From 53b2b3c8cba84b52e4e41a347bff99b254af5369 Mon Sep 17 00:00:00 2001
From: Mohamed Melouk <42706279+cobraprojects@users.noreply.github.com>
Date: Fri, 8 May 2026 00:23:15 +0300
Subject: [PATCH 1/4] add social login to auth

---
 apps/blog-next/app/api/login/route.ts         |   9 +-
 apps/blog-next/app/api/logout/route.ts        |   8 +-
 apps/blog-next/app/api/register/route.ts      |   6 -
 .../app/auth/github/callback/route.ts         |  21 +++
 apps/blog-next/app/auth/github/route.ts       |   5 +
 .../app/auth/google/callback/route.ts         |  21 +++
 apps/blog-next/app/auth/google/route.ts       |   5 +
 apps/blog-next/app/login/page.tsx             |   5 +
 apps/blog-nuxt/app/pages/login.vue            |   7 +
 apps/blog-nuxt/server/api/login.post.ts       |   2 -
 apps/blog-nuxt/server/api/logout.post.ts      |   5 +-
 apps/blog-nuxt/server/api/register.post.ts    |   1 -
 apps/blog-nuxt/server/lib/request.ts          |  15 ++
 .../server/routes/auth/github.get.ts          |   7 +
 .../server/routes/auth/github/callback.get.ts |  15 ++
 .../server/routes/auth/google.get.ts          |   7 +
 .../server/routes/auth/google/callback.get.ts |  15 ++
 .../src/routes/api/login/+server.ts           |   9 +-
 .../src/routes/api/logout/+server.ts          |   8 +-
 .../src/routes/api/register/+server.ts        |   6 -
 .../src/routes/auth/github/+server.ts         |   5 +
 .../routes/auth/github/callback/+server.ts    |  21 +++
 .../src/routes/auth/google/+server.ts         |   5 +
 .../routes/auth/google/callback/+server.ts    |  21 +++
 .../src/routes/login/+page.svelte             |   7 +
 apps/docs/docs/auth/social-login.md           |  44 ++++-
 packages/adapter-next/src/config.ts           |  86 ++++++++-
 packages/adapter-next/src/runtime.ts          | 101 ++++++++++
 packages/adapter-next/tests/adapter.test.ts   |  33 ++++
 .../src/runtime/composables/index.ts          |  31 ++++
 packages/adapter-nuxt/tests/module.test.ts    |  17 ++
 packages/adapter-sveltekit/src/index.ts       | 112 +++++++++++-
 .../adapter-sveltekit/tests/runtime.test.ts   |  24 +++
 packages/auth-social/src/index.ts             |  67 ++++---
 packages/auth-social/tests/package.test.ts    | 128 +++++++++----
 packages/auth/src/contracts.ts                |   1 +
 packages/auth/src/runtime.ts                  |  19 +-
 packages/auth/src/sveltekit/server.ts         | 123 ++++++++++---
 packages/auth/tests/package.test.ts           |  33 ++++
 packages/core/src/portable/holo.ts            |   8 +
 scripts/validate-framework-smoke.mjs          |   2 +-
 tests/example-app-auth-flow.mjs               | 172 ++++++++++++++++++
 42 files changed, 1088 insertions(+), 149 deletions(-)
 create mode 100644 apps/blog-next/app/auth/github/callback/route.ts
 create mode 100644 apps/blog-next/app/auth/github/route.ts
 create mode 100644 apps/blog-next/app/auth/google/callback/route.ts
 create mode 100644 apps/blog-next/app/auth/google/route.ts
 create mode 100644 apps/blog-nuxt/server/lib/request.ts
 create mode 100644 apps/blog-nuxt/server/routes/auth/github.get.ts
 create mode 100644 apps/blog-nuxt/server/routes/auth/github/callback.get.ts
 create mode 100644 apps/blog-nuxt/server/routes/auth/google.get.ts
 create mode 100644 apps/blog-nuxt/server/routes/auth/google/callback.get.ts
 create mode 100644 apps/blog-sveltekit/src/routes/auth/github/+server.ts
 create mode 100644 apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts
 create mode 100644 apps/blog-sveltekit/src/routes/auth/google/+server.ts
 create mode 100644 apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts

diff --git a/apps/blog-next/app/api/login/route.ts b/apps/blog-next/app/api/login/route.ts
index 85f8ca8..6b706f3 100644
--- a/apps/blog-next/app/api/login/route.ts
+++ b/apps/blog-next/app/api/login/route.ts
@@ -27,11 +27,6 @@ export async function POST(request: Request) {
     })
   }
 
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
-  }
-
   return Response.json(submission.success({
     message: session.emailVerificationRequired
       ? 'Signed in. Verify your email address to continue.'
@@ -40,7 +35,5 @@ export async function POST(request: Request) {
       ? session.emailVerificationRoute ?? '/verify-email'
       : '/admin',
     user: session.user,
-  }), {
-    headers,
-  })
+  }))
 }
diff --git a/apps/blog-next/app/api/logout/route.ts b/apps/blog-next/app/api/logout/route.ts
index 3be87d2..3b94ae4 100644
--- a/apps/blog-next/app/api/logout/route.ts
+++ b/apps/blog-next/app/api/logout/route.ts
@@ -1,18 +1,12 @@
 import { logout, user } from '@holo-js/auth'
 
 export async function POST() {
-  const signedOut = await logout()
-  const headers = new Headers()
-  for (const cookie of signedOut.cookies) {
-    headers.append('set-cookie', cookie)
-  }
+  await logout()
 
   return Response.json({
     ok: true,
     authenticated: false,
     message: 'Signed out successfully.',
     user: await user(),
-  }, {
-    headers,
   })
 }
diff --git a/apps/blog-next/app/api/register/route.ts b/apps/blog-next/app/api/register/route.ts
index f7c109c..b5d8016 100644
--- a/apps/blog-next/app/api/register/route.ts
+++ b/apps/blog-next/app/api/register/route.ts
@@ -28,11 +28,6 @@ export async function POST(request: Request) {
   }
 
   const session = await loginUsing(created)
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
-  }
-
   return Response.json(submission.success({
     message: session.emailVerificationRequired
       ? 'Account created. Check your inbox to verify your email address.'
@@ -43,6 +38,5 @@ export async function POST(request: Request) {
     user: session.user,
   }, 201), {
     status: 201,
-    headers,
   })
 }
diff --git a/apps/blog-next/app/auth/github/callback/route.ts b/apps/blog-next/app/auth/github/callback/route.ts
new file mode 100644
index 0000000..b3b3e24
--- /dev/null
+++ b/apps/blog-next/app/auth/github/callback/route.ts
@@ -0,0 +1,21 @@
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('github', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
+}
diff --git a/apps/blog-next/app/auth/github/route.ts b/apps/blog-next/app/auth/github/route.ts
new file mode 100644
index 0000000..0650a4c
--- /dev/null
+++ b/apps/blog-next/app/auth/github/route.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return redirect('github', request)
+}
diff --git a/apps/blog-next/app/auth/google/callback/route.ts b/apps/blog-next/app/auth/google/callback/route.ts
new file mode 100644
index 0000000..827b3d8
--- /dev/null
+++ b/apps/blog-next/app/auth/google/callback/route.ts
@@ -0,0 +1,21 @@
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
+}
diff --git a/apps/blog-next/app/auth/google/route.ts b/apps/blog-next/app/auth/google/route.ts
new file mode 100644
index 0000000..5c1baa4
--- /dev/null
+++ b/apps/blog-next/app/auth/google/route.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return redirect('google', request)
+}
diff --git a/apps/blog-next/app/login/page.tsx b/apps/blog-next/app/login/page.tsx
index 36914d2..2c39684 100644
--- a/apps/blog-next/app/login/page.tsx
+++ b/apps/blog-next/app/login/page.tsx
@@ -44,6 +44,11 @@ export default function LoginPage() {
         <p style={{ margin: 0, color: '#94a3b8' }}>Use your email address and password to access the admin area.</p>
       </div>
 
+      <div style={{ display: 'grid', gap: '0.65rem' }}>
+        <a href="/auth/google" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with Google</a>
+        <a href="/auth/github" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with GitHub</a>
+      </div>
+
       <form onSubmit={(event) => { event.preventDefault(); form.submit() }} style={{ display: 'grid', gap: '0.9rem' }}>
         <label style={{ display: 'grid', gap: '0.35rem' }}>
           <span>Email</span>
diff --git a/apps/blog-nuxt/app/pages/login.vue b/apps/blog-nuxt/app/pages/login.vue
index baf55d5..30aa62d 100644
--- a/apps/blog-nuxt/app/pages/login.vue
+++ b/apps/blog-nuxt/app/pages/login.vue
@@ -32,6 +32,11 @@ const form = useForm(loginForm, {
       <p>Use your email address and password to access the admin area.</p>
     </div>
 
+    <div class="social-links">
+      <a href="/auth/google">Continue with Google</a>
+      <a href="/auth/github">Continue with GitHub</a>
+    </div>
+
     <form class="stack" @submit.prevent="form.submit()">
       <label class="field">
         <span>Email</span>
@@ -72,6 +77,8 @@ const form = useForm(loginForm, {
 .copy p { margin: 0; color: #94a3b8; }
 .stack, .field { display: grid; gap: 0.35rem; }
 .stack { gap: 0.9rem; }
+.social-links { display: grid; gap: 0.65rem; }
+.social-links a { color: #e5e7eb; text-decoration: none; }
 .remember, .links { display: flex; gap: 0.75rem; align-items: center; flex-wrap: wrap; }
 .error { color: #fca5a5; }
 .success { color: #86efac; }
diff --git a/apps/blog-nuxt/server/api/login.post.ts b/apps/blog-nuxt/server/api/login.post.ts
index a8062fe..b2c9366 100644
--- a/apps/blog-nuxt/server/api/login.post.ts
+++ b/apps/blog-nuxt/server/api/login.post.ts
@@ -26,8 +26,6 @@ export default defineEventHandler(async (event) => {
     }
   }
 
-  event.node.res.setHeader('set-cookie', [...session.cookies])
-
   return submission.success({
     message: session.emailVerificationRequired
       ? 'Signed in. Verify your email address to continue.'
diff --git a/apps/blog-nuxt/server/api/logout.post.ts b/apps/blog-nuxt/server/api/logout.post.ts
index aed9bf5..cd89250 100644
--- a/apps/blog-nuxt/server/api/logout.post.ts
+++ b/apps/blog-nuxt/server/api/logout.post.ts
@@ -1,8 +1,7 @@
 import { logout, user } from '@holo-js/auth'
 
-export default defineEventHandler(async (event) => {
-  const signedOut = await logout()
-  event.node.res.setHeader('set-cookie', [...signedOut.cookies])
+export default defineEventHandler(async () => {
+  await logout()
 
   return {
     ok: true,
diff --git a/apps/blog-nuxt/server/api/register.post.ts b/apps/blog-nuxt/server/api/register.post.ts
index fc08c7e..4532578 100644
--- a/apps/blog-nuxt/server/api/register.post.ts
+++ b/apps/blog-nuxt/server/api/register.post.ts
@@ -27,7 +27,6 @@ export default defineEventHandler(async (event) => {
   }
 
   const session = await loginUsing(created)
-  event.node.res.setHeader('set-cookie', [...session.cookies])
   setResponseStatus(event, 201)
   return submission.success({
     message: session.emailVerificationRequired
diff --git a/apps/blog-nuxt/server/lib/request.ts b/apps/blog-nuxt/server/lib/request.ts
new file mode 100644
index 0000000..889bd9a
--- /dev/null
+++ b/apps/blog-nuxt/server/lib/request.ts
@@ -0,0 +1,15 @@
+import { getHeaders, getRequestURL, type H3Event } from 'h3'
+
+export function toWebRequest(event: H3Event): Request {
+  const headers = new Headers()
+  for (const [key, value] of Object.entries(getHeaders(event))) {
+    if (typeof value === 'string') {
+      headers.set(key, value)
+    }
+  }
+
+  return new Request(getRequestURL(event), {
+    method: event.method,
+    headers,
+  })
+}
diff --git a/apps/blog-nuxt/server/routes/auth/github.get.ts b/apps/blog-nuxt/server/routes/auth/github.get.ts
new file mode 100644
index 0000000..a760090
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/github.get.ts
@@ -0,0 +1,7 @@
+import { redirect } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../lib/request'
+
+export default defineEventHandler((event) => {
+  return redirect('github', toWebRequest(event))
+})
diff --git a/apps/blog-nuxt/server/routes/auth/github/callback.get.ts b/apps/blog-nuxt/server/routes/auth/github/callback.get.ts
new file mode 100644
index 0000000..f65c483
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/github/callback.get.ts
@@ -0,0 +1,15 @@
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../../lib/request'
+
+export default defineEventHandler(async (event) => {
+  const result = await callback('github', toWebRequest(event))
+  if (!result.ok) {
+    setResponseStatus(event, result.status)
+    return { message: result.message }
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  return sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-nuxt/server/routes/auth/google.get.ts b/apps/blog-nuxt/server/routes/auth/google.get.ts
new file mode 100644
index 0000000..8655171
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/google.get.ts
@@ -0,0 +1,7 @@
+import { redirect } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../lib/request'
+
+export default defineEventHandler((event) => {
+  return redirect('google', toWebRequest(event))
+})
diff --git a/apps/blog-nuxt/server/routes/auth/google/callback.get.ts b/apps/blog-nuxt/server/routes/auth/google/callback.get.ts
new file mode 100644
index 0000000..6f91a70
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/google/callback.get.ts
@@ -0,0 +1,15 @@
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../../lib/request'
+
+export default defineEventHandler(async (event) => {
+  const result = await callback('google', toWebRequest(event))
+  if (!result.ok) {
+    setResponseStatus(event, result.status)
+    return { message: result.message }
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  return sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-sveltekit/src/routes/api/login/+server.ts b/apps/blog-sveltekit/src/routes/api/login/+server.ts
index c25a103..8d1c717 100644
--- a/apps/blog-sveltekit/src/routes/api/login/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/login/+server.ts
@@ -28,11 +28,6 @@ export async function POST({ request }: { request: Request }) {
     })
   }
 
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
-  }
-
   return json(submission.success({
     message: session.emailVerificationRequired
       ? 'Signed in. Verify your email address to continue.'
@@ -41,7 +36,5 @@ export async function POST({ request }: { request: Request }) {
       ? session.emailVerificationRoute ?? '/verify-email'
       : '/admin',
     user: session.user,
-  }), {
-    headers,
-  })
+  }))
 }
diff --git a/apps/blog-sveltekit/src/routes/api/logout/+server.ts b/apps/blog-sveltekit/src/routes/api/logout/+server.ts
index b628d5c..40833fe 100644
--- a/apps/blog-sveltekit/src/routes/api/logout/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/logout/+server.ts
@@ -2,18 +2,12 @@ import { json } from '@sveltejs/kit'
 import { logout, user } from '@holo-js/auth'
 
 export async function POST() {
-  const signedOut = await logout()
-  const headers = new Headers()
-  for (const cookie of signedOut.cookies) {
-    headers.append('set-cookie', cookie)
-  }
+  await logout()
 
   return json({
     ok: true,
     authenticated: false,
     message: 'Signed out successfully.',
     user: await user(),
-  }, {
-    headers,
   })
 }
diff --git a/apps/blog-sveltekit/src/routes/api/register/+server.ts b/apps/blog-sveltekit/src/routes/api/register/+server.ts
index 05b6e58..883ee5b 100644
--- a/apps/blog-sveltekit/src/routes/api/register/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/register/+server.ts
@@ -29,11 +29,6 @@ export async function POST({ request }: { request: Request }) {
   }
 
   const session = await loginUsing(created)
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
-  }
-
   return json(submission.success({
     message: session.emailVerificationRequired
       ? 'Account created. Check your inbox to verify your email address.'
@@ -44,6 +39,5 @@ export async function POST({ request }: { request: Request }) {
     user: session.user,
   }, 201), {
     status: 201,
-    headers,
   })
 }
diff --git a/apps/blog-sveltekit/src/routes/auth/github/+server.ts b/apps/blog-sveltekit/src/routes/auth/github/+server.ts
new file mode 100644
index 0000000..bcc3c3c
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/github/+server.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return redirect('github', request)
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts b/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts
new file mode 100644
index 0000000..1692d7f
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts
@@ -0,0 +1,21 @@
+import { json, redirect } from '@sveltejs/kit'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('github', request)
+  if (!result.ok) {
+    return json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  throw redirect(303, '/admin')
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/google/+server.ts b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
new file mode 100644
index 0000000..f2dd094
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return redirect('google', request)
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts b/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts
new file mode 100644
index 0000000..313ee02
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts
@@ -0,0 +1,21 @@
+import { json, redirect } from '@sveltejs/kit'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  throw redirect(303, '/admin')
+}
diff --git a/apps/blog-sveltekit/src/routes/login/+page.svelte b/apps/blog-sveltekit/src/routes/login/+page.svelte
index c012207..8a3523e 100644
--- a/apps/blog-sveltekit/src/routes/login/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/login/+page.svelte
@@ -27,6 +27,11 @@
     <p>Use your email address and password to access the admin area.</p>
   </div>
 
