appos 0.4.3-0 → 0.5.0-0

package/dist/exports/api/index.d.mts

@@ -1,5 +1,5 @@
-import { C as defineTestDatabase, D as defineLogger, E as Logger, S as defineMigrationOpts, T as DefineLoggerOptions, _ as DefineTestDatabaseOptions, a as AuthConfig, b as dbChanges, c as DefineAuthOptions, d as createAccessControl, f as defineAuth, g as DefineDatabaseOptions, h as Database, i as Auth, l as Role, n as AccessController, o as AuthPasskeyConfig, p as defineEndpointRateLimits, r as AuditAction, s as AuthSessionConfig, t as AccessControlRoles, u as auditActionSchema, v as MigrationType, w as migrationsSchema, x as defineDatabase, y as QualifiedTableNames } from "../auth-By0xx0MI.mjs";
-import { $ as StorageAttachment, A as defaultI18nConfig, At as EventBus, B as ServerConfig, Bt as Cache, C as scanAPIRoutes, Ct as defineQueue, D as loadMiddleware, Dt as DbChangeInput, E as defineMiddleware, Et as loadWorkflows, F as DefineAppContextOpts, Ft as defineEventBus, G as DefineStorageOptions, H as defineAppContainer, Ht as defineCache, I as SessionData, It as loadEvents, J as defineS3Disk, K as Storage, L as defineAppContext, Lt as Config, M as i18n, Mt as dbChangeInputSchema, N as defineAuthSchema, Nt as dbChangesEvent, Ot as DefineEventBusOptions, P as AppContext, Pt as defineEvent, Q as NewStorageVariantRecord, R as AppContainer, Rt as baseSchema, S as registerRoutes, St as WorkflowStartOptions, T as Middleware, Tt as defineWorkflow, U as DatabaseWithStorage, V as WorkerConfig, Vt as DefineCacheOptions, W as DefineS3DiskOptions, X as NewStorageAttachment, Y as defineStorage, Z as NewStorageBlob, _ as defineOpenAPIConfig, _t as QueueFactoryContext, a as defineRedisClient, at as defineStorageSchema, b as generateOpenAPIDocument, bt as WorkflowContext, c as DefineOpenAPIConfigInput, ct as Mailer, d as OpenAPIMethodSpec, dt as MailerPayloadReact, et as StorageBlob, f as OpenAPIObjectConfigV31, ft as MailerWithQueue, g as defineOpenAPI, gt as QueueFactory, h as ValidationErrorResponse, ht as Queue, i as RedisClient, it as StorageVariantRecord, j as defineI18n, jt as EventContext, k as I18nInitOptions, kt as Event, l as DefineOpenAPIReturn, lt as MailerPayload, m as RouteModule, mt as DefineQueueOptions, nt as StorageRelationsConfig, o as withOtelSpan, ot as DefineMailerOptions, p as OpenAPIRegistration, pt as defineMailer, q as StorageService, r as DefineRedisClientOptions, rt as StorageTables, s as DefineOpenAPIConfig, st as DefineMailerOptionsWithQueue, t as CustomTypeOptions, tt as StorageRelations, u as HandlerParams, ut as MailerPayloadHtml, v as defineOpenAPIEndpoint, vt as QueueRateLimit, w as writeOpenAPISpecs, wt as defineScheduledWorkflow, x as loadAndRegisterAPIRoutes, xt as WorkflowHandle, y as defineTypedResponses, yt as ScheduledWorkflowContext, z as Container, zt as defineConfig } from "../index-Bpo5QE7k.mjs";
+import { A as defineLogger, C as dbChanges, D as migrationsSchema, E as defineTestDatabase, O as DefineLoggerOptions, S as QualifiedTableNames, T as defineMigrationOpts, a as AuthCaptchaConfig, b as DefineTestDatabaseOptions, c as AuthSessionConfig, d as Role, f as auditActionSchema, g as defineEndpointRateLimits, h as defineAuth, i as Auth, k as Logger, l as CaptchaProvider, m as createAccessControl, n as AccessController, o as AuthConfig, p as captchaProviders, r as AuditAction, s as AuthPasskeyConfig, t as AccessControlRoles, u as DefineAuthOptions, v as Database, w as defineDatabase, x as MigrationType, y as DefineDatabaseOptions } from "../auth-DVv5fNvd.mjs";
+import { $ as StorageAttachment, A as defaultI18nConfig, At as EventBus, B as ServerConfig, Bt as Cache, C as scanAPIRoutes, Ct as defineQueue, D as loadMiddleware, Dt as DbChangeInput, E as defineMiddleware, Et as loadWorkflows, F as DefineAppContextOpts, Ft as defineEventBus, G as DefineStorageOptions, H as defineAppContainer, Ht as defineCache, I as SessionData, It as loadEvents, J as defineS3Disk, K as Storage, L as defineAppContext, Lt as Config, M as i18n, Mt as dbChangeInputSchema, N as defineAuthSchema, Nt as dbChangesEvent, Ot as DefineEventBusOptions, P as AppContext, Pt as defineEvent, Q as NewStorageVariantRecord, R as AppContainer, Rt as baseSchema, S as registerRoutes, St as WorkflowStartOptions, T as Middleware, Tt as defineWorkflow, U as DatabaseWithStorage, V as WorkerConfig, Vt as DefineCacheOptions, W as DefineS3DiskOptions, X as NewStorageAttachment, Y as defineStorage, Z as NewStorageBlob, _ as defineOpenAPIConfig, _t as QueueFactoryContext, a as defineRedisClient, at as defineStorageSchema, b as generateOpenAPIDocument, bt as WorkflowContext, c as DefineOpenAPIConfigInput, ct as Mailer, d as OpenAPIMethodSpec, dt as MailerPayloadReact, et as StorageBlob, f as OpenAPIObjectConfigV31, ft as MailerWithQueue, g as defineOpenAPI, gt as QueueFactory, h as ValidationErrorResponse, ht as Queue, i as RedisClient, it as StorageVariantRecord, j as defineI18n, jt as EventContext, k as I18nInitOptions, kt as Event, l as DefineOpenAPIReturn, lt as MailerPayload, m as RouteModule, mt as DefineQueueOptions, nt as StorageRelationsConfig, o as withOtelSpan, ot as DefineMailerOptions, p as OpenAPIRegistration, pt as defineMailer, q as StorageService, r as DefineRedisClientOptions, rt as StorageTables, s as DefineOpenAPIConfig, st as DefineMailerOptionsWithQueue, t as CustomTypeOptions, tt as StorageRelations, u as HandlerParams, ut as MailerPayloadHtml, v as defineOpenAPIEndpoint, vt as QueueRateLimit, w as writeOpenAPISpecs, wt as defineScheduledWorkflow, x as loadAndRegisterAPIRoutes, xt as WorkflowHandle, y as defineTypedResponses, yt as ScheduledWorkflowContext, z as Container, zt as defineConfig } from "../index-D3decHVs.mjs";
