@brokr/sdk 1.0.0 → 2.0.0

package/dist/auth.mjs

@@ -1,26 +1,616 @@
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+// src/fix-registry.ts
+var FIX_REGISTRY = {
+  AUTH_TOKEN_INVALID: [
+    "\u2192 Run `brokr env pull --stack <name>` to refresh your token",
+    "\u2192 Or run `brokr link account` to re-authenticate"
+  ].join("\n"),
+  AUTH_SESSION_EXPIRED: [
+    "\u2192 Run `brokr link account` to re-authenticate"
+  ].join("\n"),
+  BROKR_TOKEN_MISSING: [
+    "\u2192 Run `brokr env pull --stack <name>` to sync your environment",
+    "\u2192 Or add BROKR_TOKEN to your .env.local manually"
+  ].join("\n"),
+  DATABASE_PROVISION_FAILED: [
+    "\u2192 Run `brokr status <stack>` to check current state",
+    "\u2192 Run `brokr retry <stack>` to re-trigger provisioning"
+  ].join("\n"),
+  DATABASE_QUOTA_REACHED: [
+    "\u2192 Upgrade your plan or delete unused databases",
+    "\u2192 Check usage at brokr.sh/billing"
+  ].join("\n"),
+  DATABASE_HEALTH_TIMEOUT: [
+    "\u2192 Run `brokr status <stack>` to check database state",
+    "\u2192 If persistent, check provider status page"
+  ].join("\n"),
+  DEPLOYMENT_FAILED: [
+    "\u2192 Run `brokr logs --stack <name>` to see build logs",
+    "\u2192 Fix the build error and run `brokr deploy`"
+  ].join("\n"),
+  DEPLOYMENT_RATE_LIMITED: [
+    "\u2192 Wait a minute and retry",
+    "\u2192 Vercel rate limits apply per project"
+  ].join("\n"),
+  REPO_ALREADY_EXISTS: [
+    "\u2192 Use a different stack name",
+    "\u2192 Or run `brokr status <stack>` to check the existing stack"
+  ].join("\n"),
+  REPO_CREATE_FAILED: [
+    "\u2192 Check your GitHub connection: `brokr link account`",
+    "\u2192 Ensure the Brokr GitHub App is installed"
+  ].join("\n"),
+  EMAIL_DOMAIN_FAILED: [
+    "\u2192 Check DNS records are propagated",
+    "\u2192 Run `brokr status <stack>` for details"
+  ].join("\n"),
+  DNS_RECORD_FAILED: [
+    "\u2192 Check Cloudflare dashboard for zone status",
+    "\u2192 Retry with `brokr retry <stack>`"
+  ].join("\n"),
+  INSUFFICIENT_CREDITS: [
+    "\u2192 Top up credits at brokr.sh/billing",
+    "\u2192 Or run `brokr billing topup`"
+  ].join("\n"),
+  AI_BUDGET_EXCEEDED: [
+    "\u2192 Top up credits at brokr.sh/billing",
+    "\u2192 Or run `brokr billing topup`"
+  ].join("\n"),
+  AI_PROVIDER_UNAVAILABLE: [
+    "\u2192 The AI provider is temporarily down",
+    "\u2192 Retry in a few seconds \u2014 this is usually transient"
+  ].join("\n"),
+  AI_MODEL_NOT_FOUND: [
+    "\u2192 Check the model name in your configuration",
+    "\u2192 See available models at brokr.sh/docs/ai-models"
+  ].join("\n"),
+  ENV_VAR_MISSING: [
+    "\u2192 Run `brokr env pull --stack <name>` to sync environment",
+    "\u2192 Check required vars in your template README"
+  ].join("\n"),
+  STACK_LIMIT_REACHED: [
+    "\u2192 Delete unused stacks with `brokr delete <stack>`",
+    "\u2192 Or upgrade your plan at brokr.sh/billing"
+  ].join("\n"),
+  STACK_NOT_FOUND: [
+    "\u2192 Check the stack name: `brokr list`",
+    "\u2192 Create a new stack: `brokr create --name <name>`"
+  ].join("\n"),
+  RATE_LIMITED: [
+    "\u2192 Wait a moment and retry",
+    "\u2192 If persistent, check brokr.sh/status"
+  ].join("\n"),
+  GATEWAY_AUTH_FAILED: [
+    "\u2192 Your BROKR_TOKEN may be expired",
+    "\u2192 Run `brokr env pull --stack <name>` to refresh"
+  ].join("\n"),
+  BROKR_TOKEN_INVALID: [
+    "\u2192 Your BROKR_TOKEN has expired or been revoked",
+    "\u2192 Run `brokr env pull --stack <name>` to get a fresh token"
+  ].join("\n"),
