@henosia/app-next 1.0.4 → 1.0.6

package/.agents/skills/henosia-app-next/SKILL.md

@@ -16,8 +16,8 @@ enabled: false # flip to true to enable during Henosia Auth integration in proje
 
 `@henosia/app-next` is the Henosia integration for Next.js apps. It provides:
 
-- Henosia Auth middleware (pre-check + token refresh + optional Supabase session exchange).
-- better-auth and Henosia Platform catch-all Route Handlers.
+- Henosia Auth middleware (edge-safe session-cookie pre-check that delegates server-only session sync to the auth route).
+- better-auth and Henosia Platform catch-all Route Handlers, including token refresh, organization-context sync, and optional Supabase session exchange.
 - A React `authClient` (better-auth) and a `useAppSwitcher` hook.
 - Optional Supabase server/browser client factories.
 - Server-side auth guards — see the **`henosia-auth-guards` skill** for those
@@ -27,7 +27,7 @@ enabled: false # flip to true to enable during Henosia Auth integration in proje
 ## Authoritative reference
 
 For complete and up-to-date package usage details (peer dependencies, subpath
-exports, Supabase exchange behavior, app-switcher hook options), read:
+exports, middleware-backed route-handler session sync, Supabase exchange behavior, app-switcher hook options), read:
 
 - `node_modules/@henosia/app-next/README.md`
 
@@ -171,13 +171,14 @@ README section.
 12. **(Optional) Add Supabase helpers.** When `NEXT_PUBLIC_SUPABASE_URL` is
     set in the Henosia builder env, install the Supabase peer deps and copy
     `lib/supabase/server.ts` and `lib/supabase/client.ts` from the template.
-    The middleware automatically exchanges the Henosia Auth token for a
-    Supabase session — no extra wiring required. See README "5. (Optional)
-    Supabase helpers".
+    The Henosia Auth middleware delegates to the auth route handler, which
+    exchanges the Henosia Auth token for a Supabase session before protected
+    requests render and during session refresh — no extra wiring required. See
+    README "5. (Optional) Supabase helpers".
 13. **Protect every non-public page, layout, server action, and route
     handler.** Use the **`henosia-auth-guards` skill**. The middleware is a
-    pre-check only — it does **not** satisfy the per-route authorization
-    requirement.
+    pre-check and session-sync entrypoint only — it does **not** satisfy the
+    per-route authorization requirement.
 14. Carefully remove the old auth flow components and routes that Henosia Auth replaces 
 
 ## Subpath imports cheat sheet

package/README.md

@@ -1,6 +1,6 @@
 # @henosia/app-next
 
-Henosia integration for Next.js apps: Provides middleware and better-auth setup for Henosia Auth, Henosia Platform API route handlers, and (optionally) automatic Supabase sign in.
+Henosia integration for Next.js apps: Provides edge-safe middleware, better-auth setup for Henosia Auth, Henosia Platform API route handlers, and (optionally) automatic Supabase sign in.
 
