@alepha/ui 0.13.1 → 0.13.2

package/dist/auth/index.d.ts

@@ -1,8 +1,11 @@
 import { ActionMenuConfig, ActionMenuItem, ActionProps } from "@alepha/ui";
-import * as alepha1246 from "alepha";
-import { Alepha, AlephaError, Async, Descriptor, DescriptorArgs, FileLike, InstantiableClass, LogLevel, LoggerInterface, Page, PageQuery, Service, Static, StaticEncode, StreamLike, TArray, TFile, TNull, TObject, TOptional, TRecord, TSchema, TStream, TString, TUnion, TVoid } from "alepha";
+import * as alepha1672 from "alepha";
+import { Alepha, AlephaError, Async, FileLike, InstantiableClass, LogLevel, LoggerInterface, Page, PageQuery, Primitive, PrimitiveArgs, Service, Static, StaticEncode, StreamLike, TArray, TFile, TNull, TObject, TOptional, TRecord, TSchema, TStream, TString, TUnion, TVoid } from "alepha";
 import * as react_jsx_runtime0 from "react/jsx-runtime";
 import { FC, ReactNode } from "react";
+import { IncomingMessage, Server, ServerResponse } from "node:http";
+import { Readable } from "node:stream";
+import { ReadableStream } from "node:stream/web";
 import "dayjs/plugin/relativeTime.js";
 import dayjsDuration from "dayjs/plugin/duration.js";
 import "dayjs/plugin/utc.js";
@@ -13,9 +16,6 @@ import "dayjs/locale/fr.js";
 import DayjsApi, { Dayjs, ManipulateType, PluginFunc } from "dayjs";
 import { CryptoKey, FlattenedJWSInput, JSONWebKeySet, JWSHeaderParameters, JWTHeaderParameters, JWTPayload, JWTVerifyResult, KeyObject } from "jose";
 import { JWTVerifyOptions } from "jose/jwt/verify";
-import { IncomingMessage, Server, ServerResponse } from "node:http";
-import { Readable } from "node:stream";
-import { ReadableStream } from "node:stream/web";
 import * as drizzle_orm0 from "drizzle-orm";
 import { BuildExtraConfigColumns, SQL, SQLWrapper } from "drizzle-orm";
 import * as drizzle_orm_pg_core0 from "drizzle-orm/pg-core";
@@ -25,28 +25,275 @@ import * as DrizzleKit from "drizzle-kit/api";
 import { Configuration } from "openid-client";
 
 //#region ../alepha/src/security/schemas/userAccountInfoSchema.d.ts
-declare const userAccountInfoSchema: alepha1246.TObject<{
-  id: alepha1246.TString;
-  name: alepha1246.TOptional<alepha1246.TString>;
-  email: alepha1246.TOptional<alepha1246.TString>;
-  username: alepha1246.TOptional<alepha1246.TString>;
-  picture: alepha1246.TOptional<alepha1246.TString>;
-  sessionId: alepha1246.TOptional<alepha1246.TString>;
-  organizations: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
-  roles: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
+declare const userAccountInfoSchema: alepha1672.TObject<{
+  id: alepha1672.TString;
+  name: alepha1672.TOptional<alepha1672.TString>;
+  email: alepha1672.TOptional<alepha1672.TString>;
+  username: alepha1672.TOptional<alepha1672.TString>;
+  picture: alepha1672.TOptional<alepha1672.TString>;
+  sessionId: alepha1672.TOptional<alepha1672.TString>;
+  organizations: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
+  roles: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
 }>;
 type UserAccount = Static<typeof userAccountInfoSchema>;
 //#endregion
+//#region ../alepha/src/server/schemas/errorSchema.d.ts
+declare const errorSchema: alepha1672.TObject<{
+  error: alepha1672.TString;
+  status: alepha1672.TInteger;
+  message: alepha1672.TString;
+  details: alepha1672.TOptional<alepha1672.TString>;
+  requestId: alepha1672.TOptional<alepha1672.TString>;
+  cause: alepha1672.TOptional<alepha1672.TObject<{
+    name: alepha1672.TString;
+    message: alepha1672.TString;
+  }>>;
+}>;
+type ErrorSchema = Static<typeof errorSchema>;
+//#endregion
+//#region ../alepha/src/server/errors/HttpError.d.ts
+declare class HttpError extends AlephaError {
+  name: string;
+  static is: (error: unknown, status?: number) => error is HttpErrorLike;
+  static toJSON(error: HttpError): ErrorSchema;
+  readonly error: string;
+  readonly status: number;
+  readonly requestId?: string;
+  readonly details?: string;
+  readonly reason?: {
+    name: string;
+    message: string;
+  };
+  constructor(options: Partial<ErrorSchema>, cause?: unknown);
+}
+interface HttpErrorLike extends Error {
+  status: number;
+}
+//#endregion
+//#region ../alepha/src/router/providers/RouterProvider.d.ts
+declare abstract class RouterProvider<T$1 extends Route = Route> {
+  protected routePathRegex: RegExp;
+  protected tree: Tree<T$1>;
+  protected cache: Map<string, RouteMatch<T$1>>;
+  match(path: string): RouteMatch<T$1>;
+  protected test(path: string): void;
+  protected push(route: T$1): void;
+  protected createRouteMatch(path: string): RouteMatch<T$1>;
+  protected mapParams(match: RouteMatch<T$1>): RouteMatch<T$1>;
+  protected createParts(path: string): string[];
+}
+interface RouteMatch<T$1 extends Route> {
+  route?: T$1;
+  params?: Record<string, string>;
+}
+interface Route {
+  path: string;
+  /**
+   * Rename a param in the route.
+   * This is automatically filled when you have scenarios like:
+   * `/customers/:id` and `/customers/:userId/payments`
+   *
+   * In this case, `:id` will be renamed to `:userId` in the second route.
+   */
+  mapParams?: Record<string, string>;
+}
+interface Tree<T$1 extends Route> {
+  route?: T$1;
+  children: {
+    [key: string]: Tree<T$1>;
+  };
+  param?: {
+    route?: T$1;
+    name: string;
+    children: {
+      [key: string]: Tree<T$1>;
+    };
+  };
+  wildcard?: {
+    route: T$1;
+  };
+}
+//#endregion
+//#region ../alepha/src/server/constants/routeMethods.d.ts
+declare const routeMethods: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE"];
+type RouteMethod = (typeof routeMethods)[number];
+//#endregion
+//#region ../alepha/src/server/helpers/ServerReply.d.ts
+/**
+ * Helper for building server replies.
+ */
+declare class ServerReply {
+  headers: Record<string, string> & {
+    "set-cookie"?: string[];
+  };
+  status?: number;
+  body?: any;
+  /**
+   * Redirect to a given URL with optional status code (default 302).
+   */
+  redirect(url: string, status?: number): void;
+  /**
+   * Set the response status code.
+   */
+  setStatus(status: number): this;
+  /**
+   * Set a response header.
+   */
+  setHeader(name: string, value: string): this;
+  /**
+   * Set the response body.
+   */
+  setBody(body: any): this;
+}
+//#endregion
+//#region ../alepha/src/server/services/UserAgentParser.d.ts
+interface UserAgentInfo {
+  os: "Windows" | "Android" | "Ubuntu" | "MacOS" | "iOS" | "Linux" | "FreeBSD" | "OpenBSD" | "ChromeOS" | "BlackBerry" | "Symbian" | "Windows Phone";
+  browser: "Chrome" | "Firefox" | "Safari" | "Edge" | "Opera" | "Internet Explorer" | "Brave" | "Vivaldi" | "Samsung Browser" | "UC Browser" | "Yandex";
+  device: "MOBILE" | "DESKTOP" | "TABLET";
+}
+/**
+ * Simple User-Agent parser to detect OS, browser, and device type.
+ * This parser is not exhaustive and may not cover all edge cases.
+ *
+ * Use result for non
+ */
+declare class UserAgentParser {
+  parse(userAgent?: string): UserAgentInfo;
+}
+//#endregion
+//#region ../alepha/src/server/interfaces/ServerRequest.d.ts
+type TRequestBody = TObject | TString | TArray | TRecord | TStream;
+type TResponseBody = TObject | TString | TRecord | TFile | TArray | TStream | TVoid;
+interface RequestConfigSchema {
+  body?: TRequestBody;
+  params?: TObject;
+  query?: TObject;
+  headers?: TObject;
+  response?: TResponseBody;
+}
+interface ServerRequestConfig<TConfig extends RequestConfigSchema = RequestConfigSchema> {
+  body: TConfig["body"] extends TRequestBody ? Static<TConfig["body"]> : any;
+  headers: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : Record<string, string>;
+  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : Record<string, string>;
+  query: TConfig["query"] extends TObject ? Static<TConfig["query"]> : Record<string, any>;
+}
+type ServerRequestConfigEntry<TConfig extends RequestConfigSchema = RequestConfigSchema> = Partial<ServerRequestConfig<TConfig>>;
+interface ServerRequest<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRequestConfig<TConfig> {
+  /**
+   * HTTP method used for this request.
+   */
+  method: RouteMethod;
+  /**
+   * Full request URL.
+   */
+  url: URL;
+  /**
+   * Unique request ID assigned to this request.
+   */
+  requestId: string;
+  /**
+   * Client IP address.
+   * Will parse `X-Forwarded-For` header if present.
+   */
+  ip?: string;
+  /**
+   * Value of the `Host` header sent by the client.
+   */
+  host?: string;
+  /**
+   * Browser user agent information.
+   * Information are not guaranteed to be accurate. Use with caution.
+   *
+   * @see {@link UserAgentParser}
+   */
+  userAgent: UserAgentInfo;
+  /**
+   * Arbitrary metadata attached to the request. Can be used by middlewares to store information.
+   */
+  metadata: Record<string, any>;
+  /**
+   * Reply object to be used to send response.
+   */
+  reply: ServerReply;
+  /**
+   * The raw underlying request object (Web Request).
+   */
+  raw: ServerRawRequest;
+}
+interface ServerRoute<TConfig extends RequestConfigSchema = RequestConfigSchema> extends Route {
+  /**
+   * Handler function for this route.
+   */
+  handler: ServerHandler<TConfig>;
+  /**
+   * HTTP method for this route.
+   */
+  method?: RouteMethod;
+  /**
+   * Request/response schema for this route.
+   *
+   * Request schema contains:
+   * - body, for POST/PUT/PATCH requests
+   * - params, for URL parameters (e.g. /user/:id)
+   * - query, for URL query parameters (e.g. /user?id=123)
+   * - headers, for HTTP headers
+   *
+   * Response schema contains:
+   * - response
+   *
+   * Response schema is used to validate and serialize the response sent by the handler.
+   */
+  schema?: TConfig;
+  /**
+   * @see ServerLoggerProvider
+   */
+  silent?: boolean;
+}
+type ServerResponseBody<TConfig extends RequestConfigSchema = RequestConfigSchema> = TConfig["response"] extends TResponseBody ? Static<TConfig["response"]> : ResponseBodyType;
+type ResponseKind = "json" | "text" | "void" | "file" | "any";
+type ResponseBodyType = string | Buffer | StreamLike | undefined | null | void;
+type ServerHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
+interface ServerResponse$1 {
+  body: string | Buffer | ArrayBuffer | Readable | ReadableStream;
+  headers: Record<string, string>;
+  status: number;
+}
+type ServerRouteRequestHandler = (request: ServerRequestData) => Promise<ServerResponse$1>;
+interface ServerRouteMatcher extends Route {
+  handler: ServerRouteRequestHandler;
+}
+interface ServerRequestData {
+  method: RouteMethod;
+  url: URL;
+  headers: Record<string, string>;
+  query: Record<string, string>;
+  params: Record<string, string>;
+  raw: ServerRawRequest;
+}
+interface ServerRawRequest {
+  node?: NodeRequestEvent;
+  web?: WebRequestEvent;
+}
+interface NodeRequestEvent {
+  req: IncomingMessage;
+  res: ServerResponse;
+}
+interface WebRequestEvent {
+  req: Request;
+  res?: Response;
+}
+//#endregion
 //#region ../alepha/src/logger/schemas/logEntrySchema.d.ts
-declare const logEntrySchema: alepha1246.TObject<{
-  level: alepha1246.TUnsafe<"TRACE" | "SILENT" | "DEBUG" | "INFO" | "WARN" | "ERROR">;
-  message: alepha1246.TString;
-  service: alepha1246.TString;
-  module: alepha1246.TString;
-  context: alepha1246.TOptional<alepha1246.TString>;
-  app: alepha1246.TOptional<alepha1246.TString>;
-  data: alepha1246.TOptional<alepha1246.TAny>;
-  timestamp: alepha1246.TNumber;
+declare const logEntrySchema: alepha1672.TObject<{
+  level: alepha1672.TUnsafe<"TRACE" | "SILENT" | "DEBUG" | "INFO" | "WARN" | "ERROR">;
+  message: alepha1672.TString;
+  service: alepha1672.TString;
+  module: alepha1672.TString;
+  context: alepha1672.TOptional<alepha1672.TString>;
+  app: alepha1672.TOptional<alepha1672.TString>;
+  data: alepha1672.TOptional<alepha1672.TAny>;
+  timestamp: alepha1672.TNumber;
 }>;
 type LogEntry = Static<typeof logEntrySchema>;
 //#endregion
@@ -61,8 +308,8 @@ declare class DateTimeProvider {
   protected readonly timeouts: Timeout[];
   protected readonly intervals: Interval[];
   constructor();
-  protected readonly onStart: alepha1246.HookDescriptor<"start">;
-  protected readonly onStop: alepha1246.HookDescriptor<"stop">;
+  protected readonly onStart: alepha1672.HookPrimitive<"start">;
+  protected readonly onStop: alepha1672.HookPrimitive<"stop">;
   setLocale(locale: string): void;
   isDateTime(value: unknown): value is DateTime;
   /**
@@ -194,7 +441,7 @@ declare class Logger implements LoggerInterface {
 }
 //#endregion
 //#region ../alepha/src/logger/index.d.ts
-declare const envSchema$9: alepha1246.TObject<{
+declare const envSchema$9: alepha1672.TObject<{
   /**
    * Default log level for the application.
    *
@@ -211,14 +458,14 @@ declare const envSchema$9: alepha1246.TObject<{
    * LOG_LEVEL=my.module.name:debug,info # Set debug level for my.module.name and info for all other modules
    * LOG_LEVEL=alepha:trace, info # Set trace level for all alepha modules and info for all other modules
    */
-  LOG_LEVEL: alepha1246.TOptional<alepha1246.TString>;
+  LOG_LEVEL: alepha1672.TOptional<alepha1672.TString>;
   /**
    * Built-in log formats.
    * - "json" - JSON format, useful for structured logging and log aggregation. {@link JsonFormatterProvider}
    * - "pretty" - Simple text format, human-readable, with colors. {@link SimpleFormatterProvider}
    * - "raw" - Raw format, no formatting, just the message.  {@link RawFormatterProvider}
    */
-  LOG_FORMAT: alepha1246.TOptional<alepha1246.TUnsafe<"json" | "pretty" | "raw">>;
+  LOG_FORMAT: alepha1672.TOptional<alepha1672.TUnsafe<"json" | "pretty" | "raw">>;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$9>> {}
@@ -236,1142 +483,895 @@ declare module "alepha" {
   }
 }
 //#endregion
-//#region ../alepha/src/security/interfaces/UserAccountToken.d.ts
-/**
- * Add contextual metadata to a user account info.
- * E.g. UserAccountToken is a UserAccountInfo during a request.
- */
-interface UserAccountToken extends UserAccount {
-  /**
-   * Access token for the user.
-   */
-  token?: string;
-  /**
-   * Realm name of the user.
-   */
-  realm?: string;
-  /**
-   * Is user dedicated to his own resources for this scope ?
-   * Mostly, Admin is false and Customer is true.
-   */
-  ownership?: string | boolean;
+//#region ../alepha/src/server/services/ServerRequestParser.d.ts
+declare class ServerRequestParser {
+  protected readonly alepha: Alepha;
+  protected readonly userAgentParser: UserAgentParser;
+  createServerRequest(rawRequest: ServerRequestData): ServerRequest;
+  getRequestId(request: ServerRequestData): string | undefined;
+  getRequestUserAgent(request: ServerRequestData): UserAgentInfo;
+  getRequestIp(request: ServerRequestData): string | undefined;
 }
 //#endregion
-//#region ../alepha/src/security/schemas/permissionSchema.d.ts
-declare const permissionSchema: alepha1246.TObject<{
-  name: alepha1246.TString;
-  group: alepha1246.TOptional<alepha1246.TString>;
-  description: alepha1246.TOptional<alepha1246.TString>;
-  method: alepha1246.TOptional<alepha1246.TString>;
-  path: alepha1246.TOptional<alepha1246.TString>;
-}>;
-type Permission = Static<typeof permissionSchema>;
-//#endregion
-//#region ../alepha/src/security/schemas/roleSchema.d.ts
-declare const roleSchema: alepha1246.TObject<{
-  name: alepha1246.TString;
-  description: alepha1246.TOptional<alepha1246.TString>;
-  default: alepha1246.TOptional<alepha1246.TBoolean>;
-  permissions: alepha1246.TArray<alepha1246.TObject<{
-    name: alepha1246.TString;
-    ownership: alepha1246.TOptional<alepha1246.TBoolean>;
-    exclude: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
-  }>>;
-}>;
-type Role = Static<typeof roleSchema>;
+//#region ../alepha/src/server/providers/ServerTimingProvider.d.ts
+type TimingMap = Record<string, [number, number]>;
+declare class ServerTimingProvider {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  options: {
+    prefix: string;
+    disabled: boolean;
+  };
+  readonly onRequest: alepha1672.HookPrimitive<"server:onRequest">;
+  readonly onResponse: alepha1672.HookPrimitive<"server:onResponse">;
+  protected get handlerName(): string;
+  beginTiming(name: string): void;
+  endTiming(name: string): void;
+  protected setDuration(name: string, timing: TimingMap): void;
+}
 //#endregion
-//#region ../alepha/src/security/providers/JwtProvider.d.ts
+//#region ../alepha/src/server/providers/ServerRouterProvider.d.ts
 /**
- * Provides utilities for working with JSON Web Tokens (JWT).
+ * Main router for all routes on the server side.
+ *
+ * - $route => generic route
+ * - $action => action route (for API calls)
+ * - $page => React route (for SSR)
  */
-declare class JwtProvider {
+declare class ServerRouterProvider extends RouterProvider<ServerRouteMatcher> {
   protected readonly log: Logger;
-  protected readonly keystore: KeyLoaderHolder[];
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly encoder: TextEncoder;
-  /**
-   * Adds a key loader to the embedded keystore.
-   *
-   * @param name
-   * @param secretKeyOrJwks
-   */
-  setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet): void;
-  /**
-   * Retrieves the payload from a JSON Web Token (JWT).
-   *
-   * @param token - The JWT to extract the payload from.
-   *
-   * @return A Promise that resolves with the payload object from the token.
-   */
-  parse(token: string, keyName?: string, options?: JWTVerifyOptions): Promise<JwtParseResult>;
-  /**
-   * Creates a JWT token with the provided payload and secret key.
-   *
-   * @param payload - The payload to be encoded in the token.
-   * 	It should include the `realm_access` property which contains an array of roles.
-   * @param keyName - The name of the key to use when signing the token.
-   *
-   * @returns The signed JWT token.
-   */
-  create(payload: ExtendedJWTPayload, keyName?: string, signOptions?: JwtSignOptions): Promise<string>;
+  protected readonly alepha: Alepha;
+  protected readonly routes: ServerRoute[];
+  protected readonly serverTimingProvider: ServerTimingProvider;
+  protected readonly serverRequestParser: ServerRequestParser;
   /**
-   * Determines if the provided key is a secret key.
+   * Get all registered routes, optionally filtered by a pattern.
    *
-   * @param key
-   * @protected
+   * Pattern accept simple wildcard '*' at the end.
+   * Example: '/api/*' will match all routes starting with '/api/' but '/api/' will match only that exact route.
