fix: upgrade bcrypt and filter unfixed CVEs in Grype scans

Merge pull request #206 from cartsnitch/fix/car-620-grype-only-fixed
fix: add only-fixed flag to Grype scans to skip unfixable CVEs
2026-04-15 00:51:53 +00:00 · 2026-04-15 00:46:10 +00:00 · 2026-04-15 00:28:56 +00:00 · 2026-04-14 23:57:40 +00:00 · 2026-04-14 23:51:42 +00:00 · 2026-04-14 23:25:17 +00:00
42 changed files with 1202 additions and 787 deletions
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main]
+    branches: [main, dev, uat]
  pull_request:
-    branches: [main]
+    branches: [main, dev, uat]

 concurrency:
  group: ci-${{ github.ref }}
@@ -13,6 +13,7 @@ concurrency:
 permissions:
  contents: write
  packages: write
+  security-events: write

 env:
  REGISTRY: ghcr.io
@@ -99,10 +100,11 @@ jobs:

  build-and-push:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -126,14 +128,14 @@ jobs:
          echo "CalVer tag: $VERSION"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -146,21 +148,48 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Scan frontend image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload frontend scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: prod
+          cache-from: type=gha
+
      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
@@ -169,10 +198,11 @@ jobs:

  build-and-push-auth:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -195,14 +225,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -215,25 +245,55 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push auth Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./auth
          file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan auth image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload auth scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./auth
+          file: ./auth/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha

  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -251,14 +311,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -271,25 +331,55 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push receiptwitness image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan receiptwitness image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload receiptwitness scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha

  build-and-push-api:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -307,14 +397,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -327,23 +417,52 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push API Docker image
+      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan api image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload api scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha

  deploy-dev:
    runs-on: runners-cartsnitch
    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
      - name: Generate GitHub App token
        id: app-token
@@ -368,29 +487,65 @@ jobs:
      - name: Install kustomize
        uses: imranismail/setup-kustomize@v2

+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update auth image tag
        if: needs.build-and-push-auth.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update receiptwitness image tag
        if: needs.build-and-push-receiptwitness.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update api image tag
        if: needs.build-and-push-api.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
@@ -405,7 +560,7 @@ jobs:
  deploy-uat:
    runs-on: runners-cartsnitch
    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
      - name: Generate GitHub App token
        id: app-token
@@ -430,29 +585,65 @@ jobs:
      - name: Install kustomize
        uses: imranismail/setup-kustomize@v2

+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update auth image tag
        if: needs.build-and-push-auth.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update receiptwitness image tag
        if: needs.build-and-push-receiptwitness.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update api image tag
        if: needs.build-and-push-api.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
@@ -1,6 +1,6 @@
 # Stage 1: Build
 FROM node:20-alpine AS build
-
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app

 COPY package.json package-lock.json ./
@@ -11,6 +11,9 @@ RUN npm run build

 # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
 FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
+USER root
+RUN apk update && apk upgrade --no-cache
+USER 101

 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
@@ -1,6 +1,6 @@
 FROM python:3.12-slim AS build

-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -12,10 +12,14 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
 COPY --from=build /install /usr/local
 COPY src/ ./src/
+COPY alembic.ini ./
+COPY alembic/ ./alembic/

 USER 1000
 EXPOSE 8000
@@ -23,4 +27,4 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=3s \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"

-CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["sh", "-c", "python -m alembic upgrade head && uvicorn cartsnitch_api.main:app --host 0.0.0.0 --port 8000"]
@@ -18,7 +18,7 @@ if not db_url:
        "CARTSNITCH_DATABASE_URL_SYNC must be set. "
        "Example: postgresql://user:pass@localhost:5432/cartsnitch"
    )
-config.set_main_option("sqlalchemy.url", db_url)
+config.set_main_option("sqlalchemy.url", db_url.replace("%", "%%"))

 target_metadata = Base.metadata

@@ -31,6 +31,7 @@ def run_migrations_offline() -> None:
        target_metadata=target_metadata,
        literal_binds=True,
        dialect_opts={"paramstyle": "named"},
+        version_table_column_width=128,
    )
    with context.begin_transaction():
        context.run_migrations()
@@ -44,9 +45,20 @@ def run_migrations_online() -> None:
        poolclass=pool.NullPool,
    )
    with connectable.connect() as connection:
-        context.configure(connection=connection, target_metadata=target_metadata)
+        context.configure(connection=connection, target_metadata=target_metadata, version_table_column_width=128)
        with context.begin_transaction():
            context.run_migrations()
+        # Create any tables defined in models but not yet created by migrations.
+        # This bootstraps fresh databases that have no legacy schema.
+        # checkfirst=True ensures this is a no-op on existing databases.
+        try:
+            Base.metadata.create_all(bind=connection, checkfirst=True)
+            connection.commit()
+        except Exception as exc:
+            import logging
+            logging.getLogger("alembic.env").warning(
+                "create_all failed (non-fatal, migrations should handle table creation): %s", exc
+            )


 if context.is_offline_mode():
@@ -33,6 +33,21 @@ def _is_fernet_token(value: str) -> bool:


 def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    # Fresh DB — table created by Base.metadata.create_all with correct TEXT type
+    if not inspector.has_table("user_store_accounts"):
+        return
+
+    # Already migrated? Skip if session_data is already TEXT (not JSON)
+    cols = {c["name"]: c for c in inspector.get_columns("user_store_accounts")}
+    if "session_data" not in cols:
+        return
+    col_type = str(cols["session_data"]["type"]).lower()
+    if "text" in col_type and "json" not in col_type:
+        return  # already TEXT — nothing to do
+
    # Change column type from JSON to TEXT to hold Fernet ciphertext
    op.alter_column(
        "user_store_accounts",
@@ -43,7 +58,6 @@ def upgrade() -> None:
        postgresql_using="session_data::text",
    )

-    conn = op.get_bind()
    rows = conn.execute(
        text("SELECT id, session_data FROM user_store_accounts WHERE session_data IS NOT NULL")
    ).fetchall()
@@ -21,81 +21,94 @@ depends_on = None


 def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
    # --- Extend users table for Better-Auth compatibility ---
-    op.add_column("users", sa.Column("email_verified", sa.Boolean(), nullable=False, server_default="false"))
-    op.add_column("users", sa.Column("image", sa.Text(), nullable=True))
+    # Guard: on a fresh DB Base.metadata.create_all (called in env.py after migrations)
+    # creates the users table with all columns, so migration 002 must not re-run add_column.
+    if inspector.has_table("users"):
+        existing_user_cols = [c["name"] for c in inspector.get_columns("users")]
+        if "email_verified" not in existing_user_cols:
+            op.add_column("users", sa.Column("email_verified", sa.Boolean(), nullable=False, server_default="false"))
+        if "image" not in existing_user_cols:
+            op.add_column("users", sa.Column("image", sa.Text(), nullable=True))

    # --- Create sessions table ---
-    op.create_table(
-        "sessions",
-        sa.Column("id", sa.Text(), nullable=False),
-        sa.Column("token", sa.Text(), nullable=False),
-        sa.Column("user_id", sa.Text(), nullable=False),
-        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
-        sa.Column("ip_address", sa.Text(), nullable=True),
-        sa.Column("user_agent", sa.Text(), nullable=True),
-        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index("ix_sessions_token", "sessions", ["token"], unique=True)
-    op.create_index("ix_sessions_user_id", "sessions", ["user_id"])
+    if not inspector.has_table("sessions"):
+        op.create_table(
+            "sessions",
+            sa.Column("id", sa.Text(), nullable=False),
+            sa.Column("token", sa.Text(), nullable=False),
+            sa.Column("user_id", sa.Text(), nullable=False),
+            sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+            sa.Column("ip_address", sa.Text(), nullable=True),
+            sa.Column("user_agent", sa.Text(), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.PrimaryKeyConstraint("id"),
+        )
+        op.create_index("ix_sessions_token", "sessions", ["token"], unique=True)
+        op.create_index("ix_sessions_user_id", "sessions", ["user_id"])

    # --- Create accounts table ---
-    op.create_table(
-        "accounts",
-        sa.Column("id", sa.Text(), nullable=False),
-        sa.Column("user_id", sa.Text(), nullable=False),
-        sa.Column("account_id", sa.Text(), nullable=False),
-        sa.Column("provider_id", sa.Text(), nullable=False),
-        sa.Column("access_token", sa.Text(), nullable=True),
-        sa.Column("refresh_token", sa.Text(), nullable=True),
-        sa.Column("access_token_expires_at", sa.DateTime(timezone=True), nullable=True),
-        sa.Column("refresh_token_expires_at", sa.DateTime(timezone=True), nullable=True),
-        sa.Column("scope", sa.Text(), nullable=True),
-        sa.Column("id_token", sa.Text(), nullable=True),
-        sa.Column("password", sa.Text(), nullable=True),
-        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index("ix_accounts_user_id", "accounts", ["user_id"])
+    if not inspector.has_table("accounts"):
+        op.create_table(
+            "accounts",
+            sa.Column("id", sa.Text(), nullable=False),
+            sa.Column("user_id", sa.Text(), nullable=False),
+            sa.Column("account_id", sa.Text(), nullable=False),
+            sa.Column("provider_id", sa.Text(), nullable=False),
+            sa.Column("access_token", sa.Text(), nullable=True),
+            sa.Column("refresh_token", sa.Text(), nullable=True),
+            sa.Column("access_token_expires_at", sa.DateTime(timezone=True), nullable=True),
+            sa.Column("refresh_token_expires_at", sa.DateTime(timezone=True), nullable=True),
+            sa.Column("scope", sa.Text(), nullable=True),
+            sa.Column("id_token", sa.Text(), nullable=True),
+            sa.Column("password", sa.Text(), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.PrimaryKeyConstraint("id"),
+        )
+        op.create_index("ix_accounts_user_id", "accounts", ["user_id"])

    # --- Create verifications table ---
-    op.create_table(
-        "verifications",
-        sa.Column("id", sa.Text(), nullable=False),
-        sa.Column("identifier", sa.Text(), nullable=False),
-        sa.Column("value", sa.Text(), nullable=False),
-        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
-        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
-        sa.PrimaryKeyConstraint("id"),
-    )
+    if not inspector.has_table("verifications"):
+        op.create_table(
+            "verifications",
+            sa.Column("id", sa.Text(), nullable=False),
+            sa.Column("identifier", sa.Text(), nullable=False),
+            sa.Column("value", sa.Text(), nullable=False),
+            sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.PrimaryKeyConstraint("id"),
+        )

