@mesob/auth-hono 0.3.5 → 0.4.1

package/dist/index.js

@@ -161,11 +161,10 @@ var tenantsInIam = iam.table("tenants", {
 var rolePermissionsInIam = iam.table("role_permissions", {
   id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
   tenantId: varchar("tenant_id", { length: 30 }).notNull(),
-  roleId: text("role_id").notNull(),
-  permissionId: text("permission_id").notNull()
+  permissionId: text("permission_id").notNull(),
+  roleId: uuid("role_id").notNull()
 }, (table) => [
   index("idx_role_permissions_permission_id").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.permissionId.asc().nullsLast().op("text_ops")),
-  index("idx_role_permissions_tenant_role").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.roleId.asc().nullsLast().op("text_ops")),
   foreignKey({
     columns: [table.tenantId],
     foreignColumns: [tenantsInIam.id],
@@ -177,11 +176,11 @@ var rolePermissionsInIam = iam.table("role_permissions", {
     name: "role_permissions_permission_id_fkey"
   }).onUpdate("cascade").onDelete("cascade"),
   foreignKey({
-    columns: [table.roleId],
-    foreignColumns: [rolesInIam.id],
-    name: "role_permissions_role_id_fkey"
-  }).onUpdate("cascade").onDelete("cascade"),
-  unique("role_permissions_unique").on(table.roleId, table.permissionId),
+    columns: [table.tenantId, table.roleId],
+    foreignColumns: [rolesInIam.tenantId, rolesInIam.id],
+    name: "role_permissions_tenant_role_fkey"
+  }).onDelete("cascade"),
+  unique("role_permissions_tenant_role_permission_unique").on(table.tenantId, table.permissionId, table.roleId),
   pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
 ]);
 var permissionsInIam = iam.table("permissions", {
@@ -225,23 +224,6 @@ var accountsInIam = iam.table("accounts", {
   unique("accounts_tenant_provider_account_unique").on(table.tenantId, table.provider, table.providerAccountId),
   pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
 ]);
-var rolesInIam = iam.table("roles", {
-  id: text().primaryKey().notNull(),
-  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
-  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
-  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
-  name: jsonb().notNull(),
-  description: jsonb().notNull(),
-  code: text().notNull()
-}, (table) => [
-  foreignKey({
-    columns: [table.tenantId],
-    foreignColumns: [tenantsInIam.id],
-    name: "roles_tenant_id_fkey"
-  }).onUpdate("cascade").onDelete("cascade"),
-  unique("roles_tenant_code_unique").on(table.tenantId, table.code),
-  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
-]);
 var usersInIam = iam.table("users", {
   id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
   tenantId: varchar("tenant_id", { length: 30 }).notNull(),
@@ -257,7 +239,7 @@ var usersInIam = iam.table("users", {
   bannedUntil: timestamp("banned_until", { withTimezone: true, mode: "string" }),
   lastSignInAt: timestamp("last_sign_in_at", { withTimezone: true, mode: "string" }),
   loginAttempt: smallint("login_attempt").default(0).notNull(),
-  userType: text("user_type").array().default(["employee"]).notNull()
+  userType: text("user_type").array().default(["RAY"]).notNull()
 }, (table) => [
   index("idx_users_auth_lookup").using("btree", table.tenantId.asc().nullsLast().op("bool_ops"), table.email.asc().nullsLast().op("bool_ops"), table.id.asc().nullsLast().op("timestamptz_ops"), table.emailVerified.asc().nullsLast().op("timestamptz_ops"), table.bannedUntil.asc().nullsLast().op("uuid_ops")).where(sql`(email IS NOT NULL)`),
   index("idx_users_email_lookup").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.email.asc().nullsLast().op("text_ops")).where(sql`(email IS NOT NULL)`),
@@ -281,14 +263,34 @@ var usersInIam = iam.table("users", {
   check("users_contact_required_check", sql`(email IS NOT NULL) OR (phone IS NOT NULL)`),
   check("users_user_type_check", sql`user_type <@ ARRAY['candidate'::text, 'employee'::text, 'admin'::text]`)
 ]);
+var rolesInIam = iam.table("roles", {
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  name: jsonb().notNull(),
+  description: jsonb().notNull(),
+  code: text().notNull(),
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  isSystem: boolean("is_system").default(false).notNull(),
+  isEditable: boolean("is_editable").default(true).notNull(),
+  isDeletable: boolean("is_deletable").default(true).notNull()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "roles_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("roles_tenant_code_unique").on(table.tenantId, table.code),
+  unique("roles_tenant_id_unique").on(table.tenantId, table.id),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
 var userRolesInIam = iam.table("user_roles", {
   id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
   tenantId: varchar("tenant_id", { length: 30 }).notNull(),
   userId: uuid("user_id").notNull(),
-  roleId: text("role_id").notNull()
+  roleId: uuid("role_id").notNull()
 }, (table) => [
-  index("idx_user_roles_role_id").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.roleId.asc().nullsLast().op("text_ops")),
-  index("idx_user_roles_tenant_user").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("text_ops")),
+  index("idx_user_roles_tenant_user").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("uuid_ops")),
   foreignKey({
     columns: [table.tenantId],
     foreignColumns: [tenantsInIam.id],
@@ -300,11 +302,11 @@ var userRolesInIam = iam.table("user_roles", {
     name: "user_roles_user_id_fkey"
   }).onUpdate("cascade").onDelete("cascade"),
   foreignKey({
-    columns: [table.roleId],
-    foreignColumns: [rolesInIam.id],
-    name: "user_roles_role_id_fkey"
-  }).onUpdate("cascade").onDelete("cascade"),
-  unique("user_roles_unique").on(table.userId, table.roleId),
+    columns: [table.tenantId, table.roleId],
+    foreignColumns: [rolesInIam.tenantId, rolesInIam.id],
+    name: "user_roles_tenant_role_fkey"
+  }).onDelete("cascade"),
+  unique("user_roles_tenant_user_role_unique").on(table.tenantId, table.userId, table.roleId),
   pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
 ]);
 var domainsInIam = iam.table("domains", {
@@ -348,8 +350,8 @@ var tenantsInIamRelations = relations(tenantsInIam, ({ many }) => ({
   accountChangesInIam: many(accountChangesInIam),
   rolePermissionsInIam: many(rolePermissionsInIam),
   accountsInIam: many(accountsInIam),
-  rolesInIam: many(rolesInIam),
   usersInIam: many(usersInIam),
+  rolesInIam: many(rolesInIam),
   userRolesInIam: many(userRolesInIam),
   domainsInIam: many(domainsInIam)
 }));
@@ -394,8 +396,8 @@ var rolePermissionsInIamRelations = relations(rolePermissionsInIam, ({ one }) =>
     references: [permissionsInIam.id]
   }),
   rolesInIam: one(rolesInIam, {
-    fields: [rolePermissionsInIam.roleId],
-    references: [rolesInIam.id]
+    fields: [rolePermissionsInIam.tenantId],
+    references: [rolesInIam.tenantId]
   })
 }));
 var permissionsInIamRelations = relations(permissionsInIam, ({ many }) => ({
@@ -429,8 +431,8 @@ var userRolesInIamRelations = relations(userRolesInIam, ({ one }) => ({
     references: [usersInIam.id]
   }),
   rolesInIam: one(rolesInIam, {
-    fields: [userRolesInIam.roleId],
-    references: [rolesInIam.id]
+    fields: [userRolesInIam.tenantId],
+    references: [rolesInIam.tenantId]
   })
 }));
 var domainsInIamRelations = relations(domainsInIam, ({ one }) => ({
@@ -534,7 +536,66 @@ var findTenantById = async (database, tenantId) => {
 };
 
 // src/db/orm/user.ts
+import { and as and4, eq as eq4 } from "drizzle-orm";
+
+// src/lib/user-auth-select.ts
 import { and as and3, eq as eq3, sql as sql3 } from "drizzle-orm";
+function getUserAuthSelect(tenantId) {
+  return {
+    roles: sql3`COALESCE(
+      (
+        select array_to_json(array_agg(distinct "iam"."roles"."id"))
+        from ${userRolesInIam}
+        inner join ${rolesInIam}
+          on ${and3(
+      eq3(rolesInIam.tenantId, userRolesInIam.tenantId),
+      eq3(rolesInIam.id, userRolesInIam.roleId)
+    )}
+        where ${and3(
+      eq3(userRolesInIam.tenantId, tenantId),
+      eq3(userRolesInIam.userId, usersInIam.id)
+    )}
+      ),
+      '[]'::json
+    )`,
+    roleCodes: sql3`COALESCE(
+      (
+        select array_to_json(array_agg(distinct ${rolesInIam.code}))
+        from ${userRolesInIam}
+        inner join ${rolesInIam}
+          on ${and3(
+      eq3(rolesInIam.tenantId, userRolesInIam.tenantId),
+      eq3(rolesInIam.id, userRolesInIam.roleId)
+    )}
+        where ${and3(
+      eq3(userRolesInIam.tenantId, tenantId),
+      eq3(userRolesInIam.userId, usersInIam.id)
+    )}
+      ),
+      '[]'::json
+    )`,
+    permissions: sql3`COALESCE(
+      (
+        select array_to_json(array_agg(distinct "iam"."permissions"."id"))
+        from ${userRolesInIam}
+        inner join ${rolePermissionsInIam}
+          on ${and3(
+      eq3(rolePermissionsInIam.tenantId, userRolesInIam.tenantId),
+      eq3(rolePermissionsInIam.roleId, userRolesInIam.roleId)
+    )}
+        inner join ${permissionsInIam}
+          on ${eq3(permissionsInIam.id, rolePermissionsInIam.permissionId)}
+        where ${and3(
+      eq3(userRolesInIam.tenantId, tenantId),
+      eq3(userRolesInIam.userId, usersInIam.id)
+    )}
+      ),
+      '[]'::json
+    )`
+  };
+}
+
+// src/db/orm/user.ts
 var fetchUserWithRoles = async ({
   database,
   userId,
@@ -551,40 +612,8 @@ var fetchUserWithRoles = async ({
     emailVerified: usersInIam.emailVerified,
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt,
-    roles: sql3`COALESCE(
-        array_to_json(array_agg(DISTINCT ${rolesInIam.id}) FILTER (WHERE ${userRolesInIam.id} IS NOT NULL)),
-        '[]'::json
-      )`,
-    roleCodes: sql3`COALESCE(
-        array_to_json(array_agg(DISTINCT ${rolesInIam.code}) FILTER (WHERE ${rolesInIam.code} IS NOT NULL)),
-        '[]'::json
-      )`,
-    permissions: sql3`COALESCE(
-        array_to_json(array_agg(DISTINCT ${permissionsInIam.id}) FILTER (WHERE ${permissionsInIam.id} IS NOT NULL)),
-        '[]'::json
-      )`
-  }).from(usersInIam).leftJoin(
-    userRolesInIam,
-    and3(
-      eq3(userRolesInIam.userId, usersInIam.id),
-      eq3(userRolesInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    rolesInIam,
-    and3(
-      eq3(userRolesInIam.roleId, rolesInIam.id),
-      eq3(rolesInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    rolePermissionsInIam,
-    and3(
-      eq3(rolePermissionsInIam.roleId, rolesInIam.id),
-      eq3(rolePermissionsInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    permissionsInIam,
-    eq3(rolePermissionsInIam.permissionId, permissionsInIam.id)
-  ).where(and3(eq3(usersInIam.id, userId), eq3(usersInIam.tenantId, tenantId))).groupBy(usersInIam.id).limit(1);
+    ...getUserAuthSelect(tenantId)
+  }).from(usersInIam).where(and4(eq4(usersInIam.id, userId), eq4(usersInIam.tenantId, tenantId))).limit(1);
   return userResult || null;
 };
 
@@ -821,6 +850,7 @@ import { z } from "zod";
 var emailField = z.string().trim().email("Invalid email address").max(255, "Email too long");
 var phoneField = z.string().trim().min(6, "Phone too short").max(30, "Phone too long").regex(/^[+()\d\s-]+$/, "Invalid phone number format");
 var passwordField = z.string().min(8, "Password must be at least 8 characters").max(128, "Password too long");
+var identifierField = z.string().trim().min(1, "Identifier is required");
 var userSchema = z.object({
   id: z.string().uuid(),
   tenantId: z.string(),
@@ -843,12 +873,34 @@ var sessionSchema = z.object({
   userAgent: z.string().nullable().optional(),
   ip: z.string().nullable().optional()
 });
+var authUserSchema = z.object({
+  id: z.string().uuid(),
+  tenantId: z.string(),
+  fullName: z.string(),
+  email: z.string().email().nullable(),
+  phone: z.string().nullable(),
+  image: z.string().nullable(),
+  emailVerified: z.boolean(),
+  phoneVerified: z.boolean()
+});
+var authSessionSchema = z.object({
+  id: z.string().uuid(),
+  expiresAt: z.string().datetime()
+});
 var authSuccessSchema = z.object({
-  user: userSchema,
-  session: sessionSchema.nullable(),
+  user: authUserSchema,
+  session: authSessionSchema.nullable(),
   sessionToken: z.string().optional(),
   sessionExpiresAt: z.string().datetime().optional()
 });
+var authAccountSchema = z.object({
+  fullName: z.string(),
+  email: z.string().email().nullable(),
+  phone: z.string().nullable(),
+  verified: z.boolean(),
+  hasPassword: z.boolean(),
+  requiresPasswordSetup: z.boolean()
+});
 var messageSchema = z.object({
   message: z.string()
 });
@@ -870,7 +922,13 @@ var signUpSchema = z.object({
   path: ["email"]
 });
 var signInSchema = z.object({
-  identifier: z.string(),
+  identifier: identifierField,
+  password: passwordField,
+  /** Keep me signed in for longer. Default: true */
+  rememberMe: z.boolean().default(true)
+});
+var setPasswordSchema = z.object({
+  identifier: identifierField,
   password: passwordField,
   /** Keep me signed in for longer. Default: true */
   rememberMe: z.boolean().default(true)
@@ -919,11 +977,14 @@ var messageWithVerificationIdSchema = messageSchema.extend({
   verificationId: z.string().uuid().optional()
 });
 var checkAccountSchema = z.object({
-  username: z.string()
+  username: identifierField
 });
 var checkAccountResponseSchema = z.object({
   exists: z.boolean(),
-  verified: z.boolean()
+  verified: z.boolean(),
+  hasPassword: z.boolean(),
+  requiresPasswordSetup: z.boolean(),
+  account: authAccountSchema.nullable()
 });
 var updateProfileSchema = z.object({
   fullName: z.string().min(1).max(255).optional().describe("User full name")
@@ -949,7 +1010,7 @@ var pendingAccountChangeResponseSchema = z.object({
 });
 
 // src/routes/auth/handler/check-account.ts
-import { and as and4, eq as eq4, sql as sql4 } from "drizzle-orm";
+import { and as and5, eq as eq5, sql as sql4 } from "drizzle-orm";
 
 // src/lib/tenant.ts
 import { HTTPException as HTTPException2 } from "hono/http-exception";
@@ -981,22 +1042,45 @@ var checkAccountHandler = async (c) => {
   const { username } = body;
   const isEmail = username.includes("@");
   const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
-  const whereClause = isEmail ? and4(
-    eq4(usersInIam.tenantId, resolvedTenantId),
+  const whereClause = isEmail ? and5(
+    eq5(usersInIam.tenantId, resolvedTenantId),
     userTypeFilter,
     sql4`lower(${usersInIam.email}) = lower(${username})`
-  ) : and4(
-    eq4(usersInIam.tenantId, resolvedTenantId),
+  ) : and5(
+    eq5(usersInIam.tenantId, resolvedTenantId),
     userTypeFilter,
-    eq4(usersInIam.phone, username)
+    eq5(usersInIam.phone, username)
   );
   const [result] = await database.select({
-    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified
-  }).from(usersInIam).where(whereClause).limit(1);
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified,
+    password: accountsInIam.password
+  }).from(usersInIam).leftJoin(
+    accountsInIam,
+    and5(
+      eq5(accountsInIam.tenantId, resolvedTenantId),
+      eq5(accountsInIam.userId, usersInIam.id),
+      eq5(accountsInIam.provider, "credentials")
+    )
+  ).where(whereClause).limit(1);
+  const verified = result?.verified ?? false;
+  const hasPassword = Boolean(result?.password);
   return c.json(
     {
       exists: !!result,
-      verified: result?.verified ?? false
+      verified,
+      hasPassword,
+      requiresPasswordSetup: !!result && verified && !hasPassword,
+      account: result ? {
+        fullName: result.fullName,
+        email: result.email,
+        phone: result.phone,
+        verified,
+        hasPassword,
+        requiresPasswordSetup: verified && !hasPassword
+      } : null
     },
     200
   );
@@ -1004,7 +1088,7 @@ var checkAccountHandler = async (c) => {
 
 // src/routes/auth/handler/sign-in.ts
 import { logger as logger2 } from "@mesob/common";
-import { and as and8, eq as eq8 } from "drizzle-orm";
+import { and as and9, eq as eq9 } from "drizzle-orm";
 
 // src/errors.ts
 var AUTH_ERRORS = {
@@ -1018,15 +1102,25 @@ var AUTH_ERRORS = {
   REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
   UNAUTHORIZED: "UNAUTHORIZED",
   ACCESS_DENIED: "ACCESS_DENIED",
-  HAS_NO_PASSWORD: "HAS_NO_PASSWORD"
-};
-
-// src/lib/normalize-user.ts
-var normalizeUser = (user) => ({
-  ...user,
-  roles: user.roles ?? null,
-  roleCodes: user.roleCodes ?? null
-});
+  HAS_NO_PASSWORD: "HAS_NO_PASSWORD",
+  PASSWORD_ALREADY_SET: "PASSWORD_ALREADY_SET"
+};
+
+// src/lib/normalize-auth-response.ts
+var normalizeAuthUser = (user) => ({
+  id: user.id,
+  tenantId: user.tenantId,
+  fullName: user.fullName,
+  email: user.email,
+  phone: user.phone,
+  image: user.image,
+  emailVerified: user.emailVerified,
+  phoneVerified: user.phoneVerified
+});
+var normalizeAuthSession = (session) => session ? {
+  id: session.id,
+  expiresAt: session.expiresAt
+} : null;
 
 // src/lib/session.ts
 import { dayjs } from "@mesob/common";
@@ -1105,7 +1199,7 @@ var getRefreshedExpiresAt = ({
 };
 
 // src/routes/auth/helper/session.ts
-import { and as and5, asc, eq as eq5, gt as gt2, inArray, sql as sql5 } from "drizzle-orm";
+import { and as and6, asc, eq as eq6, gt as gt2, inArray, sql as sql5 } from "drizzle-orm";
 var createSessionRecord = async ({
   tx,
   tenantId,
@@ -1174,9 +1268,9 @@ var cleanupOldSessions = async ({
   maxSessions
 }) => {
   const [{ count }] = await database.select({ count: sql5`count(*)` }).from(sessionsInIam).where(
-    and5(
-      eq5(sessionsInIam.tenantId, tenantId),
-      eq5(sessionsInIam.userId, userId),
+    and6(
+      eq6(sessionsInIam.tenantId, tenantId),
+      eq6(sessionsInIam.userId, userId),
       gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   );
@@ -1185,9 +1279,9 @@ var cleanupOldSessions = async ({
   }
   const toDeleteCount = count - maxSessions;
   const idsToDelete = await database.select({ id: sessionsInIam.id }).from(sessionsInIam).where(
-    and5(
-      eq5(sessionsInIam.tenantId, tenantId),
-      eq5(sessionsInIam.userId, userId),
+    and6(
+      eq6(sessionsInIam.tenantId, tenantId),
+      eq6(sessionsInIam.userId, userId),
       gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).orderBy(asc(sessionsInIam.createdAt)).limit(toDeleteCount);
@@ -1195,9 +1289,9 @@ var cleanupOldSessions = async ({
     return;
   }
   await database.delete(sessionsInIam).where(
-    and5(
-      eq5(sessionsInIam.tenantId, tenantId),
-      eq5(sessionsInIam.userId, userId),
+    and6(
+      eq6(sessionsInIam.tenantId, tenantId),
+      eq6(sessionsInIam.userId, userId),
       inArray(
         sessionsInIam.id,
         idsToDelete.map((s) => s.id)
@@ -1207,17 +1301,17 @@ var cleanupOldSessions = async ({
 };
 
