@ingram-tech/nk-auth 0.2.1 → 0.4.0

package/README.md

@@ -22,7 +22,7 @@ only what you need from focused subpaths.
 > [`docs/better-auth-migration.md`](../../docs/better-auth-migration.md) — the
 > RLS bridge, the migration runbook, and the gotchas.
 >
-> **Backend-JWT + org sites** (e.g. integrain): compose `createAuthPool`,
+> **Backend-JWT + org sites** (a backend API plus the org plugin): compose `createAuthPool`,
 > `backendJwtOptions({ audience })`, `nkOrganizationDefaults`, and
 > `lastActiveOrganizationHooks(pool)` in your `betterAuth()`; verify backend
 > tokens with `verifyBackendJwt`. Keep app-specific bits (SSO restrictions,
@@ -73,6 +73,7 @@ per the prime directive. The presets carry the RLS-preserving bits.
 import { passkey } from "@better-auth/passkey";
 import { fromAddress, sendEmail } from "@ingram-tech/email";
 import {
+	authBasePath,
 	authEnv,
 	bcryptPassword,
 	makeEmailSenders,
@@ -93,7 +94,13 @@ export const auth = betterAuth({
 	database: new Pool({ connectionString: env.databaseUrl }),
 	secret: env.secret,
 	baseURL: env.baseURL,
-	advanced: { database: { generateId: uuidGenerateId } }, // UUID-shaped ids
+	basePath: authBasePath, // mount at /auth, not the framework default /api/auth
+	advanced: { database: { generateId: uuidGenerateId } }, // UUIDv7 ids
+	// ^ stored as hyphenated UUIDv7 (uuid columns / Supabase RLS stay valid).
+	// To show those same ids as prefixed base58 on the wire/UI — `team_…`,
+	// matching the Ingram Cloud API's `agt_`/`smt_` ids — skin them with
+	// `toPrefixedId(uuid, "team")` / recover with `fromPrefixedId`. `base58Id`
+	// mints a fresh one directly for text-id sites. All from `@ingram-tech/nk-auth`.
 	emailAndPassword: {
 		enabled: true,
 		password: bcryptPassword, // verifies migrated Supabase bcrypt hashes
@@ -114,7 +121,9 @@ export const auth = betterAuth({
 ```
 
 ```ts
-// app/api/auth/[...all]/route.ts — a standard Next.js route handler
+// app/auth/[...all]/route.ts — a standard Next.js route handler.
+// Lives at /auth (set via `basePath: authBasePath`), NOT /api/auth: auth is a
+// user-facing surface (sign-in, OAuth callbacks), not an internal machine API.
 import { auth } from "@/lib/auth";
 export const { GET, POST } = auth.handler;
 ```
@@ -153,6 +162,7 @@ preserved here too):
 ```tsx
 "use client";
 import {
+	authBasePath,
 	createAuthClient,
 	jwtClient,
 	passkeyClient,
@@ -160,6 +170,7 @@ import {
 
 export const authClient = createAuthClient({
 	baseURL: process.env.NEXT_PUBLIC_SITE_URL ?? "",
+	basePath: authBasePath, // matches the server: /auth
 	plugins: [jwtClient(), passkeyClient()],
 });
 // authClient.signIn.email(...), signIn.social(...), useSession(), passkey.*
@@ -169,7 +180,7 @@ export const authClient = createAuthClient({
 
 `auth.uid()` reads the `sub` claim of the JWT PostgREST receives. The `jwt`
 plugin (configured here) mints an asymmetric token with `sub` = the user's UUID
-and `role: "authenticated"`, exposed at `/api/auth/jwks`. Register that JWKS URL
+and `role: "authenticated"`, exposed at `/auth/jwks`. Register that JWKS URL
 as a Supabase **third-party auth** issuer, and every existing policy works
 unchanged. Full rationale and the HS256 fallback:
 [`docs/better-auth-migration.md`](../../docs/better-auth-migration.md).