+  <div class="social-links">
+    <a href="/auth/google">Continue with Google</a>
+    <a href="/auth/github">Continue with GitHub</a>
+  </div>
+
   <form class="stack" on:submit={(event) => { event.preventDefault(); form.submit() }}>
     <label class="field">
       <span>Email</span>
@@ -89,6 +94,8 @@
   .copy p { margin: 0; color: #94a3b8; }
   .stack, .field { display: grid; gap: 0.35rem; }
   .stack { gap: 0.9rem; }
+  .social-links { display: grid; gap: 0.65rem; }
+  .social-links a { color: #e5e7eb; text-decoration: none; }
   .remember, .links { display: flex; gap: 0.75rem; align-items: center; flex-wrap: wrap; }
   .error { color: #fca5a5; }
   .success { color: #86efac; }
diff --git a/apps/docs/docs/auth/social-login.md b/apps/docs/docs/auth/social-login.md
index 4522096..e5af3fe 100644
--- a/apps/docs/docs/auth/social-login.md
+++ b/apps/docs/docs/auth/social-login.md
@@ -66,9 +66,9 @@ import { defineAuthConfig } from '@holo-js/config'
 export default defineAuthConfig({
   social: {
     google: {
-      clientId: process.env.GOOGLE_CLIENT_ID,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-      redirectUri: 'https://app.example.com/auth/google/callback',
+      clientId: process.env.AUTH_GOOGLE_CLIENT_ID,
+      clientSecret: process.env.AUTH_GOOGLE_CLIENT_SECRET,
+      redirectUri: process.env.AUTH_GOOGLE_REDIRECT_URI,
       scopes: ['openid', 'email', 'profile'],
       guard: 'web',
     },
@@ -76,6 +76,11 @@ export default defineAuthConfig({
 })
 ```
 
+The route the user clicks is the start route, for example `/auth/google`.
+
+The URL registered with the provider is the redirect URI, for example `/auth/google/callback`. This is the URL Google
+calls the "Authorized redirect URI", and it is the same value you put in `AUTH_GOOGLE_REDIRECT_URI`.
+
 Provider keys map to first-party packages:
 
 - `google` -> `@holo-js/auth-social-google`
@@ -168,19 +173,48 @@ Typical route shapes:
 - `GET /auth/github`
 - `GET /auth/github/callback`
 
+For a local app running on `http://localhost:3000`, put this in the provider dashboard:
+
+```text
+http://localhost:3000/auth/google/callback
+http://localhost:3000/auth/github/callback
+```
+
+And put the same redirect URIs in your app env:
+
+```ini
+AUTH_GOOGLE_REDIRECT_URI=http://localhost:3000/auth/google/callback
+AUTH_GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
+```
+
 ## Handling The Callback
 
 ```ts
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
 import { callback } from '@holo-js/auth-social'
 
