lytx 0.3.2 → 0.3.8

package/.env.example

@@ -24,6 +24,7 @@ RESEND_API_KEY=
 
 # AI features (optional)
 AI_API_KEY=
+AI_ACCOUNT_ID=
 AI_PROVIDER=openai
 AI_BASE_URL=
 AI_MODEL=

package/README.md

@@ -72,7 +72,8 @@ export default app satisfies ExportedHandler<Env>;
 - `trackingRoutePrefix` (prefix all tracking routes, e.g. `/collect`)
 - `tagRoutes.scriptPath` + `tagRoutes.eventPath` (custom v2 route paths)
 - `auth.emailPasswordEnabled`, `auth.requireEmailVerification`, `auth.socialProviders.google`, `auth.socialProviders.github`
-- `ai.provider`, `ai.baseURL`, `ai.model`, `ai.apiKey` (runtime AI vendor/model overrides)
+- `auth.signupMode` (`"open" | "bootstrap_then_invite" | "invite_only"`; default is `"bootstrap_then_invite"`)
+- `ai.provider`, `ai.model`, `ai.baseURL`, `ai.apiKey`, `ai.accountId` (runtime AI vendor/model overrides; blank values are ignored; provider/model include preset autocomplete values)
 - `features.reportBuilderEnabled` + `features.askAiEnabled`
 - `names.*` (typed resource binding names for D1/KV/Queue/DO)
 - `domains.app` + `domains.tracking` (typed host/domain values)
@@ -347,6 +348,40 @@ LYTX_TRACKING_DOMAIN=collect.example.com
 
 Use `createLytxApp({ tagRoutes: { pathPrefix: "/collect" } })` to prefix tracking script and ingestion endpoints.
 
+### Auth setup (important)
+
+`createLytxApp` defaults to bootstrap-safe auth behavior:
+
+- `auth.signupMode` defaults to `"bootstrap_then_invite"`.
+- First account signup is allowed and becomes the initial admin.
+- After the first account exists, public signup is automatically closed.
+- New users can then register only through team invites.
+
+This default applies when:
+
+- `auth` is omitted entirely, or
+- `auth: {}` is passed.
+
+Use these explicit modes when you need different behavior:
+
+```tsx
+createLytxApp({
+  auth: {
+    // "bootstrap_then_invite" is the default
+    signupMode: "bootstrap_then_invite",
+    // signupMode: "invite_only", // never allow public signup
+    // signupMode: "open", // always allow public signup
+  },
+});
+```
+
+If you need to bootstrap an admin user without public signup, use the CLI:
+
+```bash
+cd core
+bun run cli/bootstrap-admin.ts --email admin@example.com --password "StrongPassword123"
+```
+
 ### Environment variables
 
 Add these to your `.env` (local) or worker secrets (production):
@@ -369,6 +404,7 @@ RESEND_API_KEY=...
 
 # AI features (optional)
 AI_API_KEY=...
+AI_ACCOUNT_ID=...
 AI_PROVIDER=openai
 AI_BASE_URL=...
 AI_MODEL=...

package/alchemy.run.ts

@@ -139,6 +139,7 @@ export const worker = await Redwood(resourceNames.workerName, {
     RESEND_API_KEY: alchemy.secret(process.env.RESEND_API_KEY),
     ENCRYPTION_KEY: alchemy.secret(process.env.ENCRYPTION_KEY),
     AI_API_KEY: alchemy.secret(process.env.AI_API_KEY),
+    AI_ACCOUNT_ID: process.env.AI_ACCOUNT_ID ?? "",
     AI_PROVIDER: process.env.AI_PROVIDER ?? "openai",
     SEED_DATA_SECRET: alchemy.secret(process.env.SEED_DATA_SECRET),
     BETTER_AUTH_URL: process.env.BETTER_AUTH_URL,

package/cli/setup.ts

@@ -350,6 +350,7 @@ EMAIL_FROM=noreply@yourdomain.com
 
 # AI features (optional)
 AI_API_KEY=
+AI_ACCOUNT_ID=
 AI_PROVIDER=openai
 AI_BASE_URL=
 AI_MODEL=

package/index.d.ts

@@ -49,9 +49,14 @@ export { SiteDurableObject } from "./db/durable/siteDurableObject";
 export type {
   CreateLytxAppConfig,
   LytxDbAdapter,
+  LytxSignupMode,
   LytxEventStore,
   LytxDbConfig,
   LytxAiConfig,
+  LytxAiProviderPreset,
+  LytxAiProvider,
+  LytxAiModelPreset,
+  LytxAiModel,
 } from "./src/config/createLytxAppConfig";
 export function createLytxApp(
   config?: CreateLytxAppConfig,

