Shipped Auth.js (next-auth v5 beta) with Google OAuth, JWT sessions (Edge-safe middleware), @auth/mongodb-adapter for user/account persistence, middleware redirects + 401 on protected /api/*, and /sign-in. Operator reference: app AGENTS.md, docs/utility/authentication.md, vault [[Projects/lumendev-invoice/runbooks/runbook-auth-failure|runbook]].
- src/auth.config.ts (Edge — no Mongo driver); src/auth.ts merges MongoDBAdapter + same config for Route Handlers; src/middleware.ts uses config-only NextAuth so Edge does not load mongodb (avoids stream runtime error).
- trustHost true in development or when AUTH_TRUST_HOST=true; AUTH_SECRET (or NEXTAUTH_SECRET) required — Auth.js MissingSecret if unset.
- /receipt/* is auth-only (no public share links). POST /api/invoices/migrate session-gated and disabled outside development.
- docs/utility/authentication.md (env table, JWT vs adapter, protected routes, AUTH_SECRET / Google secret rotation); docs/README reading order updated. src/env.ts + next.config.ts strict env at startup.
- docs/utility/authentication.md, src/env.ts, src/auth.ts, src/auth.config.ts, src/middleware.ts, src/lib/requireSession.ts, src/lib/mongodb-auth.ts, src/app/api/auth/[...nextauth]/route.ts, src/app/sign-in/page.tsx
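
Added example (not the project's code): a pure TypeScript model of the route gating described in this note, so the 401-versus-redirect split and the development-only migrate route can be unit-tested without Next.js. The function and type names, the rule that every /api/* route outside /api/auth/* needs a session, the 404 for the disabled route and the callbackUrl parameter are assumptions.

```typescript
// Added example: a pure model of the route gating this note describes.
// Assumptions: every /api/* route except /api/auth/* needs a session, pages
// other than /receipt/* are public, the disabled migrate route answers 404.
type Decision =
  | { kind: "allow" }
  | { kind: "redirect"; location: string }
  | { kind: "status"; code: 401 | 404 };

interface GateRequest {
  pathname: string;
  method: string;
  hasSession: boolean; // the real middleware derives this from the JWT session
  nodeEnv: string;
}

// Segment-aware match: "/api/auth" covers "/api/auth/x" but not "/api/authx".
function under(path: string, base: string): boolean {
  return path === base || path.slice(0, base.length + 1) === base + "/";
}

function decide(req: GateRequest): Decision {
  const { pathname, method, hasSession, nodeEnv } = req;
  // Sign-in page and the Auth.js handlers must stay reachable anonymously.
  if (under(pathname, "/sign-in") || under(pathname, "/api/auth")) {
    return { kind: "allow" };
  }
  if (under(pathname, "/api")) {
    // API clients get a status code, never an HTML redirect.
    if (!hasSession) return { kind: "status", code: 401 };
    // Session check runs first, so anonymous callers only ever see 401.
    const isMigrate =
      pathname === "/api/invoices/migrate" && method.toUpperCase() === "POST";
    if (isMigrate && nodeEnv !== "development") {
      return { kind: "status", code: 404 };
    }
    return { kind: "allow" };
  }
  if (under(pathname, "/receipt") && !hasSession) {
    // Relative callbackUrl only, so the return trip cannot leave the site.
    const location = "/sign-in?callbackUrl=" + encodeURIComponent(pathname);
    return { kind: "redirect", location };
  }
  return { kind: "allow" };
}

// Compact rendering for logs and assertions.
function describeDecision(d: Decision): string {
  if (d.kind === "allow") return "allow";
  return d.kind === "redirect" ? "redirect:" + d.location : String(d.code);
}
```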