@rebasepro/server-core 0.1.2 → 0.2.1

package/dist/types/src/types/index.d.ts

@@ -24,3 +24,5 @@ export * from "./data_source";
 export * from "./cron";
 export * from "./backend_hooks";
 export * from "./component_ref";
+export * from "./auth_adapter";
+export * from "./database_adapter";

package/dist/types/src/types/plugins.d.ts

@@ -250,7 +250,7 @@ export interface PluginFormActionProps<USER extends User = User, EC extends Enti
     disabled: boolean;
     formContext?: FormContext;
     context: RebaseContext<USER>;
-    openEntityMode: "side_panel" | "full_screen" | "split";
+    openEntityMode: "side_panel" | "full_screen" | "split" | "dialog";
 }
 /**
  * Parameters passed to the field builder wrap function.

package/dist/types/src/types/properties.d.ts

@@ -1,5 +1,5 @@
 import type { ComponentRef } from "./component_ref";
-import type { EntityReference, EntityRelation, EntityValues, GeoPoint, Entity } from "./entities";
+import type { EntityReference, EntityRelation, EntityValues, GeoPoint, Entity, Vector } from "./entities";
 import type { Relation, JoinStep, OnAction } from "./relations";
 import type { EntityCollection, FilterValues } from "./collections";
 import type { ColorKey, ColorScheme } from "./chips";
@@ -31,8 +31,8 @@ export type PropertyCallbacks<T = unknown, M extends Record<string, unknown> = R
 /**
  * @group Entity properties
  */
-export type DataType = "string" | "number" | "boolean" | "date" | "geopoint" | "reference" | "relation" | "array" | "map";
-export type Property = StringProperty | NumberProperty | BooleanProperty | DateProperty | GeopointProperty | ReferenceProperty | RelationProperty | ArrayProperty | MapProperty;
+export type DataType = "string" | "number" | "boolean" | "date" | "geopoint" | "reference" | "relation" | "array" | "map" | "vector" | "binary";
+export type Property = StringProperty | NumberProperty | BooleanProperty | DateProperty | GeopointProperty | ReferenceProperty | RelationProperty | ArrayProperty | MapProperty | VectorProperty | BinaryProperty;
 export type Properties = {
     [key: string]: Property;
 };
@@ -48,7 +48,7 @@ export type FirebaseProperties = {
  * A helper type to infer the underlying data type from a Property definition.
  * This is the core of the type inference system.
  */
-export type InferPropertyType<P extends Property> = P extends StringProperty ? string : P extends NumberProperty ? number : P extends BooleanProperty ? boolean : P extends DateProperty ? Date : P extends GeopointProperty ? GeoPoint : P extends ReferenceProperty ? EntityReference : P extends RelationProperty ? EntityRelation | EntityRelation[] : P extends ArrayProperty ? (P["of"] extends Property ? InferPropertyType<P["of"]>[] : unknown[]) : P extends MapProperty ? (P["properties"] extends Properties ? InferEntityType<P["properties"]> : Record<string, unknown>) : never;
+export type InferPropertyType<P extends Property> = P extends StringProperty ? string : P extends NumberProperty ? number : P extends BooleanProperty ? boolean : P extends DateProperty ? Date : P extends GeopointProperty ? GeoPoint : P extends ReferenceProperty ? EntityReference : P extends RelationProperty ? EntityRelation | EntityRelation[] : P extends ArrayProperty ? (P["of"] extends Property ? InferPropertyType<P["of"]>[] : unknown[]) : P extends MapProperty ? (P["properties"] extends Properties ? InferEntityType<P["properties"]> : Record<string, unknown>) : P extends VectorProperty ? Vector : P extends BinaryProperty ? string : never;
 /**
  * Helper type that determines whether a property is required.
  * Uses direct structural matching against `{ validation: { required: true } }`
@@ -309,6 +309,25 @@ export interface BooleanProperty extends BaseProperty {
      */
     validation?: PropertyValidationSchema;
 }
+/**
+ * @group Entity properties
+ */
+export interface VectorUIConfig extends BaseUIConfig {
+    clearable?: boolean;
+}
+export interface VectorProperty extends BaseProperty {
+    ui?: VectorUIConfig;
+    type: "vector";
+    dimensions: number;
+    validation?: PropertyValidationSchema;
+}
+/**
+ * @group Entity properties
+ */
+export interface BinaryProperty extends BaseProperty {
+    type: "binary";
+    validation?: PropertyValidationSchema;
+}
 /**
  * @group Entity properties
  */
@@ -421,7 +440,7 @@ export interface RelationProperty extends BaseProperty {
      * When set, the framework treats this property as a self-contained relation
      * definition and no separate `relations[]` entry is needed.
      */
-    target?: () => EntityCollection;
+    target?: string | (() => EntityCollection | string);
     /**
      * Whether this property references one or many records.
      * Defaults to `"one"`.

