@rebasepro/client-postgresql 0.0.1-canary.dbf160a → 0.0.1-canary.e17585f

package/dist/client/src/auth.d.ts

@@ -50,7 +50,12 @@ export declare function createAuth(transport: Transport, options?: CreateAuthOpt
         accessToken: string;
         refreshToken: string;
     }>;
-    signInWithGoogle: (idToken: string) => Promise<{
+    signInWithGoogle: (tokenOrPayload: string | {
+        idToken?: string;
+        accessToken?: string;
+        code?: string;
+        redirectUri?: string;
+    }) => Promise<{
         user: RebaseUser;
         accessToken: string;
         refreshToken: string;

package/dist/client/src/collection.d.ts

@@ -1,4 +1,4 @@
-import { Transport } from "./transport";
+import { Transport, FindParams } from "./transport";
 import { RebaseWebSocketClient } from "./websocket";
 import { CollectionAccessor } from "@rebasepro/types";
 import { FilterOperator, QueryBuilder } from "./query_builder";
@@ -15,5 +15,6 @@ export interface CollectionClient<M extends Record<string, unknown> = Record<str
     offset(count: number): QueryBuilder<M>;
     search(searchString: string): QueryBuilder<M>;
     include(...relations: string[]): QueryBuilder<M>;
+    count(params?: FindParams): Promise<number>;
 }
 export declare function createCollectionClient<M extends Record<string, unknown> = Record<string, unknown>>(transport: Transport, slug: string, ws?: RebaseWebSocketClient): CollectionClient<M>;

package/dist/client/src/functions.d.ts

@@ -0,0 +1,49 @@
+import type { Transport } from "./transport";
+/**
+ * Client interface for invoking custom backend functions.
+ *
+ * Custom functions are Hono route files auto-mounted by the Rebase backend
+ * at `/api/functions/{name}`.  The `FunctionsClient` wraps the shared
+ * transport so callers never need to manually construct URLs or inject
+ * auth tokens.
+ *
+ * @example
+ * ```ts
+ * const result = await client.functions.invoke<{ job: Job }>('extract-job', {
+ *     url: 'https://example.com/posting',
+ *     html: htmlContent,
+ * });
+ * ```
+ */
+export interface FunctionsClient {
+    /**
+     * Invoke a custom backend function by name.
+     *
+     * @typeParam T - Expected shape of the response payload.
+     * @param name    - Function name (the filename without extension, e.g. `"extract-job"`).
+     * @param payload - Optional JSON-serialisable body sent as `POST`.
+     * @param options - Optional overrides (HTTP method, sub-path, extra headers).
+     * @returns The parsed JSON response from the function.
+     */
+    invoke<T = unknown>(name: string, payload?: unknown, options?: FunctionInvokeOptions): Promise<T>;
+}
+export interface FunctionInvokeOptions {
+    /** HTTP method — defaults to `"POST"`. */
+    method?: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    /** Sub-path appended after the function name, e.g. `"status/123"`. */
+    path?: string;
+    /** Extra headers merged into the request (auth is still injected automatically). */
+    headers?: Record<string, string>;
+}
+/**
+ * Create a `FunctionsClient` backed by the given transport.
+ *
+ * The transport already handles:
+ * - Base URL resolution
+ * - JWT injection via `Authorization: Bearer`
+ * - 401 retry / `onUnauthorized` flow
+ * - Consistent error throwing via `RebaseApiError`
+ *
+ * @internal
+ */
+export declare function createFunctionsClient(transport: Transport): FunctionsClient;

package/dist/client/src/index.d.ts

@@ -3,6 +3,7 @@ import { createAuth, CreateAuthOptions } from "./auth";
 import { createAdmin, CreateAdminOptions } from "./admin";
 import { createCron, CreateCronOptions } from "./cron";
 import { CollectionClient } from "./collection";
+import type { FunctionsClient } from "./functions";
 export * from "./transport";
 export * from "./auth";
 export * from "./admin";
@@ -11,6 +12,7 @@ export * from "./collection";
 export * from "./websocket";
 export * from "./storage";
 export * from "./reviver";
+export * from "./functions";
 export interface CreateRebaseClientOptions extends RebaseClientConfig {
     auth?: CreateAuthOptions;
     admin?: CreateAdminOptions;
@@ -26,6 +28,7 @@ export type RebaseClient<DB = Record<string, unknown>> = BaseRebaseClient<DB> &
     auth: ReturnType<typeof createAuth>;
     admin: ReturnType<typeof createAdmin>;
     cron: ReturnType<typeof createCron>;
+    functions: FunctionsClient;
     ws?: RebaseWebSocketClient;
     storage?: StorageSource;
     call: <T = unknown>(endpoint: string, payload?: unknown) => Promise<T>;

