@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.86

package/dist/plugin.js

@@ -8,15 +8,25 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/server/entities/schema.ts
+import { createFunctionSchema } from "@spfn/core/db";
+var authSchema;
+var init_schema = __esm({
+  "src/server/entities/schema.ts"() {
+    "use strict";
+    authSchema = createFunctionSchema("@spfn/auth");
+  }
+});
+
 // src/server/entities/roles.ts
 import { text, boolean, integer, index } from "drizzle-orm/pg-core";
-import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
-var schema, roles;
+import { id, timestamps } from "@spfn/core/db";
+var roles;
 var init_roles = __esm({
   "src/server/entities/roles.ts"() {
     "use strict";
-    schema = createFunctionSchema("@spfn/auth");
-    roles = schema.table(
+    init_schema();
+    roles = authSchema.table(
       "roles",
       {
         // Primary key
@@ -58,15 +68,15 @@ var init_roles = __esm({
 
 // src/server/entities/users.ts
 import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
-import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { id as id2, timestamps as timestamps2 } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
-var schema2, users;
+var users;
 var init_users = __esm({
   "src/server/entities/users.ts"() {
     "use strict";
     init_roles();
-    schema2 = createFunctionSchema2("@spfn/auth");
-    users = schema2.table(
+    init_schema();
+    users = authSchema.table(
       "users",
       {
         // Identity
@@ -131,14 +141,14 @@ var init_users = __esm({
 
 // src/server/entities/user-social-accounts.ts
 import { text as text3, timestamp as timestamp2, uniqueIndex } from "drizzle-orm/pg-core";
-import { id as id3, timestamps as timestamps3, foreignKey, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
-var schema3, userSocialAccounts;
+import { id as id3, timestamps as timestamps3, foreignKey } from "@spfn/core/db";
+var userSocialAccounts;
 var init_user_social_accounts = __esm({
   "src/server/entities/user-social-accounts.ts"() {
     "use strict";
     init_users();
-    schema3 = createFunctionSchema3("@spfn/auth");
-    userSocialAccounts = schema3.table(
+    init_schema();
+    userSocialAccounts = authSchema.table(
       "user_social_accounts",
       {
         id: id3(),
@@ -169,14 +179,14 @@ var init_user_social_accounts = __esm({
 
 // src/server/entities/user-public-keys.ts
 import { text as text4, timestamp as timestamp3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
-import { id as id4, foreignKey as foreignKey2, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
-var schema4, userPublicKeys;
+import { id as id4, foreignKey as foreignKey2 } from "@spfn/core/db";
+var userPublicKeys;
 var init_user_public_keys = __esm({
   "src/server/entities/user-public-keys.ts"() {
     "use strict";
     init_users();
-    schema4 = createFunctionSchema4("@spfn/auth");
-    userPublicKeys = schema4.table(
+    init_schema();
+    userPublicKeys = authSchema.table(
       "user_public_keys",
       {
         id: id4(),
@@ -214,13 +224,13 @@ var init_user_public_keys = __esm({
 
 // src/server/entities/verification-codes.ts
 import { text as text5, timestamp as timestamp4, index as index4 } from "drizzle-orm/pg-core";
-import { id as id5, timestamps as timestamps4, createFunctionSchema as createFunctionSchema5 } from "@spfn/core/db";
-var schema5, verificationCodes;
+import { id as id5, timestamps as timestamps4 } from "@spfn/core/db";
+var verificationCodes;
 var init_verification_codes = __esm({
   "src/server/entities/verification-codes.ts"() {
     "use strict";
-    schema5 = createFunctionSchema5("@spfn/auth");
-    verificationCodes = schema5.table(
+    init_schema();
+    verificationCodes = authSchema.table(
       "verification_codes",
       {
         id: id5(),
@@ -261,15 +271,15 @@ var init_verification_codes = __esm({
 
 // src/server/entities/invitations.ts
 import { text as text6, timestamp as timestamp5, bigint as bigint2, index as index5, jsonb } from "drizzle-orm/pg-core";
-import { id as id6, timestamps as timestamps5, createFunctionSchema as createFunctionSchema6 } from "@spfn/core/db";
-var schema6, invitations;
+import { id as id6, timestamps as timestamps5 } from "@spfn/core/db";
+var invitations;
 var init_invitations = __esm({
   "src/server/entities/invitations.ts"() {
     "use strict";
     init_roles();
     init_users();
-    schema6 = createFunctionSchema6("@spfn/auth");
-    invitations = schema6.table(