    # --- Migrate existing password hashes to accounts table ---
-    # For each user with a hashed_password, create a 'credential' account row
-    conn = op.get_bind()
-    users = conn.execute(
-        text("SELECT id, hashed_password FROM users WHERE hashed_password IS NOT NULL")
-    ).fetchall()
+    # Only run on existing (non-fresh) DBs that already have users table with data
+    if inspector.has_table("users"):
+        users = conn.execute(
+            text("SELECT id, hashed_password FROM users WHERE hashed_password IS NOT NULL")
+        ).fetchall()

-    for user_id, hashed_password in users:
-        user_id_str = str(user_id)
-        conn.execute(
-            text(
-                "INSERT INTO accounts (id, user_id, account_id, provider_id, password, created_at, updated_at) "
-                "VALUES (gen_random_uuid()::text, :user_id, :account_id, 'credential', :password, now(), now())"
-            ),
-            {"user_id": user_id_str, "account_id": user_id_str, "password": hashed_password},
-        )
+        for user_id, hashed_password in users:
+            user_id_str = str(user_id)
+            conn.execute(
+                text(
+                    "INSERT INTO accounts (id, user_id, account_id, provider_id, password, created_at, updated_at) "
+                    "VALUES (gen_random_uuid()::text, :user_id, :account_id, 'credential', :password, now(), now())"
+                ),
+                {"user_id": user_id_str, "account_id": user_id_str, "password": hashed_password},
+            )


 def downgrade() -> None:
-    op.drop_table("verifications")
-    op.drop_table("accounts")
-    op.drop_index("ix_sessions_user_id", table_name="sessions")
-    op.drop_index("ix_sessions_token", table_name="sessions")
-    op.drop_table("sessions")
-    op.drop_column("users", "image")
-    op.drop_column("users", "email_verified")
+    op.execute(text("DROP INDEX IF EXISTS ix_accounts_user_id"))
+    op.execute(text("DROP TABLE IF EXISTS verifications"))
+    op.execute(text("DROP TABLE IF EXISTS accounts"))
+    op.execute(text("DROP INDEX IF EXISTS ix_sessions_user_id"))
+    op.execute(text("DROP INDEX IF EXISTS ix_sessions_token"))
+    op.execute(text("DROP TABLE IF EXISTS sessions"))
+    op.execute(text("ALTER TABLE users DROP COLUMN IF EXISTS image"))
+    op.execute(text("ALTER TABLE users DROP COLUMN IF EXISTS email_verified"))
@@ -19,8 +19,25 @@ depends_on = None


 def upgrade() -> None:
-    op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=True)
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    # Fresh DB — nothing to alter
+    if not inspector.has_table("users"):
+        return
+
+    cols = {c["name"]: c for c in inspector.get_columns("users")}
+    if "hashed_password" in cols and not cols["hashed_password"]["nullable"]:
+        op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=True)


 def downgrade() -> None:
-    op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=False)
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    if not inspector.has_table("users"):
+        return
+
+    cols = {c["name"]: c for c in inspector.get_columns("users")}
+    if "hashed_password" in cols and cols["hashed_password"]["nullable"]:
+        op.alter_column("users", "hashed_password", existing_type=sa.String(255), nullable=False)
@@ -25,7 +25,21 @@ depends_on = None


 def upgrade() -> None:
-    # Step 1: Drop existing FK constraints
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    # Fresh DB — no tables yet, nothing to convert
+    if not inspector.has_table("users"):
+        return
+
+    # Check if already TEXT (Base.metadata.create_all uses TEXT for fresh DB)
+    users_cols = {c["name"]: c for c in inspector.get_columns("users")}
+    if "id" in users_cols:
+        id_type = str(users_cols["id"]["type"]).lower()
+        if "text" in id_type and "uuid" not in id_type:
+            return  # already TEXT — nothing to do
+
+    # Step 1: Drop existing FK constraints (ignore if they don't exist)
    op.execute(text("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey"))
    op.execute(text("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey"))

@@ -18,6 +18,15 @@ depends_on = None


 def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    # Guard: on a fresh DB Base.metadata.create_all creates users table with the column already present
+    if not inspector.has_table("users"):
+        return
+    existing_cols = [c["name"] for c in inspector.get_columns("users")]
+    if "email_inbound_token" in existing_cols:
+        return
+
    # Add column nullable first so existing rows can be backfilled
    op.add_column(
        "users",
@@ -25,11 +34,10 @@ def upgrade() -> None:
    )

    # Backfill existing users with unique tokens
-    connection = op.get_bind()
-    result = connection.execute(sa.text("SELECT id FROM users WHERE email_inbound_token IS NULL"))
+    result = conn.execute(sa.text("SELECT id FROM users WHERE email_inbound_token IS NULL"))
    for (user_id,) in result:
        token = secrets.token_urlsafe(16)
-        connection.execute(
+        conn.execute(
            sa.text("UPDATE users SET email_inbound_token = :token WHERE id = :id"),
            {"token": token, "id": user_id},
        )
@@ -0,0 +1,42 @@
+"""Add server_default to users.email_inbound_token.
+
+Revision ID: 006_email_inbound_token_server_default
+Revises: 005_add_email_inbound_token
+Create Date: 2026-04-04
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "006_email_inbound_token_server_default"
+down_revision = "005_add_email_inbound_token"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    # Guard: on a fresh DB Base.metadata.create_all already sets the server_default
+    if not inspector.has_table("users"):
+        return
+    cols = {c["name"]: c for c in inspector.get_columns("users")}
+    if "email_inbound_token" not in cols:
+        return
+    if cols["email_inbound_token"].get("default") is not None:
+        return
+    op.alter_column(
+        "users",
+        "email_inbound_token",
+        server_default=sa.text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+        ),
+    )
+
+
+def downgrade() -> None:
+    op.alter_column(
+        "users",
+        "email_inbound_token",
+        server_default=None,
+    )
@@ -0,0 +1,47 @@
+"""Bootstrap users table on fresh databases.
+
+On fresh databases, migrations 001-006 skip users-table operations because
+the table does not exist yet. Base.metadata.create_all() in env.py is meant
+to handle this, but if it fails (import errors, etc.) the table is never
+created. This migration creates the users table with raw SQL as a safety net.
+
+Revision ID: 007_bootstrap_users_table
+Revises: 006_email_inbound_token_server_default
+Create Date: 2026-04-04
+"""
+
+import sqlalchemy as sa
+from sqlalchemy import text
+
+from alembic import op
+
+revision = "007_bootstrap_users_table"
+down_revision = "006_email_inbound_token_server_default"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    if inspector.has_table("users"):
+        return  # Table already exists (non-fresh DB or create_all already ran)
+
+    conn.execute(text("""
+        CREATE TABLE users (
+            id TEXT PRIMARY KEY,
+            email VARCHAR(255) NOT NULL UNIQUE,
+            hashed_password VARCHAR(255),
+            display_name VARCHAR(100),
+            email_verified BOOLEAN NOT NULL DEFAULT false,
+            image TEXT,
+            email_inbound_token VARCHAR(22) NOT NULL UNIQUE
+                DEFAULT replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_'),
+            created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+            updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+        )
+    """))
+
+
+def downgrade() -> None:
+    op.execute(text("DROP TABLE IF EXISTS users"))
@@ -0,0 +1,210 @@
+"""Create domain tables (stores, purchases, coupons, etc.).
+
+Revision ID: 008_create_domain_tables
+Revises: 007_bootstrap_users_table
+Create Date: 2026-04-04
+"""
+
+import sqlalchemy as sa
+from sqlalchemy import text
+
+from alembic import op
+
+revision = "008_create_domain_tables"
+down_revision = "007_bootstrap_users_table"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    # 1. stores
+    if not inspector.has_table("stores"):
+        op.create_table(
+            "stores",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("name", sa.String(100), nullable=False),
+            sa.Column("slug", sa.String(20), nullable=False, unique=True),
+            sa.Column("logo_url", sa.String(500), nullable=True),
+            sa.Column("website_url", sa.String(500), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 2. store_locations
+    if not inspector.has_table("store_locations"):
+        op.create_table(
+            "store_locations",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("store_id", sa.Uuid(), sa.ForeignKey("stores.id"), nullable=False),
+            sa.Column("address", sa.String(300), nullable=False),
+            sa.Column("city", sa.String(100), nullable=False),
+            sa.Column("state", sa.String(2), nullable=False),
+            sa.Column("zip", sa.String(10), nullable=False),
+            sa.Column("lat", sa.Float(), nullable=True),
+            sa.Column("lng", sa.Float(), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 3. normalized_products
+    if not inspector.has_table("normalized_products"):
+        op.create_table(
+            "normalized_products",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("canonical_name", sa.String(300), nullable=False),
+            sa.Column("category", sa.String(50), nullable=True),
+            sa.Column("subcategory", sa.String(100), nullable=True),
+            sa.Column("brand", sa.String(200), nullable=True),
+            sa.Column("size", sa.String(50), nullable=True),
+            sa.Column("size_unit", sa.String(10), nullable=True),
+            sa.Column("upc_variants", sa.JSON(), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 4. purchases
+    if not inspector.has_table("purchases"):
+        op.create_table(
+            "purchases",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("user_id", sa.Text(), sa.ForeignKey("users.id"), nullable=False),
+            sa.Column("store_id", sa.Uuid(), sa.ForeignKey("stores.id"), nullable=False),
+            sa.Column("store_location_id", sa.Uuid(), sa.ForeignKey("store_locations.id"), nullable=True),
+            sa.Column("receipt_id", sa.String(200), nullable=False),
+            sa.Column("purchase_date", sa.Date(), nullable=False),
+            sa.Column("total", sa.Numeric(10, 2), nullable=False),
+            sa.Column("subtotal", sa.Numeric(10, 2), nullable=True),
+            sa.Column("tax", sa.Numeric(10, 2), nullable=True),
+            sa.Column("savings_total", sa.Numeric(10, 2), nullable=True),
+            sa.Column("source_url", sa.String(500), nullable=True),
+            sa.Column("raw_data", sa.JSON(), nullable=True),
+            sa.Column("ingested_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.UniqueConstraint("user_id", "store_id", "receipt_id", name="uq_purchase_receipt"),
+            sa.Index("ix_purchases_user_store", "user_id", "store_id"),
+        )
+
+    # 5. purchase_items
+    if not inspector.has_table("purchase_items"):
+        op.create_table(
+            "purchase_items",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("purchase_id", sa.Uuid(), sa.ForeignKey("purchases.id"), nullable=False),
+            sa.Column("product_name_raw", sa.String(300), nullable=False),
+            sa.Column("upc", sa.String(20), nullable=True),
+            sa.Column("quantity", sa.Numeric(10, 3), nullable=False),
+            sa.Column("unit_price", sa.Numeric(10, 2), nullable=False),
+            sa.Column("extended_price", sa.Numeric(10, 2), nullable=False),
+            sa.Column("regular_price", sa.Numeric(10, 2), nullable=True),
+            sa.Column("sale_price", sa.Numeric(10, 2), nullable=True),
+            sa.Column("coupon_discount", sa.Numeric(10, 2), nullable=True),
+            sa.Column("loyalty_discount", sa.Numeric(10, 2), nullable=True),
+            sa.Column("category_raw", sa.String(100), nullable=True),
+            sa.Column("normalized_product_id", sa.Uuid(), sa.ForeignKey("normalized_products.id"), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 6. coupons
+    if not inspector.has_table("coupons"):
+        op.create_table(
+            "coupons",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("store_id", sa.Uuid(), sa.ForeignKey("stores.id"), nullable=False),
+            sa.Column("normalized_product_id", sa.Uuid(), sa.ForeignKey("normalized_products.id"), nullable=True),
+            sa.Column("title", sa.String(300), nullable=False),
+            sa.Column("description", sa.String(1000), nullable=True),
+            sa.Column("discount_type", sa.String(20), nullable=False),
+            sa.Column("discount_value", sa.Numeric(10, 2), nullable=True),
+            sa.Column("min_purchase", sa.Numeric(10, 2), nullable=True),
+            sa.Column("valid_from", sa.Date(), nullable=True),
+            sa.Column("valid_to", sa.Date(), nullable=True),
+            sa.Column("requires_clip", sa.Boolean(), server_default=text("false"), nullable=False),
+            sa.Column("coupon_code", sa.String(100), nullable=True),
+            sa.Column("source_url", sa.String(500), nullable=True),
+            sa.Column("scraped_at", sa.DateTime(timezone=True), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 7. price_history
+    if not inspector.has_table("price_history"):
+        op.create_table(
+            "price_history",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("normalized_product_id", sa.Uuid(), sa.ForeignKey("normalized_products.id"), nullable=False),
+            sa.Column("store_id", sa.Uuid(), sa.ForeignKey("stores.id"), nullable=False),
+            sa.Column("observed_date", sa.Date(), nullable=False),
+            sa.Column("regular_price", sa.Numeric(10, 2), nullable=False),
+            sa.Column("sale_price", sa.Numeric(10, 2), nullable=True),
+            sa.Column("loyalty_price", sa.Numeric(10, 2), nullable=True),
+            sa.Column("coupon_price", sa.Numeric(10, 2), nullable=True),
+            sa.Column("source", sa.String(20), nullable=False),
+            sa.Column("purchase_item_id", sa.Uuid(), sa.ForeignKey("purchase_items.id"), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Index("ix_price_history_product_store_date", "normalized_product_id", "store_id", "observed_date"),
+        )
+
+    # 8. shrinkflation_events
+    if not inspector.has_table("shrinkflation_events"):
+        op.create_table(
+            "shrinkflation_events",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("normalized_product_id", sa.Uuid(), sa.ForeignKey("normalized_products.id"), nullable=False),
+            sa.Column("detected_date", sa.Date(), nullable=False),
+            sa.Column("old_size", sa.String(50), nullable=False),
+            sa.Column("new_size", sa.String(50), nullable=False),
+            sa.Column("old_unit", sa.String(10), nullable=True),
+            sa.Column("new_unit", sa.String(10), nullable=True),
+            sa.Column("price_at_old_size", sa.Numeric(10, 2), nullable=True),
+            sa.Column("price_at_new_size", sa.Numeric(10, 2), nullable=True),
+            sa.Column("confidence", sa.Numeric(3, 2), server_default=text("1.00"), nullable=False),
+            sa.Column("notes", sa.String(1000), nullable=True),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        )
+
+    # 9. user_store_accounts
+    if not inspector.has_table("user_store_accounts"):
+        op.create_table(
+            "user_store_accounts",
+            sa.Column("id", sa.Uuid(), server_default=text("gen_random_uuid()"), primary_key=True),
+            sa.Column("user_id", sa.Text(), sa.ForeignKey("users.id"), nullable=False),
+            sa.Column("store_id", sa.Uuid(), sa.ForeignKey("stores.id"), nullable=False),
+            sa.Column("session_data", sa.JSON(), nullable=True),
+            sa.Column("session_expires_at", sa.DateTime(timezone=True), nullable=True),
+            sa.Column("last_sync_at", sa.DateTime(timezone=True), nullable=True),
+            sa.Column("status", sa.String(20), server_default=text("'active'"), nullable=False),
+            sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+            sa.UniqueConstraint("user_id", "store_id", name="uq_user_store_account"),
+        )
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+
+    if inspector.has_table("user_store_accounts"):
+        op.drop_table("user_store_accounts")
+    if inspector.has_table("shrinkflation_events"):
+        op.drop_table("shrinkflation_events")
+    if inspector.has_table("price_history"):
+        op.drop_table("price_history")
+    if inspector.has_table("coupons"):
+        op.drop_table("coupons")
+    if inspector.has_table("purchase_items"):
+        op.drop_table("purchase_items")
+    if inspector.has_table("purchases"):
+        op.drop_table("purchases")
+    if inspector.has_table("normalized_products"):
+        op.drop_table("normalized_products")
+    if inspector.has_table("store_locations"):
+        op.drop_table("store_locations")
+    if inspector.has_table("stores"):
+        op.drop_table("stores")
@@ -19,12 +19,15 @@ bearer_scheme = HTTPBearer(auto_error=False)

