOrg = await ctx.context.adapter.findOne({
 				model: "organization",
@@ -4929,10 +5221,16 @@ const updateOrganization = (options) => {
 		});
 		if (!updatedByUser) throw ctx.error("NOT_FOUND", { message: "Owner user not found" });
 		let updateData = { ...ctx.body };
+		if (typeof updateData.metadata === "string") try {
+			updateData.metadata = updateData.metadata === "" ? void 0 : JSON.parse(updateData.metadata);
+		} catch {
+			throw ctx.error("BAD_REQUEST", { message: "Invalid metadata: must be valid JSON" });
+		}
 		if (orgOptions?.organizationHooks?.beforeUpdateOrganization) {
 			const response = await orgOptions.organizationHooks.beforeUpdateOrganization({
 				organization: updateData,
-				user: updatedByUser
+				user: updatedByUser,
+				member: owner
 			});
 			if (response && typeof response === "object" && "data" in response) updateData = {
 				...updateData,
@@ -4945,11 +5243,16 @@ const updateOrganization = (options) => {
 				field: "id",
 				value: organizationId
 			}],
-			update: updateData
+			update: {
+				...updateData,
+				metadata: typeof updateData.metadata === "object" ? JSON.stringify(updateData.metadata) : updateData.metadata
+			}
 		});
+		if (!organization) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to update organization" });
 		if (orgOptions?.organizationHooks?.afterUpdateOrganization) await orgOptions.organizationHooks.afterUpdateOrganization({
 			organization,
-			user: updatedByUser
+			user: updatedByUser,
+			member: owner
 		});
 		return organization;
 	});
@@ -4964,7 +5267,7 @@ const addMember = (options) => {
 		})
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const orgOptions = (ctx.context.options.plugins?.find((p) => p.id === "organization"))?.options || {};
+		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		const organization = await ctx.context.adapter.findOne({
 			model: "organization",
 			where: [{
@@ -5017,7 +5320,7 @@ const removeMember = (options) => {
 		body: z$1.object({ memberId: z$1.string() })
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const orgOptions = (ctx.context.options.plugins?.find((p) => p.id === "organization"))?.options || {};
+		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		const member = await ctx.context.adapter.findOne({
 			model: "member",
 			where: [{
@@ -5097,7 +5400,7 @@ const updateMemberRole = (options) => {
 		})
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const orgOptions = (ctx.context.options.plugins?.find((p) => p.id === "organization"))?.options || {};
+		const orgOptions = ctx.context.getPlugin("organization")?.options || {};
 		const existingMember = await ctx.context.adapter.findOne({
 			model: "member",
 			where: [{
@@ -5131,7 +5434,7 @@ const updateMemberRole = (options) => {
 				member: existingMember,
 				user,
 				organization,
-				role: newRole
+				newRole
 			});
 			if (response && typeof response === "object" && "data" in response) newRole = response.data.role || newRole;
 		}
@@ -5143,6 +5446,7 @@ const updateMemberRole = (options) => {
 			}],
 			update: { role: newRole }
 		});
+		if (!member) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Failed to update member role" });
 		if (orgOptions?.organizationHooks?.afterUpdateMemberRole) await orgOptions.organizationHooks.afterUpdateMemberRole({
 			member,
 			user,
@@ -5166,8 +5470,8 @@ const inviteMember = (options) => {
 		}))]
 	}, async (ctx) => {
 		const { organizationId } = ctx.context.payload;
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
-		if (!organizationPlugin.options?.sendInvitationEmail) throw ctx.error("BAD_REQUEST", { message: "Invitation email is not enabled" });
+		const organizationPlugin = ctx.context.getPlugin("organization");
+		if (!organizationPlugin?.options?.sendInvitationEmail) throw ctx.error("BAD_REQUEST", { message: "Invitation email is not enabled" });
 		const invitedBy = await ctx.context.adapter.findOne({
 			model: "user",
 			where: [{
@@ -5177,7 +5481,7 @@ const inviteMember = (options) => {
 		});
 		if (!invitedBy) throw ctx.error("BAD_REQUEST", { message: "Invited by user not found" });
 		return await organizationPlugin.endpoints.createInvitation({
-			headers: ctx.request?.headers,
+			headers: ctx.request?.headers ?? new Headers(),
 			body: {
 				email: ctx.body.email,
 				role: ctx.body.role,
@@ -5244,7 +5548,7 @@ const cancelInvitation = (options) => {
 		}))],
 		body: z$1.object({ invitationId: z$1.string() })
 	}, async (ctx) => {
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin is not enabled" });
 		const orgOptions = organizationPlugin.options || {};
 		const { invitationId, organizationId } = ctx.context.payload;
@@ -5337,7 +5641,7 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 			if (!metadataResponse.ok) throw ctx.error("BAD_REQUEST", { message: `Failed to fetch IdP metadata from URL: ${metadataResponse.status} ${metadataResponse.statusText}` });
 			idpMetadataXml = await metadataResponse.text();
 		} catch (e) {
-			ctx.context.logger.error("Failed to fetch IdP metadata from URL", { error: e });
+			ctx.context.logger.error("[Dash] Failed to fetch IdP metadata from URL:", e);
 			throw ctx.error("BAD_REQUEST", { message: "Failed to fetch IdP metadata from URL" });
 		}
 	}
@@ -5351,10 +5655,7 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 		const warnings = validateSAMLMetadataAlgorithms(idpMetadataXml);
 		if (warnings.length > 0) {
 			metadataAlgorithmWarnings.push(...warnings);
-			ctx.context.logger.warn("SAML IdP metadata uses deprecated algorithms", {
-				providerId,
-				warnings
-			});
+			ctx.context.logger.warn("[Dash] SAML IdP metadata uses deprecated algorithms:", providerId, warnings);
 		}
 	}
 	const idpMetadata = idpMetadataXml ? { metadata: idpMetadataXml } : {