package/index.ts

@@ -71,9 +71,14 @@ export { createLytxApp } from "./src/worker";
 export type {
   CreateLytxAppConfig,
   LytxDbAdapter,
+  LytxSignupMode,
   LytxEventStore,
   LytxDbConfig,
   LytxAiConfig,
+  LytxAiProviderPreset,
+  LytxAiProvider,
+  LytxAiModelPreset,
+  LytxAiModel,
 } from "./src/config/createLytxAppConfig";
 export { DEFAULT_LYTX_RESOURCE_NAMES, resolveLytxResourceNames } from "./src/config/resourceNames";
 export type { LytxResourceNames, LytxResourceNamingOptions, LytxResourceStagePosition } from "./src/config/resourceNames";

package/lib/auth.ts

@@ -3,10 +3,12 @@ import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { customSession } from "better-auth/plugins";
 import { env } from "cloudflare:workers";
 import { IS_DEV } from "rwsdk/constants";
+import { and, eq } from "drizzle-orm";
 
 import { d1_client } from "@db/d1/client";
 import type { DBAdapter } from "@db/d1/schema";
 import * as schema from "@db/d1/schema";
+import { invited_user, user as user_table } from "@db/d1/schema";
 import { createNewAccount, getSitesForUser } from "@db/d1/sites";
 import type { SitesContext } from "@db/d1/sites";
 import { sendVerificationEmail } from "@lib/sendMail";
@@ -16,10 +18,21 @@ type SocialProviderToggles = {
   github?: boolean;
 };
 
+export const SIGNUP_MODES = ["open", "bootstrap_then_invite", "invite_only"] as const;
+export type SignupMode = (typeof SIGNUP_MODES)[number];
+
+export type SignupAccessState = {
+  mode: SignupMode;
+  hasUsers: boolean;
+  publicSignupOpen: boolean;
+  bootstrapSignupOpen: boolean;
+};
+
 export type AuthRuntimeConfig = {
   emailPasswordEnabled?: boolean;
   requireEmailVerification?: boolean;
   socialProviders?: SocialProviderToggles;
+  signupMode?: SignupMode;
 };
 
 type TeamSummary = {
@@ -68,25 +81,32 @@ export type AuthProviderAvailability = {
   github: boolean;
 };
 
-let auth_runtime_config: AuthRuntimeConfig = {
+const DEFAULT_AUTH_RUNTIME_CONFIG: AuthRuntimeConfig = {
   emailPasswordEnabled: true,
   requireEmailVerification: true,
+  signupMode: "bootstrap_then_invite",
   socialProviders: {},
 };
 
+let auth_runtime_config: AuthRuntimeConfig = {
+  ...DEFAULT_AUTH_RUNTIME_CONFIG,
+};
+
 let auth_instance: ReturnType<typeof betterAuth> | null = null;
 
 const hasGoogleCredentials = () => Boolean(env.GOOGLE_CLIENT_ID?.trim() && env.GOOGLE_CLIENT_SECRET?.trim());
 const hasGithubCredentials = () => Boolean(env.GITHUB_CLIENT_ID?.trim() && env.GITHUB_CLIENT_SECRET?.trim());
 
 export function setAuthRuntimeConfig(config: AuthRuntimeConfig = {}) {
+  const socialProviders = {
+    ...DEFAULT_AUTH_RUNTIME_CONFIG.socialProviders,
+    ...config.socialProviders,
+  };
+
   auth_runtime_config = {
-    ...auth_runtime_config,
+    ...DEFAULT_AUTH_RUNTIME_CONFIG,
     ...config,
-    socialProviders: {
-      ...auth_runtime_config.socialProviders,
-      ...config.socialProviders,
-    },
+    socialProviders,
   };
 
   auth_instance = null;
@@ -102,6 +122,101 @@ export function getAuthProviderAvailability(): AuthProviderAvailability {
   };
 }
 