package/dist/types/src/controllers/auth.d.ts

@@ -80,8 +80,14 @@ export type AuthController<USER extends User = User, ExtraData = unknown> = {
 export interface AuthControllerExtended<USER extends User = User, ExtraData = unknown> extends AuthController<USER, ExtraData> {
     /** Login with email and password */
     emailPasswordLogin?(email: string, password: string): Promise<void>;
-    /** Login with a Google ID token or trigger Google popup */
-    googleLogin?(idToken: string): Promise<void>;
+    /** Login with a Google token or authorization code */
+    googleLogin?: {
+        (token: string, tokenType?: "idToken" | "accessToken"): Promise<void>;
+        (payload: {
+            code: string;
+            redirectUri: string;
+        }): Promise<void>;
+    };
     /** Register a new user */
     register?(email: string, password: string, displayName?: string): Promise<void>;
     /** Skip login (for anonymous access if enabled) */

package/dist/types/src/controllers/client.d.ts

@@ -167,4 +167,17 @@ export interface RebaseClient<DB = unknown> {
     email?: EmailService;
     /** Admin API for user and role management */
     admin?: AdminAPI;
+    /**
+     * The base HTTP URL of the backend server.
+     * Exposed by the SDK client (`@rebasepro/client`) and used to auto-derive
+     * the `ApiConfigProvider` URL.
+     */
+    baseUrl?: string;
+    /**
+     * WebSocket client for realtime subscriptions and admin capabilities.
+     * Exposed by the SDK client (`@rebasepro/client`). The shape is intentionally
+     * left as `unknown` in the base interface — callers should narrow via feature
+     * detection (e.g. `typeof ws.executeSql === "function"`).
+     */
+    ws?: unknown;
 }

package/dist/types/src/controllers/collection_registry.d.ts

@@ -36,7 +36,8 @@ export type CollectionRegistryController<DB = Record<string, unknown>, EC extend
      * Retrieve all the related parent collection ids for a given path
      * @param path
      */
-    getParentCollectionIds: (path: string) => string[];
+    getParentCollectionSlugs: (path: string) => string[];
+    getParentEntityIds: (path: string) => string[];
     /**
      * Resolve paths from a list of ids
      * @param ids

package/dist/types/src/controllers/data_driver.d.ts

@@ -144,12 +144,19 @@ export interface DataDriver {
         path: string;
         databaseId?: string;
         collection: EntityCollection;
-        parentCollectionIds?: string[];
+        parentCollectionSlugs?: string[];
+        parentEntityIds?: string[];
     }) => Promise<boolean>;
     /**
      * Flag to indicate if the driver has requested the initialization of the text search index
      */
     needsInitTextSearch?: boolean;
+    /**
+     * Optional REST-optimised fetch service. When present, the REST API
+     * generator uses these methods instead of the generic `fetchEntity` /
+     * `fetchCollection` pipeline, enabling include-aware eager-loading.
+     */
+    restFetchService?: RestFetchService;
     /**
      * Return the admin capabilities of this driver.
      * @see SQLAdmin
@@ -158,3 +165,31 @@ export interface DataDriver {
      */
     admin?: import("../types/backend").DatabaseAdmin;
 }
+/**
+ * REST-optimised fetch service exposed by drivers that support
+ * eager-loading of relations via `include`.
+ *
+ * The methods return flattened rows (`{ id, ...columns }`) rather
+ * than the `Entity<M>` wrapper used by the generic DataDriver API.
+ *
+ * @group DataDriver
+ */
+export interface RestFetchService {
+    /**
+     * Fetch a collection of flattened entities with optional relation includes.
+     */
+    fetchCollectionForRest(collectionPath: string, options?: {
+        filter?: FilterValues<string>;
+        orderBy?: string;
+        order?: "desc" | "asc";
+        limit?: number;
+        offset?: number;
+        startAfter?: Record<string, unknown>;
+        searchString?: string;
+        databaseId?: string;
+    }, include?: string[]): Promise<Record<string, unknown>[]>;
+    /**
+     * Fetch a single flattened entity with optional relation includes.
+     */
+    fetchEntityForRest(collectionPath: string, entityId: string | number, include?: string[], databaseId?: string): Promise<Record<string, unknown> | null>;
+}