 ## Installation
 
@@ -133,13 +133,18 @@ import {
 ```
 
 `requireHenosiaAuth` or `routeWithHenosiaAuth` MUST be called from any protected page/route handler/server action — the
-middleware only performs a fast pre-check.
+middleware is only the request pre-check and session-sync entrypoint. It keeps the middleware bundle Edge-safe by
+delegating token refresh, organization-context cookie updates, and optional Supabase session exchange to the
+`/api/auth/henosia-session-sync` route handled by the auth catch-all route.
+
+The sync route is mounted automatically when you re-export `GET, POST` from `@henosia/app-next/api/auth`; no extra app
+route is required.
 
 ## App-switcher hook
 
 `@henosia/app-next/platform/app-switcher` exposes the `useAppSwitcher` React hook used to build a custom
-app-switcher UI. It reads the current organization context from the cookie set by the middleware and queries
-the catch-all platform route mounted in [step 3](#3-henosia-platform-catch-all-route).
+app-switcher UI. It reads the current organization context from the catch-all platform route mounted in
+[step 3](#3-henosia-platform-catch-all-route), with the cached organization cookie as an immediate fallback.
 
 Requires a `@tanstack/react-query` `QueryClientProvider` higher up in the tree.
 

package/dist/api/auth.d.mts

@@ -1,6 +1,8 @@
 
+import { NextRequest } from "next/server.js";
+
 //#region src/api/auth.d.ts
-declare const GET: (request: Request) => Promise<Response>;
+declare const GET: (request: NextRequest) => Promise<Response>;
 declare const POST: (request: Request) => Promise<Response>;
 //#endregion
 export { GET, POST };

package/dist/api/auth.mjs

@@ -1,6 +1,10 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { auth } from "../auth/server.mjs";
+import "../shared.mjs";
+import { o as getSetCookieHeaders } from "../middleware-shared-CZbIZuBw.mjs";
+import { auth, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
+import { n as syncHenosiaAuthSession, t as handleHenosiaAuthSessionSync } from "../session-sync-Cva_oreV.mjs";
 import { toNextJsHandler } from "better-auth/next-js";
+import { NextResponse } from "next/server.js";
 //#region src/api/auth.ts
 /**
 * Catch-all Next.js route handler for better-auth.
@@ -12,7 +16,33 @@ import { toNextJsHandler } from "better-auth/next-js";
 * ```
 */
 const handlers = toNextJsHandler(auth);
-const GET = handlers.GET;
+const GET = async (request) => {
+	const { pathname } = new URL(request.url);
+	if (pathname === "/api/auth/henosia-session-sync") return handleHenosiaAuthSessionSync(request);
+	if (pathname !== "/api/auth/get-session") return handlers.GET(request);
+	let verified = null;
+	const refreshedCookieResponse = new NextResponse(null);
+	try {
+		verified = await verifyHenosiaAuthToken(request);
+		verified.transferBetterAuthCookiesToNext(request, refreshedCookieResponse);
+	} catch (e) {
+		if (!isUnauthorizedException(e)) {
+			console.error("[Henosia Auth] get-session refresh error", e);
+			throw e;
+		}
+	}
+	const betterAuthResponse = await handlers.GET(request);
+	const response = new NextResponse(betterAuthResponse.body, {
+		headers: betterAuthResponse.headers,
+		status: betterAuthResponse.status,
+		statusText: betterAuthResponse.statusText
+	});
+	if (verified) {
+		for (const setCookie of getSetCookieHeaders(refreshedCookieResponse.headers)) response.headers.append("set-cookie", setCookie);
+		await syncHenosiaAuthSession(request, response, verified, { transferBetterAuthCookies: false });
+	}
+	return response;
+};
 const POST = handlers.POST;
 //#endregion
 export { GET, POST };

package/dist/api/platform.mjs

@@ -1,31 +1,67 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_INVALID_SESSION_BODY } from "../shared.mjs";
 import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
 import { applySecurityHeaders } from "../auth/server-guards.mjs";
+import { r as syncOrganizationContextCookie } from "../session-sync-Cva_oreV.mjs";
+import { NextResponse } from "next/server.js";
 //#region src/api/platform/v1/app-switcher.ts
 /**
 * Handler for the Henosia Platform `app-switcher` endpoint.
 * Proxies the authenticated request to the Henosia Auth platform service using the verified id token.
 */
 async function handleAppSwitcher(request) {
+	let verified = null;
 	try {
-		const { accessTokenResponse } = await verifyHenosiaAuthToken(request);
+		verified = await verifyHenosiaAuthToken(request);
 		const fetchUrl = new URL(henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get());
 		fetchUrl.pathname = request.nextUrl.pathname;
 		const response = await fetch(fetchUrl, {
 			method: "GET",
 			redirect: "error",
-			headers: { authorization: `Bearer ${accessTokenResponse.idToken}` }
+			headers: { authorization: `Bearer ${verified.accessTokenResponse.idToken}` }
 		});
-		return applySecurityHeaders(Response.json(await response.json(), {
+		if (!response.ok) {
+			const nextResponse = createUpstreamResponse(response);
+			applySecurityHeaders(nextResponse);
+			return applyVerifiedAuthCookies(request, nextResponse, verified);
+		}
+		const body = await response.json();
+		const responseBody = isObjectRecord(body) ? body : {};
+		const nextResponse = NextResponse.json({
+			...responseBody,
+			organization: verified.payload["https://henosia.com/organization"] ?? null
+		}, {
 			status: response.status,
 			statusText: response.statusText
-		}));
+		});
+		applySecurityHeaders(nextResponse);
+		return applyVerifiedAuthCookies(request, nextResponse, verified);
 	} catch (e) {
-		if (isUnauthorizedException(e)) return Response.json({ error: "Your session is invalid or expired. Please reload the page to sign in again." }, { status: 401 });
+		if (isUnauthorizedException(e)) return applySecurityHeaders(NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 }));
 		console.error("[Henosia Platform] App Switcher API error", e);
-		return Response.json({ error: "Server error" }, { status: 500 });
+		const response = NextResponse.json({ error: "Server error" }, { status: 500 });
+		applySecurityHeaders(response);
+		return verified ? applyVerifiedAuthCookies(request, response, verified) : response;
 	}
 }
+function applyVerifiedAuthCookies(request, response, verified) {
+	verified.transferBetterAuthCookiesToNext(request, response);
+	syncOrganizationContextCookie(request, response, verified.payload);
+	return response;
+}
+function createUpstreamResponse(response) {
+	const headers = new Headers();
+	const contentType = response.headers.get("content-type");
+	if (contentType) headers.set("content-type", contentType);
+	return new NextResponse(response.body, {
+		headers,
+		status: response.status,
+		statusText: response.statusText
+	});
+}
+function isObjectRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 //#endregion
 //#region src/api/platform.ts
 /**

