sa2kit 3.2.0 → 3.2.2

package/dist/common/auth/server/index.mjs

@@ -1,9 +1,11 @@
-import { authDrizzleSchema } from '../../../chunk-EBHPTFG6.mjs';
+import { account, authDrizzleSchema } from '../../../chunk-EBHPTFG6.mjs';
 export { account, accountRelations, authDrizzleSchema, session, sessionRelations, user, userRelations, userRole, verification, verifications } from '../../../chunk-EBHPTFG6.mjs';
 import '../../../chunk-MAI35PU6.mjs';
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from '@better-auth/drizzle-adapter';
 import { bearer, emailOTP, phoneNumber } from 'better-auth/plugins';
+import { and, eq } from 'drizzle-orm';
+import { hashPassword } from 'better-auth/crypto';
 import { toNextJsHandler } from 'better-auth/next-js';
 
 // src/common/auth/server/plugins/dev-otp.ts
@@ -17,6 +19,70 @@ function createDevOtpLogger(enabled) {
 }
 var defaultPhoneValidator = (phoneNumber2) => /^1\d{10}$/.test(phoneNumber2);
 var defaultTempEmailFromPhone = (phoneNumber2) => `${phoneNumber2.replace(/\D/g, "")}@phone.sa2kit.local`;
+function createId() {
+  return globalThis.crypto?.randomUUID?.() ?? `acc_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+}
+async function upsertCredentialPassword(db, userId, plainPassword) {
+  const database = db;
+  const now = /* @__PURE__ */ new Date();
+  const passwordHash = await hashPassword(plainPassword);
+  const existing = await database.select({ id: account.id }).from(account).where(and(eq(account.userId, userId), eq(account.providerId, "credential"))).limit(1);
+  if (existing[0]) {
+    await database.update(account).set({ password: passwordHash, updatedAt: now }).where(eq(account.id, existing[0].id));
+    return;
+  }
+  await database.insert(account).values({
+    id: createId(),
+    accountId: userId,
+    providerId: "credential",
+    userId,
+    password: passwordHash,
+    createdAt: now,
+    updatedAt: now
+  });
+}
+
+// src/common/auth/server/phone-signup-intent.ts
+var pendingByPhone = /* @__PURE__ */ new Map();
+var TTL_MS = 5 * 60 * 1e3;
+function normalizePhone(phoneNumber2) {
+  return phoneNumber2.replace(/\D/g, "");
+}
+function stashPhoneSignupPassword(phoneNumber2, password) {
+  pendingByPhone.set(normalizePhone(phoneNumber2), {
+    password,
+    expiresAt: Date.now() + TTL_MS
+  });
+}
+function consumePhoneSignupPassword(phoneNumber2) {
+  const key = normalizePhone(phoneNumber2);
+  const entry = pendingByPhone.get(key);
+  pendingByPhone.delete(key);
+  if (!entry) return void 0;
+  if (entry.expiresAt < Date.now()) return void 0;
+  return entry.password;
+}
+async function handlePhoneSignupIntentRequest(request) {
+  if (request.method !== "POST") {
+    return new Response("Method Not Allowed", { status: 405 });
+  }
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return Response.json({ error: "invalid_json" }, { status: 400 });
+  }
+  const phoneNumber2 = String(body.phoneNumber ?? "").trim();
+  const password = String(body.password ?? "");
+  if (!defaultPhoneValidator(phoneNumber2)) {
+    return Response.json({ error: "invalid_phone" }, { status: 400 });
+  }
+  if (password.length < 6) {
+    return Response.json({ error: "invalid_password" }, { status: 400 });
+  }
