@astralibx/staff-engine 0.2.0 → 0.2.1

package/dist/index.d.mts

@@ -4,6 +4,7 @@ import { IStaff, IPermissionGroup, LogAdapter, IPermissionGroupCreateInput, IPer
 export { DEFAULT_OPTIONS, ResolvedOptions, StaffEngineConfig } from '@astralibx/staff-types';
 import { AlxError } from '@astralibx/core';
 export { sendSuccess } from '@astralibx/core';
+import { z } from 'zod';
 
 interface IStaffDocument extends Omit<IStaff, '_id'>, Document {
     _id: Types.ObjectId;
@@ -46,6 +47,35 @@ declare class PermissionService {
     getAllPermissionKeys(): Promise<string[]>;
 }
 
+interface StaffServiceDeps {
+    Staff: Model<IStaffDocument>;
+    PermissionGroup: Model<IPermissionGroupDocument>;
+    adapters: StaffAdapters;
+    hooks: StaffHooks;
+    permissionCache: PermissionCacheService;
+    logger: LogAdapter;
+    tenantId?: string;
+    requireEmailUniqueness: boolean;
+}
+declare class StaffService {
+    private Staff;
+    private PermissionGroup;
+    private adapters;
+    private hooks;
+    private permissionCache;
+    private logger;
+    private tenantId?;
+    private requireEmailUniqueness;
+    constructor(deps: StaffServiceDeps);
+    private get tenantFilter();
+    create(data: IStaffCreateInput): Promise<IStaffDocument>;
+    list(filters?: IStaffListFilters): Promise<IPaginatedResult<IStaffDocument>>;
+    getById(staffId: string): Promise<IStaffDocument>;
+    update(staffId: string, data: IStaffUpdateInput): Promise<IStaffDocument>;
+    updatePermissions(staffId: string, permissions: string[]): Promise<IStaffDocument>;
+    updateStatus(staffId: string, status: string): Promise<IStaffDocument>;
+}
+
 declare class RateLimiterService {
     private windowMs;
     private maxAttempts;
@@ -67,36 +97,30 @@ declare class RateLimiterService {
     private recordAttemptRedis;
 }
 
-interface StaffServiceDeps {
+interface AuthServiceDeps {
     Staff: Model<IStaffDocument>;
-    PermissionGroup: Model<IPermissionGroupDocument>;
     adapters: StaffAdapters;
     hooks: StaffHooks;
-    permissionCache: PermissionCacheService;
     rateLimiter: RateLimiterService;
     logger: LogAdapter;
     tenantId?: string;
     jwtSecret: string;
     staffTokenExpiry: string;
     ownerTokenExpiry: string;
-    requireEmailUniqueness: boolean;
     allowSelfPasswordChange: boolean;
 }
-declare class StaffService {
+declare class AuthService {
     private Staff;
-    private PermissionGroup;
     private adapters;
     private hooks;
-    private permissionCache;
     private rateLimiter;
     private logger;
     private tenantId?;
     private jwtSecret;
     private staffTokenExpiry;
     private ownerTokenExpiry;
-    private requireEmailUniqueness;
     private allowSelfPasswordChange;
-    constructor(deps: StaffServiceDeps);
+    constructor(deps: AuthServiceDeps);
     private get tenantFilter();
     private generateToken;
     setupOwner(data: {
@@ -111,12 +135,6 @@ declare class StaffService {
         staff: IStaffDocument;
         token: string;
     }>;
-    create(data: IStaffCreateInput): Promise<IStaffDocument>;
-    list(filters?: IStaffListFilters): Promise<IPaginatedResult<IStaffDocument>>;
-    getById(staffId: string): Promise<IStaffDocument>;
-    update(staffId: string, data: IStaffUpdateInput): Promise<IStaffDocument>;
-    updatePermissions(staffId: string, permissions: string[]): Promise<IStaffDocument>;
-    updateStatus(staffId: string, status: string): Promise<IStaffDocument>;
     resetPassword(staffId: string, newPassword: string): Promise<void>;
     changeOwnPassword(staffId: string, oldPassword: string, newPassword: string): Promise<void>;
 }
@@ -238,10 +256,206 @@ declare class InvalidConfigError extends AlxStaffError {
  */
 declare function validatePermissionPairs(permissions: string[], allGroups: IPermissionGroupDocument[]): void;
 