    */
-  protected isSecretKey(key: string): boolean;
-}
-type KeyLoader = (protectedHeader?: JWSHeaderParameters, token?: FlattenedJWSInput) => Promise<CryptoKey | KeyObject>;
-interface KeyLoaderHolder {
-  name: string;
-  keyLoader: KeyLoader;
-  secretKey?: string;
-}
-interface JwtSignOptions {
-  header?: Partial<JWTHeaderParameters>;
-}
-interface ExtendedJWTPayload extends JWTPayload {
-  sid?: string;
-  name?: string;
-  roles?: string[];
-  email?: string;
-  organizations?: string[];
-  realm_access?: {
-    roles: string[];
-  };
-}
-interface JwtParseResult {
-  keyName: string;
-  result: JWTVerifyResult<ExtendedJWTPayload>;
+  getRoutes(pattern?: string): ServerRoute[];
+  createRoute<TConfig extends RequestConfigSchema = RequestConfigSchema>(route: ServerRoute<TConfig>): void;
+  protected getContextId(headers: Record<string, string>): string;
+  protected processRequest(request: ServerRequest, route: ServerRoute, responseKind: ResponseKind): Promise<{
+    status: number;
+    headers: Record<string, string> & {
+      "set-cookie"?: string[];
+    };
+    body: any;
+  }>;
+  protected runRouteHandler(route: ServerRoute, request: ServerRequest, responseKind: ResponseKind): Promise<void>;
+  serializeResponse(route: ServerRoute, reply: ServerReply, responseKind: ResponseKind): void;
+  protected getResponseType(schema?: RequestConfigSchema): ResponseKind;
+  protected errorHandler(route: ServerRoute, request: ServerRequest, error: Error): Promise<void>;
+  validateRequest(route: {
+    schema?: RequestConfigSchema;
+  }, request: ServerRequestConfig): void;
 }
 //#endregion
-//#region ../alepha/src/security/providers/SecurityProvider.d.ts
-declare const envSchema$8: alepha1246.TObject<{
-  APP_SECRET: alepha1246.TString;
-}>;
-declare module "alepha" {
-  interface Env extends Partial<Static<typeof envSchema$8>> {}
-}
-declare class SecurityProvider {
-  protected readonly UNKNOWN_USER_NAME = "Anonymous User";
-  protected readonly PERMISSION_REGEXP: RegExp;
-  protected readonly PERMISSION_REGEXP_WILDCARD: RegExp;
+//#region ../alepha/src/server/providers/ServerProvider.d.ts
+/**
+ * Base server provider to handle incoming requests and route them.
+ *
+ * This is the default implementation for serverless environments.
+ *
+ * ServerProvider supports both Node.js HTTP requests and Web (Fetch API) requests.
+ */
+declare class ServerProvider {
   protected readonly log: Logger;
-  protected readonly jwt: JwtProvider;
-  protected readonly env: {
-    APP_SECRET: string;
-  };
   protected readonly alepha: Alepha;
-  get secretKey(): string;
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly router: ServerRouterProvider;
+  protected readonly internalServerErrorMessage = "Internal Server Error";
+  get hostname(): string;
   /**
-   * The permissions configured for the security provider.
+   * When a Node.js HTTP request is received from outside. (Vercel, AWS Lambda, etc.)
    */
-  protected readonly permissions: Permission[];
+  protected readonly onNodeRequest: alepha1672.HookPrimitive<"node:request">;
   /**
-   * The realms configured for the security provider.
+   * When a Web (Fetch API) request is received from outside. (Netlify, Cloudflare Workers, etc.)
    */
-  protected readonly realms: Realm[];
-  protected start: alepha1246.HookDescriptor<"start">;
+  protected readonly onWebRequest: alepha1672.HookPrimitive<"web:request">;
   /**
-   * Adds a role to one or more realms.
+   * Handle Node.js HTTP request event.
    *
-   * @param role
-   * @param realms
+   * Technically, we just convert Node.js request to Web Standard Request.
    */
-  createRole(role: Role, ...realms: string[]): Role;
+  handleNodeRequest(nodeRequestEvent: NodeRequestEvent): Promise<void>;
   /**
-   * Adds a permission to the security provider.
-   *
-   * @param raw - The permission to add.
+   * Handle Web (Fetch API) request event.
    */
-  createPermission(raw: Permission | string): Permission;
-  createRealm(realm: Realm): void;
+  handleWebRequest(ev: WebRequestEvent): Promise<void>;
   /**
-   * Updates the roles for a realm then synchronizes the user account provider if available.
-   *
-   * Only available when the app is started.
-   *
-   * @param realm - The realm to update the roles for.
-   * @param roles - The roles to update.
+   * Helper for Vite development mode to let Vite handle (or not) 404.
    */
-  updateRealm(realm: string, roles: Role[]): Promise<void>;
+  protected isViteNotFound(url?: string, route?: Route, params?: Record<string, string>): boolean;
+}
+//#endregion
+//#region ../alepha/src/cache/providers/CacheProvider.d.ts
+/**
+ * Cache provider interface.
+ *
+ * All methods are asynchronous and return promises.
+ * Values are stored as Uint8Array.
+ */
+declare abstract class CacheProvider {
   /**
-   * Creates a user account from the provided payload.
+   * Get the value of a key.
    *
-   * @param payload - The payload to create the user account from.
-   * @param [realmName] - The realm containing the roles. Default is all.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param key The key of the value to get.
    *
-   * @returns The user info created from the payload.
+   * @return The value of the key, or undefined if the key does not exist.
    */
-  createUserFromPayload(payload: JWTPayload, realmName?: string): UserAccount;
+  abstract get(name: string, key: string): Promise<Uint8Array | undefined>;
   /**
-   * Checks if the user has the specified permission.
+   * Set the string value of a key.
    *
-   * Bonus: we check also if the user has "ownership" flag.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param key The key of the value to set.
+   * @param value The value to set.
+   * @param ttl The time-to-live of the key, in milliseconds.
    *
-   * @param permissionLike - The permission to check for.
-   * @param roleEntries - The roles to check for the permission.
-   */
-  checkPermission(permissionLike: string | Permission, ...roleEntries: string[]): SecurityCheckResult;
-  /**
-   * Creates a user account from the provided payload.
+   * @return The value of the key.
    */
-  createUserFromToken(headerOrToken?: string, options?: {
-    permission?: Permission | string;
-    realm?: string;
-    verify?: JWTVerifyOptions;
-  }): Promise<UserAccountToken>;
+  abstract set(name: string, key: string, value: Uint8Array, ttl?: number): Promise<Uint8Array>;
   /**
-   * Checks if a user has a specific role.
+   * Remove the specified keys.
    *
-   * @param roleName - The role to check for.
-   * @param permission - The permission to check for.
-   * @returns True if the user has the role, false otherwise.
+   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
+   * @param keys The keys to delete.
    */
-  can(roleName: string, permission: string | Permission): boolean;
+  abstract del(name: string, ...keys: string[]): Promise<void>;
+  abstract has(name: string, key: string): Promise<boolean>;
+  abstract keys(name: string, filter?: string): Promise<string[]>;
   /**
-   * Checks if a user has ownership of a specific permission.
+   * Remove all keys from all cache names.
    */
-  ownership(roleName: string, permission: string | Permission): string | boolean | undefined;
+  abstract clear(): Promise<void>;
+}
+//#endregion
+//#region ../alepha/src/cache/primitives/$cache.d.ts
+interface CachePrimitiveOptions<TReturn = any, TParameter extends any[] = any[]> {
   /**
-   * Converts a permission object to a string.
+   * The cache name. This is useful for invalidating multiple caches at once.
    *
-   * @param permission
+   * Store key as `cache:$name:$key`.
+   *
+   * @default Name of the key of the class.
    */
-  permissionToString(permission: Permission | string): string;
-  getRealms(): Realm[];
+  name?: string;
   /**
-   * Retrieves the user account from the provided user ID.
-   *
-   * @param realm
+   * Function which returns cached data.
    */
-  getRoles(realm?: string): Role[];
+  handler?: (...args: TParameter) => TReturn;
   /**
-   * Returns all permissions.
-   *
-   * @param user - Filter permissions by user.
-   *
-   * @return An array containing all permissions.
+   * The key generator for the cache.
+   * If not provided, the arguments will be json.stringify().
    */
-  getPermissions(user?: {
-    roles?: Array<Role | string>;
-    realm?: string;
-  }): Permission[];
+  key?: (...args: TParameter) => string;
   /**
-   * Retrieves the user ID from the provided payload object.
+   * The store provider for the cache.
+   * If not provided, the default store provider will be used.
+   */
+  provider?: InstantiableClass<CacheProvider> | "memory";
+  /**
+   * The time-to-live for the cache in seconds.
+   * Set 0 to skip expiration.
    *
-   * @param payload - The payload object from which to extract the user ID.
-   * @return The user ID as a string.
+   * @default 300 (5 minutes).
    */
-  getIdFromPayload(payload: Record<string, any>): string;
-  getSessionIdFromPayload(payload: Record<string, any>): string | undefined;
+  ttl?: DurationLike;
   /**
-   * Retrieves the roles from the provided payload object.
-   * @param payload - The payload object from which to extract the roles.
-   * @return An array of role strings.
+   * If the cache is disabled.
    */
-  getRolesFromPayload(payload: Record<string, any>): string[];
-  getPictureFromPayload(payload: Record<string, any>): string | undefined;
-  getUsernameFromPayload(payload: Record<string, any>): string | undefined;
-  getEmailFromPayload(payload: Record<string, any>): string | undefined;
+  disabled?: boolean;
+}
+declare class CachePrimitive<TReturn = any, TParameter extends any[] = any[]> extends Primitive<CachePrimitiveOptions<TReturn, TParameter>> {
+  protected readonly env: {
+    CACHE_ENABLED: boolean;
+    CACHE_DEFAULT_TTL: number;
+  };
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly provider: CacheProvider;
+  protected encoder: TextEncoder;
+  protected decoder: TextDecoder;
+  protected codes: {
+    BINARY: number;
+    JSON: number;
+    STRING: number;
+  };
+  get container(): string;
+  run(...args: TParameter): Promise<TReturn>;
+  key(...args: TParameter): string;
+  invalidate(...keys: string[]): Promise<void>;
+  set(key: string, value: TReturn, ttl?: DurationLike): Promise<void>;
+  get(key: string): Promise<TReturn | undefined>;
+  protected serialize<TReturn>(value: TReturn): Uint8Array;
+  protected deserialize<TReturn>(uint8Array: Uint8Array): Promise<TReturn>;
+  protected $provider(): CacheProvider;
+}
+interface CachePrimitiveFn<TReturn = any, TParameter extends any[] = any[]> extends CachePrimitive<TReturn, TParameter> {
   /**
-   * Returns the name from the given payload.
-   *
-   * @param payload - The payload object.
-   * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.
+   * Run the cache primitive with the provided arguments.
    */
-  getNameFromPayload(payload: Record<string, any>): string;
-  getOrganizationsFromPayload(payload: Record<string, any>): string[] | undefined;
+  (...args: TParameter): Promise<TReturn>;
 }
-/**
- * A realm definition.
- */
-interface Realm {
-  name: string;
-  roles: Role[];
+//#endregion
+//#region ../alepha/src/server/services/HttpClient.d.ts
+declare class HttpClient {
+  protected readonly log: Logger;
+  protected readonly alepha: Alepha;
+  readonly cache: CachePrimitiveFn<HttpClientCache, any[]>;
+  protected readonly pendingRequests: HttpClientPendingRequests;
+  fetchAction(args: FetchActionArgs): Promise<FetchResponse>;
+  fetch<T$1 extends TSchema>(url: string, request?: RequestInitWithOptions<T$1>): Promise<FetchResponse<Static<T$1>>>;
+  protected url(host: string, action: HttpAction, args: ServerRequestConfigEntry): string;
+  protected body(init: RequestInit, headers: Record<string, string>, action: HttpAction, args?: ServerRequestConfigEntry): Promise<void>;
+  protected responseData(response: Response, options: FetchOptions): Promise<any>;
+  protected isMaybeFile(response: Response): boolean;
+  protected createFileLike(response: Response, defaultFileName?: string): FileLike;
+  pathVariables(url: string, action: {
+    schema?: {
+      params?: TObject;
+    };
+  }, args?: ServerRequestConfigEntry): string;
+  queryParams(url: string, action: {
+    schema?: {
+      query?: TObject;
+    };
+  }, args?: ServerRequestConfigEntry): string;
+}
+interface FetchOptions<T$1 extends TSchema = TSchema> {
   /**
-   * The secret key for the realm.
-   *
-   * Can be also a JWKS URL.
+   * Key to identify the request in the pending requests.
    */
-  secret?: string | JSONWebKeySet | (() => string);
+  key?: string;
   /**
-   * Create the user account info based on the raw JWT payload.
-   * By default, SecurityProvider has his own implementation, but this method allow to override it.
+   * The schema to validate the response against.
    */
-  profile?: (raw: Record<string, any>) => UserAccount;
+  schema?: {
+    response?: T$1;
+  };
+  /**
+   * Built-in cache options.
+   */
+  localCache?: boolean | number | DurationLike;
 }
-interface SecurityCheckResult {
-  isAuthorized: boolean;
-  ownership: string | boolean | undefined;
+type RequestInitWithOptions<T$1 extends TSchema = TSchema> = RequestInit & FetchOptions<T$1>;
+interface FetchResponse<T$1 = any> {
+  data: T$1;
+  status: number;
+  statusText: string;
+  headers: Headers;
+  raw?: Response;
+}
+type HttpClientPendingRequests = Record<string, Promise<any> | undefined>;
+interface HttpClientCache {
+  data: any;
+  etag?: string;
+}
+interface FetchActionArgs {
+  action: HttpAction;
+  host?: string;
+  config?: ServerRequestConfigEntry;
+  options?: ClientRequestOptions;
+}
+interface HttpAction {
+  method?: string;
+  prefix?: string;
+  path: string;
+  requestBodyType?: string;
+  schema?: {
+    params?: TObject;
+    query?: TObject;
+    body?: TRequestBody;
+    response?: TResponseBody;
+  };
 }
 //#endregion
-//#region ../alepha/src/security/descriptors/$realm.d.ts
-type RealmDescriptorOptions = {
+//#region ../alepha/src/server/primitives/$action.d.ts
+interface ActionPrimitiveOptions<TConfig extends RequestConfigSchema> extends Omit<ServerRoute, "handler" | "path" | "schema" | "mapParams"> {
   /**
-   * Define the realm name.
-   * If not provided, it will use the property key.
+   * Name of the action.
+   *
+   * - It will be used to generate the route path if `path` is not provided.
+   * - It will be used to generate the permission name if `security` is enabled.
    */
   name?: string;
   /**
-   * Short description about the realm.
+   * Group actions together.
+   *
+   * - If not provided, the service name containing the route will be used.
+   * - It will be used as Tag for documentation purposes.
+   * - It will be used for permission name generation if `security` is enabled.
+   *
+   * @example
+   * ```ts
+   * // group = "MyController"
+   * class MyController {
+   * 	hello = $action({ handler: () => "Hello World" });
+   * }
+   *
+   * // group = "users"
+   * class MyOtherController {
+   *   group = "users";
+   *   a1 = $action({ handler: () => "Action 1", group: this.group });
+   *   a2 = $action({ handler: () => "Action 2", group: this.group });
+   * }
+   * ```
    */
-  description?: string;
+  group?: string;
   /**
-   * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).
+   * Pathname of the route. If not provided, property key is used.
    */
-  roles?: Array<string | Role>;
+  path?: string;
   /**
-   * Realm settings.
+   * The route method.
+   *
+   * - If not provided, it will be set to "GET" by default.
+   * - If not provider and a body is provided, it will be set to "POST".
+   *
+   * Wildcard methods are not supported for now. (e.g. "ALL", "ANY", etc.)
    */
-  settings?: RealmSettings;
+  method?: RouteMethod;
   /**
-   * Parse the JWT payload to create a user account info.
+   * The config schema of the route.
+   * - body: The request body schema.
+   * - params: Path variables schema.
+   * - query: The request query-params schema.
+   * - response: The response schema.
    */
-  profile?: (jwtPayload: Record<string, any>) => UserAccount;
-} & (RealmInternal | RealmExternal);
-interface RealmSettings {
-  accessToken?: {
-    /**
-     * Lifetime of the access token.
-     * @default 15 minutes
-     */
-    expiration?: DurationLike;
-  };
-  refreshToken?: {
-    /**
-     * Lifetime of the refresh token.
-     * @default 30 days
-     */
-    expiration?: DurationLike;
-  };
-  onCreateSession?: (user: UserAccount, config: {
-    expiresIn: number;
-  }) => Promise<{
-    refreshToken: string;
-    sessionId?: string;
-  }>;
-  onRefreshSession?: (refreshToken: string) => Promise<{
-    user: UserAccount;
-    expiresIn: number;
-    sessionId?: string;
-  }>;
-  onDeleteSession?: (refreshToken: string) => Promise<void>;
-}
-type RealmInternal = {
+  schema?: TConfig;
   /**
-   * Internal secret to sign JWT tokens and verify them.
+   * A short description of the action. Used for documentation purposes.
    */
-  secret: string;
-};
-interface RealmExternal {
+  description?: string;
   /**
-   * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.
+   * Disable the route. Useful with env variables do disable one specific route.
+   * Route won't be available in the API but can still be called locally!
    */
-  jwks: (() => string) | JSONWebKeySet;
+  disabled?: boolean;
+  /**
+   * Main route handler. This is where the route logic is implemented.
+   */
+  handler: ServerActionHandler<TConfig>;
 }
-declare class RealmDescriptor extends Descriptor<RealmDescriptorOptions> {
-  protected readonly securityProvider: SecurityProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly jwt: JwtProvider;
+declare class ActionPrimitive<TConfig extends RequestConfigSchema> extends Primitive<ActionPrimitiveOptions<TConfig>> {
   protected readonly log: Logger;
-  get name(): string;
-  get accessTokenExpiration(): Duration;
-  get refreshTokenExpiration(): Duration;
+  protected readonly env: {
+    SERVER_API_PREFIX: string;
+  };
+  protected readonly httpClient: HttpClient;
+  protected readonly serverProvider: ServerProvider;
+  protected readonly serverRouterProvider: ServerRouterProvider;
   protected onInit(): void;
+  get prefix(): string;
+  get route(): ServerRoute;
   /**
-   * Get all roles in the realm.
+   * Returns the name of the action.
    */
-  getRoles(): Role[];
-  /**
-   * Set all roles in the realm.
-   */
-  setRoles(roles: Role[]): Promise<void>;
+  get name(): string;
   /**
-   * Get a role by name, throws an error if not found.
+   * Returns the group of the action. (e.g. "orders", "admin", etc.)
    */
-  getRoleByName(name: string): Role;
-  parseToken(token: string): Promise<JWTPayload>;
+  get group(): string;
   /**
-   * Create a token for the subject.
+   * Returns the HTTP method of the action.
    */
-  createToken(user: UserAccount, refreshToken?: {
-    sid?: string;
-    refresh_token?: string;
-    refresh_token_expires_in?: number;
-  }): Promise<AccessTokenResponse>;
-  refreshToken(refreshToken: string, accessToken?: string): Promise<{
-    tokens: AccessTokenResponse;
-    user: UserAccount;
-  }>;
-}
-interface AccessTokenResponse {
-  access_token: string;
-  token_type: string;
-  expires_in?: number;
-  issued_at: number;
-  refresh_token?: string;
-  refresh_token_expires_in?: number;
-  scope?: string;
-}
-//#endregion
-//#region ../alepha/src/security/descriptors/$serviceAccount.d.ts
-interface ServiceAccountDescriptor {
-  token: () => Promise<string>;
-}
-//#endregion
-//#region ../alepha/src/server/constants/routeMethods.d.ts
-declare const routeMethods: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE"];
-type RouteMethod = (typeof routeMethods)[number];
-//#endregion
-//#region ../alepha/src/router/providers/RouterProvider.d.ts
-declare abstract class RouterProvider<T$1 extends Route = Route> {
-  protected routePathRegex: RegExp;
-  protected tree: Tree<T$1>;
-  protected cache: Map<string, RouteMatch<T$1>>;
-  match(path: string): RouteMatch<T$1>;
-  protected test(path: string): void;
-  protected push(route: T$1): void;
-  protected createRouteMatch(path: string): RouteMatch<T$1>;
-  protected mapParams(match: RouteMatch<T$1>): RouteMatch<T$1>;
-  protected createParts(path: string): string[];
-}
-interface RouteMatch<T$1 extends Route> {
-  route?: T$1;
-  params?: Record<string, string>;
-}
-interface Route {
-  path: string;
+  get method(): RouteMethod;
   /**
-   * Rename a param in the route.
-   * This is automatically filled when you have scenarios like:
-   * `/customers/:id` and `/customers/:userId/payments`
+   * Returns the path of the action.
    *
-   * In this case, `:id` will be renamed to `:userId` in the second route.
-   */
-  mapParams?: Record<string, string>;
-}
-interface Tree<T$1 extends Route> {
-  route?: T$1;
-  children: {
-    [key: string]: Tree<T$1>;
-  };
-  param?: {
-    route?: T$1;
-    name: string;
-    children: {
-      [key: string]: Tree<T$1>;
-    };
-  };
-  wildcard?: {
-    route: T$1;
-  };
-}
-//#endregion
-//#region ../alepha/src/server/helpers/ServerReply.d.ts
-/**
- * Helper for building server replies.
- */
-declare class ServerReply {
-  headers: Record<string, string> & {
-    "set-cookie"?: string[];
-  };
-  status?: number;
-  body?: any;
-  /**
-   * Redirect to a given URL with optional status code (default 302).
