@alepha/react 0.12.0 → 0.13.0

package/dist/auth/index.d.cts

@@ -1,519 +1,1126 @@
-import * as alepha4 from "alepha";
-import { Alepha, AlephaError, Async, Descriptor, KIND, Static } from "alepha";
-import { AccessTokenResponse, RealmDescriptor, SecurityProvider, UserAccount, UserAccountToken } from "alepha/security";
-import { DateTimeProvider } from "alepha/datetime";
-import { Configuration } from "openid-client";
-import * as alepha_logger0 from "alepha/logger";
-import * as typebox143 from "typebox";
-import * as alepha_server_cookies0 from "alepha/server/cookies";
-import { Cookies, ServerCookiesProvider } from "alepha/server/cookies";
-import * as alepha_server0 from "alepha/server";
-import { HttpClient } from "alepha/server";
-import { HttpVirtualClient, ServerLinksProvider } from "alepha/server/links";
+import * as alepha20 from "alepha";
+import { Alepha, AlephaError, Async, Descriptor, FileLike, InstantiableClass, LogLevel, LoggerInterface, Static, StreamLike, TArray, TFile, TObject, TRecord, TSchema, TStream, TString, TVoid } from "alepha";
+import dayjsDuration from "dayjs/plugin/duration.js";
+import DayjsApi, { Dayjs, ManipulateType, PluginFunc } from "dayjs";
+import { IncomingMessage, Server, ServerResponse } from "node:http";
+import { Readable } from "node:stream";
+import { ReadableStream } from "node:stream/web";
 
-//#region src/auth/schemas/tokensSchema.d.ts
-declare const tokensSchema: typebox143.TObject<{
-  provider: typebox143.TString;
-  access_token: typebox143.TString;
-  issued_at: typebox143.TNumber;
-  expires_in: typebox143.TOptional<typebox143.TNumber>;
-  refresh_token: typebox143.TOptional<typebox143.TString>;
-  refresh_token_expires_in: typebox143.TOptional<typebox143.TNumber>;
-  refresh_expires_in: typebox143.TOptional<typebox143.TNumber>;
-  id_token: typebox143.TOptional<typebox143.TString>;
-  scope: typebox143.TOptional<typebox143.TString>;
+//#region ../alepha/src/security/schemas/userAccountInfoSchema.d.ts
+declare const userAccountInfoSchema: alepha20.TObject<{
+  id: alepha20.TString;
+  name: alepha20.TOptional<alepha20.TString>;
+  email: alepha20.TOptional<alepha20.TString>;
+  username: alepha20.TOptional<alepha20.TString>;
+  picture: alepha20.TOptional<alepha20.TString>;
+  sessionId: alepha20.TOptional<alepha20.TString>;
+  organizations: alepha20.TOptional<alepha20.TArray<alepha20.TString>>;
+  roles: alepha20.TOptional<alepha20.TArray<alepha20.TString>>;
 }>;
-type Tokens = Static<typeof tokensSchema>;
+type UserAccount = Static<typeof userAccountInfoSchema>;
 //#endregion
-//#region src/auth/services/ReactAuth.d.ts
-/**
- * Browser, SSR friendly, service to handle authentication.
- */
-declare class ReactAuth {
-  protected readonly log: alepha_logger0.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly httpClient: HttpClient;
-  static path: {
-    login: string;
-    callback: string;
-    logout: string;
-    token: string;
-    refresh: string;
-    userinfo: string;
-  };
-  protected readonly onBeginTransition: alepha4.HookDescriptor<"react:transition:begin">;
-  protected readonly onFetchRequest: alepha4.HookDescriptor<"client:onRequest">;
+//#region ../alepha/src/logger/schemas/logEntrySchema.d.ts
+declare const logEntrySchema: alepha20.TObject<{
+  level: alepha20.TUnsafe<"SILENT" | "TRACE" | "DEBUG" | "INFO" | "WARN" | "ERROR">;
+  message: alepha20.TString;
+  service: alepha20.TString;
+  module: alepha20.TString;
+  context: alepha20.TOptional<alepha20.TString>;
+  app: alepha20.TOptional<alepha20.TString>;
+  data: alepha20.TOptional<alepha20.TAny>;
+  timestamp: alepha20.TNumber;
+}>;
+type LogEntry = Static<typeof logEntrySchema>;
+//#endregion
+//#region ../alepha/src/datetime/providers/DateTimeProvider.d.ts
+type DateTime = DayjsApi.Dayjs;
+type Duration = dayjsDuration.Duration;
+type DurationLike = number | dayjsDuration.Duration | [number, ManipulateType];
+declare class DateTimeProvider {
+  static PLUGINS: Array<PluginFunc<any>>;
+  protected alepha: Alepha;
+  protected ref: DateTime | null;
+  protected readonly timeouts: Timeout[];
+  protected readonly intervals: Interval[];
+  constructor();
+  protected readonly onStart: alepha20.HookDescriptor<"start">;
+  protected readonly onStop: alepha20.HookDescriptor<"stop">;
+  setLocale(locale: string): void;
+  isDateTime(value: unknown): value is DateTime;
   /**
-   * Get the current authenticated user.
+   * Create a new UTC DateTime instance.
+   */
+  utc(date: string | number | Date | Dayjs | null | undefined): DateTime;
+  /**
+   * Create a new DateTime instance.
+   */
+  of(date: string | number | Date | Dayjs | null | undefined): DateTime;
+  /**
+   * Get the current date as a string.
+   */
+  toISOString(date?: Date | string | DateTime): string;
+  /**
+   * Get the current date.
+   */
+  now(): DateTime;
+  /**
+   * Get the current date as a string.
    *
-   * Alias for `alepha.state.get("user")`
+   * This is much faster than `DateTimeProvider.now().toISOString()` as it avoids creating a DateTime instance.
    */
-  get user(): UserAccountToken | undefined;
-  ping(): Promise<{
-    name?: string | undefined;
-    email?: string | undefined;
-    username?: string | undefined;
-    picture?: string | undefined;
-    sessionId?: string | undefined;
-    organizations?: string[] | undefined;
-    roles?: string[] | undefined;
-    id: string;
-  } | undefined>;
-  login(provider: string, options: {
-    hostname?: string;
-    username?: string;
-    password?: string;
-    redirect?: string;
-    [extra: string]: any;
-  }): Promise<Tokens>;
-  logout(): void;
+  nowISOString(): string;
+  /**
+   * Get the current date as milliseconds since epoch.
+   *
+   * This is much faster than `DateTimeProvider.now().valueOf()` as it avoids creating a DateTime instance.
+   */
+  nowMillis(): number;
+  /**
+   * Get the current date as a string.
+   *
+   * @protected
+   */
+  protected getCurrentDate(): DateTime;
+  /**
+   * Create a new Duration instance.
+   */
+  duration: (duration: DurationLike, unit?: ManipulateType) => Duration;
+  isDurationLike(value: unknown): value is DurationLike;
+  /**
+   * Return a promise that resolves after the next tick.
+   * It uses `setTimeout` with 0 ms delay.
+   */
+  tick(): Promise<void>;
+  /**
+   * Wait for a certain duration.
+   *
+   * You can clear the timeout by using the `AbortSignal` API.
+   * Aborted signal will resolve the promise immediately, it does not reject it.
+   */
+  wait(duration: DurationLike, options?: {
+    signal?: AbortSignal;
+    now?: number;
+  }): Promise<void>;
+  createInterval(run: () => unknown, duration: DurationLike, start?: boolean): Interval;
+  /**
+   * Run a callback after a certain duration.
+   */
+  createTimeout(callback: () => void, duration: DurationLike, now?: number): Timeout;
+  clearTimeout(timeout: Timeout): void;
+  clearInterval(interval: Interval): void;
+  /**
+   * Run a function with a deadline.
