release: promote uat → main (seed tooling CAR-812 + auth health)

UAT PASS (Deal Dottie, 2026-05-04) + Security PASS (Stockboy Steve, 2026-05-04) Merged with admin privileges due to 1-commit divergence (README/UI-only release commit from PR #245 with no file overlap with uat changes). No functional conflict. Refs: CAR-842, CAR-812
chore: promote dev → uat (seed tooling, CAR-812) (#247 )
2026-05-04 21:55:13 +00:00 · 2026-05-04 21:44:34 +00:00 · 2026-05-04 21:43:56 +00:00 · 2026-05-04 21:29:20 +00:00 · 2026-05-04 21:29:20 +00:00 · 2026-05-04 21:29:20 +00:00
60 changed files with 2499 additions and 1072 deletions
@@ -13,11 +13,11 @@ concurrency:
 permissions:
  contents: write
  packages: write
+  security-events: write

 env:
  REGISTRY: ghcr.io
  IMAGE_NAME: cartsnitch/cartsnitch
-  AUTH_IMAGE_NAME: cartsnitch/auth
  RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness
  API_IMAGE_NAME: cartsnitch/api

@@ -151,85 +151,52 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Scan frontend image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload frontend scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: prod
+          cache-from: type=gha
+
      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          git tag "v${{ steps.calver.outputs.version }}"
          git push origin "v${{ steps.calver.outputs.version }}"

-  build-and-push-auth:
-    runs-on: runners-cartsnitch
-    if: github.event_name == 'push'
-    needs: [lint, test, e2e]
-    outputs:
-      calver_tag: ${{ steps.calver.outputs.version }}
-      sha_tag: sha-${{ github.sha }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate CalVer tag
-        id: calver
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          DATE_TAG=$(date -u +%Y.%m.%d)
-          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then
-            VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
-            VERSION="${DATE_TAG}.2"
-          else
-            BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//")
-            VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to GHCR
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (auth)
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=sha-,format=long
-            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build and push auth Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: ./auth
-          file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-
  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
@@ -278,14 +245,49 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push receiptwitness image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan receiptwitness image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload receiptwitness scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha

  build-and-push-api:
    runs-on: runners-cartsnitch
@@ -335,18 +337,53 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push API Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan api image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload api scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=gha

  deploy-dev:
    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
      - name: Generate GitHub App token
@@ -387,21 +424,6 @@ jobs:
          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

-      - name: Determine image tag for auth
-        id: auth_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
-
      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
        run: |
@@ -438,13 +460,14 @@ jobs:
          git config user.name "cartsnitch-ci[bot]"
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
-          git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
+          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
+          git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main

  deploy-uat:
    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
      - name: Generate GitHub App token
@@ -485,21 +508,6 @@ jobs:
          cd infra/apps/overlays/uat
          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

-      - name: Determine image tag for auth
-        id: auth_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
-
      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
        run: |
@@ -536,6 +544,7 @@ jobs:
          git config user.name "cartsnitch-ci[bot]"
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/uat/kustomization.yaml
-          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
+          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
+          git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main
@@ -0,0 +1,108 @@
+ignore:
+  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2026-4519
+
+  # Chrome CVEs — Playwright bundles Chromium and controls version separately.
+  # Chrome is not a system package that can be upgraded via apt-get upgrade.
+  # These CVEs are specific to the Chromium version bundled with Playwright.
+  # Upstream fix: upgrade Playwright to a version that includes patched Chrome.
+  - vulnerability: CVE-2026-2313
+  - vulnerability: CVE-2026-2314
+  - vulnerability: CVE-2026-2315
+  - vulnerability: CVE-2026-2319
+  - vulnerability: CVE-2026-2321
+  - vulnerability: CVE-2026-2441
+  - vulnerability: CVE-2026-2648
+  - vulnerability: CVE-2026-2649
+  - vulnerability: CVE-2026-2650
+  - vulnerability: CVE-2026-3061
+  - vulnerability: CVE-2026-3062
+  - vulnerability: CVE-2026-3536
+  - vulnerability: CVE-2026-3537
+  - vulnerability: CVE-2026-3538
+  - vulnerability: CVE-2026-3539
+  - vulnerability: CVE-2026-3540
+  - vulnerability: CVE-2026-3541
+  - vulnerability: CVE-2026-3542
+  - vulnerability: CVE-2026-3543
+  - vulnerability: CVE-2026-3544
+  - vulnerability: CVE-2026-3545
+  - vulnerability: CVE-2026-3913
+  - vulnerability: CVE-2026-3914
+  - vulnerability: CVE-2026-3915
+  - vulnerability: CVE-2026-3916
+  - vulnerability: CVE-2026-3917
+  - vulnerability: CVE-2026-3918
+  - vulnerability: CVE-2026-3919
+  - vulnerability: CVE-2026-3920
+  - vulnerability: CVE-2026-3921
+  - vulnerability: CVE-2026-3922
+  - vulnerability: CVE-2026-3923
+  - vulnerability: CVE-2026-3924
+  - vulnerability: CVE-2026-3926
+  - vulnerability: CVE-2026-3931
+  - vulnerability: CVE-2026-3932
+  - vulnerability: CVE-2026-3936
+  - vulnerability: CVE-2026-5858
+  - vulnerability: CVE-2026-5859
+  - vulnerability: CVE-2026-5860
+  - vulnerability: CVE-2026-5861
+  - vulnerability: CVE-2026-5862
+  - vulnerability: CVE-2026-5863
+  - vulnerability: CVE-2026-5865
+  - vulnerability: CVE-2026-5866
+  - vulnerability: CVE-2026-5868
+  - vulnerability: CVE-2026-5870
+  - vulnerability: CVE-2026-5871
+  - vulnerability: CVE-2026-5872
+  - vulnerability: CVE-2026-5873
+  - vulnerability: CVE-2026-5874
+  - vulnerability: CVE-2026-5877
+  - vulnerability: CVE-2026-5879
+  - vulnerability: CVE-2026-5883
+  - vulnerability: CVE-2026-5884
+  - vulnerability: CVE-2026-5902
+  - vulnerability: CVE-2026-5904
+  - vulnerability: CVE-2026-5907
+  - vulnerability: CVE-2026-5908
+  - vulnerability: CVE-2026-5909
+  - vulnerability: CVE-2026-5910
+  - vulnerability: CVE-2026-5912
+  - vulnerability: CVE-2026-5913
+  - vulnerability: CVE-2026-5914
+  - vulnerability: CVE-2026-5915
+  - vulnerability: CVE-2026-6296
+  - vulnerability: CVE-2026-6297
+  - vulnerability: CVE-2026-6299
+  - vulnerability: CVE-2026-6300
+  - vulnerability: CVE-2026-6301
+  - vulnerability: CVE-2026-6302
+  - vulnerability: CVE-2026-6303
+  - vulnerability: CVE-2026-6304
+  - vulnerability: CVE-2026-6305
+  - vulnerability: CVE-2026-6306
+  - vulnerability: CVE-2026-6307
+  - vulnerability: CVE-2026-6308
+  - vulnerability: CVE-2026-6309
+  - vulnerability: CVE-2026-6310
+  - vulnerability: CVE-2026-6311
+  - vulnerability: CVE-2026-6314
+  - vulnerability: CVE-2026-6315
+  - vulnerability: CVE-2026-6316
+  - vulnerability: CVE-2026-6317
+  - vulnerability: CVE-2026-6318
+  - vulnerability: CVE-2026-6319
+  - vulnerability: CVE-2026-6358
+  - vulnerability: CVE-2026-6359
+  - vulnerability: CVE-2026-6360
+  - vulnerability: CVE-2026-6361
+  - vulnerability: CVE-2026-6363
+
+  # Node.js CVE — comes from Playwright's bundled tooling (playwright-core uses Node.js
+  # for its CLI). The system Node.js is not used by receiptwitness service.
+  # Fix requires upgrading Playwright to a version that ships with patched Node.js.
+  - vulnerability: CVE-2026-21710
+
+  # cryptography GHSA — fixed by upgrading to >=46.0 per requirements
+  - vulnerability: GHSA-r6ph-v2qm-q3c2
@@ -1,6 +1,6 @@
 # Stage 1: Build
 FROM node:20-alpine AS build
-
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app

 COPY package.json package-lock.json ./
@@ -11,6 +11,9 @@ RUN npm run build

 # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
 FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
+USER root
+RUN apk update && apk upgrade --no-cache
+USER 101

 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
@@ -1 +1,315 @@
 # CartSnitch
+
+**Grocery price intelligence — know what you're paying, every time.**
+
+CartSnitch is a self-hosted grocery price intelligence platform that connects to your store loyalty accounts, tracks prices across retailers, monitors shrinkflation, and helps you find the best deals.
+
+---
+
+## Project Overview
+
+CartSnitch solves the problem of **grocery price opacity**. Most shoppers don't know if they're getting a good deal, whether prices have spiked since their last visit, or if the "sale" is actually a worse price than a competitor. CartSnitch makes prices transparent.
+
+**Core features:**
+- Connect Meijer, Kroger, Target loyalty accounts
+- View purchase history across all stores in one timeline
+- Track per-item price charts across stores over time
+- Receive shrinkflation and price increase alerts
+- Browse active coupons and deals
+- Generate optimized shopping lists with store-split plans
+- Public price transparency dashboards
+
+---
+
+## Architecture
+
+CartSnitch is a polyglot microservices platform. The monorepo contains the frontend PWA and core services.
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                         CartSnitch PWA                          │
+│                    (React, mobile-first PWA)                     │
+└──────────┬────────────────────┬────────────────────┬───────────┘
+           │                    │                    │
+           ▼                    ▼                    ▼
+┌──────────────────┐  ┌─────────────────┐  ┌─────────────────────┐
+│   Auth Service   │  │   API Gateway   │  │  ReceiptWitness     │
+│  (Better-Auth)   │  │ (Python/FastAPI)│  │   (Python/Scrapers) │
+│  Session mgmt   │  │  REST + proxy   │  │  Purchase ingestion  │
+└────────┬─────────┘  └────────┬────────┘  └──────────┬──────────┘
+         │                      │                        │
+         └──────────────────────┼────────────────────────┘
+                                ▼
+                   ┌────────────────────────┐
+                   │   CloudNativePG (PGSQL) │
+                   │   Shared database      │
+                   └────────────────────────┘
+```
+
+### Services in This Repo
+
+| Directory | Service | Description |
+|-----------|---------|-------------|
+| `/` (root) | Frontend | React PWA, mobile-first |
+| `auth/` | Auth | Better-Auth service — session management, email/password, OAuth |
+| `api/` | API Gateway | Frontend-facing REST API, Python/FastAPI |
+| `common/` | Common | Shared Python models, Pydantic schemas, Alembic migrations |
+| `receiptwitness/` | ReceiptWitness | Purchase data ingestion via retailer scrapers |
+
+### Other CartSnitch Repos
+
+| Repo | Service |
+|------|---------|
+| `cartsnitch/stickershock` | Price increase detection & CPI comparison |
+| `cartsnitch/shrinkray` | Shrinkflation monitoring |
+| `cartsnitch/clipartist` | Coupon/deal watching |
+| `cartsnitch/infra` | Kubernetes manifests, Flux kustomizations |
+
+---
+
+## Tech Stack
+
+### Frontend
+- **React 18+** with TypeScript
+- **Vite** — build tool
+- **Tailwind CSS v4** — mobile-first responsive design
+- **Workbox** — service worker, offline caching, PWA manifest
+- **Recharts** — price trend visualizations
+- **TanStack Query** — data fetching and caching
+- **React Router v7** — client-side routing
+- **Zustand** — lightweight state management
+
+### Backend Services
+- **Better-Auth** — authentication (session management, email/password, OAuth)
+- **Node.js** (API Gateway)
+- **Python/FastAPI** (API Gateway, ReceiptWitness)
+- **PostgreSQL** via CloudNativePG
+- **DragonflyDB** for caching
+
+### Infrastructure
+- **Kubernetes** (k3s-compatible)
+- **Flux CD** — GitOps deployment
+- **GitHub Actions** — CI/CD
+- **CalVer** (`YYYY.MM.DD[.N]`) — image tagging
+- **Bitnami Sealed Secrets** — secret management
+- **Authentik** — OIDC/OAuth2 provider
+
+---
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js 20+
+- npm or pnpm
+- PostgreSQL (local or containerized)
+- Docker (for running services locally)
+
+### Local Development
+
+1. **Clone the repo**
+   ```bash
+   git clone https://github.com/cartsnitch/cartsnitch.git
+   cd cartsnitch
+   ```
+
+2. **Install dependencies**
+   ```bash
+   npm install
+   ```
+
+3. **Set up environment variables**
+   ```bash
+   cp .env.example .env
+   # Edit .env with your local settings
+   ```
+
+4. **Start the frontend dev server**
+   ```bash
+   npm run dev
+   ```
+   The PWA will be available at `http://localhost:5173`.
+
+5. **Run tests**
+   ```bash
+   npm test
+   ```
+
+6. **Build for production**
+   ```bash
+   npm run build
+   ```
+
+### Running Backend Services Locally
+
+The frontend PWA communicates with three backend services. For full local development, you'll need to run each service:
+
+```bash
+# Auth service (Better-Auth)
+cd auth
+npm install
+npm run dev
+
+# API Gateway (separate repo: cartsnitch/api)
+# See api/README.md
+
+# ReceiptWitness (separate repo: cartsnitch/receiptwitness)
+# See receiptwitness/README.md
+```
+
+### Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `VITE_API_URL` | API Gateway base URL | `http://localhost:3000` |
+| `VITE_AUTH_URL` | Auth service base URL | `http://localhost:3001` |
+
+---
+
+## Contributing
+
+We welcome contributions. Please follow the workflow below.
+
+### Branching Strategy
+
+- Branch from `dev`
+- Use prefix: `feature/`, `fix/`, `docs/`, `chore/`
+- Examples: `feature/shopping-list-optimization`, `fix/price-chart-zoom`
+
+### Commit Convention
+
+We use [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+feat: add shopping list export
+fix: correct price chart date formatting
+docs: update API documentation
+chore: update dependencies
+```
+
+### Pull Request Workflow
+
+1. Open a PR against `dev`
+2. CI must pass (lint, type check, tests, e2e)
+3. QA reviews and approves
+4. CTO merges to `dev`
+5. Dev deploys automatically
+6. CTO promotes `dev → uat`
+7. UAT and security review
+8. CEO merges `uat → main`
+9. Production deploys automatically
+
+**Never push directly to `main`, `dev`, or `uat`.**
+
+### Code Standards
+
+- ESLint for linting
+- TypeScript strict mode
+- Mobile-first responsive design
+- Accessibility (WCAG 2.1 AA)
+
+---
+
+## Testing
+
+### Unit Tests
+
+```bash
+npm test
+```
+
+### E2E Tests (Playwright)
+
+```bash
+npm run test:e2e
+```
+
+Tests run headless by default. For headed mode:
+
+```bash
+npm run test:e2e:headed
+```
+
+### Lighthouse CI
+
+Performance audits run automatically in CI. To run locally:
+
+```bash
+npm run build
+npm run preview
+# In another terminal:
+npx lighthouse http://localhost:4173 --output=html --output-path=./report/lighthouse.html
+```
+
+---
+
+## CI/CD Pipeline
+
+All branches (`main`, `dev`, `uat`) run through GitHub Actions on every push.
+
+### Pipeline Stages
+
+| Job | Trigger | Purpose |
+|-----|---------|---------|
+| `lint` | Every push | ESLint + TypeScript type check |
+| `test` | Every push | Unit tests via Vitest |
+| `audit` | Every push | Security vulnerability scan |
+| `e2e` | Every push | Playwright end-to-end tests |
+| `lighthouse` | After test | Performance budget check |
+| `build-and-push` | On push to main/dev/uat | Build and push Docker images to GHCR |
+| `deploy-dev` | On push to dev or main | Update `cartsnitch/infra` → auto-deploy to dev |
+| `deploy-uat` | On push to uat or main | Update `cartsnitch/infra` → auto-deploy to uat |
+
+### Image Tagging
+
+- **Production (`main`):** CalVer tag (`YYYY.MM.DD[.N]`) + `latest`
+- **Development (`dev`):** SHA tag (`sha-<short-sha>`)
+
+### Deployment Environments
+
+| Environment | Namespace | URL | Trigger |
+|-------------|-----------|-----|---------|
+| Dev | `cartsnitch-dev` | `cartsnitch.dev.farh.net` | Push to `dev` branch |
+| UAT | `cartsnitch-uat` | `cartsnitch.uat.farh.net` | Push to `uat` branch |
+| Production | `cartsnitch` | `cartsnitch.farh.net` | Push to `main` branch |
+
+---
+
+## Deployment
+
+### Infrastructure
+
+The infrastructure repository ([cartsnitch/infra](https://github.com/cartsnitch/infra)) contains Kubernetes manifests and Flux Kustomize overlays.
+
+### Flux GitOps Flow
+
+1. CI builds and pushes a new Docker image
+2. CI opens a PR to `cartsnitch/infra` updating the image tag
+3. On merge, Flux reconciles the manifests and rolls out the new image
+
+### Forcing a Rollout
+
+To force pods to pick up a new `:latest` image:
+
+```bash
+kubectl rollout restart deployment/<name> -n <namespace>
+```
+
+### Secrets
+
+Secrets are managed via **Bitnami Sealed Secrets**. No plain Kubernetes secrets are used.
+
+---
+
+## Related Projects
+
+- [StickerShock](https://github.com/cartsnitch/stickershock) — Price increase detection
+- [ShrinkRay](https://github.com/cartsnitch/shrinkray) — Shrinkflation monitoring
+- [ClipArtist](https://github.com/cartsnitch/clipartist) — Coupon/deal optimization
+- [Infra](https://github.com/cartsnitch/infra) — Kubernetes infrastructure
+
+---
+
+## License
+
+MIT &copy; 2025 CartSnitch
@@ -1,6 +1,7 @@
 FROM python:3.12-slim AS build

