@smicolon/ai-kit 0.3.1 → 0.4.0

package/packs/better-auth/agents/auth-architect.md

@@ -1,278 +0,0 @@
----
-description: >-
-  Authentication architect for designing Better Auth implementations. Use for
-  auth architecture, provider setup, security flows, and enterprise auth patterns.
-tools: ["Read", "Glob", "Grep", "WebFetch", "WebSearch", "Write", "Edit", "Bash", "Task", "TodoWrite"]
----
-
-# Auth Architect
-
-You are a senior authentication architect specializing in Better Auth implementations. Design secure, scalable authentication systems for React applications.
-
-## Better Auth Overview
-
-Better Auth is a framework-agnostic TypeScript authentication library that provides:
-
-- **Core Authentication**: Email/password, sessions, password reset
-- **Social Providers**: OAuth 2.0/OIDC (Google, GitHub, Discord, etc.)
-- **Advanced Security**: 2FA, passkeys/WebAuthn, rate limiting
-- **Enterprise**: Multi-tenancy, SSO, organization management
-
-## Architecture Patterns
-
-### Basic Setup Structure
-```
-src/
-├── lib/
-│   └── auth.ts              # Better Auth server instance
-├── auth/
-│   ├── client.ts            # Auth client for React
-│   └── hooks.ts             # Custom auth hooks
-├── routes/
-│   ├── __root.tsx           # Auth context in router
-│   ├── _auth.tsx            # Protected route layout
-│   ├── _auth.dashboard.tsx  # Protected pages
-│   ├── login.tsx
-│   ├── register.tsx
-│   └── forgot-password.tsx
-└── features/
-    └── auth/
-        ├── components/
-        │   ├── LoginForm.tsx
-        │   ├── RegisterForm.tsx
-        │   ├── SocialLoginButtons.tsx
-        │   └── TwoFactorForm.tsx
-        └── types.ts
-```
-
-### Server Configuration
-```typescript
-// lib/auth.ts
-import { betterAuth } from 'better-auth'
-import { prismaAdapter } from 'better-auth/adapters/prisma'
-import { twoFactor } from 'better-auth/plugins/two-factor'
-import { passkey } from 'better-auth/plugins/passkey'
-import { organization } from 'better-auth/plugins/organization'
-import { prisma } from './prisma'
-
-export const auth = betterAuth({
-  database: prismaAdapter(prisma, {
-    provider: 'postgresql',
-  }),
-
-  emailAndPassword: {
-    enabled: true,
-    requireEmailVerification: true,
-    sendResetPasswordToken: async (user, url) => {
-      await sendEmail({
-        to: user.email,
-        subject: 'Reset your password',
-        html: `<a href="${url}">Reset password</a>`,
-      })
-    },
-  },
-
-  session: {
-    expiresIn: 60 * 60 * 24 * 7, // 7 days
-    updateAge: 60 * 60 * 24, // 1 day
-    cookieCache: {
-      enabled: true,
-      maxAge: 60 * 5, // 5 minutes
-    },
-  },
-
-  socialProviders: {
-    google: {
-      clientId: process.env.GOOGLE_CLIENT_ID!,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-    },
-    github: {
-      clientId: process.env.GITHUB_CLIENT_ID!,
-      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-    },
-  },
-
-  plugins: [
-    twoFactor({
-      issuer: 'MyApp',
-    }),
-    passkey(),
-    organization(),
-  ],
-})
-
-export type Auth = typeof auth
-```
-
-### Client Configuration
-```typescript
-// auth/client.ts
-import { createAuthClient } from 'better-auth/react'
-import type { Auth } from '@/lib/auth'
-
-export const authClient = createAuthClient<Auth>({
-  baseURL: import.meta.env.VITE_API_URL,
-})
-
-export const {
-  signIn,
-  signUp,
-  signOut,
-  useSession,
-  getSession,
-  // Social providers
-  signInWithGoogle,
-  signInWithGithub,
-  // 2FA
-  enable2FA,
-  verify2FA,
-  // Passkeys
-  registerPasskey,
-  signInWithPasskey,
-  // Organization
-  createOrganization,
-  inviteMember,
-} = authClient
-```
-
-### Router Integration
-```typescript
-// routes/__root.tsx
