@payez/next-mvp 4.0.45 → 4.0.47

package/dist/lib/{nextauth-secret.js → auth-secret.js}

@@ -1,24 +1,37 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveNextAuthSecret = resolveNextAuthSecret;
+exports.resolveAuthSecret = resolveAuthSecret;
 require("server-only");
 const secret_validation_1 = require("./secret-validation");
 const crypto_1 = require("crypto");
 let cachedSecret = null;
 let lastFetchedAt = 0;
 /**
- * Resolve the NextAuth secret (server-only).
+ * Resolve the Better Auth signing secret (server-only).
  *
  * Priority:
- * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
- * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
- * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ * 1) Use process.env.BETTER_AUTH_SECRET (preferred) or NEXTAUTH_SECRET (legacy)
+ *    if present — allows overrides/production via env.
+ * 2) Fetch from IDP broker endpoint — IDP handles all Key Vault/signing.
+ * 3) Cache result in-memory and set process.env.BETTER_AUTH_SECRET for
+ *    subsequent calls.
+ *
+ * NOTE on naming: this secret is the cryptographic key Better Auth uses to
+ * sign session JWTs. The IDP backend still names the broker endpoint and
+ * response field with the legacy "next-auth" / "nextAuthSecret" names; we
+ * read both new and legacy on the wire during the migration window.
  */
-async function resolveNextAuthSecret() {
-    // Check if already in environment
-    if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+async function resolveAuthSecret() {
+    // Check if already in environment (prefer new name, fall back to legacy)
+    const envSecret = (process.env.BETTER_AUTH_SECRET && process.env.BETTER_AUTH_SECRET.trim() !== ''
+        ? process.env.BETTER_AUTH_SECRET
+        : undefined) ||
+        (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== ''
+            ? process.env.NEXTAUTH_SECRET
+            : undefined);
+    if (envSecret) {
         // Silent - already configured
-        return process.env.NEXTAUTH_SECRET;
+        return envSecret;
     }
     // Check if cached and fresh (within 5 minutes)
     if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
@@ -64,7 +77,8 @@ async function resolveNextAuthSecret() {
     if (!client_assertion || typeof client_assertion !== 'string') {
         throw new Error('IDP did not return a valid signed client assertion');
     }
-    // Step 2: Use the signed assertion to fetch the NextAuth secret
+    // Step 2: Use the signed assertion to fetch the auth secret
+    // (Endpoint is still served at /next-auth/secret on the IDP — legacy path.)
     const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
     const proxyResp = await fetch(proxyUrl.toString(), {
         method: 'POST',
@@ -83,18 +97,20 @@ async function resolveNextAuthSecret() {
     }
     const proxyBody = await proxyResp.json().catch(() => ({}));
     const secret = (proxyBody?.data?.secret ?? proxyBody?.secret);
-    const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration);
     // Configuration is available but we don't log it verbosely
     if (!secret || typeof secret !== 'string') {
-        throw new Error('Proxy did not return a valid NextAuth secret');
+        throw new Error('Proxy did not return a valid auth secret');
     }
-    const validation = (0, secret_validation_1.validateNextAuthSecret)(secret);
+    const validation = (0, secret_validation_1.validateAuthSecret)(secret);
     if (!validation.valid) {
-        throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+        throw new Error(`Fetched auth secret failed validation: ${validation.reason}`);
     }
     cachedSecret = secret;
     lastFetchedAt = Date.now();
+    process.env.BETTER_AUTH_SECRET = secret;
+    // Also set legacy name during transition so any consumer still reading
+    // process.env.NEXTAUTH_SECRET keeps working until they upgrade.
     process.env.NEXTAUTH_SECRET = secret;
-    console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+    console.log('[AUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
     return secret;
 }

package/dist/lib/demo-mode.js

@@ -12,5 +12,7 @@ function isDemoMode() {
 function isAuthConfigured() {
     if (isDemoMode())
         return false;
-    return !!(process.env.NEXTAUTH_SECRET || (process.env.NEXT_CLIENT_ID && process.env.NEXT_CLIENT_PRIVATE_KEY_PEM));
+    return !!(process.env.BETTER_AUTH_SECRET ||
+        process.env.NEXTAUTH_SECRET ||
+        (process.env.NEXT_CLIENT_ID && process.env.NEXT_CLIENT_PRIVATE_KEY_PEM));
 }