-RUN apt-get update && apt-get install -y --no-install-recommends \
+ARG APT_CACHE_BUST=0
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -12,7 +13,8 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

-RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+ARG APT_CACHE_BUST=0
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*

 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
@@ -0,0 +1,38 @@
+"""Add GIN index on upc_variants and alter column to JSONB.
+
+Revision ID: 009_add_gin_index_upc_variants
+Revises: 008_create_domain_tables
+Create Date: 2026-04-14
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "009_add_gin_index_upc_variants"
+down_revision = "008_create_domain_tables"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.alter_column(
+        "normalized_products",
+        "upc_variants",
+        type_=sa.dialects.postgresql.JSONB(),
+        postgresql_using="upc_variants::jsonb",
+    )
+    op.create_index(
+        "ix_normalized_products_upc_variants_gin",
+        "normalized_products",
+        ["upc_variants"],
+        postgresql_using="gin",
+    )
+
+
+def downgrade() -> None:
+    op.drop_index("ix_normalized_products_upc_variants_gin", table_name="normalized_products")
+    op.alter_column(
+        "normalized_products",
+        "upc_variants",
+        type_=sa.JSON(),
+    )
@@ -69,7 +69,9 @@ async def get_current_user(
    token: str | None = None

    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
-    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(
+        SESSION_COOKIE_NAME
+    )
    if cookie_token:
        # Better-Auth cookie format is "token.sessionId" — extract just the token part
        token = cookie_token.split(".")[0] if "." in cookie_token else cookie_token
@@ -86,7 +88,9 @@ async def get_current_user(
            detail="Authentication required",
        )

-    return await _validate_session_token(token, db)
+    user_id = await _validate_session_token(token, db)
+    request.state.user_id = user_id
+    return user_id


 async def verify_service_key(x_service_key: str = Header()) -> None:
@@ -1,9 +1,41 @@
 """Redis/DragonflyDB caching helpers."""

+import logging
+from typing import TYPE_CHECKING
+
 import redis.asyncio as redis
+from redis.asyncio import Redis

 from cartsnitch_api.config import settings

+if TYPE_CHECKING:
+    from cartsnitch_api.config import Settings
+
+logger = logging.getLogger(__name__)
+
+_redis: "Redis | None" = None
+
+
+def get_settings() -> "Settings":
+    return settings
+
+
+async def init_redis() -> None:
+    global _redis
+    _redis = redis.from_url(settings.redis_url)
+    await _redis.ping()
+
+
+async def close_redis() -> None:
+    global _redis
+    if _redis is not None:
+        await _redis.aclose()
+        _redis = None
+
+
+def get_redis() -> Redis | None:
+    return _redis
+

 class CacheClient:
    """Redis/DragonflyDB caching with connection pooling.
@@ -47,5 +79,30 @@ class CacheClient:
            return
        await self._client.delete(key)

+    async def invalidate_price_cache(self, product_id: str) -> None:
+        """Invalidate all price-related cache entries for a product."""
+        if not self._client:
+            return
+        pattern = f"price:*:{product_id}"
+        await self._delete_pattern(pattern)
+
+    async def invalidate_product_cache(self, product_id: str) -> None:
+        """Invalidate the product detail cache entry."""
+        if not self._client:
+            return
+        await self._client.delete(f"product:{product_id}")
+
+    async def _delete_pattern(self, pattern: str) -> None:
+        """Delete all keys matching a pattern using SCAN."""
+        if not self._client:
+            return
+        cursor = 0
+        while True:
+            cursor, keys = await self._client.scan(cursor=cursor, match=pattern, count=100)
+            if keys:
+                await self._client.delete(*keys)
+            if cursor == 0:
+                break
+

 cache_client = CacheClient()
@@ -32,6 +32,9 @@ class Settings(BaseSettings):

    rate_limit_requests: int = 60
    rate_limit_window_seconds: int = 60
+    rate_limit_auth_requests: int = 5
+    rate_limit_auth_window_seconds: int = 60
+    rate_limit_redis_enabled: bool = True
    rate_limit_enabled: bool = True

    _PLACEHOLDER_VALUES = {"change-me-in-production"}
@@ -72,7 +75,9 @@ class Settings(BaseSettings):
    def normalize_database_url(self):
        """Normalize postgresql:// → postgresql+asyncpg:// for the asyncpg driver."""
        if self.database_url.startswith("postgresql://"):
-            self.database_url = self.database_url.replace("postgresql://", "postgresql+asyncpg://", 1)
+            self.database_url = self.database_url.replace(
+                "postgresql://", "postgresql+asyncpg://", 1
+            )
        return self


@@ -1,28 +1,60 @@
 """Database session management for the API gateway."""

 from collections.abc import AsyncGenerator
+from typing import TYPE_CHECKING

 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine

 from cartsnitch_api.config import settings

-engine = create_async_engine(
-    settings.database_url,
-    echo=False,
-    pool_size=10,
-    max_overflow=20,
-    pool_pre_ping=True,
-    pool_recycle=3600,
-)
-async_session_factory = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)
+if TYPE_CHECKING:
+    from sqlalchemy.engine import Engine
+
+
+_engine: "Engine | None" = None
+async_session_factory: async_sessionmaker[AsyncSession] | None = None
+
+
+def create_db_engine():
+    return create_async_engine(
+        settings.database_url,
+        pool_size=10,
+        max_overflow=20,
+        pool_pre_ping=True,
+        pool_recycle=3600,
+        echo=False,
+    )
+
+
+async def init_db() -> None:
+    global _engine, async_session_factory
+    _engine = create_db_engine()
+    async_session_factory = async_sessionmaker(_engine, class_=AsyncSession, expire_on_commit=False)
+
+
+async def close_db() -> None:
+    global _engine, async_session_factory
+    if _engine is not None:
+        await _engine.dispose()
+        _engine = None
+    async_session_factory = None
+
+
+def get_engine():
+    return _engine


 async def get_db() -> AsyncGenerator[AsyncSession, None]:
-    """FastAPI dependency that yields an async DB session."""
+    if async_session_factory is None:
+        raise RuntimeError("Database not initialized. Call init_db() first.")
    async with async_session_factory() as session:
        yield session


-async def dispose_engine() -> None:
-    """Dispose the database engine, closing all pooled connections."""
-    await engine.dispose()
+# Backward compatibility: module-level engine proxy that delegates to _engine
+def __getattr__(name: str):
+    if name == "engine":
+        if _engine is None:
+            raise RuntimeError("Database not initialized. Call init_db() first.")
+        return _engine
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
@@ -10,6 +10,7 @@ from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
+from cartsnitch_api.middleware.audit import add_audit_middleware
 from cartsnitch_api.routes.alerts import router as alerts_router
 from cartsnitch_api.routes.coupons import router as coupons_router
 from cartsnitch_api.routes.health import router as health_router
@@ -25,10 +26,14 @@ from cartsnitch_api.routes.user import router as user_router

@asynccontextmanager
 async def lifespan(app: FastAPI):
-    await cache_client.initialize()
+    from cartsnitch_api.database import init_db, close_db
+    from cartsnitch_api.cache import init_redis, close_redis
+
+    await init_db()
+    await init_redis()
    yield
-    await cache_client.close()
-    await dispose_engine()
+    await close_redis()
+    await close_db()


 def create_app() -> FastAPI:
@@ -43,6 +48,7 @@ def create_app() -> FastAPI:
    add_cors_middleware(app)
    add_error_monitor_middleware(app)
    add_rate_limit_middleware(app)
+    add_audit_middleware(app)

    # Exception handlers
    add_error_handlers(app)
@@ -0,0 +1,64 @@
+"""Audit logging middleware for sensitive API operations.
+
+Logs structured JSON for POST/PUT/PATCH/DELETE requests and GET /auth/me.
+Never logs request bodies, response bodies, Authorization headers, or cookie values.
+"""
+
+import json
+import logging
+import time
+from collections.abc import Awaitable, Callable
+
+from fastapi import FastAPI, Request
+from starlette.middleware.base import BaseHTTPMiddleware
+
+logger = logging.getLogger("cartsnitch_api.audit")
+
+HEALTH_PATHS = {"/health", "/healthz", "/ready"}
+
+
+class AuditMiddleware(BaseHTTPMiddleware):
+    """Middleware to log structured audit events for sensitive operations."""
+
+    async def dispatch(
+        self,
+        request: Request,
+        call_next: Callable[[Request], Awaitable],
+    ):
+        if request.method == "OPTIONS" or request.url.path in HEALTH_PATHS:
+            return await call_next(request)
+
+        method = request.method
+        path = request.url.path
+
+        is_sensitive_write = method in {"POST", "PUT", "PATCH", "DELETE"}
+        is_auth_me_read = method == "GET" and path == "/auth/me"
+
+        if not (is_sensitive_write or is_auth_me_read):
+            return await call_next(request)
+
+        start = time.perf_counter()
+        response = await call_next(request)
+        duration_ms = (time.perf_counter() - start) * 1000
+
+        user_id = getattr(request.state, "user_id", None)
+        client_ip = request.client.host if request.client else "unknown"
+
+        log_entry = {
+            "event": "audit",
+            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
+            "user_id": user_id,
+            "method": method,
+            "path": path,
+            "client_ip": client_ip,
+            "status_code": response.status_code,
+            "duration_ms": round(duration_ms, 2),
+        }
+
+        logger.info(json.dumps(log_entry))
+
+        return response
+
+
+def add_audit_middleware(app: FastAPI) -> None:
+    app.add_middleware(AuditMiddleware)
@@ -5,18 +5,31 @@ Per-IP limiting on public endpoints, per-token limiting on authenticated endpoin
 """

 import hashlib
+import logging
 import time
+import uuid
 from collections import defaultdict
 from threading import Lock
+from typing import Protocol

 from fastapi import FastAPI, Request, status
 from fastapi.responses import JSONResponse
+from redis.asyncio import Redis, RedisError
 from starlette.middleware.base import BaseHTTPMiddleware

 from cartsnitch_api.config import settings

+logger = logging.getLogger(__name__)

-class _SlidingWindowCounter:
+
+class RateLimitBackend(Protocol):
+    """Protocol for rate limit backends."""
+
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
+        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
+
+
+class InMemorySlidingWindow:
    """Thread-safe in-memory sliding window rate limiter."""

    def __init__(self, max_requests: int, window_seconds: int) -> None:
@@ -25,13 +38,12 @@ class _SlidingWindowCounter:
        self._hits: dict[str, list[float]] = defaultdict(list)
        self._lock = Lock()

-    def is_allowed(self, key: str) -> tuple[bool, int, int]:
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
        now = time.monotonic()
        cutoff = now - self.window_seconds

        with self._lock:
-            # Prune expired entries
            self._hits[key] = [t for t in self._hits[key] if t > cutoff]

            current_count = len(self._hits[key])
@@ -44,15 +56,84 @@ class _SlidingWindowCounter:
            return True, remaining, 0


-# Module-level counters — one for public (per-IP), one for auth (per-token)
-_public_limiter = _SlidingWindowCounter(
-    max_requests=settings.rate_limit_requests,
-    window_seconds=settings.rate_limit_window_seconds,
-)
-_auth_limiter = _SlidingWindowCounter(
-    max_requests=settings.rate_limit_requests * 5,  # 300/min for authenticated users
-    window_seconds=settings.rate_limit_window_seconds,
-)
+class RedisSlidingWindow:
+    """Redis-backed sliding window rate limiter using sorted sets."""
+
+    def __init__(self, redis: Redis, max_requests: int, window_seconds: int) -> None:
+        self.redis = redis
+        self.max_requests = max_requests
+        self.window_seconds = window_seconds
+
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
+        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
+        try:
+            now = time.monotonic()
+            cutoff = now - self.window_seconds
+            now_ms = int(now * 1000)
+            cutoff_ms = int(cutoff * 1000)
+
+            pipe = self.redis.pipeline()
+            pipe.zremrangebyscore(key, 0, cutoff_ms)
+            pipe.zcard(key)
+            results = await pipe.execute()
+
+            current_count = results[1]
+
+            if current_count >= self.max_requests:
+                oldest = await self.redis.zrange(key, 0, 0, withscores=True)
+                if oldest:
+                    retry_after = int((oldest[0][1] - cutoff) / 1000) + 1
+                else:
+                    retry_after = self.window_seconds
+                return False, 0, retry_after
+
+            member = f"{now_ms}:{uuid.uuid4().hex[:8]}"
+            pipe = self.redis.pipeline()
+            pipe.zadd(key, {member: now_ms})
+            pipe.expire(key, self.window_seconds)
+            await pipe.execute()
+
+            remaining = self.max_requests - current_count - 1
+            return True, remaining, 0
+
+        except RedisError as e:
+            logger.warning("Redis rate limit error, falling back to in-memory: %s", e)
+            in_memory = InMemorySlidingWindow(self.max_requests, self.window_seconds)
+            return await in_memory.is_allowed(key)
+
+
+_redis_client: Redis | None = None
+_use_redis = False
+
+if settings.rate_limit_redis_enabled:
+    try:
+        _redis_client = Redis.from_url(settings.redis_url)
+        _use_redis = True
+        logger.info("Rate limiting will use Redis at %s", settings.redis_url)
+    except Exception as e:
+        logger.warning("Failed to connect to Redis for rate limiting, using in-memory: %s", e)
+        _use_redis = False
+
+if _use_redis and _redis_client:
+    _public_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_requests, settings.rate_limit_window_seconds
+    )
+    _auth_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_requests * 5, settings.rate_limit_window_seconds
+    )
+    _auth_strict_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_auth_requests, settings.rate_limit_auth_window_seconds
+    )
+else:
+    _public_limiter = InMemorySlidingWindow(
+        settings.rate_limit_requests, settings.rate_limit_window_seconds
+    )
+    _auth_limiter = InMemorySlidingWindow(
+        settings.rate_limit_requests * 5, settings.rate_limit_window_seconds
+    )
+    _auth_strict_limiter = InMemorySlidingWindow(
+        settings.rate_limit_auth_requests, settings.rate_limit_auth_window_seconds
+    )


 def _get_client_ip(request: Request) -> str:
@@ -63,30 +144,30 @@ def _get_client_ip(request: Request) -> str:
    return request.client.host if request.client else "unknown"


