npm - @mesob/auth-hono - Versions diffs - 0.4.6 → 0.5.0 - Mend

@mesob/auth-hono 0.4.6 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{index-zShda6U3.d.ts → index-D8OE85f8.d.ts} +2 -58
package/dist/{index-CKOeabpa.d.ts → index-DwIwuvVj.d.ts} +11 -2
package/dist/index.d.ts +7 -14
package/dist/index.js +768 -690
package/dist/index.js.map +1 -1
package/dist/lib/cleanup.d.ts +2 -2
package/dist/lib/cookie.d.ts +3 -3
package/dist/lib/has-role-permission.d.ts +3 -3
package/dist/lib/iam-seed.d.ts +4 -76
package/dist/lib/normalize-auth-response.d.ts +3 -3
package/dist/lib/normalize-user.d.ts +3 -3
package/dist/lib/openapi-config.d.ts +3 -3
package/dist/lib/permission-catalog.d.ts +2 -2
package/dist/lib/phone-validation.d.ts +3 -3
package/dist/lib/session.d.ts +3 -3
package/dist/lib/tenant.d.ts +3 -3
package/package.json +4 -4

package/dist/index.js CHANGED Viewed

@@ -11,23 +11,6 @@ import { deepmerge } from "deepmerge-ts";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
-// src/db/relations.ts
-var relations_exports = {};
-__export(relations_exports, {
-  accountChangesInIamRelations: () => accountChangesInIamRelations,
-  accountsInIamRelations: () => accountsInIamRelations,
-  domainsInIamRelations: () => domainsInIamRelations,
-  permissionsInIamRelations: () => permissionsInIamRelations,
-  rolePermissionsInIamRelations: () => rolePermissionsInIamRelations,
-  rolesInIamRelations: () => rolesInIamRelations,
-  sessionsInIamRelations: () => sessionsInIamRelations,
-  tenantsInIamRelations: () => tenantsInIamRelations,
-  userRolesInIamRelations: () => userRolesInIamRelations,
-  usersInIamRelations: () => usersInIamRelations,
-  verificationsInIamRelations: () => verificationsInIamRelations
-});
-import { relations } from "drizzle-orm/relations";
 // src/db/schema.ts
 var schema_exports = {};
 __export(schema_exports, {
@@ -333,117 +316,8 @@ var domainsInIam = iam.table("domains", {
   check("domains_status_check", sql`status = ANY (ARRAY['PENDING'::text, 'ACTIVE'::text, 'DISABLED'::text, 'DELETED'::text])`)
 ]);
-// src/db/relations.ts
-var verificationsInIamRelations = relations(verificationsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [verificationsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [verificationsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var tenantsInIamRelations = relations(tenantsInIam, ({ many }) => ({
-  verificationsInIam: many(verificationsInIam),
-  sessionsInIam: many(sessionsInIam),
-  accountChangesInIam: many(accountChangesInIam),
-  rolePermissionsInIam: many(rolePermissionsInIam),
-  accountsInIam: many(accountsInIam),
-  usersInIam: many(usersInIam),
-  rolesInIam: many(rolesInIam),
-  userRolesInIam: many(userRolesInIam),
-  domainsInIam: many(domainsInIam)
-}));
-var usersInIamRelations = relations(usersInIam, ({ one, many }) => ({
-  verificationsInIam: many(verificationsInIam),
-  sessionsInIam: many(sessionsInIam),
-  accountChangesInIam: many(accountChangesInIam),
-  accountsInIam: many(accountsInIam),
-  tenantsInIam: one(tenantsInIam, {
-    fields: [usersInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  userRolesInIam: many(userRolesInIam)
-}));
-var sessionsInIamRelations = relations(sessionsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [sessionsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [sessionsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var accountChangesInIamRelations = relations(accountChangesInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [accountChangesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [accountChangesInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var rolePermissionsInIamRelations = relations(rolePermissionsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [rolePermissionsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  permissionsInIam: one(permissionsInIam, {
-    fields: [rolePermissionsInIam.permissionId],
-    references: [permissionsInIam.id]
-  }),
-  rolesInIam: one(rolesInIam, {
-    fields: [rolePermissionsInIam.tenantId],
-    references: [rolesInIam.tenantId]
-  })
-}));
-var permissionsInIamRelations = relations(permissionsInIam, ({ many }) => ({
-  rolePermissionsInIam: many(rolePermissionsInIam)
-}));
-var rolesInIamRelations = relations(rolesInIam, ({ one, many }) => ({
-  rolePermissionsInIam: many(rolePermissionsInIam),
-  tenantsInIam: one(tenantsInIam, {
-    fields: [rolesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  userRolesInIam: many(userRolesInIam)
-}));
-var accountsInIamRelations = relations(accountsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [accountsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [accountsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var userRolesInIamRelations = relations(userRolesInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [userRolesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [userRolesInIam.userId],
-    references: [usersInIam.id]
-  }),
-  rolesInIam: one(rolesInIam, {
-    fields: [userRolesInIam.tenantId],
-    references: [rolesInIam.tenantId]
-  })
-}));
-var domainsInIamRelations = relations(domainsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [domainsInIam.tenantId],
-    references: [tenantsInIam.id]
-  })
-}));
 // src/db/index.ts
-var schemaConfig = { schema: { ...schema_exports, ...relations_exports } };
+var schemaConfig = { schema: { ...schema_exports } };
 var createDatabase = (connectionString) => {
   const pool = new Pool({ connectionString });
   return drizzle({ client: pool, ...schemaConfig });
@@ -612,6 +486,7 @@ var fetchUserWithRoles = async ({
     emailVerified: usersInIam.emailVerified,
     phoneVerified: usersInIam.phoneVerified,
     lastSignInAt: usersInIam.lastSignInAt,
+    bannedUntil: usersInIam.bannedUntil,
     ...getUserAuthSelect(tenantId)
   }).from(usersInIam).where(and4(eq4(usersInIam.id, userId), eq4(usersInIam.tenantId, tenantId))).limit(1);
   return userResult || null;
@@ -862,6 +737,7 @@ var userSchema = z.object({
   emailVerified: z.boolean(),
   phoneVerified: z.boolean(),
   lastSignInAt: z.string().datetime().nullable(),
+  bannedUntil: z.string().datetime().nullable().optional(),
   createdAt: z.string().datetime().nullable().optional(),
   userType: z.array(z.string()).optional(),
   roles: z.array(z.string()).nullable().optional(),
@@ -993,6 +869,8 @@ var checkAccountResponseSchema = z.object({
   verified: z.boolean(),
   hasPassword: z.boolean(),
   requiresPasswordSetup: z.boolean(),
+  needsVerification: z.boolean().optional(),
+  verificationId: z.string().uuid().optional(),
   account: authAccountSchema.nullable()
 });
 var updateProfileSchema = z.object({
@@ -1019,7 +897,7 @@ var pendingAccountChangeResponseSchema = z.object({
 });
 // src/routes/auth/handler/check-account.ts
-import { and as and5, eq as eq5, sql as sql4 } from "drizzle-orm";
+import { and as and6, eq as eq6, sql as sql4 } from "drizzle-orm";
 // src/lib/tenant.ts
 import { HTTPException as HTTPException2 } from "hono/http-exception";
@@ -1041,79 +919,9 @@ var ensureTenantId = (config, tenantId) => {
   return config.tenant.tenantId;
 };
-// src/routes/auth/handler/check-account.ts
-var checkAccountHandler = async (c) => {
-  const body = c.req.valid("json");
-  const config = c.get("config");
-  const database = c.get("database");
-  const tenantId = c.get("tenantId");
-  const resolvedTenantId = ensureTenantId(config, tenantId);
-  const { username } = body;
-  const isEmail = username.includes("@");
-  const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
-  const whereClause = isEmail ? and5(
-    eq5(usersInIam.tenantId, resolvedTenantId),
-    userTypeFilter,
-    sql4`lower(${usersInIam.email}) = lower(${username})`
-  ) : and5(
-    eq5(usersInIam.tenantId, resolvedTenantId),
-    userTypeFilter,
-    eq5(usersInIam.phone, username)
-  );
-  const [result] = await database.select({
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified,
-    hasPassword: sql4`exists(
-        select 1
-        from ${accountsInIam}
-        where ${eq5(accountsInIam.tenantId, resolvedTenantId)}
-          and ${eq5(accountsInIam.userId, usersInIam.id)}
-          and ${eq5(accountsInIam.provider, "credentials")}
-          and ${sql4`${accountsInIam.password} is not null`}
-      )`
-  }).from(usersInIam).where(whereClause).limit(1);
-  const verified = result?.verified ?? false;
-  const hasPassword = result?.hasPassword ?? false;
-  return c.json(
-    {
-      exists: !!result,
-      verified,
-      hasPassword,
-      requiresPasswordSetup: !!result && verified && !hasPassword,
-      account: result ? {
