diff --git a/docs/ERROR_TRACKING_DESIGN.md b/docs/ERROR_TRACKING_DESIGN.md
new file mode 100644
index 000000000..a959634bd
--- /dev/null
+++ b/docs/ERROR_TRACKING_DESIGN.md
@@ -0,0 +1,476 @@
+# Centralized Error Tracking System
+
+> Design document for a centralized error tracking solution across all ManaCore applications.
+
+## Overview
+
+A centralized error tracking system that allows all ManaCore applications (backends and frontends) to report errors to a single database table in `mana-core-auth`. This enables unified error monitoring, analysis, and debugging across the entire ecosystem.
+
+## Architecture
+
+```
+┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
+│   chat-backend  │    │  picture-web    │    │  zitare-mobile  │
+│                 │    │                 │    │                 │
+│ ErrorTracking   │    │ errorTracker    │    │ errorTracker    │
+│    Filter       │    │  .captureError  │    │  .captureError  │
+└────────┬────────┘    └────────┬────────┘    └────────┬────────┘
+         │                      │                      │
+         └──────────────────────┼──────────────────────┘
+                                │
+                    POST /api/v1/errors
+                                │
+                    ┌───────────▼───────────┐
+                    │   mana-core-auth      │
+                    │   ErrorLogsController │
+                    │          │            │
+                    │   ErrorLogsService    │
+                    │          │            │
+                    │   error_logs table    │
+                    └───────────────────────┘
+```
+
+## Components
+
+### 1. Database Schema
+
+**Location:** `services/mana-core-auth/src/db/schema/error-logs.schema.ts`
+
+```typescript
+export const errorLogsSchema = pgSchema('error_logs');
+
+export const errorLogs = errorLogsSchema.table('error_logs', {
+  // Primary key
+  id: uuid('id').primaryKey().defaultRandom(),
+
+  // Error identification
+  errorCode: text('error_code').notNull(),      // e.g., 'VALIDATION_FAILED'
+  errorType: text('error_type').notNull(),      // e.g., 'AppError', 'TypeError'
+  message: text('message').notNull(),
+  stackTrace: text('stack_trace'),
+
+  // Source identification
+  appId: text('app_id').notNull(),              // 'chat', 'picture', 'zitare'
+  sourceType: errorSourceTypeEnum('source_type'), // 'backend', 'frontend_web', 'frontend_mobile'
+  serviceName: text('service_name'),            // 'chat-backend', 'picture-web'
+
+  // User context (optional)
+  userId: text('user_id').references(() => users.id, { onDelete: 'set null' }),
+  sessionId: text('session_id'),
+
+  // Request metadata (backend errors)
+  requestUrl: text('request_url'),
+  requestMethod: text('request_method'),
+  requestHeaders: jsonb('request_headers'),     // Sanitized - no auth tokens
+  requestBody: jsonb('request_body'),           // Sanitized - no passwords
+  responseStatusCode: integer('response_status_code'),
+
+  // Classification
+  environment: errorEnvironmentEnum('environment'), // 'development', 'staging', 'production'
+  severity: errorSeverityEnum('severity'),          // 'debug', 'info', 'warning', 'error', 'critical'
+
+  // Additional context
+  context: jsonb('context').default({}),
+  fingerprint: text('fingerprint'),             // For error grouping/deduplication
+
+  // Browser/device info (frontend errors)
+  userAgent: text('user_agent'),
+  browserInfo: jsonb('browser_info'),
+  deviceInfo: jsonb('device_info'),
+
+  // Timestamps
+  occurredAt: timestamp('occurred_at', { withTimezone: true }).notNull(),
+  createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+});
+```
+
+**Indexes:**
+- `appId` - Filter by application
+- `userId` - Find user-specific errors
+- `environment` - Filter by environment
+- `severity` - Filter by severity level
+- `occurredAt` - Time-based queries
+- `errorCode` - Group by error type
+- `fingerprint` - Deduplicate similar errors
+
+### 2. REST API
+
+**Endpoint:** `POST /api/v1/errors`
+
+**Authentication:** Optional (uses `OptionalAuthGuard`)
+
+**Headers:**
+- `X-App-Id`: Application identifier (fallback if not in body)
+- `Authorization`: Bearer token (optional, for user context)
+
+**Request Body:**
+```typescript
+interface CreateErrorLogDto {
+  // Required
+  errorCode: string;      // Max 100 chars
+  errorType: string;      // Max 100 chars
+  message: string;        // Max 5000 chars
+
+  // Optional
+  stackTrace?: string;    // Max 50000 chars
+  appId?: string;
+  sourceType?: 'backend' | 'frontend_web' | 'frontend_mobile';
+  serviceName?: string;
+  userId?: string;
+  sessionId?: string;
+  requestUrl?: string;
+  requestMethod?: string;
+  requestHeaders?: Record<string, unknown>;
+  requestBody?: Record<string, unknown>;
+  responseStatusCode?: number;
+  environment?: 'development' | 'staging' | 'production';
+  severity?: 'debug' | 'info' | 'warning' | 'error' | 'critical';
+  context?: Record<string, unknown>;
+  fingerprint?: string;
+  browserInfo?: Record<string, unknown>;
+  deviceInfo?: Record<string, unknown>;
+  occurredAt?: string;    // ISO 8601 timestamp
+}
+```
+
+**Response:**
+```typescript
+// Success
+{ success: true, id: string }
+
+// Failure (never throws - always returns)
+{ success: false, error: string }
+```
+
+**Batch Endpoint:** `POST /api/v1/errors/batch`
+```typescript
+// Request
+{ errors: CreateErrorLogDto[] }
+
+// Response
+{ success: true, total: number, succeeded: number, failed: number }
+```
+
+### 3. Shared NestJS Package
+
+**Package:** `@manacore/shared-error-tracking`
+
+**Installation:**
+```bash
+pnpm add @manacore/shared-error-tracking
+```
+
+**Exports:**
+```typescript
+// NestJS module and components
+import {
+  ErrorTrackingModule,
+  ErrorTrackingService,
+  ErrorTrackingFilter
+} from '@manacore/shared-error-tracking/nestjs';
+
+// Frontend clients
+import {
+  createErrorTracker,
+  createSvelteErrorHandler,
+  setupGlobalErrorHandler
+} from '@manacore/shared-error-tracking/frontend';
+
+// Type definitions
+import type {
+  ErrorLogPayload,
+  ErrorTrackingConfig
+} from '@manacore/shared-error-tracking/types';
+```
+
+#### NestJS Integration
+
+**Module Registration:**
+```typescript
+// app.module.ts
+import { ErrorTrackingModule } from '@manacore/shared-error-tracking/nestjs';
+
+@Module({
+  imports: [
+    ErrorTrackingModule.forRootAsync({
+      useFactory: (configService: ConfigService) => ({
+        errorTrackingUrl: configService.get('MANA_CORE_AUTH_URL'),
+        appId: 'chat',
+        serviceName: 'chat-backend',
+        enableLocalLogging: configService.get('NODE_ENV') !== 'production',
+      }),
+      inject: [ConfigService],
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+**Global Exception Filter:**
+```typescript
+// main.ts
+import { ErrorTrackingFilter } from '@manacore/shared-error-tracking/nestjs';
+
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule);
+
+  const errorTrackingFilter = app.get(ErrorTrackingFilter);
+  app.useGlobalFilters(errorTrackingFilter);
+
+  await app.listen(3002);
+}
+```
+
+**Manual Error Reporting:**
+```typescript
+import { ErrorTrackingService } from '@manacore/shared-error-tracking/nestjs';
+
+@Injectable()
+export class SomeService {
+  constructor(private errorTracking: ErrorTrackingService) {}
+
+  async riskyOperation() {
+    try {
+      // ... operation
+    } catch (error) {
+      // Report non-critical error without throwing
+      this.errorTracking.reportError({
+        errorCode: 'SYNC_WARNING',
+        errorType: 'OperationWarning',
+        message: 'Non-critical sync failed',
+        severity: 'warning',
+        context: { operationType: 'background-sync' },
+      });
+    }
+  }
+}
+```
+
+### 4. Frontend Clients
+
+#### SvelteKit Integration
+
+**Setup:**
+```typescript
+// src/lib/error-tracking.ts
+import { createErrorTracker } from '@manacore/shared-error-tracking/frontend';
+import { PUBLIC_MANA_CORE_AUTH_URL } from '$env/static/public';
+
+export const errorTracker = createErrorTracker({
+  errorTrackingUrl: PUBLIC_MANA_CORE_AUTH_URL,
+  appId: 'chat',
+  serviceName: 'chat-web',
+  environment: import.meta.env.MODE === 'production' ? 'production' : 'development',
+  getAuthToken: async () => {
+    // Return JWT token if user is authenticated
+    return authStore.getToken();
+  },
+});
+```
+
+**SvelteKit Hooks:**
+```typescript
+// src/hooks.client.ts
+import { createSvelteErrorHandler, setupGlobalErrorHandler } from '@manacore/shared-error-tracking/frontend';
+import { errorTracker } from '$lib/error-tracking';
+
+// Capture unhandled errors and promise rejections
+if (typeof window !== 'undefined') {
+  setupGlobalErrorHandler(errorTracker);
+}
+
+// Export for SvelteKit
+export const handleError = createSvelteErrorHandler(errorTracker);
+```
+
+**Manual Error Capture:**
+```typescript
+import { errorTracker } from '$lib/error-tracking';
+
+async function loadData() {
+  try {
+    const response = await fetch('/api/data');
+    if (!response.ok) throw new Error('Failed to load data');
+    return response.json();
+  } catch (error) {
+    errorTracker.captureError(error, {
+      component: 'DataLoader',
+      action: 'loadData',
+    });
+    throw error; // Re-throw for UI error boundary
+  }
+}
+```
+
+#### Expo/React Native Integration
+
+**Setup:**
+```typescript
+// src/lib/error-tracking.ts
+import { createErrorTracker, createExpoErrorHandler } from '@manacore/shared-error-tracking/frontend';
+
+export const errorTracker = createErrorTracker({
+  errorTrackingUrl: process.env.EXPO_PUBLIC_MANA_CORE_AUTH_URL!,
+  appId: 'chat',
+  serviceName: 'chat-mobile',
+  environment: __DEV__ ? 'development' : 'production',
+  getAuthToken: async () => authStore.getToken(),