@@ -5370,8 +5671,8 @@ async function resolveSAMLConfig(samlConfig, providerId, baseURL, ctx) {
 			callbackUrl: `${baseURL}/sso/saml2/sp/acs/${providerId}`,
 			idpMetadata,
 			spMetadata: {},
-			...samlConfig.entryPoint ? { entryPoint: samlConfig.entryPoint } : {},
-			...samlConfig.cert ? { cert: samlConfig.cert } : {},
+			entryPoint: samlConfig.entryPoint ?? "",
+			cert: samlConfig.cert ?? "",
 			...samlConfig.mapping ? { mapping: samlConfig.mapping } : {}
 		},
 		...metadataAlgorithmWarnings.length > 0 ? { warnings: metadataAlgorithmWarnings } : {}
@@ -5417,20 +5718,13 @@ async function resolveOIDCConfig(oidcConfig, domain, ctx) {
 		};
 	} catch (e) {
 		if (e instanceof DiscoveryError) {
-			ctx.context.logger.error("OIDC discovery failed", {
-				code: e.code,
-				message: e.message,
-				details: e.details
-			});
+			ctx.context.logger.error("[Dash] OIDC discovery failed:", e);
 			throw ctx.error("BAD_REQUEST", {
 				message: `OIDC discovery failed: ${e.message}`,
 				code: e.code
 			});
 		}
-		ctx.context.logger.error("OIDC discovery failed", {
-			issuer,
-			error: e
-		});
+		ctx.context.logger.error("[Dash] OIDC discovery failed:", e);
 		throw ctx.error("BAD_REQUEST", {
 			message: `OIDC discovery failed: Unable to discover configuration from ${issuer}`,
 			code: "OIDC_DISCOVERY_FAILED"
@@ -5448,7 +5742,7 @@ const listOrganizationSsoProviders = (options) => {
 		use: [jwtMiddleware(options, z$1.object({ organizationId: z$1.string() }))]
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
-		if (!ctx.context.options.plugins?.find((p) => p.id === "sso")) return [];
+		if (!ctx.context.getPlugin("sso")) return [];
 		try {
 			return await ctx.context.adapter.findMany({
 				model: "ssoProvider",
@@ -5457,7 +5751,8 @@ const listOrganizationSsoProviders = (options) => {
 					value: ctx.params.id
 				}]
 			});
-		} catch {
+		} catch (error) {
+			ctx.context.logger.warn("[Dash] Failed to list SSO providers:", error);
 			return [];
 		}
 	});
@@ -5477,7 +5772,7 @@ const createSsoProvider = (options) => {
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled" });
+		if (!ssoPlugin?.endpoints?.registerSSOProvider) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled or feature is not supported in your plugin version" });
 		const organizationId = ctx.params.id;
 		const { providerId, domain, protocol, samlConfig, oidcConfig, userId } = ctx.body;
 		const registerBody = {
@@ -5508,17 +5803,18 @@ const createSsoProvider = (options) => {
 			return {
 				success: true,
 				provider: {
-					id: result.id,
+					id: result.providerId,
 					providerId: result.providerId || providerId,
 					domain: result.domain || domain
 				},
 				domainVerification: {
 					txtRecordName: `better-auth-token-${providerId}`,
-					verificationToken: result.domainVerificationToken || null
+					verificationToken: result.domainVerificationToken ?? null
 				}
 			};
 		} catch (e) {
 			if (e instanceof APIError$1) throw e;
+			ctx.context.logger.error("[Dash] Failed to create SSO provider:", e);
 			throw ctx.error("BAD_REQUEST", { message: e instanceof Error ? e.message : "Failed to create SSO provider" });
 		}
 	});
@@ -5537,7 +5833,7 @@ const updateSsoProvider = (options) => {
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled" });
+		if (!ssoPlugin?.endpoints?.updateSSOProvider) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled or feature is not supported in your plugin version" });
 		const organizationId = ctx.params.id;
 		const { providerId, domain, protocol, samlConfig, oidcConfig } = ctx.body;
 		const existingProvider = await ctx.context.adapter.findOne({
@@ -5591,13 +5887,14 @@ const updateSsoProvider = (options) => {
 			return {
 				success: true,
 				provider: {
-					id: result.id || existingProvider.id,
-					providerId: result.providerId || existingProvider.providerId,
-					domain: result.domain || domain
+					id: existingProvider.id,
+					providerId: result.providerId ?? existingProvider.providerId,
+					domain: result.domain ?? domain
 				}
 			};
 		} catch (e) {
 			if (e instanceof APIError$1) throw e;
+			ctx.context.logger.error("[Dash] Failed to update SSO provider:", e);
 			throw ctx.error("BAD_REQUEST", { message: e instanceof Error ? e.message : "Failed to update SSO provider" });
 		}
 	});
@@ -5610,7 +5907,7 @@ const requestSsoVerificationToken = (options) => {
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled" });
+		if (!ssoPlugin?.endpoints?.requestDomainVerification || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = ctx.params.id;
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5642,6 +5939,7 @@ const requestSsoVerificationToken = (options) => {
 			};
 		} catch (e) {
 			if (e instanceof APIError$1) throw e;
+			ctx.context.logger.error("[Dash] Failed to request verification token:", e);
 			throw ctx.error("BAD_REQUEST", { message: e instanceof Error ? e.message : "Failed to request verification token" });
 		}
 	});
@@ -5654,7 +5952,7 @@ const verifySsoProviderDomain = (options) => {
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled" });
+		if (!ssoPlugin?.endpoints?.verifyDomain || !ssoPlugin.options?.domainVerification?.enabled) throw ctx.error("BAD_REQUEST", { message: "SSO plugin with domain verification is not enabled or feature is not supported in your plugin version" });
 		const organizationId = ctx.params.id;
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5704,7 +6002,7 @@ const deleteSsoProvider = (options) => {
 	}, async (ctx) => {
 		requireOrganizationAccess(ctx);
 		const ssoPlugin = getSSOPlugin(ctx);
-		if (!ssoPlugin) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled" });
+		if (!ssoPlugin?.endpoints?.deleteSSOProvider) throw ctx.error("BAD_REQUEST", { message: "SSO plugin is not enabled or feature is not supported in your plugin version" });