-        fullName: result.fullName,
-        email: result.email,
-        phone: result.phone,
-        verified,
-        hasPassword,
-        requiresPasswordSetup: verified && !hasPassword
-      } : null
-    },
-    200
-  );
-};
-// src/routes/auth/handler/sign-in.ts
-import { logger as logger2 } from "@mesob/common";
-import { and as and9, eq as eq9 } from "drizzle-orm";
-// src/errors.ts
-var AUTH_ERRORS = {
-  USER_NOT_FOUND: "USER_NOT_FOUND",
-  INVALID_PASSWORD: "INVALID_PASSWORD",
-  USER_EXISTS: "USER_EXISTS",
-  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
-  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
-  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
-  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
-  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
-  UNAUTHORIZED: "UNAUTHORIZED",
-  ACCESS_DENIED: "ACCESS_DENIED",
-  HAS_NO_PASSWORD: "HAS_NO_PASSWORD",
-  PASSWORD_ALREADY_SET: "PASSWORD_ALREADY_SET"
-};
+// src/routes/auth/helper/verification.ts
+import { dayjs as dayjs2 } from "@mesob/common";
+import { and as and5, desc, eq as eq5, gt as gt2 } from "drizzle-orm";
 // src/lib/normalize-auth-response.ts
 var normalizeAuthUser = (user) => ({
@@ -1207,278 +1015,125 @@ var getRefreshedExpiresAt = ({
   return addDuration(duration);
 };
-// src/routes/auth/helper/session.ts
-import { and as and6, asc, eq as eq6, gt as gt2, inArray, sql as sql5 } from "drizzle-orm";
-var createSessionRecord = async ({
+// src/routes/auth/helper/verification.ts
+var createVerification = async ({
   tx,
   tenantId,
   userId,
-  config,
-  userAgent,
-  ip,
-  action,
-  rememberMe,
-  expiresIn
+  type,
+  to,
+  config
 }) => {
-  const sessionToken = generateToken();
-  const hashedToken = await hashToken(sessionToken, config.secret);
-  const sessionDuration = expiresIn || getSessionDuration({
-    sessionConfig: config.session,
-    rememberMe: rememberMe ?? true
-  });
-  const expiresAt = addDuration(sessionDuration);
-  const meta = { action };
-  if (rememberMe !== void 0) {
-    meta.rememberMe = rememberMe;
-  }
-  const [session] = await tx.insert(sessionsInIam).values({
+  const isPhone = type === "phone-otp-sign-up";
+  const code = generateOtpCode(
+    isPhone ? config.phone.otpLength : config.email.otpLength
+  );
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(
+    isPhone ? config.phone.expiresIn : config.email.expiresIn
+  );
+  const [verification] = await tx.insert(verificationsInIam).values({
     tenantId,
     userId,
-    token: hashedToken,
+    type,
+    code: hashedCode,
     expiresAt,
-    userAgent,
-    ip,
-    meta
-  }).returning({
-    id: sessionsInIam.id,
-    expiresAt: sessionsInIam.expiresAt,
-    createdAt: sessionsInIam.createdAt,
-    updatedAt: sessionsInIam.updatedAt,
-    userAgent: sessionsInIam.userAgent,
-    ip: sessionsInIam.ip
-  });
-  return { session, sessionToken, expiresAt };
+    to,
+    attempt: 0
+  }).returning();
+  return { verificationId: verification.id, code, hash: hashedCode };
 };
-var createSession = async ({
-  tx,
-  tenantId,
-  userId,
+var sendVerification = async ({
+  channel,
+  to,
+  code,
   config,
-  userAgent,
-  ip,
-  rememberMe = true
+  hash,
+  type
 }) => {
-  const { session, sessionToken, expiresAt } = await createSessionRecord({
-    tx,
-    tenantId,
-    userId,
-    config,
-    userAgent,
-    ip,
-    rememberMe,
-    action: "sign-up"
-  });
-  return { sessionId: session.id, sessionToken, expiresAt };
+  if (channel === "phone" && config.phone.sendVerificationOTP) {
+    await config.phone.sendVerificationOTP({
+      phone: to,
+      code,
+      hash,
+      type
+    });
+  } else if (config.email.sendVerificationOTP) {
+    await config.email.sendVerificationOTP({
+      email: to,
+      code,
+      hash,
+      type
+    });
+  }
 };
-var cleanupOldSessions = async ({
+var checkVerificationResend = async ({
   database,
-  userId,
   tenantId,
-  maxSessions
+  userId,
+  type,
+  resendInterval
 }) => {
-  const [{ count }] = await database.select({ count: sql5`count(*)` }).from(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
-      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
-    )
-  );
-  if (count <= maxSessions) {
-    return;
+  if (!resendInterval) {
+    return { blocked: false };
   }
-  const toDeleteCount = count - maxSessions;
-  const idsToDelete = await database.select({ id: sessionsInIam.id }).from(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
-      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+  const [verification] = await database.select({
+    id: verificationsInIam.id,
+    createdAt: verificationsInIam.createdAt
+  }).from(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type)
     )
-  ).orderBy(asc(sessionsInIam.createdAt)).limit(toDeleteCount);
-  if (!idsToDelete.length) {
-    return;
+  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
+  if (!verification) {
+    return { blocked: false };
   }
-  await database.delete(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
-      inArray(
-        sessionsInIam.id,
-        idsToDelete.map((s) => s.id)
-      )
-    )
-  );
+  const cooldownSeconds = parseDuration(resendInterval);
+  const createdAt = dayjs2(verification.createdAt);
+  const blocked = dayjs2().diff(createdAt, "second") < cooldownSeconds;
+  return { blocked, verificationId: verification.id };
 };
-// src/routes/auth/helper/user.ts
-import { and as and7, eq as eq7, gt as gt3, sql as sql6 } from "drizzle-orm";
-var checkExistingUserStatus = async ({
-  tx,
-  identifier,
+var ensureVerificationForCheckAccount = async ({
+  database,
   tenantId,
-  isEmail
+  userId,
+  type,
+  to,
+  config
 }) => {
-  const whereClause = isEmail ? and7(
-    eq7(usersInIam.tenantId, tenantId),
-    sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and7(eq7(usersInIam.tenantId, tenantId), eq7(usersInIam.phone, identifier));
-  const [existingUser] = await tx.select().from(usersInIam).where(whereClause).limit(1);
-  if (!existingUser) {
-    return { action: "proceed" };
-  }
-  const isVerified = isEmail ? existingUser.emailVerified : existingUser.phoneVerified;
-  if (isVerified) {
-    return { action: "error", code: AUTH_ERRORS.USER_EXISTS };
-  }
-  const [pendingVerification] = await tx.select().from(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.userId, existingUser.id),
-      eq7(verificationsInIam.tenantId, tenantId),
-      gt3(verificationsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const [existing] = await database.select({
+    id: verificationsInIam.id,
+    expiresAt: verificationsInIam.expiresAt
+  }).from(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type),
+      gt2(verificationsInIam.expiresAt, now)
     )
-  ).limit(1);
-  if (pendingVerification) {
-    return {
-      action: "pending",
-      verificationId: pendingVerification.id,
-      user: existingUser
-    };
+  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
+  if (existing) {
+    return { verificationId: existing.id };
   }
-  await deleteUnverifiedUser({ tx, userId: existingUser.id, tenantId });
-  return { action: "proceed" };
-};
-var deleteUnverifiedUser = async ({
-  tx,
-  userId,
-  tenantId
-}) => {
-  await tx.delete(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.userId, userId),
-      eq7(verificationsInIam.tenantId, tenantId)
+  await database.delete(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type)
     )
   );
-  await tx.delete(accountsInIam).where(
-    and7(
-      eq7(accountsInIam.userId, userId),
-      eq7(accountsInIam.tenantId, tenantId)
-    )
-  );
-  await tx.delete(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId)));
-};
-var createUserWithAccount = async ({
-  tx,
-  tenantId,
-  email,
-  phone,
-  password,
-  fullName,
-  handle,
-  config
-}) => {
-  const [user] = await tx.insert(usersInIam).values({
-    tenantId,
-    fullName,
-    handle,
-    email: email || null,
-    phone: phone || null,
-    emailVerified: email ? !config.email.required : false,
-    phoneVerified: phone ? !config.phone.required : false,
-    userType: [config.userType]
-  }).returning();
-  const passwordHash = await hashPassword(password);
-  await tx.insert(accountsInIam).values({
-    tenantId,
-    userId: user.id,
-    provider: "credentials",
-    providerAccountId: email || phone || user.id,
-    password: passwordHash
-  });
-  return user;
-};
-var fetchUserForLogin = async ({
-  database,
-  identifier,
-  tenantId,
-  isEmail,
-  userType
-}) => {
-  const userTypeFilter = sql6`${usersInIam.userType} @> ARRAY[${userType}]::text[]`;
