@sonicjs-cms/core 2.18.1 → 3.0.0-beta.2

package/dist/chunk-NMPEMSU4.js

@@ -0,0 +1,154 @@
+// package.json
+var package_default = {
+  name: "@sonicjs-cms/core",
+  version: "3.0.0-beta.2",
+  description: "Core framework for SonicJS headless CMS - Edge-first, TypeScript-native CMS built for Cloudflare Workers",
+  type: "module",
+  main: "./dist/index.cjs",
+  module: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  bin: {
+    "sonicjs-db-reset": "./bin/db-reset.js"
+  },
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js",
+      require: "./dist/index.cjs"
+    },
+    "./services": {
+      types: "./dist/services.d.ts",
+      import: "./dist/services.js",
+      require: "./dist/services.cjs"
+    },
+    "./middleware": {
+      types: "./dist/middleware.d.ts",
+      import: "./dist/middleware.js",
+      require: "./dist/middleware.cjs"
+    },
+    "./routes": {
+      types: "./dist/routes.d.ts",
+      import: "./dist/routes.js",
+      require: "./dist/routes.cjs"
+    },
+    "./templates": {
+      types: "./dist/templates.d.ts",
+      import: "./dist/templates.js",
+      require: "./dist/templates.cjs"
+    },
+    "./plugins": {
+      types: "./dist/plugins.d.ts",
+      import: "./dist/plugins.js",
+      require: "./dist/plugins.cjs"
+    },
+    "./utils": {
+      types: "./dist/utils.d.ts",
+      import: "./dist/utils.js",
+      require: "./dist/utils.cjs"
+    },
+    "./types": {
+      types: "./dist/types.d.ts",
+      import: "./dist/types.js",
+      require: "./dist/types.cjs"
+    },
+    "./package.json": "./package.json"
+  },
+  files: [
+    "bin",
+    "dist",
+    "migrations",
+    "README.md",
+    "LICENSE"
+  ],
+  scripts: {
+    "generate:migrations": "npx tsx scripts/generate-migrations.ts",
+    prebuild: "npm run generate:migrations",
+    build: "tsup",
+    dev: "tsup --watch",
+    "type-check": "tsc --noEmit",
+    lint: "eslint src/",
+    "lint:fix": "eslint src/ --fix",
+    test: "vitest run",
+    "test:cov": "vitest run --coverage",
+    "test:watch": "vitest",
+    prepublishOnly: "npm run build",
+    prepare: "npm run build"
+  },
+  keywords: [
+    "cms",
+    "headless-cms",
+    "cloudflare",
+    "workers",
+    "edge",
+    "typescript",
+    "hono",
+    "content-management",
+    "api",
+    "sonicjs"
+  ],
+  author: "SonicJS Team",
+  license: "MIT",
+  repository: {
+    type: "git",
+    url: "git+https://github.com/sonicjs/sonicjs.git",
+    directory: "packages/core"
+  },
+  bugs: {
+    url: "https://github.com/sonicjs/sonicjs/issues"
+  },
+  homepage: "https://sonicjs.com",
+  peerDependencies: {
+    "@cloudflare/workers-types": "^4.0.0",
+    "drizzle-orm": "^0.44.0",
+    hono: "^4.0.0",
+    zod: "^3.0.0 || ^4.0.0"
+  },
+  dependencies: {
+    "@cf-wasm/resvg": "^0.3.3",
+    "better-auth": "^1.6.13",
+    "better-auth-cloudflare": "^0.3.0",
+    "csv-parse": "^6.2.1",
+    "drizzle-zod": "^0.8.3",
+    "highlight.js": "^11.11.1",
+    linkedom: "^0.18.12",
+    marked: "^16.4.1",
+    "qrcode-svg": "^1.1.0",
+    semver: "^7.7.3",
+    "tiny-lru": "^13.0.0"
+  },
+  devDependencies: {
+    "@cloudflare/workers-types": "^4.20251014.0",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^24.9.2",
+    "@types/qrcode-svg": "^1.1.5",
+    "@typescript-eslint/eslint-plugin": "^8.50.0",
+    "@typescript-eslint/parser": "^8.50.0",
+    "@vitest/coverage-v8": "^4.1.9",
+    "better-sqlite3": "^12.10.0",
+    "drizzle-orm": "^0.45.2",
+    eslint: "^9.39.2",
+    glob: "^10.5.0",
+    hono: "^4.12.26",
+    tsup: "^8.5.0",
+    typescript: "^5.9.3",
+    vitest: "^4.1.9",
+    zod: "^4.1.12"
+  },
+  engines: {
+    node: ">=18.0.0"
+  },
+  publishConfig: {
+    access: "public",
+    registry: "https://registry.npmjs.org/"
+  }
+};
+
+// src/utils/version.ts
+var SONICJS_VERSION = package_default.version;
+function getCoreVersion() {
+  return SONICJS_VERSION;
+}
+
+export { SONICJS_VERSION, getCoreVersion, package_default };
+//# sourceMappingURL=chunk-NMPEMSU4.js.map
+//# sourceMappingURL=chunk-NMPEMSU4.js.map

package/dist/chunk-NMPEMSU4.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../package.json","../src/utils/version.ts"],"names":[],"mappings":";AAAA,IAAA,eAAA,GAAA;AAAA,EACE,IAAA,EAAQ,mBAAA;AAAA,EACR,OAAA,EAAW,cAAA;AAAA,EACX,WAAA,EAAe,0GAAA;AAAA,EACf,IAAA,EAAQ,QAAA;AAAA,EACR,IAAA,EAAQ,kBAAA;AAAA,EACR,MAAA,EAAU,iBAAA;AAAA,EACV,KAAA,EAAS,mBAAA;AAAA,EACT,GAAA,EAAO;AAAA,IACL,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA,OAAA,EAAW;AAAA,IACT,GAAA,EAAK;AAAA,MACH,KAAA,EAAS,mBAAA;AAAA,MACT,MAAA,EAAU,iBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,KAAA,EAAS,sBAAA;AAAA,MACT,MAAA,EAAU,oBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,cAAA,EAAgB;AAAA,MACd,KAAA,EAAS,wBAAA;AAAA,MACT,MAAA,EAAU,sBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,UAAA,EAAY;AAAA,MACV,KAAA,EAAS,oBAAA;AAAA,MACT,MAAA,EAAU,kBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,aAAA,EAAe;AAAA,MACb,KAAA,EAAS,uBAAA;AAAA,MACT,MAAA,EAAU,qBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,WAAA,EAAa;AAAA,MACX,KAAA,EAAS,qBAAA;AAAA,MACT,MAAA,EAAU,mBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,SAAA,EAAW;AAAA,MACT,