+declare const StaffEngineConfigSchema: z.ZodObject<{
+    db: z.ZodObject<{
+        connection: z.ZodEffects<z.ZodUnknown, {}, unknown>;
+        collectionPrefix: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        connection: {};
+        collectionPrefix?: string | undefined;
+    }, {
+        connection?: unknown;
+        collectionPrefix?: string | undefined;
+    }>;
+    redis: z.ZodOptional<z.ZodObject<{
+        connection: z.ZodUnknown;
+        keyPrefix: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    }, {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    }>>;
+    logger: z.ZodOptional<z.ZodObject<{
+        info: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        warn: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        error: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    }, {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    }>>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    auth: z.ZodObject<{
+        jwtSecret: z.ZodString;
+        staffTokenExpiry: z.ZodOptional<z.ZodString>;
+        ownerTokenExpiry: z.ZodOptional<z.ZodString>;
+        permissionCacheTtlMs: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    }, {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    }>;
+    adapters: z.ZodObject<{
+        hashPassword: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        comparePassword: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    }, {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    }>;
+    hooks: z.ZodOptional<z.ZodObject<{
+        onStaffCreated: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onLogin: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onLoginFailed: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onPermissionsChanged: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onStatusChanged: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onMetric: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    }, {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    }>>;
+    options: z.ZodOptional<z.ZodObject<{
+        requireEmailUniqueness: z.ZodOptional<z.ZodBoolean>;
+        allowSelfPasswordChange: z.ZodOptional<z.ZodBoolean>;
+        rateLimiter: z.ZodOptional<z.ZodObject<{
+            windowMs: z.ZodOptional<z.ZodNumber>;
+            maxAttempts: z.ZodOptional<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        }, {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    }, {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    db: {
+        connection: {};
+        collectionPrefix?: string | undefined;
+    };
+    auth: {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    };
+    adapters: {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    };
+    tenantId?: string | undefined;
+    options?: {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    } | undefined;
+    redis?: {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    } | undefined;
+    logger?: {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    } | undefined;
+    hooks?: {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    } | undefined;
+}, {
+    db: {
+        connection?: unknown;
+        collectionPrefix?: string | undefined;
+    };
+    auth: {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    };
+    adapters: {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    };
+    tenantId?: string | undefined;
+    options?: {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    } | undefined;
+    redis?: {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    } | undefined;
+    logger?: {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    } | undefined;
+    hooks?: {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    } | undefined;
+}>;
+
 declare function handleStaffError(res: Response, error: unknown, logger: LogAdapter): void;
 
 interface RouteServices {
     staff: StaffService;
+    auth: AuthService;
     permissions: PermissionService;
 }
 declare function createRoutes(services: RouteServices, auth: AuthMiddleware, logger: LogAdapter, allowSelfPasswordChange: boolean): Router;
@@ -250,6 +464,7 @@ interface StaffEngine {
     routes: Router;
     auth: AuthMiddleware;
     staff: StaffService;
+    authService: AuthService;
     permissions: PermissionService;
     models: {
         Staff: Model<IStaffDocument>;
@@ -259,4 +474,4 @@ interface StaffEngine {
 }
 declare function createStaffEngine(config: StaffEngineConfig): StaffEngine;
 
