From 0e4d4bd686c9c7014a149289f2e87b2c359c395d Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 10:30:18 +0200
Subject: [PATCH 1/8] feat: implement social sign-in for Google, GitHub, and
 Microsoft with configuration support

---
 .env.example               | 21 ++++++++++
 app/pages/auth/sign-in.vue | 83 ++++++++++++++++++++++++++++++++++++++
 app/pages/auth/sign-up.vue | 83 ++++++++++++++++++++++++++++++++++++++
 nuxt.config.ts             | 15 +++++++
 server/utils/auth.ts       | 31 ++++++++++++++
 server/utils/env.ts        | 16 +++++++-
 6 files changed, 248 insertions(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index 4e220d6..2f3a864 100644
--- a/.env.example
+++ b/.env.example
@@ -96,3 +96,24 @@ NUXT_PUBLIC_SITE_URL=http://localhost:3000
 
 # Display name for the SSO button (default: "SSO")
 # OIDC_PROVIDER_NAME=Company SSO
+
+# ─── Optional: Social Sign-In (Google, GitHub, Microsoft) ────────────────────
+# Enable social login buttons on the sign-in and sign-up pages.
+# Each provider requires both CLIENT_ID and CLIENT_SECRET to be set.
+# When configured, "Continue with <Provider>" buttons appear on the auth pages.
+
+# Google — Create credentials at https://console.cloud.google.com/apis/credentials
+# Redirect URI: https://yourdomain.com/api/auth/callback/google
+# AUTH_GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
+# AUTH_GOOGLE_CLIENT_SECRET=GOCSPX-your-google-client-secret
+
+# GitHub — Create an OAuth App at https://github.com/settings/developers
+# Redirect URI: https://yourdomain.com/api/auth/callback/github
+# AUTH_GITHUB_CLIENT_ID=your-github-client-id
+# AUTH_GITHUB_CLIENT_SECRET=your-github-client-secret
+
+# Microsoft — Register an app at https://portal.azure.com → App registrations
+# Redirect URI: https://yourdomain.com/api/auth/callback/microsoft
+# AUTH_MICROSOFT_CLIENT_ID=your-microsoft-client-id
+# AUTH_MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret
+# AUTH_MICROSOFT_TENANT_ID=common
diff --git a/app/pages/auth/sign-in.vue b/app/pages/auth/sign-in.vue
index fa3732b..4d05e56 100644
--- a/app/pages/auth/sign-in.vue
+++ b/app/pages/auth/sign-in.vue
@@ -16,6 +16,7 @@ const email = ref("");
 const password = ref("");
 const error = ref("");
 const isLoading = ref(false);
+const socialLoading = ref<string | null>(null);
 const ssoRedirecting = ref(false);
 const route = useRoute();
 const config = useRuntimeConfig();
@@ -26,6 +27,14 @@ const oidcProviderName = computed(
     () => (config.public.oidcProviderName as string) || "SSO",
 );
 
+const socialProviders = computed(() => {
+    const providers: { id: string; name: string }[] = [];
+    if (config.public.authGoogleEnabled) providers.push({ id: "google", name: "Google" });
+    if (config.public.authGithubEnabled) providers.push({ id: "github", name: "GitHub" });
+    if (config.public.authMicrosoftEnabled) providers.push({ id: "microsoft", name: "Microsoft" });
+    return providers;
+});
+
 onMounted(() => track("signin_page_viewed"));
 
 if (route.query.live === "1") {
@@ -163,6 +172,31 @@ async function handleEnterpriseSso() {
         ssoRedirecting.value = false;
     }
 }
+
+/**
+ * Social sign-in — Google, GitHub, Microsoft.
+ * Uses better-auth's built-in signIn.social() which handles the full OAuth redirect flow.
+ */
+async function handleSocialSignIn(providerId: string) {
+    socialLoading.value = providerId;
+    error.value = "";
+    const pendingInvitation = route.query.invitation as string | undefined;
+    const callbackURL = pendingInvitation
+        ? localePath(`/auth/accept-invitation/${pendingInvitation}`)
+        : localePath("/dashboard");
+    try {
+        await authClient.signIn.social({
+            provider: providerId as "google" | "github" | "microsoft",
+            callbackURL,
+        });
+    } catch (e: unknown) {
+        error.value =
+            e instanceof Error
+                ? e.message
+                : "Social sign-in failed. Please try again.";
+        socialLoading.value = null;
+    }
+}
 </script>
 
 <template>
@@ -180,6 +214,55 @@ async function handleEnterpriseSso() {
             {{ error }}
         </div>
 
+        <!-- Social sign-in providers (Google, GitHub, Microsoft) -->
+        <template v-if="socialProviders.length">
+            <div class="flex flex-col gap-2.5">
+                <button
+                    v-for="provider in socialProviders"
+                    :key="provider.id"
+                    type="button"
+                    :disabled="!!socialLoading || isLoading || ssoRedirecting"
+                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-750 hover:border-surface-300 dark:hover:border-surface-600"
+                    @click="handleSocialSignIn(provider.id)"
+                >
+                    <template v-if="socialLoading === provider.id">
+                        <svg class="animate-spin size-4 text-surface-400" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"><circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4" /><path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z" /></svg>
+                        Redirecting…
+                    </template>
+                    <template v-else>
+                        <!-- Google icon -->
+                        <svg v-if="provider.id === 'google'" class="size-5" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+                            <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/>
+                            <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+                            <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+                            <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+                        </svg>
+                        <!-- GitHub icon -->
+                        <svg v-else-if="provider.id === 'github'" class="size-5 text-surface-900 dark:text-surface-100" viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+                            <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
+                        </svg>
+                        <!-- Microsoft icon -->
+                        <svg v-else-if="provider.id === 'microsoft'" class="size-5" viewBox="0 0 23 23" xmlns="http://www.w3.org/2000/svg">
+                            <rect x="1" y="1" width="10" height="10" fill="#F25022"/>
+                            <rect x="12" y="1" width="10" height="10" fill="#7FBA00"/>
+                            <rect x="1" y="12" width="10" height="10" fill="#00A4EF"/>
+                            <rect x="12" y="12" width="10" height="10" fill="#FFB900"/>
+                        </svg>
+                        Continue with {{ provider.name }}
+                    </template>
+                </button>
+            </div>
+
+            <div v-if="!oidcEnabled" class="relative">
+                <div class="absolute inset-0 flex items-center">
+                    <div class="w-full border-t border-surface-200 dark:border-surface-700" />
+                </div>
+                <div class="relative flex justify-center text-xs">
+                    <span class="bg-white dark:bg-surface-900 px-2 text-surface-400">or continue with email</span>
+                </div>
+            </div>
+        </template>
+
         <!-- Self-hosted OIDC SSO — only shown when global OIDC is configured via environment variables -->
         <template v-if="oidcEnabled">
             <button
diff --git a/app/pages/auth/sign-up.vue b/app/pages/auth/sign-up.vue
index 5757981..976d16e 100644
--- a/app/pages/auth/sign-up.vue
+++ b/app/pages/auth/sign-up.vue
@@ -24,6 +24,15 @@ const oidcEnabled = computed(() => config.public.oidcEnabled as boolean);
 const oidcProviderName = computed(
     () => (config.public.oidcProviderName as string) || "SSO",
 );
+const socialLoading = ref<string | null>(null);
+
+const socialProviders = computed(() => {
+    const providers: { id: string; name: string }[] = [];
+    if (config.public.authGoogleEnabled) providers.push({ id: "google", name: "Google" });
+    if (config.public.authGithubEnabled) providers.push({ id: "github", name: "GitHub" });
+    if (config.public.authMicrosoftEnabled) providers.push({ id: "microsoft", name: "Microsoft" });
+    return providers;
+});
 
 onMounted(() => track("signup_page_viewed"));
 
@@ -108,6 +117,31 @@ async function handleSsoSignUp() {
         isLoading.value = false;
     }
 }
+
+/**
+ * Social sign-up — Google, GitHub, Microsoft.
+ * Uses better-auth's built-in signIn.social() which handles the full OAuth redirect flow.
+ * New users are auto-registered on first social login.
+ */
+async function handleSocialSignUp(providerId: string) {
+    socialLoading.value = providerId;
+    error.value = "";
+    const callbackURL = pendingInvitation.value
+        ? localePath(`/auth/accept-invitation/${pendingInvitation.value}`)
+        : localePath("/onboarding/create-org");
+    try {
+        await authClient.signIn.social({
+            provider: providerId as "google" | "github" | "microsoft",
+            callbackURL,
+        });
+    } catch (e: unknown) {
+        error.value =
+            e instanceof Error
+                ? e.message
+                : "Social sign-up failed. Please try again.";
+        socialLoading.value = null;
+    }
+}
 </script>
 
 <template>
@@ -125,6 +159,55 @@ async function handleSsoSignUp() {
             {{ error }}
         </div>
 
+        <!-- Social sign-up providers (Google, GitHub, Microsoft) -->
+        <template v-if="socialProviders.length">
+            <div class="flex flex-col gap-2.5">
+                <button
+                    v-for="provider in socialProviders"
+                    :key="provider.id"
+                    type="button"
+                    :disabled="!!socialLoading || isLoading"
+                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-750 hover:border-surface-300 dark:hover:border-surface-600"
+                    @click="handleSocialSignUp(provider.id)"
+                >
+                    <template v-if="socialLoading === provider.id">
+                        <svg class="animate-spin size-4 text-surface-400" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"><circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4" /><path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z" /></svg>
+                        Redirecting…
+                    </template>
+                    <template v-else>
+                        <!-- Google icon -->
+                        <svg v-if="provider.id === 'google'" class="size-5" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+                            <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/>
+                            <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+                            <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+                            <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+                        </svg>
+                        <!-- GitHub icon -->
+                        <svg v-else-if="provider.id === 'github'" class="size-5 text-surface-900 dark:text-surface-100" viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+                            <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
+                        </svg>
+                        <!-- Microsoft icon -->
+                        <svg v-else-if="provider.id === 'microsoft'" class="size-5" viewBox="0 0 23 23" xmlns="http://www.w3.org/2000/svg">
+                            <rect x="1" y="1" width="10" height="10" fill="#F25022"/>
+                            <rect x="12" y="1" width="10" height="10" fill="#7FBA00"/>
+                            <rect x="1" y="12" width="10" height="10" fill="#00A4EF"/>
+                            <rect x="12" y="12" width="10" height="10" fill="#FFB900"/>
+                        </svg>
+                        Continue with {{ provider.name }}
+                    </template>
+                </button>
+            </div>
+
+            <div v-if="!oidcEnabled" class="relative">
+                <div class="absolute inset-0 flex items-center">
+                    <div class="w-full border-t border-surface-200 dark:border-surface-700" />
+                </div>
+                <div class="relative flex justify-center text-xs">
+                    <span class="bg-white dark:bg-surface-900 px-2 text-surface-400">or continue with email</span>
+                </div>
+            </div>
+        </template>
+
         <!-- SSO sign-up — only shown when OIDC is configured via environment variables -->
         <template v-if="oidcEnabled">
             <button
diff --git a/nuxt.config.ts b/nuxt.config.ts
index b8a1a9e..e4c69bb 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -222,6 +222,21 @@ export default defineNuxtConfig({
       ),
       /** Display name for the SSO provider button */
       oidcProviderName: process.env.OIDC_PROVIDER_NAME || "SSO",
+      /** Whether Google social sign-in is enabled */
+      authGoogleEnabled: !!(
+        process.env.AUTH_GOOGLE_CLIENT_ID &&
+        process.env.AUTH_GOOGLE_CLIENT_SECRET
+      ),
+      /** Whether GitHub social sign-in is enabled */
+      authGithubEnabled: !!(
+        process.env.AUTH_GITHUB_CLIENT_ID &&
+        process.env.AUTH_GITHUB_CLIENT_SECRET
+      ),
+      /** Whether Microsoft social sign-in is enabled */
+      authMicrosoftEnabled: !!(
+        process.env.AUTH_MICROSOFT_CLIENT_ID &&
+        process.env.AUTH_MICROSOFT_CLIENT_SECRET
+      ),
     },
   },
 
