@objectstack/plugin-auth 6.7.0 → 6.7.1

package/dist/index.mjs

@@ -830,6 +830,22 @@ var AuthManager = class {
         // never seed `sys_environment`) keep working: any lookup error
         // is treated as "no envs to protect".
         organizationHooks: {
+          // Gate fresh organization creation behind `OS_MULTI_ORG_ENABLED`.
+          // The plugin itself is always installed (so list/update/invite endpoints
+          // keep responding); only the `create` operation is denied when the
+          // deployment is provisioned in single-org mode. Default is enabled
+          // to preserve historical behaviour.
+          beforeCreateOrganization: async () => {
+            const flag = String(
+              globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+            ).toLowerCase();
+            if (flag === "false") {
+              const { APIError } = await import("better-auth/api");
+              throw new APIError("FORBIDDEN", {
+                message: "Creating additional organizations is disabled on this deployment."
+              });
+            }
+          },
           beforeUpdateOrganization: async ({ organization: organization2, member }) => {
             const newSlug = organization2?.slug;
             const orgId = member?.organizationId;
@@ -1210,11 +1226,15 @@ var AuthManager = class {
       requireEmailVerification: emailPasswordConfig.requireEmailVerification ?? false
     };
     const pluginConfig = this.config.plugins ?? {};
+    const multiOrgEnabled = String(
+      globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+    ).toLowerCase() !== "false";
     const features = {
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       organization: pluginConfig.organization ?? true,
+      multiOrgEnabled,
       oidcProvider: pluginConfig.oidcProvider ?? false,
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false
     };