package/dist/types/src/controllers/navigation.d.ts

@@ -144,17 +144,18 @@ export interface AppView {
      * It will still be accessible if you reach the specified path
      */
     hideFromNavigation?: boolean;
+    /**
+     * Navigation group for this view.
+     * Views sharing the same group name will be visually grouped
+     * together in the drawer and home page. If not set, the view
+     * falls into the default "Views" group.
+     */
+    group?: string;
     /**
      * Component to be rendered. This can be any React component, and can use
      * any of the provided hooks
      */
     view: React.ReactNode;
-    /**
-     * Optional field used to group top level navigation entries under a
-     * navigation view.
-     * This prop is ignored for admin views.
-     */
-    group?: string;
     /**
      * If true, a wildcard route (slug/*) is automatically registered
      * alongside the base route, enabling nested navigation within this view.
@@ -193,6 +194,17 @@ export interface NavigationGroupMapping {
      * List of collection ids or view paths that belong to this group.
      */
     entries: string[];
+    /**
+     * Configure which groups start collapsed.
+     * Set to `true` to collapse in both drawer and home page,
+     * or use an object to control each independently.
+     *
+     * @defaultValue false (expanded)
+     */
+    collapsedByDefault?: boolean | {
+        drawer?: boolean;
+        home?: boolean;
+    };
 }
 export interface NavigationEntry {
     id: string;

package/dist/types/src/controllers/registry.d.ts

@@ -3,7 +3,7 @@ import type { EntityCollection } from "../types/collections";
 import type { EntityCollectionsBuilder } from "../types/builders";
 import type { EntityCustomView } from "../types/entity_views";
 import type { EntityAction } from "../types/entity_actions";
-import type { AppView } from "./navigation";
+import type { AppView, NavigationGroupMapping } from "./navigation";
 /**
  * Options to enable the built-in collection editor.
  * When provided to `<RebaseCMS>`, the editor is auto-wired as a native feature.
@@ -25,6 +25,14 @@ export interface RebaseCMSConfig<EC extends EntityCollection = any> {
     entityViews?: EntityCustomView<any>[];
     entityActions?: EntityAction[];
     plugins?: any[];
+    /**
+     * Centralized configuration for how collections and views are grouped
+     * in the navigation sidebar and home page.
+     * Each mapping defines a named group and the collection/view slugs
+     * that belong to it. The array order determines group display order.
+     * Entry order within each group determines card order.
+     */
+    navigationGroupMappings?: NavigationGroupMapping[];
     /**
      * Enable the built-in visual collection/schema editor.
      * Pass `true` for zero-config, or an options object for fine-grained control.

package/dist/types/src/controllers/side_entity_controller.d.ts

@@ -62,6 +62,13 @@ export interface EntitySidePanelProps<M extends Record<string, unknown> = Record
      * Allow the user to open the entity fullscreen
      */
     allowFullScreen?: boolean;
+    /**
+     * Pre-populate the form with these values when creating a new entity.
+     * Only applied when `entityId` is not set (i.e. the form is in "new" mode).
+     * Useful for actions that fetch data from an external source (e.g. a URL)
+     * and want to pre-fill the document before the user saves.
+     */
+    defaultValues?: Partial<M>;
 }
 /**
  * Controller to open the side dialog displaying entity forms

package/dist/types/src/rebase_context.d.ts

@@ -3,6 +3,7 @@ import type { AuthController } from "./controllers/auth";
 import type { StorageSource } from "./controllers/storage";
 import type { UserConfigurationPersistence } from "./controllers/local_config_persistence";
 import type { DatabaseAdmin } from "./types/backend";
+import type { RebaseClient } from "./controllers/client";
 import type { RebaseData } from "./controllers/data";
 import type { User } from "./users";
 import type { UserManagementDelegate } from "./types/user_management_delegate";
@@ -12,6 +13,22 @@ import type { UserManagementDelegate } from "./types/user_management_delegate";
  * @group Hooks and utilities
  */
 export type RebaseCallContext<USER extends User = User> = {
+    /**
+     * The Rebase client instance.
+     * Available in all entity callbacks (beforeSave, afterSave, afterRead,
+     * beforeDelete, afterDelete) and in CollectionActionsProps via context.
+     * Use it to call backend functions, access data, storage, etc.
+     *
+     * @example
+     * // In a beforeSave callback:
+     * const result = await context.client.functions.invoke('my-function', { ... });
+     *
+     * @example
+     * // In a CollectionAction component:
+     * const { client } = props.context;
+     * const result = await client.functions.invoke('extract-job', { url });
+     */
+    client: RebaseClient<any>;
     /**
      * Unified data access — `context.data.products.create(...)`.
      * Access any collection as a dynamic property.