 import "../orm-CJrd147z.mjs";
 import "../instrumentation-CFIspF8-.mjs";
-export { AccessControlRoles, AccessController, AppContainer, AppContext, AuditAction, Auth, AuthConfig, AuthPasskeyConfig, AuthSessionConfig, Cache, Config, Container, CustomTypeOptions, Database, DatabaseWithStorage, DbChangeInput, DefineAppContextOpts, DefineAuthOptions, DefineCacheOptions, DefineDatabaseOptions, DefineEventBusOptions, DefineLoggerOptions, DefineMailerOptions, DefineMailerOptionsWithQueue, DefineOpenAPIConfig, DefineOpenAPIConfigInput, DefineOpenAPIReturn, DefineQueueOptions, DefineRedisClientOptions, DefineS3DiskOptions, DefineStorageOptions, DefineTestDatabaseOptions, Event, EventBus, EventContext, HandlerParams, I18nInitOptions, Logger, Mailer, MailerPayload, MailerPayloadHtml, MailerPayloadReact, MailerWithQueue, Middleware, MigrationType, NewStorageAttachment, NewStorageBlob, NewStorageVariantRecord, OpenAPIMethodSpec, OpenAPIObjectConfigV31, OpenAPIRegistration, QualifiedTableNames, Queue, QueueFactory, QueueFactoryContext, QueueRateLimit, RedisClient, Role, RouteModule, ScheduledWorkflowContext, ServerConfig, SessionData, Storage, StorageAttachment, StorageBlob, StorageRelations, StorageRelationsConfig, StorageService, StorageTables, StorageVariantRecord, ValidationErrorResponse, WorkerConfig, WorkflowContext, WorkflowHandle, WorkflowStartOptions, auditActionSchema, baseSchema, createAccessControl, dbChangeInputSchema, dbChanges, dbChangesEvent, defaultI18nConfig, defineAppContainer, defineAppContext, defineAuth, defineAuthSchema, defineCache, defineConfig, defineDatabase, defineEndpointRateLimits, defineEvent, defineEventBus, defineI18n, defineLogger, defineMailer, defineMiddleware, defineMigrationOpts, defineOpenAPI, defineOpenAPIConfig, defineOpenAPIEndpoint, defineQueue, defineRedisClient, defineS3Disk, defineScheduledWorkflow, defineStorage, defineStorageSchema, defineTestDatabase, defineTypedResponses, defineWorkflow, generateOpenAPIDocument, i18n, loadAndRegisterAPIRoutes, loadEvents, loadMiddleware, loadWorkflows, migrationsSchema, registerRoutes, scanAPIRoutes, withOtelSpan, writeOpenAPISpecs };
+export { AccessControlRoles, AccessController, AppContainer, AppContext, AuditAction, Auth, AuthCaptchaConfig, AuthConfig, AuthPasskeyConfig, AuthSessionConfig, Cache, CaptchaProvider, Config, Container, CustomTypeOptions, Database, DatabaseWithStorage, DbChangeInput, DefineAppContextOpts, DefineAuthOptions, DefineCacheOptions, DefineDatabaseOptions, DefineEventBusOptions, DefineLoggerOptions, DefineMailerOptions, DefineMailerOptionsWithQueue, DefineOpenAPIConfig, DefineOpenAPIConfigInput, DefineOpenAPIReturn, DefineQueueOptions, DefineRedisClientOptions, DefineS3DiskOptions, DefineStorageOptions, DefineTestDatabaseOptions, Event, EventBus, EventContext, HandlerParams, I18nInitOptions, Logger, Mailer, MailerPayload, MailerPayloadHtml, MailerPayloadReact, MailerWithQueue, Middleware, MigrationType, NewStorageAttachment, NewStorageBlob, NewStorageVariantRecord, OpenAPIMethodSpec, OpenAPIObjectConfigV31, OpenAPIRegistration, QualifiedTableNames, Queue, QueueFactory, QueueFactoryContext, QueueRateLimit, RedisClient, Role, RouteModule, ScheduledWorkflowContext, ServerConfig, SessionData, Storage, StorageAttachment, StorageBlob, StorageRelations, StorageRelationsConfig, StorageService, StorageTables, StorageVariantRecord, ValidationErrorResponse, WorkerConfig, WorkflowContext, WorkflowHandle, WorkflowStartOptions, auditActionSchema, baseSchema, captchaProviders, createAccessControl, dbChangeInputSchema, dbChanges, dbChangesEvent, defaultI18nConfig, defineAppContainer, defineAppContext, defineAuth, defineAuthSchema, defineCache, defineConfig, defineDatabase, defineEndpointRateLimits, defineEvent, defineEventBus, defineI18n, defineLogger, defineMailer, defineMiddleware, defineMigrationOpts, defineOpenAPI, defineOpenAPIConfig, defineOpenAPIEndpoint, defineQueue, defineRedisClient, defineS3Disk, defineScheduledWorkflow, defineStorage, defineStorageSchema, defineTestDatabase, defineTypedResponses, defineWorkflow, generateOpenAPIDocument, i18n, loadAndRegisterAPIRoutes, loadEvents, loadMiddleware, loadWorkflows, migrationsSchema, registerRoutes, scanAPIRoutes, withOtelSpan, writeOpenAPISpecs };

