@opensaas/stack-auth 0.21.0 → 0.23.0

package/tests/adopt-better-auth-tables.test.ts

@@ -0,0 +1,183 @@
+import { describe, it, expect } from 'vitest'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { OpenSaasConfig } from '@opensaas/stack-core'
+import type { Plugin } from '@opensaas/stack-core/extend'
+import { authPlugin } from '../src/config/plugin.js'
+import { adoptBetterAuthTables } from '../src/config/adopt-better-auth-tables.js'
+
+/**
+ * Run a config through plugin `init` (via `config()`) and then the auth
+ * plugin's `beforeGenerate` hook — mirroring the CLI generate pipeline — to
+ * observe the final config the generator would consume. Mirrors the helper in
+ * `plugin-schema-placement.test.ts`.
+ */
+async function generationConfig(userConfig: OpenSaasConfig): Promise<OpenSaasConfig> {
+  const resolved = await config(userConfig)
+  let current = resolved
+  const plugins: Plugin[] = resolved.plugins ?? []
+  for (const plugin of plugins) {
+    if (plugin.beforeGenerate) {
+      current = await plugin.beforeGenerate(current)
+    }
+  }
+  return current
+}
+
+describe('adoptBetterAuthTables - recipe defaults', () => {
+  it('produces the standard separate-schema better-auth defaults', () => {
+    const fragment = adoptBetterAuthTables()
+
+    expect(fragment).toEqual({
+      schema: 'auth',
+      user: { modelName: 'AuthUser' },
+      session: { modelName: 'AuthSession' },
+      account: { modelName: 'AuthAccount' },
+      verification: { modelName: 'AuthVerification' },
+    })
+  })
+
+  it('honours a custom schema and model-name prefix', () => {
+    const fragment = adoptBetterAuthTables({ schema: 'identity', modelNamePrefix: 'BA' })
+
+    expect(fragment).toEqual({
+      schema: 'identity',
+      user: { modelName: 'BAUser' },
+      session: { modelName: 'BASession' },
+      account: { modelName: 'BAAccount' },
+      verification: { modelName: 'BAVerification' },
+    })
+  })
+
+  it('merges per-model field column maps when provided', () => {
+    const fragment = adoptBetterAuthTables({
+      fields: {
+        user: { name: 'full_name', emailVerified: 'is_verified' },
+        session: { userId: 'user_id' },
+      },
+    })
+
+    expect(fragment.user).toEqual({
+      modelName: 'AuthUser',
+      fields: { name: 'full_name', emailVerified: 'is_verified' },
+    })
+    expect(fragment.session).toEqual({
+      modelName: 'AuthSession',
+      fields: { userId: 'user_id' },
+    })
+    // Models without a field map carry no `fields` key (no empty object)
+    expect(fragment.account).toEqual({ modelName: 'AuthAccount' })
+    expect(fragment.verification).toEqual({ modelName: 'AuthVerification' })
+  })
+
+  it('omits the schema when explicitly set to public', () => {
+    const fragment = adoptBetterAuthTables({ schema: 'public' })
+    expect(fragment.schema).toBe('public')
+  })
+})
+
+describe('adoptBetterAuthTables - composes with authPlugin', () => {
+  it('spreads into authPlugin alongside the rest of the auth config', async () => {
+    const result = await config({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables(),
+          emailAndPassword: { enabled: true },
+          sessionFields: ['userId', 'email', 'name'],
+        }),
+      ],
+      lists: {},
+    })
+
+    // The recipe's derived Auth lists are present...
+    expect(result.lists).toHaveProperty('AuthUser')
+    expect(result.lists).toHaveProperty('AuthSession')
+    expect(result.lists).toHaveProperty('AuthAccount')
+    expect(result.lists).toHaveProperty('AuthVerification')
+    // ...keyed off the recipe's model names, not the default `User`/`Session`.
+    expect(result.lists).not.toHaveProperty('User')
+    expect(result.lists).not.toHaveProperty('Session')
+
+    // The rest of the auth config still applies (stored for runtime).