package/dist/types/src/types/property_config.d.ts

@@ -1,5 +1,5 @@
 import React from "react";
-import { ArrayProperty, MapProperty, StringProperty, NumberProperty, BooleanProperty, DateProperty, GeopointProperty, ReferenceProperty, RelationProperty } from "./properties";
+import { ArrayProperty, MapProperty, StringProperty, NumberProperty, BooleanProperty, DateProperty, GeopointProperty, ReferenceProperty, RelationProperty, VectorProperty, BinaryProperty } from "./properties";
 import { BaseProperty } from "./properties";
 type CMSBasePropertyNoName = Omit<BaseProperty, "name">;
 export type ConfigProperty = (Omit<StringProperty, "name"> & {
@@ -28,6 +28,10 @@ export type ConfigProperty = (Omit<StringProperty, "name"> & {
 } & CMSBasePropertyNoName) | (Omit<MapProperty, "name" | "properties"> & {
     name?: string;
     properties?: Record<string, ConfigProperty>;
+} & CMSBasePropertyNoName) | (Omit<VectorProperty, "name"> & {
+    name?: string;
+} & CMSBasePropertyNoName) | (Omit<BinaryProperty, "name"> & {
+    name?: string;
 } & CMSBasePropertyNoName);
 /**
  * This is the configuration object for a property.
@@ -66,5 +70,5 @@ export type PropertyConfig = {
      */
     description?: string;
 };
-export type PropertyConfigId = "text_field" | "multiline" | "markdown" | "url" | "email" | "user_select" | "select" | "multi_select" | "number_input" | "number_select" | "multi_number_select" | "file_upload" | "multi_file_upload" | "group" | "key_value" | "reference" | "reference_as_string" | "multi_references" | "relation" | "switch" | "date_time" | "repeat" | "custom_array" | "block";
+export type PropertyConfigId = "text_field" | "multiline" | "markdown" | "url" | "email" | "user_select" | "select" | "multi_select" | "number_input" | "number_select" | "multi_number_select" | "file_upload" | "multi_file_upload" | "group" | "key_value" | "reference" | "reference_as_string" | "multi_references" | "relation" | "switch" | "date_time" | "repeat" | "custom_array" | "block" | "vector_input";
 export {};

package/dist/types/src/types/relations.d.ts

@@ -17,7 +17,7 @@ export interface Relation {
     /**
      * The final collection you want to retrieve records from.
      */
-    target: () => EntityCollection;
+    target: (() => EntityCollection) | any;
     /**
      * The nature of the relationship, determining if one or many records are returned.
      */

package/dist/types/src/types/translations.d.ts

@@ -30,6 +30,8 @@ export interface RebaseTranslations {
     copy: string;
     delete: string;
     delete_not_allowed: string;
+    edit_entity?: string;
+    back_to_detail?: string;
     delete_confirmation_title: string;
     delete_confirmation_body: string;
     delete_multiple_confirmation_body: string;
@@ -392,6 +394,12 @@ export interface RebaseTranslations {
     submit: string;
     no_filterable_properties: string;
     apply_filters: string;
+    /** Label shown on the filter presets dropdown trigger */
+    filter_presets?: string;
+    /** Tooltip shown when hovering over a preset entry */
+    filter_preset_apply?: string;
+    /** Shown when a preset is active, with {{label}} interpolation */
+    filter_preset_active?: string;
     list: string;
     table_view_mode: string;
     cards: string;