 export async function GET(request: Request) {
-  return callback('google', request)
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
 }
 ```
 
 The callback route should receive the upstream `code` and `state` values, then pass the full request through to Holo.
 Holo validates the state, verifies PKCE when that provider flow uses it, exchanges the authorization code, links the
-identity, and establishes the local session.
+identity, and returns the local user.
+
+Use `loginUsing()` when the selected guard is session-based, then redirect with your framework's native redirect API.
+Token guard flows can create a token from the returned user instead of creating a session.
 
 The callback flow:
 
diff --git a/packages/adapter-next/src/config.ts b/packages/adapter-next/src/config.ts
index 53a58c9..7fa7078 100644
--- a/packages/adapter-next/src/config.ts
+++ b/packages/adapter-next/src/config.ts
@@ -1,3 +1,6 @@
+import { existsSync, readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
 const HOLO_SERVER_EXTERNAL_PACKAGES = [
   '@holo-js/core',
   '@holo-js/adapter-next',
@@ -6,6 +9,43 @@ const HOLO_SERVER_EXTERNAL_PACKAGES = [
   'esbuild',
 ]
 
+const HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES = [
+  '@holo-js/auth',
+  '@holo-js/auth-clerk',
+  '@holo-js/auth-social',
+  '@holo-js/auth-social-apple',
+  '@holo-js/auth-social-discord',
+  '@holo-js/auth-social-facebook',
+  '@holo-js/auth-social-github',
+  '@holo-js/auth-social-google',
+  '@holo-js/auth-social-linkedin',
+  '@holo-js/auth-workos',
+  '@holo-js/authorization',
+  '@holo-js/broadcast',
+  '@holo-js/cache',
+  '@holo-js/cache-db',
+  '@holo-js/cache-redis',
+  '@holo-js/events',
+  '@holo-js/forms',
+  '@holo-js/mail',
+  '@holo-js/notifications',
+  '@holo-js/queue',
+  '@holo-js/queue-db',
+  '@holo-js/queue-redis',
+  '@holo-js/security',
+  '@holo-js/session',
+  '@holo-js/storage',
+  '@holo-js/storage-s3',
+  '@holo-js/validation',
+] as const
+
+interface PackageJson {
+  readonly dependencies?: Readonly<Record<string, string>>
+  readonly devDependencies?: Readonly<Record<string, string>>
+  readonly peerDependencies?: Readonly<Record<string, string>>
+  readonly optionalDependencies?: Readonly<Record<string, string>>
+}
+
 interface TurbopackIgnoreIssueRule {
   readonly path: string | RegExp
   readonly title?: string | RegExp
@@ -24,10 +64,54 @@ interface NextConfig {
   readonly [key: string]: unknown
 }
 
+function isStringRecord(value: unknown): value is Readonly<Record<string, string>> {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+
+  return Object.values(value).every(entry => typeof entry === 'string')
+}
+
+function readPackageJson(projectRoot: string): PackageJson | undefined {
+  const packageJsonPath = resolve(projectRoot, 'package.json')
+  if (!existsSync(packageJsonPath)) {
+    return undefined
+  }
+
+  const parsed = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as unknown
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    return undefined
+  }
+
+  return {
+    ...('dependencies' in parsed && isStringRecord(parsed.dependencies) ? { dependencies: parsed.dependencies } : {}),
+    ...('devDependencies' in parsed && isStringRecord(parsed.devDependencies) ? { devDependencies: parsed.devDependencies } : {}),
+    ...('peerDependencies' in parsed && isStringRecord(parsed.peerDependencies) ? { peerDependencies: parsed.peerDependencies } : {}),
+    ...('optionalDependencies' in parsed && isStringRecord(parsed.optionalDependencies) ? { optionalDependencies: parsed.optionalDependencies } : {}),
+  }
+}
+
+function hasPackage(packageJson: PackageJson, packageName: string): boolean {
+  return packageJson.dependencies?.[packageName] !== undefined
+    || packageJson.devDependencies?.[packageName] !== undefined
+    || packageJson.peerDependencies?.[packageName] !== undefined
+    || packageJson.optionalDependencies?.[packageName] !== undefined
+}
+
+function resolveInstalledOptionalServerExternalPackages(projectRoot: string): readonly string[] {
+  const packageJson = readPackageJson(projectRoot)
+  if (!packageJson) {
+    return []
+  }
+
+  return HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES.filter(packageName => hasPackage(packageJson, packageName))
+}
+
 export function withHolo<TConfig extends NextConfig>(nextConfig: TConfig = {} as TConfig): TConfig {
   const existingExternal = nextConfig.serverExternalPackages ?? []
+  const optionalExternal = resolveInstalledOptionalServerExternalPackages(process.cwd())
   const mergedExternal = [
-    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...existingExternal]),
+    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...optionalExternal, ...existingExternal]),
   ]
 
   const existingExcludes = nextConfig.outputFileTracingExcludes ?? {}
diff --git a/packages/adapter-next/src/runtime.ts b/packages/adapter-next/src/runtime.ts
index 84721a1..1c27f26 100644
--- a/packages/adapter-next/src/runtime.ts
+++ b/packages/adapter-next/src/runtime.ts
@@ -8,6 +8,98 @@ export type NextHoloRuntimeOptions = CreateHoloOptions & {
   readonly projectRoot: string
 }
 
+type ResponseCookieOptions = {
+  path?: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+  partitioned?: boolean
+}
+
+type ParsedResponseCookie = {
+  readonly name: string
+  readonly value: string
+  readonly options: ResponseCookieOptions
+}
+
+type MutableNextCookieStore = {
+  set(name: string, value: string, options?: ResponseCookieOptions): void
+}
+
+function safeDecodeCookieSegment(value: string): string {
+  try {
+    return decodeURIComponent(value)
+  } catch {
+    return value
+  }
+}
+
+function parseResponseCookie(cookie: string): ParsedResponseCookie | null {
+  const [nameValue, ...attributes] = cookie.split(';')
+  const separator = nameValue?.indexOf('=') ?? -1
+  if (!nameValue || separator <= 0) {
+    return null
+  }
+
+  const options: ResponseCookieOptions = {}
+  for (const rawAttribute of attributes) {
+    const attribute = rawAttribute.trim()
+    if (!attribute) {
+      continue
+    }
+
+    const attributeSeparator = attribute.indexOf('=')
+    const key = (attributeSeparator === -1 ? attribute : attribute.slice(0, attributeSeparator)).trim().toLowerCase()
+    const value = attributeSeparator === -1 ? '' : attribute.slice(attributeSeparator + 1).trim()
+
+    switch (key) {
+      case 'path':
+        options.path = value
+        break
+      case 'domain':
+        options.domain = value
+        break
+      case 'max-age': {
+        const maxAge = Number(value)
+        if (Number.isFinite(maxAge)) {
+          options.maxAge = maxAge
+        }
+        break
+      }
+      case 'expires': {
+        const expires = new Date(value)
+        if (!Number.isNaN(expires.getTime())) {
+          options.expires = expires
+        }
+        break
+      }
+      case 'secure':
+        options.secure = true
+        break
+      case 'httponly':
+        options.httpOnly = true
+        break
+      case 'samesite':
+        if (value.toLowerCase() === 'lax' || value.toLowerCase() === 'strict' || value.toLowerCase() === 'none') {
+          options.sameSite = value.toLowerCase() as ResponseCookieOptions['sameSite']
+        }
+        break
+      case 'partitioned':
+        options.partitioned = true
+        break
+    }
+  }
+
+  return {
+    name: safeDecodeCookieSegment(nameValue.slice(0, separator)),
+    value: safeDecodeCookieSegment(nameValue.slice(separator + 1)),
+    options,
+  }
+}
+
 function resolveNextAuthRequestAccessors(): NonNullable<CreateHoloOptions['authRequest']> {
   return {
     async getCookie(name: string) {
@@ -28,6 +120,15 @@ function resolveNextAuthRequestAccessors(): NonNullable<CreateHoloOptions['authR
       const requestHeaders = await headers()
       return requestHeaders.get(name) ?? undefined
     },
+    async appendResponseCookie(cookie: string) {
+      const parsed = parseResponseCookie(cookie)
+      if (!parsed) {
+        return
+      }
+
+      const store = await cookies() as unknown as MutableNextCookieStore
+      store.set(parsed.name, parsed.value, parsed.options)
+    },
   }
 }
 
diff --git a/packages/adapter-next/tests/adapter.test.ts b/packages/adapter-next/tests/adapter.test.ts
index 6d8e369..4a38297 100644
--- a/packages/adapter-next/tests/adapter.test.ts
+++ b/packages/adapter-next/tests/adapter.test.ts
@@ -10,6 +10,7 @@ import {
   initializeNextHoloProject,
   resetNextHoloProject,
 } from '../src'
+import { withHolo } from '../src/config'
 
 const configEntry = JSON.stringify(resolve(import.meta.dirname, '../../config/src/index.ts'))
 const tempDirs: string[] = []
@@ -171,4 +172,36 @@ export default defineConfig({
 
     expect(resolved.runtime.renderView).toBe(renderView)
   })
+
+  it('externalizes installed optional Holo server packages', async () => {
+    const root = await createProject()
+    await writeFile(join(root, 'package.json'), JSON.stringify({
+      dependencies: {
+        '@holo-js/auth': 'workspace:*',
+        '@holo-js/auth-social': 'workspace:*',
+        '@holo-js/auth-social-google': 'workspace:*',
+      },
+    }), 'utf8')
+
+    const previousCwd = process.cwd()
+    process.chdir(root)
+
+    try {
+      const config = withHolo({
+        serverExternalPackages: ['custom-runtime'],
+      })
+
+      expect(config.serverExternalPackages).toEqual(expect.arrayContaining([
+        '@holo-js/core',
+        '@holo-js/auth',
+        '@holo-js/auth-social',
+        '@holo-js/auth-social-google',
+        'custom-runtime',
+      ]))
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-social-github')
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-clerk')
+    } finally {
+      process.chdir(previousCwd)
+    }
+  })
 })
diff --git a/packages/adapter-nuxt/src/runtime/composables/index.ts b/packages/adapter-nuxt/src/runtime/composables/index.ts
index ed89fe6..6fc3c06 100644
--- a/packages/adapter-nuxt/src/runtime/composables/index.ts
+++ b/packages/adapter-nuxt/src/runtime/composables/index.ts
@@ -29,6 +29,10 @@ type NuxtAuthRequestEvent = {
     readonly req?: {
       readonly headers?: Readonly<Record<string, string | readonly string[] | undefined>>
     }
+    readonly res?: {
+      getHeader(name: string): number | string | readonly string[] | undefined
+      setHeader(name: string, value: number | string | readonly string[]): void
+    }
   }
 }
 
@@ -140,6 +144,28 @@ export function createNuxtAuthRequestAccessors() {
     return undefined
   }
 
+  async function appendCookie(cookie: string): Promise<void> {
+    const nitroContext = await loadNitroContextModule()
+    const event = nitroContext.useEvent()
+    const response = event?.node?.res
+    if (!response) {
+      return
+    }
+
+    const current = response.getHeader('set-cookie')
+    if (Array.isArray(current)) {
+      response.setHeader('set-cookie', [...current, cookie])
+      return
+    }
+
+    if (typeof current === 'string') {
+      response.setHeader('set-cookie', [current, cookie])
+      return
+    }
+
+    response.setHeader('set-cookie', [cookie])
+  }
+
   const getCookieValue: NonNullable<CreateHoloOptions['authRequest']>['getCookie'] = async (name) => {
     return await readCookie(name)
   }
@@ -148,9 +174,14 @@ export function createNuxtAuthRequestAccessors() {
     return await readHeader(name)
   }
 
+  const appendResponseCookie: NonNullable<CreateHoloOptions['authRequest']>['appendResponseCookie'] = async (cookie) => {
+    await appendCookie(cookie)
+  }
+
   return {
     getCookie: getCookieValue,
     getHeader: getHeaderValue,
+    appendResponseCookie,
   } satisfies NonNullable<CreateHoloOptions['authRequest']>
 }
 
diff --git a/packages/adapter-nuxt/tests/module.test.ts b/packages/adapter-nuxt/tests/module.test.ts
index e130a9b..200cf67 100644
--- a/packages/adapter-nuxt/tests/module.test.ts
+++ b/packages/adapter-nuxt/tests/module.test.ts
@@ -356,6 +356,7 @@ export default defineDatabaseConfig({
   })
 
   it('skips malformed cookie segments when decoding auth cookies', async () => {
+    const headers = new Map<string, number | string | readonly string[]>()
     vi.resetModules()
     vi.doMock('nitropack/runtime/context', () => ({
       useEvent: () => ({
@@ -364,6 +365,16 @@ export default defineDatabaseConfig({
             cookie: 'broken=%; auth-token=secret%20value',
           }),
         },
+        node: {
+          res: {
+            getHeader(name: string) {
+              return headers.get(name)
+            },
+            setHeader(name: string, value: number | string | readonly string[]) {
+              headers.set(name, value)
+            },
+          },
+        },
       }),
     }))
 
@@ -372,6 +383,12 @@ export default defineDatabaseConfig({
 
     await expect(accessors.getCookie('broken')).resolves.toBeUndefined()
     await expect(accessors.getCookie('auth-token')).resolves.toBe('secret value')
+    await accessors.appendResponseCookie?.('holo_session=session-1; Path=/; HttpOnly')
+    await accessors.appendResponseCookie?.('holo_session_remember=remember-1; Path=/; HttpOnly')
+    expect(headers.get('set-cookie')).toEqual([
+      'holo_session=session-1; Path=/; HttpOnly',
+      'holo_session_remember=remember-1; Path=/; HttpOnly',
+    ])
   })
 
   it('generates a server import wrapper for model defaults when server models exist', async () => {
diff --git a/packages/adapter-sveltekit/src/index.ts b/packages/adapter-sveltekit/src/index.ts
index e556fdc..d9d913a 100644
--- a/packages/adapter-sveltekit/src/index.ts
+++ b/packages/adapter-sveltekit/src/index.ts
@@ -17,28 +17,132 @@ export type SvelteKitHoloProject<TCustom extends HoloConfigMap = HoloConfigMap>
 type SvelteKitRequestEvent = {
   readonly cookies: {
     get(name: string): string | undefined
+    set(name: string, value: string, options: SvelteKitCookieOptions): void
   }
   readonly request: {
     readonly headers: Headers
   }
 }
 
+type SvelteKitCookieOptions = {
+  path: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+}
+
+type ParsedResponseCookie = {
+  readonly name: string
+  readonly value: string
+  readonly options: SvelteKitCookieOptions
+}
+
+type SvelteKitRuntimeGlobal = typeof globalThis & {
+  __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitRequestEvent>
+}
+
 const svelteKitAdapter = createHoloFrameworkAdapter<SvelteKitHoloOptions>({
   stateKey: '__holoSvelteKitAdapter__',
   displayName: 'SvelteKit',
 })
-const svelteKitRequestEventStore = new AsyncLocalStorage<SvelteKitRequestEvent>()
+
+function getSvelteKitRequestEventStore(): AsyncLocalStorage<SvelteKitRequestEvent> {
+  const runtimeGlobal = globalThis as SvelteKitRuntimeGlobal
+  runtimeGlobal.__holoSvelteKitRequestEventStore ??= new AsyncLocalStorage<SvelteKitRequestEvent>()
+
+  return runtimeGlobal.__holoSvelteKitRequestEventStore
+}
+
+function safeDecodeCookieSegment(value: string): string {
+  try {
+    return decodeURIComponent(value)
+  } catch {
+    return value
+  }
+}
+
+function parseResponseCookie(cookie: string): ParsedResponseCookie | null {
+  const [nameValue, ...attributes] = cookie.split(';')
+  const separator = nameValue?.indexOf('=') ?? -1
+  if (!nameValue || separator <= 0) {
+    return null
+  }
+
+  const options: SvelteKitCookieOptions = { path: '/' }
+  for (const rawAttribute of attributes) {
+    const attribute = rawAttribute.trim()
+    if (!attribute) {
+      continue
+    }
+
+    const attributeSeparator = attribute.indexOf('=')
+    const key = (attributeSeparator === -1 ? attribute : attribute.slice(0, attributeSeparator)).trim().toLowerCase()
+    const value = attributeSeparator === -1 ? '' : attribute.slice(attributeSeparator + 1).trim()
+
+    switch (key) {
+      case 'path':
+        options.path = value || '/'
+        break
+      case 'domain':
+        options.domain = value
+        break
+      case 'max-age': {
+        const maxAge = Number(value)
+        if (Number.isFinite(maxAge)) {
+          options.maxAge = maxAge
+        }
+        break
+      }
+      case 'expires': {
+        const expires = new Date(value)
+        if (!Number.isNaN(expires.getTime())) {
+          options.expires = expires
+        }
+        break
+      }
+      case 'secure':
+        options.secure = true
+        break
+      case 'httponly':
+        options.httpOnly = true
+        break
+      case 'samesite':
+        if (value.toLowerCase() === 'lax' || value.toLowerCase() === 'strict' || value.toLowerCase() === 'none') {
+          options.sameSite = value.toLowerCase() as SvelteKitCookieOptions['sameSite']
+        }
+        break
+    }
+  }
+
+  return {
+    name: safeDecodeCookieSegment(nameValue.slice(0, separator)),
+    value: safeDecodeCookieSegment(nameValue.slice(separator + 1)),
+    options,
+  }
+}
 
 function resolveSvelteKitAuthRequestAccessors(): NonNullable<SvelteKitHoloOptions['authRequest']> {
   return {
     async getCookie(name: string) {
-      const event = svelteKitRequestEventStore.getStore()
+      const event = getSvelteKitRequestEventStore().getStore()
       return event?.cookies.get(name) ?? undefined
     },
     async getHeader(name: string) {
-      const event = svelteKitRequestEventStore.getStore()
+      const event = getSvelteKitRequestEventStore().getStore()
       return event?.request.headers.get(name) ?? undefined
     },
+    appendResponseCookie(cookie: string) {
+      const event = getSvelteKitRequestEventStore().getStore()
+      const parsed = parseResponseCookie(cookie)
+      if (!event || !parsed) {
+        return
+      }
+
+      event.cookies.set(parsed.name, parsed.value, parsed.options)
+    },
   }
 }
 
@@ -55,7 +159,7 @@ export function runWithSvelteKitRequestEvent<TValue>(
   event: SvelteKitRequestEvent,
   callback: () => TValue,
 ): TValue {
-  return svelteKitRequestEventStore.run(event, callback)
+  return getSvelteKitRequestEventStore().run(event, callback)
 }
 
 export async function createSvelteKitHoloProject<TCustom extends HoloConfigMap = HoloConfigMap>(
diff --git a/packages/adapter-sveltekit/tests/runtime.test.ts b/packages/adapter-sveltekit/tests/runtime.test.ts
index 0258092..da7a272 100644
--- a/packages/adapter-sveltekit/tests/runtime.test.ts
+++ b/packages/adapter-sveltekit/tests/runtime.test.ts
@@ -3,6 +3,7 @@ import { afterEach, describe, expect, it, vi } from 'vitest'
 type MockAuthRequest = {
   getCookie(name: string): Promise<string | undefined>
   getHeader(name: string): Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
 }
 
 function makeHoloCoreMock(
@@ -64,6 +65,15 @@ afterEach(() => {
 describe('@holo-js/adapter-sveltekit request context', () => {
   it('owns auth request accessors inside the adapter and resolves them from the current request event', async () => {
     let capturedAuthRequest: MockAuthRequest | undefined
+    const responseCookies: Array<{
+      readonly name: string
+      readonly value: string
+      readonly options: {
+        readonly path: string
+        readonly httpOnly?: boolean
+        readonly sameSite?: 'lax' | 'strict' | 'none'
+      }
+    }> = []
 
     vi.doMock('@holo-js/core', () => makeHoloCoreMock((authRequest) => {
       capturedAuthRequest = authRequest
@@ -79,6 +89,9 @@ describe('@holo-js/adapter-sveltekit request context', () => {
         get(name: string) {
           return name === 'session' ? 'cookie-value' : undefined
         },
+        set(name, value, options) {
+          responseCookies.push({ name, value, options })
+        },
       },
       request: {
         headers: new Headers({
@@ -94,8 +107,19 @@ describe('@holo-js/adapter-sveltekit request context', () => {
       }
       await expect(capturedAuthRequest.getCookie('session')).resolves.toBe('cookie-value')
       await expect(capturedAuthRequest.getHeader('x-request-id')).resolves.toBe('header-value')
+      await capturedAuthRequest.appendResponseCookie?.('session=response-value; Path=/; HttpOnly; SameSite=Lax')
     })
 
+    expect(responseCookies).toEqual([{
+      name: 'session',
+      value: 'response-value',
+      options: {
+        path: '/',
+        httpOnly: true,
+        sameSite: 'lax',
+      },
+    }])
+
     expect(capturedAuthRequest).toBeDefined()
     if (!capturedAuthRequest) {
       throw new Error('Expected auth request accessors to be captured.')
diff --git a/packages/auth-social/src/index.ts b/packages/auth-social/src/index.ts
index f73383f..984c38c 100644
--- a/packages/auth-social/src/index.ts
+++ b/packages/auth-social/src/index.ts
@@ -85,12 +85,35 @@ export interface SocialAuthBindings {
 
 export interface SocialAuthFacade {
   redirect(provider: string, request: Request): Promise<Response>
-  callback(provider: string, request: Request): Promise<Response>
+  callback(provider: string, request: Request): Promise<SocialCallbackResult>
 }
 
-let socialBindings: SocialAuthBindings | undefined
+export type SocialCallbackResult = SocialCallbackSuccess | SocialCallbackFailure
+
+export interface SocialCallbackSuccess {
+  readonly ok: true
+  readonly guard: string
+  readonly authProvider: string
+  readonly provider: string
+  readonly user: AuthUserLike
+}
+
+export interface SocialCallbackFailure {