+    init_schema();
+    invitations = authSchema.table(
       "user_invitations",
       {
         // Primary key
@@ -337,13 +347,13 @@ var init_invitations = __esm({
 
 // src/server/entities/permissions.ts
 import { text as text7, boolean as boolean4, index as index6 } from "drizzle-orm/pg-core";
-import { id as id7, timestamps as timestamps6, createFunctionSchema as createFunctionSchema7 } from "@spfn/core/db";
-var schema7, permissions;
+import { id as id7, timestamps as timestamps6 } from "@spfn/core/db";
+var permissions;
 var init_permissions = __esm({
   "src/server/entities/permissions.ts"() {
     "use strict";
-    schema7 = createFunctionSchema7("@spfn/auth");
-    permissions = schema7.table(
+    init_schema();
+    permissions = authSchema.table(
       "permissions",
       {
         // Primary key
@@ -384,15 +394,15 @@ var init_permissions = __esm({
 
 // src/server/entities/role-permissions.ts
 import { bigint as bigint3, index as index7, unique } from "drizzle-orm/pg-core";
-import { id as id8, timestamps as timestamps7, createFunctionSchema as createFunctionSchema8 } from "@spfn/core/db";
-var schema8, rolePermissions;
+import { id as id8, timestamps as timestamps7 } from "@spfn/core/db";
+var rolePermissions;
 var init_role_permissions = __esm({
   "src/server/entities/role-permissions.ts"() {
     "use strict";
     init_roles();
     init_permissions();
-    schema8 = createFunctionSchema8("@spfn/auth");
-    rolePermissions = schema8.table(
+    init_schema();
+    rolePermissions = authSchema.table(
       "role_permissions",
       {
         // Primary key
@@ -416,15 +426,15 @@ var init_role_permissions = __esm({
 
 // src/server/entities/user-permissions.ts
 import { bigint as bigint4, boolean as boolean5, text as text8, timestamp as timestamp6, index as index8, unique as unique2 } from "drizzle-orm/pg-core";
-import { id as id9, timestamps as timestamps8, createFunctionSchema as createFunctionSchema9 } from "@spfn/core/db";
-var schema9, userPermissions;
+import { id as id9, timestamps as timestamps8 } from "@spfn/core/db";
+var userPermissions;
 var init_user_permissions = __esm({
   "src/server/entities/user-permissions.ts"() {
     "use strict";
     init_users();
     init_permissions();
-    schema9 = createFunctionSchema9("@spfn/auth");
-    userPermissions = schema9.table(
+    init_schema();
+    userPermissions = authSchema.table(
       "user_permissions",
       {
         // Primary key
@@ -460,6 +470,7 @@ var init_user_permissions = __esm({
 // src/server/entities/index.ts
 var entities_exports = {};
 __export(entities_exports, {
+  authSchema: () => authSchema,
   invitations: () => invitations,
   permissions: () => permissions,
   rolePermissions: () => rolePermissions,
@@ -473,6 +484,7 @@ __export(entities_exports, {
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
     "use strict";
+    init_schema();
     init_users();
     init_user_social_accounts();
     init_user_public_keys();
@@ -558,6 +570,14 @@ var init_builtin = __esm({
         isSystem: true,
         isBuiltin: true
       },
+      USER_INVITE: {
+        name: "user:invite",
+        displayName: "Invite Users",
+        description: "Create and send user invitations",
+        category: "user",
+        isSystem: true,
+        isBuiltin: true
+      },
       // RBAC management (superadmin functions)
       RBAC_ROLE_MANAGE: {
         name: "rbac:role:manage",
@@ -582,6 +602,7 @@ var init_builtin = __esm({
         "user:read",
         "user:write",
         "user:delete",
+        "user:invite",
         "rbac:role:manage",
         "rbac:permission:manage"
       ],
@@ -589,7 +610,8 @@ var init_builtin = __esm({
         "auth:self:manage",
         "user:read",
         "user:write",
-        "user:delete"
+        "user:delete",
+        "user:invite"
       ],
       user: [
         "auth:self:manage"
@@ -598,167 +620,64 @@ var init_builtin = __esm({
   }
 });
 
-// src/server/rbac/presets.ts
-var PRESET_ROLES, PRESET_PERMISSIONS, PRESET_ROLE_PERMISSIONS;
-var init_presets = __esm({
-  "src/server/rbac/presets.ts"() {
-    "use strict";
-    PRESET_ROLES = {
-      MODERATOR: {
-        name: "moderator",
-        displayName: "Moderator",
-        description: "Content moderation and community management",
-        priority: 50,
-        isSystem: true
-      },
-      EDITOR: {
-        name: "editor",
-        displayName: "Editor",
-        description: "Content creation and editing",
-        priority: 30,