diff --git a/server/utils/auth.ts b/server/utils/auth.ts
index 8aff956..3363e1e 100644
--- a/server/utils/auth.ts
+++ b/server/utils/auth.ts
@@ -161,6 +161,37 @@ function getAuth(): Auth {
       emailAndPassword: {
         enabled: true,
       },
+      socialProviders: {
+        // ── Social Sign-In (Google, GitHub, Microsoft) ────────────
+        // Each provider is enabled only when its client ID + secret are set.
+        ...(env.AUTH_GOOGLE_CLIENT_ID && env.AUTH_GOOGLE_CLIENT_SECRET
+          ? {
+              google: {
+                clientId: env.AUTH_GOOGLE_CLIENT_ID,
+                clientSecret: env.AUTH_GOOGLE_CLIENT_SECRET,
+                prompt: "select_account",
+              },
+            }
+          : {}),
+        ...(env.AUTH_GITHUB_CLIENT_ID && env.AUTH_GITHUB_CLIENT_SECRET
+          ? {
+              github: {
+                clientId: env.AUTH_GITHUB_CLIENT_ID,
+                clientSecret: env.AUTH_GITHUB_CLIENT_SECRET,
+              },
+            }
+          : {}),
+        ...(env.AUTH_MICROSOFT_CLIENT_ID && env.AUTH_MICROSOFT_CLIENT_SECRET
+          ? {
+              microsoft: {
+                clientId: env.AUTH_MICROSOFT_CLIENT_ID,
+                clientSecret: env.AUTH_MICROSOFT_CLIENT_SECRET,
+                tenantId: env.AUTH_MICROSOFT_TENANT_ID || "common",
+                prompt: "select_account",
+              },
+            }
+          : {}),
+      },
       plugins: [
         organization({
           // ── Access Control ──────────────────────────────────────
diff --git a/server/utils/env.ts b/server/utils/env.ts
index e75245b..0a26555 100644
--- a/server/utils/env.ts
+++ b/server/utils/env.ts
@@ -108,6 +108,20 @@ export const envSchema = z
     GOOGLE_CLIENT_ID: emptyToUndefined.pipe(z.string().min(1)).optional(),
     /** Google OAuth2 Client Secret for Calendar integration. */
     GOOGLE_CLIENT_SECRET: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** Google OAuth2 Client ID for social sign-in. Obtain from Google Cloud Console → Credentials. */
+    AUTH_GOOGLE_CLIENT_ID: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** Google OAuth2 Client Secret for social sign-in. */
+    AUTH_GOOGLE_CLIENT_SECRET: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** GitHub OAuth App Client ID for social sign-in. Obtain from GitHub Developer Settings. */
+    AUTH_GITHUB_CLIENT_ID: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** GitHub OAuth App Client Secret for social sign-in. */
+    AUTH_GITHUB_CLIENT_SECRET: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** Microsoft Entra ID Client ID for social sign-in. Obtain from Azure Portal → App Registrations. */
+    AUTH_MICROSOFT_CLIENT_ID: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** Microsoft Entra ID Client Secret for social sign-in. */
+    AUTH_MICROSOFT_CLIENT_SECRET: emptyToUndefined.pipe(z.string().min(1)).optional(),
+    /** Microsoft Entra ID Tenant ID. Defaults to 'common' (multi-tenant). */
+    AUTH_MICROSOFT_TENANT_ID: emptyToUndefined.pipe(z.string().min(1)).optional().default('common'),
     /** Shared secret for authenticating cron/scheduled job requests (e.g., webhook renewal). */
     CRON_SECRET: emptyToUndefined.pipe(z.string().min(16)).optional(),
     /** OIDC client ID for SSO authentication (e.g., Keycloak, Authentik, Authelia, Okta). */
@@ -188,7 +202,7 @@ export const env = new Proxy({} as z.infer<typeof envSchema>, {
             `Ensure these variables are set in your Railway service (Settings → Variables).\n` +
             `Required: DATABASE_URL, BETTER_AUTH_SECRET, S3_ENDPOINT, S3_ACCESS_KEY, S3_SECRET_KEY, S3_BUCKET\n` +
             `Required when not on Railway: BETTER_AUTH_URL (or generate a Railway domain)\n` +
-            `Optional: BETTER_AUTH_TRUSTED_ORIGINS, S3_REGION (default: us-east-1), S3_FORCE_PATH_STYLE (default: true), TRUSTED_PROXY_IP, DEMO_ORG_SLUG, RESEND_API_KEY, RESEND_FROM_EMAIL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_DISCOVERY_URL, OIDC_PROVIDER_NAME\n`,
+            `Optional: BETTER_AUTH_TRUSTED_ORIGINS, S3_REGION (default: us-east-1), S3_FORCE_PATH_STYLE (default: true), TRUSTED_PROXY_IP, DEMO_ORG_SLUG, RESEND_API_KEY, RESEND_FROM_EMAIL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_DISCOVERY_URL, OIDC_PROVIDER_NAME, AUTH_GOOGLE_CLIENT_ID, AUTH_GOOGLE_CLIENT_SECRET, AUTH_GITHUB_CLIENT_ID, AUTH_GITHUB_CLIENT_SECRET, AUTH_MICROSOFT_CLIENT_ID, AUTH_MICROSOFT_CLIENT_SECRET, AUTH_MICROSOFT_TENANT_ID\n`,
         );
         throw result.error;
       }

From d8d0e6ebbcb6456797051f6baeb6bddaec43f033 Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 10:51:03 +0200
Subject: [PATCH 2/8] feat: update button styles for social sign-in and sign-up
 to improve user interaction

---
 app/pages/auth/sign-in.vue | 8 ++++----
 app/pages/auth/sign-up.vue | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/pages/auth/sign-in.vue b/app/pages/auth/sign-in.vue
index 4d05e56..d51ff0a 100644
--- a/app/pages/auth/sign-in.vue
+++ b/app/pages/auth/sign-in.vue
@@ -222,7 +222,7 @@ async function handleSocialSignIn(providerId: string) {
                     :key="provider.id"
                     type="button"
                     :disabled="!!socialLoading || isLoading || ssoRedirecting"
-                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-750 hover:border-surface-300 dark:hover:border-surface-600"
+                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 cursor-pointer disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-700 hover:border-surface-300 dark:hover:border-surface-600"
                     @click="handleSocialSignIn(provider.id)"
                 >
                     <template v-if="socialLoading === provider.id">
@@ -268,7 +268,7 @@ async function handleSocialSignIn(providerId: string) {
             <button
                 type="button"
                 :disabled="isLoading"
-                class="px-4 py-2.5 bg-surface-900 dark:bg-white text-white dark:text-surface-900 rounded-lg text-sm font-semibold shadow-md hover:bg-surface-800 dark:hover:bg-surface-100 disabled:opacity-60 disabled:cursor-not-allowed transition-all flex items-center justify-center gap-2.5 ring-1 ring-surface-700 dark:ring-surface-300"
+                class="px-4 py-2.5 bg-surface-900 dark:bg-white text-white dark:text-surface-900 rounded-lg text-sm font-semibold shadow-md cursor-pointer hover:bg-surface-800 dark:hover:bg-surface-100 disabled:opacity-60 disabled:cursor-not-allowed transition-all flex items-center justify-center gap-2.5 ring-1 ring-surface-700 dark:ring-surface-300"
                 @click="handleSelfHostedSso"
             >
                 <template v-if="isLoading">Redirecting…</template>
@@ -323,7 +323,7 @@ async function handleSocialSignIn(providerId: string) {
         <button
             type="submit"
             :disabled="isLoading"
-            class="mt-2 px-4 py-2.5 bg-brand-600 text-white rounded-md text-sm font-medium hover:bg-brand-700 disabled:opacity-60 disabled:cursor-not-allowed transition-colors"
+            class="mt-2 px-4 py-2.5 bg-brand-600 text-white rounded-md text-sm font-medium cursor-pointer hover:bg-brand-700 disabled:opacity-60 disabled:cursor-not-allowed transition-colors"
         >
             {{ isLoading ? "Signing in…" : "Sign in" }}
         </button>
@@ -347,7 +347,7 @@ async function handleSocialSignIn(providerId: string) {
             <button
                 type="button"
                 :disabled="ssoRedirecting"
-                class="px-4 py-2.5 bg-surface-900 dark:bg-white text-white dark:text-surface-900 rounded-lg text-sm font-semibold shadow-md hover:bg-surface-800 dark:hover:bg-surface-100 disabled:opacity-60 disabled:cursor-not-allowed transition-all flex items-center justify-center gap-2.5 ring-1 ring-surface-700 dark:ring-surface-300"
+                class="px-4 py-2.5 bg-surface-900 dark:bg-white text-white dark:text-surface-900 rounded-lg text-sm font-semibold shadow-md cursor-pointer hover:bg-surface-800 dark:hover:bg-surface-100 disabled:opacity-60 disabled:cursor-not-allowed transition-all flex items-center justify-center gap-2.5 ring-1 ring-surface-700 dark:ring-surface-300"
                 @click="handleEnterpriseSso"
             >
                 <ShieldCheck class="size-4" />
diff --git a/app/pages/auth/sign-up.vue b/app/pages/auth/sign-up.vue
index 976d16e..9de30b8 100644
--- a/app/pages/auth/sign-up.vue
+++ b/app/pages/auth/sign-up.vue
@@ -167,7 +167,7 @@ async function handleSocialSignUp(providerId: string) {
                     :key="provider.id"
                     type="button"
                     :disabled="!!socialLoading || isLoading"
-                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-750 hover:border-surface-300 dark:hover:border-surface-600"
+                    class="relative px-4 py-2.5 rounded-lg text-sm font-medium shadow-sm transition-all flex items-center justify-center gap-3 cursor-pointer disabled:opacity-60 disabled:cursor-not-allowed border border-surface-200 dark:border-surface-700 bg-white dark:bg-surface-800 text-surface-800 dark:text-surface-200 hover:bg-surface-50 dark:hover:bg-surface-700 hover:border-surface-300 dark:hover:border-surface-600"
                     @click="handleSocialSignUp(provider.id)"
                 >
                     <template v-if="socialLoading === provider.id">
@@ -213,7 +213,7 @@ async function handleSocialSignUp(providerId: string) {
             <button
                 type="button"
                 :disabled="isLoading"
-                class="px-4 py-2.5 bg-surface-800 dark:bg-surface-200 text-white dark:text-surface-900 rounded-md text-sm font-medium hover:bg-surface-900 dark:hover:bg-surface-300 disabled:opacity-60 disabled:cursor-not-allowed transition-colors flex items-center justify-center gap-2"
+                class="px-4 py-2.5 bg-surface-800 dark:bg-surface-200 text-white dark:text-surface-900 rounded-md text-sm font-medium cursor-pointer hover:bg-surface-900 dark:hover:bg-surface-300 disabled:opacity-60 disabled:cursor-not-allowed transition-colors flex items-center justify-center gap-2"
                 @click="handleSsoSignUp"
             >
                 <template v-if="isLoading">Redirecting…</template>
@@ -294,7 +294,7 @@ async function handleSocialSignUp(providerId: string) {
         <button
             type="submit"
             :disabled="isLoading"
-            class="mt-2 px-4 py-2.5 bg-brand-600 text-white rounded-md text-sm font-medium hover:bg-brand-700 disabled:opacity-60 disabled:cursor-not-allowed transition-colors"
+            class="mt-2 px-4 py-2.5 bg-brand-600 text-white rounded-md text-sm font-medium cursor-pointer hover:bg-brand-700 disabled:opacity-60 disabled:cursor-not-allowed transition-colors"
         >
             {{ isLoading ? "Creating account…" : "Sign up" }}
         </button>

From 6b7b6999a6c12f21009f8bd9b474412fdf86c9fc Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 11:01:18 +0200
Subject: [PATCH 3/8] feat: add Nitro plugin to recompute public auth-provider
 flags at server startup

