@snapback/cli 1.1.12 → 1.1.15

package/dist/auth-HFJRXXG2.js

@@ -0,0 +1,1446 @@
+#!/usr/bin/env node --no-warnings=ExperimentalWarning
+import { config, EntitlementsServiceImpl, getBaseUrl, ENABLE_ENHANCED_2FA, ENABLE_SSO, ENABLE_CAPTCHA, ENABLE_MULTI_SESSION, getOrganizationWithPurchasesAndMembersCount, getPendingInvitationByEmail } from './chunk-23G5VYA3.js';
+import './chunk-GQ73B37K.js';
+import { combinedSchema, db } from './chunk-HR34NJP7.js';
+import { trackEvent } from './chunk-XYU5FFE3.js';
+import './chunk-ICKSHS3A.js';
+import { logger } from './chunk-PL4HF4M2.js';
+import { createLogger, LogLevel } from './chunk-WS36HDEU.js';
+import './chunk-5EOPYJ4Y.js';
+import './chunk-CBGOC6RV.js';
+import { __name } from './chunk-7ADPL4Q3.js';
+import { passkey } from '@better-auth/passkey';
+import { sso } from '@better-auth/sso';
+import { render } from '@react-email/render';
+import { betterAuth } from 'better-auth';
+import { drizzleAdapter } from 'better-auth/adapters/drizzle';
+import { bearer, anonymous, deviceAuthorization, admin as admin$1, apiKey, jwt, magicLink, openAPI, organization, haveIBeenPwned, twoFactor, username, captcha, multiSession, createAuthMiddleware } from 'better-auth/plugins';
+import 'cookie';
+import { nanoid } from 'nanoid';
+import { createAccessControl } from 'better-auth/plugins/access';
+import { APIError } from 'better-auth/api';
+import 'drizzle-orm';
+import Stripe from 'stripe';
+
+process.env.SNAPBACK_CLI='true';
+
+// ../../packages/config/dist/client.js
+config.payments.plans;
+
+// ../../packages/integrations/dist/email/handlers/billing-events.js
+(class {
+  static {
+    __name(this, "BillingEmailHandler");
+  }
+  emailService;
+  constructor(emailService2) {
+    this.emailService = emailService2;
+  }
+  /**
+   * Send welcome email after successful subscription
+   */
+  async sendWelcome(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "onboarding",
+      priority: "high",
+      template: {
+        id: "product.welcome",
+        props: {
+          firstName: params.firstName,
+          planName: params.planName,
+          planFeatures: params.planFeatures,
+          dashboardUrl: params.dashboardUrl,
+          docsUrl: params.docsUrl,
+          pioneerTier: params.pioneerTier,
+          pioneerPoints: params.pioneerPoints
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+  /**
+   * Send subscription cancellation confirmation
+   */
+  async sendCancellationConfirmation(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "billing",
+      priority: "high",
+      template: {
+        id: "product.system-alert",
+        props: {
+          alertType: "subscription_cancelled",
+          title: "Subscription Cancelled",
+          message: `Your ${params.planName} subscription has been cancelled and will remain active until ${params.cancellationDate.toLocaleDateString()}. Your data will be retained for ${params.dataRetentionDays} days after that date.`,
+          severity: "info",
+          actionRequired: false,
+          additionalDetails: "You can reactivate your subscription at any time before the retention period ends.",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+  /**
+   * Send payment failure alert
+   */
+  async sendPaymentFailed(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "billing",
+      priority: "critical",
+      template: {
+        id: "product.system-alert",
+        props: {
+          alertType: "payment_failed",
+          title: "Payment Failed",
+          message: `We were unable to process your payment of ${params.amount} ${params.currency} for your ${params.planName} subscription. We'll automatically retry on ${params.retryDate.toLocaleDateString()}.`,
+          severity: "warning",
+          actionRequired: true,
+          actionUrl: params.updatePaymentUrl,
+          actionLabel: "Update Payment Method",
+          additionalDetails: "To avoid service interruption, please update your payment method or ensure sufficient funds are available.",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+  /**
+   * Send subscription upgraded notification
+   */
+  async sendSubscriptionUpgraded(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "billing",
+      priority: "normal",
+      template: {
+        id: "product.system-alert",
+        props: {
+          alertType: "subscription_upgraded",
+          title: "Subscription Upgraded",
+          message: `You've successfully upgraded from ${params.oldPlan} to ${params.newPlan}. Your new features are now active!`,
+          severity: "info",
+          actionRequired: false,
+          actionUrl: params.dashboardUrl,
+          actionLabel: "Explore New Features",
+          additionalDetails: `New features: ${params.newFeatures.join(", ")}`,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+  /**
+   * Send trial ending reminder
+   */
+  async sendTrialEnding(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "billing",
+      priority: "high",
+      template: {
+        id: "product.system-alert",
+        props: {
+          alertType: "trial_ending",
+          title: `Your ${params.planName} Trial Ends Soon`,
+          message: `Your free trial ends in ${params.daysRemaining} day${params.daysRemaining !== 1 ? "s" : ""} on ${params.trialEndDate.toLocaleDateString()}. Upgrade now to keep your data and continue using SnapBack.`,
+          severity: "warning",
+          actionRequired: true,
+          actionUrl: params.upgradeUrl,
+          actionLabel: "Upgrade Now",
+          additionalDetails: "After your trial ends, you can still access your account but snapshot capture will be disabled until you upgrade.",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+  /**
+   * Send suspension notice (Day 8 of grace period)
+   *
+   * Called when subscription transitions from past_due to suspended
+   * after 7-day grace period expires without successful payment.
