@ingram-tech/nk-auth 0.2.0

package/README.md

@@ -0,0 +1,175 @@
+# @ingram-tech/nk-auth
+
+The Ingram **[Better Auth](https://better-auth.com) foundation**: a toolkit of
+composable presets each Ingram Next.js site spreads into its *own*
+`betterAuth()` call. It is **not** a `betterAuth()` wrapper — the site stays
+plain Better Auth (prime directive), keeping full plugin type inference. Import
+only what you need from focused subpaths.
+
+`better-auth`, `pg`, `@better-auth/passkey`, `@supabase/supabase-js` are
+**peer dependencies** so there's exactly one Better Auth copy in the app.
+
+| Export (subpath) | For |
+| --- | --- |
+| `rlsJwtOptions` (`./jwt`) | Supabase RLS bridge token (`role:"authenticated"`) |
+| `backendJwtOptions` / `verifyBackendJwt` (`./jwt`) | a JWT for the site's own backend API (custom `audience`) |
+| `nkOrganizationDefaults`, `lastActiveOrganizationHooks`, `lastActiveOrganizationUserField` (`./organization`) | org-plugin defaults + active-org restore/persist |
+| `createAuthPool` (`./pool`) | `pg` Pool with optional SSL CA verification |
+| `bcryptPassword`, `makeEmailSenders`, `makePasskeyOptions`, `uuidGenerateId` (`./`) | password migration, email hooks, passkeys, UUID ids |
+| `createServerSupabase` (`./`) | RLS-aware supabase-js client (attaches the session JWT) |
+
+> **Supabase Auth → Better Auth + RLS migration?** Read
+> [`docs/better-auth-migration.md`](../../docs/better-auth-migration.md) — the
+> RLS bridge, the migration runbook, and the gotchas.
+>
+> **Backend-JWT + org sites** (e.g. integrain): compose `createAuthPool`,
+> `backendJwtOptions({ audience })`, `nkOrganizationDefaults`, and
+> `lastActiveOrganizationHooks(pool)` in your `betterAuth()`; verify backend
+> tokens with `verifyBackendJwt`. Keep app-specific bits (SSO restrictions,
+> permissions/roles, connectors) in the app.
+>
+> **Note:** pin `kysely@0.28.x` in the consuming app (0.29 moved
+> `DEFAULT_MIGRATION_TABLE` out of its barrel, breaking the adapter + the
+> Turbopack build).
+
+## Install
+
+```bash
+bun add @ingram-tech/nk-auth @supabase/supabase-js better-auth @better-auth/passkey pg bcrypt
+```
+
+Set the env contract (validated by `keys.ts`):
+
+```dotenv
+BETTER_AUTH_SECRET=…            # openssl rand -hex 32
+BETTER_AUTH_URL=https://example.com
+DATABASE_URL=…                  # DIRECT Postgres (session pooler / :5432), NOT PostgREST
+NEXT_PUBLIC_SUPABASE_URL=…
+NEXT_PUBLIC_SUPABASE_ANON_KEY=…
+```
+
+## 1. Apply the schema
+
+```bash
+cp node_modules/@ingram-tech/nk-auth/migrations/0001_better_auth.sql \
+   supabase/migrations/$(date +%Y%m%d%H%M%S)_better_auth.sql
+```
+
+It creates Better Auth's tables (`user`, `session`, `account`, `verification`,
+`jwks`, `passkey`), defaults new user ids to UUIDs, and puts **deny-all RLS** on
+all of them (they're exposed via PostgREST; Better Auth uses its own privileged
+connection). Reconcile against your pinned `better-auth` with
+`npx @better-auth/cli generate` after upgrades.
+
+## 2. Configure the server
+
+This package is **not** a `betterAuth()` wrapper — your site calls `betterAuth`
+itself and spreads in our presets. That keeps full Better Auth type inference at
+the call site (so `auth.api.*` stays typed) and keeps the site plain Better Auth,
+per the prime directive. The presets carry the RLS-preserving bits.
+
+```ts
+// lib/auth.ts
+import { passkey } from "@better-auth/passkey";
+import { fromAddress, sendEmail } from "@ingram-tech/email";
+import {
+	authEnv,
+	bcryptPassword,
+	makeEmailSenders,
+	makePasskeyOptions,
+	rlsJwtOptions,
+	uuidGenerateId,
+} from "@ingram-tech/nk-auth";
+import { betterAuth } from "better-auth";
+import { jwt } from "better-auth/plugins/jwt";
+import { Pool } from "pg";
+
+const env = authEnv();
+const email = makeEmailSenders(({ to, subject, url }) =>
+	sendEmail({ to, from: fromAddress(), subject, text: url, html: url }),
+);
+
+export const auth = betterAuth({
+	database: new Pool({ connectionString: env.databaseUrl }),
+	secret: env.secret,
+	baseURL: env.baseURL,
+	advanced: { database: { generateId: uuidGenerateId } }, // UUID-shaped ids
+	emailAndPassword: {
+		enabled: true,
+		password: bcryptPassword, // verifies migrated Supabase bcrypt hashes
+		sendResetPassword: email.sendResetPassword,
+	},
+	emailVerification: { sendVerificationEmail: email.sendVerificationEmail },
+	socialProviders: {
+		google: {
+			clientId: process.env.GOOGLE_CLIENT_ID ?? "",
+			clientSecret: process.env.GOOGLE_CLIENT_SECRET ?? "",
+		},
+	},
+	plugins: [
+		jwt(rlsJwtOptions), // the RLS bridge
+		passkey(makePasskeyOptions({ rpId: "example.com", rpName: "Example", origin: env.baseURL })),
+	],
+});
+```
+
+```ts
+// app/api/auth/[...all]/route.ts — a standard Next.js route handler
+import { auth } from "@/lib/auth";
+export const { GET, POST } = auth.handler;
+```
+
+## 3. Query data with RLS intact
+
+Always go through `createServerSupabase` instead of constructing supabase-js
+yourself — it attaches the Better Auth JWT so `auth.uid()` keeps working. Wire
+`getToken` to your instance's jwt endpoint (fully typed because *your* site owns
+the `betterAuth` call):
+
+```ts
+import { authEnv, createServerSupabase } from "@ingram-tech/nk-auth";
+import { auth } from "@/lib/auth";
+
+export async function GET(request: Request) {
+	const env = authEnv();
+	const supabase = createServerSupabase({
+		getToken: async () =>
+			(await auth.api.getToken({ headers: request.headers }))?.token ?? null,
+		supabaseUrl: env.supabaseUrl,
+		supabaseAnonKey: env.supabaseAnonKey,
+	});
+	// Reads/writes run as the signed-in user; existing RLS policies apply.
+	const { data, error } = await supabase.from("notes").select("*");
+	if (error) throw new Error(error.message);
+	return Response.json(data);
+}
+```
+
+## 4. Client
+
+Assemble the client in a `"use client"` module (full plugin inference is
+preserved here too):
+
+```tsx
+"use client";
+import {
+	createAuthClient,
+	jwtClient,
+	passkeyClient,
+} from "@ingram-tech/nk-auth/client";
+
+export const authClient = createAuthClient({
+	baseURL: process.env.NEXT_PUBLIC_SITE_URL ?? "",
+	plugins: [jwtClient(), passkeyClient()],
+});
+// authClient.signIn.email(...), signIn.social(...), useSession(), passkey.*
+```
+
+## RLS bridge (the important part)
+
+`auth.uid()` reads the `sub` claim of the JWT PostgREST receives. The `jwt`
+plugin (configured here) mints an asymmetric token with `sub` = the user's UUID
+and `role: "authenticated"`, exposed at `/api/auth/jwks`. Register that JWKS URL
+as a Supabase **third-party auth** issuer, and every existing policy works
+unchanged. Full rationale and the HS256 fallback:
+[`docs/better-auth-migration.md`](../../docs/better-auth-migration.md).