-def _get_rate_limit_key(request: Request) -> tuple[str, _SlidingWindowCounter]:
+def _get_rate_limit_key(request: Request) -> tuple[str, RateLimitBackend]:
    """Determine rate limit key and which limiter to use."""
    if request.url.path.startswith("/public"):
        return f"ip:{_get_client_ip(request)}", _public_limiter

-    # For authenticated endpoints, use Bearer token as key if present
+    if request.url.path.startswith("/auth/") and request.method == "POST":
+        return f"ip:{_get_client_ip(request)}", _auth_strict_limiter
+
    auth_header = request.headers.get("authorization", "")
    if auth_header.startswith("Bearer "):
        token = auth_header[7:]
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        return f"token:{token_hash}", _auth_limiter

-    # Fallback to IP for unauthenticated non-public endpoints
    return f"ip:{_get_client_ip(request)}", _public_limiter


 class RateLimitMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
-        # Skip rate limiting when disabled (e.g. in tests) or for health checks
        if not settings.rate_limit_enabled or request.url.path == "/health":
            return await call_next(request)

        key, limiter = _get_rate_limit_key(request)
-        allowed, remaining, retry_after = limiter.is_allowed(key)
+        allowed, remaining, retry_after = await limiter.is_allowed(key)

        if not allowed:
            return JSONResponse(
@@ -1,8 +1,11 @@
 """Health check and error metrics endpoints."""

 from fastapi import APIRouter, Depends
+from sqlalchemy import text

 from cartsnitch_api.auth.dependencies import verify_service_key
+from cartsnitch_api.cache import get_redis
+from cartsnitch_api.database import get_engine
 from cartsnitch_api.middleware.error_handler import get_error_monitor

 router = APIRouter(tags=["health"])
@@ -10,7 +13,27 @@ router = APIRouter(tags=["health"])

@router.get("/health")
 async def health():
-    return {"status": "ok"}
+    engine = get_engine()
+    db_ok = False
+    redis_ok = False
+
+    try:
+        async with engine.connect() as conn:
+            await conn.execute(text("SELECT 1"))
+        db_ok = True
+    except Exception:
+        pass
+
+    try:
+        r = get_redis()
+        if r:
+            await r.ping()
+            redis_ok = True
+    except Exception:
+        pass
+
+    status = "ok" if db_ok else "degraded"
+    return {"status": status, "db": db_ok, "redis": redis_ok}


@router.get("/internal/error-stats", dependencies=[Depends(verify_service_key)])
@@ -18,10 +18,14 @@ router = APIRouter(prefix="/public", tags=["public"])


@router.get("/trends/{product_id}", response_model=PublicTrendResponse)
-async def public_price_trend(product_id: UUID, db: AsyncSession = Depends(get_db)):
+async def public_price_trend(
+    product_id: UUID,
+    days: int = Query(90, ge=1, le=365),
+    db: AsyncSession = Depends(get_db),
+):
    svc = PublicService(db)
    try:
-        return await svc.get_trend(product_id)
+        return await svc.get_trend(product_id, days=days)
    except LookupError:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="Product not found"
@@ -31,6 +35,7 @@ async def public_price_trend(product_id: UUID, db: AsyncSession = Depends(get_db
@router.get("/store-comparison", response_model=PublicStoreComparisonResponse)
 async def public_store_comparison(
    product_ids: Annotated[list[UUID], Query(max_length=20)],
+    category: str | None = Query(None, max_length=100, pattern=r"^[a-zA-Z0-9 _-]+$"),
    db: AsyncSession = Depends(get_db),
 ):
    if not product_ids:
@@ -39,10 +44,14 @@ async def public_store_comparison(
            detail="At least one product_id is required",
        )
    svc = PublicService(db)
-    return await svc.get_store_comparison(product_ids)
+    return await svc.get_store_comparison(product_ids, category=category)


@router.get("/inflation", response_model=PublicInflationResponse)
-async def public_inflation(db: AsyncSession = Depends(get_db)):
+async def public_inflation(
+    category: str | None = Query(None, max_length=100, pattern=r"^[a-zA-Z0-9 _-]+$"),
+    period: str = Query("all-time", pattern=r"^(all-time|1y|6m|3m|1m)$"),
+    db: AsyncSession = Depends(get_db),
+):
    svc = PublicService(db)
-    return await svc.get_inflation()
+    return await svc.get_inflation(category=category, period=period)
@@ -1,5 +1,6 @@
 """Public service — unauthenticated price transparency endpoints."""

+from datetime import date, timedelta
 from uuid import UUID

 from sqlalchemy import and_, func, select
@@ -13,7 +14,7 @@ class PublicService:
    def __init__(self, db: AsyncSession) -> None:
        self.db = db

-    async def get_trend(self, product_id: UUID) -> dict:
+    async def get_trend(self, product_id: UUID, days: int = 90) -> dict:
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

        result = await self.db.execute(
@@ -23,9 +24,13 @@ class PublicService:
        if not product:
            raise LookupError("Product not found")

+        date_threshold = date.today() - timedelta(days=days)
        prices_result = await self.db.execute(
            select(PriceHistory)
-            .where(PriceHistory.normalized_product_id == product_id)
+            .where(
+                PriceHistory.normalized_product_id == product_id,
+                PriceHistory.observed_date >= date_threshold,
+            )
            .options(selectinload(PriceHistory.store))
            .order_by(PriceHistory.observed_date)
        )
@@ -45,20 +50,25 @@ class PublicService:
            ],
        }

-    async def get_store_comparison(self, product_ids: list[UUID]) -> dict:
+    async def get_store_comparison(
+        self, product_ids: list[UUID], category: str | None = None
+    ) -> dict:
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

        if not product_ids:
            return {"products": []}

-        # Fetch all products in one query
-        prod_result = await self.db.execute(
-            select(NormalizedProduct).where(NormalizedProduct.id.in_(product_ids))
-        )
+        product_query = select(NormalizedProduct).where(NormalizedProduct.id.in_(product_ids))
+        if category:
+            product_query = product_query.where(NormalizedProduct.category == category)
+        prod_result = await self.db.execute(product_query)
        products_by_id = {p.id: p for p in prod_result.scalars().all()}

-        # Latest prices for all requested products in one query
-        subq = latest_price_per_store(product_ids)
+        if not products_by_id:
+            return {"products": []}
+
+        filtered_product_ids = list(products_by_id.keys())
+        subq = latest_price_per_store(filtered_product_ids)
        prices_result = await self.db.execute(
            select(PriceHistory)
            .join(
@@ -69,18 +79,17 @@ class PublicService:
                    PriceHistory.normalized_product_id == subq.c.normalized_product_id,
                ),
            )
-            .where(PriceHistory.normalized_product_id.in_(product_ids))
+            .where(PriceHistory.normalized_product_id.in_(filtered_product_ids))
            .options(selectinload(PriceHistory.store))
        )
        all_prices = prices_result.scalars().all()

-        # Group by product
        prices_by_product: dict[UUID, list] = {}
        for ph in all_prices:
            prices_by_product.setdefault(ph.normalized_product_id, []).append(ph)

        products = []
-        for pid in product_ids:
+        for pid in filtered_product_ids:
            product = products_by_id.get(pid)
            if not product:
                continue
@@ -102,19 +111,29 @@ class PublicService:

        return {"products": products}

-    async def get_inflation(self) -> dict:
+    async def get_inflation(self, category: str | None = None, period: str = "all-time") -> dict:
        """Aggregate price change stats. Compares average prices across periods."""
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

-        # Get average prices grouped by category for recent vs older data
-        result = await self.db.execute(
-            select(
-                NormalizedProduct.category,
-                func.avg(PriceHistory.regular_price),
-            )
-            .join(NormalizedProduct)
-            .group_by(NormalizedProduct.category)
-        )
+        date_threshold = None
+        if period != "all-time":
+            days_map = {"1y": 365, "6m": 180, "3m": 90, "1m": 30}
+            days = days_map.get(period, 365)
+            date_threshold = date.today() - timedelta(days=days)
+
+        query = select(
+            NormalizedProduct.category,
+            func.avg(PriceHistory.regular_price),
+        ).join(NormalizedProduct)
+
+        if category:
+            query = query.where(NormalizedProduct.category == category)
+        if date_threshold:
+            query = query.where(PriceHistory.observed_date >= date_threshold)
+
+        query = query.group_by(NormalizedProduct.category)
+
+        result = await self.db.execute(query)
        categories = {}
        for row in result.all():
            cat, avg_price = row
@@ -122,7 +141,7 @@ class PublicService:
                categories[cat] = float(avg_price) if avg_price else 0.0

        return {
-            "period": "all-time",
+            "period": period,
            "cartsnitch_index": sum(categories.values()) / max(len(categories), 1),
            "cpi_baseline": 100.0,
            "categories": categories,
@@ -0,0 +1,50 @@
+"""Tests for Redis/DragonflyDB caching lifecycle."""
+
+import pytest
+
+from cartsnitch_api.cache import CacheClient, close_redis, get_redis, init_redis
+
+
+@pytest.mark.asyncio
+async def test_init_redis_creates_client():
+    """Test that init_redis creates the Redis client."""
+    await init_redis()
+    try:
+        r = get_redis()
+        assert r is not None
+        await r.ping()
+    finally:
+        await close_redis()
+
+
+@pytest.mark.asyncio
+async def test_close_redis_clears_client():
+    """Test that close_redis properly closes and clears the client."""
+    await init_redis()
+    await close_redis()
+    assert get_redis() is None
+
+
+@pytest.mark.asyncio
+async def test_cache_client_get_returns_none_when_not_connected():
+    """Test that CacheClient.get returns None gracefully when Redis is down."""
+    client = CacheClient()
+    # Without init_redis, get should return None
+    result = await client.get("test-key")
+    assert result is None
+
+
+@pytest.mark.asyncio
+async def test_cache_client_set_does_not_raise_when_not_connected():
+    """Test that CacheClient.set does not raise when Redis is down."""
+    client = CacheClient()
+    # Without init_redis, set should not raise
+    await client.set("test-key", "test-value", ttl_seconds=60)
+
+
+@pytest.mark.asyncio
+async def test_cache_client_delete_does_not_raise_when_not_connected():
+    """Test that CacheClient.delete does not raise when Redis is down."""
+    client = CacheClient()
+    # Without init_redis, delete should not raise
+    await client.delete("test-key")
@@ -0,0 +1,62 @@
+"""Tests for database initialization and lifecycle."""
+
+import pytest
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+
+from cartsnitch_api.database import (
+    close_db,
+    create_db_engine,
+    get_engine,
+    init_db,
+)
+
+
+@pytest.mark.asyncio
+async def test_create_db_engine_creates_engine_with_pool_settings():
+    """Test that create_db_engine creates engine with correct pool settings."""
+    engine = create_db_engine()
+    assert engine is not None
+    pool = engine.pool
+    assert pool.size() == 10
+    assert pool._max_overflow == 20
+    await engine.dispose()
+
+
+@pytest.mark.asyncio
+async def test_init_db_sets_engine_and_factory():
+    """Test that init_db properly initializes the engine and session factory."""
+    await init_db()
+    try:
+        eng = get_engine()
+        assert eng is not None
+        from cartsnitch_api import database
+
+        assert database.async_session_factory is not None
+    finally:
+        await close_db()
+
+
+@pytest.mark.asyncio
+async def test_close_db_disposes_engine():
+    """Test that close_db properly disposes the engine."""
+    await init_db()
+    await close_db()
+    assert get_engine() is None
+    from cartsnitch_api import database
+
+    assert database.async_session_factory is None
+
+
+@pytest.mark.asyncio
+async def test_get_db_yields_session_after_init():
+    """Test that get_db yields working sessions after init_db."""
+    await init_db()
+    try:
+        from cartsnitch_api.database import get_db
+
+        gen = get_db()
+        session = await gen.__anext__()
+        assert isinstance(session, AsyncSession)
+        await gen.aclose()
+    finally:
+        await close_db()
@@ -1,49 +1,184 @@
 """Tests for rate limiting middleware."""

-from unittest.mock import MagicMock
+import time
+from unittest.mock import AsyncMock, MagicMock, patch

 import pytest

-from cartsnitch_api.middleware.rate_limit import _SlidingWindowCounter, _get_rate_limit_key
+from cartsnitch_api.config import settings
+from cartsnitch_api.middleware.rate_limit import (
+    InMemorySlidingWindow,
+    RedisSlidingWindow,
+    _get_client_ip,
+    _get_rate_limit_key,
+)


-class TestSlidingWindowCounter:
+class TestInMemorySlidingWindow:
    def test_allows_within_limit(self):
-        counter = _SlidingWindowCounter(max_requests=5, window_seconds=60)
+        limiter = InMemorySlidingWindow(max_requests=5, window_seconds=60)
        for i in range(5):
-            allowed, remaining, retry = counter.is_allowed("test-key")
+            allowed, remaining, retry = limiter.is_allowed("test-key")
            assert allowed is True
            assert remaining == 4 - i

    def test_blocks_over_limit(self):
-        counter = _SlidingWindowCounter(max_requests=3, window_seconds=60)
+        limiter = InMemorySlidingWindow(max_requests=3, window_seconds=60)
        for _ in range(3):
-            counter.is_allowed("test-key")
+            limiter.is_allowed("test-key")

-        allowed, remaining, retry = counter.is_allowed("test-key")
+        allowed, remaining, retry = limiter.is_allowed("test-key")
        assert allowed is False
        assert remaining == 0
        assert retry > 0

    def test_separate_keys(self):
-        counter = _SlidingWindowCounter(max_requests=2, window_seconds=60)
-        # Fill key-a
-        counter.is_allowed("key-a")
-        counter.is_allowed("key-a")
-        allowed_a, _, _ = counter.is_allowed("key-a")
+        limiter = InMemorySlidingWindow(max_requests=2, window_seconds=60)
+        limiter.is_allowed("key-a")
+        limiter.is_allowed("key-a")
+        allowed_a, _, _ = limiter.is_allowed("key-a")
        assert allowed_a is False

-        # key-b should still be allowed
-        allowed_b, remaining, _ = counter.is_allowed("key-b")
+        allowed_b, remaining, _ = limiter.is_allowed("key-b")
        assert allowed_b is True
        assert remaining == 1