+   */
+  async sendSuspensionNotice(params) {
+    const request = {
+      to: {
+        email: params.to,
+        userId: params.userId
+      },
+      category: "billing",
+      priority: "critical",
+      template: {
+        id: "product.system-alert",
+        props: {
+          alertType: "subscription_suspended",
+          title: "Your Subscription Has Been Suspended",
+          message: `Your ${params.planName} subscription has been suspended due to payment issues. Cloud features including snapshot sync, pattern library, and history are now paused.`,
+          severity: "error",
+          actionRequired: true,
+          actionUrl: params.reactivateUrl,
+          actionLabel: "Reactivate Now",
+          additionalDetails: "Update your payment method to restore full access. Your local CLI features remain available, but cloud syncing is disabled until payment is resolved.",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    };
+    await this.emailService.send(request);
+  }
+});
+
+// ../../packages/integrations/dist/email/provider/resend.js
+var from = process.env.MAIL_FROM || "noreply@snapback.dev";
+var send = /* @__PURE__ */ __name(async ({ to, subject, html }) => {
+  logger.info("\u{1F4E7} Resend: Sending email", {
+    to,
+    subject,
+    from
+  });
+  const response = await fetch("https://api.resend.com/emails", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${process.env.RESEND_API_KEY}`
+    },
+    body: JSON.stringify({
+      from,
+      to,
+      subject,
+      html
+    })
+  });
+  if (!response.ok) {
+    const errorData = await response.json();
+    logger.error("\u274C Resend: Email send failed", {
+      status: response.status,
+      statusText: response.statusText,
+      error: errorData,
+      to,
+      subject
+    });
+    throw new Error("Could not send email");
+  }
+  const data = await response.json();
+  logger.info("\u2705 Resend: Email sent successfully", {
+    to,
+    subject,
+    emailId: data.id
+  });
+}, "send");
+(class {
+  static {
+    __name(this, "EmailService");
+  }
+  middlewares = [];
+  templateRegistry;
+  providers = /* @__PURE__ */ new Map();
+  /**
+   * Add middleware to the processing chain
+   */
+  use(middleware) {
+    this.middlewares.push(middleware);
+    return this;
+  }
+  /**
+   * Primary send method with composable middleware
+   */
+  async send(request) {
+    if (request.dryRun) {
+      return this.handleDryRun(request);
+    }
+    const execute = this.middlewares.reduceRight((next, middleware) => () => middleware(request, next), () => this.executeDelivery(request));
+    return execute();
+  }
+  /**
+   * Template-based convenience method
+   */
+  async sendFromTemplate(options) {
+    const template = await this.templateRegistry?.get(options.templateId);
+    if (!template) {
+      return {
+        success: false,
+        error: `Template not found: ${options.templateId}`
+      };
+    }
+    const validation = template.schema.safeParse(options.context);
+    if (!validation.success) {
+      return {
+        success: false,
+        error: `Invalid template context: ${validation.error.message}`
+      };
+    }
+    const category = template.category;
+    const priority = this.getPriorityForCategory(category);
+    return this.send({
+      to: options.to,
+      provider: "auto",
+      category,
+      priority,
+      template: {
+        id: options.templateId,
+        props: validation.data
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Batch sending for digests
+   */
+  async sendBatch(requests) {
+    const results = await Promise.allSettled(requests.map((request) => this.send(request)));
+    const succeeded = results.filter((r) => r.status === "fulfilled" && r.value.success).length;
+    return {
+      total: requests.length,
+      succeeded,
+      failed: requests.length - succeeded,
+      results: results.map((r) => r.status === "fulfilled" ? r.value : {
+        success: false,
+        error: "Promise rejected"
+      })
+    };
+  }
+  /**
+   * Execute email delivery (called after middleware chain)
+   */
+  async executeDelivery(request) {
+    try {
+      const template = await this.templateRegistry?.get(request.template.id);
+      if (!template) {
+        throw new Error(`Template not found: ${request.template.id}`);
+      }
+      const html = await render(template.component(request.template.props));
+      const text = await render(template.component(request.template.props), {
+        plainText: true
+      });
+      const provider = this.selectProvider(request);
+      const result = await provider.send({
+        from: "SnapBack <noreply@snapback.dev>",
+        to: request.to.email,
+        subject: template.subject(request.template.props),
+        html,
+        text,
+        metadata: request.metadata
+      });
+      await this.trackDelivery({
+        userId: request.to.userId,
+        templateId: request.template.id,
+        category: request.category,
+        provider: request.provider || "resend",
+        recipientEmail: request.to.email,
+        subject: template.subject(request.template.props),
+        status: result.status,
+        emailId: result.id,
+        metadata: request.metadata
+      });
+      return {
+        success: result.status === "sent",
+        emailId: result.id,
+        error: result.error
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Handle dry-run mode (no actual email sent)
+   */
+  async handleDryRun(request) {
+    console.log("\u{1F50D} DRY RUN MODE - Email not sent");
+    console.log("  Template:", request.template.id);
+    console.log("  To:", request.to.email);
+    console.log("  Category:", request.category);
+    console.log("  Priority:", request.priority);