 // src/routes/auth/helper/user.ts
-import { and as and6, eq as eq6, gt as gt3, sql as sql6 } from "drizzle-orm";
+import { and as and7, eq as eq7, gt as gt3, sql as sql6 } from "drizzle-orm";
 var checkExistingUserStatus = async ({
   tx,
   identifier,
   tenantId,
   isEmail
 }) => {
-  const whereClause = isEmail ? and6(
-    eq6(usersInIam.tenantId, tenantId),
+  const whereClause = isEmail ? and7(
+    eq7(usersInIam.tenantId, tenantId),
     sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and6(eq6(usersInIam.tenantId, tenantId), eq6(usersInIam.phone, identifier));
+  ) : and7(eq7(usersInIam.tenantId, tenantId), eq7(usersInIam.phone, identifier));
   const [existingUser] = await tx.select().from(usersInIam).where(whereClause).limit(1);
   if (!existingUser) {
     return { action: "proceed" };
@@ -1227,9 +1321,9 @@ var checkExistingUserStatus = async ({
     return { action: "error", code: AUTH_ERRORS.USER_EXISTS };
   }
   const [pendingVerification] = await tx.select().from(verificationsInIam).where(
-    and6(
-      eq6(verificationsInIam.userId, existingUser.id),
-      eq6(verificationsInIam.tenantId, tenantId),
+    and7(
+      eq7(verificationsInIam.userId, existingUser.id),
+      eq7(verificationsInIam.tenantId, tenantId),
       gt3(verificationsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).limit(1);
@@ -1249,18 +1343,18 @@ var deleteUnverifiedUser = async ({
   tenantId
 }) => {
   await tx.delete(verificationsInIam).where(
-    and6(
-      eq6(verificationsInIam.userId, userId),
-      eq6(verificationsInIam.tenantId, tenantId)
+    and7(
+      eq7(verificationsInIam.userId, userId),
+      eq7(verificationsInIam.tenantId, tenantId)
     )
   );
   await tx.delete(accountsInIam).where(
-    and6(
-      eq6(accountsInIam.userId, userId),
-      eq6(accountsInIam.tenantId, tenantId)
+    and7(
+      eq7(accountsInIam.userId, userId),
+      eq7(accountsInIam.tenantId, tenantId)
     )
   );
-  await tx.delete(usersInIam).where(and6(eq6(usersInIam.id, userId), eq6(usersInIam.tenantId, tenantId)));
+  await tx.delete(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId)));
 };
 var createUserWithAccount = async ({
   tx,
@@ -1300,14 +1394,14 @@ var fetchUserForLogin = async ({
   userType
 }) => {
   const userTypeFilter = sql6`${usersInIam.userType} @> ARRAY[${userType}]::text[]`;
-  const whereClause = isEmail ? and6(
-    eq6(usersInIam.tenantId, tenantId),
+  const whereClause = isEmail ? and7(
+    eq7(usersInIam.tenantId, tenantId),
     userTypeFilter,
     sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and6(
-    eq6(usersInIam.tenantId, tenantId),
+  ) : and7(
+    eq7(usersInIam.tenantId, tenantId),
     userTypeFilter,
-    eq6(usersInIam.phone, identifier)
+    eq7(usersInIam.phone, identifier)
   );
   const [row] = await database.select({
     id: usersInIam.id,
@@ -1321,8 +1415,16 @@ var fetchUserForLogin = async ({
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt,
     bannedUntil: usersInIam.bannedUntil,
-    loginAttempt: usersInIam.loginAttempt
-  }).from(usersInIam).where(whereClause).limit(1);
+    loginAttempt: usersInIam.loginAttempt,
+    hasPassword: sql6`coalesce(${accountsInIam.password} is not null, false)`
+  }).from(usersInIam).leftJoin(
+    accountsInIam,
+    and7(
+      eq7(accountsInIam.tenantId, tenantId),
+      eq7(accountsInIam.userId, usersInIam.id),
+      eq7(accountsInIam.provider, "credentials")
+    )
+  ).where(whereClause).limit(1);
   return row || null;
 };
 var fetchUserByIdWithRoles = async ({
@@ -1343,46 +1445,14 @@ var fetchUserByIdWithRoles = async ({
     lastSignInAt: usersInIam.lastSignInAt,
     bannedUntil: usersInIam.bannedUntil,
     loginAttempt: usersInIam.loginAttempt,
-    roles: sql6`COALESCE(
-        array_to_json(array_agg(DISTINCT ${rolesInIam.id}) FILTER (WHERE ${userRolesInIam.id} IS NOT NULL)),
-        '[]'::json
-      )`,
-    roleCodes: sql6`COALESCE(
-        array_to_json(array_agg(DISTINCT ${rolesInIam.code}) FILTER (WHERE ${rolesInIam.code} IS NOT NULL)),
-        '[]'::json
-      )`,
-    permissions: sql6`COALESCE(
-        array_to_json(array_agg(DISTINCT ${permissionsInIam.id}) FILTER (WHERE ${permissionsInIam.id} IS NOT NULL)),
-        '[]'::json
-      )`
-  }).from(usersInIam).leftJoin(
-    userRolesInIam,
-    and6(
-      eq6(userRolesInIam.userId, usersInIam.id),
-      eq6(userRolesInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    rolesInIam,
-    and6(
-      eq6(userRolesInIam.roleId, rolesInIam.id),
-      eq6(rolesInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    rolePermissionsInIam,
-    and6(
-      eq6(rolePermissionsInIam.roleId, rolesInIam.id),
-      eq6(rolePermissionsInIam.tenantId, tenantId)
-    )
-  ).leftJoin(
-    permissionsInIam,
-    eq6(rolePermissionsInIam.permissionId, permissionsInIam.id)
-  ).where(and6(eq6(usersInIam.id, userId), eq6(usersInIam.tenantId, tenantId))).groupBy(usersInIam.id).limit(1);
+    ...getUserAuthSelect(tenantId)
+  }).from(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId))).limit(1);
   return result || null;
 };
 
 // src/routes/auth/helper/verification.ts
 import { dayjs as dayjs2 } from "@mesob/common";
-import { and as and7, desc, eq as eq7 } from "drizzle-orm";
+import { and as and8, desc, eq as eq8 } from "drizzle-orm";
 var createVerification = async ({
   tx,
   tenantId,
@@ -1448,10 +1518,10 @@ var checkVerificationResend = async ({
     id: verificationsInIam.id,
     createdAt: verificationsInIam.createdAt
   }).from(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.tenantId, tenantId),
-      eq7(verificationsInIam.userId, userId),
-      eq7(verificationsInIam.type, type)
+    and8(
+      eq8(verificationsInIam.tenantId, tenantId),
+      eq8(verificationsInIam.userId, userId),
+      eq8(verificationsInIam.type, type)
     )
   ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
   if (!verification) {
@@ -1473,10 +1543,10 @@ var handleEmailVerification = async ({
     return c.json({ error: "User email not found" }, 401);
   }
   await database.delete(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.tenantId, tenantId),
-      eq7(verificationsInIam.userId, user.id),
-      eq7(verificationsInIam.type, "email-verification")
+    and8(
+      eq8(verificationsInIam.tenantId, tenantId),
+      eq8(verificationsInIam.userId, user.id),
+      eq8(verificationsInIam.type, "email-verification")
     )
   );
   const code = generateOtpCode(config.email.otpLength);
@@ -1511,7 +1581,7 @@ var handleEmailVerification = async ({
   }
   return c.json(
     {
-      user: normalizeUser(user),
+      user: normalizeAuthUser(user),
       session: null,
       verificationId: verification.id,
       requiresVerification: true
@@ -1530,10 +1600,10 @@ var handlePhoneVerification = async ({
     return c.json({ error: "User phone not found" }, 401);
   }
   await database.delete(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.tenantId, tenantId),
-      eq7(verificationsInIam.userId, user.id),
-      eq7(verificationsInIam.type, "phone-otp")
+    and8(
+      eq8(verificationsInIam.tenantId, tenantId),
+      eq8(verificationsInIam.userId, user.id),
+      eq8(verificationsInIam.type, "phone-otp")
     )
   );
   const code = generateOtpCode(config.phone.otpLength);
@@ -1568,7 +1638,7 @@ var handlePhoneVerification = async ({
   }
   return c.json(
     {
-      user: normalizeUser(user),
+      user: normalizeAuthUser(user),
       session: null,
       verificationId: verification.id,
       requiresVerification: true
@@ -1578,177 +1648,178 @@ var handlePhoneVerification = async ({
 };
 
 // src/routes/auth/handler/sign-in.ts
-var signInHandler = async (c) => {
-  const body = c.req.valid("json");
-  const config = c.get("config");
-  const database = c.get("database");
-  const tenantId = c.get("tenantId");
-  const resolvedTenantId = ensureTenantId(config, tenantId);
-  const { identifier, password, rememberMe = true } = body;
-  const isEmail = identifier.includes("@");
-  if (isEmail && !config.email.enabled) {
-    return c.json({ error: "Email authentication is disabled" }, 401);
-  }
-  if (!(isEmail || config.phone.enabled)) {
-    return c.json({ error: "Phone authentication is disabled" }, 401);
-  }
-  const user = await fetchUserForLogin({
-    database,
-    identifier,
-    tenantId: resolvedTenantId,
-    isEmail,
-    userType: config.userType
-  });
-  if (!user) {
-    logger2.log("[sign-in] 401: user not found", {
+var signInHandler = (
+  // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: auth flow combines lockout, verification, and session creation
+  async function signInHandler2(c) {
+    const body = c.req.valid("json");
+    const config = c.get("config");
+    const database = c.get("database");
+    const tenantId = c.get("tenantId");
+    const resolvedTenantId = ensureTenantId(config, tenantId);
+    const { identifier, password, rememberMe = true } = body;
+    const isEmail = identifier.includes("@");
+    if (isEmail && !config.email.enabled) {
+      return c.json({ error: "Email authentication is disabled" }, 401);
+    }
+    if (!(isEmail || config.phone.enabled)) {
+      return c.json({ error: "Phone authentication is disabled" }, 401);
+    }
+    const user = await fetchUserForLogin({
+      database,
       identifier,
       tenantId: resolvedTenantId,
+      isEmail,
       userType: config.userType
     });
-    return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
-  }
-  if (user.bannedUntil && new Date(user.bannedUntil) > /* @__PURE__ */ new Date()) {
-    logger2.log("[sign-in] 401: account banned", {
-      userId: user.id,
-      bannedUntil: user.bannedUntil
-    });
-    return c.json(
-      {
-        error: "Account locked. Try again later.",
+    if (!user) {
+      logger2.log("[sign-in] 401: user not found", {
+        identifier,
+        tenantId: resolvedTenantId,
+        userType: config.userType
+      });
+      return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
+    }
+    if (user.bannedUntil && new Date(user.bannedUntil) > /* @__PURE__ */ new Date()) {
+      logger2.log("[sign-in] 401: account banned", {
+        userId: user.id,
         bannedUntil: user.bannedUntil
-      },
-      401
-    );
-  }
-  const [account] = await database.select({
-    id: accountsInIam.id,
-    tenantId: accountsInIam.tenantId,
-    userId: accountsInIam.userId,
-    provider: accountsInIam.provider,
-    providerAccountId: accountsInIam.providerAccountId,
-    password: accountsInIam.password
-  }).from(accountsInIam).where(
-    and8(
-      eq8(accountsInIam.tenantId, resolvedTenantId),
-      eq8(accountsInIam.userId, user.id),
-      eq8(accountsInIam.provider, "credentials")
-    )
-  ).limit(1);
-  if (!account?.password) {
-    logger2.log("[sign-in] 401: no credentials account", { userId: user.id });
-    return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
-  }
-  const passwordValid = await verifyPassword(password, account.password);
-  if (!passwordValid) {
-    const newAttempt = (user.loginAttempt || 0) + 1;
-    const updateData = {
-      loginAttempt: newAttempt
-    };
-    if (config.security && newAttempt >= config.security.maxLoginAttempts) {
-      updateData.bannedUntil = addDuration(config.security.lockoutDuration);
+      });
+      return c.json(
+        {
+          error: "Account locked. Try again later.",
+          bannedUntil: user.bannedUntil
+        },
+        401
+      );
+    }
+    const [account] = await database.select({
+      id: accountsInIam.id,
+      tenantId: accountsInIam.tenantId,
+      userId: accountsInIam.userId,
+      provider: accountsInIam.provider,
+      providerAccountId: accountsInIam.providerAccountId,
+      password: accountsInIam.password
+    }).from(accountsInIam).where(
+      and9(
+        eq9(accountsInIam.tenantId, resolvedTenantId),
+        eq9(accountsInIam.userId, user.id),
+        eq9(accountsInIam.provider, "credentials")
+      )
+    ).limit(1);
+    if (!account?.password) {
+      logger2.log("[sign-in] 401: no credentials account", { userId: user.id });
+      return c.json({ error: AUTH_ERRORS.HAS_NO_PASSWORD }, 401);
+    }
+    const passwordValid = await verifyPassword(password, account.password);
+    if (!passwordValid) {
+      const newAttempt = (user.loginAttempt || 0) + 1;
+      const updateData = {
+        loginAttempt: newAttempt
+      };
+      if (config.security && newAttempt >= config.security.maxLoginAttempts) {
+        updateData.bannedUntil = addDuration(config.security.lockoutDuration);
+      }
+      await database.update(usersInIam).set(updateData).where(
+        and9(
+          eq9(usersInIam.id, user.id),
+          eq9(usersInIam.tenantId, resolvedTenantId)
+        )
+      );
+      logger2.log("[sign-in] 401: invalid password", {
+        userId: user.id,
+        loginAttempt: newAttempt
+      });
+      return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
+    }
+    const isVerified = isEmail ? user.emailVerified : user.phoneVerified;
+    if (isEmail && config.email.required && !isVerified) {
+      return handleEmailVerification({
+        c,
+        user: { ...user, roles: [] },
+        config,
+        database,
+        tenantId: resolvedTenantId
+      });
+    }
+    if (!isEmail && config.phone.required && !isVerified) {
+      return handlePhoneVerification({
+        c,
+        user: { ...user, roles: [] },
+        config,
+        database,
+        tenantId: resolvedTenantId
+      });
+    }
+    if (config.session.maxPerUser) {
+      await cleanupOldSessions({
+        database,
+        userId: user.id,
+        tenantId: resolvedTenantId,
+        maxSessions: config.session.maxPerUser
+      });
     }
-    await database.update(usersInIam).set(updateData).where(
-      and8(
-        eq8(usersInIam.id, user.id),
-        eq8(usersInIam.tenantId, resolvedTenantId)
+    await database.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(
+      and9(
+        eq9(usersInIam.id, user.id),
+        eq9(usersInIam.tenantId, resolvedTenantId)
       )
     );
-    logger2.log("[sign-in] 401: invalid password", {
+    const sessionToken = generateToken();
+    const hashedToken = await hashToken(sessionToken, config.secret);
+    const sessionDuration = getSessionDuration({
+      sessionConfig: config.session,
+      rememberMe
+    });
+    const expiresAt = addDuration(sessionDuration);
+    const [session] = await database.insert(sessionsInIam).values({
+      tenantId: resolvedTenantId,
       userId: user.id,
-      loginAttempt: newAttempt
+      token: hashedToken,
+      expiresAt,
+      userAgent: c.req.header("user-agent") || null,
+      ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
+      meta: { action: "sign-in", rememberMe }
+    }).returning({
+      id: sessionsInIam.id,
+      tenantId: sessionsInIam.tenantId,
+      userId: sessionsInIam.userId,
+      expiresAt: sessionsInIam.expiresAt,
+      createdAt: sessionsInIam.createdAt,
+      meta: sessionsInIam.meta
     });
-    return c.json({ error: AUTH_ERRORS.UNAUTHORIZED }, 401);
-  }
-  const isVerified = isEmail ? user.emailVerified : user.phoneVerified;
-  if (isEmail && config.email.required && !isVerified) {
-    return handleEmailVerification({
-      c,
-      user: { ...user, roles: [] },
-      config,
-      database,
-      tenantId: resolvedTenantId
+    setSessionCookie(c, sessionToken, config, {
+      expires: new Date(expiresAt)
     });
-  }
-  if (!isEmail && config.phone.required && !isVerified) {
-    return handlePhoneVerification({
-      c,
-      user: { ...user, roles: [] },
-      config,
+    const fullUser = await fetchUserByIdWithRoles({
       database,
+      userId: user.id,
       tenantId: resolvedTenantId
     });
+    return c.json(
+      {
+        user: normalizeAuthUser(fullUser ?? { ...user, roles: [] }),
+        session: normalizeAuthSession({
+          id: session.id,
+          expiresAt: session.expiresAt
+        }),
+        sessionExpiresAt: session.expiresAt
+      },
+      200
+    );
   }
-  if (config.session.maxPerUser) {
-    await cleanupOldSessions({
-      database,
-      userId: user.id,
-      tenantId: resolvedTenantId,
-      maxSessions: config.session.maxPerUser
-    });
-  }
-  await database.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(
-    and8(
-      eq8(usersInIam.id, user.id),
-      eq8(usersInIam.tenantId, resolvedTenantId)
-    )
-  );
-  const sessionToken = generateToken();
-  const hashedToken = await hashToken(sessionToken, config.secret);
-  const sessionDuration = getSessionDuration({
-    sessionConfig: config.session,
-    rememberMe
-  });
-  const expiresAt = addDuration(sessionDuration);
-  const [session] = await database.insert(sessionsInIam).values({
-    tenantId: resolvedTenantId,
-    userId: user.id,
-    token: hashedToken,
-    expiresAt,
-    userAgent: c.req.header("user-agent") || null,
-    ip: c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null,
-    meta: { action: "sign-in", rememberMe }
-  }).returning({
-    id: sessionsInIam.id,
-    tenantId: sessionsInIam.tenantId,
-    userId: sessionsInIam.userId,
-    expiresAt: sessionsInIam.expiresAt,
-    createdAt: sessionsInIam.createdAt,
-    meta: sessionsInIam.meta
-  });
-  setSessionCookie(c, sessionToken, config, {
-    expires: new Date(expiresAt)
-  });
-  const fullUser = await fetchUserByIdWithRoles({
-    database,
-    userId: user.id,
-    tenantId: resolvedTenantId
-  });
-  return c.json(
-    {
-      user: normalizeUser(fullUser ?? { ...user, roles: [] }),
-      session: {
-        id: session.id,
-        expiresAt: session.expiresAt,
-        createdAt: session.createdAt,
-        meta: session.meta
-      },
-      sessionExpiresAt: session.expiresAt
-    },
-    200
-  );
-};
-
-// src/routes/auth/handler/sign-out.ts
-import { and as and9, eq as eq9, gt as gt4 } from "drizzle-orm";
-import { getCookie } from "hono/cookie";
-var signOutHandler = async (c) => {
-  const config = c.get("config");
-  const database = c.get("database");
-  const tenantId = c.get("tenantId");
-  ensureTenantId(config, tenantId);
-  const sessionToken = getCookie(c, getSessionCookieName(config));
-  if (!sessionToken) {
-    return c.json({ message: "Signed out" }, 200);
+);
+
+// src/routes/auth/handler/sign-out.ts
+import { and as and10, eq as eq10, gt as gt4 } from "drizzle-orm";
+import { getCookie } from "hono/cookie";
+var signOutHandler = async (c) => {
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  ensureTenantId(config, tenantId);
+  const sessionToken = getCookie(c, getSessionCookieName(config));
+  if (!sessionToken) {
+    return c.json({ message: "Signed out" }, 200);
   }
   const hashedToken = await hashToken(sessionToken, config.secret);
   const [session] = await database.select({
@@ -1761,16 +1832,16 @@ var signOutHandler = async (c) => {
     userAgent: sessionsInIam.userAgent,
     ip: sessionsInIam.ip
   }).from(sessionsInIam).where(
-    and9(
-      eq9(sessionsInIam.token, hashedToken),
+    and10(
+      eq10(sessionsInIam.token, hashedToken),
       gt4(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).limit(1);
   if (session) {
     await database.delete(sessionsInIam).where(
-      and9(
-        eq9(sessionsInIam.id, session.id),
-        eq9(sessionsInIam.tenantId, session.tenantId)
+      and10(
+        eq10(sessionsInIam.id, session.id),
+        eq10(sessionsInIam.tenantId, session.tenantId)
       )
     );
   }
@@ -1922,7 +1993,7 @@ var signUpHandler = async (c) => {
   if (result.type === "pending") {
     return c.json(
       {
-        user: normalizeUser(result.user),
+        user: normalizeAuthUser(result.user),
         session: null,
         verificationId: result.verificationId,
         requiresVerification: true
@@ -1941,7 +2012,7 @@ var signUpHandler = async (c) => {
     });
     return c.json(
       {
-        user: normalizeUser(result.user),
+        user: normalizeAuthUser(result.user),
         session: null,
         verificationId: result.verificationId,
         requiresVerification: true
@@ -1954,8 +2025,11 @@ var signUpHandler = async (c) => {
   });
   return c.json(
     {
-      user: normalizeUser(result.user),
-      session: { id: result.sessionId, expiresAt: result.expiresAt },
+      user: normalizeAuthUser(result.user),
+      session: normalizeAuthSession({
+        id: result.sessionId,
+        expiresAt: result.expiresAt
+      }),
       sessionExpiresAt: result.expiresAt
     },
     201
@@ -2158,26 +2232,26 @@ var createDomainHandler = async (c) => {
 };
 
 // src/routes/domains/handler/delete-domain.ts
-import { and as and10, eq as eq10 } from "drizzle-orm";
+import { and as and11, eq as eq11 } from "drizzle-orm";
 var deleteDomainHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(domainsInIam).where(and10(eq10(domainsInIam.id, id), eq10(domainsInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(domainsInIam).where(and11(eq11(domainsInIam.id, id), eq11(domainsInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "Domain not found" }, 404);
   }
-  await database.delete(domainsInIam).where(and10(eq10(domainsInIam.id, id), eq10(domainsInIam.tenantId, tenantId)));
+  await database.delete(domainsInIam).where(and11(eq11(domainsInIam.id, id), eq11(domainsInIam.tenantId, tenantId)));
   return c.json({ message: "Domain deleted" }, 200);
 };
 
 // src/routes/domains/handler/get-domain.ts
-import { and as and11, eq as eq11 } from "drizzle-orm";
+import { and as and12, eq as eq12 } from "drizzle-orm";
 var getDomainHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [domain] = await database.select().from(domainsInIam).where(and11(eq11(domainsInIam.id, id), eq11(domainsInIam.tenantId, tenantId))).limit(1);
+  const [domain] = await database.select().from(domainsInIam).where(and12(eq12(domainsInIam.id, id), eq12(domainsInIam.tenantId, tenantId))).limit(1);
   if (!domain) {
     return c.json({ error: "Domain not found" }, 404);
   }
@@ -2185,7 +2259,7 @@ var getDomainHandler = async (c) => {
 };
 