+  stashPhoneSignupPassword(phoneNumber2, password);
+  return Response.json({ ok: true });
+}
 
 // src/common/auth/server/create-auth.ts
 function createSa2kitAuth(config) {
@@ -64,7 +130,13 @@ function createSa2kitAuth(config) {
         async sendOTP({ phoneNumber: phone, code }) {
           devLog?.("sms", phone, code);
           if (config.sms?.sendOTP) {
-            void config.sms.sendOTP(phone, code);
+            await config.sms.sendOTP(phone, code);
+          }
+        },
+        async callbackOnVerification({ phoneNumber: phone, user: user2 }) {
+          const pendingPassword = consumePhoneSignupPassword(phone);
+          if (pendingPassword && user2?.id) {
+            await upsertCredentialPassword(config.db, String(user2.id), pendingPassword);
           }
         },
         signUpOnVerification: {
@@ -76,6 +148,530 @@ function createSa2kitAuth(config) {
   });
   return auth;
 }
+
+// src/common/auth/server/env/auth-env-catalog.ts
+var AUTH_FEATURES = [
+  {
+    id: "core",
+    name: "\u6838\u5FC3\u8BA4\u8BC1",
+    description: "Better Auth \u670D\u52A1\u7AEF\u57FA\u7840\u80FD\u529B\uFF08\u4F1A\u8BDD\u3001Cookie\u3001API \u8DEF\u7531\uFF09",
+    envKeys: ["BETTER_AUTH_SECRET", "BETTER_AUTH_URL"]
+  },
+  {
+    id: "client",
+    name: "Web \u5BA2\u6237\u7AEF",
+    description: "\u6D4F\u89C8\u5668\u7AEF AuthProvider / \u767B\u5F55\u5F39\u7A97\u8BF7\u6C42\u6B63\u786E origin",
+    envKeys: ["NEXT_PUBLIC_APP_URL"]
+  },
+  {
+    id: "trusted_origins",
+    name: "\u8DE8\u57DF\u4FE1\u4EFB\u6E90",
+    description: "\u591A\u57DF\u540D / \u9884\u89C8\u73AF\u5883 CORS \u4E0E Cookie",
+    envKeys: ["BETTER_AUTH_TRUSTED_ORIGINS"]
+  },
+  {
+    id: "sms_phone_otp",
+    name: "\u624B\u673A\u77ED\u4FE1 OTP",
+    description: "\u624B\u673A\u53F7\u6CE8\u518C / \u767B\u5F55 / \u627E\u56DE\u5BC6\u7801\u7684\u77ED\u4FE1\u9A8C\u8BC1\u7801",
+    envKeys: [
+      "SA2KIT_SMS_PROVIDER",
+      "ALIYUN_SMS_ACCESS_KEY_ID",
+      "ALIYUN_SMS_ACCESS_KEY_SECRET",
+      "ALIYUN_SMS_SIGN_NAME",
+      "ALIYUN_SMS_TEMPLATE_CODE",
+      "ALIYUN_SMS_COUNTRY_CODE",
+      "ALIYUN_SMS_CODE_VALID_MINUTES",
+      "ALIYUN_SMS_ENDPOINT"
+    ]
+  },
+  {
+    id: "email_otp",
+    name: "\u90AE\u7BB1 OTP",
+    description: "\u90AE\u7BB1\u9A8C\u8BC1\u7801\uFF08\u9700\u5728 createSa2kitAuth \u4F20\u5165 email.sendVerificationOTP\uFF09",
+    envKeys: ["SA2KIT_EMAIL_PROVIDER"]
+  },
+  {
+    id: "database",
+    name: "\u6570\u636E\u5E93",
+    description: "Drizzle + PostgreSQL \u6301\u4E45\u5316 user/session\uFF08\u7531\u5BBF\u4E3B\u9879\u76EE\u914D\u7F6E\uFF09",
+    envKeys: ["DATABASE_URL"]
+  }
+];
+var AUTH_ENV_CATALOG = [
+  {
+    key: "BETTER_AUTH_SECRET",
+    featureId: "core",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "Better Auth \u7B7E\u540D\u5BC6\u94A5\uFF0C\u81F3\u5C11 32 \u5B57\u7B26\u3002\u53EF\u517C\u5BB9\u8BFB\u53D6 NEXTAUTH_SECRET\u3002",
+    example: "openssl rand -base64 32",
+    secret: true
+  },
+  {
+    key: "BETTER_AUTH_URL",
+    featureId: "core",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u5BF9\u5916\u53EF\u8BBF\u95EE\u7684\u7AD9\u70B9 URL\uFF08\u542B\u534F\u8BAE\u4E0E\u7AEF\u53E3\uFF09\u3002\u53EF\u56DE\u9000 NEXT_PUBLIC_APP_URL / NEXTAUTH_URL\u3002",