 		const organizationId = ctx.params.id;
 		const { providerId } = ctx.body;
 		const provider = await ctx.context.adapter.findOne({
@@ -5732,6 +6030,7 @@ const deleteSsoProvider = (options) => {
 			};
 		} catch (e) {
 			if (e instanceof APIError$1) throw e;
+			ctx.context.logger.error("[Dash] Failed to delete SSO provider:", e);
 			throw ctx.error("BAD_REQUEST", { message: e instanceof Error ? e.message : "Failed to delete SSO provider" });
 		}
 	});
@@ -5783,7 +6082,7 @@ const resendInvitation = (options) => {
 		}))],
 		body: z$1.object({ invitationId: z$1.string() })
 	}, async (ctx) => {
-		const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const organizationPlugin = ctx.context.getPlugin("organization");
 		if (!organizationPlugin) throw ctx.error("BAD_REQUEST", { message: "Organization plugin is not enabled" });
 		const { invitationId, organizationId } = ctx.context.payload;
 		const invitation = await ctx.context.adapter.findOne({
@@ -5805,7 +6104,7 @@ const resendInvitation = (options) => {
 		if (!invitedByUser) throw ctx.error("BAD_REQUEST", { message: "Inviter user not found" });
 		if (!organizationPlugin.endpoints?.createInvitation) throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Organization plugin endpoints not available" });
 		await organizationPlugin.endpoints.createInvitation({
-			headers: ctx.request?.headers,
+			headers: ctx.request?.headers ?? new Headers(),
 			body: {
 				email: invitation.email,
 				role: invitation.role,
@@ -5901,27 +6200,41 @@ const revokeAllSessions = (options) => createAuthEndpoint("/dash/sessions/revoke
 	await ctx.context.internalAdapter.deleteSessions(userId);
 	return ctx.json({ success: true });
 });
+const revokeManySessions = (options) => createAuthEndpoint("/dash/sessions/revoke-many", {
+	method: "POST",
+	use: [jwtMiddleware(options, z$1.object({ userIds: z$1.string().array() }))]
+}, async (ctx) => {
+	const { userIds } = ctx.context.payload;
+	await withConcurrency(chunkArray(userIds, { batchSize: 50 }), async (chunk) => {
+		for (const userId of chunk) await ctx.context.internalAdapter.deleteSessions(userId);
+	}, { concurrency: 3 });
+	return ctx.json({
+		success: true,
+		revokedCount: userIds.length
+	});
+});
 
 //#endregion
 //#region src/routes/users.ts
+function parseWhereClause(val) {
+	if (!val) return [];
+	const parsed = JSON.parse(val);
+	if (!Array.isArray(parsed)) return [];
+	return parsed;
+}
+const getUsersQuerySchema = z$1.object({
+	limit: z$1.number().or(z$1.string().transform(Number)).optional(),
+	offset: z$1.number().or(z$1.string().transform(Number)).optional(),
+	sortBy: z$1.string().optional(),
+	sortOrder: z$1.enum(["asc", "desc"]).optional(),
+	where: z$1.string().transform(parseWhereClause).optional(),
+	countWhere: z$1.string().transform(parseWhereClause).optional()
+}).optional();
 const getUsers = (options) => {
 	return createAuthEndpoint("/dash/list-users", {
 		method: "GET",
 		use: [jwtMiddleware(options)],
-		query: z$1.object({
-			limit: z$1.number().or(z$1.string().transform(Number)).optional(),
-			offset: z$1.number().or(z$1.string().transform(Number)).optional(),
-			sortBy: z$1.string().optional(),
-			sortOrder: z$1.enum(["asc", "desc"]).optional(),
-			where: z$1.string().transform((val) => {
-				if (!val) return [];
-				return JSON.parse(val);
-			}).optional(),
-			countWhere: z$1.string().transform((val) => {
-				if (!val) return [];
-				return JSON.parse(val);
-			}).optional()
-		}).optional()
+		query: getUsersQuerySchema
 	}, async (ctx) => {
 		const activityTrackingEnabled = (() => {
 			if (!options.activityTracking?.enabled) return false;
@@ -5930,6 +6243,8 @@ const getUsers = (options) => {
 			if (fields.lastActiveAt.type !== "date") return false;
 			return true;
 		})();
+		const where = ctx.query?.where?.length ? ctx.query.where : void 0;
+		const countWhere = ctx.query?.countWhere?.length ? ctx.query.countWhere : void 0;
 		const userQuery = ctx.context.adapter.findMany({
 			model: "user",
 			limit: ctx.query?.limit || 10,
@@ -5938,11 +6253,11 @@ const getUsers = (options) => {
 				field: ctx.query?.sortBy || "createdAt",
 				direction: ctx.query?.sortOrder || "desc"
 			},
-			where: ctx.query?.where
+			where
 		});
 		const totalQuery = ctx.context.adapter.count({
 			model: "user",
-			where: ctx.query?.countWhere
+			where: countWhere
 		});
 		const onlineUsersQuery = activityTrackingEnabled ? ctx.context.adapter.count({
 			model: "user",
@@ -5951,13 +6266,16 @@ const getUsers = (options) => {
 				value: /* @__PURE__ */ new Date(Date.now() - 1e3 * 60 * 2),
 				operator: "gte"
 			}]
+		}).catch((e) => {
+			ctx.context.logger.error("[Dash] Failed to count online users:", e);
+			return 0;
 		}) : Promise.resolve(0);
 		const [users, total, onlineUsers] = await Promise.all([
 			userQuery,
 			totalQuery,
 			onlineUsersQuery
 		]);
-		const hasAdminPlugin = ctx.context.options.plugins?.some((p) => p.id === "admin");
+		const hasAdminPlugin = ctx.context.hasPlugin("admin");
 		return {
 			users: users.map((user) => {
 				const u = user;
@@ -5976,6 +6294,30 @@ const getUsers = (options) => {
 		};
 	});
 };
+const exportUsers = (options) => {
+	return createAuthEndpoint("/dash/export-users", {
+		method: "GET",
+		use: [jwtMiddleware(options)],
+		query: getUsersQuerySchema
+	}, async (ctx) => {
+		const hasAdminPlugin = ctx.context.hasPlugin("admin");
+		return exportFactory({
+			model: "user",
+			limit: ctx.query?.limit,
+			offset: ctx.query?.offset ? ctx.query.offset : 0,
+			sortBy: {
+				field: ctx.query?.sortBy || "createdAt",
+				direction: ctx.query?.sortOrder || "desc"
+			},
+			where: ctx.query?.where
+		}, { processRow: (u) => ({
+			...u,
+			banned: hasAdminPlugin ? u.banned ?? false : false,
