@wopr-network/platform-core 0.1.0

package/dist/email/templates.js

@@ -0,0 +1,359 @@
+/**
+ * Email Templates — HTML and plain text templates for all transactional emails.
+ *
+ * Each template has an HTML and a plain text version. HTML uses inline styles
+ * for maximum email client compatibility. All user-supplied values are escaped
+ * to prevent XSS.
+ */
+import { escapeHtml } from "./resend-adapter.js";
+// ---------------------------------------------------------------------------
+// Shared layout helpers
+// ---------------------------------------------------------------------------
+function wrapHtml(title, bodyContent) {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(title)}</title>
+</head>
+<body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f4f4f4;">
+  <table role="presentation" style="width: 100%; border-collapse: collapse;">
+    <tr>
+      <td style="padding: 40px 0; text-align: center;">
+        <table role="presentation" style="width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
+          ${bodyContent}
+        </table>
+        <p style="margin-top: 20px; color: #a0aec0; font-size: 12px;">&copy; ${new Date().getFullYear()} WOPR Network. All rights reserved.</p>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}
+function heading(text) {
+    return `<tr>
+  <td style="padding: 40px 40px 20px 40px; text-align: center;">
+    <h1 style="margin: 0; font-size: 24px; font-weight: 600; color: #1a1a1a;">${escapeHtml(text)}</h1>
+  </td>
+</tr>`;
+}
+function paragraph(html) {
+    return `<tr>
+  <td style="padding: 0 40px 20px 40px; color: #4a5568; font-size: 16px; line-height: 24px;">
+    ${html}
+  </td>
+</tr>`;
+}
+function button(url, label, color = "#2563eb") {
+    return `<tr>
+  <td style="padding: 0 40px 30px 40px; text-align: center;">
+    <a href="${escapeHtml(url)}" style="display: inline-block; padding: 12px 32px; background-color: ${color}; color: #ffffff; text-decoration: none; font-weight: 600; border-radius: 6px; font-size: 16px;">${escapeHtml(label)}</a>
+  </td>
+</tr>`;
+}
+function footer(text) {
+    return `<tr>
+  <td style="padding: 0 40px 40px 40px; color: #718096; font-size: 14px; line-height: 20px; border-top: 1px solid #e2e8f0;">
+    <p style="margin-top: 20px;">${text}</p>
+  </td>
+</tr>`;
+}
+function unsubscribeFooter(unsubscribeUrl) {
+    if (!unsubscribeUrl)
+        return "";
+    return `<tr>
+  <td style="padding: 0 40px 20px 40px; text-align: center; color: #a0aec0; font-size: 12px;">
+    <a href="${escapeHtml(unsubscribeUrl)}" style="color: #a0aec0; text-decoration: underline;">Unsubscribe from billing notifications</a>
+  </td>
+</tr>`;
+}
+function unsubscribeText(unsubscribeUrl) {
+    if (!unsubscribeUrl)
+        return "";
+    return `\n\nTo unsubscribe from billing notifications: ${unsubscribeUrl}`;
+}
+/** Build the unsubscribe URL from a creditsUrl by deriving the origin. */
+function buildUnsubscribeUrl(creditsUrl) {
+    try {
+        const base = new URL(creditsUrl);
+        return `${base.origin}/settings/notifications`;
+    }
+    catch {
+        // If creditsUrl is not a valid absolute URL, fall back to simple concatenation.
+        return `${creditsUrl.replace(/\/+$/, "").split("/").slice(0, 3).join("/")}/settings/notifications`;
+    }
+}
+// ---------------------------------------------------------------------------
+// 1. Verify Email
+// ---------------------------------------------------------------------------
+export function verifyEmailTemplate(verifyUrl, email) {
+    const escapedEmail = escapeHtml(email);
+    const escapedUrl = escapeHtml(verifyUrl);
+    const html = wrapHtml("Verify Your Email", [
+        heading("Verify Your Email"),
+        paragraph(`<p>Thanks for signing up for WOPR! Please verify your email address (<strong>${escapedEmail}</strong>) to activate your account.</p>
+    <p>Click the button below to verify. This link will expire in 24 hours.</p>`),
+        button(verifyUrl, "Verify Email"),
+        paragraph(`<p style="color: #718096; font-size: 14px;">Or copy and paste this URL into your browser:</p>
+    <p style="word-break: break-all; color: #2563eb; font-size: 14px;">${escapedUrl}</p>`),
+        footer("If you didn't create a WOPR account, you can safely ignore this email."),
+    ].join("\n"));
+    const text = `Verify Your Email
+
+Thanks for signing up for WOPR! Please verify your email address (${email}) to activate your account.