+    example: "https://example.com"
+  },
+  {
+    key: "NEXT_PUBLIC_APP_URL",
+    featureId: "client",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u6D4F\u89C8\u5668\u7AEF auth client \u7684 baseURL\u3002",
+    example: "https://example.com"
+  },
+  {
+    key: "BETTER_AUTH_TRUSTED_ORIGINS",
+    featureId: "trusted_origins",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u9017\u53F7\u5206\u9694\u7684\u53EF\u4FE1 origin \u5217\u8868\uFF0C\u7528\u4E8E\u9884\u89C8\u57DF / \u591A\u57DF\u540D\u90E8\u7F72\u3002",
+    example: "https://example.com,https://www.example.com"
+  },
+  {
+    key: "SA2KIT_SMS_PROVIDER",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1 provider\uFF1Aconsole\uFF08\u5F00\u53D1\u65E5\u5FD7\uFF09| aliyun-pnvs\uFF08\u751F\u4EA7\uFF09| none\u3002\u5F00\u53D1\u9ED8\u8BA4 console\uFF0C\u751F\u4EA7\u672A\u914D\u7F6E\u5219\u65E0\u6CD5\u53D1\u77ED\u4FE1\u3002",
+    example: "aliyun-pnvs"
+  },
+  {
+    key: "ALIYUN_SMS_ACCESS_KEY_ID",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u963F\u91CC\u4E91 RAM AccessKey ID\uFF08\u77ED\u4FE1\u8BA4\u8BC1 SendSmsVerifyCode\uFF09\u3002",
+    secret: true
+  },
+  {
+    key: "ALIYUN_SMS_ACCESS_KEY_SECRET",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u963F\u91CC\u4E91 RAM AccessKey Secret\u3002",
+    secret: true
+  },
+  {
+    key: "ALIYUN_SMS_SIGN_NAME",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1\u8BA4\u8BC1\u63A7\u5236\u53F0\u8D60\u9001/\u7533\u8BF7\u7684\u7B7E\u540D\u540D\u79F0\u3002",
+    example: "\u901F\u901A\u4E92\u8054\u9A8C\u8BC1\u7801"
+  },
+  {
+    key: "ALIYUN_SMS_TEMPLATE_CODE",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u77ED\u4FE1\u8BA4\u8BC1\u63A7\u5236\u53F0\u8D60\u9001/\u7533\u8BF7\u7684\u6A21\u677F CODE\u3002",
+    example: "100001"
+  },
+  {
+    key: "ALIYUN_SMS_COUNTRY_CODE",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u56FD\u5BB6\u7801\uFF0C\u9ED8\u8BA4 86\uFF08\u4E2D\u56FD\u5927\u9646\uFF09\u3002",
+    example: "86"
+  },
+  {
+    key: "ALIYUN_SMS_CODE_VALID_MINUTES",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u77ED\u4FE1\u6A21\u677F\u4E2D\u5C55\u793A\u7684\u6709\u6548\u5206\u949F\u6570\uFF0C\u9ED8\u8BA4 5\uFF08\u4E0E Better Auth OTP \u6709\u6548\u671F\u72EC\u7ACB\uFF09\u3002",
+    example: "5"
+  },
+  {
+    key: "ALIYUN_SMS_ENDPOINT",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u53EF\u9009\uFF0C\u9ED8\u8BA4 https://dypnsapi.aliyuncs.com"
+  },
+  {
+    key: "SA2KIT_EMAIL_PROVIDER",
+    featureId: "email_otp",
+    required: false,
+    placement: ["env_file", "github_secret", "runtime_env"],
+    description: "\u90AE\u7BB1 OTP \u7531\u5BBF\u4E3B\u5B9E\u73B0 config.email.sendVerificationOTP\uFF1B\u6B64\u53D8\u91CF\u4EC5\u7528\u4E8E env \u68C0\u67E5\u63D0\u793A\u3002",
+    example: "resend | smtp | console"
+  },
+  {
+    key: "DATABASE_URL",
+    featureId: "database",
+    required: true,
+    placement: ["env_file", "github_secret", "runtime_env", "database"],
+    description: "PostgreSQL \u8FDE\u63A5\u4E32\uFF08\u5BBF\u4E3B\u9879\u76EE Drizzle \u4F7F\u7528\uFF0C\u975E sa2kit \u76F4\u63A5\u8BFB\u53D6\uFF09\u3002",
+    secret: true
+  },
+  {
+    key: "SA2KIT_AUTH_LOG_OTP",
