Initial commit: Port Nimara CRM (Layers 0-4)

Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM,
PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source
files covering clients, berths, interests/pipeline, documents/EOI,
expenses/invoices, email, notifications, dashboard, admin, and
client portal. CI/CD via Gitea Actions with Docker builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/auth/index.ts

@@ -0,0 +1,53 @@
+import { betterAuth } from 'better-auth';
+import { drizzleAdapter } from 'better-auth/adapters/drizzle';
+
+import { db } from '@/lib/db';
+import { logger } from '@/lib/logger';
+
+/**
+ * Better Auth server configuration.
+ *
+ * Sessions are stored in PostgreSQL (not Redis) per SECURITY-GUIDELINES.md §1.2.
+ * The drizzle adapter handles session persistence via the existing `sessions` table.
+ */
+export const auth = betterAuth({
+  database: drizzleAdapter(db, {
+    provider: 'pg',
+  }),
+
+  emailAndPassword: {
+    enabled: true,
+    minPasswordLength: 12,
+    // Accounts are admin-created only — no self-service email verification flow.
+    requireEmailVerification: false,
+  },
+
+  session: {
+    // Enable cookie-level session caching to reduce DB reads (5-minute cache).
+    cookieCache: {
+      enabled: true,
+      maxAge: 5 * 60,
+    },
+    // Absolute session lifetime: 24 hours.
+    expiresIn: 60 * 60 * 24,
+    // Refresh the session whenever the user is active in the last 25% of its lifetime (6h).
+    updateAge: 60 * 60 * 6,
+  },
+
+  advanced: {
+    cookiePrefix: 'pn-crm',
+    defaultCookieAttributes: {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'strict' as const,
+    },
+  },
+
+  logger: {
+    disabled: false,
+    level: 'error' as const,
+  },
+});
+
+export type Session = typeof auth.$Infer.Session;
+export type User = typeof auth.$Infer.Session.user;