+   * Path is prefixed by `/api` by default.
    */
-  redirect(url: string, status?: number): void;
+  get path(): string;
+  get schema(): TConfig | undefined;
+  getBodyContentType(): string | undefined;
   /**
-   * Set the response status code.
+   * Call the action handler directly.
+   * There is no HTTP layer involved.
    */
-  setStatus(status: number): this;
+  run(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
   /**
-   * Set a response header.
+   * Works like `run`, but always fetches (http request) the route.
    */
-  setHeader(name: string, value: string): this;
+  fetch(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<FetchResponse<ClientRequestResponse<TConfig>>>;
+}
+interface ActionPrimitiveFn<TConfig extends RequestConfigSchema> extends ActionPrimitive<TConfig> {
+  (config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
+}
+type ClientRequestEntry<TConfig extends RequestConfigSchema, T$1 = ClientRequestEntryContainer<TConfig>> = { [K in keyof T$1 as T$1[K] extends undefined ? never : K]: T$1[K] };
+type ClientRequestEntryContainer<TConfig extends RequestConfigSchema> = {
+  body: TConfig["body"] extends TObject ? Static<TConfig["body"]> : undefined;
+  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : undefined;
+  headers?: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : undefined;
+  query?: TConfig["query"] extends TObject ? Partial<Static<TConfig["query"]>> : undefined;
+};
+interface ClientRequestOptions extends FetchOptions {
   /**
-   * Set the response body.
+   * Standard request fetch options.
    */
-  setBody(body: any): this;
-}
-//#endregion
-//#region ../alepha/src/server/services/UserAgentParser.d.ts
-interface UserAgentInfo {
-  os: "Windows" | "Android" | "Ubuntu" | "MacOS" | "iOS" | "Linux" | "FreeBSD" | "OpenBSD" | "ChromeOS" | "BlackBerry" | "Symbian" | "Windows Phone";
-  browser: "Chrome" | "Firefox" | "Safari" | "Edge" | "Opera" | "Internet Explorer" | "Brave" | "Vivaldi" | "Samsung Browser" | "UC Browser" | "Yandex";
-  device: "MOBILE" | "DESKTOP" | "TABLET";
+  request?: RequestInit;
 }
+type ClientRequestResponse<TConfig extends RequestConfigSchema> = TConfig["response"] extends TSchema ? Static<TConfig["response"]> : any;
 /**
- * Simple User-Agent parser to detect OS, browser, and device type.
- * This parser is not exhaustive and may not cover all edge cases.
+ * Specific handler for server actions.
+ */
+type ServerActionHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerActionRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
+/**
+ * Server Action Request Interface
  *
- * Use result for non
+ * Can be extended with module augmentation to add custom properties (like `user` in Server Security).
+ *
+ * This is NOT Server Request, but a specific type for actions.
  */
-declare class UserAgentParser {
-  parse(userAgent?: string): UserAgentInfo;
-}
+interface ServerActionRequest<TConfig extends RequestConfigSchema> extends ServerRequest<TConfig> {}
 //#endregion
-//#region ../alepha/src/server/interfaces/ServerRequest.d.ts
-type TRequestBody = TObject | TString | TArray | TRecord | TStream;
-type TResponseBody = TObject | TString | TRecord | TFile | TArray | TStream | TVoid;
-interface RequestConfigSchema {
-  body?: TRequestBody;
-  params?: TObject;
-  query?: TObject;
-  headers?: TObject;
-  response?: TResponseBody;
-}
-interface ServerRequestConfig<TConfig extends RequestConfigSchema = RequestConfigSchema> {
-  body: TConfig["body"] extends TRequestBody ? Static<TConfig["body"]> : any;
-  headers: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : Record<string, string>;
-  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : Record<string, string>;
-  query: TConfig["query"] extends TObject ? Static<TConfig["query"]> : Record<string, any>;
-}
-type ServerRequestConfigEntry<TConfig extends RequestConfigSchema = RequestConfigSchema> = Partial<ServerRequestConfig<TConfig>>;
-interface ServerRequest<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRequestConfig<TConfig> {
-  /**
-   * HTTP method used for this request.
-   */
-  method: RouteMethod;
-  /**
-   * Full request URL.
-   */
-  url: URL;
-  /**
-   * Unique request ID assigned to this request.
-   */
-  requestId: string;
-  /**
-   * Client IP address.
-   * Will parse `X-Forwarded-For` header if present.
-   */
-  ip?: string;
-  /**
-   * Value of the `Host` header sent by the client.
-   */
-  host?: string;
-  /**
-   * Browser user agent information.
-   * Information are not guaranteed to be accurate. Use with caution.
-   *
-   * @see {@link UserAgentParser}
-   */
-  userAgent: UserAgentInfo;
-  /**
-   * Arbitrary metadata attached to the request. Can be used by middlewares to store information.
-   */
-  metadata: Record<string, any>;
-  /**
-   * Reply object to be used to send response.
-   */
-  reply: ServerReply;
-  /**
-   * The raw underlying request object (Web Request).
-   */
-  raw: ServerRawRequest;
-}
-interface ServerRoute<TConfig extends RequestConfigSchema = RequestConfigSchema> extends Route {
-  /**
-   * Handler function for this route.
-   */
-  handler: ServerHandler<TConfig>;
-  /**
-   * HTTP method for this route.
-   */
-  method?: RouteMethod;
-  /**
-   * Request/response schema for this route.
-   *
-   * Request schema contains:
-   * - body, for POST/PUT/PATCH requests
-   * - params, for URL parameters (e.g. /user/:id)
-   * - query, for URL query parameters (e.g. /user?id=123)
-   * - headers, for HTTP headers
-   *
-   * Response schema contains:
-   * - response
-   *
-   * Response schema is used to validate and serialize the response sent by the handler.
-   */
-  schema?: TConfig;
-  /**
-   * @see ServerLoggerProvider
-   */
-  silent?: boolean;
-}
-type ServerResponseBody<TConfig extends RequestConfigSchema = RequestConfigSchema> = TConfig["response"] extends TResponseBody ? Static<TConfig["response"]> : ResponseBodyType;
-type ResponseKind = "json" | "text" | "void" | "file" | "any";
-type ResponseBodyType = string | Buffer | StreamLike | undefined | null | void;
-type ServerHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
-interface ServerResponse$1 {
-  body: string | Buffer | ArrayBuffer | Readable | ReadableStream;
-  headers: Record<string, string>;
-  status: number;
-}
-type ServerRouteRequestHandler = (request: ServerRequestData) => Promise<ServerResponse$1>;
-interface ServerRouteMatcher extends Route {
-  handler: ServerRouteRequestHandler;
-}
-interface ServerRequestData {
-  method: RouteMethod;
-  url: URL;
-  headers: Record<string, string>;
-  query: Record<string, string>;
-  params: Record<string, string>;
-  raw: ServerRawRequest;
-}
-interface ServerRawRequest {
-  node?: NodeRequestEvent;
-  web?: WebRequestEvent;
-}
-interface NodeRequestEvent {
-  req: IncomingMessage;
-  res: ServerResponse;
-}
-interface WebRequestEvent {
-  req: Request;
-  res?: Response;
+//#region ../alepha/src/server/primitives/$route.d.ts
+interface RoutePrimitiveOptions<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRoute<TConfig> {}
+declare class RoutePrimitive<TConfig extends RequestConfigSchema> extends Primitive<RoutePrimitiveOptions<TConfig>> {
+  protected readonly serverRouterProvider: ServerRouterProvider;
+  protected onInit(): void;
 }
 //#endregion
-//#region ../alepha/src/server/services/ServerRequestParser.d.ts
-declare class ServerRequestParser {
-  protected readonly alepha: Alepha;
-  protected readonly userAgentParser: UserAgentParser;
-  createServerRequest(rawRequest: ServerRequestData): ServerRequest;
-  getRequestId(request: ServerRequestData): string | undefined;
-  getRequestUserAgent(request: ServerRequestData): UserAgentInfo;
-  getRequestIp(request: ServerRequestData): string | undefined;
+//#region ../alepha/src/server/providers/BunHttpServerProvider.d.ts
+declare const envSchema$8: alepha1672.TObject<{
+  SERVER_PORT: alepha1672.TInteger;
+  SERVER_HOST: alepha1672.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$8>> {}
 }
 //#endregion
-//#region ../alepha/src/server/providers/ServerTimingProvider.d.ts
-type TimingMap = Record<string, [number, number]>;
-declare class ServerTimingProvider {
-  protected readonly log: Logger;
-  protected readonly alepha: Alepha;
-  options: {
-    prefix: string;
-    disabled: boolean;
-  };
-  readonly onRequest: alepha1246.HookDescriptor<"server:onRequest">;
-  readonly onResponse: alepha1246.HookDescriptor<"server:onResponse">;
-  protected get handlerName(): string;
-  beginTiming(name: string): void;
-  endTiming(name: string): void;
-  protected setDuration(name: string, timing: TimingMap): void;
+//#region ../alepha/src/server/providers/NodeHttpServerProvider.d.ts
+declare const envSchema$7: alepha1672.TObject<{
+  SERVER_PORT: alepha1672.TInteger;
+  SERVER_HOST: alepha1672.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$7>> {}
 }
 //#endregion
-//#region ../alepha/src/server/providers/ServerRouterProvider.d.ts
-/**
- * Main router for all routes on the server side.
- *
- * - $route => generic route
- * - $action => action route (for API calls)
- * - $page => React route (for SSR)
- */
-declare class ServerRouterProvider extends RouterProvider<ServerRouteMatcher> {
-  protected readonly log: Logger;
-  protected readonly alepha: Alepha;
-  protected readonly routes: ServerRoute[];
-  protected readonly serverTimingProvider: ServerTimingProvider;
-  protected readonly serverRequestParser: ServerRequestParser;
-  /**
-   * Get all registered routes, optionally filtered by a pattern.
-   *
-   * Pattern accept simple wildcard '*' at the end.
-   * Example: '/api/*' will match all routes starting with '/api/' but '/api/' will match only that exact route.
-   */
-  getRoutes(pattern?: string): ServerRoute[];
-  createRoute<TConfig extends RequestConfigSchema = RequestConfigSchema>(route: ServerRoute<TConfig>): void;
-  protected getContextId(headers: Record<string, string>): string;
-  protected processRequest(request: ServerRequest, route: ServerRoute, responseKind: ResponseKind): Promise<{
-    status: number;
-    headers: Record<string, string> & {
-      "set-cookie"?: string[];
+//#region ../alepha/src/server/index.d.ts
+declare module "alepha" {
+  interface State {
+    "alepha.node.server"?: Server;
+  }
+  interface Hooks {
+    "action:onRequest": {
+      action: ActionPrimitive<RequestConfigSchema>;
+      request: ServerRequest;
+      options: ClientRequestOptions;
     };
-    body: any;
-  }>;
-  protected runRouteHandler(route: ServerRoute, request: ServerRequest, responseKind: ResponseKind): Promise<void>;
-  serializeResponse(route: ServerRoute, reply: ServerReply, responseKind: ResponseKind): void;
-  protected getResponseType(schema?: RequestConfigSchema): ResponseKind;
-  protected errorHandler(route: ServerRoute, request: ServerRequest, error: Error): Promise<void>;
-  validateRequest(route: {
-    schema?: RequestConfigSchema;
-  }, request: ServerRequestConfig): void;
+    "action:onResponse": {
+      action: ActionPrimitive<RequestConfigSchema>;
+      request: ServerRequest;
+      options: ClientRequestOptions;
+      response: any;
+    };
+    "server:onRequest": {
+      route: ServerRoute;
+      request: ServerRequest;
+    };
+    "server:onError": {
+      route: ServerRoute;
+      request: ServerRequest;
+      error: Error;
+    };
+    "server:onSend": {
+      route: ServerRoute;
+      request: ServerRequest;
+    };
+    "server:onResponse": {
+      route: ServerRoute;
+      request: ServerRequest;
+      response: ServerResponse$1;
+    };
+    "client:onRequest": {
+      route: HttpAction;
+      config: ServerRequestConfigEntry;
+      options: ClientRequestOptions;
+      headers: Record<string, string>;
+      request: RequestInit;
+    };
+    "client:beforeFetch": {
+      url: string;
+      options: FetchOptions;
+      request: RequestInit;
+    };
+    "client:onError": {
+      route?: HttpAction;
+      error: HttpError;
+    };
+    "node:request": NodeRequestEvent;
+    "web:request": WebRequestEvent;
+  }
 }
 //#endregion
-//#region ../alepha/src/server/providers/ServerProvider.d.ts
+//#region ../alepha/src/security/interfaces/UserAccountToken.d.ts
 /**
- * Base server provider to handle incoming requests and route them.
- *
- * This is the default implementation for serverless environments.
- *
- * ServerProvider supports both Node.js HTTP requests and Web (Fetch API) requests.
+ * Add contextual metadata to a user account info.
+ * E.g. UserAccountToken is a UserAccountInfo during a request.
  */
-declare class ServerProvider {
-  protected readonly log: Logger;
-  protected readonly alepha: Alepha;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly router: ServerRouterProvider;
-  protected readonly internalServerErrorMessage = "Internal Server Error";
-  get hostname(): string;
-  /**
-   * When a Node.js HTTP request is received from outside. (Vercel, AWS Lambda, etc.)
-   */
-  protected readonly onNodeRequest: alepha1246.HookDescriptor<"node:request">;
-  /**
-   * When a Web (Fetch API) request is received from outside. (Netlify, Cloudflare Workers, etc.)
-   */
-  protected readonly onWebRequest: alepha1246.HookDescriptor<"web:request">;
+interface UserAccountToken extends UserAccount {
   /**
-   * Handle Node.js HTTP request event.
-   *
-   * Technically, we just convert Node.js request to Web Standard Request.
+   * Access token for the user.
    */
-  handleNodeRequest(nodeRequestEvent: NodeRequestEvent): Promise<void>;
+  token?: string;
   /**
-   * Handle Web (Fetch API) request event.
+   * Realm name of the user.
    */
-  handleWebRequest(ev: WebRequestEvent): Promise<void>;
+  realm?: string;
   /**
-   * Helper for Vite development mode to let Vite handle (or not) 404.
+   * Is user dedicated to his own resources for this scope ?
+   * Mostly, Admin is false and Customer is true.
    */
-  protected isViteNotFound(url?: string, route?: Route, params?: Record<string, string>): boolean;
+  ownership?: string | boolean;
 }
 //#endregion
-//#region ../alepha/src/cache/providers/CacheProvider.d.ts
+//#region ../alepha/src/security/schemas/permissionSchema.d.ts
+declare const permissionSchema: alepha1672.TObject<{
+  name: alepha1672.TString;
+  group: alepha1672.TOptional<alepha1672.TString>;
+  description: alepha1672.TOptional<alepha1672.TString>;
+  method: alepha1672.TOptional<alepha1672.TString>;
+  path: alepha1672.TOptional<alepha1672.TString>;
+}>;
+type Permission = Static<typeof permissionSchema>;
+//#endregion
+//#region ../alepha/src/security/schemas/roleSchema.d.ts
+declare const roleSchema: alepha1672.TObject<{
+  name: alepha1672.TString;
+  description: alepha1672.TOptional<alepha1672.TString>;
+  default: alepha1672.TOptional<alepha1672.TBoolean>;
+  permissions: alepha1672.TArray<alepha1672.TObject<{
+    name: alepha1672.TString;
+    ownership: alepha1672.TOptional<alepha1672.TBoolean>;
+    exclude: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
+  }>>;
+}>;
+type Role = Static<typeof roleSchema>;
+//#endregion
+//#region ../alepha/src/security/providers/JwtProvider.d.ts
 /**
- * Cache provider interface.
- *
- * All methods are asynchronous and return promises.
- * Values are stored as Uint8Array.
+ * Provides utilities for working with JSON Web Tokens (JWT).
  */
-declare abstract class CacheProvider {
+declare class JwtProvider {
+  protected readonly log: Logger;
+  protected readonly keystore: KeyLoaderHolder[];
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly encoder: TextEncoder;
   /**
-   * Get the value of a key.
-   *
-   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
-   * @param key The key of the value to get.
+   * Adds a key loader to the embedded keystore.
    *
-   * @return The value of the key, or undefined if the key does not exist.
+   * @param name
+   * @param secretKeyOrJwks
    */
-  abstract get(name: string, key: string): Promise<Uint8Array | undefined>;
+  setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet): void;
   /**
-   * Set the string value of a key.
-   *
-   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
-   * @param key The key of the value to set.
-   * @param value The value to set.
-   * @param ttl The time-to-live of the key, in milliseconds.
+   * Retrieves the payload from a JSON Web Token (JWT).
    *
-   * @return The value of the key.
-   */
-  abstract set(name: string, key: string, value: Uint8Array, ttl?: number): Promise<Uint8Array>;
-  /**
-   * Remove the specified keys.
+   * @param token - The JWT to extract the payload from.
    *
-   * @param name Cache name, used to group keys. Should be Redis-like "some:group:name" format.
-   * @param keys The keys to delete.
-   */
-  abstract del(name: string, ...keys: string[]): Promise<void>;
-  abstract has(name: string, key: string): Promise<boolean>;
-  abstract keys(name: string, filter?: string): Promise<string[]>;
-  /**
-   * Remove all keys from all cache names.
+   * @return A Promise that resolves with the payload object from the token.
    */
-  abstract clear(): Promise<void>;
-}
-//#endregion
-//#region ../alepha/src/cache/descriptors/$cache.d.ts
-interface CacheDescriptorOptions<TReturn = any, TParameter extends any[] = any[]> {
+  parse(token: string, keyName?: string, options?: JWTVerifyOptions): Promise<JwtParseResult>;
   /**
-   * The cache name. This is useful for invalidating multiple caches at once.
+   * Creates a JWT token with the provided payload and secret key.
    *
-   * Store key as `cache:$name:$key`.
+   * @param payload - The payload to be encoded in the token.
+   * 	It should include the `realm_access` property which contains an array of roles.
+   * @param keyName - The name of the key to use when signing the token.
    *
-   * @default Name of the key of the class.
-   */
-  name?: string;
-  /**
-   * Function which returns cached data.
-   */
-  handler?: (...args: TParameter) => TReturn;
-  /**
-   * The key generator for the cache.
-   * If not provided, the arguments will be json.stringify().
-   */
-  key?: (...args: TParameter) => string;
-  /**
-   * The store provider for the cache.
-   * If not provided, the default store provider will be used.
+   * @returns The signed JWT token.
    */
-  provider?: InstantiableClass<CacheProvider> | "memory";
+  create(payload: ExtendedJWTPayload, keyName?: string, signOptions?: JwtSignOptions): Promise<string>;
   /**
-   * The time-to-live for the cache in seconds.
-   * Set 0 to skip expiration.
+   * Determines if the provided key is a secret key.
    *
-   * @default 300 (5 minutes).
-   */
-  ttl?: DurationLike;
-  /**
-   * If the cache is disabled.
+   * @param key
+   * @protected
    */
-  disabled?: boolean;
+  protected isSecretKey(key: string): boolean;
 }
-declare class CacheDescriptor<TReturn = any, TParameter extends any[] = any[]> extends Descriptor<CacheDescriptorOptions<TReturn, TParameter>> {
-  protected readonly env: {
-    CACHE_ENABLED: boolean;
-    CACHE_DEFAULT_TTL: number;
-  };
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly provider: CacheProvider;
-  protected encoder: TextEncoder;
-  protected decoder: TextDecoder;
-  protected codes: {
-    BINARY: number;
-    JSON: number;
-    STRING: number;
+type KeyLoader = (protectedHeader?: JWSHeaderParameters, token?: FlattenedJWSInput) => Promise<CryptoKey | KeyObject>;
+interface KeyLoaderHolder {
+  name: string;
+  keyLoader: KeyLoader;
+  secretKey?: string;
+}
+interface JwtSignOptions {
+  header?: Partial<JWTHeaderParameters>;
+}
+interface ExtendedJWTPayload extends JWTPayload {
+  sid?: string;
+  name?: string;
+  roles?: string[];
+  email?: string;
+  organizations?: string[];
+  realm_access?: {
+    roles: string[];
   };
-  get container(): string;
-  run(...args: TParameter): Promise<TReturn>;
-  key(...args: TParameter): string;
-  invalidate(...keys: string[]): Promise<void>;
-  set(key: string, value: TReturn, ttl?: DurationLike): Promise<void>;
-  get(key: string): Promise<TReturn | undefined>;
-  protected serialize<TReturn>(value: TReturn): Uint8Array;
-  protected deserialize<TReturn>(uint8Array: Uint8Array): Promise<TReturn>;
-  protected $provider(): CacheProvider;
 }
-interface CacheDescriptorFn<TReturn = any, TParameter extends any[] = any[]> extends CacheDescriptor<TReturn, TParameter> {
-  /**
-   * Run the cache descriptor with the provided arguments.