+    featureId: "sms_phone_otp",
+    required: false,
+    placement: ["env_file", "runtime_env"],
+    description: "\u8BBE\u4E3A 1 \u65F6\u5728\u975E\u751F\u4EA7\u73AF\u5883\u5C06 OTP \u6253\u5370\u5230\u670D\u52A1\u7AEF\u65E5\u5FD7\uFF1B\u751F\u4EA7\u73AF\u5883\u5FFD\u7565\u3002\u8BBE\u4E3A 0 \u53EF\u5173\u95ED\u5F00\u53D1\u65E5\u5FD7\u3002",
+    example: "1"
+  }
+];
+var AUTH_ENV_ALIASES = {
+  BETTER_AUTH_SECRET: ["NEXTAUTH_SECRET"],
+  BETTER_AUTH_URL: ["NEXT_PUBLIC_APP_URL", "NEXTAUTH_URL"]
+};
+
+// src/common/auth/server/sms/providers/aliyun-pnvs.ts
+async function loadPopCore() {
+  try {
+    const mod = await import('@alicloud/pop-core');
+    return mod.default ?? mod;
+  } catch {
+    throw new Error(
+      "\u542F\u7528 SA2KIT_SMS_PROVIDER=aliyun-pnvs \u9700\u8981\u5B89\u88C5 @alicloud/pop-core\uFF1Apnpm add @alicloud/pop-core"
+    );
+  }
+}
+function createAliyunPnvsSmsProvider(config) {
+  return {
+    async sendOTP(phoneNumber2, code) {
+      const Core = await loadPopCore();
+      const client = new Core({
+        accessKeyId: config.accessKeyId,
+        accessKeySecret: config.accessKeySecret,
+        endpoint: config.endpoint ?? "https://dypnsapi.aliyuncs.com",
+        apiVersion: "2017-05-25"
+      });
+      const minutes = String(config.codeValidMinutes ?? 5);
+      const result = await client.request(
+        "SendSmsVerifyCode",
+        {
+          PhoneNumber: phoneNumber2,
+          CountryCode: config.countryCode ?? "86",
+          SignName: config.signName,
+          TemplateCode: config.templateCode,
+          TemplateParam: JSON.stringify({ code, min: minutes })
+        },
+        { method: "POST" }
+      );
+      if (result.Code !== "OK" && result.Success !== true) {
+        throw new Error(
+          `\u963F\u91CC\u4E91\u77ED\u4FE1\u8BA4\u8BC1\u53D1\u9001\u5931\u8D25: ${result.Message ?? result.Code ?? "unknown error"}`
+        );
+      }
+    }
+  };
+}
+
+// src/common/auth/server/sms/providers/console.ts
+function createConsoleSmsProvider() {
+  return {
+    async sendOTP(phoneNumber2, code) {
+      console.info(`[sa2kit/auth][sms][console] ${phoneNumber2} => ${code}`);
+    }
+  };
+}
+
+// src/common/auth/server/sms/create-sms-provider-from-env.ts
+function readEnv(key) {
+  const value = process.env[key];
+  return value && value.trim().length > 0 ? value.trim() : void 0;
+}
+function resolveSmsProviderId(explicit) {
+  if (explicit) return explicit;
+  const fromEnv = readEnv("SA2KIT_SMS_PROVIDER");
+  if (fromEnv) return fromEnv;
+  if (process.env.NODE_ENV !== "production") return "console";
+  return void 0;
+}
+function createSmsProviderFromEnv(options) {
+  const providerId = resolveSmsProviderId(options?.providerId);
+  if (!providerId || providerId === "none") return void 0;
+  if (providerId === "console") {
+    return createConsoleSmsProvider();
+  }
+  if (providerId === "aliyun-pnvs") {
+    const accessKeyId = readEnv("ALIYUN_SMS_ACCESS_KEY_ID");
+    const accessKeySecret = readEnv("ALIYUN_SMS_ACCESS_KEY_SECRET");
+    const signName = readEnv("ALIYUN_SMS_SIGN_NAME");
+    const templateCode = readEnv("ALIYUN_SMS_TEMPLATE_CODE");
+    if (!accessKeyId || !accessKeySecret || !signName || !templateCode) {