+    const authData = result._pluginData?.auth as { emailAndPassword?: { enabled?: boolean } }
+    expect(authData?.emailAndPassword?.enabled).toBe(true)
+  })
+})
+
+describe('adoptBetterAuthTables - clean-diff adoption (Auth lists ≠ app User)', () => {
+  it('lands every Auth list in the auth schema with @@map + @@schema and leaves the app User untouched', async () => {
+    const result = await generationConfig({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables(),
+          emailAndPassword: { enabled: true },
+        }),
+      ],
+      // The migrating app keeps its own domain User (public.User), keyed by
+      // its own subjectId — a DIFFERENT model from the better-auth user.
+      lists: {
+        User: list({
+          fields: {
+            subjectId: text({ validation: { isRequired: true } }),
+          },
+        }),
+      },
+    })
+
+    // Each Auth list is pinned to its live table name (@@map) and the `auth`
+    // schema (@@schema), with auto-timestamps preserved (ADR-0004) — exactly the
+    // shape that diffs CLEAN against a live separate-schema better-auth install.
+    expect(result.lists.AuthUser.db).toEqual({ timestamps: true, map: 'AuthUser', schema: 'auth' })
+    expect(result.lists.AuthSession.db).toEqual({
+      timestamps: true,
+      map: 'AuthSession',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthAccount.db).toEqual({
+      timestamps: true,
+      map: 'AuthAccount',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthVerification.db).toEqual({
+      timestamps: true,
+      map: 'AuthVerification',
+      schema: 'auth',
+    })
+
+    // The app's own domain User is preserved: its field shape is intact, NOT
+    // merged with auth fields, and it stays in `public` (not the auth schema).
+    const appUser = result.lists.User
+    expect(appUser.fields).toHaveProperty('subjectId')
+    expect(appUser.fields).not.toHaveProperty('email')
+    expect(appUser.fields).not.toHaveProperty('emailVerified')
+    expect(appUser.fields).not.toHaveProperty('sessions')
+    expect(appUser.db?.schema).toBe('public')
+
+    // The datasource lists both schemas so the multi-schema Prisma schema is valid.
+    expect(result.db.schemas).toEqual(['public', 'auth'])
+  })
+
+  it('carries field column maps through to the derived Auth lists for renamed columns', async () => {
+    const result = await config({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          ...adoptBetterAuthTables({
+            fields: {
+              user: { name: 'full_name' },
+              session: { userId: 'user_id' },
+            },
+          }),
+        }),
+      ],
+      lists: {},
+    })
+
+    // Renamed columns flow through to the derived field-level @map / FK @map so
+    // the lists match the live columns.
+    expect(result.lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(result.lists.AuthSession.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+  })
+})

package/tests/derive-auth-lists.test.ts

@@ -0,0 +1,232 @@
+import { describe, it, expect } from 'vitest'
+import { deriveAuthLists } from '../src/config/derive-auth-lists.js'
+import type { NormalizedAuthModels } from '../src/config/types.js'
+
+const defaultModels: NormalizedAuthModels = {
+  user: { modelName: 'User', fields: {} },
+  session: { modelName: 'Session', fields: {} },
+  account: { modelName: 'Account', fields: {} },
+  verification: { modelName: 'Verification', fields: {} },
+}
+
+describe('deriveAuthLists - default behaviour (no overrides)', () => {
+  it('keeps the historical User/Session/Account/Verification keys', () => {
+    const { keys, lists } = deriveAuthLists(defaultModels)
+
+    expect(keys).toEqual({
+      user: 'User',
+      session: 'Session',
+      account: 'Account',
+      verification: 'Verification',
+    })
+    expect(Object.keys(lists).sort()).toEqual(['Account', 'Session', 'User', 'Verification'])
+  })
+
+  it('keeps the original User field shape', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+    const user = lists.User
+
+    expect(user.fields).toHaveProperty('name')
+    expect(user.fields).toHaveProperty('email')
+    expect(user.fields).toHaveProperty('emailVerified')
+    expect(user.fields).toHaveProperty('image')
+    expect(user.fields).toHaveProperty('sessions')
+    expect(user.fields).toHaveProperty('accounts')
+    expect(user.fields.email.isIndexed).toBe('unique')
+    expect(user.fields.name.validation?.isRequired).toBe(true)
+  })
+
+  it('wires relationship refs to the default keys', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+    expect(lists.Session.fields.user.ref).toBe('User.sessions')
+    expect(lists.Account.fields.user.ref).toBe('User.accounts')
+    expect(lists.User.fields.sessions.ref).toBe('Session.user')
+    expect(lists.User.fields.accounts.ref).toBe('Account.user')
+  })
+
+  it('emits no table @@map and no scalar @map for default keys', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+
+    expect(lists.User.db?.map).toBeUndefined()
+    expect(lists.Session.db?.map).toBeUndefined()
+    expect(lists.Account.db?.map).toBeUndefined()
+    expect(lists.Verification.db?.map).toBeUndefined()
+
+    expect(lists.User.fields.name.db?.map).toBeUndefined()
+    expect(lists.Session.fields.token.db?.map).toBeUndefined()
+    // FK column not overridden -> no foreignKey map on the relationship
+    expect(lists.Session.fields.user.db).toBeUndefined()
+  })
+
+  it('opts every auth list into auto-timestamps', () => {
+    // Auto-timestamps are OFF by default (ADR-0004), but better-auth's adapter
+    // writes createdAt/updatedAt on every auth row and the schema converter
+    // returns null for those columns assuming the generator injects them. Each
+    // derived auth list must therefore re-enable them via db.timestamps.