 // src/routes/domains/handler/list-domains.ts
-import { and as and12, eq as eq12, sql as sql7 } from "drizzle-orm";
+import { and as and13, eq as eq13, sql as sql7 } from "drizzle-orm";
 var listDomainsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
@@ -2193,26 +2267,26 @@ var listDomainsHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq12(domainsInIam.tenantId, tenantId)];
+  const conditions = [eq13(domainsInIam.tenantId, tenantId)];
   if (query.status) {
-    conditions.push(eq12(domainsInIam.status, query.status));
+    conditions.push(eq13(domainsInIam.status, query.status));
   }
   const [domains, totalResult] = await Promise.all([
-    database.select().from(domainsInIam).where(and12(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql7`count(*)` }).from(domainsInIam).where(and12(...conditions))
+    database.select().from(domainsInIam).where(and13(...conditions)).limit(limit).offset(offset),
+    database.select({ count: sql7`count(*)` }).from(domainsInIam).where(and13(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ domains, total, page, limit });
 };
 
 // src/routes/domains/handler/update-domain.ts
-import { and as and13, eq as eq13, sql as sql8 } from "drizzle-orm";
+import { and as and14, eq as eq14, sql as sql8 } from "drizzle-orm";
 var updateDomainHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(domainsInIam).where(and13(eq13(domainsInIam.id, id), eq13(domainsInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(domainsInIam).where(and14(eq14(domainsInIam.id, id), eq14(domainsInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "Domain not found" }, 404);
   }
@@ -2232,7 +2306,7 @@ var updateDomainHandler = async (c) => {
   const [updated] = await database.update(domainsInIam).set({
     ...updateData,
     updatedAt: sql8`CURRENT_TIMESTAMP`
-  }).where(and13(eq13(domainsInIam.id, id), eq13(domainsInIam.tenantId, tenantId))).returning();
+  }).where(and14(eq14(domainsInIam.id, id), eq14(domainsInIam.tenantId, tenantId))).returning();
   if (!updated) {
     return c.json({ error: "Domain not found" }, 404);
   }
@@ -2240,19 +2314,19 @@ var updateDomainHandler = async (c) => {
 };
 
 // src/routes/domains/handler/verify-domain.ts
-import { and as and14, eq as eq14, sql as sql9 } from "drizzle-orm";
+import { and as and15, eq as eq15, sql as sql9 } from "drizzle-orm";
 var verifyDomainHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(domainsInIam).where(and14(eq14(domainsInIam.id, id), eq14(domainsInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(domainsInIam).where(and15(eq15(domainsInIam.id, id), eq15(domainsInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "Domain not found" }, 404);
   }
   const [updated] = await database.update(domainsInIam).set({
     status: "active",
     updatedAt: sql9`CURRENT_TIMESTAMP`
-  }).where(and14(eq14(domainsInIam.id, id), eq14(domainsInIam.tenantId, tenantId))).returning();
+  }).where(and15(eq15(domainsInIam.id, id), eq15(domainsInIam.tenantId, tenantId))).returning();
   if (!updated) {
     return c.json({ error: "Domain not found" }, 404);
   }
@@ -2426,7 +2500,7 @@ var domains_route_default = domainRoutes;
 import { createRoute as createRoute3, OpenAPIHono as OpenAPIHono3 } from "@hono/zod-openapi";
 
 // src/routes/email/handler/verification-confirm.ts
-import { and as and15, eq as eq15 } from "drizzle-orm";
+import { and as and16, eq as eq16 } from "drizzle-orm";
 var emailVerificationConfirmHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -2436,9 +2510,9 @@ var emailVerificationConfirmHandler = async (c) => {
   const { verificationId, code } = body;
   const result = await withTransaction(database, async (tx) => {
     const [verification] = await tx.select().from(verificationsInIam).where(
-      and15(
-        eq15(verificationsInIam.id, verificationId),
-        eq15(verificationsInIam.tenantId, resolvedTenantId)
+      and16(
+        eq16(verificationsInIam.id, verificationId),
+        eq16(verificationsInIam.tenantId, resolvedTenantId)
       )
     ).limit(1);
     if (!verification || verification.type !== "email-verification") {
@@ -2454,7 +2528,7 @@ var emailVerificationConfirmHandler = async (c) => {
       };
     }
     if ((verification.attempt || 0) >= config.email.maxAttempts) {
-      await tx.delete(verificationsInIam).where(eq15(verificationsInIam.id, verificationId));
+      await tx.delete(verificationsInIam).where(eq16(verificationsInIam.id, verificationId));
       return {
         status: "error",
         error: AUTH_ERRORS.TOO_MANY_ATTEMPTS
@@ -2462,7 +2536,7 @@ var emailVerificationConfirmHandler = async (c) => {
     }
     const hashedCode = await hashToken(code, config.secret);
     if (verification.code !== hashedCode) {
-      await tx.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq15(verificationsInIam.id, verificationId));
+      await tx.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq16(verificationsInIam.id, verificationId));
       return {
         status: "error",
         error: AUTH_ERRORS.VERIFICATION_MISMATCH
@@ -2472,12 +2546,12 @@ var emailVerificationConfirmHandler = async (c) => {
       emailVerified: true,
       lastSignInAt: (/* @__PURE__ */ new Date()).toISOString()
     }).where(
-      and15(
-        eq15(usersInIam.id, verification.userId),
-        eq15(usersInIam.tenantId, resolvedTenantId)
+      and16(
+        eq16(usersInIam.id, verification.userId),
+        eq16(usersInIam.tenantId, resolvedTenantId)
       )
     );
-    await tx.delete(verificationsInIam).where(eq15(verificationsInIam.id, verificationId));
+    await tx.delete(verificationsInIam).where(eq16(verificationsInIam.id, verificationId));
     const user = await fetchUserWithRoles({
       database: tx,
       userId: verification.userId,
@@ -2512,14 +2586,8 @@ var emailVerificationConfirmHandler = async (c) => {
   });
   return c.json(
     {
-      user: normalizeUser(result.user),
-      session: {
-        id: result.session.id,
-        expiresAt: result.session.expiresAt,
-        createdAt: result.session.createdAt,
-        userAgent: result.session.userAgent,
-        ip: result.session.ip
-      },
+      user: normalizeAuthUser(result.user),
+      session: normalizeAuthSession(result.session),
       sessionExpiresAt: result.session.expiresAt
     },
     200
@@ -2527,7 +2595,7 @@ var emailVerificationConfirmHandler = async (c) => {
 };
 
 // src/routes/email/handler/verification-request.ts
-import { and as and16, eq as eq16, sql as sql10 } from "drizzle-orm";
+import { and as and17, eq as eq17, sql as sql10 } from "drizzle-orm";
 var emailVerificationRequestHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -2548,8 +2616,8 @@ var emailVerificationRequestHandler = async (c) => {
   let userId = user?.id;
   if (!userId) {
     const [result] = await database.select({ id: usersInIam.id }).from(usersInIam).where(
-      and16(
-        eq16(usersInIam.tenantId, resolvedTenantId),
+      and17(
+        eq17(usersInIam.tenantId, resolvedTenantId),
         sql10`lower(${usersInIam.email}) = lower(${email})`
       )
     ).limit(1);
@@ -2575,10 +2643,10 @@ var emailVerificationRequestHandler = async (c) => {
     );
   }
   await database.delete(verificationsInIam).where(
-    and16(
-      eq16(verificationsInIam.tenantId, resolvedTenantId),
-      eq16(verificationsInIam.userId, userId),
-      eq16(verificationsInIam.type, "email-verification")
+    and17(
+      eq17(verificationsInIam.tenantId, resolvedTenantId),
+      eq17(verificationsInIam.userId, userId),
+      eq17(verificationsInIam.type, "email-verification")
     )
   );
   const code = generateOtpCode(config.email.otpLength);
@@ -2610,11 +2678,11 @@ var emailVerificationRequestHandler = async (c) => {
       updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       reason: "replaced"
     }).where(
-      and16(
-        eq16(accountChangesInIam.tenantId, resolvedTenantId),
-        eq16(accountChangesInIam.userId, user.id),
-        eq16(accountChangesInIam.changeType, "email"),
-        eq16(accountChangesInIam.status, "pending")
+      and17(
+        eq17(accountChangesInIam.tenantId, resolvedTenantId),
+        eq17(accountChangesInIam.userId, user.id),
+        eq17(accountChangesInIam.changeType, "email"),
+        eq17(accountChangesInIam.status, "pending")
       )
     );
     await database.insert(accountChangesInIam).values({
@@ -2729,7 +2797,7 @@ var email_route_default = emailRoutes;
 import { createRoute as createRoute4, OpenAPIHono as OpenAPIHono4 } from "@hono/zod-openapi";
 
 // src/routes/password/handler/change.ts
-import { and as and17, eq as eq17, gt as gt5, ne } from "drizzle-orm";
+import { and as and18, eq as eq18, gt as gt5, ne } from "drizzle-orm";
 import { getCookie as getCookie2 } from "hono/cookie";
 var changePasswordHandler = async (c) => {
   const body = c.req.valid("json");
@@ -2747,10 +2815,10 @@ var changePasswordHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { currentPassword, newPassword } = body;
   const [account] = await database.select().from(accountsInIam).where(
-    and17(
-      eq17(accountsInIam.tenantId, resolvedTenantId),
-      eq17(accountsInIam.userId, userId),
-      eq17(accountsInIam.provider, "credentials")
+    and18(
+      eq18(accountsInIam.tenantId, resolvedTenantId),
+      eq18(accountsInIam.userId, userId),
+      eq18(accountsInIam.provider, "credentials")
     )
   ).limit(1);
   if (!account?.password) {
@@ -2762,19 +2830,19 @@ var changePasswordHandler = async (c) => {
   }
   const passwordHash = await hashPassword(newPassword);
   await database.update(accountsInIam).set({ password: passwordHash }).where(
-    and17(
-      eq17(accountsInIam.tenantId, resolvedTenantId),
-      eq17(accountsInIam.userId, userId),
-      eq17(accountsInIam.provider, "credentials")
+    and18(
+      eq18(accountsInIam.tenantId, resolvedTenantId),
+      eq18(accountsInIam.userId, userId),
+      eq18(accountsInIam.provider, "credentials")
     )
   );
   const currentSessionToken = getCookie2(c, getSessionCookieName(config));
   if (currentSessionToken) {
     const hashedToken = await hashToken(currentSessionToken, config.secret);
     await database.delete(sessionsInIam).where(
-      and17(
-        eq17(sessionsInIam.tenantId, resolvedTenantId),
-        eq17(sessionsInIam.userId, userId),
+      and18(
+        eq18(sessionsInIam.tenantId, resolvedTenantId),
+        eq18(sessionsInIam.userId, userId),
         gt5(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString()),
         ne(sessionsInIam.token, hashedToken)
       )
@@ -2784,7 +2852,7 @@ var changePasswordHandler = async (c) => {
 };
 
 // src/routes/password/handler/forgot.ts
-import { and as and18, eq as eq18, sql as sql11 } from "drizzle-orm";
+import { and as and19, eq as eq19, sql as sql11 } from "drizzle-orm";
 var forgotPasswordHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -2818,19 +2886,19 @@ var forgotPasswordHandler = async (c) => {
         )`
     }).from(usersInIam).leftJoin(
       userRolesInIam,
-      and18(
-        eq18(userRolesInIam.userId, usersInIam.id),
-        eq18(userRolesInIam.tenantId, resolvedTenantId)
+      and19(
+        eq19(userRolesInIam.userId, usersInIam.id),
+        eq19(userRolesInIam.tenantId, resolvedTenantId)
       )
     ).leftJoin(
       rolesInIam,
-      and18(
-        eq18(userRolesInIam.roleId, rolesInIam.id),
-        eq18(rolesInIam.tenantId, resolvedTenantId)
+      and19(
+        eq19(userRolesInIam.roleId, rolesInIam.id),
+        eq19(rolesInIam.tenantId, resolvedTenantId)
       )
     ).where(
-      and18(
-        eq18(usersInIam.tenantId, resolvedTenantId),
+      and19(
+        eq19(usersInIam.tenantId, resolvedTenantId),
         sql11`lower(${usersInIam.email}) = lower(${identifier})`
       )
     ).groupBy(usersInIam.id).limit(1);
@@ -2853,20 +2921,20 @@ var forgotPasswordHandler = async (c) => {
         )`
     }).from(usersInIam).leftJoin(
       userRolesInIam,
-      and18(
-        eq18(userRolesInIam.userId, usersInIam.id),
-        eq18(userRolesInIam.tenantId, resolvedTenantId)
+      and19(
+        eq19(userRolesInIam.userId, usersInIam.id),
+        eq19(userRolesInIam.tenantId, resolvedTenantId)
       )
     ).leftJoin(
       rolesInIam,
-      and18(
-        eq18(userRolesInIam.roleId, rolesInIam.id),
-        eq18(rolesInIam.tenantId, resolvedTenantId)
+      and19(
+        eq19(userRolesInIam.roleId, rolesInIam.id),
+        eq19(rolesInIam.tenantId, resolvedTenantId)
       )
     ).where(
-      and18(
-        eq18(usersInIam.tenantId, resolvedTenantId),
-        eq18(usersInIam.phone, identifier)
+      and19(
+        eq19(usersInIam.tenantId, resolvedTenantId),
+        eq19(usersInIam.phone, identifier)
       )
     ).groupBy(usersInIam.id).limit(1);
     user = result || null;
@@ -2880,10 +2948,10 @@ var forgotPasswordHandler = async (c) => {
       return c.json({ message: "If account exists, reset code sent" }, 200);
     }
     await database.delete(verificationsInIam).where(
-      and18(
-        eq18(verificationsInIam.tenantId, resolvedTenantId),
-        eq18(verificationsInIam.userId, user.id),
-        eq18(verificationsInIam.type, "password-reset")
+      and19(
+        eq19(verificationsInIam.tenantId, resolvedTenantId),
+        eq19(verificationsInIam.userId, user.id),
+        eq19(verificationsInIam.type, "password-reset")
       )
     );
     const code = generateOtpCode(config.email.otpLength);
@@ -2922,10 +2990,10 @@ var forgotPasswordHandler = async (c) => {
       return c.json({ message: "If account exists, reset code sent" }, 200);
     }
     await database.delete(verificationsInIam).where(
-      and18(
-        eq18(verificationsInIam.tenantId, resolvedTenantId),
-        eq18(verificationsInIam.userId, user.id),
-        eq18(verificationsInIam.type, "password-reset-otp")
+      and19(
+        eq19(verificationsInIam.tenantId, resolvedTenantId),
+        eq19(verificationsInIam.userId, user.id),
+        eq19(verificationsInIam.type, "password-reset-otp")
       )
     );
     const code = generateOtpCode(config.phone.otpLength);
@@ -2972,7 +3040,7 @@ var forgotPasswordHandler = async (c) => {
 };
 
 // src/routes/password/handler/reset.ts
-import { and as and19, eq as eq19, gt as gt6 } from "drizzle-orm";
+import { and as and20, eq as eq20, gt as gt6 } from "drizzle-orm";
 
 // src/routes/password/helper/session.ts
 var createPasswordResetSession = async ({
@@ -2999,14 +3067,8 @@ var createPasswordResetSession = async ({
   });
   return c.json(
     {
-      user: normalizeUser(user),
-      session: {
-        id: session.id,
-        expiresAt: session.expiresAt,
-        createdAt: session.createdAt,
-        userAgent: session.userAgent,
-        ip: session.ip
-      },
+      user: normalizeAuthUser(user),
+      session: normalizeAuthSession(session),
       sessionExpiresAt: session.expiresAt
     },
     200
@@ -3022,9 +3084,9 @@ var resetPasswordHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { verificationId, code, password } = body;
   const [verification] = await database.select().from(verificationsInIam).where(
-    and19(
-      eq19(verificationsInIam.id, verificationId),
-      eq19(verificationsInIam.tenantId, resolvedTenantId)
+    and20(
+      eq20(verificationsInIam.id, verificationId),
+      eq20(verificationsInIam.tenantId, resolvedTenantId)
     )
   ).limit(1);
   if (!verification) {
@@ -3038,34 +3100,34 @@ var resetPasswordHandler = async (c) => {
   }
   const maxAttempts = verification.type === "password-reset" ? config.email.maxAttempts : config.phone.maxAttempts;
   if ((verification.attempt || 0) >= maxAttempts) {
-    await database.delete(verificationsInIam).where(eq19(verificationsInIam.id, verificationId));
+    await database.delete(verificationsInIam).where(eq20(verificationsInIam.id, verificationId));
     return c.json({ error: AUTH_ERRORS.TOO_MANY_ATTEMPTS }, 400);
   }
   const hashedCode = await hashToken(code, config.secret);
   if (verification.code !== hashedCode) {
-    await database.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq19(verificationsInIam.id, verificationId));
+    await database.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq20(verificationsInIam.id, verificationId));
     return c.json({ error: AUTH_ERRORS.VERIFICATION_MISMATCH }, 400);
   }
   const passwordHash = await hashPassword(password);
   await database.update(accountsInIam).set({ password: passwordHash }).where(
-    and19(
-      eq19(accountsInIam.tenantId, resolvedTenantId),
-      eq19(accountsInIam.userId, verification.userId),
-      eq19(accountsInIam.provider, "credentials")
+    and20(
+      eq20(accountsInIam.tenantId, resolvedTenantId),
+      eq20(accountsInIam.userId, verification.userId),
+      eq20(accountsInIam.provider, "credentials")
     )
   );
   await database.delete(sessionsInIam).where(
-    and19(
-      eq19(sessionsInIam.tenantId, resolvedTenantId),
-      eq19(sessionsInIam.userId, verification.userId),
+    and20(
+      eq20(sessionsInIam.tenantId, resolvedTenantId),
+      eq20(sessionsInIam.userId, verification.userId),
       gt6(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   );
-  await database.delete(verificationsInIam).where(eq19(verificationsInIam.id, verificationId));
+  await database.delete(verificationsInIam).where(eq20(verificationsInIam.id, verificationId));
   const [user] = await database.select().from(usersInIam).where(
-    and19(
-      eq19(usersInIam.id, verification.userId),
-      eq19(usersInIam.tenantId, resolvedTenantId)
+    and20(
+      eq20(usersInIam.id, verification.userId),
+      eq20(usersInIam.tenantId, resolvedTenantId)
     )
   ).limit(1);
   if (!user) {
@@ -3080,8 +3142,97 @@ var resetPasswordHandler = async (c) => {
   });
 };
 
+// src/routes/password/handler/set.ts
+import { and as and21, eq as eq21 } from "drizzle-orm";
+var setPasswordHandler = async (c) => {
+  const body = c.req.valid("json");
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { identifier, password, rememberMe = true } = body;
+  const isEmail = identifier.includes("@");
+  const user = await fetchUserForLogin({
+    database,
+    identifier,
+    tenantId: resolvedTenantId,
+    isEmail,
+    userType: config.userType
+  });
+  if (!user) {
+    return c.json({ error: AUTH_ERRORS.USER_NOT_FOUND }, 400);
+  }
+  const isVerified = isEmail ? user.emailVerified : user.phoneVerified;
+  if (!isVerified) {
+    return c.json({ error: AUTH_ERRORS.REQUIRES_VERIFICATION }, 409);
+  }
+  if (user.hasPassword) {
+    return c.json({ error: AUTH_ERRORS.PASSWORD_ALREADY_SET }, 409);
+  }
+  const userAgent = c.req.header("user-agent") || null;
+  const ip = c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || null;
+  const result = await withTransaction(database, async (tx) => {
+    const passwordHash = await hashPassword(password);
+    const [account] = await tx.select({
+      id: accountsInIam.id
+    }).from(accountsInIam).where(
+      and21(
+        eq21(accountsInIam.tenantId, resolvedTenantId),
+        eq21(accountsInIam.userId, user.id),
+        eq21(accountsInIam.provider, "credentials")
+      )
+    ).limit(1);
+    if (account) {
+      await tx.update(accountsInIam).set({
+        password: passwordHash,
+        providerAccountId: identifier
+      }).where(eq21(accountsInIam.id, account.id));
+    } else {
+      await tx.insert(accountsInIam).values({
+        tenantId: resolvedTenantId,
+        userId: user.id,
+        provider: "credentials",
+        providerAccountId: identifier,
+        password: passwordHash
+      });
+    }
+    await tx.update(usersInIam).set({ lastSignInAt: (/* @__PURE__ */ new Date()).toISOString(), loginAttempt: 0 }).where(
+      and21(
+        eq21(usersInIam.id, user.id),
+        eq21(usersInIam.tenantId, resolvedTenantId)
+      )
+    );
+    return createSessionRecord({
+      tx,
+      tenantId: resolvedTenantId,
+      userId: user.id,
+      config,
+      userAgent,
+      ip,
+      action: "set-password",
+      rememberMe
+    });
+  });
+  setSessionCookie(c, result.sessionToken, config, {
+    expires: new Date(result.expiresAt)
+  });
+  const fullUser = await fetchUserByIdWithRoles({
+    database,
+    userId: user.id,
+    tenantId: resolvedTenantId
+  });
+  return c.json(
+    {
+      user: normalizeAuthUser(fullUser ?? { ...user, roles: [] }),
+      session: normalizeAuthSession(result.session),
+      sessionExpiresAt: result.session.expiresAt
+    },
+    200
+  );
+};
+
 // src/routes/password/handler/verify.ts
-import { and as and20, eq as eq20 } from "drizzle-orm";
+import { and as and22, eq as eq22 } from "drizzle-orm";
 var verifyPasswordHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -3098,10 +3249,10 @@ var verifyPasswordHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   const { password } = body;
   const [account] = await database.select().from(accountsInIam).where(
-    and20(
-      eq20(accountsInIam.tenantId, resolvedTenantId),
-      eq20(accountsInIam.userId, userId),
-      eq20(accountsInIam.provider, "credentials")
+    and22(
+      eq22(accountsInIam.tenantId, resolvedTenantId),
+      eq22(accountsInIam.userId, userId),
+      eq22(accountsInIam.provider, "credentials")
     )
   ).limit(1);
   if (!account?.password) {
@@ -3223,97 +3374,420 @@ var changePasswordRoute = createRoute4({
     }
   }
 });
-var passwordRoutes = new OpenAPIHono4().openapi(forgotPasswordRoute, forgotPasswordHandler).openapi(resetPasswordRoute, resetPasswordHandler).openapi(verifyPasswordRoute, verifyPasswordHandler).openapi(changePasswordRoute, changePasswordHandler);
+var setPasswordRoute = createRoute4({
+  method: "post",
+  path: "/set",
+  tags: ["Password"],
+  summary: "Set password for an existing verified account",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: setPasswordSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: authSuccessSchema
+        }
+      },
+      description: "Password set and user signed in"
+    },
+    400: {
+      content: { "application/json": { schema: errorResponseSchema } },
+      description: "Account not found"
+    },
+    409: {
+      content: { "application/json": { schema: errorResponseSchema } },
+      description: "Password already exists or verification required"
+    }
+  }
+});
+var passwordRoutes = new OpenAPIHono4().openapi(forgotPasswordRoute, forgotPasswordHandler).openapi(resetPasswordRoute, resetPasswordHandler).openapi(verifyPasswordRoute, verifyPasswordHandler).openapi(changePasswordRoute, changePasswordHandler).openapi(setPasswordRoute, setPasswordHandler);
 var password_route_default = passwordRoutes;
 