package/dist/types/src/types/auth_adapter.d.ts

@@ -0,0 +1,354 @@
+/**
+ * @module AuthAdapter
+ *
+ * Pluggable authentication abstraction for Rebase.
+ *
+ * An `AuthAdapter` decouples authentication from the database layer,
+ * allowing users to bring their own auth system (Clerk, Auth0, Firebase Auth,
+ * custom JWT, etc.) while keeping the Rebase admin frontend fully functional.
+ *
+ * @example Built-in auth (default — zero config change)
+ * ```ts
+ * initializeRebaseBackend({
+ *   auth: { jwtSecret: "...", google: { clientId: "..." } },
+ *   database: createPostgresAdapter({ ... }),
+ * });
+ * ```
+ *
+ * @example Custom auth
+ * ```ts
+ * import { createCustomAuthAdapter } from "@rebasepro/server-core";
+ *
+ * initializeRebaseBackend({
+ *   auth: createCustomAuthAdapter({
+ *     verifyRequest: async (req) => { ... },
+ *   }),
+ *   database: createPostgresAdapter({ ... }),
+ * });
+ * ```
+ *
+ * @group Auth
+ */
+import type { Hono } from "hono";
+/**
+ * The normalized user object returned by `AuthAdapter.verifyRequest()`.
+ *
+ * Regardless of the auth provider, every request is resolved to this shape
+ * so that downstream middleware (RLS scoping, route guards) can work uniformly.
+ *
+ * @group Auth
+ */
+export interface AuthenticatedUser {
+    /** Unique user identifier (provider-specific). */
+    uid: string;
+    /** Primary email address. */
+    email: string;
+    /** Human-readable display name. */
+    displayName?: string | null;
+    /** Avatar URL. */
+    photoUrl?: string | null;
+    /** Role identifiers the user holds. */
+    roles: string[];
+    /** Whether the user has admin privileges. */
+    isAdmin: boolean;
+    /** Raw bearer token from the request (for forwarding). */
+    rawToken?: string;
+    /** Extra claims/metadata from the auth provider. */
+    claims?: Record<string, unknown>;
+}
+/**
+ * Feature flags advertised by an auth adapter.
+ *
+ * The frontend reads these from `GET /api/auth/config` to dynamically
+ * show/hide UI elements (login form, registration, password reset, etc.).
+ *
+ * @group Auth
+ */
+export interface AuthAdapterCapabilities {
+    /**
+     * Whether this adapter mounts its own `/auth/*` routes.
+     *
+     * - `true` for the built-in Rebase auth (login, register, refresh, etc.)
+     * - `false` for external providers like Clerk or Auth0 that handle
+     *   auth flows outside of the Rebase backend.
+     */
+    hasBuiltInAuthRoutes: boolean;
+    /** Supports email/password login. */
+    emailPasswordLogin: boolean;
+    /** Supports new user registration. */
+    registration: boolean;
+    /** Supports password reset flow. */
+    passwordReset: boolean;
+    /** Supports session listing/revocation. */
+    sessionManagement: boolean;
+    /** Supports profile updates (display name, photo). */
+    profileUpdate: boolean;
+    /** Supports email verification. */
+    emailVerification: boolean;
+    /** List of enabled OAuth provider IDs (e.g. `["google", "github"]`). */
+    enabledProviders: string[];
+    /**
+     * For external auth (Clerk, Auth0, etc.): the URL where the user should
+     * be redirected for login. The Rebase frontend will navigate here instead
+     * of showing its own login form.
+     */
+    externalLoginUrl?: string;
+    /**
+     * True when no users exist yet — first-user bootstrap mode.
+     * Only applicable for built-in auth.
+     */
+    needsSetup?: boolean;
+    /** Whether new user registration is enabled (may differ from `registration` capability at runtime). */
+    registrationEnabled?: boolean;
+}
+/**
+ * Options for paginated user listing.
+ * @group Auth
+ */
+export interface AuthUserListOptions {
+    limit?: number;
+    offset?: number;
+    search?: string;
+    orderBy?: string;
+    orderDir?: "asc" | "desc";
+    roleId?: string;
+}
+/**
+ * Paginated user listing result.
+ * @group Auth
+ */
+export interface AuthUserListResult {
+    users: AuthUserData[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+/**
+ * User data exposed by the auth adapter.
+ * @group Auth
+ */
+export interface AuthUserData {
+    id: string;
+    email: string;