+  readonly ok: false
+  readonly status: 400
+  readonly message: string
+}
+
+const SOCIAL_BINDINGS_KEY = '__holoAuthSocialBindings__'
 const AUTH_PROVIDER_MARKER = Symbol.for('holo-js.auth.provider')
 type RuntimeAuthProviderAdapter = ReturnType<typeof authRuntimeInternals.getRuntimeBindings>['providers'][string]
+type SocialRuntimeGlobal = typeof globalThis & {
+  [SOCIAL_BINDINGS_KEY]?: SocialAuthBindings
+}
+
+function getSocialRuntimeGlobal(): SocialRuntimeGlobal {
+  return globalThis as SocialRuntimeGlobal
+}
 
 function requireUserRecord(user: unknown, message: string): Record<string, unknown> {
   if (user == null) {
@@ -141,6 +164,7 @@ function throwUnconfigured(): never {
 }
 
 function getBindings(): SocialAuthBindings {
+  const socialBindings = getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY]
   if (!socialBindings) {
     throwUnconfigured()
   }
@@ -250,9 +274,6 @@ function resolveGuardAndProvider(provider: string): {
   if (!guard) {
     throw new Error(`[@holo-js/auth-social] Guard "${guardName}" is not configured for social provider "${provider}".`)
   }
-  if (guard.driver !== 'session') {
-    throw new Error(`[@holo-js/auth-social] Social sign-in requires auth guard "${guardName}" to use the session driver.`)
-  }
 
   const authProvider = providerConfig.mapToProvider ?? guard.provider
   const adapter = authBindings.providers[authProvider]
@@ -482,19 +503,23 @@ async function readCallbackParameters(request: Request): Promise<{
   }
 }
 
-export async function callback(provider: string, request: Request): Promise<Response> {
+export async function callback(provider: string, request: Request): Promise<SocialCallbackResult> {
   const { state, code } = await readCallbackParameters(request)
   if (!state || !code) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: 'Missing OAuth state or code.',
-    }, { status: 400 })
+    }
   }
 
   const pending = await getBindings().stateStore.read(provider, state)
   if (!pending) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: 'Invalid or expired OAuth state.',
-    }, { status: 400 })
+    }
   }
 
   await getBindings().stateStore.delete(provider, state)
@@ -510,32 +535,22 @@ export async function callback(provider: string, request: Request): Promise<Resp
   })
 
   const linked = await resolveLinkedUser(provider, exchanged.profile, exchanged.tokens)
-  const established = await authRuntimeInternals.establishSessionForUser(linked.user, {
-    guard: linked.guard,
-    provider: linked.authProvider,
-  })
-  const headers = new Headers()
-  for (const cookie of established.cookies) {
-    headers.append('set-cookie', cookie)
-  }
 
-  return Response.json({
-    authenticated: true,
+  return {
+    ok: true,
     guard: linked.guard,
+    authProvider: linked.authProvider,
     provider,
     user: linked.user,
-  }, {
-    status: 200,
-    headers,
-  })
+  }
 }
 
 export function configureSocialAuthRuntime(bindings?: SocialAuthBindings): void {
-  socialBindings = bindings
+  getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY] = bindings
 }
 
 export function resetSocialAuthRuntime(): void {
-  socialBindings = undefined
+  delete getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY]
 }
 
 export const socialAuth = Object.freeze({
diff --git a/packages/auth-social/tests/package.test.ts b/packages/auth-social/tests/package.test.ts
index 048d559..de95d94 100644
--- a/packages/auth-social/tests/package.test.ts
+++ b/packages/auth-social/tests/package.test.ts
@@ -1,6 +1,6 @@
 import { afterEach, describe, expect, it } from 'vitest'
 import { configureSessionRuntime, getSessionRuntime, resetSessionRuntime } from '../../session/src/runtime'
-import { authRuntimeInternals, configureAuthRuntime, defineAuthConfig, resetAuthRuntime, tokens } from '../../auth/src'
+import auth, { authRuntimeInternals, configureAuthRuntime, defineAuthConfig, resetAuthRuntime, tokens } from '../../auth/src'
 import type { AuthProviderAdapter, AuthTokenStore, PersonalAccessTokenRecord } from '../../auth/src'
 import {
   callback,
@@ -312,8 +312,9 @@ describe('@holo-js/auth-social', () => {
     expect(runtime.stateStore.records.size).toBe(1)
 
     const invalid = await callback('google', new Request('https://app.test/auth/google/callback?state=bad&code=demo'))
-    expect(invalid.status).toBe(400)
-    await expect(invalid.json()).resolves.toMatchObject({
+    expect(invalid).toMatchObject({
+      ok: false,
+      status: 400,
       message: 'Invalid or expired OAuth state.',
     })
   })
@@ -355,16 +356,21 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-1`))
-    expect(response.status).toBe(200)
-    expect(response.headers.get('set-cookie')).toContain('holo_session=')
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       user: {
         id: localUser.id,
         email: 'existing@example.com',
       },
     })
+    expect(runtime.context.getSessionId('web')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    const session = await auth.guard(response.guard).loginUsing(response.user)
+    expect(session.cookies.join('; ')).toContain('holo_session=')
     expect(runtime.context.getSessionId('web')).toBeTypeOf('string')
   })
 
@@ -391,7 +397,7 @@ describe('@holo-js/auth-social', () => {
       },
     })
     let response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-link`))
-    expect(response.status).toBe(200)
+    expect(response.ok).toBe(true)
     expect((await runtime.identityStore.findByProviderUserId('google', 'google-link'))?.userId).toBe(existing.id)
 
     redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
@@ -409,13 +415,36 @@ describe('@holo-js/auth-social', () => {
       },
     })
     response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-create`))
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       user: {
         email: 'new@example.com',
         name: 'New Social User',
       },
     })
     expect(runtime.usersProvider.usersByEmail.has('new@example.com')).toBe(true)
+
+    redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
+    state = new URL(redirectResponse.headers.get('location')!).searchParams.get('state')!
+    runtime.exchangeProfiles.set('code-redirect', {
+      profile: {
+        id: 'google-redirect',
+        email: 'redirect@example.com',
+        emailVerified: true,
+        name: 'Redirect User',
+      },
+      tokens: {
+        accessToken: 'redirect-token',
+      },
+    })
+    response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-redirect`))
+    expect(response).toMatchObject({
+      ok: true,
+      user: {
+        email: 'redirect@example.com',
+      },
+    })
+    expect(runtime.usersProvider.usersByEmail.has('redirect@example.com')).toBe(true)
   })
 
   it('preserves the auth provider marker on linked social users', async () => {
@@ -460,16 +489,16 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-map-to-provider`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       guard: 'web',
+      authProvider: 'admins',
       user: {
         email: 'admin@example.com',
       },
     })
-    expect(runtime.context.getSessionId('web')).toBeTypeOf('string')
+    expect(runtime.context.getSessionId('web')).toBeUndefined()
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-admin-web')
     expect(storedIdentity).toMatchObject({
@@ -478,13 +507,6 @@ describe('@holo-js/auth-social', () => {
       userId: 1,
     })
 
-    const sessionId = runtime.context.getSessionId('web')
-    const record = sessionId ? await runtime.sessionStore.read(sessionId) : null
-    expect(authRuntimeInternals.readSessionPayload(record, 'web')).toMatchObject({
-      guard: 'web',
-      provider: 'admins',
-      userId: 1,
-    })
     expect(runtime.usersProvider.users.size).toBe(0)
     expect(runtime.adminsProvider.users.size).toBe(1)
   })
@@ -513,7 +535,7 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-unverified-existing`))
-    expect(response.status).toBe(200)
+    expect(response.ok).toBe(true)
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-unverified-existing')
     expect(storedIdentity?.userId).not.toBe(existing.id)
@@ -548,9 +570,8 @@ describe('@holo-js/auth-social', () => {
       }),
     }))
 
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       user: {
         email: 'form@example.com',
@@ -596,8 +617,8 @@ describe('@holo-js/auth-social', () => {
       },
     })
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-allow`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       user: {
         email: 'google-allow@google.social.local',
       },
@@ -625,14 +646,22 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-admin`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       guard: 'admin',
+      authProvider: 'admins',
       user: {
         email: 'admin@example.com',
       },
     })
+    expect(runtime.context.getSessionId('admin')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    const session = await auth.guard(response.guard).loginUsing(response.user)
     expect(runtime.context.getSessionId('admin')).toBeTypeOf('string')
+    expect(session.cookies.join('; ')).toContain('holo_session=')
     expect(runtime.adminsProvider.usersByEmail.has('admin@example.com')).toBe(true)
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-admin')
@@ -647,13 +676,46 @@ describe('@holo-js/auth-social', () => {
     })
   })
 
-  it('rejects social providers mapped to token guards', async () => {
-    configureRuntime({
+  it('returns the linked user for token guards without creating a session', async () => {
+    const runtime = configureRuntime({
       socialGuard: 'api',
     })
-    await expect(redirect('google', new Request(
-      'https://app.test/auth/google',
-    ))).rejects.toThrow('requires auth guard "api" to use the session driver')
+    const redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
+    const state = new URL(redirectResponse.headers.get('location')!).searchParams.get('state')!
+    runtime.exchangeProfiles.set('code-api', {
+      profile: {
+        id: 'google-api',
+        email: 'api@example.com',
+        emailVerified: true,
+        name: 'API Social',
+      },
+      tokens: {
+        accessToken: 'api-access',
+      },
+    })
+
+    const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-api`))
+
+    expect(response).toMatchObject({
+      ok: true,
+      guard: 'api',
+      authProvider: 'users',
+      user: {
+        email: 'api@example.com',
+      },
+    })
+    expect(runtime.context.getSessionId('api')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    await expect(tokens.create(response.user, {
+      guard: response.guard,
+      name: 'social-api',
+    })).resolves.toMatchObject({
+      provider: 'users',
+      userId: 1,
+    })
   })
 
   it('fails closed for missing provider runtime, missing config activation, and PKCE mismatch', async () => {
diff --git a/packages/auth/src/contracts.ts b/packages/auth/src/contracts.ts
index 4fa479c..997e4d4 100644
--- a/packages/auth/src/contracts.ts
+++ b/packages/auth/src/contracts.ts
@@ -467,6 +467,7 @@ export interface AuthRuntimeContext {
   setCachedUser(guardName: string, user: AuthUser | null): void
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
   getAccessToken?(guardName: string): string | undefined
   setAccessToken?(guardName: string, token?: string): void
   getRememberToken?(guardName: string): string | undefined
diff --git a/packages/auth/src/runtime.ts b/packages/auth/src/runtime.ts
index e7bc869..0e3828a 100644
--- a/packages/auth/src/runtime.ts
+++ b/packages/auth/src/runtime.ts
@@ -904,6 +904,19 @@ async function resolveRequestHeader(
   return typeof value === 'string' && value.length > 0 ? value : undefined
 }
 
+async function appendResponseCookies(
+  bindings: RuntimeBindings,
+  cookies: readonly string[],
+): Promise<void> {
+  if (!bindings.context.appendResponseCookie) {
+    return
+  }
+
+  for (const cookie of cookies) {
+    await bindings.context.appendResponseCookie(cookie)
+  }
+}
+
 function parseBearerToken(header: string | undefined): string | undefined {
   if (typeof header !== 'string') {
     return undefined
@@ -2210,9 +2223,12 @@ async function logoutForGuard(guardName: string): Promise<AuthLogoutResult> {
   bindings.context.setCachedUser(guardName, null)
   bindings.context.setRememberToken?.(guardName)
 
+  const cookies = buildLogoutCookies(bindings, guardName, { clearSessionCookies })
+  await appendResponseCookies(bindings, cookies)
+
   return Object.freeze({
     guard: guardName,
-    cookies: buildLogoutCookies(bindings, guardName, { clearSessionCookies }),
+    cookies,
   })
 }
 
@@ -2400,6 +2416,7 @@ async function establishSessionForUser(
       ? [forgetDefaultRememberCookie(bindings)].filter((cookie): cookie is string => typeof cookie === 'string')
       : []),
   ]
+  await appendResponseCookies(bindings, cookies)
 
   return Object.freeze({
     guard: options.guard,
diff --git a/packages/auth/src/sveltekit/server.ts b/packages/auth/src/sveltekit/server.ts
index 78aad3c..60d7e49 100644
--- a/packages/auth/src/sveltekit/server.ts
+++ b/packages/auth/src/sveltekit/server.ts
@@ -1,3 +1,4 @@
+import { AsyncLocalStorage } from 'node:async_hooks'
 import holoAuth, { user as currentUser } from '../index'
 import type { AuthUserLike, HoloAuthUser } from '../contracts'
 
@@ -28,6 +29,30 @@ export type SvelteKitHandleEvent = {
   readonly url: URL
 }
 
+type SvelteKitCookieOptions = {
+  path: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+}
+
+type SvelteKitStoredRequestEvent = SvelteKitHandleEvent & {
+  readonly cookies: {
+    get(name: string): string | undefined
+    set(name: string, value: string, options: SvelteKitCookieOptions): void
+  }
+  readonly request: {
+    readonly headers: Headers
+  }
+}
+
+type SvelteKitRuntimeGlobal = typeof globalThis & {
+  __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitStoredRequestEvent>
+}
+
 export type SvelteKitHandleInput<TEvent extends SvelteKitHandleEvent = SvelteKitHandleEvent> = {
   readonly event: TEvent
   readonly resolve: (event: TEvent, options?: never) => Response | Promise<Response>
@@ -37,6 +62,40 @@ export type SvelteKitHandle = <TEvent extends SvelteKitHandleEvent>(
   input: SvelteKitHandleInput<TEvent>,
 ) => Response | Promise<Response>
 
+function getSvelteKitRequestEventStore(): AsyncLocalStorage<SvelteKitStoredRequestEvent> {
+  const runtimeGlobal = globalThis as SvelteKitRuntimeGlobal
+  runtimeGlobal.__holoSvelteKitRequestEventStore ??= new AsyncLocalStorage<SvelteKitStoredRequestEvent>()
+
+  return runtimeGlobal.__holoSvelteKitRequestEventStore
+}
+
+function isSvelteKitStoredRequestEvent(event: SvelteKitHandleEvent): event is SvelteKitStoredRequestEvent {
+  const candidate = event as SvelteKitHandleEvent & {
+    readonly cookies?: {
+      get?: unknown
+      set?: unknown
+    }
+    readonly request?: {
+      readonly headers?: unknown
+    }
+  }
+
+  return typeof candidate.cookies?.get === 'function'
+    && typeof candidate.cookies.set === 'function'
+    && candidate.request?.headers instanceof Headers
+}
+
+function runWithSvelteKitRequestEvent<TValue>(
+  event: SvelteKitHandleEvent,
+  callback: () => TValue,
+): TValue {
+  if (!isSvelteKitStoredRequestEvent(event)) {
+    return callback()
+  }
+
+  return getSvelteKitRequestEventStore().run(event, callback)
+}
+
 function toClientAuthUser(user: (HoloAuthUser & AuthUserLike) | null): HoloAuthUser | null {
   // AuthUserLike custom fields crossing SvelteKit load boundaries must stay JSON-safe.
   return user ? JSON.parse(JSON.stringify(user)) as HoloAuthUser : null
@@ -104,41 +163,45 @@ export async function auth(options: AuthOptions = {}): Promise<AuthState> {
 
 export function guestOnly(options: GuestOnlyOptions): SvelteKitHandle {
   return async ({ event, resolve }) => {
-    if (!matchesRoutes(options.routes, event.url.pathname)) {
-      return resolve(event)
-    }
-
-    const currentAuth = await auth({ guard: options.guard })
-    if (!currentAuth.authenticated) {
-      return resolve(event)
-    }
-
-    const redirectUrl = new URL(options.redirectTo, event.url)
-    if (isSameUrl(event.url, redirectUrl)) {
-      return resolve(event)
-    }
-
-    return Response.redirect(redirectUrl, options.status ?? 303)
+    return runWithSvelteKitRequestEvent(event, async () => {
+      if (!matchesRoutes(options.routes, event.url.pathname)) {
+        return resolve(event)
+      }
+
+      const currentAuth = await auth({ guard: options.guard })
+      if (!currentAuth.authenticated) {
+        return resolve(event)
+      }
+
+      const redirectUrl = new URL(options.redirectTo, event.url)
+      if (isSameUrl(event.url, redirectUrl)) {
+        return resolve(event)
+      }
+
+      return Response.redirect(redirectUrl, options.status ?? 303)
+    })
   }
 }
 
 export function authOnly(options: AuthOnlyOptions): SvelteKitHandle {
   return async ({ event, resolve }) => {
-    if (!matchesRoutes(options.routes, event.url.pathname)) {
-      return resolve(event)
-    }
-
-    const currentAuth = await auth({ guard: options.guard })
-    if (currentAuth.authenticated) {
-      return resolve(event)
-    }
-
-    const redirectUrl = new URL(options.redirectTo, event.url)
-    if (isSameUrl(event.url, redirectUrl)) {
-      return resolve(event)
-    }
-
-    return Response.redirect(redirectUrl, options.status ?? 303)
+    return runWithSvelteKitRequestEvent(event, async () => {
+      if (!matchesRoutes(options.routes, event.url.pathname)) {
+        return resolve(event)
+      }
+
+      const currentAuth = await auth({ guard: options.guard })
+      if (currentAuth.authenticated) {
+        return resolve(event)
+      }
+
+      const redirectUrl = new URL(options.redirectTo, event.url)
+      if (isSameUrl(event.url, redirectUrl)) {
+        return resolve(event)
+      }
+
+      return Response.redirect(redirectUrl, options.status ?? 303)
+    })
   }
 }
 
diff --git a/packages/auth/tests/package.test.ts b/packages/auth/tests/package.test.ts
index b7595f7..123e79b 100644
--- a/packages/auth/tests/package.test.ts
+++ b/packages/auth/tests/package.test.ts
@@ -771,6 +771,39 @@ describe('@holo-js/auth package runtime', () => {
     expect(loggedOut.cookies).toContainEqual(expect.stringContaining('holo_session_remember=;'))
   })
 
+  it('appends session and logout cookies to the active response context', async () => {
+    const runtime = configureRuntime()
+    const appendedCookies: string[] = []
+    const currentBindings = authRuntimeInternals.getRuntimeBindings()
+
+    configureAuthRuntime({
+      ...currentBindings,
+      context: {
+        ...runtime.context,
+        appendResponseCookie(cookie) {
+          appendedCookies.push(cookie)
+        },
+      },
+    })
+
+    const created = unwrapAuthResult(await register({
+      name: 'Ava',
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      passwordConfirmation: 'secret-secret',
+    }))
+    const established = await loginUsing(created)
+
+    expect(appendedCookies).toEqual([...established.cookies])
+
+    const loggedOut = await logout()
+
+    expect(appendedCookies).toEqual([
+      ...established.cookies,
+      ...loggedOut.cookies,
+    ])
+  })
+
   it('hydrates the request session cookie before logout and invalidates the stored session', async () => {
     const runtime = configureRuntime()
     const created = await runtime.usersProvider.create({
diff --git a/packages/core/src/portable/holo.ts b/packages/core/src/portable/holo.ts
index b34485c..a041349 100644
--- a/packages/core/src/portable/holo.ts
+++ b/packages/core/src/portable/holo.ts
@@ -826,6 +826,7 @@ export interface CreateHoloOptions {
   readonly authRequest?: {
     readonly getCookie?: (name: string) => string | undefined | Promise<string | undefined>
     readonly getHeader?: (name: string) => string | undefined | Promise<string | undefined>
+    readonly appendResponseCookie?: (cookie: string) => void | Promise<void>
   }
 }
 
@@ -1377,11 +1378,13 @@ function attachAuthRequestAccessors<TContext extends {
 ): TContext & {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
 } {
   return Object.freeze({
     ...context,
     getRequestCookie: accessors.getCookie,
     getRequestHeader: accessors.getHeader,
+    appendResponseCookie: accessors.appendResponseCookie,
   })
 }
 
@@ -1401,6 +1404,7 @@ function createRequestAwareAuthContext<TContext extends {
 ): TContext & {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
   setRequestAccessors(accessors?: CreateHoloOptions['authRequest']): void
 } {
   const requestAccessorStorage = new AsyncLocalStorage<{
@@ -1409,6 +1413,7 @@ function createRequestAwareAuthContext<TContext extends {
   type RequestAccessContext = TContext & {
     getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
     getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+    appendResponseCookie?(cookie: string): void | Promise<void>
   }
 
   const resolveRequestContext = (): RequestAccessContext => {
@@ -1428,6 +1433,9 @@ function createRequestAwareAuthContext<TContext extends {
     getRequestHeader(name) {