+      throw new Error(
+        "SA2KIT_SMS_PROVIDER=aliyun-pnvs \u9700\u8981 ALIYUN_SMS_ACCESS_KEY_ID\u3001ALIYUN_SMS_ACCESS_KEY_SECRET\u3001ALIYUN_SMS_SIGN_NAME\u3001ALIYUN_SMS_TEMPLATE_CODE"
+      );
+    }
+    const codeValidMinutes = Number.parseInt(readEnv("ALIYUN_SMS_CODE_VALID_MINUTES") ?? "5", 10);
+    return createAliyunPnvsSmsProvider({
+      accessKeyId,
+      accessKeySecret,
+      signName,
+      templateCode,
+      countryCode: readEnv("ALIYUN_SMS_COUNTRY_CODE") ?? "86",
+      codeValidMinutes: Number.isFinite(codeValidMinutes) ? codeValidMinutes : 5,
+      endpoint: readEnv("ALIYUN_SMS_ENDPOINT")
+    });
+  }
+  throw new Error(`\u672A\u77E5\u7684 SA2KIT_SMS_PROVIDER: ${providerId}`);
+}
+
+// src/common/auth/server/env/resolve-auth-env.ts
+function readEnv2(key) {
+  const value = process.env[key];
+  return value && value.trim().length > 0 ? value.trim() : void 0;
+}
+function readEnvWithAliases(key) {
+  const direct = readEnv2(key);
+  if (direct) return direct;
+  for (const alias of AUTH_ENV_ALIASES[key] ?? []) {
+    const value = readEnv2(alias);
+    if (value) return value;
+  }
+  return void 0;
+}
+function parseTrustedOrigins(baseURL) {
+  const fromEnv = readEnv2("BETTER_AUTH_TRUSTED_ORIGINS");
+  const defaults = [baseURL, "http://localhost:3000", "http://127.0.0.1:3000"];
+  const extra = fromEnv ? fromEnv.split(",").map((item) => item.trim()).filter(Boolean) : [];
+  return [...defaults, ...extra].filter((origin, index, list) => list.indexOf(origin) === index);
+}
+function resolveAuthEnv(input) {
+  const baseURL = input.baseURL ?? readEnvWithAliases("BETTER_AUTH_URL") ?? readEnv2("NEXT_PUBLIC_APP_URL") ?? "http://localhost:3000";
+  const secret = input.secret ?? readEnvWithAliases("BETTER_AUTH_SECRET") ?? (process.env.NODE_ENV !== "production" ? "dev-better-auth-secret-min-32-chars!!" : void 0);
+  if (!secret || secret.length < 32) {
+    throw new Error("BETTER_AUTH_SECRET \u81F3\u5C11 32 \u5B57\u7B26\uFF08\u6216\u5F00\u53D1\u73AF\u5883\u4F7F\u7528\u9ED8\u8BA4 dev secret\uFF09");
+  }
+  const smsProvider = createSmsProviderFromEnv();
+  const sms = input.sms ?? (smsProvider ? { sendOTP: smsProvider.sendOTP.bind(smsProvider) } : void 0);
+  const config = {
+    db: input.db,
+    baseURL,
+    secret,
+    trustedOrigins: input.trustedOrigins ?? parseTrustedOrigins(baseURL),
+    basePath: input.basePath,
+    sms,
+    email: input.email,
+    phoneNumberValidator: input.phoneNumberValidator,
+    logOtpInDev: input.logOtpInDev ?? (process.env.SA2KIT_AUTH_LOG_OTP === "1" || process.env.NODE_ENV !== "production")
+  };
+  const envSnapshot = {
+    BETTER_AUTH_SECRET: readEnvWithAliases("BETTER_AUTH_SECRET") ? "[set]" : void 0,
+    BETTER_AUTH_URL: readEnvWithAliases("BETTER_AUTH_URL"),
+    NEXT_PUBLIC_APP_URL: readEnv2("NEXT_PUBLIC_APP_URL"),
+    BETTER_AUTH_TRUSTED_ORIGINS: readEnv2("BETTER_AUTH_TRUSTED_ORIGINS"),
+    SA2KIT_SMS_PROVIDER: String(resolveSmsProviderId() ?? ""),
+    ALIYUN_SMS_ACCESS_KEY_ID: readEnv2("ALIYUN_SMS_ACCESS_KEY_ID") ? "[set]" : void 0,
+    ALIYUN_SMS_ACCESS_KEY_SECRET: readEnv2("ALIYUN_SMS_ACCESS_KEY_SECRET") ? "[set]" : void 0,
+    ALIYUN_SMS_SIGN_NAME: readEnv2("ALIYUN_SMS_SIGN_NAME"),