+function getSignupMode(): SignupMode {
+  return auth_runtime_config.signupMode ?? "bootstrap_then_invite";
+}
+
+function isMissingTableError(error: unknown): boolean {
+  if (!error || typeof error !== "object") return false;
+  const message = (error as { message?: unknown }).message;
+  return typeof message === "string" && message.includes("no such table");
+}
+
+async function hasAnyUserAccount(): Promise<boolean> {
+  try {
+    const users = await d1_client.select({ id: user_table.id }).from(user_table).limit(1);
+    return typeof users[0]?.id === "string";
+  } catch (error) {
+    if (isMissingTableError(error)) {
+      if (IS_DEV) {
+        console.warn("Signup bootstrap check: user table missing, treating as zero users");
+      }
+      return false;
+    }
+    throw error;
+  }
+}
+
+async function hasPendingInviteForEmail(email: string): Promise<boolean> {
+  const normalizedEmail = email.trim().toLowerCase();
+  if (!normalizedEmail) return false;
+
+  try {
+    const invites = await d1_client
+      .select({ id: invited_user.id })
+      .from(invited_user)
+      .where(and(eq(invited_user.email, normalizedEmail), eq(invited_user.accepted, false)))
+      .limit(1);
+
+    return typeof invites[0]?.id === "number";
+  } catch (error) {
+    if (isMissingTableError(error)) {
+      if (IS_DEV) {
+        console.warn("Signup invite check: invited_user table missing, treating as no invite");
+      }
+      return false;
+    }
+    throw error;
+  }
+}
+
+export async function getSignupAccessState(): Promise<SignupAccessState> {
+  const mode = getSignupMode();
+
+  if (mode === "open") {
+    return {
+      mode,
+      hasUsers: true,
+      publicSignupOpen: true,
+      bootstrapSignupOpen: false,
+    };
+  }
+
+  if (mode === "invite_only") {
+    return {
+      mode,
+      hasUsers: true,
+      publicSignupOpen: false,
+      bootstrapSignupOpen: false,
+    };
+  }
+
+  const hasUsers = await hasAnyUserAccount();
+  return {
+    mode,
+    hasUsers,
+    publicSignupOpen: !hasUsers,
+    bootstrapSignupOpen: !hasUsers,
+  };
+}
+
+export async function isPublicSignupOpen(): Promise<boolean> {
+  const state = await getSignupAccessState();
+  return state.publicSignupOpen;
+}
+
+export async function canRegisterEmail(email: string): Promise<boolean> {
+  const signupMode = getSignupMode();
+  if (signupMode === "open") return true;
+
+  const invited = await hasPendingInviteForEmail(email);
+  if (invited) return true;
+
+  if (signupMode === "invite_only") return false;
+  const state = await getSignupAccessState();
+  return state.bootstrapSignupOpen;
+}
+
 function getTrustedOrigins() {
   if (!IS_DEV) return [env.BETTER_AUTH_URL];
   return [
@@ -245,6 +360,13 @@ function createAuthInstance() {
     databaseHooks: {
       user: {
         create: {
+          before: async (userRecord) => {
+            const email = typeof userRecord.email === "string" ? userRecord.email : "";
+            const allowed = await canRegisterEmail(email);
+            if (!allowed) {
+              throw new Error("Public sign up is disabled. Ask an admin for an invitation.");
+            }
+          },
           after: async (user) => {
             await createNewAccount(user);
           },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lytx",
-  "version": "0.3.2",
+  "version": "0.3.8",
   "private": false,
   "license": "MIT",
   "publishConfig": {
@@ -103,6 +103,8 @@
     "wrangler": "^4.59.3"
   },
   "dependencies": {
+    "@ai-sdk/anthropic": "^3.0.46",
+    "@ai-sdk/google": "^3.0.30",
     "@ai-sdk/openai-compatible": "^2.0.26",
     "@ai-sdk/react": "^3.0.70",
     "@fontsource/montserrat": "^5.2.8",
@@ -137,6 +139,7 @@
     "react-simple-maps": "^3.0.0",
     "rwsdk": "1.0.0-beta.49",
     "vite": "^7.3.1",
+    "workers-ai-provider": "^3.1.2",
     "zod": "^4.3.6"
   }
 }

package/src/api/ai_api.ts

@@ -4,6 +4,9 @@ import type { RequestInfo } from "rwsdk/worker";
 import { convertToModelMessages, generateText, streamText, tool } from "ai";
 import { IS_DEV } from "rwsdk/constants";
 import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
+import { createAnthropic } from "@ai-sdk/anthropic";
+import { createGoogleGenerativeAI } from "@ai-sdk/google";
+import { createWorkersAI } from "workers-ai-provider";
 import { z } from "zod";
 
 import type { AppContext } from "@/types/app-context";
@@ -23,9 +26,10 @@ import { parseDateParam, parseSiteIdParam } from "@/utilities/dashboardParams";
 
 type AiConfig = {
   provider: string;
-  baseURL: string;
+  baseURL?: string;
   model: string;
   apiKey: string;
+  accountId?: string;
 };
 
 type AiRuntimeOverrides = {
@@ -33,6 +37,7 @@ type AiRuntimeOverrides = {
   baseURL?: string;
   model?: string;
   apiKey?: string;
+  accountId?: string;
 };
 
 type NivoChartType = "bar" | "line" | "pie";
@@ -42,6 +47,21 @@ const DEFAULT_AI_PROVIDER = "openai";
 const DEFAULT_AI_BASE_URL = "https://api.openai.com/v1";
 const MAX_METRIC_LIMIT = 100;
 