+
+Click the link below to verify. This link will expire in 24 hours.
+
+${verifyUrl}
+
+If you didn't create a WOPR account, you can safely ignore this email.
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Verify your WOPR account", html, text };
+}
+// ---------------------------------------------------------------------------
+// 2. Welcome
+// ---------------------------------------------------------------------------
+export function welcomeTemplate(email) {
+    const escapedEmail = escapeHtml(email);
+    const html = wrapHtml("Welcome to WOPR", [
+        heading("Welcome to WOPR!"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p>Your email has been verified and your account is now active. You've been granted <strong>$5.00 in free credits</strong> to get started.</p>
+    <p>You can now create bots, connect them to Discord, Slack, and more.</p>`),
+        footer("Happy building!"),
+    ].join("\n"));
+    const text = `Welcome to WOPR!
+
+Hi ${email},
+
+Your email has been verified and your account is now active. You've been granted $5.00 in free credits to get started.
+
+You can now create bots, connect them to Discord, Slack, and more.
+
+Happy building!
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Welcome to WOPR", html, text };
+}
+// ---------------------------------------------------------------------------
+// 3. Password Reset (supersedes WOP-346 inline template)
+// ---------------------------------------------------------------------------
+export function passwordResetEmailTemplate(resetUrl, email) {
+    const escapedEmail = escapeHtml(email);
+    const escapedUrl = escapeHtml(resetUrl);
+    const html = wrapHtml("Reset Your Password", [
+        heading("Reset Your Password"),
+        paragraph(`<p>Hi there,</p>
+    <p>You requested a password reset for your WOPR account (<strong>${escapedEmail}</strong>).</p>
+    <p>Click the button below to create a new password. This link will expire in 1 hour.</p>`),
+        button(resetUrl, "Reset Password"),
+        paragraph(`<p style="color: #718096; font-size: 14px;">Or copy and paste this URL into your browser:</p>
+    <p style="word-break: break-all; color: #2563eb; font-size: 14px;">${escapedUrl}</p>`),
+        footer("If you didn't request this password reset, you can safely ignore this email."),
+    ].join("\n"));
+    const text = `Reset Your Password
+
+Hi there,
+
+You requested a password reset for your WOPR account (${email}).
+
+Click the link below to create a new password. This link will expire in 1 hour.
+
+${resetUrl}
+
+If you didn't request this password reset, you can safely ignore this email.
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Reset your WOPR password", html, text };
+}
+// ---------------------------------------------------------------------------
+// 4. Credit Purchase
+// ---------------------------------------------------------------------------
+export function creditPurchaseTemplate(email, amountDollars, newBalanceDollars, creditsUrl) {
+    const escapedEmail = escapeHtml(email);
+    const escapedAmount = escapeHtml(amountDollars);
+    const balanceLine = newBalanceDollars
+        ? `<p>Your new balance is <strong>${escapeHtml(newBalanceDollars)}</strong>.</p>`
+        : "<p>Your updated balance is now available in your dashboard.</p>";
+    const balanceTextLine = newBalanceDollars
+        ? `Your new balance is ${newBalanceDollars}.`
+        : "Your updated balance is now available in your dashboard.";
+    const parts = [
+        heading("Credits Added to Your Account"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p><strong>${escapedAmount}</strong> in credits has been added to your WOPR account.</p>
+    ${balanceLine}`),
+    ];
+    if (creditsUrl)
+        parts.push(button(creditsUrl, "View Credits"));
+    parts.push(footer("Thank you for supporting WOPR!"));
+    parts.push(unsubscribeFooter(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined));
+    const html = wrapHtml("Credits Added", parts.join("\n"));
+    const text = `Credits Added to Your Account
+
+Hi ${email},
+
+${amountDollars} in credits has been added to your WOPR account.