package/dist/auth/middleware.d.mts

@@ -23,31 +23,16 @@ interface HenosiaAuthMiddlewareOptions {
   additionalUnauthenticatedPathNamePrefixes?: ReadonlyArray<string>;
 }
 /**
- * Creates a Next.js middleware function that performs the Henosia Auth pre-check.
+ * Creates a Next.js middleware function that performs the Henosia Auth edge pre-check.
  *
  * The returned function:
- * - Returns a redirect to the sign-in page when no valid session cookie is present.
- * - Verifies the Henosia Auth JWT, transferring any refreshed cookies onto the response.
- * - Optionally exchanges the Henosia Auth token for a Supabase session if `NEXT_PUBLIC_SUPABASE_URL` is set.
- * - Returns the resulting `NextResponse` (a `NextResponse.next({ request })` when authenticated, a redirect or
- *   401 JSON response otherwise) so the caller can compose additional logic on top.
+ * - Returns a redirect to the sign-in page when no session cookie is present.
+ * - Returns a 401 JSON response for non-GET requests without a session cookie.
+ * - Delegates token refresh, organization-context sync, and optional Supabase exchange to the server auth route.
+ * - Avoids importing the server auth graph so the middleware can be bundled for Edge runtimes.
  *
  * **Important**: this middleware performs an auth *pre-check*. Authorization MUST still be performed at the
- * relevant pages and route handlers using {@link verifyHenosiaAuthToken}.
- *
- * @example Composing with custom logic
- * ```ts
- * import { type NextRequest, NextResponse } from 'next/server'
- * import { createHenosiaAuthMiddleware } from '@henosia/app-next/middleware'
- *
- * const henosiaAuth = createHenosiaAuthMiddleware()
- *
- * export async function middleware(request: NextRequest) {
- *   // Add app-specific logic here ...
- *   return await henosiaAuth(request)
- * }
- *
- * ```
+ * relevant pages and route handlers using `requireHenosiaAuth` or `routeWithHenosiaAuth` from `@henosia/app-next`.
  */
 declare function createHenosiaAuthMiddleware(options?: HenosiaAuthMiddlewareOptions): (request: NextRequest) => Promise<NextResponse>;
 //#endregion