+    const { lists } = deriveAuthLists(defaultModels)
+
+    expect(lists.User.db?.timestamps).toBe(true)
+    expect(lists.Session.db?.timestamps).toBe(true)
+    expect(lists.Account.db?.timestamps).toBe(true)
+    expect(lists.Verification.db?.timestamps).toBe(true)
+  })
+})
+
+describe('deriveAuthLists - custom modelName overrides', () => {
+  const customModels: NormalizedAuthModels = {
+    user: { modelName: 'AuthUser', fields: {} },
+    session: { modelName: 'AuthSession', fields: {} },
+    account: { modelName: 'AuthAccount', fields: {} },
+    verification: { modelName: 'AuthVerification', fields: {} },
+  }
+
+  it('derives list keys from modelName', () => {
+    const { keys, lists } = deriveAuthLists(customModels)
+
+    expect(keys).toEqual({
+      user: 'AuthUser',
+      session: 'AuthSession',
+      account: 'AuthAccount',
+      verification: 'AuthVerification',
+    })
+    expect(Object.keys(lists).sort()).toEqual([
+      'AuthAccount',
+      'AuthSession',
+      'AuthUser',
+      'AuthVerification',
+    ])
+    // The app's own `User` key must NOT be produced by the plugin
+    expect(lists).not.toHaveProperty('User')
+  })
+
+  it('wires relationship refs to the derived keys', () => {
+    const { lists } = deriveAuthLists(customModels)
+    expect(lists.AuthSession.fields.user.ref).toBe('AuthUser.sessions')
+    expect(lists.AuthAccount.fields.user.ref).toBe('AuthUser.accounts')
+    expect(lists.AuthUser.fields.sessions.ref).toBe('AuthSession.user')
+    expect(lists.AuthUser.fields.accounts.ref).toBe('AuthAccount.user')
+  })
+
+  it('pins each renamed list to a table @@map equal to the model name', () => {
+    const { lists } = deriveAuthLists(customModels)
+
+    expect(lists.AuthUser.db?.map).toBe('AuthUser')
+    expect(lists.AuthSession.db?.map).toBe('AuthSession')
+    expect(lists.AuthAccount.db?.map).toBe('AuthAccount')
+    expect(lists.AuthVerification.db?.map).toBe('AuthVerification')
+  })
+
+  it('keeps auto-timestamps enabled alongside the table @@map', () => {
+    const { lists } = deriveAuthLists(customModels)
+
+    expect(lists.AuthUser.db?.timestamps).toBe(true)
+    expect(lists.AuthSession.db?.timestamps).toBe(true)
+    expect(lists.AuthAccount.db?.timestamps).toBe(true)
+    expect(lists.AuthVerification.db?.timestamps).toBe(true)
+  })
+})
+
+describe('deriveAuthLists - custom field column maps', () => {
+  const models: NormalizedAuthModels = {
+    user: { modelName: 'AuthUser', fields: { name: 'full_name', emailVerified: 'is_verified' } },
+    session: { modelName: 'AuthSession', fields: { token: 'session_token', userId: 'user_id' } },
+    account: { modelName: 'AuthAccount', fields: { userId: 'user_id' } },
+    verification: { modelName: 'AuthVerification', fields: {} },
+  }
+
+  it('applies @map column overrides to scalar fields', () => {
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(lists.AuthUser.fields.emailVerified.db?.map).toBe('is_verified')
+    expect(lists.AuthSession.fields.token.db?.map).toBe('session_token')
+  })
+
+  it('applies the userId column override to the relationship foreign key', () => {
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthSession.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+    expect(lists.AuthAccount.fields.user.db?.foreignKey).toEqual({ map: 'user_id' })
+  })
+
+  it('only maps fields that have an override, leaving others unmapped', () => {
+    const { lists } = deriveAuthLists(models)
+    // name is mapped, email is not
+    expect(lists.AuthUser.fields.name.db?.map).toBe('full_name')
+    expect(lists.AuthUser.fields.email.db?.map).toBeUndefined()
+  })
+})
+
+describe('deriveAuthLists - schema placement', () => {
+  it('places all lists in the configured schema via db.schema', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.db?.schema).toBe('auth')
+    expect(lists.AuthSession.db?.schema).toBe('auth')
+    expect(lists.AuthAccount.db?.schema).toBe('auth')
+    expect(lists.AuthVerification.db?.schema).toBe('auth')
+  })
+
+  it('carries both @@map and @@schema for renamed + relocated lists', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    // Auth lists always opt into auto-timestamps (ADR-0004) alongside the
+    // table @@map and @@schema placement.