 # Better-Auth session cookie name
 SESSION_COOKIE_NAME = "better-auth.session_token"
+# Secure prefix used by better-auth on HTTPS deployments
+SECURE_SESSION_COOKIE_NAME = "__Secure-better-auth.session_token"


 async def _validate_session_token(token: str, db: AsyncSession) -> str:
    """Validate a Better-Auth session token against the sessions table.

-    Returns the user_id (as str) if the session is valid and not expired.
+    Better-Auth stores the raw token in the DB. The cookie/Bearer header
+    carries the same raw token, so we compare directly.
    """
    result = await db.execute(
        text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
@@ -65,14 +68,17 @@ async def get_current_user(
    """
    token: str | None = None

-    # 1. Check session cookie
-    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
+    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
    if cookie_token:
-        token = cookie_token
+        # Better-Auth cookie format is "token.sessionId" — extract just the token part
+        token = cookie_token.split(".")[0] if "." in cookie_token else cookie_token

    # 2. Fall back to Bearer header
    if not token and credentials:
-        token = credentials.credentials
+        # Callers might pass the compound value here too
+        raw = credentials.credentials
+        token = raw.split(".")[0] if "." in raw else raw

    if not token:
        raise HTTPException(
@@ -1,26 +1,51 @@
 """Redis/DragonflyDB caching helpers."""

+import redis.asyncio as redis
+
 from cartsnitch_api.config import settings


 class CacheClient:
-    """Stub for Redis/DragonflyDB caching.
+    """Redis/DragonflyDB caching with connection pooling.

    Will be used for expensive queries: price trends, product comparisons.
    Cache invalidation via Redis pub/sub events from other services.
    """

    def __init__(self) -> None:
-        self.url = settings.redis_url
+        self._pool: redis.ConnectionPool | None = None
+        self._client: redis.Redis | None = None
+
+    async def initialize(self) -> None:
+        """Initialize the Redis connection pool."""
+        self._pool = redis.ConnectionPool.from_url(
+            settings.redis_url,
+            max_connections=20,
+            decode_responses=True,
+        )
+        self._client = redis.Redis(connection_pool=self._pool)
+
+    async def close(self) -> None:
+        """Close the Redis connection pool."""
+        if self._client:
+            await self._client.aclose()
+        if self._pool:
+            await self._pool.aclose()

    async def get(self, key: str) -> str | None:
-        # TODO: implement with redis-py async
-        return None
+        if not self._client:
+            return None
+        return await self._client.get(key)

    async def set(self, key: str, value: str, ttl_seconds: int = 300) -> None:
-        # TODO: implement with redis-py async
-        pass
+        if not self._client:
+            return
+        await self._client.set(key, value, ex=ttl_seconds)

    async def delete(self, key: str) -> None:
-        # TODO: implement with redis-py async
-        pass
+        if not self._client:
+            return
+        await self._client.delete(key)
+
+
+cache_client = CacheClient()
@@ -1,23 +1,25 @@
 import base64

-from pydantic import model_validator
+from pydantic import AliasChoices, Field, model_validator
 from pydantic_settings import BaseSettings


 class Settings(BaseSettings):
    model_config = {"env_prefix": "CARTSNITCH_"}

-    database_url: str = "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+    database_url: str = Field(
+        default="postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+        validation_alias=AliasChoices("CARTSNITCH_DATABASE_URL", "DATABASE_URL"),
+    )
    redis_url: str = "redis://localhost:6379/0"

-    jwt_secret_key: str = "change-me-in-production"
+    jwt_secret_key: str
    jwt_algorithm: str = "HS256"
    jwt_access_token_expire_minutes: int = 15
    jwt_refresh_token_expire_days: int = 7

-    service_key: str = "change-me-in-production"
-    # Valid Fernet key for local dev — MUST be overridden in production
-    fernet_key: str = "7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8="
+    service_key: str
+    fernet_key: str

    auth_service_url: str = "http://auth:3001"

@@ -32,9 +34,26 @@ class Settings(BaseSettings):
    rate_limit_window_seconds: int = 60
    rate_limit_enabled: bool = True

+    _PLACEHOLDER_VALUES = {"change-me-in-production"}
+
    @model_validator(mode="after")
-    def validate_fernet_key(self):
-        """Validate fernet_key is a valid 32-byte url-safe base64 key at startup."""
+    def validate_secrets(self):
+        if not self.jwt_secret_key or self.jwt_secret_key in self._PLACEHOLDER_VALUES:
+            raise ValueError(
+                "CARTSNITCH_JWT_SECRET_KEY must be set to a secure value. "
+                'Generate one with: python -c "import secrets; print(secrets.token_urlsafe(32))"'
+            )
+        if not self.service_key or self.service_key in self._PLACEHOLDER_VALUES:
+            raise ValueError(
+                "CARTSNITCH_SERVICE_KEY must be set to a secure value. "
+                'Generate one with: python -c "import secrets; print(secrets.token_urlsafe(32))"'
+            )
+        if not self.fernet_key or self.fernet_key in self._PLACEHOLDER_VALUES:
+            raise ValueError(
+                "CARTSNITCH_FERNET_KEY must be set to a valid Fernet key. "
+                "Generate one with: python -c "
+                "'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())'"
+            )
        try:
            decoded = base64.urlsafe_b64decode(self.fernet_key.encode())
            if len(decoded) != 32:
@@ -49,5 +68,12 @@ class Settings(BaseSettings):
            ) from None
        return self

