@opensaas/stack-auth 0.20.1 → 0.22.0

package/dist/lists/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lists/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAA;AAC3C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAyBrF;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA6B;IAE7B,OAAO,IAAI,CAAC;QACV,MAAM,EAAE;YACN,8BAA8B;YAC9B,IAAI,EAAE,IAAI,CAAC;gBACT,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aACjC,CAAC;YACF,KAAK,EAAE,IAAI,CAAC;gBACV,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;gBAChC,SAAS,EAAE,QAAQ;aACpB,CAAC;YACF,aAAa,EAAE,QAAQ,CAAC;gBACtB,YAAY,EAAE,KAAK;aACpB,CAAC;YACF,KAAK,EAAE,IAAI,EAAE;YAEb,qCAAqC;YACrC,QAAQ,EAAE,YAAY,CAAC;gBACrB,GAAG,EAAE,cAAc;gBACnB,IAAI,EAAE,IAAI;aACX,CAAC;YACF,QAAQ,EAAE,YAAY,CAAC;gBACrB,GAAG,EAAE,cAAc;gBACnB,IAAI,EAAE,IAAI;aACX,CAAC;YAEF,iCAAiC;YACjC,GAAG,CAAC,MAAM,EAAE,MAAM,IAAI,EAAE,CAAC;SAC1B;QACD,MAAM,EAAE,MAAM,EAAE,MAAM,IAAI;YACxB,SAAS,EAAE;gBACT,sDAAsD;gBACtD,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI;gBACjB,qCAAqC;gBACrC,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;gBAClB,mCAAmC;gBACnC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE;oBAC5B,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,MAAM,MAAM,GAAI,IAAwB,EAAE,EAAE,CAAA;oBAC5C,OAAO,MAAM,KAAK,MAAM,CAAA;gBAC1B,CAAC;gBACD,mCAAmC;gBACnC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE;oBAC5B,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,MAAM,MAAM,GAAI,IAAwB,EAAE,EAAE,CAAA;oBAC5C,OAAO,MAAM,KAAK,MAAM,CAAA;gBAC1B,CAAC;aACF;SACF;QACD,KAAK,EAAE,MAAM,EAAE,KAAK;KACrB,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,qGAAqG;AACrG,MAAM,UAAU,iBAAiB;IAC/B,OAAO,IAAI,CAAC;QACV,MAAM,EAAE;YACN,wDAAwD;YACxD,KAAK,EAAE,IAAI,CAAC;gBACV,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;gBAChC,SAAS,EAAE,QAAQ;aACpB,CAAC;YACF,uBAAuB;YACvB,SAAS,EAAE,SAAS,EAAE;YACtB,oCAAoC;YACpC,SAAS,EAAE,IAAI,EAAE;YACjB,oCAAoC;YACpC,SAAS,EAAE,IAAI,EAAE;YACjB,uDAAuD;YACvD,IAAI,EAAE,YAAY,CAAC;gBACjB,GAAG,EAAE,eAAe;aACrB,CAAC;SACH;QACD,MAAM,EAAE;YACN,SAAS,EAAE;gBACT,kDAAkD;gBAClD,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;oBACrB,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,IAAI,CAAC,MAAM;wBAAE,OAAO,KAAK,CAAA;oBACzB,+CAA+C;oBAC/C,OAAO;wBACL,IAAI,EAAE;4BACJ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;yBACvB;qBACyB,CAAA;gBAC9B,CAAC;gBACD,uCAAuC;gBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;gBAClB,oBAAoB;gBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;gBACnB,gDAAgD;gBAChD,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE;oBAC5B,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,MAAM,UAAU,GAAI,IAAmC,EAAE,IAAI,EAAE,EAAE,CAAA;oBACjE,OAAO,MAAM,KAAK,UAAU,CAAA;gBAC9B,CAAC;aACF;SACF;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,qGAAqG;AACrG,MAAM,UAAU,iBAAiB;IAC/B,OAAO,IAAI,CAAC;QACV,MAAM,EAAE;YACN,mCAAmC;YACnC,SAAS,EAAE,IAAI,CAAC;gBACd,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aACjC,CAAC;YACF,gEAAgE;YAChE,UAAU,EAAE,IAAI,CAAC;gBACf,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aACjC,CAAC;YACF,uDAAuD;YACvD,IAAI,EAAE,YAAY,CAAC;gBACjB,GAAG,EAAE,eAAe;aACrB,CAAC;YACF,eAAe;YACf,WAAW,EAAE,IAAI,EAAE;YACnB,YAAY,EAAE,IAAI,EAAE;YACpB,oBAAoB,EAAE,SAAS,EAAE;YACjC,qBAAqB,EAAE,SAAS,EAAE;YAClC,KAAK,EAAE,IAAI,EAAE;YACb,OAAO,EAAE,IAAI,EAAE;YACf,8EAA8E;YAC9E,QAAQ,EAAE,IAAI,EAAE;SACjB;QACD,MAAM,EAAE;YACN,SAAS,EAAE;gBACT,kDAAkD;gBAClD,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;oBACrB,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,IAAI,CAAC,MAAM;wBAAE,OAAO,KAAK,CAAA;oBACzB,+CAA+C;oBAC/C,OAAO;wBACL,IAAI,EAAE;4BACJ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;yBACvB;qBACyB,CAAA;gBAC9B,CAAC;gBACD,uCAAuC;gBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;gBAClB,sDAAsD;gBACtD,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE;oBAC5B,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,MAAM,UAAU,GAAI,IAAmC,EAAE,IAAI,EAAE,EAAE,CAAA;oBACjE,OAAO,MAAM,KAAK,UAAU,CAAA;gBAC9B,CAAC;gBACD,0CAA0C;gBAC1C,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE;oBAC5B,IAAI,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAA;oBAC1B,MAAM,MAAM,GAAI,OAA+B,CAAC,MAAM,CAAA;oBACtD,MAAM,UAAU,GAAI,IAAmC,EAAE,IAAI,EAAE,EAAE,CAAA;oBACjE,OAAO,MAAM,KAAK,UAAU,CAAA;gBAC9B,CAAC;aACF;SACF;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