---
 server/plugins/auth-flags.ts | 41 ++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 server/plugins/auth-flags.ts

diff --git a/server/plugins/auth-flags.ts b/server/plugins/auth-flags.ts
new file mode 100644
index 0000000..c0e181e
--- /dev/null
+++ b/server/plugins/auth-flags.ts
@@ -0,0 +1,41 @@
+/**
+ * Nitro plugin: recompute public auth-provider flags at server startup.
+ *
+ * The runtimeConfig.public booleans (authGoogleEnabled, authGithubEnabled, …)
+ * are evaluated at **build time** from process.env. When the Docker image is
+ * built without OAuth credentials (e.g. Railway injects them at runtime),
+ * those flags are baked in as `false` and the sign-in buttons never appear.
+ *
+ * This plugin runs once at startup and patches the public runtimeConfig so
+ * SSR-rendered pages (and the serialised `__NUXT__` payload) reflect the
+ * actual runtime environment.
+ */
+export default defineNitroPlugin(() => {
+  const cfg = useRuntimeConfig();
+
+  cfg.public.authGoogleEnabled = !!(
+    process.env.AUTH_GOOGLE_CLIENT_ID &&
+    process.env.AUTH_GOOGLE_CLIENT_SECRET
+  );
+
+  cfg.public.authGithubEnabled = !!(
+    process.env.AUTH_GITHUB_CLIENT_ID &&
+    process.env.AUTH_GITHUB_CLIENT_SECRET
+  );
+
+  cfg.public.authMicrosoftEnabled = !!(
+    process.env.AUTH_MICROSOFT_CLIENT_ID &&
+    process.env.AUTH_MICROSOFT_CLIENT_SECRET
+  );
+
+  cfg.public.oidcEnabled = !!(
+    process.env.OIDC_CLIENT_ID &&
+    process.env.OIDC_CLIENT_SECRET &&
+    process.env.OIDC_DISCOVERY_URL
+  );
+
+  cfg.public.feedbackEnabled = !!(
+    process.env.GITHUB_FEEDBACK_TOKEN &&
+    process.env.GITHUB_FEEDBACK_REPO
+  );
+});

From 39e098ece0e8823513be402a8d68636bd3ebea3d Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 11:13:13 +0200
Subject: [PATCH 4/8] feat: add docker entrypoint script to derive
 NUXT_PUBLIC_* flags from environment variables

---
 Dockerfile                   |  5 ++++-
 docker-entrypoint.sh         | 29 +++++++++++++++++++++++++
 server/plugins/auth-flags.ts | 41 ------------------------------------
 3 files changed, 33 insertions(+), 42 deletions(-)
 create mode 100644 docker-entrypoint.sh
 delete mode 100644 server/plugins/auth-flags.ts

diff --git a/Dockerfile b/Dockerfile
index 8330375..d9ca8a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,8 +51,11 @@ COPY --chown=reqcore:reqcore --from=builder /app/drizzle.config.ts ./drizzle.con
 COPY --chown=reqcore:reqcore --from=builder /app/node_modules ./node_modules
 COPY --chown=reqcore:reqcore --from=builder /app/server ./server
 
+COPY --chown=reqcore:reqcore docker-entrypoint.sh ./docker-entrypoint.sh
+RUN chmod +x docker-entrypoint.sh
+
 USER reqcore
 
 EXPOSE 3000
 
-CMD ["node", ".output/server/index.mjs"]
+ENTRYPOINT ["./docker-entrypoint.sh"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..1280c0c
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# ─── Docker entrypoint ──────────────────────────────────────────────────────
+# Derives NUXT_PUBLIC_* boolean flags from credential env vars so that
+# Nitro's built-in env resolution picks them up BEFORE runtimeConfig is frozen.
+# Without this, flags like authGoogleEnabled are always false when the Docker
+# image is built without OAuth credentials (Railway injects them at runtime).
+# ─────────────────────────────────────────────────────────────────────────────
+
+if [ -n "$AUTH_GOOGLE_CLIENT_ID" ] && [ -n "$AUTH_GOOGLE_CLIENT_SECRET" ]; then
+  export NUXT_PUBLIC_AUTH_GOOGLE_ENABLED=true
+fi
+
+if [ -n "$AUTH_GITHUB_CLIENT_ID" ] && [ -n "$AUTH_GITHUB_CLIENT_SECRET" ]; then
+  export NUXT_PUBLIC_AUTH_GITHUB_ENABLED=true
+fi
+
+if [ -n "$AUTH_MICROSOFT_CLIENT_ID" ] && [ -n "$AUTH_MICROSOFT_CLIENT_SECRET" ]; then
+  export NUXT_PUBLIC_AUTH_MICROSOFT_ENABLED=true
+fi
+
+if [ -n "$OIDC_CLIENT_ID" ] && [ -n "$OIDC_CLIENT_SECRET" ] && [ -n "$OIDC_DISCOVERY_URL" ]; then
+  export NUXT_PUBLIC_OIDC_ENABLED=true
+fi
+
+if [ -n "$GITHUB_FEEDBACK_TOKEN" ] && [ -n "$GITHUB_FEEDBACK_REPO" ]; then
+  export NUXT_PUBLIC_FEEDBACK_ENABLED=true
+fi
+
+exec node .output/server/index.mjs
diff --git a/server/plugins/auth-flags.ts b/server/plugins/auth-flags.ts
deleted file mode 100644
index c0e181e..0000000
--- a/server/plugins/auth-flags.ts
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Nitro plugin: recompute public auth-provider flags at server startup.
- *
- * The runtimeConfig.public booleans (authGoogleEnabled, authGithubEnabled, …)
- * are evaluated at **build time** from process.env. When the Docker image is
- * built without OAuth credentials (e.g. Railway injects them at runtime),
- * those flags are baked in as `false` and the sign-in buttons never appear.
- *
- * This plugin runs once at startup and patches the public runtimeConfig so
- * SSR-rendered pages (and the serialised `__NUXT__` payload) reflect the
- * actual runtime environment.
- */
-export default defineNitroPlugin(() => {
-  const cfg = useRuntimeConfig();
-
-  cfg.public.authGoogleEnabled = !!(
-    process.env.AUTH_GOOGLE_CLIENT_ID &&
-    process.env.AUTH_GOOGLE_CLIENT_SECRET
-  );
-
-  cfg.public.authGithubEnabled = !!(
-    process.env.AUTH_GITHUB_CLIENT_ID &&
-    process.env.AUTH_GITHUB_CLIENT_SECRET
-  );
-
-  cfg.public.authMicrosoftEnabled = !!(
-    process.env.AUTH_MICROSOFT_CLIENT_ID &&
-    process.env.AUTH_MICROSOFT_CLIENT_SECRET
-  );
-
-  cfg.public.oidcEnabled = !!(
-    process.env.OIDC_CLIENT_ID &&
-    process.env.OIDC_CLIENT_SECRET &&
-    process.env.OIDC_DISCOVERY_URL
-  );
-
-  cfg.public.feedbackEnabled = !!(
-    process.env.GITHUB_FEEDBACK_TOKEN &&
-    process.env.GITHUB_FEEDBACK_REPO
-  );
-});

From ad91cc9ae61ee7d30c95fed4bc52cf09596ada1e Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 11:53:23 +0200
Subject: [PATCH 5/8] feat: refactor authentication handling to use
 runtime-config for providers and remove entrypoint script

---
 Dockerfile                       |  5 +----
 app/pages/auth/sign-in.vue       | 12 +++++++-----
 app/pages/auth/sign-up.vue       | 12 ++++++------
 docker-entrypoint.sh             | 29 -----------------------------
 server/api/auth/providers.get.ts | 30 ++++++++++++++++++++++++++++++
 5 files changed, 44 insertions(+), 44 deletions(-)
 delete mode 100644 docker-entrypoint.sh
 create mode 100644 server/api/auth/providers.get.ts

diff --git a/Dockerfile b/Dockerfile
index d9ca8a7..8330375 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,11 +51,8 @@ COPY --chown=reqcore:reqcore --from=builder /app/drizzle.config.ts ./drizzle.con
 COPY --chown=reqcore:reqcore --from=builder /app/node_modules ./node_modules
 COPY --chown=reqcore:reqcore --from=builder /app/server ./server
 
-COPY --chown=reqcore:reqcore docker-entrypoint.sh ./docker-entrypoint.sh
-RUN chmod +x docker-entrypoint.sh
-
 USER reqcore
 
 EXPOSE 3000
 
-ENTRYPOINT ["./docker-entrypoint.sh"]
+CMD ["node", ".output/server/index.mjs"]
diff --git a/app/pages/auth/sign-in.vue b/app/pages/auth/sign-in.vue
index d51ff0a..0f24f55 100644
--- a/app/pages/auth/sign-in.vue
+++ b/app/pages/auth/sign-in.vue
@@ -22,16 +22,18 @@ const route = useRoute();
 const config = useRuntimeConfig();
 const localePath = useLocalePath();
 const { track } = useTrack();
-const oidcEnabled = computed(() => config.public.oidcEnabled as boolean);
+
+const { data: authProviders } = await useFetch('/api/auth/providers');
+const oidcEnabled = computed(() => authProviders.value?.oidc ?? false);
 const oidcProviderName = computed(
-    () => (config.public.oidcProviderName as string) || "SSO",
+    () => authProviders.value?.oidcProviderName || "SSO",
 );
 
 const socialProviders = computed(() => {
     const providers: { id: string; name: string }[] = [];
-    if (config.public.authGoogleEnabled) providers.push({ id: "google", name: "Google" });
-    if (config.public.authGithubEnabled) providers.push({ id: "github", name: "GitHub" });
-    if (config.public.authMicrosoftEnabled) providers.push({ id: "microsoft", name: "Microsoft" });
+    if (authProviders.value?.google) providers.push({ id: "google", name: "Google" });
+    if (authProviders.value?.github) providers.push({ id: "github", name: "GitHub" });
+    if (authProviders.value?.microsoft) providers.push({ id: "microsoft", name: "Microsoft" });
     return providers;
 });
 
diff --git a/app/pages/auth/sign-up.vue b/app/pages/auth/sign-up.vue
index 9de30b8..22a0ce6 100644
--- a/app/pages/auth/sign-up.vue
+++ b/app/pages/auth/sign-up.vue
@@ -19,18 +19,18 @@ const error = ref("");
 const isLoading = ref(false);
 const localePath = useLocalePath();
 const { track } = useTrack();
-const config = useRuntimeConfig();
-const oidcEnabled = computed(() => config.public.oidcEnabled as boolean);
+const { data: authProviders } = await useFetch('/api/auth/providers');
+const oidcEnabled = computed(() => authProviders.value?.oidc ?? false);
 const oidcProviderName = computed(
-    () => (config.public.oidcProviderName as string) || "SSO",
+    () => authProviders.value?.oidcProviderName || "SSO",
 );
 const socialLoading = ref<string | null>(null);
 