+    ALIYUN_SMS_TEMPLATE_CODE: readEnv2("ALIYUN_SMS_TEMPLATE_CODE"),
+    SA2KIT_EMAIL_PROVIDER: readEnv2("SA2KIT_EMAIL_PROVIDER"),
+    DATABASE_URL: readEnv2("DATABASE_URL") ? "[set]" : void 0,
+    NODE_ENV: process.env.NODE_ENV
+  };
+  return { config, envSnapshot };
+}
+
+// src/common/auth/server/env/check-auth-env.ts
+function isSet(snapshot, key) {
+  const value = snapshot[key];
+  return value !== void 0 && value !== "[unset]" && value.length > 0;
+}
+function featureById(id) {
+  return AUTH_FEATURES.find((f) => f.id === id);
+}
+function varsForFeature(featureId) {
+  return AUTH_ENV_CATALOG.filter((item) => item.featureId === featureId);
+}
+function checkAuthEnv(envSnapshot) {
+  const issues = [];
+  const enabledFeatures = [];
+  const disabledFeatures = [];
+  const checkRequiredFeature = (featureId, productionOnly = false) => {
+    const feature = featureById(featureId);
+    const requiredVars = varsForFeature(featureId).filter((item) => item.required);
+    const missing = requiredVars.filter((item) => !isSet(envSnapshot, item.key)).map((item) => item.key);
+    if (missing.length === 0) {
+      enabledFeatures.push(featureId);
+      return;
+    }
+    if (productionOnly && envSnapshot.NODE_ENV !== "production") {
+      disabledFeatures.push(featureId);
+      issues.push({
+        level: "info",
+        featureId,
+        featureName: feature.name,
+        message: `\u5F00\u53D1\u73AF\u5883\u53EF\u6682\u7F3A\uFF1A${missing.join(", ")}`,
+        missingKeys: missing
+      });
+      return;
+    }
+    disabledFeatures.push(featureId);
+    issues.push({
+      level: "error",
+      featureId,
+      featureName: feature.name,
+      message: `\u7F3A\u5C11\u5FC5\u9700\u73AF\u5883\u53D8\u91CF\uFF1A${missing.join(", ")}`,
+      missingKeys: missing
+    });
+  };
+  checkRequiredFeature("core");
+  checkRequiredFeature("client", true);
+  checkRequiredFeature("database", true);
+  const smsFeature = featureById("sms_phone_otp");
+  const smsProvider = envSnapshot.SA2KIT_SMS_PROVIDER;
+  if (smsProvider === "aliyun-pnvs") {
+    const aliyunKeys = [
+      "ALIYUN_SMS_ACCESS_KEY_ID",
+      "ALIYUN_SMS_ACCESS_KEY_SECRET",
+      "ALIYUN_SMS_SIGN_NAME",
+      "ALIYUN_SMS_TEMPLATE_CODE"
+    ];
+    const missing = aliyunKeys.filter((key) => !isSet(envSnapshot, key));
+    if (missing.length === 0) {
+      enabledFeatures.push("sms_phone_otp");
+    } else {
+      disabledFeatures.push("sms_phone_otp");
+      issues.push({
+        level: "error",
+        featureId: "sms_phone_otp",
+        featureName: smsFeature.name,
+        message: `SA2KIT_SMS_PROVIDER=aliyun-pnvs \u4F46\u7F3A\u5C11\uFF1A${missing.join(", ")}`,
+        missingKeys: missing,
+        hints: ["\u5728 GitHub Secrets \u6216 .env.production \u4E2D\u914D\u7F6E ALIYUN_SMS_*"]
+      });
+    }
+  } else if (smsProvider === "console") {
+    enabledFeatures.push("sms_phone_otp");
+    if (envSnapshot.NODE_ENV === "production") {
+      issues.push({
+        level: "warning",
+        featureId: "sms_phone_otp",
+        featureName: smsFeature.name,
+        message: "\u751F\u4EA7\u73AF\u5883\u4ECD\u5728\u4F7F\u7528 SA2KIT_SMS_PROVIDER=console\uFF0C\u9A8C\u8BC1\u7801\u4EC5\u8F93\u51FA\u5230\u65E5\u5FD7\uFF0C\u7528\u6237\u6536\u4E0D\u5230\u77ED\u4FE1\u3002",