,qGAAqG;AACrG,MAAM,UAAU,sBAAsB;IACpC,OAAO,IAAI,CAAC;QACV,MAAM,EAAE;YACN,mCAAmC;YACnC,UAAU,EAAE,IAAI,CAAC;gBACf,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aACjC,CAAC;YACF,cAAc;YACd,KAAK,EAAE,IAAI,CAAC;gBACV,UAAU,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;aACjC,CAAC;YACF,uBAAuB;YACvB,SAAS,EAAE,SAAS,EAAE;SACvB;QACD,MAAM,EAAE;YACN,SAAS,EAAE;gBACT,mEAAmE;gBACnE,KAAK,EAAE,GAAG,EAAE,CAAC,KAAK;gBAClB,0CAA0C;gBAC1C,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;gBAClB,aAAa;gBACb,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK;gBACnB,0CAA0C;gBAC1C,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI;aACnB;SACF;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,qGAAqG;AACrG,MAAM,UAAU,YAAY,CAAC,UAAiC;IAC5D,OAAO;QACL,IAAI,EAAE,cAAc,CAAC,UAAU,CAAC;QAChC,OAAO,EAAE,iBAAiB,EAAE;QAC5B,OAAO,EAAE,iBAAiB,EAAE;QAC5B,YAAY,EAAE,sBAAsB,EAAE;KACvC,CAAA;AACH,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/lists/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAA;AAwBhE;;;;;GAKG;AACH,MAAM,cAAc,GAAyB;IAC3C,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE;IACvC,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7C,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7C,YAAY,EAAE,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,EAAE;CACxD,CAAA;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA6B;IAG7B,OAAO,eAAe,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAA;AAC3D,CAAC;AAED;;GAEG;AACH,qGAAqG;AACrG,MAAM,UAAU,iBAAiB;IAC/B,OAAO,eAAe,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,OAAO,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,qGAAqG;AACrG,MAAM,UAAU,iBAAiB;IAC/B,OAAO,eAAe,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,OAAO,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,qGAAqG;AACrG,MAAM,UAAU,sBAAsB;IACpC,OAAO,eAAe,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,YAAY,CAAA;AAC3D,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAC1B,UAAiC,EACjC,SAA+B,cAAc;IAG7C,OAAO,eAAe,CAAC,MAAM,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,KAAK,CAAA;AACxD,CAAC"}

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,KAAK,EAAE,cAAc,EAAkB,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAezF;;;;;;;;;;;;;GAaG;AACH,wBAAgB,UAAU,CACxB,cAAc,EAAE,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,EACxD,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,iDAmIhD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAAC,EACnC,aAAa,EAAE,MAAM,EAAE,2CA0BxB;AAED,YAAY,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAgCzE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,UAAU,CACxB,cAAc,EAAE,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,EACxD,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,iDAyIhD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAAC,EACnC,aAAa,EAAE,MAAM,EAAE,2CA0BxB;AAED,YAAY,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/server/index.js

@@ -8,6 +8,21 @@ function getDatabaseConfig(dbConfig, context) {
         provider: dbConfig.provider,
     });
 }
+/**
+ * Translate a normalized OpenSaaS auth model config into the better-auth
+ * per-model options (`modelName` + `fields` column map). Returns `undefined`
+ * when there is nothing to override so the running auth instance keeps
+ * better-auth's own defaults untouched.
+ */
+function toBetterAuthModelOptions(model) {
+    const hasFields = Object.keys(model.fields).length > 0;
+    const options = {};
+    if (model.modelName)
+        options.modelName = model.modelName;
+    if (hasFields)
+        options.fields = model.fields;
+    return Object.keys(options).length > 0 ? options : undefined;
+}
 /**
  * Create a better-auth instance from OpenSaas config
  * This should be called once at app startup
@@ -44,6 +59,19 @@ export function createAuth(opensaasConfig, context) {
                 // Build better-auth configuration
                 const betterAuthConfig = {
                     database: getDatabaseConfig(resolvedConfig.db, resolvedContext),
+                    // Mirror the per-model config (modelName + field column maps) back to
+                    // better-auth so the running auth instance reads/writes the same
+                    // tables/columns the OpenSaaS Auth lists were derived from.