+    @model_validator(mode="after")
+    def normalize_database_url(self):
+        """Normalize postgresql:// → postgresql+asyncpg:// for the asyncpg driver."""
+        if self.database_url.startswith("postgresql://"):
+            self.database_url = self.database_url.replace("postgresql://", "postgresql+asyncpg://", 1)
+        return self
+

 settings = Settings()
@@ -6,7 +6,14 @@ from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_asyn

 from cartsnitch_api.config import settings

-engine = create_async_engine(settings.database_url, echo=False)
+engine = create_async_engine(
+    settings.database_url,
+    echo=False,
+    pool_size=10,
+    max_overflow=20,
+    pool_pre_ping=True,
+    pool_recycle=3600,
+)
 async_session_factory = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)


@@ -14,3 +21,8 @@ async def get_db() -> AsyncGenerator[AsyncSession, None]:
    """FastAPI dependency that yields an async DB session."""
    async with async_session_factory() as session:
        yield session
+
+
+async def dispose_engine() -> None:
+    """Dispose the database engine, closing all pooled connections."""
+    await engine.dispose()
@@ -5,6 +5,8 @@ from contextlib import asynccontextmanager
 from fastapi import APIRouter, FastAPI

 from cartsnitch_api.auth.routes import router as auth_router
+from cartsnitch_api.cache import cache_client
+from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
@@ -23,9 +25,10 @@ from cartsnitch_api.routes.user import router as user_router

@asynccontextmanager
 async def lifespan(app: FastAPI):
-    # TODO: initialize DB session pool, Redis connection, service clients
+    await cache_client.initialize()
    yield
-    # TODO: cleanup connections
+    await cache_client.close()
+    await dispose_engine()


 def create_app() -> FastAPI:
@@ -11,6 +11,6 @@ def add_cors_middleware(app: FastAPI) -> None:
        CORSMiddleware,
        allow_origins=settings.cors_origins,
        allow_credentials=True,
-        allow_methods=["*"],
-        allow_headers=["*"],
+        allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+        allow_headers=["Content-Type", "Authorization", "Accept", "Origin", "X-Requested-With"],
    )
@@ -4,6 +4,7 @@ Uses in-memory sliding window as fallback, Redis/DragonflyDB when available.
 Per-IP limiting on public endpoints, per-token limiting on authenticated endpoints.
 """

+import hashlib
 import time
 from collections import defaultdict
 from threading import Lock
@@ -71,8 +72,8 @@ def _get_rate_limit_key(request: Request) -> tuple[str, _SlidingWindowCounter]:
    auth_header = request.headers.get("authorization", "")
    if auth_header.startswith("Bearer "):
        token = auth_header[7:]
-        # Use last 16 chars of token as key to avoid storing full tokens
-        return f"token:{token[-16:]}", _auth_limiter
+        token_hash = hashlib.sha256(token.encode()).hexdigest()
+        return f"token:{token_hash}", _auth_limiter

    # Fallback to IP for unauthenticated non-public endpoints
    return f"ip:{_get_client_ip(request)}", _public_limiter
@@ -4,7 +4,8 @@ import secrets
 from datetime import datetime
 from typing import TYPE_CHECKING

-from sqlalchemy import DateTime, ForeignKey, String, Text, UniqueConstraint
+import sqlalchemy as sa
+from sqlalchemy import Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column, relationship

 from cartsnitch_api.constants import AccountStatus
@@ -23,13 +24,20 @@ class User(TimestampMixin, Base):

    id: Mapped[str] = mapped_column(Text, primary_key=True)
    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
-    hashed_password: Mapped[str] = mapped_column(String(255), nullable=False)
+    hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
    display_name: Mapped[str | None] = mapped_column(String(100))
+    email_verified: Mapped[bool] = mapped_column(
+        Boolean, nullable=False, server_default="false"
+    )
+    image: Mapped[str | None] = mapped_column(Text, nullable=True)
    email_inbound_token: Mapped[str] = mapped_column(
        String(22),
        nullable=False,
        unique=True,
        default=lambda: secrets.token_urlsafe(16),
+        server_default=sa.text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+        ),
    )

    # Relationships
@@ -19,6 +19,25 @@ from cartsnitch_api.database import get_db
 from cartsnitch_api.main import create_app
 from cartsnitch_api.models import Base

+TEST_JWT_SECRET = secrets.token_urlsafe(32)
+TEST_SERVICE_KEY = secrets.token_urlsafe(32)
+TEST_FERNET_KEY = "7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8="
+
+
+@pytest.fixture(autouse=True)
+def setup_test_settings():
+    original_jwt = cartsnitch_settings.jwt_secret_key
+    original_service = cartsnitch_settings.service_key
+    original_fernet = cartsnitch_settings.fernet_key
+    cartsnitch_settings.jwt_secret_key = TEST_JWT_SECRET
+    cartsnitch_settings.service_key = TEST_SERVICE_KEY
+    cartsnitch_settings.fernet_key = TEST_FERNET_KEY
+    yield
+    cartsnitch_settings.jwt_secret_key = original_jwt
+    cartsnitch_settings.service_key = original_service
+    cartsnitch_settings.fernet_key = original_fernet
+
+
 TEST_DATABASE_URL = "sqlite+aiosqlite:///:memory:"


@@ -60,7 +79,8 @@ async def db_engine():
    async with engine.begin() as conn:
        await conn.run_sync(Base.metadata.create_all)
        # Create Better-Auth tables (not managed by SQLAlchemy models)
-        await conn.execute(text("""
+        await conn.execute(
+            text("""
            CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                token TEXT NOT NULL UNIQUE,
@@ -71,8 +91,10 @@ async def db_engine():
                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
                updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL
            )
-        """))
-        await conn.execute(text("""
+        """)
+        )
+        await conn.execute(
+            text("""
            CREATE TABLE IF NOT EXISTS accounts (
                id TEXT PRIMARY KEY,
                user_id TEXT NOT NULL,
@@ -88,8 +110,10 @@ async def db_engine():
                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
                updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL
            )
-        """))
-        await conn.execute(text("""
+        """)
+        )
+        await conn.execute(
+            text("""
            CREATE TABLE IF NOT EXISTS verifications (
                id TEXT PRIMARY KEY,
                identifier TEXT NOT NULL,
@@ -98,7 +122,8 @@ async def db_engine():
                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
                updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL
            )
-        """))
+        """)
+        )

    yield engine

@@ -133,10 +158,13 @@ async def client(db_engine):
    app.dependency_overrides.clear()


-async def _create_test_user_and_session(client: AsyncClient, db_engine, **user_overrides) -> tuple[dict, str]:
+async def _create_test_user_and_session(
+    client: AsyncClient, db_engine, **user_overrides
+) -> tuple[dict, str]:
    """Create a test user and a valid session directly in the DB.

-    Returns (user_dict, session_token).
+    Returns (user_dict, session_token).  Better-Auth stores the raw token
+    in the DB, so we insert it as-is.
    """
    user_id = str(uuid.uuid4())
    email = user_overrides.get("email", "test@example.com")
@@ -71,6 +71,56 @@ async def test_delete_me(client, auth_headers):
    assert resp.status_code == 404


+@pytest.mark.asyncio
+async def test_get_me_compound_cookie(client, db_engine):
+    """Compound cookie value (token.sessionId) must be parsed to extract the token part."""
+    from tests.conftest import _create_test_user_and_session
+
+    _, session_token = await _create_test_user_and_session(
+        client, db_engine, email="compound@example.com", display_name="Compound User"
+    )
+    compound = f"{session_token}.B0atkJCFxK1rZlwWPMK97nVO2LnyDun7"
+    resp = await client.get(
+        "/auth/me",
+        headers={"Cookie": f"better-auth.session_token={compound}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["email"] == "compound@example.com"
+
+
+@pytest.mark.asyncio
+async def test_get_me_raw_token_cookie(client, db_engine):
+    """Raw token (no dot) in cookie must still work — regression guard."""
+    from tests.conftest import _create_test_user_and_session
+
+    _, session_token = await _create_test_user_and_session(
+        client, db_engine, email="rawcookie@example.com", display_name="Raw Cookie User"
+    )
+    resp = await client.get(
+        "/auth/me",
+        headers={"Cookie": f"better-auth.session_token={session_token}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["email"] == "rawcookie@example.com"
+
+
+@pytest.mark.asyncio
+async def test_get_me_compound_bearer(client, db_engine):
+    """Compound Bearer token (token.sessionId) must be parsed to extract the token part."""
+    from tests.conftest import _create_test_user_and_session
+
+    _, session_token = await _create_test_user_and_session(
+        client, db_engine, email="compoundbearer@example.com", display_name="Compound Bearer User"
+    )
+    compound = f"{session_token}.B0atkJCFxK1rZlwWPMK97nVO2LnyDun7"
+    resp = await client.get(
+        "/auth/me",
+        headers={"Authorization": f"Bearer {compound}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["email"] == "compoundbearer@example.com"
+
+
@pytest.mark.asyncio
 async def test_expired_session_rejected(client, db_engine):
    """Expired sessions must be rejected."""
@@ -0,0 +1,48 @@
+"""Tests for Settings config, specifically the database_url env var fallback."""
+
+import os
+
+from cartsnitch_api.config import Settings
+
+
+def test_database_url_prefers_cartsnitch_prefix():
+    """CARTSNITCH_DATABASE_URL takes precedence over DATABASE_URL."""
+    env = {
+        "CARTSNITCH_DATABASE_URL": "postgresql+asyncpg://user1:pass1@host1:5432/db1",
+        "DATABASE_URL": "postgresql://user2:pass2@host2:5432/db2",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://user1:pass1@host1:5432/db1"
+
+
+def test_database_url_falls_back_to_database_url():
+    """When CARTSNITCH_DATABASE_URL is absent, DATABASE_URL is accepted."""
+    env = {
+        "DATABASE_URL": "postgresql://user:pass@dbhost:5432/mydb",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://user:pass@dbhost:5432/mydb"
+
+
+def test_database_url_normalizes_plain_postgresql_prefix():
+    """DATABASE_URL with plain postgresql:// is normalized to postgresql+asyncpg://."""
+    env = {
+        "DATABASE_URL": "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+
+
+def test_database_url_preserves_asyncpg_prefix():
+    """CARTSNITCH_DATABASE_URL with postgresql+asyncpg:// is left unchanged."""
+    env = {
+        "CARTSNITCH_DATABASE_URL": "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+    }
+    settings = Settings(**env)
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
+
+
+def test_database_url_default():
+    """When neither env var is set, the hardcoded default is used."""
+    settings = Settings()
+    assert settings.database_url == "postgresql+asyncpg://cartsnitch:cartsnitch@localhost:5432/cartsnitch"
@@ -1,8 +1,10 @@
 """Tests for rate limiting middleware."""