+  AI_STREAM_ERROR: [
+    "\u2192 The AI stream was interrupted",
+    "\u2192 Retry the request \u2014 this is usually transient"
+  ].join("\n"),
+  EMAIL_SEND_FAILED: [
+    "\u2192 Email delivery failed",
+    "\u2192 Check that your domain DNS is verified: `brokr status <stack>`"
+  ].join("\n"),
+  EMAIL_NOT_CONFIGURED: [
+    "\u2192 Email is not set up for this stack",
+    "\u2192 Add email capability: `brokr add email --stack <name>`"
+  ].join("\n"),
+  EMAIL_INVALID_FROM: [
+    "\u2192 The from address must match your verified domain",
+    "\u2192 Check your domain: `brokr status <stack>`"
+  ].join("\n"),
+  STORAGE_UPLOAD_FAILED: [
+    "\u2192 File upload failed",
+    "\u2192 Check file size limits and retry"
+  ].join("\n"),
+  STORAGE_NOT_FOUND: [
+    "\u2192 The requested file does not exist",
+    "\u2192 Check the key and try again"
+  ].join("\n"),
+  PAYMENTS_NOT_CONFIGURED: [
+    "\u2192 Payments are not set up for this stack",
+    "\u2192 Run `brokr payments sync` to configure Stripe"
+  ].join("\n"),
+  PAYMENTS_FAILED: [
+    "\u2192 Payment processing failed",
+    "\u2192 Check your Stripe dashboard for details"
+  ].join("\n"),
+  GATEWAY_INTERNAL: [
+    "\u2192 The Brokr gateway encountered an internal error",
+    "\u2192 Check brokr.sh/status for service health"
+  ].join("\n"),
+  UPSTREAM_ERROR: [
+    "\u2192 An upstream service is temporarily unavailable",
+    "\u2192 Retry in a few seconds \u2014 this is usually transient"
+  ].join("\n"),
+  NETWORK_ERROR: [
+    "\u2192 Could not reach the Brokr gateway",
+    "\u2192 Check your internet connection",
+    "\u2192 Check brokr.sh/status for service health"
+  ].join("\n"),
+  TIMEOUT: [
+    "\u2192 Request timed out",
+    "\u2192 Retry \u2014 if persistent, check brokr.sh/status"
+  ].join("\n")
 };
 
-// src/runtime.ts
-var BrokrError;
-var init_runtime = __esm({
-  "src/runtime.ts"() {
-    "use strict";
-    BrokrError = class extends Error {
-      constructor(message, code, capability, retryable = false) {
-        super(message);
-        this.code = code;
-        this.capability = capability;
-        this.retryable = retryable;
-        this.name = "BrokrError";
-      }
+// src/errors.ts
+var BrokrError = class extends Error {
+  constructor(message, code, capability, retryable = false, errorCode, requestId, hint) {
+    super(message);
+    this.code = code;
+    this.capability = capability;
+    this.retryable = retryable;
+    this.errorCode = errorCode;
+    this.requestId = requestId;
+    this.hint = hint;
+    this.name = "BrokrError";
+  }
+  /** Multi-line terminal fix block — looked up from error code. */
+  get fix() {
+    if (!this.errorCode) return void 0;
+    return FIX_REGISTRY[this.errorCode];
+  }
+  /** Documentation URL for this error code. */
+  get docsUrl() {
+    if (!this.errorCode) return void 0;
+    return `https://brokr.sh/errors/${this.errorCode.toLowerCase().replace(/_/g, "-")}`;
+  }
+  /** Safe message for end users — zero technical language. */
+  toUserMessage() {
+    switch (this.code) {
+      case "RATE_LIMITED":
+        return "Please wait a moment and try again.";
+      case "TIMEOUT":
+        return "The request took too long. Please try again.";
+      case "NETWORK_ERROR":
+        return "Connection issue. Check your internet and try again.";
+      case "BROKR_TOKEN_MISSING":
+        return "App is not connected to Brokr. Contact the developer.";
+      case "BROKR_TOKEN_INVALID":
+        return "Session expired. Please refresh.";
+      case "AI_BUDGET_EXCEEDED":