 const socialProviders = computed(() => {
     const providers: { id: string; name: string }[] = [];
-    if (config.public.authGoogleEnabled) providers.push({ id: "google", name: "Google" });
-    if (config.public.authGithubEnabled) providers.push({ id: "github", name: "GitHub" });
-    if (config.public.authMicrosoftEnabled) providers.push({ id: "microsoft", name: "Microsoft" });
+    if (authProviders.value?.google) providers.push({ id: "google", name: "Google" });
+    if (authProviders.value?.github) providers.push({ id: "github", name: "GitHub" });
+    if (authProviders.value?.microsoft) providers.push({ id: "microsoft", name: "Microsoft" });
     return providers;
 });
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100644
index 1280c0c..0000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-# ─── Docker entrypoint ──────────────────────────────────────────────────────
-# Derives NUXT_PUBLIC_* boolean flags from credential env vars so that
-# Nitro's built-in env resolution picks them up BEFORE runtimeConfig is frozen.
-# Without this, flags like authGoogleEnabled are always false when the Docker
-# image is built without OAuth credentials (Railway injects them at runtime).
-# ─────────────────────────────────────────────────────────────────────────────
-
-if [ -n "$AUTH_GOOGLE_CLIENT_ID" ] && [ -n "$AUTH_GOOGLE_CLIENT_SECRET" ]; then
-  export NUXT_PUBLIC_AUTH_GOOGLE_ENABLED=true
-fi
-
-if [ -n "$AUTH_GITHUB_CLIENT_ID" ] && [ -n "$AUTH_GITHUB_CLIENT_SECRET" ]; then
-  export NUXT_PUBLIC_AUTH_GITHUB_ENABLED=true
-fi
-
-if [ -n "$AUTH_MICROSOFT_CLIENT_ID" ] && [ -n "$AUTH_MICROSOFT_CLIENT_SECRET" ]; then
-  export NUXT_PUBLIC_AUTH_MICROSOFT_ENABLED=true
-fi
-
-if [ -n "$OIDC_CLIENT_ID" ] && [ -n "$OIDC_CLIENT_SECRET" ] && [ -n "$OIDC_DISCOVERY_URL" ]; then
-  export NUXT_PUBLIC_OIDC_ENABLED=true
-fi
-
-if [ -n "$GITHUB_FEEDBACK_TOKEN" ] && [ -n "$GITHUB_FEEDBACK_REPO" ]; then
-  export NUXT_PUBLIC_FEEDBACK_ENABLED=true
-fi
-
-exec node .output/server/index.mjs
diff --git a/server/api/auth/providers.get.ts b/server/api/auth/providers.get.ts
new file mode 100644
index 0000000..679acf2
--- /dev/null
+++ b/server/api/auth/providers.get.ts
@@ -0,0 +1,30 @@
+/**
+ * GET /api/auth/providers
+ *
+ * Returns which authentication providers are enabled at runtime.
+ * This replaces build-time runtimeConfig flags so that Docker images
+ * built without OAuth credentials still show the correct buttons when
+ * credentials are injected at runtime (e.g. Railway, self-hosting).
+ */
+export default defineEventHandler(() => {
+  return {
+    google: !!(
+      process.env.AUTH_GOOGLE_CLIENT_ID &&
+      process.env.AUTH_GOOGLE_CLIENT_SECRET
+    ),
+    github: !!(
+      process.env.AUTH_GITHUB_CLIENT_ID &&
+      process.env.AUTH_GITHUB_CLIENT_SECRET
+    ),
+    microsoft: !!(
+      process.env.AUTH_MICROSOFT_CLIENT_ID &&
+      process.env.AUTH_MICROSOFT_CLIENT_SECRET
+    ),
+    oidc: !!(
+      process.env.OIDC_CLIENT_ID &&
+      process.env.OIDC_CLIENT_SECRET &&
+      process.env.OIDC_DISCOVERY_URL
+    ),
+    oidcProviderName: process.env.OIDC_PROVIDER_NAME || "SSO",
+  };
+});

From aaae17f66c6ee3f669843526c38d9f38983aa662 Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 12:32:54 +0200
Subject: [PATCH 6/8] feat: enhance authentication security with stricter
 password policy, email verification, and session management

---
 server/database/schema/auth.ts             |  17 ++
 server/utils/auth.ts                       |  69 ++++++-
 server/utils/email.ts                      | 216 +++++++++++++++++++++
 server/utils/rateLimit.ts                  |  13 +-
 tests/unit/auth-security-hardening.test.ts | 158 +++++++++++++++
 5 files changed, 470 insertions(+), 3 deletions(-)
 create mode 100644 tests/unit/auth-security-hardening.test.ts

diff --git a/server/database/schema/auth.ts b/server/database/schema/auth.ts
index 743f513..26e84f7 100644
--- a/server/database/schema/auth.ts
+++ b/server/database/schema/auth.ts
@@ -3,6 +3,8 @@ import {
   text,
   timestamp,
   boolean,
+  integer,
+  bigint,
   index,
   uniqueIndex,
 } from 'drizzle-orm/pg-core'
@@ -105,6 +107,21 @@ export const invitation = pgTable('invitation', {
   index('invitation_email_idx').on(t.email),
 ]))
 
+// ─────────────────────────────────────────────
+// Better Auth Rate Limit Table (database-backed)
+// ─────────────────────────────────────────────
+// Required when rateLimit.storage is set to "database" in the Better Auth config.
+// Stores per-IP request counts with sliding window timestamps.
+
+export const rateLimit = pgTable('rate_limit', {
+  id: text('id').primaryKey(),
+  key: text('key').notNull(),
+  count: integer('count').notNull(),
+  lastRequest: bigint('last_request', { mode: 'bigint' }).notNull(),
+}, (t) => ([
+  index('rate_limit_key_idx').on(t.key),
+]))
+
 // ─────────────────────────────────────────────
 // Relations (enables Drizzle relational queries)
 // ─────────────────────────────────────────────
diff --git a/server/utils/auth.ts b/server/utils/auth.ts
index 3363e1e..7bbb1a1 100644
--- a/server/utils/auth.ts
+++ b/server/utils/auth.ts
@@ -4,7 +4,8 @@ import { organization, genericOAuth } from "better-auth/plugins";
 import { sso } from "@better-auth/sso";
 import { eq } from "drizzle-orm";
 import { ac, owner, admin, member } from "~~/shared/permissions";
-import { sendOrgInvitationEmail } from "./email";
+import { sendOrgInvitationEmail, sendPasswordResetEmail } from "./email";
+import { encrypt } from "./encryption";
 import * as schema from "../database/schema";
 
 type Auth = ReturnType<typeof betterAuth>;
@@ -158,9 +159,75 @@ function getAuth(): Auth {
         schema,
       }),
       secret: env.BETTER_AUTH_SECRET,
+
+      // ── Session Hardening ────────────────────────────────────
+      // Explicit session duration for an ATS handling sensitive hiring data.
+      // Default Better Auth values (7 days / 1 day) are too permissive.
+      session: {
+        expiresIn: 60 * 60 * 24, // 24 hours
+        updateAge: 60 * 60,      // Refresh session every 1 hour
+      },
+
       emailAndPassword: {
         enabled: true,
+        // Server-side password policy — prevents bypass via direct API calls.
+        // Client-side validation (sign-up.vue) is UX only; this is the enforcement.
+        minPasswordLength: 8,
+        maxPasswordLength: 128,
+        // Password reset via email.
+        async sendResetPassword({ user, url, token }, request) {
+          void sendPasswordResetEmail({ user, url, token });
+        },
+      },
+
+      // ── OAuth Token Encryption at Rest ──────────────────────
+      // AES-256-GCM encrypt OAuth tokens before storing in the database.
+      // Uses the existing encryption.ts utility with BETTER_AUTH_SECRET as the key.
+      databaseHooks: {
+        account: {
+          create: {
+            before: async (account) => {
+              const secret = env.BETTER_AUTH_SECRET;
+              return {
+                data: {
+                  ...account,
+                  ...(account.accessToken ? { accessToken: encrypt(account.accessToken, secret) } : {}),
+                  ...(account.refreshToken ? { refreshToken: encrypt(account.refreshToken, secret) } : {}),
+                  ...(account.idToken ? { idToken: encrypt(account.idToken, secret) } : {}),
+                },
+              };
+            },
+          },
+          update: {
+            before: async (account) => {
+              const secret = env.BETTER_AUTH_SECRET;
+              return {
+                data: {
+                  ...account,
+                  ...(account.accessToken ? { accessToken: encrypt(account.accessToken, secret) } : {}),
+                  ...(account.refreshToken ? { refreshToken: encrypt(account.refreshToken, secret) } : {}),
+                  ...(account.idToken ? { idToken: encrypt(account.idToken, secret) } : {}),
+                },
+              };
+            },
+          },
+        },
       },
+
+      // ── Rate Limiting (built-in, database-backed) ──────────
+      // Uses DB storage so limits persist across restarts and share
+      // state across instances (horizontal scaling).
+      // Complements the external IP-based rate limiter in api-rate-limit.ts
+      // with account-level throttling for auth-sensitive endpoints.
+      // Disabled in CI/test (GITHUB_ACTIONS or NODE_ENV !== 'production')
+      // to prevent E2E test flakiness.
+      rateLimit: {
+        enabled: !process.env.CI && !process.env.GITHUB_ACTIONS,
+        window: 60,
+        max: 100,        // 100 requests per minute per IP — stops bots, not humans
+        storage: "database",
+      },
+
       socialProviders: {
         // ── Social Sign-In (Google, GitHub, Microsoft) ────────────
         // Each provider is enabled only when its client ID + secret are set.
diff --git a/server/utils/email.ts b/server/utils/email.ts
index f5e17bd..2365540 100644
--- a/server/utils/email.ts
+++ b/server/utils/email.ts
@@ -16,6 +16,88 @@ function getResendClient(): Resend | null {
   return _resend
 }
 
+/**
+ * Send an email verification link via Resend.
+ * Falls back to console.info when RESEND_API_KEY is not set.
+ *
+ * Called by Better Auth when requireEmailVerification is enabled.
+ * Not awaited by the caller (fire-and-forget) to prevent timing attacks.
+ */
+export async function sendVerificationEmail(data: {
+  user: { email: string; name: string }
+  url: string
+  token: string
+}): Promise<void> {
+  const resend = getResendClient()
+
+  if (!resend) {
+    console.info(
+      `[Reqcore] Verification email → ${data.user.email} | ` +
+      `Link: ${data.url}`,
+    )
+    return
+  }
+
+  const fromEmail = env.RESEND_FROM_EMAIL
+
+  const { error } = await resend.emails.send({
+    from: fromEmail,
+    to: [data.user.email],
+    subject: 'Verify your email address — Reqcore',
+    html: buildVerificationHtml({ url: data.url }),
+    text: buildVerificationText({ url: data.url }),
+    tags: [{ name: 'category', value: 'verification' }],
+  })
+
+  if (error) {
+    logError('email.verification_send_failed', {
+      provider: 'resend',
+      error_message: error.message,
+    })
+  }
+}
+
+/**
+ * Send a password reset link via Resend.
+ * Falls back to console.info when RESEND_API_KEY is not set.
+ *
+ * Called by Better Auth when sendResetPassword is configured.
+ * Not awaited by the caller (fire-and-forget) to prevent timing attacks.
+ */
+export async function sendPasswordResetEmail(data: {
+  user: { email: string; name: string }
+  url: string
+  token: string
+}): Promise<void> {
+  const resend = getResendClient()
+
+  if (!resend) {
+    console.info(
+      `[Reqcore] Password reset email → ${data.user.email} | ` +
+      `Link: ${data.url}`,
+    )
+    return
+  }
+
+  const fromEmail = env.RESEND_FROM_EMAIL
+
+  const { error } = await resend.emails.send({
+    from: fromEmail,
+    to: [data.user.email],
+    subject: 'Reset your password — Reqcore',
+    html: buildPasswordResetHtml({ url: data.url }),
+    text: buildPasswordResetText({ url: data.url }),
+    tags: [{ name: 'category', value: 'password-reset' }],
+  })
+
+  if (error) {
+    logError('email.password_reset_send_failed', {
+      provider: 'resend',
+      error_message: error.message,
+    })
+  }
+}
+
 /**
  * Send an organization invitation email via Resend.
  * Falls back to console.info when RESEND_API_KEY is not set.
@@ -186,6 +268,140 @@ function escapeHtml(str: string): string {
     .replace(/'/g, '&#39;')
 }
 