package/dist/client.d.ts

@@ -20,4 +20,5 @@
 export { passkeyClient } from "@better-auth/passkey/client";
 export { jwtClient } from "better-auth/client/plugins";
 export { createAuthClient } from "better-auth/react";
+export { authBasePath } from "./paths";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC"}

package/dist/client.js

@@ -20,4 +20,6 @@
 export { passkeyClient } from "@better-auth/passkey/client";
 export { jwtClient } from "better-auth/client/plugins";
 export { createAuthClient } from "better-auth/react";
+// Re-exported here too so the client can set `basePath` without a server import.
+export { authBasePath } from "./paths";
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,iFAAiF;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC"}

package/dist/id.d.ts

@@ -0,0 +1,32 @@
+/**
+ * The Ingram id codec — a UUIDv7 and its base58 skin. Dependency-light on
+ * purpose (only `node:crypto`), so a site can import it without pulling the
+ * bcrypt / passkey machinery in `./options`: `@ingram-tech/nk-auth/id`.
+ *
+ * The Python twin lives in cloud.ingram.tech's `v1/core.py` (`new_id`); the
+ * byte → string vectors in `id.test.ts` and that repo's `tests/test_ids.py` are
+ * kept identical, so a Better-Auth id (stored as a hyphenated UUIDv7 by
+ * {@link uuidGenerateId}) and an `agt_`/`smt_` id from the API are the same
+ * encoding of the same 16 bytes.
+ *
+ * The split is deliberate: keep storing the hyphenated UUIDv7 at rest (so
+ * Supabase `auth.uid()::uuid` / uuid columns keep working) and use
+ * {@link toPrefixedId} to skin it as a prefixed base58 id for the wire / display,
+ * {@link fromPrefixedId} to recover it. {@link base58Id} mints a fresh one
+ * directly, for text-id sites that want API-style ids natively.
+ */
+/**
+ * `advanced.database.generateId` for Better Auth — mints a **UUIDv7** (RFC 9562):
+ * a 48-bit Unix-ms timestamp prefix + random tail, version `7`, variant `10`.
+ * Keeps ids UUID-shaped (Supabase `auth.uid()::uuid`) while staying time-ordered
+ * for index locality. Node/Bun's `randomUUID` is v4-only, so we lay the bytes out
+ * by hand.
+ */
+export declare const uuidGenerateId: () => string;
+/** Skin a stored hyphenated UUIDv7 as a prefixed base58 id, e.g. `team_…`. */
+export declare function toPrefixedId(uuid: string, prefix: string): string;
+/** Inverse of {@link toPrefixedId}: recover the hyphenated UUIDv7. */
+export declare function fromPrefixedId(id: string): string;
+/** Mint a fresh prefixed base58 id (UUIDv7 core), for text-id sites / API parity. */
+export declare function base58Id(prefix: string): string;
+//# sourceMappingURL=id.d.ts.map

package/dist/id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"id.d.ts","sourceRoot":"","sources":["../src/id.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,QAAO,MAYjC,CAAC;AAqDF,8EAA8E;AAC9E,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjE;AAED,sEAAsE;AACtE,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED,qFAAqF;AACrF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAE/C"}