+});
+
+export const { errorHandler } = createExpoErrorHandler(errorTracker);
+```
+
+**Error Boundary:**
+```typescript
+// App.tsx
+import ErrorBoundary from 'react-native-error-boundary';
+import { errorHandler } from '@/lib/error-tracking';
+
+export default function App() {
+  return (
+    <ErrorBoundary onError={errorHandler}>
+      <RootNavigator />
+    </ErrorBoundary>
+  );
+}
+```
+
+## Configuration
+
+### Environment Variables
+
+**mana-core-auth:**
+```env
+# No additional config needed - uses existing DATABASE_URL
+```
+
+**Backend apps:**
+```env
+MANA_CORE_AUTH_URL=http://localhost:3001
+```
+
+**Frontend apps (SvelteKit):**
+```env
+PUBLIC_MANA_CORE_AUTH_URL=http://localhost:3001
+```
+
+**Mobile apps (Expo):**
+```env
+EXPO_PUBLIC_MANA_CORE_AUTH_URL=http://localhost:3001
+```
+
+### Error Tracking Config Options
+
+```typescript
+interface ErrorTrackingConfig {
+  /** URL of mana-core-auth service */
+  errorTrackingUrl: string;
+
+  /** App identifier (e.g., 'chat', 'picture') */
+  appId: string;
+
+  /** Service name for identification */
+  serviceName?: string;
+
+  /** Default environment if not detected */
+  environment?: 'development' | 'staging' | 'production';
+
+  /** Log errors locally as well (default: true in dev) */
+  enableLocalLogging?: boolean;
+
+  /** Custom headers for requests */
+  customHeaders?: Record<string, string>;
+
+  /** Function to get auth token (optional) */
+  getAuthToken?: () => Promise<string | null>;
+}
+```
+
+## Security Considerations
+
+### Automatic Sanitization
+
+The system automatically sanitizes sensitive data before storage:
+
+**Headers sanitized:**
+- `authorization`
+- `cookie`
+- `x-api-key`
+- `api-key`
+
+**Body fields sanitized:**
+- `password`
+- `token`
+- `secret`
+- `apikey`
+- `api_key`
+
+### Data Retention
+
+Consider implementing:
+- Automatic cleanup of old errors (e.g., > 30 days)
+- Aggregation of repeated errors
+- Storage limits per app
+
+## Error Grouping
+
+Errors are grouped by `fingerprint`, which is auto-generated from:
+- `errorCode`
+- `errorType`
+- `appId`
+- `requestUrl` (path only, no query params)
+- `requestMethod`
+
+This allows identifying recurring issues and tracking fix effectiveness.
+
+## Querying Errors
+
+### Example Queries
+
+**Recent errors by app:**
+```sql
+SELECT * FROM error_logs.error_logs
+WHERE app_id = 'chat'
+  AND occurred_at > NOW() - INTERVAL '24 hours'
+ORDER BY occurred_at DESC
+LIMIT 100;
+```
+
+**Error frequency by type:**
+```sql
+SELECT error_code, COUNT(*) as count
+FROM error_logs.error_logs
+WHERE occurred_at > NOW() - INTERVAL '7 days'
+GROUP BY error_code
+ORDER BY count DESC;
+```
+
+**User-specific errors:**
+```sql
+SELECT * FROM error_logs.error_logs
+WHERE user_id = 'user_123'
+ORDER BY occurred_at DESC
+LIMIT 50;
+```
+
+**Errors by fingerprint (grouped):**
+```sql
+SELECT fingerprint, error_code, message, COUNT(*) as occurrences,
+       MIN(occurred_at) as first_seen,
+       MAX(occurred_at) as last_seen
+FROM error_logs.error_logs
+WHERE environment = 'production'
+  AND occurred_at > NOW() - INTERVAL '24 hours'
+GROUP BY fingerprint, error_code, message
+ORDER BY occurrences DESC
+LIMIT 20;
+```
+
+## Future Enhancements
+
+- **Dashboard UI** - Web interface for viewing/filtering errors
+- **Alerting** - Slack/email notifications for critical errors
+- **Rate Limiting** - Prevent error flooding
+- **Sampling** - Sample high-volume errors in production
+- **Source Maps** - Frontend stack trace deobfuscation
+- **Metrics** - Error rate trends and SLI tracking
diff --git a/docs/MANA_CORE_AUTH_ANALYSIS.md b/docs/MANA_CORE_AUTH_ANALYSIS.md
new file mode 100644
index 000000000..a490856fb
--- /dev/null
+++ b/docs/MANA_CORE_AUTH_ANALYSIS.md
@@ -0,0 +1,1012 @@
+# ManaCore Auth Analysis: Session Management & Better Auth Comparison
+
+**Date:** December 17, 2025
+**Version:** 1.0
+**Status:** Final Analysis
+
+## Executive Summary
+
+This comprehensive analysis evaluates the mana-core-auth central authentication system against Better Auth best practices, with specific focus on session persistence ("stay signed in" functionality), security posture, and integration patterns across the ManaCore monorepo.
+
+### Key Findings
+
+**Overall Assessment: B+ (Strong Foundation, Strategic Improvements Needed)**
+
+#### Strengths ✅
+- Modern Better Auth framework (v1.4.3) with EdDSA JWT signing
+- Excellent integration consistency across 15+ apps
+- Robust automatic token refresh with request queuing
+- Strong rate limiting and brute force protection
+- Proper refresh token rotation implementation
+- World-class frontend/backend integration patterns
+
+#### Critical Gaps 🔴
+- **No "stay signed in" / "remember me" feature** - All users get same 7-day session
+- **Manual JWT fallback code** bypasses Better Auth's native JWT plugin
+- **No cookie cache** - Every session check queries database (performance impact)
+- **No security audit logging** - Cannot investigate incidents or track breaches
+- **Transport security incomplete** - Missing HSTS, comprehensive CSP, cookie flags
+
+#### Strategic Opportunities ⚠️
+- Enable Better Auth's cookie cache (98% reduction in DB queries)
+- Implement user-controlled "remember me" (7-day vs 30-day sessions)
+- Add multi-session management UI (view/revoke devices)
+- Complete security hardening (audit logs, headers, CSRF protection)
+
+---
+
+## Table of Contents
+
+1. [Current Implementation Overview](#1-current-implementation-overview)
+2. [Better Auth Capabilities & Best Practices](#2-better-auth-capabilities--best-practices)
+3. [Gap Analysis: What's Missing](#3-gap-analysis-whats-missing)
+4. [Security Assessment](#4-security-assessment)
+5. [Integration Patterns Analysis](#5-integration-patterns-analysis)
+6. [Performance Analysis](#6-performance-analysis)
+7. [Recommendations by Priority](#7-recommendations-by-priority)
+8. [Implementation Roadmap](#8-implementation-roadmap)
+9. [Technical References](#9-technical-references)
+
+---
+
+## 1. Current Implementation Overview
+
+### Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    MANA-CORE-AUTH SERVICE                        │
+│                      (Port 3001)                                 │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                  │
+│  Better Auth Core (v1.4.3)                                      │
+│  ├─ Email/Password Authentication                               │
+│  ├─ Session Management (database-backed)                        │
+│  ├─ JWT Plugin (EdDSA signing)                                  │
+│  ├─ Organization Plugin (multi-tenant B2B)                      │
+│  └─ JWKS Storage (auto-generated Ed25519 keys)                  │
+│                                                                  │
+│  Session Configuration                                           │
+│  ├─ Expiration: 7 days (fixed for all users)                   │
+│  ├─ Update Age: 1 day (sliding window)                          │
+│  ├─ Cookie Cache: ❌ NOT ENABLED                                │
+│  └─ Remember Me: ❌ NOT IMPLEMENTED                             │
+│                                                                  │
+│  Token Architecture                                              │
+│  ├─ Access Token: JWT (15 minutes, EdDSA)                       │
+│  ├─ Refresh Token: Session token (7 days)                       │
+│  └─ Token Rotation: ✅ Implemented                              │
+│                                                                  │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Technology Stack
+
+| Component | Technology | Version |
+|-----------|-----------|---------|
+| **Framework** | Better Auth | 1.4.3 |
+| **JWT Algorithm** | EdDSA (Ed25519) | N/A |
+| **JWT Library** | jose | Latest |
+| **Backend** | NestJS | 10.x |
+| **Database** | PostgreSQL + Drizzle ORM | Latest |
+| **Email** | Brevo (Sendinblue) | Latest |
+
+### Session Management Details
+
+**Current Configuration:**
+```typescript
+// better-auth.config.ts
+session: {
+  expiresIn: 60 * 60 * 24 * 7,  // 7 days
+  updateAge: 60 * 60 * 24,       // Update every 1 day
+  // cookieCache: NOT CONFIGURED
+}
+```
+
+**Session Schema:**
+```typescript
+sessions {
+  id: text (PK)
+  userId: text (FK → users.id)
+  token: text (unique, used as session cookie)
+  expiresAt: timestamp
+  refreshToken: text (unique, for token rotation)
+  refreshTokenExpiresAt: timestamp
+  deviceId: text
+  deviceName: text
+  ipAddress: text
+  userAgent: text
+  lastActivityAt: timestamp
+  revokedAt: timestamp (for manual revocation)
+}
+```
+
+**Token Lifecycle:**
+1. **Login** → Access token (15min) + Refresh token (7 days)
+2. **Access token expires** → Auto-refresh via `@manacore/shared-auth`
+3. **Refresh token used** → Old session revoked, new session created (rotation)
+4. **7 days elapsed** → User must log in again
+
+### JWT Implementation
+
+**Access Token Claims (Minimal):**
+```typescript
+{
+  sub: userId,
+  email: email,
+  role: 'user' | 'admin' | 'service',
+  sid: sessionId,
+  iss: 'manacore',
+  aud: 'manacore',
+  exp: <15 minutes from now>
+}
+```
+
+**Key Management:**
+- EdDSA key pairs auto-generated by Better Auth
+- Stored in `auth.jwks` table (private keys encrypted)
+- Public keys served via `/api/v1/auth/jwks` endpoint
+- JWKS-based validation by all backend services
+
+### Integration Pattern
+
+**Backend (NestJS):**
+```typescript
+@Controller('api')
+@UseGuards(JwtAuthGuard)
+export class MyController {
+  @Get('protected')
+  async getProtected(@CurrentUser() user: CurrentUserData) {
+    return { userId: user.userId };
+  }
+}
+```
+
+**Frontend (SvelteKit):**
+```typescript
+const token = await authStore.getValidToken(); // Auto-refreshes!