-        isSystem: true
-      },
-      VIEWER: {
-        name: "viewer",
-        displayName: "Viewer",
-        description: "Read-only access to content",
-        priority: 5,
-        isSystem: true
-      }
-    };
-    PRESET_PERMISSIONS = {
-      // Content management
-      CONTENT_READ: {
-        name: "content:read",
-        displayName: "Read Content",
-        description: "View all content including drafts",
-        category: "content",
-        isSystem: true
-      },
-      CONTENT_WRITE: {
-        name: "content:write",
-        displayName: "Write Content",
-        description: "Create and edit content",
-        category: "content",
-        isSystem: true
-      },
-      CONTENT_DELETE: {
-        name: "content:delete",
-        displayName: "Delete Content",
-        description: "Delete any content",
-        category: "content",
-        isSystem: true
-      },
-      CONTENT_PUBLISH: {
-        name: "content:publish",
-        displayName: "Publish Content",
-        description: "Publish content to make it public",
-        category: "content",
-        isSystem: true
-      },
-      // Moderation
-      COMMENT_MODERATE: {
-        name: "comment:moderate",
-        displayName: "Moderate Comments",
-        description: "Review and delete inappropriate comments",
-        category: "moderation",
-        isSystem: true
-      },
-      // System
-      SYSTEM_CONFIG: {
-        name: "system:config",
-        displayName: "System Configuration",
-        description: "Configure application settings",
-        category: "system",
-        isSystem: true
-      },
-      // Analytics
-      ANALYTICS_VIEW: {
-        name: "analytics:view",
-        displayName: "View Analytics",
-        description: "Access analytics dashboard and reports",
-        category: "analytics",
-        isSystem: true
-      }
-    };
-    PRESET_ROLE_PERMISSIONS = {
-      moderator: [
-        "auth:self:manage",
-        "user:read",
-        "content:read",
-        "content:write",
-        "content:delete",
-        "comment:moderate"
-      ],
-      editor: [
-        "auth:self:manage",
-        "content:read",
-        "content:write",
-        "content:publish"
-      ],
-      viewer: [
-        "auth:self:manage",
-        "content:read"
-      ]
-    };
-  }
-});
-
 // src/server/rbac/index.ts
 var init_rbac = __esm({
   "src/server/rbac/index.ts"() {
     "use strict";
     init_types();
     init_builtin();
-    init_presets();
+  }
+});
+
+// src/lib/config.ts
+function configureAuth(config) {
+  globalConfig = {
+    ...globalConfig,
+    ...config
+  };
+}
+var globalConfig;
+var init_config = __esm({
+  "src/lib/config.ts"() {
+    "use strict";
+    globalConfig = {
+      sessionTtl: "7d"
+      // Default: 7 days
+    };
   }
 });
 
 // src/server/services/rbac.service.ts
 import { getDatabase } from "@spfn/core/db";
+import { logger } from "@spfn/core/logger";
 import { eq, and, inArray } from "drizzle-orm";
 async function initializeAuth(options = {}) {
   const db = getDatabase();
   if (!db) {
     throw new Error("[Auth] Database not initialized. Call initDatabase() first.");
   }
-  console.log("[Auth] \u{1F510} Initializing RBAC system...");
-  const allRoles = [...Object.values(BUILTIN_ROLES)];
-  if (options.usePresets) {
-    allRoles.push(...Object.values(PRESET_ROLES));
-  } else if (options.presetRoles) {
-    for (const presetKey of options.presetRoles) {
-      if (PRESET_ROLES[presetKey]) {
-        allRoles.push(PRESET_ROLES[presetKey]);
-      }
-    }
-  }
-  if (options.roles) {
-    allRoles.push(...options.roles);
+  authLogger.info("\u{1F510} Initializing RBAC system...");
+  if (options.sessionTtl !== void 0) {
+    configureAuth({
+      sessionTtl: options.sessionTtl
+    });
+    authLogger.info(`\u23F1\uFE0F  Session TTL: ${options.sessionTtl}`);
   }
+  const allRoles = [
+    ...Object.values(BUILTIN_ROLES),
+    ...options.roles || []
+  ];
   for (const roleConfig of allRoles) {
     await upsertRole(roleConfig);
   }
-  const allPermissions = [...Object.values(BUILTIN_PERMISSIONS)];
-  if (options.usePresets) {
-    allPermissions.push(...Object.values(PRESET_PERMISSIONS));
-  } else if (options.presetPermissions) {
-    for (const presetKey of options.presetPermissions) {
-      if (PRESET_PERMISSIONS[presetKey]) {
-        allPermissions.push(PRESET_PERMISSIONS[presetKey]);
-      }
-    }
-  }
-  if (options.permissions) {
-    allPermissions.push(...options.permissions);