+    return {
+      success: true,
+      emailId: `dry-run-${Date.now()}`
+    };
+  }
+  /**
+   * Select provider based on category or explicit request
+   */
+  selectProvider(request) {
+    if (request.provider && request.provider !== "auto") {
+      return this.providers.get(request.provider);
+    }
+    const provider = request.category === "marketing" ? "hubspot" : "resend";
+    return this.providers.get(provider);
+  }
+  /**
+   * Get default priority for email category
+   */
+  getPriorityForCategory(category) {
+    const priorityMap = {
+      authentication: "critical",
+      billing: "high",
+      onboarding: "high",
+      product: "normal",
+      marketing: "low"
+    };
+    return priorityMap[category] || "normal";
+  }
+  /**
+   * Track email delivery in database
+   */
+  async trackDelivery(_data) {
+  }
+  /**
+   * Register email provider
+   */
+  registerProvider(name, provider) {
+    this.providers.set(name, provider);
+  }
+  /**
+   * Set template registry
+   */
+  setTemplateRegistry(registry) {
+    this.templateRegistry = registry;
+  }
+});
+var statement = {
+  // Snapshot management permissions
+  snapshot: [
+    "create",
+    "read",
+    "update",
+    "delete",
+    "restore"
+  ],
+  // API key management permissions
+  apiKey: [
+    "create",
+    "read",
+    "revoke"
+  ],
+  // Member management permissions
+  member: [
+    "invite",
+    "remove",
+    "update"
+  ],
+  // Organization settings permissions
+  organization: [
+    "read",
+    "update",
+    "delete"
+  ],
+  // Billing and subscription permissions
+  billing: [
+    "read",
+    "update"
+  ],
+  // Analytics and reporting permissions
+  analytics: [
+    "read"
+  ]
+};
+var ac = createAccessControl(statement);
+var member = ac.newRole({
+  snapshot: [
+    "create",
+    "read",
+    "restore"
+  ],
+  analytics: [
+    "read"
+  ]
+});
+var admin = ac.newRole({
+  snapshot: [
+    "create",
+    "read",
+    "update",
+    "delete",
+    "restore"
+  ],
+  apiKey: [
+    "create",
+    "read",
+    "revoke"
+  ],
+  member: [
+    "invite",
+    "update"
+  ],
+  organization: [
+    "read",
+    "update"
+  ],
+  billing: [
+    "read"
+  ],
+  analytics: [
+    "read"
+  ]
+});
+var owner = ac.newRole({
+  snapshot: [
+    "create",
+    "read",
+    "update",
+    "delete",
+    "restore"
+  ],
+  apiKey: [
+    "create",
+    "read",
+    "revoke"
+  ],
+  member: [
+    "invite",
+    "remove",
+    "update"
+  ],
+  organization: [
+    "read",
+    "update",
+    "delete"
+  ],
+  billing: [
+    "read",
+    "update"
+  ],
+  analytics: [
+    "read"
+  ]
+});
+var config2 = {
+  auth: {
+    enableSignup: process.env.ENABLE_SIGNUP !== "false"
+  }
+};
+var invitationOnlyPlugin = /* @__PURE__ */ __name(() => ({
+  id: "invitationOnlyPlugin",
+  hooks: {
+    before: [
+      {
+        matcher: /* @__PURE__ */ __name((context) => context.path?.startsWith("/sign-up/email") ?? false, "matcher"),
+        handler: createAuthMiddleware(async (ctx) => {
+          if (config2.auth.enableSignup) {
+            return;
+          }
+          const { email } = ctx.body;
+          const hasInvitation = await getPendingInvitationByEmail(email);
+          if (!hasInvitation) {
+            throw new APIError("BAD_REQUEST", {
+              code: "INVALID_INVITATION",
+              message: "No invitation found for this email"
+            });
+          }
+        })
+      }
+    ]
+  },
+  $ERROR_CODES: {
+    INVALID_INVITATION: "No invitation found for this email"
+  }
+}), "invitationOnlyPlugin");
+var { subscriptions, webhookEvents, user } = combinedSchema;
+var stripeClient = null;
+new EntitlementsServiceImpl();
+({
+  pro: process.env.STRIPE_PRO_MONTHLY_PRICE_ID,
+  team: process.env.STRIPE_TEAM_MONTHLY_PRICE_ID,
+  enterprise: process.env.STRIPE_ENTERPRISE_MONTHLY_PRICE_ID
+});
+function getStripeClient() {
+  if (stripeClient) {
+    return stripeClient;
+  }
+  const stripeSecretKey = process.env.STRIPE_SECRET_KEY;
+  if (!stripeSecretKey) {
+    throw new Error("Missing env variable STRIPE_SECRET_KEY");
+  }
+  stripeClient = new Stripe(stripeSecretKey);
+  return stripeClient;
+}
+__name(getStripeClient, "getStripeClient");
+var setSubscriptionSeats = /* @__PURE__ */ __name(async (options) => {
+  const stripeClient2 = getStripeClient();
+  const subscription = await stripeClient2.subscriptions.retrieve(options.id);
+  if (!subscription) {
+    throw new Error("Subscription not found.");
+  }
+  await stripeClient2.subscriptions.update(options.id, {
+    items: [
+      {
+        id: subscription.items.data[0].id,
+        quantity: options.seats
+      }
+    ]
+  });
+}, "setSubscriptionSeats");
+
+// ../../packages/integrations/dist/stripe/lib/customer.js
+createLogger({
+  name: "payments",
+  level: LogLevel.INFO
+});
+
+// ../../packages/integrations/dist/stripe/lib/helper.js
+config.payments.plans;
+
+// ../../packages/auth/dist/lib/organization.js
+async function updateSeatsInOrganizationSubscription(organizationId) {
+  const organization2 = await getOrganizationWithPurchasesAndMembersCount(organizationId);
+  if (!organization2?.purchases || !Array.isArray(organization2.purchases) || organization2.purchases.length === 0) {
+    return;
+  }
+  const activeSubscription = organization2.purchases.find((purchase) => purchase.type === "SUBSCRIPTION");
+  if (!activeSubscription?.subscriptionId) {
+    return;
+  }
+  try {
+    await setSubscriptionSeats({
+      id: activeSubscription.subscriptionId,
+      seats: organization2.membersCount
+    });
+  } catch (error) {
+    logger.error("Could not update seats in organization subscription", {
+      organizationId,
+      error
+    });
+  }
+}
