Hosted edition: subscriptions, plan gating, onboarding, auth hardening + RLS (config-gated)

.env.example

@@ -20,10 +20,27 @@ TWILIO_ACCOUNT_SID=
 TWILIO_AUTH_TOKEN=
 TWILIO_PHONE_NUMBER=
 
-# Stripe
+# Stripe (client invoicing — client portal payments)
 STRIPE_SECRET_KEY=
 STRIPE_WEBHOOK_SECRET=
 
+# Hosted SaaS subscriptions (managed service only — leave HOSTED_BILLING_ENABLED
+# unset for self-host so the OSS edition runs fully unlocked). When enabled,
+# plan tiers are enforced and these must be set.
+HOSTED_BILLING_ENABLED=
+# Cloud plan: $99/mo recurring Price, charged per location (Stripe quantity).
+STRIPE_PRICE_CLOUD=
+# Metered overage Prices for usage beyond the included monthly allowances.
+STRIPE_PRICE_SMS_OVERAGE=
+STRIPE_PRICE_AI_OVERAGE=
+# Separate webhook endpoint secret for customer.subscription.* events.
+STRIPE_SUBSCRIPTION_WEBHOOK_SECRET=
+# Public base URL used to build Stripe success/return URLs (falls back to NEXTAUTH_URL).
+NEXT_PUBLIC_APP_URL="http://localhost:3000"
+# Comma-separated emails allowed into the cross-tenant platform admin dashboard
+# (/admin). OpenVPM operators only — separate from a practice's own admin role.
+PLATFORM_ADMIN_EMAILS=
+
 # Cron job authentication
 CRON_SECRET=
 

.gitignore

@@ -49,3 +49,6 @@ docs/screenshots/audit/
 test-results/
 CAVSG_AI_Innovator_Survey_COMPLETED.docx
 package-lock.json
+
+# Local MCP server config (not for the public repo)
+.mcp.json

apps/web/app/(auth)/forgot-password/page.tsx

@@ -0,0 +1,70 @@
+"use client";
+
+import { useState } from "react";
+import Link from "next/link";
+import { trpc } from "@/lib/trpc";
+import { toast } from "sonner";
+
+export default function ForgotPasswordPage() {
+  const [email, setEmail] = useState("");
+  const [sent, setSent] = useState(false);
+
+  const request = trpc.auth.requestPasswordReset.useMutation({
+    onSuccess: () => setSent(true),
+    onError: (err) => toast.error(err.message),
+  });
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-surface">
+      <div className="w-full max-w-sm rounded-lg border border-border bg-card p-8">
+        <div className="mb-6 text-center">
+          <h1 className="font-heading text-2xl font-bold text-foreground">OpenVPM</h1>
+          <p className="mt-1 text-sm text-muted-foreground">Reset your password</p>
+        </div>
+
+        {sent ? (
+          <p className="text-center text-sm text-muted-foreground">
+            If an account exists for <strong>{email}</strong>, we&apos;ve sent a reset link.
+            Check your inbox.
+          </p>
+        ) : (
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              request.mutate({ email });
+            }}
+            className="space-y-4"
+          >
+            <div>
+              <label htmlFor="email" className="mb-1.5 block text-sm font-medium text-foreground">
+                Email
+              </label>
+              <input
+                id="email"
+                type="email"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                required
+                className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring"
+                placeholder="you@clinic.com"
+              />
+            </div>
+            <button
+              type="submit"
+              disabled={request.isPending}
+              className="w-full rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground transition-colors hover:bg-primary/90 disabled:opacity-50"
+            >
+              {request.isPending ? "Sending…" : "Send reset link"}
+            </button>
+          </form>
+        )}
+
+        <p className="mt-4 text-center text-sm text-muted-foreground">
+          <Link href="/login" className="text-primary hover:underline">
+            Back to sign in
+          </Link>
+        </p>
+      </div>
+    </div>
+  );
+}

apps/web/app/(auth)/login/page.tsx

@@ -177,6 +177,11 @@ export default function LoginPage() {
         </form>
 
         <p className="mt-4 text-center text-sm text-muted-foreground">
+          <Link href="/forgot-password" className="text-primary hover:underline">
+            Forgot your password?
+          </Link>
+        </p>
+        <p className="mt-2 text-center text-sm text-muted-foreground">
           Don&apos;t have an account?{" "}
           <Link href="/register" className="text-primary hover:underline">
             Register your practice

apps/web/app/(auth)/register/page.tsx

@@ -16,16 +16,23 @@ export default function RegisterPage() {
   const [error, setError] = useState("");
   const [loading, setLoading] = useState(false);
 
+  const [verifySent, setVerifySent] = useState(false);
+
   const registerMutation = trpc.auth.register.useMutation({
-    onSuccess: async () => {
+    onSuccess: async (data) => {
+      // Hosted: email verification required → show a "check your inbox" notice.
+      if (data?.verificationRequired) {
+        setVerifySent(true);
+        setLoading(false);
+        return;
+      }
+      // Self-host: auto-sign in after registration.
       toast.success("Account created! Redirecting...");
-      // Auto-sign in after registration
       const result = await signIn("credentials", {
         email,
         password,
         redirect: false,
       });
-
       if (result?.ok) {
         router.push("/");
         router.refresh();
@@ -38,6 +45,23 @@ export default function RegisterPage() {
     },
   });
 
