fix: access control indexing type

[YevheniiKotyrlo]

Summary

Two source-level type fixes for consumers with skipLibCheck: false:

1. Remove zod/v4/core re-export from src/index.ts

The line export type * from "zod/v4/core" overlaps with export type * from "zod/v4" and leaks internal Zod types into the public API namespace. This causes TS2742 ("cannot be named without a reference to zod/v4/core") for consumers. The line already has @ts-expect-error above it, confirming it was known to be problematic.

Related: #5574, #4837

2. Fix access control [key][number] indexing in admin and organization plugins

The emitted .d.ts for permission types uses S[key][number] double-indexing, but TypeScript cannot narrow the intermediate [key] access to readonly unknown[] after the conditional check. This produces type errors in the emitted declarations for both admin and organization plugin client types.

Fix: introduce an ArrayElement<T> helper type (T extends readonly (infer E)[] ? E : never) and use ArrayElement<S[key]> instead of S[key][number] in 4 locations (admin/client.ts, admin/routes.ts, organization/client.ts, organization/organization.ts).

Related: #4804, #6491, #6127

Impact

• Runtime: Zero — types only, no behavioral changes
• Build: pnpm typecheck, pnpm lint, pnpm build all pass
• Consumers: Fixes TS2742 and access control type errors for projects using skipLibCheck: false

Verification

• pnpm typecheck — zero errors
• pnpm lint (Biome, 1386 files) — no issues
• pnpm build (tsdown, 673 output files) — clean in ~1100ms

---

Summary by cubic

Fix TypeScript declaration issues by removing the zod/v4/core type re-export and using a new ArrayElement helper for permission arrays. This resolves TS2742 and permission type errors for projects using skipLibCheck: false.

• Bug Fixes
  • Removed export type * from "zod/v4/core" to prevent internal Zod types leaking and “cannot be named” errors.
  • Added ArrayElement helper in access/types and used it in admin and organization permission types (replacing S[key][number]) to fix emitted d.ts.

^{Written for commit e0036d5. Summary will update on new commits.}

[vercel]

@YevheniiKotyrlo is attempting to deploy a commit to the better-auth Team on Vercel.

A member of the Team first needs to authorize it.

[pkg-pr-new]

Open in StackBlitz

@better-auth/api-key

npm i https://pkg.pr.new/@better-auth/api-key@8155

better-auth

npm i https://pkg.pr.new/better-auth@8155

auth

npm i https://pkg.pr.new/auth@8155

@better-auth/core

npm i https://pkg.pr.new/@better-auth/core@8155

@better-auth/drizzle-adapter

npm i https://pkg.pr.new/@better-auth/drizzle-adapter@8155

@better-auth/electron

npm i https://pkg.pr.new/@better-auth/electron@8155

@better-auth/expo

npm i https://pkg.pr.new/@better-auth/expo@8155

@better-auth/i18n

npm i https://pkg.pr.new/@better-auth/i18n@8155

@better-auth/kysely-adapter

npm i https://pkg.pr.new/@better-auth/kysely-adapter@8155

@better-auth/memory-adapter

npm i https://pkg.pr.new/@better-auth/memory-adapter@8155

@better-auth/mongo-adapter

npm i https://pkg.pr.new/@better-auth/mongo-adapter@8155

@better-auth/oauth-provider

npm i https://pkg.pr.new/@better-auth/oauth-provider@8155

@better-auth/passkey

npm i https://pkg.pr.new/@better-auth/passkey@8155

@better-auth/prisma-adapter

npm i https://pkg.pr.new/@better-auth/prisma-adapter@8155

@better-auth/redis-storage

npm i https://pkg.pr.new/@better-auth/redis-storage@8155

@better-auth/scim

npm i https://pkg.pr.new/@better-auth/scim@8155

@better-auth/sso

npm i https://pkg.pr.new/@better-auth/sso@8155

@better-auth/stripe

npm i https://pkg.pr.new/@better-auth/stripe@8155

@better-auth/telemetry

npm i https://pkg.pr.new/@better-auth/telemetry@8155

@better-auth/test-utils

npm i https://pkg.pr.new/@better-auth/test-utils@8155

commit: c993f3e

[cubic-dev-ai]

No issues found across 6 files

[himself65]

I want merge this after: #8021

[CLAassistant]

All committers have signed the CLA.