+   */
+  deadline<T>(fn: (signal: AbortSignal) => Promise<T>, duration: DurationLike): Promise<T>;
+  /**
+   * Add time to the current date.
+   */
+  travel(duration: DurationLike, unit?: ManipulateType): Promise<void>;
+  /**
+   * Stop the time.
+   */
+  pause(): DateTime;
+  /**
+   * Reset the reference date.
+   */
+  reset(): void;
+}
+interface Interval {
+  timer?: any;
+  duration: number;
+  run: () => unknown;
+}
+interface Timeout {
+  now: number;
+  timer?: any;
+  duration: number;
+  callback: () => void;
+  clear: () => void;
 }
 //#endregion
-//#region src/auth/providers/ReactAuthProvider.d.ts
-declare class ReactAuthProvider {
-  protected readonly log: alepha_logger0.Logger;
+//#region ../alepha/src/logger/providers/LogDestinationProvider.d.ts
+declare abstract class LogDestinationProvider {
+  abstract write(message: string, entry: LogEntry): void;
+}
+//#endregion
+//#region ../alepha/src/logger/providers/LogFormatterProvider.d.ts
+declare abstract class LogFormatterProvider {
+  abstract format(entry: LogEntry): string;
+}
+//#endregion
+//#region ../alepha/src/logger/services/Logger.d.ts
+declare class Logger implements LoggerInterface {
   protected readonly alepha: Alepha;
-  protected readonly serverCookiesProvider: ServerCookiesProvider;
+  protected readonly formatter: LogFormatterProvider;
+  protected readonly destination: LogDestinationProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly serverLinksProvider: ServerLinksProvider;
-  protected readonly reactAuth: ReactAuth;
-  protected readonly authorizationCode: alepha_server_cookies0.AbstractCookieDescriptor<typebox143.TObject<{
-    provider: typebox143.TString;
-    codeVerifier: typebox143.TOptional<typebox143.TString>;
-    redirectUri: typebox143.TOptional<typebox143.TString>;
-    state: typebox143.TOptional<typebox143.TString>;
-    nonce: typebox143.TOptional<typebox143.TString>;
-  }>>;
-  readonly tokens: alepha_server_cookies0.AbstractCookieDescriptor<typebox143.TObject<{
-    provider: typebox143.TString;
-    access_token: typebox143.TString;
-    issued_at: typebox143.TNumber;
-    expires_in: typebox143.TOptional<typebox143.TNumber>;
-    refresh_token: typebox143.TOptional<typebox143.TString>;
-    refresh_token_expires_in: typebox143.TOptional<typebox143.TNumber>;
-    refresh_expires_in: typebox143.TOptional<typebox143.TNumber>;
-    id_token: typebox143.TOptional<typebox143.TString>;
-    scope: typebox143.TOptional<typebox143.TString>;
-  }>>;
-  readonly onRender: alepha4.HookDescriptor<"react:server:render:begin">;
-  get identities(): Array<AuthDescriptor>;
-  protected readonly configure: alepha4.HookDescriptor<"configure">;
-  protected getAccessTokens(tokens: Tokens): string | undefined;
-  /**
-   * Fill request headers with access token from cookies or fallback to provider's fallback function.
-   */
-  protected readonly onRequest: alepha4.HookDescriptor<"server:onRequest">;
-  /**
-   * Convert cookies to tokens.
-   * If the tokens are expired, try to refresh them using the refresh token.
-   */
-  protected cookiesToTokens(cookies: Cookies): Promise<Tokens | undefined>;
-  protected refreshTokens(tokens: Tokens): Promise<Tokens | undefined>;
-  /**
-   * Get user information.
-   */
-  readonly userinfo: alepha_server0.RouteDescriptor<{
-    response: typebox143.TObject<{
-      user: typebox143.TOptional<typebox143.TObject<{
-        id: typebox143.TString;
-        name: typebox143.TOptional<typebox143.TString>;
-        email: typebox143.TOptional<typebox143.TString>;
-        username: typebox143.TOptional<typebox143.TString>;
-        picture: typebox143.TOptional<typebox143.TString>;
-        sessionId: typebox143.TOptional<typebox143.TString>;
-        organizations: typebox143.TOptional<typebox143.TArray<typebox143.TString>>;
-        roles: typebox143.TOptional<typebox143.TArray<typebox143.TString>>;
-      }>>;
-      api: typebox143.TObject<{
-        prefix: typebox143.TOptional<typebox143.TString>;
-        links: typebox143.TArray<typebox143.TObject<{
-          name: typebox143.TString;
-          group: typebox143.TOptional<typebox143.TString>;
-          path: typebox143.TString;
-          method: typebox143.TOptional<typebox143.TString>;
-          requestBodyType: typebox143.TOptional<typebox143.TString>;
-          service: typebox143.TOptional<typebox143.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
+  protected readonly levels: Record<string, number>;
+  protected readonly service: string;
+  protected readonly module: string;
+  protected readonly app?: string;
+  protected appLogLevel: string;
+  protected logLevel: LogLevel;
+  constructor(service: string, module: string);
+  get context(): string | undefined;
+  get level(): string;
+  parseLevel(level: string, app: string): LogLevel;
+  private matchesPattern;
+  asLogLevel(something: string): LogLevel;
+  error(message: string, data?: unknown): void;
+  warn(message: string, data?: unknown): void;
+  info(message: string, data?: unknown): void;
+  debug(message: string, data?: unknown): void;
+  trace(message: string, data?: unknown): void;
+  protected log(level: LogLevel, message: string, data?: unknown): void;
+  protected emit(entry: LogEntry, message?: string): void;
+}
+//#endregion
+//#region ../alepha/src/logger/index.d.ts
+declare const envSchema$3: alepha20.TObject<{
   /**
-   * Refresh a token for internal providers.
-   */
-  readonly refresh: alepha_server0.RouteDescriptor<{
-    query: typebox143.TObject<{
-      provider: typebox143.TString;
-    }>;
-    body: typebox143.TObject<{
-      refresh_token: typebox143.TString;
-      access_token: typebox143.TOptional<typebox143.TString>;
-    }>;
-    response: typebox143.TObject<{
-      provider: typebox143.TString;
-      access_token: typebox143.TString;
-      issued_at: typebox143.TNumber;
-      expires_in: typebox143.TOptional<typebox143.TNumber>;
-      refresh_token: typebox143.TOptional<typebox143.TString>;
-      refresh_token_expires_in: typebox143.TOptional<typebox143.TNumber>;
-      refresh_expires_in: typebox143.TOptional<typebox143.TNumber>;
-      id_token: typebox143.TOptional<typebox143.TString>;
-      scope: typebox143.TOptional<typebox143.TString>;
-    }>;
-  }>;
+   * Default log level for the application.
+   *
+   * Default by environment:
+   * - dev = info
+   * - prod = info
+   * - test = error
+   *
+   * Levels are: "trace" | "debug" | "info" | "warn" | "error" | "silent"
+   *
+   * Level can be set for a specific module:
+   *
+   * @example
+   * LOG_LEVEL=my.module.name:debug,info # Set debug level for my.module.name and info for all other modules
+   * LOG_LEVEL=alepha:trace, info # Set trace level for all alepha modules and info for all other modules
+   */
+  LOG_LEVEL: alepha20.TOptional<alepha20.TString>;
   /**
-   * Login for local password-based authentication.