+        hints: ["\u751F\u4EA7\u8BF7\u6539\u4E3A aliyun-pnvs \u5E76\u914D\u7F6E ALIYUN_SMS_*"]
+      });
+    }
+  } else {
+    disabledFeatures.push("sms_phone_otp");
+    issues.push({
+      level: envSnapshot.NODE_ENV === "production" ? "warning" : "info",
+      featureId: "sms_phone_otp",
+      featureName: smsFeature.name,
+      message: envSnapshot.NODE_ENV === "production" ? "\u672A\u914D\u7F6E\u77ED\u4FE1 provider\uFF0C\u624B\u673A\u53F7 OTP \u65E0\u6CD5\u9001\u8FBE\uFF08\u7528\u6237\u6536\u4E0D\u5230\u9A8C\u8BC1\u7801\uFF09\u3002" : "\u672A\u914D\u7F6E\u77ED\u4FE1 provider\uFF1B\u5F00\u53D1\u73AF\u5883\u53EF\u8BBE\u7F6E SA2KIT_SMS_PROVIDER=console \u5E76\u5728\u670D\u52A1\u7AEF\u65E5\u5FD7\u67E5\u770B OTP\u3002",
+      hints: [
+        "\u5F00\u53D1\uFF1ASA2KIT_SMS_PROVIDER=console",
+        "\u751F\u4EA7\uFF1ASA2KIT_SMS_PROVIDER=aliyun-pnvs + ALIYUN_SMS_*"
+      ]
+    });
+  }
+  if (isSet(envSnapshot, "SA2KIT_EMAIL_PROVIDER")) {
+    enabledFeatures.push("email_otp");
+  } else {
+    disabledFeatures.push("email_otp");
+    issues.push({
+      level: "info",
+      featureId: "email_otp",
+      featureName: featureById("email_otp").name,
+      message: "\u672A\u58F0\u660E SA2KIT_EMAIL_PROVIDER\uFF1B\u82E5\u9700\u90AE\u7BB1\u9A8C\u8BC1\u7801\u8BF7\u5728 createSa2kitAuth \u914D\u7F6E email.sendVerificationOTP\u3002"
+    });
+  }
+  if (isSet(envSnapshot, "BETTER_AUTH_TRUSTED_ORIGINS")) {
+    enabledFeatures.push("trusted_origins");
+  } else {
+    disabledFeatures.push("trusted_origins");
+    issues.push({
+      level: "info",
+      featureId: "trusted_origins",
+      featureName: featureById("trusted_origins").name,
+      message: "\u672A\u8BBE\u7F6E BETTER_AUTH_TRUSTED_ORIGINS\uFF0C\u4EC5\u4F7F\u7528 baseURL + localhost \u9ED8\u8BA4\u503C\u3002"
+    });
+  }
+  const ok = !issues.some((issue) => issue.level === "error");
+  return { ok, issues, enabledFeatures, disabledFeatures };
+}
+var loggedOnce = false;
+function logAuthEnvReport(report, options) {
+  if (loggedOnce && !options?.force) return;
+  loggedOnce = true;
+  const lines = ["[sa2kit/auth] \u73AF\u5883\u914D\u7F6E\u68C0\u67E5"];
+  for (const issue of report.issues) {
+    const prefix = issue.level === "error" ? "\u2717" : issue.level === "warning" ? "\u26A0" : "\u25CB";
+    lines.push(`${prefix} ${issue.featureName}: ${issue.message}`);
+    if (issue.hints?.length) {
+      for (const hint of issue.hints) {
+        lines.push(`    \u2192 ${hint}`);
+      }
+    }
+  }
+  if (report.issues.length === 0) {
+    lines.push("\u2713 \u6240\u6709\u5DF2\u542F\u7528\u80FD\u529B\u7684\u73AF\u5883\u53D8\u91CF\u5747\u5DF2\u5C31\u7EEA");
+  }
+  lines.push(`  \u5DF2\u542F\u7528: ${report.enabledFeatures.join(", ") || "\u65E0"}`);
+  console.info(lines.join("\n"));
+}
+function formatAuthEnvSetupMarkdown(report) {
+  const lines = [
+    "# sa2kit Auth \u73AF\u5883\u53D8\u91CF",
+    "",
+    "\u5B8C\u6574\u8BF4\u660E\u89C1 sa2kit \u6587\u6863\uFF1A`docs/auth-env.md`",
+    "",
+    "## \u529F\u80FD \u2194 \u73AF\u5883\u53D8\u91CF",
+    ""
+  ];
+  for (const feature of AUTH_FEATURES) {