-  }
+  const allPermissions = [
+    ...Object.values(BUILTIN_PERMISSIONS),
+    ...options.permissions || []
+  ];
   for (const permConfig of allPermissions) {
     await upsertPermission(permConfig);
   }
   const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
-  if (options.usePresets) {
-    Object.assign(allMappings, PRESET_ROLE_PERMISSIONS);
-  }
   if (options.rolePermissions) {
     for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
       if (allMappings[roleName]) {
@@ -773,9 +692,9 @@ async function initializeAuth(options = {}) {
   for (const [roleName, permNames] of Object.entries(allMappings)) {
     await assignPermissionsToRole(roleName, permNames);
   }
-  console.log("[Auth] \u2705 RBAC initialization complete");
-  console.log(`[Auth] \u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
-  console.log(`[Auth] \u{1F512} Built-in roles: user, admin, superadmin`);
+  authLogger.info("\u2705 RBAC initialization complete");
+  authLogger.info(`\u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
+  authLogger.info("\u{1F512} Built-in roles: user, admin, superadmin");
 }
 async function upsertRole(config) {
   const db = getDatabase();
@@ -789,7 +708,7 @@ async function upsertRole(config) {
       isSystem: config.isSystem ?? false,
       isBuiltin: config.isBuiltin ?? false
     });
-    console.log(`[Auth]   \u2705 Created role: ${config.name}`);
+    authLogger.info(`  \u2705 Created role: ${config.name}`);
   } else {
     const updateData = {
       displayName: config.displayName,
@@ -813,7 +732,7 @@ async function upsertPermission(config) {
       isSystem: config.isSystem ?? false,
       isBuiltin: config.isBuiltin ?? false
     });
-    console.log(`[Auth]   \u2705 Created permission: ${config.name}`);
+    authLogger.info(`  \u2705 Created permission: ${config.name}`);
   } else {
     await db.update(permissions).set({
       displayName: config.displayName,
@@ -826,12 +745,12 @@ async function assignPermissionsToRole(roleName, permissionNames) {
   const db = getDatabase();
   const [role] = await db.select().from(roles).where(eq(roles.name, roleName)).limit(1);
   if (!role) {
-    console.warn(`[Auth]   \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
+    authLogger.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
     return;
   }
   const perms = await db.select().from(permissions).where(inArray(permissions.name, permissionNames));
   if (perms.length === 0) {
-    console.warn(`[Auth]   \u26A0\uFE0F  No permissions found for role: ${roleName}`);
+    authLogger.warn(`  \u26A0\uFE0F  No permissions found for role: ${roleName}`);
     return;
   }
   for (const perm of perms) {
@@ -849,11 +768,14 @@ async function assignPermissionsToRole(roleName, permissionNames) {
     }
   }
 }
+var authLogger;
 var init_rbac_service = __esm({
   "src/server/services/rbac.service.ts"() {
     "use strict";
     init_entities();
     init_rbac();
+    init_config();
+    authLogger = logger.child("@spfn/auth");
   }
 });
 
@@ -2619,8 +2541,8 @@ var init_value2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/clone/type.mjs
-function CloneType(schema10, options) {
-  return options === void 0 ? Clone(schema10) : Clone({ ...options, ...schema10 });
+function CloneType(schema, options) {
+  return options === void 0 ? Clone(schema) : Clone({ ...options, ...schema });
 }
 var init_type = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/clone/type.mjs"() {
@@ -2737,8 +2659,8 @@ var init_immutable = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/create/type.mjs
-function CreateType(schema10, options) {
-  const result = options !== void 0 ? { ...options, ...schema10 } : schema10;
+function CreateType(schema, options) {
+  const result = options !== void 0 ? { ...options, ...schema } : schema;
   switch (TypeSystemPolicy.InstanceMode) {
     case "freeze":
       return Immutable(result);
@@ -3068,16 +2990,16 @@ function IsBoolean3(value) {
   return IsKindOf2(value, "Boolean") && value.type === "boolean" && IsOptionalString(value.$id);
 }
 function IsComputed2(value) {
-  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema));
 }
 function IsConstructor2(value) {
-  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsDate3(value) {
   return IsKindOf2(value, "Date") && value.type === "Date" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximumTimestamp) && IsOptionalNumber(value.exclusiveMinimumTimestamp) && IsOptionalNumber(value.maximumTimestamp) && IsOptionalNumber(value.minimumTimestamp) && IsOptionalNumber(value.multipleOfTimestamp);