+${balanceTextLine}
+${creditsUrl ? `\nView your credits: ${creditsUrl}` : ""}
+Thank you for supporting WOPR!${unsubscribeText(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined)}
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Credits added to your account", html, text };
+}
+// ---------------------------------------------------------------------------
+// 5. Low Balance
+// ---------------------------------------------------------------------------
+export function lowBalanceTemplate(email, balanceDollars, estimatedDaysRemaining, creditsUrl) {
+    const escapedEmail = escapeHtml(email);
+    const escapedBalance = escapeHtml(balanceDollars);
+    const daysLine = estimatedDaysRemaining != null
+        ? `<p>At your current usage, your credits will run out in approximately <strong>${estimatedDaysRemaining} day${estimatedDaysRemaining === 1 ? "" : "s"}</strong>.</p>`
+        : "";
+    const daysTextLine = estimatedDaysRemaining != null
+        ? `At your current usage, your credits will run out in approximately ${estimatedDaysRemaining} day${estimatedDaysRemaining === 1 ? "" : "s"}.`
+        : "";
+    const parts = [
+        heading("Your WOPR Credits Are Running Low"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p>Your WOPR credit balance is now <strong>${escapedBalance}</strong>. When your balance reaches $0, your bots will be paused.</p>
+    ${daysLine}
+    <p>Top up your credits to keep your bots running.</p>`),
+    ];
+    if (creditsUrl)
+        parts.push(button(creditsUrl, "Buy Credits"));
+    parts.push(footer("This is an automated notification based on your account balance."));
+    parts.push(unsubscribeFooter(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined));
+    const html = wrapHtml("Low Balance", parts.join("\n"));
+    const text = `Your WOPR Credits Are Running Low
+
+Hi ${email},
+
+Your WOPR credit balance is now ${balanceDollars}. When your balance reaches $0, your bots will be paused.
+${daysTextLine ? `${daysTextLine}\n` : ""}
+Top up your credits to keep your bots running.
+${creditsUrl ? `\nBuy credits: ${creditsUrl}` : ""}${unsubscribeText(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined)}
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Your WOPR credits are running low", html, text };
+}
+// ---------------------------------------------------------------------------
+// 6. Bot Suspended
+// ---------------------------------------------------------------------------
+export function botSuspendedTemplate(email, botName, reason, creditsUrl) {
+    const escapedEmail = escapeHtml(email);
+    const escapedBotName = escapeHtml(botName);
+    const escapedReason = escapeHtml(reason);
+    const parts = [
+        heading("Your Bot Has Been Suspended"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p>Your bot <strong>${escapedBotName}</strong> has been suspended.</p>
+    <p><strong>Reason:</strong> ${escapedReason}</p>
+    <p>Buy credits to reactivate instantly. Your data is preserved for 30 days.</p>`),
+    ];
+    if (creditsUrl)
+        parts.push(button(creditsUrl, "Buy Credits to Reactivate"));
+    parts.push(footer("If you need help, reply to this email or contact support@wopr.bot."));
+    parts.push(unsubscribeFooter(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined));
+    const html = wrapHtml("Bot Suspended", parts.join("\n"));
+    const text = `Your Bot Has Been Suspended
+
+Hi ${email},
+
+Your bot "${botName}" has been suspended.
+
+Reason: ${reason}
+
+Buy credits to reactivate instantly. Your data is preserved for 30 days.
+${creditsUrl ? `\nBuy credits: ${creditsUrl}` : ""}
+If you need help, reply to this email or contact support@wopr.bot.${unsubscribeText(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined)}
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Your bot has been suspended", html, text };
+}
+// ---------------------------------------------------------------------------
+// 7. Bot Destruction Warning
+// ---------------------------------------------------------------------------
+export function botDestructionTemplate(email, botName, daysRemaining, creditsUrl) {
+    const escapedEmail = escapeHtml(email);
+    const escapedBotName = escapeHtml(botName);
+    const days = String(daysRemaining);
+    const deadline = new Date(Date.now() + daysRemaining * 24 * 60 * 60 * 1000).toLocaleDateString("en-US", {
+        month: "long",
+        day: "numeric",
+        year: "numeric",
+    });
+    const parts = [
+        heading("URGENT: Bot Data Will Be Deleted"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p>Your bot <strong>${escapedBotName}</strong> has been suspended and its data will be permanently deleted in <strong>${escapeHtml(days)} days</strong> (by ${escapeHtml(deadline)}).</p>
+    <p>Buy credits before the deadline to save your data.</p>`),
+    ];
+    if (creditsUrl)
+        parts.push(button(creditsUrl, "Buy Credits Now", "#dc2626"));
+    parts.push(footer("This action is irreversible. All bot configuration, history, and connected services will be removed."));
+    parts.push(unsubscribeFooter(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined));
+    const html = wrapHtml("Bot Data Deletion", parts.join("\n"));
+    const text = `URGENT: Bot Data Will Be Deleted
+
+Hi ${email},
+
+Your bot "${botName}" has been suspended and its data will be permanently deleted in ${daysRemaining} days (by ${deadline}).