-   */
-  (...args: TParameter): Promise<TReturn>;
+interface JwtParseResult {
+  keyName: string;
+  result: JWTVerifyResult<ExtendedJWTPayload>;
 }
 //#endregion
-//#region ../alepha/src/server/services/HttpClient.d.ts
-declare class HttpClient {
-  protected readonly log: Logger;
-  protected readonly alepha: Alepha;
-  readonly cache: CacheDescriptorFn<HttpClientCache, any[]>;
-  protected readonly pendingRequests: HttpClientPendingRequests;
-  fetchAction(args: FetchActionArgs): Promise<FetchResponse>;
-  fetch<T$1 extends TSchema>(url: string, request?: RequestInitWithOptions<T$1>): Promise<FetchResponse<Static<T$1>>>;
-  protected url(host: string, action: HttpAction, args: ServerRequestConfigEntry): string;
-  protected body(init: RequestInit, headers: Record<string, string>, action: HttpAction, args?: ServerRequestConfigEntry): Promise<void>;
-  protected responseData(response: Response, options: FetchOptions): Promise<any>;
-  protected isMaybeFile(response: Response): boolean;
-  protected createFileLike(response: Response, defaultFileName?: string): FileLike;
-  pathVariables(url: string, action: {
-    schema?: {
-      params?: TObject;
-    };
-  }, args?: ServerRequestConfigEntry): string;
-  queryParams(url: string, action: {
-    schema?: {
-      query?: TObject;
-    };
-  }, args?: ServerRequestConfigEntry): string;
+//#region ../alepha/src/security/providers/SecurityProvider.d.ts
+declare const envSchema$6: alepha1672.TObject<{
+  APP_SECRET: alepha1672.TString;
+}>;
+declare module "alepha" {
+  interface Env extends Partial<Static<typeof envSchema$6>> {}
 }
-interface FetchOptions<T$1 extends TSchema = TSchema> {
-  /**
-   * Key to identify the request in the pending requests.
-   */
-  key?: string;
-  /**
-   * The schema to validate the response against.
-   */
-  schema?: {
-    response?: T$1;
+declare class SecurityProvider {
+  protected readonly UNKNOWN_USER_NAME = "Anonymous User";
+  protected readonly PERMISSION_REGEXP: RegExp;
+  protected readonly PERMISSION_REGEXP_WILDCARD: RegExp;
+  protected readonly log: Logger;
+  protected readonly jwt: JwtProvider;
+  protected readonly env: {
+    APP_SECRET: string;
   };
+  protected readonly alepha: Alepha;
+  get secretKey(): string;
   /**
-   * Built-in cache options.
+   * The permissions configured for the security provider.
    */
-  localCache?: boolean | number | DurationLike;
-}
-type RequestInitWithOptions<T$1 extends TSchema = TSchema> = RequestInit & FetchOptions<T$1>;
-interface FetchResponse<T$1 = any> {
-  data: T$1;
-  status: number;
-  statusText: string;
-  headers: Headers;
-  raw?: Response;
-}
-type HttpClientPendingRequests = Record<string, Promise<any> | undefined>;
-interface HttpClientCache {
-  data: any;
-  etag?: string;
-}
-interface FetchActionArgs {
-  action: HttpAction;
-  host?: string;
-  config?: ServerRequestConfigEntry;
-  options?: ClientRequestOptions;
-}
-interface HttpAction {
-  method?: string;
-  prefix?: string;
-  path: string;
-  requestBodyType?: string;
-  schema?: {
-    params?: TObject;
-    query?: TObject;
-    body?: TRequestBody;
-    response?: TResponseBody;
-  };
-}
-//#endregion
-//#region ../alepha/src/server/descriptors/$action.d.ts
-interface ActionDescriptorOptions<TConfig extends RequestConfigSchema> extends Omit<ServerRoute, "handler" | "path" | "schema" | "mapParams"> {
+  protected readonly permissions: Permission[];
   /**
-   * Name of the action.
-   *
-   * - It will be used to generate the route path if `path` is not provided.
-   * - It will be used to generate the permission name if `security` is enabled.
+   * The realms configured for the security provider.
    */
-  name?: string;
+  protected readonly realms: Realm[];
+  protected start: alepha1672.HookPrimitive<"start">;
   /**
-   * Group actions together.
-   *
-   * - If not provided, the service name containing the route will be used.
-   * - It will be used as Tag for documentation purposes.
-   * - It will be used for permission name generation if `security` is enabled.
-   *
-   * @example
-   * ```ts
-   * // group = "MyController"
-   * class MyController {
-   * 	hello = $action({ handler: () => "Hello World" });
-   * }
+   * Adds a role to one or more realms.
    *
-   * // group = "users"
-   * class MyOtherController {
-   *   group = "users";
-   *   a1 = $action({ handler: () => "Action 1", group: this.group });
-   *   a2 = $action({ handler: () => "Action 2", group: this.group });
-   * }
-   * ```
+   * @param role
+   * @param realms
    */
-  group?: string;
+  createRole(role: Role, ...realms: string[]): Role;
   /**
-   * Pathname of the route. If not provided, property key is used.
+   * Adds a permission to the security provider.
+   *
+   * @param raw - The permission to add.
    */
-  path?: string;
+  createPermission(raw: Permission | string): Permission;
+  createRealm(realm: Realm): void;
   /**
-   * The route method.
+   * Updates the roles for a realm then synchronizes the user account provider if available.
    *
-   * - If not provided, it will be set to "GET" by default.
-   * - If not provider and a body is provided, it will be set to "POST".
+   * Only available when the app is started.
    *
-   * Wildcard methods are not supported for now. (e.g. "ALL", "ANY", etc.)
+   * @param realm - The realm to update the roles for.
+   * @param roles - The roles to update.
    */
-  method?: RouteMethod;
+  updateRealm(realm: string, roles: Role[]): Promise<void>;
   /**
-   * The config schema of the route.
-   * - body: The request body schema.
-   * - params: Path variables schema.
-   * - query: The request query-params schema.
-   * - response: The response schema.
+   * Creates a user account from the provided payload.
+   *
+   * @param payload - The payload to create the user account from.
+   * @param [realmName] - The realm containing the roles. Default is all.
+   *
+   * @returns The user info created from the payload.
    */
-  schema?: TConfig;
+  createUserFromPayload(payload: JWTPayload, realmName?: string): UserAccount;
   /**
-   * A short description of the action. Used for documentation purposes.
+   * Checks if the user has the specified permission.
+   *
+   * Bonus: we check also if the user has "ownership" flag.
+   *
+   * @param permissionLike - The permission to check for.
+   * @param roleEntries - The roles to check for the permission.
    */
-  description?: string;
+  checkPermission(permissionLike: string | Permission, ...roleEntries: string[]): SecurityCheckResult;
   /**
-   * Disable the route. Useful with env variables do disable one specific route.
-   * Route won't be available in the API but can still be called locally!
+   * Creates a user account from the provided payload.
    */
-  disabled?: boolean;
+  createUserFromToken(headerOrToken?: string, options?: {
+    permission?: Permission | string;
+    realm?: string;
+    verify?: JWTVerifyOptions;
+  }): Promise<UserAccountToken>;
   /**
-   * Main route handler. This is where the route logic is implemented.
+   * Checks if a user has a specific role.
+   *
+   * @param roleName - The role to check for.
+   * @param permission - The permission to check for.
+   * @returns True if the user has the role, false otherwise.
    */
-  handler: ServerActionHandler<TConfig>;
-}
-declare class ActionDescriptor<TConfig extends RequestConfigSchema> extends Descriptor<ActionDescriptorOptions<TConfig>> {
-  protected readonly log: Logger;
-  protected readonly env: {
-    SERVER_API_PREFIX: string;
-  };
-  protected readonly httpClient: HttpClient;
-  protected readonly serverProvider: ServerProvider;
-  protected readonly serverRouterProvider: ServerRouterProvider;
-  protected onInit(): void;
-  get prefix(): string;
-  get route(): ServerRoute;
+  can(roleName: string, permission: string | Permission): boolean;
   /**
-   * Returns the name of the action.
+   * Checks if a user has ownership of a specific permission.
    */
-  get name(): string;
+  ownership(roleName: string, permission: string | Permission): string | boolean | undefined;
   /**
-   * Returns the group of the action. (e.g. "orders", "admin", etc.)
+   * Converts a permission object to a string.
+   *
+   * @param permission
    */
-  get group(): string;
+  permissionToString(permission: Permission | string): string;
+  getRealms(): Realm[];
   /**
-   * Returns the HTTP method of the action.
+   * Retrieves the user account from the provided user ID.
+   *
+   * @param realm
    */
-  get method(): RouteMethod;
+  getRoles(realm?: string): Role[];
   /**
-   * Returns the path of the action.
+   * Returns all permissions.
    *
-   * Path is prefixed by `/api` by default.
+   * @param user - Filter permissions by user.
+   *
+   * @return An array containing all permissions.
    */
-  get path(): string;
-  get schema(): TConfig | undefined;
-  getBodyContentType(): string | undefined;
+  getPermissions(user?: {
+    roles?: Array<Role | string>;
+    realm?: string;
+  }): Permission[];
   /**
-   * Call the action handler directly.
-   * There is no HTTP layer involved.
+   * Retrieves the user ID from the provided payload object.
+   *
+   * @param payload - The payload object from which to extract the user ID.
+   * @return The user ID as a string.
    */
-  run(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
+  getIdFromPayload(payload: Record<string, any>): string;
+  getSessionIdFromPayload(payload: Record<string, any>): string | undefined;
   /**
-   * Works like `run`, but always fetches (http request) the route.
+   * Retrieves the roles from the provided payload object.
+   * @param payload - The payload object from which to extract the roles.
+   * @return An array of role strings.
    */
-  fetch(config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<FetchResponse<ClientRequestResponse<TConfig>>>;
-}
-interface ActionDescriptorFn<TConfig extends RequestConfigSchema> extends ActionDescriptor<TConfig> {
-  (config?: ClientRequestEntry<TConfig>, options?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
-}
-type ClientRequestEntry<TConfig extends RequestConfigSchema, T$1 = ClientRequestEntryContainer<TConfig>> = { [K in keyof T$1 as T$1[K] extends undefined ? never : K]: T$1[K] };
-type ClientRequestEntryContainer<TConfig extends RequestConfigSchema> = {
-  body: TConfig["body"] extends TObject ? Static<TConfig["body"]> : undefined;
-  params: TConfig["params"] extends TObject ? Static<TConfig["params"]> : undefined;
-  headers?: TConfig["headers"] extends TObject ? Static<TConfig["headers"]> : undefined;
-  query?: TConfig["query"] extends TObject ? Partial<Static<TConfig["query"]>> : undefined;
-};
-interface ClientRequestOptions extends FetchOptions {
+  getRolesFromPayload(payload: Record<string, any>): string[];
+  getPictureFromPayload(payload: Record<string, any>): string | undefined;
+  getUsernameFromPayload(payload: Record<string, any>): string | undefined;
+  getEmailFromPayload(payload: Record<string, any>): string | undefined;
   /**
-   * Standard request fetch options.
+   * Returns the name from the given payload.
+   *
+   * @param payload - The payload object.
+   * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.
    */
-  request?: RequestInit;
+  getNameFromPayload(payload: Record<string, any>): string;
+  getOrganizationsFromPayload(payload: Record<string, any>): string[] | undefined;
 }
-type ClientRequestResponse<TConfig extends RequestConfigSchema> = TConfig["response"] extends TSchema ? Static<TConfig["response"]> : any;
-/**
- * Specific handler for server actions.
- */
-type ServerActionHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerActionRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
 /**
- * Server Action Request Interface
- *
- * Can be extended with module augmentation to add custom properties (like `user` in Server Security).
- *
- * This is NOT Server Request, but a specific type for actions.
+ * A realm definition.
  */
-interface ServerActionRequest<TConfig extends RequestConfigSchema> extends ServerRequest<TConfig> {}
-//#endregion
-//#region ../alepha/src/server/schemas/errorSchema.d.ts
-declare const errorSchema: alepha1246.TObject<{
-  error: alepha1246.TString;
-  status: alepha1246.TInteger;
-  message: alepha1246.TString;
-  details: alepha1246.TOptional<alepha1246.TString>;
-  requestId: alepha1246.TOptional<alepha1246.TString>;
-  cause: alepha1246.TOptional<alepha1246.TObject<{
-    name: alepha1246.TString;
-    message: alepha1246.TString;
-  }>>;
-}>;
-type ErrorSchema = Static<typeof errorSchema>;
-//#endregion
-//#region ../alepha/src/server/errors/HttpError.d.ts
-declare class HttpError extends AlephaError {
+interface Realm {
   name: string;
-  static is: (error: unknown, status?: number) => error is HttpErrorLike;
-  static toJSON(error: HttpError): ErrorSchema;
-  readonly error: string;
-  readonly status: number;
-  readonly requestId?: string;
-  readonly details?: string;
-  readonly reason?: {
-    name: string;
-    message: string;
-  };
-  constructor(options: Partial<ErrorSchema>, cause?: unknown);
+  roles: Role[];
+  /**
+   * The secret key for the realm.
+   *
+   * Can be also a JWKS URL.
+   */
+  secret?: string | JSONWebKeySet | (() => string);
+  /**
+   * Create the user account info based on the raw JWT payload.
+   * By default, SecurityProvider has his own implementation, but this method allow to override it.
+   */
+  profile?: (raw: Record<string, any>) => UserAccount;
 }
-interface HttpErrorLike extends Error {
-  status: number;
+interface SecurityCheckResult {
+  isAuthorized: boolean;
+  ownership: string | boolean | undefined;
 }
 //#endregion
-//#region ../alepha/src/server/descriptors/$route.d.ts
-interface RouteDescriptorOptions<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRoute<TConfig> {}
-declare class RouteDescriptor<TConfig extends RequestConfigSchema> extends Descriptor<RouteDescriptorOptions<TConfig>> {
-  protected readonly serverRouterProvider: ServerRouterProvider;
-  protected onInit(): void;
+//#region ../alepha/src/security/primitives/$realm.d.ts
+type RealmPrimitiveOptions = {
+  /**
+   * Define the realm name.
+   * If not provided, it will use the property key.
+   */
+  name?: string;
+  /**
+   * Short description about the realm.
+   */
+  description?: string;
+  /**
+   * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).
+   */
+  roles?: Array<string | Role>;
+  /**
+   * Realm settings.
+   */
+  settings?: RealmSettings;
+  /**
+   * Parse the JWT payload to create a user account info.
+   */
+  profile?: (jwtPayload: Record<string, any>) => UserAccount;
+} & (RealmInternal | RealmExternal);
+interface RealmSettings {
+  accessToken?: {
+    /**
+     * Lifetime of the access token.
+     * @default 15 minutes
+     */
+    expiration?: DurationLike;
+  };
+  refreshToken?: {
+    /**
+     * Lifetime of the refresh token.
+     * @default 30 days
+     */
+    expiration?: DurationLike;
+  };
+  onCreateSession?: (user: UserAccount, config: {
+    expiresIn: number;
+  }) => Promise<{
+    refreshToken: string;
+    sessionId?: string;
+  }>;
+  onRefreshSession?: (refreshToken: string) => Promise<{
+    user: UserAccount;
+    expiresIn: number;
+    sessionId?: string;
+  }>;
+  onDeleteSession?: (refreshToken: string) => Promise<void>;
 }
-//#endregion
-//#region ../alepha/src/server/providers/BunHttpServerProvider.d.ts
-declare const envSchema$7: alepha1246.TObject<{
-  SERVER_PORT: alepha1246.TInteger;
-  SERVER_HOST: alepha1246.TString;
-}>;
-declare module "alepha" {
-  interface Env extends Partial<Static<typeof envSchema$7>> {}
+type RealmInternal = {
+  /**
+   * Internal secret to sign JWT tokens and verify them.
+   */
+  secret: string;
+};
+interface RealmExternal {
+  /**
+   * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.
+   */
+  jwks: (() => string) | JSONWebKeySet;
+}
+declare class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {
+  protected readonly securityProvider: SecurityProvider;
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly jwt: JwtProvider;
+  protected readonly log: Logger;
+  get name(): string;
+  get accessTokenExpiration(): Duration;
+  get refreshTokenExpiration(): Duration;
+  protected onInit(): void;
+  /**
+   * Get all roles in the realm.
+   */
+  getRoles(): Role[];
+  /**
+   * Set all roles in the realm.
+   */
+  setRoles(roles: Role[]): Promise<void>;
+  /**
+   * Get a role by name, throws an error if not found.
+   */
+  getRoleByName(name: string): Role;
+  parseToken(token: string): Promise<JWTPayload>;
+  /**
+   * Create a token for the subject.
+   */
+  createToken(user: UserAccount, refreshToken?: {
+    sid?: string;
+    refresh_token?: string;
+    refresh_token_expires_in?: number;
+  }): Promise<AccessTokenResponse>;
+  refreshToken(refreshToken: string, accessToken?: string): Promise<{
+    tokens: AccessTokenResponse;
+    user: UserAccount;
+  }>;
 }
-//#endregion
-//#region ../alepha/src/server/providers/NodeHttpServerProvider.d.ts
-declare const envSchema$6: alepha1246.TObject<{
-  SERVER_PORT: alepha1246.TInteger;
-  SERVER_HOST: alepha1246.TString;
-}>;
-declare module "alepha" {
-  interface Env extends Partial<Static<typeof envSchema$6>> {}
+interface AccessTokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in?: number;
+  issued_at: number;
+  refresh_token?: string;
+  refresh_token_expires_in?: number;
+  scope?: string;
 }
 //#endregion
-//#region ../alepha/src/server/index.d.ts
-declare module "alepha" {
-  interface State {
-    "alepha.node.server"?: Server;
-  }
-  interface Hooks {
-    "action:onRequest": {
-      action: ActionDescriptor<RequestConfigSchema>;
-      request: ServerRequest;
-      options: ClientRequestOptions;
-    };
-    "action:onResponse": {
-      action: ActionDescriptor<RequestConfigSchema>;
-      request: ServerRequest;
-      options: ClientRequestOptions;
-      response: any;
-    };
-    "server:onRequest": {
-      route: ServerRoute;
-      request: ServerRequest;
-    };
-    "server:onError": {
-      route: ServerRoute;
-      request: ServerRequest;
-      error: Error;
-    };
-    "server:onSend": {
-      route: ServerRoute;
-      request: ServerRequest;
-    };
-    "server:onResponse": {
-      route: ServerRoute;
-      request: ServerRequest;
-      response: ServerResponse$1;
-    };
-    "client:onRequest": {
-      route: HttpAction;
-      config: ServerRequestConfigEntry;
-      options: ClientRequestOptions;
-      headers: Record<string, string>;
-      request: RequestInit;
-    };
-    "client:beforeFetch": {
-      url: string;
-      options: FetchOptions;
-      request: RequestInit;
-    };
-    "client:onError": {
-      route?: HttpAction;
-      error: HttpError;
-    };
-    "node:request": NodeRequestEvent;
-    "web:request": WebRequestEvent;
-  }
+//#region ../alepha/src/security/primitives/$serviceAccount.d.ts
+interface ServiceAccountPrimitive {
+  token: () => Promise<string>;
 }
 //#endregion
 //#region ../alepha/src/security/providers/CryptoProvider.d.ts
@@ -1393,7 +1393,7 @@ declare module "alepha" {
 /**
  * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
  *
- * The security module enables building secure applications using descriptors like `$realm`, `$role`, and `$permission`
+ * The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`
  * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
  * integration with various authentication providers and user management systems.