+const OPENAI_COMPATIBLE_PROVIDERS = new Set([
+  "openai",
+  "openrouter",
+  "groq",
+  "deepseek",
+  "xai",
+  "ollama",
+  "custom",
+]);
+
+const AI_PROVIDER_ALIASES: Record<string, string> = {
+  claude: "anthropic",
+  gemini: "google",
+};
+
 const AI_PROVIDER_BASE_URLS: Record<string, string> = {
   openai: "https://api.openai.com/v1",
   openrouter: "https://openrouter.ai/api/v1",
@@ -49,6 +69,8 @@ const AI_PROVIDER_BASE_URLS: Record<string, string> = {
   deepseek: "https://api.deepseek.com/v1",
   xai: "https://api.x.ai/v1",
   ollama: "http://localhost:11434/v1",
+  anthropic: "https://api.anthropic.com/v1",
+  google: "https://generativelanguage.googleapis.com/v1beta",
 };
 
 const AI_PROVIDER_DEFAULT_MODELS: Record<string, string> = {
@@ -58,6 +80,9 @@ const AI_PROVIDER_DEFAULT_MODELS: Record<string, string> = {
   deepseek: "deepseek-chat",
   xai: "grok-2-latest",
   ollama: "llama3.2",
+  anthropic: "claude-3-5-sonnet-latest",
+  google: "gemini-2.5-flash",
+  cloudflare: "@cf/meta/llama-3.1-8b-instruct",
 };
 
 let aiRuntimeOverrides: AiRuntimeOverrides = {};
@@ -68,8 +93,16 @@ function normalizeOptionalString(value: unknown): string | null {
   return trimmed.length > 0 ? trimmed : null;
 }
 
-function resolveAiBaseUrl(provider: string, explicitBaseUrl: string | null): string {
+function normalizeProviderName(value: string): string {
+  const normalized = value.trim().toLowerCase();
+  return AI_PROVIDER_ALIASES[normalized] ?? normalized;
+}
+
+function resolveAiBaseUrl(provider: string, explicitBaseUrl: string | null): string | undefined {
   if (explicitBaseUrl) return explicitBaseUrl;
+  if (!OPENAI_COMPATIBLE_PROVIDERS.has(provider) && provider !== "anthropic" && provider !== "google") {
+    return undefined;
+  }
   return AI_PROVIDER_BASE_URLS[provider] ?? DEFAULT_AI_BASE_URL;
 }
 
@@ -78,12 +111,66 @@ function resolveAiModel(provider: string, explicitModel: string | null): string
   return AI_PROVIDER_DEFAULT_MODELS[provider] ?? DEFAULT_AI_MODEL;
 }
 
+function getWorkersAiBinding(envValues: Record<string, unknown>): Ai | null {
+  const binding = envValues.AI;
+  if (!binding || typeof binding !== "object") return null;
+  return binding as Ai;
+}
+
+function createAiLanguageModel(aiConfig: AiConfig) {
+  if (aiConfig.provider === "anthropic") {
+    const anthropic = createAnthropic({
+      apiKey: aiConfig.apiKey,
+      ...(aiConfig.baseURL ? { baseURL: aiConfig.baseURL } : {}),
+    });
+    return anthropic(aiConfig.model);
+  }
+
+  if (aiConfig.provider === "google") {
+    const google = createGoogleGenerativeAI({
+      apiKey: aiConfig.apiKey,
+      ...(aiConfig.baseURL ? { baseURL: aiConfig.baseURL } : {}),
+    });
+    return google(aiConfig.model);
+  }
+
+  if (aiConfig.provider === "cloudflare") {
+    const envValues = env as unknown as Record<string, unknown>;
+    const binding = getWorkersAiBinding(envValues);
+    if (binding) {
+      const workersAi = createWorkersAI({ binding });
+      return workersAi(aiConfig.model);
+    }
+
+    if (aiConfig.accountId && aiConfig.apiKey) {
+      const workersAi = createWorkersAI({
+        accountId: aiConfig.accountId,
+        apiKey: aiConfig.apiKey,
+      });
+      return workersAi(aiConfig.model);
+    }
+
+    throw new Error("Cloudflare provider requires env.AI binding or AI_ACCOUNT_ID + AI_API_KEY");
+  }
+
+  const modelProvider = createOpenAICompatible({
+    baseURL: aiConfig.baseURL ?? DEFAULT_AI_BASE_URL,
+    name: "team-model",
+    apiKey: aiConfig.apiKey,
+    includeUsage: true,
+  });
+
+  return modelProvider.chatModel(aiConfig.model);
+}
+
 export function setAiRuntimeOverrides(overrides: AiRuntimeOverrides = {}): void {
+  const provider = normalizeOptionalString(overrides.provider);
   aiRuntimeOverrides = {
-    provider: normalizeOptionalString(overrides.provider) ?? undefined,
+    provider: provider ? normalizeProviderName(provider) : undefined,
     baseURL: normalizeOptionalString(overrides.baseURL) ?? undefined,
     model: normalizeOptionalString(overrides.model) ?? undefined,
     apiKey: normalizeOptionalString(overrides.apiKey) ?? undefined,
+    accountId: normalizeOptionalString(overrides.accountId) ?? undefined,
   };
 }
 