package/dist/types/src/users/user.d.ts

@@ -42,5 +42,10 @@ export type User = {
      * The date and time when the user was created.
      */
     createdAt?: Date | string | null;
+    /**
+     * Additional metadata/custom claims associated with the user.
+     * Accessible by the frontend, but only writable by the backend.
+     */
+    readonly metadata?: Record<string, any>;
     getIdToken?: (forceRefresh?: boolean) => Promise<string>;
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@rebasepro/server-core",
   "type": "module",
-  "version": "0.1.2",
+  "version": "0.2.1",
   "description": "Database-Agnostic Backend Core for Rebase",
   "funding": {
     "url": "https://github.com/sponsors/rebaseco"
@@ -33,44 +33,44 @@
   "exports": {
     ".": {
       "types": "./dist/server-core/src/index.d.ts",
-      "development": "./src/index.ts",
+      "development": "./dist/index.es.js",
       "import": "./dist/index.es.js",
       "require": "./dist/index.umd.js"
     },
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.654.0",
-    "@aws-sdk/s3-request-presigner": "^3.654.0",
+    "@aws-sdk/client-s3": "^3.1050.0",
+    "@aws-sdk/s3-request-presigner": "^3.1050.0",
     "@hono/graphql-server": "0.7.0",
     "@hono/node-server": "1.19.12",
-    "google-auth-library": "^9.0.0",
-    "graphql": "^16.8.1",
-    "hono": "^4.12.10",
-    "jsonwebtoken": "^9.0.0",
-    "nodemailer": "^6.9.0",
+    "drizzle-orm": "^0.44.7",
+    "google-auth-library": "^9.15.1",
+    "graphql": "^16.14.0",
+    "hono": "^4.12.21",
+    "jsonwebtoken": "^9.0.3",
+    "nodemailer": "^6.10.1",
     "ts-morph": "27.0.2",
-    "ws": "^8.16.0",
-    "zod": "^3.22.4",
-    "@rebasepro/client": "0.1.2",
-    "@rebasepro/common": "0.1.2",
-    "@rebasepro/utils": "0.1.2",
-    "@rebasepro/types": "0.1.2"
+    "ws": "^8.20.1",
+    "zod": "^3.25.76",
+    "@rebasepro/common": "0.2.1",
+    "@rebasepro/client": "0.2.1",
+    "@rebasepro/types": "0.2.1",
+    "@rebasepro/utils": "0.2.1"
   },
   "devDependencies": {
     "@types/jest": "^29.5.14",
-    "@types/jsonwebtoken": "^9.0.0",
-    "@types/node": "^20.10.5",
-    "@types/nodemailer": "^6.4.0",
-    "@types/react": "^19.0.8",
-    "@types/react-dom": "^19.0.3",
-    "@types/ws": "^8.5.10",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^20.19.41",
+    "@types/nodemailer": "^6.4.23",
+    "@types/react": "^19.2.15",
+    "@types/react-dom": "^19.2.3",
+    "@types/ws": "^8.18.1",
+    "@vitejs/plugin-react": "^4.7.0",
     "jest": "^29.7.0",
     "ts-jest": "29.4.1",
-    "typescript": "^5.0.0",
-    "vite": "^5.0.0",
-    "@rebasepro/common": "0.1.2",
-    "@rebasepro/types": "0.1.2"
+    "typescript": "^5.9.3",
+    "vite": "^5.4.21"
   },
   "gitHead": "d935eefa5aa8d1009a2398cfac2c1e4ee9aeb6b6",
   "publishConfig": {
@@ -80,7 +80,7 @@
     "watch": "vite build --watch",
     "build": "vite build && tsc --emitDeclarationOnly -p tsconfig.prod.json",
     "test:lint": "eslint \"src/**\" --quiet",
-    "test": "jest --passWithNoTests",
+    "test": "jest --passWithNoTests --forceExit",
     "clean": "rm -rf dist && find ./src -name '*.js' -type f | xargs rm -f"
   }
 }

package/src/api/errors.ts

@@ -108,7 +108,7 @@ export const errorHandler: ErrorHandler = (err, c) => {
             logMessage = `Database schema mismatch (${issue} missing): ${cause.message}. Did you forget to run migrations ('pnpm db:push' or 'pnpm db:migrate')?`;
         }
     } else if ("code" in error && error.code === "ENETUNREACH") {
-         const netErr = error as unknown as PgLikeError;
+         const netErr = error as PgLikeError;
          logMessage = `Network unreachable. Cannot connect to service at ${netErr.address}:${netErr.port}.`;
     } else if ("code" in error && (error.code === "42703" || error.code === "42P01")) {
         const issue = error.code === "42703" ? "column" : "table";