  *
@@ -1468,23 +1468,23 @@ declare module "alepha/server" {
  */
 //#endregion
 //#region ../alepha/src/server-links/schemas/apiLinksResponseSchema.d.ts
-declare const apiLinkSchema: alepha1246.TObject<{
-  name: alepha1246.TString;
-  group: alepha1246.TOptional<alepha1246.TString>;
-  path: alepha1246.TString;
-  method: alepha1246.TOptional<alepha1246.TString>;
-  requestBodyType: alepha1246.TOptional<alepha1246.TString>;
-  service: alepha1246.TOptional<alepha1246.TString>;
+declare const apiLinkSchema: alepha1672.TObject<{
+  name: alepha1672.TString;
+  group: alepha1672.TOptional<alepha1672.TString>;
+  path: alepha1672.TString;
+  method: alepha1672.TOptional<alepha1672.TString>;
+  requestBodyType: alepha1672.TOptional<alepha1672.TString>;
+  service: alepha1672.TOptional<alepha1672.TString>;
 }>;
-declare const apiLinksResponseSchema: alepha1246.TObject<{
-  prefix: alepha1246.TOptional<alepha1246.TString>;
-  links: alepha1246.TArray<alepha1246.TObject<{
-    name: alepha1246.TString;
-    group: alepha1246.TOptional<alepha1246.TString>;
-    path: alepha1246.TString;
-    method: alepha1246.TOptional<alepha1246.TString>;
-    requestBodyType: alepha1246.TOptional<alepha1246.TString>;
-    service: alepha1246.TOptional<alepha1246.TString>;
+declare const apiLinksResponseSchema: alepha1672.TObject<{
+  prefix: alepha1672.TOptional<alepha1672.TString>;
+  links: alepha1672.TArray<alepha1672.TObject<{
+    name: alepha1672.TString;
+    group: alepha1672.TOptional<alepha1672.TString>;
+    path: alepha1672.TString;
+    method: alepha1672.TOptional<alepha1672.TString>;
+    requestBodyType: alepha1672.TOptional<alepha1672.TString>;
+    service: alepha1672.TOptional<alepha1672.TString>;
   }>>;
 }>;
 type ApiLinksResponse = Static<typeof apiLinksResponseSchema>;
@@ -1551,14 +1551,14 @@ interface ClientScope {
   service?: string;
   hostname?: string;
 }
-type HttpVirtualClient<T$1> = { [K in keyof T$1 as T$1[K] extends ActionDescriptor<RequestConfigSchema> ? K : never]: T$1[K] extends ActionDescriptor<infer Schema> ? VirtualAction<Schema> : never };
-interface VirtualAction<T$1 extends RequestConfigSchema> extends Pick<ActionDescriptor<T$1>, "name" | "run" | "fetch"> {
+type HttpVirtualClient<T$1> = { [K in keyof T$1 as T$1[K] extends ActionPrimitive<RequestConfigSchema> ? K : never]: T$1[K] extends ActionPrimitive<infer Schema> ? VirtualAction<Schema> : never };
+interface VirtualAction<T$1 extends RequestConfigSchema> extends Pick<ActionPrimitive<T$1>, "name" | "run" | "fetch"> {
   (config?: ClientRequestEntry<T$1>, opts?: ClientRequestOptions): Promise<ClientRequestResponse<T$1>>;
   can: () => boolean;
 }
 //#endregion
-//#region ../alepha/src/server-proxy/descriptors/$proxy.d.ts
-type ProxyDescriptorOptions = {
+//#region ../alepha/src/server-proxy/primitives/$proxy.d.ts
+type ProxyPrimitiveOptions = {
   /**
    * Path pattern to match for proxying requests.
    *
@@ -1680,14 +1680,14 @@ declare class ServerProxyProvider {
   protected readonly log: Logger;
   protected readonly routerProvider: ServerRouterProvider;
   protected readonly alepha: Alepha;
-  protected readonly configure: alepha1246.HookDescriptor<"configure">;
-  createProxy(options: ProxyDescriptorOptions): void;
-  createProxyHandler(target: string, options: Omit<ProxyDescriptorOptions, "path">): ServerHandler;
+  protected readonly configure: alepha1672.HookPrimitive<"configure">;
+  createProxy(options: ProxyPrimitiveOptions): void;
+  createProxyHandler(target: string, options: Omit<ProxyPrimitiveOptions, "path">): ServerHandler;
   private getRawRequestBody;
 }
 //#endregion
-//#region ../alepha/src/server-links/descriptors/$remote.d.ts
-interface RemoteDescriptorOptions {
+//#region ../alepha/src/server-links/primitives/$remote.d.ts
+interface RemotePrimitiveOptions {
   /**
    * The URL of the remote service.
    * You can use a function to generate the URL dynamically.
@@ -1719,7 +1719,7 @@ interface RemoteDescriptorOptions {
    * If true, all methods of the remote service will be exposed as actions in this context.
    * > Note: Proxy will never use the service account, it just... proxies the request.
    */
-  proxy?: boolean | Partial<ProxyDescriptorOptions & {
+  proxy?: boolean | Partial<ProxyPrimitiveOptions & {
     /**
      * If true, the remote service won't be available internally, only through the proxy.
      */
@@ -1729,9 +1729,9 @@ interface RemoteDescriptorOptions {
    * For communication between the server and the remote service with a security layer.
    * This will be used for internal communication and will not be exposed to the client.
    */
-  serviceAccount?: ServiceAccountDescriptor;
+  serviceAccount?: ServiceAccountPrimitive;
 }
-declare class RemoteDescriptor extends Descriptor<RemoteDescriptorOptions> {
+declare class RemotePrimitive extends Primitive<RemotePrimitiveOptions> {
   get name(): string;
 }
 //#endregion
@@ -1822,8 +1822,8 @@ declare class RetryProvider {
   protected calculateBackoff(attempt: number, options?: number | RetryBackoffOptions): number;
 }
 //#endregion
-//#region ../alepha/src/retry/descriptors/$retry.d.ts
-interface RetryDescriptorOptions<T$1 extends (...args: any[]) => any> {
+//#region ../alepha/src/retry/primitives/$retry.d.ts
+interface RetryPrimitiveOptions<T$1 extends (...args: any[]) => any> {
   /**
    * The function to retry.
    */
@@ -1863,18 +1863,18 @@ interface RetryDescriptorOptions<T$1 extends (...args: any[]) => any> {
    */
   signal?: AbortSignal;
 }
-declare class RetryDescriptor<T$1 extends (...args: any[]) => any> extends Descriptor<RetryDescriptorOptions<T$1>> {
+declare class RetryPrimitive<T$1 extends (...args: any[]) => any> extends Primitive<RetryPrimitiveOptions<T$1>> {
   protected readonly retryProvider: RetryProvider;
   protected appAbortController?: AbortController;
-  constructor(args: DescriptorArgs<RetryDescriptorOptions<T$1>>);
+  constructor(args: PrimitiveArgs<RetryPrimitiveOptions<T$1>>);
   run(...args: Parameters<T$1>): Promise<ReturnType<T$1>>;
 }
-interface RetryDescriptorFn<T$1 extends (...args: any[]) => any> extends RetryDescriptor<T$1> {
+interface RetryPrimitiveFn<T$1 extends (...args: any[]) => any> extends RetryPrimitive<T$1> {
   (...args: Parameters<T$1>): Promise<ReturnType<T$1>>;
 }
 //#endregion
-//#region ../alepha/src/server-links/providers/RemoteDescriptorProvider.d.ts
-declare class RemoteDescriptorProvider {
+//#region ../alepha/src/server-links/providers/RemotePrimitiveProvider.d.ts
+declare class RemotePrimitiveProvider {
   protected readonly env: {
     SERVER_API_PREFIX: string;
   };
@@ -1884,10 +1884,10 @@ declare class RemoteDescriptorProvider {
   protected readonly remotes: Array<ServerRemote>;
   protected readonly log: Logger;
   getRemotes(): ServerRemote[];
-  readonly configure: alepha1246.HookDescriptor<"configure">;
-  readonly start: alepha1246.HookDescriptor<"start">;
-  registerRemote(value: RemoteDescriptor): Promise<void>;
-  protected readonly fetchLinks: RetryDescriptorFn<(opts: FetchLinksOptions) => Promise<ApiLinksResponse>>;
+  readonly configure: alepha1672.HookPrimitive<"configure">;
+  readonly start: alepha1672.HookPrimitive<"start">;
+  registerRemote(value: RemotePrimitive): Promise<void>;
+  protected readonly fetchLinks: RetryPrimitiveFn<(opts: FetchLinksOptions) => Promise<ApiLinksResponse>>;
 }
 interface FetchLinksOptions {
   /**
@@ -1936,7 +1936,7 @@ interface ServerRemote {
   /**
    * Force a default access token provider when not provided.
    */
-  serviceAccount?: ServiceAccountDescriptor;
+  serviceAccount?: ServiceAccountPrimitive;
   /**
    * Prefix for the remote service links.
    */
@@ -1950,25 +1950,25 @@ declare class ServerLinksProvider {
   };
   protected readonly alepha: Alepha;
   protected readonly linkProvider: LinkProvider;
-  protected readonly remoteProvider: RemoteDescriptorProvider;
+  protected readonly remoteProvider: RemotePrimitiveProvider;
   protected readonly serverTimingProvider: ServerTimingProvider;
   get prefix(): string;
-  readonly onRoute: alepha1246.HookDescriptor<"configure">;
+  readonly onRoute: alepha1672.HookPrimitive<"configure">;
   /**
    * First API - Get all API links for the user.
    *
    * This is based on the user's permissions.
    */
-  readonly links: RouteDescriptor<{
-    response: alepha1246.TObject<{
-      prefix: alepha1246.TOptional<alepha1246.TString>;
-      links: alepha1246.TArray<alepha1246.TObject<{
-        name: alepha1246.TString;
-        group: alepha1246.TOptional<alepha1246.TString>;
-        path: alepha1246.TString;
-        method: alepha1246.TOptional<alepha1246.TString>;
-        requestBodyType: alepha1246.TOptional<alepha1246.TString>;
-        service: alepha1246.TOptional<alepha1246.TString>;
+  readonly links: RoutePrimitive<{
+    response: alepha1672.TObject<{
+      prefix: alepha1672.TOptional<alepha1672.TString>;
+      links: alepha1672.TArray<alepha1672.TObject<{
+        name: alepha1672.TString;
+        group: alepha1672.TOptional<alepha1672.TString>;
+        path: alepha1672.TString;
+        method: alepha1672.TOptional<alepha1672.TString>;
+        requestBodyType: alepha1672.TOptional<alepha1672.TString>;
+        service: alepha1672.TOptional<alepha1672.TString>;
       }>>;
     }>;
   }>;
@@ -1978,11 +1978,11 @@ declare class ServerLinksProvider {
    * Note: Body/Response schema are not included in `links` API because it's TOO BIG.
    * I mean for 150+ links, you got 50ms of serialization time.
    */
-  readonly schema: RouteDescriptor<{
-    params: alepha1246.TObject<{
-      name: alepha1246.TString;
+  readonly schema: RoutePrimitive<{
+    params: alepha1672.TObject<{
+      name: alepha1672.TString;
     }>;
-    response: alepha1246.TRecord<string, alepha1246.TAny>;
+    response: alepha1672.TRecord<string, alepha1672.TAny>;
   }>;
   getSchemaByName(name: string, options?: GetApiLinksOptions): Promise<RequestConfigSchema>;
   /**
@@ -2011,7 +2011,7 @@ declare module "alepha" {
 /**
  * Provides server-side link management and remote capabilities for client-server interactions.
  *
- * The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
+ * The server-links module enables declarative link definitions using `$remote` and `$client` primitives,
  * facilitating seamless API endpoint management and client-server communication. It integrates with server
  * security features to ensure safe and controlled access to resources.
  *
@@ -2032,7 +2032,7 @@ declare module "alepha/server" {
      */
     cache?: ServerRouteCache;
   }
-  interface ActionDescriptor<TConfig extends RequestConfigSchema> {
+  interface ActionPrimitive<TConfig extends RequestConfigSchema> {
     invalidate: () => Promise<void>;
   }
 }
@@ -2051,11 +2051,11 @@ boolean
   /**
    * If true, enables storing cached responses. (in-memory, Redis, @see alepha/cache for other providers)
    * If a DurationLike is provided, it will be used as the TTL for the cache.
-   * If CacheDescriptorOptions is provided, it will be used to configure the cache storage.
+   * If CachePrimitiveOptions is provided, it will be used to configure the cache storage.
    *
    * @default false
    */
-  store?: true | DurationLike | CacheDescriptorOptions;
+  store?: true | DurationLike | CachePrimitiveOptions;
   /**
    * If true, enables ETag support for the cached responses.
    */
@@ -2135,13 +2135,13 @@ declare class Redirection extends Error {
 }
 //#endregion
 //#region ../react/src/core/providers/ReactPageProvider.d.ts
-declare const envSchema$5: alepha1246.TObject<{
-  REACT_STRICT_MODE: alepha1246.TBoolean;
+declare const envSchema$5: alepha1672.TObject<{
+  REACT_STRICT_MODE: alepha1672.TBoolean;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$5>> {}
 }
-interface PageRouteEntry extends Omit<PageDescriptorOptions, "children" | "parent"> {
+interface PageRouteEntry extends Omit<PagePrimitiveOptions, "children" | "parent"> {
   children?: PageRouteEntry[];
 }
 interface PageRoute extends PageRouteEntry {
@@ -2196,19 +2196,19 @@ interface ReactRouterState {
 //#endregion
 //#region ../react/src/core/services/ReactPageService.d.ts
 declare class ReactPageService {
-  fetch(pathname: string, options?: PageDescriptorRenderOptions): Promise<{
+  fetch(pathname: string, options?: PagePrimitiveRenderOptions): Promise<{
     html: string;
     response: Response;
   }>;
-  render(name: string, options?: PageDescriptorRenderOptions): Promise<PageDescriptorRenderResult>;
+  render(name: string, options?: PagePrimitiveRenderOptions): Promise<PagePrimitiveRenderResult>;
 }
 //#endregion
-//#region ../react/src/core/descriptors/$page.d.ts
-interface PageDescriptorOptions<TConfig extends PageConfigSchema = PageConfigSchema, TProps extends object = TPropsDefault, TPropsParent extends object = TPropsParentDefault> {
+//#region ../react/src/core/primitives/$page.d.ts
+interface PagePrimitiveOptions<TConfig extends PageConfigSchema = PageConfigSchema, TProps extends object = TPropsDefault, TPropsParent extends object = TPropsParentDefault> {
   /**
    * Identifier name for the page. Must be unique.
    *
-   * @default Descriptor key
+   * @default Primitive key
    */
   name?: string;
   /**
@@ -2260,11 +2260,11 @@ interface PageDescriptorOptions<TConfig extends PageConfigSchema = PageConfigSch
    * Attach child pages to create nested routes.
    * This will make the page a parent route.
    */
-  children?: Array<PageDescriptor> | (() => Array<PageDescriptor>);
+  children?: Array<PagePrimitive> | (() => Array<PagePrimitive>);
   /**
    * Define a parent page for nested routing.
    */
-  parent?: PageDescriptor<PageConfigSchema, TPropsParent, any>;
+  parent?: PagePrimitive<PageConfigSchema, TPropsParent, any>;
   can?: () => boolean;
   /**
    * Catch any error from the `resolve` function or during `rendering`.
@@ -2374,7 +2374,7 @@ interface PageDescriptorOptions<TConfig extends PageConfigSchema = PageConfigSch
   animation?: PageAnimation;
 }
 type ErrorHandler = (error: Error, state: ReactRouterState) => ReactNode | Redirection | undefined;
-declare class PageDescriptor<TConfig extends PageConfigSchema = PageConfigSchema, TProps extends object = TPropsDefault, TPropsParent extends object = TPropsParentDefault> extends Descriptor<PageDescriptorOptions<TConfig, TProps, TPropsParent>> {
+declare class PagePrimitive<TConfig extends PageConfigSchema = PageConfigSchema, TProps extends object = TPropsDefault, TPropsParent extends object = TPropsParentDefault> extends Primitive<PagePrimitiveOptions<TConfig, TProps, TPropsParent>> {
   protected readonly reactPageService: ReactPageService;
   protected onInit(): void;
   get name(): string;
@@ -2384,8 +2384,8 @@ declare class PageDescriptor<TConfig extends PageConfigSchema = PageConfigSchema
    * This will render the page (HTML layout included or not) and return the HTML + context.
    * Only valid for server-side rendering, it will throw an error if called on the client-side.
    */
-  render(options?: PageDescriptorRenderOptions): Promise<PageDescriptorRenderResult>;
-  fetch(options?: PageDescriptorRenderOptions): Promise<{
+  render(options?: PagePrimitiveRenderOptions): Promise<PagePrimitiveRenderResult>;
+  fetch(options?: PagePrimitiveRenderOptions): Promise<{
     html: string;
     response: Response;
   }>;
@@ -2398,7 +2398,7 @@ interface PageConfigSchema {
 }
 type TPropsDefault = any;
 type TPropsParentDefault = {};
-interface PageDescriptorRenderOptions {
+interface PagePrimitiveRenderOptions {
   params?: Record<string, string>;
   query?: Record<string, string>;
   /**
@@ -2410,7 +2410,7 @@ interface PageDescriptorRenderOptions {
   html?: boolean;
   hydration?: boolean;
 }
-interface PageDescriptorRenderResult {
+interface PagePrimitiveRenderResult {
   html: string;
   state: ReactRouterState;
   redirect?: string;
@@ -2433,8 +2433,8 @@ type CssAnimation = {
 };
 //#endregion
 //#region ../react/src/core/providers/ReactBrowserProvider.d.ts
-declare const envSchema$4: alepha1246.TObject<{
-  REACT_ROOT_ID: alepha1246.TString;
+declare const envSchema$4: alepha1672.TObject<{
+  REACT_ROOT_ID: alepha1672.TString;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$4>> {}
@@ -2442,8 +2442,8 @@ declare module "alepha" {
 /**
  * React browser renderer configuration atom
  */
-declare const reactBrowserOptions: alepha1246.Atom<alepha1246.TObject<{
-  scrollRestoration: alepha1246.TUnsafe<"top" | "manual">;
+declare const reactBrowserOptions: alepha1672.Atom<alepha1672.TObject<{
+  scrollRestoration: alepha1672.TUnsafe<"top" | "manual">;
 }>, "alepha.react.browser.options">;
 type ReactBrowserRendererOptions = Static<typeof reactBrowserOptions.schema>;
 declare module "alepha" {
@@ -2854,10 +2854,10 @@ declare class FileDetector {
 }
 //#endregion
 //#region ../react/src/core/providers/ReactServerProvider.d.ts
-declare const envSchema$3: alepha1246.TObject<{
-  REACT_SSR_ENABLED: alepha1246.TOptional<alepha1246.TBoolean>;
-  REACT_ROOT_ID: alepha1246.TString;
-  REACT_SERVER_TEMPLATE: alepha1246.TOptional<alepha1246.TString>;
+declare const envSchema$3: alepha1672.TObject<{
+  REACT_SSR_ENABLED: alepha1672.TOptional<alepha1672.TBoolean>;
+  REACT_ROOT_ID: alepha1672.TString;
+  REACT_SERVER_TEMPLATE: alepha1672.TOptional<alepha1672.TString>;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$3>> {}
@@ -2868,11 +2868,11 @@ declare module "alepha" {
 /**
  * React server provider configuration atom
  */
-declare const reactServerOptions: alepha1246.Atom<alepha1246.TObject<{
-  publicDir: alepha1246.TString;
-  staticServer: alepha1246.TObject<{
-    disabled: alepha1246.TBoolean;
-    path: alepha1246.TString;
+declare const reactServerOptions: alepha1672.Atom<alepha1672.TObject<{
+  publicDir: alepha1672.TString;
+  staticServer: alepha1672.TObject<{
+    disabled: alepha1672.TBoolean;
+    path: alepha1672.TString;
   }>;
 }>, "alepha.react.server.options">;
 type ReactServerProviderOptions = Static<typeof reactServerOptions.schema>;
@@ -2977,7 +2977,7 @@ declare module "alepha" {
 /**
  * Provides full-stack React development with declarative routing, server-side rendering, and client-side hydration.
  *
- * The React module enables building modern React applications using the `$page` descriptor on class properties.
+ * The React module enables building modern React applications using the `$page` primitive on class properties.
  * It delivers seamless server-side rendering, automatic code splitting, and client-side navigation with full
  * type safety and schema validation for route parameters and data.