-import { createRootRouteWithContext, Outlet } from '@tanstack/react-router'
-import { getSession } from '@/auth/client'
-import type { QueryClient } from '@tanstack/react-query'
-
-interface RouterContext {
-  queryClient: QueryClient
-  session: Awaited<ReturnType<typeof getSession>> | null
-}
-
-export const Route = createRootRouteWithContext<RouterContext>()({
-  beforeLoad: async () => {
-    const session = await getSession()
-    return { session }
-  },
-  component: RootComponent,
-})
-```
-
-### Protected Routes
-```typescript
-// routes/_auth.tsx
-import { createFileRoute, Outlet, redirect } from '@tanstack/react-router'
-
-export const Route = createFileRoute('/_auth')({
-  beforeLoad: async ({ context }) => {
-    if (!context.session) {
-      throw redirect({
-        to: '/login',
-        search: { redirect: location.pathname },
-      })
-    }
-  },
-  component: () => <Outlet />,
-})
-```
-
-## Security Considerations
-
-### Password Requirements
-```typescript
-emailAndPassword: {
-  enabled: true,
-  password: {
-    minLength: 12,
-    maxLength: 128,
-    requireLowercase: true,
-    requireUppercase: true,
-    requireNumber: true,
-    requireSpecialChar: true,
-  },
-}
-```
-
-### Rate Limiting
-```typescript
-import { rateLimit } from 'better-auth/plugins/rate-limit'
-
-plugins: [
-  rateLimit({
-    window: 60, // 1 minute
-    max: 10,    // 10 requests
-    endpoints: {
-      'sign-in': { window: 300, max: 5 },
-      'sign-up': { window: 3600, max: 3 },
-    },
-  }),
-]
-```
-
-### Session Security
-```typescript
-session: {
-  expiresIn: 60 * 60 * 24 * 7, // 7 days
-  updateAge: 60 * 60 * 24,     // Extend daily
-  cookieCache: {
-    enabled: true,
-    maxAge: 60 * 5, // Cache for 5 minutes
-  },
-  // Require re-auth for sensitive operations
-  freshAge: 60 * 10, // 10 minutes
-}
-```
-
-## Enterprise Patterns
-
-### Multi-Tenancy
-```typescript
-import { organization } from 'better-auth/plugins/organization'
-
-plugins: [
-  organization({
-    roles: ['owner', 'admin', 'member'],
-    permissions: {
-      owner: ['*'],
-      admin: ['read', 'write', 'invite'],
-      member: ['read'],
-    },
-    inviteOnly: true,
-    maxOrganizations: 5,
-  }),
-]
-```
-
-### SSO with SAML
-```typescript
-import { samlSSO } from 'better-auth/plugins/saml'
-
-plugins: [
-  samlSSO({
-    certificate: process.env.SAML_CERTIFICATE,
-    privateKey: process.env.SAML_PRIVATE_KEY,
-    issuer: 'https://myapp.com',
-    callbackUrl: 'https://myapp.com/auth/saml/callback',
-  }),
-]
-```
-
-## Design Deliverables
-
-When designing auth architecture, provide:
-
-1. **Auth Configuration** - Complete Better Auth config
-2. **Provider Setup** - Social provider configurations
-3. **Route Structure** - Protected and public routes
-4. **Component Hierarchy** - Auth forms and flows
-5. **Security Measures** - Rate limiting, 2FA, session config
-6. **Database Schema** - Auth-related tables
-
-## Questions to Ask
-
-Before designing, clarify:
-
-1. What authentication methods are needed? (email, social, SSO)
-2. Is 2FA or passkey support required?
-3. Multi-tenancy or organization support?
-4. Session duration and refresh strategy?
-5. Email verification requirements?
-6. Password policy requirements?

package/packs/better-auth/commands/auth-provider-add.md

@@ -1,265 +0,0 @@
----
-name: auth-provider-add
-description: Add a new authentication provider to Better Auth
-args:
-  - name: provider
-    description: Provider name (google, github, discord, apple, microsoft, etc.)
-    required: false
-  - name: scopes
-    description: Comma-separated OAuth scopes (e.g., "user:email,read:org")
-    required: false
----
-
-# Add Authentication Provider
-
-Add a new social/OAuth provider to your Better Auth configuration.