-export { AlxStaffError, type AuthMiddleware, type AuthenticatedRequest, AuthenticationError, AuthorizationError, DEFAULTS, DEFAULT_AUTH, DuplicateError, ERROR_CODE, ERROR_MESSAGE, type ErrorCode, GroupNotFoundError, type IPermissionGroupDocument, type IStaffDocument, InvalidConfigError, InvalidPermissionError, LastOwnerError, PermissionCacheService, PermissionService, RateLimitError, RateLimiterService, SetupError, type StaffEngine, StaffNotFoundError, StaffService, type StaffUser, TokenError, createAuthMiddleware, createPermissionGroupModel, createRoutes, createStaffEngine, createStaffModel, handleStaffError, validatePermissionPairs };
+export { AlxStaffError, type AuthMiddleware, AuthService, type AuthenticatedRequest, AuthenticationError, AuthorizationError, DEFAULTS, DEFAULT_AUTH, DuplicateError, ERROR_CODE, ERROR_MESSAGE, type ErrorCode, GroupNotFoundError, type IPermissionGroupDocument, type IStaffDocument, InvalidConfigError, InvalidPermissionError, LastOwnerError, PermissionCacheService, PermissionService, RateLimitError, RateLimiterService, SetupError, type StaffEngine, StaffEngineConfigSchema, StaffNotFoundError, StaffService, type StaffUser, TokenError, createAuthMiddleware, createPermissionGroupModel, createRoutes, createStaffEngine, createStaffModel, handleStaffError, validatePermissionPairs };

package/dist/index.d.ts

@@ -4,6 +4,7 @@ import { IStaff, IPermissionGroup, LogAdapter, IPermissionGroupCreateInput, IPer
 export { DEFAULT_OPTIONS, ResolvedOptions, StaffEngineConfig } from '@astralibx/staff-types';
 import { AlxError } from '@astralibx/core';
 export { sendSuccess } from '@astralibx/core';
+import { z } from 'zod';
 
 interface IStaffDocument extends Omit<IStaff, '_id'>, Document {
     _id: Types.ObjectId;
@@ -46,6 +47,35 @@ declare class PermissionService {
     getAllPermissionKeys(): Promise<string[]>;
 }
 
+interface StaffServiceDeps {
+    Staff: Model<IStaffDocument>;
+    PermissionGroup: Model<IPermissionGroupDocument>;
+    adapters: StaffAdapters;
+    hooks: StaffHooks;
+    permissionCache: PermissionCacheService;
+    logger: LogAdapter;
+    tenantId?: string;
+    requireEmailUniqueness: boolean;
+}
+declare class StaffService {
+    private Staff;
+    private PermissionGroup;
+    private adapters;
+    private hooks;
+    private permissionCache;
+    private logger;
+    private tenantId?;
+    private requireEmailUniqueness;
+    constructor(deps: StaffServiceDeps);
+    private get tenantFilter();
+    create(data: IStaffCreateInput): Promise<IStaffDocument>;
+    list(filters?: IStaffListFilters): Promise<IPaginatedResult<IStaffDocument>>;
+    getById(staffId: string): Promise<IStaffDocument>;
+    update(staffId: string, data: IStaffUpdateInput): Promise<IStaffDocument>;
+    updatePermissions(staffId: string, permissions: string[]): Promise<IStaffDocument>;
+    updateStatus(staffId: string, status: string): Promise<IStaffDocument>;
+}
+
 declare class RateLimiterService {
     private windowMs;
     private maxAttempts;
@@ -67,36 +97,30 @@ declare class RateLimiterService {
     private recordAttemptRedis;
 }
 