package/src/api/graphql/graphql-schema-generator.ts

@@ -89,6 +89,7 @@ export class GraphQLSchemaGenerator {
         let type;
 
         switch (property.type) {
+            case "binary":
             case "string":
                 type = GraphQLString;
                 break;
@@ -104,6 +105,9 @@ export class GraphQLSchemaGenerator {
             case "array":
                 type = new GraphQLList(GraphQLString);
                 break;
+            case "vector":
+                type = new GraphQLList(GraphQLFloat);
+                break;
             default:
                 type = GraphQLString;
         }
@@ -143,6 +147,7 @@ export class GraphQLSchemaGenerator {
 
     private convertPropertyToInputType(property: Property) {
         switch (property.type) {
+            case "binary":
             case "string":
                 return GraphQLString;
             case "number":
@@ -153,6 +158,8 @@ export class GraphQLSchemaGenerator {
                 return GraphQLString;
             case "array":
                 return new GraphQLList(GraphQLString);
+            case "vector":
+                return new GraphQLList(GraphQLFloat);
             default:
                 return GraphQLString;
         }

package/src/api/openapi-generator.ts

@@ -1,4 +1,4 @@
-import { EntityCollection, Property, StringProperty, NumberProperty, ArrayProperty, MapProperty, Relation } from "@rebasepro/types";
+import { EntityCollection, Property, StringProperty, NumberProperty, ArrayProperty, MapProperty, Relation, VectorProperty } from "@rebasepro/types";
 
 /**
  * OpenAPI 3.0.3 specification generator.
@@ -624,6 +624,18 @@ enum: [variantKey] },
             return base;
         }
 
+        case "vector": {
+            const vp = property as VectorProperty;
+            base.type = "array";
+            base.items = { type: "number" };
+            base.description = (base.description || "") + ` (Vector(${vp.dimensions}))`;
+            return base;
+        }
+        case "binary": {
+            base.type = "string";
+            base.description = (base.description || "") + " (Binary/Base64)";
+            return base;
+        }
         default:
             base.type = "string";
             return base;

package/src/api/rest/api-generator-count.test.ts

@@ -1,18 +1,20 @@
 import { jest } from "@jest/globals";
 import { RestApiGenerator } from "./api-generator";
-import type { DataDriver, EntityCollection, FetchCollectionProps } from "@rebasepro/types";
+import type { DataDriver, Entity, EntityCollection, FetchCollectionProps } from "@rebasepro/types";
 
 /**
  * Minimal mock DataDriver for testing.
  */
 function createMockDriver(overrides?: Partial<DataDriver>): DataDriver {
     return {
-        fetchCollection: jest.fn().mockResolvedValue([]),
-        fetchEntity: jest.fn().mockResolvedValue(null),
-        saveEntity: jest.fn().mockResolvedValue({ id: "1", path: "test", values: {} }),
-        deleteEntity: jest.fn().mockResolvedValue(undefined),
-        countEntities: jest.fn().mockResolvedValue(0),
-        ...overrides,
+        fetchCollection: jest.fn<DataDriver["fetchCollection"]>().mockResolvedValue([]),
+        fetchEntity: jest.fn<DataDriver["fetchEntity"]>().mockResolvedValue(undefined),
+        saveEntity: jest.fn<DataDriver["saveEntity"]>().mockResolvedValue({ id: "1",
+path: "test",
+values: {} } as Entity),
+        deleteEntity: jest.fn<DataDriver["deleteEntity"]>().mockResolvedValue(undefined),
+        countEntities: jest.fn<NonNullable<DataDriver["countEntities"]>>().mockResolvedValue(0),
+        ...overrides
     } as unknown as DataDriver;
 }
 
@@ -21,7 +23,7 @@ function createTestCollection(slug: string): EntityCollection {
         slug,
         name: slug.charAt(0).toUpperCase() + slug.slice(1),
         path: slug,
-        properties: {},
+        properties: {}
     } as unknown as EntityCollection;
 }
 