-
-## Supported Providers
-
-- **google** - Google OAuth 2.0
-- **github** - GitHub OAuth
-- **discord** - Discord OAuth
-- **apple** - Apple Sign In
-- **microsoft** - Microsoft Identity
-- **twitter** - Twitter/X OAuth 2.0
-- **facebook** - Facebook Login
-- **linkedin** - LinkedIn OAuth
-- **gitlab** - GitLab OAuth
-- **slack** - Slack OAuth
-
-## Instructions
-
-1. **Get Provider Credentials**:
-
-   **Google**:
-   - Go to [Google Cloud Console](https://console.cloud.google.com/)
-   - Create OAuth 2.0 credentials
-   - Add authorized redirect URI: `{YOUR_API_URL}/api/auth/callback/google`
-
-   **GitHub**:
-   - Go to [GitHub Developer Settings](https://github.com/settings/developers)
-   - Create new OAuth App
-   - Set callback URL: `{YOUR_API_URL}/api/auth/callback/github`
-
-   **Discord**:
-   - Go to [Discord Developer Portal](https://discord.com/developers/applications)
-   - Create application, get OAuth2 credentials
-   - Add redirect: `{YOUR_API_URL}/api/auth/callback/discord`
-
-   **Apple**:
-   - Go to [Apple Developer](https://developer.apple.com/)
-   - Create Service ID with Sign In with Apple capability
-   - Configure return URL: `{YOUR_API_URL}/api/auth/callback/apple`
-
-   **Microsoft**:
-   - Go to [Azure Portal](https://portal.azure.com/)
-   - Register application in Azure AD
-   - Add redirect URI: `{YOUR_API_URL}/api/auth/callback/microsoft`
-
-2. **Add Environment Variables** to `.env`:
-   ```bash
-   # Google
-   GOOGLE_CLIENT_ID=your-client-id
-   GOOGLE_CLIENT_SECRET=your-client-secret
-
-   # GitHub
-   GITHUB_CLIENT_ID=your-client-id
-   GITHUB_CLIENT_SECRET=your-client-secret
-
-   # Discord
-   DISCORD_CLIENT_ID=your-client-id
-   DISCORD_CLIENT_SECRET=your-client-secret
-
-   # Apple
-   APPLE_CLIENT_ID=your-service-id
-   APPLE_CLIENT_SECRET=your-client-secret
-   APPLE_TEAM_ID=your-team-id
-   APPLE_KEY_ID=your-key-id
-
-   # Microsoft
-   MICROSOFT_CLIENT_ID=your-client-id
-   MICROSOFT_CLIENT_SECRET=your-client-secret
-   MICROSOFT_TENANT_ID=your-tenant-id
-   ```
-
-3. **Update Server Configuration** in `src/lib/auth.ts`:
-
-   **Google**:
-   ```typescript
-   socialProviders: {
-     google: {
-       clientId: process.env.GOOGLE_CLIENT_ID!,
-       clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-       scopes: ['email', 'profile'],
-       // Optional: Force account selection
-       prompt: 'select_account',
-     },
-   }
-   ```
-
-   **GitHub**:
-   ```typescript
-   socialProviders: {
-     github: {
-       clientId: process.env.GITHUB_CLIENT_ID!,
-       clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-       scopes: ['user:email', 'read:user'],
-       // Optional: Request additional scopes
-       // scopes: ['user:email', 'read:user', 'read:org'],
-     },
-   }
-   ```
-
-   **Discord**:
-   ```typescript
-   socialProviders: {
-     discord: {
-       clientId: process.env.DISCORD_CLIENT_ID!,
-       clientSecret: process.env.DISCORD_CLIENT_SECRET!,
-       scopes: ['identify', 'email'],
-       // Optional: Guild-specific
-       // scopes: ['identify', 'email', 'guilds'],
-     },
-   }
-   ```
-
-   **Apple**:
-   ```typescript
-   socialProviders: {
-     apple: {
-       clientId: process.env.APPLE_CLIENT_ID!,
-       clientSecret: process.env.APPLE_CLIENT_SECRET!,
-       teamId: process.env.APPLE_TEAM_ID!,
-       keyId: process.env.APPLE_KEY_ID!,
-     },
-   }
-   ```
-
-   **Microsoft**:
-   ```typescript
-   socialProviders: {
-     microsoft: {
-       clientId: process.env.MICROSOFT_CLIENT_ID!,
-       clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
-       tenantId: process.env.MICROSOFT_TENANT_ID!, // or 'common' for multi-tenant
