@mars-stack/cli 0.2.0 → 1.0.2

package/template/src/app/privacy/page.tsx

@@ -0,0 +1,178 @@
+import Link from 'next/link';
+import { appConfig } from '@/config/app.config';
+import { routes } from '@/config/routes';
+
+export default function PrivacyPage() {
+  const companyName = appConfig.legal.companyName || appConfig.name;
+
+  return (
+    <main className="mx-auto max-w-3xl px-6 py-16">
+      <h1 className="text-4xl font-bold leading-tight text-text-primary mb-2">Privacy Policy</h1>
+      <p className="text-base leading-relaxed text-text-muted mb-4">
+        Last updated: {'[Replace this content: add date]'}
+      </p>
+
+      <hr className="my-8 border-border-default" />
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">1. Introduction</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your privacy commitment */}
+          {companyName} (&quot;we&quot;, &quot;us&quot;, or &quot;our&quot;) respects your privacy and
+          is committed to protecting your personal data. This Privacy Policy explains how we collect,
+          use, disclose, and safeguard your information when you use our service.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">2. Data We Collect</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: list all categories of data you collect */}
+          We may collect the following types of information:
+        </p>
+        <ul className="mb-4 ml-6 list-disc space-y-2 text-text-secondary">
+          <li>
+            <strong className="text-text-primary">Account information</strong> — name, email address,
+            and password when you register.
+          </li>
+          <li>
+            <strong className="text-text-primary">Usage data</strong> — pages visited, features used,
+            timestamps, and referring URLs.
+          </li>
+          <li>
+            <strong className="text-text-primary">Device information</strong> — browser type,
+            operating system, IP address, and device identifiers.
+          </li>
+          <li>
+            <strong className="text-text-primary">Cookies</strong> — session cookies and preferences.
+            See our cookie policy for details.
+          </li>
+          {/* Replace this content: add or remove data categories as needed */}
+        </ul>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">3. How We Use Your Data</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe each purpose for data processing */}
+          We use the information we collect for the following purposes:
+        </p>
+        <ul className="mb-4 ml-6 list-disc space-y-2 text-text-secondary">
+          <li>To provide, maintain, and improve our service.</li>
+          <li>To authenticate users and manage accounts.</li>
+          <li>To communicate with you about updates, security alerts, and support.</li>
+          <li>To detect, prevent, and address technical issues and abuse.</li>
+          <li>To comply with legal obligations.</li>
+          {/* Replace this content: add or remove purposes as needed */}
+        </ul>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">4. Data Sharing &amp; Disclosure</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: list third parties and data processors */}
+          We do not sell your personal data. We may share your information with third-party service
+          providers who assist us in operating our service, subject to confidentiality obligations.
+          We may also disclose your information if required by law or to protect our rights.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">5. Data Retention</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: specify your data retention periods */}
+          We retain your personal data only for as long as necessary to fulfil the purposes for which
+          it was collected, including to satisfy any legal, accounting, or reporting requirements.
+          [Replace this content: add specific retention periods for each data category.]
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">6. Data Security</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your security measures */}
+          We implement appropriate technical and organisational measures to protect your personal data
+          against unauthorised access, alteration, disclosure, or destruction. However, no method of
+          transmission over the Internet is 100% secure.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">7. Your Rights</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: list rights applicable in your jurisdiction (GDPR, CCPA, etc.) */}
+          Depending on your location, you may have the following rights regarding your personal data:
+        </p>
+        <ul className="mb-4 ml-6 list-disc space-y-2 text-text-secondary">
+          <li>The right to access the personal data we hold about you.</li>
+          <li>The right to request correction of inaccurate data.</li>
+          <li>The right to request deletion of your data.</li>
+          <li>The right to restrict or object to processing.</li>
+          <li>The right to data portability.</li>
+          <li>The right to withdraw consent at any time.</li>
+          {/* Replace this content: add jurisdiction-specific rights */}
+        </ul>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          To exercise any of these rights, please contact us at{' '}
+          <a
+            href={`mailto:${appConfig.support.email}`}
+            className="text-text-link hover:text-text-link-hover transition-colors hover:underline"
+          >
+            {appConfig.support.email}
+          </a>
+          .
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">8. International Transfers</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your data transfer mechanisms */}
+          [Replace this content: describe where data is stored and any international transfer
+          mechanisms you use, such as Standard Contractual Clauses or adequacy decisions.]
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">9. Changes to This Policy</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          We may update this Privacy Policy from time to time. We will notify you of any changes by
+          posting the new Privacy Policy on this page and updating the &quot;Last updated&quot; date.
+          You are advised to review this page periodically for any changes.
+        </p>
+      </section>
+
+      <section>
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">10. Contact Us</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          If you have any questions about this Privacy Policy, please contact us at{' '}
+          <a
+            href={`mailto:${appConfig.support.email}`}
+            className="text-text-link hover:text-text-link-hover transition-colors hover:underline"
+          >
+            {appConfig.support.email}
+          </a>
+          .
+        </p>
+        {appConfig.legal.address && (
+          <p className="text-base leading-relaxed text-text-secondary mb-4">
+            {companyName}
+            <br />
+            {appConfig.legal.address}
+          </p>
+        )}
+      </section>
+
+      <hr className="my-8 border-border-default" />
+
+      <nav className="flex gap-6">
+        <Link href={routes.terms} className="text-sm text-text-link hover:text-text-link-hover transition-colors hover:underline">
+          Terms of Service
+        </Link>
+        <Link href={routes.home} className="text-sm text-text-link hover:text-text-link-hover transition-colors hover:underline">
+          Home
+        </Link>
+      </nav>
+    </main>
+  );
+}