+const response = await fetch('/api/endpoint', {
+  headers: { Authorization: `Bearer ${token}` }
+});
+```
+
+---
+
+## 2. Better Auth Capabilities & Best Practices
+
+### 2.1 Cookie Cache Optimization
+
+**What It Is:**
+Better Auth's cookie cache stores session data in cryptographically signed cookies, eliminating database queries for session validation.
+
+**How It Works:**
+```
+WITHOUT CACHE:
+  Every useSession() → Database Query
+
+WITH CACHE (5 min):
+  1st useSession() → Database Query → Cache in signed cookie
+  2nd-Nth useSession() (within 5 min) → Read from cookie (no DB query)
+  After 5 min → Database Query → Refresh cache
+```
+
+**Configuration:**
+```typescript
+session: {
+  cookieCache: {
+    enabled: true,
+    maxAge: 5 * 60,      // 5 minutes
+    strategy: "jwe",     // Encrypted (default in v1.4+)
+    refreshCache: true
+  }
+}
+```
+
+**Security:**
+- Cookies cryptographically signed (cannot be tampered)
+- Short `maxAge` (5 min) ensures frequent DB checks
+- Encrypted with AES-256-GCM (JWE strategy)
+
+**Performance Impact:**
+- **98% reduction** in session-related database queries
+- **10-20ms → <1ms** validation time
+
+### 2.2 Extended Sessions ("Stay Signed In")
+
+**Concept:**
+Users opt-in to longer session durations (e.g., 30 days instead of 7 days) via "Remember Me" checkbox.
+
+**Better Auth Approach:**
+No built-in "remember me" plugin, but supports custom implementation via session hooks.
+
+**Recommended Pattern:**
+
+```typescript
+// 1. Add rememberMe to session schema
+sessions {
+  rememberMe: boolean (default: false)
+}
+
+// 2. Dynamic expiration logic
+session: {
+  expiresIn: 60 * 60 * 24 * 7,  // Default: 7 days
+
+  async beforeCreate({ session, request }) {
+    if (request.body.rememberMe) {
+      session.expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // 30 days
+      session.rememberMe = true;
+    }
+    return session;
+  }
+}
+```
+
+**Alternative: Stateless Sessions**
+```typescript
+session: {
+  statelessSessions: {
+    enabled: true,
+    expiresIn: 60 * 60 * 24 * 30  // 30 days
+  }
+}
+```
+- **Pros:** Zero DB queries, infinite scalability
+- **Cons:** Cannot revoke before expiration
+
+### 2.3 Multi-Session Management
+
+**Better Auth Plugin:**
+```typescript
+import { multiSession } from 'better-auth/plugins';
+
+plugins: [
+  multiSession()
+]
+```
+
+**Features:**
+- Users can maintain multiple active sessions
+- View all sessions with device info
+- Revoke specific sessions
+- Switch between sessions (e.g., personal vs organization account)
+
+**Use Cases for ManaCore:**
+- Organization members with multiple org accounts
+- Users testing across environments
+- B2B users switching between tenant contexts
+
+### 2.4 Industry Best Practices (OWASP)
+
+**Session Timeout Recommendations:**
+
+| Application Type | Idle Timeout | Absolute Timeout |
+|-----------------|-------------|------------------|
+| Financial/Healthcare | 2-5 minutes | 2-4 hours |
+| Office Applications | 15-30 minutes | 4-8 hours |
+| Low-Risk Apps | 30 minutes | 12 hours |
+| "Remember Me" (Trusted Devices) | N/A | 7-30 days |
+
+**Session Security Requirements:**
+- ✅ Minimum 64 bits entropy (Better Auth complies)
+- ✅ httpOnly cookies (prevent XSS)
+- ✅ Secure flag (HTTPS only)
+- ✅ SameSite=Lax or Strict (CSRF protection)
+- ✅ Session regeneration on login (Better Auth handles)
+
+**Token Rotation Best Practices:**
+- ✅ Single-use refresh tokens
+- ✅ Immediate invalidation of old tokens
+- ✅ Reuse detection → revoke entire token family
+- ✅ Short access token lifetime (5-15 min)
+
+---
+
+## 3. Gap Analysis: What's Missing
+
+### 3.1 Missing Features Summary
+
+| Feature | Current Status | Better Auth Support | Priority | Impact |
+|---------|---------------|-------------------|----------|--------|
+| **Cookie Cache** | ❌ Not enabled | ✅ Built-in | 🔴 High | Performance |
+| **Remember Me** | ❌ Not implemented | ⚠️ Custom | ⚠️ Medium | UX |
+| **Extended Sessions** | ❌ Fixed 7 days | ⚠️ Custom | ⚠️ Medium | UX |
+| **Multi-Session Plugin** | ❌ Not enabled | ✅ Built-in | ✅ Low | Advanced UX |
+| **Session Management UI** | ❌ Not implemented | ⚠️ Custom | ⚠️ Medium | Security |
+| **Device Fingerprinting** | ⚠️ Basic tracking | ⚠️ Custom | ⚠️ Medium | Security |
+| **Session Activity Tracking** | ⚠️ Schema exists | ⚠️ Not used | ✅ Low | Analytics |
+| **Stateless Session Option** | ❌ Not configured | ✅ Built-in | ✅ Low | Scalability |
+
+### 3.2 Critical Implementation Issues
+
+#### Issue 1: Manual JWT Fallback (CRITICAL)
+
+**Location:** `better-auth.service.ts:451-508`
+
+**Problem:**
+```typescript
+try {
+  // Try Better Auth's JWT plugin
+  const jwtResult = await this.api.signJWT({ body: { payload } });
+  accessToken = jwtResult?.token || '';
+} catch (jwtError) {
+  // ❌ FALLBACK: Manual JWT generation
+  accessToken = jwt.sign(payload, privateKey, {
+    algorithm: 'RS256',  // 🔴 WRONG! Better Auth uses EdDSA
+  });
+}
+```
+
+**Issues:**
+1. Algorithm mismatch (RS256 vs EdDSA)
+2. Uses different keys (env vars vs JWKS table)
+3. Tokens from fallback won't validate via JWKS endpoint
+4. Defeats Better Auth's design
+
+**Solution:**
+```typescript
+// Always use Better Auth's JWT plugin
+const jwtResult = await this.api.signJWT({
+  body: { payload },
+  headers: {
+    authorization: `Bearer ${sessionToken}`, // Provide session context
+  },
+});
+const accessToken = jwtResult.token;
+```
+
+#### Issue 2: No Cookie Cache (Performance)
+
+**Impact:**
+- Every `useSession()` call queries PostgreSQL
+- High database load on session validation
+- 10-20ms added latency per request
+
+**Performance Calculation:**