       return resolveRequestContext().getRequestHeader?.(name)
     },
+    appendResponseCookie(cookie) {
+      return resolveRequestContext().appendResponseCookie?.(cookie)
+    },
     setRequestAccessors(nextAccessors) {
       requestAccessorStorage.enterWith({
         accessors: nextAccessors,
diff --git a/scripts/validate-framework-smoke.mjs b/scripts/validate-framework-smoke.mjs
index 7583e01..9ead5a6 100644
--- a/scripts/validate-framework-smoke.mjs
+++ b/scripts/validate-framework-smoke.mjs
@@ -2024,7 +2024,7 @@ function assertAuthSmokePayload(app, payload) {
   assert.equal(payload.social.unverifiedVerifiedEmailPolicyRejected, true)
   assert.equal(payload.social.unverifiedIdentityNotCreated, true)
   assert.equal(payload.social.pkceMismatchRejected, true)
-  assert.equal(payload.social.tokenGuardRejected, true)
+  assert.equal(payload.social.tokenGuardCreatesAccessToken, true)
   assert.equal(payload.social.verificationOptionalSyntheticEmail, true)
 
   assert.equal(payload.workos.missingProviderRejected, true)
diff --git a/tests/example-app-auth-flow.mjs b/tests/example-app-auth-flow.mjs
index 3dd76df..f488167 100644
--- a/tests/example-app-auth-flow.mjs
+++ b/tests/example-app-auth-flow.mjs
@@ -133,6 +133,37 @@ function assertRedirectsTo(result, expectedPath) {
   assert.equal(new URL(location, result.response.url).pathname, expectedPath)
 }
 
+function assertFieldFailure(result, fields) {
+  assert.equal(result.json.ok, false)
+  assert.equal(result.json.valid, false)
+  for (const field of fields) {
+    assert.ok(
+      Array.isArray(result.json.errors?.[field]),
+      `Expected ${field} validation errors.`,
+    )
+  }
+}
+
+function assertThrottleFailure(result) {
+  assert.equal(result.response.status, 429)
+  assert.equal(result.json.ok, false)
+  assert.equal(result.json.valid, false)
+  assert.ok(
+    Array.isArray(result.json.errors?._root),
+    'Expected throttled response to include a root error.',
+  )
+}
+
+function assertSocialRedirect(result, expected) {
+  assert.equal(result.response.status, 302)
+  const location = result.response.headers.get('location')
+  assert.ok(location, `Expected ${expected.provider} redirect to include a location header.`)
+  const authorizationUrl = new URL(location)
+  assert.equal(authorizationUrl.origin, expected.origin)
+  assert.equal(authorizationUrl.pathname, expected.pathname)
+  assert.ok(authorizationUrl.searchParams.get('state'), `Expected ${expected.provider} redirect to include OAuth state.`)
+}
+
 async function waitForOutputMatch(getOutput, matcher, startIndex = 0, timeoutMs = 10000) {
   const startedAt = Date.now()
 
@@ -166,6 +197,8 @@ export async function assertExampleAppAuthFlow({
   const password = 'secret-secret'
   const nextPassword = 'secret-secret-2'
   const clientIp = `127.0.0.${(Date.now() % 200) + 1}`
+  const throttleLoginIp = `127.0.1.${(Date.now() % 200) + 1}`
+  const throttleRegisterIp = `127.0.2.${(Date.now() % 200) + 1}`
   const requestHeaders = {
     'x-forwarded-for': clientIp,
     'x-real-ip': clientIp,
@@ -206,6 +239,8 @@ export async function assertExampleAppAuthFlow({
 
     const loginPage = await fetchAuthText('/login')
     assert.match(loginPage.text, /Sign in/i)
+    assert.match(loginPage.text, /Continue with Google/i)
+    assert.match(loginPage.text, /Continue with GitHub/i)
     assertGuestNav(loginPage.text)
 
     const forgotPasswordPage = await fetchAuthText('/forgot-password')
@@ -213,12 +248,91 @@ export async function assertExampleAppAuthFlow({
 
     const verifyPromptPage = await fetchAuthText('/verify-email')
     assert.match(verifyPromptPage.text, /Verify your email/i)
+
+    assertRedirectsTo(await fetchAuthText('/admin/posts', {
+      allowFailure: true,
+    }), '/login')
   }
 
   const initialUser = await fetchAuthJson('/api/auth/user')
   assert.equal(initialUser.json.authenticated, false)
   assert.equal(initialUser.json.user, null)
 
+  assertSocialRedirect(await fetchAuthText('/auth/google', {
+    allowFailure: true,
+  }), {
+    provider: 'google',
+    origin: 'https://accounts.google.com',
+    pathname: '/o/oauth2/v2/auth',
+  })
+  assertSocialRedirect(await fetchAuthText('/auth/github', {
+    allowFailure: true,
+  }), {
+    provider: 'github',
+    origin: 'https://github.com',
+    pathname: '/login/oauth/authorize',
+  })
+
+  const missingGoogleCallback = await fetchAuthJson('/auth/google/callback', {
+    allowFailure: true,
+  })
+  assert.equal(missingGoogleCallback.response.status, 400)
+  assert.equal(missingGoogleCallback.json.message, 'Missing OAuth state or code.')
+
+  const missingGithubCallback = await fetchAuthJson('/auth/github/callback', {
+    allowFailure: true,
+  })
+  assert.equal(missingGithubCallback.response.status, 400)
+  assert.equal(missingGithubCallback.json.message, 'Missing OAuth state or code.')
+
+  const badCredentials = await fetchAuthJson('/api/login', {
+    fields: {
+      email,
+      password: 'wrong-password',
+    },
+    headers: {
+      'x-forwarded-for': '127.0.0.224',
+      'x-real-ip': '127.0.0.224',
+    },
+    allowFailure: true,
+  })
+  assert.equal(badCredentials.response.status, 401)
+  assertFieldFailure(badCredentials, ['email', 'password'])
+
+  let throttledLogin
+  for (let attempt = 0; attempt < 6; attempt += 1) {
+    throttledLogin = await fetchAuthJson('/api/login', {
+      fields: {
+        email: `${appName}-throttled-login-${Date.now()}@app.test`,
+        password: 'wrong-password',
+      },
+      headers: {
+        'x-forwarded-for': throttleLoginIp,
+        'x-real-ip': throttleLoginIp,
+      },
+      allowFailure: true,
+    })
+  }
+  assertThrottleFailure(throttledLogin)
+
+  let throttledRegister
+  for (let attempt = 0; attempt < 11; attempt += 1) {
+    throttledRegister = await fetchAuthJson('/api/register', {
+      fields: {
+        name: 'No',
+        email: 'not-an-email',
+        password: 'short',
+        passwordConfirmation: 'different',
+      },
+      headers: {
+        'x-forwarded-for': throttleRegisterIp,
+        'x-real-ip': throttleRegisterIp,
+      },
+      allowFailure: true,
+    })
+  }
+  assertThrottleFailure(throttledRegister)
+
   const loggedInVerificationEmail = `${appName}-logged-in-verification-${Date.now()}@app.test`
   const loggedInVerificationOutputStart = getOutput().length
   const loggedInVerificationJar = createCookieJar()
@@ -283,6 +397,32 @@ export async function assertExampleAppAuthFlow({
   )[1]
   assert.ok(verificationToken)
 
+  const invalidVerification = await fetchAuthJson('/api/verify-email', {
+    method: 'POST',
+    fields: {
+      token: `${verificationToken.split('.', 1)[0]}.wrong-secret`,
+    },
+    allowFailure: true,
+  })
+  assert.equal(invalidVerification.response.status, 422)
+  assertFieldFailure(invalidVerification, ['token'])
+
+  const duplicateRegistration = await fetchAuthJson('/api/register', {
+    fields: {
+      name: 'Duplicate Auth Flow User',
+      email,
+      password,
+      passwordConfirmation: password,
+    },
+    headers: {
+      'x-forwarded-for': '127.0.0.225',
+      'x-real-ip': '127.0.0.225',
+    },
+    allowFailure: true,
+  })
+  assert.equal(duplicateRegistration.response.status, 422)
+  assertFieldFailure(duplicateRegistration, ['email'])
+
   const pendingVerificationJar = createCookieJar()
   const unverifiedLogin = await fetchAuthJson('/api/login', {
     fields: {
@@ -330,6 +470,16 @@ export async function assertExampleAppAuthFlow({
   assert.equal(verified.json.ok, true)
   assert.equal(verified.json.data?.redirectTo, '/login')
 
+  const consumedVerification = await fetchAuthJson('/api/verify-email', {
+    method: 'POST',
+    fields: {
+      token: resentVerificationToken,
+    },
+    allowFailure: true,
+  })
+  assert.equal(consumedVerification.response.status, 422)
+  assertFieldFailure(consumedVerification, ['token'])
+
   const authenticatedJar = createCookieJar()
   const loggedIn = await fetchAuthJson('/api/login', {
     fields: {
@@ -478,6 +628,17 @@ export async function assertExampleAppAuthFlow({
   const resetToken = resetTokenMatch[1]
   assert.ok(resetToken)
 
+  const invalidReset = await fetchAuthJson('/api/reset-password', {
+    fields: {
+      token: 'bad-token',
+      password: nextPassword,
+      passwordConfirmation: nextPassword,
+    },
+    allowFailure: true,
+  })
+  assert.equal(invalidReset.response.status, 422)
+  assertFieldFailure(invalidReset, ['token'])
+
   if (checkPages) {
     const resetPage = await fetchAuthText(`/reset-password?token=${encodeURIComponent(resetToken)}`)
     assert.match(resetPage.text, /Reset password/i)
@@ -494,6 +655,17 @@ export async function assertExampleAppAuthFlow({
   assert.equal(resetResult.json.data?.message, 'Password reset successfully. You can sign in with your new password.')
   assert.equal(resetResult.json.data?.redirectTo, '/login')
 
+  const consumedReset = await fetchAuthJson('/api/reset-password', {
+    fields: {
+      token: resetToken,
+      password: nextPassword,
+      passwordConfirmation: nextPassword,
+    },
+    allowFailure: true,
+  })
+  assert.equal(consumedReset.response.status, 422)
+  assertFieldFailure(consumedReset, ['token'])
+
   const oldPasswordLogin = await fetchAuthJson('/api/login', {
     fields: {
       email,

From f14cf73447c2cfc939c1381fd1f330973191814e Mon Sep 17 00:00:00 2001
From: Mohamed Melouk <42706279+cobraprojects@users.noreply.github.com>
Date: Fri, 8 May 2026 00:55:45 +0300
Subject: [PATCH 2/4] Skipped findings:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

apps/blog-sveltekit/src/hooks.server.ts: did not add /auth/google/callback and /auth/github/callback to guestOnly.routes.

Reason: after checking the current framework implementation, packages/auth/src/sveltekit/server.ts wraps the entire guestOnly handler body in runWithSvelteKitRequestEvent(event, ...) before it checks matchesRoutes(...). That means even routes not matched by guestOnly.routes, including OAuth callbacks, still run inside the SvelteKit AsyncLocalStorage context when resolve(event) is called. The reported issue said ALS was not established for callbacks unless the callback routes were listed, but that is not true in the current code.

apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts: did not wrap the callback handler directly with runWithSvelteKitRequestEvent.

Reason: same root cause as above. The framework-level SvelteKit handle already establishes the request-event store before route resolution reaches this callback handler. Adding a second manual wrapper in the route would duplicate framework integration logic in userland/example code, which goes against the repo’s API discipline for auth flows.
---
 .../app/api/forgot-password/route.ts          |  11 +-
 apps/blog-next/app/api/login/route.ts         |  11 +-
 apps/blog-next/app/api/register/route.ts      |  11 +-
 .../blog-next/app/api/reset-password/route.ts |  11 +-
 apps/blog-next/app/api/verify-email/route.ts  |  11 +-
 apps/blog-next/lib/schemas/auth.ts            |  10 +-
 .../server/api/forgot-password.post.ts        |  13 +--
 apps/blog-nuxt/server/api/login.post.ts       |  13 +--
 apps/blog-nuxt/server/api/register.post.ts    |  13 +--
 .../server/api/reset-password.post.ts         |  13 +--
 .../blog-nuxt/server/api/verify-email.post.ts |  13 +--
 apps/blog-nuxt/shared/schemas/auth.ts         |  10 +-
 apps/blog-sveltekit/src/lib/schemas/auth.ts   |  10 +-
 .../src/routes/api/forgot-password/+server.ts |  11 +-
 .../src/routes/api/login/+server.ts           |  11 +-
 .../src/routes/api/register/+server.ts        |  11 +-
 .../src/routes/api/reset-password/+server.ts  |  11 +-
 .../src/routes/api/verify-email/+server.ts    |  11 +-
 .../src/routes/auth/google/+server.ts         |   3 +-
 apps/docs/docs/auth/index.md                  |  84 +++++++-------
 apps/docs/docs/auth/local-auth.md             |  25 +++--
 apps/docs/docs/auth/social-login.md           |   3 +-
 apps/docs/docs/forms/client-usage.md          |   4 +-
 apps/docs/docs/forms/framework-integration.md |   8 +-
 apps/docs/docs/forms/index.md                 |   5 +-
 apps/docs/docs/forms/server-validation.md     |  28 +++--
 apps/docs/docs/security.md                    |  26 ++---
 apps/docs/docs/validation/index.md            |   2 +-
 apps/docs/docs/validation/rules-and-errors.md |   4 +-
 packages/adapter-next/src/config.ts           |   8 +-
 packages/adapter-next/tests/adapter.test.ts   |  21 ++++
 packages/adapter-sveltekit/src/index.ts       |   3 +
 packages/auth/src/sveltekit/server.ts         |   3 +
 packages/auth/tests/package.test.ts           |  34 ++++++
 packages/forms/src/client.ts                  |  85 ++++++++++-----
 packages/forms/src/contracts.ts               |  99 +++++++++++++----
 packages/forms/src/index.ts                   |   3 +
 packages/forms/src/sensitiveInput.ts          | 103 +++++++++++++++++-
 packages/forms/tests/client.test.ts           |  11 +-
 packages/forms/tests/client.type.test.ts      |   4 +-
 packages/forms/tests/contracts.test.ts        |  26 ++++-
 packages/forms/tests/docs-examples.test.ts    |   6 +-
 packages/validation/src/contracts-support.ts  |  10 +-
 packages/validation/src/contracts-types.ts    |   1 +
 packages/validation/src/contracts.ts          |  13 +++
 packages/validation/tests/contracts.test.ts   |  17 +--
 tests/example-app-auth-flow.mjs               |   8 +-
 47 files changed, 559 insertions(+), 293 deletions(-)

diff --git a/apps/blog-next/app/api/forgot-password/route.ts b/apps/blog-next/app/api/forgot-password/route.ts
index 001e7d7..a81fed6 100644
--- a/apps/blog-next/app/api/forgot-password/route.ts
+++ b/apps/blog-next/app/api/forgot-password/route.ts
@@ -1,5 +1,5 @@
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '@/lib/schemas/auth'
 
@@ -14,15 +14,12 @@ export async function POST(request: Request) {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/api/login/route.ts b/apps/blog-next/app/api/login/route.ts
index 6b706f3..019e907 100644
--- a/apps/blog-next/app/api/login/route.ts
+++ b/apps/blog-next/app/api/login/route.ts
@@ -1,5 +1,5 @@
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '@/lib/schemas/auth'
 
@@ -16,15 +16,12 @@ export async function POST(request: Request) {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/api/register/route.ts b/apps/blog-next/app/api/register/route.ts
index b5d8016..01e27db 100644
--- a/apps/blog-next/app/api/register/route.ts
+++ b/apps/blog-next/app/api/register/route.ts
@@ -1,5 +1,5 @@
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '@/lib/schemas/auth'
 
@@ -16,15 +16,12 @@ export async function POST(request: Request) {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   const session = await loginUsing(created)
diff --git a/apps/blog-next/app/api/reset-password/route.ts b/apps/blog-next/app/api/reset-password/route.ts
index 3cd5e3a..8014429 100644
--- a/apps/blog-next/app/api/reset-password/route.ts
+++ b/apps/blog-next/app/api/reset-password/route.ts
@@ -1,5 +1,5 @@
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '@/lib/schemas/auth'
 
@@ -14,15 +14,12 @@ export async function POST(request: Request) {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/api/verify-email/route.ts b/apps/blog-next/app/api/verify-email/route.ts
index 341a604..a0c552a 100644
--- a/apps/blog-next/app/api/verify-email/route.ts
+++ b/apps/blog-next/app/api/verify-email/route.ts
@@ -1,5 +1,5 @@
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '@/lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST(request: Request) {
   const wasAuthenticated = await check()
   const { error } = await verification.consume(submission.data.token)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/lib/schemas/auth.ts b/apps/blog-next/lib/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-next/lib/schemas/auth.ts
+++ b/apps/blog-next/lib/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-nuxt/server/api/forgot-password.post.ts b/apps/blog-nuxt/server/api/forgot-password.post.ts
index e4512c1..0c82c33 100644
--- a/apps/blog-nuxt/server/api/forgot-password.post.ts
+++ b/apps/blog-nuxt/server/api/forgot-password.post.ts
@@ -1,5 +1,5 @@
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '#shared/schemas/auth'
 
@@ -14,14 +14,13 @@ export default defineEventHandler(async (event) => {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/api/login.post.ts b/apps/blog-nuxt/server/api/login.post.ts
index b2c9366..c2aa095 100644
--- a/apps/blog-nuxt/server/api/login.post.ts
+++ b/apps/blog-nuxt/server/api/login.post.ts
@@ -1,5 +1,5 @@
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '#shared/schemas/auth'
 
@@ -16,14 +16,13 @@ export default defineEventHandler(async (event) => {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/api/register.post.ts b/apps/blog-nuxt/server/api/register.post.ts
index 4532578..6724432 100644
--- a/apps/blog-nuxt/server/api/register.post.ts
+++ b/apps/blog-nuxt/server/api/register.post.ts
@@ -1,5 +1,5 @@
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '#shared/schemas/auth'
 
@@ -16,14 +16,13 @@ export default defineEventHandler(async (event) => {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   const session = await loginUsing(created)
diff --git a/apps/blog-nuxt/server/api/reset-password.post.ts b/apps/blog-nuxt/server/api/reset-password.post.ts
index fca13d7..9120de1 100644
--- a/apps/blog-nuxt/server/api/reset-password.post.ts
+++ b/apps/blog-nuxt/server/api/reset-password.post.ts
@@ -1,5 +1,5 @@
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '#shared/schemas/auth'
 
@@ -14,14 +14,13 @@ export default defineEventHandler(async (event) => {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/api/verify-email.post.ts b/apps/blog-nuxt/server/api/verify-email.post.ts
index cd0fa96..bae608c 100644
--- a/apps/blog-nuxt/server/api/verify-email.post.ts
+++ b/apps/blog-nuxt/server/api/verify-email.post.ts
@@ -1,5 +1,5 @@
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '#shared/schemas/auth'
 
@@ -15,14 +15,13 @@ export default defineEventHandler(async (event) => {
   const wasAuthenticated = await check()
   const { error } = await verification.consume(submission.data.token)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/shared/schemas/auth.ts b/apps/blog-nuxt/shared/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-nuxt/shared/schemas/auth.ts
+++ b/apps/blog-nuxt/shared/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-sveltekit/src/lib/schemas/auth.ts b/apps/blog-sveltekit/src/lib/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-sveltekit/src/lib/schemas/auth.ts
+++ b/apps/blog-sveltekit/src/lib/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts b/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
index 59c1f06..93b3042 100644
--- a/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '$lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/api/login/+server.ts b/apps/blog-sveltekit/src/routes/api/login/+server.ts
index 8d1c717..6ba0dd3 100644
--- a/apps/blog-sveltekit/src/routes/api/login/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/login/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '$lib/schemas/auth'
 
@@ -17,15 +17,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/api/register/+server.ts b/apps/blog-sveltekit/src/routes/api/register/+server.ts
index 883ee5b..b029d84 100644
--- a/apps/blog-sveltekit/src/routes/api/register/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/register/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '$lib/schemas/auth'
 
@@ -17,15 +17,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   const session = await loginUsing(created)
diff --git a/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts b/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
index 288fb9b..cacde60 100644
--- a/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '$lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts b/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
index 26ac9fc..48d3e75 100644
--- a/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '$lib/schemas/auth'
 
@@ -17,15 +17,12 @@ export async function POST({ request }: { request: Request }) {
   const verificationResult = verification.consume(submission.data.token)
   const [wasAuthenticated, { error }] = await Promise.all([authenticationCheck, verificationResult])
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/auth/google/+server.ts b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
index f2dd094..1b0b63a 100644
--- a/apps/blog-sveltekit/src/routes/auth/google/+server.ts
+++ b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
@@ -1,5 +1,6 @@
 import { redirect } from '@holo-js/auth-social'
+import type { RequestHandler } from './$types'
 
-export function GET({ request }: { request: Request }): Promise<Response> {
+export const GET: RequestHandler = async ({ request }) => {
   return redirect('google', request)
 }
diff --git a/apps/docs/docs/auth/index.md b/apps/docs/docs/auth/index.md
index 450dde6..7e46184 100644
--- a/apps/docs/docs/auth/index.md
+++ b/apps/docs/docs/auth/index.md
@@ -122,65 +122,61 @@ export default defineSessionConfig({
 })
 ```
 