+
+Buy credits before the deadline to save your data.
+${creditsUrl ? `\nBuy credits now: ${creditsUrl}` : ""}
+This action is irreversible. All bot configuration, history, and connected services will be removed.${unsubscribeText(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined)}
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: `URGENT: Your bot data will be deleted in ${daysRemaining} days`, html, text };
+}
+// ---------------------------------------------------------------------------
+// 8. Data Deleted Confirmation
+// ---------------------------------------------------------------------------
+export function dataDeletedTemplate(email, creditsUrl) {
+    const escapedEmail = escapeHtml(email);
+    const parts = [
+        heading("Your Bot Data Has Been Deleted"),
+        paragraph(`<p>Hi <strong>${escapedEmail}</strong>,</p>
+    <p>Your suspended bot data has been permanently deleted after 30 days of inactivity.</p>
+    <p>You can create a new bot anytime by adding credits to your account.</p>`),
+    ];
+    if (creditsUrl)
+        parts.push(button(creditsUrl, "Add Credits"));
+    parts.push(footer("If you have questions, contact support@wopr.bot."));
+    parts.push(unsubscribeFooter(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined));
+    const html = wrapHtml("Data Deleted", parts.join("\n"));
+    const text = `Your Bot Data Has Been Deleted
+
+Hi ${email},
+
+Your suspended bot data has been permanently deleted after 30 days of inactivity.
+
+You can create a new bot anytime by adding credits to your account.
+${creditsUrl ? `\nAdd credits: ${creditsUrl}` : ""}
+If you have questions, contact support@wopr.bot.${unsubscribeText(creditsUrl ? buildUnsubscribeUrl(creditsUrl) : undefined)}
+
+(c) ${new Date().getFullYear()} WOPR Network. All rights reserved.`;
+    return { subject: "Your bot data has been deleted", html, text };
+}
+// ---------------------------------------------------------------------------
+// Org Invite
+// ---------------------------------------------------------------------------
+export function orgInviteEmailTemplate(inviteUrl, orgName) {
+    const safeOrg = escapeHtml(orgName);
+    const safeUrl = escapeHtml(inviteUrl);
+    const html = wrapHtml(`You're invited to join ${safeOrg}`, [
+        heading(`Join ${safeOrg}`),
+        paragraph(`You've been invited to join <strong>${safeOrg}</strong> on WOPR Network. Click the button below to accept the invitation.`),
+        button(safeUrl, "Accept Invitation"),
+        footer("This invitation expires in 7 days. If you didn't expect this email, you can safely ignore it."),
+    ].join("\n"));
+    const text = `You're invited to join ${orgName} on WOPR Network.