 // src/routes/permissions/permissions.route.ts
 import { createRoute as createRoute5, OpenAPIHono as OpenAPIHono5 } from "@hono/zod-openapi";
 
 // src/routes/permissions/handler/get-permission.ts
-import { eq as eq21 } from "drizzle-orm";
+import { getPermissionEntries } from "@mesob/common";
+import { eq as eq23 } from "drizzle-orm";
 var getPermissionHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
-  const [permission] = await database.select().from(permissionsInIam).where(eq21(permissionsInIam.id, id)).limit(1);
+  const config = c.get("config");
+  const [permission] = await database.select().from(permissionsInIam).where(eq23(permissionsInIam.id, id)).limit(1);
   if (!permission) {
-    return c.json({ error: "Permission not found" }, 404);
+    const configuredPermission = getPermissionEntries(config.permissions).find(
+      (entry) => entry.code === id
+    );
+    if (!configuredPermission) {
+      return c.json({ error: "Permission not found" }, 404);
+    }
+    return c.json(
+      {
+        permission: {
+          id: configuredPermission.code,
+          description: null,
+          activity: configuredPermission.activity,
+          application: configuredPermission.application,
+          feature: configuredPermission.feature
+        }
+      },
+      200
+    );
   }
   return c.json({ permission }, 200);
 };
 
+// src/lib/permission-catalog.ts
+import { getPermissionEntries as getPermissionEntries2 } from "@mesob/common";
+var collator = new Intl.Collator(void 0, {
+  numeric: true,
+  sensitivity: "base"
+});
+var sortValueMap = {
+  id: (permission) => permission.id,
+  application: (permission) => permission.application,
+  feature: (permission) => permission.feature,
+  activity: (permission) => permission.activity
+};
+async function getMergedPermissionCatalog({
+  database,
+  permissions
+}) {
+  const [databasePermissions, configuredPermissions] = await Promise.all([
+    database.select().from(permissionsInIam),
+    Promise.resolve(
+      getPermissionEntries2(permissions).map((entry) => ({
+        id: entry.code,
+        description: null,
+        activity: entry.activity,
+        application: entry.application,
+        feature: entry.feature
+      }))
+    )
+  ]);
+  return [...databasePermissions, ...configuredPermissions].filter(
+    (permission, index2, permissionList) => {
+      const key = [
+        permission.application,
+        permission.feature,
+        permission.activity
+      ].join(":");
+      return permissionList.findIndex((candidate) => {
+        return [candidate.application, candidate.feature, candidate.activity].join(
+          ":"
+        ) === key;
+      }) === index2;
+    }
+  );
+}
+function filterAndSortPermissions(permissions, query) {
+  const search = query.search?.trim().toLowerCase();
+  const filteredPermissions = search ? permissions.filter((permission) => {
+    let fields = [
+      permission.id,
+      permission.application,
+      permission.feature,
+      permission.activity
+    ];
+    if (query.filter === "application") {
+      fields = [permission.application];
+    } else if (query.filter === "feature") {
+      fields = [permission.feature];
+    } else if (query.filter === "activity") {
+      fields = [permission.activity];
+    }
+    return fields.some((field) => field.toLowerCase().includes(search));
+  }) : permissions;
+  const sortGetter = sortValueMap[query.sort || "id"] ?? sortValueMap.id;
+  return [...filteredPermissions].sort((a, b) => {
+    const order = collator.compare(sortGetter(a), sortGetter(b)) || collator.compare(a.id, b.id);
+    return query.order === "desc" ? -order : order;
+  });
+}
+
 // src/routes/permissions/handler/list-permissions.ts
-import { and as and21, ilike, sql as sql12 } from "drizzle-orm";
 var listPermissionsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
+  const config = c.get("config");
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [];
-  if (query.application) {
-    conditions.push(
-      ilike(permissionsInIam.application, `%${query.application}%`)
-    );
-  }
-  if (query.feature) {
-    conditions.push(ilike(permissionsInIam.feature, `%${query.feature}%`));
-  }
-  const [permissions, totalResult] = await Promise.all([
-    database.select().from(permissionsInIam).where(conditions.length > 0 ? and21(...conditions) : void 0).limit(limit).offset(offset),
-    database.select({ count: sql12`count(*)` }).from(permissionsInIam).where(conditions.length > 0 ? and21(...conditions) : void 0)
-  ]);
-  const total = Number(totalResult[0]?.count || 0);
+  const mergedPermissions = await getMergedPermissionCatalog({
+    database,
+    permissions: config.permissions
+  });
+  const sortedPermissions = filterAndSortPermissions(mergedPermissions, query);
+  const total = sortedPermissions.length;
+  const permissions = sortedPermissions.slice(offset, offset + limit);
   return c.json({ permissions, total, page, limit }, 200);
 };
 
-// src/routes/permissions/permissions.schema.ts
-import { z as z3 } from "zod";
-var listPermissionsQuerySchema = z3.object({
-  page: z3.coerce.number().min(1).default(1).optional(),
-  limit: z3.coerce.number().min(1).max(100).default(20).optional(),
-  application: z3.string().optional(),
-  feature: z3.string().optional()
-});
-var permissionIdParamSchema = z3.object({
-  id: z3.string()
-});
-var permissionSchema = z3.object({
-  id: z3.string(),
-  description: z3.unknown(),
-  activity: z3.string(),
-  application: z3.string(),
-  feature: z3.string()
-});
-var listPermissionsResponseSchema = z3.object({
-  permissions: z3.array(permissionSchema),
-  total: z3.number(),
-  page: z3.number(),
-  limit: z3.number()
-});
-var permissionResponseSchema = z3.object({
-  permission: permissionSchema
-});
-var errorResponseSchema3 = z3.object({
-  error: z3.string()
-});
-
-// src/routes/permissions/permissions.route.ts
-var listPermissionsRoute = createRoute5({
-  method: "get",
-  path: "/",
-  tags: ["Permissions"],
-  summary: "List permissions",
-  request: {
-    query: listPermissionsQuerySchema
-  },
-  responses: {
-    200: {
-      content: {
-        "application/json": {
-          schema: listPermissionsResponseSchema
-        }
-      },
-      description: "List of permissions"
+// src/lib/iam-seed.ts
+import { randomUUID } from "crypto";
+import { getPermissionEntries as getPermissionEntries3, toTitleCase } from "@mesob/common";
+import {
+  and as and23,
+  eq as eq24,
+  inArray as inArray2,
+  notInArray,
+  sql as sql12
+} from "drizzle-orm";
+import { HTTPException as HTTPException3 } from "hono/http-exception";
+function buildPermissionDescription(code) {
+  return {
+    en: toTitleCase(code.replaceAll(":", " ").replaceAll("_", " "))
+  };
+}
+function buildPermissionSeedRows(permissions) {
+  return getPermissionEntries3(permissions).map((entry) => ({
+    id: entry.code,
+    application: entry.application,
+    feature: entry.feature,
+    activity: entry.activity,
+    description: buildPermissionDescription(entry.code)
+  }));
+}
+async function seedPermissions({
+  database,
+  permissions
+}) {
+  const rows = buildPermissionSeedRows(permissions);
+  if (!rows.length) {
+    return [];
+  }
+  await database.insert(permissionsInIam).values(rows).onConflictDoUpdate({
+    target: permissionsInIam.id,
+    set: {
+      application: sql12`excluded.application`,
+      feature: sql12`excluded.feature`,
+      activity: sql12`excluded.activity`,
+      description: sql12`excluded.description`
+    }
+  });
+  return database.select().from(permissionsInIam).where(
+    inArray2(
+      permissionsInIam.id,
+      rows.map((row) => row.id)
+    )
+  );
+}
+async function assertPermissionsExist({
+  database,
+  permissionIds
+}) {
+  if (!permissionIds.length) {
+    return;
+  }
+  const existing = await database.select({ id: permissionsInIam.id }).from(permissionsInIam).where(inArray2(permissionsInIam.id, permissionIds));
+  const existingIds = new Set(existing.map((permission) => permission.id));
+  const missingPermissionIds = permissionIds.filter(
+    (id) => !existingIds.has(id)
+  );
+  if (missingPermissionIds.length) {
+    throw new HTTPException3(400, {
+      message: `Unknown permissions: ${missingPermissionIds.join(", ")}`
+    });
+  }
+}
+async function syncRolePermissions({
+  database,
+  tenantId,
+  roleId,
+  permissionIds
+}) {
+  const uniquePermissionIds = [...new Set(permissionIds)];
+  await assertPermissionsExist({
+    database,
+    permissionIds: uniquePermissionIds
+  });
+  if (!uniquePermissionIds.length) {
+    await database.delete(rolePermissionsInIam).where(
+      and23(
+        eq24(rolePermissionsInIam.tenantId, tenantId),
+        eq24(rolePermissionsInIam.roleId, roleId)
+      )
+    );
+    return [];
+  }
+  await database.delete(rolePermissionsInIam).where(
+    and23(
+      eq24(rolePermissionsInIam.tenantId, tenantId),
+      eq24(rolePermissionsInIam.roleId, roleId),
+      notInArray(rolePermissionsInIam.permissionId, uniquePermissionIds)
+    )
+  );
+  await database.insert(rolePermissionsInIam).values(
+    uniquePermissionIds.map((permissionId) => ({
+      id: randomUUID(),
+      tenantId,
+      roleId,
+      permissionId
+    }))
+  ).onConflictDoNothing({
+    target: [
+      rolePermissionsInIam.tenantId,
+      rolePermissionsInIam.permissionId,
+      rolePermissionsInIam.roleId
+    ]
+  });
+  return database.select().from(rolePermissionsInIam).where(
+    and23(
+      eq24(rolePermissionsInIam.tenantId, tenantId),
+      eq24(rolePermissionsInIam.roleId, roleId)
+    )
+  );
+}
+async function seedRoles({
+  database,
+  tenantId,
+  roles
+}) {
+  if (!roles.length) {
+    return [];
+  }
+  await database.insert(rolesInIam).values(
+    roles.map((role) => ({
+      id: randomUUID(),
+      tenantId,
+      code: role.code,
+      name: role.name,
+      description: role.description ?? { en: role.code },
+      isSystem: role.isSystem ?? false,
+      isEditable: role.isEditable ?? true,
+      isDeletable: role.isDeletable ?? true
+    }))
+  ).onConflictDoUpdate({
+    target: [rolesInIam.tenantId, rolesInIam.code],
+    set: {
+      name: sql12`excluded.name`,
+      description: sql12`excluded.description`,
+      isSystem: sql12`excluded.is_system`,
+      isEditable: sql12`excluded.is_editable`,
+      isDeletable: sql12`excluded.is_deletable`,
+      updatedAt: sql12`CURRENT_TIMESTAMP`
+    }
+  });
+  const seededRoles = await database.select().from(rolesInIam).where(
+    and23(
+      eq24(rolesInIam.tenantId, tenantId),
+      inArray2(
+        rolesInIam.code,
+        roles.map((role) => role.code)
+      )
+    )
+  );
+  const roleByCode = new Map(
+    seededRoles.map((role) => [role.code, role])
+  );
+  for (const role of roles) {
+    const seededRole = roleByCode.get(role.code);
+    if (!seededRole) {
+      continue;
+    }
+    await syncRolePermissions({
+      database,
+      tenantId,
+      roleId: seededRole.id,
+      permissionIds: [...new Set(role.permissionIds ?? [])]
+    });
+  }
+  return seededRoles;
+}
+
+// src/routes/permissions/handler/seed-permissions.ts
+var seedPermissionsHandler = async (c) => {
+  const config = c.get("config");
+  const database = c.get("database");
+  if (!config.permissions) {
+    return c.json({ error: "No permissions configured for seeding" }, 400);
+  }
+  const permissions = await seedPermissions({
+    database,
+    permissions: config.permissions
+  });
+  return c.json(
+    {
+      permissions,
+      total: permissions.length
+    },
+    200
+  );
+};
+
+// src/routes/permissions/permissions.schema.ts
+import { z as z3 } from "zod";
+var permissionFilterValues = [
+  "",
+  "application",
+  "feature",
+  "activity"
+];
+var permissionSortValues = [
+  "id",
+  "application",
+  "feature",
+  "activity"
+];
+var listPermissionsQuerySchema = z3.object({
+  page: z3.coerce.number().min(1).default(1).optional(),
+  limit: z3.coerce.number().min(1).max(100).default(20).optional(),
+  search: z3.string().optional(),
+  filter: z3.enum(permissionFilterValues).optional(),
+  sort: z3.enum(permissionSortValues).optional(),
+  order: z3.enum(["asc", "desc"]).optional()
+});
+var permissionIdParamSchema = z3.object({
+  id: z3.string()
+});
+var permissionSchema = z3.object({
+  id: z3.string(),
+  description: z3.unknown(),
+  activity: z3.string(),
+  application: z3.string(),
+  feature: z3.string()
+});
+var seedPermissionsResponseSchema = z3.object({
+  permissions: z3.array(permissionSchema),
+  total: z3.number()
+});
+var listPermissionsResponseSchema = z3.object({
+  permissions: z3.array(permissionSchema),
+  total: z3.number(),
+  page: z3.number(),
+  limit: z3.number()
+});
+var permissionResponseSchema = z3.object({
+  permission: permissionSchema
+});
+var errorResponseSchema3 = z3.object({
+  error: z3.string()
+});
+
+// src/routes/permissions/permissions.route.ts
+var listPermissionsRoute = createRoute5({
+  method: "get",
+  path: "/",
+  tags: ["Permissions"],
+  summary: "List permissions",
+  request: {
+    query: listPermissionsQuerySchema
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: listPermissionsResponseSchema
+        }
+      },
+      description: "List of permissions"
     }
   }
 });
@@ -3344,14 +3818,38 @@ var getPermissionRoute = createRoute5({
     }
   }
 });
-var permissionRoutes = new OpenAPIHono5().openapi(listPermissionsRoute, listPermissionsHandler).openapi(getPermissionRoute, getPermissionHandler);
+var seedPermissionsRoute = createRoute5({
+  method: "post",
+  path: "/seed",
+  tags: ["Permissions"],
+  summary: "Seed permissions from config",
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: seedPermissionsResponseSchema
+        }
+      },
+      description: "Seeded permissions"
+    },
+    400: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema3
+        }
+      },
+      description: "Invalid permission config"
+    }
+  }
+});
+var permissionRoutes = new OpenAPIHono5().openapi(listPermissionsRoute, listPermissionsHandler).openapi(seedPermissionsRoute, seedPermissionsHandler).openapi(getPermissionRoute, getPermissionHandler);
 var permissions_route_default = permissionRoutes;
 
 // src/routes/phone/phone.route.ts
 import { createRoute as createRoute6, OpenAPIHono as OpenAPIHono6 } from "@hono/zod-openapi";
 
 // src/routes/phone/handler/verification-confirm.ts
-import { and as and22, eq as eq22 } from "drizzle-orm";
+import { and as and24, eq as eq25 } from "drizzle-orm";
 
 // src/routes/phone/helper/session.ts
 var shouldCreateSession = (context) => context === "sign-in" || context === "change-phone" || context === "sign-up";
@@ -3367,9 +3865,9 @@ var phoneVerificationConfirmHandler = async (c) => {
   const { verificationId, code, context } = body;
   const result = await withTransaction(database, async (tx) => {
     const [verification] = await tx.select().from(verificationsInIam).where(
-      and22(
-        eq22(verificationsInIam.id, verificationId),
-        eq22(verificationsInIam.tenantId, resolvedTenantId)
+      and24(
+        eq25(verificationsInIam.id, verificationId),
+        eq25(verificationsInIam.tenantId, resolvedTenantId)
       )
     ).limit(1);
     const expectedType = `phone-otp-${context}`;
@@ -3386,7 +3884,7 @@ var phoneVerificationConfirmHandler = async (c) => {
       };
     }
     if ((verification.attempt || 0) >= config.phone.maxAttempts) {
-      await tx.delete(verificationsInIam).where(eq22(verificationsInIam.id, verificationId));
+      await tx.delete(verificationsInIam).where(eq25(verificationsInIam.id, verificationId));
       return {
         status: "error",
         error: AUTH_ERRORS.TOO_MANY_ATTEMPTS
@@ -3394,21 +3892,21 @@ var phoneVerificationConfirmHandler = async (c) => {
     }
     const hashedCode = await hashToken(code, config.secret);
     if (verification.code !== hashedCode) {
-      await tx.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq22(verificationsInIam.id, verificationId));
+      await tx.update(verificationsInIam).set({ attempt: (verification.attempt || 0) + 1 }).where(eq25(verificationsInIam.id, verificationId));
       return {
         status: "error",
         error: AUTH_ERRORS.VERIFICATION_MISMATCH
       };
     }
-    await tx.delete(verificationsInIam).where(eq22(verificationsInIam.id, verificationId));
+    await tx.delete(verificationsInIam).where(eq25(verificationsInIam.id, verificationId));
     if (shouldCreateSession(context) && verification.userId) {
       await tx.update(usersInIam).set({
         phoneVerified: true,
         lastSignInAt: (/* @__PURE__ */ new Date()).toISOString()
       }).where(
-        and22(
-          eq22(usersInIam.id, verification.userId),
-          eq22(usersInIam.tenantId, resolvedTenantId)
+        and24(
+          eq25(usersInIam.id, verification.userId),
+          eq25(usersInIam.tenantId, resolvedTenantId)
         )
       );
     }
@@ -3450,7 +3948,7 @@ var phoneVerificationConfirmHandler = async (c) => {
   if (!result.session) {
     return c.json(
       {
-        user: normalizeUser(result.user),
+        user: normalizeAuthUser(result.user),
         session: null
       },
       200
@@ -3461,14 +3959,8 @@ var phoneVerificationConfirmHandler = async (c) => {
   });
   return c.json(
     {
-      user: normalizeUser(result.user),
-      session: {
-        id: result.session.id,
-        expiresAt: result.session.expiresAt,
-        createdAt: result.session.createdAt,
-        userAgent: result.session.userAgent,
-        ip: result.session.ip
-      },
+      user: normalizeAuthUser(result.user),
+      session: normalizeAuthSession(result.session),
       sessionExpiresAt: result.session.expiresAt
     },
     200
@@ -3476,7 +3968,7 @@ var phoneVerificationConfirmHandler = async (c) => {
 };
 