KAAA,EAAS,mBAAA;AAAA,MACT,MAAA,EAAU,iBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,SAAA,EAAW;AAAA,MACT,KAAA,EAAS,mBAAA;AAAA,MACT,MAAA,EAAU,iBAAA;AAAA,MACV,OAAA,EAAW;AAAA,KACb;AAAA,IACA,gBAAA,EAAkB;AAAA,GACpB;AAAA,EACA,KAAA,EAAS;AAAA,IACP,KAAA;AAAA,IACA,MAAA;AAAA,IACA,YAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,OAAA,EAAW;AAAA,IACT,qBAAA,EAAuB,wCAAA;AAAA,IACvB,QAAA,EAAY,6BAAA;AAAA,IACZ,KAAA,EAAS,MAAA;AAAA,IACT,GAAA,EAAO,cAAA;AAAA,IACP,YAAA,EAAc,cAAA;AAAA,IACd,IAAA,EAAQ,aAAA;AAAA,IACR,UAAA,EAAY,mBAAA;AAAA,IACZ,IAAA,EAAQ,YAAA;AAAA,IACR,UAAA,EAAY,uBAAA;AAAA,IACZ,YAAA,EAAc,QAAA;AAAA,IACd,cAAA,EAAkB,eAAA;AAAA,IAClB,OAAA,EAAW;AAAA,GACb;AAAA,EACA,QAAA,EAAY;AAAA,IACV,KAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,SAAA;AAAA,IACA,MAAA;AAAA,IACA,YAAA;AAAA,IACA,MAAA;AAAA,IACA,oBAAA;AAAA,IACA,KAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,MAAA,EAAU,cAAA;AAAA,EACV,OAAA,EAAW,KAAA;AAAA,EACX,UAAA,EAAc;AAAA,IACZ,IAAA,EAAQ,KAAA;AAAA,IACR,GAAA,EAAO,4CAAA;AAAA,IACP,SAAA,EAAa;AAAA,GACf;AAAA,EACA,IAAA,EAAQ;AAAA,IACN,GAAA,EAAO;AAAA,GACT;AAAA,EACA,QAAA,EAAY,qBAAA;AAAA,EACZ,gBAAA,EAAoB;AAAA,IAClB,2BAAA,EAA6B,QAAA;AAAA,IAC7B,aAAA,EAAe,SAAA;AAAA,IACf,IAAA,EAAQ,QAAA;AAAA,IACR,GAAA,EAAO;AAAA,GACT;AAAA,EACA,YAAA,EAAgB;AAAA,IACd,gBAAA,EAAkB,QAAA;AAAA,IAClB,aAAA,EAAe,SAAA;AAAA,IACf,wBAAA,EAA0B,QAAA;AAAA,IAC1B,WAAA,EAAa,QAAA;AAAA,IACb,aAAA,EAAe,QAAA;AAAA,IACf,cAAA,EAAgB,UAAA;AAAA,IAChB,QAAA,EAAY,UAAA;AAAA,IACZ,MAAA,EAAU,SAAA;AAAA,IACV,YAAA,EAAc,QAAA;AAAA,IACd,MAAA,EAAU,QAAA;AAAA,IACV,UAAA,EAAY;AAAA,GACd;AAAA,EACA,eAAA,EAAmB;AAAA,IACjB,2BAAA,EAA6B,eAAA;AAAA,IAC7B,uBAAA,EAAyB,SAAA;AAAA,IACzB,aAAA,EAAe,SAAA;AAAA,IACf,mBAAA,EAAqB,QAAA;AAAA,IACrB,kCAAA,EAAoC,SAAA;AAAA,IACpC,2BAAA,EAA6B,SAAA;AAAA,IAC7B,qBAAA,EAAuB,QAAA;AAAA,IACvB,gBAAA,EAAkB,UAAA;AAAA,IAClB,aAAA,EAAe,SAAA;AAAA,IACf,MAAA,EAAU,SAAA;AAAA,IACV,IAAA,EAAQ,SAAA;AAAA,IACR,IAAA,EAAQ,UAAA;AAAA,IACR,IAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAc,QAAA;AAAA,IACd,MAAA,EAAU,QAAA;AAAA,IACV,GAAA,EAAO;AAAA,GACT;AAAA,EACA,OAAA,EAAW;AAAA,IACT,IAAA,EAAQ;AAAA,GACV;AAAA,EACA,aAAA,EAAiB;AAAA,IACf,MAAA,EAAU,QAAA;AAAA,IACV,QAAA,EAAY;AAAA;AAEhB;;;ACtIO,IAAM,kBAAkB,eAAA,CAAI;AAK5B,SAAS,cAAA,GAAyB;AACvC,EAAA,OAAO,eAAA;AACT","file":"chunk-NMPEMSU4.js","sourcesContent":["{\n  \"name\": \"@sonicjs-cms/core\",\n  \"version\": \"3.0.0-beta.2\",\n  \"description\": \"Core framework for SonicJS headless CMS - Edge-first, TypeScript-native CMS built for Cloudflare Workers\",\n  \"type\": \"module\",\n  \"main\": \"./dist/index.cjs\",\n  \"module\": \"./dist/index.js\",\n  \"types\": \"./dist/index.d.ts\",\n  \"bin\": {\n    \"sonicjs-db-reset\": \"./bin/db-reset.js\"\n  },\n  \"exports\": {\n    \".\": {\n      \"types\": \"./dist/index.d.ts\",\n      \"import\": \"./dist/index.js\",\n      \"require\": \"./dist/index.cjs\"\n    },\n    \"./services\": {\n      \"types\": \"./dist/services.d.ts\",\n      \"import\": \"./dist/services.js\",\n      \"require\": \"./dist/services.cjs\"\n    },\n    \"./middleware\": {\n      \"types\": \"./dist/middleware.d.ts\",\n      \"import\": \"./dist/middleware.js\",\n      \"require\": \"./dist/middleware.cjs\"\n    },\n    \"./routes\": {\n      \"types\": \"./dist/routes.d.ts\",\n      \"import\": \"./dist/routes.js\",\n      \"require\": \"./dist/routes.cjs\"\n    },\n    \"./templates\": {\n      \"types\": \"./dist/templates.d.ts\",\n      \"import\": \"./dist/templates.js\",\n      \"require\": \"./dist/templates.cjs\"\n    },\n    \"./plugins\": {\n      \"types\": \"./dist/plugins.d.ts\",\n      \"import\": \"./dist/plugins.js\",\n      \"require\": \"./dist/plugins.cjs\"\n    },\n    \"./utils\": {\n      \"types\": \"./dist/utils.d.ts\",\n      \"import\": \"./dist/utils.js\",\n      \"require\": \"./dist/utils.cjs\"\n    },\n    \"./types\": {\n      \"types\": \"./dist/types.d.ts\",\n      \"import\": \"./dist/types.js\",\n      \"require\": \"./dist/types.cjs\"\n    },\n    \"./package.json\": \"./package.json\"\n  },\n  \"files\": [\n    \"bin\",\n    \"dist\",\n    \"migrations\",\n    \"README.md\",\n    \"LICENSE\"\n  ],\n  \"scripts\": {\n    \"generate:migrations\": \"npx tsx scripts/generate-migrations.ts\",\n    \"prebuild\": \"npm run generate:migrations\",\n    \"build\": \"tsup\",\n    \"dev\": \"tsup --watch\",\n    \"type-check\": \"tsc --noEmit\",\n    \"lint\": \"eslint src/\",\n    \"lint:fix\": \"eslint src/ --fix\",\n    \"test\": \"vitest run\",\n    \"test:cov\": \"vitest run --coverage\",\n    \"test:watch\": \"vitest\",\n    \"prepublishOnly\": \"npm run build\",\n    \"prepare\": \"npm run build\"\n  },\n  \"keywords\": [\n    \"cms\",\n    \"headless-cms\",\n    \"cloudflare\",\n    \"workers\",\n    \"edge\",\n    \"typescript\",\n    \"hono\",\n    \"content-management\",\n    \"api\",\n    \"sonicjs\"\n  ],\n  \"author\": \"SonicJS Team\",\n  \"license\": \"MIT\",\n  \"repository\": {\n    \"type\": \"git\",\n    \"url\": \"git+https://github.com/sonicjs/sonicjs.git\",\n    \"directory\": \"packages/core\"\n  },\n  \"bugs\": {\n    \"url\": \"https://github.com/sonicjs/sonicjs/issues\"\n  },\n  \"homepage\": \"https://sonicjs.com\",\n  \"peerDependencies\": {\n    \"@cloudflare/workers-types\": \"^4.0.0\",\n    \"drizzle-orm\": \"^0.44.0\",\n    \"hono\": \"^4.0.0\",\n    \"zod\": \"^3.0.0 || ^4.0.0\"\n  },\n  \"dependencies\": {\n    \"@cf-wasm/resvg\": \"^0.3.3\",\n    \"better-auth\": \"^1.6.13\",\n    \"better-auth-cloudflare\": \"^0.3.0\",\n    \"csv-parse\": \"^6.2.1\",\n    \"drizzle-zod\": \"^0.8.3\",\n    \"highlight.js\": \"^11.11.1\",\n    \"linkedom\": \"^0.18.12\",\n    \"marked\": \"^16.4.1\",\n    \"qrcode-svg\": \"^1.1.0\",\n    \"semver\": \"^7.7.3\",\n    \"tiny-lru\": \"^13.0.0\"\n  },\n  \"devDependencies\": {\n    \"@cloudflare/workers-types\": \"^4.20251014.0\",\n    \"@types/better-sqlite3\": \"^7.6.13\",\n    \"@types/node\": \"^24.9.2\",\n    \"@types/qrcode-svg\": \"^1.1.5\",\n    \"@typescript-eslint/eslint-plugin\": \"^8.50.0\",\n    \"@typescript-eslint/parser\": \"^8.50.0\",\n    \"@vitest/coverage-v8\": \"^4.1.9\",\n    \"better-sqlite3\": \"^12.10.0\",\n    \"drizzle-orm\": \"^0.45.2\",\n    \"eslint\": \"^9.39.2\",\n    \"glob\": \"^10.5.0\",\n    \"hono\": \"^4.12.26\",\n    \"tsup\": \"^8.5.0\",\n    \"typescript\": \"^5.9.3\",\n    \"vitest\": \"^4.1.9\",\n    \"zod\": \"^4.1.12\"\n  },\n  \"engines\": {\n    \"node\": \">=18.0.0\"\n  },\n  \"publishConfig\": {\n    \"access\": \"public\",\n    \"registry\": \"https://registry.npmjs.org/\"\n  }\n}\n","/**\n * Version utility\n *\n * Provides the current version of @sonicjs-cms/core package\n */\n\nimport pkg from '../../package.json'\n\nexport const SONICJS_VERSION = pkg.version\n\n/**\n * Get the current SonicJS core version\n */\nexport function getCoreVersion(): string {\n  return SONICJS_VERSION\n}\n"]}

package/dist/chunk-NUKJ54GA.cjs

@@ -0,0 +1,245 @@
+'use strict';
+
+var chunkHIKBY7MS_cjs = require('./chunk-HIKBY7MS.cjs');
+var chunkYP7GW2G5_cjs = require('./chunk-YP7GW2G5.cjs');
+var betterAuth = require('better-auth');
+var betterAuthCloudflare = require('better-auth-cloudflare');
+var crypto$1 = require('better-auth/crypto');
+var api = require('better-auth/api');
+var magicLink = require('better-auth/plugins/magic-link');
+var emailOtp = require('better-auth/plugins/email-otp');
+var organization = require('better-auth/plugins/organization');
+var d1 = require('drizzle-orm/d1');
+
+async function sendViaEmailPlugin(db, to, subject, html) {
+  try {
+    const row = await db.prepare("SELECT settings FROM plugins WHERE id = 'email'").first();
+    if (row?.settings) {
+      const { apiKey, fromEmail, fromName } = JSON.parse(row.settings);
+      if (apiKey && fromEmail) {
+        await fetch("https://api.resend.com/emails", {
+          method: "POST",
+          headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
+          body: JSON.stringify({
+            from: `${fromName ?? "SonicJS"} <${fromEmail}>`,
+            to: [to],
+            subject,
+            html
+          })
+        });
+        return;
+      }
+    }
+  } catch {
+  }
+  console.log(`[email-dev] To:${to} | Subject:${subject}`);
+}
+async function verifyLegacyPbkdf2(password, stored) {
+  const parts = stored.split(":");
+  if (parts.length !== 4) return false;
+  const iterations = parseInt(parts[1], 10);
+  const saltBytes = parts[2].match(/.{2}/g);
+  if (!saltBytes || !Number.isFinite(iterations)) return false;
+  const salt = new Uint8Array(saltBytes.map((b) => parseInt(b, 16)));
+  const km = await crypto.subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits({ name: "PBKDF2", salt, iterations, hash: "SHA-256" }, km, 256);
+  const actual = Array.from(new Uint8Array(bits)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const expected = parts[3];
+  if (actual.length !== expected.length) return false;
+  let diff = 0;
+  for (let i = 0; i < actual.length; i++) diff |= actual.charCodeAt(i) ^ expected.charCodeAt(i);
+  return diff === 0;
+}
+function getDefaultAuthOptions(env, requestBaseURL) {
+  const db = d1.drizzle(env.DB);
+  return {
+    secret: env.BETTER_AUTH_SECRET,
+    baseURL: env.BETTER_AUTH_URL || requestBaseURL,
+    appName: "SonicJS",
+    ...betterAuthCloudflare.withCloudflare(
+      {
+        autoDetectIpAddress: true,
+        geolocationTracking: false,
+        cf: {},
+        d1: {
+          db,
+          options: {
+            // Keys MUST match modelName values — BA resolves by modelName, not by JS variable name.
+            schema: { auth_user: chunkYP7GW2G5_cjs.authUser, auth_session: chunkYP7GW2G5_cjs.authSession, auth_account: chunkYP7GW2G5_cjs.authAccount, auth_verification: chunkYP7GW2G5_cjs.authVerification, auth_tenant: chunkYP7GW2G5_cjs.authTenant, auth_tenant_member: chunkYP7GW2G5_cjs.authTenantMember, auth_tenant_invitation: chunkYP7GW2G5_cjs.authTenantInvitation, auth_tenant_team: chunkYP7GW2G5_cjs.authTenantTeam }
+          }
+        },
+        kv: env.CACHE_KV
+        // session secondary storage → getSession skips D1
+      },
+      {
+        basePath: "/auth",
+        emailAndPassword: {
+          enabled: true,
+          autoSignIn: true,
+          // Transparent migration of SonicJS legacy PBKDF2 hashes: verify against
+          // the old format on login, then re-hash to scrypt and persist. No
+          // mass-rehash, no forced password resets.
