The kit now ships @kit/social-{core,meta,tiktok,api} โ a provider-agnostic social-publishing primitive that treats Facebook Pages, Instagram Business, and TikTok as first-class citizens without pretending they behave the same way.
Each platform has its own quirks.
Meta gives you long-lived Page tokens that do not silently rotate. TikTok hands you a 60-day access token paired with a 365-day refresh token that absolutely does rotate on every refresh, with no extension beyond the year. Instagram Business sits inside the Meta graph but uses a different scope vocabulary and a different media-upload flow than Facebook Pages does.
Instead of papering over those differences with a lowest-common-denominator abstraction, the primitive surfaces them as capability flags on each provider โ refreshRotates is the load-bearing one โ so the calling code can branch honestly when the behaviour matters and stay generic when it does not.
Scopes are type-narrowed at the call site. Tokens are encrypted at rest with the kit's standard envelope-encryption pattern. And the upcoming Meta Graph v25โv26 cutover on Jun 15 2026 is wired into a build-time check rather than left to a future operator's memory.
This is the foundation โ Phase 4 of the broader social-jobs work. It is not yet the publish path itself, and the changelog is honest about that distinction below.
What lands today
Six new Prisma tables.
socialConnectedAccount,socialPost,socialMetric,socialWebhookEvent,socialJobAudit, andsocialApiUsageship with the full foreign-key and index strategy already in place.Per-tenant queries stay fast as connected-account count grows, and the audit / API-usage pair gives operators the receipts they need when a platform asks how a creator's data was handled. Webhook events are stored with their raw payload so re-processing a failed delivery is a re-read rather than a re-fetch.
RBAC
socialresource with seven verbs.connect,disconnect,publish,schedule,read,read:metrics, andmoderate:commentsare gated per role. Account owners, marketers, and analysts each see exactly the surface they should โ a read-only analyst cannot accidentally publish, and a marketer cannot disconnect the workspace's accounts.HMAC-signed OAuth state token. New
signOAuthStateandverifyOAuthStatehelpers close the cross-org CSRF gap so a state parameter from one tenant cannot be replayed against another.The signing key is derived from
BETTER_AUTH_SECRET_ROOTper the standard fork-isolation pattern, so non-canonical forks get their own signing domain for free โ a state token minted by your canonical app cannot be presented at a side fork's callback, and vice versa.