+			banReason: hasAdminPlugin ? u.banReason ?? null : null,
+			banExpires: hasAdminPlugin ? u.banExpires ?? null : null
+		}) })(ctx);
+	});
+};
 const getOnlineUsersCount = (options) => {
 	return createAuthEndpoint("/dash/online-users-count", {
 		method: "GET",
@@ -6006,11 +6348,46 @@ const deleteUser = (options) => {
 				}]
 			});
 		} catch (e) {
-			logger.error(e);
+			ctx.context.logger.error("[Dash] Failed to delete user:", e);
 			throw ctx.error("INTERNAL_SERVER_ERROR", { message: "Internal server error" });
 		}
 	});
 };
+const deleteManyUsers = (options) => {
+	return createAuthEndpoint("/dash/delete-many-users", {
+		method: "POST",
+		use: [jwtMiddleware(options, z$1.object({ userIds: z$1.string().array() }))]
+	}, async (ctx) => {
+		const { userIds } = ctx.context.payload;
+		const deletedUserIds = /* @__PURE__ */ new Set();
+		const skippedUserIds = /* @__PURE__ */ new Set();
+		const start = performance.now();
+		await withConcurrency(chunkArray(userIds), async (chunk) => {
+			const where = [{
+				field: "id",
+				value: chunk,
+				operator: "in"
+			}];
+			await ctx.context.adapter.deleteMany({
+				model: "user",
+				where
+			});
+			const remainingUsers = await ctx.context.adapter.findMany({
+				model: "user",
+				where
+			});
+			for (const id of chunk) if (!remainingUsers.some((u) => u.id === id)) deletedUserIds.add(id);
+			else skippedUserIds.add(id);
+		});
+		const end = performance.now();
+		console.log(`Time taken to bulk delete ${deletedUserIds.size} users: ${(end - start) / 1e3}s`, skippedUserIds.size > 0 ? `Failed: ${skippedUserIds.size}` : "");
+		return ctx.json({
+			success: deletedUserIds.size > 0,
+			skippedUserIds: Array.from(skippedUserIds),
+			deletedUserIds: Array.from(deletedUserIds)
+		});
+	});
+};
 const impersonateUser = (options) => {
 	return createAuthEndpoint("/dash/impersonate-user", {
 		method: "GET",
@@ -6096,10 +6473,10 @@ const createUser = (options) => {
 		const organizationId = ctx.context.payload?.organizationId || userData.organizationId;
 		const organizationRole = ctx.context.payload?.organizationRole || userData.organizationRole;
 		if (organizationId) {
-			const organizationPlugin = ctx.context.options.plugins?.find((p) => p.id === "organization");
+			const organizationPlugin = ctx.context.getPlugin("organization");
 			if (organizationPlugin) {
-				const orgOptions = organizationPlugin?.options || {};
-				const role = organizationRole || orgOptions.defaultRole || "member";
+				const orgOptions = organizationPlugin.options || {};
+				const role = organizationRole || "member";
 				const organization = await ctx.context.adapter.findOne({
 					model: "organization",
 					where: [{
@@ -6188,22 +6565,33 @@ const unlinkAccount = (options) => {
 const getUserDetails = (options) => {
 	return createAuthEndpoint("/dash/user", {
 		method: "GET",
-		use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
+		use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))],
+		query: z$1.object({ minimal: z$1.boolean().or(z$1.string().transform((val) => val === "true")).optional() }).optional()
 	}, async (ctx) => {
 		const { userId } = ctx.context.payload;
-		const hasAdminPlugin = ctx.context.options.plugins?.some((p) => p.id === "admin");
+		const minimal = !!ctx.query?.minimal;
+		const hasAdminPlugin = ctx.context.hasPlugin("admin");
 		const user = await ctx.context.adapter.findOne({
 			model: "user",
 			where: [{
 				field: "id",
 				value: userId
 			}],
-			join: {
+			...minimal ? {} : { join: {
 				account: true,
 				session: true
-			}
+			} }
 		});
 		if (!user) throw ctx.error("NOT_FOUND", { message: "User not found" });
+		if (minimal) return {
+			...user,
+			lastActiveAt: user.lastActiveAt ?? null,
+			banned: hasAdminPlugin ? user.banned ?? false : false,
+			banReason: hasAdminPlugin ? user.banReason ?? null : null,
+			banExpires: hasAdminPlugin ? user.banExpires ?? null : null,
+			account: [],
+			session: []
+		};
 		const activityTrackingEnabled = !!options.activityTracking?.enabled;
 		const sessions = user.session || [];
 		let lastActiveAt = null;
@@ -6220,13 +6608,18 @@ const getUserDetails = (options) => {
 					shouldUpdateLastActiveAt = true;
 				}
 			}
-			if (shouldUpdateLastActiveAt && lastActiveAt) try {
-				await ctx.context.internalAdapter.updateUser(userId, {
-					lastActiveAt,
-					updatedAt: /* @__PURE__ */ new Date()
-				});
-			} catch (error) {
-				ctx.context.logger.error("Failed to update user lastActiveAt:", error);
+			if (shouldUpdateLastActiveAt && lastActiveAt) {
+				const updateActivity = async () => {
+					try {
+						await ctx.context.internalAdapter.updateUser(userId, {
+							lastActiveAt,
+							updatedAt: /* @__PURE__ */ new Date()
+						});
+					} catch (error) {
+						ctx.context.logger.error("[Dash] Failed to update user lastActiveAt:", error);
+					}
+				};
+				updateActivity();
 			}
 		}
 		return {
@@ -6244,43 +6637,41 @@ const getUserOrganizations = (options) => {
 		use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
 	}, async (ctx) => {
 		const { userId } = ctx.context.payload;
-		const isOrgEnabled = ctx.context.options.plugins?.find((p) => p.id === "organization");
+		const isOrgEnabled = ctx.context.getPlugin("organization");
 		if (!isOrgEnabled) return { organizations: [] };
-		const member = await ctx.context.adapter.findMany({
+		const isTeamEnabled = isOrgEnabled.options?.teams?.enabled;
+		const [member, teamMembers] = await Promise.all([ctx.context.adapter.findMany({
 			model: "member",
 			where: [{
 				field: "userId",
 				value: userId
 			}]
-		});
-		if (member.length === 0) return { organizations: [] };
-		const organizations = await ctx.context.adapter.findMany({
-			model: "organization",
-			where: [{
-				field: "id",