package/dist/id.js

@@ -0,0 +1,101 @@
+import { randomBytes } from "node:crypto";
+/**
+ * The Ingram id codec — a UUIDv7 and its base58 skin. Dependency-light on
+ * purpose (only `node:crypto`), so a site can import it without pulling the
+ * bcrypt / passkey machinery in `./options`: `@ingram-tech/nk-auth/id`.
+ *
+ * The Python twin lives in cloud.ingram.tech's `v1/core.py` (`new_id`); the
+ * byte → string vectors in `id.test.ts` and that repo's `tests/test_ids.py` are
+ * kept identical, so a Better-Auth id (stored as a hyphenated UUIDv7 by
+ * {@link uuidGenerateId}) and an `agt_`/`smt_` id from the API are the same
+ * encoding of the same 16 bytes.
+ *
+ * The split is deliberate: keep storing the hyphenated UUIDv7 at rest (so
+ * Supabase `auth.uid()::uuid` / uuid columns keep working) and use
+ * {@link toPrefixedId} to skin it as a prefixed base58 id for the wire / display,
+ * {@link fromPrefixedId} to recover it. {@link base58Id} mints a fresh one
+ * directly, for text-id sites that want API-style ids natively.
+ */
+/**
+ * `advanced.database.generateId` for Better Auth — mints a **UUIDv7** (RFC 9562):
+ * a 48-bit Unix-ms timestamp prefix + random tail, version `7`, variant `10`.
+ * Keeps ids UUID-shaped (Supabase `auth.uid()::uuid`) while staying time-ordered
+ * for index locality. Node/Bun's `randomUUID` is v4-only, so we lay the bytes out
+ * by hand.
+ */
+export const uuidGenerateId = () => {
+    const bytes = randomBytes(16);
+    const ts = Date.now();
+    bytes[0] = Math.floor(ts / 2 ** 40) & 0xff;
+    bytes[1] = Math.floor(ts / 2 ** 32) & 0xff;
+    bytes[2] = Math.floor(ts / 2 ** 24) & 0xff;
+    bytes[3] = Math.floor(ts / 2 ** 16) & 0xff;
+    bytes[4] = Math.floor(ts / 2 ** 8) & 0xff;
+    bytes[5] = ts & 0xff;
+    bytes[6] = ((bytes[6] ?? 0) & 0x0f) | 0x70; // version 7
+    bytes[8] = ((bytes[8] ?? 0) & 0x3f) | 0x80; // variant 10
+    return bytesToUuid(bytes);
+};
+const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+// ceil(128 / log2(58)): a 16-byte value never needs more than 22 digits. We
+// left-pad to it so every body is uniform width and sorts lexically ==
+// chronologically (UUIDv7's ms-timestamp prefix lives in the high bytes).
+const WIDTH = 22;
+/** Big-endian base58 (Bitcoin alphabet) of 16 bytes, left-padded to `WIDTH`. */
+function encode58(bytes) {
+    let n = 0n;
+    for (const b of bytes)
+        n = (n << 8n) | BigInt(b);
+    let out = "";
+    while (n > 0n) {
+        out = B58.charAt(Number(n % 58n)) + out;
+        n /= 58n;
+    }
+    return out.padStart(WIDTH, B58.charAt(0));
+}
+/** Inverse of {@link encode58}: a base58 body back to 16 bytes. */
+function decode58(body) {
+    let n = 0n;
+    for (const ch of body) {
+        const v = B58.indexOf(ch);
+        if (v < 0)
+            throw new Error(`invalid base58 char: ${ch}`);
+        n = n * 58n + BigInt(v);
+    }
+    const bytes = new Uint8Array(16);
+    for (let i = 15; i >= 0; i--) {
+        bytes[i] = Number(n & 0xffn);
+        n >>= 8n;
+    }
+    return bytes;
+}
+/** A hyphenated UUID string → its 16 raw bytes. */
+function uuidToBytes(uuid) {
+    const hex = uuid.replace(/-/g, "");
+    if (!/^[0-9a-fA-F]{32}$/.test(hex))
+        throw new Error(`not a uuid: ${uuid}`);
+    const bytes = new Uint8Array(16);
+    for (let i = 0; i < 16; i++) {
+        bytes[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+/** 16 raw bytes → a canonical hyphenated UUID string. */
+function bytesToUuid(bytes) {
+    const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/** Skin a stored hyphenated UUIDv7 as a prefixed base58 id, e.g. `team_…`. */
+export function toPrefixedId(uuid, prefix) {
+    return `${prefix}_${encode58(uuidToBytes(uuid))}`;
+}
+/** Inverse of {@link toPrefixedId}: recover the hyphenated UUIDv7. */
+export function fromPrefixedId(id) {
+    const body = id.slice(id.indexOf("_") + 1);
+    return bytesToUuid(decode58(body));
+}
+/** Mint a fresh prefixed base58 id (UUIDv7 core), for text-id sites / API parity. */
+export function base58Id(prefix) {
+    return toPrefixedId(uuidGenerateId(), prefix);
+}
+//# sourceMappingURL=id.js.map

package/dist/id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"id.js","sourceRoot":"","sources":["../src/id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE;IAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC1C,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,YAAY;IACxD,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,aAAa;IACzD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC,CAAC;AAEF,MAAM,GAAG,GAAG,4DAA4D,CAAC;AACzE,4EAA4E;AAC5E,uEAAuE;AACvE,0EAA0E;AAC1E,MAAM,KAAK,GAAG,EAAE,CAAC;AAEjB,gFAAgF;AAChF,SAAS,QAAQ,CAAC,KAAiB;IAClC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;QACf,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC;QACxC,CAAC,IAAI,GAAG,CAAC;IACV,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,mEAAmE;AACnE,SAAS,QAAQ,CAAC,IAAY;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC;QACzD,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC7B,CAAC,KAAK,EAAE,CAAC;IACV,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,mDAAmD;AACnD,SAAS,WAAW,CAAC,IAAY;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;IAC3E,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,yDAAyD;AACzD,SAAS,WAAW,CAAC,KAAiB;IACrC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/E,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC5G,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,MAAc;IACxD,OAAO,GAAG,MAAM,IAAI,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;AACnD,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,cAAc,CAAC,EAAU;IACxC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,OAAO,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,QAAQ,CAAC,MAAc;IACtC,OAAO,YAAY,CAAC,cAAc,EAAE,EAAE,MAAM,CAAC,CAAC;AAC/C,CAAC"}