+__name(updateSeatsInOrganizationSubscription, "updateSeatsInOrganizationSubscription");
+
+// ../../packages/auth/dist/auth.js
+var appUrl = process.env.APP_URL || getBaseUrl();
+var authBaseUrl = process.env.BETTER_AUTH_URL || process.env.BETTER_AUTH_BASE_URL || process.env.APP_URL || `http://localhost:${process.env.PORT || 3e3}`;
+var isLocalDev = (process.env.BETTER_AUTH_URL || "").includes("localhost");
+var isDevelopment = process.env.NODE_ENV !== "production" || isLocalDev;
+var trustedOrigins = isDevelopment ? [
+  appUrl,
+  authBaseUrl,
+  "http://localhost:3000",
+  "http://localhost:3001",
+  "http://localhost:3002",
+  "http://localhost:3003"
+] : [
+  appUrl,
+  authBaseUrl
+].filter((url, index, arr) => arr.indexOf(url) === index);
+var g = global;
+if (!g.__SNAPBACK_AUTH_REDIS__) {
+  g.__SNAPBACK_AUTH_REDIS__ = {
+    client: null,
+    available: false,
+    reconnectAttempts: 0
+  };
+}
+function getRedisClient() {
+  return g.__SNAPBACK_AUTH_REDIS__.client;
+}
+__name(getRedisClient, "getRedisClient");
+function isRedisAvailable() {
+  return g.__SNAPBACK_AUTH_REDIS__.available;
+}
+__name(isRedisAvailable, "isRedisAvailable");
+var redisClient = g.__SNAPBACK_AUTH_REDIS__.client;
+var redisAvailable = g.__SNAPBACK_AUTH_REDIS__.available;
+var authRedisReconnectAttempts = g.__SNAPBACK_AUTH_REDIS__.reconnectAttempts;
+async function initializeRedis() {
+  if (g.__SNAPBACK_AUTH_REDIS__.client) {
+    redisClient = g.__SNAPBACK_AUTH_REDIS__.client;
+    redisAvailable = g.__SNAPBACK_AUTH_REDIS__.available;
+    authRedisReconnectAttempts = g.__SNAPBACK_AUTH_REDIS__.reconnectAttempts;
+    return;
+  }
+  if (!process.env.REDIS_URL) {
+    if (process.env.MCP_QUIET !== "1") {
+      logger.warn("REDIS_URL not configured - rate limiting will use database fallback");
+    }
+    return;
+  }
+  try {
+    const redis = await import('redis').catch(() => null);
+    if (!redis) {
+      logger.warn("Redis module not available");
+      return;
+    }
+    const redisUrl = process.env.REDIS_URL;
+    if (!redisUrl.startsWith("redis://") && !redisUrl.startsWith("rediss://")) {
+      logger.error("Invalid REDIS_URL format", {
+        error: "REDIS_URL must start with 'redis://' or 'rediss://' protocol",
+        example: "redis://localhost:6379",
+        provided: `${redisUrl.split(":")[0]}:...`
+      });
+      g.__SNAPBACK_AUTH_REDIS__.available = false;
+      redisAvailable = false;
+      return;
+    }
+    const client = redis.createClient({
+      url: redisUrl,
+      socket: {
+        // Connection timeout - how long to wait for initial connection
+        connectTimeout: 1e4,
+        // TCP keepalive - prevents silent connection drops
+        keepAlive: 5e3,
+        // Reconnection strategy with exponential backoff + jitter
+        reconnectStrategy: /* @__PURE__ */ __name((retries, cause) => {
+          if (cause?.name === "SocketTimeoutError" || cause?.message?.includes("socket timeout")) {
+            logger.warn("Redis socket timeout for Better Auth - not reconnecting", {
+              cause: cause?.message
+            });
+            return false;
+          }
+          g.__SNAPBACK_AUTH_REDIS__.reconnectAttempts++;
+          authRedisReconnectAttempts++;
+          if (retries > 20) {
+            logger.error("Redis max retries exceeded", {
+              retries,
+              cause: cause?.message
+            });
+            return new Error("Max retries reached");
+          }
+          const baseDelay = Math.min(2 ** retries * 100, 3e4);
+          const jitter = Math.floor(Math.random() * 200);
+          const delay = baseDelay + jitter;
+          if (process.env.MCP_QUIET !== "1" && retries % 5 === 0) {
+            logger.debug("Redis reconnecting for Better Auth", {
+              retries,
+              delay
+            });
+          }
+          return delay;
+        }, "reconnectStrategy")
+      },
+      // Application-level ping to keep connection alive
+      pingInterval: 6e4
+    });
+    client.on("error", (err) => {
+      if (err.message.includes("ECONNRESET") || err.message.includes("ECONNREFUSED")) {
+        logger.debug("Redis connection error (will reconnect)", {
+          error: err.message
+        });
+      } else {
+        logger.warn("Redis connection error", {
+          error: err.message
+        });
+      }
+      g.__SNAPBACK_AUTH_REDIS__.available = false;
+      redisAvailable = false;
+    });
+    client.on("connect", () => {
+      if (process.env.MCP_QUIET !== "1" && !g.__SNAPBACK_REDIS_CONNECT_LOGGED__) {
+        g.__SNAPBACK_REDIS_CONNECT_LOGGED__ = true;
+        logger.info("Redis connected for Better Auth secondary storage");
+      }
+      g.__SNAPBACK_AUTH_REDIS__.available = true;
+      redisAvailable = true;
+    });
+    client.on("ready", () => {
+      g.__SNAPBACK_AUTH_REDIS__.reconnectAttempts = 0;
+      authRedisReconnectAttempts = 0;
+      g.__SNAPBACK_AUTH_REDIS__.available = true;
+      redisAvailable = true;
+    });
+    client.on("reconnecting", () => {
+      if (process.env.MCP_QUIET !== "1") {
+        logger.debug("Redis reconnecting for Better Auth...");
+      }
+    });
+    await client.connect();
+    g.__SNAPBACK_AUTH_REDIS__.client = client;
+    g.__SNAPBACK_AUTH_REDIS__.available = true;
+    redisClient = client;
+    redisAvailable = true;
+    if (process.env.MCP_QUIET !== "1" && !g.__SNAPBACK_REDIS_INIT_LOGGED__) {
+      g.__SNAPBACK_REDIS_INIT_LOGGED__ = true;
+      logger.info("\u2705 Better Auth Redis secondary storage initialized with production config");
+    }
+  } catch (error) {
+    logger.warn("Redis initialization failed - using database fallback", {
+      error: error instanceof Error ? error.message : String(error)
+    });