 }
 function IsFunction3(value) {
-  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsImport(value) {
   return IsKindOf2(value, "Import") && HasPropertyKey(value, "$defs") && IsObject(value.$defs) && IsProperties(value.$defs) && HasPropertyKey(value, "$ref") && IsString(value.$ref) && value.$ref in value.$defs;
@@ -3086,10 +3008,10 @@ function IsInteger2(value) {
   return IsKindOf2(value, "Integer") && value.type === "integer" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximum) && IsOptionalNumber(value.exclusiveMinimum) && IsOptionalNumber(value.maximum) && IsOptionalNumber(value.minimum) && IsOptionalNumber(value.multipleOf);
 }
 function IsProperties(value) {
-  return IsObject(value) && Object.entries(value).every(([key, schema10]) => IsControlCharacterFree(key) && IsSchema2(schema10));
+  return IsObject(value) && Object.entries(value).every(([key, schema]) => IsControlCharacterFree(key) && IsSchema2(schema));
 }
 function IsIntersect2(value) {
-  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema10) => IsSchema2(schema10) && !IsTransform2(schema10)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
+  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema) => IsSchema2(schema) && !IsTransform2(schema)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
 }
 function IsIterator3(value) {
   return IsKindOf2(value, "Iterator") && value.type === "Iterator" && IsOptionalString(value.$id) && IsSchema2(value.items);
@@ -3137,9 +3059,9 @@ function IsPromise2(value) {
   return IsKindOf2(value, "Promise") && value.type === "Promise" && IsOptionalString(value.$id) && IsSchema2(value.item);
 }
 function IsRecord2(value) {
-  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema10) => {
-    const keys = Object.getOwnPropertyNames(schema10.patternProperties);
-    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema10.patternProperties) && IsSchema2(schema10.patternProperties[keys[0]]);
+  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema) => {
+    const keys = Object.getOwnPropertyNames(schema.patternProperties);
+    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema.patternProperties) && IsSchema2(schema.patternProperties[keys[0]]);
   })(value);
 }
 function IsRecursive(value) {
@@ -3168,16 +3090,16 @@ function IsTransform2(value) {
 }
 function IsTuple2(value) {
   return IsKindOf2(value, "Tuple") && value.type === "array" && IsOptionalString(value.$id) && IsNumber(value.minItems) && IsNumber(value.maxItems) && value.minItems === value.maxItems && // empty
-  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema10) => IsSchema2(schema10)));
+  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema) => IsSchema2(schema)));
 }
 function IsUndefined4(value) {
   return IsKindOf2(value, "Undefined") && value.type === "undefined" && IsOptionalString(value.$id);
 }
 function IsUnionLiteral(value) {
-  return IsUnion2(value) && value.anyOf.every((schema10) => IsLiteralString(schema10) || IsLiteralNumber(schema10));
+  return IsUnion2(value) && value.anyOf.every((schema) => IsLiteralString(schema) || IsLiteralNumber(schema));
 }
 function IsUnion2(value) {
-  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema) => IsSchema2(schema));
 }
 function IsUint8Array3(value) {
   return IsKindOf2(value, "Uint8Array") && value.type === "Uint8Array" && IsOptionalString(value.$id) && IsOptionalNumber(value.minByteLength) && IsOptionalNumber(value.maxByteLength);
@@ -3778,8 +3700,8 @@ function IsTemplateLiteralExpressionFinite(expression) {
     throw new TemplateLiteralFiniteError(`Unknown expression type`);
   })();
 }
-function IsTemplateLiteralFinite(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function IsTemplateLiteralFinite(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression);
 }
 var TemplateLiteralFiniteError;
@@ -3818,8 +3740,8 @@ function* TemplateLiteralExpressionGenerate(expression) {
     throw new TemplateLiteralGenerateError("Unknown expression");
   })();
 }
-function TemplateLiteralGenerate(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function TemplateLiteralGenerate(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression) ? [...TemplateLiteralExpressionGenerate(expression)] : [];
 }
 var TemplateLiteralGenerateError;
@@ -3991,13 +3913,13 @@ var init_syntax = __esm({
 function Escape(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
-function Visit2(schema10, acc) {