+                    user: toBetterAuthModelOptions(authConfig.models.user),
+                    session: {
+                        ...toBetterAuthModelOptions(authConfig.models.session),
+                        expiresIn: authConfig.session.expiresIn || 604800,
+                        updateAge: authConfig.session.updateAge
+                            ? (authConfig.session.expiresIn || 604800) / 10
+                            : 0,
+                    },
+                    account: toBetterAuthModelOptions(authConfig.models.account),
+                    verification: toBetterAuthModelOptions(authConfig.models.verification),
                     // Enable email and password if configured
                     emailAndPassword: authConfig.emailAndPassword.enabled
                         ? {
@@ -51,13 +79,6 @@ export function createAuth(opensaasConfig, context) {
                             requireEmailVerification: authConfig.emailVerification.enabled,
                         }
                         : undefined,
-                    // Configure session
-                    session: {
-                        expiresIn: authConfig.session.expiresIn || 604800,
-                        updateAge: authConfig.session.updateAge
-                            ? (authConfig.session.expiresIn || 604800) / 10
-                            : 0,
-                    },
                     // Trust host (required for production)
                     trustedOrigins: process.env.BETTER_AUTH_TRUSTED_ORIGINS?.split(',') || [],
                     // Social providers

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAK3D;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAAwB,EACxB,OAAsB;IAEtB,OAAO,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE;QACnC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;KAC5B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CACxB,cAAwD,EACxD,OAA+C;IAE/C,4CAA4C;IAC5C,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;IACrD,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAE/C,0CAA0C;IAC1C,IAAI,YAAY,GAAyC,IAAI,CAAA;IAC7D,IAAI,WAAW,GAAkD,IAAI,CAAA;IAErE,KAAK,UAAU,eAAe;QAC5B,IAAI,YAAY;YAAE,OAAO,YAAY,CAAA;QAErC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,WAAW,GAAG,CAAC,KAAK,IAAI,EAAE;gBACxB,MAAM,cAAc,GAAG,MAAM,aAAa,CAAA;gBAC1C,MAAM,eAAe,GAAG,MAAM,cAAc,CAAA;gBAE5C,uCAAuC;gBACvC,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,EAAE,IAAwC,CAAA;gBAEvF,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAA;gBACH,CAAC;gBAED,kCAAkC;gBAClC,MAAM,gBAAgB,GAAsB;oBAC1C,QAAQ,EAAE,iBAAiB,CAAC,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC;oBAE/D,0CAA0C;oBAC1C,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,CAAC,OAAO;wBACnD,CAAC,CAAC;4BACE,OAAO,EAAE,IAAI;4BACb,wBAAwB,EAAE,UAAU,CAAC,iBAAiB,CAAC,OAAO;yBAC/D;wBACH,CAAC,CAAC,SAAS;oBAEb,oBAAoB;oBACpB,OAAO,EAAE;wBACP,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM;wBACjD,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,SAAS;4BACrC,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE;4BAC/C,CAAC,CAAC,CAAC;qBACN;oBAED,uCAAuC;oBACvC,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;oBAEzE,mBAAmB;oBACnB,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC;yBACxD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,KAAK,CAAC;yBAClD,MAAM,CACL,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE;wBAC1B,IAAI,MAAM,EAAE,CAAC;4BACX,GAAG,CAAC,QAAQ,CAAC,GAAG;gCACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;gCACzB,YAAY,EAAE,MAAM,CAAC,YAAY;6BAClC,CAAA;wBACH,CAAC;wBACD,OAAO,GAAG,CAAA;oBACZ,CAAC,EACD,EAAgE,CACjE;oBAEH,8BAA8B;oBAC9B,SAAS,EAAE,UAAU,CAAC,SAAS;wBAC7B,CAAC,CAAC;4BACE,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,OAAO;4BACrC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,MAAM;4BACnC,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG;yBAC9B;wBACH,CAAC,CAAC,SAAS;oBAEb,kDAAkD;oBAClD,OAAO,EAAE,UAAU,CAAC,iBAAiB,IAAI,EAAE;iBAC5C,CAAA;gBAED,YAAY,GAAG,UAAU,CAAC,gBAAgB,CAAC,CAAA;gBAC3C,OAAO,YAAY,CAAA;YACrB,CAAC,CAAC,EAAE,CAAA;QACN,CAAC;QAED,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,2DAA2D;IAC3D,OAAO,IAAI,KAAK,CAAC,EAAmC,EAAE;QACpD,GAAG,CAAC,CAAC,EAAE,IAAI;YACT,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,oCAAoC;gBACpC,OAAO,SAAS,CAAA;YAClB,CAAC;YAED,iCAAiC;YACjC,MAAM,WAAW,GAAG,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;gBAC/C,MAAM,QAAQ,GAAG,MAAM,eAAe,EAAE,CAAA;gBACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAA6B,CAAC,CAAA;gBACrD,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;oBAChC,OAAQ,KAAyC,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;gBACzE,CAAC;gBACD,OAAO,KAAK,CAAA;YACd,CAAC,CAAA;YAED,4EAA4E;YAC5E,OAAO,IAAI,KAAK,CAAC,WAAW,EAAE;gBAC5B,GAAG,CAAC,MAAM,EAAE,OAAO;oBACjB,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;wBACvB,qCAAqC;wBACrC,OAAO,SAAS,CAAA;oBAClB,CAAC;oBACD,4DAA4D;oBAC5D,OAAO,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;wBAClC,MAAM,QAAQ,GAAG,MAAM,eAAe,EAAE,CAAA;wBACxC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAA6B,CAAC,CAAA;wBAC3D,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;4BACnD,MAAM,UAAU,GAAI,WAAuC,CAAC,OAAiB,CAAC,CAAA;4BAC9E,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;gCACrC,OAAQ,UAA8C,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;4BACjF,CAAC;4BACD,OAAO,UAAU,CAAA;wBACnB,CAAC;wBACD,MAAM,IAAI,KAAK,CACb,YAAY,MAAM,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,6BAA6B,CACzE,CAAA;oBACH,CAAC,CAAA;gBACH,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAmC,EACnC,aAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YACxC,OAAO,EAAE,IAAI,OAAO,EAAE;SACvB,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,6CAA6C;QAC7C,MAAM,MAAM,GAA4B,EAAE,CAAA;QAE1C,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACvB,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAA;YACjC,CAAC;iBAAM,IAAI,KAAK,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,KAAkC,CAAC,CAAA;YAClE,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAM3D;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAAwB,EACxB,OAAsB;IAEtB,OAAO,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE;QACnC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;KAC5B,CAAC,CAAA;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,wBAAwB,CAC/B,KAAgC;IAEhC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAA;IACtD,MAAM,OAAO,GAA4D,EAAE,CAAA;IAC3E,IAAI,KAAK,CAAC,SAAS;QAAE,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAA;IACxD,IAAI,SAAS;QAAE,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAA;IAC5C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;AAC9D,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CACxB,cAAwD,EACxD,OAA+C;IAE/C,4CAA4C;IAC5C,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;IACrD,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;IAE/C,0CAA0C;IAC1C,IAAI,YAAY,GAAyC,IAAI,CAAA;IAC7D,IAAI,WAAW,GAAkD,IAAI,CAAA;IAErE,KAAK,UAAU,eAAe;QAC5B,IAAI,YAAY;YAAE,OAAO,YAAY,CAAA;QAErC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,WAAW,GAAG,CAAC,KAAK,IAAI,EAAE;gBACxB,MAAM,cAAc,GAAG,MAAM,aAAa,CAAA;gBAC1C,MAAM,eAAe,GAAG,MAAM,cAAc,CAAA;gBAE5C,uCAAuC;gBACvC,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,EAAE,IAAwC,CAAA;gBAEvF,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAA;gBACH,CAAC;gBAED,kCAAkC;gBAClC,MAAM,gBAAgB,GAAsB;oBAC1C,QAAQ,EAAE,iBAAiB,CAAC,cAAc,CAAC,EAAE,EAAE,eAAe,CAAC;oBAE/D,sEAAsE;oBACtE,iEAAiE;oBACjE,4DAA4D;oBAC5D,IAAI,EAAE,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;oBACtD,OAAO,EAAE;wBACP,GAAG,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC;wBACtD,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM;wBACjD,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,SAAS;4BACrC,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,EAAE;4BAC/C,CAAC,CAAC,CAAC;qBACN;oBACD,OAAO,EAAE,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC5D,YAAY,EAAE,wBAAwB,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC;oBAEtE,0CAA0C;oBAC1C,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,CAAC,OAAO;wBACnD,CAAC,CAAC;4BACE,OAAO,EAAE,IAAI;4BACb,wBAAwB,EAAE,UAAU,CAAC,iBAAiB,CAAC,OAAO;yBAC/D;wBACH,CAAC,CAAC,SAAS;oBAEb,uCAAuC;oBACvC,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;oBAEzE,mBAAmB;oBACnB,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC;yBACxD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,KAAK,CAAC;yBAClD,MAAM,CACL,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE;wBAC1B,IAAI,MAAM,EAAE,CAAC;4BACX,GAAG,CAAC,QAAQ,CAAC,GAAG;gCACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;gCACzB,YAAY,EAAE,MAAM,CAAC,YAAY;6BAClC,CAAA;wBACH,CAAC;wBACD,OAAO,GAAG,CAAA;oBACZ,CAAC,EACD,EAAgE,CACjE;oBAEH,8BAA8B;oBAC9B,SAAS,EAAE,UAAU,CAAC,SAAS;wBAC7B,CAAC,CAAC;4BACE,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,OAAO;4BACrC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,MAAM;4BACnC,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,GAAG;