+```
+Scenario: 1000 concurrent users
+- Without cache: 1000 × 10 req/min × 60 min = 600,000 DB queries/hour
+- With 5-min cache: 1000 × 1 refresh/5min × 60 min = 12,000 DB queries/hour
+- Reduction: 98% fewer queries
+```
+
+**Solution:** Enable cookie cache (see Section 7.1)
+
+#### Issue 3: No "Remember Me" Option (User Experience)
+
+**Current State:**
+- All users get same 7-day session
+- Mobile apps lose sessions weekly
+- No differentiation between trusted/untrusted devices
+
+**Competitive Comparison:**
+- Gmail: 60 days with "Stay signed in"
+- GitHub: 90 days with "Keep me signed in"
+- Slack: 30 days default, 90 days on desktop
+- **ManaCore: 7 days (no option to extend)**
+
+**User Impact:**
+- Weekly re-authentication friction
+- Poor mobile app experience
+- Lower user retention
+
+#### Issue 4: Password Length Validation Mismatch (Security)
+
+**Problem:**
+```typescript
+// DTO allows 8 characters
+@MinLength(8)
+password: string;
+
+// Better Auth requires 12 characters
+minPasswordLength: 12
+```
+
+**Security Impact:** Weak passwords (8-11 chars) accepted, then rejected by Better Auth
+
+**Solution:** Fix DTO to require 12 characters minimum
+
+---
+
+## 4. Security Assessment
+
+**Overall Security Rating: B+ (Good, with improvements needed)**
+
+### 4.1 Strengths ✅
+
+#### Token Security
+- ✅ **EdDSA (Ed25519)** - Modern, secure, performant
+- ✅ **Short access tokens** (15 min) - Limits exposure window
+- ✅ **Minimal JWT claims** - No sensitive data in tokens
+- ✅ **JWKS-based validation** - Industry standard
+- ✅ **Proper token rotation** - Security via refresh token rotation
+
+#### Session Security
+- ✅ **Database-backed sessions** - Immediate revocation capability
+- ✅ **Refresh token rotation** - Prevents replay attacks
+- ✅ **Device tracking** - IP, user agent, device ID/name
+- ✅ **Session revocation** - `revokedAt` timestamp support
+
+#### Rate Limiting
+- ✅ **Login:** 5 attempts/minute
+- ✅ **Registration:** 10/hour
+- ✅ **Password reset:** 3 requests/5 minutes
+- ✅ **Global:** 100 requests/minute
+
+#### Access Control
+- ✅ **JWT guards** protect all sensitive endpoints
+- ✅ **Role-based access control** (user, admin, service)
+- ✅ **Organization-based permissions** (B2B multi-tenant)
+
+### 4.2 Critical Vulnerabilities 🔴
+
+#### 1. No Security Audit Logging (CRITICAL)
+- ❌ No logging of login attempts (success/failure)
+- ❌ No tracking of password changes
+- ❌ No forensic evidence for security incidents
+- ❌ GDPR/SOC 2/ISO 27001 non-compliance
+
+**Impact:** Cannot investigate breaches, no audit trail
+
+#### 2. Transport Security Incomplete (HIGH)
+- ❌ No HSTS (Strict-Transport-Security) header
+- ❌ No comprehensive CSP (Content-Security-Policy)
+- ❌ Cookie security flags not verified (httpOnly, secure, sameSite)
+- ❌ No HTTPS enforcement middleware
+
+**Impact:** Vulnerable to downgrade attacks, XSS, CSRF
+
+#### 3. Manual JWT Fallback (HIGH)
+- ❌ Bypasses Better Auth's security
+- ❌ Creates inconsistent token formats
+- ❌ Algorithm mismatch (RS256 vs EdDSA)
+
+**Impact:** Tokens may not validate correctly, security holes
+
+### 4.3 Medium-Priority Issues ⚠️
+
+#### 4. No CSRF Protection
+- ⚠️ CORS configured but no explicit CSRF tokens
+- ⚠️ Relies on SameSite cookies (not verified)
+
+#### 5. No Account Lockout
+- ⚠️ Rate limiting exists, but no account lockout after N failures
+- ⚠️ No progressive delays on failed attempts
+
+#### 6. No Device Fingerprinting
+- ⚠️ Tracks IP/userAgent but doesn't validate changes
+- ⚠️ Cannot detect session hijacking
+
+#### 7. Password Hashing Not Explicitly Configured
+- ⚠️ Better Auth default (scrypt) used but not verified
+- ⚠️ Hash parameters not documented
+
+### 4.4 OWASP Top 10 Compliance
+
+| OWASP Category | Compliance | Notes |
+|---------------|-----------|-------|
+| A01: Broken Access Control | ✅ Good | JWT guards, RBAC, organization permissions |
+| A02: Cryptographic Failures | ⚠️ Partial | EdDSA good, HTTPS enforcement missing |
+| A03: Injection | ✅ Good | Drizzle ORM, input validation |
+| A04: Insecure Design | ✅ Good | Defense in depth, secure by default |
+| A05: Security Misconfiguration | ⚠️ Moderate | Headers incomplete, cookies not verified |
+| A06: Vulnerable Components | ⚠️ Monitor | Need dependency scanning |
+| A07: Auth Failures | ✅ Strong | Strong passwords, 2FA schema, rate limiting |
+| A08: Data Integrity | ✅ Good | JWT signatures, DB constraints |
+| A09: Logging Failures | 🔴 Critical | No security event logging |
+| A10: SSRF | ✅ Low Risk | No user-controlled URLs |
+
+**OWASP Compliance Score: 7/10**
+
+---
+
+## 5. Integration Patterns Analysis
+
+**Overall Integration Rating: ⭐⭐⭐⭐⭐ (5/5 - World Class)**
+
+### 5.1 Backend Integration
+
+**Consistency:** Exceptional (all 15+ backends identical)
+
+**Pattern:**
+```typescript
+import { JwtAuthGuard, CurrentUser, CurrentUserData } from '@manacore/shared-nestjs-auth';
+
+@Controller('api')
+@UseGuards(JwtAuthGuard)
+export class MyController {
+  @Get('route')
+  async handler(@CurrentUser() user: CurrentUserData) {
+    return { userId: user.userId };
+  }
+}
+```
+
+**Features:**
+- ✅ Centralized validation via mana-core-auth
+- ✅ Dev bypass mode for local development
+- ✅ Type-safe user data extraction
+- ✅ Zero custom auth code in apps
+
+### 5.2 Frontend Web Integration
+
+**Consistency:** Exceptional (all web apps identical)
+
+**Pattern:**
+```typescript
+// auth.svelte.ts (Svelte 5 runes)
+let user = $state<UserData | null>(null);
+
+export const authStore = {
+  get user() { return user; },
+  async getValidToken() {
+    return await tokenManager.getValidToken(); // Auto-refresh!