package/dist/lib/idp-client-config.d.ts

@@ -5,7 +5,7 @@
  * - OAuth provider credentials (from Key Vault)
  * - 2FA/MFA settings
  * - Session configuration
- * - NextAuth secret
+ * - Better Auth signing secret
  * - Branding
  *
  * CACHING STRATEGY:
@@ -47,7 +47,11 @@ export interface BrandingConfig {
 export interface IDPClientConfig {
     clientId: string;
     clientSlug: string;
-    nextAuthSecret: string;
+    /**
+     * Cryptographic secret used by Better Auth to sign session JWTs.
+     * Historically named "nextAuthSecret" — kept under the new name now.
+     */
+    authSecret: string;
     configCacheTtlSeconds: number;
     oauthProviders: OAuthProviderConfig[];
     authSettings: AuthSettings;

package/dist/lib/idp-client-config.js

@@ -6,7 +6,7 @@
  * - OAuth provider credentials (from Key Vault)
  * - 2FA/MFA settings
  * - Session configuration
- * - NextAuth secret
+ * - Better Auth signing secret
  * - Branding
  *
  * CACHING STRATEGY:
@@ -115,13 +115,14 @@ async function getIDPClientConfig(forceRefresh = false) {
             // Restore to in-memory cache
             cachedConfig = redisConfig;
             cacheExpiry = Date.now() + ((redisConfig.configCacheTtlSeconds || 300) * 1000);
-            // Set NEXTAUTH_SECRET from cached config
-            if (redisConfig.nextAuthSecret) {
-                process.env.NEXTAUTH_SECRET = redisConfig.nextAuthSecret;
+            // Set BETTER_AUTH_SECRET from cached config (also set legacy
+            // NEXTAUTH_SECRET during the rename transition).
+            if (redisConfig.authSecret) {
+                process.env.BETTER_AUTH_SECRET = redisConfig.authSecret;
+                process.env.NEXTAUTH_SECRET = redisConfig.authSecret;
             }
-            // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from cached config
-            // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
-            // Only set if not already defined (allows deployment override for beta/staging)
+            // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from cached config.
+            // Only set if not already defined (allows deployment override for beta/staging).
             if (redisConfig.baseClientUrl && !process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL) {
                 process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = redisConfig.baseClientUrl;
             }
@@ -149,16 +150,17 @@ async function getIDPClientConfig(forceRefresh = false) {
         cacheExpiry = Date.now() + ((config.configCacheTtlSeconds || 300) * 1000);
         // Store in Redis for persistence across module reloads
         await setConfigInRedis(config);
-        // Set NEXTAUTH_SECRET from config
-        if (config.nextAuthSecret) {
-            process.env.NEXTAUTH_SECRET = config.nextAuthSecret;
+        // Set BETTER_AUTH_SECRET from config (also set legacy
+        // NEXTAUTH_SECRET during the rename transition).
+        if (config.authSecret) {
+            process.env.BETTER_AUTH_SECRET = config.authSecret;
+            process.env.NEXTAUTH_SECRET = config.authSecret;
         }
         else {
-            throw new Error('[IDP_CONFIG] FATAL: IDP did not return nextAuthSecret');
+            throw new Error('[IDP_CONFIG] FATAL: IDP did not return authSecret');
         }
-        // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from config
-        // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
-        // Only set if not already defined (allows deployment override for beta/staging)
+        // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from config.
+        // Only set if not already defined (allows deployment override for beta/staging).
         if (config.baseClientUrl && !process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL) {
             process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = config.baseClientUrl;
             console.log("[IDP_CONFIG] Set IDENTITY_CLIENT_BASE_EXTERNAL_URL:", config.baseClientUrl);
@@ -230,7 +232,13 @@ async function fetchConfigFromInternalIDP(internalIdpUrl, clientIdStr) {
     const config = {
         clientId: String(rawClientId),
         clientSlug: configData.clientSlug ?? configData.client_slug ?? configData.slug ?? '',
-        nextAuthSecret: configData.nextAuthSecret ?? configData.next_auth_secret ?? '',
+        // Wire compatibility: accept new authSecret first, fall back to legacy
+        // nextAuthSecret/next_auth_secret while IDP rename rolls out.
+        authSecret: configData.authSecret ??
+            configData.auth_secret ??
+            configData.nextAuthSecret ??
+            configData.next_auth_secret ??
+            '',
         configCacheTtlSeconds: configData.configCacheTtlSeconds ?? configData.config_cache_ttl_seconds ?? 300,
         oauthProviders: (configData.oauthProviders ?? configData.oauth_providers ?? []).map((p) => ({
             provider: p.provider ?? '',
@@ -260,8 +268,8 @@ async function fetchConfigFromInternalIDP(internalIdpUrl, clientIdStr) {
         },
         baseClientUrl: configData.baseClientUrl ?? configData.base_client_url ?? configData.BaseClientUrl
     };
-    if (!config.nextAuthSecret) {
-        throw new Error('[IDP_CONFIG] FATAL: Internal IDP did not return nextAuthSecret');
+    if (!config.authSecret) {
+        throw new Error('[IDP_CONFIG] FATAL: Internal IDP did not return authSecret');
     }
     console.log(`[IDP_CONFIG] Internal IDP config loaded for ${clientIdStr}`);
     consecutiveFailures = 0;
@@ -366,11 +374,17 @@ async function fetchConfigFromIDP(idpUrl, clientIdStr) {
         if (rawClientId === undefined || rawClientId === null) {
             throw new Error(`[IDP_CONFIG] FATAL: IDP response missing clientId/client_id. Got: ${JSON.stringify(Object.keys(configData))}`);
         }
-        // Map response to our interface (IDP always returns snake_case)
+        // Map response to our interface (IDP returns camelCase or snake_case).
+        // Wire compatibility: accept new authSecret first, fall back to legacy
+        // nextAuthSecret/next_auth_secret while IDP rename rolls out.
         const config = {
             clientId: String(rawClientId),
             clientSlug: configData.clientSlug ?? configData.client_slug ?? configData.slug ?? '',
-            nextAuthSecret: configData.nextAuthSecret ?? configData.next_auth_secret ?? '',
+            authSecret: configData.authSecret ??
+                configData.auth_secret ??
+                configData.nextAuthSecret ??
+                configData.next_auth_secret ??
+                '',
             configCacheTtlSeconds: configData.configCacheTtlSeconds ?? configData.config_cache_ttl_seconds ?? 300,
             oauthProviders: (configData.oauthProviders ?? configData.oauth_providers ?? []).map((p) => ({
                 provider: p.provider ?? '',
@@ -418,8 +432,8 @@ async function fetchConfigFromIDP(idpUrl, clientIdStr) {
         if (!config.clientId) {
             throw new Error('[IDP_CONFIG] FATAL: clientId is empty or missing after parsing');
         }
-        if (!config.nextAuthSecret) {
-            throw new Error('[IDP_CONFIG] FATAL: nextAuthSecret is empty after parsing');
+        if (!config.authSecret) {
+            throw new Error('[IDP_CONFIG] FATAL: authSecret is empty after parsing');
         }
         // Success - reset failure tracking
         consecutiveFailures = 0;