yBAC9B;wBACH,CAAC,CAAC,SAAS;oBAEb,kDAAkD;oBAClD,OAAO,EAAE,UAAU,CAAC,iBAAiB,IAAI,EAAE;iBAC5C,CAAA;gBAED,YAAY,GAAG,UAAU,CAAC,gBAAgB,CAAC,CAAA;gBAC3C,OAAO,YAAY,CAAA;YACrB,CAAC,CAAC,EAAE,CAAA;QACN,CAAC;QAED,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,2DAA2D;IAC3D,OAAO,IAAI,KAAK,CAAC,EAAmC,EAAE;QACpD,GAAG,CAAC,CAAC,EAAE,IAAI;YACT,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,oCAAoC;gBACpC,OAAO,SAAS,CAAA;YAClB,CAAC;YAED,iCAAiC;YACjC,MAAM,WAAW,GAAG,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;gBAC/C,MAAM,QAAQ,GAAG,MAAM,eAAe,EAAE,CAAA;gBACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAA6B,CAAC,CAAA;gBACrD,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;oBAChC,OAAQ,KAAyC,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;gBACzE,CAAC;gBACD,OAAO,KAAK,CAAA;YACd,CAAC,CAAA;YAED,4EAA4E;YAC5E,OAAO,IAAI,KAAK,CAAC,WAAW,EAAE;gBAC5B,GAAG,CAAC,MAAM,EAAE,OAAO;oBACjB,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;wBACvB,qCAAqC;wBACrC,OAAO,SAAS,CAAA;oBAClB,CAAC;oBACD,4DAA4D;oBAC5D,OAAO,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;wBAClC,MAAM,QAAQ,GAAG,MAAM,eAAe,EAAE,CAAA;wBACxC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAA6B,CAAC,CAAA;wBAC3D,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;4BACnD,MAAM,UAAU,GAAI,WAAuC,CAAC,OAAiB,CAAC,CAAA;4BAC9E,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;gCACrC,OAAQ,UAA8C,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;4BACjF,CAAC;4BACD,OAAO,UAAU,CAAA;wBACnB,CAAC;wBACD,MAAM,IAAI,KAAK,CACb,YAAY,MAAM,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,6BAA6B,CACzE,CAAA;oBACH,CAAC,CAAA;gBACH,CAAC;aACF,CAAC,CAAA;QACJ,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAmC,EACnC,aAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YACxC,OAAO,EAAE,IAAI,OAAO,EAAE;SACvB,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,6CAA6C;QAC7C,MAAM,MAAM,GAA4B,EAAE,CAAA;QAE1C,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACvB,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAA;YACjC,CAAC;iBAAM,IAAI,KAAK,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,KAAkC,CAAC,CAAA;YAClE,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/server/schema-converter.d.ts

@@ -33,7 +33,7 @@ type BetterAuthTableSchema = {
 export declare function convertTableToList(tableName: string, tableSchema: BetterAuthTableSchema): ListConfig<any>;
 /**
  * Convert all Better Auth tables to OpenSaaS list configs
- * This is called by withAuth() to generate lists from Better Auth + plugins
+ * This is called by authPlugin() to generate lists from Better Auth + plugins
  */
 export declare function convertBetterAuthSchema(tables: Record<string, BetterAuthTableSchema>): Record<string, ListConfig<any>>;
 export {};

package/dist/server/schema-converter.js

@@ -237,7 +237,7 @@ export function convertTableToList(tableName, tableSchema) {
 }
 /**
  * Convert all Better Auth tables to OpenSaaS list configs
- * This is called by withAuth() to generate lists from Better Auth + plugins
+ * This is called by authPlugin() to generate lists from Better Auth + plugins
  */
 export function convertBetterAuthSchema(tables) {
     const lists = {}; // eslint-disable-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opensaas/stack-auth",
-  "version": "0.20.1",
+  "version": "0.22.0",
   "description": "Better-auth integration for OpenSaas Stack",
   "type": "module",
   "main": "./dist/index.js",
@@ -55,7 +55,7 @@
     "react": "^18.0.0 || ^19.0.0"
   },
   "devDependencies": {
-    "@types/node": "^24.12.0",
+    "@types/node": "^25.9.1",
     "@types/react": "^19.2.14",
     "@vitest/coverage-v8": "^4.0.18",
     "@vitest/ui": "^4.0.18",
@@ -64,7 +64,7 @@
     "react": "^19.2.4",
     "typescript": "^5.9.3",
     "vitest": "^4.1.0",
-    "@opensaas/stack-core": "0.20.1"
+    "@opensaas/stack-core": "0.22.0"
   },
   "scripts": {
     "build": "tsc",

package/src/config/adopt-better-auth-tables.ts

@@ -0,0 +1,146 @@
+/**
+ * "Adopt existing better-auth tables" recipe.
+ *
+ * A migrating project usually already has a working, hand-wired better-auth
+ * installation: its tables are `AuthUser`/`AuthSession`/`AuthAccount`/
+ * `AuthVerification`, mapped into a separate `auth` Postgres schema, and its
+ * application `User` (`public.User`) is a *different* model. Reconstructing the
+ * matching {@link AuthConfig} by hand — four `modelName`s plus a `schema` on each
+ * model — is repetitive and easy to get wrong.