 // src/routes/phone/handler/verification-request.ts
-import { and as and23, eq as eq23 } from "drizzle-orm";
+import { and as and25, eq as eq26 } from "drizzle-orm";
 var phoneVerificationRequestHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -3501,9 +3993,9 @@ var phoneVerificationRequestHandler = async (c) => {
   let userId = user?.id;
   if (!userId) {
     const [result] = await database.select({ id: usersInIam.id }).from(usersInIam).where(
-      and23(
-        eq23(usersInIam.tenantId, resolvedTenantId),
-        eq23(usersInIam.phone, phone)
+      and25(
+        eq26(usersInIam.tenantId, resolvedTenantId),
+        eq26(usersInIam.phone, phone)
       )
     ).limit(1);
     if (!result) {
@@ -3529,10 +4021,10 @@ var phoneVerificationRequestHandler = async (c) => {
     );
   }
   await database.delete(verificationsInIam).where(
-    and23(
-      eq23(verificationsInIam.tenantId, resolvedTenantId),
-      eq23(verificationsInIam.userId, userId),
-      eq23(verificationsInIam.type, verificationType)
+    and25(
+      eq26(verificationsInIam.tenantId, resolvedTenantId),
+      eq26(verificationsInIam.userId, userId),
+      eq26(verificationsInIam.type, verificationType)
     )
   );
   const code = generateOtpCode(config.phone.otpLength);
@@ -3564,11 +4056,11 @@ var phoneVerificationRequestHandler = async (c) => {
       updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       reason: "replaced"
     }).where(
-      and23(
-        eq23(accountChangesInIam.tenantId, resolvedTenantId),
-        eq23(accountChangesInIam.userId, user.id),
-        eq23(accountChangesInIam.changeType, "phone"),
-        eq23(accountChangesInIam.status, "pending")
+      and25(
+        eq26(accountChangesInIam.tenantId, resolvedTenantId),
+        eq26(accountChangesInIam.userId, user.id),
+        eq26(accountChangesInIam.changeType, "phone"),
+        eq26(accountChangesInIam.status, "pending")
       )
     );
     await database.insert(accountChangesInIam).values({
@@ -3684,7 +4176,7 @@ import { createRoute as createRoute7, OpenAPIHono as OpenAPIHono7 } from "@hono/
 import { z as z4 } from "zod";
 
 // src/routes/profile/handler/account-change-pending.ts
-import { and as and24, eq as eq24, gt as gt7, sql as sql13 } from "drizzle-orm";
+import { and as and26, eq as eq27, gt as gt7, sql as sql13 } from "drizzle-orm";
 var accountChangePendingHandler = async (c) => {
   const config = c.get("config");
   const database = c.get("database");
@@ -3695,17 +4187,17 @@ var accountChangePendingHandler = async (c) => {
   }
   const resolvedTenantId = ensureTenantId(config, tenantId);
   await database.update(accountChangesInIam).set({ status: "expired" }).where(
-    and24(
-      eq24(accountChangesInIam.tenantId, resolvedTenantId),
-      eq24(accountChangesInIam.userId, userId),
+    and26(
+      eq27(accountChangesInIam.tenantId, resolvedTenantId),
+      eq27(accountChangesInIam.userId, userId),
       sql13`${accountChangesInIam.expiresAt} < CURRENT_TIMESTAMP`
     )
   );
   const [accountChange] = await database.select().from(accountChangesInIam).where(
-    and24(
-      eq24(accountChangesInIam.tenantId, resolvedTenantId),
-      eq24(accountChangesInIam.userId, userId),
-      eq24(accountChangesInIam.status, "pending")
+    and26(
+      eq27(accountChangesInIam.tenantId, resolvedTenantId),
+      eq27(accountChangesInIam.userId, userId),
+      eq27(accountChangesInIam.status, "pending")
     )
   ).limit(1);
   if (!accountChange) {
@@ -3717,11 +4209,11 @@ var accountChangePendingHandler = async (c) => {
       id: verificationsInIam.id,
       expiresAt: verificationsInIam.expiresAt
     }).from(verificationsInIam).where(
-      and24(
-        eq24(verificationsInIam.tenantId, resolvedTenantId),
-        eq24(verificationsInIam.userId, userId),
-        eq24(verificationsInIam.type, "email-verification"),
-        eq24(verificationsInIam.to, accountChange.newEmail),
+      and26(
+        eq27(verificationsInIam.tenantId, resolvedTenantId),
+        eq27(verificationsInIam.userId, userId),
+        eq27(verificationsInIam.type, "email-verification"),
+        eq27(verificationsInIam.to, accountChange.newEmail),
         gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
@@ -3732,11 +4224,11 @@ var accountChangePendingHandler = async (c) => {
       id: verificationsInIam.id,
       expiresAt: verificationsInIam.expiresAt
     }).from(verificationsInIam).where(
-      and24(
-        eq24(verificationsInIam.tenantId, resolvedTenantId),
-        eq24(verificationsInIam.userId, userId),
-        eq24(verificationsInIam.type, "phone-otp-change-phone"),
-        eq24(verificationsInIam.to, accountChange.newPhone),
+      and26(
+        eq27(verificationsInIam.tenantId, resolvedTenantId),
+        eq27(verificationsInIam.userId, userId),
+        eq27(verificationsInIam.type, "phone-otp-change-phone"),
+        eq27(verificationsInIam.to, accountChange.newPhone),
         gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
@@ -3759,6 +4251,13 @@ var accountChangePendingHandler = async (c) => {
   );
 };
 
+// src/lib/normalize-user.ts
+var normalizeUser = (user) => ({
+  ...user,
+  roles: user.roles ?? null,
+  roleCodes: user.roleCodes ?? null
+});
+
 // src/routes/profile/handler/me.ts
 var meHandler = (c) => {
   const user = c.get("user");
@@ -3805,7 +4304,7 @@ var sessionHandler = (c) => {
 };
 
 // src/routes/profile/handler/update.ts
-import { and as and25, eq as eq25, sql as sql14 } from "drizzle-orm";
+import { and as and27, eq as eq28, sql as sql14 } from "drizzle-orm";
 var updateProfileHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -3828,7 +4327,7 @@ var updateProfileHandler = async (c) => {
     ...updateData,
     updatedAt: sql14`CURRENT_TIMESTAMP`
   }).where(
-    and25(eq25(usersInIam.id, userId), eq25(usersInIam.tenantId, resolvedTenantId))
+    and27(eq28(usersInIam.id, userId), eq28(usersInIam.tenantId, resolvedTenantId))
   ).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
@@ -3848,7 +4347,7 @@ var updateProfileHandler = async (c) => {
 };
 
 // src/routes/profile/handler/update-email.ts
-import { and as and26, eq as eq26, ne as ne2, sql as sql15 } from "drizzle-orm";
+import { and as and28, eq as eq29, ne as ne2, sql as sql15 } from "drizzle-orm";
 var updateEmailHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -3866,9 +4365,9 @@ var updateEmailHandler = async (c) => {
   const resolvedTenantId = ensureTenantId(config, tenantId);
   if (user.email && session?.id) {
     await database.delete(sessionsInIam).where(
-      and26(
-        eq26(sessionsInIam.tenantId, resolvedTenantId),
-        eq26(sessionsInIam.userId, userId),
+      and28(
+        eq29(sessionsInIam.tenantId, resolvedTenantId),
+        eq29(sessionsInIam.userId, userId),
         ne2(sessionsInIam.id, session.id)
       )
     );
@@ -3878,7 +4377,7 @@ var updateEmailHandler = async (c) => {
     emailVerified: true,
     updatedAt: sql15`CURRENT_TIMESTAMP`
   }).where(
-    and26(eq26(usersInIam.id, userId), eq26(usersInIam.tenantId, resolvedTenantId))
+    and28(eq29(usersInIam.id, userId), eq29(usersInIam.tenantId, resolvedTenantId))
   ).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
@@ -3895,25 +4394,25 @@ var updateEmailHandler = async (c) => {
     return c.json({ error: "User not found" }, 404);
   }
   await database.update(accountChangesInIam).set({ status: "applied" }).where(
-    and26(
-      eq26(accountChangesInIam.tenantId, resolvedTenantId),
-      eq26(accountChangesInIam.userId, userId),
-      eq26(accountChangesInIam.changeType, "email"),
-      eq26(accountChangesInIam.newEmail, body.email)
+    and28(
+      eq29(accountChangesInIam.tenantId, resolvedTenantId),
+      eq29(accountChangesInIam.userId, userId),
+      eq29(accountChangesInIam.changeType, "email"),
+      eq29(accountChangesInIam.newEmail, body.email)
     )
   );
   await database.update(accountsInIam).set({ providerAccountId: body.email }).where(
-    and26(
-      eq26(accountsInIam.tenantId, resolvedTenantId),
-      eq26(accountsInIam.userId, userId),
-      eq26(accountsInIam.provider, "credentials")
+    and28(
+      eq29(accountsInIam.tenantId, resolvedTenantId),
+      eq29(accountsInIam.userId, userId),
+      eq29(accountsInIam.provider, "credentials")
     )
   );
   return c.json({ user: normalizeUser(updatedUser) }, 200);
 };
 
 // src/routes/profile/handler/update-phone.ts
-import { and as and27, eq as eq27, ne as ne3, sql as sql16 } from "drizzle-orm";
+import { and as and29, eq as eq30, ne as ne3, sql as sql16 } from "drizzle-orm";
 var updatePhoneHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -3935,9 +4434,9 @@ var updatePhoneHandler = async (c) => {
   }
   if (user.phone && session?.id) {
     await database.delete(sessionsInIam).where(
-      and27(
-        eq27(sessionsInIam.tenantId, resolvedTenantId),
-        eq27(sessionsInIam.userId, userId),
+      and29(
+        eq30(sessionsInIam.tenantId, resolvedTenantId),
+        eq30(sessionsInIam.userId, userId),
         ne3(sessionsInIam.id, session.id)
       )
     );
@@ -3947,7 +4446,7 @@ var updatePhoneHandler = async (c) => {
     phoneVerified: true,
     updatedAt: sql16`CURRENT_TIMESTAMP`
   }).where(
-    and27(eq27(usersInIam.id, userId), eq27(usersInIam.tenantId, resolvedTenantId))
+    and29(eq30(usersInIam.id, userId), eq30(usersInIam.tenantId, resolvedTenantId))
   ).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
@@ -3964,18 +4463,18 @@ var updatePhoneHandler = async (c) => {
     return c.json({ error: "User not found" }, 404);
   }
   await database.update(accountChangesInIam).set({ status: "applied" }).where(
-    and27(
-      eq27(accountChangesInIam.tenantId, resolvedTenantId),
-      eq27(accountChangesInIam.userId, userId),
-      eq27(accountChangesInIam.changeType, "phone"),
-      eq27(accountChangesInIam.newPhone, body.phone)
+    and29(
+      eq30(accountChangesInIam.tenantId, resolvedTenantId),
+      eq30(accountChangesInIam.userId, userId),
+      eq30(accountChangesInIam.changeType, "phone"),
+      eq30(accountChangesInIam.newPhone, body.phone)
     )
   );
   await database.update(accountsInIam).set({ providerAccountId: body.phone }).where(
-    and27(
-      eq27(accountsInIam.tenantId, resolvedTenantId),
-      eq27(accountsInIam.userId, userId),
-      eq27(accountsInIam.provider, "credentials")
+    and29(
+      eq30(accountsInIam.tenantId, resolvedTenantId),
+      eq30(accountsInIam.userId, userId),
+      eq30(accountsInIam.provider, "credentials")
     )
   );
   return c.json({ user: normalizeUser(updatedUser) }, 200);
@@ -4225,41 +4724,41 @@ var assignRolePermissionHandler = async (c) => {
 };
 
 // src/routes/role-permissions/handler/list-role-permissions.ts
-import { and as and28, eq as eq28 } from "drizzle-orm";
+import { and as and30, eq as eq31 } from "drizzle-orm";
 var listRolePermissionsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const conditions = [eq28(rolePermissionsInIam.tenantId, tenantId)];
+  const conditions = [eq31(rolePermissionsInIam.tenantId, tenantId)];
   if (query.roleId) {
-    conditions.push(eq28(rolePermissionsInIam.roleId, query.roleId));
+    conditions.push(eq31(rolePermissionsInIam.roleId, query.roleId));
   }
   if (query.permissionId) {
-    conditions.push(eq28(rolePermissionsInIam.permissionId, query.permissionId));
+    conditions.push(eq31(rolePermissionsInIam.permissionId, query.permissionId));
   }
-  const rolePermissions = await database.select().from(rolePermissionsInIam).where(and28(...conditions));
+  const rolePermissions = await database.select().from(rolePermissionsInIam).where(and30(...conditions));
   return c.json({ rolePermissions }, 200);
 };
 
 // src/routes/role-permissions/handler/revoke-role-permission.ts
-import { and as and29, eq as eq29 } from "drizzle-orm";
+import { and as and31, eq as eq32 } from "drizzle-orm";
 var revokeRolePermissionHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(rolePermissionsInIam).where(
-    and29(
-      eq29(rolePermissionsInIam.id, id),
-      eq29(rolePermissionsInIam.tenantId, tenantId)
+    and31(
+      eq32(rolePermissionsInIam.id, id),
+      eq32(rolePermissionsInIam.tenantId, tenantId)
     )
   ).limit(1);
   if (!existing) {
     return c.json({ error: "Role permission not found" }, 404);
   }
   await database.delete(rolePermissionsInIam).where(
-    and29(
-      eq29(rolePermissionsInIam.id, id),
-      eq29(rolePermissionsInIam.tenantId, tenantId)
+    and31(
+      eq32(rolePermissionsInIam.id, id),
+      eq32(rolePermissionsInIam.tenantId, tenantId)
     )
   );
   return c.json({ message: "Permission revoked from role" }, 200);
@@ -4383,81 +4882,571 @@ var role_permissions_route_default = rolePermissionRoutes;
 // src/routes/roles/roles.route.ts
 import { createRoute as createRoute9, OpenAPIHono as OpenAPIHono9 } from "@hono/zod-openapi";
 
+// src/routes/roles/handler/assign-role-permissions.ts
+import { randomUUID as randomUUID2 } from "crypto";
+import { and as and32, eq as eq33, inArray as inArray3 } from "drizzle-orm";
+var assignRolePermissionsHandler = async (c) => {
+  const { id } = c.req.valid("param");
+  const body = c.req.valid("json");
+  const database = c.get("database");
+  const config = c.get("config");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const permissionIds = [...new Set(body.permissionIds)];
+  const [role] = await database.select({
+    id: rolesInIam.id,
+    isEditable: rolesInIam.isEditable
+  }).from(rolesInIam).where(and32(eq33(rolesInIam.id, id), eq33(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  if (!role.isEditable) {
+    return c.json({ error: "Role is not editable" }, 403);
+  }
+  await seedPermissions({
+    database,
+    permissions: config.permissions
+  });
+  const existingPermissions = permissionIds.length ? await database.select({ id: permissionsInIam.id }).from(permissionsInIam).where(inArray3(permissionsInIam.id, permissionIds)) : [];
+  const existingPermissionIds = new Set(
+    existingPermissions.map((permission) => permission.id)
+  );
+  const missingPermissionIds = permissionIds.filter(
+    (permissionId) => !existingPermissionIds.has(permissionId)
+  );
+  if (missingPermissionIds.length) {
+    return c.json(
+      { error: `Unknown permissions: ${missingPermissionIds.join(", ")}` },
+      400
+    );
+  }
+  const created = permissionIds.length ? await database.insert(rolePermissionsInIam).values(
+    permissionIds.map((permissionId) => ({
+      id: randomUUID2(),
+      tenantId: resolvedTenantId,
+      roleId: id,
+      permissionId
+    }))
+  ).onConflictDoNothing({
+    target: [
+      rolePermissionsInIam.tenantId,
+      rolePermissionsInIam.permissionId,
+      rolePermissionsInIam.roleId
+    ]
+  }).returning({ permissionId: rolePermissionsInIam.permissionId }) : [];
+  return c.json(
+    {
+      created: created.length,
+      skipped: permissionIds.length - created.length
+    },
+    200
+  );
+};
+
+// src/routes/roles/handler/assign-role-users.ts
+import { randomUUID as randomUUID3 } from "crypto";
+import { and as and33, eq as eq34, inArray as inArray4 } from "drizzle-orm";
+var assignRoleUsersHandler = async (c) => {
+  const { id } = c.req.valid("param");
+  const body = c.req.valid("json");
+  const database = c.get("database");
+  const config = c.get("config");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const userIds = [...new Set(body.userIds)];
+  const [role] = await database.select({
+    id: rolesInIam.id,
+    isEditable: rolesInIam.isEditable
+  }).from(rolesInIam).where(and33(eq34(rolesInIam.id, id), eq34(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  if (!role.isEditable) {
+    return c.json({ error: "Role is not editable" }, 403);
+  }
+  const existingUsers = userIds.length ? await database.select({ id: usersInIam.id }).from(usersInIam).where(
+    and33(
+      eq34(usersInIam.tenantId, tenantId),
+      inArray4(usersInIam.id, userIds)
+    )
+  ) : [];
+  const existingUserIds = new Set(existingUsers.map((user) => user.id));
+  const missingUserIds = userIds.filter(
+    (userId) => !existingUserIds.has(userId)
+  );
+  if (missingUserIds.length) {
+    return c.json(
+      { error: `Unknown users: ${missingUserIds.join(", ")}` },
+      400
+    );
+  }
+  const created = userIds.length ? await database.insert(userRolesInIam).values(
+    userIds.map((userId) => ({
+      id: randomUUID3(),
+      tenantId: resolvedTenantId,
+      roleId: id,
+      userId
+    }))
+  ).onConflictDoNothing({
+    target: [
+      userRolesInIam.tenantId,
+      userRolesInIam.userId,
+      userRolesInIam.roleId
+    ]
+  }).returning({ userId: userRolesInIam.userId }) : [];
+  return c.json(
+    {
+      created: created.length,
+      skipped: userIds.length - created.length
+    },
+    200
+  );
+};
+
 // src/routes/roles/handler/create-role.ts
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 var createRoleHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const resolvedTenantId = ensureTenantId(config, tenantId);
-  const [role] = await database.insert(rolesInIam).values({
-    id: randomUUID(),
-    tenantId: resolvedTenantId,
-    name: body.name,
-    description: body.description,
-    code: body.code
-  }).returning();
-  return c.json({ role }, 201);
+  const permissionIds = [...new Set(body.permissionIds ?? [])];
+  const role = await withTransaction(database, async (tx) => {
+    await seedPermissions({
+      database: tx,
+      permissions: config.permissions
+    });
+    const [createdRole] = await tx.insert(rolesInIam).values({
+      id: randomUUID4(),
+      tenantId: resolvedTenantId,
+      name: body.name ?? { en: body.code },
+      description: body.description ?? { en: body.code },
+      code: body.code,
+      isSystem: body.isSystem ?? false,
+      isEditable: body.isEditable ?? true,
+      isDeletable: body.isDeletable ?? true
+    }).returning();
+    if (body.permissionIds !== void 0) {
+      await syncRolePermissions({
+        database: tx,
+        tenantId: resolvedTenantId,
+        roleId: createdRole.id,
+        permissionIds
+      });
+    }
+    return createdRole;
+  });
+  return c.json(
+    {
+      role: {
+        ...role,
+        permissionIds,
+        permissionCount: permissionIds.length
+      }
+    },
+    201
+  );
 };
 
 // src/routes/roles/handler/delete-role.ts
-import { and as and30, eq as eq30 } from "drizzle-orm";
+import { and as and34, eq as eq35 } from "drizzle-orm";
 var deleteRoleHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(rolesInIam).where(and30(eq30(rolesInIam.id, id), eq30(rolesInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(rolesInIam).where(and34(eq35(rolesInIam.id, id), eq35(rolesInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "Role not found" }, 404);
   }
-  await database.delete(rolesInIam).where(and30(eq30(rolesInIam.id, id), eq30(rolesInIam.tenantId, tenantId)));
+  if (!existing.isDeletable) {
+    return c.json({ error: "Role is not deletable" }, 403);
+  }
+  await database.delete(rolesInIam).where(and34(eq35(rolesInIam.id, id), eq35(rolesInIam.tenantId, tenantId)));
   return c.json({ message: "Role deleted" }, 200);
 };
 
 // src/routes/roles/handler/get-role.ts
-import { and as and31, eq as eq31 } from "drizzle-orm";
+import { and as and35, eq as eq36, sql as sql17 } from "drizzle-orm";
 var getRoleHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [role] = await database.select().from(rolesInIam).where(and31(eq31(rolesInIam.id, id), eq31(rolesInIam.tenantId, tenantId))).limit(1);
+  const [role] = await database.select({
+    id: rolesInIam.id,
+    tenantId: rolesInIam.tenantId,
+    createdAt: rolesInIam.createdAt,
+    updatedAt: rolesInIam.updatedAt,
+    name: rolesInIam.name,
+    description: rolesInIam.description,
+    code: rolesInIam.code,
+    isSystem: rolesInIam.isSystem,
+    isEditable: rolesInIam.isEditable,
+    isDeletable: rolesInIam.isDeletable,
+    permissionIds: sql17`COALESCE(
+        (
+          select array_to_json(array_agg(${rolePermissionsInIam.permissionId}))
+          from ${rolePermissionsInIam}
+          where ${and35(
+      eq36(rolePermissionsInIam.tenantId, tenantId),
+      eq36(rolePermissionsInIam.roleId, rolesInIam.id)
+    )}
+        ),
+        '[]'::json
+      )`,
+    permissionCount: sql17`(
+        select count(*)::int
+        from ${rolePermissionsInIam}
+        where ${and35(
+      eq36(rolePermissionsInIam.tenantId, tenantId),
+      eq36(rolePermissionsInIam.roleId, rolesInIam.id)
+    )}
+      )`,
+    userCount: sql17`(
+        select count(*)::int
+        from ${userRolesInIam}
+        where ${and35(
+      eq36(userRolesInIam.tenantId, tenantId),
+      eq36(userRolesInIam.roleId, rolesInIam.id)
+    )}
+      )`
+  }).from(rolesInIam).where(and35(eq36(rolesInIam.id, id), eq36(rolesInIam.tenantId, tenantId))).limit(1);
   if (!role) {
     return c.json({ error: "Role not found" }, 404);
   }
-  return c.json({ role }, 200);
+  return c.json(
+    {
+      role: {
+        ...role,
+        permissionIds: role.permissionIds ?? void 0
+      }
+    },
+    200
+  );
 };
 