+    g.__SNAPBACK_AUTH_REDIS__.available = false;
+    redisAvailable = false;
+  }
+}
+__name(initializeRedis, "initializeRedis");
+function getAuthRedisReconnectAttempts() {
+  return authRedisReconnectAttempts;
+}
+__name(getAuthRedisReconnectAttempts, "getAuthRedisReconnectAttempts");
+initializeRedis().catch((err) => {
+  logger.error("Failed to initialize Redis for Better Auth", {
+    error: err instanceof Error ? err.message : String(err)
+  });
+});
+var _auth = betterAuth({
+  // ✅ Base URL for callbacks and redirects (required by Better Auth)
+  // Uses BETTER_AUTH_URL env var, falling back to localhost with PORT
+  baseURL: authBaseUrl,
+  // Extend the user schema with additional fields
+  schema: {
+    user: {
+      fields: {
+        onboardingComplete: {
+          type: "boolean",
+          required: false,
+          defaultValue: false
+        },
+        deviceFingerprint: {
+          type: "string",
+          required: false
+        }
+      }
+    }
+  },
+  appName: "SnapBack",
+  // ✅ SECURITY: Prevent account enumeration attacks
+  // OWASP ASVS 2.2.1 - Don't reveal whether username exists
+  disablePaths: [
+    "/is-username-available"
+  ],
+  endpoints: {
+    GET: {
+      "/health": {
+        async handler() {
+          return new Response("OK", {
+            status: 200
+          });
+        }
+      }
+    }
+  },
+  emailAndPassword: {
+    enabled: true
+  },
+  socialProviders: {
+    // Only include social providers if credentials are configured
+    // This prevents Better Auth from logging warnings that corrupt MCP stdio
+    // Note: Access process.env directly for Vercel compatibility (t3-env wrapper issue)
+    ...process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET ? {
+      github: {
+        clientId: process.env.GITHUB_CLIENT_ID,
+        clientSecret: process.env.GITHUB_CLIENT_SECRET
+      }
+    } : {},
+    ...process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET ? {
+      google: {
+        clientId: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET
+      }
+    } : {}
+  },
+  database: drizzleAdapter(db, {
+    provider: "pg",
+    schema: combinedSchema
+  }),
+  session: {
+    expiresIn: 60 * 60 * 24 * 7,
+    updateAge: 60 * 60 * 24,
+    // ✅ CRITICAL FIX: Always store sessions in DB so findSession() falls back
+    // to the primary DB when Redis (secondaryStorage) is unavailable or misses.
+    // Without this, a Redis miss in serverless (Vercel cold start, connection lag)
+    // causes findSession to return null WITHOUT checking the DB, silently breaking
+    // bearer token validation (CLI device auth, auto-provision API key).
+    storeSessionInDatabase: true,
+    // ✅ OPTIMIZATION: Cookie cache for 80% database load reduction
+    // Note: When database/secondaryStorage is configured, we use cookieCache
+    // WITHOUT refreshCache (which is only for stateless/DB-less setups)
+    // The cache reduces DB queries by storing session data in signed cookies
+    cookieCache: {
+      enabled: true,
+      maxAge: 5 * 60,
+      strategy: "jwe"
+    }
+  },
+  account: {
+    accountLinking: {
+      enabled: true,
+      trustedProviders: [
+        "google",
+        "github"
+      ]
+    }
+  },
+  trustedOrigins,
+  // ✅ OPTIMIZATION: Redis secondary storage for distributed rate limiting
+  // Uses a lazy wrapper so Redis connects asynchronously without blocking
+  // betterAuth() initialization. Each call checks redisAvailable at runtime.
+  secondaryStorage: {
+    get: /* @__PURE__ */ __name(async (key) => {
+      if (!redisAvailable || !redisClient) return null;
+      try {
+        return await redisClient.get(key);
+      } catch (error) {
+        logger.error("Redis get failed", {
+          key,
+          error
+        });
+        return null;
+      }
+    }, "get"),
+    set: /* @__PURE__ */ __name(async (key, value, ttl) => {
+      if (!redisAvailable || !redisClient) return;
+      try {
+        if (ttl) {
+          await redisClient.set(key, value, {
+            EX: ttl
+          });
+        } else {
+          await redisClient.set(key, value);
+        }
+      } catch (error) {
+        logger.error("Redis set failed", {
+          key,
+          error
+        });
+      }
+    }, "set"),
+    delete: /* @__PURE__ */ __name(async (key) => {
+      if (!redisAvailable || !redisClient) return;
+      try {
+        await redisClient.del(key);
+      } catch (error) {
+        logger.error("Redis delete failed", {
+          key,
+          error
+        });
+      }
+    }, "delete")
+  },
+  advanced: {
+    // ✅ FIX: Use isDevelopment (not NODE_ENV) so Doppler prd config running locally
+    // still gets dev-friendly cookie settings. isDevelopment checks BETTER_AUTH_URL
+    // for localhost, which Doppler overrides correctly.
+    useSecureCookies: !isDevelopment,
+    crossSiteRequestForgery: {
+      enabled: true,
+      // Verify origin header matches trusted origins
+      checkOrigin: true
+    },
+    // ✅ OPTIMIZATION: Explicit ID generation using nanoid
+    database: {
+      generateId: /* @__PURE__ */ __name(() => nanoid(), "generateId"),
+      defaultFindManyLimit: 100,
+      experimentalJoins: false
+    },
+    // ✅ OPTIMIZATION: IP tracking configuration for security audit
+    ipAddress: {
+      ipAddressHeaders: [
+        "cf-connecting-ip",
+        "x-real-ip",
+        "x-forwarded-for",
+        "x-client-ip"
+      ],
+      disableIpTracking: false
+    },
+    // ✅ OPTIMIZATION: Enhanced cookie configuration
+    // ✅ FIX: Use isDevelopment consistently (not env.NODE_ENV === "production")
+    // Doppler prd sets NODE_ENV=production even when running locally, which would
+    // incorrectly set domain=".snapback.dev" on localhost cookies.