-				value: member.map((m) => m.organizationId),
-				operator: "in"
-			}]
-		});
-		const isTeamEnabled = isOrgEnabled.options?.teams?.enabled;
-		const teamMembers = isTeamEnabled ? await ctx.context.adapter.findMany({
+		}), isTeamEnabled ? ctx.context.adapter.findMany({
 			model: "teamMember",
 			where: [{
 				field: "userId",
 				value: userId
 			}]
 		}).catch((e) => {
-			ctx.context.logger.error(e);
+			ctx.context.logger.error("[Dash] Failed to fetch team members:", e);
 			return [];
-		}) : [];
-		const teams = isTeamEnabled && teamMembers.length > 0 ? await ctx.context.adapter.findMany({
+		}) : Promise.resolve([])]);
+		if (member.length === 0) return { organizations: [] };
+		const [organizations, teams] = await Promise.all([ctx.context.adapter.findMany({
+			model: "organization",
+			where: [{
+				field: "id",
+				value: member.map((m) => m.organizationId),
+				operator: "in"
+			}]
+		}), isTeamEnabled && teamMembers.length > 0 ? ctx.context.adapter.findMany({
 			model: "team",
 			where: [{
 				field: "id",
 				value: teamMembers.map((tm) => tm.teamId),
 				operator: "in"
 			}]
-		}) : [];
+		}) : Promise.resolve([])]);
 		return { organizations: organizations.map((organization) => ({
 			id: organization.id,
 			name: organization.name,
@@ -6314,9 +6705,25 @@ const updateUser = (options) => createAuthEndpoint("/dash/update-user", {
 	if (!user) throw new APIError("NOT_FOUND", { message: "User not found" });
 	return user;
 });
-async function countUniqueActiveUsers(adapter, where) {
+async function countUniqueActiveUsers(adapter, range, activityTrackingEnabled) {
+	const field = activityTrackingEnabled ? "lastActiveAt" : "updatedAt";
+	const where = [{
+		field,
+		operator: "gte",
+		value: range.from
+	}];
+	if (range.to !== void 0) where.push({
+		field,
+		operator: "lt",
+		value: range.to
+	});
+	if (activityTrackingEnabled) return adapter.count({
+		model: "user",
+		where
+	});
 	const sessions = await adapter.findMany({
 		model: "session",
+		select: ["userId"],
 		where
 	});
 	return new Set(sessions.map((s) => s.userId)).size;
@@ -6332,6 +6739,7 @@ const getUserStats = (options) => createAuthEndpoint("/dash/user-stats", {
 	const twoWeeksAgo = /* @__PURE__ */ new Date(now.getTime() - 336 * 60 * 60 * 1e3);
 	const oneMonthAgo = /* @__PURE__ */ new Date(now.getTime() - 720 * 60 * 60 * 1e3);
 	const twoMonthsAgo = /* @__PURE__ */ new Date(now.getTime() - 1440 * 60 * 60 * 1e3);
+	const activityTrackingEnabled = !!options.activityTracking?.enabled;
 	const [dailyCount, previousDailyCount, weeklyCount, previousWeeklyCount, monthlyCount, previousMonthlyCount, totalCount, dailyActiveCount, previousDailyActiveCount, weeklyActiveCount, previousWeeklyActiveCount, monthlyActiveCount, previousMonthlyActiveCount] = await Promise.all([
 		ctx.context.adapter.count({
 			model: "user",
@@ -6394,48 +6802,21 @@ const getUserStats = (options) => createAuthEndpoint("/dash/user-stats", {
 			}]
 		}),
 		ctx.context.adapter.count({ model: "user" }),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: oneDayAgo
-		}]),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: twoDaysAgo
-		}, {
-			field: "updatedAt",
-			operator: "lt",
-			value: oneDayAgo
-		}]),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: oneWeekAgo
-		}]),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: twoWeeksAgo
-		}, {
-			field: "updatedAt",
-			operator: "lt",
-			value: oneWeekAgo
-		}]),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: oneMonthAgo
-		}]),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gte",
-			value: twoMonthsAgo
-		}, {
-			field: "updatedAt",
-			operator: "lt",
-			value: oneMonthAgo
-		}])
+		countUniqueActiveUsers(ctx.context.adapter, { from: oneDayAgo }, activityTrackingEnabled),
+		countUniqueActiveUsers(ctx.context.adapter, {
+			from: twoDaysAgo,
+			to: oneDayAgo
+		}, activityTrackingEnabled),
+		countUniqueActiveUsers(ctx.context.adapter, { from: oneWeekAgo }, activityTrackingEnabled),
+		countUniqueActiveUsers(ctx.context.adapter, {
+			from: twoWeeksAgo,
+			to: oneWeekAgo
+		}, activityTrackingEnabled),
+		countUniqueActiveUsers(ctx.context.adapter, { from: oneMonthAgo }, activityTrackingEnabled),
+		countUniqueActiveUsers(ctx.context.adapter, {
+			from: twoMonthsAgo,
+			to: oneMonthAgo
+		}, activityTrackingEnabled)
 	]);
 	const calculatePercentage = (current, previous) => {
 		if (previous === 0) return current > 0 ? 100 : 0;
@@ -6482,6 +6863,7 @@ const getUserGraphData = (options) => createAuthEndpoint("/dash/user-graph-data"
 }, async (ctx) => {
 	const { period } = ctx.query;
 	const now = /* @__PURE__ */ new Date();
+	const activityTrackingEnabled = !!options.activityTracking?.enabled;
 	const intervals = period === "daily" ? 7 : period === "weekly" ? 8 : 6;
 	const msPerInterval = period === "daily" ? 1440 * 60 * 1e3 : period === "weekly" ? 10080 * 60 * 1e3 : 720 * 60 * 60 * 1e3;
 	const intervalData = [];
@@ -6522,15 +6904,10 @@ const getUserGraphData = (options) => createAuthEndpoint("/dash/user-graph-data"
 				value: interval.endDate
 			}]
 		}),
-		countUniqueActiveUsers(ctx.context.adapter, [{
-			field: "updatedAt",
-			operator: "gt",
-			value: interval.startDate
-		}, {
-			field: "updatedAt",
-			operator: "lte",
-			value: interval.endDate
-		}])
+		countUniqueActiveUsers(ctx.context.adapter, {
+			from: interval.startDate,
+			to: interval.endDate
+		}, activityTrackingEnabled)
 	]);
 	const results = await Promise.all(allQueries);
 	return {
@@ -6565,9 +6942,10 @@ const getUserRetentionData = (options) => createAuthEndpoint("/dash/user-retenti
 	* M-N retention:
 	*   users created during Month(-N) who are active during "this month"
 	*
-	* Active is determined by session activity (session.updatedAt in the active window).