-// src/routes/roles/handler/list-roles.ts
-import { and as and32, eq as eq32, sql as sql17 } from "drizzle-orm";
-var listRolesHandler = async (c) => {
+// src/routes/roles/handler/list-role-permissions.ts
+import { and as and36, eq as eq37 } from "drizzle-orm";
+var listRolePermissionsHandler2 = async (c) => {
+  const { id } = c.req.valid("param");
   const query = c.req.valid("query");
   const database = c.get("database");
+  const config = c.get("config");
   const tenantId = c.get("tenantId");
+  const [role] = await database.select({ id: rolesInIam.id }).from(rolesInIam).where(and36(eq37(rolesInIam.id, id), eq37(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq32(rolesInIam.tenantId, tenantId)];
-  const [roles, totalResult] = await Promise.all([
-    database.select().from(rolesInIam).where(and32(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql17`count(*)` }).from(rolesInIam).where(and32(...conditions))
+  const [assignedPermissions, permissionCatalog] = await Promise.all([
+    database.select({ permissionId: rolePermissionsInIam.permissionId }).from(rolePermissionsInIam).where(
+      and36(
+        eq37(rolePermissionsInIam.tenantId, tenantId),
+        eq37(rolePermissionsInIam.roleId, id)
+      )
+    ).then((rows) => new Set(rows.map((row) => row.permissionId))),
+    getMergedPermissionCatalog({
+      database,
+      permissions: config.permissions
+    })
   ]);
-  const total = Number(totalResult[0]?.count || 0);
-  return c.json({ roles, total, page, limit });
+  const sortedPermissions = filterAndSortPermissions(
+    permissionCatalog.filter(
+      (permission) => assignedPermissions.has(permission.id)
+    ),
+    query
+  );
+  const total = sortedPermissions.length;
+  const permissions = sortedPermissions.slice(offset, offset + limit);
+  return c.json({ permissions, total, page, limit }, 200);
 };
 
-// src/routes/roles/handler/update-role.ts
-import { and as and33, eq as eq33, sql as sql18 } from "drizzle-orm";
-var updateRoleHandler = async (c) => {
-  const { id } = c.req.valid("param");
-  const body = c.req.valid("json");
-  const database = c.get("database");
-  const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(rolesInIam).where(and33(eq33(rolesInIam.id, id), eq33(rolesInIam.tenantId, tenantId))).limit(1);
-  if (!existing) {
-    return c.json({ error: "Role not found" }, 404);
-  }
-  const updateData = {};
+// src/routes/roles/handler/list-role-users.ts
+import { and as and37, asc as asc2, desc as desc2, eq as eq38, ilike, or, sql as sql18 } from "drizzle-orm";
+var sortColumnMap = {
+  createdAt: usersInIam.createdAt,
+  updatedAt: usersInIam.updatedAt,
+  fullName: usersInIam.fullName,
+  handle: usersInIam.handle,
+  lastSignInAt: usersInIam.lastSignInAt
+};
+function getRoleUserSearchCondition(search, filter) {
+  const term = `%${search}%`;
+  if (filter === "fullName") {
+    return ilike(usersInIam.fullName, term);
+  }
+  if (filter === "email") {
+    return ilike(usersInIam.email, term);
+  }
+  if (filter === "phone") {
+    return ilike(usersInIam.phone, term);
+  }
+  if (filter === "handle") {
+    return ilike(usersInIam.handle, term);
+  }
+  return or(
+    ilike(usersInIam.fullName, term),
+    ilike(usersInIam.email, term),
+    ilike(usersInIam.phone, term),
+    ilike(usersInIam.handle, term)
+  );
+}
+async function ensureRoleExists({
+  database,
+  id,
+  tenantId
+}) {
+  const [role] = await database.select({ id: rolesInIam.id }).from(rolesInIam).where(and37(eq38(rolesInIam.id, id), eq38(rolesInIam.tenantId, tenantId))).limit(1);
+  return role;
+}
+var listRoleUsersHandler = async (c) => {
+  const { id } = c.req.valid("param");
+  const query = c.req.valid("query");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const role = await ensureRoleExists({ database, id, tenantId });
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  const page = query.page || 1;
+  const limit = query.limit || 20;
+  const offset = (page - 1) * limit;
+  const conditions = [
+    eq38(userRolesInIam.tenantId, tenantId),
+    eq38(userRolesInIam.roleId, id),
+    eq38(usersInIam.tenantId, tenantId)
+  ];
+  if (query.search) {
+    const searchCondition = getRoleUserSearchCondition(
+      query.search,
+      query.filter
+    );
+    if (searchCondition) {
+      conditions.push(searchCondition);
+    }
+  }
+  const orderDir = query.order === "asc" ? asc2 : desc2;
+  const sortCol = query.sort && sortColumnMap[query.sort] ? sortColumnMap[query.sort] : usersInIam.createdAt;
+  const [users, totalResult] = await Promise.all([
+    database.select({
+      id: usersInIam.id,
+      tenantId: usersInIam.tenantId,
+      fullName: usersInIam.fullName,
+      email: usersInIam.email,
+      phone: usersInIam.phone,
+      handle: usersInIam.handle,
+      image: usersInIam.image,
+      emailVerified: usersInIam.emailVerified,
+      phoneVerified: usersInIam.phoneVerified,
+      lastSignInAt: usersInIam.lastSignInAt
+    }).from(userRolesInIam).innerJoin(usersInIam, eq38(usersInIam.id, userRolesInIam.userId)).where(and37(...conditions)).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
+    database.select({ count: sql18`count(*)` }).from(userRolesInIam).innerJoin(usersInIam, eq38(usersInIam.id, userRolesInIam.userId)).where(and37(...conditions))
+  ]);
+  const total = Number(totalResult[0]?.count || 0);
+  return c.json(
+    {
+      users: users.map((user) => ({
+        ...user,
+        roles: null
+      })),
+      total,
+      page,
+      limit
+    },
+    200
+  );
+};
+
+// src/routes/roles/handler/list-roles.ts
+import { and as and38, asc as asc3, desc as desc3, eq as eq39, ilike as ilike2, or as or2, sql as sql19 } from "drizzle-orm";
+var sortColumnMap2 = {
+  createdAt: rolesInIam.createdAt,
+  updatedAt: rolesInIam.updatedAt,
+  code: rolesInIam.code
+};
+var listRolesHandler = async (c) => {
+  const query = c.req.valid("query");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const page = query.page || 1;
+  const limit = query.limit || 20;
+  const offset = (page - 1) * limit;
+  const conditions = [eq39(rolesInIam.tenantId, tenantId)];
+  if (query.search) {
+    const term = `%${query.search}%`;
+    const searchCondition = query.filter === "code" ? ilike2(rolesInIam.code, term) : or2(
+      ilike2(rolesInIam.code, term),
+      sql19`cast(${rolesInIam.name} as text) ilike ${term}`,
+      sql19`cast(${rolesInIam.description} as text) ilike ${term}`
+    );
+    if (searchCondition) {
+      conditions.push(searchCondition);
+    }
+  }
+  const orderDir = query.order === "asc" ? asc3 : desc3;
+  const sortCol = query.sort && sortColumnMap2[query.sort] ? sortColumnMap2[query.sort] : rolesInIam.createdAt;
+  const [roles, totalResult] = await Promise.all([
+    database.select({
+      id: rolesInIam.id,
+      tenantId: rolesInIam.tenantId,
+      createdAt: rolesInIam.createdAt,
+      updatedAt: rolesInIam.updatedAt,
+      name: rolesInIam.name,
+      description: rolesInIam.description,
+      code: rolesInIam.code,
+      isSystem: rolesInIam.isSystem,
+      isEditable: rolesInIam.isEditable,
+      isDeletable: rolesInIam.isDeletable,
+      permissionCount: sql19`(
+          select count(*)::int
+          from ${rolePermissionsInIam}
+          where ${and38(
+        eq39(rolePermissionsInIam.tenantId, tenantId),
+        eq39(rolePermissionsInIam.roleId, rolesInIam.id)
+      )}
+        )`,
+      userCount: sql19`(
+          select count(*)::int
+          from ${userRolesInIam}
+          where ${and38(
+        eq39(userRolesInIam.tenantId, tenantId),
+        eq39(userRolesInIam.roleId, rolesInIam.id)
+      )}
+        )`
+    }).from(rolesInIam).where(and38(...conditions)).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
+    database.select({ count: sql19`count(*)` }).from(rolesInIam).where(and38(...conditions))
+  ]);
+  const total = Number(totalResult[0]?.count || 0);
+  return c.json({ roles, total, page, limit });
+};
+
+// src/routes/roles/handler/revoke-role-permission.ts
+import { and as and39, eq as eq40 } from "drizzle-orm";
+var revokeRolePermissionHandler2 = async (c) => {
+  const { id, permissionId } = c.req.valid("param");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const [role] = await database.select({
+    id: rolesInIam.id,
+    isEditable: rolesInIam.isEditable
+  }).from(rolesInIam).where(and39(eq40(rolesInIam.id, id), eq40(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  if (!role.isEditable) {
+    return c.json({ error: "Role is not editable" }, 403);
+  }
+  const [deleted] = await database.delete(rolePermissionsInIam).where(
+    and39(
+      eq40(rolePermissionsInIam.tenantId, tenantId),
+      eq40(rolePermissionsInIam.roleId, id),
+      eq40(rolePermissionsInIam.permissionId, permissionId)
+    )
+  ).returning({ id: rolePermissionsInIam.id });
+  if (!deleted) {
+    return c.json({ error: "Role permission not found" }, 404);
+  }
+  return c.json({ message: "Permission revoked from role" }, 200);
+};
+
+// src/routes/roles/handler/revoke-role-user.ts
+import { and as and40, eq as eq41 } from "drizzle-orm";
+var revokeRoleUserHandler = async (c) => {
+  const { id, userId } = c.req.valid("param");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const [role] = await database.select({
+    id: rolesInIam.id,
+    isEditable: rolesInIam.isEditable
+  }).from(rolesInIam).where(and40(eq41(rolesInIam.id, id), eq41(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!role) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  if (!role.isEditable) {
+    return c.json({ error: "Role is not editable" }, 403);
+  }
+  const [deleted] = await database.delete(userRolesInIam).where(
+    and40(
+      eq41(userRolesInIam.tenantId, tenantId),
+      eq41(userRolesInIam.roleId, id),
+      eq41(userRolesInIam.userId, userId)
+    )
+  ).returning({ id: userRolesInIam.id });
+  if (!deleted) {
+    return c.json({ error: "Role user not found" }, 404);
+  }
+  return c.json({ message: "User removed from role" }, 200);
+};
+
+// src/routes/roles/handler/seed-roles.ts
+import { and as and41, eq as eq42, inArray as inArray5, sql as sql20 } from "drizzle-orm";
+var seedRolesHandler = async (c) => {
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  if (!config.roles?.length) {
+    return c.json({ error: "No roles configured for seeding" }, 400);
+  }
+  const rolesToSeed = config.roles;
+  const seededRoles = await withTransaction(database, async (tx) => {
+    await seedPermissions({
+      database: tx,
+      permissions: config.permissions
+    });
+    return seedRoles({
+      database: tx,
+      tenantId: resolvedTenantId,
+      roles: rolesToSeed
+    });
+  });
+  const permissionCountRows = seededRoles.length ? await database.select({
+    roleId: rolePermissionsInIam.roleId,
+    count: sql20`count(*)::int`
+  }).from(rolePermissionsInIam).where(
+    and41(
+      eq42(rolePermissionsInIam.tenantId, resolvedTenantId),
+      inArray5(
+        rolePermissionsInIam.roleId,
+        seededRoles.map((role) => role.id)
+      )
+    )
+  ).groupBy(rolePermissionsInIam.roleId) : [];
+  const permissionCountByRoleId = new Map(
+    permissionCountRows.map((row) => [row.roleId, row.count])
+  );
+  const roles = seededRoles.map((role) => ({
+    ...role,
+    permissionCount: permissionCountByRoleId.get(role.id) ?? 0
+  }));
+  return c.json(
+    {
+      roles,
+      total: roles.length
+    },
+    200
+  );
+};
+
+// src/routes/roles/handler/update-role.ts
+import { and as and42, eq as eq43, sql as sql21 } from "drizzle-orm";
+var updateRoleHandler = async (c) => {
+  const { id } = c.req.valid("param");
+  const body = c.req.valid("json");
+  const database = c.get("database");
+  const config = c.get("config");
+  const tenantId = c.get("tenantId");
+  const permissionIds = body.permissionIds === void 0 ? void 0 : [...new Set(body.permissionIds)];
+  const [existing] = await database.select().from(rolesInIam).where(and42(eq43(rolesInIam.id, id), eq43(rolesInIam.tenantId, tenantId))).limit(1);
+  if (!existing) {
+    return c.json({ error: "Role not found" }, 404);
+  }
+  if (!existing.isEditable) {
+    return c.json({ error: "Role is not editable" }, 403);
+  }
+  const updateData = {};
   if (body.name !== void 0) {
     updateData.name = body.name;
   }
@@ -4467,34 +5456,98 @@ var updateRoleHandler = async (c) => {
   if (body.code !== void 0) {
     updateData.code = body.code;
   }
-  const [updated] = await database.update(rolesInIam).set({
-    ...updateData,
-    updatedAt: sql18`CURRENT_TIMESTAMP`
-  }).where(and33(eq33(rolesInIam.id, id), eq33(rolesInIam.tenantId, tenantId))).returning();
+  if (body.isSystem !== void 0) {
+    updateData.isSystem = body.isSystem;
+  }
+  if (body.isEditable !== void 0) {
+    updateData.isEditable = body.isEditable;
+  }
+  if (body.isDeletable !== void 0) {
+    updateData.isDeletable = body.isDeletable;
+  }
+  const updated = await withTransaction(database, async (tx) => {
+    await seedPermissions({
+      database: tx,
+      permissions: config.permissions
+    });
+    const [role] = await tx.update(rolesInIam).set({
+      ...updateData,
+      updatedAt: sql21`CURRENT_TIMESTAMP`
+    }).where(and42(eq43(rolesInIam.id, id), eq43(rolesInIam.tenantId, tenantId))).returning();
+    if (!role) {
+      return null;
+    }
+    if (permissionIds !== void 0) {
+      await syncRolePermissions({
+        database: tx,
+        tenantId,
+        roleId: role.id,
+        permissionIds
+      });
+    }
+    return role;
+  });
   if (!updated) {
     return c.json({ error: "Role not found" }, 404);
   }
-  return c.json({ role: updated }, 200);
+  return c.json(
+    {
+      role: {
+        ...updated,
+        permissionIds,
+        permissionCount: permissionIds?.length
+      }
+    },
+    200
+  );
 };
 
 // src/routes/roles/roles.schema.ts
 import { z as z6 } from "zod";
+var roleFilterValues = ["", "code"];
+var roleSortValues = ["createdAt", "updatedAt", "code"];
 var listRolesQuerySchema = z6.object({
   page: z6.coerce.number().min(1).default(1).optional(),
-  limit: z6.coerce.number().min(1).max(100).default(20).optional()
+  limit: z6.coerce.number().min(1).max(100).default(20).optional(),
+  search: z6.string().optional(),
+  filter: z6.enum(roleFilterValues).optional(),
+  sort: z6.enum(roleSortValues).optional(),
+  order: z6.enum(["asc", "desc"]).optional()
 });
 var roleIdParamSchema = z6.object({
   id: z6.uuid()
 });
 var createRoleSchema = z6.object({
-  name: z6.unknown(),
-  description: z6.unknown(),
-  code: z6.string()
+  name: z6.unknown().optional(),
+  description: z6.unknown().optional(),
+  code: z6.string(),
+  permissionIds: z6.array(z6.string()).optional(),
+  isSystem: z6.boolean().optional(),
+  isEditable: z6.boolean().optional(),
+  isDeletable: z6.boolean().optional()
 });
 var updateRoleSchema = z6.object({
   name: z6.unknown().optional(),
   description: z6.unknown().optional(),
-  code: z6.string().optional()
+  code: z6.string().optional(),
+  permissionIds: z6.array(z6.string()).optional(),
+  isSystem: z6.boolean().optional(),
+  isEditable: z6.boolean().optional(),
+  isDeletable: z6.boolean().optional()
+});
+var assignRolePermissionsSchema = z6.object({
+  permissionIds: z6.array(z6.string()).min(1)
+});
+var assignRoleUsersSchema = z6.object({
+  userIds: z6.array(z6.uuid()).min(1)
+});
+var rolePermissionParamSchema = z6.object({
+  id: z6.uuid(),
+  permissionId: z6.string()
+});
+var roleUserParamSchema = z6.object({
+  id: z6.uuid(),
+  userId: z6.uuid()
 });
 var roleSchema = z6.object({
   id: z6.uuid(),
@@ -4503,7 +5556,13 @@ var roleSchema = z6.object({
   updatedAt: z6.string(),
   name: z6.unknown(),
   description: z6.unknown(),
-  code: z6.string()
+  code: z6.string(),
+  isSystem: z6.boolean(),
+  isEditable: z6.boolean(),
+  isDeletable: z6.boolean(),
+  permissionIds: z6.array(z6.string()).optional(),
+  permissionCount: z6.number().optional(),
+  userCount: z6.number().optional()
 });
 var listRolesResponseSchema = z6.object({
   roles: z6.array(roleSchema),
@@ -4514,12 +5573,45 @@ var listRolesResponseSchema = z6.object({
 var roleResponseSchema = z6.object({
   role: roleSchema
 });
+var listRolePermissionsResponseSchema2 = z6.object({
+  permissions: z6.array(permissionSchema),
+  total: z6.number(),
+  page: z6.number(),
+  limit: z6.number()
+});
+var assignRolePermissionsResponseSchema = z6.object({
+  created: z6.number(),
+  skipped: z6.number()
+});
+var listRoleUsersQuerySchema = z6.object({
+  page: z6.coerce.number().min(1).default(1).optional(),
+  limit: z6.coerce.number().min(1).max(100).default(20).optional(),
+  search: z6.string().optional(),
+  filter: z6.enum(["", "fullName", "email", "phone", "handle"]).optional(),
+  sort: z6.enum(["createdAt", "updatedAt", "fullName", "handle", "lastSignInAt"]).optional(),
+  order: z6.enum(["asc", "desc"]).optional()
+});
+var listRoleUsersResponseSchema = z6.object({
+  users: z6.array(userSchema),
+  total: z6.number(),
+  page: z6.number(),
+  limit: z6.number()
+});
+var assignRoleUsersResponseSchema = z6.object({
+  created: z6.number(),
+  skipped: z6.number()
+});
 var deleteRoleResponseSchema = z6.object({
   message: z6.string()
 });
+var seedRolesResponseSchema = z6.object({
+  roles: z6.array(roleSchema),
+  total: z6.number()
+});
 var errorResponseSchema5 = z6.object({
   error: z6.string()
 });
+var listRolePermissionsQuerySchema2 = listPermissionsQuerySchema;
 