@@ -107,7 +194,7 @@ function getAiConfigFromEnv(): AiConfig | null {
     normalizeOptionalString(aiRuntimeOverrides.provider)
     ?? normalizeOptionalString(envValues.AI_PROVIDER)
     ?? DEFAULT_AI_PROVIDER;
-  const provider = providerRaw.toLowerCase();
+  const provider = normalizeProviderName(providerRaw);
   const baseURL = resolveAiBaseUrl(
     provider,
     normalizeOptionalString(aiRuntimeOverrides.baseURL) ?? normalizeOptionalString(envValues.AI_BASE_URL),
@@ -120,10 +207,22 @@ function getAiConfigFromEnv(): AiConfig | null {
     normalizeOptionalString(aiRuntimeOverrides.apiKey)
     ?? normalizeOptionalString(envValues.AI_API_KEY)
     ?? "";
+  const accountId =
+    normalizeOptionalString(aiRuntimeOverrides.accountId)
+    ?? normalizeOptionalString(envValues.AI_ACCOUNT_ID)
+    ?? undefined;
+
+  if (provider === "cloudflare") {
+    const hasBinding = Boolean(getWorkersAiBinding(envValues));
+    if (!hasBinding && (!accountId || !apiKey)) {
+      return null;
+    }
+    return { provider, baseURL, model, apiKey, accountId };
+  }
 
   if (!apiKey) return null;
 
-  return { provider, baseURL, model, apiKey };
+  return { provider, baseURL, model, apiKey, accountId };
 }
 
 function clampLimit(value: unknown, fallback = 10): number {
@@ -657,19 +756,14 @@ export const aiTagSuggestRoute = route(
       );
     }
 
-    const modelProvider = createOpenAICompatible({
-      baseURL: aiConfig.baseURL,
-      name: "team-model",
-      apiKey: aiConfig.apiKey,
-      includeUsage: true,
-    });
+    const aiModel = createAiLanguageModel(aiConfig);
 
     const prompt = `Analyze this page HTML and suggest DOM events to track.\n\nContext:\n- Selected site domain: ${site.domain ?? "unknown"}\n- Target URL: ${url.toString()}\n- Lytx tag id (account): ${tagId}\n- Tag script detected on page: ${tagFound}\n- Tracking events seen recently: ${trackingOk === null ? "unknown" : trackingOk}\n\nHTML (truncated):\n${truncateUtf8(html, 60_000)}`;
     const aiStartedAt = Date.now();
 
     try {
       const result = await generateText({
-        model: modelProvider.chatModel(aiConfig.model),
+        model: aiModel,
         system: getSiteTagSystemPrompt(),
         prompt,
       });
@@ -828,12 +922,7 @@ export const aiChatRoute = route(
       );
     }
 
-    const modelProvider = createOpenAICompatible({
-      baseURL: aiConfig.baseURL,
-      name: "team-model",
-      apiKey: aiConfig.apiKey,
-      includeUsage: true,
-    });
+    const aiModel = createAiLanguageModel(aiConfig);
 
     const system = `${getSchemaPrompt()}\n\n${getTeamContextPrompt(ctx, siteId, defaultToolSiteId)}`;
 
@@ -1053,7 +1142,7 @@ export const aiChatRoute = route(
       };
 
       const result = streamText({
-        model: modelProvider.chatModel(aiConfig.model),
+        model: aiModel,
         system,
         messages: modelMessages,
         tools,

package/src/app/components/NewSiteSetup.tsx

@@ -49,7 +49,7 @@ export const NewSiteSetup: React.FC<NewSiteSetupProps> = ({
 
       const siteData = await response.json();
       onSiteCreated?.(siteData);
-      window.location.href = "/dashboard/settings";
+      window.location.href = "/dashboard";
     } catch (err) {
       setError(err instanceof Error ? err.message : "An error occurred");
     } finally {

package/src/config/createLytxAppConfig.ts

@@ -4,8 +4,37 @@ export const CREATE_LYTX_APP_CONFIG_DOC_URL =
   "https://github.com/lytx-io/lytx/blob/master/core/docs/oss-contract.md#supported-extension-and-customization-points";
 