package/dist/exports/api/index.mjs

@@ -1,14 +1,14 @@
 import { t as defineAppContext } from "../app-context-LF4QmPUC.mjs";
-import { _ as defineAuthSchema, a as loadWorkflows, c as generatePreview, d as dbChangeInputSchema, f as dbChangesEvent, g as defineRedisClient, h as loadEvents, i as defineWorkflow, l as generateImageVariant, m as defineEventBus, n as defineQueue, o as purgeAttachment, p as defineEvent, r as defineScheduledWorkflow, t as sendEmail, u as extractBlobMetadata } from "../send-email-Bgcdjy-e.mjs";
-import { f as PUBLIC_DIR, l as LOCALES_DIR } from "../constants-BePPc_yF.mjs";
-import { _ as defineMigrationOpts, a as generateOpenAPIDocument, c as scanAPIRoutes, d as loadMiddleware, f as ui_default$2, g as defineDatabase, h as dbChanges, i as defineTypedResponses, l as writeOpenAPISpecs, m as ui_default, n as defineOpenAPIConfig, o as loadAndRegisterAPIRoutes, p as ui_default$1, r as defineOpenAPIEndpoint, s as registerRoutes, t as defineOpenAPI, u as defineMiddleware, v as defineTestDatabase, y as migrationsSchema } from "../openapi-crG3j4xx.mjs";
+import { _ as defineAuthSchema, a as loadWorkflows, c as generatePreview, d as dbChangeInputSchema, f as dbChangesEvent, g as defineRedisClient, h as loadEvents, i as defineWorkflow, l as generateImageVariant, m as defineEventBus, n as defineQueue, o as purgeAttachment, p as defineEvent, r as defineScheduledWorkflow, t as sendEmail, u as extractBlobMetadata } from "../send-email-CXxlkfFL.mjs";
+import { p as PUBLIC_DIR, u as LOCALES_DIR } from "../constants-BicCnEiJ.mjs";
+import { _ as defineMigrationOpts, a as generateOpenAPIDocument, c as scanAPIRoutes, d as loadMiddleware, f as ui_default$2, g as defineDatabase, h as dbChanges, i as defineTypedResponses, l as writeOpenAPISpecs, m as ui_default, n as defineOpenAPIConfig, o as loadAndRegisterAPIRoutes, p as ui_default$1, r as defineOpenAPIEndpoint, s as registerRoutes, t as defineOpenAPI, u as defineMiddleware, v as defineTestDatabase, y as migrationsSchema } from "../openapi-uisUTLq7.mjs";
 import { t as instrumentation_exports } from "../instrumentation-DkoLNAtz.mjs";
 import { _ as pgTable, c as orm_exports, t as index, w as unique } from "../orm-COJ9l6sS.mjs";
 import { passkey } from "@better-auth/passkey";
 import { sso } from "@better-auth/sso";
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
-import { admin, anonymous, apiKey, emailOTP, magicLink, multiSession, phoneNumber, twoFactor, username } from "better-auth/plugins";
+import { admin, anonymous, apiKey, captcha, emailOTP, lastLoginMethod, magicLink, multiSession, phoneNumber, twoFactor, username } from "better-auth/plugins";
 import { createAccessControl } from "better-auth/plugins/access";
 import { z } from "zod";
 import "@better-auth/passkey/client";
@@ -45,6 +45,21 @@ const AUTH_BASE_URL = "";
 //#endregion
 //#region src/api/auth.ts
 /**
+* Array of all supported captcha providers.
+* Use with z.enum() for config validation.
+*
+* @example
+* ```ts
+* CAPTCHA_PROVIDER: z.enum(captchaProviders).optional(),
+* ```
+*/
+const captchaProviders = [
+	"cloudflare-turnstile",
+	"google-recaptcha",
+	"hcaptcha",
+	"captchafox"
+];
+/**
 * Standard audit log actions following OCSF/CADF standards. Zod enum provides
 * both runtime validation and TypeScript type.
 *
@@ -204,20 +219,30 @@ function defineAuth(opts) {
 		trustEmailVerified: config.plugins.sso.trustEmailVerified,
 		domainVerification: config.plugins.sso.domainVerification ? { enabled: true } : void 0
 	}));
+	if (config.plugins?.lastUsedMethod) plugins.push(lastLoginMethod({ storeInDatabase: config.plugins.lastUsedMethod.storeInDatabase }));
+	if (config.plugins?.captcha) {
+		const captchaConfig = opts.captcha;
+		plugins.push(captcha({
+			provider: config.plugins.captcha.provider,
+			secretKey: captchaConfig?.secretKey ?? "",
+			endpoints: config.plugins.captcha.endpoints,
+			minScore: captchaConfig?.minScore
+		}));
+	}
 	const socialProviders = {};
-	if (config.oauth?.google) socialProviders.google = {
+	if (config.methods?.oauth?.google) socialProviders.google = {
 		clientId: oauth?.google?.clientId ?? process.env.GOOGLE_CLIENT_ID ?? "",
 		clientSecret: oauth?.google?.clientSecret ?? process.env.GOOGLE_CLIENT_SECRET ?? ""
 	};
-	if (config.oauth?.github) socialProviders.github = {
+	if (config.methods?.oauth?.github) socialProviders.github = {
 		clientId: oauth?.github?.clientId ?? process.env.GITHUB_CLIENT_ID ?? "",
 		clientSecret: oauth?.github?.clientSecret ?? process.env.GITHUB_CLIENT_SECRET ?? ""
 	};
-	if (config.oauth?.apple) socialProviders.apple = {
+	if (config.methods?.oauth?.apple) socialProviders.apple = {
 		clientId: oauth?.apple?.clientId ?? process.env.APPLE_CLIENT_ID ?? "",
 		clientSecret: oauth?.apple?.clientSecret ?? process.env.APPLE_CLIENT_SECRET ?? ""
 	};
-	if (config.oauth?.facebook) socialProviders.facebook = {
+	if (config.methods?.oauth?.facebook) socialProviders.facebook = {
 		clientId: oauth?.facebook?.clientId ?? process.env.FACEBOOK_CLIENT_ID ?? "",
 		clientSecret: oauth?.facebook?.clientSecret ?? process.env.FACEBOOK_CLIENT_SECRET ?? ""
 	};
@@ -1515,4 +1540,4 @@ function defineStorageSchema() {
 }
 