-   */
-  readonly token: alepha_server0.RouteDescriptor<{
-    query: typebox143.TObject<{
-      provider: typebox143.TString;
-    }>;
-    body: typebox143.TObject<{
-      username: typebox143.TString;
-      password: typebox143.TString;
-    }>;
-    response: typebox143.TObject<{
-      provider: typebox143.TString;
-      access_token: typebox143.TString;
-      issued_at: typebox143.TNumber;
-      expires_in: typebox143.TOptional<typebox143.TNumber>;
-      refresh_token: typebox143.TOptional<typebox143.TString>;
-      refresh_token_expires_in: typebox143.TOptional<typebox143.TNumber>;
-      refresh_expires_in: typebox143.TOptional<typebox143.TNumber>;
-      id_token: typebox143.TOptional<typebox143.TString>;
-      scope: typebox143.TOptional<typebox143.TString>;
-      user: typebox143.TObject<{
-        id: typebox143.TString;
-        name: typebox143.TOptional<typebox143.TString>;
-        email: typebox143.TOptional<typebox143.TString>;
-        username: typebox143.TOptional<typebox143.TString>;
-        picture: typebox143.TOptional<typebox143.TString>;
-        sessionId: typebox143.TOptional<typebox143.TString>;
-        organizations: typebox143.TOptional<typebox143.TArray<typebox143.TString>>;
-        roles: typebox143.TOptional<typebox143.TArray<typebox143.TString>>;
-      }>;
-      api: typebox143.TObject<{
-        prefix: typebox143.TOptional<typebox143.TString>;
-        links: typebox143.TArray<typebox143.TObject<{
-          name: typebox143.TString;
-          group: typebox143.TOptional<typebox143.TString>;
-          path: typebox143.TString;
-          method: typebox143.TOptional<typebox143.TString>;
-          requestBodyType: typebox143.TOptional<typebox143.TString>;
-          service: typebox143.TOptional<typebox143.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
+   * Built-in log formats.
+   * - "json" - JSON format, useful for structured logging and log aggregation. {@link JsonFormatterProvider}
+   * - "pretty" - Simple text format, human-readable, with colors. {@link SimpleFormatterProvider}
+   * - "raw" - Raw format, no formatting, just the message.  {@link RawFormatterProvider}
+   */
+  LOG_FORMAT: alepha20.TOptional<alepha20.TUnsafe<"json" | "pretty" | "raw">>;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$3>> {}
+  interface State {
+    /**
+     * Current log level for the application or specific modules.
+     */
+    "alepha.logger.level"?: string;
+  }
+  interface Hooks {
+    log: {
+      message?: string;
+      entry: LogEntry;
+    };
+  }
+}
+//#endregion
+//#region ../alepha/src/security/interfaces/UserAccountToken.d.ts
+/**
+ * Add contextual metadata to a user account info.
+ * E.g. UserAccountToken is a UserAccountInfo during a request.
+ */
+interface UserAccountToken extends UserAccount {
   /**
-   * Oauth2/OIDC login route.
+   * Access token for the user.
    */
-  readonly login: alepha_server0.RouteDescriptor<{
-    query: typebox143.TObject<{
-      provider: typebox143.TString;
-      redirect_uri: typebox143.TOptional<typebox143.TString>;
-    }>;
-  }>;
+  token?: string;
   /**
-   * Callback for OAuth2/OIDC providers.
-   * It handles the authorization code flow and retrieves the access token.
+   * Realm name of the user.
    */
-  readonly callback: alepha_server0.RouteDescriptor<alepha_server0.RequestConfigSchema>;
+  realm?: string;
   /**
-   * Logout route for OAuth2/OIDC providers.
+   * Is user dedicated to his own resources for this scope ?
+   * Mostly, Admin is false and Customer is true.
    */
-  readonly logout: alepha_server0.RouteDescriptor<{
-    query: typebox143.TObject<{
-      post_logout_redirect_uri: typebox143.TOptional<typebox143.TString>;
-    }>;
-  }>;
-  protected provider(opts: string | {
-    provider: string;
-  }): AuthDescriptor;
-  protected setTokens(tokens: Tokens, cookies?: Cookies): void;
-}
-interface OAuth2Profile {
-  sub: string;
-  email?: string;
-  name?: string;
-  given_name?: string;
-  family_name?: string;
-  middle_name?: string;
-  nickname?: string;
-  preferred_username?: string;
-  profile?: string;
-  picture?: string;
-  website?: string;
-  email_verified?: boolean;
-  gender?: string;
-  birthdate?: string;
-  zoneinfo?: string;
-  locale?: string;
-  phone_number?: string;
-  phone_number_verified?: boolean;
-  address?: {
-    formatted?: string;
-    street_address?: string;
-    locality?: string;
-    region?: string;
-    postal_code?: string;
-    country?: string;
+  ownership?: string | boolean;
+}
+//#endregion
+//#region ../alepha/src/security/providers/SecurityProvider.d.ts
+declare const envSchema$2: alepha20.TObject<{
+  APP_SECRET: alepha20.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$2>> {}
+}
+//#endregion
+//#region ../alepha/src/server/constants/routeMethods.d.ts
+declare const routeMethods: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE"];
+type RouteMethod = (typeof routeMethods)[number];
+//#endregion
+//#region ../alepha/src/router/providers/RouterProvider.d.ts
+declare abstract class RouterProvider<T extends Route = Route> {
+  protected routePathRegex: RegExp;
+  protected tree: Tree<T>;
+  protected cache: Map<string, RouteMatch<T>>;
+  match(path: string): RouteMatch<T>;
+  protected test(path: string): void;
+  protected push(route: T): void;
+  protected createRouteMatch(path: string): RouteMatch<T>;
+  protected mapParams(match: RouteMatch<T>): RouteMatch<T>;
+  protected createParts(path: string): string[];
+}
+interface RouteMatch<T extends Route> {
+  route?: T;
+  params?: Record<string, string>;
+}
+interface Route {
+  path: string;
+  /**
+   * Rename a param in the route.
+   * This is automatically filled when you have scenarios like:
+   * `/customers/:id` and `/customers/:userId/payments`
+   *
+   * In this case, `:id` will be renamed to `:userId` in the second route.
+   */
+  mapParams?: Record<string, string>;
+}
+interface Tree<T extends Route> {
+  route?: T;
+  children: {
+    [key: string]: Tree<T>;
+  };
+  param?: {
+    route?: T;
+    name: string;
+    children: {
+      [key: string]: Tree<T>;
+    };
+  };
+  wildcard?: {
+    route: T;
   };
-  updated_at?: number;
-  [key: string]: unknown;
 }
 //#endregion
-//#region src/auth/descriptors/$auth.d.ts
+//#region ../alepha/src/server/helpers/ServerReply.d.ts
 /**
- * Creates an authentication provider descriptor for handling user login flows.
- *
- * Supports multiple authentication strategies: credentials (username/password), OAuth2,
- * and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
- * integration with both external identity providers (Auth0, Keycloak) and internal realms.
- *
- * **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
- *
- * @example
- * ```ts
- * class AuthProviders {
- *   // Internal credentials-based auth
- *   credentials = $auth({
- *     realm: this.userRealm,
- *     credentials: {
- *       account: async ({ username, password }) => {
- *         return await this.validateUser(username, password);
- *       }
- *     }
- *   });
+ * Helper for building server replies.
+ */
+declare class ServerReply {
+  headers: Record<string, string> & {
+    "set-cookie"?: string[];
+  };
+  status?: number;
+  body?: any;
+  /**
+   * Redirect to a given URL with optional status code (default 302).
+   */
+  redirect(url: string, status?: number): void;
+  /**
+   * Set the response status code.
+   */
+  setStatus(status: number): this;
+  /**
+   * Set a response header.
+   */
+  setHeader(name: string, value: string): this;
+  /**
+   * Set the response body.
