fix(build): make auth + storage modules side-effect-free at import

Two top-level eager initializers were breaking pnpm build during Next.js
"collect page data" phase under SKIP_ENV_VALIDATION=1:

- src/lib/auth/index.ts created the better-auth singleton at module load,
  triggering its "default secret" check against the unset BETTER_AUTH_SECRET.
- src/lib/minio/index.ts constructed `new Client({...})` at module load with
  env.MINIO_ENDPOINT === undefined, throwing InvalidEndpointError.

Storage config now lives in system_settings (read at runtime by
getStorageBackend()), so the legacy @/lib/minio module's MinIO-client
exports were already unused — only buildStoragePath had real consumers.
Stripped the module to that single pure helper; deleted the dead
minioClient / ensureBucket / getPresignedUrl exports.

For better-auth, kept the existing call-site syntax (`auth.api.foo(...)`
and `typeof auth.$Infer.Session`) by wrapping the singleton in a Proxy
that lazy-instantiates on first property access. Build-time import never
touches env; first runtime request constructs as before.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/auth/index.ts

@@ -39,61 +39,90 @@ const trustedOrigins: (request?: Request) => Promise<string[]> = async (request)
   return ['http://localhost:3000', 'http://localhost:3001'];
 };
 
-export const auth = betterAuth({
-  database: drizzleAdapter(db, {
-    provider: 'pg',
-  }),
+/**
+ * `betterAuth(...)` is wrapped in a lazy initializer so the auth singleton
+ * is constructed on first property access (i.e. first request) rather than
+ * at module import. This is required so that Next.js's "collect page data"
+ * phase during `pnpm build` doesn't trigger better-auth's "default secret"
+ * check against the unset BETTER_AUTH_SECRET — at build time the auth
+ * config is never accessed, and at runtime the env is fully populated.
+ *
+ * Call sites continue to use `auth.api.foo(...)` unchanged; the Proxy
+ * intercepts the property access and resolves the real instance just-in-
+ * time. `typeof auth.$Infer.Session` is a type-only access and never
+ * triggers the Proxy at runtime.
+ */
+function buildAuth() {
+  return betterAuth({
+    database: drizzleAdapter(db, {
+      provider: 'pg',
+    }),
 
-  trustedOrigins,
+    trustedOrigins,
 
-  emailAndPassword: {
-    enabled: true,
-    minPasswordLength: 9,
-    // Accounts are admin-created only - no self-service email verification flow.
-    requireEmailVerification: false,
-    // Self-service password reset for CRM users. The reset link lands
-    // on the existing /reset-password page (which already handles
-    // better-auth's token + new-password POST). The email send goes
-    // through the shared SMTP infra so EMAIL_REDIRECT_TO honours it
-    // in dev.
-    sendResetPassword: async ({ user, url }) => {
-      const { sendEmail } = await import('@/lib/email');
-      const subject = 'Reset your Port Nimara CRM password';
-      const html = `
+    emailAndPassword: {
+      enabled: true,
+      minPasswordLength: 9,
+      // Accounts are admin-created only - no self-service email verification flow.
+      requireEmailVerification: false,
+      // Self-service password reset for CRM users. The reset link lands
+      // on the existing /reset-password page (which already handles
+      // better-auth's token + new-password POST). The email send goes
+      // through the shared SMTP infra so EMAIL_REDIRECT_TO honours it
+      // in dev.
+      sendResetPassword: async ({ user, url }) => {
+        const { sendEmail } = await import('@/lib/email');
+        const subject = 'Reset your Port Nimara CRM password';
+        const html = `
         <p>Hi ${user.name || 'there'},</p>
         <p>You requested a password reset for your Port Nimara CRM account.</p>
         <p><a href="${url}">Click here to set a new password</a> — the link expires in 1 hour.</p>
         <p>If you didn't request this, you can safely ignore this email.</p>
       `;
-      const text = `Reset your password: ${url}`;
-      await sendEmail(user.email, subject, html, undefined, text);
+        const text = `Reset your password: ${url}`;
+        await sendEmail(user.email, subject, html, undefined, text);
+      },
     },
-  },
 
-  session: {
-    // Enable cookie-level session caching to reduce DB reads (5-minute cache).
-    cookieCache: {
-      enabled: true,
-      maxAge: 5 * 60,
+    session: {
+      // Enable cookie-level session caching to reduce DB reads (5-minute cache).
+      cookieCache: {
+        enabled: true,
+        maxAge: 5 * 60,
+      },
+      // Absolute session lifetime: 24 hours.
+      expiresIn: 60 * 60 * 24,
+      // Refresh the session whenever the user is active in the last 25% of its lifetime (6h).
+      updateAge: 60 * 60 * 6,
     },
-    // Absolute session lifetime: 24 hours.
-    expiresIn: 60 * 60 * 24,
-    // Refresh the session whenever the user is active in the last 25% of its lifetime (6h).
-    updateAge: 60 * 60 * 6,
-  },
 
-  advanced: {
-    cookiePrefix: 'pn-crm',
-    defaultCookieAttributes: {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'strict' as const,
+    advanced: {
+      cookiePrefix: 'pn-crm',
+      defaultCookieAttributes: {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict' as const,
+      },
     },
-  },
 
-  logger: {
-    disabled: false,
-    level: 'error' as const,
+    logger: {
+      disabled: false,
+      level: 'error' as const,
+    },
+  });
+}
+
+type AuthInstance = ReturnType<typeof buildAuth>;
+
+let _authInstance: AuthInstance | null = null;
+function getAuth(): AuthInstance {
+  if (!_authInstance) _authInstance = buildAuth();
+  return _authInstance;
+}
+
+export const auth = new Proxy({} as AuthInstance, {
+  get(_target, prop) {
+    return Reflect.get(getAuth(), prop);
   },
 });