-  return IsTemplateLiteral(schema10) ? schema10.pattern.slice(1, schema10.pattern.length - 1) : IsUnion(schema10) ? `(${schema10.anyOf.map((schema11) => Visit2(schema11, acc)).join("|")})` : IsNumber3(schema10) ? `${acc}${PatternNumber}` : IsInteger(schema10) ? `${acc}${PatternNumber}` : IsBigInt2(schema10) ? `${acc}${PatternNumber}` : IsString2(schema10) ? `${acc}${PatternString}` : IsLiteral(schema10) ? `${acc}${Escape(schema10.const.toString())}` : IsBoolean2(schema10) ? `${acc}${PatternBoolean}` : (() => {
-    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema10[Kind]}'`);
+function Visit2(schema, acc) {
+  return IsTemplateLiteral(schema) ? schema.pattern.slice(1, schema.pattern.length - 1) : IsUnion(schema) ? `(${schema.anyOf.map((schema2) => Visit2(schema2, acc)).join("|")})` : IsNumber3(schema) ? `${acc}${PatternNumber}` : IsInteger(schema) ? `${acc}${PatternNumber}` : IsBigInt2(schema) ? `${acc}${PatternNumber}` : IsString2(schema) ? `${acc}${PatternString}` : IsLiteral(schema) ? `${acc}${Escape(schema.const.toString())}` : IsBoolean2(schema) ? `${acc}${PatternBoolean}` : (() => {
+    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema[Kind]}'`);
   })();
 }
 function TemplateLiteralPattern(kinds) {
-  return `^${kinds.map((schema10) => Visit2(schema10, "")).join("")}$`;
+  return `^${kinds.map((schema) => Visit2(schema, "")).join("")}$`;
 }
 var TemplateLiteralPatternError;
 var init_pattern = __esm({
@@ -4013,8 +3935,8 @@ var init_pattern = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/union.mjs
-function TemplateLiteralToUnion(schema10) {
-  const R = TemplateLiteralGenerate(schema10);
+function TemplateLiteralToUnion(schema) {
+  const R = TemplateLiteralGenerate(schema);
   const L = R.map((S) => Literal(S));
   return UnionEvaluated(L);
 }
@@ -4279,18 +4201,18 @@ var init_promise2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly.mjs
-function RemoveReadonly(schema10) {
-  return CreateType(Discard(schema10, [ReadonlyKind]));
+function RemoveReadonly(schema) {
+  return CreateType(Discard(schema, [ReadonlyKind]));
 }
-function AddReadonly(schema10) {
-  return CreateType({ ...schema10, [ReadonlyKind]: "Readonly" });
+function AddReadonly(schema) {
+  return CreateType({ ...schema, [ReadonlyKind]: "Readonly" });
 }
-function ReadonlyWithFlag(schema10, F) {
-  return F === false ? RemoveReadonly(schema10) : AddReadonly(schema10);
+function ReadonlyWithFlag(schema, F) {
+  return F === false ? RemoveReadonly(schema) : AddReadonly(schema);
 }
-function Readonly(schema10, enable) {
+function Readonly(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? ReadonlyFromMappedResult(schema10, F) : ReadonlyWithFlag(schema10, F);
+  return IsMappedResult(schema) ? ReadonlyFromMappedResult(schema, F) : ReadonlyWithFlag(schema, F);
 }
 var init_readonly = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly.mjs"() {
@@ -4444,18 +4366,18 @@ var init_mapped2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional.mjs
-function RemoveOptional(schema10) {
-  return CreateType(Discard(schema10, [OptionalKind]));
+function RemoveOptional(schema) {
+  return CreateType(Discard(schema, [OptionalKind]));
 }
-function AddOptional(schema10) {
-  return CreateType({ ...schema10, [OptionalKind]: "Optional" });
+function AddOptional(schema) {
+  return CreateType({ ...schema, [OptionalKind]: "Optional" });
 }
-function OptionalWithFlag(schema10, F) {
-  return F === false ? RemoveOptional(schema10) : AddOptional(schema10);
+function OptionalWithFlag(schema, F) {
+  return F === false ? RemoveOptional(schema) : AddOptional(schema);
 }
-function Optional(schema10, enable) {
+function Optional(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? OptionalFromMappedResult(schema10, F) : OptionalWithFlag(schema10, F);
+  return IsMappedResult(schema) ? OptionalFromMappedResult(schema, F) : OptionalWithFlag(schema, F);
 }
 var init_optional = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional.mjs"() {
@@ -4501,7 +4423,7 @@ var init_optional2 = __esm({
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/intersect/intersect-create.mjs
 function IntersectCreate(T, options = {}) {
-  const allObjects = T.every((schema10) => IsObject3(schema10));
+  const allObjects = T.every((schema) => IsObject3(schema));
   const clonedUnevaluatedProperties = IsSchema(options.unevaluatedProperties) ? { unevaluatedProperties: options.unevaluatedProperties } : {};