+  }
+};
+
+// api.ts
+const token = await authStore.getValidToken();
+fetch(url, { headers: { Authorization: `Bearer ${token}` } });
+```
+
+**Features:**
+- ✅ Automatic token refresh
+- ✅ Request queuing during refresh
+- ✅ Offline handling
+- ✅ Fetch interceptor for 401 retry
+
+### 5.3 Frontend Mobile Integration
+
+**Consistency:** Exceptional (all mobile apps identical)
+
+**Pattern:**
+```typescript
+// AuthProvider.tsx (React Native)
+setStorageAdapter(createSecureStoreAdapter()); // Secure encrypted storage
+
+const [user, setUser] = useState<UserData | null>(null);
+
+export function AuthProvider({ children }) {
+  // Same patterns as web
+}
+```
+
+**Features:**
+- ✅ SecureStore for encrypted token storage
+- ✅ Same auto-refresh logic as web
+- ✅ Device ID generation and persistence
+
+### 5.4 Token Flow
+
+**Automatic Refresh Flow:**
+```
+1. App needs data → getValidToken()
+2. Check local expiration → Expired
+3. State: REFRESHING
+4. Queue concurrent requests
+5. POST /auth/refresh { refreshToken }
+6. Receive new tokens
+7. Store in localStorage/SecureStore
+8. Process queued requests with new token
+9. Return data to app
+```
+
+**Benefits:**
+- ✅ Zero manual token management
+- ✅ No duplicate refresh calls
+- ✅ Handles concurrent requests gracefully
+- ✅ Automatic retry on 401
+
+### 5.5 Pain Points
+
+**Minimal - only minor opportunities:**
+
+1. **Manual token passing** (Minor)
+   - Apps call `await authStore.getValidToken()` in each API function
+   - Could be abstracted into shared API client package
+
+2. **Duplicated API clients** (Opportunity)
+   - Each app has own `api.ts` / `client.ts`
+   - Could create `@manacore/shared-api-client`
+
+**No critical integration issues found.**
+
+---
+
+## 6. Performance Analysis
+
+### 6.1 Current Performance
+
+**Session Validation:**
+- Every `useSession()` → PostgreSQL query (~10-20ms)
+- 1000 users × 10 req/min = **600,000 DB queries/hour**
+
+**Token Refresh:**
+- Local check < 1ms
+- Network refresh ~50-100ms
+- Average: 1 refresh per user per hour
+
+### 6.2 With Cookie Cache (Projected)
+
+**Session Validation:**
+- First call → PostgreSQL query (~10-20ms) → Cache
+- Subsequent calls (5 min) → Cookie read (~<1ms)
+- 1000 users × 10 req/min = **12,000 DB queries/hour**
+
+**Improvement:**
+- **98% reduction** in session queries
+- **10-20ms → <1ms** average validation time
+- **Massive database load reduction**
+
+### 6.3 Bottleneck Analysis
+
+**Current Bottleneck:** Session validation database queries
+
+**Solution:** Enable cookie cache (15-minute implementation)
+
+---
+
+## 7. Recommendations by Priority
+
+### 🔴 CRITICAL (Implement Immediately)
+
+#### 1. Fix JWT Generation Fallback
+**Effort:** 2 hours
+**Impact:** Security, consistency
+
+Remove manual JWT fallback and fix Better Auth API call:
+```typescript
+// Remove lines 470-508 in better-auth.service.ts
+// Always use Better Auth's native JWT generation
+const jwtResult = await this.api.signJWT({
+  body: { payload },
+  headers: { authorization: `Bearer ${sessionToken}` }
+});
+```
+
+#### 2. Enable Cookie Cache
+**Effort:** 30 minutes
+**Impact:** Performance (98% DB query reduction)
+
+```typescript
+// better-auth.config.ts
+session: {
+  expiresIn: 60 * 60 * 24 * 7,
+  updateAge: 60 * 60 * 24,
+  cookieCache: {
+    enabled: true,
+    maxAge: 5 * 60,
+    strategy: "jwe",
+    refreshCache: true
+  }
+}
+```
+
+#### 3. Fix Password Length Validation
+**Effort:** 15 minutes
+**Impact:** Security
+
+```typescript
+// register.dto.ts, register-b2b.dto.ts
+@MinLength(12) // Match Better Auth config
+@MaxLength(128)
+password: string;
+```
+
+#### 4. Implement Security Audit Logging
+**Effort:** 1 day
+**Impact:** Compliance, security incident response
+
+```typescript
+// Create SecurityEventsService
+await logSecurityEvent({
+  userId: user.id,
+  eventType: 'login_success' | 'login_failure' | 'password_change',
+  ipAddress: req.ip,
+  userAgent: req.get('user-agent'),
+  metadata: { /* event details */ }
+});
+```
+
+#### 5. Configure Security Headers
+**Effort:** 2 hours
+**Impact:** Transport security, XSS/CSRF protection
+
+```typescript
+// main.ts
+helmet({
+  strictTransportSecurity: { maxAge: 31536000, includeSubDomains: true },
+  contentSecurityPolicy: { /* CSP directives */ },
+  frameguard: { action: 'deny' },
+  noSniff: true,
+})
+```
+
+### ⚠️ HIGH PRIORITY (Within 2 Weeks)
+
+#### 6. Implement "Remember Me" Feature
+**Effort:** 8 hours
+**Impact:** User experience, retention
+
+**Steps:**
+1. Add `rememberMe: boolean` to session schema
+2. Update login DTO to accept `rememberMe`
+3. Implement dynamic expiration (7 days vs 30 days)
+4. Add checkbox to login UI (all apps)
+
+```typescript
+// Dynamic expiration
+if (dto.rememberMe) {
+  session.expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+  session.rememberMe = true;
+}
+```
+
+#### 7. Add Session Management UI
+**Effort:** 12 hours
+**Impact:** Security, user control
+
+**Features:**
+- List all active sessions with device info
+- Revoke specific sessions
+- "Where you're signed in" page
+
+```typescript
+// Backend endpoints
+GET /auth/sessions/active → List user sessions
+DELETE /auth/sessions/:id → Revoke session
+```
+
+#### 8. Add Account Lockout
+**Effort:** 4 hours
+**Impact:** Brute force protection
+
+```typescript
+// After 5 failed login attempts → 15-minute lockout
+const FAILED_LOGIN_THRESHOLD = 5;
+const LOCKOUT_DURATION = 15 * 60 * 1000;
+```
+
+### ⚠️ MEDIUM PRIORITY (Within 1 Month)
+
+#### 9. Enable Multi-Session Plugin
+**Effort:** 2 hours
+**Impact:** Advanced UX for organization users
+
+```typescript
+import { multiSession } from 'better-auth/plugins';
+
+plugins: [multiSession()]
+```
+
+#### 10. Implement Device Fingerprinting
+**Effort:** 8 hours
+**Impact:** Session hijacking detection
+
+```typescript
+// Bind sessions to device fingerprint
+// Validate: IP changes, userAgent mismatches
+// Alert on anomalies
+```
+
+#### 11. Add Step-Up Authentication
+**Effort:** 6 hours
+**Impact:** Security for sensitive operations
+
+```typescript
+// Require re-authentication for:
+// - Password changes
+// - Account deletion
+// - Payment method updates
+@UseGuards(JwtAuthGuard, StepUpAuthGuard)
+```
+
+### ✅ LOW PRIORITY (Nice to Have)
+
+12. Inactivity timeout (auto-logout after 30 min idle)
+13. Trusted devices (skip 2FA on recognized devices)
+14. Impossible travel detection
+15. Password breach checking (HaveIBeenPwned)
+16. Secrets management integration (AWS Secrets Manager)
+
+---
+
+## 8. Implementation Roadmap
+
+### Phase 1: Critical Fixes (Week 1)
+
+**Goal:** Fix security issues and enable performance optimization
+
+| Task | Effort | Owner | Status |
+|------|--------|-------|--------|
+| Fix JWT generation fallback | 2h | Backend | 🔴 Not started |
+| Enable cookie cache | 30m | Backend | 🔴 Not started |
+| Fix password length validation | 15m | Backend | 🔴 Not started |
+| Implement security audit logging | 8h | Backend | 🔴 Not started |
+| Configure security headers | 2h | DevOps | 🔴 Not started |
+
+**Total Effort:** ~13 hours
+**Impact:** Security hardening + 98% DB query reduction
+
+### Phase 2: "Remember Me" Feature (Week 2-3)
+
+**Goal:** Implement user-controlled session duration
+
+| Task | Effort | Owner | Status |
+|------|--------|-------|--------|
+| Add `rememberMe` to schema | 1h | Backend | 🔴 Not started |
+| Update login DTO | 30m | Backend | 🔴 Not started |
+| Implement dynamic expiration | 2h | Backend | 🔴 Not started |
+| Add UI checkbox (web apps) | 3h | Frontend | 🔴 Not started |
+| Add UI checkbox (mobile apps) | 2h | Mobile | 🔴 Not started |
+| Testing | 2h | QA | 🔴 Not started |
+
+**Total Effort:** ~10.5 hours
+**Impact:** Better UX, competitive parity
+
+### Phase 3: Session Management UI (Week 4-5)
+
+**Goal:** Give users control over their sessions
+
+| Task | Effort | Owner | Status |
+|------|--------|-------|--------|
+| Backend endpoints (list/revoke) | 3h | Backend | 🔴 Not started |
+| Web UI component | 4h | Frontend | 🔴 Not started |
+| Mobile UI component | 3h | Mobile | 🔴 Not started |
+| Integration testing | 2h | QA | 🔴 Not started |
+
+**Total Effort:** ~12 hours
+**Impact:** Security visibility, user trust
+
+### Phase 4: Advanced Security (Month 2+)
+
+**Goal:** Enterprise-grade security features
+
+| Task | Effort | Priority |
+|------|--------|----------|
+| Multi-session plugin | 2h | Medium |
+| Device fingerprinting | 8h | Medium |
+| Step-up authentication | 6h | Medium |
+| Account lockout | 4h | High |
+| Inactivity timeout | 6h | Low |
+
+**Total Effort:** ~26 hours
+
+---
+
+## 9. Technical References
+
+### Documentation Locations
+
+**ManaCore Docs:**
+- Auth service: `/services/mana-core-auth/`
+- Shared backend auth: `/packages/shared-nestjs-auth/`
+- Shared frontend auth: `/packages/shared-auth/`
+- Guidelines: `/.claude/guidelines/authentication.md`
+