+          password: {
+            verify: async ({ hash, password }) => {
+              if (hash.startsWith("pbkdf2:")) {
+                const ok = await verifyLegacyPbkdf2(password, hash);
+                if (ok) {
+                  const upgraded = await crypto$1.hashPassword(password);
+                  await env.DB.prepare(
+                    "UPDATE auth_account SET password = ?, updated_at = ? WHERE password = ? AND provider_id = 'credential'"
+                  ).bind(upgraded, Math.floor(Date.now() / 1e3), hash).run();
+                }
+                return ok;
+              }
+              return crypto$1.verifyPassword({ hash, password });
+            }
+          }
+        },
+        user: {
+          modelName: "auth_user",
+          // Field-mapping values are Drizzle *property keys* (camelCase), which
+          // already match Better Auth's defaults for emailVerified/createdAt/
+          // updatedAt. Only `image` differs (SonicJS uses `avatar`).
+          fields: {
+            image: "avatar"
+          },
+          additionalFields: {
+            role: { type: "string", required: false, defaultValue: "viewer", input: false },
+            firstName: { type: "string", required: false, defaultValue: "", input: true },
+            lastName: { type: "string", required: false, defaultValue: "", input: true },
+            isSuperAdmin: { type: "boolean", required: false, defaultValue: false, input: false }
+          }
+        },
+        session: {
+          modelName: "auth_session",
+          // Drizzle property keys already match Better Auth defaults (userId,
+          // expiresAt, ipAddress, …) — no field overrides needed.
+          expiresIn: 60 * 60 * 24 * 7,
+          // 7 days
+          updateAge: 60 * 60 * 24
+          // refresh once per day
+        },
+        account: { modelName: "auth_account" },
+        verification: { modelName: "auth_verification" },
+        databaseHooks: {
+          user: {
+            create: {
+              before: async (userData) => {
+                const isFirst = await chunkHIKBY7MS_cjs.isFirstUserRegistration(env.DB);
+                if (!isFirst) {
+                  const enabled = await chunkHIKBY7MS_cjs.isRegistrationEnabled(env.DB);
+                  if (!enabled) {
+                    throw new api.APIError("BAD_REQUEST", { message: "Registration is currently disabled." });
+                  }
+                }
+                const d = userData;
+                const name = (d.name ?? "User").toString();
+                const parts = name.trim().split(/\s+/);
+                const firstName = d.firstName || parts[0] || "User";
+                const lastName = d.lastName || parts.slice(1).join(" ") || firstName;
+                return { data: { ...userData, name, firstName, lastName, role: "viewer" } };
+              },
+              after: async (user) => {
+                try {
+                  const { RbacService } = await import('./rbac-VONLJJKB.cjs');
+                  const rbac = new RbacService(env.DB);
+                  const roleName = await rbac.countPortalAdmins(user.id) === 0 ? "admin" : "viewer";
+                  await rbac.addUserRoleByName(user.id, roleName);
+                } catch {
+                }
+              }
+            }
+          }
+        }
+      }
+    ),
+    // ── Phase 4: BA-native login methods ─────────────────────────────────────
+    // Magic-link and Email-OTP replace the standalone SonicJS plugins that
+    // minted JWT cookies. Social providers replace the bespoke oauth-providers
+    // plugin. All are gated on the relevant env vars / email service config
+    // so they activate only when configured.
+    plugins: [
+      // Magic-link passwordless auth. Sends a one-time link to the user's inbox;
+      // the link resolves to a BA session. Requires a working email service.
+      magicLink.magicLink({
+        sendMagicLink: async ({ email, url }, _request) => {
+          await sendViaEmailPlugin(
+            env.DB,
+            email,
+            "Your sign-in link",
+            `<div style="font-family:sans-serif;max-width:600px">
+              <h2>Sign in to SonicJS</h2>
+              <p>Click the link below to sign in. Expires in 15 minutes.</p>
+              <p><a href="${url}" style="background:#465FFF;color:#fff;padding:12px 24px;border-radius:6px;text-decoration:none">Sign in</a></p>
+              <p style="color:#666;font-size:12px">Or copy: ${url}</p>
+            </div>`
+          );
+        },
+        expiresIn: 15 * 60
+      }),
+      // Email OTP — 6-digit code sent to inbox. Replaces the otp-login-plugin.
+      emailOtp.emailOTP({
+        sendVerificationOTP: async (params, _request) => {
+          await sendViaEmailPlugin(
+            env.DB,
+            params.email,
+            "Your sign-in code",
+            `<div style="font-family:sans-serif;max-width:600px">
+              <h2>Your one-time code</h2>
+              <p style="font-size:36px;font-weight:bold;letter-spacing:8px;color:#465FFF">${params.otp}</p>
+              <p style="color:#666">Expires in 10 minutes. Do not share this code.</p>
+            </div>`
+          );
+        },
+        otpLength: 6,
+        expiresIn: 10 * 60
+      }),
+      organization.organization({
+        schema: {
+          organization: {
+            modelName: "auth_tenant",
+            additionalFields: {
+              status: { type: "string", required: false, defaultValue: "active", input: true },
+              domain: { type: "string", required: false, input: true },
+              notes: { type: "string", required: false, defaultValue: "", input: true }
+            }
+          },
+          member: {
+            modelName: "auth_tenant_member",
+            fields: { organizationId: "tenant_id" }
+          },
+          invitation: {
+            modelName: "auth_tenant_invitation",
+            fields: { organizationId: "tenant_id" }
+          },
+          team: {
+            modelName: "auth_tenant_team",
+            fields: { organizationId: "tenant_id" }
+          }
+        }
+      })
+    ],
+    // ── Phase 4: Social providers ─────────────────────────────────────────
+    // Activated when the relevant env vars are set. Replaces the bespoke
+    // oauth-providers SonicJS plugin. Set via wrangler secret put / .dev.vars.
+    socialProviders: {
+      ...env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET ? { github: { clientId: env.GITHUB_CLIENT_ID, clientSecret: env.GITHUB_CLIENT_SECRET } } : {},
+      ...env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET ? { google: { clientId: env.GOOGLE_CLIENT_ID, clientSecret: env.GOOGLE_CLIENT_SECRET } } : {}
+    }
+  };
+}
+function createAuth(env, extendBetterAuth, requestBaseURL) {
+  if (!env.BETTER_AUTH_SECRET || env.BETTER_AUTH_SECRET.length < 16) {
+    throw new Error(
+      "BETTER_AUTH_SECRET is missing or too short. Set it as a Wrangler secret (wrangler secret put BETTER_AUTH_SECRET) or in a gitignored .dev.vars for local dev. Refusing to initialize auth without a strong signing secret."