-interface StaffServiceDeps {
+interface AuthServiceDeps {
     Staff: Model<IStaffDocument>;
-    PermissionGroup: Model<IPermissionGroupDocument>;
     adapters: StaffAdapters;
     hooks: StaffHooks;
-    permissionCache: PermissionCacheService;
     rateLimiter: RateLimiterService;
     logger: LogAdapter;
     tenantId?: string;
     jwtSecret: string;
     staffTokenExpiry: string;
     ownerTokenExpiry: string;
-    requireEmailUniqueness: boolean;
     allowSelfPasswordChange: boolean;
 }
-declare class StaffService {
+declare class AuthService {
     private Staff;
-    private PermissionGroup;
     private adapters;
     private hooks;
-    private permissionCache;
     private rateLimiter;
     private logger;
     private tenantId?;
     private jwtSecret;
     private staffTokenExpiry;
     private ownerTokenExpiry;
-    private requireEmailUniqueness;
     private allowSelfPasswordChange;
-    constructor(deps: StaffServiceDeps);
+    constructor(deps: AuthServiceDeps);
     private get tenantFilter();
     private generateToken;
     setupOwner(data: {
@@ -111,12 +135,6 @@ declare class StaffService {
         staff: IStaffDocument;
         token: string;
     }>;
-    create(data: IStaffCreateInput): Promise<IStaffDocument>;
-    list(filters?: IStaffListFilters): Promise<IPaginatedResult<IStaffDocument>>;
-    getById(staffId: string): Promise<IStaffDocument>;
-    update(staffId: string, data: IStaffUpdateInput): Promise<IStaffDocument>;
-    updatePermissions(staffId: string, permissions: string[]): Promise<IStaffDocument>;
-    updateStatus(staffId: string, status: string): Promise<IStaffDocument>;
     resetPassword(staffId: string, newPassword: string): Promise<void>;
     changeOwnPassword(staffId: string, oldPassword: string, newPassword: string): Promise<void>;
 }
@@ -238,10 +256,206 @@ declare class InvalidConfigError extends AlxStaffError {
  */
 declare function validatePermissionPairs(permissions: string[], allGroups: IPermissionGroupDocument[]): void;
 
+declare const StaffEngineConfigSchema: z.ZodObject<{
+    db: z.ZodObject<{
+        connection: z.ZodEffects<z.ZodUnknown, {}, unknown>;
+        collectionPrefix: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        connection: {};
+        collectionPrefix?: string | undefined;
+    }, {
+        connection?: unknown;
+        collectionPrefix?: string | undefined;
+    }>;
+    redis: z.ZodOptional<z.ZodObject<{
+        connection: z.ZodUnknown;
+        keyPrefix: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    }, {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    }>>;
+    logger: z.ZodOptional<z.ZodObject<{
+        info: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        warn: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        error: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    }, {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    }>>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    auth: z.ZodObject<{
+        jwtSecret: z.ZodString;
+        staffTokenExpiry: z.ZodOptional<z.ZodString>;
+        ownerTokenExpiry: z.ZodOptional<z.ZodString>;
+        permissionCacheTtlMs: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    }, {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    }>;
+    adapters: z.ZodObject<{
+        hashPassword: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+        comparePassword: z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    }, {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    }>;
+    hooks: z.ZodOptional<z.ZodObject<{
+        onStaffCreated: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onLogin: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onLoginFailed: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onPermissionsChanged: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onStatusChanged: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+        onMetric: z.ZodOptional<z.ZodFunction<z.ZodTuple<[], z.ZodUnknown>, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    }, {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    }>>;
+    options: z.ZodOptional<z.ZodObject<{
+        requireEmailUniqueness: z.ZodOptional<z.ZodBoolean>;
+        allowSelfPasswordChange: z.ZodOptional<z.ZodBoolean>;
+        rateLimiter: z.ZodOptional<z.ZodObject<{
+            windowMs: z.ZodOptional<z.ZodNumber>;
+            maxAttempts: z.ZodOptional<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        }, {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    }, {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    db: {
+        connection: {};
+        collectionPrefix?: string | undefined;
+    };
+    auth: {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    };
+    adapters: {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    };
+    tenantId?: string | undefined;
+    options?: {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    } | undefined;
+    redis?: {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    } | undefined;
+    logger?: {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    } | undefined;
+    hooks?: {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    } | undefined;
+}, {
+    db: {
+        connection?: unknown;
+        collectionPrefix?: string | undefined;
+    };
+    auth: {
+        jwtSecret: string;
+        staffTokenExpiry?: string | undefined;
+        ownerTokenExpiry?: string | undefined;
+        permissionCacheTtlMs?: number | undefined;
+    };
+    adapters: {
+        hashPassword: (...args: unknown[]) => unknown;
+        comparePassword: (...args: unknown[]) => unknown;
+    };
+    tenantId?: string | undefined;
+    options?: {
+        requireEmailUniqueness?: boolean | undefined;
+        allowSelfPasswordChange?: boolean | undefined;
+        rateLimiter?: {
+            windowMs?: number | undefined;
+            maxAttempts?: number | undefined;
+        } | undefined;
+    } | undefined;
+    redis?: {
+        connection?: unknown;
+        keyPrefix?: string | undefined;
+    } | undefined;
+    logger?: {
+        info: (...args: unknown[]) => unknown;
+        warn: (...args: unknown[]) => unknown;
+        error: (...args: unknown[]) => unknown;
+    } | undefined;
+    hooks?: {
+        onStaffCreated?: ((...args: unknown[]) => unknown) | undefined;
+        onLogin?: ((...args: unknown[]) => unknown) | undefined;
+        onLoginFailed?: ((...args: unknown[]) => unknown) | undefined;
+        onPermissionsChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onStatusChanged?: ((...args: unknown[]) => unknown) | undefined;
+        onMetric?: ((...args: unknown[]) => unknown) | undefined;
+    } | undefined;
+}>;
+
 declare function handleStaffError(res: Response, error: unknown, logger: LogAdapter): void;
 