+   */
+  setBody(body: any): this;
+}
+//#endregion
+//#region ../alepha/src/server/services/UserAgentParser.d.ts
+interface UserAgentInfo {
+  os: "Windows" | "Android" | "Ubuntu" | "MacOS" | "iOS" | "Linux" | "FreeBSD" | "OpenBSD" | "ChromeOS" | "BlackBerry" | "Symbian" | "Windows Phone";
+  browser: "Chrome" | "Firefox" | "Safari" | "Edge" | "Opera" | "Internet Explorer" | "Brave" | "Vivaldi" | "Samsung Browser" | "UC Browser" | "Yandex";
+  device: "MOBILE" | "DESKTOP" | "TABLET";
+}
+/**
+ * Simple User-Agent parser to detect OS, browser, and device type.
+ * This parser is not exhaustive and may not cover all edge cases.
  *
- *   // External OIDC provider
- *   keycloak = $auth({
- *     oidc: {
- *       issuer: "https://auth.example.com",
- *       clientId: "my-app",
- *       clientSecret: "secret",
- *       redirectUri: "/auth/callback"
- *     }
- *   });
- * }
- * ```
+ * Use result for non
  */
-declare const $auth: {
-  (options: AuthDescriptorOptions): AuthDescriptor;
-  [KIND]: typeof AuthDescriptor;
-};
-type AuthDescriptorOptions = {
+declare class UserAgentParser {
+  parse(userAgent?: string): UserAgentInfo;
+}
+//#endregion
+//#region ../alepha/src/server/interfaces/ServerRequest.d.ts
+type TRequestBody = TObject | TString | TArray | TRecord | TStream;
+type TResponseBody = TObject | TString | TRecord | TFile | TArray | TStream | TVoid;
+interface RequestConfigSchema {
+  body?: TRequestBody;
+  params?: TObject;
+  query?: TObject;
+  headers?: TObject;
+  response?: TResponseBody;
+}
+interface ServerRequestConfig<TConfig extends RequestConfigSchema = RequestConfigSchema> {
+  body: TConfig["body"] extends TRequestBody ? Static<TConfig["body"]> : any;
+  headers: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : Record<string, string>;
+  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : Record<string, string>;
+  query: TConfig["query"] extends TObject ? Static<TConfig["query"]> : Record<string, any>;
+}
+type ServerRequestConfigEntry<TConfig extends RequestConfigSchema = RequestConfigSchema> = Partial<ServerRequestConfig<TConfig>>;
+interface ServerRequest<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRequestConfig<TConfig> {
   /**
-   * Name of the identity provider.
-   * If not provided, it will be derived from the property key.
+   * HTTP method used for this request.
    */
-  name?: string;
+  method: RouteMethod;
   /**
-   * If true, auth provider will be skipped.
+   * Full request URL.
    */
-  disabled?: boolean;
-} & (AuthExternal | AuthInternal);
+  url: URL;
+  /**
+   * Unique request ID assigned to this request.
+   */
+  requestId: string;
+  /**
+   * Client IP address.
+   * Will parse `X-Forwarded-For` header if present.
+   */
+  ip?: string;
+  /**
+   * Value of the `Host` header sent by the client.
+   */
+  host?: string;
+  /**
+   * Browser user agent information.
+   * Information are not guaranteed to be accurate. Use with caution.
+   *
+   * @see {@link UserAgentParser}
+   */
+  userAgent: UserAgentInfo;
+  /**
+   * Arbitrary metadata attached to the request. Can be used by middlewares to store information.
+   */
+  metadata: Record<string, any>;
+  /**
+   * Reply object to be used to send response.
+   */
+  reply: ServerReply;
+  /**
+   * The raw underlying request object (Web Request).
+   */
+  raw: ServerRawRequest;
+}
+interface ServerRoute<TConfig extends RequestConfigSchema = RequestConfigSchema> extends Route {
+  /**
+   * Handler function for this route.
+   */
+  handler: ServerHandler<TConfig>;
+  /**
+   * HTTP method for this route.
+   */
+  method?: RouteMethod;
+  /**
+   * Request/response schema for this route.
+   *
+   * Request schema contains:
+   * - body, for POST/PUT/PATCH requests
+   * - params, for URL parameters (e.g. /user/:id)
+   * - query, for URL query parameters (e.g. /user?id=123)
+   * - headers, for HTTP headers
+   *
+   * Response schema contains:
+   * - response
+   *
+   * Response schema is used to validate and serialize the response sent by the handler.
+   */
+  schema?: TConfig;
+  /**
+   * @see ServerLoggerProvider
+   */
+  silent?: boolean;
+}
+type ServerResponseBody<TConfig extends RequestConfigSchema = RequestConfigSchema> = TConfig["response"] extends TResponseBody ? Static<TConfig["response"]> : ResponseBodyType;
+type ResponseKind = "json" | "text" | "void" | "file" | "any";
+type ResponseBodyType = string | Buffer | StreamLike | undefined | null | void;
+type ServerHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
+interface ServerResponse$1 {
+  body: string | Buffer | ArrayBuffer | Readable | ReadableStream;
+  headers: Record<string, string>;
+  status: number;
+}
+type ServerRouteRequestHandler = (request: ServerRequestData) => Promise<ServerResponse$1>;
+interface ServerRouteMatcher extends Route {
+  handler: ServerRouteRequestHandler;
+}
+interface ServerRequestData {
+  method: RouteMethod;
+  url: URL;
+  headers: Record<string, string>;
+  query: Record<string, string>;
+  params: Record<string, string>;
+  raw: ServerRawRequest;
+}
+interface ServerRawRequest {
+  node?: NodeRequestEvent;
+  web?: WebRequestEvent;
+}
+interface NodeRequestEvent {
+  req: IncomingMessage;
+  res: ServerResponse;
+}
+interface WebRequestEvent {
+  req: Request;
+  res?: Response;
+}
+//#endregion
+//#region ../alepha/src/server/services/ServerRequestParser.d.ts
+declare class ServerRequestParser {
+  protected readonly alepha: Alepha;
+  protected readonly userAgentParser: UserAgentParser;
+  createServerRequest(rawRequest: ServerRequestData): ServerRequest;
+  getRequestId(request: ServerRequestData): string | undefined;
+  getRequestUserAgent(request: ServerRequestData): UserAgentInfo;
+  getRequestIp(request: ServerRequestData): string | undefined;
+}
+//#endregion
+//#region ../alepha/src/server/providers/ServerTimingProvider.d.ts
+type TimingMap = Record<string, [number, number]>;
+declare class ServerTimingProvider {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  options: {
+    prefix: string;
+    disabled: boolean;
+  };
+  readonly onRequest: alepha20.HookDescriptor<"server:onRequest">;
+  readonly onResponse: alepha20.HookDescriptor<"server:onResponse">;
+  protected get handlerName(): string;
+  beginTiming(name: string): void;
+  endTiming(name: string): void;
+  protected setDuration(name: string, timing: TimingMap): void;
+}
+//#endregion
+//#region ../alepha/src/server/providers/ServerRouterProvider.d.ts
+/**
+ * Main router for all routes on the server side.
+ *
+ * - $route => generic route
+ * - $action => action route (for API calls)
+ * - $page => React route (for SSR)
+ */
+declare class ServerRouterProvider extends RouterProvider<ServerRouteMatcher> {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  protected readonly routes: ServerRoute[];
+  protected readonly serverTimingProvider: ServerTimingProvider;
+  protected readonly serverRequestParser: ServerRequestParser;
+  /**
+   * Get all registered routes, optionally filtered by a pattern.
+   *
+   * Pattern accept simple wildcard '*' at the end.
+   * Example: '/api/*' will match all routes starting with '/api/' but '/api/' will match only that exact route.