+    );
+  }
+  const defaults = getDefaultAuthOptions(env, requestBaseURL);
+  const options = extendBetterAuth ? extendBetterAuth(defaults) : defaults;
+  return betterAuth.betterAuth(options);
+}
+
+exports.createAuth = createAuth;
+exports.getDefaultAuthOptions = getDefaultAuthOptions;
+//# sourceMappingURL=chunk-NUKJ54GA.cjs.map
+//# sourceMappingURL=chunk-NUKJ54GA.cjs.map

package/dist/chunk-NUKJ54GA.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/config.ts"],"names":["drizzle","withCloudflare","authUser","authSession","authAccount","authVerification","authTenant","authTenantMember","authTenantInvitation","authTenantTeam","baHashPassword","baVerifyPassword","isFirstUserRegistration","isRegistrationEnabled","APIError","magicLink","emailOTP","organization","betterAuth"],"mappings":";;;;;;;;;;;;;AAeA,eAAe,kBAAA,CACb,EAAA,EACA,EAAA,EACA,OAAA,EACA,IAAA,EACe;AACf,EAAA,IAAI;AACF,IAAA,MAAM,MAAO,MAAM,EAAA,CAChB,OAAA,CAAQ,iDAAiD,EACzD,KAAA,EAAM;AACT,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,MAAM,EAAE,QAAQ,SAAA,EAAW,QAAA,KAAa,IAAA,CAAK,KAAA,CAAM,IAAI,QAAQ,CAAA;AAG/D,MAAA,IAAI,UAAU,SAAA,EAAW;AACvB,QAAA,MAAM,MAAM,+BAAA,EAAiC;AAAA,UAC3C,MAAA,EAAQ,MAAA;AAAA,UACR,SAAS,EAAE,aAAA,EAAe,UAAU,MAAM,CAAA,CAAA,EAAI,gBAAgB,kBAAA,EAAmB;AAAA,UACjF,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,YACnB,IAAA,EAAM,CAAA,EAAG,QAAA,IAAY,SAAS,KAAK,SAAS,CAAA,CAAA,CAAA;AAAA,YAC5C,EAAA,EAAI,CAAC,EAAE,CAAA;AAAA,YACP,OAAA;AAAA,YACA;AAAA,WACD;AAAA,SACF,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAAgC;AACxC,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,eAAA,EAAkB,EAAE,CAAA,WAAA,EAAc,OAAO,CAAA,CAAE,CAAA;AACzD;AAmBA,eAAe,kBAAA,CAAmB,UAAkB,MAAA,EAAkC;AACpF,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AAC9B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAC/B,EAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,CAAC,GAAI,EAAE,CAAA;AACzC,EAAA,MAAM,SAAA,GAAY,KAAA,CAAM,CAAC,CAAA,CAAG,MAAM,OAAO,CAAA;AACzC,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,OAAO,QAAA,CAAS,UAAU,GAAG,OAAO,KAAA;AACvD,EAAA,MAAM,IAAA,GAAO,IAAI,UAAA,CAAW,SAAA,CAAU,GAAA,CAAI,CAAC,CAAA,KAAM,QAAA,CAAS,CAAA,EAAG,EAAE,CAAC,CAAC,CAAA;AACjE,EAAA,MAAM,KAAK,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,QAAQ,CAAA,EAAG,QAAA,EAAU,KAAA,EAAO,CAAC,YAAY,CAAC,CAAA;AACnH,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,MAAA,CAAO,WAAW,EAAE,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,UAAA,EAAY,IAAA,EAAM,SAAA,EAAU,EAAG,IAAI,GAAG,CAAA;AAC1G,EAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,IAAI,WAAW,IAAI,CAAC,EAAE,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE,CAAA;AACnG,EAAA,MAAM,QAAA,GAAW,MAAM,CAAC,CAAA;AACxB,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,QAAA,CAAS,MAAA,EAAQ,OAAO,KAAA;AAC9C,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,MAAA,EAAQ,CAAA,EAAA,EAAK,IAAA,IAAQ,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA,GAAI,QAAA,CAAS,WAAW,CAAC,CAAA;AAC5F,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AAMO,SAAS,qBAAA,CAAsB,KAAe,cAAA,EAAyB;AAC5E,EAAA,MAAM,EAAA,GAAKA,UAAA,CAAQ,GAAA,CAAI,EAAE,CAAA;AAEzB,EAAA,OAAO;AAAA,IACL,QAAQ,GAAA,CAAI,kBAAA;AAAA,IACZ,OAAA,EAAS,IAAI,eAAA,IAAmB,cAAA;AAAA,IAChC,OAAA,EAAS,SAAA;AAAA,IACT,GAAGC,mCAAA;AAAA,MACD;AAAA,QACE,mBAAA,EAAqB,IAAA;AAAA,QACrB,mBAAA,EAAqB,KAAA;AAAA,QACrB,IAAI,EAAC;AAAA,QACL,EAAA,EAAI;AAAA,UACF,EAAA;AAAA,UACA,OAAA,EAAS;AAAA;AAAA,YAEP,QAAQ,EAAE,SAAA,EAAWC,0BAAA,EAAU,YAAA,EAAcC,+BAAa,YAAA,EAAcC,6BAAA,EAAa,iBAAA,EAAmBC,kCAAA,EAAkB,aAAaC,4BAAA,EAAY,kBAAA,EAAoBC,oCAAkB,sBAAA,EAAwBC,sCAAA,EAAsB,kBAAkBC,gCAAA;AAAe;AAC1Q,SACF;AAAA,QACA,IAAI,GAAA,CAAI;AAAA;AAAA,OACV;AAAA,MACA;AAAA,QACE,QAAA,EAAU,OAAA;AAAA,QACV,gBAAA,EAAkB;AAAA,UAChB,OAAA,EAAS,IAAA;AAAA,UACT,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA,UAIZ,QAAA,EAAU;AAAA,YACR,MAAA,EAAQ,OAAO,EAAE,IAAA,EAAM,UAAS,KAA0C;AACxE,cAAA,IAAI,IAAA,CAAK,UAAA,CAAW,SAAS,CAAA,EAAG;AAC9B,gBAAA,MAAM,EAAA,GAAK,MAAM,kBAAA,CAAmB,QAAA,EAAU,IAAI,CAAA;AAClD,gBAAA,IAAI,EAAA,EAAI;AACN,kBAAA,MAAM,QAAA,GAAW,MAAMC,qBAAA,CAAe,QAAQ,CAAA;AAC9C,kBAAA,MAAM,IAAI,EAAA,CAAG,OAAA;AAAA,oBACX;AAAA,mBACF,CACG,IAAA,CAAK,QAAA,EAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG,IAAI,CAAA,CAClD,GAAA,EAAI;AAAA,gBACT;AACA,gBAAA,OAAO,EAAA;AAAA,cACT;AACA,cAAA,OAAOC,uBAAA,CAAiB,EAAE,IAAA,EAAM,QAAA,EAAU,CAAA;AAAA,YAC5C;AAAA;AACF,SACF;AAAA,QACA,IAAA,EAAM;AAAA,UACJ,SAAA,EAAW,WAAA;AAAA;AAAA;AAAA;AAAA,UAIX,MAAA,EAAQ;AAAA,YACN,KAAA,EAAO;AAAA,WACT;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,KAAA,EAAO,KAAA,EAAM;AAAA,YAC9E,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,KAAA,EAAO,YAAA,EAAc,EAAA,EAAI,KAAA,EAAO,IAAA,EAAK;AAAA,YAC5E,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,KAAA,EAAO,YAAA,EAAc,EAAA,EAAI,KAAA,EAAO,IAAA,EAAK;AAAA,YAC3E,YAAA,EAAc,EAAE,IAAA,EAAM,SAAA,EAAW,UAAU,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,KAAA,EAAO,KAAA;AAAM;AACtF,SACF;AAAA,QACA,OAAA,EAAS;AAAA,UACP,SAAA,EAAW,cAAA;AAAA;AAAA;AAAA,UAGX,SAAA,EAAW,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA;AAAA;AAAA,UAC1B,SAAA,EAAW,KAAK,EAAA,GAAK;AAAA;AAAA,SACvB;AAAA,QACA,OAAA,EAAS,EAAE,SAAA,EAAW,cAAA,EAAe;AAAA,QACrC,YAAA,EAAc,EAAE,SAAA,EAAW,mBAAA,EAAoB;AAAA,QAC/C,aAAA,EAAe;AAAA,UACb,IAAA,EAAM;AAAA,YACJ,MAAA,EAAQ;AAAA,cACN,MAAA,EAAQ,OAAO,QAAA,KAAsC;AACnD,gBAAA,MAAM,OAAA,GAAU,MAAMC,yCAAA,CAAwB,GAAA,CAAI,EAAE,CAAA;AACpD,gBAAA,IAAI,CAAC,OAAA,EAAS;AACZ,kBAAA,MAAM,OAAA,GAAU,MAAMC,uCAAA,CAAsB,GAAA,CAAI,EAAE,CAAA;AAClD,kBAAA,IAAI,CAAC,OAAA,EAAS;AACZ,oBAAA,MAAM,IAAIC,YAAA,CAAS,aAAA,EAAe,EAAE,OAAA,EAAS,uCAAuC,CAAA;AAAA,kBACtF;AAAA,gBACF;AACA,gBAAA,MAAM,CAAA,GAAI,QAAA;AAGV,gBAAA,MAAM,IAAA,GAAA,CAAQ,CAAA,CAAE,IAAA,IAAQ,MAAA,EAAQ,QAAA,EAAS;AACzC,gBAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