 //#endregion
-export { StorageService, auditActionSchema, baseSchema, createAccessControl, dbChangeInputSchema, dbChanges, dbChangesEvent, defaultI18nConfig, defineAppContainer, defineAppContext, defineAuth, defineAuthSchema, defineCache, defineConfig, defineDatabase, defineEndpointRateLimits, defineEvent, defineEventBus, defineI18n, defineLogger, defineMailer, defineMiddleware, defineMigrationOpts, defineOpenAPI, defineOpenAPIConfig, defineOpenAPIEndpoint, defineQueue, defineRedisClient, defineS3Disk, defineScheduledWorkflow, defineStorage, defineStorageSchema, defineTestDatabase, defineTypedResponses, defineWorkflow, generateOpenAPIDocument, loadAndRegisterAPIRoutes, loadEvents, loadMiddleware, loadWorkflows, migrationsSchema, registerRoutes, scanAPIRoutes, withOtelSpan, writeOpenAPISpecs };
+export { StorageService, auditActionSchema, baseSchema, captchaProviders, createAccessControl, dbChangeInputSchema, dbChanges, dbChangesEvent, defaultI18nConfig, defineAppContainer, defineAppContext, defineAuth, defineAuthSchema, defineCache, defineConfig, defineDatabase, defineEndpointRateLimits, defineEvent, defineEventBus, defineI18n, defineLogger, defineMailer, defineMiddleware, defineMigrationOpts, defineOpenAPI, defineOpenAPIConfig, defineOpenAPIEndpoint, defineQueue, defineRedisClient, defineS3Disk, defineScheduledWorkflow, defineStorage, defineStorageSchema, defineTestDatabase, defineTypedResponses, defineWorkflow, generateOpenAPIDocument, loadAndRegisterAPIRoutes, loadEvents, loadMiddleware, loadWorkflows, migrationsSchema, registerRoutes, scanAPIRoutes, withOtelSpan, writeOpenAPISpecs };

package/dist/exports/api/workflows/index.d.mts

@@ -1,5 +1,5 @@
-import "../../auth-By0xx0MI.mjs";
-import { St as WorkflowStartOptions, xt as WorkflowHandle, z as Container } from "../../index-Bpo5QE7k.mjs";
+import "../../auth-DVv5fNvd.mjs";
+import { St as WorkflowStartOptions, xt as WorkflowHandle, z as Container } from "../../index-D3decHVs.mjs";
 import "../../orm-CJrd147z.mjs";
 import "../../instrumentation-CFIspF8-.mjs";
 import { z } from "zod";