+    def test_resets_after_window_expires(self):
+        limiter = InMemorySlidingWindow(max_requests=2, window_seconds=1)
+        for _ in range(2):
+            limiter.is_allowed("test-key")
+        allowed, remaining, _ = limiter.is_allowed("test-key")
+        assert allowed is False
+
+        time.sleep(1.1)
+        allowed, remaining, _ = limiter.is_allowed("test-key")
+        assert allowed is True
+        assert remaining == 1
+
+
+class TestGetClientIp:
+    def test_x_forwarded_for_single(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_x_forwarded_for_multiple(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1, 10.0.0.1, 172.16.0.1"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_x_forwarded_for_with_port(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1:8080"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_no_forwarded_header(self):
+        req = MagicMock()
+        req.headers = {}
+        req.client.host = "127.0.0.1"
+        assert _get_client_ip(req) == "127.0.0.1"
+
+    def test_no_client(self):
+        req = MagicMock()
+        req.headers = {}
+        req.client = None
+        assert _get_client_ip(req) == "unknown"
+
+
+class TestGetRateLimitKey:
+    def _make_request(
+        self,
+        path: str = "/purchases",
+        method: str = "GET",
+        auth_header: str = "",
+        headers: dict | None = None,
+    ) -> MagicMock:
+        req = MagicMock()
+        req.url.path = path
+        req.method = method
+        req.headers = dict(headers) if headers else {}
+        if auth_header:
+            req.headers["authorization"] = auth_header
+        return req
+
+    def test_public_path_uses_public_limiter(self):
+        req = self._make_request("/public/inflation")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_requests
+
+    def test_auth_post_path_uses_strict_limiter(self):
+        req = self._make_request("/auth/login", method="POST")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_auth_requests
+        assert limiter.window_seconds == settings.rate_limit_auth_window_seconds
+
+    def test_auth_get_path_uses_auth_limiter(self):
+        req = self._make_request("/auth/me", method="GET")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_requests * 5
+
+    def test_authenticated_token_uses_auth_limiter(self):
+        req = self._make_request("/purchases", auth_header="Bearer token123")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("token:")
+        assert limiter.max_requests == settings.rate_limit_requests * 5
+
+    def test_distinct_tokens_produce_distinct_keys(self):
+        req1 = self._make_request("/purchases", auth_header="Bearer token_alpha_12345")
+        req2 = self._make_request("/purchases", auth_header="Bearer token_beta_67890")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 != key2
+
+    def test_same_token_produces_same_key(self):
+        req1 = self._make_request("/purchases", auth_header="Bearer same_token_value_abc")
+        req2 = self._make_request("/purchases", auth_header="Bearer same_token_value_abc")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 == key2
+
+    def test_key_does_not_contain_raw_token_suffix(self):
+        raw_token = "my_secret_jwt_token_xyz"
+        req = self._make_request("/purchases", auth_header=f"Bearer {raw_token}")
+        key, _ = _get_rate_limit_key(req)
+        assert raw_token[-16:] not in key
+        assert raw_token not in key
+
+
+class TestRedisSlidingWindowFallback:
+    @pytest.mark.asyncio
+    async def test_fallback_on_redis_connection_error(self):
+        mock_redis = AsyncMock()
+        mock_redis.pipeline.return_value = AsyncMock()
+        pipe_mock = AsyncMock()
+        pipe_mock.execute.side_effect = Exception("Connection refused")
+        mock_redis.pipeline.return_value = pipe_mock
+
+        limiter = RedisSlidingWindow(mock_redis, max_requests=5, window_seconds=60)
+        allowed, remaining, retry = await limiter.is_allowed("test-key")
+        assert allowed is True
+        assert remaining == 4
+
+    @pytest.mark.asyncio
+    async def test_fallback_on_redis_error_during_pipeline(self):
+        mock_redis = AsyncMock()
+        pipe_mock = AsyncMock()
+        pipe_mock.execute.side_effect = Exception("Redis error")
+        mock_redis.pipeline.return_value = pipe_mock
+
+        limiter = RedisSlidingWindow(mock_redis, max_requests=3, window_seconds=60)
+        allowed, remaining, retry = await limiter.is_allowed("test-key")
+        assert allowed is True
+

@pytest.mark.asyncio
 async def test_rate_limit_returns_429(client):
-    """Public endpoint should return 429 after limit exceeded."""
-    # The default limit is 60/min — we won't hit it in normal tests,
-    # but we verify the middleware adds rate limit headers.
    resp = await client.get("/public/inflation")
    assert "x-ratelimit-limit" in resp.headers
    assert "x-ratelimit-remaining" in resp.headers
@@ -51,36 +186,6 @@ async def test_rate_limit_returns_429(client):

@pytest.mark.asyncio
 async def test_health_skips_rate_limit(client):
-    """Health endpoint should not have rate limit headers."""
    resp = await client.get("/health")
    assert resp.status_code == 200
    assert "x-ratelimit-limit" not in resp.headers
-
-
-class TestGetRateLimitKey:
-    def _make_request(self, auth_header: str = "") -> MagicMock:
-        req = MagicMock()
-        req.url.path = "/purchases"
-        req.headers = {"authorization": auth_header} if auth_header else {}
-        return req
-
-    def test_distinct_tokens_produce_distinct_keys(self):
-        req1 = self._make_request("Bearer token_alpha_12345")
-        req2 = self._make_request("Bearer token_beta_67890")
-        key1, _ = _get_rate_limit_key(req1)
-        key2, _ = _get_rate_limit_key(req2)
-        assert key1 != key2
-
-    def test_same_token_produces_same_key(self):
-        req1 = self._make_request("Bearer same_token_value_abc")
-        req2 = self._make_request("Bearer same_token_value_abc")
-        key1, _ = _get_rate_limit_key(req1)
-        key2, _ = _get_rate_limit_key(req2)
-        assert key1 == key2
-
-    def test_key_does_not_contain_raw_token_suffix(self):
-        raw_token = "my_secret_jwt_token_xyz"
-        req = self._make_request(f"Bearer {raw_token}")
-        key, _ = _get_rate_limit_key(req)
-        assert raw_token[-16:] not in key
-        assert raw_token not in key
@@ -0,0 +1,77 @@
+"""Tests for health check endpoint."""
+
+import pytest
+from unittest.mock import AsyncMock, patch
+
+from cartsnitch_api.database import init_db, close_db
+
+
+@pytest.mark.asyncio
+async def test_health_returns_db_and_redis_fields(client):
+    """Test that health endpoint returns db and redis status fields."""
+    from cartsnitch_api.cache import init_redis, close_redis
+
+    await init_db()
+    await init_redis()
+
+    try:
+        response = await client.get("/health")
+        assert response.status_code == 200
+        data = response.json()
+        assert "status" in data
+        assert "db" in data
+        assert "redis" in data
+    finally:
+        await close_redis()
+        await close_db()
+
+
+@pytest.mark.asyncio
+async def test_health_returns_degraded_when_db_down():
+    """Test that health returns degraded when database is down."""
+    from cartsnitch_api.database import _engine
+    from cartsnitch_api.routes.health import health
+
+    # Simulate engine is None (DB not initialized)
+    with patch("cartsnitch_api.routes.health.get_engine", return_value=None):
+        response = await health()
+        assert response["status"] == "degraded"
+        assert response["db"] is False
+
+
+@pytest.mark.asyncio
+async def test_health_returns_ok_when_db_up(client):
+    """Test that health returns ok when database is up."""
+    from cartsnitch_api.database import init_db, close_db
+    from cartsnitch_api.cache import init_redis, close_redis
+
+    await init_db()
+    await init_redis()
+
+    try:
+        response = await client.get("/health")
+        assert response.status_code == 200
+        data = response.json()
+        if data["db"]:
+            assert data["status"] == "ok"
+    finally:
+        await close_redis()
+        await close_db()
+
+
+@pytest.mark.asyncio
+async def test_health_redis_down_does_not_make_unhealthy(client):
+    """Test that Redis being down does not make health return unhealthy."""
+    from cartsnitch_api.database import init_db, close_db
+
+    await init_db()
+
+    try:
+        response = await client.get("/health")
+        data = response.json()
+        # Redis being down should not make status "degraded"
+        # Only DB failure makes it degraded
+        if not data["db"]:
+            assert data["status"] == "degraded"
+    finally:
+        await close_db()
@@ -71,3 +71,97 @@ async def test_public_inflation(client, public_data):
    data = resp.json()
    assert "categories" in data
    assert "cartsnitch_index" in data
+
+
+@pytest.mark.asyncio
+async def test_trend_invalid_uuid(client):
+    resp = await client.get("/public/trends/not-a-uuid")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_zero(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=0")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_negative(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=-1")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_over_max(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=999")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_valid(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=30")
+    assert resp.status_code == 200
+    assert "product_name" in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_empty_list(client):
+    resp = await client.get("/public/store-comparison")
+    assert resp.status_code == 400
+    assert "detail" in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_category_xss(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(
+        f"/public/store-comparison?product_ids={pid}&category=<script>alert(1)</script>"
+    )
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_category_sql_injection(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/store-comparison?product_ids={pid}&category='; DROP TABLE--")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_inflation_invalid_period(client, public_data):
+    resp = await client.get("/public/inflation?period=10years")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_inflation_valid_periods(client, public_data):
+    for period in ["all-time", "1y", "6m", "3m", "1m"]:
+        resp = await client.get(f"/public/inflation?period={period}")
+        assert resp.status_code == 200, f"period={period} failed"
+
+
+@pytest.mark.asyncio
+async def test_inflation_category_too_long(client, public_data):
+    long_category = "x" * 200
+    resp = await client.get(f"/public/inflation?category={long_category}")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
@@ -9,3 +9,7 @@ DATABASE_URL=postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch

 # Port the auth service listens on
 PORT=3001
+
+# Resend email provider for transactional email
+RESEND_API_KEY=re_your_api_key_here
+FROM_EMAIL=CartSnitch <noreply@cartsnitch.com>
@@ -1,4 +1,5 @@
 FROM node:22-alpine AS builder
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci
@@ -7,6 +8,7 @@ COPY src/ src/
 RUN npm run build