   return CreateType(options.unevaluatedProperties === false || IsSchema(options.unevaluatedProperties) || allObjects ? { ...clonedUnevaluatedProperties, [Kind]: "Intersect", type: "object", allOf: T } : { ...clonedUnevaluatedProperties, [Kind]: "Intersect", allOf: T }, options);
 }
@@ -4532,7 +4454,7 @@ function IntersectEvaluated(types, options = {}) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return ResolveIntersect(types, options);
 }
@@ -4562,7 +4484,7 @@ function Intersect(types, options) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return IntersectCreate(types, options);
 }
@@ -4992,8 +4914,8 @@ var init_const2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/constructor-parameters/constructor-parameters.mjs
-function ConstructorParameters(schema10, options) {
-  return IsConstructor(schema10) ? Tuple(schema10.parameters, options) : Never(options);
+function ConstructorParameters(schema, options) {
+  return IsConstructor(schema) ? Tuple(schema.parameters, options) : Never(options);
 }
 var init_constructor_parameters = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/constructor-parameters/constructor-parameters.mjs"() {
@@ -5056,7 +4978,7 @@ function FromAnyRight(left, right) {
   return ExtendsResult.True;
 }
 function FromAny(left, right) {
-  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema10) => type_exports.IsAny(schema10) || type_exports.IsUnknown(schema10)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
+  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema) => type_exports.IsAny(schema) || type_exports.IsUnknown(schema)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
 }
 function FromArrayRight(left, right) {
   return type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : type_exports.IsNever(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -5077,13 +4999,13 @@ function FromBoolean(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsBoolean(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromConstructor(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromDate(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsDate(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromFunction(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromIntegerRight(left, right) {
   return type_exports.IsLiteral(left) && value_exports.IsNumber(left.const) ? ExtendsResult.True : type_exports.IsNumber(left) || type_exports.IsInteger(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -5092,10 +5014,10 @@ function FromInteger(left, right) {
   return type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : ExtendsResult.False;
 }
 function FromIntersectRight(left, right) {
-  return right.allOf.every((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.allOf.every((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIntersect4(left, right) {
-  return left.allOf.some((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.allOf.some((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIterator(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : !type_exports.IsIterator(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.items, right.items));
@@ -5109,8 +5031,8 @@ function FromNeverRight(left, right) {
 function FromNever(left, right) {
   return ExtendsResult.True;
 }
-function UnwrapTNot(schema10) {
-  let [current, depth] = [schema10, 0];
+function UnwrapTNot(schema) {
+  let [current, depth] = [schema, 0];
   while (true) {
     if (!type_exports.IsNot(current))
       break;
@@ -5131,44 +5053,44 @@ function FromNumberRight(left, right) {
 function FromNumber(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : ExtendsResult.False;
 }
-function IsObjectPropertyCount(schema10, count) {
-  return Object.getOwnPropertyNames(schema10.properties).length === count;
+function IsObjectPropertyCount(schema, count) {
+  return Object.getOwnPropertyNames(schema.properties).length === count;
 }
-function IsObjectStringLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectStringLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectSymbolLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "description" in schema10.properties && type_exports.IsUnion(schema10.properties.description) && schema10.properties.description.anyOf.length === 2 && (type_exports.IsString(schema10.properties.description.anyOf[0]) && type_exports.IsUndefined(schema10.properties.description.anyOf[1]) || type_exports.IsString(schema10.properties.description.anyOf[1]) && type_exports.IsUndefined(schema10.properties.description.anyOf[0]));