,EAAK,CAAE,MAAM,KAAK,CAAA;AAGrC,gBAAA,MAAM,SAAA,GAAY,CAAA,CAAE,SAAA,IAAa,KAAA,CAAM,CAAC,CAAA,IAAK,MAAA;AAC7C,gBAAA,MAAM,QAAA,GAAW,EAAE,QAAA,IAAY,KAAA,CAAM,MAAM,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,SAAA;AAC3D,gBAAA,OAAO,EAAE,IAAA,EAAM,EAAE,GAAG,QAAA,EAAU,MAAM,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,cAC5E,CAAA;AAAA,cACA,KAAA,EAAO,OAAO,IAAA,KAAyB;AAIrC,gBAAA,IAAI;AAIF,kBAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,OAAO,qBAAkB,CAAA;AACvD,kBAAA,MAAM,IAAA,GAAO,IAAI,WAAA,CAAY,GAAA,CAAI,EAAE,CAAA;AACnC,kBAAA,MAAM,QAAA,GAAY,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,EAAE,CAAA,KAAO,IAAI,OAAA,GAAU,QAAA;AAC3E,kBAAA,MAAM,IAAA,CAAK,iBAAA,CAAkB,IAAA,CAAK,EAAA,EAAI,QAAQ,CAAA;AAAA,gBAChD,CAAA,CAAA,MAAQ;AAAA,gBAER;AAAA,cACF;AAAA;AACF;AACF;AACF;AACF,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,OAAA,EAAS;AAAA;AAAA;AAAA,MAGPC,mBAAA,CAAU;AAAA,QACR,eAAe,OAAO,EAAE,KAAA,EAAO,GAAA,IAAuC,QAAA,KAAkB;AACtF,UAAA,MAAM,kBAAA;AAAA,YACJ,GAAA,CAAI,EAAA;AAAA,YAAI,KAAA;AAAA,YACR,mBAAA;AAAA,YACA,CAAA;AAAA;AAAA;AAAA,0BAAA,EAGgB,GAAG,CAAA;AAAA,4DAAA,EAC+B,GAAG,CAAA;AAAA,kBAAA;AAAA,WAEvD;AAAA,QACF,CAAA;AAAA,QACA,WAAW,EAAA,GAAK;AAAA,OACjB,CAAA;AAAA;AAAA,MAGDC,iBAAA,CAAS;AAAA,QACP,mBAAA,EAAqB,OAAO,MAAA,EAAsD,QAAA,KAAkB;AAClG,UAAA,MAAM,kBAAA;AAAA,YACJ,GAAA,CAAI,EAAA;AAAA,YAAI,MAAA,CAAO,KAAA;AAAA,YACf,mBAAA;AAAA,YACA,CAAA;AAAA;AAAA,0FAAA,EAEgF,OAAO,GAAG,CAAA;AAAA;AAAA,kBAAA;AAAA,WAG5F;AAAA,QACF,CAAA;AAAA,QACA,SAAA,EAAW,CAAA;AAAA,QACX,WAAW,EAAA,GAAK;AAAA,OACjB,CAAA;AAAA,MAEDC,yBAAA,CAAa;AAAA,QACX,MAAA,EAAQ;AAAA,UACN,YAAA,EAAc;AAAA,YACZ,SAAA,EAAW,aAAA;AAAA,YACX,gBAAA,EAAkB;AAAA,cAChB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,KAAA,EAAO,IAAA,EAAK;AAAA,cAC/E,QAAQ,EAAE,IAAA,EAAM,UAAU,QAAA,EAAU,KAAA,EAAO,OAAO,IAAA,EAAK;AAAA,cACvD,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,KAAA,EAAO,YAAA,EAAc,EAAA,EAAI,KAAA,EAAO,IAAA;AAAK;AAC1E,WACF;AAAA,UACA,MAAA,EAAQ;AAAA,YACN,SAAA,EAAW,oBAAA;AAAA,YACX,MAAA,EAAQ,EAAE,cAAA,EAAgB,WAAA;AAAY,WACxC;AAAA,UACA,UAAA,EAAY;AAAA,YACV,SAAA,EAAW,wBAAA;AAAA,YACX,MAAA,EAAQ,EAAE,cAAA,EAAgB,WAAA;AAAY,WACxC;AAAA,UACA,IAAA,EAAM;AAAA,YACJ,SAAA,EAAW,kBAAA;AAAA,YACX,MAAA,EAAQ,EAAE,cAAA,EAAgB,WAAA;AAAY;AACxC;AACF,OACD;AAAA,KACH;AAAA;AAAA;AAAA;AAAA,IAKA,eAAA,EAAiB;AAAA,MACf,GAAI,GAAA,CAAI,gBAAA,IAAoB,GAAA,CAAI,oBAAA,GAC5B,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAU,GAAA,CAAI,kBAAkB,YAAA,EAAc,GAAA,CAAI,oBAAA,EAAqB,KACnF,EAAC;AAAA,MACL,GAAI,GAAA,CAAI,gBAAA,IAAoB,GAAA,CAAI,oBAAA,GAC5B,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAU,GAAA,CAAI,kBAAkB,YAAA,EAAc,GAAA,CAAI,oBAAA,EAAqB,KACnF;AAAC;AACP,GACF;AACF;AAMO,SAAS,UAAA,CAAW,GAAA,EAAe,gBAAA,EAAqC,cAAA,EAAyB;AAItG,EAAA,IAAI,CAAC,GAAA,CAAI,kBAAA,IAAsB,GAAA,CAAI,kBAAA,CAAmB,SAAS,EAAA,EAAI;AACjE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAGF;AAAA,EACF;AACA,EAAA,MAAM,QAAA,GAAW,qBAAA,CAAsB,GAAA,EAAK,cAAc,CAAA;AAC1D,EAAA,MAAM,OAAA,GAAU,gBAAA,GAAmB,gBAAA,CAAiB,QAAQ,CAAA,GAAI,QAAA;AAChE,EAAA,OAAOC,sBAAW,OAA2C,CAAA;AAC/D","file":"chunk-NUKJ54GA.cjs","sourcesContent":["/**\n * Better Auth configuration for SonicJS — via the better-auth-cloudflare shim.\n *\n * A fresh auth instance is built per request (Workers lifecycle). The existing\n * `auth_user` table is used as Better Auth's user model. Legacy SonicJS PBKDF2\n * hashes are verified and transparently upgraded to scrypt on first login. KV\n * (CACHE_KV) is used as session secondary storage so getSession does not hit D1\n * on every request.\n *\n * Extend via config.auth.extendBetterAuth in createSonicJSApp() to add social\n * providers, magic link, 2FA, etc.\n */\n/** Send an email via the SonicJS email plugin (Resend).\n *  Loads apiKey/fromEmail/fromName from the `plugins` table at runtime.\n *  Falls back to console.log when the plugin is unconfigured (local dev). */\nasync function sendViaEmailPlugin(\n  db: D1Database,\n  to: string,\n  subject: string,\n  html: string\n): Promise<void> {\n  try {\n    const row = (await db\n      .prepare(\"SELECT settings FROM plugins WHERE id = 'email'\")\n      .first()) as { settings: string } | null\n    if (row?.settings) {\n      const { apiKey, fromEmail, fromName } = JSON.parse(row.settings) as {\n        apiKey?: string; fromEmail?: string; fromName?: string\n      }\n      if (apiKey && fromEmail) {\n        await fetch('https://api.resend.com/emails', {\n          method: 'POST',\n          headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },\n          body: JSON.stringify({\n            from: `${fromName ?? 'SonicJS'} <${fromEmail}>`,\n            to: [to],\n            subject,\n            html,\n          }),\n        })\n        return\n      }\n    }\n  } catch { /* fall through to dev log */ }\n  console.log(`[email-dev] To:${to} | Subject:${subject}`)\n}\n\nimport { betterAuth } from 'better-auth'\nimport { withCloudflare } from 'better-auth-cloudflare'\nimport { hashPassword as baHashPassword, verifyPassword as baVerifyPassword } from 'better-auth/crypto'\nimport { APIError } from 'better-auth/api'\nimport { magicLink } from 'better-auth/plugins/magic-link'\nimport { emailOTP } from 'better-auth/plugins/email-otp'\nimport { organization } from 'better-auth/plugins/organization'\nimport { drizzle } from 'drizzle-orm/d1'\nimport { authUser, authSession, authAccount, authVerification, authTenant, authTenantMember, authTenantInvitation, authTenantTeam } from '../db/schema'\nimport { isRegistrationEnabled, isFirstUserRegistration } from '../services/auth-validation'\nimport type { Bindings } from '../app'\n\n/**\n * Verify a password against a SonicJS legacy PBKDF2 hash:\n *   pbkdf2:<iterations>:<saltHex>:<hashHex>   (PBKDF2-SHA256, 256-bit)\n * Mirrors AuthManager.verifyPassword in middleware/auth.ts.