+	* Active: user.lastActiveAt when activity tracking enabled, else session.updatedAt.
 	*/
 	const { period } = ctx.query;
+	const activityTrackingEnabled = !!options.activityTracking?.enabled;
 	const now = /* @__PURE__ */ new Date();
 	const startOfUtcDay = (d) => new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
 	const startOfUtcMonth = (d) => new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), 1));
@@ -6598,6 +6976,7 @@ const getUserRetentionData = (options) => createAuthEndpoint("/dash/user-retenti
 		const cohortEnd = period === "daily" ? addUtcDays(cohortStart, 1) : period === "weekly" ? addUtcDays(cohortStart, 7) : addUtcMonths(cohortStart, 1);
 		const cohortUsers = await ctx.context.adapter.findMany({
 			model: "user",
+			select: ["id"],
 			where: [{
 				field: "createdAt",
 				operator: "gte",
@@ -6624,27 +7003,57 @@ const getUserRetentionData = (options) => createAuthEndpoint("/dash/user-retenti
 			continue;
 		}
 		const cohortUserIds = cohortUsers.map((u) => u.id);
-		const sessionsInActiveWindow = await ctx.context.adapter.findMany({
-			model: "session",
+		let retained;
+		if (activityTrackingEnabled) retained = await ctx.context.adapter.count({
+			model: "user",
 			where: [
 				{
-					field: "userId",
+					field: "id",
 					operator: "in",
 					value: cohortUserIds
 				},
 				{
-					field: "updatedAt",
+					field: "lastActiveAt",
 					operator: "gte",
 					value: activeStart
 				},
 				{
-					field: "updatedAt",
+					field: "lastActiveAt",
 					operator: "lt",
 					value: activeEnd
 				}
 			]
-		}).catch(() => []);
-		const retained = new Set(sessionsInActiveWindow.map((s) => s.userId)).size;
+		}).catch((error) => {
+			ctx.context.logger.warn("[Dash] Failed to count retained users by lastActiveAt:", error);
+			return 0;
+		});
+		else {
+			const sessionsInActiveWindow = await ctx.context.adapter.findMany({
+				model: "session",
+				select: ["userId"],
+				where: [
+					{
+						field: "userId",
+						operator: "in",
+						value: cohortUserIds
+					},
+					{
+						field: "updatedAt",
+						operator: "gte",
+						value: activeStart
+					},
+					{
+						field: "updatedAt",
+						operator: "lt",
+						value: activeEnd
+					}
+				]
+			}).catch((error) => {
+				ctx.context.logger.warn("[Dash] Failed to fetch cohort sessions:", error);
+				return [];
+			});
+			retained = new Set(sessionsInActiveWindow.map((s) => s.userId)).size;
+		}
 		const retentionRate = cohortSize > 0 ? Math.round(retained / cohortSize * 100 * 10) / 10 : 0;
 		data.push({
 			n,
@@ -6696,6 +7105,57 @@ const banUser = (options) => createAuthEndpoint("/dash/ban-user", {
 	});
 	return { success: true };
 });
+const banManyUsers = (options) => {
+	return createAuthEndpoint("/dash/ban-many-users", {
+		method: "POST",
+		use: [jwtMiddleware(options, z$1.object({ userIds: z$1.string().array() }))],
+		body: z$1.object({
+			banReason: z$1.string().optional(),
+			banExpires: z$1.number().optional()
+		})
+	}, async (ctx) => {
+		const { userIds } = ctx.context.payload;
+		const { banReason, banExpires } = ctx.body;
+		const start = performance.now();
+		await withConcurrency(chunkArray(userIds, { batchSize: 50 }), async (chunk) => {
+			await ctx.context.adapter.updateMany({
+				model: "user",
+				where: [{
+					field: "id",
+					value: chunk,
+					operator: "in"
+				}],
+				update: {
+					banned: true,
+					banReason: banReason || null,
+					banExpires: banExpires ? new Date(banExpires) : null
+				}
+			});
+		}, { concurrency: 3 });
+		const skippedUserIds = (await ctx.context.adapter.findMany({
+			model: "user",
+			where: [{
+				field: "id",
+				value: userIds,
+				operator: "in",
+				connector: "AND"
+			}, {
+				field: "banned",
+				value: false,
+				operator: "eq"
+			}],
+			select: ["id"]
+		})).map((u) => u.id);
+		const bannedUserIds = userIds.filter((id) => !skippedUserIds.includes(id));
+		const end = performance.now();
+		console.log(`Time taken to ban ${bannedUserIds.length} users: ${(end - start) / 1e3}s`, skippedUserIds.length > 0 ? `Skipped: ${skippedUserIds.length}` : "");
+		return ctx.json({
+			success: bannedUserIds.length > 0,
+			bannedUserIds,
+			skippedUserIds
+		});
+	});
+};
 const unbanUser = (options) => createAuthEndpoint("/dash/unban-user", {
 	method: "POST",
 	use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
@@ -6730,6 +7190,63 @@ const sendVerificationEmail = (options) => createAuthEndpoint("/dash/send-verifi
 	}, user);
 	return { success: true };
 });
+const sendManyVerificationEmails = (options) => {
+	return createAuthEndpoint("/dash/send-many-verification-emails", {
+		method: "POST",
+		use: [jwtMiddleware(options, z$1.object({ userIds: z$1.string().array() }))],
+		body: z$1.object({ callbackUrl: z$1.string().url() })
+	}, async (ctx) => {
+		if (!ctx.context.options.emailVerification?.sendVerificationEmail) throw ctx.error("BAD_REQUEST", { message: "Email verification is not enabled" });
+		const { userIds } = ctx.context.payload;
+		const { callbackUrl } = ctx.body;
+		const sentEmailUserIds = /* @__PURE__ */ new Set();
+		const skippedEmailUserIds = /* @__PURE__ */ new Set();
+		const start = performance.now();
+		await withConcurrency(chunkArray(userIds, { batchSize: 20 }), async (chunk) => {
+			const users = await ctx.context.adapter.findMany({
+				model: "user",
+				where: [{