+        return "AI usage limit reached. The developer needs to add credits.";
+      case "AI_PROVIDER_UNAVAILABLE":
+        return "AI service is temporarily down. Please retry shortly.";
+      case "AI_PROVIDER_RATE_LIMITED":
+        return "Too many AI requests. Please wait a moment.";
+      case "INSUFFICIENT_CREDITS":
+        return "Not enough credits. Please top up your balance.";
+      case "STORAGE_UPLOAD_FAILED":
+        return "File upload failed. Please try again.";
+      case "STORAGE_NOT_FOUND":
+        return "File not found.";
+      case "EMAIL_SEND_FAILED":
+        return "Email could not be sent. Please try again.";
+      case "EMAIL_NOT_CONFIGURED":
+        return "Email is not set up for this app.";
+      case "PAYMENTS_NOT_CONFIGURED":
+        return "Payments are not configured. Contact the developer.";
+      case "PAYMENTS_FAILED":
+        return "Payment processing failed. Please try again.";
+      case "NOT_FOUND":
+        return "The requested resource was not found.";
+      case "VALIDATION_ERROR":
+        return "Invalid input. Please check your data and try again.";
+      default:
+        return "Something went wrong. We're looking into it.";
+    }
+  }
+  toString() {
+    return `${this.name} [${this.errorCode ?? this.code}]: ${this.message}`;
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      errorCode: this.errorCode,
+      message: this.message,
+      capability: this.capability,
+      retryable: this.retryable,
+      requestId: this.requestId,
+      hint: this.hint,
+      component: this.component
     };
   }
-});
+};
 
 // src/auth.ts
+function resolveAppUrl(appUrl) {
+  if (appUrl) return appUrl;
+  throw new BrokrError(
+    "[brokr] BROKR_AUTH_URL is not set. Auth may not be provisioned.",
+    "AUTH_NOT_CONFIGURED",
+    "auth"
+  );
+}
+function mapSessionUser(raw) {
+  return {
+    id: raw.id,
+    email: raw.email,
+    name: raw.name ?? null,
+    image: raw.image ?? null,
+    emailVerified: raw.emailVerified ? /* @__PURE__ */ new Date() : null
+  };
+}
+function pluralizeResource(resource) {
+  if (resource.endsWith("s")) return resource;
+  if (resource.endsWith("y") && !/[aeiou]y$/i.test(resource)) return resource.slice(0, -1) + "ies";
+  return resource + "s";
+}
+function validateSqlIdentifier(name, label) {
+  if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name)) {
+    throw new BrokrError(
+      `[brokr] Invalid ${label}: "${name}". Must be alphanumeric with underscores only.`,
+      "INVALID_IDENTIFIER",
+      "auth"
+    );
+  }
+}
+var _ownershipPool = null;
+async function getOwnershipPool(dbUrl) {
+  let Pool;
+  try {
+    const mod = await import("@neondatabase/serverless");
+    Pool = mod.Pool;
+  } catch {
+    throw new BrokrError(
+      "[brokr] @neondatabase/serverless is required for ownership checks. Run: npm install @neondatabase/serverless",
+      "MISSING_DEPENDENCY",
+      "auth"
+    );
+  }
+  if (_ownershipPool && _ownershipPool.dbUrl === dbUrl) {
+    return _ownershipPool.pool;
+  }
+  const pool = new Pool({ connectionString: dbUrl, max: 3 });
+  _ownershipPool = { pool, dbUrl };
+  return pool;
+}
+async function authApiFetch(appUrl, path, options) {
+  const headers = { "Content-Type": "application/json" };
+  if (options?.cookies) headers.cookie = options.cookies;
+  if (typeof window === "undefined") {
+    headers.Origin = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_APP_URL ?? process.env.APP_URL ?? process.env.BROKR_AUTH_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : void 0) ?? appUrl;