package/dist/lib/secret-validation.d.ts

@@ -1,4 +1,4 @@
-export declare function validateNextAuthSecret(secret: string): {
+export declare function validateAuthSecret(secret: string): {
     valid: boolean;
     reason?: string;
 };

package/dist/lib/secret-validation.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateNextAuthSecret = validateNextAuthSecret;
-function validateNextAuthSecret(secret) {
+exports.validateAuthSecret = validateAuthSecret;
+function validateAuthSecret(secret) {
     if (!secret || typeof secret !== 'string')
         return { valid: false, reason: 'missing' };
     if (secret.length < 32)

package/dist/lib/startup-init.d.ts

@@ -4,8 +4,8 @@
  * This module ensures that critical initialization tasks are completed
  * before the application serves requests.
  *
- * Now uses unified IDP client config for:
- * - NEXTAUTH_SECRET
+ * Uses unified IDP client config for:
+ * - BETTER_AUTH_SECRET (the Better Auth signing secret)
  * - OAuth provider configuration
  * - Auth settings (2FA, session timeouts, etc.)
  */
@@ -27,7 +27,7 @@ export declare function logStartupStatus(): void;
  */
 export declare function getStartupIDPConfig(): IDPClientConfig | null;
 /**
- * Check if initialization failed (NEXTAUTH_SECRET couldn't be retrieved)
+ * Check if initialization failed (auth signing secret couldn't be retrieved)
  */
 export declare function isInitializationFailed(): boolean;
 /**