-  const whereClause = isEmail ? and7(
-    eq7(usersInIam.tenantId, tenantId),
-    userTypeFilter,
-    sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and7(
-    eq7(usersInIam.tenantId, tenantId),
-    userTypeFilter,
-    eq7(usersInIam.phone, identifier)
-  );
-  const [row] = await database.select({
-    id: usersInIam.id,
-    tenantId: usersInIam.tenantId,
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    handle: usersInIam.handle,
-    image: usersInIam.image,
-    emailVerified: usersInIam.emailVerified,
-    phoneVerified: usersInIam.phoneVerified,
-    lastSignInAt: usersInIam.lastSignInAt,
-    bannedUntil: usersInIam.bannedUntil,
-    loginAttempt: usersInIam.loginAttempt,
-    hasPassword: sql6`exists(
-        select 1
-        from ${accountsInIam}
-        where ${eq7(accountsInIam.tenantId, tenantId)}
-          and ${eq7(accountsInIam.userId, usersInIam.id)}
-          and ${eq7(accountsInIam.provider, "credentials")}
-          and ${sql6`${accountsInIam.password} is not null`}
-      )`
-  }).from(usersInIam).where(whereClause).limit(1);
-  return row || null;
-};
-var fetchUserByIdWithRoles = async ({
-  database,
-  userId,
-  tenantId
-}) => {
-  const [result] = await database.select({
-    id: usersInIam.id,
-    tenantId: usersInIam.tenantId,
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    handle: usersInIam.handle,
-    image: usersInIam.image,
-    emailVerified: usersInIam.emailVerified,
-    phoneVerified: usersInIam.phoneVerified,
-    lastSignInAt: usersInIam.lastSignInAt,
-    bannedUntil: usersInIam.bannedUntil,
-    loginAttempt: usersInIam.loginAttempt,
-    ...getUserAuthSelect(tenantId)
-  }).from(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId))).limit(1);
-  return result || null;
-};
-// src/routes/auth/helper/verification.ts
-import { dayjs as dayjs2 } from "@mesob/common";
-import { and as and8, desc, eq as eq8 } from "drizzle-orm";
-var createVerification = async ({
-  tx,
-  tenantId,
-  userId,
-  type,
-  to,
-  config
-}) => {
-  const isPhone = type === "phone-otp-sign-up";
-  const code = generateOtpCode(
-    isPhone ? config.phone.otpLength : config.email.otpLength
+  const isPhone = type === "phone-otp";
+  const code = generateOtpCode(
+    isPhone ? config.phone.otpLength : config.email.otpLength
   );
   const hashedCode = await hashToken(code, config.secret);
   const expiresAt = addDuration(
     isPhone ? config.phone.expiresIn : config.email.expiresIn
   );
-  const [verification] = await tx.insert(verificationsInIam).values({
+  const [verification] = await database.insert(verificationsInIam).values({
     tenantId,
     userId,
     type,
@@ -1487,59 +1142,22 @@ var createVerification = async ({
     to,
     attempt: 0
   }).returning();
-  return { verificationId: verification.id, code, hash: hashedCode };
-};
-var sendVerification = async ({
-  channel,
-  to,
-  code,
-  config,
-  hash,
-  type
-}) => {
-  if (channel === "phone" && config.phone.sendVerificationOTP) {
+  if (isPhone && config.phone.sendVerificationOTP) {
     await config.phone.sendVerificationOTP({
       phone: to,
       code,
-      hash,
+      hash: hashedCode,
       type
     });
-  } else if (config.email.sendVerificationOTP) {
+  } else if (!isPhone && config.email.sendVerificationOTP) {
     await config.email.sendVerificationOTP({
       email: to,
       code,
-      hash,
+      hash: hashedCode,
       type
     });
   }
-};
-var checkVerificationResend = async ({
-  database,
-  tenantId,
-  userId,
-  type,
-  resendInterval
-}) => {
-  if (!resendInterval) {
-    return { blocked: false };
-  }
-  const [verification] = await database.select({
-    id: verificationsInIam.id,
-    createdAt: verificationsInIam.createdAt
-  }).from(verificationsInIam).where(
-    and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, userId),
-      eq8(verificationsInIam.type, type)
-    )
-  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
-  if (!verification) {
-    return { blocked: false };
-  }
-  const cooldownSeconds = parseDuration(resendInterval);
-  const createdAt = dayjs2(verification.createdAt);
-  const blocked = dayjs2().diff(createdAt, "second") < cooldownSeconds;
-  return { blocked, verificationId: verification.id };
+  return { verificationId: verification.id };
 };
 var handleEmailVerification = async ({
   c,
@@ -1552,10 +1170,10 @@ var handleEmailVerification = async ({
     return c.json({ error: "User email not found" }, 401);
   }
   await database.delete(verificationsInIam).where(
-    and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, user.id),
-      eq8(verificationsInIam.type, "email-verification")
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, user.id),
+      eq5(verificationsInIam.type, "email-verification")
     )
   );
   const code = generateOtpCode(config.email.otpLength);
@@ -1588,72 +1206,418 @@ var handleEmailVerification = async ({
       type: "email-verification"
     });
   }
-  return c.json(
-    {
-      user: normalizeAuthUser(user),
-      session: null,
-      verificationId: verification.id,
-      requiresVerification: true
-    },
-    200
-  );
+  return c.json(
+    {
+      user: normalizeAuthUser(user),
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    },
+    200
+  );
+};
+var handlePhoneVerification = async ({
+  c,
+  user,
+  config,
+  database,
+  tenantId
+}) => {
+  if (!user.phone) {
+    return c.json({ error: "User phone not found" }, 401);
+  }
+  await database.delete(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, user.id),
+      eq5(verificationsInIam.type, "phone-otp")
+    )
+  );
+  const code = generateOtpCode(config.phone.otpLength);
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(config.phone.expiresIn);
+  const [verification] = await database.insert(verificationsInIam).values({
+    tenantId,
+    userId: user.id,
+    type: "phone-otp",
+    code: hashedCode,
+    expiresAt,
+    to: user.phone,
+    attempt: 0
+  }).returning({
+    id: verificationsInIam.id,
+    tenantId: verificationsInIam.tenantId,
+    userId: verificationsInIam.userId,
+    type: verificationsInIam.type,
+    code: verificationsInIam.code,
+    to: verificationsInIam.to,
+    expiresAt: verificationsInIam.expiresAt,
+    createdAt: verificationsInIam.createdAt,
+    attempt: verificationsInIam.attempt
+  });
+  if (config.phone.sendVerificationOTP) {
+    await config.phone.sendVerificationOTP({
+      phone: user.phone,
+      code,
+      hash: hashedCode,
+      type: "phone-otp"
+    });
+  }
+  return c.json(
+    {
+      user: normalizeAuthUser(user),
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    },
+    200
+  );
+};
+// src/routes/auth/handler/check-account.ts
+var checkAccountHandler = async (c) => {
+  const body = c.req.valid("json");
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { username } = body;
+  const isEmail = username.includes("@");
+  const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
+  const whereClause = isEmail ? and6(
+    eq6(usersInIam.tenantId, resolvedTenantId),
+    userTypeFilter,
+    sql4`lower(${usersInIam.email}) = lower(${username})`
+  ) : and6(
+    eq6(usersInIam.tenantId, resolvedTenantId),
+    userTypeFilter,
+    eq6(usersInIam.phone, username)
+  );
+  const [result] = await database.select({
+    id: usersInIam.id,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified,
+    hasPassword: sql4`exists(
+        select 1
+        from ${accountsInIam}
+        where ${eq6(accountsInIam.tenantId, resolvedTenantId)}
+          and ${eq6(accountsInIam.userId, usersInIam.id)}
+          and ${eq6(accountsInIam.provider, "credentials")}
+          and ${sql4`${accountsInIam.password} is not null`}
+      )`
+  }).from(usersInIam).where(whereClause).limit(1);
+  const verified = result?.verified ?? false;
+  const hasPassword = result?.hasPassword ?? false;
+  let needsVerification = false;
+  let verificationId;
+  if (result && !verified) {
+    const type = isEmail ? "email-verification" : "phone-otp";
+    const to = isEmail ? result.email ?? username : result.phone ?? username;
+    if (to) {
+      const { verificationId: vid } = await ensureVerificationForCheckAccount({
+        database,
+        tenantId: resolvedTenantId,
+        userId: result.id,
+        type,
+        to,
+        config
+      });
+      needsVerification = true;
+      verificationId = vid;
+    }
+  }
+  return c.json(
+    {
+      exists: !!result,
+      verified,
+      hasPassword,
+      requiresPasswordSetup: !!result && verified && !hasPassword,