+   */
+  getRoutes(pattern?: string): ServerRoute[];
+  createRoute<TConfig extends RequestConfigSchema = RequestConfigSchema>(route: ServerRoute<TConfig>): void;
+  protected getContextId(headers: Record<string, string>): string;
+  protected processRequest(request: ServerRequest, route: ServerRoute, responseKind: ResponseKind): Promise<{
+    status: number;
+    headers: Record<string, string> & {
+      "set-cookie"?: string[];
+    };
+    body: any;
+  }>;
+  protected runRouteHandler(route: ServerRoute, request: ServerRequest, responseKind: ResponseKind): Promise<void>;
+  serializeResponse(route: ServerRoute, reply: ServerReply, responseKind: ResponseKind): void;
+  protected getResponseType(schema?: RequestConfigSchema): ResponseKind;
+  protected errorHandler(route: ServerRoute, request: ServerRequest, error: Error): Promise<void>;
+  validateRequest(route: {
+    schema?: RequestConfigSchema;
+  }, request: ServerRequestConfig): void;
+}
+//#endregion
+//#region ../alepha/src/server/providers/ServerProvider.d.ts
 /**
- * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)
+ * Base server provider to handle incoming requests and route them.
+ *
+ * This is the default implementation for serverless environments.
+ *
+ * ServerProvider supports both Node.js HTTP requests and Web (Fetch API) requests.
  */
-type AuthExternal = {
+declare class ServerProvider {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly router: ServerRouterProvider;
+  protected readonly internalServerErrorMessage = "Internal Server Error";
+  get hostname(): string;
   /**
-   * Only OIDC is supported for external authentication.
+   * When a Node.js HTTP request is received from outside. (Vercel, AWS Lambda, etc.)
    */
-  oidc: OidcOptions;
+  protected readonly onNodeRequest: alepha20.HookDescriptor<"node:request">;
   /**
-   * For anonymous access, this will expect a service account access token.
+   * When a Web (Fetch API) request is received from outside. (Netlify, Cloudflare Workers, etc.)
+   */
+  protected readonly onWebRequest: alepha20.HookDescriptor<"web:request">;
+  /**
+   * Handle Node.js HTTP request event.
    *
-   * ```ts
-   * class App {
-   *   anonymous = $serviceAccount(...);
-   *   auth = $auth({
-   *     // ... config ...
-   *     fallback: this.anonymous,
-   *   })
-   * }
-   * ```
+   * Technically, we just convert Node.js request to Web Standard Request.
    */
-  fallback?: () => Async<AccessToken>;
-};
+  handleNodeRequest(nodeRequestEvent: NodeRequestEvent): Promise<void>;
+  /**
+   * Handle Web (Fetch API) request event.
+   */
+  handleWebRequest(ev: WebRequestEvent): Promise<void>;
+  /**
+   * Helper for Vite development mode to let Vite handle (or not) 404.
+   */
+  protected isViteNotFound(url?: string, route?: Route, params?: Record<string, string>): boolean;
+}
+//#endregion
+//#region ../alepha/src/cache/providers/CacheProvider.d.ts
 /**
- * When using your own authentication system, e.g. using a database to store user accounts.
- * This is usually used with a custom login form.
+ * Cache provider interface.
  *
- * This relies on the `realm`, which is used to create/verify the access token.
+ * All methods are asynchronous and return promises.
+ * Values are stored as Uint8Array.
  */
-type AuthInternal = {
-  realm: RealmDescriptor;
-} & ({
+declare abstract class CacheProvider {
   /**
-   * The common username/password authentication.
+   * Get the value of a key.
    *
-   * - It uses the OAuth2 Client Credentials flow to obtain an access token.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param key The key of the value to get.
    *
-   * This is usually used with a custom login form on your website or mobile app.
+   * @return The value of the key, or undefined if the key does not exist.
    */
-  credentials: CredentialsOptions;
-} | {
+  abstract get(name: string, key: string): Promise<Uint8Array | undefined>;
   /**
-   * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
+   * Set the string value of a key.
    *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param key The key of the value to set.
+   * @param value The value to set.
+   * @param ttl The time-to-live of the key, in milliseconds.
    *
-   * This is usually used with a login button that redirects to the OAuth2 provider.
+   * @return The value of the key.
    */
-  oauth: OAuth2Options;
-} | {
+  abstract set(name: string, key: string, value: Uint8Array, ttl?: number): Promise<Uint8Array>;
   /**
-   * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
-   * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
+   * Remove the specified keys.
    *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-   * - PCKE (Proof Key for Code Exchange) is recommended for security.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param keys The keys to delete.
+   */
+  abstract del(name: string, ...keys: string[]): Promise<void>;
+  abstract has(name: string, key: string): Promise<boolean>;
+  abstract keys(name: string, filter?: string): Promise<string[]>;
+  /**
+   * Remove all keys from all cache names.
+   */
+  abstract clear(): Promise<void>;
+}
+//#endregion
+//#region ../alepha/src/cache/descriptors/$cache.d.ts
+interface CacheDescriptorOptions<TReturn = any, TParameter extends any[] = any[]> {
+  /**
+   * The cache name. This is useful for invalidating multiple caches at once.
    *
-   * This is usually used with a login button that redirects to the OIDC provider.
-   */
-  oidc: OidcOptions;
-});
-type CredentialsOptions = {
-  account: (credentials: {
-    username: string;
-    password: string;
-  }) => Async<UserAccount>;
-};
-interface OidcOptions {
+   * Store key as `cache:$name:$key`.
+   *
+   * @default Name of the key of the class.
+   */
+  name?: string;
+  /**
+   * Function which returns cached data.
+   */
+  handler?: (...args: TParameter) => TReturn;
+  /**
+   * The key generator for the cache.
+   * If not provided, the arguments will be json.stringify().
+   */
+  key?: (...args: TParameter) => string;
   /**
-   * URL of the OIDC issuer.
+   * The store provider for the cache.
+   * If not provided, the default store provider will be used.
    */
-  issuer: string;
+  provider?: InstantiableClass<CacheProvider> | "memory";
   /**
-   * Client ID for the OIDC client.
+   * The time-to-live for the cache in seconds.
+   * Set 0 to skip expiration.
+   *
+   * @default 300 (5 minutes).
    */
-  clientId: string;
+  ttl?: DurationLike;
   /**
-   * Client secret for the OIDC client.
-   * Optional if PKCE (Proof Key for Code Exchange) is used.
+   * If the cache is disabled.
    */
-  clientSecret?: string;
+  disabled?: boolean;
+}
+declare class CacheDescriptor<TReturn = any, TParameter extends any[] = any[]> extends Descriptor<CacheDescriptorOptions<TReturn, TParameter>> {
+  protected readonly env: {
+    CACHE_ENABLED: boolean;
+    CACHE_DEFAULT_TTL: number;
+  };
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly provider: CacheProvider;
+  protected encoder: TextEncoder;
+  protected decoder: TextDecoder;
+  protected codes: {
+    BINARY: number;
+    JSON: number;
+    STRING: number;
+  };
+  get container(): string;
+  run(...args: TParameter): Promise<TReturn>;
+  key(...args: TParameter): string;
+  invalidate(...keys: string[]): Promise<void>;
+  set(key: string, value: TReturn, ttl?: DurationLike): Promise<void>;
+  get(key: string): Promise<TReturn | undefined>;
+  protected serialize<TReturn>(value: TReturn): Uint8Array;
+  protected deserialize<TReturn>(uint8Array: Uint8Array): Promise<TReturn>;
+  protected $provider(): CacheProvider;
+}
+interface CacheDescriptorFn<TReturn = any, TParameter extends any[] = any[]> extends CacheDescriptor<TReturn, TParameter> {
   /**
-   * Redirect URI for the OIDC client.