+    lines.push(`### ${feature.name} (\`${feature.id}\`)`);
+    lines.push("");
+    lines.push(feature.description);
+    lines.push("");
+    const vars = varsForFeature(feature.id);
+    lines.push("| \u53D8\u91CF | \u5FC5\u9700 | \u5B58\u653E\u4F4D\u7F6E | \u8BF4\u660E |");
+    lines.push("|------|------|----------|------|");
+    for (const item of vars) {
+      lines.push(
+        `| \`${item.key}\` | ${item.required ? "\u662F" : "\u5426"} | ${item.placement.join(", ")} | ${item.description} |`
+      );
+    }
+    lines.push("");
+  }
+  if (report) {
+    lines.push("## \u5F53\u524D\u68C0\u67E5\u7ED3\u679C");
+    lines.push("");
+    for (const issue of report.issues) {
+      lines.push(`- **${issue.featureName}** (${issue.level}): ${issue.message}`);
+    }
+  }
+  return lines.join("\n");
+}
+function checkAuthEnvFromProcessEnv(extraSnapshot) {
+  const snapshot = {
+    BETTER_AUTH_SECRET: process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET ? "[set]" : void 0,
+    BETTER_AUTH_URL: process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_APP_URL,
+    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
+    BETTER_AUTH_TRUSTED_ORIGINS: process.env.BETTER_AUTH_TRUSTED_ORIGINS,
+    SA2KIT_SMS_PROVIDER: process.env.SA2KIT_SMS_PROVIDER ?? (process.env.NODE_ENV !== "production" ? "console" : void 0),
+    ALIYUN_SMS_ACCESS_KEY_ID: process.env.ALIYUN_SMS_ACCESS_KEY_ID ? "[set]" : void 0,
+    ALIYUN_SMS_ACCESS_KEY_SECRET: process.env.ALIYUN_SMS_ACCESS_KEY_SECRET ? "[set]" : void 0,
+    ALIYUN_SMS_SIGN_NAME: process.env.ALIYUN_SMS_SIGN_NAME,
+    ALIYUN_SMS_TEMPLATE_CODE: process.env.ALIYUN_SMS_TEMPLATE_CODE,
+    SA2KIT_EMAIL_PROVIDER: process.env.SA2KIT_EMAIL_PROVIDER,
+    DATABASE_URL: process.env.DATABASE_URL ? "[set]" : void 0,
+    NODE_ENV: process.env.NODE_ENV,
+    ...extraSnapshot
+  };
+  return checkAuthEnv(snapshot);
+}
+
+// src/common/auth/server/create-auth-from-env.ts
+function createSa2kitAuthFromEnv(input, options) {
+  const resolved = resolveAuthEnv(input);
+  const report = checkAuthEnv(resolved.envSnapshot);
+  if (options?.logEnvReport !== false) {
+    logAuthEnvReport(report);
+  }
+  return createSa2kitAuth(resolved.config);
+}
 function mountNextAuthHandler(auth) {
   return toNextJsHandler(auth);
 }
@@ -123,6 +719,6 @@ function createSessionValidator(auth) {
   };
 }
 
-export { createAuthRouteHandlers, createSa2kitAuth, createSessionValidator, defaultPhoneValidator, defaultTempEmailFromPhone, getSessionUser, getSessionUserNumeric, mountAuthHandler, mountNextAuthHandler };
+export { AUTH_ENV_ALIASES, AUTH_ENV_CATALOG, AUTH_FEATURES, checkAuthEnv, checkAuthEnvFromProcessEnv, consumePhoneSignupPassword, createAliyunPnvsSmsProvider, createAuthRouteHandlers, createConsoleSmsProvider, createSa2kitAuth, createSa2kitAuthFromEnv, createSessionValidator, createSmsProviderFromEnv, defaultPhoneValidator, defaultTempEmailFromPhone, formatAuthEnvSetupMarkdown, getSessionUser, getSessionUserNumeric, handlePhoneSignupIntentRequest, logAuthEnvReport, mountAuthHandler, mountNextAuthHandler, resolveAuthEnv, resolveSmsProviderId, stashPhoneSignupPassword, upsertCredentialPassword };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map