 // src/routes/roles/roles.route.ts
 var listRolesRoute = createRoute9({
@@ -4537,26 +5629,258 @@ var listRolesRoute = createRoute9({
           schema: listRolesResponseSchema
         }
       },
-      description: "List of roles"
+      description: "List of roles"
+    }
+  }
+});
+var getRoleRoute = createRoute9({
+  method: "get",
+  path: "/{id}",
+  tags: ["Roles"],
+  summary: "Get role by ID",
+  request: {
+    params: roleIdParamSchema
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: roleResponseSchema
+        }
+      },
+      description: "Role details"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
+    }
+  }
+});
+var createRoleRoute = createRoute9({
+  method: "post",
+  path: "/",
+  tags: ["Roles"],
+  summary: "Create role",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: createRoleSchema
+        }
+      }
+    }
+  },
+  responses: {
+    201: {
+      content: {
+        "application/json": {
+          schema: roleResponseSchema
+        }
+      },
+      description: "Role created"
+    },
+    400: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Invalid permission assignment"
+    },
+    409: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role code already exists"
+    }
+  }
+});
+var updateRoleRoute = createRoute9({
+  method: "put",
+  path: "/{id}",
+  tags: ["Roles"],
+  summary: "Update role",
+  request: {
+    params: roleIdParamSchema,
+    body: {
+      content: {
+        "application/json": {
+          schema: updateRoleSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: roleResponseSchema
+        }
+      },
+      description: "Role updated"
+    },
+    400: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Invalid permission assignment"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not editable"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
+    }
+  }
+});
+var deleteRoleRoute = createRoute9({
+  method: "delete",
+  path: "/{id}",
+  tags: ["Roles"],
+  summary: "Delete role",
+  request: {
+    params: roleIdParamSchema
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: deleteRoleResponseSchema
+        }
+      },
+      description: "Role deleted"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not deletable"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
+    }
+  }
+});
+var listRolePermissionsRoute2 = createRoute9({
+  method: "get",
+  path: "/{id}/permissions",
+  tags: ["Roles"],
+  summary: "List permissions assigned to a role",
+  request: {
+    params: roleIdParamSchema,
+    query: listRolePermissionsQuerySchema2
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: listRolePermissionsResponseSchema2
+        }
+      },
+      description: "Role permissions"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
+    }
+  }
+});
+var assignRolePermissionsRoute = createRoute9({
+  method: "post",
+  path: "/{id}/permissions",
+  tags: ["Roles"],
+  summary: "Assign permissions to a role",
+  request: {
+    params: roleIdParamSchema,
+    body: {
+      content: {
+        "application/json": {
+          schema: assignRolePermissionsSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: assignRolePermissionsResponseSchema
+        }
+      },
+      description: "Permissions assigned"
+    },
+    400: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Invalid permissions"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not editable"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
     }
   }
 });
-var getRoleRoute = createRoute9({
+var listRoleUsersRoute = createRoute9({
   method: "get",
-  path: "/{id}",
+  path: "/{id}/users",
   tags: ["Roles"],
-  summary: "Get role by ID",
+  summary: "List users assigned to a role",
   request: {
-    params: roleIdParamSchema
+    params: roleIdParamSchema,
+    query: listRoleUsersQuerySchema
   },
   responses: {
     200: {
       content: {
         "application/json": {
-          schema: roleResponseSchema
+          schema: listRoleUsersResponseSchema
         }
       },
-      description: "Role details"
+      description: "Role users"
     },
     404: {
       content: {
@@ -4568,62 +5892,80 @@ var getRoleRoute = createRoute9({
     }
   }
 });
-var createRoleRoute = createRoute9({
+var assignRoleUsersRoute = createRoute9({
   method: "post",
-  path: "/",
+  path: "/{id}/users",
   tags: ["Roles"],
-  summary: "Create role",
+  summary: "Assign users to a role",
   request: {
+    params: roleIdParamSchema,
     body: {
       content: {
         "application/json": {
-          schema: createRoleSchema
+          schema: assignRoleUsersSchema
         }
       }
     }
   },
   responses: {
-    201: {
+    200: {
       content: {
         "application/json": {
-          schema: roleResponseSchema
+          schema: assignRoleUsersResponseSchema
         }
       },
-      description: "Role created"
+      description: "Users assigned"
     },
-    409: {
+    400: {
       content: {
         "application/json": {
           schema: errorResponseSchema5
         }
       },
-      description: "Role code already exists"
+      description: "Invalid users"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not editable"
+    },
+    404: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role not found"
     }
   }
 });
-var updateRoleRoute = createRoute9({
-  method: "put",
-  path: "/{id}",
+var revokeRolePermissionRoute2 = createRoute9({
+  method: "delete",
+  path: "/{id}/permissions/{permissionId}",
   tags: ["Roles"],
-  summary: "Update role",
+  summary: "Revoke a permission from a role",
   request: {
-    params: roleIdParamSchema,
-    body: {
-      content: {
-        "application/json": {
-          schema: updateRoleSchema
-        }
-      }
-    }
+    params: rolePermissionParamSchema
   },
   responses: {
     200: {
       content: {
         "application/json": {
-          schema: roleResponseSchema
+          schema: deleteRoleResponseSchema
         }
       },
-      description: "Role updated"
+      description: "Permission revoked"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not editable"
     },
     404: {
       content: {
@@ -4631,17 +5973,17 @@ var updateRoleRoute = createRoute9({
           schema: errorResponseSchema5
         }
       },
-      description: "Role not found"
+      description: "Role or permission not found"
     }
   }
 });
-var deleteRoleRoute = createRoute9({
+var revokeRoleUserRoute = createRoute9({
   method: "delete",
-  path: "/{id}",
+  path: "/{id}/users/{userId}",
   tags: ["Roles"],
-  summary: "Delete role",
+  summary: "Remove a user from a role",
   request: {
-    params: roleIdParamSchema
+    params: roleUserParamSchema
   },
   responses: {
     200: {
@@ -4650,7 +5992,15 @@ var deleteRoleRoute = createRoute9({
           schema: deleteRoleResponseSchema
         }
       },
-      description: "Role deleted"
+      description: "User removed"
+    },
+    403: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Role is not editable"
     },
     404: {
       content: {
@@ -4658,23 +6008,47 @@ var deleteRoleRoute = createRoute9({
           schema: errorResponseSchema5
         }
       },
-      description: "Role not found"
+      description: "Role or user not found"
+    }
+  }
+});
+var seedRolesRoute = createRoute9({
+  method: "post",
+  path: "/seed",
+  tags: ["Roles"],
+  summary: "Seed tenant roles from config",
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: seedRolesResponseSchema
+        }
+      },
+      description: "Seeded roles"
+    },
+    400: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema5
+        }
+      },
+      description: "Invalid role config"
     }
   }
 });
-var roleRoutes = new OpenAPIHono9().openapi(listRolesRoute, listRolesHandler).openapi(getRoleRoute, getRoleHandler).openapi(createRoleRoute, createRoleHandler).openapi(updateRoleRoute, updateRoleHandler).openapi(deleteRoleRoute, deleteRoleHandler);
+var roleRoutes = new OpenAPIHono9().openapi(listRolesRoute, listRolesHandler).openapi(seedRolesRoute, seedRolesHandler).openapi(getRoleRoute, getRoleHandler).openapi(createRoleRoute, createRoleHandler).openapi(updateRoleRoute, updateRoleHandler).openapi(listRolePermissionsRoute2, listRolePermissionsHandler2).openapi(assignRolePermissionsRoute, assignRolePermissionsHandler).openapi(revokeRolePermissionRoute2, revokeRolePermissionHandler2).openapi(listRoleUsersRoute, listRoleUsersHandler).openapi(assignRoleUsersRoute, assignRoleUsersHandler).openapi(revokeRoleUserRoute, revokeRoleUserHandler).openapi(deleteRoleRoute, deleteRoleHandler);
 var roles_route_default = roleRoutes;
 
 // src/routes/sessions/sessions.route.ts
 import { createRoute as createRoute10, OpenAPIHono as OpenAPIHono10 } from "@hono/zod-openapi";
 
 // src/routes/sessions/handler/get-session.ts
-import { and as and34, eq as eq34 } from "drizzle-orm";
+import { and as and43, eq as eq44 } from "drizzle-orm";
 var getSessionHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [session] = await database.select().from(sessionsInIam).where(and34(eq34(sessionsInIam.id, id), eq34(sessionsInIam.tenantId, tenantId))).limit(1);
+  const [session] = await database.select().from(sessionsInIam).where(and43(eq44(sessionsInIam.id, id), eq44(sessionsInIam.tenantId, tenantId))).limit(1);
   if (!session) {
     return c.json({ error: "Session not found" }, 404);
   }
@@ -4682,7 +6056,7 @@ var getSessionHandler = async (c) => {
 };
 
 // src/routes/sessions/handler/list-sessions.ts
-import { and as and35, eq as eq35, sql as sql19 } from "drizzle-orm";
+import { and as and44, eq as eq45, sql as sql22 } from "drizzle-orm";
 var listSessionsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
@@ -4690,48 +6064,48 @@ var listSessionsHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq35(sessionsInIam.tenantId, tenantId)];
+  const conditions = [eq45(sessionsInIam.tenantId, tenantId)];
   if (query.userId) {
-    conditions.push(eq35(sessionsInIam.userId, query.userId));
+    conditions.push(eq45(sessionsInIam.userId, query.userId));
   }
   const [sessions, totalResult] = await Promise.all([
-    database.select().from(sessionsInIam).where(and35(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql19`count(*)` }).from(sessionsInIam).where(and35(...conditions))
+    database.select().from(sessionsInIam).where(and44(...conditions)).limit(limit).offset(offset),
+    database.select({ count: sql22`count(*)` }).from(sessionsInIam).where(and44(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ sessions, total, page, limit }, 200);
 };
 
 // src/routes/sessions/handler/revoke-all-sessions.ts
-import { and as and36, eq as eq36 } from "drizzle-orm";
+import { and as and45, eq as eq46 } from "drizzle-orm";
 var revokeAllSessionsHandler = async (c) => {
   const { userId } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [user] = await database.select().from(usersInIam).where(and36(eq36(usersInIam.id, userId), eq36(usersInIam.tenantId, tenantId))).limit(1);
+  const [user] = await database.select().from(usersInIam).where(and45(eq46(usersInIam.id, userId), eq46(usersInIam.tenantId, tenantId))).limit(1);
   if (!user) {
     return c.json({ error: "User not found" }, 404);
   }
   await database.delete(sessionsInIam).where(
-    and36(
-      eq36(sessionsInIam.tenantId, tenantId),
-      eq36(sessionsInIam.userId, userId)
+    and45(
+      eq46(sessionsInIam.tenantId, tenantId),
+      eq46(sessionsInIam.userId, userId)
     )
   );
   return c.json({ message: "All user sessions revoked" }, 200);
 };
 
 // src/routes/sessions/handler/revoke-session.ts
-import { and as and37, eq as eq37 } from "drizzle-orm";
+import { and as and46, eq as eq47 } from "drizzle-orm";
 var revokeSessionHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(sessionsInIam).where(and37(eq37(sessionsInIam.id, id), eq37(sessionsInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(sessionsInIam).where(and46(eq47(sessionsInIam.id, id), eq47(sessionsInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "Session not found" }, 404);
   }
-  await database.delete(sessionsInIam).where(and37(eq37(sessionsInIam.id, id), eq37(sessionsInIam.tenantId, tenantId)));
+  await database.delete(sessionsInIam).where(and46(eq47(sessionsInIam.id, id), eq47(sessionsInIam.tenantId, tenantId)));
   return c.json({ message: "Session revoked" }, 200);
 };
 
@@ -4933,10 +6307,11 @@ var system_route_default = tenantRoutes;
 import { createRoute as createRoute12, OpenAPIHono as OpenAPIHono12 } from "@hono/zod-openapi";
 
 // src/routes/tenants/handler/create-tenant.ts
-import { eq as eq38 } from "drizzle-orm";
+import { eq as eq48 } from "drizzle-orm";
 
 // src/lib/has-role-permission.ts
-import { HTTPException as HTTPException3 } from "hono/http-exception";
+import { grant } from "@mesob/common";
+import { HTTPException as HTTPException4 } from "hono/http-exception";
 var toArray = (v) => {
   return Array.isArray(v) ? v : [v];
 };
@@ -4951,21 +6326,18 @@ var hasRole = (c, role) => {
 };
 var hasRoleThrow = (c, role) => {
   if (!hasRole(c, role)) {
-    throw new HTTPException3(401, { message: "Unauthorized" });
+    throw new HTTPException4(401, { message: "Unauthorized" });
   }
 };
 var hasPermission = (c, permission) => {
   const user = c.get("user");
   const perms = user?.permissions;
-  if (!perms?.length) {
-    return false;
-  }
   const check2 = toArray(permission);
-  return check2.some((p) => perms.includes(p));
+  return grant(check2, perms);
 };
 var hasPermissionThrow = (c, permission) => {
   if (!hasPermission(c, permission)) {
-    throw new HTTPException3(401, { message: "Unauthorized" });
+    throw new HTTPException4(401, { message: "Unauthorized" });
   }
 };
 
@@ -4974,7 +6346,7 @@ var createTenantHandler = async (c) => {
   hasRoleThrow(c, ["owner", "tenant-admin"]);
   const body = c.req.valid("json");
   const database = c.get("database");
-  const [existing] = await database.select().from(tenantsInIam).where(eq38(tenantsInIam.id, body.id)).limit(1);
+  const [existing] = await database.select().from(tenantsInIam).where(eq48(tenantsInIam.id, body.id)).limit(1);
   if (existing) {
     return c.json({ error: "Tenant already exists" }, 409);
   }
@@ -4997,26 +6369,26 @@ var createTenantHandler = async (c) => {
 };
 
 // src/routes/tenants/handler/delete-tenant.ts
-import { eq as eq39 } from "drizzle-orm";
+import { eq as eq49 } from "drizzle-orm";
 var deleteTenantHandler = async (c) => {
   hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const database = c.get("database");
-  const [existing] = await database.select().from(tenantsInIam).where(eq39(tenantsInIam.id, id)).limit(1);
+  const [existing] = await database.select().from(tenantsInIam).where(eq49(tenantsInIam.id, id)).limit(1);
   if (!existing) {
     return c.json({ error: "Tenant not found" }, 404);
   }
-  await database.delete(tenantsInIam).where(eq39(tenantsInIam.id, id));
+  await database.delete(tenantsInIam).where(eq49(tenantsInIam.id, id));
   return c.json({ message: "Tenant deleted" }, 200);
 };
 
 // src/routes/tenants/handler/get-tenant.ts
-import { eq as eq40 } from "drizzle-orm";
+import { eq as eq50 } from "drizzle-orm";
 var getTenantHandler = async (c) => {
   hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const database = c.get("database");
-  const [tenant] = await database.select().from(tenantsInIam).where(eq40(tenantsInIam.id, id)).limit(1);
+  const [tenant] = await database.select().from(tenantsInIam).where(eq50(tenantsInIam.id, id)).limit(1);
   if (!tenant) {
     return c.json({ error: "Tenant not found" }, 404);
   }
@@ -5024,11 +6396,11 @@ var getTenantHandler = async (c) => {
 };
 
 // src/routes/tenants/handler/list-tenants.ts
-import { and as and38, asc as asc2, desc as desc2, eq as eq41, ilike as ilike2, or, sql as sql20 } from "drizzle-orm";
-var sortColumnMap = {
+import { and as and47, asc as asc4, desc as desc4, eq as eq51, ilike as ilike3, or as or3, sql as sql23 } from "drizzle-orm";
+var sortColumnMap3 = {
   createdAt: tenantsInIam.createdAt,
   updatedAt: tenantsInIam.updatedAt,
-  name: sql20`${tenantsInIam.name}::text`
+  name: sql23`${tenantsInIam.name}::text`
 };
 var listTenantsHandler = async (c) => {
   hasRoleThrow(c, ["owner", "tenant-admin"]);
@@ -5039,42 +6411,42 @@ var listTenantsHandler = async (c) => {
   const offset = (page - 1) * limit;
   const conditions = [];
   if (query.isActive !== void 0) {
-    conditions.push(eq41(tenantsInIam.isActive, query.isActive));
+    conditions.push(eq51(tenantsInIam.isActive, query.isActive));
   }
   if (query.filter === "isActive:true") {
-    conditions.push(eq41(tenantsInIam.isActive, true));
+    conditions.push(eq51(tenantsInIam.isActive, true));
   } else if (query.filter === "isActive:false") {
-    conditions.push(eq41(tenantsInIam.isActive, false));
+    conditions.push(eq51(tenantsInIam.isActive, false));
   }
   if (query.search?.trim()) {
     const term = `%${query.search.trim()}%`;
-    const searchCond = or(
-      ilike2(tenantsInIam.id, term),
-      ilike2(sql20`${tenantsInIam.name}::text`, term)
+    const searchCond = or3(
+      ilike3(tenantsInIam.id, term),
+      ilike3(sql23`${tenantsInIam.name}::text`, term)
     );
     if (searchCond) {
       conditions.push(searchCond);
     }
   }
-  const orderDir = query.order === "asc" ? asc2 : desc2;
-  const sortCol = query.sort && sortColumnMap[query.sort] ? sortColumnMap[query.sort] : tenantsInIam.createdAt;
-  const whereClause = conditions.length > 0 ? and38(...conditions) : void 0;
+  const orderDir = query.order === "asc" ? asc4 : desc4;
+  const sortCol = query.sort && sortColumnMap3[query.sort] ? sortColumnMap3[query.sort] : tenantsInIam.createdAt;
+  const whereClause = conditions.length > 0 ? and47(...conditions) : void 0;
   const [tenants, totalResult] = await Promise.all([
     database.select().from(tenantsInIam).where(whereClause).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
-    database.select({ count: sql20`count(*)` }).from(tenantsInIam).where(whereClause)
+    database.select({ count: sql23`count(*)` }).from(tenantsInIam).where(whereClause)
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ tenants, total, page, limit }, 200);
 };
 
 // src/routes/tenants/handler/update-tenant.ts
-import { eq as eq42, sql as sql21 } from "drizzle-orm";
+import { eq as eq52, sql as sql24 } from "drizzle-orm";
 var updateTenantHandler = async (c) => {
   hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
-  const [existing] = await database.select().from(tenantsInIam).where(eq42(tenantsInIam.id, id)).limit(1);
+  const [existing] = await database.select().from(tenantsInIam).where(eq52(tenantsInIam.id, id)).limit(1);
   if (!existing) {
     return c.json({ error: "Tenant not found" }, 404);
   }
@@ -5117,8 +6489,8 @@ var updateTenantHandler = async (c) => {
   }
   const [updated] = await database.update(tenantsInIam).set({
     ...updateData,
-    updatedAt: sql21`CURRENT_TIMESTAMP`
-  }).where(eq42(tenantsInIam.id, id)).returning();
+    updatedAt: sql24`CURRENT_TIMESTAMP`
+  }).where(eq52(tenantsInIam.id, id)).returning();
   if (!updated) {
     return c.json({ error: "Tenant not found" }, 404);
   }
@@ -5373,36 +6745,36 @@ var assignUserRoleHandler = async (c) => {
 };
 
 // src/routes/user-roles/handler/list-user-roles.ts
-import { and as and39, eq as eq43 } from "drizzle-orm";
+import { and as and48, eq as eq53 } from "drizzle-orm";
 var listUserRolesHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const conditions = [eq43(userRolesInIam.tenantId, tenantId)];
+  const conditions = [eq53(userRolesInIam.tenantId, tenantId)];
   if (query.userId) {
-    conditions.push(eq43(userRolesInIam.userId, query.userId));
+    conditions.push(eq53(userRolesInIam.userId, query.userId));
   }
   if (query.roleId) {
-    conditions.push(eq43(userRolesInIam.roleId, query.roleId));
+    conditions.push(eq53(userRolesInIam.roleId, query.roleId));
   }
-  const userRoles = await database.select().from(userRolesInIam).where(and39(...conditions));
+  const userRoles = await database.select().from(userRolesInIam).where(and48(...conditions));
   return c.json({ userRoles }, 200);
 };
 
 // src/routes/user-roles/handler/revoke-user-role.ts
-import { and as and40, eq as eq44 } from "drizzle-orm";
+import { and as and49, eq as eq54 } from "drizzle-orm";
 var revokeUserRoleHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(userRolesInIam).where(
-    and40(eq44(userRolesInIam.id, id), eq44(userRolesInIam.tenantId, tenantId))
+    and49(eq54(userRolesInIam.id, id), eq54(userRolesInIam.tenantId, tenantId))
   ).limit(1);
   if (!existing) {
     return c.json({ error: "User role not found" }, 404);
   }
   await database.delete(userRolesInIam).where(
-    and40(eq44(userRolesInIam.id, id), eq44(userRolesInIam.tenantId, tenantId))
+    and49(eq54(userRolesInIam.id, id), eq54(userRolesInIam.tenantId, tenantId))
   );
   return c.json({ message: "Role revoked from user" }, 200);
 };
@@ -5526,20 +6898,20 @@ var user_roles_route_default = userRoleRoutes;
 import { createRoute as createRoute14, OpenAPIHono as OpenAPIHono14 } from "@hono/zod-openapi";
 
 // src/routes/users/handler/ban-user.ts
-import { and as and41, eq as eq45, sql as sql22 } from "drizzle-orm";
+import { and as and50, eq as eq55, sql as sql25 } from "drizzle-orm";
 var banUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and41(eq45(usersInIam.id, id), eq45(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
   const [updated] = await database.update(usersInIam).set({
     bannedUntil: body.bannedUntil || null,
-    updatedAt: sql22`CURRENT_TIMESTAMP`
-  }).where(and41(eq45(usersInIam.id, id), eq45(usersInIam.tenantId, tenantId))).returning({
+    updatedAt: sql25`CURRENT_TIMESTAMP`
+  }).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId))).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
     fullName: usersInIam.fullName,
@@ -5558,17 +6930,17 @@ var banUserHandler = async (c) => {
 };
 
 // src/routes/users/helper/user.ts
-import { and as and42, eq as eq46, sql as sql23 } from "drizzle-orm";
+import { and as and51, eq as eq56, sql as sql26 } from "drizzle-orm";
 var checkUserExists = async ({
   database,
   identifier,
   tenantId,
   isEmail
 }) => {
-  const whereClause = isEmail ? and42(
-    eq46(usersInIam.tenantId, tenantId),
-    sql23`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and42(eq46(usersInIam.tenantId, tenantId), eq46(usersInIam.phone, identifier));
+  const whereClause = isEmail ? and51(
+    eq56(usersInIam.tenantId, tenantId),
+    sql26`lower(${usersInIam.email}) = lower(${identifier})`
+  ) : and51(eq56(usersInIam.tenantId, tenantId), eq56(usersInIam.phone, identifier));
   const [user] = await database.select().from(usersInIam).where(whereClause).limit(1);
   return user || null;
 };
@@ -5578,14 +6950,170 @@ var checkHandleExists = async ({
   tenantId
 }) => {
   const [existingHandle] = await database.select().from(usersInIam).where(
-    and42(
-      eq46(usersInIam.tenantId, tenantId),
-      sql23`lower(${usersInIam.handle}) = lower(${handle})`
+    and51(
+      eq56(usersInIam.tenantId, tenantId),
+      sql26`lower(${usersInIam.handle}) = lower(${handle})`
     )
   ).limit(1);
   return existingHandle || null;
 };
 