+    expect(lists.AuthUser.db).toEqual({ timestamps: true, map: 'AuthUser', schema: 'auth' })
+  })
+
+  it('honours a per-model schema override alongside a different default schema', () => {
+    const models: NormalizedAuthModels = {
+      user: { modelName: 'AuthUser', fields: {}, schema: 'auth' },
+      session: { modelName: 'AuthSession', fields: {}, schema: 'auth' },
+      account: { modelName: 'AuthAccount', fields: {}, schema: 'auth' },
+      // One list targets a different schema than the rest
+      verification: { modelName: 'AuthVerification', fields: {}, schema: 'auth_internal' },
+    }
+
+    const { lists } = deriveAuthLists(models)
+
+    expect(lists.AuthUser.db?.schema).toBe('auth')
+    expect(lists.AuthVerification.db?.schema).toBe('auth_internal')
+  })
+
+  it('emits no @@schema for the default (no-schema) configuration', () => {
+    const { lists } = deriveAuthLists(defaultModels)
+
+    // Auth lists still opt into auto-timestamps (ADR-0004); the greenfield
+    // default just carries no schema/map placement.
+    expect(lists.User.db).toEqual({ timestamps: true })
+    expect(lists.User.db?.schema).toBeUndefined()
+    expect(lists.Session.db?.schema).toBeUndefined()
+    expect(lists.Account.db?.schema).toBeUndefined()
+    expect(lists.Verification.db?.schema).toBeUndefined()
+  })
+})
+
+describe('deriveAuthLists - extendUserList', () => {
+  it('adds custom fields to the derived user list', () => {
+    const { lists } = deriveAuthLists(
+      { ...defaultModels, user: { modelName: 'AuthUser', fields: {} } },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- minimal custom field config for test
+      { fields: { role: { type: 'text' } as any } },
+    )
+
+    expect(lists.AuthUser.fields).toHaveProperty('role')
+    // Base fields still present
+    expect(lists.AuthUser.fields).toHaveProperty('email')
+  })
+})

package/tests/plugin-derived-keys.test.ts

@@ -0,0 +1,138 @@
+import { describe, it, expect, vi } from 'vitest'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { AccessContext } from '@opensaas/stack-core'
+import { authPlugin } from '../src/config/plugin.js'
+import type { AuthRuntimeServices } from '../src/runtime/types.js'
+
+describe('authPlugin - add-vs-extend with derived keys', () => {
+  it("does NOT extend or overwrite an app's own User when keys are customised", async () => {
+    // The app declares its own domain `User` (a different model from the
+    // better-auth user). The plugin renames its user model to `AuthUser`.