package/dist/exports/api/workflows/index.mjs

@@ -1,4 +1,4 @@
-import { s as trackDbChanges } from "../../send-email-Bgcdjy-e.mjs";
-import "../../constants-BePPc_yF.mjs";
+import { s as trackDbChanges } from "../../send-email-CXxlkfFL.mjs";
+import "../../constants-BicCnEiJ.mjs";
 
 export { trackDbChanges };

package/dist/exports/{auth-By0xx0MI.d.mts → auth-DVv5fNvd.d.mts}

@@ -1,4 +1,5 @@
-import { betterAuth } from "better-auth";
+import { PasskeyOptions } from "@better-auth/passkey";
+import { BetterAuthOptions, betterAuth } from "better-auth";
 import { Role, createAccessControl } from "better-auth/plugins/access";
 import { z } from "zod";
 import * as drizzle_orm0 from "drizzle-orm";
@@ -183,6 +184,20 @@ type AccessController = ReturnType<typeof createAccessControl>;
  * Type for roles created via ac.newRole().
  */
 type AccessControlRoles = Record<string, Role>;
+/**
+ * Array of all supported captcha providers.
+ * Use with z.enum() for config validation.
+ *
+ * @example
+ * ```ts
+ * CAPTCHA_PROVIDER: z.enum(captchaProviders).optional(),
+ * ```
+ */
+declare const captchaProviders: readonly ["cloudflare-turnstile", "google-recaptcha", "hcaptcha", "captchafox"];
+/**
+ * Captcha provider type.
+ */
+type CaptchaProvider = (typeof captchaProviders)[number];
 /**
  * Standard audit log actions following OCSF/CADF standards. Zod enum provides
  * both runtime validation and TypeScript type.
@@ -194,12 +209,12 @@ type AccessControlRoles = Record<string, Role>;
  */
 declare const auditActionSchema: z.ZodEnum<{
   DELETE: "DELETE";
+  INSERT: "INSERT";
+  UPDATE: "UPDATE";
   LOGIN: "LOGIN";
   LOGOUT: "LOGOUT";
-  INSERT: "INSERT";
   PASSWORD_CHANGE: "PASSWORD_CHANGE";
   TRUNCATE: "TRUNCATE";
-  UPDATE: "UPDATE";
 }>;
 /**
  * TypeScript type extracted from Zod enum.
@@ -296,15 +311,15 @@ interface AuthConfig {
       otpLength?: number;
       expiresIn?: number;
     };
-  };
-  /**
-   * OAuth providers - true = enabled, undefined/false = disabled.
-   **/
-  oauth?: {
-    google?: boolean;
-    github?: boolean;
-    apple?: boolean;
-    facebook?: boolean;
+    /**
+     * OAuth providers - true = enabled, undefined/false = disabled.
+     **/
+    oauth?: {
+      google?: boolean;
+      github?: boolean;
+      apple?: boolean;
+      facebook?: boolean;
+    };
   };
   /**
    * Plugins - if defined, it's enabled.
@@ -381,10 +396,58 @@ interface AuthConfig {
       trustEmailVerified?: boolean;
       domainVerification?: boolean;
     };
+    /**
+     * Last used login method plugin. If defined, enabled.
+     * Tracks the most recent authentication method used by each user.
+     **/
+    lastUsedMethod?: {
+      /**
+       * Persist last used method to database for cross-device access.
+       *
+       * @default false (cookie-only storage)
+       */
+      storeInDatabase?: boolean;
+    };
+    /**
+     * Captcha plugin. If defined, enabled.
+     * Protects auth endpoints from bots and abuse.
+     **/
+    captcha?: {
+      /**
+       * Captcha provider to use.
+       * For Google reCAPTCHA: v2 vs v3 is determined by server-side minScore config.
+       */
+      provider: "cloudflare-turnstile" | "google-recaptcha" | "hcaptcha" | "captchafox";
+      /**
+       * Public site key for the captcha widget (safe to expose in client).
+       */
+      siteKey: string;
+      /**
+       * Endpoints to protect with captcha validation.
+       * Uses substring matching via `request.url.includes(endpoint)`.
+       *
+       * @default ["/sign-up/email", "/sign-in/email", "/request-password-reset"]
+       *
+       * @example
+       * ```typescript
+       * // Protect high-risk endpoints (recommended)
+       * endpoints: [
+       *   "/sign-up/email",
+       *   "/sign-in/email",
+       *   "/sign-in/magic-link",
+       *   "/request-password-reset",
+       *   "/email-otp/send-verification-otp",
+       *   "/send-verification-email",
+       *   "/phone-number/send-otp",
+       * ]
+       * ```
+       */
+      endpoints?: string[];
+    };
   };
   /**
    * Brand configuration for auth pages.
-   * Controls the logo and app name displayed on authentication screens.
+   * Controls the logo, app name, layout, and legal URLs displayed on authentication screens.
    */
   brand?: {
     /**
@@ -405,6 +468,27 @@ interface AuthConfig {
      * @default "AppOS"
      */
     name?: string;
+    /**
+     * URL to the privacy policy page.
+     *
+     * @default "/legal/privacy-policy"
+     */
+    privacyUrl?: string;
+    /**
+     * URL to the terms of service page.
+     *
+     * @default "/legal/terms"
+     */
+    termsUrl?: string;
+    /**
+     * Layout variant for auth pages.
+     * - "centered": Card centered on page (default)
+     * - "split": Two-column layout with branding on left
+     * - "minimal": Simple centered layout without trust signals
+     *
+     * @default "centered"
+     */
+    layoutVariant?: "centered" | "split" | "minimal";
   };
   /**
    * Rate limiting configuration for auth endpoints.
@@ -508,8 +592,10 @@ type RequiredHooks<T extends AuthConfig> = (T["methods"] extends {
  * Conditionally required OAuth credentials based on config.
  * If an OAuth provider is enabled in config, its credentials are REQUIRED.
  */
-type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
-  google: true;
+type RequiredOAuth<T extends AuthConfig> = (T["methods"] extends {
+  oauth: {
+    google: true;
+  };
 } ? {
   google: {
     clientId: string;
@@ -520,8 +606,10 @@ type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
     clientId: string;
     clientSecret: string;