package/template/src/app/providers.tsx

@@ -0,0 +1,8 @@
+'use client';
+
+import { AuthProvider } from '@/features/auth/context/AuthContext';
+import type { ReactNode } from 'react';
+
+export function Providers({ children }: { children: ReactNode }) {
+  return <AuthProvider>{children}</AuthProvider>;
+}

package/template/src/app/terms/page.tsx

@@ -0,0 +1,139 @@
+import Link from 'next/link';
+import { appConfig } from '@/config/app.config';
+import { routes } from '@/config/routes';
+
+export default function TermsPage() {
+  const companyName = appConfig.legal.companyName || appConfig.name;
+
+  return (
+    <main className="mx-auto max-w-3xl px-6 py-16">
+      <h1 className="text-4xl font-bold leading-tight text-text-primary mb-2">Terms of Service</h1>
+      <p className="text-base leading-relaxed text-text-muted mb-4">
+        Last updated: {'[Replace this content: add date]'}
+      </p>
+
+      <hr className="my-8 border-border-default" />
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">1. Agreement to Terms</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your terms of service agreement */}
+          By accessing or using the services provided by {companyName} (&quot;we&quot;, &quot;us&quot;, or &quot;our&quot;),
+          you agree to be bound by these Terms of Service. If you do not agree to these terms, do not
+          use our services.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">2. User Accounts</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your account requirements */}
+          When you create an account with us, you must provide accurate, complete, and current
+          information. You are responsible for safeguarding the password that you use to access our
+          service and for any activities or actions under your password.
+        </p>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe account termination policy */}
+          We reserve the right to suspend or terminate your account if any information provided during
+          the registration process or thereafter proves to be inaccurate, not current, or incomplete.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">3. Acceptable Use</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your acceptable use policy */}
+          You agree not to use the service for any unlawful purpose or in any way that could damage,
+          disable, overburden, or impair our servers or networks. You must not attempt to gain
+          unauthorized access to any part of the service, other accounts, or computer systems through
+          hacking, password mining, or any other means.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">4. Intellectual Property</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe IP ownership and licensing */}
+          The service and its original content, features, and functionality are and will remain the
+          exclusive property of {companyName}. Our service is protected by copyright, trademark, and
+          other laws. Our trademarks may not be used in connection with any product or service without
+          prior written consent.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">5. Payment Terms</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe your billing and payment terms, or remove this section if not applicable */}
+          [Replace this content: add your payment terms, billing cycles, refund policy, and
+          cancellation procedures.]
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">6. Limitation of Liability</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: consult a lawyer for your jurisdiction */}
+          In no event shall {companyName}, nor its directors, employees, partners, agents, suppliers,
+          or affiliates, be liable for any indirect, incidental, special, consequential, or punitive
+          damages, including without limitation, loss of profits, data, use, goodwill, or other
+          intangible losses, resulting from your access to or use of, or inability to access or use,
+          the service.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">7. Termination</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: describe termination conditions */}
+          We may terminate or suspend your account immediately, without prior notice or liability, for
+          any reason whatsoever, including without limitation if you breach the Terms. Upon
+          termination, your right to use the service will immediately cease.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">8. Governing Law</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          {/* Replace this content: specify your legal jurisdiction */}
+          These Terms shall be governed and construed in accordance with the laws of [Replace this
+          content: add your jurisdiction], without regard to its conflict of law provisions.
+        </p>
+      </section>
+
+      <section className="mb-10">
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">9. Changes to Terms</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          We reserve the right to modify or replace these Terms at any time. If a revision is
+          material, we will provide at least 30 days&apos; notice prior to any new terms taking
+          effect. What constitutes a material change will be determined at our sole discretion.
+        </p>
+      </section>
+
+      <section>
+        <h2 className="text-3xl font-bold leading-tight text-text-primary mb-2">10. Contact Us</h2>
+        <p className="text-base leading-relaxed text-text-secondary mb-4">
+          If you have any questions about these Terms, please contact us at{' '}
+          <a
+            href={`mailto:${appConfig.support.email}`}
+            className="text-text-link hover:text-text-link-hover transition-colors hover:underline"
+          >
+            {appConfig.support.email}
+          </a>
+          .
+        </p>
+      </section>
+
+      <hr className="my-8 border-border-default" />
+
+      <nav className="flex gap-6">
+        <Link href={routes.privacy} className="text-sm text-text-link hover:text-text-link-hover transition-colors hover:underline">
+          Privacy Policy
+        </Link>
+        <Link href={routes.home} className="text-sm text-text-link hover:text-text-link-hover transition-colors hover:underline">
+          Home
+        </Link>
+      </nav>
+    </main>
+  );
+}