 FROM node:22-alpine
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
 COPY package.json package-lock.json* ./
@@ -8,12 +8,13 @@
      "name": "@cartsnitch/auth",
      "version": "0.1.0",
      "dependencies": {
-        "bcrypt": "^5.1.1",
+        "bcrypt": "^6.0.0",
        "better-auth": "^1.2.0",
-        "pg": "^8.13.0"
+        "pg": "^8.13.0",
+        "resend": "^6.11.0"
      },
      "devDependencies": {
-        "@types/bcrypt": "^5.0.2",
+        "@types/bcrypt": "^6.0.0",
        "@types/node": "^22.0.0",
        "@types/pg": "^8.11.0",
        "tsx": "^4.19.0",
@@ -590,26 +591,6 @@
        "node": ">=18"
      }
    },
-    "node_modules/@mapbox/node-pre-gyp": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.11.tgz",
-      "integrity": "sha512-Yhlar6v9WQgUp/He7BdgzOz8lqMQ8sU+jkCq7Wx8Myc5YFJLbEe7lgui/V7G1qB1DJykHSGwreceSaD60Y0PUQ==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "detect-libc": "^2.0.0",
-        "https-proxy-agent": "^5.0.0",
-        "make-dir": "^3.1.0",
-        "node-fetch": "^2.6.7",
-        "nopt": "^5.0.0",
-        "npmlog": "^5.0.1",
-        "rimraf": "^3.0.2",
-        "semver": "^7.3.5",
-        "tar": "^6.1.11"
-      },
-      "bin": {
-        "node-pre-gyp": "bin/node-pre-gyp"
-      }
-    },
    "node_modules/@noble/ciphers": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/@noble/ciphers/-/ciphers-2.1.1.tgz",
@@ -653,6 +634,12 @@
        "node": ">=14"
      }
    },
+    "node_modules/@stablelib/base64": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@stablelib/base64/-/base64-1.0.1.tgz",
+      "integrity": "sha512-1bnPQqSxSuc3Ii6MhBysoWCg58j97aUjuCSZrGSmDxNqtytIi0k8utUenAwTZN4V5mXXYGsVUI9zeBqy+jBOSQ==",
+      "license": "MIT"
+    },
    "node_modules/@standard-schema/spec": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/@standard-schema/spec/-/spec-1.1.0.tgz",
@@ -660,9 +647,9 @@
      "license": "MIT"
    },
    "node_modules/@types/bcrypt": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-5.0.2.tgz",
-      "integrity": "sha512-6atioO8Y75fNcbmj0G7UjI9lXN2pQ/IGJ2FWT4a/btd0Lk9lQalHLKhkgKVZ3r+spnmWUKfbMi1GEe9wyHQfNQ==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-6.0.0.tgz",
+      "integrity": "sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -691,71 +678,18 @@
        "pg-types": "^2.2.0"
      }
    },
-    "node_modules/abbrev": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==",
-      "license": "ISC"
-    },
-    "node_modules/agent-base": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
-      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/aproba": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.1.0.tgz",
-      "integrity": "sha512-tLIEcj5GuR2RSTnxNKdkK0dJ/GrC7P38sUkiDmDuHfsHmbagTFAxDVIBltoklXEVIQ/f14IL8IMJ5pn9Hez1Ew==",
-      "license": "ISC"
-    },
-    "node_modules/are-we-there-yet": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-2.0.0.tgz",
-      "integrity": "sha512-Ci/qENmwHnsYo9xKIcUJN5LeDKdJ6R1Z1j9V/J5wyq8nh/mYPEpIKJbBZXtZjG04HiK7zV/p6Vs9952MrMeUIw==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "delegates": "^1.0.0",
-        "readable-stream": "^3.6.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-      "license": "MIT"
-    },
    "node_modules/bcrypt": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/bcrypt/-/bcrypt-5.1.1.tgz",
-      "integrity": "sha512-AGBHOG5hPYZ5Xl9KXzU5iKq9516yEmvCKDg3ecP5kX2aB6UqTeXZxk2ELnDgDm6BQSMlLt9rDB4LoSMx0rYwww==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/bcrypt/-/bcrypt-6.0.0.tgz",
+      "integrity": "sha512-cU8v/EGSrnH+HnxV2z0J7/blxH8gq7Xh2JFT6Aroax7UohdmiJJlxApMxtKfuI7z68NvvVcmR78k2LbT6efhRg==",
      "hasInstallScript": true,
      "license": "MIT",
      "dependencies": {
-        "@mapbox/node-pre-gyp": "^1.0.11",
-        "node-addon-api": "^5.0.0"
+        "node-addon-api": "^8.3.0",
+        "node-gyp-build": "^4.8.4"
      },
      "engines": {
-        "node": ">= 10.0.0"
+        "node": ">= 18"
      }
    },
    "node_modules/better-auth": {
@@ -883,90 +817,12 @@
        }
      }
    },
-    "node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
-    "node_modules/chownr": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz",
-      "integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/color-support": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz",
-      "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==",
-      "license": "ISC",
-      "bin": {
-        "color-support": "bin.js"
-      }
-    },
-    "node_modules/concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
-      "license": "MIT"
-    },
-    "node_modules/console-control-strings": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz",
-      "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==",
-      "license": "ISC"
-    },
-    "node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
    "node_modules/defu": {
      "version": "6.1.4",
      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
      "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
      "license": "MIT"
    },
-    "node_modules/delegates": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
-      "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==",
-      "license": "MIT"
-    },
-    "node_modules/detect-libc": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
-      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
-      "license": "MIT"
-    },
    "node_modules/esbuild": {
      "version": "0.27.4",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
@@ -1009,35 +865,11 @@
        "@esbuild/win32-x64": "0.27.4"
      }
    },
-    "node_modules/fs-minipass": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz",
-      "integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/fs-minipass/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/fs.realpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
-      "license": "ISC"
+    "node_modules/fast-sha256": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/fast-sha256/-/fast-sha256-1.3.0.tgz",
+      "integrity": "sha512-n11RGP/lrWEFI/bWdygLxhI+pVeo1ZYIVwvvPkW7azl/rOy+F3HYRZ2K5zeE9mmkhQppyv9sQFx0JM9UabnpPQ==",
+      "license": "Unlicense"
    },
    "node_modules/fsevents": {
      "version": "2.3.3",
@@ -1054,27 +886,6 @@
        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
      }
    },
-    "node_modules/gauge": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/gauge/-/gauge-3.0.2.tgz",
-      "integrity": "sha512-+5J6MS/5XksCuXq++uFRsnUd7Ovu1XenbeuIuNRJxYWjgQbPuFhT14lAvsWfqfAmnwluf1OwMjz39HjfLPci0Q==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "aproba": "^1.0.3 || ^2.0.0",
-        "color-support": "^1.1.2",
-        "console-control-strings": "^1.0.0",
-        "has-unicode": "^2.0.1",
-        "object-assign": "^4.1.1",
-        "signal-exit": "^3.0.0",
-        "string-width": "^4.2.3",
-        "strip-ansi": "^6.0.1",
-        "wide-align": "^1.1.2"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
    "node_modules/get-tsconfig": {
      "version": "4.13.7",
      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
@@ -1088,72 +899,6 @@
        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
      }
    },
-    "node_modules/glob": {
-      "version": "7.2.3",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
-      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
-      "license": "ISC",
-      "dependencies": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.1.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
-      },
-      "engines": {
-        "node": "*"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/has-unicode": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz",
-      "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==",
-      "license": "ISC"
-    },
-    "node_modules/https-proxy-agent": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
-      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "6",
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/inflight": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
-      "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
-      "license": "ISC",
-      "dependencies": {
-        "once": "^1.3.0",
-        "wrappy": "1"
-      }
-    },
-    "node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
-      "license": "ISC"
-    },
-    "node_modules/is-fullwidth-code-point": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
-      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
    "node_modules/jose": {
      "version": "6.2.2",
      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
@@ -1172,94 +917,6 @@
        "node": ">=20.0.0"
      }
    },
-    "node_modules/make-dir": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.1.0.tgz",
-      "integrity": "sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==",
-      "license": "MIT",
-      "dependencies": {
-        "semver": "^6.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/make-dir/node_modules/semver": {
-      "version": "6.3.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
-      }
-    },
-    "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^1.1.7"
-      },
-      "engines": {
-        "node": "*"
-      }
-    },
-    "node_modules/minipass": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz",
-      "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minizlib": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
-      "integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==",
-      "license": "MIT",
-      "dependencies": {
-        "minipass": "^3.0.0",
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/minizlib/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/mkdirp": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
-      "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
-      "license": "MIT",
-      "bin": {
-        "mkdirp": "bin/cmd.js"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
    "node_modules/nanostores": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/nanostores/-/nanostores-1.2.0.tgz",
@@ -1276,84 +933,23 @@
      }
    },
    "node_modules/node-addon-api": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-5.1.0.tgz",
-      "integrity": "sha512-eh0GgfEkpnoWDq+VY8OyvYhFEzBk6jIYbRKdIlyTiAXIVJ8PyBaKb0rp7oDtoddbdoHWhq8wwr+XZ81F1rpNdA==",
-      "license": "MIT"
-    },
-    "node_modules/node-fetch": {
-      "version": "2.7.0",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
-      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
+      "version": "8.7.0",
+      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-8.7.0.tgz",
+      "integrity": "sha512-9MdFxmkKaOYVTV+XVRG8ArDwwQ77XIgIPyKASB1k3JPq3M8fGQQQE3YpMOrKm6g//Ktx8ivZr8xo1Qmtqub+GA==",
      "license": "MIT",
-      "dependencies": {
-        "whatwg-url": "^5.0.0"
-      },
      "engines": {
-        "node": "4.x || >=6.0.0"
-      },
-      "peerDependencies": {
-        "encoding": "^0.1.0"
-      },
-      "peerDependenciesMeta": {
-        "encoding": {
-          "optional": true
-        }
+        "node": "^18 || ^20 || >= 21"
      }
    },
-    "node_modules/nopt": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
-      "integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
-      "license": "ISC",
-      "dependencies": {
-        "abbrev": "1"
-      },
+    "node_modules/node-gyp-build": {
+      "version": "4.8.4",
+      "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz",
+      "integrity": "sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ==",
+      "license": "MIT",
      "bin": {
-        "nopt": "bin/nopt.js"
-      },
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/npmlog": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-5.0.1.tgz",
-      "integrity": "sha512-AqZtDUWOMKs1G/8lwylVjrdYgqA4d9nu8hc+0gzRxlDb1I10+FHBGMXs6aiQHFdCUUlqH99MUMuLfzWDNDtfxw==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "are-we-there-yet": "^2.0.0",
-        "console-control-strings": "^1.1.0",
-        "gauge": "^3.0.0",
-        "set-blocking": "^2.0.0"
-      }
-    },
-    "node_modules/object-assign": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "license": "ISC",
-      "dependencies": {
-        "wrappy": "1"
-      }
-    },
-    "node_modules/path-is-absolute": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
+        "node-gyp-build": "bin.js",
+        "node-gyp-build-optional": "optional.js",
+        "node-gyp-build-test": "build-test.js"
      }
    },
    "node_modules/pg": {
@@ -1445,6 +1041,12 @@
        "split2": "^4.1.0"
      }
    },
+    "node_modules/postal-mime": {
+      "version": "2.7.4",
+      "resolved": "https://registry.npmjs.org/postal-mime/-/postal-mime-2.7.4.tgz",
+      "integrity": "sha512-0WdnFQYUrPGGTFu1uOqD2s7omwua8xaeYGdO6rb88oD5yJ/4pPHDA4sdWqfD8wQVfCny563n/HQS7zTFft+f/g==",
+      "license": "MIT-0"
+    },
    "node_modules/postgres-array": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
@@ -1484,18 +1086,25 @@
        "node": ">=0.10.0"
      }
    },
-    "node_modules/readable-stream": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
-      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
+    "node_modules/resend": {
+      "version": "6.11.0",
+      "resolved": "https://registry.npmjs.org/resend/-/resend-6.11.0.tgz",
+      "integrity": "sha512-S9gxOccfwc+E6Cr3q28Gu8NkiIjYlYPlj9rqk4zkIuzlEoh8sWu/IvJSg7U7t+o3g0Ov2IOCzcneUaCi/M/WdQ==",
      "license": "MIT",
      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
+        "postal-mime": "2.7.4",
+        "svix": "1.90.0"
      },
      "engines": {
-        "node": ">= 6"
+        "node": ">=20"
+      },
+      "peerDependencies": {
+        "@react-email/render": "*"
+      },
+      "peerDependenciesMeta": {
+        "@react-email/render": {
+          "optional": true
+        }
      }
    },
    "node_modules/resolve-pkg-maps": {
@@ -1508,78 +1117,18 @@
        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
      }
    },
-    "node_modules/rimraf": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
-      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
-      "deprecated": "Rimraf versions prior to v4 are no longer supported",
-      "license": "ISC",
-      "dependencies": {
-        "glob": "^7.1.3"
-      },
-      "bin": {
-        "rimraf": "bin.js"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
    "node_modules/rou3": {
      "version": "0.7.12",
      "resolved": "https://registry.npmjs.org/rou3/-/rou3-0.7.12.tgz",
      "integrity": "sha512-iFE4hLDuloSWcD7mjdCDhx2bKcIsYbtOTpfH5MHHLSKMOUyjqQXTeZVa289uuwEGEKFoE/BAPbhaU4B774nceg==",
      "license": "MIT"
    },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
-    "node_modules/semver": {
-      "version": "7.7.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
-      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/set-blocking": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
-      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
-      "license": "ISC"
-    },
    "node_modules/set-cookie-parser": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-3.1.0.tgz",
      "integrity": "sha512-kjnC1DXBHcxaOaOXBHBeRtltsDG2nUiUni+jP92M9gYdW12rsmx92UsfpH7o5tDRs7I1ZZPSQJQGv3UaRfCiuw==",
      "license": "MIT"
    },
-    "node_modules/signal-exit": {
-      "version": "3.0.7",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz",
-      "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==",
-      "license": "ISC"
-    },
    "node_modules/split2": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
@@ -1589,65 +1138,26 @@
        "node": ">= 10.x"
      }
    },
-    "node_modules/string_decoder": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
-      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+    "node_modules/standardwebhooks": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/standardwebhooks/-/standardwebhooks-1.0.0.tgz",
+      "integrity": "sha512-BbHGOQK9olHPMvQNHWul6MYlrRTAOKn03rOe4A8O3CLWhNf4YHBqq2HJKKC+sfqpxiBY52pNeesD6jIiLDz8jg==",
      "license": "MIT",
      "dependencies": {
-        "safe-buffer": "~5.2.0"
+        "@stablelib/base64": "^1.0.0",
+        "fast-sha256": "^1.3.0"
      }
    },
-    "node_modules/string-width": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+    "node_modules/svix": {
+      "version": "1.90.0",
+      "resolved": "https://registry.npmjs.org/svix/-/svix-1.90.0.tgz",
+      "integrity": "sha512-ljkZuyy2+IBEoESkIpn8sLM+sxJHQcPxlZFxU+nVDhltNfUMisMBzWX/UR8SjEnzoI28ZjCzMbmYAPwSTucoMw==",
      "license": "MIT",
      "dependencies": {
-        "emoji-regex": "^8.0.0",
-        "is-fullwidth-code-point": "^3.0.0",
-        "strip-ansi": "^6.0.1"
-      },
-      "engines": {
-        "node": ">=8"
+        "standardwebhooks": "1.0.0",
+        "uuid": "^10.0.0"
      }
    },
-    "node_modules/strip-ansi": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^5.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/tar": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
-      "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
-      "deprecated": "Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
-      "license": "ISC",
-      "dependencies": {
-        "chownr": "^2.0.0",
-        "fs-minipass": "^2.0.0",
-        "minipass": "^5.0.0",
-        "minizlib": "^2.1.1",
-        "mkdirp": "^1.0.3",
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/tr46": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
-      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
-      "license": "MIT"
-    },
    "node_modules/tsx": {
      "version": "4.21.0",
      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
@@ -1689,43 +1199,19 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
-      "license": "MIT"
-    },
-    "node_modules/webidl-conversions": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
-      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==",
-      "license": "BSD-2-Clause"
-    },
-    "node_modules/whatwg-url": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
-      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+    "node_modules/uuid": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
+      "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
      "license": "MIT",
-      "dependencies": {
-        "tr46": "~0.0.3",
-        "webidl-conversions": "^3.0.0"
+      "bin": {
+        "uuid": "dist/bin/uuid"
      }
    },
-    "node_modules/wide-align": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz",
-      "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==",
-      "license": "ISC",
-      "dependencies": {
-        "string-width": "^1.0.2 || 2 || 3 || 4"
-      }
-    },
-    "node_modules/wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
-      "license": "ISC"
-    },
    "node_modules/xtend": {
      "version": "4.0.2",
      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
@@ -1735,12 +1221,6 @@
        "node": ">=0.4"
      }
    },
-    "node_modules/yallist": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
-      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
-      "license": "ISC"
-    },
    "node_modules/zod": {
      "version": "4.3.6",
      "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
@@ -7,18 +7,20 @@
    "dev": "tsx watch src/index.ts",
    "build": "tsc",
    "start": "node dist/index.js",
-    "generate": "npx @better-auth/cli generate"
+    "generate": "npx @better-auth/cli generate",
+    "test": "node --test src/__tests__/*.test.ts"
  },
  "dependencies": {
+    "bcrypt": "^6.0.0",
    "better-auth": "^1.2.0",
    "pg": "^8.13.0",
-    "bcrypt": "^5.1.1"
+    "resend": "^6.11.0"
  },
  "devDependencies": {
+    "@types/bcrypt": "^6.0.0",
    "@types/node": "^22.0.0",
    "@types/pg": "^8.11.0",
-    "@types/bcrypt": "^5.0.2",
    "tsx": "^4.19.0",
    "typescript": "^5.7.0"
  }
-}
+}
@@ -0,0 +1,117 @@
+import { describe, it } from 'node:test';
+import { equal } from 'node:assert';
+import http from 'node:http';
+
+describe('Auth health endpoint', () => {
+  const startHealthServer = (poolMock) => {
+    return new Promise((resolve) => {
+      const server = http.createServer(async (req, res) => {
+        if (req.url === '/health' && req.method === 'GET') {
+          try {
+            const client = await poolMock.connect();
+            try {
+              await Promise.race([
+                client.query('SELECT 1'),
+                new Promise((_, reject) => setTimeout(() => reject(new Error('DB timeout')), 2000)),
+              ]);
+            } finally {
+              client.release();
+            }
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
+          } catch {
+            res.writeHead(503, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ status: 'error', db: 'unreachable' }));
+          }
+          return;
+        }
+        res.writeHead(404);
+        res.end();
+      });
+      server.listen(0, '0.0.0.0', () => {
+        const addr = server.address();
+        const port = typeof addr === 'object' && addr ? addr.port : 0;
+        resolve({ port, close: () => server.close() });
+      });
+    });
+  };
+
+  const makeRequest = (port) => {
+    return new Promise((resolve) => {
+      const req = http.get(`http://localhost:${port}/health`, (res) => {
+        let body = '';
+        res.on('data', (chunk) => { body += chunk; });
+        res.on('end', () => {
+          resolve({ status: res.statusCode, body });
+        });
+      });
+      req.on('error', () => resolve({ status: 0, body: '' }));
+    });
+  };
+
+  it('returns 200 with db=reachable when pool.connect succeeds', async () => {
+    const mockClient = {
+      query: async () => ({ rows: [{ 1: 1 }] }),
+      release: () => {},
+    };
+    const poolMock = {
+      connect: async () => mockClient,
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 200);
+    equal(body, '{"status":"ok","db":"reachable"}');
+  });
+
+  it('returns 503 with db=unreachable when pool.connect throws', async () => {
+    const poolMock = {
+      connect: async () => { throw new Error('connection refused'); },
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 503);
+    equal(body, '{"status":"error","db":"unreachable"}');
+  });
+
+  it('returns 503 with db=unreachable when query times out', async () => {
+    const mockClient = {
+      query: async () => {
+        await new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 3000));
+      },
+      release: () => {},
+    };
+    const poolMock = {
+      connect: async () => mockClient,
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 503);
+    equal(body, '{"status":"error","db":"unreachable"}');
+  });
+
+  it('returns a terminal response for unknown paths (no hang)', async () => {
+    const poolMock = { connect: async () => ({ query: async () => {}, release: () => {} }) };
+    const { port, close } = await startHealthServer(poolMock);
+
+    const result = await new Promise<{ status: number }>((resolve) => {
+      const req = http.get(`http://localhost:${port}/`, (res) => {
+        res.resume();
+        res.on('end', () => resolve({ status: res.statusCode ?? 0 }));
+      });
+      req.on('error', () => resolve({ status: 0 }));
+      setTimeout(() => resolve({ status: -1 }), 1000);
+    });
+    close();
+
+    equal(result.status !== -1, true, 'Unknown path must return a terminal response within 1s');
+  });
+});
@@ -1,6 +1,7 @@
 import { betterAuth } from "better-auth";
 import bcrypt from "bcrypt";
 import pg from "pg";
+import { Resend } from "resend";

 const { Pool } = pg;

@@ -17,10 +18,13 @@ if (!databaseUrl) {
  );
 }

-const pool = new Pool({
+export const pool = new Pool({
  connectionString: databaseUrl ?? "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
 });

+const resend = new Resend(process.env.RESEND_API_KEY);
+const fromEmail = process.env.FROM_EMAIL || "CartSnitch <noreply@cartsnitch.com>";
+
 export const auth = betterAuth({
  database: pool,
  basePath: "/auth",
@@ -33,7 +37,7 @@ export const auth = betterAuth({
    maxPasswordLength: 128,
    password: {
      hash: async (password: string) => {
-        return bcrypt.hash(password, 10);
+        return bcrypt.hash(password, 12);
      },
      verify: async (data: { hash: string; password: string }) => {
        return bcrypt.compare(data.password, data.hash);
@@ -41,6 +45,19 @@ export const auth = betterAuth({
    },
  },

+  emailVerification: {
+    sendOnSignUp: true,
+    autoSignInAfterVerification: true,
+    sendVerificationEmail: async ({ user, url }) => {
+      await resend.emails.send({
+        from: fromEmail,
+        to: user.email,
+        subject: "Verify your CartSnitch email",
+        html: `<p>Hi ${user.name || ""},</p><p>Click the link below to verify your email address:</p><p><a href="${url}">Verify Email</a></p><p>This link expires in 1 hour.</p><p>— CartSnitch</p>`,
+      });
+    },
+  },
+
  session: {
    modelName: "sessions",
    fields: {
@@ -103,4 +120,4 @@ export const auth = betterAuth({
    "https://cartsnitch.dev.farh.net",
    "https://cartsnitch.uat.farh.net",
  ],
-});
+});
@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import { toNodeHandler } from "better-auth/node";
-import { auth } from "./auth.js";
+import { auth, pool } from "./auth.js";

 const port = parseInt(process.env.PORT ?? "3001", 10);