+from unittest.mock import MagicMock
+
 import pytest

-from cartsnitch_api.middleware.rate_limit import _SlidingWindowCounter
+from cartsnitch_api.middleware.rate_limit import _SlidingWindowCounter, _get_rate_limit_key


 class TestSlidingWindowCounter:
@@ -53,3 +55,32 @@ async def test_health_skips_rate_limit(client):
    resp = await client.get("/health")
    assert resp.status_code == 200
    assert "x-ratelimit-limit" not in resp.headers
+
+
+class TestGetRateLimitKey:
+    def _make_request(self, auth_header: str = "") -> MagicMock:
+        req = MagicMock()
+        req.url.path = "/purchases"
+        req.headers = {"authorization": auth_header} if auth_header else {}
+        return req
+
+    def test_distinct_tokens_produce_distinct_keys(self):
+        req1 = self._make_request("Bearer token_alpha_12345")
+        req2 = self._make_request("Bearer token_beta_67890")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 != key2
+
+    def test_same_token_produces_same_key(self):
+        req1 = self._make_request("Bearer same_token_value_abc")
+        req2 = self._make_request("Bearer same_token_value_abc")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 == key2
+
+    def test_key_does_not_contain_raw_token_suffix(self):
+        raw_token = "my_secret_jwt_token_xyz"
+        req = self._make_request(f"Bearer {raw_token}")
+        key, _ = _get_rate_limit_key(req)
+        assert raw_token[-16:] not in key
+        assert raw_token not in key
@@ -1,4 +1,5 @@
 FROM node:22-alpine AS builder
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci
@@ -7,6 +8,7 @@ COPY src/ src/
 RUN npm run build

 FROM node:22-alpine
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
 COPY package.json package-lock.json* ./
@@ -8,12 +8,12 @@
      "name": "@cartsnitch/auth",
      "version": "0.1.0",
      "dependencies": {
-        "bcrypt": "^5.1.1",
+        "bcrypt": "^6.0.0",
        "better-auth": "^1.2.0",
        "pg": "^8.13.0"
      },
      "devDependencies": {
-        "@types/bcrypt": "^5.0.2",
+        "@types/bcrypt": "^6.0.0",
        "@types/node": "^22.0.0",
        "@types/pg": "^8.11.0",
        "tsx": "^4.19.0",
@@ -590,26 +590,6 @@
        "node": ">=18"
      }
    },
-    "node_modules/@mapbox/node-pre-gyp": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.11.tgz",
-      "integrity": "sha512-Yhlar6v9WQgUp/He7BdgzOz8lqMQ8sU+jkCq7Wx8Myc5YFJLbEe7lgui/V7G1qB1DJykHSGwreceSaD60Y0PUQ==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "detect-libc": "^2.0.0",
-        "https-proxy-agent": "^5.0.0",
-        "make-dir": "^3.1.0",
-        "node-fetch": "^2.6.7",
-        "nopt": "^5.0.0",
-        "npmlog": "^5.0.1",
-        "rimraf": "^3.0.2",
-        "semver": "^7.3.5",
-        "tar": "^6.1.11"
-      },
-      "bin": {
-        "node-pre-gyp": "bin/node-pre-gyp"
-      }
-    },
    "node_modules/@noble/ciphers": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/@noble/ciphers/-/ciphers-2.1.1.tgz",
@@ -660,9 +640,9 @@
      "license": "MIT"
    },
    "node_modules/@types/bcrypt": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-5.0.2.tgz",
-      "integrity": "sha512-6atioO8Y75fNcbmj0G7UjI9lXN2pQ/IGJ2FWT4a/btd0Lk9lQalHLKhkgKVZ3r+spnmWUKfbMi1GEe9wyHQfNQ==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-6.0.0.tgz",
+      "integrity": "sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -691,71 +671,18 @@
        "pg-types": "^2.2.0"
      }
    },
-    "node_modules/abbrev": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==",
-      "license": "ISC"
-    },
-    "node_modules/agent-base": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
-      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/aproba": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.1.0.tgz",
-      "integrity": "sha512-tLIEcj5GuR2RSTnxNKdkK0dJ/GrC7P38sUkiDmDuHfsHmbagTFAxDVIBltoklXEVIQ/f14IL8IMJ5pn9Hez1Ew==",
-      "license": "ISC"
-    },
-    "node_modules/are-we-there-yet": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-2.0.0.tgz",
-      "integrity": "sha512-Ci/qENmwHnsYo9xKIcUJN5LeDKdJ6R1Z1j9V/J5wyq8nh/mYPEpIKJbBZXtZjG04HiK7zV/p6Vs9952MrMeUIw==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "delegates": "^1.0.0",
-        "readable-stream": "^3.6.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-      "license": "MIT"
-    },
    "node_modules/bcrypt": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/bcrypt/-/bcrypt-5.1.1.tgz",
-      "integrity": "sha512-AGBHOG5hPYZ5Xl9KXzU5iKq9516yEmvCKDg3ecP5kX2aB6UqTeXZxk2ELnDgDm6BQSMlLt9rDB4LoSMx0rYwww==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/bcrypt/-/bcrypt-6.0.0.tgz",
+      "integrity": "sha512-cU8v/EGSrnH+HnxV2z0J7/blxH8gq7Xh2JFT6Aroax7UohdmiJJlxApMxtKfuI7z68NvvVcmR78k2LbT6efhRg==",
      "hasInstallScript": true,
      "license": "MIT",
      "dependencies": {
-        "@mapbox/node-pre-gyp": "^1.0.11",
-        "node-addon-api": "^5.0.0"
+        "node-addon-api": "^8.3.0",
+        "node-gyp-build": "^4.8.4"
      },
      "engines": {
-        "node": ">= 10.0.0"
+        "node": ">= 18"
      }
    },
    "node_modules/better-auth": {
@@ -883,90 +810,12 @@
        }
      }
    },
-    "node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
-    "node_modules/chownr": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz",
-      "integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/color-support": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz",
-      "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==",
-      "license": "ISC",
-      "bin": {
-        "color-support": "bin.js"
-      }
-    },
-    "node_modules/concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
-      "license": "MIT"
-    },
-    "node_modules/console-control-strings": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz",
-      "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==",
-      "license": "ISC"
-    },
-    "node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
    "node_modules/defu": {
      "version": "6.1.4",
      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
      "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
      "license": "MIT"
    },
-    "node_modules/delegates": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz",
-      "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==",
-      "license": "MIT"
-    },
-    "node_modules/detect-libc": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
-      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
-      "license": "MIT"
-    },
    "node_modules/esbuild": {
      "version": "0.27.4",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
@@ -1009,36 +858,6 @@
        "@esbuild/win32-x64": "0.27.4"
      }
    },
-    "node_modules/fs-minipass": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz",
-      "integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/fs-minipass/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/fs.realpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
-      "license": "ISC"
-    },
    "node_modules/fsevents": {
      "version": "2.3.3",
      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
@@ -1054,27 +873,6 @@
        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
      }
    },
-    "node_modules/gauge": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/gauge/-/gauge-3.0.2.tgz",
-      "integrity": "sha512-+5J6MS/5XksCuXq++uFRsnUd7Ovu1XenbeuIuNRJxYWjgQbPuFhT14lAvsWfqfAmnwluf1OwMjz39HjfLPci0Q==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "aproba": "^1.0.3 || ^2.0.0",
-        "color-support": "^1.1.2",
-        "console-control-strings": "^1.0.0",
-        "has-unicode": "^2.0.1",
-        "object-assign": "^4.1.1",
-        "signal-exit": "^3.0.0",
-        "string-width": "^4.2.3",
-        "strip-ansi": "^6.0.1",
-        "wide-align": "^1.1.2"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
    "node_modules/get-tsconfig": {
      "version": "4.13.7",
      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
@@ -1088,72 +886,6 @@
        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
      }
    },
-    "node_modules/glob": {
-      "version": "7.2.3",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
-      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
-      "license": "ISC",
-      "dependencies": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.1.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
-      },
-      "engines": {
-        "node": "*"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/has-unicode": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz",
-      "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==",
-      "license": "ISC"
-    },
-    "node_modules/https-proxy-agent": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
-      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "6",
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/inflight": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
-      "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
-      "license": "ISC",
-      "dependencies": {
-        "once": "^1.3.0",
-        "wrappy": "1"
-      }
-    },
-    "node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
-      "license": "ISC"
-    },
-    "node_modules/is-fullwidth-code-point": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
-      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
    "node_modules/jose": {
      "version": "6.2.2",
      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
@@ -1172,94 +904,6 @@
        "node": ">=20.0.0"
      }
    },
-    "node_modules/make-dir": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.1.0.tgz",
-      "integrity": "sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==",
-      "license": "MIT",
-      "dependencies": {
-        "semver": "^6.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/make-dir/node_modules/semver": {
-      "version": "6.3.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
-      }
-    },
-    "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^1.1.7"
-      },
-      "engines": {
-        "node": "*"
-      }
-    },
-    "node_modules/minipass": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz",
-      "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minizlib": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
-      "integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==",
-      "license": "MIT",
-      "dependencies": {
-        "minipass": "^3.0.0",
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/minizlib/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/mkdirp": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
-      "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
-      "license": "MIT",
-      "bin": {
-        "mkdirp": "bin/cmd.js"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
    "node_modules/nanostores": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/nanostores/-/nanostores-1.2.0.tgz",
@@ -1276,84 +920,23 @@
      }
    },
    "node_modules/node-addon-api": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-5.1.0.tgz",
-      "integrity": "sha512-eh0GgfEkpnoWDq+VY8OyvYhFEzBk6jIYbRKdIlyTiAXIVJ8PyBaKb0rp7oDtoddbdoHWhq8wwr+XZ81F1rpNdA==",
-      "license": "MIT"
-    },
-    "node_modules/node-fetch": {
-      "version": "2.7.0",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
-      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
+      "version": "8.7.0",
+      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-8.7.0.tgz",
+      "integrity": "sha512-9MdFxmkKaOYVTV+XVRG8ArDwwQ77XIgIPyKASB1k3JPq3M8fGQQQE3YpMOrKm6g//Ktx8ivZr8xo1Qmtqub+GA==",
      "license": "MIT",
-      "dependencies": {
-        "whatwg-url": "^5.0.0"
-      },
      "engines": {
-        "node": "4.x || >=6.0.0"
-      },
-      "peerDependencies": {
-        "encoding": "^0.1.0"
-      },
-      "peerDependenciesMeta": {
-        "encoding": {
-          "optional": true
-        }
+        "node": "^18 || ^20 || >= 21"
      }
    },
-    "node_modules/nopt": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
-      "integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
-      "license": "ISC",
-      "dependencies": {
-        "abbrev": "1"
-      },
+    "node_modules/node-gyp-build": {
+      "version": "4.8.4",
+      "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz",
+      "integrity": "sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ==",
+      "license": "MIT",
      "bin": {
-        "nopt": "bin/nopt.js"
-      },
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/npmlog": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-5.0.1.tgz",
-      "integrity": "sha512-AqZtDUWOMKs1G/8lwylVjrdYgqA4d9nu8hc+0gzRxlDb1I10+FHBGMXs6aiQHFdCUUlqH99MUMuLfzWDNDtfxw==",
-      "deprecated": "This package is no longer supported.",
-      "license": "ISC",
-      "dependencies": {
-        "are-we-there-yet": "^2.0.0",
-        "console-control-strings": "^1.1.0",
-        "gauge": "^3.0.0",
-        "set-blocking": "^2.0.0"
-      }
-    },
-    "node_modules/object-assign": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
-      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "license": "ISC",
-      "dependencies": {
-        "wrappy": "1"
-      }
-    },
-    "node_modules/path-is-absolute": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
+        "node-gyp-build": "bin.js",
+        "node-gyp-build-optional": "optional.js",
+        "node-gyp-build-test": "build-test.js"
      }
    },
    "node_modules/pg": {
@@ -1484,20 +1067,6 @@
        "node": ">=0.10.0"
      }
    },
-    "node_modules/readable-stream": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
-      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
-      "license": "MIT",
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
    "node_modules/resolve-pkg-maps": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
@@ -1508,78 +1077,18 @@
        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
      }
    },
-    "node_modules/rimraf": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
-      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
-      "deprecated": "Rimraf versions prior to v4 are no longer supported",
-      "license": "ISC",
-      "dependencies": {
-        "glob": "^7.1.3"
-      },
-      "bin": {
-        "rimraf": "bin.js"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
    "node_modules/rou3": {
      "version": "0.7.12",
      "resolved": "https://registry.npmjs.org/rou3/-/rou3-0.7.12.tgz",
      "integrity": "sha512-iFE4hLDuloSWcD7mjdCDhx2bKcIsYbtOTpfH5MHHLSKMOUyjqQXTeZVa289uuwEGEKFoE/BAPbhaU4B774nceg==",
      "license": "MIT"
    },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
-    "node_modules/semver": {
-      "version": "7.7.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
-      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/set-blocking": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
-      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
-      "license": "ISC"
-    },
    "node_modules/set-cookie-parser": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-3.1.0.tgz",
      "integrity": "sha512-kjnC1DXBHcxaOaOXBHBeRtltsDG2nUiUni+jP92M9gYdW12rsmx92UsfpH7o5tDRs7I1ZZPSQJQGv3UaRfCiuw==",
      "license": "MIT"
    },
-    "node_modules/signal-exit": {
-      "version": "3.0.7",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz",
-      "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==",
-      "license": "ISC"
-    },
    "node_modules/split2": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
@@ -1589,65 +1098,6 @@
        "node": ">= 10.x"
      }
    },
-    "node_modules/string_decoder": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
-      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "~5.2.0"
-      }
-    },
-    "node_modules/string-width": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
-      "license": "MIT",
-      "dependencies": {
-        "emoji-regex": "^8.0.0",
-        "is-fullwidth-code-point": "^3.0.0",
-        "strip-ansi": "^6.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/strip-ansi": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^5.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/tar": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
-      "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
-      "deprecated": "Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
-      "license": "ISC",
-      "dependencies": {
-        "chownr": "^2.0.0",
-        "fs-minipass": "^2.0.0",
-        "minipass": "^5.0.0",
-        "minizlib": "^2.1.1",
-        "mkdirp": "^1.0.3",
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/tr46": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
-      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
-      "license": "MIT"
-    },
    "node_modules/tsx": {
      "version": "4.21.0",
      "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
@@ -1689,43 +1139,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
-      "license": "MIT"
-    },
-    "node_modules/webidl-conversions": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
-      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==",
-      "license": "BSD-2-Clause"
-    },
-    "node_modules/whatwg-url": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
-      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
-      "license": "MIT",
-      "dependencies": {
-        "tr46": "~0.0.3",
-        "webidl-conversions": "^3.0.0"
-      }
-    },
-    "node_modules/wide-align": {
-      "version": "1.1.5",
-      "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz",
-      "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==",
-      "license": "ISC",
-      "dependencies": {
-        "string-width": "^1.0.2 || 2 || 3 || 4"
-      }
-    },
-    "node_modules/wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
-      "license": "ISC"
-    },
    "node_modules/xtend": {
      "version": "4.0.2",
      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
@@ -1735,12 +1148,6 @@
        "node": ">=0.4"
      }
    },
-    "node_modules/yallist": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
-      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
-      "license": "ISC"
-    },
    "node_modules/zod": {
      "version": "4.3.6",
      "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
@@ -12,12 +12,12 @@
  "dependencies": {
    "better-auth": "^1.2.0",
    "pg": "^8.13.0",
-    "bcrypt": "^5.1.1"
+    "bcrypt": "^6.0.0"
  },
  "devDependencies": {
    "@types/node": "^22.0.0",
    "@types/pg": "^8.11.0",
-    "@types/bcrypt": "^5.0.2",
+    "@types/bcrypt": "^6.0.0",
    "tsx": "^4.19.0",
    "typescript": "^5.7.0"
  }
@@ -4,17 +4,23 @@ import pg from "pg";