  *
@@ -2986,25 +2986,25 @@ declare module "alepha" {
  */
 //#endregion
 //#region ../alepha/src/api-users/atoms/realmAuthSettingsAtom.d.ts
-declare const realmAuthSettingsAtom: alepha1246.Atom<alepha1246.TObject<{
-  registrationAllowed: alepha1246.TBoolean;
-  emailEnabled: alepha1246.TBoolean;
-  emailRequired: alepha1246.TBoolean;
-  usernameEnabled: alepha1246.TBoolean;
-  usernameRequired: alepha1246.TBoolean;
-  phoneEnabled: alepha1246.TBoolean;
-  phoneRequired: alepha1246.TBoolean;
-  verifyEmailRequired: alepha1246.TBoolean;
-  verifyPhoneRequired: alepha1246.TBoolean;
-  firstNameLastNameEnabled: alepha1246.TBoolean;
-  firstNameLastNameRequired: alepha1246.TBoolean;
-  resetPasswordAllowed: alepha1246.TBoolean;
-  passwordPolicy: alepha1246.TObject<{
-    minLength: alepha1246.TInteger;
-    requireUppercase: alepha1246.TBoolean;
-    requireLowercase: alepha1246.TBoolean;
-    requireNumbers: alepha1246.TBoolean;
-    requireSpecialCharacters: alepha1246.TBoolean;
+declare const realmAuthSettingsAtom: alepha1672.Atom<alepha1672.TObject<{
+  registrationAllowed: alepha1672.TBoolean;
+  emailEnabled: alepha1672.TBoolean;
+  emailRequired: alepha1672.TBoolean;
+  usernameEnabled: alepha1672.TBoolean;
+  usernameRequired: alepha1672.TBoolean;
+  phoneEnabled: alepha1672.TBoolean;
+  phoneRequired: alepha1672.TBoolean;
+  verifyEmailRequired: alepha1672.TBoolean;
+  verifyPhoneRequired: alepha1672.TBoolean;
+  firstNameLastNameEnabled: alepha1672.TBoolean;
+  firstNameLastNameRequired: alepha1672.TBoolean;
+  resetPasswordAllowed: alepha1672.TBoolean;
+  passwordPolicy: alepha1672.TObject<{
+    minLength: alepha1672.TInteger;
+    requireUppercase: alepha1672.TBoolean;
+    requireLowercase: alepha1672.TBoolean;
+    requireNumbers: alepha1672.TBoolean;
+    requireSpecialCharacters: alepha1672.TBoolean;
   }>;
 }>, "alepha.api.users.realmAuthSettings">;
 type RealmAuthSettings = Static<typeof realmAuthSettingsAtom.schema>;
@@ -3036,8 +3036,8 @@ type TObjectInsert<T$1 extends TObject> = TObject<{ [K in keyof T$1["properties"
  */
 type TObjectUpdate<T$1 extends TObject> = TObject<{ [K in keyof T$1["properties"]]: T$1["properties"][K] extends TOptional<infer U> ? TOptional<TUnion<[U, TNull]>> : T$1["properties"][K] }>;
 //#endregion
-//#region ../alepha/src/orm/descriptors/$entity.d.ts
-interface EntityDescriptorOptions<T$1 extends TObject, Keys = keyof Static<T$1>> {
+//#region ../alepha/src/orm/primitives/$entity.d.ts
+interface EntityPrimitiveOptions<T$1 extends TObject, Keys = keyof Static<T$1>> {
   /**
    * The database table name that will be created for this entity.
    * If not provided, name will be inferred from the $repository variable name.
@@ -3149,9 +3149,9 @@ interface EntityDescriptorOptions<T$1 extends TObject, Keys = keyof Static<T$1>>
    */
   config?: (self: BuildExtraConfigColumns<string, FromSchema<T$1>, "pg">) => PgTableExtraConfigValue[];
 }
-declare class EntityDescriptor<T$1 extends TObject = TObject> {
-  readonly options: EntityDescriptorOptions<T$1>;
-  constructor(options: EntityDescriptorOptions<T$1>);
+declare class EntityPrimitive<T$1 extends TObject = TObject> {
+  readonly options: EntityPrimitiveOptions<T$1>;
+  constructor(options: EntityPrimitiveOptions<T$1>);
   alias(alias: string): this;
   get cols(): EntityColumns<T$1>;
   get name(): string;
@@ -3171,7 +3171,7 @@ type SchemaToTableConfig<T$1 extends TObject> = {
 };
 type EntityColumn<T$1 extends TObject> = {
   name: string;
-  entity: EntityDescriptor<T$1>;
+  entity: EntityPrimitive<T$1>;
 };
 type EntityColumns<T$1 extends TObject> = { [key in keyof T$1["properties"]]: EntityColumn<T$1> };
 //#endregion
@@ -3217,7 +3217,7 @@ interface PgEnumOptions {
 interface PgRefOptions {
   ref: () => {
     name: string;
-    entity: EntityDescriptor;
+    entity: EntityPrimitive;
   };
   actions?: {
     onUpdate?: UpdateDeleteAction;
@@ -3231,19 +3231,6 @@ declare class DbError extends AlephaError {
   constructor(message: string, cause?: unknown);
 }
 //#endregion
-//#region ../alepha/src/orm/helpers/pgAttr.d.ts
-/**
- * Type representation.
- */
-type PgAttr<T$1 extends TSchema, TAttr extends PgSymbolKeys> = T$1 & { [K in TAttr]: PgSymbols[K] };
-interface PgAttrField {
-  key: string;
-  type: TSchema;
-  data: any;
-  nested?: any[];
-  one?: boolean;
-}
-//#endregion
 //#region ../alepha/src/orm/interfaces/FilterOperators.d.ts
 interface FilterOperators<TValue> {
   /**
@@ -3660,6 +3647,55 @@ interface FilterOperators<TValue> {
   arrayOverlaps?: TValue;
 }
 //#endregion
+//#region ../alepha/src/orm/interfaces/PgQuery.d.ts
+/**
+ * Order direction for sorting
+ */
+type OrderDirection = "asc" | "desc";
+/**
+ * Single order by clause with column and direction
+ */
+interface OrderByClause<T$1> {
+  column: keyof T$1;
+  direction?: OrderDirection;
+}
+/**
+ * Order by parameter - supports 3 modes:
+ * 1. String: orderBy: "name" (defaults to ASC)
+ * 2. Single object: orderBy: { column: "name", direction: "desc" }
+ * 3. Array: orderBy: [{ column: "name", direction: "asc" }, { column: "age", direction: "desc" }]
+ */
+type OrderBy<T$1> = keyof T$1 | OrderByClause<T$1> | Array<OrderByClause<T$1>>;
+/**
+ * Generic query interface for PostgreSQL entities
+ */
+interface PgQuery<T$1 extends TObject = TObject> {
+  distinct?: (keyof Static<T$1>)[];
+  columns?: (keyof Static<T$1>)[];
+  where?: PgQueryWhereOrSQL<T$1>;
+  limit?: number;
+  offset?: number;
+  orderBy?: OrderBy<Static<T$1>>;
+  groupBy?: (keyof Static<T$1>)[];
+}
+type PgStatic<T$1 extends TObject, Relations extends PgRelationMap<T$1>> = Static<T$1> & { [K in keyof Relations]: Static<Relations[K]["join"]["schema"]> & (Relations[K]["with"] extends PgRelationMap<TObject> ? PgStatic<Relations[K]["join"]["schema"], Relations[K]["with"]> : {}) };
+interface PgQueryRelations<T$1 extends TObject = TObject, Relations extends PgRelationMap<T$1> | undefined = undefined> extends PgQuery<T$1> {
+  with?: Relations;
+  where?: PgQueryWhereOrSQL<T$1, Relations>;
+}
+type PgRelationMap<Base extends TObject> = Record<string, PgRelation<Base>>;
+type PgRelation<Base extends TObject> = {
+  type?: "left" | "inner" | "right";
+  join: {
+    schema: TObject;
+    name: string;
+  };
+  on: SQLWrapper | [keyof Static<Base>, {
+    name: string;
+  }];
+  with?: PgRelationMap<TObject>;
+};
+//#endregion
 //#region ../alepha/src/orm/interfaces/PgQueryWhere.d.ts
 type PgQueryWhere<T$1 extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = (PgQueryWhereOperators<T$1> & PgQueryWhereConditions<T$1>) | (PgQueryWhereRelations<Relations> & PgQueryWhereOperators<T$1> & PgQueryWhereConditions<T$1, Relations>);
 type PgQueryWhereOrSQL<T$1 extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = SQLWrapper | PgQueryWhere<T$1, Relations>;
@@ -3739,64 +3775,28 @@ type PgQueryWhereRelations<Relations extends PgRelationMap<TObject> | undefined
  */
 type NestedJsonbQuery<T$1> = T$1 extends object ? T$1 extends Array<infer U> ? U extends object ? { [K in keyof U]?: FilterOperators<U[K]> | U[K] } : FilterOperators<U> | U : { [K in keyof T$1]?: FilterOperators<T$1[K]> | T$1[K] | (T$1[K] extends object ? NestedJsonbQuery<T$1[K]> : never) } : FilterOperators<T$1> | T$1;
 //#endregion
-//#region ../alepha/src/orm/interfaces/PgQuery.d.ts
-/**
- * Order direction for sorting
- */
-type OrderDirection = "asc" | "desc";
-/**
- * Single order by clause with column and direction
- */
-interface OrderByClause<T$1> {
-  column: keyof T$1;
-  direction?: OrderDirection;
-}
-/**
- * Order by parameter - supports 3 modes:
- * 1. String: orderBy: "name" (defaults to ASC)
- * 2. Single object: orderBy: { column: "name", direction: "desc" }
- * 3. Array: orderBy: [{ column: "name", direction: "asc" }, { column: "age", direction: "desc" }]
- */
-type OrderBy<T$1> = keyof T$1 | OrderByClause<T$1> | Array<OrderByClause<T$1>>;
+//#region ../alepha/src/orm/helpers/pgAttr.d.ts
 /**
- * Generic query interface for PostgreSQL entities
+ * Type representation.
  */
-interface PgQuery<T$1 extends TObject = TObject> {
-  distinct?: (keyof Static<T$1>)[];
-  columns?: (keyof Static<T$1>)[];
-  where?: PgQueryWhereOrSQL<T$1>;
-  limit?: number;
-  offset?: number;
-  orderBy?: OrderBy<Static<T$1>>;
-  groupBy?: (keyof Static<T$1>)[];
-}
-type PgStatic<T$1 extends TObject, Relations extends PgRelationMap<T$1>> = Static<T$1> & { [K in keyof Relations]: Static<Relations[K]["join"]["schema"]> & (Relations[K]["with"] extends PgRelationMap<TObject> ? PgStatic<Relations[K]["join"]["schema"], Relations[K]["with"]> : {}) };
-interface PgQueryRelations<T$1 extends TObject = TObject, Relations extends PgRelationMap<T$1> | undefined = undefined> extends PgQuery<T$1> {
-  with?: Relations;
-  where?: PgQueryWhereOrSQL<T$1, Relations>;
+type PgAttr<T$1 extends TSchema, TAttr extends PgSymbolKeys> = T$1 & { [K in TAttr]: PgSymbols[K] };
+interface PgAttrField {
+  key: string;
+  type: TSchema;
+  data: any;
+  nested?: any[];
+  one?: boolean;
 }
-type PgRelationMap<Base extends TObject> = Record<string, PgRelation<Base>>;
-type PgRelation<Base extends TObject> = {
-  type?: "left" | "inner" | "right";
-  join: {
-    schema: TObject;
-    name: string;
-  };
-  on: SQLWrapper | [keyof Static<Base>, {
-    name: string;
-  }];
-  with?: PgRelationMap<TObject>;
-};
 //#endregion
-//#region ../alepha/src/orm/descriptors/$sequence.d.ts
-interface SequenceDescriptorOptions extends PgSequenceOptions {
+//#region ../alepha/src/orm/primitives/$sequence.d.ts
+interface SequencePrimitiveOptions extends PgSequenceOptions {
   /**
    * The name of the sequence. If not provided, the property key will be used.
    */
   name?: string;
   provider?: DatabaseProvider;
 }
-declare class SequenceDescriptor extends Descriptor<SequenceDescriptorOptions> {
+declare class SequencePrimitive extends Primitive<SequencePrimitiveOptions> {
   readonly provider: DatabaseProvider;
   onInit(): void;
   get name(): string;
@@ -3827,22 +3827,22 @@ interface TableConfigBuilders<TConfig> {
   }) => TConfig;
 }
 /**
- * Abstract base class for transforming Alepha Descriptors (Entity, Sequence, etc...)
+ * Abstract base class for transforming Alepha Primitives (Entity, Sequence, etc...)
  * into drizzle models (tables, enums, sequences, etc...).
  */
 declare abstract class ModelBuilder {
   /**
-   * Build a table from an entity descriptor.
+   * Build a table from an entity primitive.
    */
-  abstract buildTable(entity: EntityDescriptor, options: {
+  abstract buildTable(entity: EntityPrimitive, options: {
     tables: Map<string, unknown>;
     enums: Map<string, unknown>;
     schema: string;
   }): void;
   /**
-   * Build a sequence from a sequence descriptor.
+   * Build a sequence from a sequence primitive.
    */
-  abstract buildSequence(sequence: SequenceDescriptor, options: {
+  abstract buildSequence(sequence: SequencePrimitive, options: {
     sequences: Map<string, unknown>;
     schema: string;
   }): void;
@@ -3854,12 +3854,12 @@ declare abstract class ModelBuilder {
    * Build the table configuration function for any database.
    * This includes indexes, foreign keys, constraints, and custom config.
    *
-   * @param entity - The entity descriptor
+   * @param entity - The entity primitive
    * @param builders - Database-specific builder functions
    * @param tableResolver - Function to resolve entity references to table columns
    * @param customConfigHandler - Optional handler for custom config
    */
-  protected buildTableConfig<TConfig, TSelf>(entity: EntityDescriptor, builders: TableConfigBuilders<TConfig>, tableResolver?: (entityName: string) => any, customConfigHandler?: (config: any, self: TSelf) => TConfig[]): ((self: TSelf) => TConfig[]) | undefined;
+  protected buildTableConfig<TConfig, TSelf>(entity: EntityPrimitive, builders: TableConfigBuilders<TConfig>, tableResolver?: (entityName: string) => any, customConfigHandler?: (config: any, self: TSelf) => TConfig[]): ((self: TSelf) => TConfig[]) | undefined;
 }
 //#endregion
 //#region ../alepha/src/orm/providers/DrizzleKitProvider.d.ts
@@ -3900,11 +3900,11 @@ declare class DrizzleKitProvider {
    */
   importDrizzleKit(): typeof DrizzleKit;
 }
-declare const devMigrationsSchema: alepha1246.TObject<{
-  id: alepha1246.TNumber;
-  name: alepha1246.TString;
-  snapshot: alepha1246.TString;
-  created_at: alepha1246.TString;
+declare const devMigrationsSchema: alepha1672.TObject<{
+  id: alepha1672.TNumber;
+  name: alepha1672.TString;
+  snapshot: alepha1672.TString;
+  created_at: alepha1672.TString;
 }>;
 type DevMigrations = Static<typeof devMigrationsSchema>;
 //#endregion
@@ -3923,9 +3923,9 @@ declare abstract class DatabaseProvider {
   readonly sequences: Map<string, unknown>;
   get name(): string;
   get schema(): string;
-  table<T$1 extends TObject>(entity: EntityDescriptor<T$1>): PgTableWithColumns<SchemaToTableConfig<T$1>>;
-  registerEntity(entity: EntityDescriptor): void;
-  registerSequence(sequence: SequenceDescriptor): void;
+  table<T$1 extends TObject>(entity: EntityPrimitive<T$1>): PgTableWithColumns<SchemaToTableConfig<T$1>>;
+  registerEntity(entity: EntityPrimitive): void;
+  registerSequence(sequence: SequencePrimitive): void;
   abstract execute(statement: SQLLike): Promise<Record<string, unknown>[]>;
   run<T$1 extends TObject>(statement: SQLLike, schema: T$1): Promise<Array<Static<T$1>>>;
   /**
@@ -4101,7 +4101,7 @@ declare class QueryManager {
   createPagination<T$1>(entities: T$1[], limit?: number, offset?: number, sort?: Array<{
     column: string;
     direction: "asc" | "desc";
-  }>): alepha1246.Page<T$1>;
+  }>): alepha1672.Page<T$1>;
 }
 interface PgJoin {
   table: string;
@@ -4133,13 +4133,13 @@ declare class PgRelationManager {
 //#endregion
 //#region ../alepha/src/orm/services/Repository.d.ts
 declare abstract class Repository<T$1 extends TObject> {
-  readonly entity: EntityDescriptor<T$1>;
+  readonly entity: EntityPrimitive<T$1>;
   readonly provider: DatabaseProvider;
   protected readonly relationManager: PgRelationManager;
   protected readonly queryManager: QueryManager;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly alepha: Alepha;
-  constructor(entity: EntityDescriptor<T$1>, provider?: typeof DatabaseProvider);
+  constructor(entity: EntityPrimitive<T$1>, provider?: typeof DatabaseProvider);
   /**
    * Represents the primary key of the table.
    * - Key is the name of the primary key column.
@@ -4405,9 +4405,9 @@ interface StatementOptions {
   now?: DateTime | string;
 }
 //#endregion
-//#region ../alepha/src/lock/descriptors/$lock.d.ts
-declare const envSchema$2: alepha1246.TObject<{
-  LOCK_PREFIX_KEY: alepha1246.TString;
+//#region ../alepha/src/lock/primitives/$lock.d.ts
+declare const envSchema$2: alepha1672.TObject<{
+  LOCK_PREFIX_KEY: alepha1672.TString;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$2>> {}
@@ -4417,7 +4417,7 @@ declare module "alepha" {
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema$1>> {}
 }
-declare const envSchema$1: alepha1246.TObject<{
+declare const envSchema$1: alepha1672.TObject<{
   /**
    * Main configuration for database connection.
    * Accept a string in the format of a Postgres connection URL.
@@ -4425,21 +4425,21 @@ declare const envSchema$1: alepha1246.TObject<{
    * or
    * Example: postgres://user:password@localhost:5432/database?sslmode=require
    */
-  DATABASE_URL: alepha1246.TOptional<alepha1246.TString>;
+  DATABASE_URL: alepha1672.TOptional<alepha1672.TString>;
   /**
    * In addition to the DATABASE_URL, you can specify the postgres schema name.
    *
    * It will monkey patch drizzle tables.
    */
-  POSTGRES_SCHEMA: alepha1246.TOptional<alepha1246.TString>;
+  POSTGRES_SCHEMA: alepha1672.TOptional<alepha1672.TString>;
 }>;
 //#endregion
 //#region ../alepha/src/orm/providers/drivers/NodeSqliteProvider.d.ts
 /**
  * Configuration options for the Node.js SQLite database provider.
  */
-declare const nodeSqliteOptions: alepha1246.Atom<alepha1246.TObject<{
-  path: alepha1246.TOptional<alepha1246.TString>;
+declare const nodeSqliteOptions: alepha1672.Atom<alepha1672.TObject<{
+  path: alepha1672.TOptional<alepha1672.TString>;
 }>, "alepha.postgres.node-sqlite.options">;
 type NodeSqliteProviderOptions = Static<typeof nodeSqliteOptions.schema>;
 declare module "alepha" {
@@ -4523,16 +4523,16 @@ declare module "alepha" {
 }
 //#endregion
 //#region ../alepha/src/api-users/entities/identities.d.ts
-declare const identities: EntityDescriptor<alepha1246.TObject<{
-  id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-  version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-  createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-  updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-  userId: PgAttr<alepha1246.TString, typeof PG_REF>;
-  password: alepha1246.TOptional<alepha1246.TString>;
-  provider: alepha1246.TString;
-  providerUserId: alepha1246.TOptional<alepha1246.TString>;
-  providerData: alepha1246.TOptional<alepha1246.TRecord<string, alepha1246.TAny>>;
+declare const identities: EntityPrimitive<alepha1672.TObject<{
+  id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+  version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+  createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+  updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+  userId: PgAttr<alepha1672.TString, typeof PG_REF>;
+  password: alepha1672.TOptional<alepha1672.TString>;
+  provider: alepha1672.TString;
+  providerUserId: alepha1672.TOptional<alepha1672.TString>;
+  providerData: alepha1672.TOptional<alepha1672.TRecord<string, alepha1672.TAny>>;
 }>>;
 //#endregion
 //#region ../alepha/src/bucket/providers/FileStorageProvider.d.ts
@@ -4583,8 +4583,8 @@ declare class MemoryFileStorageProvider implements FileStorageProvider {
   protected createId(): string;
 }
 //#endregion
-//#region ../alepha/src/bucket/descriptors/$bucket.d.ts
-interface BucketDescriptorOptions extends BucketFileOptions {
+//#region ../alepha/src/bucket/primitives/$bucket.d.ts
+interface BucketPrimitiveOptions extends BucketFileOptions {
   /**
    * File storage provider configuration for the bucket.
    *
@@ -4716,7 +4716,7 @@ interface BucketFileOptions {
    */
   maxSize?: number;
 }
-declare class BucketDescriptor extends Descriptor<BucketDescriptorOptions> {
+declare class BucketPrimitive extends Primitive<BucketPrimitiveOptions> {
   readonly provider: FileStorageProvider | MemoryFileStorageProvider;
   private readonly fileSystem;
   get name(): string;
@@ -4759,8 +4759,8 @@ interface BucketFileOptions {
 /**
  * Local file storage configuration atom
  */
-declare const localFileStorageOptions: alepha1246.Atom<alepha1246.TObject<{
-  storagePath: alepha1246.TString;
+declare const localFileStorageOptions: alepha1672.Atom<alepha1672.TObject<{
+  storagePath: alepha1672.TString;
 }>, "alepha.bucket.local.options">;
 type LocalFileStorageProviderOptions = Static<typeof localFileStorageOptions.schema>;
 declare module "alepha" {
@@ -4779,7 +4779,7 @@ declare module "alepha" {
     "bucket:file:uploaded": {
       id: string;
       file: FileLike;
-      bucket: BucketDescriptor;
+      bucket: BucketPrimitive;
       options: BucketFileOptions;
     };
     /**
@@ -4787,14 +4787,14 @@ declare module "alepha" {
      */
     "bucket:file:deleted": {
       id: string;
-      bucket: BucketDescriptor;
+      bucket: BucketPrimitive;
     };
   }
 }
 /**
- * Provides file storage capabilities through declarative bucket descriptors with support for multiple storage backends.