\n */\nasync function verifyLegacyPbkdf2(password: string, stored: string): Promise<boolean> {\n  const parts = stored.split(':')\n  if (parts.length !== 4) return false\n  const iterations = parseInt(parts[1]!, 10)\n  const saltBytes = parts[2]!.match(/.{2}/g)\n  if (!saltBytes || !Number.isFinite(iterations)) return false\n  const salt = new Uint8Array(saltBytes.map((b) => parseInt(b, 16)))\n  const km = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits'])\n  const bits = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations, hash: 'SHA-256' }, km, 256)\n  const actual = Array.from(new Uint8Array(bits)).map((b) => b.toString(16).padStart(2, '0')).join('')\n  const expected = parts[3]!\n  if (actual.length !== expected.length) return false\n  let diff = 0\n  for (let i = 0; i < actual.length; i++) diff |= actual.charCodeAt(i) ^ expected.charCodeAt(i)\n  return diff === 0\n}\n\n/**\n * Build the default Better Auth options used by SonicJS (through the CF shim).\n * Exported so apps can extend via config.auth.extendBetterAuth.\n */\nexport function getDefaultAuthOptions(env: Bindings, requestBaseURL?: string) {\n  const db = drizzle(env.DB)\n\n  return {\n    secret: env.BETTER_AUTH_SECRET,\n    baseURL: env.BETTER_AUTH_URL || requestBaseURL,\n    appName: 'SonicJS',\n    ...withCloudflare(\n      {\n        autoDetectIpAddress: true,\n        geolocationTracking: false,\n        cf: {},\n        d1: {\n          db,\n          options: {\n            // Keys MUST match modelName values — BA resolves by modelName, not by JS variable name.\n            schema: { auth_user: authUser, auth_session: authSession, auth_account: authAccount, auth_verification: authVerification, auth_tenant: authTenant, auth_tenant_member: authTenantMember, auth_tenant_invitation: authTenantInvitation, auth_tenant_team: authTenantTeam },\n          },\n        },\n        kv: env.CACHE_KV, // session secondary storage → getSession skips D1\n      },\n      {\n        basePath: '/auth',\n        emailAndPassword: {\n          enabled: true,\n          autoSignIn: true,\n          // Transparent migration of SonicJS legacy PBKDF2 hashes: verify against\n          // the old format on login, then re-hash to scrypt and persist. No\n          // mass-rehash, no forced password resets.\n          password: {\n            verify: async ({ hash, password }: { hash: string; password: string }) => {\n              if (hash.startsWith('pbkdf2:')) {\n                const ok = await verifyLegacyPbkdf2(password, hash)\n                if (ok) {\n                  const upgraded = await baHashPassword(password)\n                  await env.DB.prepare(\n                    \"UPDATE auth_account SET password = ?, updated_at = ? WHERE password = ? AND provider_id = 'credential'\"\n                  )\n                    .bind(upgraded, Math.floor(Date.now() / 1000), hash)\n                    .run()\n                }\n                return ok\n              }\n              return baVerifyPassword({ hash, password })\n            },\n          },\n        },\n        user: {\n          modelName: 'auth_user',\n          // Field-mapping values are Drizzle *property keys* (camelCase), which\n          // already match Better Auth's defaults for emailVerified/createdAt/\n          // updatedAt. Only `image` differs (SonicJS uses `avatar`).\n          fields: {\n            image: 'avatar',\n          },\n          additionalFields: {\n            role: { type: 'string', required: false, defaultValue: 'viewer', input: false },\n            firstName: { type: 'string', required: false, defaultValue: '', input: true },\n            lastName: { type: 'string', required: false, defaultValue: '', input: true },\n            isSuperAdmin: { type: 'boolean', required: false, defaultValue: false, input: false },\n          },\n        },\n        session: {\n          modelName: 'auth_session',\n          // Drizzle property keys already match Better Auth defaults (userId,\n          // expiresAt, ipAddress, …) — no field overrides needed.\n          expiresIn: 60 * 60 * 24 * 7, // 7 days\n          updateAge: 60 * 60 * 24, // refresh once per day\n        },\n        account: { modelName: 'auth_account' },\n        verification: { modelName: 'auth_verification' },\n        databaseHooks: {\n          user: {\n            create: {\n              before: async (userData: Record<string, unknown>) => {\n                const isFirst = await isFirstUserRegistration(env.DB)\n                if (!isFirst) {\n                  const enabled = await isRegistrationEnabled(env.DB)\n                  if (!enabled) {\n                    throw new APIError('BAD_REQUEST', { message: 'Registration is currently disabled.' })\n                  }\n                }\n                const d = userData as {\n                  name?: string; email?: string; firstName?: string; lastName?: string\n                }\n                const name = (d.name ?? 'User').toString()\n                const parts = name.trim().split(/\\s+/)\n                // Prefer explicitly-provided fields (registration form); fall back\n                // to values derived from name/email.\n                const firstName = d.firstName || parts[0] || 'User'\n                const lastName = d.lastName || parts.slice(1).join(' ') || firstName\n                return { data: { ...userData, name, firstName, lastName, role: 'viewer' } }\n              },\n              after: async (user: { id: string }) => {\n                // Assign dynamic RBAC membership. The first real user receives\n                // Administrator so fresh installs can enter the portal; later\n                // self-registered users receive Viewer.