package/dist/client.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Browser auth re-exports, at "@ingram-tech/nk-auth/client" so the server entry
+ * never pulls in React. A site builds its own client to preserve full plugin
+ * type inference:
+ *
+ *   "use client";
+ *   import {
+ *     createAuthClient, jwtClient, passkeyClient,
+ *   } from "@ingram-tech/nk-auth/client";
+ *
+ *   export const authClient = createAuthClient({
+ *     baseURL: process.env.NEXT_PUBLIC_SITE_URL,
+ *     plugins: [jwtClient(), passkeyClient()],
+ *   });
+ *
+ * This exposes the call surface that replaces `supabase.auth.*`:
+ *   signUp.email / signIn.email / signIn.social / signOut / useSession,
+ *   plus passkey.* (register / authenticate).
+ */
+export { passkeyClient } from "@better-auth/passkey/client";
+export { jwtClient } from "better-auth/client/plugins";
+export { createAuthClient } from "better-auth/react";
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/client.js

@@ -0,0 +1,23 @@
+/**
+ * Browser auth re-exports, at "@ingram-tech/nk-auth/client" so the server entry
+ * never pulls in React. A site builds its own client to preserve full plugin
+ * type inference:
+ *
+ *   "use client";
+ *   import {
+ *     createAuthClient, jwtClient, passkeyClient,
+ *   } from "@ingram-tech/nk-auth/client";
+ *
+ *   export const authClient = createAuthClient({
+ *     baseURL: process.env.NEXT_PUBLIC_SITE_URL,
+ *     plugins: [jwtClient(), passkeyClient()],
+ *   });
+ *
+ * This exposes the call surface that replaces `supabase.auth.*`:
+ *   signUp.email / signIn.email / signIn.social / signOut / useSession,
+ *   plus passkey.* (register / authenticate).
+ */
+export { passkeyClient } from "@better-auth/passkey/client";
+export { jwtClient } from "better-auth/client/plugins";
+export { createAuthClient } from "better-auth/react";
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { type BackendJwtConfig, backendJwtOptions, rlsJwtOptions, verifyBackendJwt, } from "./jwt";
+export { type AuthEnv, authEnv, isConfigured } from "./keys";
+export { bcryptPassword, makeEmailSenders, makePasskeyOptions, type PasskeyConfig, type SendEmail, uuidGenerateId, } from "./options";
+export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { createAuthPool } from "./pool";
+export { createServerSupabase, type ServerSupabaseConfig, } from "./supabase";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EACN,KAAK,gBAAgB,EACrB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,KAAK,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,EACpB,KAAK,oBAAoB,GACzB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,11 @@
+// Server entry — the Ingram Better Auth foundation. Browser re-exports live at
+// "@ingram-tech/nk-auth/client" so importing the server presets never pulls in
+// React. Focused subpaths (./jwt, ./organization, ./pool) let a site import
+// only what it needs (e.g. avoid bcrypt/supabase when it uses neither).
+export { backendJwtOptions, rlsJwtOptions, verifyBackendJwt, } from "./jwt";
+export { authEnv, isConfigured } from "./keys";
+export { bcryptPassword, makeEmailSenders, makePasskeyOptions, uuidGenerateId, } from "./options";
+export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { createAuthPool } from "./pool";
+export { createServerSupabase, } from "./supabase";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AAExE,OAAO,EAEN,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAgB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAGlB,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,GAEpB,MAAM,YAAY,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,42 @@
+import type { JwtOptions } from "better-auth/plugins/jwt";
+import { type JWTPayload } from "jose";
+/**
+ * `jwt` plugin presets. Two shapes, because Ingram sites mint JWTs for two
+ * different audiences:
+ *
+ *   - `rlsJwtOptions` — a Supabase RLS bridge token (`role: "authenticated"`),
+ *     so PostgREST's `auth.uid()` keeps working. See docs/better-auth-migration.md.
+ *   - `backendJwtOptions` — a short-lived token for a site's OWN backend API
+ *     (a specific `audience`), typically carrying extra claims the site adds via
+ *     `auth.api.signJWT`.
+ *
+ * Both default to EdDSA (Better Auth's default), exposed at `/api/auth/jwks`.
+ */
+/** Supabase RLS bridge: mints `sub` = user id, `role`/`aud` = "authenticated". */
+export declare const rlsJwtOptions: JwtOptions;
+export interface BackendJwtConfig {
+    /** Expected audience of the site's backend, e.g. "ingram-wiki-backend". */
+    audience: string;
+    /** Token lifetime, e.g. "15m". */
+    expirationTime?: string;
+    /**