+    crossSubDomainCookies: {
+      enabled: !isDevelopment,
+      domain: !isDevelopment ? ".snapback.dev" : void 0
+    },
+    defaultCookieAttributes: {
+      sameSite: "lax",
+      secure: !isDevelopment,
+      httpOnly: true,
+      path: "/"
+    },
+    // ✅ FIX: OAuth state/pkce cookies need SameSite=None for cross-site redirects
+    // See: https://github.com/better-auth/better-auth/issues/6483
+    // Note: In development (localhost), browsers allow SameSite=None without Secure
+    cookies: {
+      state: {
+        name: "snapback.state",
+        attributes: {
+          sameSite: isDevelopment ? "lax" : "none",
+          secure: !isDevelopment,
+          httpOnly: true,
+          path: "/",
+          maxAge: 600
+        }
+      },
+      pkce: {
+        name: "snapback.pkce",
+        attributes: {
+          sameSite: isDevelopment ? "lax" : "none",
+          secure: !isDevelopment,
+          httpOnly: true,
+          path: "/",
+          maxAge: 600
+        }
+      }
+    },
+    cookiePrefix: "snapback"
+  },
+  // Rate limiting configuration (replaces 340+ lines of custom rate limit code)
+  rateLimit: {
+    window: 60,
+    max: 100,
+    // ✅ OPTIMIZATION: Use Redis for distributed rate limiting via secondaryStorage.
+    // secondaryStorage lazy-checks redisAvailable at runtime, so this is always safe.
+    storage: "secondary-storage",
+    customRules: {
+      // Strict limits for authentication endpoints
+      "/sign-in/email": {
+        window: 10,
+        max: 3
+      },
+      "/sign-in/social": {
+        window: 10,
+        max: 5
+      },
+      "/sign-up": {
+        window: 60,
+        max: 5
+      },
+      "/password-reset": {
+        window: 60,
+        max: 3
+      },
+      // RFC 8628 Device Authorization - protect against brute-force of user codes
+      "/device/*": {
+        window: 60,
+        max: isDevelopment ? 100 : 10
+      },
+      // Higher limits for normal API endpoints
+      "/api/*": {
+        window: 60,
+        max: 500
+      },
+      // No rate limiting for health checks
+      "/health": false,
+      "/health/ready": false,
+      "/health/live": false
+    }
+  },
+  // Use database hooks for audit logging (replaces 371 lines of custom auth-audit.ts)
+  // Also includes rate limiting configuration (replaces 340+ lines of custom rate limit code)
+  databaseHooks: {
+    session: {
+      create: {
+        after: /* @__PURE__ */ __name(async (session) => {
+          await trackEvent("session.created", {
+            userId: session.userId
+          });
+          await trackEvent("auth.signin", {
+            userId: session.userId,
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          });
+          try {
+            const { db: db2 } = await import('./dist-YZBJAYEJ.js');
+            const { sql } = await import('drizzle-orm');
+            if (db2) {
+              const result = await db2.execute(sql`
+								DELETE FROM session
+								WHERE "userId" = ${session.userId}
+								AND id != ${session.id}
+							`);
+              const rotatedCount = result.rowCount || 0;
+              if (rotatedCount > 0) {
+                logger.info("Session regenerated on login - old sessions invalidated", {
+                  userId: session.userId,
+                  sessionId: session.id,
+                  rotatedCount
+                });
+                await trackEvent("session.regenerated", {
+                  userId: session.userId,
+                  reason: "login",
+                  rotatedCount
+                });
+              }
+            }
+          } catch (error) {
+            logger.warn("Session regeneration failed on login", {
+              userId: session.userId,
+              error: error instanceof Error ? error.message : String(error)
+            });
+          }
+          try {
+            if (!session.activeOrganizationId) {
+              const { db: db2, combinedSchema: combinedSchema2 } = await import('./dist-YZBJAYEJ.js');
+              const { sql } = await import('drizzle-orm');
+              if (db2) {
+                const { member: member2, session: sessionTable } = combinedSchema2;
+                const membership = await db2.select({
+                  organizationId: member2.organizationId
+                }).from(member2).where(sql`${member2.userId} = ${session.userId}`).orderBy(member2.createdAt).limit(1);
+                if (membership.length > 0 && membership[0]?.organizationId) {
+                  await db2.update(sessionTable).set({
+                    activeOrganizationId: membership[0].organizationId
+                  }).where(sql`${sessionTable.id} = ${session.id}`);
+                  logger.info("Auto-set active organization for session", {
+                    userId: session.userId,
+                    sessionId: session.id,
+                    organizationId: membership[0].organizationId
+                  });
+                }
+              }
+            }
+          } catch (error) {
+            logger.warn("Failed to auto-set active organization", {
+              userId: session.userId,
+              sessionId: session.id,
+              error: error instanceof Error ? error.message : String(error)
+            });
+          }
+        }, "after")
+      },
+      delete: {
+        after: /* @__PURE__ */ __name(async (session) => {
+          await trackEvent("session.revoked", {
+            userId: session.userId
+          });
+          await trackEvent("auth.signout", {
+            userId: session.userId,
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          });
+        }, "after")
+      }
+    },
+    user: {
+      create: {
+        after: /* @__PURE__ */ __name(async (user2) => {
+          await trackEvent("auth.signup", {
+            userId: user2.id,
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          });
+          try {
+            const { onOAuthSuccess } = await import('./pioneer-oauth-hook-V2JKEXM7.js');
+            await onOAuthSuccess(user2);
+          } catch (error) {
+            logger.error("Pioneer OAuth hook failed", {
+              userId: user2.id,
+              error
+            });
+          }
+          try {
+            const { autoProvisionOrganization } = await import('./auto-provision-organization-SF6XM7X4.js');
+            const result = await autoProvisionOrganization(user2);
+            if (!result.success) {
+              logger.warn("Auto-org provisioning failed", {
+                userId: user2.id,
+                error: result.error
+              });
+            }
+          } catch (error) {
+            logger.error("Auto-org provisioning error", {
+              userId: user2.id,
+              error
+            });
+          }
+        }, "after")
+      }
+    }
+  },
+  plugins: [
+    // ✅ CRITICAL: Bearer plugin enables getSession to validate Bearer tokens
+    // Required for CLI device flow where access_token is passed via Authorization header
+    // Without this, getSession only checks session cookies, not Bearer tokens
+    bearer(),
+    // ✅ ZERO-CONFIG: Anonymous plugin enables unauthenticated MCP usage (free tier)
+    // Users get a real anonymous session on first install — no credentials required.