-Then use auth operations inside your own routes:
+Then use auth operations inside your own routes. With `@holo-js/forms`, failed values are sanitized
+by the form schema before they are sent back to the client:
 
 ```ts
 import { login, logout, refreshUser, register, user } from '@holo-js/auth'
+import { field, schema, validate } from '@holo-js/forms'
 
-function sanitizeAuthBody(body: Record<string, unknown>) {
-  const sanitizedBody = { ...body }
-  delete sanitizedBody.password
-  delete sanitizedBody.passwordConfirmation
-  delete sanitizedBody.confirmPassword
-  delete sanitizedBody.currentPassword
-  delete sanitizedBody.newPassword
-  delete sanitizedBody.token
+const registerForm = schema({
+  name: field.string().required(),
+  email: field.string().required().email(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
+})
 
-  return sanitizedBody
-}
+const loginForm = schema({
+  email: field.string().required().email(),
+  password: field.password().required(),
+  remember: field.boolean().default(false),
+})
 
 export async function POST(request: Request) {
-  const body = await request.json()
-  const sanitizedBody = sanitizeAuthBody(body)
-
-  const { data: created, error: registerError } = await register({
-    name: body.name,
-    email: body.email,
-    password: body.password,
-    passwordConfirmation: body.passwordConfirmation,
-  })
+  const submission = await validate(request, registerForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
+
+  const { data: created, error: registerError } = await register(submission.data)
 
   if (registerError) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: registerError.status,
-      valid: false,
-      values: sanitizedBody,
       errors: registerError.fields,
-    }, { status: registerError.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(created, { status: 201 })
 }
 
 export async function PUT(request: Request) {
-  const body = await request.json()
-  const sanitizedBody = sanitizeAuthBody(body)
+  const submission = await validate(request, loginForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
 
-  const { data: session, error } = await login({
-    email: body.email,
-    password: body.password,
-    remember: body.remember === true,
-  })
+  const { data: session, error } = await login(submission.data)
 
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: sanitizedBody,
       errors: error.fields,
-    }, { status: error.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json({
@@ -404,19 +400,17 @@ Successful auth calls put the result in `data`. Expected auth failures come back
 }
 ```
 