   };
-}) & (T["oauth"] extends {
-  github: true;
+}) & (T["methods"] extends {
+  oauth: {
+    github: true;
+  };
 } ? {
   github: {
     clientId: string;
@@ -532,8 +620,10 @@ type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
     clientId: string;
     clientSecret: string;
   };
-}) & (T["oauth"] extends {
-  apple: true;
+}) & (T["methods"] extends {
+  oauth: {
+    apple: true;
+  };
 } ? {
   apple: {
     clientId: string;
@@ -544,8 +634,10 @@ type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
     clientId: string;
     clientSecret: string;
   };
-}) & (T["oauth"] extends {
-  facebook: true;
+}) & (T["methods"] extends {
+  oauth: {
+    facebook: true;
+  };
 } ? {
   facebook: {
     clientId: string;
@@ -560,14 +652,22 @@ type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
 /**
  * Check if any OAuth provider is enabled.
  **/
-type HasOAuthEnabled<T extends AuthConfig> = T["oauth"] extends {
-  google: true;
+type HasOAuthEnabled<T extends AuthConfig> = T["methods"] extends {
+  oauth: {
+    google: true;
+  };
 } | {
-  github: true;
+  oauth: {
+    github: true;
+  };
 } | {
-  apple: true;
+  oauth: {
+    apple: true;
+  };
 } | {
-  facebook: true;
+  oauth: {
+    facebook: true;
+  };
 } ? true : false;
 /**
  * Check if passkey is enabled
@@ -575,41 +675,52 @@ type HasOAuthEnabled<T extends AuthConfig> = T["oauth"] extends {
 type HasPasskeyEnabled<T extends AuthConfig> = T["methods"] extends {
   passkey: object;
 } ? true : false;
+/**
+ * Check if captcha is enabled
+ **/
+type HasCaptchaEnabled<T extends AuthConfig> = T["plugins"] extends {
+  captcha: object;
+} ? true : false;
+/**
+ * Helper type to extract Better Auth's session options.
+ */
+type BetterAuthSessionOptions = NonNullable<BetterAuthOptions["session"]>;
 /**
  * Server-only session configuration.
+ * Derived from Better Auth's BetterAuthOptions['session'] for type safety.
  */
-interface AuthSessionConfig {
-  /**
-   * Session duration in seconds.
-   *
-   * @default 604800 (7 days)
-   */
-  expiresIn?: number;
-  /**
-   * How often to update session in seconds.
-   *
-   * @default 86400 (1 day)
-   */
-  updateAge?: number;
+type AuthSessionConfig = Pick<BetterAuthSessionOptions, "expiresIn" | "updateAge" | "freshAge">;
+/**
+ * Server-only passkey configuration (required if passkey is enabled).
+ * Derived from Better Auth's PasskeyOptions with rpID made required
+ * and origin narrowed to string (appos doesn't support array origins).
+ */
+type AuthPasskeyConfig = Required<Pick<PasskeyOptions, "rpID">> & {
   /**
-   * Session freshness in seconds for sensitive ops.
-   *
-   * @default 86400 (1 day)
+   * Origin URL for passkey verification (e.g., "http://localhost:8000").
+   * Unlike Better Auth which supports string | string[] | null, appos
+   * requires a single origin string for simplicity.
    */
-  freshAge?: number;
-}
+  origin: string;
+};
 /**
- * Server-only passkey configuration (required if passkey is enabled).
+ * Server-only captcha configuration (required if captcha is enabled).
+ * These fields align with Better Auth's captcha plugin options.
  */
-interface AuthPasskeyConfig {
+interface AuthCaptchaConfig {
   /**
-   * Relying Party ID - domain for passkey (e.g., "example.com" or "localhost").
+   * Secret key for server-side captcha validation.
+   * Keep this secret - never expose in client code.
    */
-  rpID: string;
+  secretKey: string;
   /**
-   * Origin URL for passkey verification (e.g., "http://localhost:8000").
+   * Minimum score threshold for Google reCAPTCHA v3.
+   * Scores range from 0.0 (bot) to 1.0 (human).
+   * Only applicable when using Google reCAPTCHA.
+   *
+   * @default 0.5
    */
-  origin: string;
+  minScore?: number;
 }
 /**
  * Fully type-safe options for defineAuth().
@@ -676,6 +787,10 @@ type DefineAuthOptions<T extends AuthConfig, TDb = unknown> = {
   passkey: AuthPasskeyConfig;
 } : {
   passkey?: AuthPasskeyConfig;
+}) & (HasCaptchaEnabled<T> extends true ? {
+  captcha: AuthCaptchaConfig;
+} : {
+  captcha?: AuthCaptchaConfig;
 });
 /**
  * Rate limit rule for a single endpoint.
@@ -756,4 +871,4 @@ declare function defineAuth<T extends AuthConfig, TDb extends Record<"primary",
  */
 type Auth$1<TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>> = ReturnType<typeof defineAuth<AuthConfig, TDb>>;
 //#endregion
-export { defineTestDatabase as C, defineLogger as D, Logger as E, defineMigrationOpts as S, DefineLoggerOptions as T, DefineTestDatabaseOptions as _, AuthConfig as a, dbChanges as b, DefineAuthOptions as c, createAccessControl as d, defineAuth as f, DefineDatabaseOptions as g, Database as h, Auth$1 as i, Role as l, AuthPaths as m, AccessController as n, AuthPasskeyConfig as o, defineEndpointRateLimits as p, AuditAction as r, AuthSessionConfig as s, AccessControlRoles as t, auditActionSchema as u, MigrationType as v, migrationsSchema as w, defineDatabase as x, QualifiedTableNames as y };
+export { defineLogger as A, dbChanges as C, migrationsSchema as D, defineTestDatabase as E, DefineLoggerOptions as O, QualifiedTableNames as S, defineMigrationOpts as T, AuthPaths as _, AuthCaptchaConfig as a, DefineTestDatabaseOptions as b, AuthSessionConfig as c, Role as d, auditActionSchema as f, defineEndpointRateLimits as g, defineAuth as h, Auth$1 as i, Logger as k, CaptchaProvider as l, createAccessControl as m, AccessController as n, AuthConfig as o, captchaProviders as p, AuditAction as r, AuthPasskeyConfig as s, AccessControlRoles as t, DefineAuthOptions as u, Database as v, defineDatabase as w, MigrationType as x, DefineDatabaseOptions as y };