+// ─────────────────────────────────────────────
+// Email verification & password reset templates
+// ─────────────────────────────────────────────
+
+function buildVerificationHtml(params: { url: string }): string {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Verify your email</title>
+</head>
+<body style="margin:0;padding:0;background-color:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#f4f4f5;padding:40px 20px;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="max-width:480px;background-color:#ffffff;border-radius:12px;overflow:hidden;border:1px solid #e4e4e7;">
+          <tr>
+            <td style="padding:32px 32px 24px;text-align:center;border-bottom:1px solid #f4f4f5;">
+              <h1 style="margin:0;font-size:20px;font-weight:600;color:#09090b;">Reqcore</h1>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:32px;">
+              <h2 style="margin:0 0 16px;font-size:18px;font-weight:600;color:#09090b;">Verify your email</h2>
+              <p style="margin:0 0 24px;font-size:14px;line-height:1.6;color:#3f3f46;">
+                Click the button below to verify your email address and activate your account.
+              </p>
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td align="center">
+                    <a href="${escapeHtml(params.url)}" target="_blank" rel="noopener noreferrer"
+                       style="display:inline-block;padding:12px 32px;background-color:#2563eb;color:#ffffff;text-decoration:none;font-size:14px;font-weight:600;border-radius:8px;line-height:1;">
+                      Verify Email
+                    </a>
+                  </td>
+                </tr>
+              </table>
+              <p style="margin:24px 0 0;font-size:12px;line-height:1.5;color:#71717a;">
+                If you didn't create an account, you can safely ignore this email.
+              </p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:16px 32px;text-align:center;border-top:1px solid #f4f4f5;background-color:#fafafa;">
+              <p style="margin:0;font-size:12px;color:#a1a1aa;">Sent by Reqcore &mdash; Open-source applicant tracking</p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`
+}
+
+function buildVerificationText(params: { url: string }): string {
+  return [
+    'Verify your email address',
+    '',
+    'Click the link below to verify your email and activate your Reqcore account:',
+    params.url,
+    '',
+    'If you didn\'t create an account, you can safely ignore this email.',
+    '',
+    '— Reqcore',
+  ].join('\n')
+}
+
+function buildPasswordResetHtml(params: { url: string }): string {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Reset your password</title>
+</head>
+<body style="margin:0;padding:0;background-color:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#f4f4f5;padding:40px 20px;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="max-width:480px;background-color:#ffffff;border-radius:12px;overflow:hidden;border:1px solid #e4e4e7;">
+          <tr>
+            <td style="padding:32px 32px 24px;text-align:center;border-bottom:1px solid #f4f4f5;">
+              <h1 style="margin:0;font-size:20px;font-weight:600;color:#09090b;">Reqcore</h1>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:32px;">
+              <h2 style="margin:0 0 16px;font-size:18px;font-weight:600;color:#09090b;">Reset your password</h2>
+              <p style="margin:0 0 24px;font-size:14px;line-height:1.6;color:#3f3f46;">
+                Click the button below to reset your password. This link will expire shortly.
+              </p>
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td align="center">
+                    <a href="${escapeHtml(params.url)}" target="_blank" rel="noopener noreferrer"
+                       style="display:inline-block;padding:12px 32px;background-color:#2563eb;color:#ffffff;text-decoration:none;font-size:14px;font-weight:600;border-radius:8px;line-height:1;">
+                      Reset Password
+                    </a>
+                  </td>
+                </tr>
+              </table>
+              <p style="margin:24px 0 0;font-size:12px;line-height:1.5;color:#71717a;">
+                If you didn't request a password reset, you can safely ignore this email.
+              </p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:16px 32px;text-align:center;border-top:1px solid #f4f4f5;background-color:#fafafa;">
+              <p style="margin:0;font-size:12px;color:#a1a1aa;">Sent by Reqcore &mdash; Open-source applicant tracking</p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`
+}
+
+function buildPasswordResetText(params: { url: string }): string {
+  return [
+    'Reset your password',
+    '',
+    'Click the link below to reset your Reqcore password:',
+    params.url,
+    '',
+    'If you didn\'t request this, you can safely ignore this email.',
+    '',
+    '— Reqcore',
+  ].join('\n')
+}
+
 // ─────────────────────────────────────────────
 // Interview invitation emails
 // ─────────────────────────────────────────────
diff --git a/server/utils/rateLimit.ts b/server/utils/rateLimit.ts
index 96bbe4c..e2e41c6 100644
--- a/server/utils/rateLimit.ts
+++ b/server/utils/rateLimit.ts
@@ -27,8 +27,10 @@ interface RateLimitEntry {
  * Uses a sliding window algorithm — each request records a timestamp,
  * and only timestamps within the current window are counted.
  *
- * For production at scale, replace with a Redis-backed implementation
- * (e.g. `@upstash/ratelimit`) to handle multi-instance deployments.
+ * WARNING: This is an in-memory implementation that resets on restart and
+ * does not share state across instances. For production at scale, replace
+ * with a Redis-backed implementation (e.g. `@upstash/ratelimit`) to
+ * handle multi-instance deployments.
  *
  * @example
  * ```ts
@@ -44,6 +46,13 @@ export function createRateLimiter(config: RateLimitConfig) {
   const { windowMs, maxRequests, message = 'Too many requests, please try again later' } = config
   const store = new Map<string, RateLimitEntry>()
 
+  if (process.env.NODE_ENV === 'production') {
+    console.warn(
+      '[Reqcore] In-memory rate limiter active. State resets on restart and is not shared across instances. ' +
+      'For horizontal scaling, replace with a Redis-backed implementation (e.g. @upstash/ratelimit).',
+    )
+  }
+
   // Periodically prune stale entries to prevent unbounded memory growth
   const PRUNE_INTERVAL = Math.max(windowMs * 2, 60_000)
   setInterval(() => {
diff --git a/tests/unit/auth-security-hardening.test.ts b/tests/unit/auth-security-hardening.test.ts
new file mode 100644
index 0000000..59956c9
--- /dev/null
+++ b/tests/unit/auth-security-hardening.test.ts
@@ -0,0 +1,158 @@
+import { describe, it, expect } from 'vitest'
+import { encrypt, decrypt } from '../../server/utils/encryption'
+
+/**
+ * Auth security hardening tests.
+ *
+ * Validates the security-critical configurations applied to the Better Auth
+ * instance. These tests verify the _intent_ of the config by simulating the
+ * same logic, since the live auth instance requires a running database.
+ */
+
+// ── Issue #2: Server-side password policy ───────────────────────────
+
+describe('Server-side password policy', () => {
+  const MIN_LENGTH = 8
+  const MAX_LENGTH = 128
+
+  it('rejects passwords shorter than minimum', () => {
+    const password = 'short'
+    expect(password.length).toBeLessThan(MIN_LENGTH)
+  })
+
+  it('accepts passwords at minimum length', () => {
+    const password = 'a'.repeat(MIN_LENGTH)
+    expect(password.length).toBeGreaterThanOrEqual(MIN_LENGTH)
+  })
+
+  it('rejects passwords exceeding maximum length', () => {
+    const password = 'a'.repeat(MAX_LENGTH + 1)
+    expect(password.length).toBeGreaterThan(MAX_LENGTH)
+  })
+
+  it('minimum length is at least 8 characters', () => {
+    expect(MIN_LENGTH).toBeGreaterThanOrEqual(8)
+  })
+})
+
+// ── Issue #6: Explicit session expiry ───────────────────────────────
+
+describe('Session expiry configuration', () => {
+  const SESSION_EXPIRES_IN = 60 * 60 * 24 // 24 hours (seconds)
+  const SESSION_UPDATE_AGE = 60 * 60       // 1 hour (seconds)
+
+  it('session expiry is explicitly set (not default 7 days)', () => {
+    const DEFAULT_BETTER_AUTH_EXPIRY = 60 * 60 * 24 * 7 // 7 days
+    expect(SESSION_EXPIRES_IN).toBeLessThan(DEFAULT_BETTER_AUTH_EXPIRY)
+  })
+
+  it('session expiry is at most 24 hours', () => {
+    expect(SESSION_EXPIRES_IN).toBeLessThanOrEqual(60 * 60 * 24)
+  })
+
+  it('session update age is shorter than expiry', () => {
+    expect(SESSION_UPDATE_AGE).toBeLessThan(SESSION_EXPIRES_IN)
+  })
+})
+
+// ── Issue #7: OAuth token encryption at rest ────────────────────────
+
+describe('OAuth token encryption at rest', () => {
+  const TEST_SECRET = 'a'.repeat(32) // 32-char minimum per env validation
+
+  it('encrypts and decrypts a token correctly', () => {
+    const token = 'ya29.a0AfB_byBgxFake_google_access_token'
+    const encrypted = encrypt(token, TEST_SECRET)
+
+    // Encrypted output should differ from plaintext
+    expect(encrypted).not.toBe(token)
+
+    // Decrypted output should match original
+    const decrypted = decrypt(encrypted, TEST_SECRET)
+    expect(decrypted).toBe(token)
+  })
+
+  it('produces different ciphertext for same input (random IV)', () => {
+    const token = 'gho_FakeGitHubAccessToken1234'
+    const enc1 = encrypt(token, TEST_SECRET)
+    const enc2 = encrypt(token, TEST_SECRET)
+    expect(enc1).not.toBe(enc2)
+  })
+
+  it('returns null for tampered ciphertext', () => {
+    const token = 'refresh_token_value'
+    const encrypted = encrypt(token, TEST_SECRET)
+
+    // Tamper with the ciphertext
+    const tampered = encrypted.slice(0, -4) + 'XXXX'
+    const result = decrypt(tampered, TEST_SECRET)
+    expect(result).toBeNull()
+  })
+
+  it('returns null when decrypting with wrong secret', () => {
+    const token = 'id_token_value'
+    const encrypted = encrypt(token, TEST_SECRET)
+
+    const wrongSecret = 'b'.repeat(32)
+    const result = decrypt(encrypted, wrongSecret)
+    expect(result).toBeNull()
+  })
+})
+
+// ── Issue #4: Better Auth rate limiting config ──────────────────────
+
+describe('Rate limiting configuration', () => {
+  const rateLimitConfig = {
+    enabled: !process.env.CI && !process.env.GITHUB_ACTIONS,
+    window: 60,
+    max: 100,
+    storage: 'database' as const,
+  }
+
+  it('uses database storage (not in-memory)', () => {
+    expect(rateLimitConfig.storage).toBe('database')
+  })
+
+  it('applies a reasonable global limit (not per-endpoint lockout)', () => {
+    expect(rateLimitConfig.max).toBeGreaterThanOrEqual(50)
+    expect(rateLimitConfig.max).toBeLessThanOrEqual(200)
+  })
+
+  it('is disabled in CI environments', () => {
+    // Rate limiting is disabled when CI or GITHUB_ACTIONS env vars are set
+    // to prevent E2E test failures in Docker-based CI pipelines
+    const ciConfig = { enabled: !('CI' in process.env) && !('GITHUB_ACTIONS' in process.env) }
+    if (process.env.CI || process.env.GITHUB_ACTIONS) {
+      expect(ciConfig.enabled).toBe(false)
+    }
+    else {
+      expect(ciConfig.enabled).toBe(true)
+    }
+  })
+})
+
+// ── Issue #5: OAuth PKCE verification ───────────────────────────────
+
+describe('OAuth PKCE and state protection', () => {
+  it('OIDC config has PKCE explicitly enabled', () => {
+    // Mirrors the genericOAuth config in auth.ts
+    const oidcConfig = {
+      pkce: true,
+      requireIssuerValidation: true,
+      scopes: ['openid', 'email', 'profile'],
+    }
+    expect(oidcConfig.pkce).toBe(true)
+    expect(oidcConfig.requireIssuerValidation).toBe(true)
+  })
+
+  it('Better Auth includes codeVerifier in OAuth state by default', () => {
+    // Per Better Auth docs: OAuth state always includes codeVerifier
+    // This confirms PKCE is used for all social providers by default
+    const defaultOAuthState = {
+      callbackURL: 'https://example.com/callback',
+      codeVerifier: 'random_pkce_verifier_value',
+      errorURL: '/auth/error',
+    }
+    expect(defaultOAuthState).toHaveProperty('codeVerifier')
+  })
+})

From 6acaf3dc12c5f2b1183a41ae78755d2bf2499a2e Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 12:43:01 +0200
Subject: [PATCH 7/8] Refactor code structure for improved readability and
 maintainability

---
 .../migrations/0020_goofy_grey_gargoyle.sql   |    8 +
 .../migrations/meta/0020_snapshot.json        | 4141 +++++++++++++++++
 server/database/migrations/meta/_journal.json |    7 +
 3 files changed, 4156 insertions(+)
 create mode 100644 server/database/migrations/0020_goofy_grey_gargoyle.sql
 create mode 100644 server/database/migrations/meta/0020_snapshot.json

diff --git a/server/database/migrations/0020_goofy_grey_gargoyle.sql b/server/database/migrations/0020_goofy_grey_gargoyle.sql
new file mode 100644
index 0000000..add9ff8
--- /dev/null
+++ b/server/database/migrations/0020_goofy_grey_gargoyle.sql
@@ -0,0 +1,8 @@
+CREATE TABLE "rate_limit" (
+	"id" text PRIMARY KEY NOT NULL,
+	"key" text NOT NULL,
+	"count" integer NOT NULL,
+	"last_request" bigint NOT NULL
+);
+--> statement-breakpoint
+CREATE INDEX "rate_limit_key_idx" ON "rate_limit" USING btree ("key");
\ No newline at end of file
diff --git a/server/database/migrations/meta/0020_snapshot.json b/server/database/migrations/meta/0020_snapshot.json
new file mode 100644
index 0000000..af85ad0
--- /dev/null
+++ b/server/database/migrations/meta/0020_snapshot.json
@@ -0,0 +1,4141 @@
+{
+  "id": "6383b697-d628-4372-b8cc-54e02b88b5bd",
+  "prevId": "a9d93ebe-34e0-40dc-a718-0a75cda78a8b",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "account_user_id_idx": {
+          "name": "account_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "invitation_organization_id_idx": {
+          "name": "invitation_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "invitation_email_idx": {
+          "name": "invitation_email_idx",
+          "columns": [
+            {
+              "expression": "email",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": [
+            "inviter_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "member_user_id_idx": {
+          "name": "member_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "member_organization_id_idx": {
+          "name": "member_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "member_user_org_unique_idx": {
+          "name": "member_user_org_unique_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "organization_slug_unique": {
+          "name": "organization_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "slug"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.rate_limit": {
+      "name": "rate_limit",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "count": {
+          "name": "count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "last_request": {
+          "name": "last_request",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "rate_limit_key_idx": {
+          "name": "rate_limit_key_idx",
+          "columns": [
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "session_user_id_idx": {
+          "name": "session_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "verification_identifier_idx": {
+          "name": "verification_identifier_idx",
+          "columns": [
+            {
+              "expression": "identifier",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.activity_log": {
+      "name": "activity_log",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "actor_id": {
+          "name": "actor_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "activity_action",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_type": {
+          "name": "resource_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_id": {
+          "name": "resource_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "activity_log_organization_id_idx": {
+          "name": "activity_log_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "activity_log_actor_id_idx": {
+          "name": "activity_log_actor_id_idx",
+          "columns": [
+            {