-That means your route can forward auth failures directly without any helper layer:
+That means a form-backed route can forward auth failures through the submission object. The forms
+package keeps sensitive values out of the response:
 
 ```ts
-const sanitizedBody = sanitizeAuthBody(body)
-
 if (error) {
-  return Response.json({
-    ok: false,
+  const failure = submission.fail({
     status: error.status,
-    valid: false,
-    values: sanitizedBody,
     errors: error.fields,
-  }, { status: error.status })
+  })
+
+  return Response.json(failure, { status: failure.status })
 }
 ```
 
diff --git a/apps/docs/docs/auth/local-auth.md b/apps/docs/docs/auth/local-auth.md
index 6a9a432..24ecdff 100644
--- a/apps/docs/docs/auth/local-auth.md
+++ b/apps/docs/docs/auth/local-auth.md
@@ -425,23 +425,28 @@ Your framework route owns parsing and response formatting. The auth package only
 
 ```ts
 import { login } from '@holo-js/auth'
+import { field, schema, validate } from '@holo-js/forms'
+
+const loginForm = schema({
+  email: field.string().required().email(),
+  password: field.password().required(),
+})
 
 export async function POST(request: Request) {
-  const body = await request.json()
+  const submission = await validate(request, loginForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
 
-  const { data: session, error } = await login({
-    email: body.email,
-    password: body.password,
-  })
+  const { data: session, error } = await login(submission.data)
 
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: body,
       errors: error.fields,
-    }, { status: error.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json({
diff --git a/apps/docs/docs/auth/social-login.md b/apps/docs/docs/auth/social-login.md
index e5af3fe..8179faf 100644
--- a/apps/docs/docs/auth/social-login.md
+++ b/apps/docs/docs/auth/social-login.md
@@ -224,7 +224,8 @@ The callback flow:
 - loads the provider profile
 - resolves or creates a local user
 - links the social identity
-- establishes a local authenticated session
+- establishes a local session when using a session guard with `loginUsing()`, or returns an authenticated user that
+  token guards can use to create an access token
 
 Each provider package handles its own upstream field mapping. Holo does not guess raw provider response shapes across
 different services.
diff --git a/apps/docs/docs/forms/client-usage.md b/apps/docs/docs/forms/client-usage.md
index abebc2c..c49b876 100644
--- a/apps/docs/docs/forms/client-usage.md
+++ b/apps/docs/docs/forms/client-usage.md
@@ -23,8 +23,8 @@ import { field, schema } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 ```
 
diff --git a/apps/docs/docs/forms/framework-integration.md b/apps/docs/docs/forms/framework-integration.md
index f3e6cc7..6f08f11 100644
--- a/apps/docs/docs/forms/framework-integration.md
+++ b/apps/docs/docs/forms/framework-integration.md
@@ -19,7 +19,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export async function POST(request: Request) {
@@ -43,7 +43,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export default defineEventHandler(async (event) => {
@@ -66,7 +66,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const actions = {
@@ -93,7 +93,7 @@ import { User } from '$lib/server/models'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const login = form(loginForm, async (data, invalid) => {
diff --git a/apps/docs/docs/forms/index.md b/apps/docs/docs/forms/index.md
index a539f7e..fafc846 100644
--- a/apps/docs/docs/forms/index.md
+++ b/apps/docs/docs/forms/index.md
@@ -27,8 +27,9 @@ import { field, schema } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
+  nationalId: field.string().sensitive().optional(),
   avatar: field.file().optional().image().maxSize('2mb'),
   newsletter: field.boolean().default(false),
 })
diff --git a/apps/docs/docs/forms/server-validation.md b/apps/docs/docs/forms/server-validation.md
index f3ef576..f62cfd8 100644
--- a/apps/docs/docs/forms/server-validation.md
+++ b/apps/docs/docs/forms/server-validation.md
@@ -10,6 +10,10 @@ validation as optional enhancement.
 The browser submits a form, the server validates it, and the response returns either `submission.fail()`
 or `submission.success(...)`.
 
+Use `field.password()` for password values and `.sensitive()` for any other submitted value that must
+never be flashed back to the client. `submission.fail()` and `submission.serialize()` remove those
+fields automatically.
+
 ::: code-group
 
 ```ts [Next.js — app/api/login/route.ts]
@@ -17,7 +21,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -46,7 +50,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -72,7 +76,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -119,7 +123,7 @@ import { User } from '$lib/server/models'
 