-   * This is where the user will be redirected after authentication.
+   * Run the cache descriptor with the provided arguments.
    */
-  redirectUri?: string;
+  (...args: TParameter): Promise<TReturn>;
+}
+//#endregion
+//#region ../alepha/src/server/services/HttpClient.d.ts
+declare class HttpClient {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  readonly cache: CacheDescriptorFn<HttpClientCache, any[]>;
+  protected readonly pendingRequests: HttpClientPendingRequests;
+  fetchAction(args: FetchActionArgs): Promise<FetchResponse>;
+  fetch<T extends TSchema>(url: string, request?: RequestInitWithOptions<T>): Promise<FetchResponse<Static<T>>>;
+  protected url(host: string, action: HttpAction, args: ServerRequestConfigEntry): string;
+  protected body(init: RequestInit, headers: Record<string, string>, action: HttpAction, args?: ServerRequestConfigEntry): Promise<void>;
+  protected responseData(response: Response, options: FetchOptions): Promise<any>;
+  protected isMaybeFile(response: Response): boolean;
+  protected createFileLike(response: Response, defaultFileName?: string): FileLike;
+  pathVariables(url: string, action: {
+    schema?: {
+      params?: TObject;
+    };
+  }, args?: ServerRequestConfigEntry): string;
+  queryParams(url: string, action: {
+    schema?: {
+      query?: TObject;
+    };
+  }, args?: ServerRequestConfigEntry): string;
+}
+interface FetchOptions<T extends TSchema = TSchema> {
   /**
-   * For external auth providers only.
-   * Take the ID token instead of the access token for validation.
+   * Key to identify the request in the pending requests.
    */
-  useIdToken?: boolean;
+  key?: string;
   /**
-   * URI to redirect the user after logout.
+   * The schema to validate the response against.
    */
-  logoutUri?: string;
+  schema?: {
+    response?: T;
+  };
   /**
-   * Optional scope for the OIDC client.
-   * @default "openid profile email".
+   * Built-in cache options.
    */
-  scope?: string;
-  account?: (tokens: {
-    access_token: string;
-    user: OAuth2Profile;
-    id_token?: string;
-    expires_in?: number;
-    scope?: string;
-  }) => Async<UserAccount>;
+  localCache?: boolean | number | DurationLike;
 }
-interface OAuth2Options {
+type RequestInitWithOptions<T extends TSchema = TSchema> = RequestInit & FetchOptions<T>;
+interface FetchResponse<T = any> {
+  data: T;
+  status: number;
+  statusText: string;
+  headers: Headers;
+  raw?: Response;
+}
+type HttpClientPendingRequests = Record<string, Promise<any> | undefined>;
+interface HttpClientCache {
+  data: any;
+  etag?: string;
+}
+interface FetchActionArgs {
+  action: HttpAction;
+  host?: string;
+  config?: ServerRequestConfigEntry;
+  options?: ClientRequestOptions;
+}
+interface HttpAction {
+  method?: string;
+  prefix?: string;
+  path: string;
+  requestBodyType?: string;
+  schema?: {
+    params?: TObject;
+    query?: TObject;
+    body?: TRequestBody;
+    response?: TResponseBody;
+  };
+}
+//#endregion
+//#region ../alepha/src/server/descriptors/$action.d.ts
+interface ActionDescriptorOptions<TConfig extends RequestConfigSchema> extends Omit<ServerRoute, "handler" | "path" | "schema" | "mapParams"> {
   /**
-   * URL of the OAuth2 authorization endpoint.
+   * Name of the action.
+   *
+   * - It will be used to generate the route path if `path` is not provided.
+   * - It will be used to generate the permission name if `security` is enabled.
+   */
+  name?: string;
+  /**
+   * Group actions together.
+   *
+   * - If not provided, the service name containing the route will be used.
+   * - It will be used as Tag for documentation purposes.
+   * - It will be used for permission name generation if `security` is enabled.
+   *
+   * @example
+   * ```ts
+   * // group = "MyController"
+   * class MyController {
+   * 	hello = $action({ handler: () => "Hello World" });
+   * }
+   *
+   * // group = "users"
+   * class MyOtherController {
+   *   group = "users";
+   *   a1 = $action({ handler: () => "Action 1", group: this.group });
+   *   a2 = $action({ handler: () => "Action 2", group: this.group });
+   * }
+   * ```
    */
-  clientId: string;
+  group?: string;
   /**
-   * Client secret for the OAuth2 client.
+   * Pathname of the route. If not provided, property key is used.
    */
-  clientSecret: string;
+  path?: string;
   /**
-   * URL of the OAuth2 authorization endpoint.
+   * The route method.
+   *
+   * - If not provided, it will be set to "GET" by default.
+   * - If not provider and a body is provided, it will be set to "POST".
+   *
+   * Wildcard methods are not supported for now. (e.g. "ALL", "ANY", etc.)
    */
-  authorization: string;
+  method?: RouteMethod;
   /**
-   * URL of the OAuth2 token endpoint.
+   * The config schema of the route.
+   * - body: The request body schema.
+   * - params: Path variables schema.
+   * - query: The request query-params schema.
+   * - response: The response schema.
    */
-  token: string;
+  schema?: TConfig;
   /**
-   * Function to retrieve user profile information from the OAuth2 tokens.
+   * A short description of the action. Used for documentation purposes.
    */
-  userinfo: (tokens: Tokens) => Async<OAuth2Profile>;
-  account?: (tokens: {
-    access_token: string;
-    user: OAuth2Profile;
-    id_token?: string;
-    expires_in?: number;
-    scope?: string;
-  }) => Async<UserAccount>;
+  description?: string;
   /**
-   * URL of the OAuth2 authorization endpoint.
+   * Disable the route. Useful with env variables do disable one specific route.
+   * Route won't be available in the API but can still be called locally!
    */
-  redirectUri?: string;
+  disabled?: boolean;
   /**
-   * URL of the OAuth2 authorization endpoint.
+   * Main route handler. This is where the route logic is implemented.
    */
-  scope?: string;
+  handler: ServerActionHandler<TConfig>;
 }
-declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
-  protected readonly securityProvider: SecurityProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  oauth?: Configuration;
+declare class ActionDescriptor<TConfig extends RequestConfigSchema> extends Descriptor<ActionDescriptorOptions<TConfig>> {
+  protected readonly log: Logger;
+  protected readonly env: {
+    SERVER_API_PREFIX: string;
+  };
+  protected readonly httpClient: HttpClient;
+  protected readonly serverProvider: ServerProvider;
+  protected readonly serverRouterProvider: ServerRouterProvider;
+  protected onInit(): void;
+  get prefix(): string;
+  get route(): ServerRoute;
+  /**
+   * Returns the name of the action.
+   */
   get name(): string;
-  get jwks_uri(): string;
-  get scope(): string | undefined;
-  get redirect_uri(): string | undefined;
   /**
-   * Refreshes the access token using the refresh token.
-   * Can be used on oauth2, oidc or credentials auth providers.
+   * Returns the group of the action. (e.g. "orders", "admin", etc.)
    */
-  refresh(refreshToken: string, accessToken?: string): Promise<AccessTokenResponse>;
+  get group(): string;
   /**
-   * Extracts user information from the access token.
-   * This is used to create a user account from the access token.
+   * Returns the HTTP method of the action.
    */
-  user(tokens: Tokens): Promise<UserAccount>;
-  protected getUserFromIdToken(idToken: string): OAuth2Profile;
-  prepare(): Promise<void>;
+  get method(): RouteMethod;
+  /**
+   * Returns the path of the action.
+   *
+   * Path is prefixed by `/api` by default.