+ * Provides file storage capabilities through declarative bucket primitives with support for multiple storage backends.
  *
- * The bucket module enables unified file operations across different storage systems using the `$bucket` descriptor
+ * The bucket module enables unified file operations across different storage systems using the `$bucket` primitive
  * on class properties. It abstracts storage provider differences, offering consistent APIs for local filesystem,
  * cloud storage, or in-memory storage for testing environments.
  *
@@ -4804,38 +4804,38 @@ declare module "alepha" {
  */
 //#endregion
 //#region ../alepha/src/api-users/entities/sessions.d.ts
-declare const sessions: EntityDescriptor<alepha1246.TObject<{
-  id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-  version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-  createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-  updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-  refreshToken: alepha1246.TString;
-  userId: PgAttr<alepha1246.TString, typeof PG_REF>;
-  expiresAt: alepha1246.TString;
-  ip: alepha1246.TOptional<alepha1246.TString>;
-  userAgent: alepha1246.TOptional<alepha1246.TObject<{
-    os: alepha1246.TString;
-    browser: alepha1246.TString;
-    device: alepha1246.TUnsafe<"MOBILE" | "DESKTOP" | "TABLET">;
+declare const sessions: EntityPrimitive<alepha1672.TObject<{
+  id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+  version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+  createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+  updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+  refreshToken: alepha1672.TString;
+  userId: PgAttr<alepha1672.TString, typeof PG_REF>;
+  expiresAt: alepha1672.TString;
+  ip: alepha1672.TOptional<alepha1672.TString>;
+  userAgent: alepha1672.TOptional<alepha1672.TObject<{
+    os: alepha1672.TString;
+    browser: alepha1672.TString;
+    device: alepha1672.TUnsafe<"MOBILE" | "DESKTOP" | "TABLET">;
   }>>;
 }>>;
 //#endregion
 //#region ../alepha/src/api-users/entities/users.d.ts
-declare const users: EntityDescriptor<alepha1246.TObject<{
-  id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-  version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-  createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-  updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-  realm: PgAttr<alepha1246.TString, typeof PG_DEFAULT>;
-  username: alepha1246.TOptional<alepha1246.TString>;
-  email: alepha1246.TOptional<alepha1246.TString>;
-  phoneNumber: alepha1246.TOptional<alepha1246.TString>;
-  roles: PgAttr<alepha1246.TArray<alepha1246.TString>, typeof PG_DEFAULT>;
-  firstName: alepha1246.TOptional<alepha1246.TString>;
-  lastName: alepha1246.TOptional<alepha1246.TString>;
-  picture: alepha1246.TOptional<alepha1246.TString>;
-  enabled: PgAttr<alepha1246.TBoolean, typeof PG_DEFAULT>;
-  emailVerified: PgAttr<alepha1246.TBoolean, typeof PG_DEFAULT>;
+declare const users: EntityPrimitive<alepha1672.TObject<{
+  id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+  version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+  createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+  updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+  realm: PgAttr<alepha1672.TString, typeof PG_DEFAULT>;
+  username: alepha1672.TOptional<alepha1672.TString>;
+  email: alepha1672.TOptional<alepha1672.TString>;
+  phoneNumber: alepha1672.TOptional<alepha1672.TString>;
+  roles: PgAttr<alepha1672.TArray<alepha1672.TString>, typeof PG_DEFAULT>;
+  firstName: alepha1672.TOptional<alepha1672.TString>;
+  lastName: alepha1672.TOptional<alepha1672.TString>;
+  picture: alepha1672.TOptional<alepha1672.TString>;
+  enabled: PgAttr<alepha1672.TBoolean, typeof PG_DEFAULT>;
+  emailVerified: PgAttr<alepha1672.TBoolean, typeof PG_DEFAULT>;
 }>>;
 //#endregion
 //#region ../alepha/src/api-users/providers/UserRealmProvider.d.ts
@@ -4851,51 +4851,51 @@ interface UserRealm {
 }
 declare class UserRealmProvider {
   protected readonly alepha: Alepha;
-  protected readonly defaultIdentities: Repository<alepha1246.TObject<{
-    id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-    version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-    createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-    updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-    userId: PgAttr<alepha1246.TString, typeof PG_REF>;
-    password: alepha1246.TOptional<alepha1246.TString>;
-    provider: alepha1246.TString;
-    providerUserId: alepha1246.TOptional<alepha1246.TString>;
-    providerData: alepha1246.TOptional<alepha1246.TRecord<string, alepha1246.TAny>>;
+  protected readonly defaultIdentities: Repository<alepha1672.TObject<{
+    id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+    version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+    createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+    updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+    userId: PgAttr<alepha1672.TString, typeof PG_REF>;
+    password: alepha1672.TOptional<alepha1672.TString>;
+    provider: alepha1672.TString;
+    providerUserId: alepha1672.TOptional<alepha1672.TString>;
+    providerData: alepha1672.TOptional<alepha1672.TRecord<string, alepha1672.TAny>>;
   }>>;
-  protected readonly defaultSessions: Repository<alepha1246.TObject<{
-    id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-    version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-    createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-    updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-    refreshToken: alepha1246.TString;
-    userId: PgAttr<alepha1246.TString, typeof PG_REF>;
-    expiresAt: alepha1246.TString;
-    ip: alepha1246.TOptional<alepha1246.TString>;
-    userAgent: alepha1246.TOptional<alepha1246.TObject<{
-      os: alepha1246.TString;
-      browser: alepha1246.TString;
-      device: alepha1246.TUnsafe<"MOBILE" | "DESKTOP" | "TABLET">;
+  protected readonly defaultSessions: Repository<alepha1672.TObject<{
+    id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+    version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+    createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+    updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+    refreshToken: alepha1672.TString;
+    userId: PgAttr<alepha1672.TString, typeof PG_REF>;
+    expiresAt: alepha1672.TString;
+    ip: alepha1672.TOptional<alepha1672.TString>;
+    userAgent: alepha1672.TOptional<alepha1672.TObject<{
+      os: alepha1672.TString;
+      browser: alepha1672.TString;
+      device: alepha1672.TUnsafe<"MOBILE" | "DESKTOP" | "TABLET">;
     }>>;
   }>>;
-  protected readonly defaultUsers: Repository<alepha1246.TObject<{
-    id: PgAttr<PgAttr<alepha1246.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-    version: PgAttr<PgAttr<alepha1246.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-    createdAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-    updatedAt: PgAttr<PgAttr<alepha1246.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-    realm: PgAttr<alepha1246.TString, typeof PG_DEFAULT>;
-    username: alepha1246.TOptional<alepha1246.TString>;
-    email: alepha1246.TOptional<alepha1246.TString>;
-    phoneNumber: alepha1246.TOptional<alepha1246.TString>;
-    roles: PgAttr<alepha1246.TArray<alepha1246.TString>, typeof PG_DEFAULT>;
-    firstName: alepha1246.TOptional<alepha1246.TString>;
-    lastName: alepha1246.TOptional<alepha1246.TString>;
-    picture: alepha1246.TOptional<alepha1246.TString>;
-    enabled: PgAttr<alepha1246.TBoolean, typeof PG_DEFAULT>;
-    emailVerified: PgAttr<alepha1246.TBoolean, typeof PG_DEFAULT>;
+  protected readonly defaultUsers: Repository<alepha1672.TObject<{
+    id: PgAttr<PgAttr<alepha1672.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
+    version: PgAttr<PgAttr<alepha1672.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
+    createdAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
+    updatedAt: PgAttr<PgAttr<alepha1672.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
+    realm: PgAttr<alepha1672.TString, typeof PG_DEFAULT>;
+    username: alepha1672.TOptional<alepha1672.TString>;
+    email: alepha1672.TOptional<alepha1672.TString>;
+    phoneNumber: alepha1672.TOptional<alepha1672.TString>;
+    roles: PgAttr<alepha1672.TArray<alepha1672.TString>, typeof PG_DEFAULT>;
+    firstName: alepha1672.TOptional<alepha1672.TString>;
+    lastName: alepha1672.TOptional<alepha1672.TString>;
+    picture: alepha1672.TOptional<alepha1672.TString>;
+    enabled: PgAttr<alepha1672.TBoolean, typeof PG_DEFAULT>;
+    emailVerified: PgAttr<alepha1672.TBoolean, typeof PG_DEFAULT>;
   }>>;
   protected realms: Map<string, UserRealm>;
-  avatars: BucketDescriptor;
-  protected readonly onConfigure: alepha1246.HookDescriptor<"configure">;
+  avatars: BucketPrimitive;
+  protected readonly onConfigure: alepha1672.HookPrimitive<"configure">;
   register(userRealmName: string, userRealmOptions?: UserRealmOptions): void;
   /**
    * Gets a registered realm by name, auto-creating default if needed.
@@ -4910,21 +4910,21 @@ declare class UserRealmProvider {
 /**
  * Verification settings configuration atom
  */
-declare const verificationOptions: alepha1246.Atom<alepha1246.TObject<{
-  code: alepha1246.TObject<{
-    maxAttempts: alepha1246.TInteger;
-    codeLength: alepha1246.TInteger;
-    codeExpiration: alepha1246.TInteger;
-    verificationCooldown: alepha1246.TInteger;
-    limitPerDay: alepha1246.TInteger;
+declare const verificationOptions: alepha1672.Atom<alepha1672.TObject<{
+  code: alepha1672.TObject<{
+    maxAttempts: alepha1672.TInteger;
+    codeLength: alepha1672.TInteger;
+    codeExpiration: alepha1672.TInteger;
+    verificationCooldown: alepha1672.TInteger;
+    limitPerDay: alepha1672.TInteger;
   }>;
-  link: alepha1246.TObject<{
-    maxAttempts: alepha1246.TInteger;
-    codeExpiration: alepha1246.TInteger;
-    verificationCooldown: alepha1246.TInteger;
-    limitPerDay: alepha1246.TInteger;
+  link: alepha1672.TObject<{
+    maxAttempts: alepha1672.TInteger;
+    codeExpiration: alepha1672.TInteger;
+    verificationCooldown: alepha1672.TInteger;
+    limitPerDay: alepha1672.TInteger;
   }>;
-  purgeDays: alepha1246.TInteger;
+  purgeDays: alepha1672.TInteger;
 }>, "alepha.api.verifications.options">;
 type VerificationOptions = Static<typeof verificationOptions.schema>;
 declare module "alepha" {
@@ -4973,7 +4973,7 @@ declare module "alepha" {
 /**
  * Provides email sending capabilities for Alepha applications with multiple provider backends.
  *
- * The email module enables declarative email sending through the `$email` descriptor, allowing you to send
+ * The email module enables declarative email sending through the `$email` primitive, allowing you to send
  * emails through different providers: memory (for testing), local file system, or SMTP via Nodemailer.
  * It supports HTML email content and automatic provider selection based on environment configuration.
  *
@@ -4981,44 +4981,112 @@ declare module "alepha" {
  * @module alepha.email
  */
 //#endregion
+//#region ../alepha/src/sms/providers/SmsProvider.d.ts
+/**
+ * SMS provider interface.
+ *
+ * All methods are asynchronous and return promises.
+ */
+declare abstract class SmsProvider {
+  /**
+   * Send an SMS.
+   *
+   * @return Promise that resolves when the SMS is sent.
+   */
+  abstract send(options: SmsSendOptions): Promise<void>;
+}
+type SmsSendOptions = {
+  to: string | string[];
+  message: string;
+};
+//#endregion
+//#region ../alepha/src/sms/index.d.ts
+declare module "alepha" {
+  interface Hooks {
+    "sms:sending": {
+      to: string | string[];
+      template: string;
+      variables: Record<string, unknown>;
+      provider: SmsProvider;
+      abort(): void;
+    };
+    "sms:sent": {
+      to: string | string[];
+      template: string;
+      provider: SmsProvider;
+    };
+  }
+}
+/**
+ * Provides SMS sending capabilities for Alepha applications with multiple provider backends.
+ *
+ * The SMS module enables declarative SMS sending through the `$sms` primitive, allowing you to send
+ * text messages through different providers: memory (for testing) or local file system.
+ * It supports automatic provider selection based on environment configuration.
+ *
+ * @see {@link SmsProvider}
+ * @module alepha.sms
+ */
+//#endregion
 //#region ../alepha/src/api-notifications/services/NotificationService.d.ts
-declare const notificationServiceEnvSchema: alepha1246.TObject<{
-  NOTIFICATION_QUEUE: alepha1246.TOptional<alepha1246.TBoolean>;
+declare const notificationServiceEnvSchema: alepha1672.TObject<{
+  NOTIFICATION_QUEUE: alepha1672.TOptional<alepha1672.TBoolean>;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof notificationServiceEnvSchema>> {}
 }
 //#endregion
 //#region ../alepha/src/queue/providers/WorkerProvider.d.ts
-declare const envSchema: alepha1246.TObject<{
+declare const envSchema: alepha1672.TObject<{
   /**
    * The timeout in seconds for blocking job acquisition.
    * Workers will check for shutdown after each timeout period.
    */
-  QUEUE_WORKER_BLOCKING_TIMEOUT: alepha1246.TInteger;
+  QUEUE_WORKER_BLOCKING_TIMEOUT: alepha1672.TInteger;
   /**
    * The number of workers to run concurrently. Defaults to 1.
    * Useful only if you are doing a lot of I/O.
    */
-  QUEUE_WORKER_CONCURRENCY: alepha1246.TInteger;
+  QUEUE_WORKER_CONCURRENCY: alepha1672.TInteger;
   /**
    * Interval in milliseconds for renewing job locks during processing.
    * Should be less than the job's lock duration.
    */
-  QUEUE_WORKER_LOCK_RENEWAL_INTERVAL: alepha1246.TInteger;
+  QUEUE_WORKER_LOCK_RENEWAL_INTERVAL: alepha1672.TInteger;
   /**
    * Interval in milliseconds for the scheduler to check delayed jobs and stalled jobs.
    */
-  QUEUE_SCHEDULER_INTERVAL: alepha1246.TInteger;
+  QUEUE_SCHEDULER_INTERVAL: alepha1672.TInteger;
   /**
    * Threshold in milliseconds after lock expiration to consider a job stalled.
    */
-  QUEUE_STALLED_THRESHOLD: alepha1246.TInteger;
+  QUEUE_STALLED_THRESHOLD: alepha1672.TInteger;
 }>;
 declare module "alepha" {
   interface Env extends Partial<Static<typeof envSchema>> {}
 }
 //#endregion
+//#region ../alepha/src/server-auth/schemas/authenticationProviderSchema.d.ts
+declare const authenticationProviderSchema: alepha1672.TObject<{
+  name: alepha1672.TString;
+  type: alepha1672.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
+}>;
+type AuthenticationProvider = Static<typeof authenticationProviderSchema>;
+//#endregion
+//#region ../alepha/src/server-auth/schemas/tokensSchema.d.ts
+declare const tokensSchema: alepha1672.TObject<{
+  provider: alepha1672.TString;
+  access_token: alepha1672.TString;
+  issued_at: alepha1672.TNumber;
+  expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+  refresh_token: alepha1672.TOptional<alepha1672.TString>;
+  refresh_token_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+  refresh_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+  id_token: alepha1672.TOptional<alepha1672.TString>;
+  scope: alepha1672.TOptional<alepha1672.TString>;
+}>;
+type Tokens = Static<typeof tokensSchema>;
+//#endregion
 //#region ../alepha/src/server-cookies/services/CookieParser.d.ts
 declare class CookieParser {
   parseRequestCookies(header: string): Record<string, string>;
@@ -5039,12 +5107,12 @@ declare class ServerCookiesProvider {
   protected readonly IV_LENGTH = 16;
   protected readonly AUTH_TAG_LENGTH = 16;
   protected readonly SIGNATURE_LENGTH = 32;
-  readonly onRequest: alepha1246.HookDescriptor<"server:onRequest">;
-  readonly onAction: alepha1246.HookDescriptor<"action:onRequest">;
-  readonly onSend: alepha1246.HookDescriptor<"server:onSend">;
+  readonly onRequest: alepha1672.HookPrimitive<"server:onRequest">;
+  readonly onAction: alepha1672.HookPrimitive<"action:onRequest">;
+  readonly onSend: alepha1672.HookPrimitive<"server:onSend">;
   protected getCookiesFromContext(cookies?: Cookies): Cookies;
-  getCookie<T$1 extends TSchema>(name: string, options: CookieDescriptorOptions<T$1>, contextCookies?: Cookies): Static<T$1> | undefined;
-  setCookie<T$1 extends TSchema>(name: string, options: CookieDescriptorOptions<T$1>, data: Static<T$1>, contextCookies?: Cookies): void;
+  getCookie<T$1 extends TSchema>(name: string, options: CookiePrimitiveOptions<T$1>, contextCookies?: Cookies): Static<T$1> | undefined;
+  setCookie<T$1 extends TSchema>(name: string, options: CookiePrimitiveOptions<T$1>, data: Static<T$1>, contextCookies?: Cookies): void;
   deleteCookie<T$1 extends TSchema>(name: string, contextCookies?: Cookies): void;
   protected encrypt(text: string): string;
   protected decrypt(encryptedText: string): string;
@@ -5052,8 +5120,8 @@ declare class ServerCookiesProvider {
   protected sign(data: string): string;
 }
 //#endregion
-//#region ../alepha/src/server-cookies/descriptors/$cookie.d.ts
-interface CookieDescriptorOptions<T$1 extends TSchema> {
+//#region ../alepha/src/server-cookies/primitives/$cookie.d.ts
+interface CookiePrimitiveOptions<T$1 extends TSchema> {
   /** The schema for the cookie's value, used for validation and type safety. */
   schema: T$1;
   /** The name of the cookie. */
@@ -5077,9 +5145,9 @@ interface CookieDescriptorOptions<T$1 extends TSchema> {
   /** If true, the cookie will be signed to prevent tampering. Requires `COOKIE_SECRET` env var. */
   sign?: boolean;
 }
-interface AbstractCookieDescriptor<T$1 extends TSchema> {
+interface AbstractCookiePrimitive<T$1 extends TSchema> {
   readonly name: string;
-  readonly options: CookieDescriptorOptions<T$1>;
+  readonly options: CookiePrimitiveOptions<T$1>;
   set(value: Static<T$1>, options?: {
     cookies?: Cookies;
     ttl?: DurationLike;
@@ -5112,9 +5180,9 @@ declare module "alepha/server" {
   }
 }
 /**
- * Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
+ * Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie primitives.
  *
- * The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
+ * The server-cookies module enables declarative cookie handling using the `$cookie` primitive on class properties.
  * It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
  * for managing user sessions, preferences, and authentication tokens.
  *
@@ -5122,27 +5190,6 @@ declare module "alepha/server" {
  * @module alepha.server.cookies
  */
 //#endregion
-//#region ../alepha/src/server-auth/schemas/authenticationProviderSchema.d.ts
-declare const authenticationProviderSchema: alepha1246.TObject<{
-  name: alepha1246.TString;
-  type: alepha1246.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
-}>;
-type AuthenticationProvider = Static<typeof authenticationProviderSchema>;
-//#endregion
-//#region ../alepha/src/server-auth/schemas/tokensSchema.d.ts
-declare const tokensSchema: alepha1246.TObject<{
-  provider: alepha1246.TString;
-  access_token: alepha1246.TString;
-  issued_at: alepha1246.TNumber;
-  expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-  refresh_token: alepha1246.TOptional<alepha1246.TString>;
-  refresh_token_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-  refresh_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-  id_token: alepha1246.TOptional<alepha1246.TString>;
-  scope: alepha1246.TOptional<alepha1246.TString>;
-}>;
-type Tokens = Static<typeof tokensSchema>;
-//#endregion
 //#region ../alepha/src/server-auth/providers/ServerAuthProvider.d.ts
 declare class ServerAuthProvider {
   protected readonly log: Logger;
@@ -5150,34 +5197,34 @@ declare class ServerAuthProvider {
   protected readonly serverCookiesProvider: ServerCookiesProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly serverLinksProvider: ServerLinksProvider;
-  protected readonly authorizationCode: AbstractCookieDescriptor<alepha1246.TObject<{
-    provider: alepha1246.TString;
-    codeVerifier: alepha1246.TOptional<alepha1246.TString>;
-    redirectUri: alepha1246.TOptional<alepha1246.TString>;
-    state: alepha1246.TOptional<alepha1246.TString>;
-    nonce: alepha1246.TOptional<alepha1246.TString>;
+  protected readonly authorizationCode: AbstractCookiePrimitive<alepha1672.TObject<{
+    provider: alepha1672.TString;
+    codeVerifier: alepha1672.TOptional<alepha1672.TString>;
+    redirectUri: alepha1672.TOptional<alepha1672.TString>;
+    state: alepha1672.TOptional<alepha1672.TString>;
+    nonce: alepha1672.TOptional<alepha1672.TString>;
   }>>;
-  readonly tokens: AbstractCookieDescriptor<alepha1246.TObject<{
-    provider: alepha1246.TString;
-    access_token: alepha1246.TString;
-    issued_at: alepha1246.TNumber;
-    expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-    refresh_token: alepha1246.TOptional<alepha1246.TString>;
-    refresh_token_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-    refresh_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-    id_token: alepha1246.TOptional<alepha1246.TString>;
-    scope: alepha1246.TOptional<alepha1246.TString>;
+  readonly tokens: AbstractCookiePrimitive<alepha1672.TObject<{
+    provider: alepha1672.TString;
+    access_token: alepha1672.TString;
+    issued_at: alepha1672.TNumber;
+    expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+    refresh_token: alepha1672.TOptional<alepha1672.TString>;
+    refresh_token_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+    refresh_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+    id_token: alepha1672.TOptional<alepha1672.TString>;
+    scope: alepha1672.TOptional<alepha1672.TString>;
   }>>;
-  get identities(): Array<AuthDescriptor>;
+  get identities(): Array<AuthPrimitive>;
   getAuthenticationProviders(filters?: {
     realmName?: string;
   }): AuthenticationProvider[];
-  protected readonly configure: alepha1246.HookDescriptor<"configure">;
+  protected readonly configure: alepha1672.HookPrimitive<"configure">;
   protected getAccessTokens(tokens: Tokens): string | undefined;
   /**
    * Fill request headers with access token from cookies or fallback to provider's fallback function.