+
+Accept the invitation: ${inviteUrl}
+
+This invitation expires in 7 days.`;
+    return { subject: `You're invited to join ${orgName}`, html, text };
+}

package/dist/email/templates.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/email/templates.test.js

@@ -0,0 +1,170 @@
+import { describe, expect, it } from "vitest";
+import { botDestructionTemplate, botSuspendedTemplate, creditPurchaseTemplate, dataDeletedTemplate, lowBalanceTemplate, passwordResetEmailTemplate, verifyEmailTemplate, welcomeTemplate, } from "./templates.js";
+describe("verifyEmailTemplate", () => {
+    it("should generate HTML and text with verify URL", () => {
+        const result = verifyEmailTemplate("https://wopr.bot/auth/verify?token=abc123", "user@test.com");
+        expect(result.subject).toBe("Verify your WOPR account");
+        expect(result.html).toContain("Verify Your Email");
+        expect(result.html).toContain("https://wopr.bot/auth/verify?token=abc123");
+        expect(result.html).toContain("user@test.com");
+        expect(result.html).toContain("<!DOCTYPE html>");
+        expect(result.text).toContain("https://wopr.bot/auth/verify?token=abc123");
+        expect(result.text).toContain("user@test.com");
+        expect(result.text).not.toContain("<");
+    });
+    it("should escape HTML in email and URL", () => {
+        const result = verifyEmailTemplate("https://evil.com/<script>", "<script>alert('xss')</script>@evil.com");
+        expect(result.html).toContain("&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;@evil.com");
+        expect(result.html).toContain("&lt;script&gt;");
+    });
+    it("should include 24-hour expiry notice", () => {
+        const result = verifyEmailTemplate("https://wopr.bot/verify?token=x", "a@b.com");
+        expect(result.html).toContain("24 hours");
+        expect(result.text).toContain("24 hours");
+    });
+});
+describe("welcomeTemplate", () => {
+    it("should generate welcome email with credit info", () => {
+        const result = welcomeTemplate("user@test.com");
+        expect(result.subject).toBe("Welcome to WOPR");
+        expect(result.html).toContain("Welcome to WOPR");
+        expect(result.html).toContain("$5.00 in free credits");
+        expect(result.html).toContain("user@test.com");
+        expect(result.text).toContain("$5.00 in free credits");
+        expect(result.text).not.toContain("<");
+    });
+});
+describe("passwordResetEmailTemplate", () => {
+    it("should generate password reset email", () => {
+        const result = passwordResetEmailTemplate("https://wopr.bot/reset?token=abc", "user@test.com");
+        expect(result.subject).toBe("Reset your WOPR password");
+        expect(result.html).toContain("Reset Your Password");
+        expect(result.html).toContain("https://wopr.bot/reset?token=abc");
+        expect(result.html).toContain("1 hour");
+        expect(result.text).toContain("https://wopr.bot/reset?token=abc");
+        expect(result.text).not.toContain("<");
+    });
+});
+describe("creditPurchaseTemplate", () => {
+    it("should generate credit purchase confirmation", () => {
+        const result = creditPurchaseTemplate("user@test.com", "$10.00");
+        expect(result.subject).toBe("Credits added to your account");
+        expect(result.html).toContain("$10.00");
+        expect(result.html).toContain("Credits Added");
+        expect(result.text).toContain("$10.00");
+    });
+});
+describe("lowBalanceTemplate", () => {
+    it("should generate low balance warning", () => {
+        const result = lowBalanceTemplate("user@test.com", "$0.50");
+        expect(result.subject).toBe("Your WOPR credits are running low");
+        expect(result.html).toContain("$0.50");
+        expect(result.html).toContain("Running Low");
+        expect(result.text).toContain("$0.50");
+        expect(result.text).toContain("paused");
+    });
+});
+describe("botSuspendedTemplate", () => {
+    it("should generate bot suspended notification", () => {
+        const result = botSuspendedTemplate("user@test.com", "MyBot", "Terms of service violation");
+        expect(result.subject).toBe("Your bot has been suspended");
+        expect(result.html).toContain("MyBot");
+        expect(result.html).toContain("Terms of service violation");
+        expect(result.html).toContain("30 days");
+        expect(result.text).toContain("MyBot");
+        expect(result.text).toContain("Terms of service violation");
+        expect(result.text).toContain("30 days");
+    });
+    it("should escape HTML in bot name and reason", () => {
+        const result = botSuspendedTemplate("user@test.com", "<script>bot</script>", "<b>reason</b>");
+        expect(result.html).toContain("&lt;script&gt;bot&lt;/script&gt;");
+        expect(result.html).toContain("&lt;b&gt;reason&lt;/b&gt;");
+    });
+    it("should include CTA button when creditsUrl is provided", () => {
+        const result = botSuspendedTemplate("user@test.com", "MyBot", "Insufficient credits", "https://app.wopr.bot/credits");
+        expect(result.html).toContain("Buy Credits to Reactivate");
