Edge proxy performs optimistic cookie auth and Upstash rate limiting before app routes run.
Better Auth handler, Stripe webhook, Server Actions, React Email templates, AI chat/object streaming, and dynamic OG routes live in one App Router app.
Only `BETTER_AUTH_SECRET`, `DATABASE_URL`, and `NEXT_PUBLIC_APP_URL` are required to boot; missing Stripe, Resend, OAuth, Upstash, or AI keys hide/no-op gracefully.
Data model
Auth, organization, user, invite, subscription, chat, and app tables share one Drizzle/Postgres schema.
The same schema supports single-user billing and organization tenancy; behavior switches through `starter.config.ts`.
Email templates, AI chat history, structured AI outputs, admin state, Stripe customer/subscription links, and feature flags use typed server/client contracts.
Techniques
Auth schema regenerates from the Better Auth plugin config before Drizzle migration generation.
Per-seat Stripe quantity sync runs from member add/remove hooks with prorations.
Shared Zod schemas keep `streamObject` output aligned between server and client.
Admin plugin supports user management, ban/unban, role changes, and impersonation while authenticated routes stay under one shell.
Verification
Security baseline includes Upstash rate limiting, strict CSP, security headers, and optimistic Edge auth gating in `proxy.ts`.
Auth plugins include passkeys/WebAuthn, TOTP, magic links, Google/GitHub OAuth, Stripe, organization tenancy, and admin console.
Single + multi tenancy use the same schema, with behavior controlled by config rather than a forked codebase.
Per-seat billing updates Stripe subscription item quantity when team members are added or removed.
Vitest and Playwright scripts exist alongside Drizzle migration, seed, and auth-schema generation commands.
Graceful degradation lets a fresh clone demonstrate the product before every optional provider is configured.