package/dist/lib/startup-init.js

@@ -5,8 +5,8 @@
  * This module ensures that critical initialization tasks are completed
  * before the application serves requests.
  *
- * Now uses unified IDP client config for:
- * - NEXTAUTH_SECRET
+ * Uses unified IDP client config for:
+ * - BETTER_AUTH_SECRET (the Better Auth signing secret)
  * - OAuth provider configuration
  * - Auth settings (2FA, session timeouts, etc.)
  */
@@ -105,7 +105,7 @@ function logStartupStatus() {
         console.log('║            🚀 PayEz Next MVP - Starting Up                    ║');
         console.log('║                                                              ║');
         console.log('║  Async initialization in progress...                         ║');
-        console.log('║  - Resolving NEXTAUTH_SECRET from IDP                       ║');
+        console.log('║  - Resolving BETTER_AUTH_SECRET from IDP                     ║');
         console.log('║  - Verifying environment configuration                       ║');
         console.log('║                                                              ║');
         console.log('║  Check logs below for detailed initialization status:        ║');
@@ -144,15 +144,20 @@ async function performInitialization() {
             console.log('[STARTUP] Client config loaded successfully');
             console.log('[STARTUP]    - Client ID:', config.clientId);
             console.log('[STARTUP]    - Client Slug:', config.clientSlug);
-            console.log('[STARTUP]    - Secret length:', config.nextAuthSecret?.length || 0, 'chars');
+            console.log('[STARTUP]    - Secret length:', config.authSecret?.length || 0, 'chars');
             console.log('[STARTUP]    - OAuth Providers:', config.oauthProviders?.filter(p => p.enabled).map(p => p.provider).join(', ') || 'none');
             console.log('[STARTUP]    - Require 2FA:', config.authSettings?.require2FA);
             console.log('[STARTUP]    - Cache TTL:', config.configCacheTtlSeconds, 'seconds');
             console.log('[STARTUP]    - Base Client URL:', config.baseClientUrl || '(not set)');
-            // Set NEXTAUTH_SECRET from IDP response if not already set
-            if (config.nextAuthSecret && !process.env.NEXTAUTH_SECRET) {
-                process.env.NEXTAUTH_SECRET = config.nextAuthSecret;
-                console.log('[STARTUP] Set NEXTAUTH_SECRET from IDP config');
+            // Set BETTER_AUTH_SECRET from IDP response if not already set.
+            // Also mirror to legacy NEXTAUTH_SECRET during the rename transition
+            // so any consumer code still reading the old name keeps working.
+            if (config.authSecret && !process.env.BETTER_AUTH_SECRET) {
+                process.env.BETTER_AUTH_SECRET = config.authSecret;
+                console.log('[STARTUP] Set BETTER_AUTH_SECRET from IDP config');
+            }
+            if (config.authSecret && !process.env.NEXTAUTH_SECRET) {
+                process.env.NEXTAUTH_SECRET = config.authSecret;
             }
         }
         catch (error) {
@@ -161,15 +166,15 @@ async function performInitialization() {
             // No fallback available — IDP config is the only source for the auth secret
             console.error('[STARTUP] No fallback available for auth secret resolution');
         }
-        // Step 2: Verify NEXTAUTH_SECRET is available - FAIL FAST if not
-        console.log('[STARTUP] Step 2/2: Verifying NEXTAUTH_SECRET...');
-        const secret = process.env.NEXTAUTH_SECRET;
+        // Step 2: Verify BETTER_AUTH_SECRET is available - FAIL FAST if not
+        console.log('[STARTUP] Step 2/2: Verifying BETTER_AUTH_SECRET...');
+        const secret = process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET;
         if (!secret || secret.trim() === '') {
             console.error('');
             console.error('╔══════════════════════════════════════════════════════════════╗');
-            console.error('║   ❌ FATAL: NEXTAUTH_SECRET NOT AVAILABLE                     ║');
+            console.error('║   ❌ FATAL: BETTER_AUTH_SECRET NOT AVAILABLE                  ║');
             console.error('║                                                              ║');
-            console.error('║   The app cannot start without a valid NEXTAUTH_SECRET.      ║');
+            console.error('║   The app cannot start without a valid auth signing secret.  ║');
             console.error('║   This should be fetched from IDP at startup.                ║');
             console.error('║                                                              ║');
             console.error('║   Possible causes:                                           ║');
@@ -179,9 +184,9 @@ async function performInitialization() {
             console.error('║   • Network connectivity issue                               ║');
             console.error('╚══════════════════════════════════════════════════════════════╝');
             console.error('');
-            throw new Error('FATAL: NEXTAUTH_SECRET not available - cannot start without valid secret from IDP');
+            throw new Error('FATAL: BETTER_AUTH_SECRET not available - cannot start without valid secret from IDP');
         }
-        console.log('[STARTUP] NEXTAUTH_SECRET verified (' + secret.length + ' chars)');
+        console.log('[STARTUP] BETTER_AUTH_SECRET verified (' + secret.length + ' chars)');
         // Step 3: Validate cookie name consistency
         // This catches bugs where getJwtCookieName() returns a different name than
         // what auth-options.ts configures, which causes sessions to fail in production
@@ -210,9 +215,9 @@ async function performInitialization() {
             : '';
         console.error(`
 ╔══════════════════════════════════════════════════════════════╗
-║   ❌ FATAL: NEXTAUTH_SECRET NOT AVAILABLE                     ║
+║   ❌ FATAL: BETTER_AUTH_SECRET NOT AVAILABLE                  ║
 ║                                                              ║
-║   The app cannot start without a valid NEXTAUTH_SECRET.      ║
+║   The app cannot start without a valid auth signing secret.  ║
 ║   This should be fetched from IDP at startup.                ║
 ║                                                              ║
 ${connectionLine}║   Possible causes:                                           ║
@@ -240,7 +245,7 @@ function getStartupIDPConfig() {
     return cachedIDPConfig;
 }
 /**
- * Check if initialization failed (NEXTAUTH_SECRET couldn't be retrieved)
+ * Check if initialization failed (auth signing secret couldn't be retrieved)
  */
 function isInitializationFailed() {
     return initializationFailed;