+      ...needsVerification && verificationId ? { needsVerification: true, verificationId } : {},
+      account: result ? {
+        fullName: result.fullName,
+        email: result.email,
+        phone: result.phone,
+        verified,
+        hasPassword,
+        requiresPasswordSetup: verified && !hasPassword
+      } : null
+    },
+    200
+  );
+};
+// src/routes/auth/handler/sign-in.ts
+import { logger as logger2 } from "@mesob/common";
+import { and as and9, eq as eq9 } from "drizzle-orm";
+// src/errors.ts
+var AUTH_ERRORS = {
+  USER_NOT_FOUND: "USER_NOT_FOUND",
+  INVALID_PASSWORD: "INVALID_PASSWORD",
+  USER_EXISTS: "USER_EXISTS",
+  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
+  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
+  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
+  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
+  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  ACCESS_DENIED: "ACCESS_DENIED",
+  HAS_NO_PASSWORD: "HAS_NO_PASSWORD",
+  PASSWORD_ALREADY_SET: "PASSWORD_ALREADY_SET"
+};
+// src/routes/auth/helper/session.ts
+import { and as and7, asc, eq as eq7, gt as gt3, inArray, sql as sql5 } from "drizzle-orm";
+var createSessionRecord = async ({
+  tx,
+  tenantId,
+  userId,
+  config,
+  userAgent,
+  ip,
+  action,
+  rememberMe,
+  expiresIn
+}) => {
+  const sessionToken = generateToken();
+  const hashedToken = await hashToken(sessionToken, config.secret);
+  const sessionDuration = expiresIn || getSessionDuration({
+    sessionConfig: config.session,
+    rememberMe: rememberMe ?? true
+  });
+  const expiresAt = addDuration(sessionDuration);
+  const meta = { action };
+  if (rememberMe !== void 0) {
+    meta.rememberMe = rememberMe;
+  }
+  const [session] = await tx.insert(sessionsInIam).values({
+    tenantId,
+    userId,
+    token: hashedToken,
+    expiresAt,
+    userAgent,
+    ip,
+    meta
+  }).returning({
+    id: sessionsInIam.id,
+    expiresAt: sessionsInIam.expiresAt,
+    createdAt: sessionsInIam.createdAt,
+    updatedAt: sessionsInIam.updatedAt,
+    userAgent: sessionsInIam.userAgent,
+    ip: sessionsInIam.ip
+  });
+  return { session, sessionToken, expiresAt };
+};
+var createSession = async ({
+  tx,
+  tenantId,
+  userId,
+  config,
+  userAgent,
+  ip,
+  rememberMe = true
+}) => {
+  const { session, sessionToken, expiresAt } = await createSessionRecord({
+    tx,
+    tenantId,
+    userId,
+    config,
+    userAgent,
+    ip,
+    rememberMe,
+    action: "sign-up"
+  });
+  return { sessionId: session.id, sessionToken, expiresAt };
+};
+var cleanupOldSessions = async ({
+  database,
+  userId,
+  tenantId,
+  maxSessions
+}) => {
+  const [{ count }] = await database.select({ count: sql5`count(*)` }).from(sessionsInIam).where(
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
+      gt3(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  );
+  if (count <= maxSessions) {
+    return;
+  }
+  const toDeleteCount = count - maxSessions;
+  const idsToDelete = await database.select({ id: sessionsInIam.id }).from(sessionsInIam).where(
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
+      gt3(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  ).orderBy(asc(sessionsInIam.createdAt)).limit(toDeleteCount);
+  if (!idsToDelete.length) {
+    return;
+  }
+  await database.delete(sessionsInIam).where(
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
+      inArray(
+        sessionsInIam.id,
+        idsToDelete.map((s) => s.id)
+      )
+    )
+  );
+};
+// src/routes/auth/helper/user.ts
+import { and as and8, eq as eq8, gt as gt4, sql as sql6 } from "drizzle-orm";
+var checkExistingUserStatus = async ({
+  tx,
+  identifier,
+  tenantId,
+  isEmail
+}) => {
+  const whereClause = isEmail ? and8(
+    eq8(usersInIam.tenantId, tenantId),
+    sql6`lower(${usersInIam.email}) = lower(${identifier})`
+  ) : and8(eq8(usersInIam.tenantId, tenantId), eq8(usersInIam.phone, identifier));
+  const [existingUser] = await tx.select().from(usersInIam).where(whereClause).limit(1);
+  if (!existingUser) {
+    return { action: "proceed" };
+  }
+  const isVerified = isEmail ? existingUser.emailVerified : existingUser.phoneVerified;
+  if (isVerified) {
+    return { action: "error", code: AUTH_ERRORS.USER_EXISTS };
+  }
+  const [pendingVerification] = await tx.select().from(verificationsInIam).where(
+    and8(
+      eq8(verificationsInIam.userId, existingUser.id),
+      eq8(verificationsInIam.tenantId, tenantId),
+      gt4(verificationsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  ).limit(1);
+  if (pendingVerification) {
+    return {
+      action: "pending",
+      verificationId: pendingVerification.id,
+      user: existingUser
+    };
+  }
+  await deleteUnverifiedUser({ tx, userId: existingUser.id, tenantId });
+  return { action: "proceed" };
 };
-var handlePhoneVerification = async ({
-  c,
-  user,
-  config,
-  database,
+var deleteUnverifiedUser = async ({
+  tx,
+  userId,
   tenantId
 }) => {
-  if (!user.phone) {
-    return c.json({ error: "User phone not found" }, 401);
-  }
-  await database.delete(verificationsInIam).where(
+  await tx.delete(verificationsInIam).where(
     and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, user.id),
-      eq8(verificationsInIam.type, "phone-otp")
+      eq8(verificationsInIam.userId, userId),
+      eq8(verificationsInIam.tenantId, tenantId)
     )
   );
-  const code = generateOtpCode(config.phone.otpLength);
-  const hashedCode = await hashToken(code, config.secret);
-  const expiresAt = addDuration(config.phone.expiresIn);
-  const [verification] = await database.insert(verificationsInIam).values({
+  await tx.delete(accountsInIam).where(
+    and8(
+      eq8(accountsInIam.userId, userId),
+      eq8(accountsInIam.tenantId, tenantId)
+    )
+  );
+  await tx.delete(usersInIam).where(and8(eq8(usersInIam.id, userId), eq8(usersInIam.tenantId, tenantId)));
+};
+var createUserWithAccount = async ({
+  tx,
+  tenantId,
+  email,
+  phone,
+  password,
+  fullName,
+  handle,
+  config
+}) => {
+  const [user] = await tx.insert(usersInIam).values({
+    tenantId,
+    fullName,
+    handle,
+    email: email || null,
+    phone: phone || null,
+    emailVerified: email ? !config.email.required : false,
+    phoneVerified: phone ? !config.phone.required : false,
+    userType: [config.userType]
+  }).returning();
+  const passwordHash = await hashPassword(password);
+  await tx.insert(accountsInIam).values({
     tenantId,
     userId: user.id,
-    type: "phone-otp",
-    code: hashedCode,
-    expiresAt,
-    to: user.phone,
-    attempt: 0
-  }).returning({
-    id: verificationsInIam.id,
-    tenantId: verificationsInIam.tenantId,
-    userId: verificationsInIam.userId,
-    type: verificationsInIam.type,
-    code: verificationsInIam.code,
-    to: verificationsInIam.to,
-    expiresAt: verificationsInIam.expiresAt,
-    createdAt: verificationsInIam.createdAt,
-    attempt: verificationsInIam.attempt
+    provider: "credentials",
+    providerAccountId: email || phone || user.id,
+    password: passwordHash
   });
-  if (config.phone.sendVerificationOTP) {
-    await config.phone.sendVerificationOTP({
-      phone: user.phone,
-      code,
-      hash: hashedCode,
-      type: "phone-otp"
-    });
-  }
-  return c.json(
-    {
-      user: normalizeAuthUser(user),
-      session: null,
-      verificationId: verification.id,
-      requiresVerification: true
-    },
-    200
+  return user;
+};
+var fetchUserForLogin = async ({
+  database,
+  identifier,
+  tenantId,
+  isEmail,
+  userType
+}) => {
+  const userTypeFilter = sql6`${usersInIam.userType} @> ARRAY[${userType}]::text[]`;
+  const whereClause = isEmail ? and8(
+    eq8(usersInIam.tenantId, tenantId),
+    userTypeFilter,
+    sql6`lower(${usersInIam.email}) = lower(${identifier})`
+  ) : and8(
+    eq8(usersInIam.tenantId, tenantId),
+    userTypeFilter,
+    eq8(usersInIam.phone, identifier)
   );
+  const [row] = await database.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt,
+    bannedUntil: usersInIam.bannedUntil,
+    loginAttempt: usersInIam.loginAttempt,
+    hasPassword: sql6`exists(
+        select 1
+        from ${accountsInIam}
+        where ${eq8(accountsInIam.tenantId, tenantId)}
+          and ${eq8(accountsInIam.userId, usersInIam.id)}
+          and ${eq8(accountsInIam.provider, "credentials")}
+          and ${sql6`${accountsInIam.password} is not null`}
+      )`
+  }).from(usersInIam).where(whereClause).limit(1);
+  return row || null;
+};
+var fetchUserByIdWithRoles = async ({
+  database,
+  userId,
+  tenantId
+}) => {