+        expect(result.html).toContain("https://app.wopr.bot/credits");
+    });
+});
+describe("botDestructionTemplate", () => {
+    it("should generate bot destruction warning with days", () => {
+        const result = botDestructionTemplate("user@test.com", "MyBot", 7);
+        expect(result.subject).toBe("URGENT: Your bot data will be deleted in 7 days");
+        expect(result.html).toContain("MyBot");
+        expect(result.html).toContain("7 days");
+        expect(result.html).toContain("permanently deleted");
+        expect(result.text).toContain("7 days");
+        expect(result.text).toContain("irreversible");
+    });
+    it("should include CTA button when creditsUrl is provided", () => {
+        const result = botDestructionTemplate("user@test.com", "MyBot", 5, "https://app.wopr.bot/credits");
+        expect(result.html).toContain("Buy Credits Now");
+        expect(result.html).toContain("https://app.wopr.bot/credits");
+        expect(result.text).toContain("https://app.wopr.bot/credits");
+    });
+});
+describe("dataDeletedTemplate", () => {
+    it("should generate data deleted confirmation", () => {
+        const result = dataDeletedTemplate("user@test.com");
+        expect(result.subject).toBe("Your bot data has been deleted");
+        expect(result.html).toContain("permanently deleted");
+        expect(result.html).toContain("new bot");
+        expect(result.text).toContain("permanently deleted");
+        expect(result.text).toContain("new bot");
+    });
+    it("should include CTA button when creditsUrl is provided", () => {
+        const result = dataDeletedTemplate("user@test.com", "https://app.wopr.bot/credits");
+        expect(result.html).toContain("Add Credits");
+        expect(result.html).toContain("https://app.wopr.bot/credits");
+    });
+});
+describe("all templates", () => {
+    it("should produce valid HTML structure for every template", () => {
+        const templates = [
+            verifyEmailTemplate("https://x.com/verify", "a@b.com"),
+            welcomeTemplate("a@b.com"),
+            passwordResetEmailTemplate("https://x.com/reset", "a@b.com"),
+            creditPurchaseTemplate("a@b.com", "$5"),
+            lowBalanceTemplate("a@b.com", "$0.50"),
+            botSuspendedTemplate("a@b.com", "Bot", "Reason"),
+            botDestructionTemplate("a@b.com", "Bot", 3),
+            dataDeletedTemplate("a@b.com"),
+        ];
+        for (const t of templates) {
+            expect(t.html).toContain("<!DOCTYPE html>");
+            expect(t.html).toContain("<html>");
+            expect(t.html).toContain("</html>");
+            expect(t.html).toContain("WOPR Network");
+            expect(t.subject.length).toBeGreaterThan(0);
+            expect(t.text.length).toBeGreaterThan(0);
+        }
+    });
+    it("should produce plain text without HTML tags for every template", () => {
+        const templates = [
+            verifyEmailTemplate("https://x.com/verify", "a@b.com"),
+            welcomeTemplate("a@b.com"),
+            passwordResetEmailTemplate("https://x.com/reset", "a@b.com"),
+            creditPurchaseTemplate("a@b.com", "$5"),
+            lowBalanceTemplate("a@b.com", "$0.50"),
+            botSuspendedTemplate("a@b.com", "Bot", "Reason"),
+            botDestructionTemplate("a@b.com", "Bot", 3),
+            dataDeletedTemplate("a@b.com"),
+        ];
+        for (const t of templates) {
+            expect(t.text).not.toMatch(/<[a-z]/i);
+        }
+    });
+    it("should include unsubscribe link in billing emails when creditsUrl provided", () => {
+        const billingTemplates = [
+            creditPurchaseTemplate("a@b.com", "$5", "$10", "https://app.wopr.bot/credits"),
+            lowBalanceTemplate("a@b.com", "$0.50", 3, "https://app.wopr.bot/credits"),
+            botSuspendedTemplate("a@b.com", "Bot", "Reason", "https://app.wopr.bot/credits"),
+            botDestructionTemplate("a@b.com", "Bot", 3, "https://app.wopr.bot/credits"),
+            dataDeletedTemplate("a@b.com", "https://app.wopr.bot/credits"),
+        ];
+        for (const t of billingTemplates) {
+            expect(t.html).toContain("Unsubscribe");
+            expect(t.text).toContain("unsubscribe");
+        }
+    });
+});

package/dist/email/verification.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Email Verification — Token generation, validation, and verification flow.
+ *
+ * Manages the signup verification lifecycle:
+ * 1. Generate signed token on signup
+ * 2. Store token + expiry in the auth database
+ * 3. Verify token when user clicks the link
+ * 4. Mark user as verified, send welcome email, grant credits
+ */
+import type { Pool } from "pg";
+import type { IEmailVerifier } from "./require-verified.js";
+/** Add email verification columns to the better-auth user table. */
+export declare function initVerificationSchema(pool: Pool): Promise<void>;
+export interface VerificationToken {
+    token: string;
+    expiresAt: string;
+}
+/**
+ * Generate a verification token and store it against a user.