+     * Don't auto-attach the JWT to the `set-auth-jwt` response header — set when
+     * the site mints tokens on demand via `auth.api.signJWT` instead.
+     */
+    disableSettingJwtHeader?: boolean;
+}
+/** `jwt` plugin options for a backend-API token (custom audience). */
+export declare const backendJwtOptions: (config: BackendJwtConfig) => JwtOptions;
+/**
+ * Verify a Better-Auth-minted backend JWT (EdDSA) against the issuer's JWKS.
+ * For use by the backend that consumes `backendJwtOptions` tokens. Throws on an
+ * invalid/expired token or audience/issuer mismatch; returns the claims.
+ */
+export declare const verifyBackendJwt: (params: {
+    token: string;
+    /** The issuer's JWKS endpoint, e.g. `${BETTER_AUTH_URL}/api/auth/jwks`. */
+    jwksUrl: string | URL;
+    audience: string;
+    issuer: string;
+}) => Promise<JWTPayload>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAsB,KAAK,UAAU,EAAa,MAAM,MAAM,CAAC;AAEtE;;;;;;;;;;;GAWG;AAEH,kFAAkF;AAClF,eAAO,MAAM,aAAa,EAAE,UAS3B,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAChC,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,sEAAsE;AACtE,eAAO,MAAM,iBAAiB,GAAI,QAAQ,gBAAgB,KAAG,UAM3D,CAAC;AAIH;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,GAAU,QAAQ;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CACf,KAAG,OAAO,CAAC,UAAU,CAerB,CAAC"}

package/dist/jwt.js

@@ -0,0 +1,54 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+/**
+ * `jwt` plugin presets. Two shapes, because Ingram sites mint JWTs for two
+ * different audiences:
+ *
+ *   - `rlsJwtOptions` — a Supabase RLS bridge token (`role: "authenticated"`),
+ *     so PostgREST's `auth.uid()` keeps working. See docs/better-auth-migration.md.
+ *   - `backendJwtOptions` — a short-lived token for a site's OWN backend API
+ *     (a specific `audience`), typically carrying extra claims the site adds via
+ *     `auth.api.signJWT`.
+ *
+ * Both default to EdDSA (Better Auth's default), exposed at `/api/auth/jwks`.
+ */
+/** Supabase RLS bridge: mints `sub` = user id, `role`/`aud` = "authenticated". */
+export const rlsJwtOptions = {
+    jwks: { keyPairConfig: { alg: "EdDSA" } },
+    jwt: {
+        definePayload: ({ user }) => ({
+            sub: user.id,
+            role: "authenticated",
+            aud: "authenticated",
+        }),
+    },
+};
+/** `jwt` plugin options for a backend-API token (custom audience). */
+export const backendJwtOptions = (config) => ({
+    disableSettingJwtHeader: config.disableSettingJwtHeader,
+    jwt: {
+        audience: config.audience,
+        expirationTime: config.expirationTime,
+    },
+});
+const jwksCache = new Map();
+/**
+ * Verify a Better-Auth-minted backend JWT (EdDSA) against the issuer's JWKS.
+ * For use by the backend that consumes `backendJwtOptions` tokens. Throws on an
+ * invalid/expired token or audience/issuer mismatch; returns the claims.
+ */
+export const verifyBackendJwt = async (params) => {
+    const url = typeof params.jwksUrl === "string" ? new URL(params.jwksUrl) : params.jwksUrl;
+    const cacheKey = url.toString();
+    let jwks = jwksCache.get(cacheKey);
+    if (!jwks) {
+        jwks = createRemoteJWKSet(url);
+        jwksCache.set(cacheKey, jwks);
+    }
+    const { payload } = await jwtVerify(params.token, jwks, {
+        audience: params.audience,
+        issuer: params.issuer,
+        algorithms: ["EdDSA"],
+    });
+    return payload;
+};
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAmB,SAAS,EAAE,MAAM,MAAM,CAAC;AAEtE;;;;;;;;;;;GAWG;AAEH,kFAAkF;AAClF,MAAM,CAAC,MAAM,aAAa,GAAe;IACxC,IAAI,EAAE,EAAE,aAAa,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE;IACzC,GAAG,EAAE;QACJ,aAAa,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YAC7B,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,IAAI,EAAE,eAAe;YACrB,GAAG,EAAE,eAAe;SACpB,CAAC;KACF;CACD,CAAC;AAcF,sEAAsE;AACtE,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,MAAwB,EAAc,EAAE,CAAC,CAAC;IAC3E,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;IACvD,GAAG,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,cAAc,EAAE,MAAM,CAAC,cAAc;KACrC;CACD,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAI,GAAG,EAAiD,CAAC;AAE3E;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EAAE,MAMtC,EAAuB,EAAE;IACzB,MAAM,GAAG,GACR,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;IAC/E,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAChC,IAAI,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC/B,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE;QACvD,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,UAAU,EAAE,CAAC,OAAO,CAAC;KACrB,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AAChB,CAAC,CAAC"}