+  const [result] = await database.select({
+    id: usersInIam.id,
+    tenantId: usersInIam.tenantId,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    handle: usersInIam.handle,
+    image: usersInIam.image,
+    emailVerified: usersInIam.emailVerified,
+    phoneVerified: usersInIam.phoneVerified,
+    lastSignInAt: usersInIam.lastSignInAt,
+    bannedUntil: usersInIam.bannedUntil,
+    loginAttempt: usersInIam.loginAttempt,
+    ...getUserAuthSelect(tenantId)
+  }).from(usersInIam).where(and8(eq8(usersInIam.id, userId), eq8(usersInIam.tenantId, tenantId))).limit(1);
+  return result || null;
 };
 // src/routes/auth/handler/sign-in.ts
@@ -1819,7 +1783,7 @@ var signInHandler = (
 );
 // src/routes/auth/handler/sign-out.ts
-import { and as and10, eq as eq10, gt as gt4 } from "drizzle-orm";
+import { and as and10, eq as eq10, gt as gt5 } from "drizzle-orm";
 import { getCookie } from "hono/cookie";
 var signOutHandler = async (c) => {
   const config = c.get("config");
@@ -1843,7 +1807,7 @@ var signOutHandler = async (c) => {
   }).from(sessionsInIam).where(
     and10(
       eq10(sessionsInIam.token, hashedToken),
-      gt4(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+      gt5(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).limit(1);
   if (session) {
@@ -2171,6 +2135,24 @@ var auth_route_default = authRoutes;
 // src/routes/domains/domains.route.ts
 import { createRoute as createRoute2, OpenAPIHono as OpenAPIHono2 } from "@hono/zod-openapi";
+// src/lib/has-role-permission.ts
+import { grant } from "@mesob/common";
+import { HTTPException as HTTPException3 } from "hono/http-exception";
+var toArray = (v) => {
+  return Array.isArray(v) ? v : [v];
+};
+var hasPermission = (c, permission) => {
+  const user = c.get("user");
+  const perms = user?.permissions;
+  const check2 = toArray(permission);
+  return grant(check2, perms);
+};
+var hasPermissionThrow = (c, permission) => {
+  if (!hasPermission(c, permission)) {
+    throw new HTTPException3(401, { message: "Unauthorized" });
+  }
+};
 // src/routes/domains/domains.schema.ts
 import { z as z2 } from "zod";
 var listDomainsQuerySchema = z2.object({
@@ -2230,10 +2212,11 @@ var createDomainHandler = async (c) => {
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const resolvedTenantId = ensureTenantId(config, tenantId);
+  const status = (body.status || "pending").toUpperCase();
   const [domain] = await database.insert(domainsInIam).values({
     tenantId: resolvedTenantId,
     domain: body.domain,
-    status: body.status || "pending",
+    status,
     meta: body.meta || null,
     isPrimary: body.isPrimary
   }).returning();
@@ -2278,7 +2261,7 @@ var listDomainsHandler = async (c) => {
   const offset = (page - 1) * limit;
   const conditions = [eq13(domainsInIam.tenantId, tenantId)];
   if (query.status) {
-    conditions.push(eq13(domainsInIam.status, query.status));
+    conditions.push(eq13(domainsInIam.status, query.status.toUpperCase()));
   }
   const [domains, totalResult] = await Promise.all([
     database.select().from(domainsInIam).where(and13(...conditions)).limit(limit).offset(offset),
@@ -2304,7 +2287,7 @@ var updateDomainHandler = async (c) => {
     updateData.domain = body.domain;
   }
   if (body.status !== void 0) {
-    updateData.status = body.status;
+    updateData.status = body.status.toUpperCase();
   }
   if (body.meta !== void 0) {
     updateData.meta = body.meta;
@@ -2502,7 +2485,12 @@ var verifyDomainRoute = createRoute2({
     }
   }
 });
-var domainRoutes = new OpenAPIHono2().openapi(listDomainsRoute, listDomainsHandler).openapi(getDomainRoute, getDomainHandler).openapi(createDomainRoute, createDomainHandler).openapi(updateDomainRoute, updateDomainHandler).openapi(deleteDomainRoute, deleteDomainHandler).openapi(verifyDomainRoute, verifyDomainHandler);
+var IAM_ALL = "iam:all:all";
+var domainRoutesBase = new OpenAPIHono2().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL);
+  return next();
+});
+var domainRoutes = domainRoutesBase.openapi(listDomainsRoute, listDomainsHandler).openapi(getDomainRoute, getDomainHandler).openapi(createDomainRoute, createDomainHandler).openapi(updateDomainRoute, updateDomainHandler).openapi(deleteDomainRoute, deleteDomainHandler).openapi(verifyDomainRoute, verifyDomainHandler);
 var domains_route_default = domainRoutes;
 // src/routes/email/email.route.ts
@@ -2806,7 +2794,7 @@ var email_route_default = emailRoutes;
 import { createRoute as createRoute4, OpenAPIHono as OpenAPIHono4 } from "@hono/zod-openapi";
 // src/routes/password/handler/change.ts
-import { and as and18, eq as eq18, gt as gt5, ne } from "drizzle-orm";
+import { and as and18, eq as eq18, gt as gt6, ne } from "drizzle-orm";
 import { getCookie as getCookie2 } from "hono/cookie";
 var changePasswordHandler = async (c) => {
   const body = c.req.valid("json");
@@ -2852,7 +2840,7 @@ var changePasswordHandler = async (c) => {
       and18(
         eq18(sessionsInIam.tenantId, resolvedTenantId),
         eq18(sessionsInIam.userId, userId),
-        gt5(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString()),
+        gt6(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString()),
         ne(sessionsInIam.token, hashedToken)
       )
     );
@@ -3049,7 +3037,7 @@ var forgotPasswordHandler = async (c) => {
 };
 // src/routes/password/handler/reset.ts
-import { and as and20, eq as eq20, gt as gt6 } from "drizzle-orm";
+import { and as and20, eq as eq20, gt as gt7 } from "drizzle-orm";
 // src/routes/password/helper/session.ts
 var createPasswordResetSession = async ({
@@ -3129,7 +3117,7 @@ var resetPasswordHandler = async (c) => {
     and20(
       eq20(sessionsInIam.tenantId, resolvedTenantId),
       eq20(sessionsInIam.userId, verification.userId),
-      gt6(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+      gt7(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   );
   await database.delete(verificationsInIam).where(eq20(verificationsInIam.id, verificationId));
@@ -3549,7 +3537,7 @@ import {
   notInArray,
   sql as sql12
 } from "drizzle-orm";
-import { HTTPException as HTTPException3 } from "hono/http-exception";
+import { HTTPException as HTTPException4 } from "hono/http-exception";
 function buildPermissionDescription(code) {
   return {
     en: toTitleCase(code.replaceAll(":", " ").replaceAll("_", " "))
@@ -3606,7 +3594,7 @@ async function assertPermissionsExist({
     (id) => !existingIds.has(id)
   );
   if (missingPermissionIds.length) {
-    throw new HTTPException3(400, {
+    throw new HTTPException4(400, {
       message: `Unknown permissions: ${missingPermissionIds.join(", ")}`
     });
   }
@@ -3856,7 +3844,12 @@ var seedPermissionsRoute = createRoute5({
     }
   }
 });
-var permissionRoutes = new OpenAPIHono5().openapi(listPermissionsRoute, listPermissionsHandler).openapi(seedPermissionsRoute, seedPermissionsHandler).openapi(getPermissionRoute, getPermissionHandler);
+var IAM_ALL2 = "iam:all:all";
+var permissionRoutesBase = new OpenAPIHono5().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL2);
+  return next();
+});
+var permissionRoutes = permissionRoutesBase.openapi(listPermissionsRoute, listPermissionsHandler).openapi(seedPermissionsRoute, seedPermissionsHandler).openapi(getPermissionRoute, getPermissionHandler);
 var permissions_route_default = permissionRoutes;
 // src/routes/phone/phone.route.ts
@@ -4190,7 +4183,7 @@ import { createRoute as createRoute7, OpenAPIHono as OpenAPIHono7 } from "@hono/
 import { z as z4 } from "zod";
 // src/routes/profile/handler/account-change-pending.ts
-import { and as and26, eq as eq27, gt as gt7, sql as sql13 } from "drizzle-orm";
+import { and as and26, eq as eq27, gt as gt8, sql as sql13 } from "drizzle-orm";
 var accountChangePendingHandler = async (c) => {
   const config = c.get("config");
   const database = c.get("database");
@@ -4228,7 +4221,7 @@ var accountChangePendingHandler = async (c) => {
         eq27(verificationsInIam.userId, userId),
         eq27(verificationsInIam.type, "email-verification"),
         eq27(verificationsInIam.to, accountChange.newEmail),
-        gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
+        gt8(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
     verification = v || null;
@@ -4243,7 +4236,7 @@ var accountChangePendingHandler = async (c) => {
         eq27(verificationsInIam.userId, userId),
         eq27(verificationsInIam.type, "phone-otp-change-phone"),
         eq27(verificationsInIam.to, accountChange.newPhone),
-        gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
+        gt8(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