package/dist/lib/test-aware-get-token.js

@@ -40,11 +40,11 @@ const app_slug_1 = require("./app-slug");
 async function getTokenTestAware(req) {
     if (process.env.TEST_MODE === 'true') {
         try {
-            let secret = process.env.NEXTAUTH_SECRET;
+            let secret = process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET;
             if (!secret || secret.trim() === '') {
                 const { getIDPClientConfig } = await Promise.resolve().then(() => __importStar(require('./idp-client-config')));
                 const idpConfig = await getIDPClientConfig();
-                secret = idpConfig.nextAuthSecret;
+                secret = idpConfig.authSecret;
             }
             // Use app-slug prefixed cookie name
             const cookieName = (0, app_slug_1.getSessionCookieName)();

package/dist/routes/account/masked-info.d.ts

@@ -24,7 +24,7 @@ export { POST } from '../../api-handlers/account/masked-info';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Masked email addresses

package/dist/routes/account/masked-info.js

@@ -30,7 +30,7 @@ Object.defineProperty(exports, "POST", { enumerable: true, get: function () { re
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Masked email addresses

package/dist/routes/account/send-code.d.ts

@@ -28,7 +28,7 @@ export { POST } from '../../api-handlers/account/send-code';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Success status

package/dist/routes/account/send-code.js

@@ -33,7 +33,7 @@ Object.defineProperty(exports, "POST", { enumerable: true, get: function () { re
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Success status

package/dist/routes/account/verify-email.d.ts

@@ -27,7 +27,7 @@ export { POST } from '../../api-handlers/account/verify-email';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/dist/routes/account/verify-email.js

@@ -32,7 +32,7 @@ Object.defineProperty(exports, "POST", { enumerable: true, get: function () { re
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/dist/routes/account/verify-sms.d.ts

@@ -27,7 +27,7 @@ export { POST } from '../../api-handlers/account/verify-sms';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/dist/routes/account/verify-sms.js