package/dist/exports/cli/index.d.mts

@@ -1,5 +1,5 @@
-import "../auth-By0xx0MI.mjs";
-import { z as Container } from "../index-Bpo5QE7k.mjs";
+import "../auth-DVv5fNvd.mjs";
+import { z as Container } from "../index-D3decHVs.mjs";
 import "../orm-CJrd147z.mjs";
 import "../instrumentation-CFIspF8-.mjs";
 import { z } from "zod";

package/dist/exports/cli/index.mjs

@@ -1,9 +1,9 @@
 import "../app-context-LF4QmPUC.mjs";
-import { a as loadWorkflows, h as loadEvents } from "../send-email-Bgcdjy-e.mjs";
-import { a as DATABASES_DIR, c as FIXTURES_DIR, h as WEB_DIR, i as COMMANDS_DIR, m as TEST_EXTENSIONS, n as BUILD_DIR, s as FILE_EXT, t as APPOS_DIR, u as MAIN_ENTRY } from "../constants-BePPc_yF.mjs";
-import { _ as defineMigrationOpts } from "../openapi-crG3j4xx.mjs";
+import { a as loadWorkflows, h as loadEvents } from "../send-email-CXxlkfFL.mjs";
+import { a as DATABASES_DIR, c as FILE_EXT, d as MAIN_ENTRY, g as WEB_DIR, h as TEST_EXTENSIONS, i as COMMANDS_DIR, l as FIXTURES_DIR, n as BUILD_DIR, t as APPOS_DIR } from "../constants-BicCnEiJ.mjs";
+import { _ as defineMigrationOpts } from "../openapi-uisUTLq7.mjs";
 import "../instrumentation-DkoLNAtz.mjs";
-import { t as defineServer } from "../server-BlNxgHUc.mjs";
+import { t as defineServer } from "../server-CA4aI0U6.mjs";
 import "../ssr-BsfNjYlJ.mjs";
 import { createRequire } from "node:module";
 import { z } from "zod";
@@ -431,14 +431,33 @@ var build_default = defineCommand({
 		} catch {
 			hasWebDir = false;
 		}
-		if (hasWebDir) try {
-			await ctx.spinner("Building React Router app", async () => {
-				const viteBin = await findBin("vite");
-				await ctx.exec(viteBin, ["build"]);
-			});
-			ctx.success("Built React Router app successfully");
-		} catch (error) {
-			ctx.fail(error instanceof Error ? error.message : String(error));
+		if (hasWebDir) {
+			try {
+				await ctx.spinner("Building React Router app", async () => {
+					const viteBin = await findBin("vite");
+					await ctx.exec(viteBin, ["build"]);
+				});
+				ctx.success("Built React Router app successfully");
+			} catch (error) {
+				ctx.fail(error instanceof Error ? error.message : String(error));
+			}
+			const configDir = join(dirname(createRequire(import.meta.url).resolve("appos/package.json")), "src/storybook/.storybook");
+			if (existsSync(configDir)) try {
+				await ctx.spinner("Building design system", async () => {
+					const storybookBin = await findBin("storybook");
+					await ctx.exec(storybookBin, [
+						"build",
+						"-o",
+						`${BUILD_DIR}/storybook`,
+						"--config-dir",
+						configDir,
+						"--quiet"
+					]);
+				});
+				ctx.success("Built design system successfully");
+			} catch (error) {
+				ctx.warn(`Storybook build failed: ${error instanceof Error ? error.message : String(error)}`);
+			}
 		}
 		const entryPoints = await collectEntryPoints();
 		const outdir = `./${BUILD_DIR}`;
@@ -1404,7 +1423,7 @@ var preview_default = defineCommand({
 