     verification = v || null;
@@ -4890,7 +4883,15 @@ var revokeRolePermissionRoute = createRoute8({
     }
   }
 });
-var rolePermissionRoutes = new OpenAPIHono8().openapi(listRolePermissionsRoute, listRolePermissionsHandler).openapi(assignRolePermissionRoute, assignRolePermissionHandler).openapi(revokeRolePermissionRoute, revokeRolePermissionHandler);
+var IAM_ALL3 = "iam:all:all";
+var rolePermissionRoutesBase = new OpenAPIHono8().use(
+  "*",
+  (c, next) => {
+    hasPermissionThrow(c, IAM_ALL3);
+    return next();
+  }
+);
+var rolePermissionRoutes = rolePermissionRoutesBase.openapi(listRolePermissionsRoute, listRolePermissionsHandler).openapi(assignRolePermissionRoute, assignRolePermissionHandler).openapi(revokeRolePermissionRoute, revokeRolePermissionHandler);
 var role_permissions_route_default = rolePermissionRoutes;
 // src/routes/roles/roles.route.ts
@@ -6050,7 +6051,12 @@ var seedRolesRoute = createRoute9({
     }
   }
 });
-var roleRoutes = new OpenAPIHono9().openapi(listRolesRoute, listRolesHandler).openapi(seedRolesRoute, seedRolesHandler).openapi(getRoleRoute, getRoleHandler).openapi(createRoleRoute, createRoleHandler).openapi(updateRoleRoute, updateRoleHandler).openapi(listRolePermissionsRoute2, listRolePermissionsHandler2).openapi(assignRolePermissionsRoute, assignRolePermissionsHandler).openapi(revokeRolePermissionRoute2, revokeRolePermissionHandler2).openapi(listRoleUsersRoute, listRoleUsersHandler).openapi(assignRoleUsersRoute, assignRoleUsersHandler).openapi(revokeRoleUserRoute, revokeRoleUserHandler).openapi(deleteRoleRoute, deleteRoleHandler);
+var IAM_ALL4 = "iam:all:all";
+var roleRoutesBase = new OpenAPIHono9().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL4);
+  return next();
+});
+var roleRoutes = roleRoutesBase.openapi(listRolesRoute, listRolesHandler).openapi(seedRolesRoute, seedRolesHandler).openapi(getRoleRoute, getRoleHandler).openapi(createRoleRoute, createRoleHandler).openapi(updateRoleRoute, updateRoleHandler).openapi(listRolePermissionsRoute2, listRolePermissionsHandler2).openapi(assignRolePermissionsRoute, assignRolePermissionsHandler).openapi(revokeRolePermissionRoute2, revokeRolePermissionHandler2).openapi(listRoleUsersRoute, listRoleUsersHandler).openapi(assignRoleUsersRoute, assignRoleUsersHandler).openapi(revokeRoleUserRoute, revokeRoleUserHandler).openapi(deleteRoleRoute, deleteRoleHandler);
 var roles_route_default = roleRoutes;
 // src/routes/sessions/sessions.route.ts
@@ -6253,7 +6259,12 @@ var revokeAllSessionsRoute = createRoute10({
     }
   }
 });
-var sessionRoutes = new OpenAPIHono10().openapi(listSessionsRoute, listSessionsHandler).openapi(getSessionRoute, getSessionHandler).openapi(revokeSessionRoute, revokeSessionHandler).openapi(revokeAllSessionsRoute, revokeAllSessionsHandler);
+var IAM_ALL5 = "iam:all:all";
+var sessionRoutesBase = new OpenAPIHono10().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL5);
+  return next();
+});
+var sessionRoutes = sessionRoutesBase.openapi(listSessionsRoute, listSessionsHandler).openapi(getSessionRoute, getSessionHandler).openapi(revokeSessionRoute, revokeSessionHandler).openapi(revokeAllSessionsRoute, revokeAllSessionsHandler);
 var sessions_route_default = sessionRoutes;
 // src/routes/system/system.route.ts
@@ -6277,6 +6288,7 @@ var tenantHandler = (c) => {
 };
 // src/routes/system/system.route.ts
+var IAM_ALL6 = "iam:all:all";
 var tenantRoute = createRoute11({
   method: "get",
   path: "/init",
@@ -6311,10 +6323,11 @@ var tenantRoute = createRoute11({
     }
   }
 });
-var tenantRoutes = new OpenAPIHono11().openapi(
-  tenantRoute,
-  tenantHandler
-);
+var tenantRoutesBase = new OpenAPIHono11().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL6);
+  return next();
+});
+var tenantRoutes = tenantRoutesBase.openapi(tenantRoute, tenantHandler);
 var system_route_default = tenantRoutes;
 // src/routes/tenants/tenants.route.ts
@@ -6322,42 +6335,7 @@ import { createRoute as createRoute12, OpenAPIHono as OpenAPIHono12 } from "@hon
 // src/routes/tenants/handler/create-tenant.ts
 import { eq as eq48 } from "drizzle-orm";
-// src/lib/has-role-permission.ts
-import { grant } from "@mesob/common";
-import { HTTPException as HTTPException4 } from "hono/http-exception";
-var toArray = (v) => {
-  return Array.isArray(v) ? v : [v];
-};
-var hasRole = (c, role) => {
-  const user = c.get("user");
-  const codes = user?.roleCodes;
-  if (!codes?.length) {
-    return false;
-  }
-  const check2 = toArray(role);
-  return check2.some((r) => codes.includes(r));
-};
-var hasRoleThrow = (c, role) => {
-  if (!hasRole(c, role)) {
-    throw new HTTPException4(401, { message: "Unauthorized" });
-  }
-};
-var hasPermission = (c, permission) => {
-  const user = c.get("user");
-  const perms = user?.permissions;
-  const check2 = toArray(permission);
-  return grant(check2, perms);
-};
-var hasPermissionThrow = (c, permission) => {
-  if (!hasPermission(c, permission)) {
-    throw new HTTPException4(401, { message: "Unauthorized" });
-  }
-};
-// src/routes/tenants/handler/create-tenant.ts
 var createTenantHandler = async (c) => {
-  hasRoleThrow(c, ["owner", "tenant-admin"]);
   const body = c.req.valid("json");
   const database = c.get("database");
   const [existing] = await database.select().from(tenantsInIam).where(eq48(tenantsInIam.id, body.id)).limit(1);
@@ -6385,7 +6363,6 @@ var createTenantHandler = async (c) => {
 // src/routes/tenants/handler/delete-tenant.ts
 import { eq as eq49 } from "drizzle-orm";
 var deleteTenantHandler = async (c) => {
-  hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const [existing] = await database.select().from(tenantsInIam).where(eq49(tenantsInIam.id, id)).limit(1);
@@ -6399,7 +6376,6 @@ var deleteTenantHandler = async (c) => {
 // src/routes/tenants/handler/get-tenant.ts
 import { eq as eq50 } from "drizzle-orm";
 var getTenantHandler = async (c) => {
-  hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const [tenant] = await database.select().from(tenantsInIam).where(eq50(tenantsInIam.id, id)).limit(1);
@@ -6417,7 +6393,6 @@ var sortColumnMap3 = {
   name: sql23`${tenantsInIam.name}::text`
 };
 var listTenantsHandler = async (c) => {
-  hasRoleThrow(c, ["owner", "tenant-admin"]);
   const query = c.req.valid("query");
   const database = c.get("database");
   const page = query.page || 1;
@@ -6456,7 +6431,6 @@ var listTenantsHandler = async (c) => {
 // src/routes/tenants/handler/update-tenant.ts
 import { eq as eq52, sql as sql24 } from "drizzle-orm";
 var updateTenantHandler = async (c) => {
-  hasRoleThrow(c, ["owner", "tenant-admin"]);
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
@@ -6730,7 +6704,12 @@ var deleteTenantRoute = createRoute12({
     }
   }
 });
-var tenantRoutes2 = new OpenAPIHono12().openapi(listTenantsRoute, listTenantsHandler).openapi(getTenantRoute, getTenantHandler).openapi(createTenantRoute, createTenantHandler).openapi(updateTenantRoute, updateTenantHandler).openapi(deleteTenantRoute, deleteTenantHandler);
+var IAM_ALL7 = "iam:all:all";
+var tenantRoutesBase2 = new OpenAPIHono12().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL7);
+  return next();
+});
+var tenantRoutes2 = tenantRoutesBase2.openapi(listTenantsRoute, listTenantsHandler).openapi(getTenantRoute, getTenantHandler).openapi(createTenantRoute, createTenantHandler).openapi(updateTenantRoute, updateTenantHandler).openapi(deleteTenantRoute, deleteTenantHandler);
 var tenants_route_default = tenantRoutes2;
 // src/routes/user-roles/user-roles.route.ts
@@ -6905,7 +6884,12 @@ var revokeUserRoleRoute = createRoute13({
     }
   }
 });
-var userRoleRoutes = new OpenAPIHono13().openapi(listUserRolesRoute, listUserRolesHandler).openapi(assignUserRoleRoute, assignUserRoleHandler).openapi(revokeUserRoleRoute, revokeUserRoleHandler);
+var IAM_ALL8 = "iam:all:all";
+var userRoleRoutesBase = new OpenAPIHono13().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL8);
+  return next();
+});
+var userRoleRoutes = userRoleRoutesBase.openapi(listUserRolesRoute, listUserRolesHandler).openapi(assignUserRoleRoute, assignUserRoleHandler).openapi(revokeUserRoleRoute, revokeUserRoleHandler);
 var user_roles_route_default = userRoleRoutes;
 // src/routes/users/users.route.ts
@@ -6922,27 +6906,24 @@ var banUserHandler = async (c) => {
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
-  const [updated] = await database.update(usersInIam).set({
-    bannedUntil: body.bannedUntil || null,
+  await database.update(usersInIam).set({
+    bannedUntil: body.bannedUntil ?? null,
     updatedAt: sql25`CURRENT_TIMESTAMP`
-  }).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId))).returning({