+    displayName?: string | null;
+    photoUrl?: string | null;
+    emailVerified?: boolean;
+    createdAt?: Date;
+    updatedAt?: Date;
+}
+/**
+ * Data for creating a user.
+ * @group Auth
+ */
+export interface AuthCreateUserData {
+    email: string;
+    password?: string;
+    displayName?: string;
+    photoUrl?: string;
+}
+/**
+ * Role data exposed by the auth adapter.
+ * @group Auth
+ */
+export interface AuthRoleData {
+    id: string;
+    name: string;
+    isAdmin: boolean;
+    defaultPermissions?: {
+        read?: boolean;
+        create?: boolean;
+        edit?: boolean;
+        delete?: boolean;
+    } | null;
+    collectionPermissions?: Record<string, {
+        read?: boolean;
+        create?: boolean;
+        edit?: boolean;
+        delete?: boolean;
+    }> | null;
+    config?: Record<string, unknown> | null;
+}
+/**
+ * Data for creating a role.
+ * @group Auth
+ */
+export interface AuthCreateRoleData {
+    id: string;
+    name: string;
+    isAdmin?: boolean;
+    defaultPermissions?: AuthRoleData["defaultPermissions"];
+    collectionPermissions?: AuthRoleData["collectionPermissions"];
+    config?: AuthRoleData["config"];
+}
+/**
+ * User management operations for the admin panel.
+ *
+ * Optional — if not provided by the adapter, the user management UI is hidden.
+ *
+ * @group Auth
+ */
+export interface UserManagementAdapter {
+    listUsers(options?: AuthUserListOptions): Promise<AuthUserListResult>;
+    getUserById(id: string): Promise<AuthUserData | null>;
+    createUser(data: AuthCreateUserData): Promise<AuthUserData>;
+    updateUser(id: string, data: Partial<AuthCreateUserData>): Promise<AuthUserData | null>;
+    deleteUser(id: string): Promise<void>;
+    getUserRoles(userId: string): Promise<AuthRoleData[]>;
+    setUserRoles(userId: string, roleIds: string[]): Promise<void>;
+}
+/**
+ * Role management operations for the admin panel.
+ *
+ * Optional — if not provided by the adapter, role management is disabled.
+ *
+ * @group Auth
+ */
+export interface RoleManagementAdapter {
+    listRoles(): Promise<AuthRoleData[]>;
+    getRoleById(id: string): Promise<AuthRoleData | null>;
+    createRole(data: AuthCreateRoleData): Promise<AuthRoleData>;
+    updateRole(id: string, data: Partial<AuthRoleData>): Promise<AuthRoleData | null>;
+    deleteRole(id: string): Promise<void>;
+}
+/**
+ * Pluggable authentication adapter for Rebase.
+ *
+ * This is the **key interface** that decouples authentication from the
+ * database layer. Each auth adapter knows how to:
+ *
+ * 1. Verify incoming HTTP requests (`verifyRequest`)
+ * 2. Optionally manage users and roles (for the admin panel)
+ * 3. Optionally mount auth-specific routes (login, register, etc.)
+ * 4. Advertise its capabilities so the frontend can adapt
+ *
+ * The built-in Rebase auth implements this interface internally.
+ * External providers (Clerk, Auth0, Firebase Auth) provide their own adapters.
+ * Users with custom auth can use `createCustomAuthAdapter()` for a minimal setup.
+ *
+ * @group Auth
+ */
+export interface AuthAdapter {
+    /**
+     * Unique identifier for this auth adapter.
+     *
+     * @example "rebase-builtin", "clerk", "auth0", "firebase", "custom"
+     */
+    readonly id: string;
+    /**
+     * Verify an incoming request and extract the authenticated user.
+     *
+     * This replaces the hardcoded JWT verification in server-core's middleware.
+     * Each adapter implements its own token verification strategy:
+     * - Built-in: verify Rebase JWT
+     * - Clerk: call Clerk's `verifyToken()`
+     * - Auth0: validate Auth0 JWT with JWKS
+     * - Custom: whatever logic the user provides
+     *
+     * @param request - The raw `Request` object (portable across Hono, Express, Fastify)
+     * @returns The authenticated user, or `null` for unauthenticated requests.
+     *          Throw an error to reject the request with 401.
+     */
+    verifyRequest(request: Request): Promise<AuthenticatedUser | null>;
+    /**
+     * Verify a raw bearer token and extract the authenticated user.
+     *
+     * Used for **WebSocket authentication**, where there is no HTTP `Request`