+					field: "id",
+					value: chunk,
+					operator: "in"
+				}, {
+					field: "emailVerified",
+					value: false
+				}]
+			});
+			if (chunk.length - users.length > 0) for (const id of chunk.filter((id$1) => !users.some((u) => u.id === id$1))) skippedEmailUserIds.add(id);
+			for (const result of await Promise.allSettled(users.map(async (user) => {
+				try {
+					await sendVerificationEmailFn({
+						...ctx,
+						body: {
+							...ctx.body,
+							callbackURL: callbackUrl
+						}
+					}, user);
+				} catch {
+					return {
+						success: false,
+						id: user.id
+					};
+				}
+				return {
+					success: true,
+					id: user.id
+				};
+			}))) if (result.status === "fulfilled") if (result.value.success) sentEmailUserIds.add(result.value.id);
+			else skippedEmailUserIds.add(result.value.id);
+			else for (const { id } of users) skippedEmailUserIds.add(id);
+		}, { concurrency: 2 });
+		const end = performance.now();
+		console.log(`Time taken to send verification emails to ${sentEmailUserIds.size} users: ${Math.round((end - start) / 1e3)}s`, skippedEmailUserIds.size > 0 ? `Skipped: ${skippedEmailUserIds.size}` : "");
+		return ctx.json({
+			success: sentEmailUserIds.size > 0,
+			sentEmailUserIds: Array.from(sentEmailUserIds),
+			skippedEmailUserIds: Array.from(skippedEmailUserIds)
+		});
+	});
+};
 const sendResetPasswordEmail = (options) => createAuthEndpoint("/dash/send-reset-password-email", {
 	method: "POST",
 	use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))],
@@ -6748,6 +7265,11 @@ const getUserMapData = (options) => createAuthEndpoint("/dash/user-map-data", {
 }, async (ctx) => {
 	const sessions = await ctx.context.adapter.findMany({
 		model: "session",
+		select: [
+			"country",
+			"city",
+			"userId"
+		],
 		limit: 1e4
 	});
 	const countryMap = /* @__PURE__ */ new Map();
@@ -6790,7 +7312,7 @@ const enableTwoFactor = (options) => createAuthEndpoint("/dash/enable-two-factor
 	use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
 }, async (ctx) => {
 	const { userId } = ctx.context.payload;
-	const twoFactorPlugin = ctx.context.options.plugins?.find((p) => p.id === "two-factor");
+	const twoFactorPlugin = ctx.context.getPlugin("two-factor");
 	if (!twoFactorPlugin) throw new APIError("BAD_REQUEST", { message: "Two-factor authentication plugin is not enabled" });
 	if (await ctx.context.adapter.findOne({
 		model: "twoFactor",
@@ -6841,7 +7363,7 @@ const viewTwoFactorTotpUri = (options) => createAuthEndpoint("/dash/view-two-fac
 	use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
 }, async (ctx) => {
 	const { userId } = ctx.context.payload;
-	const twoFactorPlugin = ctx.context.options.plugins?.find((p) => p.id === "two-factor");
+	const twoFactorPlugin = ctx.context.getPlugin("two-factor");
 	if (!twoFactorPlugin) throw new APIError("BAD_REQUEST", { message: "Two-factor authentication plugin is not enabled" });
 	const twoFactorRecord = await ctx.context.adapter.findOne({
 		model: "twoFactor",
@@ -6901,7 +7423,7 @@ const disableTwoFactor = (options) => createAuthEndpoint("/dash/disable-two-fact
 	use: [jwtMiddleware(options, z$1.object({ userId: z$1.string() }))]
 }, async (ctx) => {
 	const { userId } = ctx.context.payload;
-	if (!ctx.context.options.plugins?.find((p) => p.id === "two-factor")) throw new APIError("BAD_REQUEST", { message: "Two-factor authentication is not enabled" });
+	if (!ctx.context.getPlugin("two-factor")) throw new APIError("BAD_REQUEST", { message: "Two-factor authentication is not enabled" });
 	await ctx.context.adapter.delete({
 		model: "twoFactor",
 		where: [{
@@ -6965,12 +7487,12 @@ async function sha256(message) {
 /**
 * Check if a hash has the required number of leading zero bits
 */
-function hasLeadingZeroBits(hash, bits) {
+function hasLeadingZeroBits(hash$1, bits) {
 	const fullHexChars = Math.floor(bits / 4);
 	const remainingBits = bits % 4;
-	for (let i = 0; i < fullHexChars; i++) if (hash[i] !== "0") return false;
-	if (remainingBits > 0 && fullHexChars < hash.length) {
-		if (parseInt(hash[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
+	for (let i = 0; i < fullHexChars; i++) if (hash$1[i] !== "0") return false;
+	if (remainingBits > 0 && fullHexChars < hash$1.length) {
+		if (parseInt(hash$1[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
 	}
 	return true;
 }
@@ -7069,6 +7591,7 @@ function createSMSSender(config) {
 				messageId: (await response.json()).messageId
 			};
 		} catch (error) {
+			logger.warn("[Dash] SMS send failed:", error);
 			return {
 				success: false,
 				error: error instanceof Error ? error.message : "Failed to send SMS"
@@ -7127,7 +7650,7 @@ const dash = (options) => {
 	return {
 		id: "dash",
 		init(ctx) {
-			const organizationPlugin = ctx.options.plugins?.find((p) => p.id === "organization");
+			const organizationPlugin = ctx.getPlugin("organization");
 			if (organizationPlugin) {
 				const instrumentOrganizationHooks = (organizationPluginOptions) => {
 					const organizationHooks = organizationPluginOptions.organizationHooks = organizationPluginOptions.organizationHooks ?? {};
@@ -7217,7 +7740,7 @@ const dash = (options) => {
 					};
 				};
 				instrumentOrganizationHooks(organizationPlugin.options = organizationPlugin.options ?? {});
-			} else logger.debug("Organization plugin not active. Skipping instrumentation");