-    id: usersInIam.id,
-    tenantId: usersInIam.tenantId,
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    handle: usersInIam.handle,
-    image: usersInIam.image,
-    emailVerified: usersInIam.emailVerified,
-    phoneVerified: usersInIam.phoneVerified,
-    lastSignInAt: usersInIam.lastSignInAt
+  }).where(and50(eq55(usersInIam.id, id), eq55(usersInIam.tenantId, tenantId)));
+  const userWithRoles = await fetchUserWithRoles({
+    database,
+    userId: id,
+    tenantId
   });
-  if (!updated) {
+  if (!userWithRoles) {
     return c.json({ error: "User not found" }, 404);
   }
-  return c.json({ user: normalizeUser(updated) }, 200);
+  return c.json({ user: normalizeUser(userWithRoles) }, 200);
 };
+// src/routes/users/helper/invite.ts
+import { and as and52, eq as eq57 } from "drizzle-orm";
 // src/routes/users/helper/user.ts
 import { and as and51, eq as eq56, sql as sql26 } from "drizzle-orm";
 var checkUserExists = async ({
@@ -7012,7 +6993,89 @@ var inviteUser = (
       isEmail
     });
     if (existing) {
-      throw new Error("User already exists");
+      const identifierVerified = isEmail ? existing.emailVerified : existing.phoneVerified;
+      const hasInviteType = Array.isArray(existing.userType) && existing.userType.includes(config.userType);
+      if (identifierVerified && hasInviteType) {
+        throw new Error("User already exists");
+      }
+      const updates = {};
+      if (!identifierVerified) {
+        if (payload.emailVerified !== void 0 && payload.email) {
+          updates.emailVerified = Boolean(payload.emailVerified);
+        }
+        if (payload.phoneVerified !== void 0 && payload.phone) {
+          updates.phoneVerified = Boolean(payload.phoneVerified);
+        }
+      }
+      if (!hasInviteType) {
+        updates.userType = [config.userType];
+      }
+      let user2;
+      if (Object.keys(updates).length > 0) {
+        const [updated] = await database.update(usersInIam).set(updates).where(eq57(usersInIam.id, existing.id)).returning();
+        if (!updated) {
+          throw new Error("User update failed");
+        }
+        user2 = updated;
+      } else {
+        user2 = existing;
+      }
+      const [credAccount] = await database.select().from(accountsInIam).where(
+        and52(
+          eq57(accountsInIam.tenantId, tenantId),
+          eq57(accountsInIam.userId, user2.id),
+          eq57(accountsInIam.provider, "credentials")
+        )
+      ).limit(1);
+      const hasPassword2 = Boolean(credAccount?.password);
+      const resolvedInviteUrl2 = resolveInviteUrl({
+        inviteUrl: payload.inviteUrl,
+        identifier,
+        hasPassword: hasPassword2
+      });
+      const delivery2 = {};
+      if (payload.sendVia?.includes("email")) {
+        if (payload.email && config.email.sendInvitation) {
+          try {
+            await config.email.sendInvitation({
+              email: payload.email,
+              fullName: user2.fullName,
+              identifier,
+              inviteUrl: resolvedInviteUrl2,
+              tenantId
+            });
+            delivery2.email = "sent";
+          } catch {
+            delivery2.email = "failed";
+          }
+        } else {
+          delivery2.email = "skipped";
+        }
+      }
+      if (payload.sendVia?.includes("sms")) {
+        if (payload.phone && config.phone.sendInvitation) {
+          try {
+            await config.phone.sendInvitation({
+              phone: payload.phone,
+              fullName: user2.fullName,
+              identifier,
+              inviteUrl: resolvedInviteUrl2,
+              tenantId
+            });
+            delivery2.sms = "sent";
+          } catch {
+            delivery2.sms = "failed";
+          }
+        } else {
+          delivery2.sms = "skipped";
+        }
+      }
+      return {
+        user: normalizeUser(user2),
+        delivery: delivery2,
+        inviteUrl: resolvedInviteUrl2,
+        hasPassword: hasPassword2
+      };
     }
     const userHandle = payload.handle || generateHandle();
     const existingHandle = await checkHandleExists({
@@ -7197,16 +7260,16 @@ var createUserHandler = async (c) => {
 };
 // src/routes/users/handler/delete-user.ts
-import { and as and52, eq as eq57 } from "drizzle-orm";
+import { and as and53, eq as eq58 } from "drizzle-orm";
 var deleteUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and53(eq58(usersInIam.id, id), eq58(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
-  await database.delete(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId)));
+  await database.delete(usersInIam).where(and53(eq58(usersInIam.id, id), eq58(usersInIam.tenantId, tenantId)));
   return c.json({ message: "User deleted" }, 200);
 };
@@ -7250,7 +7313,7 @@ var inviteUserHandler = async (c) => {
 };
 // src/routes/users/handler/list-users.ts
-import { and as and53, asc as asc5, desc as desc5, eq as eq58, ilike as ilike4, inArray as inArray6, or as or4, sql as sql27 } from "drizzle-orm";
+import { and as and54, asc as asc5, desc as desc5, eq as eq59, gt as gt9, ilike as ilike4, inArray as inArray6, or as or4, sql as sql27 } from "drizzle-orm";
 var userSelect = {
   id: usersInIam.id,
   tenantId: usersInIam.tenantId,
@@ -7266,9 +7329,6 @@ var userSelect = {
   userType: usersInIam.userType,
   roleCount: sql27`(select count(*)::int from ${userRolesInIam} where ${userRolesInIam.userId} = ${usersInIam.id} and ${userRolesInIam.tenantId} = ${usersInIam.tenantId})`.as(
     "roleCount"
-  ),
-  activeSessionCount: sql27`(select count(*)::int from ${sessionsInIam} where ${sessionsInIam.userId} = ${usersInIam.id} and ${sessionsInIam.tenantId} = ${usersInIam.tenantId} and ${sessionsInIam.expiresAt} > now())`.as(
-    "activeSessionCount"
   )
 };
 var sortColumnMap4 = {
@@ -7301,26 +7361,27 @@ var listUsersHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const config = c.get("config");
+  const _config = c.get("config");
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const userTypeFilter = (query.userType && query.userType !== "all" ? query.userType : null) ?? config.userType;
-  const conditions = [eq58(usersInIam.tenantId, tenantId)];
+  const userTypeFilter = query.userType && query.userType !== "all" ? query.userType : null;
+  const conditions = [eq59(usersInIam.tenantId, tenantId)];
   if (userTypeFilter) {
     conditions.push(
       sql27`${usersInIam.userType} @> ARRAY[${userTypeFilter}]::text[]`
     );
   }
   if (query.search?.trim()) {
-    const term = `%${query.search.trim().replace(/[%_\\]/g, (c2) => `\\${c2}`)}%`;
-    conditions.push(
-      or4(
-        ilike4(usersInIam.fullName, term),
-        ilike4(usersInIam.email, term),
-        ilike4(usersInIam.phone, term)
-      )
+    const term = `%${query.search.trim().replace(/[%_\\]/g, (ch) => `\\${ch}`)}%`;
+    const searchCond = or4(
+      ilike4(usersInIam.fullName, term),
+      ilike4(usersInIam.email, term),
+      ilike4(usersInIam.phone, term)
     );
+    if (searchCond) {
+      conditions.push(searchCond);
+    }
   }
   if (query.email) {
     conditions.push(ilike4(usersInIam.email, `%${query.email}%`));
@@ -7332,38 +7393,52 @@ var listUsersHandler = async (c) => {
     conditions.push(ilike4(usersInIam.handle, `%${query.handle}%`));
   }
   if (query.filter === "verified") {
-    conditions.push(
-      or4(
-        eq58(usersInIam.emailVerified, true),
-        eq58(usersInIam.phoneVerified, true)
-      )
+    const verifiedCond = or4(
+      eq59(usersInIam.emailVerified, true),
+      eq59(usersInIam.phoneVerified, true)
     );
+    if (verifiedCond) {
+      conditions.push(verifiedCond);
+    }
   } else if (query.filter === "unverified") {
-    conditions.push(eq58(usersInIam.emailVerified, false));
-    conditions.push(eq58(usersInIam.phoneVerified, false));
+    conditions.push(eq59(usersInIam.emailVerified, false));
+    conditions.push(eq59(usersInIam.phoneVerified, false));
   }
   const orderDir = query.order === "asc" ? asc5 : desc5;
   const sortCol = query.sort && sortColumnMap4[query.sort] ? sortColumnMap4[query.sort] : usersInIam.fullName;
-  const whereClause = and53(...conditions);
+  const whereClause = and54(...conditions);
   const [users, totalResult] = await Promise.all([
     database.select(userSelect).from(usersInIam).where(whereClause).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
     database.select({ count: sql27`count(*)` }).from(usersInIam).where(whereClause)
   ]);
   const total = Number(totalResult[0]?.count || 0);
   const userIds = users.map((u) => u.id);