+  }
+  const res = await fetch(`${appUrl}${path}`, {
+    method: options?.method ?? "GET",
+    headers,
+    body: options?.body ? JSON.stringify(options.body) : void 0
+  });
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new BrokrError(
+      data.message ?? `[brokr] Auth API call failed (HTTP ${res.status})`,
+      "AUTH_API_FAILED",
+      "auth"
+    );
+  }
+  return res.json();
+}
+var BrokrAuthClient = class {
+  constructor(_token, _gatewayUrl, appUrl) {
+    this._appUrl = appUrl ?? (typeof process !== "undefined" ? process.env.BROKR_AUTH_URL : void 0);
+  }
+  // -------------------------------------------------------------------------
+  // Identity — read user/session from incoming request
+  // -------------------------------------------------------------------------
+  /**
+   * Get user from request headers. Returns null if not authenticated.
+   * Calls the app's own Better Auth API.
+   */
+  async user(headers) {
+    const session = await this.session(headers);
+    return session?.user ?? null;
+  }
+  /**
+   * Get user from request headers. Throws 401 if not authenticated.
+   */
+  async requireUser(headers) {
+    const u = await this.user(headers);
+    if (!u) {
+      throw new BrokrError("[brokr] Authentication required. The request has no valid session. Check that cookies are being forwarded.", "UNAUTHORIZED", "auth");
+    }
+    return u;
+  }
+  /**
+   * Get full session from request headers. Returns null if not authenticated.
+   */
+  async session(headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookieHeader = headers.get("cookie") ?? "";
+    if (!cookieHeader) return null;
+    const res = await fetch(`${appUrl}/api/auth/get-session`, {
+      method: "GET",
+      headers: { cookie: cookieHeader }
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (!data?.user || !data?.session) return null;
+    return {
+      user: mapSessionUser(data.user),
+      sessionId: data.session.id,
+      expiresAt: new Date(data.session.expiresAt)
+    };
+  }
+  /**
+   * Get full session. Throws 401 if not authenticated.
+   */
+  async requireSession(headers) {
+    const s = await this.session(headers);
+    if (!s) {
+      throw new BrokrError("[brokr] Authentication required. The request has no valid session. Check that cookies are being forwarded.", "UNAUTHORIZED", "auth");
+    }
+    return s;
+  }
+  // -------------------------------------------------------------------------
+  // Legacy aliases (backward compat)
+  // -------------------------------------------------------------------------
+  /** @deprecated Use user(request.headers) instead. */
+  async currentUser(request) {
+    return this.user(request.headers);
+  }
+  /** @deprecated Use session(request.headers) instead. */
+  async getSession(request) {
+    return this.session(request.headers);
+  }
+  // -------------------------------------------------------------------------
+  // Auth actions — call Better Auth endpoints on the stack's app
+  // -------------------------------------------------------------------------
+  /**
+   * Sign in with email and password.
+   */
+  async signIn(params) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const data = await authApiFetch(appUrl, "/api/auth/sign-in/email", {
+      method: "POST",
+      body: params
+    });
+    return {
+      user: mapSessionUser(data.user),
+      sessionId: data.session.id,
+      expiresAt: new Date(data.session.expiresAt)
+    };
+  }
+  /**
+   * Sign in with OAuth provider. Returns redirect URL.
+   */
+  async signInWithProvider(provider, options) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const redirectTo = options?.redirectTo ?? "/";
+    if (!redirectTo.startsWith("/") || redirectTo.startsWith("//")) {
+      throw new BrokrError("[brokr] redirectTo must be a relative path (start with /)", "INVALID_REDIRECT", "auth");
+    }
+    if (!/^[a-z][a-z0-9_-]*$/.test(provider)) {
+      throw new BrokrError(`[brokr] Invalid provider name: "${provider}". Must be lowercase alphanumeric.`, "INVALID_PROVIDER", "auth");
+    }
+    const params = new URLSearchParams({ provider, callbackURL: redirectTo });
+    return { redirectUrl: `${appUrl}/api/auth/sign-in/social?${params}` };
+  }
+  /**
+   * Sign up with email and password.
+   */
+  async signUp(params) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const data = await authApiFetch(appUrl, "/api/auth/sign-up/email", {
+      method: "POST",
+      body: params
+    });
+    return {
+      user: mapSessionUser(data.user),
+      sessionId: data.session.id,
+      expiresAt: new Date(data.session.expiresAt)
+    };
+  }
+  /**
+   * Sign out the current user.
+   */
+  async signOut(headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookies = headers?.get("cookie") ?? "";
+    await authApiFetch(appUrl, "/api/auth/sign-out", {
+      method: "POST",
+      cookies
+    });
+  }
+  /**
+   * Send a magic link email.
+   */
+  async sendMagicLink(email, options) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    await authApiFetch(appUrl, "/api/auth/magic-link/send", {
+      method: "POST",
+      body: { email, callbackURL: options?.redirectTo ?? "/" }
+    });
+  }
+  /**
+   * Send a password reset email.
+   */
+  async sendPasswordReset(params) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    await authApiFetch(appUrl, "/api/auth/forget-password", {
+      method: "POST",
+      body: params
+    });
+  }
+  /**
+   * Reset password with token from email.
+   */
+  async resetPassword(params) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    await authApiFetch(appUrl, "/api/auth/reset-password", {
+      method: "POST",
+      body: { token: params.token, newPassword: params.password }
+    });
+  }
+  /**
+   * Verify email with token from email.
+   */
+  async verifyEmail(params) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    await authApiFetch(appUrl, "/api/auth/verify-email", {
+      method: "POST",
+      body: params
+    });
+  }
+  /**
+   * Update the current user's profile.
+   */
+  async updateUser(params, headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookies = headers?.get("cookie") ?? "";
+    await authApiFetch(appUrl, "/api/auth/update-user", {
+      method: "POST",
+      body: params,
+      cookies
+    });
+  }
+  // -------------------------------------------------------------------------
+  // Session management
+  // -------------------------------------------------------------------------
+  /** Session management sub-client. */
+  get sessions() {
+    if (!this._sessions) {
+      this._sessions = new BrokrSessionsClient(this._appUrl);
+    }
+    return this._sessions;
+  }
+  // -------------------------------------------------------------------------
+  // Ownership — queries the stack's own DB via gateway → server
+  // -------------------------------------------------------------------------
+  /**
+   * Check if the current user owns a resource. Throws 403 if not.
+   *
+   * Queries the developer's own database directly via DATABASE_URL.
+   * Convention: pluralizes resource name → table, assumes `id` PK + `user_id` owner column.
+   * Override with `opts.table` and `opts.ownerColumn` for non-standard schemas.
+   *
+   * @example
+   * ```ts
+   * await brokr.auth.requireOwner('conversation', conversationId, request.headers);
+   * // Under the hood: SELECT 1 FROM conversations WHERE id = $1 AND user_id = $2
+   * ```
+   */
+  async requireOwner(resource, id, headers, opts) {
+    const isOwner = await this.isOwner(resource, id, headers, opts);
+    if (!isOwner) {
+      throw new BrokrError(
+        `[brokr] Access denied \u2014 current user does not own this ${resource}. Verify the resource ID and that the user is the owner.`,
+        "FORBIDDEN",
+        "auth"
+      );
+    }
+  }
+  /**
+   * Check if the current user owns a resource. Returns boolean.
+   *
+   * Runs a direct query against the developer's database (DATABASE_URL).
+   * No gateway round-trip — this is a local DB operation.
+   */
+  async isOwner(resource, id, headers, opts) {
+    const user = await this.requireUser(headers);
+    const dbUrl = typeof process !== "undefined" ? process.env.DATABASE_URL : void 0;
+    if (!dbUrl) {
+      throw new BrokrError(
+        "[brokr] DATABASE_URL is not set. Cannot check ownership without a database.",
+        "DB_NOT_CONFIGURED",
+        "auth"
+      );
+    }
+    const tableName = opts?.table ?? pluralizeResource(resource);
+    const ownerCol = opts?.ownerColumn ?? "user_id";
+    validateSqlIdentifier(tableName, "table name");
+    validateSqlIdentifier(ownerCol, "owner column");
+    const pool = await getOwnershipPool(dbUrl);
+    try {
+      const result = await pool.query(
+        `SELECT 1 FROM "${tableName}" WHERE id = $1 AND "${ownerCol}" = $2 LIMIT 1`,
+        [id, user.id]
+      );
+      return (result.rowCount ?? 0) > 0;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[brokr] Ownership check error:", msg);
+      if (msg.includes("does not exist")) {
+        throw new BrokrError(
+          `[brokr] Table "${tableName}" does not exist. Check your resource name or provide { table: '...' }.`,
+          "TABLE_NOT_FOUND",
+          "auth"
+        );
+      }
+      throw new BrokrError(
+        "[brokr] Ownership check failed. Check your DATABASE_URL and that the database is accessible.",
+        "DB_QUERY_FAILED",
+        "auth"
+      );
+    }
+  }
+  /**
+   * Check if the current user matches a specific userId. Throws 403 if not.
+   */
+  async requireCurrentUser(userId, headers) {
+    const user = await this.requireUser(headers);
+    if (user.id !== userId) {
+      throw new BrokrError("[brokr] Access denied.", "FORBIDDEN", "auth");
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Legacy alias
+  // -------------------------------------------------------------------------
+  /** @deprecated Use signInWithProvider() instead. */
+  async getOAuthUrl(provider, options) {
+    return this.signInWithProvider(provider, options);
+  }
+};
+var BrokrSessionsClient = class {
+  constructor(appUrl) {
+    this._appUrl = appUrl;
+  }
+  /**
+   * List all active sessions for the current user.
+   */
+  async list(headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookies = headers.get("cookie") ?? "";
+    const data = await authApiFetch(appUrl, "/api/auth/list-sessions", { cookies });
+    const sessionToken = parseCookieValue(cookies, "better-auth.session_token") ?? parseCookieValue(cookies, "__Secure-better-auth.session_token");
+    return data.map((s) => ({
+      id: s.id,
+      createdAt: new Date(s.createdAt),
+      expiresAt: new Date(s.expiresAt),
+      userAgent: s.userAgent,
+      ipAddress: s.ipAddress,
+      isCurrent: s.token === sessionToken
+    }));
+  }
+  /**
+   * Revoke a specific session by ID.
+   */
+  async revoke(sessionId, headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookies = headers.get("cookie") ?? "";
+    await authApiFetch(appUrl, "/api/auth/revoke-session", {
+      method: "POST",
+      body: { id: sessionId },
+      cookies
+    });
+  }
+  /**
+   * Revoke all sessions except the current one.
+   */
+  async revokeOthers(headers) {
+    const appUrl = resolveAppUrl(this._appUrl);
+    const cookies = headers.get("cookie") ?? "";
+    await authApiFetch(appUrl, "/api/auth/revoke-other-sessions", {
+      method: "POST",
+      cookies
+    });
+  }
+};
 function parseCookies(cookieHeader) {
   const cookies = /* @__PURE__ */ new Map();
   for (const pair of cookieHeader.split(";")) {
@@ -32,6 +622,9 @@ function parseCookies(cookieHeader) {
   }
   return cookies;
 }
+function parseCookieValue(cookieHeader, name) {
+  return parseCookies(cookieHeader).get(name);
+}
 function authMiddleware(options) {
   const { protectedRoutes = [], publicOnlyRoutes = [] } = options;
   return async function middleware(request) {
@@ -42,7 +635,7 @@ function authMiddleware(options) {
     if (!isProtected && !isPublicOnly) return void 0;
     const cookieHeader = request.headers.get("cookie") ?? "";
     const cookies = parseCookies(cookieHeader);
-    const hasSession = cookies.has("better-auth.session_token");
+    const hasSession = cookies.has("better-auth.session_token") || cookies.has("__Secure-better-auth.session_token");
     if (isProtected && !hasSession) {
       return Response.redirect(new URL("/sign-in", request.url).toString(), 302);
     }
@@ -52,99 +645,6 @@ function authMiddleware(options) {
     return void 0;
   };
 }
-var BrokrAuthClient;
-var init_auth = __esm({
-  "src/auth.ts"() {
-    init_runtime();
-    BrokrAuthClient = class {
-      constructor(token, gatewayUrl, appUrl) {
-        this._token = token;
-        this._gatewayUrl = gatewayUrl;
-        this._appUrl = appUrl ?? (typeof process !== "undefined" ? process.env.BETTER_AUTH_URL : void 0);
-      }
-      /**
-       * Get current user from an incoming request's cookies.
-       * Calls the local Better Auth API (runs inside your app).
-       */
-      async currentUser(request) {
-        const session = await this.getSession(request);
-        return session?.user ?? null;
-      }
-      /**
-       * Get the full session (user + metadata) from an incoming request.
-       * Calls the local Better Auth API.
-       */
-      async getSession(request) {
-        const appUrl = this._appUrl;
-        if (!appUrl) {
-          throw new BrokrError(
-            "[brokr] BETTER_AUTH_URL is not set. Auth may not be provisioned.",
-            "AUTH_NOT_CONFIGURED",
-            "auth"
-          );
-        }
-        const cookieHeader = request.headers.get("cookie") ?? "";
-        if (!cookieHeader) return null;
-        const res = await fetch(`${appUrl}/api/auth/get-session`, {
-          method: "GET",
-          headers: { cookie: cookieHeader }
-        });
-        if (!res.ok) return null;
-        const data = await res.json();
-        if (!data?.user || !data?.session) return null;
-        return {
-          user: {
-            id: data.user.id,
-            email: data.user.email,
-            name: data.user.name ?? null,
-            avatarUrl: data.user.image ?? null,
-            emailVerified: data.user.emailVerified ? /* @__PURE__ */ new Date() : null
-          },
-          sessionId: data.session.id,
-          expiresAt: new Date(data.session.expiresAt)
-        };
-      }
-      /**
-       * Generate an OAuth authorization URL.
-       */
-      async getOAuthUrl(provider, options) {
-        const appUrl = this._appUrl;
-        if (!appUrl) {
-          throw new BrokrError("[brokr] BETTER_AUTH_URL is not set.", "AUTH_NOT_CONFIGURED", "auth");
-        }
-        const redirectTo = options?.redirectTo ?? "/";
-        if (!redirectTo.startsWith("/") || redirectTo.startsWith("//")) {
-          throw new BrokrError("[brokr] redirectTo must be a relative path (start with /)", "INVALID_REDIRECT", "auth");
-        }
-        const params = new URLSearchParams({ callbackURL: redirectTo });
-        return { redirectUrl: `${appUrl}/api/auth/sign-in/social?provider=${provider}&${params}` };
-      }
-      /**
-       * Send a magic link email (requires email capability).
-       */
-      async sendMagicLink(email, options) {
-        const appUrl = this._appUrl;
-        if (!appUrl) {
-          throw new BrokrError("[brokr] BETTER_AUTH_URL is not set.", "AUTH_NOT_CONFIGURED", "auth");
-        }
-        const res = await fetch(`${appUrl}/api/auth/magic-link/send`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ email, callbackURL: options?.redirectTo ?? "/" })
-        });
-        if (!res.ok) {
-          const data = await res.json().catch(() => ({}));
-          throw new BrokrError(
-            data.message ?? `[brokr] Failed to send magic link (HTTP ${res.status})`,
-            "AUTH_MAGIC_LINK_FAILED",
-            "auth"
-          );
-        }
-      }
-    };
-  }
-});
-init_auth();
 export {
   BrokrAuthClient,
   authMiddleware