package/dist/auth/middleware.mjs

@@ -1,57 +1,19 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "../shared.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, cookiePrefix, henosiaAuthConfig, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
-import { getSessionCookie } from "better-auth/cookies";
+import { HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
+import { a as getHenosiaSessionCookie, c as removeCachedAccountData, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as getSetCookieHeaders, r as applySetCookieHeadersToRequestHeaders, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../middleware-shared-CZbIZuBw.mjs";
 import { NextResponse } from "next/server.js";
-//#region src/auth/utils.ts
-function delayWithCancel(delayMs) {
-	let timer;
-	let reject = null;
-	const promise = new Promise((resolve, _reject) => {
-		reject = _reject;
-		timer = setTimeout(() => resolve(), delayMs);
-	});
-	const cancel = () => {
-		clearTimeout(timer);
-		queueMicrotask(() => {
-			reject();
-			reject = null;
-		});
-	};
-	return {
-		promise,
-		cancel
-	};
-}
-//#endregion
 //#region src/auth/middleware.ts
-const INVALID_SESSION_BODY = { error: "Your session is invalid or expired. Please reload the page to sign in again." };
 /**
-* Creates a Next.js middleware function that performs the Henosia Auth pre-check.
+* Creates a Next.js middleware function that performs the Henosia Auth edge pre-check.
 *
 * The returned function:
-* - Returns a redirect to the sign-in page when no valid session cookie is present.
-* - Verifies the Henosia Auth JWT, transferring any refreshed cookies onto the response.
-* - Optionally exchanges the Henosia Auth token for a Supabase session if `NEXT_PUBLIC_SUPABASE_URL` is set.
-* - Returns the resulting `NextResponse` (a `NextResponse.next({ request })` when authenticated, a redirect or
-*   401 JSON response otherwise) so the caller can compose additional logic on top.
+* - Returns a redirect to the sign-in page when no session cookie is present.
+* - Returns a 401 JSON response for non-GET requests without a session cookie.
+* - Delegates token refresh, organization-context sync, and optional Supabase exchange to the server auth route.
+* - Avoids importing the server auth graph so the middleware can be bundled for Edge runtimes.
 *
 * **Important**: this middleware performs an auth *pre-check*. Authorization MUST still be performed at the
-* relevant pages and route handlers using {@link verifyHenosiaAuthToken}.
-*
-* @example Composing with custom logic
-* ```ts
-* import { type NextRequest, NextResponse } from 'next/server'
-* import { createHenosiaAuthMiddleware } from '@henosia/app-next/middleware'
-*
-* const henosiaAuth = createHenosiaAuthMiddleware()
-*
-* export async function middleware(request: NextRequest) {
-*   // Add app-specific logic here ...
-*   return await henosiaAuth(request)
-* }
-*
-* ```
+* relevant pages and route handlers using `requireHenosiaAuth` or `routeWithHenosiaAuth` from `@henosia/app-next`.
 */
 function createHenosiaAuthMiddleware(options = {}) {
 	const unauthenticatedPathNames = new Set([...HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, ...options.additionalUnauthenticatedPathNames ?? []]);
@@ -59,98 +21,51 @@ function createHenosiaAuthMiddleware(options = {}) {
 	if (unauthenticatedPathNamePrefixes.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes in additionalUnauthenticatedPathNamePrefixes. Values must be non-empty sub paths ending with slash");
 	if (unauthenticatedPathNames.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/' in additionalUnauthenticatedPathNames. Values must be non-root paths`);
 	return async function henosiaAuthMiddleware(request) {
-		const response = NextResponse.next({ request });
 		const { pathname } = request.nextUrl;
-		if (pathname === "/sign-in") removeCachedAccountData(response);
-		if (pathname === "/api/auth/get-session") {
-			try {
-				const { transferBetterAuthCookiesToNext } = await verifyHenosiaAuthToken(request);
-				transferBetterAuthCookiesToNext(request, response);
-			} catch (e) {
-				if (!isUnauthorizedException(e)) {
-					console.error("[Henosia Auth] Middleware error", e);
-					throw e;
-				}
-			}
+		if (pathname === "/sign-in") {
+			const response = NextResponse.next({ request });
+			removeCachedAccountData(response);
 			return response;
 		}
-		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return response;
-		if (!getSessionCookie(request, { cookiePrefix })) {
-			if (request.method !== "GET") return NextResponse.json(INVALID_SESSION_BODY, { status: 401 });
+		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return NextResponse.next({ request });
+		if (!getHenosiaSessionCookie(request)) {
+			if (request.method !== "GET") return NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 });