package/dist/keys.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Environment contract for @ingram-tech/nk-auth.
+ *
+ * Following the "each package owns its own env validation" pattern. Env vars are
+ * external input, so we parse them with Zod (per docs/code-style.md) rather than
+ * reading `process.env` ad hoc. `authEnv()` returns a validated, config-shaped
+ * object you can spread straight into `createAuth` / `createServerSupabase`.
+ *
+ * Required:
+ *   BETTER_AUTH_SECRET             — session/CSRF signing key (`openssl rand -hex 32`)
+ *   BETTER_AUTH_URL                — canonical site origin, e.g. "https://example.com"
+ *   DATABASE_URL                   — DIRECT Postgres connection for Better Auth
+ *                                    (session-mode pooler or :5432, NOT PostgREST)
+ *   NEXT_PUBLIC_SUPABASE_URL       — Supabase project URL (for the data client)
+ *   NEXT_PUBLIC_SUPABASE_ANON_KEY  — Supabase anon key (RLS still enforced)
+ */
+export interface AuthEnv {
+    secret: string;
+    baseURL: string;
+    databaseUrl: string;
+    supabaseUrl: string;
+    supabaseAnonKey: string;
+}
+/**
+ * Read and validate all nk-auth env vars at once. Throws a single error listing
+ * everything missing/invalid, so a misconfigured site fails fast at startup
+ * rather than at first sign-in.
+ */
+export declare const authEnv: () => AuthEnv;
+/** Whether nk-auth is fully configured (lets callers degrade in local/dev). */
+export declare const isConfigured: () => boolean;
+//# sourceMappingURL=keys.d.ts.map

package/dist/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAYH,MAAM,WAAW,OAAO;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACxB;AAED;;;;GAIG;AACH,eAAO,MAAM,OAAO,QAAO,OAgB1B,CAAC;AAEF,+EAA+E;AAC/E,eAAO,MAAM,YAAY,QAAO,OAAgD,CAAC"}

package/dist/keys.js

@@ -0,0 +1,49 @@
+/**
+ * Environment contract for @ingram-tech/nk-auth.
+ *
+ * Following the "each package owns its own env validation" pattern. Env vars are
+ * external input, so we parse them with Zod (per docs/code-style.md) rather than
+ * reading `process.env` ad hoc. `authEnv()` returns a validated, config-shaped
+ * object you can spread straight into `createAuth` / `createServerSupabase`.
+ *
+ * Required:
+ *   BETTER_AUTH_SECRET             — session/CSRF signing key (`openssl rand -hex 32`)
+ *   BETTER_AUTH_URL                — canonical site origin, e.g. "https://example.com"
+ *   DATABASE_URL                   — DIRECT Postgres connection for Better Auth
+ *                                    (session-mode pooler or :5432, NOT PostgREST)
+ *   NEXT_PUBLIC_SUPABASE_URL       — Supabase project URL (for the data client)
+ *   NEXT_PUBLIC_SUPABASE_ANON_KEY  — Supabase anon key (RLS still enforced)
+ */
+import { z } from "zod";
+const schema = z.object({
+    BETTER_AUTH_SECRET: z.string().min(1),
+    BETTER_AUTH_URL: z.string().url(),
+    DATABASE_URL: z.string().min(1),
+    NEXT_PUBLIC_SUPABASE_URL: z.string().url(),
+    NEXT_PUBLIC_SUPABASE_ANON_KEY: z.string().min(1),
+});
+/**
+ * Read and validate all nk-auth env vars at once. Throws a single error listing
+ * everything missing/invalid, so a misconfigured site fails fast at startup
+ * rather than at first sign-in.
+ */
+export const authEnv = () => {
+    const result = schema.safeParse(process.env);
+    if (!result.success) {
+        const issues = result.error.issues
+            .map((issue) => `${issue.path.join(".")}: ${issue.message}`)
+            .join(", ");
+        throw new Error(`@ingram-tech/nk-auth: invalid environment — ${issues}`);
+    }
+    const env = result.data;
+    return {
+        secret: env.BETTER_AUTH_SECRET,
+        baseURL: env.BETTER_AUTH_URL,
+        databaseUrl: env.DATABASE_URL,
+        supabaseUrl: env.NEXT_PUBLIC_SUPABASE_URL,
+        supabaseAnonKey: env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+    };
+};
+/** Whether nk-auth is fully configured (lets callers degrade in local/dev). */
+export const isConfigured = () => schema.safeParse(process.env).success;
+//# sourceMappingURL=keys.js.map

package/dist/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;IACvB,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACjC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,wBAAwB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC1C,6BAA6B,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAChD,CAAC,CAAC;AAUH;;;;GAIG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,GAAY,EAAE;IACpC,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAChC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;aAC3D,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC;IACxB,OAAO;QACN,MAAM,EAAE,GAAG,CAAC,kBAAkB;QAC9B,OAAO,EAAE,GAAG,CAAC,eAAe;QAC5B,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,WAAW,EAAE,GAAG,CAAC,wBAAwB;QACzC,eAAe,EAAE,GAAG,CAAC,6BAA6B;KAClD,CAAC;AACH,CAAC,CAAC;AAEF,+EAA+E;AAC/E,MAAM,CAAC,MAAM,YAAY,GAAG,GAAY,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC"}