package/dist/index.d.ts

@@ -1,7 +1,9 @@
 export { type BackendJwtConfig, backendJwtOptions, rlsJwtOptions, verifyBackendJwt, } from "./jwt";
+export { base58Id, fromPrefixedId, toPrefixedId, uuidGenerateId } from "./id";
 export { type AuthEnv, authEnv, isConfigured } from "./keys";
-export { bcryptPassword, makeEmailSenders, makePasskeyOptions, type PasskeyConfig, type SendEmail, uuidGenerateId, } from "./options";
+export { bcryptPassword, makeEmailSenders, makePasskeyOptions, type PasskeyConfig, type SendEmail, } from "./options";
 export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { authBasePath } from "./paths";
 export { createAuthPool } from "./pool";
-export { createServerSupabase, type ServerSupabaseConfig, } from "./supabase";
+export { createServerSupabase, type ServerSupabaseConfig } from "./supabase";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EACN,KAAK,gBAAgB,EACrB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,KAAK,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,EACpB,KAAK,oBAAoB,GACzB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EACN,KAAK,gBAAgB,EACrB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAC9E,OAAO,EAAE,KAAK,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,SAAS,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EAAE,oBAAoB,EAAE,KAAK,oBAAoB,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -3,9 +3,11 @@
 // React. Focused subpaths (./jwt, ./organization, ./pool) let a site import
 // only what it needs (e.g. avoid bcrypt/supabase when it uses neither).
 export { backendJwtOptions, rlsJwtOptions, verifyBackendJwt, } from "./jwt";
+export { base58Id, fromPrefixedId, toPrefixedId, uuidGenerateId } from "./id";
 export { authEnv, isConfigured } from "./keys";
-export { bcryptPassword, makeEmailSenders, makePasskeyOptions, uuidGenerateId, } from "./options";
+export { bcryptPassword, makeEmailSenders, makePasskeyOptions, } from "./options";
 export { lastActiveOrganizationHooks, lastActiveOrganizationUserField, nkOrganizationDefaults, } from "./organization";
+export { authBasePath } from "./paths";
 export { createAuthPool } from "./pool";
-export { createServerSupabase, } from "./supabase";
+export { createServerSupabase } from "./supabase";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AAExE,OAAO,EAEN,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAgB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAGlB,cAAc,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACN,oBAAoB,GAEpB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,+EAA+E;AAC/E,4EAA4E;AAC5E,wEAAwE;AAExE,OAAO,EAEN,iBAAiB,EACjB,aAAa,EACb,gBAAgB,GAChB,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAC9E,OAAO,EAAgB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACN,cAAc,EACd,gBAAgB,EAChB,kBAAkB,GAGlB,MAAM,WAAW,CAAC;AACnB,OAAO,EACN,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,GACtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EAAE,oBAAoB,EAA6B,MAAM,YAAY,CAAC"}

package/dist/options.d.ts

@@ -1,4 +1,5 @@
 import type { PasskeyOptions } from "@better-auth/passkey";
+export { uuidGenerateId } from "./id";
 /**
  * Portable Better Auth building blocks for Ingram sites.
  *
@@ -7,9 +8,6 @@ import type { PasskeyOptions } from "@better-auth/passkey";
  * call site (where `declaration` is off) and respects the prime directive — the
  * site stays plain Better Auth, we just ship the shared config. JWT + org
  * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
- *
- * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
- * `auth.uid()::uuid` on RLS sites).
  */
 /**
  * `emailAndPassword.password` config. Verifies with bcrypt so passwords
@@ -22,8 +20,6 @@ export declare const bcryptPassword: {
         password: string;
     }) => Promise<boolean>;
 };
-/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
-export declare const uuidGenerateId: () => string;
 export interface PasskeyConfig {
     /** Relying-party id: the registrable domain, e.g. "example.com". */
     rpId: string;