 			return NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
 		}
-		try {
-			const { accessTokenResponse, payload, transferBetterAuthCookiesToNext } = await verifyHenosiaAuthToken(request);
-			transferBetterAuthCookiesToNext(request, response);
-			const cachedOrg = JSON.stringify(request.cookies.get("henosia.org")?.value ?? null);
-			const org = JSON.stringify(payload["https://henosia.com/organization"]);
-			if (cachedOrg !== org) response.cookies.set(HENOSIA_ORGANIZATION_CTX_COOKIE, org);
-			if (process.env.NEXT_PUBLIC_SUPABASE_URL) await exchangeHenosiaTokenForSupabaseSession(request, response, accessTokenResponse.idToken);
-		} catch (e) {
-			if (isUnauthorizedException(e)) {
-				if (!isPageRequest(request)) return NextResponse.json(INVALID_SESSION_BODY, { status: e.statusCode ?? 401 });
-				const redirectResponse = NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
-				removeCachedAccountData(redirectResponse);
-				return redirectResponse;
-			} else {
-				console.error("[Henosia Auth] Middleware error", e);
-				throw e;
-			}
+		const requestHeaders = new Headers(request.headers);
+		const syncResponse = await fetch(new URL(HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, request.url), {
+			method: "GET",
+			headers: createSessionSyncHeaders(request),
+			cache: "no-store",
+			redirect: "manual"
+		});
+		if (syncResponse.status === 401) {
+			if (!isPageRequest(request)) return NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 });
+			const redirectResponse = NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
+			removeCachedAccountData(redirectResponse);
+			return redirectResponse;
 		}
+		if (!syncResponse.ok) throw new Error(`[Henosia Auth] Session sync failed: ${syncResponse.status} ${syncResponse.statusText}`);
+		const setCookieHeaders = getSetCookieHeaders(syncResponse.headers);
+		applySetCookieHeadersToRequestHeaders(requestHeaders, setCookieHeaders);
+		const response = NextResponse.next({ request: { headers: requestHeaders } });
+		for (const setCookie of setCookieHeaders) response.headers.append("set-cookie", setCookie);
 		return response;
 	};
 }
-/**
-* Lazy-load `@supabase/ssr` so apps that don't use Supabase don't have to install it.
-*/
-async function exchangeHenosiaTokenForSupabaseSession(request, response, idToken) {
-	let createServerClient;
-	try {
-		({createServerClient} = await import("@supabase/ssr"));
-	} catch (e) {
-		console.error("[Henosia Auth] NEXT_PUBLIC_SUPABASE_URL is set but `@supabase/ssr` is not installed. Install it as a peer dependency to enable Supabase session exchange.", e);
-		return;
+function createSessionSyncHeaders(request) {
+	const headers = new Headers();
+	const cookie = request.headers.get("cookie");
+	if (cookie) headers.set("cookie", cookie);
+	headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, request.url);
+	headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, request.method);
+	const fetchDest = request.headers.get("X-Henosia-Fetch-Dest") ?? request.headers.get("Sec-Fetch-Dest");
+	if (fetchDest) headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, fetchDest);
+	for (const header of ["RSC", "Next-Router-Prefetch"]) {
+		const value = request.headers.get(header);
+		if (value) headers.set(header, value);
 	}
-	const supabase = createServerClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, { cookies: {
-		getAll() {
-			return request.cookies.getAll();
-		},
-		setAll(cookiesToSet) {
-			cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
-			try {
-				cookiesToSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
-			} catch {}
-		}
-	} });
-	const { promise: supabaseTimeout, cancel } = delayWithCancel(5e3);
-	await Promise.race([supabaseTimeout.then(() => {
-		console.error(`[Supabase] Timed out getting a valid Supabase session: ${process.env.NEXT_PUBLIC_SUPABASE_URL} may be paused or down.`);
-	}), (async () => {
-		try {
-			const { data } = await supabase.auth.getSession();
-			if (!data.session) await supabase.auth.signInWithIdToken({
-				provider: henosiaAuthConfig.henosiaAuthSupabaseProvider.get(),
-				token: idToken
-			});
-		} catch (error) {
-			console.error("[Supabase] Unable to get valid Supabase session", error);
-		} finally {
-			cancel();
-		}
-	})()]);
-}
-/**
-* Removes potentially invalid cached account data from cookies before the next better-auth sign in attempt
-*/
-function removeCachedAccountData(response) {
-	const secure = henosiaAuthConfig.baseURL.get().startsWith("https");
-	const name = `${secure ? "__Secure-" : ""}${cookiePrefix}.account_data`;
-	response.cookies.delete({
-		name,
-		secure,
-		httpOnly: true,
-		domain: new URL(henosiaAuthConfig.baseURL.get()).hostname
-	});
+	return headers;
 }
 //#endregion
 export { createHenosiaAuthMiddleware };