@@ -8,13 +8,27 @@ const handler = toNodeHandler(auth);

 const server = createServer(async (req, res) => {
  // Health check
-  if (req.url === "/health" && req.method === "GET") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok" }));
+  if ((req.url === "/health" || req.url === "/auth/health") && req.method === "GET") {
+    try {
+      const client = await pool.connect();
+      try {
+        await Promise.race([
+          client.query("SELECT 1"),
+          new Promise((_, reject) => setTimeout(() => reject(new Error("DB timeout")), 2000)),
+        ]);
+      } finally {
+        client.release();
+      }
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "ok", db: "reachable" }));
+    } catch {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
+    }
    return;
  }

-  // All /auth/* routes handled by Better-Auth
+  // All other routes handled by Better-Auth (returns 404 for unknown paths)
  await handler(req, res);
 });

@@ -0,0 +1,28 @@
+"""Add GIN index on normalized_products.upc_variants for fast JSON containment lookups.
+
+Revision ID: 002_add_normalized_products_upc_variants_index
+Revises: 001_add_email_inbound_token
+Create Date: 2026-04-14
+"""
+
+from collections.abc import Sequence
+
+from alembic import op
+
+revision: str = "002_add_normalized_products_upc_variants_index"
+down_revision: str | None = "001_add_email_inbound_token"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.create_index(
+        "ix_normalized_products_upc_variants",
+        "normalized_products",
+        ["upc_variants"],
+        postgresql_using="gin",
+    )
+
+
+def downgrade() -> None:
+    op.drop_index("ix_normalized_products_upc_variants", table_name="normalized_products")
@@ -3,6 +3,7 @@
 from typing import TYPE_CHECKING

 from sqlalchemy import JSON, String
+from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.orm import Mapped, mapped_column, relationship

 from cartsnitch_common.constants import ProductCategory, SizeUnit
@@ -26,7 +27,9 @@ class NormalizedProduct(UUIDPrimaryKeyMixin, TimestampMixin, Base):
    brand: Mapped[str | None] = mapped_column(String(200))
    size: Mapped[str | None] = mapped_column(String(50))
    size_unit: Mapped[SizeUnit | None] = mapped_column(String(10))
-    upc_variants: Mapped[list[str] | None] = mapped_column(JSON, default=list)
+    upc_variants: Mapped[list[str] | None] = mapped_column(
+        JSON().with_variant(JSONB(), "postgresql"), default=list
+    )

    # Relationships
    purchase_items: Mapped[list["PurchaseItem"]] = relationship(back_populates="normalized_product")
@@ -0,0 +1,244 @@
+# UAT Receipt Submission Path
+
+**Issue:** [CAR-812](/CAR/issues/CAR-812)
+**Author:** Barcode Betty
+**Date:** 2026-05-04
+
+---
+
+## Overview
+
+The UAT environment supports receipt submission via **inbound email**. This is the only supported submission method in UAT — there is no public REST API surface for receipt ingestion.
+
+---
+
+## How It Works
+
+### Architecture
+
+```
+User composes email
+    ↓
+Email sent to <user_token>@cartsnitch.<env>.farh.net
+    ↓
+Mailgun webhook receives the email
+    ↓
+Email job enqueued to DragonflyDB stream: email:receipts
+    ↓
+email-worker (ReceiptWitness) consumes the job
+    ↓
+Worker resolves user via email_inbound_token lookup in DB
+    ↓
+Retailer detected from email content (meijer / kroger / target)
+    ↓
+Email parsed into Purchase + PurchaseItem records
+    ↓
+receipt.ingested event published to Redis
+    ↓
+MatchResult created with method=upc, confidence=1.0 for known UPCs
+```
+
+### Key Components
+
+| Component | Location | Role |
+|-----------|----------|------|
+| `users.email_inbound_token` | DB (migration `001_add_email_inbound_token`) | 22-char unique token per user; used as email routing identifier |
+| `email:receipts` stream | DragonflyDB | Queue holding pending email jobs |
+| `email-worker` | `receiptwitness/src/receiptwitness/worker/email_worker.py` | Async worker consuming the stream |
+| `BaseEmailParser` | `receiptwitness/src/receiptwitness/parsers/email/base.py` | Abstract parser; subclasses for meijer/kroger/target |
+| Retailer detectors | `receiptwitness/src/receiptwitness/parsers/email/detector.py` | Sifts sender/subject to pick the right parser |
+
+### Email Address Format
+
+Each user is assigned a unique inbound token. The receipt submission email address is shown in **Settings → Receipt Email** on the UI:
+
+**Address:** `receipts+<email_inbound_token>@receipts.cartsnitch.com`
+
+To find a user's token in the UAT database (requires `kubectl` access to `cartsnitch-uat`):
+
+```bash
+kubectl exec -n cartsnitch-uat deployment/cartsnitch-api -- \\
+  python -c "from cartsnitch_common.database import get_sync_session; \\
+  from cartsnitch_common.models.user import User; \\
+  from sqlalchemy import select; \\
+  s = get_sync_session('postgresql://cartsnitch:cartsnitch@cartsnitch-pg-rw:5432/cartsnitch'); \\
+  u = s.execute(select(User).where(User.email=='dottie@example.com')).scalar_one(); \\
+  print(u.email_inbound_token)"
+```
+
+---
+
+## Submitting a Test Receipt (Step-by-Step)
+
+### Prerequisites
+
+- A test user account in UAT with a known `email_inbound_token`
+- A sample receipt email with a **known UPC** from the seeded `normalized_products` table
+
+### Steps
+
+1. **Obtain the test user's inbound token.**
+   Use the UAT Settings → Receipt Email page in the UI to see the full address `receipts+<token>@receipts.cartsnitch.com`, or query the DB directly (see above).
+
+2. **Compose the email.**
+   Send to: the address shown in Settings → Receipt Email
+   Subject: anything
+   Body: plain-text or HTML receipt content
+
+3. **Expected behavior after email is processed:**
+   - A `Receipt` row is created in `purchases`
+   - `PurchaseItem` rows are created with `upc` matching the seeded product UPC
+   - A `MatchResult` is created with `method='upc'` and `confidence=1.0`
+
+---
+
+## Known UPC for Dottie (from UAT seed)
+
+> **NOTE:** `kubectl` is not available in this execution environment. The UAT seed and DB query could not be executed. The sample receipt below uses a plausible placeholder UPC. Before Dottie runs the regression:
+> 1. Run `bash scripts/seed-env.sh uat` from a machine with UAT kubecontext
+> 2. Query: `SELECT id, canonical_name, upc_variants->0->>'upc' AS sample_upc FROM normalized_products WHERE jsonb_array_length(upc_variants) > 0 LIMIT 1;`
+> 3. Replace the placeholder values below with the real captured row
+
+- `id`: **TBD — run seed and query UAT DB**
+- `name`: **TBD — run seed and query UAT DB**
+- `sample UPC`: **TBD — run seed and query UAT DB**
+
+### Meijer Sample Receipt (plain text)
+
+```
+Meijer
+===================================
+Purchase Date: 03/15/2026
+Store: Meijer #127 - Ann Arbor, MI
+-----------------------------------
+ 1 x Organic Whole Milk 1gal      $4.99
+ 1 x Whole Wheat Bread             $3.29
+ 1 x Bananas (2 lb)                $0.67
+ 1 x Chicken Breast (3 lb)        $12.47
+ 1 x Cheddar Cheese Block 8oz      $5.99
+-----------------------------------
+Subtotal:                        $27.41
+Tax:                              $1.93
+Total:                           $29.34
+===================================
+THANK YOU FOR SHOPPING MEIJER
+===================================
+```
+Meijer
+===================================
+Purchase Date: 03/15/2026
+Store: Meijer #127 - Ann Arbor, MI
+-----------------------------------
+ 1 x Organic Whole Milk 1gal      $4.99
+ 1 x Whole Wheat Bread            $3.29
+ 1 x Bananas (2 lb)               $0.67
+ 1 x Chicken Breast (3 lb)       $12.47
+ 1 x Cheddar Cheese Block 8oz     $5.99
+-----------------------------------
+Subtotal:                       $27.41
+Tax:                             $1.93
+Total:                          $29.34
+===================================
+THANK YOU FOR SHOPPING MEIJER
+===================================
+```
+
+> **Note:** The `email-worker` parses the email body and extracts line items by retailer. The exact format and field mapping depends on the retailer parser. For Meijer, the parser looks for item lines matching `(\d+) x (.+?)\s+\$([\d.]+)`. UPCs in the `upc_variants` JSONB of seeded products will be matched during the normalization step.
+
+### Kroger Sample Receipt (plain text)
+
+```
+KROGER
+===================================
+Purchase Date: 03/15/2026
+Store: KROGER #412 - Ann Arbor MI
+-----------------------------------
+ 1 Organic Whole Milk 1gal        $5.29
+ 1 Whole Wheat Bread              $3.49
+ 1 Bananas (2 lb)                 $0.69
+ 1 Chicken Breast (3 lb)         $11.99
+ 1 Sharp Cheddar Cheese 8oz       $4.99
+-----------------------------------
+Subtotal:                       $26.45
+Tax:                             $1.85
+Total:                          $28.30
+===================================
+```
+
+### Target Sample Receipt (plain text)
+
+```
+TARGET
+===================================
+03/15/2026  14:32
+Store: 0874 Ann Arbor, MI
+===================================
+ 1  Organic Whole Milk 1G         $5.49
+ 1  Whole Wheat Bread             $3.29
+ 1  Bananas LB 2                  $0.68
+ 1  Chicken Breast 3#             $12.99
+ 1  Cheddar Cheese 8OZ           $5.79
+-----------------------------------
+Subtotal:                       $28.24
+Tax (6%):                        $1.69
+Total:                          $29.93
+===================================
+```
+
+---
+
+## Troubleshooting
+
+### Email not processed
+
+1. Check the `email:receipts` stream has messages:
+   ```bash
+   kubectl exec -n cartsnitch-uat deploy/email-worker -- python -c \\
+     "import asyncio; from receiptwitness.queue.email import get_redis; \\
+     async def chk(): c = await get_redis(); info = await c.xinfo_stream('email:receipts'); print(info); \\
+     asyncio.run(chk())"
+   ```
+
+2. Check `email-worker` logs for retailer detection failures:
+   ```bash
+   kubectl logs -n cartsnitch-uat deploy/email-worker -f
+   ```
+
+3. Verify the token resolves to a user in the DB:
+   ```bash
+   kubectl exec -n cartsnitch-uat deploy/cartsnitch-api -- \\
+     python -c "from cartsnitch_common.database import get_sync_session; \\
+     from cartsnitch_common.models.user import User; \\
+     from sqlalchemy import select; \\
+     s = get_sync_session('postgresql://...'); \\
+     r = s.execute(select(User.email_inbound_token).limit(5)).all(); \\
+     print(r)"
+   ```
+
+### No MatchResult created
+
+The normalization pipeline requires a `normalized_product` row with the submitted UPC in `upc_variants`. If the seed was run, the product should be found. Check the `match_results` table after submission:
+
+```sql
+SELECT mr.*, np.canonical_name
+FROM match_results mr
+JOIN normalized_products np ON np.id = mr.normalized_product_id
+WHERE mr.match_method = 'upc'
+ORDER BY mr.created_at DESC
+LIMIT 10;
+```
+
+---
+
+## Related Files
+
+| File | Role |
+|------|------|
+| `common/alembic/versions/001_add_email_inbound_token.py` | Adds `email_inbound_token` column |
+| `receiptwitness/src/receiptwitness/worker/email_worker.py` | Consumes email jobs from stream |
+| `receiptwitness/src/receiptwitness/queue/email.py` | DragonflyDB stream consumer group |
+| `receiptwitness/src/receiptwitness/parsers/email/detector.py` | Retailer detection |
+| `receiptwitness/src/receiptwitness/parsers/email/meijer.py` | Meijer email parser |
+| `receiptwitness/src/receiptwitness/parsers/email/kroger.py` | Kroger email parser |
+| `receiptwitness/src/receiptwitness/parsers/email/target.py` | Target email parser |
+| `docs/uat-runbook.md` | UAT runbook (defect classification, entry/exit criteria) |
@@ -1,4 +1,4 @@
-import { test as base, expect } from "@playwright/test";
+import { test as base, expect, type Page } from "@playwright/test";
 import AxeBuilder from "@axe-core/playwright";

 export const test = base.extend<{ axeCheck: void }>({
@@ -10,3 +10,91 @@ export const test = base.extend<{ axeCheck: void }>({
 });

 export { expect } from "@playwright/test";
+
+const MOCK_USER_ID = "mock_user_123";
+const MOCK_SESSION_ID = "mock_session_456";
+
+async function mockAuthRoutes(page: Page, authenticated = false) {
+  await page.route(/.*\/auth\/sign-up\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        token: null,
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  await page.route(/.*\/auth\/sign-in\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        redirect: false,
+        token: "mock_token_123",
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  await page.route(/.*\/auth\/get-session.*/, async (route) => {
+    if (authenticated) {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          session: {
+            id: MOCK_SESSION_ID,
+            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+            ipAddress: null,
+            userAgent: null,
+          },
+          user: {
+            id: MOCK_USER_ID,
+            email: "mock@cartsnitch.test",
+            name: "Mock User",
+            emailVerified: true,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+          },
+        }),
+      });
+    } else {
+      await route.fulfill({
+        status: 401,
+        contentType: "application/json",
+        body: JSON.stringify({ error: "Unauthorized" }),
+      });
+    }
+  });
+}
+
+export async function mockSessionDelayed(page: Page, delayMs = 3000) {
+  await page.route(/.*\/auth\/get-session.*/, async (route) => {
+    await new Promise((r) => setTimeout(r, delayMs));
+    await route.fulfill({
+      status: 401,
+      contentType: "application/json",
+      body: JSON.stringify({ error: "Unauthorized" }),
+    });
+  });
+}
+
+export { mockAuthRoutes };
@@ -1,18 +1,19 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';

 const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;

 test.describe('J1: Registration and Login', () => {
-  test('can register a new account and lands on dashboard', async ({ page }) => {
+  test('shows success message after registration', async ({ page }) => {
+    await mockAuthRoutes(page, false);
    await page.goto('/register');
    await page.fill('[placeholder="Full Name"]', 'Betty Tester');
    await page.fill('[placeholder="Email"]', uniqueEmail());
    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
    await page.click('button[type="submit"]');

-    // With VITE_MOCK_AUTH=true the app navigates to "/" on success
-    await expect(page).toHaveURL('http://localhost:5173/');
-    await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
+    // Registration now shows "Account created! Please sign in." message
+    await expect(page.locator('.bg-red-50')).toContainText('Account created! Please sign in.');
  });

  test('shows validation error when registration fields are empty', async ({ page }) => {
@@ -30,23 +31,18 @@ test.describe('J1: Registration and Login', () => {
    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
  });

-  test('can sign in with credentials and land on dashboard', async ({ page }) => {
-    // Register first so we have a real account
+  test('can sign in with valid credentials', async ({ page }) => {
+    await mockAuthRoutes(page, true);
    const email = uniqueEmail();
    await page.goto('/register');
    await page.fill('[placeholder="Full Name"]', 'Login Betty');
    await page.fill('[placeholder="Email"]', email);
    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
    await page.click('button[type="submit"]');
-    await expect(page).toHaveURL('http://localhost:5173/');
+    await expect(page.locator('.bg-red-50')).toContainText('Account created! Please sign in.');

-    // Sign out by clearing the mock session (reload with no session)
-    await page.goto('/');
-    await page.reload();
-
-    // Now sign in
    await page.goto('/login');
-    await page.fill('[placeholder="Email"]', email);
+    await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
    await page.fill('[placeholder="Password"]', 'TestPass123!');
    await page.click('button[type="submit"]');

@@ -1,9 +1,9 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes, mockSessionDelayed } from '../fixtures';

 test.describe('J8: Unauthenticated Access', () => {
  test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
-    // No session cookie — start fresh
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
    await page.goto('/');

    await expect(page).toHaveURL(/\/login/);
@@ -11,7 +11,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /purchases to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
    await page.goto('/purchases');

    await expect(page).toHaveURL(/\/login/);
@@ -19,7 +19,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /products to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
    await page.goto('/products');

    await expect(page).toHaveURL(/\/login/);
@@ -27,7 +27,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /coupons to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
    await page.goto('/coupons');

    await expect(page).toHaveURL(/\/login/);
@@ -35,15 +35,9 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('shows loading spinner while auth session is pending', async ({ page }) => {
-    // Intercept but don't respond — session stays pending
-    await page.context().clearCookies();
-    await page.request.fetch('/api/auth/session', {
-      method: 'GET',
-    });
-
-    // Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
+    await mockSessionDelayed(page, 3000);
    await page.goto('/purchases');
-    // Spinner is visible briefly; once resolved, should redirect to login
+    await expect(page.locator('.animate-spin')).toBeVisible({ timeout: 2000 });
    await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
  });
 });
@@ -1,8 +1,8 @@
-import { test, expect } from './fixtures';
+import { test, expect, mockAuthRoutes } from './fixtures';

 test('app loads', async ({ page }) => {
+  await mockAuthRoutes(page, false);
  await page.goto('/');
-  // Unauthenticated users are redirected to /login
  await expect(page).toHaveURL(/\/login/);
  await expect(page.getByRole('heading', { name: /CartSnitch/i })).toBeVisible();
 });
@@ -38,7 +38,7 @@
        "tailwindcss": "^4.0.0",
        "typescript": "^5.7.3",
        "typescript-eslint": "^8.56.1",
-        "vite": "^6.3.5",
+        "vite": "^6.4.2",
        "vite-plugin-pwa": "^0.21.2",
        "vitest": "^3.2.4"
      }
@@ -1867,6 +1867,40 @@
        "node": ">=18"
      }
    },
+    "node_modules/@emnapi/core": {
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
+      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/wasi-threads": "1.2.1",
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
+      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/wasi-threads": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
+      "integrity": "sha512-uTII7OYF+/Mes/MrcIOYp5yOtSMLBWSIoLPpcgwipoiKbli6k322tcoFsxoIIxPDqW01SQGAgko4EzZi2BNv2w==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
    "node_modules/@esbuild/aix-ppc64": {
      "version": "0.25.12",
      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz",
@@ -2669,6 +2703,25 @@
        "node": ">=18"
      }
    },
+    "node_modules/@napi-rs/wasm-runtime": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.3.tgz",
+      "integrity": "sha512-xK9sGVbJWYb08+mTJt3/YV24WxvxpXcXtP6B172paPZ+Ts69Re9dAr7lKwJoeIx8OoeuimEiRZ7umkiUVClmmQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@tybys/wasm-util": "^0.10.1"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      },
+      "peerDependencies": {
+        "@emnapi/core": "^1.7.1",
+        "@emnapi/runtime": "^1.7.1"
+      }
+    },
    "node_modules/@noble/ciphers": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/@noble/ciphers/-/ciphers-2.1.1.tgz",
@@ -3659,6 +3712,17 @@
        }
      }
    },
+    "node_modules/@tybys/wasm-util": {
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz",
+      "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
    "node_modules/@types/aria-query": {
      "version": "5.0.4",
      "resolved": "https://registry.npmjs.org/@types/aria-query/-/aria-query-5.0.4.tgz",
@@ -4166,33 +4230,6 @@
        "url": "https://opencollective.com/vitest"
      }
    },
-    "node_modules/@vitest/mocker": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.4.tgz",
-      "integrity": "sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==",
-      "devOptional": true,
-      "license": "MIT",
-      "dependencies": {
-        "@vitest/spy": "3.2.4",
-        "estree-walker": "^3.0.3",
-        "magic-string": "^0.30.17"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      },
-      "peerDependencies": {
-        "msw": "^2.4.9",
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
-      },
-      "peerDependenciesMeta": {
-        "msw": {
-          "optional": true
-        },
-        "vite": {
-          "optional": true
-        }
-      }
-    },
    "node_modules/@vitest/pretty-format": {
      "version": "3.2.4",
      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-3.2.4.tgz",
@@ -8127,9 +8164,9 @@
      }
    },
    "node_modules/postcss": {
-      "version": "8.5.8",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
-      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
+      "version": "8.5.13",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz",
+      "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==",
      "devOptional": true,
      "funding": [
        {
@@ -9473,6 +9510,14 @@
        "typescript": ">=4.8.4"
      }
    },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "dev": true,
+      "license": "0BSD",
+      "optional": true
+    },
    "node_modules/type-check": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -10020,6 +10065,33 @@
        }
      }
    },
+    "node_modules/vitest/node_modules/@vitest/mocker": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.4.tgz",
+      "integrity": "sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==",
+      "devOptional": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/spy": "3.2.4",
+        "estree-walker": "^3.0.3",
+        "magic-string": "^0.30.17"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "msw": "^2.4.9",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "msw": {
+          "optional": true
+        },
+        "vite": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/w3c-xmlserializer": {
      "version": "5.0.0",
      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
@@ -43,7 +43,7 @@
    "tailwindcss": "^4.0.0",
    "typescript": "^5.7.3",
    "typescript-eslint": "^8.56.1",
-    "vite": "^6.3.5",
+    "vite": "^6.4.2",
    "vite-plugin-pwa": "^0.21.2",
    "vitest": "^3.2.4"
  },
@@ -9,7 +9,7 @@ export default defineConfig({
    },
  ],
  webServer: {
-    command: 'VITE_MOCK_AUTH=true npm run dev',
+    command: 'npm run dev',
    url: 'http://localhost:5173',
    reuseExistingServer: !process.env.CI,
  },
@@ -5,7 +5,8 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-RUN apt-get update && apt-get install -y --no-install-recommends \
+ARG APT_CACHE_BUST=1
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -25,7 +26,8 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
-RUN apt-get update && apt-get install -y --no-install-recommends \
+ARG APT_CACHE_BUST=1
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
@@ -11,7 +11,7 @@ dependencies = [
    "cartsnitch-common>=0.1.0",
    "playwright>=1.49,<2.0",
    "playwright-stealth>=1.0,<2.0",
-    "cryptography>=42.0,<44.0",
+    "cryptography>=46.0,<47.0",
    "fastapi>=0.115,<1.0",
    "uvicorn[standard]>=0.30,<1.0",
    "beautifulsoup4>=4.12,<5.0",
@@ -5,12 +5,14 @@ Matches products across retailers by:
 2. Fuzzy name matching via token-based Jaccard similarity (lower confidence)
 """

+import json
 import re
 from dataclasses import dataclass
 from enum import StrEnum

 from cartsnitch_common.models.product import NormalizedProduct
-from sqlalchemy import select
+from sqlalchemy import cast, func, select, String
+from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.orm import Session


@@ -96,17 +98,24 @@ def jaccard_similarity(a: str, b: str) -> float:
 def match_by_upc(session: Session, upc: str) -> MatchResult | None:
    """Find a normalized product by exact UPC match.

-    Loads products with upc_variants and checks membership in Python
-    for cross-database compatibility (works on both PostgreSQL and SQLite).
+    Uses PostgreSQL JSONB containment (@>) for production efficiency.
+    Falls back to LIKE on SQLite for test compatibility.
    """
-    # TODO: Use PostgreSQL JSON containment query (@>) for production.
-    # Current approach loads all products into memory — acceptable for tests
-    # and small datasets, but will not scale.
-    stmt = select(NormalizedProduct).where(NormalizedProduct.upc_variants.is_not(None))
-    products = session.execute(stmt).scalars().all()
-    for product in products:
-        if product.upc_variants and upc in product.upc_variants:
-            return MatchResult(product=product, confidence=1.0, method=MatchMethod.UPC)
+    dialect_name = session.bind.dialect.name if session.bind else "default"
+    if dialect_name == "postgresql":
+        stmt = select(NormalizedProduct).where(
+            cast(NormalizedProduct.upc_variants, JSONB).op("@>")(
+                func.cast(json.dumps([upc]), JSONB)
+            )
+        )
+    else:
+        stmt = select(NormalizedProduct).where(
+            NormalizedProduct.upc_variants.is_not(None),
+            cast(NormalizedProduct.upc_variants, String).contains(upc),
+        )
+    product = session.execute(stmt).scalars().first()
+    if product:
+        return MatchResult(product=product, confidence=1.0, method=MatchMethod.UPC)
    return None


@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# =============================================================================
+# apply-seed-job.sh — Apply the seed Job manifest for a given environment.
+#
+# Usage:
+#   ./apply-seed-job.sh <env>
+#
+# Example:
+#   ./apply-seed-job.sh uat
+#   ./apply-seed-job.sh dev
+# =============================================================================
+
+set -euo pipefail
+
+ENV="${1:-}"
+HELP_FLAG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --help) HELP_FLAG="1"; shift ;;
+    *) ENV="$1"; shift ;;
+  esac
+done
+
+if [[ -n "$HELP_FLAG" ]] || [[ -z "$ENV" ]]; then
+  echo "Usage: $0 <env>"
+  echo "  env   dev or uat"
+  exit 0
+fi
+
+if [[ "$ENV" != "dev" && "$ENV" != "uat" ]]; then
+  echo "ERROR: Invalid environment: $ENV (must be 'dev' or 'uat')" >&2
+  exit 1
+fi
+
+SCRIPT_DIR="$(dirname "$0")"
+sed "s/__ENV__/${ENV}/g" "${SCRIPT_DIR}/seed-env-job.yaml" | kubectl apply -f -
+echo "Seed job applied for environment: $ENV"
@@ -58,4 +58,4 @@ spec:
              memory: 256Mi
            limits:
              cpu: 500m
-              memory: 512Mi
+              memory: 512Mi
@@ -1,104 +1,3 @@
 #!/usr/bin/env bash
-# =============================================================================
-# seed-dev.sh — Run the CartSnitch seed runner against the dev database.
-#
-# Usage:
-#   ./seed-dev.sh              Run full seed against dev
-#   ./seed-dev.sh --dry-run    Show planned record counts without writing
-#   ./seed-dev.sh --help       Show this help
-#
-# Prerequisites:
-#   - kubectl configured for the cartsnitch-dev cluster
-#   - Namespace cartsnitch-dev exists (CNPG Postgres must be running)
-#
-# What it does:
-#   1. Starts a background port-forward to cartsnitch-pg-rw:5432
-#   2. Waits for the tunnel to be ready
-#   3. Runs python -m cartsnitch_common.seed with --database-url pointing
-#      to localhost:<forwarded-port>/cartsnitch
-#   4. Cleans up the port-forward on exit (normal, interrupt, or error)
-# =============================================================================
-
-set -euo pipefail
-
-# --- Config -------------------------------------------------------------------
-readonly NAMESPACE="cartsnitch-dev"
-readonly SVC_NAME="cartsnitch-pg-rw"
-readonly LOCAL_PORT="5433"          # use a non-privileged port to avoid conflicts
-readonly DB_NAME="cartsnitch"
-readonly PG_USER="cartsnitch"
-# Retrieve password from the CNPG credentials secret
-readonly PG_PASSWORD="$(
-  kubectl get secret cartsnitch-pg-credentials \
-    -n "$NAMESPACE" \
-    -o jsonpath='{.data.password}' \
-  | base64 -d
-)"
-readonly DB_URL="postgresql://${PG_USER}:${PG_PASSWORD}@localhost:${LOCAL_PORT}/${DB_NAME}"
-
-# --- Helpers ------------------------------------------------------------------
-log()  { echo "[seed-dev] $*"; }
-fail() { log "ERROR: $*" >&2; exit 1; }
-
-# Cleanup port-forward and exit.
-cleanup() {
-  if [[ -n "${PF_PID:-}" ]]; then
-    log "Stopping port-forward (PID $PF_PID)..."
-    kill "$PF_PID" 2>/dev/null || true
-    wait "$PF_PID" 2>/dev/null || true
-  fi
-}
-trap cleanup EXIT
-
-# --- Args ---------------------------------------------------------------------
-DRY_RUN=""
-HELP_FLAG=""
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --dry-run)  DRY_RUN="--dry-run"; shift ;;
-    --help)     HELP_FLAG="1"; shift ;;
-    *)          fail "Unknown argument: $1";;
-  esac
-done
-
-if [[ -n "$HELP_FLAG" ]]; then
-  sed -n '3,/^# ---/p' "$0" | head -n -1 | sed 's/^# //'
-  echo ""
-  echo "Additional arguments are passed through to the seed runner."
-  echo "Common seed-runner options:"
-  echo "  --dry-run          Show planned record counts without writing"
-  echo "  --seed N           Set random seed (default: 42)"
-  exit 0
-fi
-
-# --- Prerequisites ------------------------------------------------------------
-if ! command -v kubectl &>/dev/null; then
-  fail "kubectl not found — must be installed and configured."
-fi
-
-# --- Port-forward -------------------------------------------------------------
-log "Starting port-forward ${SVC_NAME}:5432 -> localhost:${LOCAL_PORT} ..."
-kubectl port-forward \
-  -n "$NAMESPACE" \
-  svc/"$SVC_NAME" \
-  "${LOCAL_PORT}:5432" \
-  &>/dev/null &
-PF_PID=$!
-
-# Give the tunnel a moment to establish
-sleep 2
-
-# Verify the tunnel is up
-if ! kill -0 "$PF_PID" 2>/dev/null; then
-  fail "Port-forward failed to start."
-fi
-log "Port-forward active (PID $PF_PID) on localhost:${LOCAL_PORT}"
-
-# --- Seed --------------------------------------------------------------------
-log "Running seed against dev database..."
-set -x
-python -m cartsnitch_common.seed --database-url "$DB_URL" $DRY_RUN
-set +x
-
-log "Done."
+# Backward-compat wrapper — delegates to seed-env.sh dev
+exec "$(dirname "$0")/seed-env.sh" dev "$@"
@@ -0,0 +1,58 @@
+# seed-env-job.yaml
+# K8s Job to run the CartSnitch seed runner against any CartSnitch database.
+#
+# Usage (via apply-seed-job.sh):
+#   bash scripts/apply-seed-job.sh dev
+#   bash scripts/apply-seed-job.sh uat
+#
+# To view logs:
+#   kubectl logs -n cartsnitch-<env> job/seed-env -f
+#
+# To re-run after fixing issues:
+#   kubectl delete -f - -n cartsnitch-<env> && bash scripts/apply-seed-job.sh <env>
+#
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: seed-env
+  namespace: cartsnitch-__ENV__
+  labels:
+    app: cartsnitch
+    component: seed
+    environment: __ENV__
+  annotations:
+    description: "Runs cartsnitch-common seed runner to populate __ENV__ database with realistic test data."
+spec:
+  backoffLimit: 0
+  concurrencyPolicy: Forbid
+  template:
+    metadata:
+      labels:
+        app: cartsnitch
+        component: seed
+        environment: __ENV__
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: seed
+          image: python:3.12-slim
+          command:
+            - sh
+            - -c
+            - |
+              pip install --no-cache-dir "cartsnitch-common @ git+https://github.com/cartsnitch/common.git@main" && \
+              python -m cartsnitch_common.seed --database-url "$${DATABASE_URL}"
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: cartsnitch-secrets
+                  key: database-url-pg
+                  optional: false
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+# =============================================================================
+# seed-env.sh — Run the CartSnitch seed runner against any CartSnitch database.
+#
+# Usage:
+#   ./seed-env.sh [--env dev|uat] [--dry-run] [--help]
+#   ./seed-env.sh uat --dry-run   Run dry-run against UAT
+#   ./seed-env.sh dev            Run full seed against dev (default)
+#
+# Prerequisites:
+#   - kubectl configured for the target cluster
+#   - Namespace cartsnitch-<env> exists (CNPG Postgres must be running)
+#
+# What it does:
+#   1. Starts a background port-forward to cartsnitch-pg-rw:5432
+#   2. Waits for the tunnel to be ready
+#   3. Runs python -m cartsnitch_common.seed with --database-url pointing
+#      to localhost:<forwarded-port>/cartsnitch
+#   4. Cleans up the port-forward on exit (normal, interrupt, or error)
+# =============================================================================
+
+set -euo pipefail
+
+# --- Config -------------------------------------------------------------------
+ENV="dev"
+if [[ "${1:-}" == "dev" || "${1:-}" == "uat" ]]; then
+  ENV="$1"; shift
+fi
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --env) ENV="$2"; shift 2 ;;
+    --dry-run|--help) break ;;
+    *) break ;;
+  esac
+done
+
+NAMESPACE="cartsnitch-${ENV}"
+SVC_NAME="cartsnitch-pg-rw"
+LOCAL_PORT="5433"
+DB_NAME="cartsnitch"
+PG_USER="cartsnitch"
+PG_PASSWORD="$(
+  kubectl get secret cartsnitch-pg-credentials \
+    -n "$NAMESPACE" \
+    -o jsonpath='{.data.password}' \
+  | base64 -d
+)"
+DB_URL="postgresql://${PG_USER}:${PG_PASSWORD}@localhost:${LOCAL_PORT}/${DB_NAME}"
+
+# --- Helpers ------------------------------------------------------------------
+log()  { echo "[seed-env] [$ENV] $*"; }
+fail() { log "ERROR: $*" >&2; exit 1; }
+
+cleanup() {
+  if [[ -n "${PF_PID:-}" ]]; then
+    log "Stopping port-forward (PID $PF_PID)..."
+    kill "$PF_PID" 2>/dev/null || true
+    wait "$PF_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+# --- Args ---------------------------------------------------------------------
+DRY_RUN=""
+HELP_FLAG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --dry-run)  DRY_RUN="--dry-run"; shift ;;
+    --help)     HELP_FLAG="1"; shift ;;
+    *)          fail "Unknown argument: $1";;
+  esac
+done
+
+if [[ -n "$HELP_FLAG" ]]; then
+  echo "Usage: $0 [--env dev|uat] [--dry-run] [--help]"
+  echo ""
+  echo "Positional / keyword arguments:"
+  echo "  --env dev|uat    Target environment (default: dev)"
+  echo "  --dry-run        Show planned record counts without writing"
+  echo "  --help           Show this help"
+  echo ""
+  echo "Additional arguments are passed through to the seed runner."
+  echo "Common seed-runner options:"
+  echo "  --seed N         Set random seed (default: 42)"
+  exit 0
+fi
+
+# --- Validate env --------------------------------------------------------------
+if [[ "$ENV" != "dev" && "$ENV" != "uat" ]]; then
+  fail "Invalid environment: $ENV (must be 'dev' or 'uat')"
+fi
+
+# --- Prerequisites ------------------------------------------------------------
+if ! command -v kubectl &>/dev/null; then
+  fail "kubectl not found — must be installed and configured."
+fi
+
+# --- Port-forward -------------------------------------------------------------
+log "Starting port-forward ${SVC_NAME}:5432 -> localhost:${LOCAL_PORT} ..."
+kubectl port-forward \
+  -n "$NAMESPACE" \
+  svc/"$SVC_NAME" \
+  "${LOCAL_PORT}:5432" \
+  &>/dev/null &
+PF_PID=$!
+
+sleep 2
+
+if ! kill -0 "$PF_PID" 2>/dev/null; then
+  fail "Port-forward failed to start."
+fi
+log "Port-forward active (PID $PF_PID) on localhost:${LOCAL_PORT}"
+
+# --- Seed --------------------------------------------------------------------
+log "Running seed against ${ENV} database..."
+set -x
+python -m cartsnitch_common.seed --database-url "$DB_URL" $DRY_RUN
+set +x
+
+log "Done."
@@ -15,6 +15,7 @@ import { AccountLinking } from './pages/AccountLinking.tsx'
 import { Login } from './pages/Login.tsx'
 import { Register } from './pages/Register.tsx'
 import { ForgotPassword } from './pages/ForgotPassword.tsx'
+import { VerifyEmail } from './pages/VerifyEmail.tsx'