 const loginSchema = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const login = form(loginSchema, async (data, invalid) => {
@@ -470,6 +474,8 @@ When validation fails, `submission.fail()` returns:
 }
 ```
 
+Password fields and fields marked with `.sensitive()` are omitted from `values`.
+
 ## Success response shape
 
 On success:
@@ -509,8 +515,8 @@ import { field, schema, validate } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export async function POST(request: Request) {
@@ -537,8 +543,8 @@ import { field, schema, validate } from '@holo-js/forms'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export default defineEventHandler(async (event) => {
@@ -564,8 +570,8 @@ import { field, schema, validate } from '@holo-js/forms'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export const actions = {
@@ -594,7 +600,7 @@ import { User } from '$lib/server/models'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const register = form(registerUser, async (data, invalid) => {
diff --git a/apps/docs/docs/security.md b/apps/docs/docs/security.md
index 09f2726..501854e 100644
--- a/apps/docs/docs/security.md
+++ b/apps/docs/docs/security.md
@@ -127,7 +127,7 @@ import { login } from '@holo-js/auth'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export async function POST(request: Request) {
@@ -144,15 +144,12 @@ export async function POST(request: Request) {
 
   const { error } = await login(submission.data)
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: submission.values,
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
@@ -170,8 +167,8 @@ import { register } from '@holo-js/auth'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export async function POST(request: Request) {
@@ -188,15 +185,12 @@ export async function POST(request: Request) {
 
   const { error } = await register(submission.data)
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: submission.values,
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
@@ -444,7 +438,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export default defineEventHandler(async (event) => {
diff --git a/apps/docs/docs/validation/index.md b/apps/docs/docs/validation/index.md
index 8b0b3c6..99ec579 100644
--- a/apps/docs/docs/validation/index.md
+++ b/apps/docs/docs/validation/index.md
@@ -46,7 +46,7 @@ import { field, schema, validate } from '@holo-js/validation'
 
 const createSession = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
   remember: field.boolean().default(false),
 })
 
diff --git a/apps/docs/docs/validation/rules-and-errors.md b/apps/docs/docs/validation/rules-and-errors.md
index 3de0aba..eace401 100644
--- a/apps/docs/docs/validation/rules-and-errors.md
+++ b/apps/docs/docs/validation/rules-and-errors.md
@@ -18,7 +18,7 @@ const registerUser = schema({
   email: field.string()
     .required('Email is required.')
     .email('Enter a valid email address.'),
-  password: field.string()
+  password: field.password()
     .min(8, 'Password must be at least 8 characters.'),
   birthday: field.date()
     .beforeOrToday('Birthday cannot be in the future.'),
@@ -44,7 +44,7 @@ import { field, schema } from '@holo-js/validation'
 
 const registerUser = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 ```
 
diff --git a/packages/adapter-next/src/config.ts b/packages/adapter-next/src/config.ts
index 7fa7078..12c50a9 100644
--- a/packages/adapter-next/src/config.ts
+++ b/packages/adapter-next/src/config.ts
@@ -78,7 +78,13 @@ function readPackageJson(projectRoot: string): PackageJson | undefined {
     return undefined
   }
 
-  const parsed = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as unknown
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as unknown
+  } catch {
+    return undefined
+  }
+
   if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
     return undefined
   }
diff --git a/packages/adapter-next/tests/adapter.test.ts b/packages/adapter-next/tests/adapter.test.ts
index 4a38297..fe6e916 100644
--- a/packages/adapter-next/tests/adapter.test.ts
+++ b/packages/adapter-next/tests/adapter.test.ts
@@ -204,4 +204,25 @@ export default defineConfig({
       process.chdir(previousCwd)
     }
   })
+
+  it('ignores optional externals when package.json cannot be parsed', async () => {
+    const root = await createProject()
+    await writeFile(join(root, 'package.json'), '{', 'utf8')
+
+    const previousCwd = process.cwd()
+    process.chdir(root)
+
+    try {
+      const config = withHolo()
+
+      expect(config.serverExternalPackages).toEqual(expect.arrayContaining([
+        '@holo-js/core',
+        '@holo-js/adapter-next',
+      ]))
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth')
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-social')
+    } finally {
+      process.chdir(previousCwd)
+    }
+  })
 })
diff --git a/packages/adapter-sveltekit/src/index.ts b/packages/adapter-sveltekit/src/index.ts
index d9d913a..d35275d 100644
--- a/packages/adapter-sveltekit/src/index.ts
+++ b/packages/adapter-sveltekit/src/index.ts
@@ -44,6 +44,9 @@ type SvelteKitRuntimeGlobal = typeof globalThis & {
   __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitRequestEvent>
 }
 
+// Shared AsyncLocalStorage contract with packages/auth/src/sveltekit/server.ts:
+// keep this exact global key and compatible AsyncLocalStorage<SvelteKitRequestEvent>
+// / AsyncLocalStorage<SvelteKitStoredRequestEvent> value types in sync.
 const svelteKitAdapter = createHoloFrameworkAdapter<SvelteKitHoloOptions>({
   stateKey: '__holoSvelteKitAdapter__',
   displayName: 'SvelteKit',
diff --git a/packages/auth/src/sveltekit/server.ts b/packages/auth/src/sveltekit/server.ts
index 60d7e49..5b38b7b 100644
--- a/packages/auth/src/sveltekit/server.ts
+++ b/packages/auth/src/sveltekit/server.ts
@@ -53,6 +53,9 @@ type SvelteKitRuntimeGlobal = typeof globalThis & {
   __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitStoredRequestEvent>
 }
 
+// Shared AsyncLocalStorage contract with packages/adapter-sveltekit/src/index.ts:
+// keep this exact global key and compatible AsyncLocalStorage<SvelteKitStoredRequestEvent>
+// / AsyncLocalStorage<SvelteKitRequestEvent> value types in sync.
 export type SvelteKitHandleInput<TEvent extends SvelteKitHandleEvent = SvelteKitHandleEvent> = {
   readonly event: TEvent
   readonly resolve: (event: TEvent, options?: never) => Response | Promise<Response>
diff --git a/packages/auth/tests/package.test.ts b/packages/auth/tests/package.test.ts
index 123e79b..24c573f 100644
--- a/packages/auth/tests/package.test.ts
+++ b/packages/auth/tests/package.test.ts
@@ -804,6 +804,40 @@ describe('@holo-js/auth package runtime', () => {
     ])
   })
 
+  it('waits for async response cookie appends during session login and logout', async () => {
+    const runtime = configureRuntime()
+    const appendedCookies: string[] = []
+    const currentBindings = authRuntimeInternals.getRuntimeBindings()
+
+    configureAuthRuntime({
+      ...currentBindings,
+      context: {
+        ...runtime.context,
+        async appendResponseCookie(cookie) {
+          await new Promise<void>(resolve => setTimeout(resolve, 1))
+          appendedCookies.push(cookie)
+        },
+      },
+    })
+
+    const created = unwrapAuthResult(await register({
+      name: 'Ava',
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      passwordConfirmation: 'secret-secret',
+    }))
+    const established = await loginUsing(created)
+
+    expect(appendedCookies).toEqual([...established.cookies])
+
+    const loggedOut = await logout()
+
+    expect(appendedCookies).toEqual([
+      ...established.cookies,
+      ...loggedOut.cookies,
+    ])
+  })
+
   it('hydrates the request session cookie before logout and invalidates the stored session', async () => {
     const runtime = configureRuntime()
     const created = await runtime.usersProvider.create({
diff --git a/packages/forms/src/client.ts b/packages/forms/src/client.ts
index 105d9e6..5c87fd7 100644
--- a/packages/forms/src/client.ts
+++ b/packages/forms/src/client.ts
@@ -1,4 +1,6 @@
 import type {
+  FormFailureErrors,
+  FormFailureInput,
   FormFailurePayload,
   InferFormData,
   FormSchema,
@@ -128,15 +130,51 @@ function normalizeStatus(value: number | undefined, fallback: number): number {
   return value
 }
 
+function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
+  readonly status: number
+  readonly errors?: FormFailureErrors
+} {
+  if (typeof input === 'number') {
+    return {
+      status: normalizeStatus(input, fallbackStatus),
+    }
+  }
+
+  return {
+    status: normalizeStatus(input?.status, fallbackStatus),
+    errors: input?.errors,
+  }
+}
+
+function normalizeFailureErrors(
+  fallback: Record<string, readonly string[]>,
+  override: FormFailureErrors | undefined,
+): Record<string, readonly string[]> {
+  if (!override) {
+    return fallback
+  }
+
+  const normalized: Record<string, readonly string[]> = {}
+
+  for (const [field, messages] of Object.entries(override)) {
+    if (typeof messages !== 'undefined') {
+      normalized[field] = messages
+    }
+  }
+
+  return normalized
+}
+
 function serializeSubmissionState<TData>(
   valid: boolean,
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
+  schemaDefinition?: FormSchema,
 ): SerializedFormSubmission<TData> {
   return Object.freeze({
     valid,
     submitted: true as const,
-    values: sanitizeFlashedInput(values),
+    values: sanitizeFlashedInput(values, schemaDefinition),
     errors: errors.flatten(),
   })
 }
@@ -146,17 +184,22 @@ function createSubmission<TData>(
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
   failureStatus = 422,
+  schemaDefinition?: FormSchema,
 ): FormSubmissionResult<TData> {
   const normalizedFailureStatus = normalizeStatus(failureStatus, 422)
-  const serialize = () => serializeSubmissionState(valid, values, errors)
+  const serialize = () => serializeSubmissionState(valid, values, errors, schemaDefinition)
 
-  const failure = (): FormFailurePayload<TData> => ({
-    ok: false,
-    status: normalizedFailureStatus,
-    valid: false as const,
-    values: sanitizeFlashedInput(values) as Partial<TData>,
-    errors: errors.flatten(),
-  })
+  const failure = (input?: FormFailureInput): FormFailurePayload<TData> => {
+    const normalized = normalizeFailureInput(input, normalizedFailureStatus)
+
+    return {
+      ok: false,
+      status: normalized.status,
+      valid: false as const,
+      values: sanitizeFlashedInput(values, schemaDefinition) as Partial<TData>,
+      errors: normalizeFailureErrors(errors.flatten(), normalized.errors),
+    }
+  }
 
   const success = <TPayload>(payload?: TPayload, status?: number): FormSuccessPayload<TPayload | undefined> => ({
     ok: true,
@@ -174,12 +217,8 @@ function createSubmission<TData>(
       errors,
       serialize,
       success,
-      fail(status?: number) {
-        const payload = failure()
-        return {
-          ...payload,
-          status: normalizeStatus(status, payload.status),
-        }
+      fail(input?: FormFailureInput) {
+        return failure(input)
       },
     })
   }
@@ -192,12 +231,8 @@ function createSubmission<TData>(
     errors,
     serialize,
     success,
-    fail(status?: number) {
-      const payload = failure()
-      return {
-        ...payload,
-        status: normalizeStatus(status, payload.status),
-      }
+    fail(input?: FormFailureInput) {
+      return failure(input)
     },
   })
 }
@@ -206,8 +241,7 @@ function createSuccessfulSubmission<TData>(
   schemaDefinition: FormSchema,
   data: TData,
 ): FormSubmissionResult<TData> {
-  void schemaDefinition
-  return createSubmission<TData>(true, data, createErrorBag())
+  return createSubmission<TData>(true, data, createErrorBag(), 422, schemaDefinition)
 }
 
 function createFailedSubmission<TData>(
@@ -222,6 +256,7 @@ function createFailedSubmission<TData>(
     values,
     createErrorBag<TData>(flattenedErrors),
     normalizeStatus(status, 422),
+    schemaDefinition,
   )
 }
 
@@ -849,7 +884,7 @@ export function useForm<TSchema extends FormSchema, TSuccess = unknown>(
 
       if ('ok' in normalized && normalized.ok === false) {
         state.values = mergeValues(state.values, normalized.values)
-        clearSensitiveInputValues(state.values)
+        clearSensitiveInputValues(state.values, schemaDefinition)
         state.flattenedErrors = normalized.errors
         state.lastSubmission = normalized
         notifyListeners(state)
@@ -858,7 +893,7 @@ export function useForm<TSchema extends FormSchema, TSuccess = unknown>(
 
       const normalizedSubmission = normalized as FormSubmissionResult<TData>
       state.values = mergeValues(state.values, normalizedSubmission.values)
-      clearSensitiveInputValues(state.values)
+      clearSensitiveInputValues(state.values, schemaDefinition)
       state.flattenedErrors = normalizedSubmission.errors.flatten()
       state.lastSubmission = normalizedSubmission.valid
         ? undefined
diff --git a/packages/forms/src/contracts.ts b/packages/forms/src/contracts.ts
index 7778715..49b940e 100644
--- a/packages/forms/src/contracts.ts
+++ b/packages/forms/src/contracts.ts
@@ -23,6 +23,15 @@ export interface FormFailurePayload<TData> {
   readonly errors: Record<string, readonly string[]>
 }
 
+export type FormFailureErrors = Readonly<Partial<Record<string, readonly string[]>>>
+
+export interface FormFailureOptions {
+  readonly status?: number
+  readonly errors?: FormFailureErrors
+}
+
+export type FormFailureInput = number | FormFailureOptions | undefined
+
 export interface FormSuccessPayload<TPayload = undefined> {
   readonly ok: true
   readonly status: number
@@ -90,7 +99,9 @@ export interface FormSubmissionSuccess<TData> {
   serialize(): SerializedFormSubmission<TData>
   success(): FormSuccessPayload<undefined>
   success<TPayload>(payload: TPayload, status?: number): FormSuccessPayload<TPayload>
+  fail(): FormFailurePayload<TData>
   fail(status?: number): FormFailurePayload<TData>
+  fail(options: FormFailureOptions): FormFailurePayload<TData>
 }
 
 export interface FormSubmissionFailure<TData> {
@@ -102,7 +113,9 @@ export interface FormSubmissionFailure<TData> {
   serialize(): SerializedFormSubmission<TData>
   success(): FormSuccessPayload<undefined>
   success<TPayload>(payload: TPayload, status?: number): FormSuccessPayload<TPayload>
+  fail(): FormFailurePayload<TData>
   fail(status?: number): FormFailurePayload<TData>
+  fail(options: FormFailureOptions): FormFailurePayload<TData>
 }
 
 export type FormSubmissionResult<TData> = FormSubmissionSuccess<TData> | FormSubmissionFailure<TData>
@@ -119,15 +132,51 @@ function normalizeStatus(value: number | undefined, fallback: number): number {
   return value
 }
 
+function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
+  readonly status: number
+  readonly errors?: FormFailureErrors
+} {
+  if (typeof input === 'number') {
+    return {
+      status: normalizeStatus(input, fallbackStatus),
+    }
+  }
+
+  return {
+    status: normalizeStatus(input?.status, fallbackStatus),
+    errors: input?.errors,
+  }
+}
+
+function normalizeFailureErrors(
+  fallback: Record<string, readonly string[]>,
+  override: FormFailureErrors | undefined,
+): Record<string, readonly string[]> {
+  if (!override) {
+    return fallback
+  }
+
+  const normalized: Record<string, readonly string[]> = {}
+
+  for (const [field, messages] of Object.entries(override)) {
+    if (typeof messages !== 'undefined') {
+      normalized[field] = messages
+    }
+  }
+
+  return normalized
+}
+
 function serializeSubmissionState<TData>(
   valid: boolean,
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
+  schemaDefinition?: FormSchema,
 ): SerializedFormSubmission<TData> {
   return Object.freeze({
     valid,
     submitted: true as const,
-    values: sanitizeFlashedInput(values),
+    values: sanitizeFlashedInput(values, schemaDefinition),
     errors: errors.flatten(),
   })
 }
@@ -137,17 +186,22 @@ function createSubmission<TData>(
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
   failureStatus = 422,
+  schemaDefinition?: FormSchema,
 ): FormSubmissionResult<TData> {
   const normalizedFailureStatus = normalizeStatus(failureStatus, 422)
-  const serialize = () => serializeSubmissionState(valid, values, errors)
+  const serialize = () => serializeSubmissionState(valid, values, errors, schemaDefinition)
 
-  const failure = (): FormFailurePayload<TData> => ({
-    ok: false,
-    status: normalizedFailureStatus,
-    valid: false as const,
-    values: sanitizeFlashedInput(values) as Partial<TData>,
-    errors: errors.flatten(),
-  })
+  const failure = (input?: FormFailureInput): FormFailurePayload<TData> => {
+    const normalized = normalizeFailureInput(input, normalizedFailureStatus)
+
+    return {
+      ok: false,
+      status: normalized.status,
+      valid: false as const,
+      values: sanitizeFlashedInput(values, schemaDefinition) as Partial<TData>,
+      errors: normalizeFailureErrors(errors.flatten(), normalized.errors),
+    }
+  }
 
   const success = <TPayload>(payload?: TPayload, status?: number): FormSuccessPayload<TPayload | undefined> => ({
     ok: true,
@@ -165,12 +219,8 @@ function createSubmission<TData>(
       errors,
       serialize,
       success,
-      fail(status?: number) {
-        const payload = failure()
-        return {
-          ...payload,
-          status: normalizeStatus(status, payload.status),
-        }
+      fail(input?: FormFailureInput) {
+        return failure(input)
       },
     })
   }
@@ -183,12 +233,8 @@ function createSubmission<TData>(
     errors,
     serialize,
     success,
-    fail(status?: number) {
-      const payload = failure()
-      return {
-        ...payload,
-        status: normalizeStatus(status, payload.status),
-      }
+    fail(input?: FormFailureInput) {
+      return failure(input)
     },
   })
 }
@@ -198,9 +244,13 @@ export function createSuccessfulSubmission<TShape extends SchemaInputShape>(
   data: InferSchemaData<TShape>,
 ): FormSubmissionSuccess<InferSchemaData<TShape>> {
   void schemaDefinition
-  return createSubmission<InferSchemaData<TShape>>(true, data, createErrorBag()) as FormSubmissionSuccess<
-    InferSchemaData<TShape>
-  >
+  return createSubmission<InferSchemaData<TShape>>(
+    true,
+    data,
+    createErrorBag(),
+    422,
+    schemaDefinition,
+  ) as FormSubmissionSuccess<InferSchemaData<TShape>>
 }
 
 export function createFailedSubmission<TShape extends SchemaInputShape>(
@@ -216,6 +266,7 @@ export function createFailedSubmission<TShape extends SchemaInputShape>(
     values,
     createErrorBag<InferSchemaData<TShape>>(flattenedErrors),
     normalizedStatus,
+    schemaDefinition,
   ) as FormSubmissionFailure<InferSchemaData<TShape>>
 }
 
diff --git a/packages/forms/src/index.ts b/packages/forms/src/index.ts
index 4533ac0..6b7395c 100644
--- a/packages/forms/src/index.ts
+++ b/packages/forms/src/index.ts
@@ -12,6 +12,9 @@ export {
   isFormSchema,
 } from './schema'
 export type {
+  FormFailureErrors,
+  FormFailureInput,
+  FormFailureOptions,
   FormFailurePayload,
   InferFormData,
   FormRequestLikeInput,
diff --git a/packages/forms/src/sensitiveInput.ts b/packages/forms/src/sensitiveInput.ts
index 1665412..1407594 100644
--- a/packages/forms/src/sensitiveInput.ts
+++ b/packages/forms/src/sensitiveInput.ts
@@ -1,3 +1,5 @@
+import type { FieldDefinition, SchemaInputShape, ValidationSchema } from '@holo-js/validation'
+
 const DEFAULT_DONT_FLASH_FIELDS = Object.freeze([
   'confirm_password',
   'confirmPassword',
@@ -12,6 +14,8 @@ const DEFAULT_DONT_FLASH_FIELDS = Object.freeze([
 
 const DEFAULT_DONT_FLASH_FIELD_SET = new Set<string>(DEFAULT_DONT_FLASH_FIELDS)
 
+type SensitiveSchema = Pick<ValidationSchema<SchemaInputShape>, 'fields'>
+
 function isPlainObject(value: unknown): value is Record<string, unknown> {
   return !!value
     && typeof value === 'object'
@@ -20,19 +24,101 @@ function isPlainObject(value: unknown): value is Record<string, unknown> {
     && !(value instanceof Blob)
 }
 
-export function sanitizeFlashedInput<TData>(
-  values: Partial<TData> | TData,
-): Partial<TData> | TData {
+function isFieldDefinition(value: unknown): value is FieldDefinition {
+  return isPlainObject(value)
+    && typeof value.kind === 'string'
+    && Array.isArray(value.rules)
+}
+
+function isSchemaField(value: unknown): value is { readonly kind: 'field', readonly definition: FieldDefinition } {
+  return isPlainObject(value)
+    && value.kind === 'field'
+    && isFieldDefinition(value.definition)
+}
+
+function collectSensitivePathsFromFields(
+  fields: Record<string, unknown>,
+  prefix = '',
+  output: string[] = [],
+): string[] {
+  for (const [key, value] of Object.entries(fields)) {
+    const path = prefix ? `${prefix}.${key}` : key
+
+    if (DEFAULT_DONT_FLASH_FIELD_SET.has(key)) {
+      output.push(path)
+    }
+
+    if (isSchemaField(value)) {
+      if (value.definition.sensitive === true) {
+        output.push(path)
+      }
+      continue
+    }
+
+    if (isPlainObject(value)) {
+      collectSensitivePathsFromFields(value, path, output)
+    }
+  }
+
+  return output
+}
+
+function collectSensitivePaths(schemaDefinition: SensitiveSchema | undefined): readonly string[] {
+  if (!schemaDefinition) {
+    return []
+  }
+
+  return collectSensitivePathsFromFields(schemaDefinition.fields as Record<string, unknown>)
+}
+
+function deletePath(root: Record<string, unknown>, path: string): void {
+  const parts = path.split('.').filter(Boolean)
+  const leaf = parts.at(-1)
+  if (!leaf) {
+    return
+  }
+
+  let cursor: unknown = root
+  for (const part of parts.slice(0, -1)) {
+    if (!isPlainObject(cursor)) {
+      return
+    }
+
+    cursor = cursor[part]
+  }
+
+  if (isPlainObject(cursor)) {
+    delete cursor[leaf]
+  }
+}
+
+function sanitizePlainObject<TData>(
+  values: TData,
+  sensitivePaths: readonly string[],
+): TData {
   if (!isPlainObject(values)) {
     return values
   }
 
-  return Object.fromEntries(
+  const output = Object.fromEntries(
     Object.entries(values).filter(([key]) => !DEFAULT_DONT_FLASH_FIELD_SET.has(key)),
-  ) as Partial<TData> | TData
+  )
+
+  for (const path of sensitivePaths) {
+    deletePath(output, path)
+  }
+
+  return output as TData
 }
 
-export function clearSensitiveInputValues<TData>(values: TData): TData {
+export function sanitizeFlashedInput<TData>(
+  values: Partial<TData> | TData,
+  schemaDefinition?: SensitiveSchema,
+): Partial<TData> | TData {
+  return sanitizePlainObject(values, collectSensitivePaths(schemaDefinition))
+}
+
+export function clearSensitiveInputValues<TData>(values: TData, schemaDefinition?: SensitiveSchema): TData {
   if (!isPlainObject(values)) {
     return values
   }
@@ -41,9 +127,14 @@ export function clearSensitiveInputValues<TData>(values: TData): TData {
     delete values[field]
   }
 
+  for (const path of collectSensitivePaths(schemaDefinition)) {
+    deletePath(values, path)
+  }
+
   return values
 }
 
 export const sensitiveInputInternals = {
+  collectSensitivePaths,
   DEFAULT_DONT_FLASH_FIELDS,
 }
diff --git a/packages/forms/tests/client.test.ts b/packages/forms/tests/client.test.ts
index 9a2d239..b8c721b 100644
--- a/packages/forms/tests/client.test.ts
+++ b/packages/forms/tests/client.test.ts
@@ -278,7 +278,7 @@ describe('@holo-js/forms client', () => {
     const registerUser = schema({
       name: field.string().required(),
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
 
     const client = useForm(registerUser, {
@@ -489,11 +489,12 @@ describe('@holo-js/forms client', () => {
     expect('valid' in fallback && fallback.valid === true).toBe(true)
   })
 
-  it('clears Laravel-style dontFlash fields after server-side failures', () => {
+  it('clears sensitive fields after server-side failures', () => {
     const registerUser = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8),
+      passwordConfirmation: field.password().required(),
+      nationalId: field.string().sensitive().required(),
     })
 
     const client = useForm(registerUser, {
@@ -501,6 +502,7 @@ describe('@holo-js/forms client', () => {
         email: 'ava@example.com',
         password: 'super-secret',
         passwordConfirmation: 'super-secret',
+        nationalId: 'private-id',
       },
     })
 
@@ -520,6 +522,7 @@ describe('@holo-js/forms client', () => {
     expect(client.values.email).toBe('bad')
     expect(client.values.password).toBeUndefined()
     expect(client.values.passwordConfirmation).toBeUndefined()
+    expect(client.values.nationalId).toBeUndefined()
     expect(client.errors.first('password')).toBe('The password field is required.')
   })
 
diff --git a/packages/forms/tests/client.type.test.ts b/packages/forms/tests/client.type.test.ts
index 178f1aa..4a30909 100644
--- a/packages/forms/tests/client.type.test.ts
+++ b/packages/forms/tests/client.type.test.ts
@@ -87,8 +87,8 @@ describe('@holo-js/forms client typing', () => {
     const registerUser = schema({
       name: field.string().required(),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
     })
 
     const client = useForm(registerUser, {
diff --git a/packages/forms/tests/contracts.test.ts b/packages/forms/tests/contracts.test.ts
index dac976d..8e02481 100644
--- a/packages/forms/tests/contracts.test.ts
+++ b/packages/forms/tests/contracts.test.ts
@@ -71,7 +71,7 @@ describe('@holo-js/forms contracts', () => {
   it('creates form schemas from shapes and validation schemas', () => {
     const direct = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
     const nested = schema(defineSchema({
       profile: {
@@ -231,9 +231,10 @@ describe('@holo-js/forms contracts', () => {
   it('excludes password-like dontFlash fields while preserving transport tokens in serialized failure payloads', async () => {
     const registerUser = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8),
+      passwordConfirmation: field.password().required(),
       token: field.string().required(),
+      nationalId: field.string().sensitive().required(),
     })
 
     const failure = await validate({
@@ -241,6 +242,7 @@ describe('@holo-js/forms contracts', () => {
       password: 'super-secret',
       passwordConfirmation: 'super-secret',
       token: 'reset-token',
+      nationalId: 'private-id',
     }, registerUser)
 
     expect(failure.valid).toBe(false)
@@ -253,6 +255,7 @@ describe('@holo-js/forms contracts', () => {
       password: 'super-secret',
       passwordConfirmation: 'super-secret',
       token: 'reset-token',
+      nationalId: 'private-id',
     })
     expect(failure.serialize()).toEqual({
       valid: false,
@@ -277,6 +280,23 @@ describe('@holo-js/forms contracts', () => {
         email: ['Invalid email: Received "bad"'],
       },
     })
+    expect(failure.fail({
+      status: 409,
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    })).toEqual({
+      ok: false,
+      status: 409,
+      valid: false,
+      values: {
+        email: 'bad',
+        token: 'reset-token',
+      },
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    })
   })
 
   it('preserves verification and reset transport tokens while still stripping passwords', () => {
diff --git a/packages/forms/tests/docs-examples.test.ts b/packages/forms/tests/docs-examples.test.ts
index 23cfefe..626b791 100644
--- a/packages/forms/tests/docs-examples.test.ts
+++ b/packages/forms/tests/docs-examples.test.ts
@@ -7,8 +7,8 @@ describe('@holo-js/forms documented examples', () => {
     const registerUser = schema({
       name: field.string().required().min(3).max(255),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
     })
 
     const registerFailureRequest = new Request('https://example.com/register', {
@@ -101,7 +101,7 @@ describe('@holo-js/forms documented examples', () => {
   it('covers the documented client login, nested profile, and file upload flows', async () => {
     const loginSchema = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
 
     const login = useForm(loginSchema, {
diff --git a/packages/validation/src/contracts-support.ts b/packages/validation/src/contracts-support.ts
index 0448b73..9231047 100644
--- a/packages/validation/src/contracts-support.ts
+++ b/packages/validation/src/contracts-support.ts
@@ -81,6 +81,13 @@ export function cloneDefinition(definition: FieldDefinition, rule: FieldRule): F
   })
 }
 
+export function markDefinitionSensitive(definition: FieldDefinition): FieldDefinition {
+  return Object.freeze({
+    ...definition,
+    sensitive: true as const,
+  })
+}
+
 export function assertFiniteNumber(value: number, label: string): void {
   if (!Number.isFinite(value)) {
     throw new ValidationContractError(`${label} must be a finite number.`)
@@ -129,12 +136,13 @@ export function normalizeSchemaShape<TShape extends SchemaInputShape>(shape: TSh
   return Object.freeze(Object.fromEntries(normalizedEntries)) as NormalizedSchemaShape<TShape>
 }
 
-export function createField<TOutput>(kind: FieldKind, item?: FieldDefinition): ValidationField<TOutput> {
+export function createField<TOutput>(kind: FieldKind, item?: FieldDefinition, sensitive = false): ValidationField<TOutput> {
   return Object.freeze({
     kind: 'field' as const,
     definition: Object.freeze({
       kind,
       item,
+      ...(sensitive ? { sensitive: true as const } : {}),
       rules: Object.freeze([]),
     }),
   })
diff --git a/packages/validation/src/contracts-types.ts b/packages/validation/src/contracts-types.ts
index c4defa8..3b39b06 100644
--- a/packages/validation/src/contracts-types.ts
+++ b/packages/validation/src/contracts-types.ts
@@ -87,6 +87,7 @@ export interface FieldRule {
 export interface FieldDefinition {
   readonly kind: FieldKind
   readonly rules: readonly FieldRule[]
+  readonly sensitive?: boolean
   readonly item?: FieldDefinition
 }
 
diff --git a/packages/validation/src/contracts.ts b/packages/validation/src/contracts.ts
index a933d22..7e863c9 100644
--- a/packages/validation/src/contracts.ts
+++ b/packages/validation/src/contracts.ts
@@ -35,6 +35,7 @@ import {
   normalizeRequestInput,
   normalizeRule,
   normalizeSchemaShape,
+  markDefinitionSensitive,
   parseByteSize,
   resolveCompiledSchema,
 } from './contracts-support'
@@ -65,6 +66,15 @@ export class ValidationFieldBuilder<TOutput> implements StandardSchemaV1<unknown
     return new ValidationFieldBuilder(nextField)
   }
 
+  sensitive(): ValidationFieldBuilder<TOutput> {
+    const nextField = Object.freeze({
+      ...this.field,
+      definition: markDefinitionSensitive(this.field.definition),
+    }) as ValidationField<TOutput>
+
+    return new ValidationFieldBuilder(nextField)
+  }
+
   required(message?: string): ValidationFieldBuilder<Exclude<TOutput, undefined>> {
     return this.clone<Exclude<TOutput, undefined>>(normalizeRule('required', [], message))
   }
@@ -230,6 +240,9 @@ export const field = Object.freeze({
   string() {
     return new ValidationFieldBuilder<string>(createField('string'))
   },
+  password() {
+    return new ValidationFieldBuilder<string>(createField('string', undefined, true))
+  },
   number() {
     return new ValidationFieldBuilder<number>(createField('number'))
   },
diff --git a/packages/validation/tests/contracts.test.ts b/packages/validation/tests/contracts.test.ts
index 867998e..e7f8cf5 100644
--- a/packages/validation/tests/contracts.test.ts
+++ b/packages/validation/tests/contracts.test.ts
@@ -18,7 +18,8 @@ describe('@holo-js/validation contracts', () => {
     const registerUser = schema({
       name: field.string().required().min(3).max(255),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
+      password: field.password().required().min(8).confirmed(),
+      nationalId: field.string().sensitive().required(),
       newsletter: field.boolean().default(false),
       tags: field.array(field.string().min(1)).optional(),
       profile: {
@@ -33,6 +34,8 @@ describe('@holo-js/validation contracts', () => {
     expect(registerUser['~standard'].vendor).toBe('holo-js')
     expect(typeof registerUser['~standard'].validate).toBe('function')
     expect(registerUser.fields.name.definition.rules.map(rule => rule.name)).toEqual(['required', 'min', 'max'])
+    expect(registerUser.fields.password.definition.sensitive).toBe(true)
+    expect(registerUser.fields.nationalId.definition.sensitive).toBe(true)
     expect(registerUser.fields.tags.definition.item?.kind).toBe('string')
     expect(registerUser.fields.profile.city.definition.kind).toBe('string')
   })
@@ -76,8 +79,8 @@ describe('@holo-js/validation contracts', () => {
       age: field.number().integer().optional(),
       newsletter: field.boolean().default(false),
       tags: field.array(field.string().min(1)).optional(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
       profile: {
         city: field.string().required(),
       },
@@ -131,8 +134,8 @@ describe('@holo-js/validation contracts', () => {
       name: field.string().required().min(3),
       email: field.string().required().email(),
       age: field.number().integer().optional(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
       profile: {
         city: field.string().required(),
       },
@@ -326,7 +329,7 @@ describe('@holo-js/validation contracts', () => {
       email: field.string()
         .required('Email is mandatory.')
         .email('Please enter a valid email address.'),
-      password: field.string()
+      password: field.password()
         .min(8, 'Password must be at least 8 characters.'),
       avatar: field.file()
         .image('Avatar must be an image file.')
@@ -898,7 +901,7 @@ describe('@holo-js/validation coverage completeness', () => {
 
   it('handles confirmed rule failure for missing confirmation field', async () => {
     const passwordSchema = schema({
-      password: field.string().required().confirmed(),
+      password: field.password().required().confirmed(),
     })
 
     const failure = await validate({ password: 'secret123' }, passwordSchema)
diff --git a/tests/example-app-auth-flow.mjs b/tests/example-app-auth-flow.mjs
index f488167..5eeb00f 100644
--- a/tests/example-app-auth-flow.mjs
+++ b/tests/example-app-auth-flow.mjs
@@ -155,7 +155,10 @@ function assertThrottleFailure(result) {
 }
 
 function assertSocialRedirect(result, expected) {
-  assert.equal(result.response.status, 302)
+  assert.ok(
+    result.response.status >= 300 && result.response.status < 400,
+    'Expected redirect status in 3xx range.',
+  )
   const location = result.response.headers.get('location')
   assert.ok(location, `Expected ${expected.provider} redirect to include a location header.`)
   const authorizationUrl = new URL(location)
@@ -300,10 +303,11 @@ export async function assertExampleAppAuthFlow({
   assertFieldFailure(badCredentials, ['email', 'password'])
 
   let throttledLogin
+  const throttledEmail = `${appName}-throttled-login-${Date.now()}@app.test`
   for (let attempt = 0; attempt < 6; attempt += 1) {
     throttledLogin = await fetchAuthJson('/api/login', {
       fields: {
-        email: `${appName}-throttled-login-${Date.now()}@app.test`,
+        email: throttledEmail,
         password: 'wrong-password',
       },
       headers: {

From a18c1c2876d43bbbf35a0cb16ff64870e17ddf15 Mon Sep 17 00:00:00 2001
From: Mohamed Melouk <42706279+cobraprojects@users.noreply.github.com>
Date: Fri, 8 May 2026 02:13:27 +0300
Subject: [PATCH 3/4] fix

---
 packages/adapter-sveltekit/src/index.ts       |  4 ++
 .../adapter-sveltekit/tests/runtime.test.ts   | 31 +++++++---
 packages/forms/src/client.ts                  | 56 ++++---------------
 packages/forms/src/contracts.ts               |  4 +-
 packages/forms/src/sensitiveInput.ts          |  8 ++-
 packages/forms/tests/contracts.test.ts        | 33 +++++++++++
 6 files changed, 77 insertions(+), 59 deletions(-)

diff --git a/packages/adapter-sveltekit/src/index.ts b/packages/adapter-sveltekit/src/index.ts
index d35275d..7eead71 100644
--- a/packages/adapter-sveltekit/src/index.ts
+++ b/packages/adapter-sveltekit/src/index.ts
@@ -32,6 +32,7 @@ type SvelteKitCookieOptions = {
   secure?: boolean
   httpOnly?: boolean
   sameSite?: 'lax' | 'strict' | 'none'
+  partitioned?: boolean
 }
 
 type ParsedResponseCookie = {
@@ -117,6 +118,9 @@ function parseResponseCookie(cookie: string): ParsedResponseCookie | null {
           options.sameSite = value.toLowerCase() as SvelteKitCookieOptions['sameSite']
         }
         break
+      case 'partitioned':
+        options.partitioned = value ? value.toLowerCase() === 'true' : true
+        break
     }
   }
 
diff --git a/packages/adapter-sveltekit/tests/runtime.test.ts b/packages/adapter-sveltekit/tests/runtime.test.ts
index da7a272..9d2effc 100644
--- a/packages/adapter-sveltekit/tests/runtime.test.ts
+++ b/packages/adapter-sveltekit/tests/runtime.test.ts
@@ -72,6 +72,7 @@ describe('@holo-js/adapter-sveltekit request context', () => {
         readonly path: string
         readonly httpOnly?: boolean
         readonly sameSite?: 'lax' | 'strict' | 'none'
+        readonly partitioned?: boolean
       }
     }> = []
 
@@ -107,18 +108,30 @@ describe('@holo-js/adapter-sveltekit request context', () => {
       }
       await expect(capturedAuthRequest.getCookie('session')).resolves.toBe('cookie-value')
       await expect(capturedAuthRequest.getHeader('x-request-id')).resolves.toBe('header-value')
-      await capturedAuthRequest.appendResponseCookie?.('session=response-value; Path=/; HttpOnly; SameSite=Lax')
+      await capturedAuthRequest.appendResponseCookie?.('session=response-value; Path=/; HttpOnly; SameSite=Lax; Partitioned')
+      await capturedAuthRequest.appendResponseCookie?.('analytics=off; Path=/metrics; Partitioned=false')
     })
 
-    expect(responseCookies).toEqual([{
-      name: 'session',
-      value: 'response-value',
-      options: {
-        path: '/',
-        httpOnly: true,
-        sameSite: 'lax',
+    expect(responseCookies).toEqual([
+      {
+        name: 'session',
+        value: 'response-value',
+        options: {
+          path: '/',
+          httpOnly: true,
+          sameSite: 'lax',
+          partitioned: true,
+        },
+      },
+      {
+        name: 'analytics',
+        value: 'off',
+        options: {
+          path: '/metrics',
+          partitioned: false,
+        },
       },
-    }])
+    ])
 
     expect(capturedAuthRequest).toBeDefined()
     if (!capturedAuthRequest) {
diff --git a/packages/forms/src/client.ts b/packages/forms/src/client.ts
index 5c87fd7..cb52f8b 100644
--- a/packages/forms/src/client.ts
+++ b/packages/forms/src/client.ts
@@ -1,13 +1,14 @@
-import type {
-  FormFailureErrors,
-  FormFailureInput,
-  FormFailurePayload,
-  InferFormData,
-  FormSchema,
-  FormSubmissionResult,
-  FormSuccessPayload,
-  SerializedFormSubmission as SerializedSubmissionState,
-  SerializedFormSubmission,
+import {
+  type FormFailureInput,
+  type FormFailurePayload,
+  type InferFormData,
+  type FormSchema,
+  type FormSubmissionResult,
+  type FormSuccessPayload,
+  type SerializedFormSubmission as SerializedSubmissionState,
+  type SerializedFormSubmission,
+  normalizeFailureErrors,
+  normalizeFailureInput,
 } from './contracts'
 import { FormContractError } from './errors'
 import { clearSensitiveInputValues, sanitizeFlashedInput } from './sensitiveInput'
@@ -130,41 +131,6 @@ function normalizeStatus(value: number | undefined, fallback: number): number {
   return value
 }
 
-function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
-  readonly status: number
-  readonly errors?: FormFailureErrors
-} {
-  if (typeof input === 'number') {
-    return {
-      status: normalizeStatus(input, fallbackStatus),
-    }
-  }
-
-  return {
-    status: normalizeStatus(input?.status, fallbackStatus),
-    errors: input?.errors,
-  }
-}
-
-function normalizeFailureErrors(
-  fallback: Record<string, readonly string[]>,
-  override: FormFailureErrors | undefined,
-): Record<string, readonly string[]> {
-  if (!override) {
-    return fallback
-  }
-
-  const normalized: Record<string, readonly string[]> = {}
-
-  for (const [field, messages] of Object.entries(override)) {
-    if (typeof messages !== 'undefined') {
-      normalized[field] = messages
-    }
-  }
-
-  return normalized
-}
-
 function serializeSubmissionState<TData>(
   valid: boolean,
   values: Partial<TData> | TData,
diff --git a/packages/forms/src/contracts.ts b/packages/forms/src/contracts.ts
index 49b940e..7612d60 100644
--- a/packages/forms/src/contracts.ts
+++ b/packages/forms/src/contracts.ts
@@ -132,7 +132,7 @@ function normalizeStatus(value: number | undefined, fallback: number): number {
   return value
 }
 
-function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
+export function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
   readonly status: number
   readonly errors?: FormFailureErrors
 } {
@@ -148,7 +148,7 @@ function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number):
   }
 }
 
-function normalizeFailureErrors(
+export function normalizeFailureErrors(
   fallback: Record<string, readonly string[]>,
   override: FormFailureErrors | undefined,
 ): Record<string, readonly string[]> {
diff --git a/packages/forms/src/sensitiveInput.ts b/packages/forms/src/sensitiveInput.ts
index 1407594..d14a4a4 100644
--- a/packages/forms/src/sensitiveInput.ts
+++ b/packages/forms/src/sensitiveInput.ts
@@ -100,9 +100,11 @@ function sanitizePlainObject<TData>(
     return values
   }
 
-  const output = Object.fromEntries(
-    Object.entries(values).filter(([key]) => !DEFAULT_DONT_FLASH_FIELD_SET.has(key)),
-  )
+  const output = structuredClone(values) as Record<string, unknown>
+
+  for (const field of DEFAULT_DONT_FLASH_FIELD_SET) {
+    delete output[field]
+  }
 
   for (const path of sensitivePaths) {
     deletePath(output, path)
diff --git a/packages/forms/tests/contracts.test.ts b/packages/forms/tests/contracts.test.ts
index 8e02481..d41a498 100644
--- a/packages/forms/tests/contracts.test.ts
+++ b/packages/forms/tests/contracts.test.ts
@@ -314,6 +314,39 @@ describe('@holo-js/forms contracts', () => {
     })
   })
 
+  it('does not mutate nested values when sanitizing flashed input', () => {
+    const profileForm = schema({
+      email: field.string().required(),
+      profile: {
+        displayName: field.string().required(),
+        nationalId: field.string().sensitive().required(),
+      },
+    })
+    const values = {
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      profile: {
+        displayName: 'Ava',
+        nationalId: 'private-id',
+      },
+    }
+
+    expect(formsInternals.sanitizeFlashedInput(values, profileForm)).toEqual({
+      email: 'ava@example.com',
+      profile: {
+        displayName: 'Ava',
+      },
+    })
+    expect(values).toEqual({
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      profile: {
+        displayName: 'Ava',
+        nationalId: 'private-id',
+      },
+    })
+  })
+
   it('does not coerce plain form objects with request-like field names into Request inputs', async () => {
     const requestMeta = schema({
       method: field.string().required(),

From 6e24bcd8737d3c57d9ad64d1996c58227e60c217 Mon Sep 17 00:00:00 2001
From: Mohamed Melouk <42706279+cobraprojects@users.noreply.github.com>
Date: Fri, 8 May 2026 03:13:05 +0300
Subject: [PATCH 4/4] fix

---
 packages/forms/src/contracts.ts        |  2 +-
 packages/forms/tests/contracts.test.ts | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/packages/forms/src/contracts.ts b/packages/forms/src/contracts.ts
index 7612d60..f35c431 100644
--- a/packages/forms/src/contracts.ts
+++ b/packages/forms/src/contracts.ts
@@ -156,7 +156,7 @@ export function normalizeFailureErrors(
     return fallback
   }
 
-  const normalized: Record<string, readonly string[]> = {}
+  const normalized: Record<string, readonly string[]> = { ...fallback }
 
   for (const [field, messages] of Object.entries(override)) {
     if (typeof messages !== 'undefined') {
diff --git a/packages/forms/tests/contracts.test.ts b/packages/forms/tests/contracts.test.ts
index d41a498..6b20ade 100644
--- a/packages/forms/tests/contracts.test.ts
+++ b/packages/forms/tests/contracts.test.ts
@@ -299,6 +299,28 @@ describe('@holo-js/forms contracts', () => {
     })
   })
 
+  it('merges failure override errors with existing validation errors', () => {
+    const registerUser = schema({
+      email: field.string().required().email(),
+      token: field.string().required(),
+    })
+    const failure = createFailedSubmission(registerUser, {
+      email: 'bad',
+    }, {
+      email: ['Invalid email.'],
+      token: ['Missing token.'],
+    })
+
+    expect(failure.fail({
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    }).errors).toEqual({
+      email: ['A user with this email already exists.'],
+      token: ['Missing token.'],
+    })
+  })
+
   it('preserves verification and reset transport tokens while still stripping passwords', () => {
     expect(formsInternals.sanitizeFlashedInput({
       email: 'ava@example.com',