 //#endregion
 //#region package.json
-var version = "0.4.3-0";
+var version = "0.5.0-0";
 
 //#endregion
 //#region src/cli/commands/repl.ts
@@ -1526,6 +1545,7 @@ var start_default = defineCommand({
 		const startWorker = !opts.service || opts.service === "worker";
 		let server = null;
 		let worker = null;
+		let storybookProc = null;
 		let isShuttingDown = false;
 		/**
 		* Graceful shutdown handler.
@@ -1535,6 +1555,10 @@ var start_default = defineCommand({
 			isShuttingDown = true;
 			logger.info(`Shutdown initiated (${signal})`);
 			try {
+				if (storybookProc && !storybookProc.killed) {
+					storybookProc.kill("SIGKILL");
+					logger.info("Design system stopped");
+				}
 				if (server) {
 					await server.stop();
 					logger.info("HTTP server stopped");
@@ -1560,6 +1584,56 @@ var start_default = defineCommand({
 			server = await defineServer({ container });
 			await server.start();
 			logger.info(`HTTP server ready at http://${server.host}:${server.port} ${runtimeInfo}`);
+			if (process.env.NODE_ENV !== "production") {
+				const configDir = join(dirname(createRequire(import.meta.url).resolve("appos/package.json")), "src/storybook/.storybook");
+				let binPath = "";
+				let dir = process.cwd();
+				while (dir !== "/") {
+					const candidate = join(dir, "node_modules", ".bin");
+					if (existsSync(candidate)) {
+						binPath = candidate;
+						break;
+					}
+					dir = dirname(dir);
+				}
+				const { spawn: spawn$1 } = await import("node:child_process");
+				storybookProc = spawn$1("storybook", [
+					"dev",
+					"-p",
+					"6006",
+					"--no-open",
+					"--config-dir",
+					configDir
+				], {
+					stdio: "ignore",
+					cwd: process.cwd(),
+					env: {
+						...process.env,
+						PATH: binPath ? `${binPath}:${process.env.PATH}` : process.env.PATH
+					}
+				});
+				storybookProc.on("exit", (code) => {
+					if (code !== 0 && code !== null && !isShuttingDown) logger.error(`Design system exited with code ${code}`);
+					storybookProc = null;
+				});
+				storybookProc.on("error", (err) => {
+					if (!isShuttingDown) logger.error(`Design system spawn error: ${err.message}`);
+				});
+				/**
+				* Waits for a port to become available by polling.
+				*/
+				const waitForPort = async (port, timeout) => {
+					const start = Date.now();
+					while (Date.now() - start < timeout) try {
+						await fetch(`http://localhost:${port}`);
+						return true;
+					} catch {
+						await new Promise((r) => setTimeout(r, 200));
+					}
+					return false;
+				};
+				if (!await waitForPort(6006, 3e4) && storybookProc && !storybookProc.killed) logger.warn("Design system slow to start, /design may not be ready yet");
+			}
 		}
 	}
 });

package/dist/exports/{constants-BePPc_yF.mjs → constants-BicCnEiJ.mjs}

@@ -163,6 +163,12 @@ const FIXTURES_DIR = "__fixtures__";
 * @default [".test.ts", ".spec.ts"]
 */
 const TEST_EXTENSIONS = [".test.ts", ".spec.ts"];
+/**
+* URL path for Storybook design system.
+*
+* @default "/design"
+*/
+const DESIGN_SYSTEM_PATH = "/design";
 
 //#endregion
-export { DATABASES_DIR as a, FIXTURES_DIR as c, MIDDLEWARE_DIR as d, PUBLIC_DIR as f, WORKFLOWS_DIR as g, WEB_DIR as h, COMMANDS_DIR as i, LOCALES_DIR as l, TEST_EXTENSIONS as m, BUILD_DIR as n, EVENTS_DIR as o, ROUTES_DIR as p, BUILD_OUTPUT_DIR as r, FILE_EXT as s, APPOS_DIR as t, MAIN_ENTRY as u };
+export { WORKFLOWS_DIR as _, DATABASES_DIR as a, FILE_EXT as c, MAIN_ENTRY as d, MIDDLEWARE_DIR as f, WEB_DIR as g, TEST_EXTENSIONS as h, COMMANDS_DIR as i, FIXTURES_DIR as l, ROUTES_DIR as m, BUILD_DIR as n, DESIGN_SYSTEM_PATH as o, PUBLIC_DIR as p, BUILD_OUTPUT_DIR as r, EVENTS_DIR as s, APPOS_DIR as t, LOCALES_DIR as u };