 const queryClient = new QueryClient({
  defaultOptions: {
@@ -47,6 +48,7 @@ export default function App() {
          <Route path="login" element={<Login />} />
          <Route path="register" element={<Register />} />
          <Route path="forgot-password" element={<ForgotPassword />} />
+          <Route path="verify-email" element={<VerifyEmail />} />
        </Routes>
      </BrowserRouter>
    </QueryClientProvider>
@@ -1,25 +1,8 @@
-import { useEffect } from 'react'
 import { Navigate, Outlet } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'
-import { useAuthStore } from '../stores/auth.ts'

 export function ProtectedRoute() {
-  const isMockAuth = import.meta.env.VITE_MOCK_AUTH === 'true'
  const { data: session, isPending } = authClient.useSession()
-  const isAuthenticated = useAuthStore((s) => s.isAuthenticated)
-  const setAuthenticated = useAuthStore((s) => s.setAuthenticated)
-
-  useEffect(() => {
-    if (!isMockAuth) {
-      setAuthenticated(!!session)
-    }
-  }, [session, setAuthenticated, isMockAuth])
-
-  // In mock auth mode, rely on Zustand store (set by Login/Register pages)
-  if (isMockAuth) {
-    if (!isAuthenticated) return <Navigate to="/login" replace />
-    return <Outlet />
-  }

  if (isPending) {
    return (
@@ -126,7 +126,7 @@ function AlertCard({
          </Link>
          <div className="mt-1 flex items-center gap-2">
            <span className="text-xs text-gray-500">Target: ${alert.targetPrice.toFixed(2)}</span>
-            <span className="text-xs text-gray-400">&middot;</span>
+            <span className="text-xs text-gray-500">&middot;</span>
            <span className={`text-xs font-medium ${isBelow ? 'text-green-700' : 'text-gray-500'}`}>
              Now: ${alert.currentPrice.toFixed(2)}
            </span>
@@ -145,7 +145,7 @@ function AlertCard({
          )}
          <button
            onClick={() => onDelete(alert.id)}
-            className="min-h-12 min-w-12 rounded-lg p-2 text-gray-400 active:bg-gray-100"
+            className="min-h-12 min-w-12 rounded-lg p-2 text-gray-500 active:bg-gray-100"
            aria-label="Delete alert"
          >
            <svg className="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
@@ -62,7 +62,7 @@ export function Coupons() {
                  <p className="mt-0.5 text-xs text-gray-500">{coupon.storeName}</p>
                  <p
                    className={`mt-1 text-xs ${
-                      expiringSoon ? 'font-medium text-orange-600' : 'text-gray-400'
+                      expiringSoon ? 'font-medium text-orange-600' : 'text-gray-500'
                    }`}
                  >
                    Expires{' '}
@@ -79,21 +79,21 @@ function AuthenticatedDashboard({ userName }: { userName: string }) {
        <div className="rounded-xl bg-white p-4 shadow-sm">
          <p className="text-xs font-medium text-gray-500">Watching</p>
          <p className="mt-1 text-2xl font-bold text-gray-900">{watchingAlerts.length}</p>
-          <p className="text-xs text-gray-400">price alerts</p>
+          <p className="text-xs text-gray-600">price alerts</p>
        </div>
        <div className="rounded-xl bg-white p-4 shadow-sm">
          <p className="text-xs font-medium text-gray-500">This Month</p>
          <p className="mt-1 text-2xl font-bold text-gray-900">
            ${recentPurchases.reduce((sum, p) => sum + p.total, 0).toFixed(0)}
          </p>
-          <p className="text-xs text-gray-400">grocery spend</p>
+          <p className="text-xs text-gray-600">grocery spend</p>
        </div>
      </div>

      {/* Price trend sparklines */}
      <section className="mt-6">
        <h2 className="mb-3 text-lg font-semibold text-gray-700">Price Trends</h2>
-        <div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-400">
+        <div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-600">
          Connect a store to see price trends
        </div>
      </section>
@@ -1,15 +1,12 @@
 import { useState } from 'react'
-import { Link, useNavigate } from 'react-router-dom'
+import { Link } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'
-import { useAuthStore } from '../stores/auth.ts'

 export function Login() {
  const [email, setEmail] = useState('')
  const [password, setPassword] = useState('')
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
-  const navigate = useNavigate()
-  const setAuthenticated = useAuthStore((s) => s.setAuthenticated)

  async function handleSubmit(e: React.FormEvent) {
    e.preventDefault()
@@ -31,21 +28,17 @@ export function Login() {
        throw new Error(authError.message ?? 'Sign in failed')
      }

-      // After successful signIn, force a session fetch to confirm the cookie is set
-      // before navigating to the protected route
+      // After successful signIn, force a full page reload so Better-Auth's
+      // useSession() reinitializes with fresh cookie-backed session state.
+      // Using React Router's navigate() races with Better-Auth's internal update.
      const sessionResult = await authClient.getSession()
      if (sessionResult.data) {
-        navigate('/')
+        window.location.href = '/'
      } else {
        setError('Sign in failed. Please try again.')
      }
    } catch {
-      if (import.meta.env.VITE_MOCK_AUTH === 'true') {
-        setAuthenticated(true)
-        navigate('/')
-      } else {
-        setError('Invalid email or password. Please try again.')
-      }
+      setError('Invalid email or password. Please try again.')
    } finally {
      setLoading(false)
    }
@@ -100,4 +93,4 @@ export function Login() {
      </p>
    </main>
  )
-}
+}
@@ -97,7 +97,7 @@ export function Purchases() {
              </div>

              {/* Item preview */}
-              <p className="mt-2 truncate text-xs text-gray-400">
+              <p className="mt-2 truncate text-xs text-gray-500">
                {purchase.items
                  .slice(0, 3)
                  .map((i) => i.name)
@@ -1,7 +1,6 @@
 import { useState } from 'react'
-import { Link, useNavigate } from 'react-router-dom'
+import { Link } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'
-import { useAuthStore } from '../stores/auth.ts'

 export function Register() {
  const [name, setName] = useState('')
@@ -9,8 +8,6 @@ export function Register() {
  const [password, setPassword] = useState('')
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
-  const navigate = useNavigate()
-  const setAuthenticated = useAuthStore((s) => s.setAuthenticated)

  async function handleSubmit(e: React.FormEvent) {
    e.preventDefault()
@@ -38,22 +35,9 @@ export function Register() {
        throw new Error(authError.message ?? 'Registration failed')
      }

-      // After successful signUp, force a session fetch to confirm the cookie is set
-      // before navigating to the protected route
-      const sessionResult = await authClient.getSession()
-      if (sessionResult.data) {
-        navigate('/')
-      } else {
-        // Session not established — show success message and link to login
-        setError('Account created! Please sign in.')
-      }
+      setError('Account created! Please sign in.')
    } catch {
-      if (import.meta.env.VITE_MOCK_AUTH === 'true') {
-        setAuthenticated(true)
-        navigate('/')
-      } else {
-        setError('Registration failed. Please try again.')
-      }
+      setError('Registration failed. Please try again.')
    } finally {
      setLoading(false)
    }
@@ -153,7 +153,7 @@ export function Settings() {
              {copied ? 'Copied!' : 'Copy'}
            </button>
          </div>
-          <p className="mt-2 text-xs text-gray-400">
+          <p className="mt-2 text-xs text-gray-500">
            Supports Meijer, Kroger, and Target receipt emails.
          </p>
        </div>
@@ -89,7 +89,7 @@ export function StoreComparison() {
                {pp.price === lowestPrice ? (
                  <span className="text-xs font-medium text-green-600">Best price</span>
                ) : (
-                  <span className="text-xs text-gray-400">
+                  <span className="text-xs text-gray-500">
                    +${(pp.price - lowestPrice).toFixed(2)}
                  </span>
                )}
@@ -99,7 +99,7 @@ export function StoreComparison() {
        ))}
      </div>

-      <p className="mt-6 text-center text-xs text-gray-400">
+      <p className="mt-6 text-center text-xs text-gray-500">
        Prices last verified from store loyalty card data. Map view coming soon.
      </p>
    </div>
@@ -0,0 +1,113 @@
+import { useEffect, useState } from "react";
+import { useNavigate, useSearchParams } from "react-router-dom";
+import { authClient } from "../lib/auth-client.ts";
+
+export function VerifyEmail() {
+  const [searchParams] = useSearchParams();
+  const navigate = useNavigate();
+  const [status, setStatus] = useState<"verifying" | "success" | "error">("verifying");
+  const [resendEmail, setResendEmail] = useState("");
+  const [showResend, setShowResend] = useState(false);
+  const [resending, setResending] = useState(false);
+  const [resendMessage, setResendMessage] = useState("");
+
+  useEffect(() => {
+    const token = searchParams.get("token");
+    const callbackURL = searchParams.get("callbackURL") || "/";
+
+    if (!token) {
+      setStatus("error");
+      return;
+    }
+
+    authClient.verifyEmail({ query: { token } })
+      .then(() => {
+        setStatus("success");
+        setTimeout(() => {
+          navigate(callbackURL);
+        }, 2000);
+      })
+      .catch(() => {
+        setStatus("error");
+      });
+  }, [searchParams, navigate]);
+
+  async function handleResend() {
+    if (!resendEmail) {
+      setResendMessage("Please enter your email address.");
+      return;
+    }
+
+    setResending(true);
+    setResendMessage("");
+
+    try {
+      const { error } = await authClient.sendVerificationEmail({ email: resendEmail });
+      if (error) {
+        setResendMessage("Failed to resend. Please try again.");
+      } else {
+        setResendMessage("Verification email sent!");
+        setShowResend(false);
+      }
+    } finally {
+      setResending(false);
+    }
+  }
+
+  return (
+    <div className="flex min-h-screen flex-col items-center justify-center px-4">
+      {status === "verifying" && (
+        <>
+          <div className="mb-4 h-8 w-8 animate-spin rounded-full border-4 border-gray-200 border-t-brand-blue" />
+          <h1 className="mb-2 text-2xl font-bold text-gray-900">Verifying your email...</h1>
+          <p className="text-sm text-gray-500">Please wait while we verify your email address.</p>
+        </>
+      )}
+
+      {status === "success" && (
+        <>
+          <h1 className="mb-2 text-2xl font-bold text-gray-900">Email verified!</h1>
+          <p className="text-sm text-gray-500">Redirecting you shortly...</p>
+        </>
+      )}
+
+      {status === "error" && (
+        <>
+          <h1 className="mb-2 text-2xl font-bold text-gray-900">Verification failed</h1>
+          <p className="mb-6 text-sm text-gray-500">The verification link may have expired or is invalid.</p>
+
+          {!showResend ? (
+            <button
+              type="button"
+              onClick={() => setShowResend(true)}
+              className="min-h-12 rounded-xl bg-brand-blue px-6 py-3 text-base font-medium text-white active:bg-brand-blue/90"
+            >
+              Resend verification email
+            </button>
+          ) : (
+            <div className="w-full max-w-sm space-y-4">
+              <input
+                type="email"
+                placeholder="Your email address"
+                value={resendEmail}
+                onChange={(e) => setResendEmail(e.target.value)}
+                className="min-h-12 w-full rounded-xl border border-gray-200 px-4 text-base focus:border-brand-blue focus:outline-none focus:ring-1 focus:ring-brand-blue"
+              />
+              <button
+                type="button"
+                onClick={handleResend}
+                disabled={resending}
+                className="min-h-12 w-full rounded-xl bg-brand-blue px-4 py-3 text-base font-medium text-white active:bg-brand-blue/90 disabled:opacity-60"
+              >
+                {resending ? "Sending..." : "Send verification email"}
+              </button>
+              {resendMessage && (
+                <p className="text-sm text-gray-500">{resendMessage}</p>
+              )}
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  );
+}
@@ -7,6 +7,6 @@ export default defineConfig({
    environment: 'jsdom',
    globals: true,
    setupFiles: ['./src/test/setup.ts'],
-    exclude: ['e2e/**', 'node_modules/**'],
+    exclude: ['e2e/**', 'auth/**', 'node_modules/**'],
  },
 })