+ *
+ * {@link adoptBetterAuthTables} produces that {@link AuthConfig} fragment from a
+ * couple of options so the migrator doesn't rebuild it from scratch. It only
+ * sets the *adoption* knobs (per-model `modelName` + the plugin-level `schema`);
+ * the developer composes it with the rest of their auth config (providers,
+ * session fields, `extendUserList`, etc.):
+ *
+ * ```typescript
+ * authPlugin({
+ *   ...adoptBetterAuthTables(),
+ *   emailAndPassword: { enabled: true },
+ *   sessionFields: ['userId', 'email', 'name'],
+ * })
+ * ```
+ *
+ * Combined with the keys/field derivation (`deriveAuthLists`) and schema
+ * placement, the generated Auth lists reach **Schema parity** with the live
+ * tables — they are modelled for runtime/types without producing a destructive
+ * auth migration. The recipe never touches the application's own domain `User`:
+ * its model names are `Auth`-prefixed by default and the plugin only ever
+ * adds/extends its *derived* keys.
+ */
+
+import type { AuthConfig, AuthModelConfig } from './types.js'
+
+/**
+ * Options for {@link adoptBetterAuthTables}.
+ *
+ * All options are optional and default to the conventions of a standard
+ * separate-schema better-auth install (an `auth` Postgres schema with
+ * `Auth`-prefixed model names).
+ */
+export type AdoptBetterAuthTablesOptions = {
+  /**
+   * The Postgres schema the live better-auth tables live in.
+   *
+   * Applied as the plugin-level {@link AuthConfig.schema}, placing every Auth
+   * list in this schema via `@@schema(...)`. Pass `'public'` (or any single
+   * schema) for an install that is not on a separate schema; pass an explicit
+   * value to match your layout.
+   *
+   * @default 'auth'
+   */
+  schema?: string
+
+  /**
+   * Prefix applied to each better-auth model name to derive the list key /
+   * table name (e.g. prefix `'Auth'` → `AuthUser`/`AuthSession`/...).
+   *
+   * A live better-auth install with `modelName: 'AuthUser'` etc. is the common
+   * case; override this if your tables use a different prefix. Set to `''` to
+   * keep the default better-auth names (`User`/`Session`/...) — but note that an
+   * unprefixed `User` will share the app's `User` key, so prefer a prefix when
+   * your domain `User` is a separate model (see {@link AuthConfig.user}).
+   *
+   * @default 'Auth'
+   */
+  modelNamePrefix?: string
+
+  /**
+   * Per-model better-auth field → column maps, keyed by model.
+   *
+   * Only needed when your live tables renamed columns away from the better-auth
+   * defaults (e.g. `name → full_name`). Merged into the matching model config so
+   * the derived field-level `@map`s match your live columns.
+   *
+   * @example
+   * ```typescript
+   * adoptBetterAuthTables({
+   *   fields: {
+   *     user: { name: 'full_name' },
+   *     session: { userId: 'user_id' },
+   *   },
+   * })
+   * ```
+   */
+  fields?: {
+    user?: Record<string, string>
+    session?: Record<string, string>
+    account?: Record<string, string>
+    verification?: Record<string, string>
+  }
+}
+
+/** The four better-auth models and their default (unprefixed) model names. */
+const MODEL_DEFAULT_NAMES = {
+  user: 'User',
+  session: 'Session',
+  account: 'Account',
+  verification: 'Verification',
+} as const
+
+/**
+ * The adoption-relevant slice of {@link AuthConfig}: the plugin-level `schema`
+ * and the per-model `modelName`/`fields`. Returned (not the full `AuthConfig`)
+ * so it spreads cleanly into the developer's own `authPlugin` config.
+ */
+export type AdoptBetterAuthTablesConfig = Pick<
+  AuthConfig,
+  'schema' | 'user' | 'session' | 'account' | 'verification'
+>
+
+/**
+ * Build the adoption {@link AuthConfig} fragment for a pre-existing better-auth
+ * installation.
+ *
+ * Returns only the model/schema knobs needed to adopt the live tables; spread it
+ * into {@link authPlugin} alongside your own auth config.
+ *
+ * @param options - Adoption conventions (schema, model-name prefix, column maps)
+ * @returns An {@link AuthConfig} fragment with `schema` + per-model `modelName`
+ *   (and any field column maps) set to match the live tables
+ */
+export function adoptBetterAuthTables(
+  options: AdoptBetterAuthTablesOptions = {},
+): AdoptBetterAuthTablesConfig {
+  const { schema = 'auth', modelNamePrefix = 'Auth', fields = {} } = options
+
+  const buildModel = (model: keyof typeof MODEL_DEFAULT_NAMES): AuthModelConfig => {
+    const config: AuthModelConfig = {
+      modelName: `${modelNamePrefix}${MODEL_DEFAULT_NAMES[model]}`,
+    }
+    const fieldMap = fields[model]
+    if (fieldMap && Object.keys(fieldMap).length > 0) {
+      config.fields = fieldMap
+    }
+    return config
+  }
+
+  return {
+    schema,
+    user: buildModel('user'),
+    session: buildModel('session'),
+    account: buildModel('account'),
+    verification: buildModel('verification'),
+  }
+}

package/src/config/derive-auth-lists.ts

@@ -0,0 +1,323 @@
+/**
+ * Pure `better-auth config → Auth lists` derivation.