package/template/src/config/app.config.ts

@@ -0,0 +1,70 @@
+export const appConfig = {
+  name: 'My App',
+  tagline: 'A short description',
+  description: 'A longer description for meta tags and SEO',
+  url: 'https://myapp.com',
+  support: { email: 'support@myapp.com', phone: '' },
+  social: {
+    twitter: '',
+    tiktok: '',
+    linkedin: '',
+    github: '',
+    instagram: '',
+  },
+  legal: {
+    companyName: '',
+    registrationNumber: '',
+    address: '',
+  },
+  theme: {
+    primaryColor: 'blue-600' as string,
+    secondaryColor: 'amber-400' as string,
+    font: 'Inter' as string,
+    designDirection: 'modern-saas' as
+      | 'modern-saas'
+      | 'minimal'
+      | 'enterprise'
+      | 'creative'
+      | 'dashboard',
+  },
+  features: {
+    auth: true,
+    googleOAuth: false,
+    emailVerification: true,
+    magicLinks: false,
+    twoFactor: false,
+    admin: true,
+    darkMode: false,
+    notifications: false,
+    onboarding: false,
+    multiTenancy: false,
+    teams: false,
+    billing: false,
+    blog: false,
+    seo: true,
+    comingSoon: false,
+    cookieConsent: true,
+    analytics: false,
+    sentry: false,
+    ai: false,
+    fileUpload: false,
+    search: false,
+    realtime: false,
+    commandPalette: false,
+    featureFlags: false,
+  },
+  services: {
+    email: { provider: 'console' as 'sendgrid' | 'resend' | 'console' },
+    storage: { provider: 'local' as 'vercel' | 's3' | 'local' },
+    database: { provider: 'local' as 'vercel' | 'supabase' | 'local' },
+    payments: { provider: 'none' as 'stripe' | 'none' },
+    analytics: { provider: 'none' as 'vercel' | 'posthog' | 'google' | 'none' },
+    monitoring: { provider: 'none' as 'sentry' | 'none' },
+    ai: { provider: 'none' as 'openai' | 'anthropic' | 'none' },
+    search: { provider: 'none' as 'postgres' | 'algolia' | 'meilisearch' | 'none' },
+    realtime: { provider: 'none' as 'sse' | 'pusher' | 'ably' | 'none' },
+    jobs: { provider: 'none' as 'inngest' | 'trigger' | 'db' | 'none' },
+  },
+} as const;
+
+export type AppConfig = typeof appConfig;

package/template/src/config/routes.ts

@@ -0,0 +1,17 @@
+export const routes = {
+  home: '/',
+  signIn: '/sign-in',
+  signUp: '/register',
+  forgotPassword: '/forgotten-password',
+  resetPassword: '/reset-password',
+  verifyEmail: '/verify',
+  dashboard: '/dashboard',
+  settings: '/settings',
+  admin: '/admin',
+  about: '/about',
+  privacy: '/privacy',
+  terms: '/terms',
+  blog: '/blog',
+} as const;
+
+export type RoutePath = (typeof routes)[keyof typeof routes];

package/template/src/features/admin/index.ts

@@ -0,0 +1,11 @@
+export {
+  hasRole,
+  assertRole,
+  assertRoles,
+  canAccessResource,
+  assertCanAccessResource,
+  getRoleHierarchy,
+  hasRoleOrHigher,
+  assertRoleOrHigher,
+} from './permissions';
+export type { Role } from './permissions';

package/template/src/features/admin/permissions.ts

@@ -0,0 +1,64 @@
+import { getCurrentUser } from '@/lib/mars';
+
+export type Role = 'user' | 'editor' | 'admin';
+
+export async function hasRole(requiredRole: Role): Promise<boolean> {
+  const user = await getCurrentUser();
+  if (!user) return false;
+  if (user.role === 'admin') return true;
+  return user.role === requiredRole;
+}
+
+export async function assertRole(requiredRole: Role): Promise<void> {
+  const hasPermission = await hasRole(requiredRole);
+  if (!hasPermission) throw new Error(`Unauthorized: ${requiredRole} role required`);
+}
+
+export async function assertRoles(requiredRoles: Role[]): Promise<void> {
+  const user = await getCurrentUser();
+  if (!user) throw new Error('Unauthorized: Authentication required');
+  if (user.role === 'admin') return;
+
+  const hasPermission = requiredRoles.includes(user.role as Role);
+  if (!hasPermission) {
+    throw new Error(`Unauthorized: One of [${requiredRoles.join(', ')}] roles required`);
+  }
+}
+
+export async function canAccessResource(
+  resourceUserId: string,
+  requiredRole?: Role,
+): Promise<boolean> {
+  const user = await getCurrentUser();
+  if (!user) return false;
+  if (user.id === resourceUserId) return true;
+  if (requiredRole) return hasRole(requiredRole);
+  return user.role === 'admin';
+}
+
+export async function assertCanAccessResource(
+  resourceUserId: string,
+  requiredRole?: Role,
+): Promise<void> {
+  const canAccess = await canAccessResource(resourceUserId, requiredRole);
+  if (!canAccess) throw new Error('Unauthorized: Cannot access this resource');
+}
+
+export function getRoleHierarchy(): Record<Role, number> {
+  return { user: 1, editor: 2, admin: 3 };
+}
+
+export async function hasRoleOrHigher(minimumRole: Role): Promise<boolean> {
+  const user = await getCurrentUser();
+  if (!user) return false;
+
+  const hierarchy = getRoleHierarchy();
+  const userLevel = hierarchy[user.role as Role] || 0;
+  const requiredLevel = hierarchy[minimumRole];
+  return userLevel >= requiredLevel;
+}
+
+export async function assertRoleOrHigher(minimumRole: Role): Promise<void> {
+  const hasPermission = await hasRoleOrHigher(minimumRole);
+  if (!hasPermission) throw new Error(`Unauthorized: ${minimumRole} role or higher required`);
+}

package/template/src/features/auth/context/AuthContext.tsx

@@ -0,0 +1,96 @@
+'use client';
+
+import { createContext, useContext, useEffect, useState, type ReactNode } from 'react';
+
+export interface User {
+  id: string;
+  name: string;
+  role: string;
+  emailVerified: boolean;
+}
+
+interface AuthContextType {
+  user: User | null;
+  isLoading: boolean;
+  isAuthenticated: boolean;
+  login: (user: User) => void;
+  logout: () => Promise<void>;
+  updateUser: (updates: Partial<User>) => void;
+  refreshAuth: () => Promise<void>;
+}
+
+const AuthContext = createContext<AuthContextType | undefined>(undefined);
+
+export function useAuth() {
+  const context = useContext(AuthContext);
+  if (context === undefined) {
+    throw new Error('useAuth must be used within an AuthProvider');
+  }
+  return context;
+}
+
+interface AuthProviderProps {
+  children: ReactNode;
+  initialUser?: User | null;
+}
+
+export function AuthProvider({ children, initialUser = null }: AuthProviderProps) {
+  const [user, setUser] = useState<User | null>(initialUser);
+  const [isLoading, setIsLoading] = useState(!initialUser);
+
+  const refreshAuth = async () => {
+    try {
+      setIsLoading(true);
+      const response = await fetch('/api/auth/me', { credentials: 'include' });
+
+      if (!response.ok) {
+        setUser(null);
+        return;
+      }
+
+      const userData: { user: User | null } = await response.json();
+      setUser(userData.user ?? null);
+    } catch (error) {
+      console.error('Failed to refresh auth:', error);
+      setUser(null);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  const login = (userData: User) => {
+    setUser(userData);
+  };
+
+  const logout = async () => {
+    try {
+      await fetch('/api/auth/logout', { method: 'POST', credentials: 'include' });
+    } catch (error) {
+      console.error('Logout error:', error);
+    } finally {
+      setUser(null);
+    }
+  };
+
+  const updateUser = (updates: Partial<User>) => {
+    setUser((current) => (current ? { ...current, ...updates } : null));
+  };
+
+  useEffect(() => {
+    if (!initialUser) {
+      refreshAuth();
+    }
+  }, [initialUser]);
+
+  const value: AuthContextType = {
+    user,
+    isLoading,
+    isAuthenticated: !!user,
+    login,
+    logout,
+    updateUser,
+    refreshAuth,
+  };
+
+  return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;
+}

package/template/src/features/auth/context/index.ts

@@ -0,0 +1,2 @@
+export { AuthProvider, useAuth } from './AuthContext';
+export type { User } from './AuthContext';

package/template/src/features/auth/index.ts

@@ -0,0 +1,3 @@
+export type { AuthError, AuthUser, AuthErrorCode } from '@mars-stack/core/auth/types';
+export { validateEmail, validatePassword, validateRequired } from '@mars-stack/core/auth/validators';
+export { passwordSchema, hashPassword, verifyPassword } from '@mars-stack/core/auth/password';

package/template/src/features/auth/server/consent.ts

@@ -0,0 +1,66 @@
+import 'server-only';
+
+import { prisma } from '@/lib/prisma';
+import { verifySession } from '@/lib/mars';
+
+export interface ConsentPreferences {
+  termsAcceptedAt: Date | null;
+  privacyAcceptedAt: Date | null;
+  marketingOptIn: boolean;
+  marketingOptInAt: Date | null;
+}
+
+export async function getUserConsent(userId: string): Promise<ConsentPreferences | null> {
+  return prisma.user.findUnique({
+    where: { id: userId },
+    select: {
+      termsAcceptedAt: true,
+      privacyAcceptedAt: true,
+      marketingOptIn: true,
+      marketingOptInAt: true,
+    },
+  });
+}
+
+export async function updateMarketingConsent(marketingOptIn: boolean): Promise<void> {
+  const session = await verifySession();
+  const now = new Date();
+
+  await prisma.user.update({
+    where: { id: session.userId },
+    data: {
+      marketingOptIn,
+      marketingOptInAt: marketingOptIn ? now : null,
+    },
+  });
+}
+
+export async function recordTermsAcceptance(): Promise<void> {
+  const session = await verifySession();
+  const now = new Date();
+
+  await prisma.user.update({
+    where: { id: session.userId },
+    data: { termsAcceptedAt: now, privacyAcceptedAt: now },
+  });
+}
+
+export async function getMarketingOptInUsers(): Promise<
+  Array<{ id: string; email: string; name: string | null }>
+> {
+  const session = await verifySession();
+
+  const dbUser = await prisma.user.findUnique({
+    where: { id: session.userId },
+    select: { role: true },
+  });
+
+  if (!dbUser || dbUser.role !== 'admin') {
+    throw new Error('Unauthorized: Admin access required');
+  }
+
+  return prisma.user.findMany({
+    where: { marketingOptIn: true, emailVerified: { not: null } },
+    select: { id: true, email: true, name: true },
+  });
+}