+    // When user runs `snap login`, Better Auth links the anonymous account to the real
+    // user via onLinkAccount, migrating any session history automatically.
+    // Requires: isAnonymous boolean column on users table (see migration note below)
+    anonymous({
+      onLinkAccount: /* @__PURE__ */ __name(async ({ anonymousUser, newUser }) => {
+        logger.info("[Auth] Anonymous account linked", {
+          anonymousUserId: anonymousUser.user.id,
+          newUserId: newUser.user.id
+        });
+      }, "onLinkAccount")
+    }),
+    // ✅ RFC 8628 Device Authorization Grant Flow (for WSL, Remote SSH, Codespaces)
+    deviceAuthorization({
+      // IMPORTANT: Must point to /link page on web app where users verify their device code
+      // Better Auth uses baseURL to construct full URI, but baseURL might point to API
+      // Users need to visit the web app to verify their device code
+      verificationUri: `${appUrl}/link`
+    }),
+    admin$1(),
+    apiKey({
+      // ✅ CONSOLIDATED: Single source of truth for API key management
+      // Replaces: KeysDb, apikeys-service, in-memory keys.ts
+      // Key format: sk_live_[64 chars] or sk_test_[64 chars]
+      defaultPrefix: "sk_live_",
+      defaultKeyLength: 64,
+      // Schema mapping - use our existing apiKeys table with snake_case columns
+      schema: {
+        apikey: {
+          modelName: "apiKeys",
+          fields: {
+            // Map Better Auth field names to our Drizzle schema property names
+            userId: "userId",
+            name: "name",
+            key: "key",
+            start: "start",
+            prefix: "prefix",
+            createdAt: "createdAt",
+            updatedAt: "updatedAt"
+          }
+        }
+      },
+      // Permissions model: { resource: [actions] }
+      permissions: {
+        defaultPermissions: {
+          "snapback:analyze": [
+            "read"
+          ],
+          "snapback:snapshot": [
+            "read",
+            "write"
+          ],
+          "snapback:context": [
+            "read"
+          ],
+          // MCP server tool access - enables API key usage with MCP protocol
+          mcp: [
+            "tools"
+          ],
+          // API access levels
+          api: [
+            "read",
+            "write"
+          ],
+          // CLI operations
+          cli: [
+            "snapshots"
+          ]
+        }
+      },
+      // Enable automatic session creation for API key-authenticated requests
+      // This eliminates need for separate verifyApiKey + getSession calls
+      enableSessionForAPIKeys: true,
+      // Global rate limiting for all API keys
+      rateLimit: {
+        enabled: true,
+        timeWindow: 864e5,
+        maxRequests: 1e4
+      },
+      // Enable metadata storage for additional key info
+      enableMetadata: true
+    }),
+    // ✅ LEVEL 4: JWT plugin with device-specific token issuance
+    jwt({
+      issuer: appUrl,
+      audience: [
+        "vscode",
+        "mcp",
+        "cli"
+      ],
+      expirationTime: 60 * 15
+    }),
+    magicLink({
+      // SECURITY: Token expiration (default 5 min per Better Auth)
+      // Links older than this are rejected
+      expiresIn: 300,
+      async sendMagicLink({ email, url }) {
+        await send({
+          to: email,
+          subject: "Sign in to SnapBack",
+          text: `Click the link to sign in: ${url}`,
+          html: `<p>Click the link to sign in: <a href="${url}">${url}</a></p>`
+        });
+      }
+    }),
+    openAPI(),
+    // ✅ OPTIMIZATION: Organization plugin with RBAC configuration
+    // ✅ SECURITY: Session rotation on privilege escalation
+    // Note: Call rotateSessionsOnOrgRoleChange() manually after updateMemberRole()
+    // See: src/lib/session-rotation.ts
+    organization({
+      // Access control instance from organization-permissions.ts
+      ac,
+      // Define roles and permissions
+      roles: {
+        owner,
+        admin,
+        member
+      },
+      // Organization creation settings
+      allowUserToCreateOrganization: true,
+      organizationLimit: 5,
+      // SECURITY: Invitation expiration (7 days per OWASP recommendation)
+      // After this period, invitations must be re-sent
+      invitationExpiresIn: 7 * 24 * 60 * 60,
+      // Send invitation emails
+      async sendInvitationEmail({ invitation, organization: organization2 }) {
+        const { id, email, expiresAt } = invitation;
+        const url = new URL(appUrl);
+        url.pathname = "/accept-invitation";
+        url.searchParams.set("invitationId", id);
+        url.searchParams.set("email", email);
+        const expiresInDays = Math.ceil((expiresAt.getTime() - Date.now()) / (1e3 * 60 * 60 * 24));
+        await send({
+          to: email,
+          subject: `You've been invited to join ${organization2.name} on SnapBack`,
+          text: `You've been invited to join ${organization2.name}. Click the link to accept: ${url.toString()}
+
+This invitation expires in ${expiresInDays} days.`,
+          html: `<p>You've been invited to join <strong>${organization2.name}</strong> on SnapBack.</p><p><a href="${url.toString()}">Click here to accept the invitation</a></p><p><small>This invitation expires in ${expiresInDays} days.</small></p>`
+        });
+      }
+    }),
+    invitationOnlyPlugin(),
+    // ✅ SECURITY: Password breach detection via HaveIBeenPwned