+ *
+ * This module is intentionally free of side effects and plugin/runtime
+ * concerns: given the resolved better-auth model config (per-model `modelName`
+ * and `fields` column maps) plus any custom User fields, it produces the four
+ * OpenSaaS Auth lists (user/session/account/verification) with:
+ *
+ *  - list keys taken from each model's `modelName`
+ *  - a table `@@map` (list-level `db.map`) when the key differs from the
+ *    default better-auth model name
+ *  - field-level `@map` (`db.map`) for any better-auth field → column override
+ *  - relationship refs between the auth lists wired to the *derived* keys
+ *    (e.g. `Session.user → AuthUser.sessions`)
+ *
+ * When the developer supplies no `modelName`/`fields` overrides, the output is
+ * byte-for-byte the historical default set keyed `User`/`Session`/`Account`/
+ * `Verification` with the original field shapes — see the unit tests.
+ *
+ * `getAuthLists`/`convertBetterAuthSchema` (and the runtime user-key
+ * resolution) consume this module so derivation lives in exactly one place.
+ */
+
+import { list } from '@opensaas/stack-core'
+import { text, timestamp, checkbox, relationship } from '@opensaas/stack-core/fields'
+import type { ListConfig } from '@opensaas/stack-core'
+import type { ExtendUserListConfig } from '../lists/index.js'
+import type { NormalizedAuthModelConfig, NormalizedAuthModels } from './types.js'
+
+/**
+ * Default better-auth model names — used to decide whether a `@@map` is needed
+ * (only when the configured `modelName` differs from the default).
+ */
+const DEFAULT_MODEL_NAMES = {
+  user: 'User',
+  session: 'Session',
+  account: 'Account',
+  verification: 'Verification',
+} as const
+
+/**
+ * The derived Auth list set together with the keys each list was placed under.
+ * Keys are surfaced separately so callers (plugin add-vs-extend logic, runtime
+ * user-key resolution) don't have to re-derive them.
+ */
+export type DerivedAuthLists = {
+  /** Derived list keys, one per better-auth model. */
+  keys: {
+    user: string
+    session: string
+    account: string
+    verification: string
+  }
+  /** The derived list configs, keyed by their derived list keys. */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  lists: Record<string, ListConfig<any>>
+}
+
+/**
+ * Build the list-level `db` config (`timestamps` + `@@map` + `@@schema`) for a
+ * derived list.
+ *
+ * Always opts the list into auto-timestamps (`timestamps: true`). better-auth's
+ * adapter writes `createdAt`/`updatedAt` on every auth row and the schema
+ * converter returns `null` for those columns (it assumes the generator injects
+ * them). Now that auto-timestamps are OFF by default (ADR-0004), each derived
+ * Auth list must opt back in so the generated models keep those columns and
+ * better-auth keeps working.
+ *
+ * When the developer renames the model (e.g. `modelName: 'AuthUser'`), we also
+ * pin the physical table name to that model name via `@@map("AuthUser")` so the
+ * generated list adopts the developer's live table exactly. When a `schema` is
+ * configured (plugin-level or per-model), the list is placed in that Postgres
+ * schema via `@@schema(...)`.
+ *
+ * With no `modelName`/`schema` overrides we emit only `timestamps: true`,
+ * leaving the default `User`/`Session`/... table/schema output unchanged.
+ */
+function listDb(
+  model: NormalizedAuthModelConfig,
+  defaultModelName: string,
+): { timestamps: true; map?: string; schema?: string } {
+  const map = model.modelName !== defaultModelName ? model.modelName : undefined
+  const schema = model.schema
+  return {
+    timestamps: true,
+    ...(map !== undefined ? { map } : {}),
+    ...(schema !== undefined ? { schema } : {}),
+  }
+}
+
+/**
+ * Resolve the `db.map` (`@map` column override) for a better-auth field, or
+ * `undefined` when there is no override (so default output is unchanged).
+ *
+ * The field builders capture `options.db` in a closure when generating Prisma
+ * types, so the column map MUST be passed through the builder's `db` option
+ * rather than patched onto the returned field object.
+ */
+function fieldDb(fieldName: string, fields: Record<string, string>): { map: string } | undefined {
+  const column = fields[fieldName]
+  return column ? { map: column } : undefined
+}
+
+/**
+ * Build the foreign-key `db` config for a `user` relationship, honouring a
+ * `userId` column override from the better-auth `fields` map.
+ */
+function userForeignKeyDb(
+  fields: Record<string, string>,
+): { foreignKey: { map: string } } | undefined {
+  const column = fields.userId
+  return column ? { foreignKey: { map: column } } : undefined
+}
+
+/**
+ * Create the Auth user list, applying derived field column maps + table map and
+ * wiring the session/account relationships to the derived keys.
+ */
+function createUserList(
+  model: NormalizedAuthModelConfig,
+  keys: DerivedAuthLists['keys'],
+  userConfig: ExtendUserListConfig,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
+  const f = model.fields
+  return list({
+    fields: {
+      name: text({ validation: { isRequired: true }, db: fieldDb('name', f) }),
+      email: text({
+        validation: { isRequired: true },
+        isIndexed: 'unique',
+        db: fieldDb('email', f),
+      }),
+      emailVerified: checkbox({ defaultValue: false, db: fieldDb('emailVerified', f) }),
+      image: text({ db: fieldDb('image', f) }),
+
+      // Relationships to the other auth lists — refs follow the derived keys.