 const dbAdapterValues = ["sqlite", "postgres", "singlestore", "analytics_engine"] as const;
+const signupModeValues = ["open", "bootstrap_then_invite", "invite_only"] as const;
+
+export const LYTX_AI_PROVIDER_PRESETS = [
+  "openai",
+  "openrouter",
+  "groq",
+  "deepseek",
+  "xai",
+  "ollama",
+  "anthropic",
+  "claude",
+  "google",
+  "gemini",
+  "cloudflare",
+  "custom",
+] as const;
+
+export const LYTX_AI_MODEL_PRESETS = [
+  "gpt-5-mini",
+  "openai/gpt-4o-mini",
+  "llama-3.1-70b-versatile",
+  "deepseek-chat",
+  "grok-2-latest",
+  "llama3.2",
+  "claude-3-5-sonnet-latest",
+  "gemini-2.5-flash",
+  "@cf/meta/llama-3.1-8b-instruct",
+] as const;
 
 const dbAdapterSchema = z.enum(dbAdapterValues);
+const signupModeSchema = z.enum(signupModeValues);
 const eventStoreSchema = z.enum([...dbAdapterValues, "durable_objects"] as const);
 
 const dbConfigSchema = z
@@ -16,6 +45,7 @@ const dbConfigSchema = z
   .strict();
 
 export type LytxDbAdapter = z.infer<typeof dbAdapterSchema>;
+export type LytxSignupMode = z.infer<typeof signupModeSchema>;
 export type LytxEventStore = z.infer<typeof eventStoreSchema>;
 export type LytxDbConfig = z.input<typeof dbConfigSchema>;
 
@@ -56,17 +86,43 @@ const domainSchema = z
   }, "Domain must be a valid hostname or URL");
 
 const envKeySchema = z.string().trim().min(1, "Env var value cannot be empty");
+const optionalTrimmedStringSchema = z.string().trim().optional();
+
+const optionalUrlSchema = (message: string) =>
+  z
+    .string()
+    .trim()
+    .optional()
+    .refine((value) => {
+      if (!value) return true;
+      try {
+        new URL(value);
+        return true;
+      } catch {
+        return false;
+      }
+    }, message);
 
 const aiRuntimeConfigSchema = z
   .object({
-    provider: envKeySchema.optional(),
-    baseURL: z.string().trim().url("ai.baseURL must be a valid URL").optional(),
-    model: envKeySchema.optional(),
-    apiKey: envKeySchema.optional(),
+    provider: optionalTrimmedStringSchema,
+    baseURL: optionalUrlSchema("ai.baseURL must be a valid URL"),
+    model: optionalTrimmedStringSchema,
+    apiKey: optionalTrimmedStringSchema,
+    accountId: optionalTrimmedStringSchema,
   })
   .strict();
 
-export type LytxAiConfig = z.input<typeof aiRuntimeConfigSchema>;
+export type LytxAiProviderPreset = (typeof LYTX_AI_PROVIDER_PRESETS)[number];
+export type LytxAiProvider = LytxAiProviderPreset | (string & {});
+export type LytxAiModelPreset = (typeof LYTX_AI_MODEL_PRESETS)[number];
+export type LytxAiModel = LytxAiModelPreset | (string & {});
+
+type BaseLytxAiConfig = z.input<typeof aiRuntimeConfigSchema>;
+export type LytxAiConfig = Omit<BaseLytxAiConfig, "provider" | "model"> & {
+  provider?: LytxAiProvider;
+  model?: LytxAiModel;
+};
 
 const createLytxAppConfigSchema = z
   .object({
@@ -81,6 +137,7 @@ const createLytxAppConfigSchema = z
       .object({
         emailPasswordEnabled: z.boolean().optional(),
         requireEmailVerification: z.boolean().optional(),
+        signupMode: signupModeSchema.optional(),
         socialProviders: z
           .object({
             google: z.boolean().optional(),
@@ -136,6 +193,7 @@ const createLytxAppConfigSchema = z
         BETTER_AUTH_URL: z.string().trim().url("BETTER_AUTH_URL must be a valid URL").optional(),
         ENCRYPTION_KEY: envKeySchema.optional(),
         AI_API_KEY: envKeySchema.optional(),
+        AI_ACCOUNT_ID: envKeySchema.optional(),
         AI_BASE_URL: z.string().trim().url("AI_BASE_URL must be a valid URL").optional(),
         AI_PROVIDER: envKeySchema.optional(),
         AI_MODEL: envKeySchema.optional(),
@@ -242,7 +300,11 @@ const createLytxAppConfigSchema = z
     }
   });
 
-export type CreateLytxAppConfig = z.input<typeof createLytxAppConfigSchema>;
+type BaseCreateLytxAppConfig = z.input<typeof createLytxAppConfigSchema>;
+export type CreateLytxAppConfig = Omit<BaseCreateLytxAppConfig, "ai"> & {
+  ai?: LytxAiConfig;
+};
+type ParsedCreateLytxAppConfig = z.output<typeof createLytxAppConfigSchema>;
 
 function formatValidationErrors(error: z.ZodError): string {
   const lines = error.issues.map((issue) => {
@@ -257,10 +319,31 @@ function formatValidationErrors(error: z.ZodError): string {
   ].join("\n");
 }
 