package/dist/options.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc;qBACT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;kCAItC;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KACjB,KAAG,OAAO,CAAC,OAAO,CAAC;CACpB,CAAC;AAEF,uEAAuE;AACvE,eAAO,MAAM,cAAc,QAAO,MAAsB,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC7B,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,GAAI,KAAK,aAAa,KAAG,cAItD,CAAC;AAEH,iFAAiF;AACjF,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,SAAS;wCAI5C;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;4CAMd;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;CAGhB,CAAC"}
+{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAM3D,OAAO,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAEtC;;;;;;;;GAQG;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc;qBACT,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;kCAItC;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KACjB,KAAG,OAAO,CAAC,OAAO,CAAC;CACpB,CAAC;AAEF,MAAM,WAAW,aAAa;IAC7B,oEAAoE;IACpE,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC1B;AAED,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,GAAI,KAAK,aAAa,KAAG,cAItD,CAAC;AAEH,iFAAiF;AACjF,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACZ,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,SAAS;wCAI5C;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;4CAMd;QACF,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC;KACZ,KAAG,OAAO,CAAC,IAAI,CAAC;CAGhB,CAAC"}

package/dist/options.js

@@ -1,5 +1,8 @@
-import { randomUUID } from "node:crypto";
 import bcrypt from "bcrypt";
+// `uuidGenerateId` (the `advanced.database.generateId` UUIDv7 generator) and the
+// base58 skin now live in the dependency-light `./id` module; re-exported here so
+// existing `from "@ingram-tech/nk-auth"` imports keep resolving.
+export { uuidGenerateId } from "./id";
 /**
  * Portable Better Auth building blocks for Ingram sites.
  *
@@ -8,9 +11,6 @@ import bcrypt from "bcrypt";
  * call site (where `declaration` is off) and respects the prime directive — the
  * site stays plain Better Auth, we just ship the shared config. JWT + org
  * presets live in `./jwt` and `./organization`. See docs/better-auth-migration.md.
- *
- * `uuidGenerateId` keeps new-user ids UUID-shaped (needed for Supabase
- * `auth.uid()::uuid` on RLS sites).
  */
 /**
  * `emailAndPassword.password` config. Verifies with bcrypt so passwords
@@ -20,8 +20,6 @@ export const bcryptPassword = {
     hash: (password) => bcrypt.hash(password, 10),
     verify: ({ hash, password, }) => bcrypt.compare(password, hash),
 };
-/** `advanced.database.generateId` — keeps new-user ids UUID-shaped. */
-export const uuidGenerateId = () => randomUUID();
 /** Build `passkey` plugin options. Use as `passkey(makePasskeyOptions(cfg))`. */
 export const makePasskeyOptions = (cfg) => ({
     rpID: cfg.rpId,

package/dist/options.js.map

@@ -1 +1 @@
-{"version":3,"file":"options.js","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC7B,IAAI,EAAE,CAAC,QAAgB,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;IACtE,MAAM,EAAE,CAAC,EACR,IAAI,EACJ,QAAQ,GAIR,EAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;CACtD,CAAC;AAEF,uEAAuE;AACvE,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE,CAAC,UAAU,EAAE,CAAC;AAWzD,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAkB,EAAkB,EAAE,CAAC,CAAC;IAC1E,IAAI,EAAE,GAAG,CAAC,IAAI;IACd,MAAM,EAAE,GAAG,CAAC,MAAM;IAClB,MAAM,EAAE,GAAG,CAAC,MAAM;CAClB,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,IAAe,EAAE,EAAE,CAAC,CAAC;IACrD,iBAAiB,EAAE,KAAK,EAAE,EACzB,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,qBAAqB,EAAE,KAAK,EAAE,EAC7B,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;CACD,CAAC,CAAC"}
+{"version":3,"file":"options.js","sourceRoot":"","sources":["../src/options.ts"],"names":[],"mappings":"AACA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,iFAAiF;AACjF,kFAAkF;AAClF,iEAAiE;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAEtC;;;;;;;;GAQG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC7B,IAAI,EAAE,CAAC,QAAgB,EAAmB,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;IACtE,MAAM,EAAE,CAAC,EACR,IAAI,EACJ,QAAQ,GAIR,EAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;CACtD,CAAC;AAWF,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAkB,EAAkB,EAAE,CAAC,CAAC;IAC1E,IAAI,EAAE,GAAG,CAAC,IAAI;IACd,MAAM,EAAE,GAAG,CAAC,MAAM;IAClB,MAAM,EAAE,GAAG,CAAC,MAAM;CAClB,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,IAAe,EAAE,EAAE,CAAC,CAAC;IACrD,iBAAiB,EAAE,KAAK,EAAE,EACzB,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,qBAAqB,EAAE,KAAK,EAAE,EAC7B,IAAI,EACJ,GAAG,GAIH,EAAiB,EAAE;QACnB,MAAM,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;CACD,CAAC,CAAC"}