@@ -31,7 +33,7 @@ describe("RestApiGenerator - Count Endpoint", () => {
 
     beforeEach(() => {
         driver = createMockDriver({
-            countEntities: jest.fn().mockResolvedValue(42),
+            countEntities: jest.fn<NonNullable<DataDriver["countEntities"]>>().mockResolvedValue(42)
         });
         collection = createTestCollection("products");
     });
@@ -93,10 +95,10 @@ describe("RestApiGenerator - Count Endpoint", () => {
 
     it("GET /products/count should not be confused with GET /products/:id", async () => {
         // Ensure the count route is registered before the :id route
-        const fetchEntity = jest.fn().mockResolvedValue(null);
+        const fetchEntity = jest.fn<DataDriver["fetchEntity"]>().mockResolvedValue(undefined);
         const driverCustom = createMockDriver({
-            countEntities: jest.fn().mockResolvedValue(99),
-            fetchEntity,
+            countEntities: jest.fn<NonNullable<DataDriver["countEntities"]>>().mockResolvedValue(99),
+            fetchEntity: fetchEntity as unknown as DataDriver["fetchEntity"]
         });
         const generator = new RestApiGenerator([collection], driverCustom);
         const app = generator.generateRoutes();

package/src/api/rest/query-parser.ts

@@ -37,27 +37,9 @@ export function parseQueryOptions(query: Record<string, unknown>): QueryOptions
     // Filtering
     options.where = {};
 
-    // Legacy JSON where clause
-    if (query.where) {
-        try {
-            const parsedWhere = typeof query.where === "string"
-                ? JSON.parse(query.where)
-                : query.where;
-            if (typeof parsedWhere !== "object" || parsedWhere === null || Array.isArray(parsedWhere)) {
-                throw new Error("Filter must be a JSON object");
-            }
-            Object.assign(options.where, parsedWhere);
-        } catch (e) {
-            const message = e instanceof Error ? e.message : "malformed JSON";
-            const err = new Error(`Invalid 'where' filter: ${message}`) as Error & { code?: string; statusCode?: number };
-            err.code = "BAD_REQUEST";
-            err.statusCode = 400;
-            throw err;
-        }
-    }
 
-    // PostgREST style filtering
-    const reservedQueryKeys = ["limit", "offset", "page", "orderBy", "where", "include", "fields", "searchString"];
+    // PostgREST-style filtering: ?field=op.value
+    const reservedQueryKeys = ["limit", "offset", "page", "orderBy", "include", "fields", "searchString"];
     for (const [key, rawValue] of Object.entries(query)) {
         if (reservedQueryKeys.includes(key)) continue;
 