+**Key Files:**
+- JWT config: `services/mana-core-auth/src/auth/better-auth.config.ts`
+- Auth service: `services/mana-core-auth/src/auth/services/better-auth.service.ts`
+- Database schema: `services/mana-core-auth/src/db/schema/auth.schema.ts`
+- Backend guard: `packages/shared-nestjs-auth/src/guards/jwt-auth.guard.ts`
+- Frontend auth: `packages/shared-auth/src/core/authService.ts`
+
+### External References
+
+**Better Auth:**
+- Docs: https://www.better-auth.com/docs
+- Session Management: https://www.better-auth.com/docs/concepts/session-management
+- Cookie Cache: https://www.better-auth.com/docs/guides/optimizing-for-performance#cookie-cache
+- Plugins: https://www.better-auth.com/docs/plugins
+
+**Security Standards:**
+- OWASP Session Management: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+- OWASP Authentication: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
+- JWT Best Practices (RFC 8725): https://datatracker.ietf.org/doc/html/rfc8725
+- OAuth 2.0 Security (RFC 9700): https://www.rfc-editor.org/rfc/rfc9700
+
+---
+
+## Appendix A: Comparison Matrix
+
+| Feature | Current ManaCore | Better Auth Capability | Industry Standard | Gap |
+|---------|------------------|----------------------|------------------|-----|
+| Session Duration | 7 days (fixed) | Configurable | 7-30 days | ⚠️ No user control |
+| Remember Me | ❌ No | ⚠️ Custom impl | ✅ Yes | ⚠️ Missing |
+| Cookie Cache | ❌ No | ✅ Built-in | ✅ Common | 🔴 Not enabled |
+| Stateless Sessions | ❌ No | ✅ Supported | ⚠️ Varies | ✅ Not needed |
+| Multi-Session | ❌ No | ✅ Plugin | ⚠️ Advanced | ⚠️ Nice to have |
+| Session Management UI | ❌ No | ⚠️ Custom | ✅ Yes | ⚠️ Missing |
+| Token Rotation | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Implemented |
+| JWT Algorithm | ✅ EdDSA | ✅ EdDSA | ⚠️ Often RS256 | ✅ Optimal |
+| JWKS | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Implemented |
+| Device Tracking | ⚠️ Partial | ⚠️ Custom | ✅ Yes | ⚠️ Basic only |
+| Security Logging | ❌ No | ⚠️ Custom | ✅ Yes | 🔴 Critical gap |
+
+---
+
+## Appendix B: Performance Benchmarks
+
+### Session Validation Performance
+
+**Current (No Cache):**
+```
+1000 users × 10 requests/min × 60 min/hour = 600,000 queries/hour
+Average query time: 10-20ms
+Database time/hour: 1.67 hours of continuous querying
+```
+
+**With Cookie Cache (5 min):**
+```
+Cache hit rate: 98%
+Database queries: 600,000 × 0.02 = 12,000 queries/hour
+Database time/hour: 2 minutes
+Improvement: 98.3% reduction
+```
+
+### Token Refresh Performance
+
+**Refresh Metrics:**
+- Local expiration check: <1ms
+- Network refresh: 50-100ms
+- Refresh frequency: ~1 per user per hour
+- Request queuing overhead: <5ms per request
+
+---
+
+## Appendix C: Security Checklist
+
+### Pre-Deployment Checklist
+
+**Critical:**
+- [ ] Remove manual JWT fallback code
+- [ ] Enable cookie cache
+- [ ] Fix password length validation
+- [ ] Implement security audit logging
+- [ ] Configure comprehensive security headers
+- [ ] Verify HTTPS enforcement
+- [ ] Verify cookie flags (httpOnly, secure, sameSite)
+
+**High Priority:**
+- [ ] Implement "remember me" feature
+- [ ] Add session management UI
+- [ ] Add account lockout mechanism
+- [ ] Add CSRF protection
+- [ ] Document password hashing parameters
+
+**Medium Priority:**
+- [ ] Enable multi-session plugin
+- [ ] Implement device fingerprinting
+- [ ] Add step-up authentication
+- [ ] Configure JWT key rotation
+
+**Post-Deployment Monitoring:**
+- [ ] Monitor session DB query reduction (should be 98%)
+- [ ] Track token refresh success/failure rates
+- [ ] Monitor security event logs for anomalies
+- [ ] Track "remember me" adoption rate
+- [ ] Monitor failed login attempts
+
+---
+
+## Conclusion
+
+The mana-core-auth service provides a **strong foundation** for authentication with modern security practices and excellent integration patterns. The use of Better Auth framework, EdDSA JWT tokens, and comprehensive rate limiting demonstrates thoughtful architecture.
+
+**Key Strengths:**
+- World-class integration consistency across 15+ apps
+- Modern cryptography (EdDSA, scrypt/bcrypt)
+- Robust automatic token refresh
+- Proper session management with rotation
+
+**Critical Next Steps:**
+1. Fix JWT generation fallback (security)
+2. Enable cookie cache (performance)
+3. Implement security audit logging (compliance)
+4. Add "remember me" feature (UX)
+5. Complete transport security hardening (security headers, HTTPS)
+
+With Phase 1 and Phase 2 implemented (~24 hours of work), the system will achieve **A-grade enterprise security** with excellent performance and user experience suitable for production deployment at scale.
+
+---
+
+**Project Signature:** 🏗️ ManaCore Monorepo
diff --git a/docs/SECURITY_FIXES_IMPLEMENTATION_GUIDE.md b/docs/SECURITY_FIXES_IMPLEMENTATION_GUIDE.md
new file mode 100644
index 000000000..63dbe01b0
--- /dev/null
+++ b/docs/SECURITY_FIXES_IMPLEMENTATION_GUIDE.md
@@ -0,0 +1,799 @@
+# Security Fixes Implementation Guide
+
+**Date:** December 17, 2025
+**Priority:** CRITICAL
+**Estimated Time:** ~6-8 hours total
+
+## Overview
+
+This document provides step-by-step instructions to fix the 5 critical security gaps identified in the mana-core-auth analysis.
+
+---
+
+## ✅ Fix 1: Remove Manual JWT Fallback (CRITICAL)
+
+**Location:** `services/mana-core-auth/src/auth/services/better-auth.service.ts:449-508`
+
+**Problem:** Manual JWT fallback uses RS256 instead of EdDSA, bypassing Better Auth's security.
+
+**Solution:** Replace the entire try-catch block with a simple call to Better Auth's JWT plugin.
+
+### Step 1: Open the file
+```bash
+code services/mana-core-auth/src/auth/services/better-auth.service.ts
+```
+
+### Step 2: Find lines 449-508 (the JWT generation block)
+
+### Step 3: Replace with this code:
+
+```typescript
+// Generate JWT access token using Better Auth's JWT plugin
+// Better Auth's signJWT requires session context in the authorization header
+const jwtResult = await this.api.signJWT({
+	body: {
+		payload: {
+			sub: user.id,
+			email: user.email,
+			role: (user as BetterAuthUser).role || 'user',
+			sid: session?.id || '',
+		},
+	},
+	headers: {
+		// Provide session context for Better Auth's JWT plugin
+		authorization: `Bearer ${sessionToken}`,
+	},
+});
+
+const accessToken = jwtResult?.token;
+
+if (!accessToken) {
+	throw new UnauthorizedException('Failed to generate access token');
+}
+```
+
+**Testing:**
+```bash
+# Test login
+curl -X POST http://localhost:3001/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email": "test@example.com", "password": "yourpassword"}'
+
+# Check token algorithm (should be EdDSA)
+echo "<token>" | cut -d'.' -f1 | base64 -d
+# Should show: {"alg":"EdDSA", ...}
+```
+
+---
+
+## ✅ Fix 2: Enable Cookie Cache (HIGH IMPACT)
+
+**Location:** `services/mana-core-auth/src/auth/better-auth.config.ts:148-151`
+
+**Problem:** No cookie cache = 600,000 unnecessary DB queries per hour.
+
+**Impact:** 98% reduction in session queries, <1ms validation time.
+
+### Step 1: Open the configuration file
+```bash
+code services/mana-core-auth/src/auth/better-auth.config.ts
+```
+
+### Step 2: Find the `session` configuration block (around line 148)
+
+```typescript
+// Session configuration
+session: {
+	expiresIn: 60 * 60 * 24 * 7, // 7 days
+	updateAge: 60 * 60 * 24, // Update session once per day
+},
+```
+
+### Step 3: Add cookie cache configuration:
+
+```typescript
+// Session configuration
+session: {
+	expiresIn: 60 * 60 * 24 * 7, // 7 days
+	updateAge: 60 * 60 * 24, // Update session once per day
+
+	// Cookie cache for 98% reduction in database queries
+	// See: https://www.better-auth.com/docs/guides/optimizing-for-performance#cookie-cache
+	cookieCache: {
+		enabled: true,
+		maxAge: 5 * 60, // 5 minutes (balance between performance and freshness)
+		strategy: "jwe", // Encrypted (most secure, default in Better Auth 1.4+)
+		refreshCache: true, // Automatically refresh before expiration
+	}
+},
+```
+
+**Testing:**
+```bash
+# Monitor database queries before and after
+# Should see dramatic reduction in session queries
+
+# Check cookie is being set
+curl -v http://localhost:3001/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email": "test@example.com", "password": "password"}' \
+  | grep -i "set-cookie"
+```
+
+---
+
+## ✅ Fix 3: Implement "Remember Me" Feature
+
+**Location:** Multiple files (schema, DTOs, service)
+
+**Impact:** Better UX, competitive parity, GDPR compliance.
+
+### Step 1: Add `rememberMe` field to sessions schema
+
+**File:** `services/mana-core-auth/src/db/schema/auth.schema.ts`
+
+**Find the sessions table** (around line 32), add this field:
+
+```typescript
+export const sessions = authSchema.table('sessions', {
+	id: text('id').primaryKey(),
+	expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+	token: text('token').unique().notNull(),
+	// ... existing fields ...