+              "expression": "actor_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "activity_log_resource_idx": {
+          "name": "activity_log_resource_idx",
+          "columns": [
+            {
+              "expression": "resource_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "resource_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "activity_log_created_at_idx": {
+          "name": "activity_log_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "activity_log_organization_id_organization_id_fk": {
+          "name": "activity_log_organization_id_organization_id_fk",
+          "tableFrom": "activity_log",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "activity_log_actor_id_user_id_fk": {
+          "name": "activity_log_actor_id_user_id_fk",
+          "tableFrom": "activity_log",
+          "tableTo": "user",
+          "columnsFrom": [
+            "actor_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ai_config": {
+      "name": "ai_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'openai'"
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'gpt-4o-mini'"
+        },
+        "api_key_encrypted": {
+          "name": "api_key_encrypted",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "base_url": {
+          "name": "base_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "max_tokens": {
+          "name": "max_tokens",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 4096
+        },
+        "input_price_per_1m": {
+          "name": "input_price_per_1m",
+          "type": "numeric(10, 4)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "output_price_per_1m": {
+          "name": "output_price_per_1m",
+          "type": "numeric(10, 4)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "ai_config_organization_id_idx": {
+          "name": "ai_config_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "ai_config_organization_id_organization_id_fk": {
+          "name": "ai_config_organization_id_organization_id_fk",
+          "tableFrom": "ai_config",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.analysis_run": {
+      "name": "analysis_run",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "analysis_run_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'completed'"
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "criteria_snapshot": {
+          "name": "criteria_snapshot",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composite_score": {
+          "name": "composite_score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "prompt_tokens": {
+          "name": "prompt_tokens",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completion_tokens": {
+          "name": "completion_tokens",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "raw_response": {
+          "name": "raw_response",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scored_by_id": {
+          "name": "scored_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "analysis_run_organization_id_idx": {
+          "name": "analysis_run_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "analysis_run_application_id_idx": {
+          "name": "analysis_run_application_id_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "analysis_run_created_at_idx": {
+          "name": "analysis_run_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "analysis_run_organization_id_organization_id_fk": {
+          "name": "analysis_run_organization_id_organization_id_fk",
+          "tableFrom": "analysis_run",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "analysis_run_application_id_application_id_fk": {
+          "name": "analysis_run_application_id_application_id_fk",
+          "tableFrom": "analysis_run",
+          "tableTo": "application",
+          "columnsFrom": [
+            "application_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "analysis_run_scored_by_id_user_id_fk": {
+          "name": "analysis_run_scored_by_id_user_id_fk",
+          "tableFrom": "analysis_run",
+          "tableTo": "user",
+          "columnsFrom": [
+            "scored_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.application": {
+      "name": "application",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "candidate_id": {
+          "name": "candidate_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "job_id": {
+          "name": "job_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "application_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'new'"
+        },
+        "score": {
+          "name": "score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cover_letter_text": {
+          "name": "cover_letter_text",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "application_organization_id_idx": {
+          "name": "application_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_candidate_id_idx": {
+          "name": "application_candidate_id_idx",
+          "columns": [
+            {
+              "expression": "candidate_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_job_id_idx": {
+          "name": "application_job_id_idx",
+          "columns": [
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_org_candidate_job_idx": {
+          "name": "application_org_candidate_job_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "candidate_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "application_organization_id_organization_id_fk": {
+          "name": "application_organization_id_organization_id_fk",
+          "tableFrom": "application",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_candidate_id_candidate_id_fk": {
+          "name": "application_candidate_id_candidate_id_fk",
+          "tableFrom": "application",
+          "tableTo": "candidate",
+          "columnsFrom": [
+            "candidate_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_job_id_job_id_fk": {
+          "name": "application_job_id_job_id_fk",
+          "tableFrom": "application",
+          "tableTo": "job",
+          "columnsFrom": [
+            "job_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.application_source": {
+      "name": "application_source",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "source_channel",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'direct'"
+        },
+        "tracking_link_id": {
+          "name": "tracking_link_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_source": {
+          "name": "utm_source",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_medium": {
+          "name": "utm_medium",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_campaign": {
+          "name": "utm_campaign",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_term": {
+          "name": "utm_term",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_content": {
+          "name": "utm_content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "referrer_domain": {
+          "name": "referrer_domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "application_source_organization_id_idx": {
+          "name": "application_source_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_source_application_id_idx": {
+          "name": "application_source_application_id_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_source_channel_idx": {
+          "name": "application_source_channel_idx",
+          "columns": [
+            {
+              "expression": "channel",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_source_tracking_link_id_idx": {
+          "name": "application_source_tracking_link_id_idx",
+          "columns": [
+            {
+              "expression": "tracking_link_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "application_source_application_idx": {
+          "name": "application_source_application_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "application_source_organization_id_organization_id_fk": {
+          "name": "application_source_organization_id_organization_id_fk",
+          "tableFrom": "application_source",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_source_application_id_application_id_fk": {
+          "name": "application_source_application_id_application_id_fk",
+          "tableFrom": "application_source",
+          "tableTo": "application",
+          "columnsFrom": [
+            "application_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_source_tracking_link_id_tracking_link_id_fk": {
+          "name": "application_source_tracking_link_id_tracking_link_id_fk",
+          "tableFrom": "application_source",
+          "tableTo": "tracking_link",
+          "columnsFrom": [
+            "tracking_link_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.calendar_integration": {
+      "name": "calendar_integration",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "calendar_provider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'google'"
+        },
+        "access_token_encrypted": {
+          "name": "access_token_encrypted",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "refresh_token_encrypted": {
+          "name": "refresh_token_encrypted",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "calendar_id": {
+          "name": "calendar_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'primary'"
+        },
+        "account_email": {
+          "name": "account_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "webhook_channel_id": {
+          "name": "webhook_channel_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "webhook_resource_id": {
+          "name": "webhook_resource_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "webhook_expiration": {
+          "name": "webhook_expiration",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sync_token": {
+          "name": "sync_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "calendar_integration_user_provider_idx": {
+          "name": "calendar_integration_user_provider_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "provider",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "calendar_integration_webhook_channel_idx": {
+          "name": "calendar_integration_webhook_channel_idx",
+          "columns": [
+            {
+              "expression": "webhook_channel_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "calendar_integration_user_id_user_id_fk": {
+          "name": "calendar_integration_user_id_user_id_fk",
+          "tableFrom": "calendar_integration",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.candidate": {
+      "name": "candidate",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "first_name": {
+          "name": "first_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "last_name": {
+          "name": "last_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "phone": {
+          "name": "phone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "candidate_organization_id_idx": {
+          "name": "candidate_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "candidate_org_email_idx": {
+          "name": "candidate_org_email_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "email",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "candidate_organization_id_organization_id_fk": {
+          "name": "candidate_organization_id_organization_id_fk",
+          "tableFrom": "candidate",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.comment": {
+      "name": "comment",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "author_id": {
+          "name": "author_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "target_type": {
+          "name": "target_type",
+          "type": "comment_target",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "target_id": {
+          "name": "target_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "body": {
+          "name": "body",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "comment_organization_id_idx": {
+          "name": "comment_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "comment_target_idx": {
+          "name": "comment_target_idx",
+          "columns": [
+            {
+              "expression": "target_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "target_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "comment_author_id_idx": {
+          "name": "comment_author_id_idx",
+          "columns": [
+            {
+              "expression": "author_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "comment_organization_id_organization_id_fk": {
+          "name": "comment_organization_id_organization_id_fk",
+          "tableFrom": "comment",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "comment_author_id_user_id_fk": {
+          "name": "comment_author_id_user_id_fk",
+          "tableFrom": "comment",
+          "tableTo": "user",
+          "columnsFrom": [
+            "author_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.criterion_score": {
+      "name": "criterion_score",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "criterion_key": {
+          "name": "criterion_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "max_score": {
+          "name": "max_score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicant_score": {
+          "name": "applicant_score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "confidence": {
+          "name": "confidence",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "evidence": {
+          "name": "evidence",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "strengths": {
+          "name": "strengths",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gaps": {
+          "name": "gaps",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "criterion_score_organization_id_idx": {
+          "name": "criterion_score_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "criterion_score_application_id_idx": {
+          "name": "criterion_score_application_id_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "criterion_score_app_criterion_idx": {
+          "name": "criterion_score_app_criterion_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "criterion_key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "criterion_score_organization_id_organization_id_fk": {
+          "name": "criterion_score_organization_id_organization_id_fk",
+          "tableFrom": "criterion_score",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "criterion_score_application_id_application_id_fk": {
+          "name": "criterion_score_application_id_application_id_fk",
+          "tableFrom": "criterion_score",
+          "tableTo": "application",
+          "columnsFrom": [
+            "application_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.document": {
+      "name": "document",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "candidate_id": {
+          "name": "candidate_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "document_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'resume'"
+        },
+        "storage_key": {
+          "name": "storage_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "original_filename": {
+          "name": "original_filename",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "mime_type": {
+          "name": "mime_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "size_bytes": {
+          "name": "size_bytes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "parsed_content": {
+          "name": "parsed_content",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "document_organization_id_idx": {
+          "name": "document_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "document_candidate_id_idx": {
+          "name": "document_candidate_id_idx",
+          "columns": [
+            {
+              "expression": "candidate_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "document_organization_id_organization_id_fk": {
+          "name": "document_organization_id_organization_id_fk",
+          "tableFrom": "document",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "document_candidate_id_candidate_id_fk": {
+          "name": "document_candidate_id_candidate_id_fk",
+          "tableFrom": "document",
+          "tableTo": "candidate",