 const { Pool } = pg;

-const pool = new Pool({
-  connectionString:
-    process.env.DATABASE_URL ??
-    "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
-});
-
 const secret = process.env.BETTER_AUTH_SECRET;
 if (!secret) {
  throw new Error("BETTER_AUTH_SECRET environment variable is required");
 }

+const databaseUrl = process.env.DATABASE_URL;
+if (!databaseUrl) {
+  console.warn(
+    "WARNING: DATABASE_URL is not set — using default localhost connection. " +
+    "Set DATABASE_URL for production deployments."
+  );
+}
+
+export const pool = new Pool({
+  connectionString: databaseUrl ?? "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+});
+
 export const auth = betterAuth({
  database: pool,
  basePath: "/auth",
@@ -95,5 +101,6 @@ export const auth = betterAuth({
    "https://cartsnitch.com",
    "https://cartsnitch.farh.net",
    "https://cartsnitch.dev.farh.net",
+    "https://cartsnitch.uat.farh.net",
  ],
 });
@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import { toNodeHandler } from "better-auth/node";
-import { auth } from "./auth.js";
+import { auth, pool } from "./auth.js";

 const port = parseInt(process.env.PORT ?? "3001", 10);

@@ -9,8 +9,22 @@ const handler = toNodeHandler(auth);
 const server = createServer(async (req, res) => {
  // Health check
  if (req.url === "/health" && req.method === "GET") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok" }));
+    try {
+      const client = await pool.connect();
+      try {
+        await Promise.race([
+          client.query("SELECT 1"),
+          new Promise((_, reject) => setTimeout(() => reject(new Error("DB timeout")), 2000)),
+        ]);
+      } finally {
+        client.release();
+      }
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "ok", db: "connected" }));
+    } catch {
+      res.writeHead(503, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
+    }
    return;
  }

@@ -14,7 +14,7 @@ if config.config_file_name is not None:

 db_url = os.environ.get("CARTSNITCH_DATABASE_URL_SYNC")
 if db_url:
-    config.set_main_option("sqlalchemy.url", db_url)
+    config.set_main_option("sqlalchemy.url", db_url.replace("%", "%%"))

 target_metadata = Base.metadata

@@ -0,0 +1,37 @@
+"""Add email_inbound_token to users.
+
+Revision ID: 001_add_email_inbound_token
+Revises:
+Create Date: 2026-04-02
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision: str = "001_add_email_inbound_token"
+down_revision: str | None = None
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.add_column("users", sa.Column("email_inbound_token", sa.String(22), nullable=True))
+    op.create_unique_constraint("uq_users_email_inbound_token", "users", ["email_inbound_token"])
+
+    # Backfill existing users with generated tokens (PostgreSQL)
+    op.execute(
+        "UPDATE users SET email_inbound_token = "
+        "substring(replace(gen_random_uuid()::text, '-', ''), 1, 22) "
+        "WHERE email_inbound_token IS NULL"
+    )
+
+    # Alter to non-nullable
+    op.alter_column("users", "email_inbound_token", nullable=False)
+
+
+def downgrade() -> None:
+    op.drop_constraint("uq_users_email_inbound_token", "users", type_="unique")
+    op.drop_column("users", "email_inbound_token")
@@ -1,10 +1,11 @@
 """User and UserStoreAccount models."""

+import secrets
 import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING

-from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint
+from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint, text
 from sqlalchemy.orm import Mapped, mapped_column, relationship

 from cartsnitch_common.constants import AccountStatus
@@ -21,6 +22,15 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
    __tablename__ = "users"

    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    email_inbound_token: Mapped[str] = mapped_column(
+        String(22),
+        nullable=False,
+        unique=True,
+        default=lambda: secrets.token_urlsafe(16),
+        server_default=text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+        ),
+    )
    hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
    display_name: Mapped[str | None] = mapped_column(String(100))
    email_verified: Mapped[bool] = mapped_column(Boolean, nullable=False, server_default="false")
@@ -20,6 +20,7 @@ class UserRead(BaseModel):
    id: uuid.UUID
    email: str
    display_name: str | None
+    email_inbound_token: str
    created_at: datetime
    updated_at: datetime

@@ -147,6 +147,40 @@ class TestStoreLocationModel:
        assert loc.lat == pytest.approx(42.2808)


+class TestUserModel:
+    def test_email_inbound_token_auto_populated(self, session):
+        user = User(
+            id=uuid.uuid4(),
+            email="token_test@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add(user)
+        session.commit()
+        assert user.email_inbound_token is not None
+        assert len(user.email_inbound_token) == 22
+
+    def test_email_inbound_token_unique(self, session):
+        user1 = User(
+            id=uuid.uuid4(),
+            email="user1@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        user2 = User(
+            id=uuid.uuid4(),
+            email="user2@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add_all([user1, user2])
+        session.commit()
+        assert user1.email_inbound_token != user2.email_inbound_token
+
+
 class TestUserStoreAccountModel:
    def test_account_status_enum(self, session):
        user = User(
@@ -9,6 +9,12 @@ server {
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
    gzip_min_length 256;

+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://*.cartsnitch.com https://*.farh.net; frame-ancestors 'self'" always;
+
    # Health endpoint for K8s probes
    location /health {
        access_log off;
@@ -9805,9 +9805,9 @@
      }
    },
    "node_modules/vite": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
-      "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
+      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
@@ -5,7 +5,7 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -25,7 +25,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
@@ -1,8 +1,12 @@
 """Service-specific configuration for ReceiptWitness."""