package/dist/paths.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Where Better Auth mounts in an Ingram site: **`/auth`**, not the framework
+ * default `/api/auth`. Auth is a first-class user-facing surface — sign-in,
+ * OAuth callbacks, the JWKS — not an internal machine API, so it lives at the
+ * site root alongside the other pages.
+ *
+ * Use it on both ends so server and client agree:
+ *
+ *   betterAuth({ basePath: authBasePath, ... })
+ *   createAuthClient({ baseURL, basePath: authBasePath, ... })
+ *
+ * and mount the catch-all at `app/auth/[...all]/route.ts`. OAuth redirect URIs
+ * then become `<site>/auth/callback/<provider>` and the JWKS `<site>/auth/jwks`.
+ */
+export declare const authBasePath = "/auth";
+//# sourceMappingURL=paths.d.ts.map

package/dist/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../src/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,UAAU,CAAC"}

package/dist/paths.js

@@ -0,0 +1,16 @@
+/**
+ * Where Better Auth mounts in an Ingram site: **`/auth`**, not the framework
+ * default `/api/auth`. Auth is a first-class user-facing surface — sign-in,
+ * OAuth callbacks, the JWKS — not an internal machine API, so it lives at the
+ * site root alongside the other pages.
+ *
+ * Use it on both ends so server and client agree:
+ *
+ *   betterAuth({ basePath: authBasePath, ... })
+ *   createAuthClient({ baseURL, basePath: authBasePath, ... })
+ *
+ * and mount the catch-all at `app/auth/[...all]/route.ts`. OAuth redirect URIs
+ * then become `<site>/auth/callback/<provider>` and the JWKS `<site>/auth/jwks`.
+ */
+export const authBasePath = "/auth";
+//# sourceMappingURL=paths.js.map

package/dist/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../src/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAC"}

package/dist/pool.d.ts

@@ -1,16 +1,17 @@
-import { Pool } from "pg";
+import type { Pool } from "pg";
 /**
- * A `pg` Pool for Better Auth's direct database connection, with the right TLS
- * for each kind of host:
+ * A `pg` Pool for Better Auth's direct database connection.
  *
- *   - `caCert` set → verify the server cert + hostname against it
- *     (equivalent to `sslmode=verify-full`).
- *   - local (`127.0.0.1`/`localhost`) → no TLS.
- *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
- *     verification. Supabase's cert chain isn't in Node's trust store, so plain
- *     verification fails with "self-signed certificate in certificate chain";
- *     the connection is still encrypted. `sslmode` is stripped from the URL
- *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
+ * @deprecated Thin alias for `createPool` from `@ingram-tech/nk-db` — the one
+ * place pool construction and TLS handling live. Kept so existing call sites
+ * (`lib/db.ts` calling `createAuthPool({ connectionString, caCert })`) keep
+ * working, and so Better Auth shares the **exact same pool implementation** as
+ * app queries — the "one pool per process" rule. Prefer importing `createPool`
+ * directly in new code.
+ *
+ * TLS handling (CA-verified when `caCert` is set; plain-TLS for other managed
+ * hosts; no TLS for localhost), and the local `max: 1` cap (for the PGlite
+ * socket), all live in `createPool`.
  */
 export declare const createAuthPool: (config: {
     connectionString: string;

package/dist/pool.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAK1B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAgBH,CAAC"}
+{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE/B;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAID,CAAC"}