package/dist/options.d.ts

@@ -0,0 +1,61 @@
+import type { PasskeyOptions } from "@better-auth/passkey";
+/**
+ * Portable Better Auth building blocks for Ingram sites.
+ *
+ * Deliberately NOT a `betterAuth()` wrapper: a site assembles its own instance
+ * and spreads these presets in. That keeps full plugin type inference at the
+ * call site (where `declaration` is off) and respects the prime directive — the
+ * site stays plain Better Auth, we just ship the shared config. JWT + org
+ * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
+ *
+ * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
+ * `auth.uid()::uuid` on RLS sites).
+ */
+/**
+ * `emailAndPassword.password` config. Verifies with bcrypt so passwords
+ * migrated from Supabase (bcrypt) keep working — Better Auth defaults to scrypt.
+ */
+export declare const bcryptPassword: {
+    hash: (password: string) => Promise<string>;
+    verify: ({ hash, password, }: {
+        hash: string;
+        password: string;
+    }) => Promise<boolean>;
+};
+/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
+export declare const uuidGenerateId: () => string;
+export interface PasskeyConfig {
+    /** Relying-party id: the registrable domain, e.g. "example.com". */
+    rpId: string;
+    /** Relying-party display name. */
+    rpName: string;
+    /** Expected origin(s), e.g. "https://example.com". */
+    origin: string | string[];
+}
+/** Build `passkey` plugin options. Use as `passkey(makePasskeyOptions(cfg))`. */
+export declare const makePasskeyOptions: (cfg: PasskeyConfig) => PasskeyOptions;
+/** Send one transactional email (wire to `@ingram-tech/email`'s `sendEmail`). */
+export type SendEmail = (message: {
+    to: string;
+    subject: string;
+    url: string;
+}) => Promise<unknown>;
+/**
+ * Email callbacks for `emailAndPassword.sendResetPassword` and
+ * `emailVerification.sendVerificationEmail`, routed through your sender.
+ */
+export declare const makeEmailSenders: (send: SendEmail) => {
+    sendResetPassword: ({ user, url, }: {
+        user: {
+            email: string;
+        };
+        url: string;
+    }) => Promise<void>;
+    sendVerificationEmail: ({ user, url, }: {
+        user: {
+            email: string;
+        };
+        url: string;
+    }) => Promise<void>;
+};
+//# sourceMappingURL=options.d.ts.map

package/dist/options.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc;qBACT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;kCAItC;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KACjB,KAAG,OAAO,CAAC,OAAO,CAAC;CACpB,CAAC;AAEF,uEAAuE;AACvE,eAAO,MAAM,cAAc,QAAO,MAAsB,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC7B,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,GAAI,KAAK,aAAa,KAAG,cAItD,CAAC;AAEH,iFAAiF;AACjF,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,SAAS;wCAI5C;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;4CAMd;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;CAGhB,CAAC"}

package/dist/options.js

@@ -0,0 +1,43 @@
+import { randomUUID } from "node:crypto";
+import bcrypt from "bcrypt";
+/**
+ * Portable Better Auth building blocks for Ingram sites.
+ *
+ * Deliberately NOT a `betterAuth()` wrapper: a site assembles its own instance
+ * and spreads these presets in. That keeps full plugin type inference at the
+ * call site (where `declaration` is off) and respects the prime directive — the
+ * site stays plain Better Auth, we just ship the shared config. JWT + org
+ * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
+ *
+ * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
+ * `auth.uid()::uuid` on RLS sites).
+ */
+/**
+ * `emailAndPassword.password` config. Verifies with bcrypt so passwords
+ * migrated from Supabase (bcrypt) keep working — Better Auth defaults to scrypt.
+ */
+export const bcryptPassword = {
+    hash: (password) => bcrypt.hash(password, 10),
+    verify: ({ hash, password, }) => bcrypt.compare(password, hash),
+};
+/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
+export const uuidGenerateId = () => randomUUID();
+/** Build `passkey` plugin options. Use as `passkey(makePasskeyOptions(cfg))`. */
+export const makePasskeyOptions = (cfg) => ({
+    rpID: cfg.rpId,
+    rpName: cfg.rpName,
+    origin: cfg.origin,
+});
+/**
+ * Email callbacks for `emailAndPassword.sendResetPassword` and
+ * `emailVerification.sendVerificationEmail`, routed through your sender.
+ */
+export const makeEmailSenders = (send) => ({
+    sendResetPassword: async ({ user, url, }) => {
+        await send({ to: user.email, subject: "Reset your password", url });
+    },
+    sendVerificationEmail: async ({ user, url, }) => {
+        await send({ to: user.email, subject: "Verify your email", url });
+    },
+});
+//# sourceMappingURL=options.js.map

package/dist/options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"options.js","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC7B,IAAI,EAAE,CAAC,QAAgB,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;IACtE,MAAM,EAAE,CAAC,EACR,IAAI,EACJ,QAAQ,GAIR,EAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;CACtD,CAAC;AAEF,uEAAuE;AACvE,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE,CAAC,UAAU,EAAE,CAAC;AAWzD,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAkB,EAAkB,EAAE,CAAC,CAAC;IAC1E,IAAI,EAAE,GAAG,CAAC,IAAI;IACd,MAAM,EAAE,GAAG,CAAC,MAAM;IAClB,MAAM,EAAE,GAAG,CAAC,MAAM;CAClB,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,IAAe,EAAE,EAAE,CAAC,CAAC;IACrD,iBAAiB,EAAE,KAAK,EAAE,EACzB,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,qBAAqB,EAAE,KAAK,EAAE,EAC7B,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;CACD,CAAC,CAAC"}