+from pydantic import model_validator
 from pydantic_settings import BaseSettings


+_PLACEHOLDER_VALUES = {"change-me-in-production"}
+
+
 class ReceiptWitnessSettings(BaseSettings):
    model_config = {"env_prefix": "RW_"}

@@ -30,5 +34,34 @@ class ReceiptWitnessSettings(BaseSettings):
    # Mailgun inbound email webhook
    mailgun_webhook_signing_key: str = ""

+    @model_validator(mode="after")
+    def validate_required_vars(self):
+        errors = []
+        if not self.session_encryption_key or self.session_encryption_key in _PLACEHOLDER_VALUES:
+            errors.append(
+                "RW_SESSION_ENCRYPTION_KEY must be set to a secure value. "
+                'Generate one with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
+            )
+        if self.notifications_enabled and not self.resend_api_key:
+            errors.append(
+                "RW_RESEND_API_KEY must be set when RW_NOTIFICATIONS_ENABLED=true. "
+                "Get an API key from https://resend.com/api-keys"
+            )
+        if errors:
+            raise ValueError(
+                "ReceiptWitness startup failed — missing required config:\n"
+                + "\n".join(f"  - {e}" for e in errors)
+            )
+        return self

-settings = ReceiptWitnessSettings()
+
+class _LazySettings:
+    _instance: ReceiptWitnessSettings | None = None
+
+    def __getattr__(self, name: str):
+        if _LazySettings._instance is None:
+            _LazySettings._instance = ReceiptWitnessSettings()
+        return getattr(_LazySettings._instance, name)
+
+
+settings = _LazySettings()
@@ -1,12 +1,16 @@
 """Shared test fixtures."""

 import json
+import os
 from pathlib import Path

 import pytest

 FIXTURES_DIR = Path(__file__).parent / "fixtures"

+os.environ.setdefault("RW_SESSION_ENCRYPTION_KEY", "test-secret-key-for-unit-tests-only-32bytes!")
+os.environ.setdefault("RW_MAILGUN_WEBHOOK_SIGNING_KEY", "test-mailgun-signing-key")
+