package/dist/auth/server-guards.d.mts

@@ -1,5 +1,5 @@
 
-import { HenosiaAuthTokenClaims } from "./server.mjs";
+import { n as HenosiaAuthTokenClaims } from "../server-DfD6Dc91.mjs";
 import { NextRequest, NextResponse } from "next/server.js";
 
 //#region src/auth/server-guards.d.ts

package/dist/auth/server-guards.mjs

@@ -1,10 +1,10 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
 import { isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
-import { headers } from "next/headers.js";
+import { NextResponse } from "next/server.js";
 import { cache } from "react";
+import { headers } from "next/headers.js";
 import { redirect } from "next/navigation.js";
-import { NextResponse } from "next/server.js";
 //#region src/auth/server-guards.ts
 async function buildRequestFromHeaders() {
 	const h = await headers();

package/dist/auth/server.d.mts

@@ -1,108 +1,3 @@
 
-import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
-import { Auth } from "better-auth";
-import { NextRequest, NextResponse } from "next/server.js";
-
-//#region src/auth/server.d.ts
-/**
- * URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
- * Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
- * middleware auth pre-check and redirect.
- */
-declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES: Set<string>;
-/**
- * URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
- * Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
- * middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
- * route matches.
- */
-declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES: string[];
-type EnvLiveGetString = {
-  get(): string;
-};
-interface HenosiaAuthConfig {
-  /** Name of the Henosia Auth OAuth2 provider */
-  provider: 'henosia';
-  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
-  baseURL: EnvLiveGetString;
-  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
-  secret: EnvLiveGetString;
-  /** OAuth client ID from HenosiaAuthClientService */
-  clientId: EnvLiveGetString;
-  /** OAuth client secret from HenosiaAuthClientService */
-  clientSecret: EnvLiveGetString;
-  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
-  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
-  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
-  henosiaAuthSupabaseProvider: EnvLiveGetString;
-  /**
-   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
-   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
-   * for example that User A from Org A cannot access User B from Org B's project.
-   * */
-  projectId: EnvLiveGetString;
-}
-/**
- * Environment-provided configuration for Henosia Auth.
- * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
- * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
- * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
- * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
- */
-declare const henosiaAuthConfig: HenosiaAuthConfig;
-interface HenosiaAuthTokenClaims {
-  /** The project id that the claim is associated with. A `null` value indicates no project access was granted. */
-  'https://henosia.com/project': string | null;
-  /** Whether the claim is associated with Henosia's preview browser in the builder */
-  'https://henosia.com/preview': boolean;
-  /** The organization that the app belongs to */
-  'https://henosia.com/organization': HenosiaOrganizationContext;
-}
-/**
- * Gets whether the specified request is for a page (a top level page or iframe page)
- */
-declare function isPageRequest(request: Request): boolean;
-/**
- * Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
- * access token.
- *
- */
-declare function isPageOrRefreshTokenRequest(request: Request): boolean;
-declare const cookiePrefix: `henosia-auth-${string}`;
-/**
- * The Henosia Auth instance.
- *
- * Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
- * {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
- * The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
- * named in published declarations (TS2883).
- */
-declare const auth: Auth;
-/**
- * Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
- * This method must be called before allowing access to any protected pages or routes,
- * and before accessing data in server side page methods or actions.
- * @param request the current request which provides auth headers
- * @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
- *         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
- *         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
- * @throws APIError when the current credentials are missing or invalid
- */
-declare function verifyHenosiaAuthToken(request: Request): Promise<{
-  accessTokenResponse: {
-    accessToken: string;
-    accessTokenExpiresAt: Date | undefined;
-    scopes: string[];
-    idToken: string | undefined;
-  };
-  payload: HenosiaAuthTokenClaims;
-  setCookieHeaders: string[];
-  transferBetterAuthCookiesToNext: (nextRequest: NextRequest, response: NextResponse) => void;
-}>;
-/**
- * Determines whether the specified exception should start the sign-in flow to authenticate the user
- * @param error the error thrown by `verifyHenosiaAuthToken`
- */
-declare function isUnauthorizedException(error: unknown): boolean;
-//#endregion
+import { a as isPageOrRefreshTokenRequest, c as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, d as isPageRequest, i as henosiaAuthConfig, l as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, n as HenosiaAuthTokenClaims, o as isUnauthorizedException, r as auth, s as verifyHenosiaAuthToken, t as HenosiaAuthConfig, u as cookiePrefix } from "../server-DfD6Dc91.mjs";
 export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };