@objectstack/plugin-auth 3.2.1 → 3.2.2
- package/.turbo/turbo-build.log +9 -9
- package/CHANGELOG.md +14 -0
- package/README.md +11 -2
- package/dist/index.d.mts +15 -2
- package/dist/index.d.ts +15 -2
- package/dist/index.js +58 -15
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +58 -15
- package/dist/index.mjs.map +1 -1
- package/package.json +6 -6
- package/src/auth-manager.test.ts +193 -0
- package/src/auth-manager.ts +37 -2
- package/src/auth-plugin.test.ts +97 -2
- package/src/auth-plugin.ts +36 -18
package/.turbo/turbo-build.log
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
|
|
2
|
-
> @objectstack/plugin-auth@3.2.
|
|
2
|
+
> @objectstack/plugin-auth@3.2.2 build /home/runner/work/spec/spec/packages/plugins/plugin-auth
|
|
3
3
|
> tsup --config ../../../tsup.config.ts
|
|
4
4
|
|
|
5
5
|
[34mCLI[39m Building entry: src/index.ts
|
|
@@ -10,13 +10,13 @@
|
|
|
10
10
|
[34mCLI[39m Cleaning output folder
|
|
11
11
|
[34mESM[39m Build start
|
|
12
12
|
[34mCJS[39m Build start
|
|
13
|
-
[
|
|
14
|
-
[
|
|
13
|
+
[32mESM[39m [1mdist/index.mjs [22m[32m20.62 KB[39m
|
|
14
|
+
[32mESM[39m [1mdist/index.mjs.map [22m[32m44.89 KB[39m
|
|
15
|
+
[32mESM[39m ⚡️ Build success in 61ms
|
|
16
|
+
[32mCJS[39m [1mdist/index.js [22m[32m22.36 KB[39m
|
|
17
|
+
[32mCJS[39m [1mdist/index.js.map [22m[32m45.45 KB[39m
|
|
15
18
|
[32mCJS[39m ⚡️ Build success in 65ms
|
|
16
|
-
[32mESM[39m [1mdist/index.mjs [22m[32m18.61 KB[39m
|
|
17
|
-
[32mESM[39m [1mdist/index.mjs.map [22m[32m41.60 KB[39m
|
|
18
|
-
[32mESM[39m ⚡️ Build success in 66ms
|
|
19
19
|
[34mDTS[39m Build start
|
|
20
|
-
[32mDTS[39m ⚡️ Build success in
|
|
21
|
-
[32mDTS[39m [1mdist/index.d.mts [22m[
|
|
22
|
-
[32mDTS[39m [1mdist/index.d.ts [22m[
|
|
20
|
+
[32mDTS[39m ⚡️ Build success in 7813ms
|
|
21
|
+
[32mDTS[39m [1mdist/index.d.mts [22m[32m409.21 KB[39m
|
|
22
|
+
[32mDTS[39m [1mdist/index.d.ts [22m[32m409.21 KB[39m
|
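--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 3.2.2
+
+### Patch Changes
+
+- cfaabbb: fix: AuthPlugin error handling & database adapter config
+
+- `AuthManager.handleRequest()` now inspects `response.status >= 500` and logs the error body via `console.error`, since better-auth catches internal errors and returns 500 Responses without throwing.
+- `AuthPlugin.registerAuthRoutes()` also logs 500+ responses via `ctx.logger.error` for structured plugin logging.
+- `createDatabaseConfig()` now wraps the ObjectQL adapter as a `DBAdapterInstance` factory function so better-auth's `getBaseAdapter()` correctly recognises it (via `typeof database === "function"` check) instead of falling through to the Kysely adapter path.
+
+- Updated dependencies [46defbb]
+- @objectstack/spec@3.2.2
+- @objectstack/core@3.2.2
+
 ## 3.2.1
 
 ### Patch Changes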
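--- a/package/README.md
+++ b/package/README.md
@@ -232,13 +232,22 @@ const adapter = createObjectQLAdapter(dataEngine);
 // Mapping: { user: 'sys_user', session: 'sys_session', account: 'sys_account', verification: 'sys_verification' }
 console.log(AUTH_MODEL_TO_PROTOCOL);
 
-//
+// better-auth requires a DBAdapterInstance (factory function), not a raw adapter object.
+// Passing a plain object falls through to the Kysely adapter path and fails silently.
+// Wrap the adapter in a factory function:
 const auth = betterAuth({
-database:
+database: (options) => ({
+id: 'objectql',
+...adapter,
+transaction: async (cb) => cb(adapter),
+}),
 // ... other config
 });
 ```
 
+> **Note:** `AuthManager` handles this wrapping automatically when you provide a `dataEngine`.
+> You only need the factory pattern above when using `createObjectQLAdapter()` directly.
+
 ## Development
 
 ```bash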
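--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -117,6 +117,15 @@ declare class AuthManager {
 private createAuthInstance;
 /**
 * Create database configuration using ObjectQL adapter
+*
+* better-auth resolves the `database` option as follows:
+* - `undefined` → in-memory adapter
+* - `typeof fn === "function"` → treated as `DBAdapterInstance`, called with `(options)`
+* - otherwise → forwarded to Kysely adapter factory (pool/dialect)
+*
+* A raw `CustomAdapter` object would fall into the third branch and fail
+* silently. We therefore wrap the ObjectQL adapter in a factory function
+* so it is correctly recognised as a `DBAdapterInstance`.
 */
 private createDatabaseConfig;
 /**
@@ -132,6 +141,10 @@ declare class AuthManager {
 * Handle an authentication request
 * Forwards the request directly to better-auth's universal handler
 *
+* better-auth catches internal errors (database / adapter / ORM) and
+* returns a 500 Response instead of throwing. We therefore inspect the
+* response status and log server errors so they are not silently swallowed.
+*
 * @param request - Web standard Request object
 * @returns Web standard Response object
 */
@@ -1250,7 +1263,7 @@ declare class AuthManager {
 }>)[];
 metadata: {
 $Infer: {
-body: Partial<better_auth.AdditionalSessionFieldsInput<
+body: Partial<better_auth.AdditionalSessionFieldsInput<any>>;
 };
 openapi: {
 operationId: string;
@@ -1316,7 +1329,7 @@ declare class AuthManager {
 }>)[];
 metadata: {
 $Infer: {
-body: Partial<better_auth.AdditionalUserFieldsInput<
+body: Partial<better_auth.AdditionalUserFieldsInput<any>> & {
 name?: string | undefined;
 image?: string | undefined | null;
 };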
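--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -117,6 +117,15 @@ declare class AuthManager {
 private createAuthInstance;
 /**
 * Create database configuration using ObjectQL adapter
+*
+* better-auth resolves the `database` option as follows:
+* - `undefined` → in-memory adapter
+* - `typeof fn === "function"` → treated as `DBAdapterInstance`, called with `(options)`
+* - otherwise → forwarded to Kysely adapter factory (pool/dialect)
+*
+* A raw `CustomAdapter` object would fall into the third branch and fail
+* silently. We therefore wrap the ObjectQL adapter in a factory function
+* so it is correctly recognised as a `DBAdapterInstance`.
 */
 private createDatabaseConfig;
 /**
@@ -132,6 +141,10 @@ declare class AuthManager {
 * Handle an authentication request
 * Forwards the request directly to better-auth's universal handler
 *
+* better-auth catches internal errors (database / adapter / ORM) and
+* returns a 500 Response instead of throwing. We therefore inspect the
+* response status and log server errors so they are not silently swallowed.
+*
 * @param request - Web standard Request object
 * @returns Web standard Response object
 */
@@ -1250,7 +1263,7 @@ declare class AuthManager {
 }>)[];
 metadata: {
 $Infer: {
-body: Partial<better_auth.AdditionalSessionFieldsInput<
+body: Partial<better_auth.AdditionalSessionFieldsInput<any>>;
 };
 openapi: {
 operationId: string;
@@ -1316,7 +1329,7 @@ declare class AuthManager {
 }>)[];
 metadata: {
 $Infer: {
-body: Partial<better_auth.AdditionalUserFieldsInput<
+body: Partial<better_auth.AdditionalUserFieldsInput<any>> & {
 name?: string | undefined;
 image?: string | undefined | null;
 };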
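--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -178,6 +178,8 @@ var AuthManager = class {
 // Base configuration
 secret: this.config.secret || this.generateSecret(),
 baseURL: this.config.baseUrl || "http://localhost:3000",
+basePath: "/",
+// ← 关键修复!告诉 better-auth 路径已被剥离
 // Database adapter configuration
 // For now, we configure a basic setup that will be enhanced
 // when database URL is provided and drizzle-orm is available
@@ -198,10 +200,28 @@ var AuthManager = class {
 }
 /**
 * Create database configuration using ObjectQL adapter
+*
+* better-auth resolves the `database` option as follows:
+* - `undefined` → in-memory adapter
+* - `typeof fn === "function"` → treated as `DBAdapterInstance`, called with `(options)`
+* - otherwise → forwarded to Kysely adapter factory (pool/dialect)
+*
+* A raw `CustomAdapter` object would fall into the third branch and fail
+* silently. We therefore wrap the ObjectQL adapter in a factory function
+* so it is correctly recognised as a `DBAdapterInstance`.
 */
 createDatabaseConfig() {
 if (this.config.dataEngine) {
-
+const adapter = createObjectQLAdapter(this.config.dataEngine);
+return (_options) => ({
+id: "objectql",
+...adapter,
+// ObjectQL does not yet expose a separate transaction context,
+// so we pass the adapter itself. better-auth patches this
+// automatically when missing, but providing it avoids a
+// runtime warning from getBaseAdapter().
+transaction: async (cb) => cb(adapter)
+});
 }
 console.warn(
 "\u26A0\uFE0F WARNING: No dataEngine provided to AuthManager! Using in-memory storage. This is NOT suitable for production. Please provide a dataEngine instance (e.g., ObjectQL) in AuthManagerOptions."
@@ -232,13 +252,26 @@ var AuthManager = class {
 /**
 * Handle an authentication request
 * Forwards the request directly to better-auth's universal handler
+*
+* better-auth catches internal errors (database / adapter / ORM) and
+* returns a 500 Response instead of throwing. We therefore inspect the
+* response status and log server errors so they are not silently swallowed.
 *
 * @param request - Web standard Request object
 * @returns Web standard Response object
 */
 async handleRequest(request) {
 const auth = this.getOrCreateAuth();
-
+const response = await auth.handler(request);
+if (response.status >= 500) {
+try {
+const body = await response.clone().text();
+console.error("[AuthManager] better-auth returned error:", response.status, body);
+} catch {
+console.error("[AuthManager] better-auth returned error:", response.status, "(unable to read body)");
+}
+}
+return response;
 }
 /**
 * Get the better-auth API for programmatic access
@@ -285,19 +318,21 @@ var AuthPlugin = class {
 throw new Error("Auth manager not initialized");
 }
 if (this.options.registerRoutes) {
-
-
-
-
-
-
-
-
-
-
-
-
-
+ctx.hook("kernel:ready", async () => {
+let httpServer = null;
+try {
+httpServer = ctx.getService("http-server");
+} catch {
+}
+if (httpServer) {
+this.registerAuthRoutes(httpServer, ctx);
+ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
+} else {
+ctx.logger.warn(
+"No HTTP server available \u2014 auth routes not registered. Auth service is still available for MSW/mock environments via HttpDispatcher."
+);
+}
+});
 }
 try {
 const ql = ctx.getService("objectql");
@@ -355,6 +390,14 @@ var AuthPlugin = class {
 // Required for Request with body
 });
 const response = await this.authManager.handleRequest(rewrittenRequest);
+if (response.status >= 500) {
+try {
+const body = await response.clone().text();
+ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: ${body}`));
+} catch {
+ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
+}
+}
 return response;
 } catch (error) {
 const err = error instanceof Error ? error : new Error(String(error));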
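Review bot: Every 5xx response is now logged twice with its full, unbounded body: `handleRequest` (new lines 265–274) reads `response.clone().text()` and writes it with `console.error`, and the route handler in the last hunk (new lines 393–400) clones and reads the same response again for `ctx.logger.error`. A body produced after an adapter or database failure may carry internal detail and request-derived text, so the logged copy should be capped, e.g. `const body = (await response.clone().text()).slice(0, 2048);` (2048 is an illustrative limit), and emitted in one place only, presumably the plugin logger, since `console.error` bypasses it. Separately, the `basePath: "/"` line added in the first hunk is not mentioned in the 3.2.2 changelog entry and its comment is not in English; `// Key fix: tell better-auth the path prefix has already been stripped` would document it. This file is build output, so the edits belong in `package/src/auth-manager.ts` and `package/src/auth-plugin.ts`, and both `handleRequest`'s class and the route handler continue outside the hunks shown.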
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/auth-manager.ts","../src/objectql-adapter.ts","../src/auth-plugin.ts","../src/objects/auth-user.object.ts","../src/objects/auth-session.object.ts","../src/objects/auth-account.object.ts","../src/objects/auth-verification.object.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-auth\n * \n * Authentication & Identity Plugin for ObjectStack\n * Powered by better-auth for robust, secure authentication\n * Uses ObjectQL for data persistence (no third-party ORM required)\n */\n\nexport * from './auth-plugin.js';\nexport * from './auth-manager.js';\nexport * from './objectql-adapter.js';\nexport * from './objects/index.js';\nexport type { AuthConfig, AuthProviderConfig, AuthPluginConfig } from '@objectstack/spec/system';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { betterAuth } from 'better-auth';\nimport type { Auth, BetterAuthOptions } from 'better-auth';\nimport type { AuthConfig } from '@objectstack/spec/system';\nimport type { IDataEngine } from '@objectstack/core';\nimport { createObjectQLAdapter } from './objectql-adapter.js';\n\n/**\n * Extended options for AuthManager\n */\nexport interface AuthManagerOptions extends Partial<AuthConfig> {\n /**\n * Better-Auth instance (for advanced use cases)\n * If not provided, one will be created from config\n */\n authInstance?: Auth<any>;\n \n /**\n * ObjectQL Data Engine instance\n * Required for database operations using ObjectQL instead of third-party ORMs\n */\n dataEngine?: IDataEngine;\n}\n\n/**\n * Authentication Manager\n * \n * Wraps better-auth and provides authentication services for ObjectStack.\n * Supports multiple authentication methods:\n * - Email/password\n * - OAuth providers (Google, GitHub, etc.)\n * - Magic links\n * - Two-factor authentication\n * - Passkeys\n * - Organization/teams\n */\nexport class AuthManager {\n private 
auth: Auth<any> | null = null;\n private config: AuthManagerOptions;\n\n constructor(config: AuthManagerOptions) {\n this.config = config;\n \n // Use provided auth instance\n if (config.authInstance) {\n this.auth = config.authInstance;\n }\n // Don't create auth instance automatically to avoid database initialization errors\n // It will be created lazily when needed\n }\n\n /**\n * Get or create the better-auth instance (lazy initialization)\n */\n private getOrCreateAuth(): Auth<any> {\n if (!this.auth) {\n this.auth = this.createAuthInstance();\n }\n return this.auth;\n }\n\n /**\n * Create a better-auth instance from configuration\n */\n private createAuthInstance(): Auth<any> {\n const betterAuthConfig: BetterAuthOptions = {\n // Base configuration\n secret: this.config.secret || this.generateSecret(),\n baseURL: this.config.baseUrl || 'http://localhost:3000',\n \n // Database adapter configuration\n // For now, we configure a basic setup that will be enhanced\n // when database URL is provided and drizzle-orm is available\n database: this.createDatabaseConfig(),\n \n // Email configuration\n emailAndPassword: {\n enabled: true,\n },\n \n // Session configuration\n session: {\n expiresIn: this.config.session?.expiresIn || 60 * 60 * 24 * 7, // 7 days default\n updateAge: this.config.session?.updateAge || 60 * 60 * 24, // 1 day default\n },\n };\n\n return betterAuth(betterAuthConfig);\n }\n\n /**\n * Create database configuration using ObjectQL adapter\n */\n private createDatabaseConfig(): any {\n // Use ObjectQL adapter if dataEngine is provided\n if (this.config.dataEngine) {\n return createObjectQLAdapter(this.config.dataEngine);\n }\n \n // Fallback warning if no dataEngine is provided\n console.warn(\n '⚠️ WARNING: No dataEngine provided to AuthManager! ' +\n 'Using in-memory storage. This is NOT suitable for production. 
' +\n 'Please provide a dataEngine instance (e.g., ObjectQL) in AuthManagerOptions.'\n );\n \n // Return a minimal in-memory configuration as fallback\n // This allows the system to work in development/testing without a real database\n return undefined; // better-auth will use its default in-memory adapter\n }\n\n /**\n * Generate a secure secret if not provided\n */\n private generateSecret(): string {\n const envSecret = process.env.AUTH_SECRET;\n \n if (!envSecret) {\n // In production, a secret MUST be provided\n // For development/testing, we'll use a fallback but warn about it\n const fallbackSecret = 'dev-secret-' + Date.now();\n \n console.warn(\n '⚠️ WARNING: No AUTH_SECRET environment variable set! ' +\n 'Using a temporary development secret. ' +\n 'This is NOT secure for production use. ' +\n 'Please set AUTH_SECRET in your environment variables.'\n );\n \n return fallbackSecret;\n }\n \n return envSecret;\n }\n\n /**\n * Get the underlying better-auth instance\n * Useful for advanced use cases\n */\n getAuthInstance(): Auth<any> {\n return this.getOrCreateAuth();\n }\n\n /**\n * Handle an authentication request\n * Forwards the request directly to better-auth's universal handler\n * \n * @param request - Web standard Request object\n * @returns Web standard Response object\n */\n async handleRequest(request: Request): Promise<Response> {\n const auth = this.getOrCreateAuth();\n return await auth.handler(request);\n }\n\n /**\n * Get the better-auth API for programmatic access\n * Use this for server-side operations (e.g., creating users, checking sessions)\n */\n get api() {\n return this.getOrCreateAuth().api;\n }\n}\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport type { IDataEngine } from '@objectstack/core';\nimport type { CleanedWhere } from 'better-auth/adapters';\nimport { SystemObjectName } from '@objectstack/spec/system';\n\n/**\n * Mapping from better-auth model names to ObjectStack protocol object names.\n *\n * better-auth uses hardcoded model names ('user', 'session', 'account', 'verification')\n * while ObjectStack's protocol layer uses `sys_` prefixed names. This map bridges the two.\n */\nexport const AUTH_MODEL_TO_PROTOCOL: Record<string, string> = {\n user: SystemObjectName.USER,\n session: SystemObjectName.SESSION,\n account: SystemObjectName.ACCOUNT,\n verification: SystemObjectName.VERIFICATION,\n};\n\n/**\n * Resolve a better-auth model name to the ObjectStack protocol object name.\n * Falls back to the original model name for custom / non-core models.\n */\nexport function resolveProtocolName(model: string): string {\n return AUTH_MODEL_TO_PROTOCOL[model] ?? model;\n}\n\n/**\n * ObjectQL Adapter for better-auth\n * \n * Bridges better-auth's database adapter interface with ObjectQL's IDataEngine.\n * This allows better-auth to use ObjectQL for data persistence instead of\n * third-party ORMs like drizzle-orm.\n * \n * Model names from better-auth (e.g. 'user') are automatically mapped to\n * ObjectStack protocol names (e.g. 
'sys_user') via {@link AUTH_MODEL_TO_PROTOCOL}.\n * \n * @param dataEngine - ObjectQL data engine instance\n * @returns better-auth CustomAdapter\n */\nexport function createObjectQLAdapter(dataEngine: IDataEngine) {\n /**\n * Convert better-auth where clause to ObjectQL query format\n */\n function convertWhere(where: CleanedWhere[]): Record<string, any> {\n const filter: Record<string, any> = {};\n \n for (const condition of where) {\n // Use field names as-is (no conversion needed)\n const fieldName = condition.field;\n \n if (condition.operator === 'eq') {\n filter[fieldName] = condition.value;\n } else if (condition.operator === 'ne') {\n filter[fieldName] = { $ne: condition.value };\n } else if (condition.operator === 'in') {\n filter[fieldName] = { $in: condition.value };\n } else if (condition.operator === 'gt') {\n filter[fieldName] = { $gt: condition.value };\n } else if (condition.operator === 'gte') {\n filter[fieldName] = { $gte: condition.value };\n } else if (condition.operator === 'lt') {\n filter[fieldName] = { $lt: condition.value };\n } else if (condition.operator === 'lte') {\n filter[fieldName] = { $lte: condition.value };\n } else if (condition.operator === 'contains') {\n filter[fieldName] = { $regex: condition.value };\n }\n }\n \n return filter;\n }\n\n return {\n create: async <T extends Record<string, any>>({ model, data, select: _select }: { model: string; data: T; select?: string[] }): Promise<T> => {\n const objectName = resolveProtocolName(model);\n \n // Note: select parameter is currently not supported by ObjectQL's insert operation\n // The full record is always returned after insertion\n const result = await dataEngine.insert(objectName, data);\n return result as T;\n },\n \n findOne: async <T>({ model, where, select, join: _join }: { model: string; where: CleanedWhere[]; select?: string[]; join?: any }): Promise<T | null> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: 
join parameter is not currently supported by ObjectQL's findOne operation\n // Joins/populate functionality is planned for future ObjectQL releases\n // For now, related data must be fetched separately\n \n const result = await dataEngine.findOne(objectName, {\n filter,\n select,\n });\n \n return result ? result as T : null;\n },\n \n findMany: async <T>({ model, where, limit, offset, sortBy, join: _join }: { model: string; where?: CleanedWhere[]; limit: number; offset?: number; sortBy?: { field: string; direction: 'asc' | 'desc' }; join?: any }): Promise<T[]> => {\n const objectName = resolveProtocolName(model);\n const filter = where ? convertWhere(where) : {};\n \n // Note: join parameter is not currently supported by ObjectQL's find operation\n // Joins/populate functionality is planned for future ObjectQL releases\n \n const sort = sortBy ? [{\n field: sortBy.field,\n order: sortBy.direction as 'asc' | 'desc',\n }] : undefined;\n \n const results = await dataEngine.find(objectName, {\n filter,\n limit: limit || 100,\n skip: offset,\n sort,\n });\n \n return results as T[];\n },\n \n count: async ({ model, where }: { model: string; where?: CleanedWhere[] }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = where ? convertWhere(where) : {};\n \n return await dataEngine.count(objectName, { filter });\n },\n \n update: async <T>({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<T | null> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Find the record first to get its ID\n const record = await dataEngine.findOne(objectName, { filter });\n if (!record) {\n return null;\n }\n \n const result = await dataEngine.update(objectName, {\n ...update,\n id: record.id,\n });\n \n return result ? 
result as T : null;\n },\n \n updateMany: async ({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: Sequential updates are used here because ObjectQL's IDataEngine interface\n // requires an ID for updates. A future optimization could use a bulk update\n // operation if ObjectQL adds support for filter-based updates without IDs.\n \n // Find all matching records\n const records = await dataEngine.find(objectName, { filter });\n \n // Update each record\n for (const record of records) {\n await dataEngine.update(objectName, {\n ...update,\n id: record.id,\n });\n }\n \n return records.length;\n },\n \n delete: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<void> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: We need to find the record first to get its ID because ObjectQL's\n // delete operation requires an ID. Direct filter-based delete would be more\n // efficient if supported by ObjectQL in the future.\n const record = await dataEngine.findOne(objectName, { filter });\n if (!record) {\n return;\n }\n \n await dataEngine.delete(objectName, { filter: { id: record.id } });\n },\n \n deleteMany: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: Sequential deletes are used here because ObjectQL's delete operation\n // requires an ID in the filter. 
A future optimization could use a single\n // delete call with the original filter if ObjectQL supports it.\n \n // Find all matching records\n const records = await dataEngine.find(objectName, { filter });\n \n // Delete each record\n for (const record of records) {\n await dataEngine.delete(objectName, { filter: { id: record.id } });\n }\n \n return records.length;\n },\n };\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { Plugin, PluginContext, IHttpServer } from '@objectstack/core';\nimport { AuthConfig } from '@objectstack/spec/system';\nimport { AuthManager } from './auth-manager.js';\n\n/**\n * Auth Plugin Options\n * Extends AuthConfig from spec with additional runtime options\n */\nexport interface AuthPluginOptions extends Partial<AuthConfig> {\n /**\n * Whether to automatically register auth routes\n * @default true\n */\n registerRoutes?: boolean;\n \n /**\n * Base path for auth routes\n * @default '/api/v1/auth'\n */\n basePath?: string;\n}\n\n/**\n * Authentication Plugin\n * \n * Provides authentication and identity services for ObjectStack applications.\n * \n * **Dual-Mode Operation:**\n * - **Server mode** (HonoServerPlugin active): Registers HTTP routes at basePath,\n * forwarding all auth requests to better-auth's universal handler.\n * - **MSW/Mock mode** (no HTTP server): Gracefully skips route registration but\n * still registers the `auth` service, allowing HttpDispatcher.handleAuth() to\n * simulate auth flows (sign-up, sign-in, etc.) 
for development and testing.\n * \n * Features:\n * - Session management\n * - User registration/login\n * - OAuth providers (Google, GitHub, etc.)\n * - Organization/team support\n * - 2FA, passkeys, magic links\n * \n * This plugin registers:\n * - `auth` service (auth manager instance) — always\n * - HTTP routes for authentication endpoints — only when HTTP server is available\n * \n * Integrates with better-auth library to provide comprehensive\n * authentication capabilities including email/password, OAuth, 2FA,\n * magic links, passkeys, and organization support.\n */\nexport class AuthPlugin implements Plugin {\n name = 'com.objectstack.auth';\n type = 'standard';\n version = '1.0.0';\n dependencies: string[] = []; // HTTP server is optional; routes are registered only when available\n \n private options: AuthPluginOptions;\n private authManager: AuthManager | null = null;\n\n constructor(options: AuthPluginOptions = {}) {\n this.options = {\n registerRoutes: true,\n basePath: '/api/v1/auth',\n ...options\n };\n }\n\n async init(ctx: PluginContext): Promise<void> {\n ctx.logger.info('Initializing Auth Plugin...');\n\n // Validate required configuration\n if (!this.options.secret) {\n throw new Error('AuthPlugin: secret is required');\n }\n\n // Get data engine service for database operations\n const dataEngine = ctx.getService<any>('data');\n if (!dataEngine) {\n ctx.logger.warn('No data engine service found - auth will use in-memory storage');\n }\n\n // Initialize auth manager with data engine\n this.authManager = new AuthManager({\n ...this.options,\n dataEngine,\n });\n\n // Register auth service\n ctx.registerService('auth', this.authManager);\n \n ctx.logger.info('Auth Plugin initialized successfully');\n }\n\n async start(ctx: PluginContext): Promise<void> {\n ctx.logger.info('Starting Auth Plugin...');\n\n if (!this.authManager) {\n throw new Error('Auth manager not initialized');\n }\n\n // Register HTTP routes if enabled and HTTP server is 
available\n if (this.options.registerRoutes) {\n let httpServer: IHttpServer | null = null;\n try {\n httpServer = ctx.getService<IHttpServer>('http-server');\n } catch {\n // Service not found — expected in MSW/mock mode\n }\n\n if (httpServer) {\n // Route registration errors should propagate (server misconfiguration)\n this.registerAuthRoutes(httpServer, ctx);\n ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);\n } else {\n ctx.logger.warn(\n 'No HTTP server available — auth routes not registered. ' +\n 'Auth service is still available for MSW/mock environments via HttpDispatcher.'\n );\n }\n }\n\n // Register auth middleware on ObjectQL engine (if available)\n try {\n const ql = ctx.getService<any>('objectql');\n if (ql && typeof ql.registerMiddleware === 'function') {\n ql.registerMiddleware(async (opCtx: any, next: () => Promise<void>) => {\n // If context already has userId or isSystem, skip auth resolution\n if (opCtx.context?.userId || opCtx.context?.isSystem) {\n return next();\n }\n // Future: resolve session from AsyncLocalStorage or request context\n await next();\n });\n ctx.logger.info('Auth middleware registered on ObjectQL engine');\n }\n } catch (_e) {\n ctx.logger.debug('ObjectQL engine not available, skipping auth middleware registration');\n }\n\n ctx.logger.info('Auth Plugin started successfully');\n }\n\n async destroy(): Promise<void> {\n // Cleanup if needed\n this.authManager = null;\n }\n\n /**\n * Register authentication routes with HTTP server\n * \n * Uses better-auth's universal handler for all authentication requests.\n * This forwards all requests under basePath to better-auth, which handles:\n * - Email/password authentication\n * - OAuth providers (Google, GitHub, etc.)\n * - Session management\n * - Password reset\n * - Email verification\n * - 2FA, passkeys, magic links (if enabled)\n */\n private registerAuthRoutes(httpServer: IHttpServer, ctx: PluginContext): void {\n if (!this.authManager) return;\n\n 
const basePath = this.options.basePath || '/api/v1/auth';\n\n // Get raw Hono app to use native wildcard routing\n // Type assertion is safe here because we explicitly require Hono server as a dependency\n if (!('getRawApp' in httpServer) || typeof (httpServer as any).getRawApp !== 'function') {\n ctx.logger.error('HTTP server does not support getRawApp() - wildcard routing requires Hono server');\n throw new Error(\n 'AuthPlugin requires HonoServerPlugin for wildcard routing support. ' +\n 'Please ensure HonoServerPlugin is loaded before AuthPlugin.'\n );\n }\n\n const rawApp = (httpServer as any).getRawApp();\n\n // Register wildcard route to forward all auth requests to better-auth\n // Better-auth expects requests at its baseURL, so we need to preserve the full path\n rawApp.all(`${basePath}/*`, async (c: any) => {\n try {\n // Get the Web standard Request from Hono context\n const request = c.req.raw as Request;\n \n // Create a new Request with the path rewritten to match better-auth's expectations\n // Better-auth expects paths like /sign-in/email, /sign-up/email, etc.\n // We need to strip our basePath prefix\n const url = new URL(request.url);\n const authPath = url.pathname.replace(basePath, '');\n const rewrittenUrl = new URL(authPath || '/', url.origin);\n rewrittenUrl.search = url.search; // Preserve query params\n \n const rewrittenRequest = new Request(rewrittenUrl, {\n method: request.method,\n headers: request.headers,\n body: request.body,\n duplex: 'half' as any, // Required for Request with body\n });\n\n // Forward to better-auth handler\n const response = await this.authManager!.handleRequest(rewrittenRequest);\n \n return response;\n } catch (error) {\n const err = error instanceof Error ? 
error : new Error(String(error));\n ctx.logger.error('Auth request error:', err);\n \n // Return error response\n return new Response(\n JSON.stringify({\n success: false,\n error: err.message,\n }),\n {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n }\n );\n }\n });\n\n ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);\n }\n}\n\n\n\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth User Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - email: string (unique, lowercase)\n * - email_verified: boolean\n * - name: string\n * - image: string | null\n */\nexport const AuthUser = ObjectSchema.create({\n name: 'sys_user',\n label: 'User',\n pluralLabel: 'Users',\n icon: 'user',\n description: 'User accounts for authentication',\n titleFormat: '{name} ({email})',\n compactLayout: ['name', 'email', 'email_verified'],\n \n fields: {\n // ID is auto-generated by ObjectQL\n id: Field.text({\n label: 'User ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n email: Field.email({\n label: 'Email',\n required: true,\n searchable: true,\n }),\n \n email_verified: Field.boolean({\n label: 'Email Verified',\n defaultValue: false,\n }),\n \n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n }),\n \n image: Field.url({\n label: 'Profile Image',\n required: false,\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['email'], unique: true },\n { fields: ['created_at'], unique: false },\n ],\n \n // Enable features\n enable: {\n trackHistory: 
true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n \n // Validation Rules\n validations: [\n {\n name: 'email_unique',\n type: 'unique',\n severity: 'error',\n message: 'Email must be unique',\n fields: ['email'],\n caseSensitive: false,\n },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Session Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - user_id: string\n * - expires_at: Date\n * - token: string\n * - ip_address: string | null\n * - user_agent: string | null\n */\nexport const AuthSession = ObjectSchema.create({\n name: 'sys_session',\n label: 'Session',\n pluralLabel: 'Sessions',\n icon: 'key',\n description: 'Active user sessions',\n titleFormat: 'Session {token}',\n compactLayout: ['user_id', 'expires_at', 'ip_address'],\n \n fields: {\n id: Field.text({\n label: 'Session ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n user_id: Field.text({\n label: 'User ID',\n required: true,\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n token: Field.text({\n label: 'Session Token',\n required: true,\n }),\n \n ip_address: Field.text({\n label: 'IP Address',\n required: false,\n maxLength: 45, // Support IPv6\n }),\n \n user_agent: Field.textarea({\n label: 'User Agent',\n required: false,\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['user_id'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n // Enable features\n 
enable: {\n trackHistory: false, // Sessions don't need history tracking\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'], // No update for sessions\n trash: false, // Sessions should be hard deleted\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Account Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - provider_id: string (e.g., 'google', 'github')\n * - account_id: string (provider's user ID)\n * - user_id: string (link to user table)\n * - access_token: string | null\n * - refresh_token: string | null\n * - id_token: string | null\n * - access_token_expires_at: Date | null\n * - refresh_token_expires_at: Date | null\n * - scope: string | null\n * - password: string | null (for email/password provider)\n */\nexport const AuthAccount = ObjectSchema.create({\n name: 'sys_account',\n label: 'Account',\n pluralLabel: 'Accounts',\n icon: 'link',\n description: 'OAuth and authentication provider accounts',\n titleFormat: '{provider_id} - {account_id}',\n compactLayout: ['provider_id', 'user_id', 'account_id'],\n \n fields: {\n id: Field.text({\n label: 'Account ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n description: 'OAuth provider identifier (google, github, etc.)',\n }),\n \n account_id: Field.text({\n label: 'Provider Account ID',\n required: true,\n description: \"User's ID in the provider's system\",\n }),\n \n user_id: Field.text({\n label: 'User ID',\n required: true,\n description: 'Link to user table',\n }),\n 
\n access_token: Field.textarea({\n label: 'Access Token',\n required: false,\n }),\n \n refresh_token: Field.textarea({\n label: 'Refresh Token',\n required: false,\n }),\n \n id_token: Field.textarea({\n label: 'ID Token',\n required: false,\n }),\n \n access_token_expires_at: Field.datetime({\n label: 'Access Token Expires At',\n required: false,\n }),\n \n refresh_token_expires_at: Field.datetime({\n label: 'Refresh Token Expires At',\n required: false,\n }),\n \n scope: Field.text({\n label: 'OAuth Scope',\n required: false,\n }),\n \n password: Field.text({\n label: 'Password Hash',\n required: false,\n description: 'Hashed password for email/password provider',\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['user_id'], unique: false },\n { fields: ['provider_id', 'account_id'], unique: true },\n ],\n \n // Enable features\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Verification Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - value: string (verification token/code)\n * - expires_at: Date\n * - identifier: string (email or phone number)\n */\nexport const AuthVerification = ObjectSchema.create({\n name: 'sys_verification',\n label: 'Verification',\n pluralLabel: 'Verifications',\n icon: 'shield-check',\n description: 'Email and phone verification tokens',\n titleFormat: 'Verification for {identifier}',\n compactLayout: ['identifier', 'expires_at', 'created_at'],\n \n fields: {\n id: Field.text({\n label: 'Verification ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n value: Field.text({\n label: 'Verification Token',\n required: true,\n description: 'Token or code for verification',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n identifier: Field.text({\n label: 'Identifier',\n required: true,\n description: 'Email address or phone number',\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['value'], unique: true },\n { fields: ['identifier'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n // Enable features\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'delete'], // No list or update\n trash: false, // Hard delete expired tokens\n mru: false,\n 
},\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,yBAA2B;;;ACE3B,oBAAiC;AAQ1B,IAAM,yBAAiD;AAAA,EAC5D,MAAM,+BAAiB;AAAA,EACvB,SAAS,+BAAiB;AAAA,EAC1B,SAAS,+BAAiB;AAAA,EAC1B,cAAc,+BAAiB;AACjC;AAMO,SAAS,oBAAoB,OAAuB;AACzD,SAAO,uBAAuB,KAAK,KAAK;AAC1C;AAeO,SAAS,sBAAsB,YAAyB;AAI7D,WAAS,aAAa,OAA4C;AAChE,UAAM,SAA8B,CAAC;AAErC,eAAW,aAAa,OAAO;AAE7B,YAAM,YAAY,UAAU;AAE5B,UAAI,UAAU,aAAa,MAAM;AAC/B,eAAO,SAAS,IAAI,UAAU;AAAA,MAChC,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,OAAO;AACvC,eAAO,SAAS,IAAI,EAAE,MAAM,UAAU,MAAM;AAAA,MAC9C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,OAAO;AACvC,eAAO,SAAS,IAAI,EAAE,MAAM,UAAU,MAAM;AAAA,MAC9C,WAAW,UAAU,aAAa,YAAY;AAC5C,eAAO,SAAS,IAAI,EAAE,QAAQ,UAAU,MAAM;AAAA,MAChD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,QAAQ,OAAsC,EAAE,OAAO,MAAM,QAAQ,QAAQ,MAAiE;AAC5I,YAAM,aAAa,oBAAoB,KAAK;AAI5C,YAAM,SAAS,MAAM,WAAW,OAAO,YAAY,IAAI;AACvD,aAAO;AAAA,IACT;AAAA,IAEA,SAAS,OAAU,EAAE,OAAO,OAAO,QAAQ,MAAM,MAAM,MAAkG;AACvJ,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAMjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY;AAAA,QAClD;AAAA,QACA;AAAA,MACF,CAAC;AAED,aAAO,SAAS,SAAc;AAAA,IAChC;AAAA,IAEA,UAAU,OAAU,EAAE,OAAO,OAAO,OAAO,QAAQ,QAAQ,MAAM,MAAM,MAAkK;AACvO,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,QAAQ,aAAa,KAAK,IAAI,CAAC;AAK9C,YAAM,OAAO,SAAS,CAAC;AAAA,QACrB,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC,IAAI;AAEL,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY;AAAA,QAChD;AAAA,QACA,OAAO,SAAS;AAAA,QAChB,MAAM;AAAA,QACN;AAAA,MACF,CAAC;AAED,aAAO;AAAA,IACT;AAAA,IAEA,OAAO,OAAO,EAAE,OAAO,MAAM,MAAkE;AAC7F,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,QAAQ,aAAa,KAAK,IAAI,CAAC;AAE9C,aAAO,MAAM,WAAW,MAAM,YAAY,EAAE,OAAO,CAAC;AAAA,IACtD;AAAA,IAEA,QAAQ,OAAU,EAAE,OAAO,OAAO,OAAO,MAAgG;AACvI,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;A
AGjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,OAAO,CAAC;AAC9D,UAAI,CAAC,QAAQ;AACX,eAAO;AAAA,MACT;AAEA,YAAM,SAAS,MAAM,WAAW,OAAO,YAAY;AAAA,QACjD,GAAG;AAAA,QACH,IAAI,OAAO;AAAA,MACb,CAAC;AAED,aAAO,SAAS,SAAc;AAAA,IAChC;AAAA,IAEA,YAAY,OAAO,EAAE,OAAO,OAAO,OAAO,MAA8F;AACtI,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAOjC,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY,EAAE,OAAO,CAAC;AAG5D,iBAAW,UAAU,SAAS;AAC5B,cAAM,WAAW,OAAO,YAAY;AAAA,UAClC,GAAG;AAAA,UACH,IAAI,OAAO;AAAA,QACb,CAAC;AAAA,MACH;AAEA,aAAO,QAAQ;AAAA,IACjB;AAAA,IAEA,QAAQ,OAAO,EAAE,OAAO,MAAM,MAA+D;AAC3F,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAKjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,OAAO,CAAC;AAC9D,UAAI,CAAC,QAAQ;AACX;AAAA,MACF;AAEA,YAAM,WAAW,OAAO,YAAY,EAAE,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,CAAC;AAAA,IACnE;AAAA,IAEA,YAAY,OAAO,EAAE,OAAO,MAAM,MAAiE;AACjG,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAOjC,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY,EAAE,OAAO,CAAC;AAG5D,iBAAW,UAAU,SAAS;AAC5B,cAAM,WAAW,OAAO,YAAY,EAAE,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,CAAC;AAAA,MACnE;AAEA,aAAO,QAAQ;AAAA,IACjB;AAAA,EACF;AACF;;;ADrKO,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAY,QAA4B;AAHxC,SAAQ,OAAyB;AAI/B,SAAK,SAAS;AAGd,QAAI,OAAO,cAAc;AACvB,WAAK,OAAO,OAAO;AAAA,IACrB;AAAA,EAGF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAA6B;AACnC,QAAI,CAAC,KAAK,MAAM;AACd,WAAK,OAAO,KAAK,mBAAmB;AAAA,IACtC;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAgC;AACtC,UAAM,mBAAsC;AAAA;AAAA,MAE1C,QAAQ,KAAK,OAAO,UAAU,KAAK,eAAe;AAAA,MAClD,SAAS,KAAK,OAAO,WAAW;AAAA;AAAA;AAAA;AAAA,MAKhC,UAAU,KAAK,qBAAqB;AAAA;AAAA,MAGpC,kBAAkB;AAAA,QAChB,SAAS;AAAA,MACX;AAAA;AAAA,MAGA,SAAS;AAAA,QACP,WAAW,KAAK,OAAO,SAAS,aAAa,KAAK,KAAK,KAAK;AAAA;AAAA,QAC5D,WAAW,KAAK,OAAO,SAAS,aAAa,KAAK,KAAK;AAAA;AAAA,MACzD;AAAA,IACF;AAEA,eAAO,+BAAW,gBAAgB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAA4B;AAElC,QAAI,KAAK,OAAO,YAAY;AAC1B,aAAO,sBAAsB,KAAK,OAAO,UAAU;AAAA,IACrD;AAGA,YAAQ;AAAA,MACN;AAAA,IAGF;AAIA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAyB;AAC/B,UAAM,YAAY,QAAQ,IAAI;AAE9B,QAAI,CAAC,WAAW;AAGd,YAAM,iBAAiB,gBAAgB,KAAK,IAAI;AAEhD,cAAQ;AAAA,QACN;AAAA,MAIF;AAEA
,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAA6B;AAC3B,WAAO,KAAK,gBAAgB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,cAAc,SAAqC;AACvD,UAAM,OAAO,KAAK,gBAAgB;AAClC,WAAO,MAAM,KAAK,QAAQ,OAAO;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,MAAM;AACR,WAAO,KAAK,gBAAgB,EAAE;AAAA,EAChC;AACF;;;AEhHO,IAAM,aAAN,MAAmC;AAAA,EASxC,YAAY,UAA6B,CAAC,GAAG;AAR7C,gBAAO;AACP,gBAAO;AACP,mBAAU;AACV,wBAAyB,CAAC;AAG1B,SAAQ,cAAkC;AAGxC,SAAK,UAAU;AAAA,MACb,gBAAgB;AAAA,MAChB,UAAU;AAAA,MACV,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,KAAmC;AAC5C,QAAI,OAAO,KAAK,6BAA6B;AAG7C,QAAI,CAAC,KAAK,QAAQ,QAAQ;AACxB,YAAM,IAAI,MAAM,gCAAgC;AAAA,IAClD;AAGA,UAAM,aAAa,IAAI,WAAgB,MAAM;AAC7C,QAAI,CAAC,YAAY;AACf,UAAI,OAAO,KAAK,gEAAgE;AAAA,IAClF;AAGA,SAAK,cAAc,IAAI,YAAY;AAAA,MACjC,GAAG,KAAK;AAAA,MACR;AAAA,IACF,CAAC;AAGD,QAAI,gBAAgB,QAAQ,KAAK,WAAW;AAE5C,QAAI,OAAO,KAAK,sCAAsC;AAAA,EACxD;AAAA,EAEA,MAAM,MAAM,KAAmC;AAC7C,QAAI,OAAO,KAAK,yBAAyB;AAEzC,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AAGA,QAAI,KAAK,QAAQ,gBAAgB;AAC/B,UAAI,aAAiC;AACrC,UAAI;AACF,qBAAa,IAAI,WAAwB,aAAa;AAAA,MACxD,QAAQ;AAAA,MAER;AAEA,UAAI,YAAY;AAEd,aAAK,mBAAmB,YAAY,GAAG;AACvC,YAAI,OAAO,KAAK,6BAA6B,KAAK,QAAQ,QAAQ,EAAE;AAAA,MACtE,OAAO;AACL,YAAI,OAAO;AAAA,UACT;AAAA,QAEF;AAAA,MACF;AAAA,IACF;AAGA,QAAI;AACF,YAAM,KAAK,IAAI,WAAgB,UAAU;AACzC,UAAI,MAAM,OAAO,GAAG,uBAAuB,YAAY;AACrD,WAAG,mBAAmB,OAAO,OAAY,SAA8B;AAErE,cAAI,MAAM,SAAS,UAAU,MAAM,SAAS,UAAU;AACpD,mBAAO,KAAK;AAAA,UACd;AAEA,gBAAM,KAAK;AAAA,QACb,CAAC;AACD,YAAI,OAAO,KAAK,+CAA+C;AAAA,MACjE;AAAA,IACF,SAAS,IAAI;AACX,UAAI,OAAO,MAAM,sEAAsE;AAAA,IACzF;AAEA,QAAI,OAAO,KAAK,kCAAkC;AAAA,EACpD;AAAA,EAEA,MAAM,UAAyB;AAE7B,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,mBAAmB,YAAyB,KAA0B;AAC5E,QAAI,CAAC,KAAK,YAAa;AAEvB,UAAM,WAAW,KAAK,QAAQ,YAAY;AAI1C,QAAI,EAAE,eAAe,eAAe,OAAQ,WAAmB,cAAc,YAAY;AACvF,UAAI,OAAO,MAAM,kFAAkF;AACnG,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAEA,UAAM,SAAU,WAAmB,UAAU;AAI7C,WAAO,IAAI,GAAG,QAAQ,MAAM,OAAO,MAAW
;AAC5C,UAAI;AAEF,cAAM,UAAU,EAAE,IAAI;AAKtB,cAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,cAAM,WAAW,IAAI,SAAS,QAAQ,UAAU,EAAE;AAClD,cAAM,eAAe,IAAI,IAAI,YAAY,KAAK,IAAI,MAAM;AACxD,qBAAa,SAAS,IAAI;AAE1B,cAAM,mBAAmB,IAAI,QAAQ,cAAc;AAAA,UACjD,QAAQ,QAAQ;AAAA,UAChB,SAAS,QAAQ;AAAA,UACjB,MAAM,QAAQ;AAAA,UACd,QAAQ;AAAA;AAAA,QACV,CAAC;AAGD,cAAM,WAAW,MAAM,KAAK,YAAa,cAAc,gBAAgB;AAEvE,eAAO;AAAA,MACT,SAAS,OAAO;AACd,cAAM,MAAM,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AACpE,YAAI,OAAO,MAAM,uBAAuB,GAAG;AAG3C,eAAO,IAAI;AAAA,UACT,KAAK,UAAU;AAAA,YACb,SAAS;AAAA,YACT,OAAO,IAAI;AAAA,UACb,CAAC;AAAA,UACD;AAAA,YACE,QAAQ;AAAA,YACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAChD;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAC;AAED,QAAI,OAAO,KAAK,8CAA8C,QAAQ,6BAA6B;AAAA,EACrG;AACF;;;AC7NA,kBAAoC;AAc7B,IAAM,WAAW,yBAAa,OAAO;AAAA,EAC1C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,QAAQ,SAAS,gBAAgB;AAAA,EAEjD,QAAQ;AAAA;AAAA,IAEN,IAAI,kBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,kBAAM,MAAM;AAAA,MACjB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,YAAY;AAAA,IACd,CAAC;AAAA,IAED,gBAAgB,kBAAM,QAAQ;AAAA,MAC5B,OAAO;AAAA,MACP,cAAc;AAAA,IAChB,CAAC;AAAA,IAED,MAAM,kBAAM,KAAK;AAAA,MACf,OAAO;AAAA,MACP,UAAU;AAAA,MACV,YAAY;AAAA,MACZ,WAAW;AAAA,IACb,CAAC;AAAA,IAED,OAAO,kBAAM,IAAI;AAAA,MACf,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,UAAU,QAAQ;AAAA,IACxD,OAAO;AAAA,IACP,KAAK;AAAA,EACP;AAAA;AAAA,EAGA,aAAa;AAAA,IACX;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,MACT,QAAQ,CAAC,OAAO;AAAA,MAChB,eAAe;AAAA,IACjB;AAAA,EACF;AACF,CAAC;;;AC9FD,IAAAA,eAAoC;AAe7B,IAAM,cAAc,0BAAa,OAAO;A
AAA,EAC7C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,WAAW,cAAc,YAAY;AAAA,EAErD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,SAAS,mBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA;AAAA,IACb,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,SAAS,GAAG,QAAQ,MAAM;AAAA,IACrC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,QAAQ;AAAA;AAAA,IAC9C,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;;;ACtFD,IAAAC,eAAoC;AAoB7B,IAAM,cAAc,0BAAa,OAAO;AAAA,EAC7C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,eAAe,WAAW,YAAY;AAAA,EAEtD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,aAAa,mBAAM,KAAK;AAAA,MACtB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,mBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,SAAS,mBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,cAAc,mBAAM,SAAS;AAAA,MAC3B,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,eAAe,mBAAM,SAAS;AAAA,MAC5B,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,UAAU,
mBAAM,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,yBAAyB,mBAAM,SAAS;AAAA,MACtC,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,0BAA0B,mBAAM,SAAS;AAAA,MACvC,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,UAAU,mBAAM,KAAK;AAAA,MACnB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAS,GAAG,QAAQ,MAAM;AAAA,IACrC,EAAE,QAAQ,CAAC,eAAe,YAAY,GAAG,QAAQ,KAAK;AAAA,EACxD;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,UAAU,QAAQ;AAAA,IACxD,OAAO;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;;;ACtHD,IAAAC,eAAoC;AAa7B,IAAM,mBAAmB,0BAAa,OAAO;AAAA,EAClD,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,cAAc,cAAc,YAAY;AAAA,EAExD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,IACxC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,UAAU,QAAQ;AAAA;AAAA,IACtC,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;","names":["import_data","import_data","import_data"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/auth-manager.ts","../src/objectql-adapter.ts","../src/auth-plugin.ts","../src/objects/auth-user.object.ts","../src/objects/auth-session.object.ts","../src/objects/auth-account.object.ts","../src/objects/auth-verification.object.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-auth\n * \n * Authentication & Identity Plugin for ObjectStack\n * Powered by better-auth for robust, secure authentication\n * Uses ObjectQL for data persistence (no third-party ORM required)\n */\n\nexport * from './auth-plugin.js';\nexport * from './auth-manager.js';\nexport * from './objectql-adapter.js';\nexport * from './objects/index.js';\nexport type { AuthConfig, AuthProviderConfig, AuthPluginConfig } from '@objectstack/spec/system';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { betterAuth } from 'better-auth';\nimport type { Auth, BetterAuthOptions } from 'better-auth';\nimport type { AuthConfig } from '@objectstack/spec/system';\nimport type { IDataEngine } from '@objectstack/core';\nimport { createObjectQLAdapter } from './objectql-adapter.js';\n\n/**\n * Extended options for AuthManager\n */\nexport interface AuthManagerOptions extends Partial<AuthConfig> {\n /**\n * Better-Auth instance (for advanced use cases)\n * If not provided, one will be created from config\n */\n authInstance?: Auth<any>;\n \n /**\n * ObjectQL Data Engine instance\n * Required for database operations using ObjectQL instead of third-party ORMs\n */\n dataEngine?: IDataEngine;\n}\n\n/**\n * Authentication Manager\n * \n * Wraps better-auth and provides authentication services for ObjectStack.\n * Supports multiple authentication methods:\n * - Email/password\n * - OAuth providers (Google, GitHub, etc.)\n * - Magic links\n * - Two-factor authentication\n * - Passkeys\n * - Organization/teams\n */\nexport class AuthManager {\n private 
auth: Auth<any> | null = null;\n private config: AuthManagerOptions;\n\n constructor(config: AuthManagerOptions) {\n this.config = config;\n \n // Use provided auth instance\n if (config.authInstance) {\n this.auth = config.authInstance;\n }\n // Don't create auth instance automatically to avoid database initialization errors\n // It will be created lazily when needed\n }\n\n /**\n * Get or create the better-auth instance (lazy initialization)\n */\n private getOrCreateAuth(): Auth<any> {\n if (!this.auth) {\n this.auth = this.createAuthInstance();\n }\n return this.auth;\n }\n\n /**\n * Create a better-auth instance from configuration\n */\n private createAuthInstance(): Auth<any> {\n const betterAuthConfig: BetterAuthOptions = {\n // Base configuration\n secret: this.config.secret || this.generateSecret(),\n baseURL: this.config.baseUrl || 'http://localhost:3000',\n basePath: '/', // ← 关键修复!告诉 better-auth 路径已被剥离\n \n // Database adapter configuration\n // For now, we configure a basic setup that will be enhanced\n // when database URL is provided and drizzle-orm is available\n database: this.createDatabaseConfig(),\n \n // Email configuration\n emailAndPassword: {\n enabled: true,\n },\n \n // Session configuration\n session: {\n expiresIn: this.config.session?.expiresIn || 60 * 60 * 24 * 7, // 7 days default\n updateAge: this.config.session?.updateAge || 60 * 60 * 24, // 1 day default\n },\n };\n\n return betterAuth(betterAuthConfig);\n }\n\n /**\n * Create database configuration using ObjectQL adapter\n *\n * better-auth resolves the `database` option as follows:\n * - `undefined` → in-memory adapter\n * - `typeof fn === \"function\"` → treated as `DBAdapterInstance`, called with `(options)`\n * - otherwise → forwarded to Kysely adapter factory (pool/dialect)\n *\n * A raw `CustomAdapter` object would fall into the third branch and fail\n * silently. 
We therefore wrap the ObjectQL adapter in a factory function\n * so it is correctly recognised as a `DBAdapterInstance`.\n */\n private createDatabaseConfig(): any {\n // Use ObjectQL adapter if dataEngine is provided\n if (this.config.dataEngine) {\n const adapter = createObjectQLAdapter(this.config.dataEngine);\n // Return a DBAdapterInstance factory function\n return (_options: any) => ({\n id: 'objectql',\n ...adapter,\n // ObjectQL does not yet expose a separate transaction context,\n // so we pass the adapter itself. better-auth patches this\n // automatically when missing, but providing it avoids a\n // runtime warning from getBaseAdapter().\n transaction: async <R>(cb: (trx: any) => Promise<R>): Promise<R> => cb(adapter),\n });\n }\n \n // Fallback warning if no dataEngine is provided\n console.warn(\n '⚠️ WARNING: No dataEngine provided to AuthManager! ' +\n 'Using in-memory storage. This is NOT suitable for production. ' +\n 'Please provide a dataEngine instance (e.g., ObjectQL) in AuthManagerOptions.'\n );\n \n // Return a minimal in-memory configuration as fallback\n // This allows the system to work in development/testing without a real database\n return undefined; // better-auth will use its default in-memory adapter\n }\n\n /**\n * Generate a secure secret if not provided\n */\n private generateSecret(): string {\n const envSecret = process.env.AUTH_SECRET;\n \n if (!envSecret) {\n // In production, a secret MUST be provided\n // For development/testing, we'll use a fallback but warn about it\n const fallbackSecret = 'dev-secret-' + Date.now();\n \n console.warn(\n '⚠️ WARNING: No AUTH_SECRET environment variable set! ' +\n 'Using a temporary development secret. ' +\n 'This is NOT secure for production use. 
' +\n 'Please set AUTH_SECRET in your environment variables.'\n );\n \n return fallbackSecret;\n }\n \n return envSecret;\n }\n\n /**\n * Get the underlying better-auth instance\n * Useful for advanced use cases\n */\n getAuthInstance(): Auth<any> {\n return this.getOrCreateAuth();\n }\n\n /**\n * Handle an authentication request\n * Forwards the request directly to better-auth's universal handler\n *\n * better-auth catches internal errors (database / adapter / ORM) and\n * returns a 500 Response instead of throwing. We therefore inspect the\n * response status and log server errors so they are not silently swallowed.\n * \n * @param request - Web standard Request object\n * @returns Web standard Response object\n */\n async handleRequest(request: Request): Promise<Response> {\n const auth = this.getOrCreateAuth();\n const response = await auth.handler(request);\n\n if (response.status >= 500) {\n try {\n const body = await response.clone().text();\n console.error('[AuthManager] better-auth returned error:', response.status, body);\n } catch {\n console.error('[AuthManager] better-auth returned error:', response.status, '(unable to read body)');\n }\n }\n\n return response;\n }\n\n /**\n * Get the better-auth API for programmatic access\n * Use this for server-side operations (e.g., creating users, checking sessions)\n */\n get api() {\n return this.getOrCreateAuth().api;\n }\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { IDataEngine } from '@objectstack/core';\nimport type { CleanedWhere } from 'better-auth/adapters';\nimport { SystemObjectName } from '@objectstack/spec/system';\n\n/**\n * Mapping from better-auth model names to ObjectStack protocol object names.\n *\n * better-auth uses hardcoded model names ('user', 'session', 'account', 'verification')\n * while ObjectStack's protocol layer uses `sys_` prefixed names. 
This map bridges the two.\n */\nexport const AUTH_MODEL_TO_PROTOCOL: Record<string, string> = {\n user: SystemObjectName.USER,\n session: SystemObjectName.SESSION,\n account: SystemObjectName.ACCOUNT,\n verification: SystemObjectName.VERIFICATION,\n};\n\n/**\n * Resolve a better-auth model name to the ObjectStack protocol object name.\n * Falls back to the original model name for custom / non-core models.\n */\nexport function resolveProtocolName(model: string): string {\n return AUTH_MODEL_TO_PROTOCOL[model] ?? model;\n}\n\n/**\n * ObjectQL Adapter for better-auth\n * \n * Bridges better-auth's database adapter interface with ObjectQL's IDataEngine.\n * This allows better-auth to use ObjectQL for data persistence instead of\n * third-party ORMs like drizzle-orm.\n * \n * Model names from better-auth (e.g. 'user') are automatically mapped to\n * ObjectStack protocol names (e.g. 'sys_user') via {@link AUTH_MODEL_TO_PROTOCOL}.\n * \n * @param dataEngine - ObjectQL data engine instance\n * @returns better-auth CustomAdapter\n */\nexport function createObjectQLAdapter(dataEngine: IDataEngine) {\n /**\n * Convert better-auth where clause to ObjectQL query format\n */\n function convertWhere(where: CleanedWhere[]): Record<string, any> {\n const filter: Record<string, any> = {};\n \n for (const condition of where) {\n // Use field names as-is (no conversion needed)\n const fieldName = condition.field;\n \n if (condition.operator === 'eq') {\n filter[fieldName] = condition.value;\n } else if (condition.operator === 'ne') {\n filter[fieldName] = { $ne: condition.value };\n } else if (condition.operator === 'in') {\n filter[fieldName] = { $in: condition.value };\n } else if (condition.operator === 'gt') {\n filter[fieldName] = { $gt: condition.value };\n } else if (condition.operator === 'gte') {\n filter[fieldName] = { $gte: condition.value };\n } else if (condition.operator === 'lt') {\n filter[fieldName] = { $lt: condition.value };\n } else if (condition.operator === 
'lte') {\n filter[fieldName] = { $lte: condition.value };\n } else if (condition.operator === 'contains') {\n filter[fieldName] = { $regex: condition.value };\n }\n }\n \n return filter;\n }\n\n return {\n create: async <T extends Record<string, any>>({ model, data, select: _select }: { model: string; data: T; select?: string[] }): Promise<T> => {\n const objectName = resolveProtocolName(model);\n \n // Note: select parameter is currently not supported by ObjectQL's insert operation\n // The full record is always returned after insertion\n const result = await dataEngine.insert(objectName, data);\n return result as T;\n },\n \n findOne: async <T>({ model, where, select, join: _join }: { model: string; where: CleanedWhere[]; select?: string[]; join?: any }): Promise<T | null> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: join parameter is not currently supported by ObjectQL's findOne operation\n // Joins/populate functionality is planned for future ObjectQL releases\n // For now, related data must be fetched separately\n \n const result = await dataEngine.findOne(objectName, {\n filter,\n select,\n });\n \n return result ? result as T : null;\n },\n \n findMany: async <T>({ model, where, limit, offset, sortBy, join: _join }: { model: string; where?: CleanedWhere[]; limit: number; offset?: number; sortBy?: { field: string; direction: 'asc' | 'desc' }; join?: any }): Promise<T[]> => {\n const objectName = resolveProtocolName(model);\n const filter = where ? convertWhere(where) : {};\n \n // Note: join parameter is not currently supported by ObjectQL's find operation\n // Joins/populate functionality is planned for future ObjectQL releases\n \n const sort = sortBy ? 
[{\n field: sortBy.field,\n order: sortBy.direction as 'asc' | 'desc',\n }] : undefined;\n \n const results = await dataEngine.find(objectName, {\n filter,\n limit: limit || 100,\n skip: offset,\n sort,\n });\n \n return results as T[];\n },\n \n count: async ({ model, where }: { model: string; where?: CleanedWhere[] }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = where ? convertWhere(where) : {};\n \n return await dataEngine.count(objectName, { filter });\n },\n \n update: async <T>({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<T | null> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Find the record first to get its ID\n const record = await dataEngine.findOne(objectName, { filter });\n if (!record) {\n return null;\n }\n \n const result = await dataEngine.update(objectName, {\n ...update,\n id: record.id,\n });\n \n return result ? result as T : null;\n },\n \n updateMany: async ({ model, where, update }: { model: string; where: CleanedWhere[]; update: Record<string, any> }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: Sequential updates are used here because ObjectQL's IDataEngine interface\n // requires an ID for updates. 
A future optimization could use a bulk update\n // operation if ObjectQL adds support for filter-based updates without IDs.\n \n // Find all matching records\n const records = await dataEngine.find(objectName, { filter });\n \n // Update each record\n for (const record of records) {\n await dataEngine.update(objectName, {\n ...update,\n id: record.id,\n });\n }\n \n return records.length;\n },\n \n delete: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<void> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: We need to find the record first to get its ID because ObjectQL's\n // delete operation requires an ID. Direct filter-based delete would be more\n // efficient if supported by ObjectQL in the future.\n const record = await dataEngine.findOne(objectName, { filter });\n if (!record) {\n return;\n }\n \n await dataEngine.delete(objectName, { filter: { id: record.id } });\n },\n \n deleteMany: async ({ model, where }: { model: string; where: CleanedWhere[] }): Promise<number> => {\n const objectName = resolveProtocolName(model);\n const filter = convertWhere(where);\n \n // Note: Sequential deletes are used here because ObjectQL's delete operation\n // requires an ID in the filter. A future optimization could use a single\n // delete call with the original filter if ObjectQL supports it.\n \n // Find all matching records\n const records = await dataEngine.find(objectName, { filter });\n \n // Delete each record\n for (const record of records) {\n await dataEngine.delete(objectName, { filter: { id: record.id } });\n }\n \n return records.length;\n },\n };\n}\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { Plugin, PluginContext, IHttpServer } from '@objectstack/core';\nimport { AuthConfig } from '@objectstack/spec/system';\nimport { AuthManager } from './auth-manager.js';\n\n/**\n * Auth Plugin Options\n * Extends AuthConfig from spec with additional runtime options\n */\nexport interface AuthPluginOptions extends Partial<AuthConfig> {\n /**\n * Whether to automatically register auth routes\n * @default true\n */\n registerRoutes?: boolean;\n \n /**\n * Base path for auth routes\n * @default '/api/v1/auth'\n */\n basePath?: string;\n}\n\n/**\n * Authentication Plugin\n * \n * Provides authentication and identity services for ObjectStack applications.\n * \n * **Dual-Mode Operation:**\n * - **Server mode** (HonoServerPlugin active): Registers HTTP routes at basePath,\n * forwarding all auth requests to better-auth's universal handler.\n * - **MSW/Mock mode** (no HTTP server): Gracefully skips route registration but\n * still registers the `auth` service, allowing HttpDispatcher.handleAuth() to\n * simulate auth flows (sign-up, sign-in, etc.) 
for development and testing.\n * \n * Features:\n * - Session management\n * - User registration/login\n * - OAuth providers (Google, GitHub, etc.)\n * - Organization/team support\n * - 2FA, passkeys, magic links\n * \n * This plugin registers:\n * - `auth` service (auth manager instance) — always\n * - HTTP routes for authentication endpoints — only when HTTP server is available\n * \n * Integrates with better-auth library to provide comprehensive\n * authentication capabilities including email/password, OAuth, 2FA,\n * magic links, passkeys, and organization support.\n */\nexport class AuthPlugin implements Plugin {\n name = 'com.objectstack.auth';\n type = 'standard';\n version = '1.0.0';\n dependencies: string[] = []; // HTTP server is optional; routes are registered only when available\n \n private options: AuthPluginOptions;\n private authManager: AuthManager | null = null;\n\n constructor(options: AuthPluginOptions = {}) {\n this.options = {\n registerRoutes: true,\n basePath: '/api/v1/auth',\n ...options\n };\n }\n\n async init(ctx: PluginContext): Promise<void> {\n ctx.logger.info('Initializing Auth Plugin...');\n\n // Validate required configuration\n if (!this.options.secret) {\n throw new Error('AuthPlugin: secret is required');\n }\n\n // Get data engine service for database operations\n const dataEngine = ctx.getService<any>('data');\n if (!dataEngine) {\n ctx.logger.warn('No data engine service found - auth will use in-memory storage');\n }\n\n // Initialize auth manager with data engine\n this.authManager = new AuthManager({\n ...this.options,\n dataEngine,\n });\n\n // Register auth service\n ctx.registerService('auth', this.authManager);\n \n ctx.logger.info('Auth Plugin initialized successfully');\n }\n\n async start(ctx: PluginContext): Promise<void> {\n ctx.logger.info('Starting Auth Plugin...');\n\n if (!this.authManager) {\n throw new Error('Auth manager not initialized');\n }\n\n // Defer HTTP route registration to kernel:ready hook.\n // 
This ensures all plugins (including HonoServerPlugin) have completed\n // their init and start phases before we attempt to look up the\n // http-server service — making AuthPlugin resilient to plugin\n // loading order.\n if (this.options.registerRoutes) {\n ctx.hook('kernel:ready', async () => {\n let httpServer: IHttpServer | null = null;\n try {\n httpServer = ctx.getService<IHttpServer>('http-server');\n } catch {\n // Service not found — expected in MSW/mock mode\n }\n\n if (httpServer) {\n // Route registration errors should propagate (server misconfiguration)\n this.registerAuthRoutes(httpServer, ctx);\n ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);\n } else {\n ctx.logger.warn(\n 'No HTTP server available — auth routes not registered. ' +\n 'Auth service is still available for MSW/mock environments via HttpDispatcher.'\n );\n }\n });\n }\n\n // Register auth middleware on ObjectQL engine (if available)\n try {\n const ql = ctx.getService<any>('objectql');\n if (ql && typeof ql.registerMiddleware === 'function') {\n ql.registerMiddleware(async (opCtx: any, next: () => Promise<void>) => {\n // If context already has userId or isSystem, skip auth resolution\n if (opCtx.context?.userId || opCtx.context?.isSystem) {\n return next();\n }\n // Future: resolve session from AsyncLocalStorage or request context\n await next();\n });\n ctx.logger.info('Auth middleware registered on ObjectQL engine');\n }\n } catch (_e) {\n ctx.logger.debug('ObjectQL engine not available, skipping auth middleware registration');\n }\n\n ctx.logger.info('Auth Plugin started successfully');\n }\n\n async destroy(): Promise<void> {\n // Cleanup if needed\n this.authManager = null;\n }\n\n /**\n * Register authentication routes with HTTP server\n * \n * Uses better-auth's universal handler for all authentication requests.\n * This forwards all requests under basePath to better-auth, which handles:\n * - Email/password authentication\n * - OAuth providers (Google, 
GitHub, etc.)\n * - Session management\n * - Password reset\n * - Email verification\n * - 2FA, passkeys, magic links (if enabled)\n */\n private registerAuthRoutes(httpServer: IHttpServer, ctx: PluginContext): void {\n if (!this.authManager) return;\n\n const basePath = this.options.basePath || '/api/v1/auth';\n\n // Get raw Hono app to use native wildcard routing\n // Type assertion is safe here because we explicitly require Hono server as a dependency\n if (!('getRawApp' in httpServer) || typeof (httpServer as any).getRawApp !== 'function') {\n ctx.logger.error('HTTP server does not support getRawApp() - wildcard routing requires Hono server');\n throw new Error(\n 'AuthPlugin requires HonoServerPlugin for wildcard routing support. ' +\n 'Please ensure HonoServerPlugin is loaded before AuthPlugin.'\n );\n }\n\n const rawApp = (httpServer as any).getRawApp();\n\n // Register wildcard route to forward all auth requests to better-auth\n // Better-auth expects requests at its baseURL, so we need to preserve the full path\n rawApp.all(`${basePath}/*`, async (c: any) => {\n try {\n // Get the Web standard Request from Hono context\n const request = c.req.raw as Request;\n \n // Create a new Request with the path rewritten to match better-auth's expectations\n // Better-auth expects paths like /sign-in/email, /sign-up/email, etc.\n // We need to strip our basePath prefix\n const url = new URL(request.url);\n const authPath = url.pathname.replace(basePath, '');\n const rewrittenUrl = new URL(authPath || '/', url.origin);\n rewrittenUrl.search = url.search; // Preserve query params\n \n const rewrittenRequest = new Request(rewrittenUrl, {\n method: request.method,\n headers: request.headers,\n body: request.body,\n duplex: 'half' as any, // Required for Request with body\n });\n\n // Forward to better-auth handler\n const response = await this.authManager!.handleRequest(rewrittenRequest);\n\n // better-auth catches internal errors and returns error Responses\n // without 
throwing, so the catch block below would never trigger.\n // We proactively log server errors here for observability.\n if (response.status >= 500) {\n try {\n const body = await response.clone().text();\n ctx.logger.error('[AuthPlugin] better-auth returned server error', new Error(`HTTP ${response.status}: ${body}`));\n } catch {\n ctx.logger.error('[AuthPlugin] better-auth returned server error', new Error(`HTTP ${response.status}: (unable to read body)`));\n }\n }\n \n return response;\n } catch (error) {\n const err = error instanceof Error ? error : new Error(String(error));\n ctx.logger.error('Auth request error:', err);\n \n // Return error response\n return new Response(\n JSON.stringify({\n success: false,\n error: err.message,\n }),\n {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n }\n );\n }\n });\n\n ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);\n }\n}\n\n\n\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth User Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - email: string (unique, lowercase)\n * - email_verified: boolean\n * - name: string\n * - image: string | null\n */\nexport const AuthUser = ObjectSchema.create({\n name: 'sys_user',\n label: 'User',\n pluralLabel: 'Users',\n icon: 'user',\n description: 'User accounts for authentication',\n titleFormat: '{name} ({email})',\n compactLayout: ['name', 'email', 'email_verified'],\n \n fields: {\n // ID is auto-generated by ObjectQL\n id: Field.text({\n label: 'User ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n 
email: Field.email({\n label: 'Email',\n required: true,\n searchable: true,\n }),\n \n email_verified: Field.boolean({\n label: 'Email Verified',\n defaultValue: false,\n }),\n \n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n }),\n \n image: Field.url({\n label: 'Profile Image',\n required: false,\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['email'], unique: true },\n { fields: ['created_at'], unique: false },\n ],\n \n // Enable features\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n \n // Validation Rules\n validations: [\n {\n name: 'email_unique',\n type: 'unique',\n severity: 'error',\n message: 'Email must be unique',\n fields: ['email'],\n caseSensitive: false,\n },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Session Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - user_id: string\n * - expires_at: Date\n * - token: string\n * - ip_address: string | null\n * - user_agent: string | null\n */\nexport const AuthSession = ObjectSchema.create({\n name: 'sys_session',\n label: 'Session',\n pluralLabel: 'Sessions',\n icon: 'key',\n description: 'Active user sessions',\n titleFormat: 'Session {token}',\n compactLayout: ['user_id', 'expires_at', 'ip_address'],\n \n fields: {\n id: Field.text({\n label: 'Session ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n user_id: Field.text({\n label: 'User ID',\n required: true,\n }),\n \n expires_at: 
Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n token: Field.text({\n label: 'Session Token',\n required: true,\n }),\n \n ip_address: Field.text({\n label: 'IP Address',\n required: false,\n maxLength: 45, // Support IPv6\n }),\n \n user_agent: Field.textarea({\n label: 'User Agent',\n required: false,\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['user_id'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n // Enable features\n enable: {\n trackHistory: false, // Sessions don't need history tracking\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'], // No update for sessions\n trash: false, // Sessions should be hard deleted\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Account Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - provider_id: string (e.g., 'google', 'github')\n * - account_id: string (provider's user ID)\n * - user_id: string (link to user table)\n * - access_token: string | null\n * - refresh_token: string | null\n * - id_token: string | null\n * - access_token_expires_at: Date | null\n * - refresh_token_expires_at: Date | null\n * - scope: string | null\n * - password: string | null (for email/password provider)\n */\nexport const AuthAccount = ObjectSchema.create({\n name: 'sys_account',\n label: 'Account',\n pluralLabel: 'Accounts',\n icon: 'link',\n description: 'OAuth and authentication provider accounts',\n titleFormat: '{provider_id} - {account_id}',\n compactLayout: ['provider_id', 'user_id', 'account_id'],\n \n fields: {\n id: Field.text({\n label: 'Account ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n 
defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n description: 'OAuth provider identifier (google, github, etc.)',\n }),\n \n account_id: Field.text({\n label: 'Provider Account ID',\n required: true,\n description: \"User's ID in the provider's system\",\n }),\n \n user_id: Field.text({\n label: 'User ID',\n required: true,\n description: 'Link to user table',\n }),\n \n access_token: Field.textarea({\n label: 'Access Token',\n required: false,\n }),\n \n refresh_token: Field.textarea({\n label: 'Refresh Token',\n required: false,\n }),\n \n id_token: Field.textarea({\n label: 'ID Token',\n required: false,\n }),\n \n access_token_expires_at: Field.datetime({\n label: 'Access Token Expires At',\n required: false,\n }),\n \n refresh_token_expires_at: Field.datetime({\n label: 'Refresh Token Expires At',\n required: false,\n }),\n \n scope: Field.text({\n label: 'OAuth Scope',\n required: false,\n }),\n \n password: Field.text({\n label: 'Password Hash',\n required: false,\n description: 'Hashed password for email/password provider',\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['user_id'], unique: false },\n { fields: ['provider_id', 'account_id'], unique: true },\n ],\n \n // Enable features\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * Auth Verification Object\n * \n * Uses better-auth's native schema for seamless migration:\n * - id: string\n * - created_at: Date\n * - updated_at: Date\n * - value: string (verification token/code)\n * - expires_at: Date\n * - identifier: string (email or phone number)\n */\nexport const AuthVerification = ObjectSchema.create({\n name: 'sys_verification',\n label: 'Verification',\n pluralLabel: 'Verifications',\n icon: 'shield-check',\n description: 'Email and phone verification tokens',\n titleFormat: 'Verification for {identifier}',\n compactLayout: ['identifier', 'expires_at', 'created_at'],\n \n fields: {\n id: Field.text({\n label: 'Verification ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n value: Field.text({\n label: 'Verification Token',\n required: true,\n description: 'Token or code for verification',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n identifier: Field.text({\n label: 'Identifier',\n required: true,\n description: 'Email address or phone number',\n }),\n },\n \n // Database indexes for performance\n indexes: [\n { fields: ['value'], unique: true },\n { fields: ['identifier'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n // Enable features\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'delete'], // No list or update\n trash: false, // Hard delete expired tokens\n mru: false,\n 
},\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,yBAA2B;;;ACE3B,oBAAiC;AAQ1B,IAAM,yBAAiD;AAAA,EAC5D,MAAM,+BAAiB;AAAA,EACvB,SAAS,+BAAiB;AAAA,EAC1B,SAAS,+BAAiB;AAAA,EAC1B,cAAc,+BAAiB;AACjC;AAMO,SAAS,oBAAoB,OAAuB;AACzD,SAAO,uBAAuB,KAAK,KAAK;AAC1C;AAeO,SAAS,sBAAsB,YAAyB;AAI7D,WAAS,aAAa,OAA4C;AAChE,UAAM,SAA8B,CAAC;AAErC,eAAW,aAAa,OAAO;AAE7B,YAAM,YAAY,UAAU;AAE5B,UAAI,UAAU,aAAa,MAAM;AAC/B,eAAO,SAAS,IAAI,UAAU;AAAA,MAChC,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,OAAO;AACvC,eAAO,SAAS,IAAI,EAAE,MAAM,UAAU,MAAM;AAAA,MAC9C,WAAW,UAAU,aAAa,MAAM;AACtC,eAAO,SAAS,IAAI,EAAE,KAAK,UAAU,MAAM;AAAA,MAC7C,WAAW,UAAU,aAAa,OAAO;AACvC,eAAO,SAAS,IAAI,EAAE,MAAM,UAAU,MAAM;AAAA,MAC9C,WAAW,UAAU,aAAa,YAAY;AAC5C,eAAO,SAAS,IAAI,EAAE,QAAQ,UAAU,MAAM;AAAA,MAChD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,QAAQ,OAAsC,EAAE,OAAO,MAAM,QAAQ,QAAQ,MAAiE;AAC5I,YAAM,aAAa,oBAAoB,KAAK;AAI5C,YAAM,SAAS,MAAM,WAAW,OAAO,YAAY,IAAI;AACvD,aAAO;AAAA,IACT;AAAA,IAEA,SAAS,OAAU,EAAE,OAAO,OAAO,QAAQ,MAAM,MAAM,MAAkG;AACvJ,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAMjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY;AAAA,QAClD;AAAA,QACA;AAAA,MACF,CAAC;AAED,aAAO,SAAS,SAAc;AAAA,IAChC;AAAA,IAEA,UAAU,OAAU,EAAE,OAAO,OAAO,OAAO,QAAQ,QAAQ,MAAM,MAAM,MAAkK;AACvO,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,QAAQ,aAAa,KAAK,IAAI,CAAC;AAK9C,YAAM,OAAO,SAAS,CAAC;AAAA,QACrB,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC,IAAI;AAEL,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY;AAAA,QAChD;AAAA,QACA,OAAO,SAAS;AAAA,QAChB,MAAM;AAAA,QACN;AAAA,MACF,CAAC;AAED,aAAO;AAAA,IACT;AAAA,IAEA,OAAO,OAAO,EAAE,OAAO,MAAM,MAAkE;AAC7F,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,QAAQ,aAAa,KAAK,IAAI,CAAC;AAE9C,aAAO,MAAM,WAAW,MAAM,YAAY,EAAE,OAAO,CAAC;AAAA,IACtD;AAAA,IAEA,QAAQ,OAAU,EAAE,OAAO,OAAO,OAAO,MAAgG;AACvI,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;A
AGjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,OAAO,CAAC;AAC9D,UAAI,CAAC,QAAQ;AACX,eAAO;AAAA,MACT;AAEA,YAAM,SAAS,MAAM,WAAW,OAAO,YAAY;AAAA,QACjD,GAAG;AAAA,QACH,IAAI,OAAO;AAAA,MACb,CAAC;AAED,aAAO,SAAS,SAAc;AAAA,IAChC;AAAA,IAEA,YAAY,OAAO,EAAE,OAAO,OAAO,OAAO,MAA8F;AACtI,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAOjC,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY,EAAE,OAAO,CAAC;AAG5D,iBAAW,UAAU,SAAS;AAC5B,cAAM,WAAW,OAAO,YAAY;AAAA,UAClC,GAAG;AAAA,UACH,IAAI,OAAO;AAAA,QACb,CAAC;AAAA,MACH;AAEA,aAAO,QAAQ;AAAA,IACjB;AAAA,IAEA,QAAQ,OAAO,EAAE,OAAO,MAAM,MAA+D;AAC3F,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAKjC,YAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,OAAO,CAAC;AAC9D,UAAI,CAAC,QAAQ;AACX;AAAA,MACF;AAEA,YAAM,WAAW,OAAO,YAAY,EAAE,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,CAAC;AAAA,IACnE;AAAA,IAEA,YAAY,OAAO,EAAE,OAAO,MAAM,MAAiE;AACjG,YAAM,aAAa,oBAAoB,KAAK;AAC5C,YAAM,SAAS,aAAa,KAAK;AAOjC,YAAM,UAAU,MAAM,WAAW,KAAK,YAAY,EAAE,OAAO,CAAC;AAG5D,iBAAW,UAAU,SAAS;AAC5B,cAAM,WAAW,OAAO,YAAY,EAAE,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,CAAC;AAAA,MACnE;AAEA,aAAO,QAAQ;AAAA,IACjB;AAAA,EACF;AACF;;;ADrKO,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAY,QAA4B;AAHxC,SAAQ,OAAyB;AAI/B,SAAK,SAAS;AAGd,QAAI,OAAO,cAAc;AACvB,WAAK,OAAO,OAAO;AAAA,IACrB;AAAA,EAGF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAA6B;AACnC,QAAI,CAAC,KAAK,MAAM;AACd,WAAK,OAAO,KAAK,mBAAmB;AAAA,IACtC;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAgC;AACtC,UAAM,mBAAsC;AAAA;AAAA,MAE1C,QAAQ,KAAK,OAAO,UAAU,KAAK,eAAe;AAAA,MAClD,SAAS,KAAK,OAAO,WAAW;AAAA,MAChC,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,MAKV,UAAU,KAAK,qBAAqB;AAAA;AAAA,MAGpC,kBAAkB;AAAA,QAChB,SAAS;AAAA,MACX;AAAA;AAAA,MAGA,SAAS;AAAA,QACP,WAAW,KAAK,OAAO,SAAS,aAAa,KAAK,KAAK,KAAK;AAAA;AAAA,QAC5D,WAAW,KAAK,OAAO,SAAS,aAAa,KAAK,KAAK;AAAA;AAAA,MACzD;AAAA,IACF;AAEA,eAAO,+BAAW,gBAAgB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,uBAA4B;AAElC,QAAI,KAAK,OAAO,YAAY;AAC1B,YAAM,UAAU,sBAAsB,KAAK,OAAO,UAAU;AAE5D,aAAO,CAAC,cAAmB;AAAA,QACzB,IAAI;AAAA,QACJ,GAAG;AAAA;AAAA;AAAA;AAAA;AAAA,QAKH,aAAa,OAAU,OAA6C,GAAG,OAAO;AAAA,MAChF;AAAA,IACF;AAGA,YAAQ
;AAAA,MACN;AAAA,IAGF;AAIA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAyB;AAC/B,UAAM,YAAY,QAAQ,IAAI;AAE9B,QAAI,CAAC,WAAW;AAGd,YAAM,iBAAiB,gBAAgB,KAAK,IAAI;AAEhD,cAAQ;AAAA,QACN;AAAA,MAIF;AAEA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAA6B;AAC3B,WAAO,KAAK,gBAAgB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,cAAc,SAAqC;AACvD,UAAM,OAAO,KAAK,gBAAgB;AAClC,UAAM,WAAW,MAAM,KAAK,QAAQ,OAAO;AAE3C,QAAI,SAAS,UAAU,KAAK;AAC1B,UAAI;AACF,cAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,gBAAQ,MAAM,6CAA6C,SAAS,QAAQ,IAAI;AAAA,MAClF,QAAQ;AACN,gBAAQ,MAAM,6CAA6C,SAAS,QAAQ,uBAAuB;AAAA,MACrG;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,MAAM;AACR,WAAO,KAAK,gBAAgB,EAAE;AAAA,EAChC;AACF;;;AEnJO,IAAM,aAAN,MAAmC;AAAA,EASxC,YAAY,UAA6B,CAAC,GAAG;AAR7C,gBAAO;AACP,gBAAO;AACP,mBAAU;AACV,wBAAyB,CAAC;AAG1B,SAAQ,cAAkC;AAGxC,SAAK,UAAU;AAAA,MACb,gBAAgB;AAAA,MAChB,UAAU;AAAA,MACV,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,KAAmC;AAC5C,QAAI,OAAO,KAAK,6BAA6B;AAG7C,QAAI,CAAC,KAAK,QAAQ,QAAQ;AACxB,YAAM,IAAI,MAAM,gCAAgC;AAAA,IAClD;AAGA,UAAM,aAAa,IAAI,WAAgB,MAAM;AAC7C,QAAI,CAAC,YAAY;AACf,UAAI,OAAO,KAAK,gEAAgE;AAAA,IAClF;AAGA,SAAK,cAAc,IAAI,YAAY;AAAA,MACjC,GAAG,KAAK;AAAA,MACR;AAAA,IACF,CAAC;AAGD,QAAI,gBAAgB,QAAQ,KAAK,WAAW;AAE5C,QAAI,OAAO,KAAK,sCAAsC;AAAA,EACxD;AAAA,EAEA,MAAM,MAAM,KAAmC;AAC7C,QAAI,OAAO,KAAK,yBAAyB;AAEzC,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AAOA,QAAI,KAAK,QAAQ,gBAAgB;AAC/B,UAAI,KAAK,gBAAgB,YAAY;AACnC,YAAI,aAAiC;AACrC,YAAI;AACF,uBAAa,IAAI,WAAwB,aAAa;AAAA,QACxD,QAAQ;AAAA,QAER;AAEA,YAAI,YAAY;AAEd,eAAK,mBAAmB,YAAY,GAAG;AACvC,cAAI,OAAO,KAAK,6BAA6B,KAAK,QAAQ,QAAQ,EAAE;AAAA,QACtE,OAAO;AACL,cAAI,OAAO;AAAA,YACT;AAAA,UAEF;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH;AAGA,QAAI;AACF,YAAM,KAAK,IAAI,WAAgB,UAAU;AACzC,UAAI,MAAM,OAAO,GAAG,uBAAuB,YAAY;AACrD,WAAG,mBAAmB,OAAO,OAAY,SAA8B;AAErE,cAAI,MAAM,SAAS,UAAU,MAAM,SAAS,UAAU;AACpD,mBAAO,KAAK;AAAA,UACd;AAEA,gBAAM,KAAK;AAAA,QACb,CAAC;AACD,YAAI,OAAO,KAAK,+CAA+C;AAAA,MACjE;AAAA,IACF,SAAS,IAA
I;AACX,UAAI,OAAO,MAAM,sEAAsE;AAAA,IACzF;AAEA,QAAI,OAAO,KAAK,kCAAkC;AAAA,EACpD;AAAA,EAEA,MAAM,UAAyB;AAE7B,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,mBAAmB,YAAyB,KAA0B;AAC5E,QAAI,CAAC,KAAK,YAAa;AAEvB,UAAM,WAAW,KAAK,QAAQ,YAAY;AAI1C,QAAI,EAAE,eAAe,eAAe,OAAQ,WAAmB,cAAc,YAAY;AACvF,UAAI,OAAO,MAAM,kFAAkF;AACnG,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAEA,UAAM,SAAU,WAAmB,UAAU;AAI7C,WAAO,IAAI,GAAG,QAAQ,MAAM,OAAO,MAAW;AAC5C,UAAI;AAEF,cAAM,UAAU,EAAE,IAAI;AAKtB,cAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,cAAM,WAAW,IAAI,SAAS,QAAQ,UAAU,EAAE;AAClD,cAAM,eAAe,IAAI,IAAI,YAAY,KAAK,IAAI,MAAM;AACxD,qBAAa,SAAS,IAAI;AAE1B,cAAM,mBAAmB,IAAI,QAAQ,cAAc;AAAA,UACjD,QAAQ,QAAQ;AAAA,UAChB,SAAS,QAAQ;AAAA,UACjB,MAAM,QAAQ;AAAA,UACd,QAAQ;AAAA;AAAA,QACV,CAAC;AAGD,cAAM,WAAW,MAAM,KAAK,YAAa,cAAc,gBAAgB;AAKvE,YAAI,SAAS,UAAU,KAAK;AAC1B,cAAI;AACF,kBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,gBAAI,OAAO,MAAM,kDAAkD,IAAI,MAAM,QAAQ,SAAS,MAAM,KAAK,IAAI,EAAE,CAAC;AAAA,UAClH,QAAQ;AACN,gBAAI,OAAO,MAAM,kDAAkD,IAAI,MAAM,QAAQ,SAAS,MAAM,yBAAyB,CAAC;AAAA,UAChI;AAAA,QACF;AAEA,eAAO;AAAA,MACT,SAAS,OAAO;AACd,cAAM,MAAM,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AACpE,YAAI,OAAO,MAAM,uBAAuB,GAAG;AAG3C,eAAO,IAAI;AAAA,UACT,KAAK,UAAU;AAAA,YACb,SAAS;AAAA,YACT,OAAO,IAAI;AAAA,UACb,CAAC;AAAA,UACD;AAAA,YACE,QAAQ;AAAA,YACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,UAChD;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAC;AAED,QAAI,OAAO,KAAK,8CAA8C,QAAQ,6BAA6B;AAAA,EACrG;AACF;;;AC/OA,kBAAoC;AAc7B,IAAM,WAAW,yBAAa,OAAO;AAAA,EAC1C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,QAAQ,SAAS,gBAAgB;AAAA,EAEjD,QAAQ;AAAA;AAAA,IAEN,IAAI,kBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,kBAAM,MAAM;AAAA,MACjB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,YAAY;AAAA,IACd,CAAC;AAAA,IAED,gBAAgB,kBAAM,QAAQ;
AAAA,MAC5B,OAAO;AAAA,MACP,cAAc;AAAA,IAChB,CAAC;AAAA,IAED,MAAM,kBAAM,KAAK;AAAA,MACf,OAAO;AAAA,MACP,UAAU;AAAA,MACV,YAAY;AAAA,MACZ,WAAW;AAAA,IACb,CAAC;AAAA,IAED,OAAO,kBAAM,IAAI;AAAA,MACf,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,UAAU,QAAQ;AAAA,IACxD,OAAO;AAAA,IACP,KAAK;AAAA,EACP;AAAA;AAAA,EAGA,aAAa;AAAA,IACX;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,MACT,QAAQ,CAAC,OAAO;AAAA,MAChB,eAAe;AAAA,IACjB;AAAA,EACF;AACF,CAAC;;;AC9FD,IAAAA,eAAoC;AAe7B,IAAM,cAAc,0BAAa,OAAO;AAAA,EAC7C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,WAAW,cAAc,YAAY;AAAA,EAErD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,SAAS,mBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA;AAAA,IACb,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,SAAS,GAAG,QAAQ,MAAM;AAAA,IACrC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,QAAQ;AAAA;AAAA,IAC9C,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;;;ACtFD,IAAAC,eAAoC;AAoB7B,IAAM,cAAc,0BAAa,OAAO;AAAA,EAC7C,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC
,eAAe,WAAW,YAAY;AAAA,EAEtD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,aAAa,mBAAM,KAAK;AAAA,MACtB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,mBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,SAAS,mBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,cAAc,mBAAM,SAAS;AAAA,MAC3B,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,eAAe,mBAAM,SAAS;AAAA,MAC5B,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,UAAU,mBAAM,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,yBAAyB,mBAAM,SAAS;AAAA,MACtC,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,0BAA0B,mBAAM,SAAS;AAAA,MACvC,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,UAAU,mBAAM,KAAK;AAAA,MACnB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAS,GAAG,QAAQ,MAAM;AAAA,IACrC,EAAE,QAAQ,CAAC,eAAe,YAAY,GAAG,QAAQ,KAAK;AAAA,EACxD;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,QAAQ,UAAU,UAAU,QAAQ;AAAA,IACxD,OAAO;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;;;ACtHD,IAAAC,eAAoC;AAa7B,IAAM,mBAAmB,0BAAa,OAAO;AAAA,EAClD,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,cAAc,cAAc,YAAY;AAAA,EAExD,QAAQ;AAAA,IACN,IAAI,mBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,OAAO,mBAAM,KAAK;AAAA,MAChB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,mBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,m
BAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,OAAO,GAAG,QAAQ,KAAK;AAAA,IAClC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,IACxC,EAAE,QAAQ,CAAC,YAAY,GAAG,QAAQ,MAAM;AAAA,EAC1C;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,UAAU,QAAQ;AAAA;AAAA,IACtC,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,EACP;AACF,CAAC;","names":["import_data","import_data","import_data"]}
|
package/dist/index.mjs
CHANGED
|
@@ -144,6 +144,8 @@ var AuthManager = class {
|
|
|
144
144
|
// Base configuration
|
|
145
145
|
secret: this.config.secret || this.generateSecret(),
|
|
146
146
|
baseURL: this.config.baseUrl || "http://localhost:3000",
|
|
147
|
+
basePath: "/",
|
|
148
|
+
// ← 关键修复!告诉 better-auth 路径已被剥离
|
|
147
149
|
// Database adapter configuration
|
|
148
150
|
// For now, we configure a basic setup that will be enhanced
|
|
149
151
|
// when database URL is provided and drizzle-orm is available
|
|
@@ -164,10 +166,28 @@ var AuthManager = class {
|
|
|
164
166
|
}
|
|
165
167
|
/**
|
|
166
168
|
* Create database configuration using ObjectQL adapter
|
|
169
|
+
*
|
|
170
|
+
* better-auth resolves the `database` option as follows:
|
|
171
|
+
* - `undefined` → in-memory adapter
|
|
172
|
+
* - `typeof fn === "function"` → treated as `DBAdapterInstance`, called with `(options)`
|
|
173
|
+
* - otherwise → forwarded to Kysely adapter factory (pool/dialect)
|
|
174
|
+
*
|
|
175
|
+
* A raw `CustomAdapter` object would fall into the third branch and fail
|
|
176
|
+
* silently. We therefore wrap the ObjectQL adapter in a factory function
|
|
177
|
+
* so it is correctly recognised as a `DBAdapterInstance`.
|
|
167
178
|
*/
|
|
168
179
|
createDatabaseConfig() {
|
|
169
180
|
if (this.config.dataEngine) {
|
|
170
|
-
|
|
181
|
+
const adapter = createObjectQLAdapter(this.config.dataEngine);
|
|
182
|
+
return (_options) => ({
|
|
183
|
+
id: "objectql",
|
|
184
|
+
...adapter,
|
|
185
|
+
// ObjectQL does not yet expose a separate transaction context,
|
|
186
|
+
// so we pass the adapter itself. better-auth patches this
|
|
187
|
+
// automatically when missing, but providing it avoids a
|
|
188
|
+
// runtime warning from getBaseAdapter().
|
|
189
|
+
transaction: async (cb) => cb(adapter)
|
|
190
|
+
});
|
|
171
191
|
}
|
|
172
192
|
console.warn(
|
|
173
193
|
"\u26A0\uFE0F WARNING: No dataEngine provided to AuthManager! Using in-memory storage. This is NOT suitable for production. Please provide a dataEngine instance (e.g., ObjectQL) in AuthManagerOptions."
|
|
@@ -198,13 +218,26 @@ var AuthManager = class {
|
|
|
198
218
|
/**
|
|
199
219
|
* Handle an authentication request
|
|
200
220
|
* Forwards the request directly to better-auth's universal handler
|
|
221
|
+
*
|
|
222
|
+
* better-auth catches internal errors (database / adapter / ORM) and
|
|
223
|
+
* returns a 500 Response instead of throwing. We therefore inspect the
|
|
224
|
+
* response status and log server errors so they are not silently swallowed.
|
|
201
225
|
*
|
|
202
226
|
* @param request - Web standard Request object
|
|
203
227
|
* @returns Web standard Response object
|
|
204
228
|
*/
|
|
205
229
|
async handleRequest(request) {
|
|
206
230
|
const auth = this.getOrCreateAuth();
|
|
207
|
-
|
|
231
|
+
const response = await auth.handler(request);
|
|
232
|
+
if (response.status >= 500) {
|
|
233
|
+
try {
|
|
234
|
+
const body = await response.clone().text();
|
|
235
|
+
console.error("[AuthManager] better-auth returned error:", response.status, body);
|
|
236
|
+
} catch {
|
|
237
|
+
console.error("[AuthManager] better-auth returned error:", response.status, "(unable to read body)");
|
|
238
|
+
}
|
|
239
|
+
}
|
|
240
|
+
return response;
|
|
208
241
|
}
|
|
209
242
|
/**
|
|
210
243
|
* Get the better-auth API for programmatic access
|
|
@@ -251,19 +284,21 @@ var AuthPlugin = class {
|
|
|
251
284
|
throw new Error("Auth manager not initialized");
|
|
252
285
|
}
|
|
253
286
|
if (this.options.registerRoutes) {
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
287
|
+
ctx.hook("kernel:ready", async () => {
|
|
288
|
+
let httpServer = null;
|
|
289
|
+
try {
|
|
290
|
+
httpServer = ctx.getService("http-server");
|
|
291
|
+
} catch {
|
|
292
|
+
}
|
|
293
|
+
if (httpServer) {
|
|
294
|
+
this.registerAuthRoutes(httpServer, ctx);
|
|
295
|
+
ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
|
|
296
|
+
} else {
|
|
297
|
+
ctx.logger.warn(
|
|
298
|
+
"No HTTP server available \u2014 auth routes not registered. Auth service is still available for MSW/mock environments via HttpDispatcher."
|
|
299
|
+
);
|
|
300
|
+
}
|
|
301
|
+
});
|
|
267
302
|
}
|
|
268
303
|
try {
|
|
269
304
|
const ql = ctx.getService("objectql");
|
|
@@ -321,6 +356,14 @@ var AuthPlugin = class {
|
|
|
321
356
|
// Required for Request with body
|
|
322
357
|
});
|
|
323
358
|
const response = await this.authManager.handleRequest(rewrittenRequest);
|
|
359
|
+
if (response.status >= 500) {
|
|
360
|
+
try {
|
|
361
|
+
const body = await response.clone().text();
|
|
362
|
+
ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: ${body}`));
|
|
363
|
+
} catch {
|
|
364
|
+
ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
|
|
365
|
+
}
|
|
366
|
+
}
|
|
324
367
|
return response;
|
|
325
368
|
} catch (error) {
|
|
326
369
|
const err = error instanceof Error ? error : new Error(String(error));
|
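Review bot: The new 5xx branch in `handleRequest` writes the entire response body to `console.error` with no length cap or redaction. The route-handler hunk at `@@ -321,6 +356,14 @@` then logs the same body again through `ctx.logger.error` right after calling `this.authManager.handleRequest(...)`, so each server error is recorded twice. What better-auth places in a 500 body is not visible here, but adapter or ORM error text can carry query fragments or user identifiers into logs, so I would bound it, e.g. `const body = (await response.clone().text()).slice(0, 1024);`, and keep only one of the two log sites. The route handler's body starts outside its hunk, so whether it logs elsewhere cannot be confirmed from this view.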