+     * object — only a token string sent over the socket.
+     *
+     * If not implemented, the default behavior synthesizes a minimal `Request`
+     * with an `Authorization: Bearer <token>` header and delegates to
+     * `verifyRequest()`. Adapters should override this if their token
+     * verification logic doesn't depend on request headers/cookies.
+     *
+     * @param token - The raw bearer token string.
+     * @returns The authenticated user, or `null` if the token is invalid.
+     */
+    verifyToken?(token: string): Promise<AuthenticatedUser | null>;
+    /**
+     * User CRUD for the admin panel's user management UI.
+     * Optional — if not provided, user management UI is hidden.
+     */
+    userManagement?: UserManagementAdapter;
+    /**
+     * Role CRUD for the admin panel.
+     * Optional — if not provided, role management is disabled.
+     */
+    roleManagement?: RoleManagementAdapter;
+    /**
+     * Mount adapter-specific auth routes (login, register, refresh, etc.).
+     *
+     * - Built-in adapter: mounts `/auth/login`, `/auth/register`, etc.
+     * - External adapter: typically returns `undefined` (auth is handled externally).
+     * - Custom adapter: user mounts their own routes.
+     *
+     * The return type uses `Hono<any, any, any>` because this sub-app will be
+     * mounted into a parent app via `.route()`, which accepts any Hono env type.
+     * Adapter implementations are free to use their own env (e.g. `Hono<HonoEnv>`).
+     *
+     * @returns A Hono sub-app with auth routes, or `undefined` to skip route mounting.
+     */
+    createAuthRoutes?(): Hono<any, any, any> | undefined;
+    /**
+     * Mount admin routes for user/role management.
+     *
+     * Same typing rationale as `createAuthRoutes` — the sub-app env is
+     * unconstrained to support arbitrary adapter implementations.
+     *
+     * @returns A Hono sub-app with admin routes, or `undefined` to skip.
+     */
+    createAdminRoutes?(): Hono<any, any, any> | undefined;
+    /**
+     * Advertise what this auth adapter supports.
+     *
+     * The frontend reads this from `GET /api/auth/config` to dynamically
+     * show/hide UI elements. This is the bridge between backend capabilities
+     * and the frontend's `AuthCapabilities` type.
+     */
+    getCapabilities(): AuthAdapterCapabilities | Promise<AuthAdapterCapabilities>;
+    /**
+     * Called during backend initialization.
+     * Use for running migrations, creating tables, seeding initial data, etc.
+     */
+    initialize?(): Promise<void>;
+    /**
+     * Called during graceful shutdown.
+     * Use for closing connections, flushing caches, etc.
+     */
+    destroy?(): Promise<void>;
+    /**
+     * A static secret key for server-to-server / script authentication.
+     *
+     * When set, requests with `Authorization: Bearer <serviceKey>` bypass
+     * normal token verification and are granted admin-level access.
+     */
+    serviceKey?: string;
+}
+/**
+ * Options for creating a minimal custom auth adapter via `createCustomAuthAdapter()`.
+ *
+ * This is the simplest way to plug an existing auth system into Rebase.
+ * Only `verifyRequest` is required — everything else is optional.
+ *
+ * @group Auth
+ */
+export interface CustomAuthAdapterOptions {
+    /**
+     * Verify an incoming request and return the authenticated user.
+     * This is the only required method.
+     */
+    verifyRequest: (request: Request) => Promise<AuthenticatedUser | null>;
+    /**
+     * Verify a raw bearer token for WebSocket authentication.
+     * Optional — if omitted, a synthetic `Request` is constructed and passed
+     * to `verifyRequest`.
+     */
+    verifyToken?: (token: string) => Promise<AuthenticatedUser | null>;
+    /** Optional user management for the admin panel. */
+    userManagement?: UserManagementAdapter;
+    /** Optional role management for the admin panel. */
+    roleManagement?: RoleManagementAdapter;
+    /** Static service key for server-to-server auth. */
+    serviceKey?: string;
+    /** Override default capabilities. */
+    capabilities?: Partial<AuthAdapterCapabilities>;
+}