package/dist/pool.js

@@ -1,33 +1,20 @@
-import { Pool } from "pg";
-const isLocal = (connectionString) => connectionString.includes("127.0.0.1") || connectionString.includes("localhost");
+import { createPool } from "@ingram-tech/nk-db";
 /**
- * A `pg` Pool for Better Auth's direct database connection, with the right TLS
- * for each kind of host:
+ * A `pg` Pool for Better Auth's direct database connection.
  *
- *   - `caCert` set → verify the server cert + hostname against it
- *     (equivalent to `sslmode=verify-full`).
- *   - local (`127.0.0.1`/`localhost`) → no TLS.
- *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
- *     verification. Supabase's cert chain isn't in Node's trust store, so plain
- *     verification fails with "self-signed certificate in certificate chain";
- *     the connection is still encrypted. `sslmode` is stripped from the URL
- *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
+ * @deprecated Thin alias for `createPool` from `@ingram-tech/nk-db` — the one
+ * place pool construction and TLS handling live. Kept so existing call sites
+ * (`lib/db.ts` calling `createAuthPool({ connectionString, caCert })`) keep
+ * working, and so Better Auth shares the **exact same pool implementation** as
+ * app queries — the "one pool per process" rule. Prefer importing `createPool`
+ * directly in new code.
+ *
+ * TLS handling (CA-verified when `caCert` is set; plain-TLS for other managed
+ * hosts; no TLS for localhost), and the local `max: 1` cap (for the PGlite
+ * socket), all live in `createPool`.
  */
-export const createAuthPool = (config) => {
-    if (config.caCert) {
-        return new Pool({
-            connectionString: config.connectionString,
-            ssl: { ca: config.caCert, rejectUnauthorized: true },
-        });
-    }
-    if (isLocal(config.connectionString)) {
-        return new Pool({ connectionString: config.connectionString });
-    }
-    const url = new URL(config.connectionString);
-    url.searchParams.delete("sslmode");
-    return new Pool({
-        connectionString: url.toString(),
-        ssl: { rejectUnauthorized: false },
-    });
-};
+export const createAuthPool = (config) => createPool({
+    connectionString: config.connectionString,
+    caCert: config.caCert,
+});
 //# sourceMappingURL=pool.js.map

package/dist/pool.js.map

@@ -1 +1 @@
-{"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B,MAAM,OAAO,GAAG,CAAC,gBAAwB,EAAW,EAAE,CACrD,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAElF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE;IACV,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,IAAI,IAAI,CAAC;YACf,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,GAAG,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE;SACpD,CAAC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,IAAI,CAAC,EAAE,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC7C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,IAAI,IAAI,CAAC;QACf,gBAAgB,EAAE,GAAG,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE;KAClC,CAAC,CAAC;AACJ,CAAC,CAAC"}
+{"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE,CACV,UAAU,CAAC;IACV,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;IACzC,MAAM,EAAE,MAAM,CAAC,MAAM;CACrB,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/nk-auth",
-	"version": "0.2.1",
+	"version": "0.4.0",
 	"description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.",
 	"license": "MIT",
 	"type": "module",
@@ -21,6 +21,10 @@
 			"types": "./dist/index.d.ts",
 			"import": "./dist/index.js"
 		},
+		"./id": {
+			"types": "./dist/id.d.ts",
+			"import": "./dist/id.js"
+		},
 		"./jwt": {
 			"types": "./dist/jwt.d.ts",
 			"import": "./dist/jwt.js"
@@ -33,6 +37,10 @@
 			"types": "./dist/pool.d.ts",
 			"import": "./dist/pool.js"
 		},
+		"./paths": {
+			"types": "./dist/paths.d.ts",
+			"import": "./dist/paths.js"
+		},
 		"./client": {
 			"types": "./dist/client.d.ts",
 			"import": "./dist/client.js"
@@ -45,6 +53,7 @@
 		"test": "vitest run"
 	},
 	"dependencies": {
+		"@ingram-tech/nk-db": "^0.2.0",
 		"bcrypt": "^5.1.1",
 		"jose": "^6.0.0",
 		"zod": "^4.0.0"
@@ -72,7 +81,7 @@
 	},
 	"devDependencies": {
 		"@better-auth/passkey": "^1.6.0",
-		"@ingram-tech/typescript-config": "0.1.0",
+		"@ingram-tech/typescript-config": "workspace:*",
 		"@supabase/supabase-js": "^2.45.0",
 		"@types/bcrypt": "^5.0.2",
 		"@types/node": "^20.0.0",