+// src/routes/users/helper/invite.ts
+var resolveInviteUrl = ({
+  inviteUrl,
+  identifier,
+  hasPassword
+}) => {
+  if (inviteUrl) {
+    return inviteUrl;
+  }
+  if (hasPassword) {
+    return "/auth/sign-in";
+  }
+  return `/auth/set-password?identifier=${encodeURIComponent(identifier)}`;
+};
+var inviteUser = (
+  // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: invite flow mixes validation, persistence, and delivery reporting
+  async function inviteUser2({
+    database,
+    tenantId,
+    config,
+    payload
+  }) {
+    const identifier = payload.email || payload.phone;
+    if (!identifier) {
+      throw new Error("Either email or phone is required");
+    }
+    const isEmail = identifier.includes("@");
+    if (payload.phone) {
+      const phoneValidator = createPhoneField(config);
+      if (!phoneValidator.validate(payload.phone)) {
+        throw new Error("Invalid phone number format");
+      }
+    }
+    const existing = await checkUserExists({
+      database,
+      identifier,
+      tenantId,
+      isEmail
+    });
+    if (existing) {
+      throw new Error("User already exists");
+    }
+    const userHandle = payload.handle || generateHandle();
+    const existingHandle = await checkHandleExists({
+      database,
+      handle: userHandle,
+      tenantId
+    });
+    if (existingHandle) {
+      throw new Error("Handle already taken");
+    }
+    const passwordHash = payload.password ? await hashPassword(payload.password) : null;
+    const user = await withTransaction(database, async (tx) => {
+      const [createdUser] = await tx.insert(usersInIam).values({
+        tenantId,
+        fullName: payload.fullName,
+        handle: userHandle,
+        email: payload.email || null,
+        phone: payload.phone || null,
+        image: payload.image || null,
+        emailVerified: Boolean(payload.emailVerified),
+        phoneVerified: Boolean(payload.phoneVerified),
+        userType: [config.userType]
+      }).returning();
+      if (passwordHash) {
+        await tx.insert(accountsInIam).values({
+          tenantId,
+          userId: createdUser.id,
+          provider: "credentials",
+          providerAccountId: identifier,
+          password: passwordHash
+        });
+      }
+      return createdUser;
+    });
+    const hasPassword = Boolean(passwordHash);
+    const resolvedInviteUrl = resolveInviteUrl({
+      inviteUrl: payload.inviteUrl,
+      identifier,
+      hasPassword
+    });
+    const delivery = {};
+    if (payload.sendVia?.includes("email")) {
+      if (payload.email && config.email.sendInvitation) {
+        try {
+          await config.email.sendInvitation({
+            email: payload.email,
+            fullName: payload.fullName,
+            identifier,
+            inviteUrl: resolvedInviteUrl,
+            tenantId
+          });
+          delivery.email = "sent";
+        } catch {
+          delivery.email = "failed";
+        }
+      } else {
+        delivery.email = "skipped";
+      }
+    }
+    if (payload.sendVia?.includes("sms")) {
+      if (payload.phone && config.phone.sendInvitation) {
+        try {
+          await config.phone.sendInvitation({
+            phone: payload.phone,
+            fullName: payload.fullName,
+            identifier,
+            inviteUrl: resolvedInviteUrl,
+            tenantId
+          });
+          delivery.sms = "sent";
+        } catch {
+          delivery.sms = "failed";
+        }
+      } else {
+        delivery.sms = "skipped";
+      }
+    }
+    return {
+      user: normalizeUser(user),
+      delivery,
+      inviteUrl: resolvedInviteUrl,
+      hasPassword
+    };
+  }
+);
+
+// src/routes/users/handler/bulk-invite-users.ts
+var bulkInviteUsersHandler = async (c) => {
+  const body = c.req.valid("json");
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const invited = [];
+  const failed = [];
+  for (const [index2, payload] of body.users.entries()) {
+    try {
+      const result = await inviteUser({
+        database,
+        tenantId: resolvedTenantId,
+        config,
+        payload
+      });
+      invited.push(result);
+    } catch (error) {
+      failed.push({
+        index: index2,
+        identifier: payload.email || payload.phone || null,
+        error: error instanceof Error ? error.message : "Unknown error"
+      });
+    }
+  }
+  return c.json({ invited, failed }, 200);
+};
+
 // src/routes/users/handler/create-user.ts
 var createUserHandler = async (c) => {
   const body = c.req.valid("json");
@@ -5616,41 +7144,55 @@ var createUserHandler = async (c) => {
   if (existingHandle) {
     return c.json({ error: "Handle already taken" }, 409);
   }
-  const [user] = await database.insert(usersInIam).values({
-    tenantId: resolvedTenantId,
-    fullName: body.fullName,
-    handle: userHandle,
-    email: body.email || null,
-    phone: body.phone || null,
-    image: body.image || null,
-    emailVerified: Boolean(body.emailVerified),
-    phoneVerified: Boolean(body.phoneVerified)
-  }).returning({
-    id: usersInIam.id,
-    tenantId: usersInIam.tenantId,
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    handle: usersInIam.handle,
-    image: usersInIam.image,
-    emailVerified: usersInIam.emailVerified,
-    phoneVerified: usersInIam.phoneVerified,
-    lastSignInAt: usersInIam.lastSignInAt
+  const [user] = await withTransaction(database, async (tx) => {
+    const [createdUser] = await tx.insert(usersInIam).values({
+      tenantId: resolvedTenantId,
+      fullName: body.fullName,
+      handle: userHandle,
+      email: body.email || null,
+      phone: body.phone || null,
+      image: body.image || null,
+      emailVerified: Boolean(body.emailVerified),
+      phoneVerified: Boolean(body.phoneVerified),
+      userType: [config.userType]
+    }).returning({
+      id: usersInIam.id,
+      tenantId: usersInIam.tenantId,
+      fullName: usersInIam.fullName,
+      email: usersInIam.email,
+      phone: usersInIam.phone,
+      handle: usersInIam.handle,
+      image: usersInIam.image,
+      emailVerified: usersInIam.emailVerified,
+      phoneVerified: usersInIam.phoneVerified,
+      lastSignInAt: usersInIam.lastSignInAt
+    });
+    if (body.password) {
+      const passwordHash = await hashPassword(body.password);
+      await tx.insert(accountsInIam).values({
+        tenantId: resolvedTenantId,
+        userId: createdUser.id,
+        provider: "credentials",
+        providerAccountId: identifier,
+        password: passwordHash
+      });
+    }
+    return [createdUser];
   });
   return c.json({ user: normalizeUser(user) }, 201);
 };
 
 // src/routes/users/handler/delete-user.ts
-import { and as and43, eq as eq47 } from "drizzle-orm";
+import { and as and52, eq as eq57 } from "drizzle-orm";
 var deleteUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and43(eq47(usersInIam.id, id), eq47(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
-  await database.delete(usersInIam).where(and43(eq47(usersInIam.id, id), eq47(usersInIam.tenantId, tenantId)));
+  await database.delete(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId)));
   return c.json({ message: "User deleted" }, 200);
 };
 
@@ -5670,9 +7212,32 @@ var getUserHandler = async (c) => {
   return c.json({ user: normalizeUser(user) }, 200);
 };
 
+// src/routes/users/handler/invite-user.ts
+var inviteUserHandler = async (c) => {
+  const body = c.req.valid("json");
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  try {
+    const result = await inviteUser({
+      database,
+      tenantId: resolvedTenantId,
+      config,
+      payload: body
+    });
+    return c.json(result, 201);
+  } catch (error) {
+    if (error instanceof Error) {
+      return c.json({ error: error.message }, 409);
+    }
+    throw error;
+  }
+};
+
 // src/routes/users/handler/list-users.ts
-import { and as and44, asc as asc3, desc as desc3, eq as eq48, ilike as ilike3, sql as sql24 } from "drizzle-orm";
-var sortColumnMap2 = {
+import { and as and53, asc as asc5, desc as desc5, eq as eq58, ilike as ilike4, sql as sql27 } from "drizzle-orm";
+var sortColumnMap4 = {
   createdAt: usersInIam.createdAt,
   updatedAt: usersInIam.updatedAt,
   fullName: usersInIam.fullName,
@@ -5686,26 +7251,26 @@ var listUsersHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq48(usersInIam.tenantId, tenantId)];
+  const conditions = [eq58(usersInIam.tenantId, tenantId)];
   if (query.email) {
-    conditions.push(ilike3(usersInIam.email, `%${query.email}%`));
+    conditions.push(ilike4(usersInIam.email, `%${query.email}%`));
   }
   if (query.phone) {
-    conditions.push(ilike3(usersInIam.phone, `%${query.phone}%`));
+    conditions.push(ilike4(usersInIam.phone, `%${query.phone}%`));
   }
   if (query.handle) {
-    conditions.push(ilike3(usersInIam.handle, `%${query.handle}%`));
+    conditions.push(ilike4(usersInIam.handle, `%${query.handle}%`));
   }
   if (query.filter === "emailVerified") {
-    conditions.push(eq48(usersInIam.emailVerified, true));
+    conditions.push(eq58(usersInIam.emailVerified, true));
   } else if (query.filter === "phoneVerified") {
-    conditions.push(eq48(usersInIam.phoneVerified, true));
+    conditions.push(eq58(usersInIam.phoneVerified, true));
   } else if (query.filter === "notVerified") {
-    conditions.push(eq48(usersInIam.emailVerified, false));
-    conditions.push(eq48(usersInIam.phoneVerified, false));
+    conditions.push(eq58(usersInIam.emailVerified, false));
+    conditions.push(eq58(usersInIam.phoneVerified, false));
   }
-  const orderDir = query.order === "asc" ? asc3 : desc3;
-  const sortCol = query.sort && sortColumnMap2[query.sort] ? sortColumnMap2[query.sort] : usersInIam.createdAt;
+  const orderDir = query.order === "asc" ? asc5 : desc5;
+  const sortCol = query.sort && sortColumnMap4[query.sort] ? sortColumnMap4[query.sort] : usersInIam.createdAt;
   const [users, totalResult] = await Promise.all([
     database.select({
       id: usersInIam.id,
@@ -5718,8 +7283,8 @@ var listUsersHandler = async (c) => {
       emailVerified: usersInIam.emailVerified,
       phoneVerified: usersInIam.phoneVerified,
       lastSignInAt: usersInIam.lastSignInAt
-    }).from(usersInIam).where(and44(...conditions)).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
-    database.select({ count: sql24`count(*)` }).from(usersInIam).where(and44(...conditions))
+    }).from(usersInIam).where(and53(...conditions)).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
+    database.select({ count: sql27`count(*)` }).from(usersInIam).where(and53(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json(
@@ -5737,18 +7302,18 @@ var listUsersHandler = async (c) => {
 };
 
 // src/routes/users/handler/search-users.ts
-import { and as and45, eq as eq49, ilike as ilike4, or as or2 } from "drizzle-orm";
+import { and as and54, eq as eq59, ilike as ilike5, or as or4 } from "drizzle-orm";
 var searchUsersHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const limit = query.limit || 20;
-  const conditions = [eq49(usersInIam.tenantId, tenantId)];
+  const conditions = [eq59(usersInIam.tenantId, tenantId)];
   if (query.search && query.search.trim().length > 0) {
-    const searchCondition = or2(
-      ilike4(usersInIam.fullName, `%${query.search}%`),
-      ilike4(usersInIam.email, `%${query.search}%`),
-      ilike4(usersInIam.handle, `%${query.search}%`)
+    const searchCondition = or4(
+      ilike5(usersInIam.fullName, `%${query.search}%`),
+      ilike5(usersInIam.email, `%${query.search}%`),
+      ilike5(usersInIam.handle, `%${query.search}%`)
     );
     if (searchCondition) {
       conditions.push(searchCondition);
@@ -5761,26 +7326,26 @@ var searchUsersHandler = async (c) => {
     phone: usersInIam.phone,
     handle: usersInIam.handle,
     image: usersInIam.image
-  }).from(usersInIam).where(and45(...conditions)).limit(limit);
+  }).from(usersInIam).where(and54(...conditions)).limit(limit);
   return c.json({ users }, 200);
 };
 
 // src/routes/users/handler/update-user.ts
-import { and as and46, eq as eq50, sql as sql25 } from "drizzle-orm";
+import { and as and55, eq as eq60, sql as sql28 } from "drizzle-orm";
 var updateUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and46(eq50(usersInIam.id, id), eq50(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
   if (body.handle && body.handle !== existing.handle) {
     const [handleExists] = await database.select().from(usersInIam).where(
-      and46(
-        eq50(usersInIam.tenantId, tenantId),
-        sql25`lower(${usersInIam.handle}) = lower(${body.handle})`
+      and55(
+        eq60(usersInIam.tenantId, tenantId),
+        sql28`lower(${usersInIam.handle}) = lower(${body.handle})`
       )
     ).limit(1);
     if (handleExists) {
@@ -5811,8 +7376,8 @@ var updateUserHandler = async (c) => {
   }
   const [updated] = await database.update(usersInIam).set({
     ...updateData,
-    updatedAt: sql25`CURRENT_TIMESTAMP`
-  }).where(and46(eq50(usersInIam.id, id), eq50(usersInIam.tenantId, tenantId))).returning({
+    updatedAt: sql28`CURRENT_TIMESTAMP`
+  }).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
     fullName: usersInIam.fullName,
@@ -5865,6 +7430,7 @@ var createUserSchema = z11.object({
   fullName: z11.string().min(1),
   handle: z11.string().optional(),
   image: z11.string().url().optional(),
+  password: z11.string().min(8).max(128).optional(),
   emailVerified: z11.boolean().default(false).optional(),
   phoneVerified: z11.boolean().default(false).optional()
 });
@@ -5895,6 +7461,46 @@ var deleteUserResponseSchema = z11.object({
 var errorResponseSchema9 = z11.object({
   error: z11.string()
 });
+var inviteChannelSchema = z11.enum(["email", "sms"]);
+var inviteUserSchema = z11.object({
+  email: z11.string().email().optional(),
+  phone: z11.string().optional(),
+  fullName: z11.string().min(1),
+  handle: z11.string().optional(),
+  image: z11.string().url().optional(),
+  password: z11.string().min(8).max(128).optional(),
+  emailVerified: z11.boolean().default(false).optional(),
+  phoneVerified: z11.boolean().default(false).optional(),
+  sendVia: z11.array(inviteChannelSchema).default([]).optional(),
+  inviteUrl: z11.string().url().optional()
+}).refine((data) => data.email || data.phone, {
+  message: "Either email or phone is required",
+  path: ["email"]
+});
+var bulkInviteUsersSchema = z11.object({
+  users: z11.array(inviteUserSchema).min(1)
+});
+var deliveryStateSchema = z11.enum(["sent", "skipped", "failed"]);
+var inviteDeliverySchema = z11.object({
+  email: deliveryStateSchema.optional(),
+  sms: deliveryStateSchema.optional()
+});
+var inviteUserResultSchema = z11.object({
+  user: userSchema,
+  delivery: inviteDeliverySchema,
+  inviteUrl: z11.string().nullable(),
+  hasPassword: z11.boolean()
+});
+var bulkInviteUsersResponseSchema = z11.object({
+  invited: z11.array(inviteUserResultSchema),
+  failed: z11.array(
+    z11.object({
+      index: z11.number().int().nonnegative(),
+      identifier: z11.string().nullable(),
+      error: z11.string()
+    })
+  )
+});
 var searchUsersQuerySchema = z11.object({
   search: z11.string().optional().describe("Search term"),
   limit: z11.coerce.number().int().positive().optional().default(20).describe("Limit")
@@ -6113,38 +7719,96 @@ var searchUsersRoute = createRoute14({
     }
   }
 });
-var userRoutes = new OpenAPIHono14().openapi(listUsersRoute, listUsersHandler).openapi(getUserRoute, getUserHandler).openapi(createUserRoute, createUserHandler).openapi(updateUserRoute, updateUserHandler).openapi(deleteUserRoute, deleteUserHandler).openapi(banUserRoute, banUserHandler).openapi(searchUsersRoute, searchUsersHandler);
+var inviteUserRoute = createRoute14({
+  method: "post",
+  path: "/invite",
+  tags: ["Users"],
+  summary: "Invite a single user",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: inviteUserSchema
+        }
+      }
+    }
+  },
+  responses: {
+    201: {
+      content: {
+        "application/json": {
+          schema: inviteUserResultSchema
+        }
+      },
+      description: "User invited"
+    },
+    409: {
+      content: {
+        "application/json": {
+          schema: errorResponseSchema9
+        }
+      },
+      description: "User or handle already exists"
+    }
+  }
+});
+var bulkInviteUsersRoute = createRoute14({
+  method: "post",
+  path: "/invite/bulk",
+  tags: ["Users"],
+  summary: "Invite users in bulk",
+  request: {
+    body: {
+      content: {
+        "application/json": {
+          schema: bulkInviteUsersSchema
+        }
+      }
+    }
+  },
+  responses: {
+    200: {
+      content: {
+        "application/json": {
+          schema: bulkInviteUsersResponseSchema
+        }
+      },
+      description: "Bulk invite results"
+    }
+  }
+});
+var userRoutes = new OpenAPIHono14().openapi(listUsersRoute, listUsersHandler).openapi(getUserRoute, getUserHandler).openapi(createUserRoute, createUserHandler).openapi(updateUserRoute, updateUserHandler).openapi(deleteUserRoute, deleteUserHandler).openapi(banUserRoute, banUserHandler).openapi(searchUsersRoute, searchUsersHandler).openapi(inviteUserRoute, inviteUserHandler).openapi(bulkInviteUsersRoute, bulkInviteUsersHandler);
 var users_route_default = userRoutes;
 
 // src/routes/verifications/verifications.route.ts
 import { createRoute as createRoute15, OpenAPIHono as OpenAPIHono15 } from "@hono/zod-openapi";
 
 // src/routes/verifications/handler/invalidate-verification.ts
-import { and as and47, eq as eq51 } from "drizzle-orm";
+import { and as and56, eq as eq61 } from "drizzle-orm";
 var invalidateVerificationHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(verificationsInIam).where(
-    and47(
-      eq51(verificationsInIam.id, id),
-      eq51(verificationsInIam.tenantId, tenantId)
+    and56(
+      eq61(verificationsInIam.id, id),
+      eq61(verificationsInIam.tenantId, tenantId)
     )
   ).limit(1);
   if (!existing) {
     return c.json({ error: "Verification not found" }, 404);
   }
   await database.delete(verificationsInIam).where(
-    and47(
-      eq51(verificationsInIam.id, id),
-      eq51(verificationsInIam.tenantId, tenantId)
+    and56(
+      eq61(verificationsInIam.id, id),
+      eq61(verificationsInIam.tenantId, tenantId)
     )
   );
   return c.json({ message: "Verification invalidated" }, 200);
 };
 
 // src/routes/verifications/handler/list-verifications.ts
-import { and as and48, eq as eq52, sql as sql26 } from "drizzle-orm";
+import { and as and57, eq as eq62, sql as sql29 } from "drizzle-orm";
 var listVerificationsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
@@ -6152,27 +7816,27 @@ var listVerificationsHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq52(verificationsInIam.tenantId, tenantId)];
+  const conditions = [eq62(verificationsInIam.tenantId, tenantId)];
   if (query.userId) {
-    conditions.push(eq52(verificationsInIam.userId, query.userId));
+    conditions.push(eq62(verificationsInIam.userId, query.userId));
   }
   if (query.type) {
-    conditions.push(eq52(verificationsInIam.type, query.type));
+    conditions.push(eq62(verificationsInIam.type, query.type));
   }
   if (query.status) {
     if (query.status === "active") {
-      conditions.push(sql26`${verificationsInIam.expiresAt} > CURRENT_TIMESTAMP`);
+      conditions.push(sql29`${verificationsInIam.expiresAt} > CURRENT_TIMESTAMP`);
     } else if (query.status === "expired") {
       conditions.push(
-        sql26`${verificationsInIam.expiresAt} <= CURRENT_TIMESTAMP`
+        sql29`${verificationsInIam.expiresAt} <= CURRENT_TIMESTAMP`
       );
     } else if (query.status === "consumed") {
-      conditions.push(sql26`${verificationsInIam.attempt} >= 3`);
+      conditions.push(sql29`${verificationsInIam.attempt} >= 3`);
     }
   }
   const [verifications, totalResult] = await Promise.all([
-    database.select().from(verificationsInIam).where(and48(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql26`count(*)` }).from(verificationsInIam).where(and48(...conditions))
+    database.select().from(verificationsInIam).where(and57(...conditions)).limit(limit).offset(offset),
+    database.select({ count: sql29`count(*)` }).from(verificationsInIam).where(and57(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ verifications, total, page, limit }, 200);
@@ -6473,7 +8137,7 @@ var createSessionMiddleware = () => {
 // src/middlewares/tenant-middleware.ts
 import { logger as logger3 } from "@mesob/common";
 import { createMiddleware as createMiddleware2 } from "hono/factory";
-import { HTTPException as HTTPException4 } from "hono/http-exception";
+import { HTTPException as HTTPException5 } from "hono/http-exception";
 function resolveHost(hostHeader, forwardedHost) {
   const hostHeaderStr = hostHeader || "";
   const forwardedHostStr = forwardedHost || "";
@@ -6537,7 +8201,7 @@ var createTenantMiddleware = (database, config) => {
     );
     c.set("host", host);
     if (!host) {
-      throw new HTTPException4(400, { message: "Missing Host header" });
+      throw new HTTPException5(400, { message: "Missing Host header" });
     }
     let tenantId = null;
     let tenant = null;
@@ -6546,13 +8210,13 @@ var createTenantMiddleware = (database, config) => {
       tenantId = result.tenantId;
       tenant = result.tenant;
     } catch {
-      throw new HTTPException4(500, { message: "Tenant resolution failed" });
+      throw new HTTPException5(500, { message: "Tenant resolution failed" });
     }
     c.set("tenantId", tenantId);
     c.set("tenant", tenant);
     const error = validateTenant(tenantId, tenant);
     if (error) {
-      throw new HTTPException4(404, { message: error });
+      throw new HTTPException5(404, { message: error });
     }
     return await next();
   });