Production-ready Better Auth. Orgs, billing, admin — shipped in an afternoon, not three weeks.

export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: "pg", schema }),
  emailAndPassword: { enabled: true, requireEmailVerification: true },
  socialProviders: socialProviders(), // GitHub live, Google one flag away
  plugins: [
    organization({ creatorRole: "owner", invitationExpiresIn: WEEK }),
    stripePlugin({ subscription: { enabled: true, plans } }),
    admin({ adminRoles: ["admin"] }),
    nextCookies(), // must stay last
  ],
});

export async function requireOrgPermission(
  permissions: OrgPermission,
  options?: { redirectTo?: string },
): Promise<void> {
  const allowed = await hasOrgPermission(permissions);
  if (!allowed) {
    if (options?.redirectTo) redirect(options.redirectTo);
    throw new Error("FORBIDDEN");
  }
}

async function authorizeOrgBillingReference({ user, referenceId, action }) {
  const [membership] = await db
    .select({ role: schema.member.role })
    .from(schema.member)
    .where(and(eq(member.userId, user.id), eq(member.organizationId, referenceId)))
    .limit(1);
  if (!membership) return false; // not a member → cross-org billing blocked
  if (READ_ONLY_BILLING_ACTIONS.has(action)) return true; // any member may read
  return BILLING_MANAGER_ROLES.has(membership.role); // mutate: owner/admin only
}

export async function requireProPlan() {
  const organization = await requireActiveOrganization({ throwOnMissing: true });
  const subscription = await getActiveOrgSubscription(organization.id);
  if (subscription?.plan !== PRO_PLAN) {
    throw new Error(PLAN_REQUIRED); // a Free org can't reach this, even directly
  }
  return { organizationId: organization.id, subscription };
}

export async function requireAdmin(): Promise<Session> {
  const session = await getSession();
  if (!session) redirect("/sign-in?redirectTo=/admin");
  if (!isSystemAdmin(session.user)) {
    redirect("/dashboard"); // logged-in non-admin: clean deny, never the panel
  }
  return session;
}

// 1) Edge: a cheap, optimistic redirect — no DB on the edge.
export default function proxy(request: NextRequest) {
  if (!getSessionCookie(request)) {
    return NextResponse.redirect(new URL("/sign-in", request.url));
  }
  return NextResponse.next();
}
// 2) Server layout: the authoritative check (lib/session.ts).
export async function requireSession() {
  const session = await getSession();
  if (!session) redirect("/sign-in");
  return session;
}

# Rewrite a NextAuth or Clerk project toward Better Auth.
# Deterministic, idempotent (running twice == running once), fixture-tested.
node ./migrate/cli.mjs --transform nextauth --dry ./src   # preview the diff
node ./migrate/cli.mjs --transform nextauth ./src         # apply in place
node ./migrate/cli.mjs --transform clerk ./src            # or migrate Clerk

pnpm test:unit      # 223 unit tests (Vitest, incl. the codemod corpus)
pnpm test:codemods  # just the codemod fixtures (equality + idempotency)
pnpm test:e2e       # Playwright: auth, orgs, billing, admin happy + abuse paths
pnpm test:clone     # times a fresh clone → running app (proven under 10 min)