    */
-  protected readonly onRequest: alepha1246.HookDescriptor<"server:onRequest">;
+  protected readonly onRequest: alepha1672.HookPrimitive<"server:onRequest">;
   /**
    * Convert cookies to tokens.
    * If the tokens are expired, try to refresh them using the refresh token.
@@ -5187,27 +5234,27 @@ declare class ServerAuthProvider {
   /**
    * Get user information.
    */
-  readonly userinfo: RouteDescriptor<{
-    response: alepha1246.TObject<{
-      user: alepha1246.TOptional<alepha1246.TObject<{
-        id: alepha1246.TString;
-        name: alepha1246.TOptional<alepha1246.TString>;
-        email: alepha1246.TOptional<alepha1246.TString>;
-        username: alepha1246.TOptional<alepha1246.TString>;
-        picture: alepha1246.TOptional<alepha1246.TString>;
-        sessionId: alepha1246.TOptional<alepha1246.TString>;
-        organizations: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
-        roles: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
+  readonly userinfo: RoutePrimitive<{
+    response: alepha1672.TObject<{
+      user: alepha1672.TOptional<alepha1672.TObject<{
+        id: alepha1672.TString;
+        name: alepha1672.TOptional<alepha1672.TString>;
+        email: alepha1672.TOptional<alepha1672.TString>;
+        username: alepha1672.TOptional<alepha1672.TString>;
+        picture: alepha1672.TOptional<alepha1672.TString>;
+        sessionId: alepha1672.TOptional<alepha1672.TString>;
+        organizations: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
+        roles: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
       }>>;
-      api: alepha1246.TObject<{
-        prefix: alepha1246.TOptional<alepha1246.TString>;
-        links: alepha1246.TArray<alepha1246.TObject<{
-          name: alepha1246.TString;
-          group: alepha1246.TOptional<alepha1246.TString>;
-          path: alepha1246.TString;
-          method: alepha1246.TOptional<alepha1246.TString>;
-          requestBodyType: alepha1246.TOptional<alepha1246.TString>;
-          service: alepha1246.TOptional<alepha1246.TString>;
+      api: alepha1672.TObject<{
+        prefix: alepha1672.TOptional<alepha1672.TString>;
+        links: alepha1672.TArray<alepha1672.TObject<{
+          name: alepha1672.TString;
+          group: alepha1672.TOptional<alepha1672.TString>;
+          path: alepha1672.TString;
+          method: alepha1672.TOptional<alepha1672.TString>;
+          requestBodyType: alepha1672.TOptional<alepha1672.TString>;
+          service: alepha1672.TOptional<alepha1672.TString>;
         }>>;
       }>;
     }>;
@@ -5215,66 +5262,66 @@ declare class ServerAuthProvider {
   /**
    * Refresh a token for internal providers.
    */
-  readonly refresh: RouteDescriptor<{
-    query: alepha1246.TObject<{
-      provider: alepha1246.TString;
+  readonly refresh: RoutePrimitive<{
+    query: alepha1672.TObject<{
+      provider: alepha1672.TString;
     }>;
-    body: alepha1246.TObject<{
-      refresh_token: alepha1246.TString;
-      access_token: alepha1246.TOptional<alepha1246.TString>;
+    body: alepha1672.TObject<{
+      refresh_token: alepha1672.TString;
+      access_token: alepha1672.TOptional<alepha1672.TString>;
     }>;
-    response: alepha1246.TObject<{
-      provider: alepha1246.TString;
-      access_token: alepha1246.TString;
-      issued_at: alepha1246.TNumber;
-      expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      refresh_token: alepha1246.TOptional<alepha1246.TString>;
-      refresh_token_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      refresh_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      id_token: alepha1246.TOptional<alepha1246.TString>;
-      scope: alepha1246.TOptional<alepha1246.TString>;
+    response: alepha1672.TObject<{
+      provider: alepha1672.TString;
+      access_token: alepha1672.TString;
+      issued_at: alepha1672.TNumber;
+      expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      refresh_token: alepha1672.TOptional<alepha1672.TString>;
+      refresh_token_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      refresh_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      id_token: alepha1672.TOptional<alepha1672.TString>;
+      scope: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }>;
   /**
    * Login for local password-based authentication.
    */
-  readonly token: RouteDescriptor<{
-    query: alepha1246.TObject<{
-      provider: alepha1246.TString;
+  readonly token: RoutePrimitive<{
+    query: alepha1672.TObject<{
+      provider: alepha1672.TString;
     }>;
-    body: alepha1246.TObject<{
-      username: alepha1246.TString;
-      password: alepha1246.TString;
+    body: alepha1672.TObject<{
+      username: alepha1672.TString;
+      password: alepha1672.TString;
     }>;
-    response: alepha1246.TObject<{
-      provider: alepha1246.TString;
-      access_token: alepha1246.TString;
-      issued_at: alepha1246.TNumber;
-      expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      refresh_token: alepha1246.TOptional<alepha1246.TString>;
-      refresh_token_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      refresh_expires_in: alepha1246.TOptional<alepha1246.TNumber>;
-      id_token: alepha1246.TOptional<alepha1246.TString>;
-      scope: alepha1246.TOptional<alepha1246.TString>;
-      user: alepha1246.TObject<{
-        id: alepha1246.TString;
-        name: alepha1246.TOptional<alepha1246.TString>;
-        email: alepha1246.TOptional<alepha1246.TString>;
-        username: alepha1246.TOptional<alepha1246.TString>;
-        picture: alepha1246.TOptional<alepha1246.TString>;
-        sessionId: alepha1246.TOptional<alepha1246.TString>;
-        organizations: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
-        roles: alepha1246.TOptional<alepha1246.TArray<alepha1246.TString>>;
+    response: alepha1672.TObject<{
+      provider: alepha1672.TString;
+      access_token: alepha1672.TString;
+      issued_at: alepha1672.TNumber;
+      expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      refresh_token: alepha1672.TOptional<alepha1672.TString>;
+      refresh_token_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      refresh_expires_in: alepha1672.TOptional<alepha1672.TNumber>;
+      id_token: alepha1672.TOptional<alepha1672.TString>;
+      scope: alepha1672.TOptional<alepha1672.TString>;
+      user: alepha1672.TObject<{
+        id: alepha1672.TString;
+        name: alepha1672.TOptional<alepha1672.TString>;
+        email: alepha1672.TOptional<alepha1672.TString>;
+        username: alepha1672.TOptional<alepha1672.TString>;
+        picture: alepha1672.TOptional<alepha1672.TString>;
+        sessionId: alepha1672.TOptional<alepha1672.TString>;
+        organizations: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
+        roles: alepha1672.TOptional<alepha1672.TArray<alepha1672.TString>>;
       }>;
-      api: alepha1246.TObject<{
-        prefix: alepha1246.TOptional<alepha1246.TString>;
-        links: alepha1246.TArray<alepha1246.TObject<{
-          name: alepha1246.TString;
-          group: alepha1246.TOptional<alepha1246.TString>;
-          path: alepha1246.TString;
-          method: alepha1246.TOptional<alepha1246.TString>;
-          requestBodyType: alepha1246.TOptional<alepha1246.TString>;
-          service: alepha1246.TOptional<alepha1246.TString>;
+      api: alepha1672.TObject<{
+        prefix: alepha1672.TOptional<alepha1672.TString>;
+        links: alepha1672.TArray<alepha1672.TObject<{
+          name: alepha1672.TString;
+          group: alepha1672.TOptional<alepha1672.TString>;
+          path: alepha1672.TString;
+          method: alepha1672.TOptional<alepha1672.TString>;
+          requestBodyType: alepha1672.TOptional<alepha1672.TString>;
+          service: alepha1672.TOptional<alepha1672.TString>;
         }>>;
       }>;
     }>;
@@ -5282,28 +5329,28 @@ declare class ServerAuthProvider {
   /**
    * Oauth2/OIDC login route.
    */
-  readonly login: RouteDescriptor<{
-    query: alepha1246.TObject<{
-      provider: alepha1246.TString;
-      redirect_uri: alepha1246.TOptional<alepha1246.TString>;
+  readonly login: RoutePrimitive<{
+    query: alepha1672.TObject<{
+      provider: alepha1672.TString;
+      redirect_uri: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }>;
   /**
    * Callback for OAuth2/OIDC providers.
    * It handles the authorization code flow and retrieves the access token.
    */
-  readonly callback: RouteDescriptor<RequestConfigSchema>;
+  readonly callback: RoutePrimitive<RequestConfigSchema>;
   /**
    * Logout route for OAuth2/OIDC providers.
    */
-  readonly logout: RouteDescriptor<{
-    query: alepha1246.TObject<{
-      post_logout_redirect_uri: alepha1246.TOptional<alepha1246.TString>;
+  readonly logout: RoutePrimitive<{
+    query: alepha1672.TObject<{
+      post_logout_redirect_uri: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }>;
   protected provider(opts: string | {
     provider: string;
-  }): AuthDescriptor;
+  }): AuthPrimitive;
   protected setTokens(tokens: Tokens, cookies?: Cookies): void;
 }
 interface OAuth2Profile {
@@ -5337,8 +5384,8 @@ interface OAuth2Profile {
   [key: string]: unknown;
 }
 //#endregion
-//#region ../alepha/src/server-auth/descriptors/$auth.d.ts
-type AuthDescriptorOptions = {
+//#region ../alepha/src/server-auth/primitives/$auth.d.ts
+type AuthPrimitiveOptions = {
   /**
    * Name of the identity provider.
    * If not provided, it will be derived from the property key.
@@ -5379,7 +5426,7 @@ type AuthExternal = {
  * This relies on the `realm`, which is used to create/verify the access token.
  */
 type AuthInternal = {
-  realm: RealmDescriptor;
+  realm: RealmPrimitive;
 } & ({
   /**
    * The common username/password authentication.
@@ -5492,7 +5539,7 @@ interface OAuth2Options {
    */
   scope?: string;
 }
-declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
+declare class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
   protected readonly securityProvider: SecurityProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
   oauth?: Configuration;
@@ -5556,53 +5603,53 @@ declare class UserRealmController {
    * Get realm configuration settings.
    * This endpoint is not exposed in the API documentation.
    */
-  readonly getRealmConfig: ActionDescriptorFn<{
-    query: alepha1246.TObject<{
-      userRealmName: alepha1246.TOptional<alepha1246.TString>;
+  readonly getRealmConfig: ActionPrimitiveFn<{
+    query: alepha1672.TObject<{
+      userRealmName: alepha1672.TOptional<alepha1672.TString>;
     }>;
-    response: alepha1246.TObject<{
-      settings: alepha1246.TObject<{
-        registrationAllowed: alepha1246.TBoolean;
-        emailEnabled: alepha1246.TBoolean;
-        emailRequired: alepha1246.TBoolean;
-        usernameEnabled: alepha1246.TBoolean;
-        usernameRequired: alepha1246.TBoolean;
-        phoneEnabled: alepha1246.TBoolean;
-        phoneRequired: alepha1246.TBoolean;
-        verifyEmailRequired: alepha1246.TBoolean;
-        verifyPhoneRequired: alepha1246.TBoolean;
-        firstNameLastNameEnabled: alepha1246.TBoolean;
-        firstNameLastNameRequired: alepha1246.TBoolean;
-        resetPasswordAllowed: alepha1246.TBoolean;
-        passwordPolicy: alepha1246.TObject<{
-          minLength: alepha1246.TInteger;
-          requireUppercase: alepha1246.TBoolean;
-          requireLowercase: alepha1246.TBoolean;
-          requireNumbers: alepha1246.TBoolean;
-          requireSpecialCharacters: alepha1246.TBoolean;
+    response: alepha1672.TObject<{
+      settings: alepha1672.TObject<{
+        registrationAllowed: alepha1672.TBoolean;
+        emailEnabled: alepha1672.TBoolean;
+        emailRequired: alepha1672.TBoolean;
+        usernameEnabled: alepha1672.TBoolean;
+        usernameRequired: alepha1672.TBoolean;
+        phoneEnabled: alepha1672.TBoolean;
+        phoneRequired: alepha1672.TBoolean;
+        verifyEmailRequired: alepha1672.TBoolean;
+        verifyPhoneRequired: alepha1672.TBoolean;
+        firstNameLastNameEnabled: alepha1672.TBoolean;
+        firstNameLastNameRequired: alepha1672.TBoolean;
+        resetPasswordAllowed: alepha1672.TBoolean;
+        passwordPolicy: alepha1672.TObject<{
+          minLength: alepha1672.TInteger;
+          requireUppercase: alepha1672.TBoolean;
+          requireLowercase: alepha1672.TBoolean;
+          requireNumbers: alepha1672.TBoolean;
+          requireSpecialCharacters: alepha1672.TBoolean;
         }>;
       }>;
-      realmName: alepha1246.TString;
-      authenticationMethods: alepha1246.TArray<alepha1246.TObject<{
-        name: alepha1246.TString;
-        type: alepha1246.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
+      realmName: alepha1672.TString;
+      authenticationMethods: alepha1672.TArray<alepha1672.TObject<{
+        name: alepha1672.TString;
+        type: alepha1672.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
       }>>;
     }>;
   }>;
-  readonly checkUsernameAvailability: ActionDescriptorFn<{
-    query: alepha1246.TObject<{
-      userRealmName: alepha1246.TOptional<alepha1246.TString>;
+  readonly checkUsernameAvailability: ActionPrimitiveFn<{
+    query: alepha1672.TObject<{
+      userRealmName: alepha1672.TOptional<alepha1672.TString>;
     }>;
-    body: alepha1246.TObject<{
-      username: alepha1246.TString;
+    body: alepha1672.TObject<{
+      username: alepha1672.TString;
     }>;
-    response: alepha1246.TObject<{
-      available: alepha1246.TBoolean;
+    response: alepha1672.TObject<{
+      available: alepha1672.TBoolean;
     }>;
   }>;
 }
 //#endregion
-//#region ../alepha/src/api-users/descriptors/$userRealm.d.ts
+//#region ../alepha/src/api-users/primitives/$userRealm.d.ts
 interface UserRealmOptions {
   /**
    * Secret key for signing tokens.
@@ -5615,7 +5662,7 @@ interface UserRealmOptions {
    *
    * It's already pre-configured for user management with admin and user roles.
    */
-  realm?: Partial<RealmDescriptorOptions>;
+  realm?: Partial<RealmPrimitiveOptions>;
   /**
    * Override entities.
    */
@@ -5633,32 +5680,32 @@ interface UserRealmOptions {
 }
 //#endregion
 //#region ../alepha/src/api-users/schemas/userRealmConfigSchema.d.ts
-declare const userRealmConfigSchema: alepha1246.TObject<{
-  settings: alepha1246.TObject<{
-    registrationAllowed: alepha1246.TBoolean;
-    emailEnabled: alepha1246.TBoolean;
-    emailRequired: alepha1246.TBoolean;
-    usernameEnabled: alepha1246.TBoolean;
-    usernameRequired: alepha1246.TBoolean;
-    phoneEnabled: alepha1246.TBoolean;
-    phoneRequired: alepha1246.TBoolean;
-    verifyEmailRequired: alepha1246.TBoolean;
-    verifyPhoneRequired: alepha1246.TBoolean;
-    firstNameLastNameEnabled: alepha1246.TBoolean;
-    firstNameLastNameRequired: alepha1246.TBoolean;
-    resetPasswordAllowed: alepha1246.TBoolean;
-    passwordPolicy: alepha1246.TObject<{
-      minLength: alepha1246.TInteger;
-      requireUppercase: alepha1246.TBoolean;
-      requireLowercase: alepha1246.TBoolean;
-      requireNumbers: alepha1246.TBoolean;
-      requireSpecialCharacters: alepha1246.TBoolean;
+declare const userRealmConfigSchema: alepha1672.TObject<{
+  settings: alepha1672.TObject<{
+    registrationAllowed: alepha1672.TBoolean;
+    emailEnabled: alepha1672.TBoolean;
+    emailRequired: alepha1672.TBoolean;
+    usernameEnabled: alepha1672.TBoolean;
+    usernameRequired: alepha1672.TBoolean;
+    phoneEnabled: alepha1672.TBoolean;
+    phoneRequired: alepha1672.TBoolean;
+    verifyEmailRequired: alepha1672.TBoolean;
+    verifyPhoneRequired: alepha1672.TBoolean;
+    firstNameLastNameEnabled: alepha1672.TBoolean;
+    firstNameLastNameRequired: alepha1672.TBoolean;
+    resetPasswordAllowed: alepha1672.TBoolean;
+    passwordPolicy: alepha1672.TObject<{
+      minLength: alepha1672.TInteger;
+      requireUppercase: alepha1672.TBoolean;
+      requireLowercase: alepha1672.TBoolean;
+      requireNumbers: alepha1672.TBoolean;
+      requireSpecialCharacters: alepha1672.TBoolean;
     }>;
   }>;
-  realmName: alepha1246.TString;
-  authenticationMethods: alepha1246.TArray<alepha1246.TObject<{
-    name: alepha1246.TString;
-    type: alepha1246.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
+  realmName: alepha1672.TString;
+  authenticationMethods: alepha1672.TArray<alepha1672.TObject<{
+    name: alepha1672.TString;
+    type: alepha1672.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
   }>>;
 }>;
 type UserRealmConfig = Static<typeof userRealmConfigSchema>;
@@ -5698,9 +5745,9 @@ declare module "alepha/bucket" {
 //#region src/auth/AuthRouter.d.ts
 declare class AuthRouter {
   userRealmClient: HttpVirtualClient<UserRealmController>;
-  login: PageDescriptor<{
-    query: alepha1246.TObject<{
-      redirect: alepha1246.TOptional<alepha1246.TString>;
+  login: PagePrimitive<{
+    query: alepha1672.TObject<{
+      redirect: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }, {
     realmConfig: {
@@ -5732,9 +5779,9 @@ declare class AuthRouter {
       }[];
     };
   }, TPropsParentDefault>;
-  register: PageDescriptor<{
-    query: alepha1246.TObject<{
-      redirect: alepha1246.TOptional<alepha1246.TString>;
+  register: PagePrimitive<{
+    query: alepha1672.TObject<{
+      redirect: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }, {
     realmConfig: {
@@ -5766,9 +5813,9 @@ declare class AuthRouter {
       }[];
     };
   }, TPropsParentDefault>;
-  resetPassword: PageDescriptor<{
-    query: alepha1246.TObject<{
-      redirect: alepha1246.TOptional<alepha1246.TString>;
+  resetPassword: PagePrimitive<{
+    query: alepha1672.TObject<{
+      redirect: alepha1672.TOptional<alepha1672.TString>;
     }>;
   }, {
     realmConfig: {
@@ -5851,7 +5898,7 @@ declare const ResetPassword: (props: ResetPasswordProps) => react_jsx_runtime0.J
  *
  * @module alepha.ui.auth
  */
-declare const AlephaUIAuth: alepha1246.Service<alepha1246.Module>;
+declare const AlephaUIAuth: alepha1672.Service<alepha1672.Module>;
 //#endregion
 export { AlephaUIAuth, AuthRouter, Login, Register, ResetPassword, UserButton, type UserButtonProps };
 //# sourceMappingURL=index.d.ts.map