@@ -32,7 +32,7 @@ Object.defineProperty(exports, "POST", { enumerable: true, get: function () { re
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/dist/routes/auth/refresh.js

@@ -17,10 +17,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.POST = POST;
 const refresh_1 = require("../../api-handlers/auth/refresh");
-const idp_client_config_1 = require("../../lib/idp-client-config");
-// Configuration is read at runtime from IDP config (cached)
-async function getConfig() {
-    const idpConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+// Configuration is read at runtime from environment.
+function getConfig() {
     const idpBaseUrl = process.env.IDP_URL;
     if (!idpBaseUrl) {
         throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
@@ -28,7 +26,6 @@ async function getConfig() {
     return {
         idpBaseUrl,
         clientId: process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID || '',
-        nextAuthSecret: idpConfig.nextAuthSecret || '',
         refreshEndpoint: process.env.REFRESH_ENDPOINT || '/api/ExternalAuth/refresh',
     };
 }
@@ -38,14 +35,12 @@ async function getConfig() {
  * Environment variables used:
  * - IDP_URL (REQUIRED)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
  * - REFRESH_ENDPOINT (default: /api/ExternalAuth/refresh)
  */
 let _handler = null;
 async function POST(req) {
     if (!_handler) {
-        const config = await getConfig();
-        _handler = (0, refresh_1.createRefreshHandler)(config);
+        _handler = (0, refresh_1.createRefreshHandler)(getConfig());
     }
     return _handler(req);
 }

package/dist/server/auth.d.ts

@@ -1,11 +1,8 @@
 /**
- * Server-side auth utilities for Better Auth (v4.0)
+ * Server-side auth utilities for Better Auth.
  *
- * Replaces:
- * - getToken() from next-auth/jwt
- * - getServerSession() from next-auth
- *
- * All server-side auth flows go through the Better Auth instance.
+ * All server-side auth flows go through the Better Auth instance returned by
+ * getAuthInstance(); use getSession(req) for the request-scoped session.
  */
 import 'server-only';
 /**
@@ -36,7 +33,7 @@ export declare function getAuthInstance(): Promise<import("better-auth/types").A
             };
         };
     };
-    plugins: [...any[], {
+    plugins: [{
         id: "next-cookies";
         hooks: {
             before: {

package/dist/server/auth.js

@@ -1,12 +1,9 @@
 "use strict";
 /**
- * Server-side auth utilities for Better Auth (v4.0)
+ * Server-side auth utilities for Better Auth.
  *
- * Replaces:
- * - getToken() from next-auth/jwt
- * - getServerSession() from next-auth
- *
- * All server-side auth flows go through the Better Auth instance.
+ * All server-side auth flows go through the Better Auth instance returned by
+ * getAuthInstance(); use getSession(req) for the request-scoped session.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;

package/dist/server/decode-session.js

@@ -166,9 +166,9 @@ async function decodeSession(requestCookies) {
             return null;
         }
         const config = await (0, idp_client_config_1.getIDPClientConfig)();
-        const secret = config.nextAuthSecret;
+        const secret = config.authSecret;
         if (!secret) {
-            console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
+            console.error('[DECODE-SESSION] No authSecret available from IDP config');
             return null;
         }
         const secretKey = new TextEncoder().encode(secret);

package/dist/vibe/hooks/index.d.ts

@@ -141,7 +141,7 @@ export declare function useVibeMutation<T extends VibeTableName, Op extends Muta
 /**
  * Convenience hook for creating records.
  */
-export declare function useVibeCreate<T extends VibeTableName>(table: T, options?: Omit<UseVibeMutationOptions<T, 'create'>, never>): import("@tanstack/react-query").UseMutationResult<VibeTableType<T>, VibeError, Omit<VibeTableType<T>, "id" | "created_at" | "updated_at">, unknown>;
+export declare function useVibeCreate<T extends VibeTableName>(table: T, options?: Omit<UseVibeMutationOptions<T, 'create'>, never>): import("@tanstack/react-query").UseMutationResult<VibeTableType<T>, VibeError, Omit<VibeTableType<T>, "created_at" | "id" | "updated_at">, unknown>;
 /**
  * Convenience hook for updating records.
  */