+    const appUserHook = vi.fn()
+    const result = await config({
+      db: { provider: 'sqlite' },
+      plugins: [
+        authPlugin({
+          user: { modelName: 'AuthUser' },
+          session: { modelName: 'AuthSession' },
+          account: { modelName: 'AuthAccount' },
+          verification: { modelName: 'AuthVerification' },
+        }),
+      ],
+      lists: {
+        User: list({
+          fields: {
+            subjectId: text({ validation: { isRequired: true } }),
+          },
+          hooks: { beforeOperation: appUserHook },
+        }),
+      },
+    })
+
+    // The plugin adds its own AuthUser/AuthSession/... lists
+    expect(result.lists).toHaveProperty('AuthUser')
+    expect(result.lists).toHaveProperty('AuthSession')
+    expect(result.lists).toHaveProperty('AuthAccount')
+    expect(result.lists).toHaveProperty('AuthVerification')
+
+    // The app's own `User` is left completely untouched: its field shape is
+    // preserved and NOT merged with auth fields (no email/name/sessions).
+    const appUser = result.lists.User
+    expect(appUser.fields).toHaveProperty('subjectId')
+    expect(appUser.fields).not.toHaveProperty('email')
+    expect(appUser.fields).not.toHaveProperty('emailVerified')
+    expect(appUser.fields).not.toHaveProperty('sessions')
+    // Its hooks are preserved (not replaced by the auth user's hooks)
+    expect(appUser.hooks?.beforeOperation).toBe(appUserHook)
+
+    // And the auth user list (AuthUser) is the one carrying auth fields
+    expect(result.lists.AuthUser.fields).toHaveProperty('email')
+    expect(result.lists.AuthUser.fields).toHaveProperty('sessions')
+  })
+
+  it('still merges auth fields into an existing list that shares the default key', async () => {
+    // Default keys: the plugin's user key is `User`, so an existing `User`
+    // is intentionally extended with auth fields (the historical behaviour).
+    const result = await config({
+      db: { provider: 'sqlite' },
+      plugins: [authPlugin({})],
+      lists: {
+        User: list({
+          fields: {
+            bio: text(),
+          },
+        }),
+      },
+    })
+
+    const user = result.lists.User
+    expect(user.fields).toHaveProperty('bio') // app field preserved
+    expect(user.fields).toHaveProperty('email') // auth field merged in
+    expect(user.fields).toHaveProperty('sessions')
+  })
+})
+
+describe('authPlugin - runtime user-key resolution', () => {
+  /**
+   * Build a minimal AccessContext whose `db` records which model key was
+   * accessed, so we can assert the runtime resolves the configured user model.
+   */
+  function makeFakeContext(session: { userId?: string } | null) {
+    const accessedKeys: string[] = []
+    const db = new Proxy(
+      {},
+      {
+        get(_target, key: string) {
+          accessedKeys.push(key)
+          return {
+            findUnique: async ({ where }: { where: { id: string } }) => ({
+              id: where.id,
+              __model: key,
+            }),
+          }
+        },
+      },
+    )
+    const context = { session, db } as unknown as AccessContext
+    return { context, accessedKeys }
+  }
+
+  it('getUser uses the default `user` db key when no modelName override', () => {
+    const plugin = authPlugin({})
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    void services.getUser('u1')
+    expect(accessedKeys).toContain('user')
+  })
+
+  it('getUser uses the configured user model db key (AuthUser -> authUser)', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    const user = (await services.getUser('u1')) as { __model: string }
+    expect(accessedKeys).toContain('authUser')
+    expect(accessedKeys).not.toContain('user')
+    expect(user.__model).toBe('authUser')
+  })
+
+  it('getCurrentUser uses the configured user model db key', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context, accessedKeys } = makeFakeContext({ userId: 'u1' })
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    const user = (await services.getCurrentUser()) as { __model: string }
+    expect(accessedKeys).toContain('authUser')
+    expect(user.__model).toBe('authUser')
+  })
+
+  it('getCurrentUser returns null when there is no session', async () => {
+    const plugin = authPlugin({ user: { modelName: 'AuthUser' } })
+    const { context } = makeFakeContext(null)
+    const services = plugin.runtime?.(context) as AuthRuntimeServices
+
+    expect(await services.getCurrentUser()).toBeNull()
+  })
+})

package/tests/plugin-schema-placement.test.ts

@@ -0,0 +1,121 @@
+import { describe, it, expect } from 'vitest'
+import { config, list } from '@opensaas/stack-core'
+import { text } from '@opensaas/stack-core/fields'
+import type { OpenSaasConfig } from '@opensaas/stack-core'
+import type { Plugin } from '@opensaas/stack-core/extend'
+import { authPlugin } from '../src/config/plugin.js'
+
+/**
+ * Run a config through plugin `init` (via `config()`) and then the auth
+ * plugin's `beforeGenerate` hook — mirroring the CLI generate pipeline — to
+ * observe the final config the generator would consume.
