refactor(auth): localize admin auth and replace latest ranges

packages/auth/package.json

@@ -1,25 +0,0 @@
-{
-  "name": "@cms/auth",
-  "version": "0.0.1",
-  "private": true,
-  "type": "module",
-  "exports": {
-    ".": "./src/index.ts",
-    "./server": "./src/server.ts"
-  },
-  "scripts": {
-    "lint": "biome check src",
-    "typecheck": "tsc -p tsconfig.json --noEmit"
-  },
-  "dependencies": {
-    "@cms/content": "workspace:*",
-    "@cms/db": "workspace:*",
-    "better-auth": "^1.4.18"
-  },
-  "devDependencies": {
-    "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "@types/node": "latest",
-    "typescript": "latest"
-  }
-}

packages/auth/src/index.ts

@@ -1,7 +0,0 @@
-export {
-  type AuthSession,
-  auth,
-  authRouteHandlers,
-  isAdminRegistrationEnabled,
-  resolveRoleFromAuthSession,
-} from "./server"

packages/auth/src/server.ts

@@ -1,84 +0,0 @@
-import { normalizeRole, type Role } from "@cms/content/rbac"
-import { db } from "@cms/db"
-import { betterAuth } from "better-auth"
-import { prismaAdapter } from "better-auth/adapters/prisma"
-import { toNextJsHandler } from "better-auth/next-js"
-
-const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
-
-const isProduction = process.env.NODE_ENV === "production"
-
-const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
-const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
-
-function resolveAuthSecret(): string {
-  const value = process.env.BETTER_AUTH_SECRET
-
-  if (value) {
-    return value
-  }
-
-  if (isProduction) {
-    throw new Error("BETTER_AUTH_SECRET is required in production")
-  }
-
-  return FALLBACK_DEV_SECRET
-}
-
-export function isAdminRegistrationEnabled(): boolean {
-  const value = process.env.CMS_ADMIN_REGISTRATION_ENABLED
-
-  if (value === "true") {
-    return true
-  }
-
-  if (value === "false") {
-    return false
-  }
-
-  return !isProduction
-}
-
-export const auth = betterAuth({
-  appName: "CMS Admin",
-  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
-  secret: resolveAuthSecret(),
-  trustedOrigins: [adminOrigin, webOrigin],
-  database: prismaAdapter(db, {
-    provider: "postgresql",
-  }),
-  emailAndPassword: {
-    enabled: true,
-    disableSignUp: !isAdminRegistrationEnabled(),
-  },
-  user: {
-    additionalFields: {
-      role: {
-        type: "string",
-        required: true,
-        defaultValue: "editor",
-        input: false,
-      },
-      isBanned: {
-        type: "boolean",
-        required: true,
-        defaultValue: false,
-        input: false,
-      },
-    },
-  },
-})
-
-export const authRouteHandlers = toNextJsHandler(auth)
-
-export type AuthSession = typeof auth.$Infer.Session
-
-export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
-  const sessionUserRole = session?.user?.role
-
-  if (typeof sessionUserRole !== "string") {
-    return null
-  }
-
-  return normalizeRole(sessionUserRole)
-}

packages/auth/tsconfig.json

@@ -1,8 +0,0 @@
-{
-  "extends": "@cms/config/tsconfig/base",
-  "compilerOptions": {
-    "noEmit": false,
-    "outDir": "dist"
-  },
-  "include": ["src/**/*.ts"]
-}

packages/content/package.json

@@ -13,11 +13,11 @@
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {
-    "zod": "latest"
+    "zod": "4.3.6"
   },
   "devDependencies": {
     "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "typescript": "latest"
+    "@biomejs/biome": "2.3.14",
+    "typescript": "5.9.3"
   }
 }

packages/db/package.json

@@ -10,7 +10,7 @@
     "build": "tsc -p tsconfig.json",
     "lint": "biome check src prisma/seed.ts",
     "typecheck": "tsc -p tsconfig.json --noEmit",
-    "db:auth:generate": "mkdir -p prisma/generated && set -a && . ../../.env && set +a && bunx @better-auth/cli@latest generate --config prisma/better-auth.config.ts --output prisma/generated/better-auth.prisma --yes",
+    "db:auth:generate": "mkdir -p prisma/generated && set -a && . ../../.env && set +a && bunx @better-auth/cli@1.4.18 generate --config prisma/better-auth.config.ts --output prisma/generated/better-auth.prisma --yes",
     "db:generate": "bun --env-file=../../.env prisma generate",
     "db:migrate": "bun --env-file=../../.env prisma migrate dev --name init",
     "db:migrate:named": "bun --env-file=../../.env prisma migrate dev",
@@ -20,19 +20,19 @@
   },
   "dependencies": {
     "@cms/content": "workspace:*",
-    "@prisma/adapter-pg": "latest",
-    "@prisma/client": "latest",
-    "pg": "latest",
-    "zod": "latest"
+    "@prisma/adapter-pg": "7.3.0",
+    "@prisma/client": "7.3.0",
+    "pg": "8.18.0",
+    "zod": "4.3.6"
   },
   "devDependencies": {
     "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "@types/node": "latest",
-    "@types/pg": "latest",
-    "better-auth": "^1.4.18",
-    "prisma": "latest",
-    "typescript": "latest"
+    "@biomejs/biome": "2.3.14",
+    "@types/node": "25.2.2",
+    "@types/pg": "8.16.0",
+    "better-auth": "1.4.18",
+    "prisma": "7.3.0",
+    "typescript": "5.9.3"
   },
   "prisma": {
     "seed": "bun --env-file=../../.env prisma/seed.ts"

packages/ui/package.json

@@ -14,19 +14,19 @@
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {
-    "class-variance-authority": "latest",
-    "clsx": "latest",
-    "tailwind-merge": "latest"
+    "class-variance-authority": "0.7.1",
+    "clsx": "2.1.1",
+    "tailwind-merge": "3.4.0"
   },
   "peerDependencies": {
-    "react": "latest",
-    "react-dom": "latest"
+    "react": "19.2.4",
+    "react-dom": "19.2.4"
   },
   "devDependencies": {
     "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
-    "@types/react": "latest",
-    "@types/react-dom": "latest",
-    "typescript": "latest"
+    "@biomejs/biome": "2.3.14",
+    "@types/react": "19.2.13",
+    "@types/react-dom": "19.2.3",
+    "typescript": "5.9.3"
   }
 }