+    // OWASP A07:2021, NIST SP 800-63B Section 5.1.1.2
+    // Automatically checks passwords during signup and password changes
+    haveIBeenPwned(),
+    // ✅ SECURITY: Two-Factor Authentication
+    // NIST SP 800-63B compliant configuration
+    twoFactor({
+      // Application name shown in authenticator apps
+      issuer: "SnapBack",
+      // Require verification on enable for security
+      skipVerificationOnEnable: false,
+      // TOTP configuration
+      totpOptions: {
+        // 6-digit codes (standard)
+        digits: 6,
+        // 30-second validity period (TOTP standard)
+        period: 30
+      },
+      // Backup codes configuration (enhanced when ENABLE_ENHANCED_2FA=true)
+      backupCodeOptions: {
+        // Number of backup codes to generate
+        amount: ENABLE_ENHANCED_2FA ? 10 : 6,
+        // Backup code length (longer for enterprise)
+        length: ENABLE_ENHANCED_2FA ? 12 : 8
+      }
+    }),
+    username({}),
+    passkey({}),
+    // =============================================================================
+    // Enterprise Auth Plugins (Feature Flag Gated)
+    // =============================================================================
+    // ✅ ENTERPRISE: SSO Plugin (SAML 2.0 / OIDC)
+    // Requires: ENABLE_SSO=true, @better-auth/sso package
+    ...ENABLE_SSO ? [
+      sso({
+        // Auto-provision users to organization based on domain
+        provisionUser: /* @__PURE__ */ __name(async ({ user: user2, userInfo }) => {
+          const emailHash = user2.email ? `email_${Math.abs(user2.email.split("").reduce((acc, char) => (acc << 5) - acc + char.charCodeAt(0) | 0, 0)).toString(16).padStart(8, "0")}` : "none";
+          logger.info("SSO user provisioning", {
+            userId: user2.id,
+            emailHash
+          });
+          if (userInfo?.email_verified && !user2.emailVerified) ;
+        }, "provisionUser"),
+        // Organization auto-provisioning settings
+        organizationProvisioning: {
+          defaultRole: "member"
+        },
+        // Allow new users via SSO (don't require pre-existing account)
+        disableImplicitSignUp: false,
+        // Trust IdP email verification status
+        trustEmailVerified: true,
+        // Domain verification for SSO providers
+        domainVerification: {
+          enabled: true
+        }
+      })
+    ] : [],
+    // ✅ SECURITY: Captcha Plugin (Bot Protection)
+    // OWASP A07:2021 - Prevents automated attacks on auth endpoints
+    // Requires: ENABLE_CAPTCHA=true, CAPTCHA_SECRET_KEY env var
+    ...ENABLE_CAPTCHA && process.env.CAPTCHA_SECRET_KEY ? [
+      captcha({
+        provider: "cloudflare-turnstile",
+        secretKey: process.env.CAPTCHA_SECRET_KEY,
+        // Protect critical auth endpoints
+        endpoints: [
+          "/sign-up/email",
+          "/sign-in/email",
+          "/forget-password",
+          "/password-reset"
+        ]
+      })
+    ] : [],
+    // ✅ ENTERPRISE: Multi-Session Plugin (Device Management)
+    // Allows users to manage active sessions across devices
+    // Requires: ENABLE_MULTI_SESSION=true
+    ...ENABLE_MULTI_SESSION ? [
+      multiSession({
+        // Enterprise limit: 10 concurrent sessions
+        maximumSessions: 10
+      })
+    ] : []
+  ],
+  onAPIError: {
+    onError(error, ctx) {
+      const errorDetails = {
+        error,
+        context: ctx
+      };
+      if (error && typeof error === "object") {
+        if ("code" in error) {
+          errorDetails.errorCode = error.code;
+        }
+        if ("message" in error) {
+          errorDetails.errorMessage = error.message;
+        }
+        if ("statusCode" in error) {
+          errorDetails.statusCode = error.statusCode;
+        }
+      }
+      let isOAuthError = false;
+      if (ctx && typeof ctx === "object") {
+        if ("request" in ctx) {
+          const request = ctx.request;
+          errorDetails.requestUrl = request.url;
+          errorDetails.requestMethod = request.method;
+          if (request.url?.includes("/api/auth/callback/")) {
+            const provider = request.url.split("/callback/")[1]?.split("?")[0];
+            errorDetails.oauthProvider = provider;
+            errorDetails.errorType = "OAuth Callback Error";
+            isOAuthError = true;
+            logger.error("OAuth Callback Error", errorDetails);
+          }
+        }
+      }
+      if (!isOAuthError) {
+        logger.error("Better Auth API Error", errorDetails);
+      }
+      trackEvent("auth.signin_failed", {
+        errorCode: errorDetails.errorCode,
+        errorMessage: errorDetails.errorMessage,
+        path: errorDetails.requestUrl,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      }).catch(() => {
+      });
+      import('./dist-E7E2T3DQ.js').then(({ captureError }) => {
+        if (captureError && error instanceof Error) {
+          captureError(error, {
+            tags: {
+              errorType: isOAuthError ? "oauth_callback" : "auth_api",
+              ...errorDetails.errorCode ? {
+                errorCode: String(errorDetails.errorCode)
+              } : {}
+            },
+            extra: errorDetails
+          });
+        }
+      }).catch(() => {
+      });
+    }
+  }
+});
+var auth = _auth;
+
+export { auth, getAuthRedisReconnectAttempts, getRedisClient, isRedisAvailable, redisAvailable, redisClient, updateSeatsInOrganizationSubscription };