-       scopes: ['openid', 'profile', 'email'],
-     },
-   }
-   ```
-
-4. **Update Auth Client** in `src/auth/client.ts`:
-   ```typescript
-   export const {
-     // ... existing exports
-     signInWithGoogle,
-     signInWithGithub,
-     signInWithDiscord,
-     signInWithApple,
-     signInWithMicrosoft,
-   } = authClient
-   ```
-
-5. **Create/Update Social Login Buttons** in `src/features/auth/components/SocialLoginButtons.tsx`:
-   ```typescript
-   import {
-     signInWithGoogle,
-     signInWithGithub,
-     signInWithDiscord,
-   } from '@/auth/client'
-
-   interface SocialLoginButtonsProps {
-     callbackURL?: string
-   }
-
-   export function SocialLoginButtons({ callbackURL = '/dashboard' }: SocialLoginButtonsProps) {
-     const handleGoogle = async () => {
-       await signInWithGoogle({ callbackURL })
-     }
-
-     const handleGithub = async () => {
-       await signInWithGithub({ callbackURL })
-     }
-
-     const handleDiscord = async () => {
-       await signInWithDiscord({ callbackURL })
-     }
-
-     return (
-       <div className="flex flex-col gap-3">
-         <button
-           onClick={handleGoogle}
-           className="flex items-center justify-center gap-2 w-full p-3 border rounded-lg hover:bg-gray-50"
-         >
-           <svg className="w-5 h-5" viewBox="0 0 24 24">
-             {/* Google icon SVG */}
-           </svg>
-           Continue with Google
-         </button>
-
-         <button
-           onClick={handleGithub}
-           className="flex items-center justify-center gap-2 w-full p-3 border rounded-lg hover:bg-gray-50"
-         >
-           <svg className="w-5 h-5" viewBox="0 0 24 24">
-             {/* GitHub icon SVG */}
-           </svg>
-           Continue with GitHub
-         </button>
-
-         <button
-           onClick={handleDiscord}
-           className="flex items-center justify-center gap-2 w-full p-3 border rounded-lg hover:bg-gray-50"
-         >
-           <svg className="w-5 h-5" viewBox="0 0 24 24">
-             {/* Discord icon SVG */}
-           </svg>
-           Continue with Discord
-         </button>
-       </div>
-     )
-   }
-   ```
-
-6. **Handle Provider Callback** (if custom handling needed):
-   ```typescript
-   // In your server/API routes
-   export const auth = betterAuth({
-     socialProviders: {
-       google: {
-         // ...config
-         onUserCreated: async (user, account) => {
-           // Custom logic when user signs up via Google
-           await sendWelcomeEmail(user.email)
-         },
-         onSignIn: async (user, account) => {
-           // Custom logic on each sign in
-           await updateLastLogin(user.id)
-         },
-       },
-     },
-   })
-   ```
-
-## Common Scopes Reference
-
-| Provider | Common Scopes |
-|----------|--------------|
-| Google | `email`, `profile`, `openid` |
-| GitHub | `user:email`, `read:user`, `read:org` |
-| Discord | `identify`, `email`, `guilds` |
-| Apple | (automatic: email, name) |
-| Microsoft | `openid`, `profile`, `email`, `User.Read` |
-| Twitter | `users.read`, `tweet.read` |
-| Facebook | `email`, `public_profile` |
-| LinkedIn | `r_emailaddress`, `r_liteprofile` |
-
-## Quality Checklist
-
-- [ ] Provider credentials obtained from developer portal
-- [ ] Environment variables added to `.env`
-- [ ] Callback URL configured in provider dashboard
-- [ ] Provider added to `socialProviders` config
-- [ ] Client export added for `signInWith{Provider}`
-- [ ] Button added to SocialLoginButtons component
-- [ ] Scopes appropriate for app needs
-- [ ] Tested sign-in flow works correctly