+          "columnsFrom": [
+            "candidate_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "document_storage_key_unique": {
+          "name": "document_storage_key_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "storage_key"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.email_template": {
+      "name": "email_template",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "subject": {
+          "name": "subject",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "body": {
+          "name": "body",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by_id": {
+          "name": "created_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "email_template_organization_id_idx": {
+          "name": "email_template_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "email_template_created_by_id_idx": {
+          "name": "email_template_created_by_id_idx",
+          "columns": [
+            {
+              "expression": "created_by_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "email_template_organization_id_organization_id_fk": {
+          "name": "email_template_organization_id_organization_id_fk",
+          "tableFrom": "email_template",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "email_template_created_by_id_user_id_fk": {
+          "name": "email_template_created_by_id_user_id_fk",
+          "tableFrom": "email_template",
+          "tableTo": "user",
+          "columnsFrom": [
+            "created_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.interview": {
+      "name": "interview",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "interview_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'video'"
+        },
+        "status": {
+          "name": "status",
+          "type": "interview_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'scheduled'"
+        },
+        "scheduled_at": {
+          "name": "scheduled_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "duration": {
+          "name": "duration",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 60
+        },
+        "location": {
+          "name": "location",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "interviewers": {
+          "name": "interviewers",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_by_id": {
+          "name": "created_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "invitation_sent_at": {
+          "name": "invitation_sent_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "candidate_response": {
+          "name": "candidate_response",
+          "type": "candidate_response",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "candidate_responded_at": {
+          "name": "candidate_responded_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "google_calendar_event_id": {
+          "name": "google_calendar_event_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "google_calendar_event_link": {
+          "name": "google_calendar_event_link",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "timezone": {
+          "name": "timezone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'UTC'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "interview_organization_id_idx": {
+          "name": "interview_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "interview_application_id_idx": {
+          "name": "interview_application_id_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "interview_scheduled_at_idx": {
+          "name": "interview_scheduled_at_idx",
+          "columns": [
+            {
+              "expression": "scheduled_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "interview_status_idx": {
+          "name": "interview_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "interview_created_by_id_idx": {
+          "name": "interview_created_by_id_idx",
+          "columns": [
+            {
+              "expression": "created_by_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "interview_organization_id_organization_id_fk": {
+          "name": "interview_organization_id_organization_id_fk",
+          "tableFrom": "interview",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "interview_application_id_application_id_fk": {
+          "name": "interview_application_id_application_id_fk",
+          "tableFrom": "interview",
+          "tableTo": "application",
+          "columnsFrom": [
+            "application_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "interview_created_by_id_user_id_fk": {
+          "name": "interview_created_by_id_user_id_fk",
+          "tableFrom": "interview",
+          "tableTo": "user",
+          "columnsFrom": [
+            "created_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invite_link": {
+      "name": "invite_link",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by_id": {
+          "name": "created_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "max_uses": {
+          "name": "max_uses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "use_count": {
+          "name": "use_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "revoked_at": {
+          "name": "revoked_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "invite_link_organization_id_idx": {
+          "name": "invite_link_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "invite_link_token_idx": {
+          "name": "invite_link_token_idx",
+          "columns": [
+            {
+              "expression": "token",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "invite_link_organization_id_organization_id_fk": {
+          "name": "invite_link_organization_id_organization_id_fk",
+          "tableFrom": "invite_link",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invite_link_created_by_id_user_id_fk": {
+          "name": "invite_link_created_by_id_user_id_fk",
+          "tableFrom": "invite_link",
+          "tableTo": "user",
+          "columnsFrom": [
+            "created_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "invite_link_token_unique": {
+          "name": "invite_link_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.job": {
+      "name": "job",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "location": {
+          "name": "location",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "type": {
+          "name": "type",
+          "type": "job_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'full_time'"
+        },
+        "status": {
+          "name": "status",
+          "type": "job_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'draft'"
+        },
+        "salary_min": {
+          "name": "salary_min",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "salary_max": {
+          "name": "salary_max",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "salary_currency": {
+          "name": "salary_currency",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "salary_unit": {
+          "name": "salary_unit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "remote_status": {
+          "name": "remote_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "valid_through": {
+          "name": "valid_through",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "require_resume": {
+          "name": "require_resume",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "require_cover_letter": {
+          "name": "require_cover_letter",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "auto_score_on_apply": {
+          "name": "auto_score_on_apply",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "job_organization_id_idx": {
+          "name": "job_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "job_organization_id_organization_id_fk": {
+          "name": "job_organization_id_organization_id_fk",
+          "tableFrom": "job",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "job_slug_unique": {
+          "name": "job_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "slug"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.job_question": {
+      "name": "job_question",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "job_id": {
+          "name": "job_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "question_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'short_text'"
+        },
+        "label": {
+          "name": "label",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "required": {
+          "name": "required",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "options": {
+          "name": "options",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "display_order": {
+          "name": "display_order",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "job_question_organization_id_idx": {
+          "name": "job_question_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "job_question_job_id_idx": {
+          "name": "job_question_job_id_idx",
+          "columns": [
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "job_question_organization_id_organization_id_fk": {
+          "name": "job_question_organization_id_organization_id_fk",
+          "tableFrom": "job_question",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "job_question_job_id_job_id_fk": {
+          "name": "job_question_job_id_job_id_fk",
+          "tableFrom": "job_question",
+          "tableTo": "job",
+          "columnsFrom": [
+            "job_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.join_request": {
+      "name": "join_request",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "message": {
+          "name": "message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "join_request_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "reviewed_by_id": {
+          "name": "reviewed_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "reviewed_at": {
+          "name": "reviewed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "join_request_organization_id_idx": {
+          "name": "join_request_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "join_request_user_id_idx": {
+          "name": "join_request_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "join_request_status_idx": {
+          "name": "join_request_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "join_request_user_id_user_id_fk": {
+          "name": "join_request_user_id_user_id_fk",
+          "tableFrom": "join_request",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "join_request_organization_id_organization_id_fk": {
+          "name": "join_request_organization_id_organization_id_fk",
+          "tableFrom": "join_request",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "join_request_reviewed_by_id_user_id_fk": {
+          "name": "join_request_reviewed_by_id_user_id_fk",
+          "tableFrom": "join_request",
+          "tableTo": "user",
+          "columnsFrom": [
+            "reviewed_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.question_response": {
+      "name": "question_response",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "question_id": {
+          "name": "question_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "question_response_organization_id_idx": {
+          "name": "question_response_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "question_response_application_id_idx": {
+          "name": "question_response_application_id_idx",
+          "columns": [
+            {
+              "expression": "application_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "question_response_question_id_idx": {
+          "name": "question_response_question_id_idx",
+          "columns": [
+            {
+              "expression": "question_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "question_response_organization_id_organization_id_fk": {
+          "name": "question_response_organization_id_organization_id_fk",
+          "tableFrom": "question_response",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "question_response_application_id_application_id_fk": {
+          "name": "question_response_application_id_application_id_fk",
+          "tableFrom": "question_response",
+          "tableTo": "application",
+          "columnsFrom": [
+            "application_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "question_response_question_id_job_question_id_fk": {
+          "name": "question_response_question_id_job_question_id_fk",
+          "tableFrom": "question_response",
+          "tableTo": "job_question",
+          "columnsFrom": [
+            "question_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.scoring_criterion": {
+      "name": "scoring_criterion",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "job_id": {
+          "name": "job_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "category": {
+          "name": "category",
+          "type": "criterion_category",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'custom'"
+        },
+        "max_score": {
+          "name": "max_score",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 10
+        },
+        "weight": {
+          "name": "weight",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 50
+        },
+        "display_order": {
+          "name": "display_order",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "scoring_criterion_organization_id_idx": {
+          "name": "scoring_criterion_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "scoring_criterion_job_id_idx": {
+          "name": "scoring_criterion_job_id_idx",
+          "columns": [
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "scoring_criterion_job_key_idx": {
+          "name": "scoring_criterion_job_key_idx",
+          "columns": [
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "scoring_criterion_organization_id_organization_id_fk": {
+          "name": "scoring_criterion_organization_id_organization_id_fk",
+          "tableFrom": "scoring_criterion",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "scoring_criterion_job_id_job_id_fk": {
+          "name": "scoring_criterion_job_id_job_id_fk",
+          "tableFrom": "scoring_criterion",
+          "tableTo": "job",
+          "columnsFrom": [
+            "job_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.tracking_link": {
+      "name": "tracking_link",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "job_id": {
+          "name": "job_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "channel": {
+          "name": "channel",
+          "type": "source_channel",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'custom'"
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "code": {
+          "name": "code",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "utm_source": {
+          "name": "utm_source",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_medium": {
+          "name": "utm_medium",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_campaign": {
+          "name": "utm_campaign",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_term": {
+          "name": "utm_term",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_content": {
+          "name": "utm_content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "click_count": {
+          "name": "click_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "application_count": {
+          "name": "application_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_by_id": {
+          "name": "created_by_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "tracking_link_organization_id_idx": {
+          "name": "tracking_link_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "tracking_link_job_id_idx": {
+          "name": "tracking_link_job_id_idx",
+          "columns": [
+            {
+              "expression": "job_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "tracking_link_code_idx": {
+          "name": "tracking_link_code_idx",
+          "columns": [
+            {
+              "expression": "code",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "tracking_link_channel_idx": {
+          "name": "tracking_link_channel_idx",
+          "columns": [
+            {