\n                try {\n                  // RBAC roles/assignments are document-backed (services/rbac.ts).\n                  // First real portal admin → Administrator; later users → Viewer.\n                  // setUserRoles (via addUserRoleByName) also projects auth_user.role.\n                  const { RbacService } = await import('../services/rbac')\n                  const rbac = new RbacService(env.DB)\n                  const roleName = (await rbac.countPortalAdmins(user.id)) === 0 ? 'admin' : 'viewer'\n                  await rbac.addUserRoleByName(user.id, roleName)\n                } catch {\n                  /* rbac docs may not be seeded yet on older schemas — non-fatal */\n                }\n              },\n            },\n          },\n        },\n      }\n    ),\n\n    // ── Phase 4: BA-native login methods ─────────────────────────────────────\n    // Magic-link and Email-OTP replace the standalone SonicJS plugins that\n    // minted JWT cookies. Social providers replace the bespoke oauth-providers\n    // plugin. All are gated on the relevant env vars / email service config\n    // so they activate only when configured.\n\n    plugins: [\n      // Magic-link passwordless auth. Sends a one-time link to the user's inbox;\n      // the link resolves to a BA session. Requires a working email service.\n      magicLink({\n        sendMagicLink: async ({ email, url }: { email: string; url: string }, _request: any) => {\n          await sendViaEmailPlugin(\n            env.DB, email,\n            'Your sign-in link',\n            `<div style=\"font-family:sans-serif;max-width:600px\">\n              <h2>Sign in to SonicJS</h2>\n              <p>Click the link below to sign in. Expires in 15 minutes.</p>\n              <p><a href=\"${url}\" style=\"background:#465FFF;color:#fff;padding:12px 24px;border-radius:6px;text-decoration:none\">Sign in</a></p>\n              <p style=\"color:#666;font-size:12px\">Or copy: ${url}</p>\n            </div>`\n          )\n        },\n        expiresIn: 15 * 60,\n      }),\n\n      // Email OTP — 6-digit code sent to inbox. Replaces the otp-login-plugin.\n      emailOTP({\n        sendVerificationOTP: async (params: { email: string; otp: string; type: string }, _request: any) => {\n          await sendViaEmailPlugin(\n            env.DB, params.email,\n            'Your sign-in code',\n            `<div style=\"font-family:sans-serif;max-width:600px\">\n              <h2>Your one-time code</h2>\n              <p style=\"font-size:36px;font-weight:bold;letter-spacing:8px;color:#465FFF\">${params.otp}</p>\n              <p style=\"color:#666\">Expires in 10 minutes. Do not share this code.</p>\n            </div>`\n          )\n        },\n        otpLength: 6,\n        expiresIn: 10 * 60,\n      }),\n\n      organization({\n        schema: {\n          organization: {\n            modelName: 'auth_tenant',\n            additionalFields: {\n              status: { type: 'string', required: false, defaultValue: 'active', input: true },\n              domain: { type: 'string', required: false, input: true },\n              notes: { type: 'string', required: false, defaultValue: '', input: true },\n            },\n          },\n          member: {\n            modelName: 'auth_tenant_member',\n            fields: { organizationId: 'tenant_id' },\n          },\n          invitation: {\n            modelName: 'auth_tenant_invitation',\n            fields: { organizationId: 'tenant_id' },\n          },\n          team: {\n            modelName: 'auth_tenant_team',\n            fields: { organizationId: 'tenant_id' },\n          },\n        },\n      }),\n    ],\n\n    // ── Phase 4: Social providers ─────────────────────────────────────────\n    // Activated when the relevant env vars are set. Replaces the bespoke\n    // oauth-providers SonicJS plugin. Set via wrangler secret put / .dev.vars.\n    socialProviders: {\n      ...(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET\n        ? { github: { clientId: env.GITHUB_CLIENT_ID, clientSecret: env.GITHUB_CLIENT_SECRET } }\n        : {}),\n      ...(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET\n        ? { google: { clientId: env.GOOGLE_CLIENT_ID, clientSecret: env.GOOGLE_CLIENT_SECRET } }\n        : {}),\n    },\n  }\n}\n\nexport type BetterAuthDefaultOptions = ReturnType<typeof getDefaultAuthOptions>\nexport type ExtendBetterAuth = (opts: BetterAuthDefaultOptions) => BetterAuthDefaultOptions\n\n/** Create a Better Auth instance for this request. */\nexport function createAuth(env: Bindings, extendBetterAuth?: ExtendBetterAuth, requestBaseURL?: string) {\n  // Hard-fail rather than sign sessions with an undefined/blank secret. The\n  // secret must be provided via `wrangler secret put BETTER_AUTH_SECRET`\n  // (prod/preview) or a gitignored `.dev.vars` (local) — never committed.\n  if (!env.BETTER_AUTH_SECRET || env.BETTER_AUTH_SECRET.length < 16) {\n    throw new Error(\n      'BETTER_AUTH_SECRET is missing or too short. Set it as a Wrangler secret ' +\n        '(wrangler secret put BETTER_AUTH_SECRET) or in a gitignored .dev.vars for local dev. ' +\n        'Refusing to initialize auth without a strong signing secret.'\n    )\n  }\n  const defaults = getDefaultAuthOptions(env, requestBaseURL)\n  const options = extendBetterAuth ? extendBetterAuth(defaults) : defaults\n  return betterAuth(options as Parameters<typeof betterAuth>[0])\n}\n\nexport type SonicJSAuth = ReturnType<typeof createAuth>\n"]}