-export function parseCreateLytxAppConfig(config: CreateLytxAppConfig): CreateLytxAppConfig {
+function normalizeOptionalValue(value: string | undefined): string | undefined {
+  if (typeof value !== "string") return undefined;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+}
+
+export function parseCreateLytxAppConfig(config: CreateLytxAppConfig): ParsedCreateLytxAppConfig {
   const parsed = createLytxAppConfigSchema.safeParse(config ?? {});
   if (!parsed.success) {
     throw new Error(formatValidationErrors(parsed.error));
   }
-  return parsed.data;
+
+  const normalized: ParsedCreateLytxAppConfig = {
+    ...parsed.data,
+    ai: parsed.data.ai
+      ? {
+          ...parsed.data.ai,
+          provider: normalizeOptionalValue(parsed.data.ai.provider),
+          baseURL: normalizeOptionalValue(parsed.data.ai.baseURL),
+          model: normalizeOptionalValue(parsed.data.ai.model),
+          apiKey: normalizeOptionalValue(parsed.data.ai.apiKey),
+          accountId: normalizeOptionalValue(parsed.data.ai.accountId),
+        }
+      : undefined,
+  };
+
+  return normalized;
 }

package/src/pages/Login.tsx

@@ -11,6 +11,7 @@ type AuthProviders = {
 type LoginProps = {
   authProviders?: AuthProviders;
   emailPasswordEnabled?: boolean;
+  allowSignupLink?: boolean;
 };
 
 type AuthUiStatus =
@@ -58,7 +59,11 @@ function isEmailVerificationError(message: string) {
   );
 }
 
-export function Login({ authProviders = { google: true, github: true }, emailPasswordEnabled = true }: LoginProps) {
+export function Login({
+  authProviders = { google: true, github: true },
+  emailPasswordEnabled = true,
+  allowSignupLink = true,
+}: LoginProps) {
   const [status, setStatus] = useState<AuthUiStatus>({ type: "idle" });
   const [email, setEmail] = useState("");
   const [isResending, setIsResending] = useState(false);
@@ -274,7 +279,9 @@ export function Login({ authProviders = { google: true, github: true }, emailPas
           </div>
         )}
         <div className="h-5 my-4">
-          <a href="/signup" className="text-slate-600 hover:text-slate-900 dark:text-slate-400 dark:hover:text-white transition-colors">Create an account</a>
+          {allowSignupLink ? (
+            <a href="/signup" className="text-slate-600 hover:text-slate-900 dark:text-slate-400 dark:hover:text-white transition-colors">Create an account</a>
+          ) : null}
         </div>
       </div>
     </div>

package/src/pages/Signup.tsx

@@ -11,6 +11,8 @@ type AuthProviders = {
 type SignupProps = {
   authProviders?: AuthProviders;
   emailPasswordEnabled?: boolean;
+  publicSignupOpen?: boolean;
+  bootstrapSignupOpen?: boolean;
 };
 
 type SignupStatus =
@@ -19,7 +21,12 @@ type SignupStatus =
   | { type: "success"; message: string }
   | { type: "error"; message: string };
 
-export function Signup({ authProviders = { google: true, github: true }, emailPasswordEnabled = true }: SignupProps) {
+export function Signup({
+  authProviders = { google: true, github: true },
+  emailPasswordEnabled = true,
+  publicSignupOpen = true,
+  bootstrapSignupOpen = false,
+}: SignupProps) {
   const [status, setStatus] = useState<SignupStatus>({ type: "idle" });
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
@@ -62,6 +69,15 @@ export function Signup({ authProviders = { google: true, github: true }, emailPa
           <span>Lytx</span>
         </div>
         <div className="h-auto my-4">Register your account</div>
+        {!publicSignupOpen ? (
+          <div className="mb-4 px-4 w-full max-w-[300px] text-xs text-amber-700 dark:text-amber-300">
+            Public sign up is closed. Use an invited email address to register.
+          </div>
+        ) : bootstrapSignupOpen ? (
+          <div className="mb-4 px-4 w-full max-w-[300px] text-xs text-sky-700 dark:text-sky-300">
+            You are creating the first admin account for this instance. Public sign up will close after this account is created.
+          </div>
+        ) : null}
 