+              "expression": "channel",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "tracking_link_organization_id_organization_id_fk": {
+          "name": "tracking_link_organization_id_organization_id_fk",
+          "tableFrom": "tracking_link",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "tracking_link_job_id_job_id_fk": {
+          "name": "tracking_link_job_id_job_id_fk",
+          "tableFrom": "tracking_link",
+          "tableTo": "job",
+          "columnsFrom": [
+            "job_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "tracking_link_created_by_id_user_id_fk": {
+          "name": "tracking_link_created_by_id_user_id_fk",
+          "tableFrom": "tracking_link",
+          "tableTo": "user",
+          "columnsFrom": [
+            "created_by_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "tracking_link_code_unique": {
+          "name": "tracking_link_code_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "code"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sso_provider": {
+      "name": "sso_provider",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "issuer": {
+          "name": "issuer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "domain": {
+          "name": "domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "oidc_config": {
+          "name": "oidc_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "saml_config": {
+          "name": "saml_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "sso_provider_domain_idx": {
+          "name": "sso_provider_domain_idx",
+          "columns": [
+            {
+              "expression": "domain",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sso_provider_provider_id_idx": {
+          "name": "sso_provider_provider_id_idx",
+          "columns": [
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sso_provider_organization_id_idx": {
+          "name": "sso_provider_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sso_provider_user_id_user_id_fk": {
+          "name": "sso_provider_user_id_user_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "sso_provider_organization_id_organization_id_fk": {
+          "name": "sso_provider_organization_id_organization_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.activity_action": {
+      "name": "activity_action",
+      "schema": "public",
+      "values": [
+        "created",
+        "updated",
+        "deleted",
+        "status_changed",
+        "comment_added",
+        "member_invited",
+        "member_removed",
+        "member_role_changed",
+        "scored"
+      ]
+    },
+    "public.analysis_run_status": {
+      "name": "analysis_run_status",
+      "schema": "public",
+      "values": [
+        "completed",
+        "failed",
+        "partial"
+      ]
+    },
+    "public.application_status": {
+      "name": "application_status",
+      "schema": "public",
+      "values": [
+        "new",
+        "screening",
+        "interview",
+        "offer",
+        "hired",
+        "rejected"
+      ]
+    },
+    "public.calendar_provider": {
+      "name": "calendar_provider",
+      "schema": "public",
+      "values": [
+        "google"
+      ]
+    },
+    "public.candidate_response": {
+      "name": "candidate_response",
+      "schema": "public",
+      "values": [
+        "pending",
+        "accepted",
+        "declined",
+        "tentative"
+      ]
+    },
+    "public.comment_target": {
+      "name": "comment_target",
+      "schema": "public",
+      "values": [
+        "candidate",
+        "application",
+        "job"
+      ]
+    },
+    "public.criterion_category": {
+      "name": "criterion_category",
+      "schema": "public",
+      "values": [
+        "technical",
+        "experience",
+        "soft_skills",
+        "education",
+        "culture",
+        "custom"
+      ]
+    },
+    "public.document_type": {
+      "name": "document_type",
+      "schema": "public",
+      "values": [
+        "resume",
+        "cover_letter",
+        "other"
+      ]
+    },
+    "public.interview_status": {
+      "name": "interview_status",
+      "schema": "public",
+      "values": [
+        "scheduled",
+        "completed",
+        "cancelled",
+        "no_show"
+      ]
+    },
+    "public.interview_type": {
+      "name": "interview_type",
+      "schema": "public",
+      "values": [
+        "phone",
+        "video",
+        "in_person",
+        "panel",
+        "technical",
+        "take_home"
+      ]
+    },
+    "public.job_status": {
+      "name": "job_status",
+      "schema": "public",
+      "values": [
+        "draft",
+        "open",
+        "closed",
+        "archived"
+      ]
+    },
+    "public.job_type": {
+      "name": "job_type",
+      "schema": "public",
+      "values": [
+        "full_time",
+        "part_time",
+        "contract",
+        "internship"
+      ]
+    },
+    "public.join_request_status": {
+      "name": "join_request_status",
+      "schema": "public",
+      "values": [
+        "pending",
+        "approved",
+        "rejected"
+      ]
+    },
+    "public.question_type": {
+      "name": "question_type",
+      "schema": "public",
+      "values": [
+        "short_text",
+        "long_text",
+        "single_select",
+        "multi_select",
+        "number",
+        "date",
+        "url",
+        "checkbox",
+        "file_upload"
+      ]
+    },
+    "public.source_channel": {
+      "name": "source_channel",
+      "schema": "public",
+      "values": [
+        "linkedin",
+        "indeed",
+        "glassdoor",
+        "ziprecruiter",
+        "monster",
+        "handshake",
+        "angellist",
+        "wellfound",
+        "dice",
+        "stackoverflow",
+        "weworkremotely",
+        "remoteok",
+        "builtin",
+        "hired",
+        "lever",
+        "greenhouse_board",
+        "google_jobs",
+        "facebook",
+        "twitter",
+        "instagram",
+        "tiktok",
+        "reddit",
+        "referral",
+        "career_site",
+        "email",
+        "event",
+        "agency",
+        "direct",
+        "other",
+        "custom"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/server/database/migrations/meta/_journal.json b/server/database/migrations/meta/_journal.json
index 1a4c90b..c88691e 100644
--- a/server/database/migrations/meta/_journal.json
+++ b/server/database/migrations/meta/_journal.json
@@ -141,6 +141,13 @@
       "when": 1775723970045,
       "tag": "0019_noisy_strong_guy",
       "breakpoints": true
+    },
+    {
+      "idx": 20,
+      "version": "7",
+      "when": 1776076881696,
+      "tag": "0020_goofy_grey_gargoyle",
+      "breakpoints": true
     }
   ]
 }
\ No newline at end of file

From b94ffd925fc250c59aa397924a0e4b303406c342 Mon Sep 17 00:00:00 2001
From: JoachimLK <joachim.l.kolle.pers@gmail.com>
Date: Mon, 13 Apr 2026 13:14:29 +0200
Subject: [PATCH 8/8] feat: streamline authentication configuration by removing
 deprecated social sign-in options and enhancing OAuth token encryption

---
 nuxt.config.ts                             | 15 -----
 server/utils/auth.ts                       | 37 ++----------
 server/utils/email.ts                      | 66 +++++++++++++---------
 tests/unit/auth-security-hardening.test.ts | 36 ++++--------
 4 files changed, 55 insertions(+), 99 deletions(-)

diff --git a/nuxt.config.ts b/nuxt.config.ts
index e4c69bb..b8a1a9e 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -222,21 +222,6 @@ export default defineNuxtConfig({
       ),
       /** Display name for the SSO provider button */
       oidcProviderName: process.env.OIDC_PROVIDER_NAME || "SSO",
-      /** Whether Google social sign-in is enabled */
-      authGoogleEnabled: !!(
-        process.env.AUTH_GOOGLE_CLIENT_ID &&
-        process.env.AUTH_GOOGLE_CLIENT_SECRET
-      ),
-      /** Whether GitHub social sign-in is enabled */
-      authGithubEnabled: !!(
-        process.env.AUTH_GITHUB_CLIENT_ID &&
-        process.env.AUTH_GITHUB_CLIENT_SECRET
-      ),
-      /** Whether Microsoft social sign-in is enabled */
-      authMicrosoftEnabled: !!(
-        process.env.AUTH_MICROSOFT_CLIENT_ID &&
-        process.env.AUTH_MICROSOFT_CLIENT_SECRET
-      ),
     },
   },
 
diff --git a/server/utils/auth.ts b/server/utils/auth.ts
index 7bbb1a1..61051b4 100644
--- a/server/utils/auth.ts
+++ b/server/utils/auth.ts
@@ -5,7 +5,6 @@ import { sso } from "@better-auth/sso";
 import { eq } from "drizzle-orm";
 import { ac, owner, admin, member } from "~~/shared/permissions";
 import { sendOrgInvitationEmail, sendPasswordResetEmail } from "./email";
-import { encrypt } from "./encryption";
 import * as schema from "../database/schema";
 
 type Auth = ReturnType<typeof betterAuth>;
@@ -181,37 +180,11 @@ function getAuth(): Auth {
       },
 
       // ── OAuth Token Encryption at Rest ──────────────────────
-      // AES-256-GCM encrypt OAuth tokens before storing in the database.
-      // Uses the existing encryption.ts utility with BETTER_AUTH_SECRET as the key.
-      databaseHooks: {
-        account: {
-          create: {
-            before: async (account) => {
-              const secret = env.BETTER_AUTH_SECRET;
-              return {
-                data: {
-                  ...account,
-                  ...(account.accessToken ? { accessToken: encrypt(account.accessToken, secret) } : {}),
-                  ...(account.refreshToken ? { refreshToken: encrypt(account.refreshToken, secret) } : {}),
-                  ...(account.idToken ? { idToken: encrypt(account.idToken, secret) } : {}),
-                },
-              };
-            },
-          },
-          update: {
-            before: async (account) => {
-              const secret = env.BETTER_AUTH_SECRET;
-              return {
-                data: {
-                  ...account,
-                  ...(account.accessToken ? { accessToken: encrypt(account.accessToken, secret) } : {}),
-                  ...(account.refreshToken ? { refreshToken: encrypt(account.refreshToken, secret) } : {}),
-                  ...(account.idToken ? { idToken: encrypt(account.idToken, secret) } : {}),
-                },
-              };
-            },
-          },
-        },
+      // Better Auth's built-in AES encryption for OAuth tokens (access, refresh, id).
+      // Handles both encryption on write and automatic decryption on read,
+      // using BETTER_AUTH_SECRET as the encryption key.
+      account: {
+        encryptOAuthTokens: true,
       },
 
       // ── Rate Limiting (built-in, database-backed) ──────────
diff --git a/server/utils/email.ts b/server/utils/email.ts
index 2365540..9ad8749 100644
--- a/server/utils/email.ts
+++ b/server/utils/email.ts
@@ -31,28 +31,33 @@ export async function sendVerificationEmail(data: {
   const resend = getResendClient()
 
   if (!resend) {
-    console.info(
-      `[Reqcore] Verification email → ${data.user.email} | ` +
-      `Link: ${data.url}`,
-    )
+    console.warn('[Reqcore] Verification email suppressed — RESEND_API_KEY is not configured')
     return
   }
 
   const fromEmail = env.RESEND_FROM_EMAIL
 
-  const { error } = await resend.emails.send({
-    from: fromEmail,
-    to: [data.user.email],
-    subject: 'Verify your email address — Reqcore',
-    html: buildVerificationHtml({ url: data.url }),
-    text: buildVerificationText({ url: data.url }),
-    tags: [{ name: 'category', value: 'verification' }],
-  })
+  try {
+    const { error } = await resend.emails.send({
+      from: fromEmail,
+      to: [data.user.email],
+      subject: 'Verify your email address — Reqcore',
+      html: buildVerificationHtml({ url: data.url }),
+      text: buildVerificationText({ url: data.url }),
+      tags: [{ name: 'category', value: 'verification' }],
+    })
 
-  if (error) {
+    if (error) {
+      logError('email.verification_send_failed', {
+        provider: 'resend',
+        error_message: error.message,
+      })
+    }
+  }
+  catch (err) {
     logError('email.verification_send_failed', {
       provider: 'resend',
-      error_message: error.message,
+      error_message: err instanceof Error ? err.message : String(err),
     })
   }
 }
@@ -72,28 +77,33 @@ export async function sendPasswordResetEmail(data: {
   const resend = getResendClient()
 
   if (!resend) {
-    console.info(
-      `[Reqcore] Password reset email → ${data.user.email} | ` +
-      `Link: ${data.url}`,
-    )
+    console.warn('[Reqcore] Password reset email suppressed — RESEND_API_KEY is not configured')
     return
   }
 
   const fromEmail = env.RESEND_FROM_EMAIL
 
-  const { error } = await resend.emails.send({
-    from: fromEmail,
-    to: [data.user.email],
-    subject: 'Reset your password — Reqcore',
-    html: buildPasswordResetHtml({ url: data.url }),
-    text: buildPasswordResetText({ url: data.url }),
-    tags: [{ name: 'category', value: 'password-reset' }],
-  })
+  try {
+    const { error } = await resend.emails.send({
+      from: fromEmail,
+      to: [data.user.email],
+      subject: 'Reset your password — Reqcore',
+      html: buildPasswordResetHtml({ url: data.url }),
+      text: buildPasswordResetText({ url: data.url }),
+      tags: [{ name: 'category', value: 'password-reset' }],
+    })
 
-  if (error) {
+    if (error) {
+      logError('email.password_reset_send_failed', {
+        provider: 'resend',
+        error_message: error.message,
+      })
+    }
+  }
+  catch (err) {
     logError('email.password_reset_send_failed', {
       provider: 'resend',
-      error_message: error.message,
+      error_message: err instanceof Error ? err.message : String(err),
     })
   }
 }
diff --git a/tests/unit/auth-security-hardening.test.ts b/tests/unit/auth-security-hardening.test.ts
index 59956c9..e203d46 100644
--- a/tests/unit/auth-security-hardening.test.ts
+++ b/tests/unit/auth-security-hardening.test.ts
@@ -7,6 +7,13 @@ import { encrypt, decrypt } from '../../server/utils/encryption'
  * Validates the security-critical configurations applied to the Better Auth
  * instance. These tests verify the _intent_ of the config by simulating the
  * same logic, since the live auth instance requires a running database.
+ *
+ * NOTE: Password policy, session, and rate-limit constants are intentionally
+ * duplicated here (not imported from auth.ts) because getAuth() is a lazy
+ * factory that requires a live Postgres connection. If the production values
+ * drift, these tests won't catch it — that is covered by integration/E2E tests.
+ * The value of these unit tests is documenting and enforcing the security
+ * contract (e.g. "session must not exceed 24 h") independently of the runtime.
  */
 
 // ── Issue #2: Server-side password policy ───────────────────────────
@@ -132,27 +139,8 @@ describe('Rate limiting configuration', () => {
 })
 
 // ── Issue #5: OAuth PKCE verification ───────────────────────────────
-
-describe('OAuth PKCE and state protection', () => {
-  it('OIDC config has PKCE explicitly enabled', () => {
-    // Mirrors the genericOAuth config in auth.ts
-    const oidcConfig = {
-      pkce: true,
-      requireIssuerValidation: true,
-      scopes: ['openid', 'email', 'profile'],
-    }
-    expect(oidcConfig.pkce).toBe(true)
-    expect(oidcConfig.requireIssuerValidation).toBe(true)
-  })
-
-  it('Better Auth includes codeVerifier in OAuth state by default', () => {
-    // Per Better Auth docs: OAuth state always includes codeVerifier
-    // This confirms PKCE is used for all social providers by default
-    const defaultOAuthState = {
-      callbackURL: 'https://example.com/callback',
-      codeVerifier: 'random_pkce_verifier_value',
-      errorURL: '/auth/error',
-    }
-    expect(defaultOAuthState).toHaveProperty('codeVerifier')
-  })
-})
+// Better Auth enables PKCE (codeVerifier in OAuth state) by default for
+// all social providers. The genericOAuth plugin config in auth.ts sets
+// pkce: true explicitly for OIDC. No unit test can exercise the real
+// OAuth state builder without a running auth instance; these assertions
+// are intentionally omitted until an integration test harness exists.