+      sessions: relationship({ ref: `${keys.session}.user`, many: true }),
+      accounts: relationship({ ref: `${keys.account}.user`, many: true }),
+
+      // Custom fields from user config
+      ...(userConfig.fields || {}),
+    },
+    db: listDb(model, DEFAULT_MODEL_NAMES.user),
+    access: userConfig.access || {
+      operation: {
+        query: () => true,
+        create: () => true,
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemId = (item as { id?: string })?.id
+          return userId === itemId
+        },
+      },
+    },
+    hooks: userConfig.hooks,
+  })
+}
+
+/**
+ * Create the Auth session list.
+ */
+function createSessionList(
+  model: NormalizedAuthModelConfig,
+  keys: DerivedAuthLists['keys'],
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
+  const f = model.fields
+  return list({
+    fields: {
+      token: text({
+        validation: { isRequired: true },
+        isIndexed: 'unique',
+        db: fieldDb('token', f),
+      }),
+      expiresAt: timestamp({ db: fieldDb('expiresAt', f) }),
+      ipAddress: text({ db: fieldDb('ipAddress', f) }),
+      userAgent: text({ db: fieldDb('userAgent', f) }),
+      user: relationship({
+        ref: `${keys.user}.sessions`,
+        db: userForeignKeyDb(f),
+      }),
+    },
+    db: listDb(model, DEFAULT_MODEL_NAMES.session),
+    access: {
+      operation: {
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          return {
+            user: { id: { equals: userId } },
+          } as Record<string, unknown>
+        },
+        create: () => true,
+        update: () => false,
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    },
+  })
+}
+
+/**
+ * Create the Auth account list.
+ */
+function createAccountList(
+  model: NormalizedAuthModelConfig,
+  keys: DerivedAuthLists['keys'],
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
+  const f = model.fields
+  return list({
+    fields: {
+      accountId: text({ validation: { isRequired: true }, db: fieldDb('accountId', f) }),
+      providerId: text({ validation: { isRequired: true }, db: fieldDb('providerId', f) }),
+      user: relationship({
+        ref: `${keys.user}.accounts`,
+        db: userForeignKeyDb(f),
+      }),
+      accessToken: text({ db: fieldDb('accessToken', f) }),
+      refreshToken: text({ db: fieldDb('refreshToken', f) }),
+      accessTokenExpiresAt: timestamp({ db: fieldDb('accessTokenExpiresAt', f) }),
+      refreshTokenExpiresAt: timestamp({ db: fieldDb('refreshTokenExpiresAt', f) }),
+      scope: text({ db: fieldDb('scope', f) }),
+      idToken: text({ db: fieldDb('idToken', f) }),
+      password: text({ db: fieldDb('password', f) }),
+    },
+    db: listDb(model, DEFAULT_MODEL_NAMES.account),
+    access: {
+      operation: {
+        query: ({ session }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          if (!userId) return false
+          return {
+            user: { id: { equals: userId } },
+          } as Record<string, unknown>
+        },
+        create: () => true,
+        update: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+        delete: ({ session, item }) => {
+          if (!session) return false
+          const userId = (session as { userId?: string }).userId
+          const itemUserId = (item as { user?: { id?: string } })?.user?.id
+          return userId === itemUserId
+        },
+      },
+    },
+  })
+}
+
+/**
+ * Create the Auth verification list.
+ */
+function createVerificationList(
+  model: NormalizedAuthModelConfig,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+): ListConfig<any> {
+  const f = model.fields
+  return list({
+    fields: {
+      identifier: text({ validation: { isRequired: true }, db: fieldDb('identifier', f) }),
+      value: text({ validation: { isRequired: true }, db: fieldDb('value', f) }),
+      expiresAt: timestamp({ db: fieldDb('expiresAt', f) }),
+    },
+    db: listDb(model, DEFAULT_MODEL_NAMES.verification),
+    access: {
+      operation: {
+        query: () => false,
+        create: () => true,
+        update: () => false,
+        delete: () => true,
+      },
+    },
+  })
+}
+
+/**
+ * Derive the OpenSaaS Auth lists from the resolved better-auth model config.
+ *
+ * @param models - Resolved better-auth per-model config (modelName + field column maps)
+ * @param userConfig - Extra User-list fields/access/hooks supplied via `extendUserList`
+ * @returns The derived list keys and the four Auth list configs keyed by those keys
+ */
+export function deriveAuthLists(
+  models: NormalizedAuthModels,
+  userConfig: ExtendUserListConfig = {},
+): DerivedAuthLists {
+  const keys = {
+    user: models.user.modelName,
+    session: models.session.modelName,
+    account: models.account.modelName,
+    verification: models.verification.modelName,
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  const lists: Record<string, ListConfig<any>> = {
+    [keys.user]: createUserList(models.user, keys, userConfig),
+    [keys.session]: createSessionList(models.session, keys),
+    [keys.account]: createAccountList(models.account, keys),
+    [keys.verification]: createVerificationList(models.verification),
+  }
+
+  return { keys, lists }
+}