package/dist/organization.d.ts

@@ -0,0 +1,52 @@
+import type { Pool } from "pg";
+/**
+ * Organization-plugin building blocks shared across Ingram sites. The site
+ * still calls `organization({ ...nkOrganizationDefaults, ac, roles, ... })`
+ * itself — these only supply the generic defaults + the active-org plumbing.
+ */
+/** Sensible Ingram defaults to spread into the `organization()` plugin. */
+export declare const nkOrganizationDefaults: {
+    /** Invitations valid for one week. */
+    readonly invitationExpiresIn: number;
+    /** The user who creates an org is its owner. */
+    readonly creatorRole: "owner";
+};
+/**
+ * `user.additionalFields` entry that records the user's last active org so it
+ * can be restored on the next sign-in. Spread into `user.additionalFields`.
+ */
+export declare const lastActiveOrganizationUserField: {
+    readonly lastActiveOrganizationId: {
+        readonly type: "string";
+        readonly required: false;
+        readonly input: false;
+        readonly returned: true;
+    };
+};
+interface SessionLike {
+    userId: string;
+    activeOrganizationId?: string | null;
+}
+/**
+ * `databaseHooks` that restore the user's last active organization on session
+ * create (only if they're still a member) and persist it on session update.
+ * Requires `lastActiveOrganizationUserField` in `user.additionalFields` and the
+ * Better Auth organization tables. Spread as `databaseHooks: lastActiveOrganizationHooks(pool)`.
+ */
+export declare const lastActiveOrganizationHooks: (pool: Pool) => {
+    session: {
+        create: {
+            before: (session: SessionLike) => Promise<{
+                data: {
+                    activeOrganizationId: string;
+                    userId: string;
+                };
+            } | undefined>;
+        };
+        update: {
+            after: (session: SessionLike) => Promise<void>;
+        };
+    };
+};
+export {};
+//# sourceMappingURL=organization.d.ts.map

package/dist/organization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"organization.d.ts","sourceRoot":"","sources":["../src/organization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE/B;;;;GAIG;AAEH,2EAA2E;AAC3E,eAAO,MAAM,sBAAsB;IAClC,sCAAsC;;IAEtC,gDAAgD;;CAEvC,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,+BAA+B;;;;;;;CAOlC,CAAC;AAEX,UAAU,WAAW;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC;AAED;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,GAAI,MAAM,IAAI;;;8BAG3B,WAAW;;;4BAb7B,MAAM;;;;;6BAqCW,WAAW;;;CAYnC,CAAC"}

package/dist/organization.js

@@ -0,0 +1,63 @@
+/**
+ * Organization-plugin building blocks shared across Ingram sites. The site
+ * still calls `organization({ ...nkOrganizationDefaults, ac, roles, ... })`
+ * itself — these only supply the generic defaults + the active-org plumbing.
+ */
+/** Sensible Ingram defaults to spread into the `organization()` plugin. */
+export const nkOrganizationDefaults = {
+    /** Invitations valid for one week. */
+    invitationExpiresIn: 60 * 60 * 24 * 7,
+    /** The user who creates an org is its owner. */
+    creatorRole: "owner",
+};
+/**
+ * `user.additionalFields` entry that records the user's last active org so it
+ * can be restored on the next sign-in. Spread into `user.additionalFields`.
+ */
+export const lastActiveOrganizationUserField = {
+    lastActiveOrganizationId: {
+        type: "string",
+        required: false,
+        input: false,
+        returned: true,
+    },
+};
+/**
+ * `databaseHooks` that restore the user's last active organization on session
+ * create (only if they're still a member) and persist it on session update.
+ * Requires `lastActiveOrganizationUserField` in `user.additionalFields` and the
+ * Better Auth organization tables. Spread as `databaseHooks: lastActiveOrganizationHooks(pool)`.
+ */
+export const lastActiveOrganizationHooks = (pool) => ({
+    session: {
+        create: {
+            before: async (session) => {
+                if (session.activeOrganizationId) {
+                    return;
+                }
+                const userResult = await pool.query('SELECT "lastActiveOrganizationId" FROM "user" WHERE id = $1', [
+                    session.userId,
+                ]);
+                const lastOrgId = userResult.rows[0]?.lastActiveOrganizationId;
+                if (!lastOrgId) {
+                    return;
+                }
+                const memberResult = await pool.query('SELECT 1 FROM member WHERE "userId" = $1 AND "organizationId" = $2 LIMIT 1', [session.userId, lastOrgId]);
+                if (memberResult.rows.length === 0) {
+                    return;
+                }
+                return { data: { ...session, activeOrganizationId: lastOrgId } };
+            },
+        },
+        update: {
+            after: async (session) => {
+                const orgId = session.activeOrganizationId;
+                if (typeof orgId !== "string" || !orgId) {
+                    return;
+                }
+                await pool.query('UPDATE "user" SET "lastActiveOrganizationId" = $1 WHERE id = $2', [orgId, session.userId]);
+            },
+        },
+    },
+});
+//# sourceMappingURL=organization.js.map

package/dist/organization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"organization.js","sourceRoot":"","sources":["../src/organization.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AAEH,2EAA2E;AAC3E,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACrC,sCAAsC;IACtC,mBAAmB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,gDAAgD;IAChD,WAAW,EAAE,OAAO;CACX,CAAC;AAEX;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC9C,wBAAwB,EAAE;QACzB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,IAAI;KACd;CACQ,CAAC;AAOX;;;;;GAKG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,IAAU,EAAE,EAAE,CAAC,CAAC;IAC3D,OAAO,EAAE;QACR,MAAM,EAAE;YACP,MAAM,EAAE,KAAK,EAAE,OAAoB,EAAE,EAAE;gBACtC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;oBAClC,OAAO;gBACR,CAAC;gBACD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAEhC,6DAA6D,EAAE;oBACjE,OAAO,CAAC,MAAM;iBACd,CAAC,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,wBAAwB,CAAC;gBAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;oBAChB,OAAO;gBACR,CAAC;gBACD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CACpC,4EAA4E,EAC5E,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAC3B,CAAC;gBACF,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACpC,OAAO;gBACR,CAAC;gBACD,OAAO,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,EAAE,CAAC;YAClE,CAAC;SACD;QACD,MAAM,EAAE;YACP,KAAK,EAAE,KAAK,EAAE,OAAoB,EAAE,EAAE;gBACrC,MAAM,KAAK,GAAG,OAAO,CAAC,oBAAoB,CAAC;gBAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;oBACzC,OAAO;gBACR,CAAC;gBACD,MAAM,IAAI,CAAC,KAAK,CACf,iEAAiE,EACjE,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CACvB,CAAC;YACH,CAAC;SACD;KACD;CACD,CAAC,CAAC"}