package/src/auth/adapter-middleware.ts

@@ -0,0 +1,83 @@
+/**
+ * Adapter Auth Middleware
+ *
+ * Creates a Hono middleware that delegates authentication to an `AuthAdapter`
+ * instead of hardcoded JWT verification. This is used when the user passes
+ * an `AuthAdapter` to `initializeRebaseBackend()`.
+ *
+ * The middleware:
+ * 1. Calls `adapter.verifyRequest(request)` to resolve the user
+ * 2. Scopes the DataDriver via `withAuth()` for RLS
+ * 3. Enforces auth (401) when `requireAuth` is true and no user is found
+ *
+ * The behavior is identical to `createAuthMiddleware()` — only the
+ * token verification strategy is pluggable.
+ */
+
+import type { MiddlewareHandler } from "hono";
+import type { DataDriver, AuthAdapter } from "@rebasepro/types";
+import type { HonoEnv } from "../api/types";
+import { scopeDataDriver } from "./rls-scope";
+
+export interface AdapterAuthMiddlewareOptions {
+    /** The auth adapter to delegate verification to. */
+    adapter: AuthAdapter;
+    /** The DataDriver to scope via withAuth() for RLS. */
+    driver: DataDriver;
+    /**
+     * If true, return 401 when no valid user is resolved.
+     * Defaults to `true` (secure by default).
+     */
+    requireAuth?: boolean;
+}
+
+/**
+ * Create a Hono middleware that uses an `AuthAdapter` for request verification.
+ */
+export function createAdapterAuthMiddleware(options: AdapterAuthMiddlewareOptions): MiddlewareHandler<HonoEnv> {
+    const { adapter, driver, requireAuth: enforceAuth = true } = options;
+
+    return async (c, next) => {
+        let authenticatedUser = null;
+
+        try {
+            authenticatedUser = await adapter.verifyRequest(c.req.raw);
+        } catch (error) {
+            // adapter.verifyRequest() threw — reject the request (fail closed)
+            return c.json({ error: { message: "Unauthorized", code: "UNAUTHORIZED" } }, 401);
+        }
+
+        if (authenticatedUser) {
+            // Authenticated — set user context and scope driver
+            c.set("user", {
+                userId: authenticatedUser.uid,
+                email: authenticatedUser.email,
+                roles: authenticatedUser.roles,
+            });
+            try {
+                c.set("driver", await scopeDataDriver(driver, {
+                    uid: authenticatedUser.uid,
+                    roles: authenticatedUser.roles,
+                }));
+            } catch (error) {
+                console.error("[AUTH-ADAPTER] RLS scoping failed for authenticated user:", error);
+                return c.json({ error: { message: "Internal authentication error", code: "INTERNAL_ERROR" } }, 500);
+            }
+        } else {
+            // Not authenticated — scope as anon for RLS evaluation
+            try {
+                c.set("driver", await scopeDataDriver(driver, { uid: "anon", roles: ["anon"] }));
+            } catch (error) {
+                console.error("[AUTH-ADAPTER] Failed to create anon-scoped driver:", error);
+                return c.json({ error: { message: "Server configuration error", code: "INTERNAL_ERROR" } }, 500);
+            }
+        }
+
+        // Enforce auth if required
+        if (enforceAuth && !c.get("user")) {
+            return c.json({ error: { message: "Unauthorized: Authentication required", code: "UNAUTHORIZED" } }, 401);
+        }
+
+        return next();
+    };
+}

package/src/auth/admin-routes.ts

@@ -2,7 +2,8 @@ import { Hono } from "hono";
 import { ApiError, errorHandler } from "../api/errors";
 import type { AuthRepository } from "./interfaces";
 import { requireAuth, requireAdmin, createRequireAuth } from "./middleware";
-import { hashPassword, validatePasswordStrength } from "./password";
+import type { AuthOverrides } from "./auth-overrides";
+import { resolveAuthOverrides } from "./auth-overrides";
 import { AuthModuleConfig } from "./routes";
 import type { BackendHooks, AdminUser, AdminRole, BackendHookContext } from "@rebasepro/types";
 
@@ -17,6 +18,11 @@ interface AdminRouteOptions extends AuthModuleConfig {
      * Backend-level hooks for intercepting admin data.
      */
     hooks?: BackendHooks;
+    /**
+     * Auth overrides for customizing password hashing, credential
+     * verification, lifecycle hooks, etc.
+     */
+    overrides?: AuthOverrides;
 }
 import { HonoEnv } from "../api/types";
 import { randomBytes, createHash } from "crypto";
@@ -68,7 +74,8 @@ function hashToken(token: string): string {
 export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
     const router = new Hono<HonoEnv>();
     const authRepo = config.authRepo;
-    const { emailService, emailConfig, hooks } = config;
+    const { emailService, emailConfig, hooks, overrides } = config;
+    const ops = resolveAuthOverrides(overrides);
 
     /** Build a BackendHookContext from Hono's context object */
     function buildHookContext(c: { get: (key: string) => unknown }, method: BackendHookContext["method"]): BackendHookContext {
@@ -192,41 +199,20 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
         const orderDir = c.req.query("orderDir") as "asc" | "desc" | undefined;
         const hookCtx = buildHookContext(c, "GET");
 
-        // If pagination params are provided, use the paginated path
-        if (limitParam !== undefined || search) {
-            const limit = limitParam ? parseInt(limitParam, 10) : 25;
-            const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
-
-            const result = await authRepo.listUsersPaginated({
-                limit,
-                offset,
-                search: search || undefined,
-                orderBy: orderBy || undefined,
-                orderDir: orderDir || undefined,
-                roleId: c.req.query("role") || undefined
-            });
-
-            let usersWithRoles: AdminUser[] = await Promise.all(
-                result.users.map(async (u) => {
-                    const roles = await authRepo.getUserRoleIds(u.id);
-                    return toAdminUser(u, roles);
-                })
-            );
-
-            usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
+        const limit = limitParam ? parseInt(limitParam, 10) : 25;
+        const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
 