+ */
+async function generationConfig(userConfig: OpenSaasConfig): Promise<OpenSaasConfig> {
+  const resolved = await config(userConfig)
+  let current = resolved
+  const plugins: Plugin[] = resolved.plugins ?? []
+  for (const plugin of plugins) {
+    if (plugin.beforeGenerate) {
+      current = await plugin.beforeGenerate(current)
+    }
+  }
+  return current
+}
+
+describe('authPlugin - schema placement (greenfield default)', () => {
+  it('places Auth lists in no schema and leaves the datasource untouched when no schema option is set', async () => {
+    const result = await generationConfig({
+      db: { provider: 'postgresql' },
+      plugins: [authPlugin({})],
+      lists: {},
+    })
+
+    // Default keys, no @@schema, no @@map. Auth lists still opt into
+    // auto-timestamps (ADR-0004), so db carries only `timestamps: true`.
+    expect(result.lists.User.db).toEqual({ timestamps: true })
+    expect(result.lists.User.db?.schema).toBeUndefined()
+    expect(result.lists.User.db?.map).toBeUndefined()
+    expect(result.lists.Session.db?.schema).toBeUndefined()
+    expect(result.lists.Account.db?.schema).toBeUndefined()
+    expect(result.lists.Verification.db?.schema).toBeUndefined()
+
+    // Datasource is NOT switched to multi-schema
+    expect(result.db.schemas).toBeUndefined()
+  })
+})
+
+describe('authPlugin - schema placement (adopt existing auth-schema install)', () => {
+  it('places all Auth lists in the configured schema with @@schema + @@map and wires the datasource', async () => {
+    const result = await generationConfig({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          schema: 'auth',
+          user: { modelName: 'AuthUser' },
+          session: { modelName: 'AuthSession' },
+          account: { modelName: 'AuthAccount' },
+          verification: { modelName: 'AuthVerification' },
+        }),
+      ],
+      // The app keeps its own domain User in the default schema
+      lists: {
+        User: list({
+          fields: { subjectId: text({ validation: { isRequired: true } }) },
+        }),
+      },
+    })
+
+    // Auth lists land in the `auth` schema, pinned to their live table names.
+    // Auto-timestamps stay enabled (ADR-0004) alongside the @@map + @@schema.
+    expect(result.lists.AuthUser.db).toEqual({ timestamps: true, map: 'AuthUser', schema: 'auth' })
+    expect(result.lists.AuthSession.db).toEqual({
+      timestamps: true,
+      map: 'AuthSession',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthAccount.db).toEqual({
+      timestamps: true,
+      map: 'AuthAccount',
+      schema: 'auth',
+    })
+    expect(result.lists.AuthVerification.db).toEqual({
+      timestamps: true,
+      map: 'AuthVerification',
+      schema: 'auth',
+    })
+
+    // The app's own User is left in `public` (not extended/overwritten, not in `auth`)
+    expect(result.lists.User.fields).toHaveProperty('subjectId')
+    expect(result.lists.User.fields).not.toHaveProperty('email')
+    expect(result.lists.User.db?.schema).toBe('public')
+
+    // Datasource gains both schemas (public always included) so the multi-schema
+    // Prisma schema is valid
+    expect(result.db.schemas).toEqual(['public', 'auth'])
+  })
+
+  it('honours a per-list schema override on a single Auth list', async () => {
+    const result = await generationConfig({
+      db: { provider: 'postgresql' },
+      plugins: [
+        authPlugin({
+          schema: 'auth',
+          user: { modelName: 'AuthUser' },
+          session: { modelName: 'AuthSession' },
+          account: { modelName: 'AuthAccount' },
+          // Override: verification lives in a different schema
+          verification: { modelName: 'AuthVerification', schema: 'auth_internal' },
+        }),
+      ],
+      lists: {},
+    })
+
+    expect(result.lists.AuthUser.db?.schema).toBe('auth')
+    expect(result.lists.AuthVerification.db?.schema).toBe('auth_internal')
+
+    // All used schemas are listed on the datasource (order: public, then discovered)
+    expect(result.db.schemas).toContain('public')
+    expect(result.db.schemas).toContain('auth')
+    expect(result.db.schemas).toContain('auth_internal')
+  })
+})