package/dist/pool.d.ts

@@ -0,0 +1,13 @@
+import { Pool } from "pg";
+/**
+ * A `pg` Pool for Better Auth's direct database connection, with optional
+ * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
+ * of the connection string — `pg` discards the `ssl` object when the URL
+ * carries SSL settings.
+ */
+export declare const createAuthPool: (config: {
+    connectionString: string;
+    /** PEM CA cert; when set, the server cert + hostname are verified. */
+    caCert?: string;
+}) => Pool;
+//# sourceMappingURL=pool.d.ts.map

package/dist/pool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAMD,CAAC"}

package/dist/pool.js

@@ -0,0 +1,14 @@
+import { Pool } from "pg";
+/**
+ * A `pg` Pool for Better Auth's direct database connection, with optional
+ * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
+ * of the connection string — `pg` discards the `ssl` object when the URL
+ * carries SSL settings.
+ */
+export const createAuthPool = (config) => new Pool({
+    connectionString: config.connectionString,
+    ssl: config.caCert
+        ? { ca: config.caCert, rejectUnauthorized: true }
+        : undefined,
+});
+//# sourceMappingURL=pool.js.map

package/dist/pool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B;;;;;GAKG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE,CACV,IAAI,IAAI,CAAC;IACR,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;IACzC,GAAG,EAAE,MAAM,CAAC,MAAM;QACjB,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE;QACjD,CAAC,CAAC,SAAS;CACZ,CAAC,CAAC"}

package/dist/supabase.d.ts

@@ -0,0 +1,26 @@
+import { type SupabaseClient } from "@supabase/supabase-js";
+/**
+ * The RLS-aware Supabase data client — the single chokepoint that keeps Row
+ * Level Security working after the move off Supabase Auth.
+ *
+ * Instead of `supabase.auth`, it pulls the Better Auth session JWT (via the
+ * injected `getToken`) and hands it to supabase-js's v2 `accessToken` callback.
+ * PostgREST then sets `request.jwt.claims`, so `auth.uid()` (and every existing
+ * policy) keeps returning the right user. With no session, `getToken` yields
+ * `null` and the request runs as `anon` — RLS is still enforced, never bypassed.
+ *
+ * Sites should import THIS rather than constructing supabase-js directly, so the
+ * token bridge can't be forgotten. (Enforce with a Biome/GritQL rule banning raw
+ * `createClient` for data — see docs/better-auth-migration.md.)
+ *
+ * Wire `getToken` to the site's own Better Auth instance, e.g.:
+ *   getToken: async () => (await auth.api.getToken({ headers }))?.token ?? null
+ */
+export interface ServerSupabaseConfig {
+    /** Returns the current request's Better Auth JWT, or null when signed out. */
+    getToken: () => Promise<string | null>;
+    supabaseUrl: string;
+    supabaseAnonKey: string;
+}
+export declare const createServerSupabase: (config: ServerSupabaseConfig) => SupabaseClient;
+//# sourceMappingURL=supabase.d.ts.map

package/dist/supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE1E;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,oBAAoB;IACpC,8EAA8E;IAC9E,QAAQ,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACxB;AAED,eAAO,MAAM,oBAAoB,GAAI,QAAQ,oBAAoB,KAAG,cAMjE,CAAC"}

package/dist/supabase.js

@@ -0,0 +1,8 @@
+import { createClient } from "@supabase/supabase-js";
+export const createServerSupabase = (config) => createClient(config.supabaseUrl, config.supabaseAnonKey, {
+    accessToken: async () => {
+        const token = await config.getToken();
+        return token ?? "";
+    },
+});
+//# sourceMappingURL=supabase.js.map

package/dist/supabase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAuB,MAAM,uBAAuB,CAAC;AA2B1E,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,MAA4B,EAAkB,EAAE,CACpF,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,eAAe,EAAE;IACxD,WAAW,EAAE,KAAK,IAAI,EAAE;QACvB,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,OAAO,KAAK,IAAI,EAAE,CAAC;IACpB,CAAC;CACD,CAAC,CAAC"}