@pytest.fixture
 def meijer_receipt_data() -> dict:
@@ -0,0 +1,46 @@
+import pytest
+from receiptwitness.config import ReceiptWitnessSettings
+
+
+def test_valid_config():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8="
+    )
+    assert s.session_encryption_key
+
+
+def test_missing_session_encryption_key_raises():
+    with pytest.raises(ValueError, match="RW_SESSION_ENCRYPTION_KEY"):
+        ReceiptWitnessSettings(session_encryption_key="")
+
+
+def test_placeholder_session_encryption_key_raises():
+    with pytest.raises(ValueError, match="RW_SESSION_ENCRYPTION_KEY"):
+        ReceiptWitnessSettings(session_encryption_key="change-me-in-production")
+
+
+def test_notifications_enabled_without_resend_key_raises():
+    with pytest.raises(ValueError, match="RW_RESEND_API_KEY"):
+        ReceiptWitnessSettings(
+            session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+            notifications_enabled=True,
+            resend_api_key="",
+        )
+
+
+def test_notifications_disabled_without_resend_key_ok():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+        notifications_enabled=False,
+        resend_api_key="",
+    )
+    assert s.notifications_enabled is False
+
+
+def test_notifications_enabled_with_resend_key_ok():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+        notifications_enabled=True,
+        resend_api_key="re_test_1234567890",
+    )
+    assert s.resend_api_key == "re_test_1234567890"
Author	SHA1	Message	Date
Paperclip	a0eef27944	fix: upgrade bcrypt and filter unfixed CVEs in Grype scans	2026-04-15 00:51:53 +00:00
cartsnitch-cto[bot]	bb50ddc85d	Merge pull request #206 from cartsnitch/fix/car-620-grype-only-fixed fix: add only-fixed flag to Grype scans to skip unfixable CVEs	2026-04-15 00:46:10 +00:00
Hugh Hackman	bd2e8feff6	fix: add only-fixed flag to Grype scans to skip unfixable CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 00:28:56 +00:00
cartsnitch-cto[bot]	1e8223caeb	fix: remediate high-severity CVEs in Docker images (#204 ) fix: remediate high-severity CVEs in Docker images	2026-04-14 23:57:40 +00:00
Paperclip	e1d77d7789	fix: remediate high-severity CVEs in Docker images - Add apk upgrade to frontend Dockerfile (build + prod stages) - Add apk upgrade to auth Dockerfile (build + runtime stages) - Add apt-get upgrade to api Dockerfile (build + prod stages) - Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages) - Run npm audit fix for frontend and auth dependencies Refs: CAR-616 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 23:51:42 +00:00
cartsnitch-cto[bot]	8592701382	feat(ci): add Grype image vulnerability scanning to all Docker builds feat(ci): add Grype image vulnerability scanning to all Docker builds	2026-04-14 23:25:17 +00:00
Paperclip	17447fb5e1	feat(ci): add Grype image vulnerability scanning to all Docker builds	2026-04-14 23:13:47 +00:00
cartsnitch-cto[bot]	b274fdff8e	Merge pull request #198 from cartsnitch/fix/car-608-auth-health-check fix: restore DB connectivity check to auth health endpoint	2026-04-14 16:39:18 +00:00
Paperclip	a64dc7ab5e	fix: restore DB connectivity check to auth health endpoint Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 16:35:24 +00:00
cartsnitch-cto[bot]	0fb99e6c16	Merge pull request #187 from cartsnitch/fix/auth-config-validation fix: add startup validation to auth service config	2026-04-14 16:19:13 +00:00
Barcode Betty	a53daddb9a	fix: update vite to resolve high-severity audit vulnerability	2026-04-14 16:09:48 +00:00
Paperclip	3351d74058	fix: add startup validation to auth service config - Add DATABASE_URL validation after BETTER_AUTH_SECRET check - Warn clearly when DATABASE_URL is not set (uses localhost default) - Move pool declaration after validation blocks Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 16:03:37 +00:00
cartsnitch-cto[bot]	adfa34f2c2	Merge pull request #186 from cartsnitch/fix/receiptwitness-config-validation fix: add startup validation to ReceiptWitness config	2026-04-14 14:07:48 +00:00
Paperclip	ade03fdd1c	fix: add startup validation to ReceiptWitness config Add Pydantic model_validator to ReceiptWitnessSettings that fails fast if session_encryption_key is missing or a placeholder value. Conditional validation for resend_api_key when notifications_enabled=true. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 13:52:24 +00:00
cartsnitch-cto[bot]	5825174f0d	Merge pull request #179 from cartsnitch/feature/cart-550-api-lifespan-pooling feat(api): implement FastAPI lifespan with connection pooling (CAR-550)	2026-04-14 13:48:17 +00:00
Barcode Betty	68e6be1985	feat(api): implement FastAPI lifespan with connection pooling - Add connection pool config to SQLAlchemy async engine (pool_size=10, max_overflow=20, pool_pre_ping, pool_recycle) - Implement Redis connection pool in CacheClient with initialize/close lifecycle - Wire lifespan startup/shutdown to initialize and dispose pools - Add dispose_engine() for graceful DB pool cleanup on shutdown Closes CAR-550 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 13:12:46 +00:00
cartsnitch-cto[bot]	c2a0263ddd	fix(security): use SHA-256 hash for rate limit key instead of token suffix (#169 ) fix(security): use SHA-256 hash for rate limit key instead of token suffix	2026-04-14 12:45:15 +00:00
cartsnitch-cto[bot]	da96ec7dc4	Merge pull request #172 from cartsnitch/fix/cors-security-headers CTO review: LGTM. CORS methods restricted to explicit list (no TRACE/CONNECT), headers whitelisted, nginx security headers added (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP). Clean diff, CI green.	2026-04-14 11:57:52 +00:00
CartSnitch Engineer Bot	37798251be	fix: restrict CORS to explicit methods and add security headers - Replace allow_methods=[""] with explicit list: GET, POST, PUT, DELETE, PATCH, OPTIONS - Replace allow_headers=[""] with explicit list: Content-Type, Authorization, Accept, Origin, X-Requested-With - Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP nginx headers Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 11:49:02 +00:00
CartSnitch Engineer Bot	bc5e03e7a0	fix(security): use SHA-256 hash for rate limit key instead of token suffix Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 11:36:17 +00:00
cartsnitch-cto[bot]	ee97f64db6	Merge pull request #156 from cartsnitch/fix/hardcoded-secrets fix: remove hardcoded default secrets from API config	2026-04-14 11:31:40 +00:00
CartSnitch Engineer Bot	538a5f4f4d	fix: remove hardcoded default secrets from API config Remove dangerous default values for jwt_secret_key, service_key, and fernet_key. Add startup validation that raises RuntimeError if these secrets are not set via environment variables or contain placeholder values. Add test fixture to provide explicit test values for these secrets, ensuring existing tests continue to pass. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 11:11:23 +00:00
cartsnitch-cto[bot]	4485bf1d5e	Merge pull request #148 from cartsnitch/betty/fix-alembic-create-all-commit fix(api): commit after create_all in alembic env.py	2026-04-04 21:57:54 +00:00
cartsnitch-cto[bot]	f7bf767da5	Merge pull request #147 from cartsnitch/betty/car-517-domain-tables-migration CTO review: APPROVED. Migration creates all 9 domain tables in correct FK order with idempotent guards. env.py commit fix resolves SQLAlchemy 2.0 DDL persistence issue.	2026-04-04 21:36:48 +00:00
Barcode Betty	2f1833e90d	fix(api): commit after create_all in alembic env.py SQLAlchemy 2.0 removed implicit autocommit; without an explicit connection.commit() DDL changes from create_all() are rolled back when the connection closes, leaving fresh databases without tables. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 21:36:05 +00:00
cartsnitch-engineer[bot]	b2725fd512	fix(api): create domain tables migration + fix create_all commit Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 21:22:24 +00:00
cartsnitch-cto[bot]	5532b43e38	Merge pull request #145 from cartsnitch/betty/fix-alembic-model-import fix(api): import Base from models package to register all ORM tables	2026-04-04 21:20:11 +00:00
Barcode Betty	0be7ccd4b4	fix(api): import Base from models package to register all ORM tables The models/__init__.py imports all ORM model classes (Store, Product, Coupon, etc.) which registers their table definitions with Base.metadata. Importing Base directly from models.base skips this registration, so alembic's create_all() on fresh databases fails to create app tables. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 21:12:13 +00:00
cartsnitch-cto[bot]	6d37cecdba	Merge pull request #143 from cartsnitch/betty/fix-session-cookie-parsing fix(auth): parse compound Better-Auth cookie/bearer token	2026-04-04 20:39:09 +00:00
Barcode Betty	3745f5be69	fix(auth): parse compound Better-Auth cookie/bearer token to extract token part Better-Auth sets the session cookie as "token.sessionId". The DB stores only the token part, so passing the full compound value caused 401s. Splits on "." for both cookie and Bearer paths. Tests added for compound cookie, raw token cookie (regression), and compound Bearer token. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 20:32:43 +00:00
cartsnitch-cto[bot]	abec954320	Merge pull request #141 from cartsnitch/betty/fix-api-database-url-fallback fix(api): accept DATABASE_URL as fallback for shared DB with auth service	2026-04-04 20:05:47 +00:00
Barcode Betty	ec9deb515b	fix(api): accept DATABASE_URL as fallback for shared DB with auth service API config.py now reads CARTSNITCH_DATABASE_URL first, falls back to DATABASE_URL (which the infra K8s overlay sets for all pods), and finally falls back to the hardcoded default. Also normalizes plain postgresql:// to postgresql+asyncpg:// for the asyncpg driver. Fixes CAR-510. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 19:52:24 +00:00
cartsnitch-cto[bot]	cfed9b0482	Merge pull request #139 from cartsnitch/betty/revert-sha256-session-hash fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens	2026-04-04 19:25:23 +00:00
Barcode Betty	25edd8d5e3	fix(api): revert SHA-256 session token hashing — better-auth stores raw tokens Better-auth v1.5.6 stores raw 32-char tokens in sessions.token, not SHA-256 hashes. The SHA-256 fix from PR #136 causes all authenticated API calls to return 401 because the UAT sessions table contains raw tokens. - Remove hashlib from dependencies.py; compare tokens directly - Remove hashlib from conftest.py; store raw tokens in test DB - Remove hashlib from test_expired_session_rejected; use raw tokens Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-04 19:21:26 +00:00
cartsnitch-cto[bot]	bd3cb3b9ab	fix(api): hash session token with SHA-256 before DB lookup (#136 ) fix(api): hash session token with SHA-256 before DB lookup	2026-04-04 19:06:30 +00:00
cartsnitch-cto[bot]	3bedc651c6	Merge pull request #133 from cartsnitch/fix/alembic-version-table-width fix(api): widen alembic version_table column to 128 chars	2026-04-04 19:01:09 +00:00
Barcode Betty	138033be9b	fix(api): hash session token with SHA-256 before DB lookup Better-Auth v1.2+ stores SHA-256(raw_token) in the sessions.token column. The cookie/Bearer header carries the raw token, so the API was doing a plain-text lookup that would never match a hashed value — causing all authenticated endpoints to return 401. - Add hashlib import and hash token in _validate_session_token() - Update conftest._create_test_user_and_session() to store hashed tokens - Update test_expired_session_rejected() to store hashed tokens Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 19:00:09 +00:00
cartsnitch-cto[bot]	8ddefe82e4	fix: read __Secure- prefixed session cookie in API auth (#134 ) fix: read __Secure- prefixed session cookie in API auth	2026-04-04 18:48:30 +00:00
Barcode Betty	def921f115	fix(api): read __Secure- prefixed session cookie in auth Better-auth sets the session cookie with the __Secure- prefix on HTTPS deployments. The API was only reading the plain cookie name, causing all authenticated calls to return 401 in dev/UAT/prod environments. Check __Secure-better-auth.session_token first, fall back to better-auth.session_token for HTTP local dev compatibility. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:40:22 +00:00
Pawla Abdul	43ee1c3531	fix(api): widen alembic version_table column to 128 chars Default varchar(32) alembic_version column truncates long revision IDs like 003_make_users_hashed_password_nullable (39 chars) on fresh databases. Set version_table_column_width=128 in both context.configure() calls. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 18:32:36 +00:00
cartsnitch-cto[bot]	f03d7a33c8	Merge pull request #131 from cartsnitch/betty/fix-uat-users-table-bootstrap fix(api): bootstrap users table in migration 007 + harden create_all	2026-04-04 17:34:32 +00:00
Barcode Betty	7bf0165fe4	fix(api): bootstrap users table in migration 007 + harden create_all Create migration 007 to raw-SQL CREATE TABLE IF NOT EXISTS the users table as a safety net for fresh databases where Base.metadata.create_all() may fail due to import errors before the table is created. Wrap the create_all call in env.py with try/except so alembic never crashes due to create_all failures — migrations already handle table creation. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 17:10:29 +00:00
cartsnitch-cto[bot]	ef63c47b7c	fix(api): make alembic migrations idempotent for fresh databases (#129 ) fix(api): make alembic migrations idempotent for fresh databases	2026-04-04 16:41:02 +00:00
Pawla Abdul	be75c7f254	fix(api): add fresh-DB guards to migrations 002, 005, and 006 - 002: wrap add_column calls in has_table("users") guard - 005: add has_table + column-existence guard before add_column - 006: add has_table + column + default-existence guard before alter_column Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 16:39:27 +00:00
Pawla Abdul	e90637c227	fix(api): make alembic migrations idempotent for fresh databases - 001: guard has_table check; skip if session_data already TEXT - 002: guard each ADD COLUMN / CREATE TABLE; guard password migration - 003: guard has_table; guard nullable check - 004: guard has_table; skip if users.id already TEXT - env.py: add Base.metadata.create_all after run_migrations to bootstrap fresh DBs - api/user.py: make hashed_password nullable; add email_verified, image, email_inbound_token fields Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 16:28:29 +00:00
cartsnitch-cto[bot]	67e60c9ae1	Merge pull request #127 from cartsnitch/betty/fix-libpq5-dockerfile fix: install libpq5 runtime in API prod Docker stage	2026-04-04 15:52:33 +00:00
Barcode Betty	a25b673dd6	fix: install libpq5 runtime in API prod Docker stage psycopg2 compiled against libpq-dev in the build stage now has its runtime dependency (libpq5) available in the prod stage. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 10:51:57 +00:00
cartsnitch-cto[bot]	4e003ba3d0	Merge pull request #125 from cartsnitch/fix/alembic-percent-escape fix(api): escape percent signs in alembic database URL	2026-04-04 06:36:51 +00:00
Barcode Betty	4996ff7432	fix(api): escape percent signs in alembic database URL for configparser CNPG-generated passwords containing URL-encoded chars (e.g. %2B, %2F) cause configparser.BasicInterpolation to fail with "invalid interpolation syntax". Escaping % as %% prevents this. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 06:31:48 +00:00
cartsnitch-cto[bot]	ffc6c7960d	fix(api): add server_default to users.email_inbound_token (#123 ) fix(api): add server_default to users.email_inbound_token	2026-04-04 06:23:34 +00:00
Pawla Abdul	cf16415720	fix(api): add server_default to users.email_inbound_token Better-Auth creates users via raw SQL INSERT (not through SQLAlchemy), so it bypasses ORM defaults and causes HTTP 500 on sign-up/sign-in. Adds PostgreSQL server_default so INSERT without email_inbound_token auto-generates a URL-safe token matching Python secrets.token_urlsafe(16). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 06:17:37 +00:00
cartsnitch-cto[bot]	33f9e17339	fix(ci): use full SHA in docker/metadata-action tags (#121 ) fix(ci): use full SHA in docker/metadata-action tags	2026-04-04 05:37:22 +00:00
cartsnitch-engineer[bot]	7639be9a41	fix(ci): use full SHA in docker/metadata-action tags The sha_tag output is a 40-char SHA, but docker/metadata-action defaults to short (7-char) SHA tags. This caused UAT pods to fail image pulls because kustomization tags didn't match GHCR tags. Change type=sha,prefix=sha- to type=sha,prefix=sha-,format=long in all four build jobs (cartsnitch, auth, receiptwitness, api). Fixes CAR-482. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 05:31:04 +00:00
cartsnitch-cto[bot]	ebe439ce84	fix(ci): build and deploy from dev and uat branches fix(ci): build and deploy from dev and uat branches	2026-04-04 04:59:40 +00:00
cartsnitch-engineer[bot]	a663729121	fix(ci): build and deploy from dev and uat branches	2026-04-04 04:54:09 +00:00
cartsnitch-cto[bot]	4fc7933e30	Merge pull request #117 from cartsnitch/betty/fix-alembic-dockerfile fix(api): include alembic config and migrations in Docker image	2026-04-04 04:44:47 +00:00
cartsnitch-engineer[bot]	6e0cb93ee2	fix(api): include alembic config and migrations in Docker image	2026-04-04 04:40:50 +00:00
cartsnitch-qa[bot]	0e4848f8b4	Merge pull request #115 from cartsnitch/betty/fix-uat-trustedorigins fix(auth): add UAT hostname to trustedOrigins	2026-04-04 04:24:09 +00:00
Pawla Abdul	bb7010f881	fix(auth): add UAT hostname to trustedOrigins Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 04:18:03 +00:00
cartsnitch-cto[bot]	4756e1c1c5	Merge pull request #114 from cartsnitch/feat/sync-common-email-inbound-token feat(common): sync email_inbound_token from standalone common repo	2026-04-03 20:18:35 +00:00
Barcode Betty	73c038e406	feat(common): sync email_inbound_token from standalone repo	2026-04-03 20:12:35 +00:00
cartsnitch-cto[bot]	02e34d65bb	fix(ci): use api/Dockerfile in build-and-push-api job fix(ci): use api/Dockerfile in build-and-push-api job	2026-04-03 19:53:46 +00:00