+  const sessionCountRows = userIds.length > 0 ? await database.select({
+    userId: sessionsInIam.userId,
+    count: sql27`count(*)::int`.as("count")
+  }).from(sessionsInIam).where(
+    and54(
+      eq59(sessionsInIam.tenantId, tenantId),
+      inArray6(sessionsInIam.userId, userIds),
+      gt9(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    )
+  ).groupBy(sessionsInIam.userId) : [];
+  const sessionCountByUser = new Map(
+    sessionCountRows.map((r) => [r.userId, Number(r.count) ?? 0])
+  );
   const roleRows = userIds.length > 0 ? await database.select({
     userId: userRolesInIam.userId,
     code: rolesInIam.code,
     name: rolesInIam.name
   }).from(userRolesInIam).innerJoin(
     rolesInIam,
-    and53(
-      eq58(rolesInIam.tenantId, userRolesInIam.tenantId),
-      eq58(rolesInIam.id, userRolesInIam.roleId)
+    and54(
+      eq59(rolesInIam.tenantId, userRolesInIam.tenantId),
+      eq59(rolesInIam.id, userRolesInIam.roleId)
     )
   ).where(
-    and53(
-      eq58(userRolesInIam.tenantId, tenantId),
+    and54(
+      eq59(userRolesInIam.tenantId, tenantId),
       inArray6(userRolesInIam.userId, userIds)
     )
   ) : [];
@@ -7382,7 +7457,7 @@ var listUsersHandler = async (c) => {
         ...u,
         roles: null,
         userRoles: userRolesMap.get(u.id) ?? [],
-        activeSessionCount: Number(u.activeSessionCount) ?? 0
+        activeSessionCount: sessionCountByUser.get(u.id) ?? 0
       })),
       total,
       page,
@@ -7393,13 +7468,13 @@ var listUsersHandler = async (c) => {
 };
 // src/routes/users/handler/search-users.ts
-import { and as and54, eq as eq59, ilike as ilike5, or as or5 } from "drizzle-orm";
+import { and as and55, eq as eq60, ilike as ilike5, or as or5 } from "drizzle-orm";
 var searchUsersHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const limit = query.limit || 20;
-  const conditions = [eq59(usersInIam.tenantId, tenantId)];
+  const conditions = [eq60(usersInIam.tenantId, tenantId)];
   if (query.search && query.search.trim().length > 0) {
     const searchCondition = or5(
       ilike5(usersInIam.fullName, `%${query.search}%`),
@@ -7417,25 +7492,25 @@ var searchUsersHandler = async (c) => {
     phone: usersInIam.phone,
     handle: usersInIam.handle,
     image: usersInIam.image
-  }).from(usersInIam).where(and54(...conditions)).limit(limit);
+  }).from(usersInIam).where(and55(...conditions)).limit(limit);
   return c.json({ users }, 200);
 };
 // src/routes/users/handler/update-user.ts
-import { and as and55, eq as eq60, inArray as inArray7, sql as sql28 } from "drizzle-orm";
+import { and as and56, eq as eq61, inArray as inArray7, sql as sql28 } from "drizzle-orm";
 var updateUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
   if (body.handle && body.handle !== existing.handle) {
     const [handleExists] = await database.select().from(usersInIam).where(
-      and55(
-        eq60(usersInIam.tenantId, tenantId),
+      and56(
+        eq61(usersInIam.tenantId, tenantId),
         sql28`lower(${usersInIam.handle}) = lower(${body.handle})`
       )
     ).limit(1);
@@ -7468,7 +7543,7 @@ var updateUserHandler = async (c) => {
   const [updated] = await database.update(usersInIam).set({
     ...updateData,
     updatedAt: sql28`CURRENT_TIMESTAMP`
-  }).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).returning({
+  }).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
     fullName: usersInIam.fullName,
@@ -7487,8 +7562,8 @@ var updateUserHandler = async (c) => {
     const roleIds = body.roleIds;
     if (roleIds.length > 0) {
       const validRoles = await database.select({ id: rolesInIam.id, code: rolesInIam.code }).from(rolesInIam).where(
-        and55(
-          eq60(rolesInIam.tenantId, tenantId),
+        and56(
+          eq61(rolesInIam.tenantId, tenantId),
           inArray7(rolesInIam.id, roleIds)
         )
       );
@@ -7497,9 +7572,9 @@ var updateUserHandler = async (c) => {
       );
       const toInsert = roleIds.filter((rid) => assignableIds.has(rid));
       await database.delete(userRolesInIam).where(
-        and55(
-          eq60(userRolesInIam.tenantId, tenantId),
-          eq60(userRolesInIam.userId, id)
+        and56(
+          eq61(userRolesInIam.tenantId, tenantId),
+          eq61(userRolesInIam.userId, id)
         )
       );
       if (toInsert.length > 0) {
@@ -7513,9 +7588,9 @@ var updateUserHandler = async (c) => {
       }
     } else {
       await database.delete(userRolesInIam).where(
-        and55(
-          eq60(userRolesInIam.tenantId, tenantId),
-          eq60(userRolesInIam.userId, id)
+        and56(
+          eq61(userRolesInIam.tenantId, tenantId),
+          eq61(userRolesInIam.userId, id)
         )
       );
     }
@@ -7917,38 +7992,43 @@ var bulkInviteUsersRoute = createRoute14({
     }
   }
 });
-var userRoutes = new OpenAPIHono14().openapi(listUsersRoute, listUsersHandler).openapi(getUserRoute, getUserHandler).openapi(createUserRoute, createUserHandler).openapi(updateUserRoute, updateUserHandler).openapi(deleteUserRoute, deleteUserHandler).openapi(banUserRoute, banUserHandler).openapi(searchUsersRoute, searchUsersHandler).openapi(inviteUserRoute, inviteUserHandler).openapi(bulkInviteUsersRoute, bulkInviteUsersHandler);
+var IAM_ALL9 = "iam:all:all";
+var userRoutesBase = new OpenAPIHono14().use("*", (c, next) => {
+  hasPermissionThrow(c, IAM_ALL9);
+  return next();
+});
+var userRoutes = userRoutesBase.openapi(listUsersRoute, listUsersHandler).openapi(getUserRoute, getUserHandler).openapi(createUserRoute, createUserHandler).openapi(updateUserRoute, updateUserHandler).openapi(deleteUserRoute, deleteUserHandler).openapi(banUserRoute, banUserHandler).openapi(searchUsersRoute, searchUsersHandler).openapi(inviteUserRoute, inviteUserHandler).openapi(bulkInviteUsersRoute, bulkInviteUsersHandler);
 var users_route_default = userRoutes;
 // src/routes/verifications/verifications.route.ts
 import { createRoute as createRoute15, OpenAPIHono as OpenAPIHono15 } from "@hono/zod-openapi";
 // src/routes/verifications/handler/invalidate-verification.ts
-import { and as and56, eq as eq61 } from "drizzle-orm";
+import { and as and57, eq as eq62 } from "drizzle-orm";
 var invalidateVerificationHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(verificationsInIam).where(
-    and56(
-      eq61(verificationsInIam.id, id),
-      eq61(verificationsInIam.tenantId, tenantId)
+    and57(
+      eq62(verificationsInIam.id, id),
+      eq62(verificationsInIam.tenantId, tenantId)
     )
   ).limit(1);
   if (!existing) {
     return c.json({ error: "Verification not found" }, 404);
   }
   await database.delete(verificationsInIam).where(
-    and56(
-      eq61(verificationsInIam.id, id),
-      eq61(verificationsInIam.tenantId, tenantId)
+    and57(
+      eq62(verificationsInIam.id, id),
+      eq62(verificationsInIam.tenantId, tenantId)
     )
   );
   return c.json({ message: "Verification invalidated" }, 200);
 };
 // src/routes/verifications/handler/list-verifications.ts
-import { and as and57, eq as eq62, sql as sql29 } from "drizzle-orm";
+import { and as and58, eq as eq63, sql as sql29 } from "drizzle-orm";
 var listVerificationsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
@@ -7956,12 +8036,12 @@ var listVerificationsHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq62(verificationsInIam.tenantId, tenantId)];
+  const conditions = [eq63(verificationsInIam.tenantId, tenantId)];
   if (query.userId) {
-    conditions.push(eq62(verificationsInIam.userId, query.userId));
+    conditions.push(eq63(verificationsInIam.userId, query.userId));
   }
   if (query.type) {
-    conditions.push(eq62(verificationsInIam.type, query.type));
+    conditions.push(eq63(verificationsInIam.type, query.type));
   }
   if (query.status) {
     if (query.status === "active") {
@@ -7975,8 +8055,8 @@ var listVerificationsHandler = async (c) => {
     }
   }
   const [verifications, totalResult] = await Promise.all([
-    database.select().from(verificationsInIam).where(and57(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql29`count(*)` }).from(verificationsInIam).where(and57(...conditions))
+    database.select().from(verificationsInIam).where(and58(...conditions)).limit(limit).offset(offset),
+    database.select({ count: sql29`count(*)` }).from(verificationsInIam).where(and58(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ verifications, total, page, limit }, 200);
@@ -8558,8 +8638,6 @@ export {
   createSessionMiddleware,
   createTenantMiddleware,
   hasPermission,
-  hasPermissionThrow,
-  hasRole,
-  hasRoleThrow
+  hasPermissionThrow
 };
 //# sourceMappingURL=index.js.map