package/migrations/0001_better_auth.sql

@@ -0,0 +1,102 @@
+-- @ingram-tech/nk-auth — Better Auth schema for Supabase, hardened for RLS.
+--
+-- This mirrors Better Auth's core tables (user / session / account /
+-- verification), the `jwt` plugin's `jwks` table, and the `passkey` plugin's
+-- `passkey` table, for the version of `better-auth` this package depends on.
+-- Reconcile against the exact pinned version with:
+--     npx @better-auth/cli generate
+-- and re-run after upgrading better-auth.
+--
+-- TWO hardening steps the generator does NOT produce, both required (see
+-- docs/better-auth-migration.md):
+--   1. New users default to a UUID id, because Supabase's auth.uid() casts the
+--      JWT `sub` to `uuid`. A non-UUID id silently breaks RLS for new signups.
+--   2. Deny-all RLS on every Better Auth table. They live in `public` and are
+--      exposed by PostgREST; Better Auth itself reaches them through its own
+--      privileged DATABASE_URL connection, which bypasses RLS, so denying anon /
+--      authenticated access here costs nothing and closes the leak.
+
+create extension if not exists "pgcrypto" with schema "extensions";
+
+create table if not exists "public"."user" (
+	"id" text primary key default gen_random_uuid()::text, -- hardening (1)
+	"name" text not null,
+	"email" text not null unique,
+	"emailVerified" boolean not null default false,
+	"image" text,
+	"createdAt" timestamptz not null default now(),
+	"updatedAt" timestamptz not null default now()
+);
+
+create table if not exists "public"."session" (
+	"id" text primary key,
+	"expiresAt" timestamptz not null,
+	"token" text not null unique,
+	"ipAddress" text,
+	"userAgent" text,
+	"userId" text not null references "public"."user" ("id") on delete cascade,
+	"createdAt" timestamptz not null default now(),
+	"updatedAt" timestamptz not null default now()
+);
+
+create table if not exists "public"."account" (
+	"id" text primary key,
+	"accountId" text not null,
+	"providerId" text not null,
+	"userId" text not null references "public"."user" ("id") on delete cascade,
+	"accessToken" text,
+	"refreshToken" text,
+	"idToken" text,
+	"accessTokenExpiresAt" timestamptz,
+	"refreshTokenExpiresAt" timestamptz,
+	"scope" text,
+	"password" text,
+	"createdAt" timestamptz not null default now(),
+	"updatedAt" timestamptz not null default now()
+);
+
+create table if not exists "public"."verification" (
+	"id" text primary key,
+	"identifier" text not null,
+	"value" text not null,
+	"expiresAt" timestamptz not null,
+	"createdAt" timestamptz not null default now(),
+	"updatedAt" timestamptz not null default now()
+);
+
+-- `jwt` plugin: holds the asymmetric keypair used to sign the RLS bridge token.
+create table if not exists "public"."jwks" (
+	"id" text primary key,
+	"publicKey" text not null,
+	"privateKey" text not null,
+	"createdAt" timestamptz not null default now()
+);
+
+-- `passkey` plugin.
+create table if not exists "public"."passkey" (
+	"id" text primary key,
+	"name" text,
+	"publicKey" text not null,
+	"userId" text not null references "public"."user" ("id") on delete cascade,
+	"credentialID" text not null,
+	"counter" integer not null,
+	"deviceType" text not null,
+	"backedUp" boolean not null,
+	"transports" text,
+	"aaguid" text,
+	"createdAt" timestamptz default now()
+);
+
+create index if not exists "idx_session_userId" on "public"."session" ("userId");
+create index if not exists "idx_account_userId" on "public"."account" ("userId");
+create index if not exists "idx_passkey_userId" on "public"."passkey" ("userId");
+create index if not exists "idx_verification_identifier" on "public"."verification" ("identifier");
+
+-- Hardening (2): deny-all RLS. No policies = no anon/authenticated access.
+-- Better Auth's privileged connection bypasses RLS, so auth still works.
+alter table "public"."user" enable row level security;
+alter table "public"."session" enable row level security;
+alter table "public"."account" enable row level security;
+alter table "public"."verification" enable row level security;
+alter table "public"."jwks" enable row level security;
+alter table "public"."passkey" enable row level security;

package/package.json

@@ -0,0 +1,87 @@
+{
+	"name": "@ingram-tech/nk-auth",
+	"version": "0.2.0",
+	"description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.",
+	"license": "MIT",
+	"type": "module",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/ingram-technologies/nextkit.git",
+		"directory": "packages/nk-auth"
+	},
+	"publishConfig": {
+		"access": "public"
+	},
+	"files": [
+		"dist",
+		"migrations"
+	],
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js"
+		},
+		"./jwt": {
+			"types": "./dist/jwt.d.ts",
+			"import": "./dist/jwt.js"
+		},
+		"./organization": {
+			"types": "./dist/organization.d.ts",
+			"import": "./dist/organization.js"
+		},
+		"./pool": {
+			"types": "./dist/pool.d.ts",
+			"import": "./dist/pool.js"
+		},
+		"./client": {
+			"types": "./dist/client.d.ts",
+			"import": "./dist/client.js"
+		},
+		"./migrations/*": "./migrations/*"
+	},
+	"scripts": {
+		"build": "tsc -p tsconfig.json",
+		"type-check": "tsc -p tsconfig.json --noEmit",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"bcrypt": "^5.1.1",
+		"jose": "^6.0.0",
+		"zod": "^4.0.0"
+	},
+	"peerDependencies": {
+		"@better-auth/passkey": "^1.6.0",
+		"@supabase/supabase-js": ">=2.0.0",
+		"better-auth": "^1.6.0",
+		"pg": "^8.13.0",
+		"react": "^18.0.0 || ^19.0.0"
+	},
+	"peerDependenciesMeta": {
+		"@better-auth/passkey": {
+			"optional": true
+		},
+		"@supabase/supabase-js": {
+			"optional": true
+		},
+		"pg": {
+			"optional": true
+		},
+		"react": {
+			"optional": true
+		}
+	},
+	"devDependencies": {
+		"@better-auth/passkey": "^1.6.0",
+		"@ingram-tech/typescript-config": "0.1.0",
+		"@supabase/supabase-js": "^2.45.0",
+		"@types/bcrypt": "^5.0.2",
+		"@types/node": "^20.0.0",
+		"@types/pg": "^8.11.0",
+		"@types/react": "^19.0.0",
+		"better-auth": "^1.6.0",
+		"pg": "^8.13.0",
+		"react": "^19.0.0",
+		"typescript": "^6.0.3",
+		"vitest": "^4.1.6"
+	}
+}