 interface RouteServices {
     staff: StaffService;
+    auth: AuthService;
     permissions: PermissionService;
 }
 declare function createRoutes(services: RouteServices, auth: AuthMiddleware, logger: LogAdapter, allowSelfPasswordChange: boolean): Router;
@@ -250,6 +464,7 @@ interface StaffEngine {
     routes: Router;
     auth: AuthMiddleware;
     staff: StaffService;
+    authService: AuthService;
     permissions: PermissionService;
     models: {
         Staff: Model<IStaffDocument>;
@@ -259,4 +474,4 @@ interface StaffEngine {
 }
 declare function createStaffEngine(config: StaffEngineConfig): StaffEngine;
 
-export { AlxStaffError, type AuthMiddleware, type AuthenticatedRequest, AuthenticationError, AuthorizationError, DEFAULTS, DEFAULT_AUTH, DuplicateError, ERROR_CODE, ERROR_MESSAGE, type ErrorCode, GroupNotFoundError, type IPermissionGroupDocument, type IStaffDocument, InvalidConfigError, InvalidPermissionError, LastOwnerError, PermissionCacheService, PermissionService, RateLimitError, RateLimiterService, SetupError, type StaffEngine, StaffNotFoundError, StaffService, type StaffUser, TokenError, createAuthMiddleware, createPermissionGroupModel, createRoutes, createStaffEngine, createStaffModel, handleStaffError, validatePermissionPairs };
+export { AlxStaffError, type AuthMiddleware, AuthService, type AuthenticatedRequest, AuthenticationError, AuthorizationError, DEFAULTS, DEFAULT_AUTH, DuplicateError, ERROR_CODE, ERROR_MESSAGE, type ErrorCode, GroupNotFoundError, type IPermissionGroupDocument, type IStaffDocument, InvalidConfigError, InvalidPermissionError, LastOwnerError, PermissionCacheService, PermissionService, RateLimitError, RateLimiterService, SetupError, type StaffEngine, StaffEngineConfigSchema, StaffNotFoundError, StaffService, type StaffUser, TokenError, createAuthMiddleware, createPermissionGroupModel, createRoutes, createStaffEngine, createStaffModel, handleStaffError, validatePermissionPairs };