+   */
+  get path(): string;
+  get schema(): TConfig | undefined;
+  getBodyContentType(): string | undefined;
+  /**
+   * Call the action handler directly.
+   * There is no HTTP layer involved.
+   */
+  run(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
+  /**
+   * Works like `run`, but always fetches (http request) the route.
+   */
+  fetch(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<FetchResponse<ClientRequestResponse<TConfig>>>;
 }
-type AccessToken = string | {
-  token: () => Async<string>;
+type ClientRequestEntry<TConfig extends RequestConfigSchema, T = ClientRequestEntryContainer<TConfig>> = { [K in keyof T as T[K] extends undefined ? never : K]: T[K] };
+type ClientRequestEntryContainer<TConfig extends RequestConfigSchema> = {
+  body: TConfig["body"] extends TObject ? Static<TConfig["body"]> : undefined;
+  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : undefined;
+  headers?: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : undefined;
+  query?: TConfig["query"] extends TObject ? Partial<Static<TConfig["query"]>> : undefined;
 };
+interface ClientRequestOptions extends FetchOptions {
+  /**
+   * Standard request fetch options.
+   */
+  request?: RequestInit;
+}
+type ClientRequestResponse<TConfig extends RequestConfigSchema> = TConfig["response"] extends TSchema ? Static<TConfig["response"]> : any;
+/**
+ * Specific handler for server actions.
+ */
+type ServerActionHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerActionRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
+/**
+ * Server Action Request Interface
+ *
+ * Can be extended with module augmentation to add custom properties (like `user` in Server Security).
+ *
+ * This is NOT Server Request, but a specific type for actions.
+ */
+interface ServerActionRequest<TConfig extends RequestConfigSchema> extends ServerRequest<TConfig> {}
+//#endregion
+//#region ../alepha/src/server/schemas/errorSchema.d.ts
+declare const errorSchema: alepha20.TObject<{
+  error: alepha20.TString;
+  status: alepha20.TInteger;
+  message: alepha20.TString;
+  details: alepha20.TOptional<alepha20.TString>;
+  requestId: alepha20.TOptional<alepha20.TString>;
+  cause: alepha20.TOptional<alepha20.TObject<{
+    name: alepha20.TString;
+    message: alepha20.TString;
+  }>>;
+}>;
+type ErrorSchema = Static<typeof errorSchema>;
+//#endregion
+//#region ../alepha/src/server/errors/HttpError.d.ts
+declare class HttpError extends AlephaError {
+  name: string;
+  static is: (error: unknown, status?: number) => error is HttpErrorLike;
+  static toJSON(error: HttpError): ErrorSchema;
+  readonly error: string;
+  readonly status: number;
+  readonly requestId?: string;
+  readonly details?: string;
+  readonly reason?: {
+    name: string;
+    message: string;
+  };
+  constructor(options: Partial<ErrorSchema>, cause?: unknown);
+}
+interface HttpErrorLike extends Error {
+  status: number;
+}
+//#endregion
+//#region ../alepha/src/server/providers/BunHttpServerProvider.d.ts
+declare const envSchema$1: alepha20.TObject<{
+  SERVER_PORT: alepha20.TInteger;
+  SERVER_HOST: alepha20.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$1>> {}
+}
+//#endregion
+//#region ../alepha/src/server/providers/NodeHttpServerProvider.d.ts
+declare const envSchema: alepha20.TObject<{
+  SERVER_PORT: alepha20.TInteger;
+  SERVER_HOST: alepha20.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema>> {}
+}
 //#endregion
-//#region src/auth/descriptors/$authGithub.d.ts
+//#region ../alepha/src/server/index.d.ts
+declare module "alepha" {
+  interface State {
+    "alepha.node.server"?: Server;
+  }
+  interface Hooks {
+    "action:onRequest": {
+      action: ActionDescriptor<RequestConfigSchema>;
+      request: ServerRequest;
+      options: ClientRequestOptions;
+    };
+    "action:onResponse": {
+      action: ActionDescriptor<RequestConfigSchema>;
+      request: ServerRequest;
+      options: ClientRequestOptions;
+      response: any;
+    };
+    "server:onRequest": {
+      route: ServerRoute;
+      request: ServerRequest;
+    };
+    "server:onError": {
+      route: ServerRoute;
+      request: ServerRequest;
+      error: Error;
+    };
+    "server:onSend": {
+      route: ServerRoute;
+      request: ServerRequest;
+    };
+    "server:onResponse": {
+      route: ServerRoute;
+      request: ServerRequest;
+      response: ServerResponse$1;
+    };
+    "client:onRequest": {
+      route: HttpAction;
+      config: ServerRequestConfigEntry;
+      options: ClientRequestOptions;
+      headers: Record<string, string>;
+      request: RequestInit;
+    };
+    "client:beforeFetch": {
+      url: string;
+      options: FetchOptions;
+      request: RequestInit;
+    };
+    "client:onError": {
+      route?: HttpAction;
+      error: HttpError;
+    };
+    "node:request": NodeRequestEvent;
+    "web:request": WebRequestEvent;
+  }
+}
+//#endregion
+//#region ../alepha/src/security/index.d.ts
+declare module "alepha" {
+  interface Hooks {
+    "security:user:created": {
+      realm: string;
+      user: UserAccount;
+    };
+  }
+}
 /**
- * Already configured GitHub authentication descriptor.
+ * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
  *
- * Uses OAuth2 to authenticate users via their GitHub accounts.
- * Upon successful authentication, it links the GitHub account to a user session.
+ * The security module enables building secure applications using descriptors like `$realm`, `$role`, and `$permission`
+ * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
+ * integration with various authentication providers and user management systems.
  *
- * Environment Variables:
- * - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
- * - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
+ * @see {@link $realm}
+ * @see {@link $role}
+ * @see {@link $permission}
+ * @module alepha.security
  */
-declare const $authGithub: (realm: RealmDescriptor, options: Partial<OidcOptions>) => AuthDescriptor;
 //#endregion
-//#region src/auth/descriptors/$authGoogle.d.ts
+//#region ../alepha/src/server-security/providers/ServerBasicAuthProvider.d.ts
+interface BasicAuthOptions {
+  username: string;
+  password: string;
+}
+//#endregion
+//#region ../alepha/src/server-security/providers/ServerSecurityProvider.d.ts
+type ServerRouteSecure = {
+  realm?: string;
+  basic?: BasicAuthOptions;
+};
+//#endregion
+//#region ../alepha/src/server-security/index.d.ts
+declare module "alepha" {
+  interface State {
+    /**
+     * Real (or fake) user account, used for internal actions.
+     *
+     * If you define this, you assume that all actions are executed by this user by default.
+     * > To force a different user, you need to pass it explicitly in the options.
+     */
+    "alepha.server.security.system.user"?: UserAccountToken;
+    /**
+     * The authenticated user account attached to the server request state.
+     *
+     * @internal
+     */
+    "alepha.server.request.user"?: UserAccount;
+  }
+}
+declare module "alepha/server" {
+  interface ServerRequest<TConfig> {
+    user?: UserAccountToken;
+  }
+  interface ServerActionRequest<TConfig> {
+    user: UserAccountToken;
+  }
+  interface ServerRoute {
+    /**
+     * If true, the route will be protected by the security provider.
+     * All actions are secure by default, but you can disable it for specific actions.
+     */
+    secure?: boolean | ServerRouteSecure;
+  }
+  interface ClientRequestOptions extends FetchOptions {
+    /**
+     * Forward user from the previous request.
+     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
+     * If "context", use the user from the current context (e.g. request).
+     *
+     * @default "system" if provided, else "context" if available.
+     */
+    user?: UserAccountToken | "system" | "context";
+  }
+}
 /**
- * Already configured Google authentication descriptor.
+ * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
  *
- * Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
- * Upon successful authentication, it links the Google account to a user session.
+ * By default, all $action will be guarded by a permission check.
  *
- * Environment Variables:
- * - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
- * - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
+ * @see {@link ServerSecurityProvider}
+ * @module alepha.server.security
  */
-declare const $authGoogle: (realm: RealmDescriptor, options: Partial<OidcOptions>) => AuthDescriptor;
 //#endregion
-//#region src/auth/errors/SessionExpiredError.d.ts
-declare class SessionExpiredError extends AlephaError {
-  readonly name = "SessionExpiredError";
-  readonly status = 401;
+//#region ../alepha/src/server-links/schemas/apiLinksResponseSchema.d.ts
+declare const apiLinksResponseSchema: alepha20.TObject<{
+  prefix: alepha20.TOptional<alepha20.TString>;
+  links: alepha20.TArray<alepha20.TObject<{
+    name: alepha20.TString;
+    group: alepha20.TOptional<alepha20.TString>;
+    path: alepha20.TString;
+    method: alepha20.TOptional<alepha20.TString>;
+    requestBodyType: alepha20.TOptional<alepha20.TString>;
+    service: alepha20.TOptional<alepha20.TString>;
+  }>>;
+}>;
+type ApiLinksResponse = Static<typeof apiLinksResponseSchema>;
+//#endregion
+//#region ../alepha/src/server-links/providers/LinkProvider.d.ts
+type HttpVirtualClient<T> = { [K in keyof T as T[K] extends ActionDescriptor<RequestConfigSchema> ? K : never]: T[K] extends ActionDescriptor<infer Schema> ? VirtualAction<Schema> : never };
+interface VirtualAction<T extends RequestConfigSchema> extends Pick<ActionDescriptor<T>, "name" | "run" | "fetch"> {
+  (config?: ClientRequestEntry<T>, opts?: ClientRequestOptions): Promise<ClientRequestResponse<T>>;
+  can: () => boolean;
 }
 //#endregion
+//#region ../alepha/src/server-links/index.d.ts
+declare module "alepha" {
+  interface State {
+    /**
+     * API links attached to the server request state.
+     *
+     * @see {@link ApiLinksResponse}
+     * @internal
+     */
+    "alepha.server.request.apiLinks"?: ApiLinksResponse;
+  }
+}
+/**
+ * Provides server-side link management and remote capabilities for client-server interactions.
+ *
+ * The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
+ * facilitating seamless API endpoint management and client-server communication. It integrates with server
+ * security features to ensure safe and controlled access to resources.
+ *
+ * @see {@link $remote}
+ * @see {@link $client}
+ * @module alepha.server.links
+ */
+//#endregion
 //#region src/auth/hooks/useAuth.d.ts
 declare const useAuth: <T extends object = any>() => {
   user: {
@@ -536,7 +1143,53 @@ declare const useAuth: <T extends object = any>() => {
   can: <Api extends object = any>(name: keyof HttpVirtualClient<Api>) => boolean;
 };
 //#endregion
-//#region src/auth/index.d.ts
+//#region ../alepha/src/server-cookies/descriptors/$cookie.d.ts
+interface Cookies {
+  req: Record<string, string>;
+  res: Record<string, Cookie | null>;
+}
+interface Cookie {
+  value: string;
+  path?: string;
+  maxAge?: number;
+  secure?: boolean;
+  httpOnly?: boolean;
+  sameSite?: "strict" | "lax" | "none";
+  domain?: string;
+}
+//#endregion
+//#region ../alepha/src/server-cookies/index.d.ts
+declare module "alepha/server" {
+  interface ServerRequest {
+    cookies: Cookies;
+  }
+}
+/**
+ * Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
+ *
+ * The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
+ * It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
+ * for managing user sessions, preferences, and authentication tokens.
+ *
+ * @see {@link $cookie}
+ * @module alepha.server.cookies
+ */
+//#endregion
+//#region ../alepha/src/server-auth/schemas/tokensSchema.d.ts
+declare const tokensSchema: alepha20.TObject<{
+  provider: alepha20.TString;
+  access_token: alepha20.TString;
+  issued_at: alepha20.TNumber;
+  expires_in: alepha20.TOptional<alepha20.TNumber>;
+  refresh_token: alepha20.TOptional<alepha20.TString>;
+  refresh_token_expires_in: alepha20.TOptional<alepha20.TNumber>;
+  refresh_expires_in: alepha20.TOptional<alepha20.TNumber>;
+  id_token: alepha20.TOptional<alepha20.TString>;
+  scope: alepha20.TOptional<alepha20.TString>;
+}>;
+type Tokens = Static<typeof tokensSchema>;
+//#endregion
+//#region ../alepha/src/server-auth/index.d.ts
 declare module "alepha" {
   interface State {
     /**
@@ -547,6 +1200,63 @@ declare module "alepha" {
     "alepha.server.request.user"?: UserAccount;
   }
 }
+/**
+ * Allow authentication services for server applications.
+ * It provides login and logout functionalities.
+ *
+ * There are multiple authentication providers available (e.g., Google, GitHub).
+ * You can also delegate authentication to your own OIDC/OAuth2, for example using Keycloak or Auth0.
+ *
+ * It's cookie-based and SSR friendly.
+ *
+ * @see {@link $auth}
+ * @see {@link ServerAuthProvider}
+ * @module alepha.server.auth
+ */
+//#endregion
+//#region src/auth/services/ReactAuth.d.ts
+/**
+ * Browser, SSR friendly, service to handle authentication.
+ */
+declare class ReactAuth {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  protected readonly httpClient: HttpClient;
+  protected readonly onBeginTransition: alepha20.HookDescriptor<"react:transition:begin">;
+  protected readonly onFetchRequest: alepha20.HookDescriptor<"client:onRequest">;
+  /**
+   * Get the current authenticated user.
+   *
+   * Alias for `alepha.state.get("user")`
+   */
+  get user(): UserAccountToken | undefined;
+  ping(): Promise<{
+    name?: string | undefined;
+    email?: string | undefined;
+    username?: string | undefined;
+    picture?: string | undefined;
+    sessionId?: string | undefined;
+    organizations?: string[] | undefined;
+    roles?: string[] | undefined;
+    id: string;
+  } | undefined>;
+  login(provider: string, options: {
+    hostname?: string;
+    username?: string;
+    password?: string;
+    redirect?: string;
+    [extra: string]: any;
+  }): Promise<Tokens>;
+  logout(): void;
+}
+//#endregion
+//#region src/auth/providers/ReactAuthProvider.d.ts
+declare class ReactAuthProvider {
+  protected readonly alepha: Alepha;
+  readonly onRender: alepha20.HookDescriptor<"react:server:render:begin">;
+}
+//#endregion
+//#region src/auth/index.d.ts
 declare module "@alepha/react" {
   interface ReactRouterState {
     user?: UserAccount;
@@ -558,7 +1268,7 @@ declare module "@alepha/react" {
  * @see {@link ReactAuthProvider}
  * @module alepha.react.auth
  */
-declare const AlephaReactAuth: alepha4.Service<alepha4.Module>;
+declare const AlephaReactAuth: alepha20.Service<alepha20.Module>;
 //#endregion
-export { $auth, $authGithub, $authGoogle, AccessToken, AlephaReactAuth, AuthDescriptor, AuthDescriptorOptions, AuthExternal, AuthInternal, CredentialsOptions, OAuth2Options, OAuth2Profile, OidcOptions, ReactAuth, ReactAuthProvider, SessionExpiredError, useAuth };
+export { AlephaReactAuth, ReactAuth, ReactAuthProvider, useAuth };
 //# sourceMappingURL=index.d.cts.map