-            return c.json({
-                users: usersWithRoles,
-                total: result.total,
-                limit: result.limit,
-                offset: result.offset
-            });
-        }
+        const result = await authRepo.listUsersPaginated({
+            limit,
+            offset,
+            search: search || undefined,
+            orderBy: orderBy || undefined,
+            orderDir: orderDir || undefined,
+            roleId: c.req.query("role") || undefined
+        });
 
-        // Legacy: return all users (no pagination)
-        const users = await authRepo.listUsers();
         let usersWithRoles: AdminUser[] = await Promise.all(
-            users.map(async (u) => {
+            result.users.map(async (u) => {
                 const roles = await authRepo.getUserRoleIds(u.id);
                 return toAdminUser(u, roles);
             })
@@ -234,7 +220,12 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
 
         usersWithRoles = await applyUserAfterReadBatch(usersWithRoles, hookCtx);
 
-        return c.json({ users: usersWithRoles });
+        return c.json({
+            users: usersWithRoles,
+            total: result.total,
+            limit: result.limit,
+            offset: result.offset
+        });
     });
 
     router.get("/users/:userId", requireAdmin, async (c) => {
@@ -258,7 +249,8 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
 
     router.post("/users", requireAdmin, async (c) => {
         const body = await c.req.json();
-        let { email, displayName, password, roles } = body;
+        const { password } = body;
+        let { email, displayName, roles } = body;
 
         if (!email) {
             throw ApiError.badRequest("Email is required", "INVALID_INPUT");
@@ -281,11 +273,11 @@ export function createAdminRoutes(config: AdminRouteOptions): Hono<HonoEnv> {
         // Use provided password or auto-generate one
         const clearPassword = password || generateSecurePassword();
 
-        const validation = validatePasswordStrength(clearPassword);
+        const validation = ops.validatePasswordStrength(clearPassword);
         if (!validation.valid) {
             throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
         }
-        const passwordHash = await hashPassword(clearPassword);
+        const passwordHash = await ops.hashPassword(clearPassword);
 
         const user = await authRepo.createUser({
             email: email.toLowerCase(),
@@ -401,14 +393,14 @@ displayName: existing.displayName }, appName);
                 console.error("Failed to send reset email:", emailError instanceof Error ? emailError.message : emailError);
                 // Fall back to returning the temporary password
                 const clearPassword = generateSecurePassword();
-                const passwordHash = await hashPassword(clearPassword);
+                const passwordHash = await ops.hashPassword(clearPassword);
                 await authRepo.updatePassword(existing.id, passwordHash);
                 temporaryPassword = clearPassword;
             }
         } else {
             // No email service — generate password, set it, and return one-time
             const clearPassword = generateSecurePassword();
-            const passwordHash = await hashPassword(clearPassword);
+            const passwordHash = await ops.hashPassword(clearPassword);
             await authRepo.updatePassword(existing.id, passwordHash);
             temporaryPassword = clearPassword;
         }
@@ -430,7 +422,8 @@ displayName: existing.displayName }, appName);
     router.put("/users/:userId", requireAdmin, async (c) => {
         const userId = c.req.param("userId");
         const body = await c.req.json();
-        let { email, displayName, password, roles } = body;
+        const { password } = body;
+        let { email, displayName, roles } = body;
 
         const existing = await authRepo.getUserById(userId);
         if (!existing) {
@@ -451,11 +444,11 @@ displayName: existing.displayName }, appName);
         if (displayName !== undefined) updates.displayName = displayName;
 
         if (password) {
-            const validation = validatePasswordStrength(password);
+            const validation = ops.validatePasswordStrength(password);
             if (!validation.valid) {
                 throw ApiError.badRequest(validation.errors.join(". "), "WEAK_PASSWORD");
             }
-            updates.passwordHash = await hashPassword(password);
+            updates.passwordHash = await ops.hashPassword(password);
         }
 
         if (Object.keys(updates).length > 0) {