+
+	// ✅ ADD THIS:
+	rememberMe: boolean('remember_me').default(false),
+});
+```
+
+### Step 2: Generate and run migration
+
+```bash
+cd services/mana-core-auth
+pnpm db:generate
+pnpm db:migrate
+```
+
+### Step 3: Update SignInDto
+
+**File:** `services/mana-core-auth/src/auth/dto/login.dto.ts`
+
+```typescript
+import { IsEmail, IsString, MinLength, IsOptional, IsBoolean } from 'class-validator';
+
+export class LoginDto {
+	@IsEmail()
+	email: string;
+
+	@IsString()
+	@MinLength(12) // ✅ FIXED: was 8, now matches Better Auth config
+	password: string;
+
+	@IsOptional()
+	@IsString()
+	deviceId?: string;
+
+	@IsOptional()
+	@IsString()
+	deviceName?: string;
+
+	// ✅ NEW: Remember me checkbox
+	@IsOptional()
+	@IsBoolean()
+	rememberMe?: boolean;
+}
+```
+
+### Step 4: Implement dynamic expiration in BetterAuthService
+
+**File:** `services/mana-core-auth/src/auth/services/better-auth.service.ts`
+
+**In the `signIn` method** (after getting the session), add this logic:
+
+```typescript
+// After line 447 (after getting sessionToken)
+const session = hasSession(result) ? result.session : null;
+const sessionToken = session?.token || (hasToken(result) ? result.token : '');
+
+// ✅ ADD THIS: Adjust session expiration based on rememberMe
+if (dto.rememberMe && session?.id) {
+	const db = getDb(this.databaseUrl);
+	const { sessions } = await import('../../db/schema');
+	const { eq } = await import('drizzle-orm');
+
+	// Extend session to 30 days for "remember me"
+	const extendedExpiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+
+	await db.update(sessions)
+		.set({
+			expiresAt: extendedExpiresAt,
+			rememberMe: true,
+		})
+		.where(eq(sessions.id, session.id));
+}
+```
+
+### Step 5: Update frontend login forms (all apps)
+
+**Example for SvelteKit apps:**
+
+**File:** `apps/*/apps/web/src/routes/auth/login/+page.svelte`
+
+```svelte
+<script lang="ts">
+	import { authStore } from '$lib/stores/auth.svelte';
+
+	let email = $state('');
+	let password = $state('');
+	let rememberMe = $state(false); // ✅ NEW
+	let error = $state('');
+
+	async function handleSubmit() {
+		const result = await authStore.signIn(email, password, rememberMe); // ✅ UPDATED
+		if (!result.success) {
+			error = result.error || 'Login failed';
+		}
+	}
+</script>
+
+<form onsubmit={handleSubmit}>
+	<input type="email" bind:value={email} required />
+	<input type="password" bind:value={password} required />
+
+	<!-- ✅ NEW: Remember me checkbox -->
+	<label class="remember-me">
+		<input type="checkbox" bind:checked={rememberMe} />
+		<span>Stay signed in for 30 days</span>
+		<small class="hint">Don't check this on shared computers</small>
+	</label>
+
+	{#if error}
+		<p class="error">{error}</p>
+	{/if}
+
+	<button type="submit">Sign In</button>
+</form>
+```
+
+**Update authStore.signIn signature:**
+
+**File:** `apps/*/apps/web/src/lib/stores/auth.svelte.ts`
+
+```typescript
+async signIn(email: string, password: string, rememberMe: boolean = false) {
+	const authService = await getAuthService();
+	const result = await authService.signIn(email, password, {
+		deviceId,
+		deviceName,
+		rememberMe, // ✅ NEW
+	});
+	// ... rest of logic
+}
+```
+
+---
+
+## ✅ Fix 4: Implement Security Audit Logging (CRITICAL)
+
+**Location:** `services/mana-core-auth/src/security/` (new module)
+
+**Impact:** GDPR/SOC 2 compliance, incident investigation capability.
+
+### Step 1: Create Security Events Service
+
+**File:** `services/mana-core-auth/src/security/security-events.service.ts` (NEW)
+
+```typescript
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { getDb } from '../db/connection';
+import { securityEvents } from '../db/schema/auth.schema';
+import { randomUUID } from 'crypto';
+
+export type SecurityEventType =
+	| 'login_success'
+	| 'login_failure'
+	| 'logout'
+	| 'password_change'
+	| 'password_reset_request'
+	| 'password_reset_complete'
+	| 'account_created'
+	| 'account_deleted'
+	| 'session_revoked'
+	| 'permission_changed'
+	| 'organization_created'
+	| 'organization_member_added'
+	| 'organization_member_removed'
+	| 'suspicious_activity'
+	| 'token_refresh'
+	| 'token_validation_failure';
+
+export interface LogSecurityEventParams {
+	userId?: string;
+	eventType: SecurityEventType;
+	ipAddress?: string;
+	userAgent?: string;
+	metadata?: Record<string, unknown>;
+}
+
+@Injectable()
+export class SecurityEventsService {
+	private databaseUrl: string;
+
+	constructor(private configService: ConfigService) {
+		this.databaseUrl = this.configService.get<string>('database.url')!;
+	}
+
+	/**
+	 * Log a security event
+	 *
+	 * All authentication-related events should be logged for:
+	 * - Security monitoring
+	 * - Incident investigation
+	 * - Compliance (GDPR, SOC 2, ISO 27001)
+	 * - Audit trails
+	 *
+	 * @param params - Event parameters
+	 */
+	async logEvent(params: LogSecurityEventParams): Promise<void> {
+		try {
+			const db = getDb(this.databaseUrl);
+
+			await db.insert(securityEvents).values({
+				id: randomUUID(),
+				userId: params.userId || null,
+				eventType: params.eventType,
+				ipAddress: params.ipAddress || null,
+				userAgent: params.userAgent || null,
+				metadata: params.metadata || null,
+				createdAt: new Date(),
+			});
+		} catch (error) {
+			// IMPORTANT: Never fail auth operations because logging failed
+			// Just log the error and continue
+			console.error('[SecurityEventsService] Failed to log security event:', error);
+		}
+	}
+
+	/**
+	 * Get security events for a user
+	 *
+	 * Useful for "Recent Activity" pages and security dashboards.
+	 *
+	 * @param userId - User ID
+	 * @param limit - Number of events to return (default: 50)
+	 * @returns Array of security events
+	 */
+	async getUserEvents(userId: string, limit: number = 50) {
+		try {
+			const db = getDb(this.databaseUrl);
+			const { eq, desc } = await import('drizzle-orm');
+
+			return await db
+				.select()
+				.from(securityEvents)
+				.where(eq(securityEvents.userId, userId))
+				.orderBy(desc(securityEvents.createdAt))
+				.limit(limit);
+		} catch (error) {
+			console.error('[SecurityEventsService] Failed to retrieve user events:', error);
+			return [];
+		}
+	}
+
+	/**
+	 * Get recent failed login attempts
+	 *
+	 * Useful for detecting brute force attacks.
+	 *
+	 * @param since - Date to start from (default: last hour)
+	 * @returns Array of failed login events
+	 */
+	async getFailedLoginAttempts(since?: Date) {
+		try {
+			const db = getDb(this.databaseUrl);
+			const { eq, gte } = await import('drizzle-orm');
+
+			const sinceDate = since || new Date(Date.now() - 60 * 60 * 1000); // 1 hour ago
+
+			return await db
+				.select()
+				.from(securityEvents)
+				.where(
+					eq(securityEvents.eventType, 'login_failure'),
+					gte(securityEvents.createdAt, sinceDate)
+				)
+				.orderBy(desc(securityEvents.createdAt));
+		} catch (error) {
+			console.error('[SecurityEventsService] Failed to retrieve failed login attempts:', error);
+			return [];
+		}
+	}
+}
+```
+
+### Step 2: Create Security Module
+
+**File:** `services/mana-core-auth/src/security/security.module.ts` (NEW)
+
+```typescript
+import { Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
+import { SecurityEventsService } from './security-events.service';
+
+@Module({
+	imports: [ConfigModule],
+	providers: [SecurityEventsService],
+	exports: [SecurityEventsService],
+})
+export class SecurityModule {}
+```
+
+### Step 3: Add to App Module
+
+**File:** `services/mana-core-auth/src/app.module.ts`
+
+```typescript
+import { SecurityModule } from './security/security.module';
+
+@Module({
+	imports: [
+		// ... existing imports ...
+		SecurityModule, // ✅ ADD THIS
+	],
+	// ...
+})
+export class AppModule {}
+```
+
+### Step 4: Inject into BetterAuthService
+
+**File:** `services/mana-core-auth/src/auth/services/better-auth.service.ts`
+
+```typescript
+import { SecurityEventsService } from '../../security/security-events.service';
+
+@Injectable()
+export class BetterAuthService {
+	constructor(
+		private configService: ConfigService,
+		private securityEventsService: SecurityEventsService, // ✅ ADD THIS
+		// ... other services
+	) {
+		// ...
+	}
+}
+```
+
+### Step 5: Add logging to auth methods
+
+**In `signIn` method** (after successful login):
+
+```typescript
+// ✅ ADD: Log successful login
+await this.securityEventsService.logEvent({
+	userId: user.id,
+	eventType: 'login_success',
+	ipAddress: dto.ipAddress, // Pass from controller
+	userAgent: dto.userAgent, // Pass from controller
+	metadata: {
+		deviceId: dto.deviceId,
+		deviceName: dto.deviceName,
+		rememberMe: dto.rememberMe,
+	},
+});
+```
+
+**In `signIn` method** (in the catch block for failed login):
+
+```typescript
+// ✅ ADD: Log failed login attempt
+await this.securityEventsService.logEvent({
+	eventType: 'login_failure',
+	ipAddress: dto.ipAddress,
+	userAgent: dto.userAgent,
+	metadata: {
+		email: dto.email,
+		reason: 'invalid_credentials',
+	},
+});
+```
+
+**Add similar logging for:**
+- `registerB2C`: `account_created`
+- `registerB2B`: `account_created`, `organization_created`
+- `signOut`: `logout`
+- `requestPasswordReset`: `password_reset_request`
+- `resetPassword`: `password_reset_complete`
+- `refreshToken`: `token_refresh`
+- `validateToken` (failures): `token_validation_failure`
+
+### Step 6: Update DTOs to accept IP and UserAgent
+
+**File:** `services/mana-core-auth/src/auth/dto/login.dto.ts`
+
+```typescript
+export class LoginDto {
+	// ... existing fields ...