         {(authProviders.google || authProviders.github) ? (
           <div className="flex flex-col gap-3 mb-6 px-4 w-full max-w-[300px]">

package/src/worker.tsx

@@ -19,7 +19,13 @@ import {
 } from "@api/tag_api";
 import { lytxTag, trackWebEvent } from "@api/tag_api_v2";
 import { authMiddleware, sessionMiddleware } from "@api/authMiddleware";
-import { getAuth, getAuthProviderAvailability, setAuthRuntimeConfig } from "@lib/auth";
+import {
+  canRegisterEmail,
+  getSignupAccessState,
+  getAuth,
+  getAuthProviderAvailability,
+  setAuthRuntimeConfig,
+} from "@lib/auth";
 import { Signup } from "@/pages/Signup";
 import { Login } from "@/pages/Login";
 import { VerifyEmail } from "@/pages/VerifyEmail";
@@ -160,12 +166,47 @@ const appRoute = <TPath extends string>(
   path: TPath,
   handlers: Parameters<typeof route<TPath, AppRequestInfo>>[1],
 ) => route<TPath, AppRequestInfo>(path, handlers);
+
+const isRecord = (value: unknown): value is Record<string, unknown> => {
+  return typeof value === "object" && value !== null;
+};
+
+const isEmailSignupRequest = (request: Request): boolean => {
+  if (request.method !== "POST") return false;
+  const url = new URL(request.url);
+  return url.pathname === "/api/auth/sign-up/email";
+};
+
+const readSignupEmail = async (request: Request): Promise<string> => {
+  try {
+    const body = await request.clone().json();
+    if (!isRecord(body) || typeof body.email !== "string") return "";
+    return body.email;
+  } catch {
+    return "";
+  }
+};
+
+const buildSignupClosedResponse = (): Response => {
+  return new Response(
+    JSON.stringify({
+      code: "SIGNUP_REQUIRES_INVITE",
+      message: "Public sign up is disabled. Ask an admin for an invitation.",
+    }),
+    {
+      status: 403,
+      headers: { "Content-Type": "application/json" },
+    },
+  );
+};
+
 export function createLytxApp(config: CreateLytxAppConfig = {}) {
   const parsed_config = parseCreateLytxAppConfig(config);
   setAuthRuntimeConfig(parsed_config.auth);
   setEmailFromAddress(parsed_config.env?.EMAIL_FROM);
   setAiRuntimeOverrides({
     apiKey: parsed_config.ai?.apiKey ?? parsed_config.env?.AI_API_KEY,
+    accountId: parsed_config.ai?.accountId ?? parsed_config.env?.AI_ACCOUNT_ID,
     model: parsed_config.ai?.model ?? parsed_config.env?.AI_MODEL,
     baseURL: parsed_config.ai?.baseURL ?? parsed_config.env?.AI_BASE_URL,
     provider: parsed_config.ai?.provider ?? parsed_config.env?.AI_PROVIDER,
@@ -244,7 +285,16 @@ export function createLytxApp(config: CreateLytxAppConfig = {}) {
     seedApi,
     ...(authEnabled
       ? [
-        route("/api/auth/*", (r) => authMiddleware(r)),
+        route("/api/auth/*", async (r) => {
+          if (isEmailSignupRequest(r.request)) {
+            const signupEmail = await readSignupEmail(r.request);
+            const allowed = await canRegisterEmail(signupEmail);
+            if (!allowed) {
+              return buildSignupClosedResponse();
+            }
+          }
+          return authMiddleware(r);
+        }),
         resendVerificationEmailRoute,
         userApiRoutes,
       ]
@@ -258,8 +308,16 @@ export function createLytxApp(config: CreateLytxAppConfig = {}) {
       ...(authEnabled
         ? [
             route("/signup", [
-              onlyAllowGetPost, () => {
-                return <Signup authProviders={authProviders} emailPasswordEnabled={emailPasswordEnabled} />;
+              onlyAllowGetPost, async () => {
+                const signupAccess = await getSignupAccessState();
+                return (
+                  <Signup
+                    authProviders={authProviders}
+                    emailPasswordEnabled={emailPasswordEnabled}
+                    publicSignupOpen={signupAccess.publicSignupOpen}
+                    bootstrapSignupOpen={signupAccess.bootstrapSignupOpen}
+                  />
+                );
               },
             ]),
         ]
@@ -268,8 +326,15 @@ export function createLytxApp(config: CreateLytxAppConfig = {}) {
         ? [
             route("/login", [
               onlyAllowGetPost,
-              () => {
-                return <Login authProviders={authProviders} emailPasswordEnabled={emailPasswordEnabled} />;
+              async () => {
+                const signupAccess = await getSignupAccessState();
+                return (
+                  <Login
+                    authProviders={authProviders}
+                    emailPasswordEnabled={emailPasswordEnabled}
+                    allowSignupLink={signupAccess.publicSignupOpen}
+                  />
+                );
               },
             ]),
           route("/verify-email", [