+			} else logger.debug("[Dash] Organization plugin not active. Skipping instrumentation");
 			return { options: {
 				databaseHooks: {
 					user: {
@@ -7269,8 +7792,10 @@ const dash = (options) => {
 								const ctx$1 = _ctx;
 								if (!ctx$1 || !session.userId) return;
 								const location = ctx$1.context.location;
+								const loginMethod = getLoginMethod(ctx$1) ?? void 0;
 								const enrichedSession = {
 									...session,
+									loginMethod,
 									ipAddress: location?.ipAddress,
 									city: location?.city,
 									country: location?.country,
@@ -7303,7 +7828,9 @@ const dash = (options) => {
 										}],
 										update: { lastActiveAt: /* @__PURE__ */ new Date() }
 									});
-								} catch {}
+								} catch (error) {
+									logger.warn("[Dash] Failed to update user activity", error);
+								}
 							}
 						},
 						delete: { async after(session, _ctx) {
@@ -7387,11 +7914,19 @@ const dash = (options) => {
 		},
 		hooks: {
 			before: [{
-				matcher: (ctx) => ctx.request?.method !== "GET",
+				matcher: (ctx) => {
+					if (ctx.request?.method !== "GET") return true;
+					const path = new URL(ctx.request.url).pathname;
+					return matchesAnyRoute(path, [routes.SIGN_IN_SOCIAL_CALLBACK, routes.SIGN_IN_OAUTH_CALLBACK]);
+				},
 				handler: createIdentificationMiddleware(opts)
 			}],
 			after: [{
-				matcher: (ctx) => ctx.request?.method !== "GET",
+				matcher: (ctx) => {
+					if (ctx.request?.method !== "GET") return true;
+					const path = new URL(ctx.request.url).pathname;
+					return matchesAnyRoute(path, [routes.SIGN_IN_SOCIAL_CALLBACK, routes.SIGN_IN_OAUTH_CALLBACK]);
+				},
 				handler: createAuthMiddleware(async (_ctx) => {
 					const ctx = _ctx;
 					const trigger = getTriggerInfo(ctx, ctx.context.session?.user.id ?? UNKNOWN_USER);
@@ -7400,6 +7935,17 @@ const dash = (options) => {
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && ctx.context.returned instanceof Error && body?.email) trackEmailSignInAttempt(ctx, trigger);
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_SOCIAL]) && ctx.context.returned instanceof Error && ctx.body.provider && ctx.body.idToken) trackSocialSignInAttempt(ctx, trigger);
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_SOCIAL_CALLBACK]) && ctx.context.returned instanceof Error) trackSocialSignInRedirectionAttempt(ctx, trigger);
+					const headerRequestId = ctx.request?.headers.get("X-Request-Id");
+					if (headerRequestId) ctx.setCookie(IDENTIFICATION_COOKIE_NAME, headerRequestId, {
+						maxAge: 600,
+						sameSite: "lax",
+						httpOnly: true,
+						path: "/"
+					});
+					else if (ctx.context.requestId) ctx.setCookie(IDENTIFICATION_COOKIE_NAME, "", {
+						maxAge: 0,
+						path: "/"
+					});
 				})
 			}, {
 				handler: createAuthMiddleware(async (ctx) => {
@@ -7428,10 +7974,13 @@ const dash = (options) => {
 		endpoints: {
 			getDashConfig: getConfig(opts),
 			getDashUsers: getUsers(opts),
+			exportDashUsers: exportUsers(opts),
 			getOnlineUsersCount: getOnlineUsersCount(opts),
 			createDashUser: createUser(opts),
 			deleteDashUser: deleteUser(opts),
+			deleteManyDashUsers: deleteManyUsers(opts),
 			listDashOrganizations: listOrganizations(opts),
+			exportDashOrganizations: exportOrganizations(opts),
 			getDashOrganization: getOrganization(opts),
 			listDashOrganizationMembers: listOrganizationMembers(opts),
 			listDashOrganizationInvitations: listOrganizationInvitations(opts),
@@ -7446,6 +7995,7 @@ const dash = (options) => {
 			listDashTeamMembers: listTeamMembers(opts),
 			createDashOrganization: createOrganization(opts),
 			deleteDashOrganization: deleteOrganization(opts),
+			deleteManyDashOrganizations: deleteManyOrganizations(opts),
 			getDashOrganizationOptions: getOrganizationOptions(opts),
 			deleteDashSessions: deleteSessions(opts),
 			getDashUser: getUserDetails(opts),
@@ -7456,6 +8006,7 @@ const dash = (options) => {
 			listAllDashSessions: listAllSessions(opts),
 			dashRevokeSession: revokeSession(opts),
 			dashRevokeAllSessions: revokeAllSessions(opts),
+			dashRevokeManySessions: revokeManySessions(opts),
 			dashImpersonateUser: impersonateUser(opts),
 			updateDashOrganization: updateOrganization(opts),
 			createDashTeam: createTeam(opts),
@@ -7475,8 +8026,10 @@ const dash = (options) => {
 			dashGetUserRetentionData: getUserRetentionData(opts),
 			dashGetUserMapData: getUserMapData(opts),
 			dashBanUser: banUser(opts),
+			dashBanManyUsers: banManyUsers(opts),
 			dashUnbanUser: unbanUser(opts),
 			dashSendVerificationEmail: sendVerificationEmail(opts),
+			dashSendManyVerificationEmails: sendManyVerificationEmails(opts),
 			dashSendResetPasswordEmail: sendResetPasswordEmail(opts),
 			dashEnableTwoFactor: enableTwoFactor(opts),
 			dashViewTwoFactorTotpUri: viewTwoFactorTotpUri(opts),
@@ -7506,4 +8059,4 @@ const dash = (options) => {
 };
 
 //#endregion
-export { CHALLENGE_TTL, DEFAULT_DIFFICULTY, EMAIL_TEMPLATES, SMS_TEMPLATES, USER_EVENT_TYPES, createEmailSender, createSMSSender, dash, decodePoWChallenge, encodePoWSolution, sendEmail, sendSMS, sentinel, solvePoWChallenge, verifyPoWSolution };
+export { CHALLENGE_TTL, DEFAULT_DIFFICULTY, EMAIL_TEMPLATES, SMS_TEMPLATES, USER_EVENT_TYPES, createEmailSender, createSMSSender, dash, decodePoWChallenge, encodePoWSolution, sendBulkEmails, sendEmail, sendSMS, sentinel, solvePoWChallenge, verifyPoWSolution };