+
+	// ✅ ADD: For security logging
+	@IsOptional()
+	@IsString()
+	ipAddress?: string;
+
+	@IsOptional()
+	@IsString()
+	userAgent?: string;
+}
+```
+
+### Step 7: Extract IP/UserAgent in controller
+
+**File:** `services/mana-core-auth/src/auth/auth.controller.ts`
+
+```typescript
+import { Req } from '@nestjs/common';
+import { Request } from 'express';
+
+@Post('login')
+async login(@Body() loginDto: LoginDto, @Req() req: Request) {
+	// ✅ ADD: Extract IP and user agent
+	loginDto.ipAddress = req.ip || req.socket.remoteAddress;
+	loginDto.userAgent = req.get('user-agent');
+
+	return this.betterAuthService.signIn(loginDto);
+}
+```
+
+---
+
+## ✅ Fix 5: Add Comprehensive Security Headers
+
+**Location:** `services/mana-core-auth/src/main.ts`
+
+**Problem:** Minimal Helmet configuration, missing HSTS, CSP, cookie security.
+
+### Step 1: Update Helmet configuration
+
+**File:** `services/mana-core-auth/src/main.ts`
+
+```typescript
+import helmet from 'helmet';
+
+async function bootstrap() {
+	const app = await NestFactory.create(AppModule);
+
+	// ✅ REPLACE existing helmet() call with this:
+	app.use(helmet({
+		// HSTS (HTTP Strict Transport Security)
+		strictTransportSecurity: {
+			maxAge: 31536000, // 1 year in seconds
+			includeSubDomains: true,
+			preload: true,
+		},
+
+		// Content Security Policy
+		contentSecurityPolicy: {
+			directives: {
+				defaultSrc: ["'self'"],
+				styleSrc: ["'self'", "'unsafe-inline'"], // For inline styles
+				scriptSrc: ["'self'"],
+				imgSrc: ["'self'", 'data:', 'https:'],
+				connectSrc: ["'self'", ...getAllowedOrigins()], // Your app origins
+				fontSrc: ["'self'", 'data:'],
+				objectSrc: ["'none'"],
+				mediaSrc: ["'self'"],
+				frameSrc: ["'none'"],
+			},
+		},
+
+		// Clickjacking protection
+		frameguard: { action: 'deny' },
+
+		// MIME type sniffing protection
+		noSniff: true,
+
+		// XSS filter (legacy browsers)
+		xssFilter: true,
+
+		// Referrer policy
+		referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+
+		// CORP and COOP (already configured)
+		crossOriginResourcePolicy: { policy: 'cross-origin' },
+		crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+
+		// Hide X-Powered-By header
+		hidePoweredBy: true,
+	}));
+
+	// ... rest of bootstrap
+}
+
+function getAllowedOrigins(): string[] {
+	// Get allowed origins from environment
+	const corsOrigins = process.env.CORS_ORIGINS || '';
+	return corsOrigins.split(',').map(o => o.trim()).filter(Boolean);
+}
+```
+
+### Step 2: Add HTTPS redirect middleware (production only)
+
+```typescript
+async function bootstrap() {
+	const app = await NestFactory.create(AppModule);
+
+	// ✅ ADD: HTTPS enforcement in production
+	if (process.env.NODE_ENV === 'production') {
+		app.use((req: any, res: any, next: any) => {
+			// Check if request came through HTTPS (via proxy)
+			const protocol = req.header('x-forwarded-proto') || req.protocol;
+
+			if (protocol !== 'https') {
+				return res.redirect(301, `https://${req.header('host')}${req.url}`);
+			}
+
+			next();
+		});
+	}
+
+	// ... rest of configuration
+}
+```
+
+### Step 3: Verify cookie security in Better Auth
+
+**File:** `services/mana-core-auth/src/auth/better-auth.config.ts`
+
+Better Auth should handle cookie security automatically, but let's verify:
+
+```typescript
+export function createBetterAuth(databaseUrl: string) {
+	return betterAuth({
+		// ... existing config ...
+
+		// ✅ ADD: Explicit cookie security (Better Auth defaults are good, but explicit is better)
+		advanced: {
+			cookieSecureSince the configuration appears to be already handled by Better Auth internally,
+let's verify in documentation that cookies use:
+- httpOnly: true
+- secure: true (in production)
+- sameSite: 'lax' or 'strict'
+
+Better Auth handles these automatically, but check the official docs to confirm.
+```
+
+---
+
+## Testing Checklist
+
+After implementing all fixes, test each one:
+
+### JWT Fix
+- [ ] Login works
+- [ ] Token algorithm is EdDSA (not RS256)
+- [ ] Token validates via `/api/v1/auth/validate`
+- [ ] No console warnings about JWT generation
+
+### Cookie Cache
+- [ ] Login sets session cookie
+- [ ] Subsequent requests don't query database (check logs)
+- [ ] Session still revocable immediately
+- [ ] Performance improvement visible
+
+### Remember Me
+- [ ] Checkbox appears on login form
+- [ ] Unchecked: Session expires after 7 days
+- [ ] Checked: Session lasts 30 days
+- [ ] Database shows `remember_me=true` for extended sessions
+
+### Security Logging
+- [ ] Login success creates `security_events` record
+- [ ] Login failure creates `security_events` record
+- [ ] All critical events logged
+- [ ] Logging doesn't break auth if it fails
+- [ ] Can query events via `getUserEvents()`
+
+### Security Headers
+- [ ] HSTS header present (check: `curl -I https://your-domain.com`)
+- [ ] CSP header present and valid
+- [ ] No `X-Powered-By` header
+- [ ] Cookies have `httpOnly`, `secure`, `sameSite` flags
+
+---
+
+## Monitoring & Alerts (Post-Deployment)
+
+### Database Query Monitoring
+```sql
+-- Monitor session queries (should drop 98%)
+SELECT COUNT(*) FROM auth.sessions
+WHERE created_at > NOW() - INTERVAL '1 hour';
+```
+
+### Security Event Monitoring
+```sql
+-- Failed login attempts (brute force detection)
+SELECT COUNT(*), ip_address, user_agent
+FROM auth.security_events
+WHERE event_type = 'login_failure'
+  AND created_at > NOW() - INTERVAL '1 hour'
+GROUP BY ip_address, user_agent
+HAVING COUNT(*) > 5;
+
+-- Recent security events by type
+SELECT event_type, COUNT(*)
+FROM auth.security_events
+WHERE created_at > NOW() - INTERVAL '24 hours'
+GROUP BY event_type
+ORDER BY COUNT(*) DESC;
+```
+
+### Grafana Dashboard Queries (Optional)
+- Session queries per minute (should be 98% lower)
+- Failed login attempts per hour
+- Remember me adoption rate
+- Token validation errors
+
+---
+
+## Rollback Plan
+
+If any fix causes issues:
+
+### JWT Fix Rollback
+```typescript
+// Revert to previous JWT generation code
+// (Keep the old code commented out as backup)
+```
+
+### Cookie Cache Rollback
+```typescript
+// Remove cookieCache configuration
+session: {
+	expiresIn: 60 * 60 * 24 * 7,
+	updateAge: 60 * 60 * 24,
+	// cookieCache: { ... }, // COMMENTED OUT
+},
+```
+
+### Remember Me Rollback
+```sql
+-- Remove remember_me column
+ALTER TABLE auth.sessions DROP COLUMN remember_me;
+```
+
+### Security Logging Rollback
+```typescript
+// Comment out all logEvent() calls
+// Service remains, just not called
+```
+
+---
+
+## Success Criteria
+
+✅ **JWT Fix:** No RS256 tokens generated, all EdDSA
+✅ **Cookie Cache:** 98% reduction in session DB queries
+✅ **Remember Me:** Users can choose 7-day or 30-day sessions
+✅ **Security Logging:** All auth events logged to `security_events` table
+✅ **Security Headers:** All OWASP recommended headers present
+
+---
+
+## Next Steps After Implementation
+
+1. **Update documentation** (AUTHENTICATION_ARCHITECTURE.md)
+2. **Create Grafana dashboards** for security monitoring
+3. **Set up alerts** for suspicious activity (>10 failed logins/hour)
+4. **Test penetration** with OWASP ZAP or similar tools
+5. **Run security audit** with automated tools (Snyk, npm audit)
+6. **Consider** additional features:
+   - Multi-session management UI
+   - Device fingerprinting
+   - Step-up authentication
+   - Account lockout after N failures
+
+---
+
+🏗️ ManaCore Monorepo