+ */
+export declare function generateVerificationToken(pool: Pool, userId: string): Promise<VerificationToken>;
+/**
+ * Verify a token: check it exists, hasn't expired, and mark the user as verified.
+ */
+export declare function verifyToken(pool: Pool, token: string): Promise<{
+    userId: string;
+    email: string;
+} | null>;
+/**
+ * Check whether a user has verified their email.
+ */
+export declare function isEmailVerified(pool: Pool, userId: string): Promise<boolean>;
+/**
+ * Get a user's email by their ID.
+ */
+export declare function getUserEmail(pool: Pool, userId: string): Promise<string | null>;
+/** PostgreSQL-backed implementation of IEmailVerifier for the auth database. */
+export declare class PgEmailVerifier implements IEmailVerifier {
+    private readonly pool;
+    constructor(pool: Pool);
+    isVerified(userId: string): Promise<boolean>;
+}

package/dist/email/verification.js

@@ -0,0 +1,83 @@
+/**
+ * Email Verification — Token generation, validation, and verification flow.
+ *
+ * Manages the signup verification lifecycle:
+ * 1. Generate signed token on signup
+ * 2. Store token + expiry in the auth database
+ * 3. Verify token when user clicks the link
+ * 4. Mark user as verified, send welcome email, grant credits
+ */
+import crypto from "node:crypto";
+const TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours
+// ---------------------------------------------------------------------------
+// Schema
+// ---------------------------------------------------------------------------
+/** Add email verification columns to the better-auth user table. */
+export async function initVerificationSchema(pool) {
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    await pool.query(`ALTER TABLE "user" ADD COLUMN IF NOT EXISTS email_verified BOOLEAN NOT NULL DEFAULT false`);
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    await pool.query(`ALTER TABLE "user" ADD COLUMN IF NOT EXISTS verification_token TEXT`);
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    await pool.query(`ALTER TABLE "user" ADD COLUMN IF NOT EXISTS verification_expires TEXT`);
+}
+/**
+ * Generate a verification token and store it against a user.
+ */
+export async function generateVerificationToken(pool, userId) {
+    const token = crypto.randomBytes(32).toString("hex");
+    const expiresAt = new Date(Date.now() + TOKEN_EXPIRY_MS).toISOString();
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    await pool.query(`UPDATE "user" SET verification_token = $1, verification_expires = $2 WHERE id = $3`, [
+        token,
+        expiresAt,
+        userId,
+    ]);
+    return { token, expiresAt };
+}
+/**
+ * Verify a token: check it exists, hasn't expired, and mark the user as verified.
+ */
+export async function verifyToken(pool, token) {
+    if (!token || token.length !== 64)
+        return null;
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    const { rows } = await pool.query(`SELECT id, email, verification_token, verification_expires, email_verified FROM "user" WHERE verification_token = $1`, [token]);
+    const row = rows[0];
+    if (!row)
+        return null;
+    if (row.email_verified === true)
+        return null;
+    const expiresAt = new Date(row.verification_expires).getTime();
+    if (Date.now() > expiresAt)
+        return null;
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    await pool.query(`UPDATE "user" SET email_verified = true, "emailVerified" = true, verification_token = NULL, verification_expires = NULL WHERE id = $1`, [row.id]);
+    return { userId: row.id, email: row.email };
+}
+/**
+ * Check whether a user has verified their email.
+ */
+export async function isEmailVerified(pool, userId) {
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    const { rows } = await pool.query(`SELECT email_verified FROM "user" WHERE id = $1`, [userId]);
+    return rows[0]?.email_verified === true;
+}
+/**
+ * Get a user's email by their ID.
+ */
+export async function getUserEmail(pool, userId) {
+    // raw SQL: better-auth manages its own schema outside Drizzle
+    const { rows } = await pool.query(`SELECT email FROM "user" WHERE id = $1`, [userId]);
+    return rows[0]?.email ?? null;
+}
+/** PostgreSQL-backed implementation of IEmailVerifier for the auth database. */
+export class PgEmailVerifier {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async isVerified(userId) {
+        return isEmailVerified(this.pool, userId);
+    }
+}

package/dist/email/verification.test.d.ts

@@ -0,0 +1 @@
+export {};