+  if (verifySent) {
+    return (
+      <div className="flex min-h-screen items-center justify-center bg-surface">
+        <div className="w-full max-w-sm rounded-lg border border-border bg-card p-8 text-center">
+          <h1 className="font-heading text-2xl font-bold text-foreground">Check your email</h1>
+          <p className="mt-3 text-sm text-muted-foreground">
+            We sent a verification link to <strong>{email}</strong>. Click it to activate
+            your account and start your 14-day free trial.
+          </p>
+          <Link href="/login" className="mt-6 inline-block text-sm text-primary hover:underline">
+            Back to sign in
+          </Link>
+        </div>
+      </div>
+    );
+  }
+
   async function handleSubmit(e: React.FormEvent) {
     e.preventDefault();
     setError("");
@@ -55,6 +79,9 @@ export default function RegisterPage() {
           <p className="mt-1 text-sm text-muted-foreground">
             Register your practice
           </p>
+          <p className="mt-1 text-xs text-muted-foreground">
+            14-day free trial · no credit card required
+          </p>
         </div>
 
         <form onSubmit={handleSubmit} className="space-y-4">

apps/web/app/(auth)/reset-password/page.tsx

@@ -0,0 +1,85 @@
+"use client";
+
+import { Suspense, useState } from "react";
+import { useSearchParams } from "next/navigation";
+import Link from "next/link";
+import { trpc } from "@/lib/trpc";
+import { toast } from "sonner";
+
+function ResetPasswordInner() {
+  const params = useSearchParams();
+  const token = params.get("token") ?? "";
+  const [password, setPassword] = useState("");
+  const [done, setDone] = useState(false);
+
+  const reset = trpc.auth.resetPassword.useMutation({
+    onSuccess: () => setDone(true),
+    onError: (err) => toast.error(err.message),
+  });
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-surface">
+      <div className="w-full max-w-sm rounded-lg border border-border bg-card p-8">
+        <div className="mb-6 text-center">
+          <h1 className="font-heading text-2xl font-bold text-foreground">OpenVPM</h1>
+          <p className="mt-1 text-sm text-muted-foreground">Choose a new password</p>
+        </div>
+
+        {done ? (
+          <div className="text-center">
+            <p className="text-sm text-foreground">Your password has been reset.</p>
+            <Link
+              href="/login"
+              className="mt-6 inline-block rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90"
+            >
+              Sign in
+            </Link>
+          </div>
+        ) : !token ? (
+          <p className="text-center text-sm text-destructive">
+            This reset link is invalid. Request a new one from the sign-in page.
+          </p>
+        ) : (
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              reset.mutate({ token, password });
+            }}
+            className="space-y-4"
+          >
+            <div>
+              <label htmlFor="password" className="mb-1.5 block text-sm font-medium text-foreground">
+                New password
+              </label>
+              <input
+                id="password"
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                required
+                minLength={8}
+                className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring"
+                placeholder="At least 8 characters"
+              />
+            </div>
+            <button
+              type="submit"
+              disabled={reset.isPending}
+              className="w-full rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground transition-colors hover:bg-primary/90 disabled:opacity-50"
+            >
+              {reset.isPending ? "Resetting…" : "Reset password"}
+            </button>
+          </form>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default function ResetPasswordPage() {
+  return (
+    <Suspense fallback={null}>
+      <ResetPasswordInner />
+    </Suspense>
+  );
+}

apps/web/app/(auth)/verify-email/page.tsx

@@ -0,0 +1,71 @@
+"use client";
+
+import { Suspense, useEffect, useRef, useState } from "react";
+import { useSearchParams } from "next/navigation";
+import Link from "next/link";
+import { trpc } from "@/lib/trpc";
+
+function VerifyEmailInner() {
+  const params = useSearchParams();
+  const token = params.get("token") ?? "";
+  const [status, setStatus] = useState<"verifying" | "ok" | "error">("verifying");
+  const ran = useRef(false);
+
+  const verify = trpc.auth.verifyEmail.useMutation({
+    onSuccess: () => setStatus("ok"),
+    onError: () => setStatus("error"),
+  });
+
+  useEffect(() => {
+    if (ran.current) return;
+    ran.current = true;
+    if (!token) {
+      setStatus("error");
+      return;
+    }
+    verify.mutate({ token });
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [token]);
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-surface">
+      <div className="w-full max-w-sm rounded-lg border border-border bg-card p-8 text-center">
+        <h1 className="font-heading text-2xl font-bold text-foreground">OpenVPM</h1>
+        {status === "verifying" && (
+          <p className="mt-3 text-sm text-muted-foreground">Verifying your email…</p>
+        )}
+        {status === "ok" && (
+          <>
+            <p className="mt-3 text-sm text-foreground">
+              Your email is verified. You can now sign in and start your free trial.
+            </p>
+            <Link
+              href="/login"
+              className="mt-6 inline-block rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90"
+            >
+              Sign in
+            </Link>
+          </>
+        )}
+        {status === "error" && (
+          <>
+            <p className="mt-3 text-sm text-destructive">
+              This verification link is invalid or has expired.
+            </p>
+            <Link href="/login" className="mt-6 inline-block text-sm text-primary hover:underline">
+              Back to sign in
+            </Link>
+          </>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default function VerifyEmailPage() {
+  return (
+    <Suspense fallback={null}>
+      <VerifyEmailInner />
+    </Suspense>
+  );
+}