+function IsObjectSymbolLike(schema) {
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "description" in schema.properties && type_exports.IsUnion(schema.properties.description) && schema.properties.description.anyOf.length === 2 && (type_exports.IsString(schema.properties.description.anyOf[0]) && type_exports.IsUndefined(schema.properties.description.anyOf[1]) || type_exports.IsString(schema.properties.description.anyOf[1]) && type_exports.IsUndefined(schema.properties.description.anyOf[0]));
 }
-function IsObjectNumberLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectNumberLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBooleanLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBooleanLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBigIntLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBigIntLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectDateLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectDateLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectUint8ArrayLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectUint8ArrayLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectFunctionLike(schema10) {
+function IsObjectFunctionLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectConstructorLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectConstructorLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectArrayLike(schema10) {
+function IsObjectArrayLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectPromiseLike(schema10) {
+function IsObjectPromiseLike(schema) {
   const then = Function([Any()], Any());
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "then" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["then"], then)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "then" in schema.properties && IntoBooleanResult(Visit3(schema.properties["then"], then)) === ExtendsResult.True;
 }
 function Property(left, right) {
   return Visit3(left, right) === ExtendsResult.False ? ExtendsResult.False : type_exports.IsOptional(left) && !type_exports.IsOptional(right) ? ExtendsResult.False : ExtendsResult.True;
@@ -5199,11 +5121,11 @@ function FromObject(left, right) {
 function FromPromise2(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectPromiseLike(right) ? ExtendsResult.True : !type_exports.IsPromise(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.item, right.item));
 }
-function RecordKey(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? Number2() : PatternStringExact in schema10.patternProperties ? String2() : Throw("Unknown record key pattern");
+function RecordKey(schema) {
+  return PatternNumberExact in schema.patternProperties ? Number2() : PatternStringExact in schema.patternProperties ? String2() : Throw("Unknown record key pattern");
 }
-function RecordValue(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? schema10.patternProperties[PatternNumberExact] : PatternStringExact in schema10.patternProperties ? schema10.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
+function RecordValue(schema) {
+  return PatternNumberExact in schema.patternProperties ? schema.patternProperties[PatternNumberExact] : PatternStringExact in schema.patternProperties ? schema.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
 }
 function FromRecordRight(left, right) {
   const [Key, Value] = [RecordKey(right), RecordValue(right)];
@@ -5237,13 +5159,13 @@ function FromTemplateLiteral2(left, right) {
   return type_exports.IsTemplateLiteral(left) ? Visit3(TemplateLiteralToUnion(left), right) : type_exports.IsTemplateLiteral(right) ? Visit3(left, TemplateLiteralToUnion(right)) : Throw("Invalid fallthrough for TemplateLiteral");
 }
 function IsArrayOfTuple(left, right) {
-  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema10) => Visit3(schema10, right.items) === ExtendsResult.True);
+  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema) => Visit3(schema, right.items) === ExtendsResult.True);
 }
 function FromTupleRight(left, right) {
   return type_exports.IsNever(left) ? ExtendsResult.True : type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : ExtendsResult.False;
 }
 function FromTuple3(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema10, index9) => Visit3(schema10, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema, index9) => Visit3(schema, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUint8Array(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsUint8Array(right) ? ExtendsResult.True : ExtendsResult.False;
@@ -5252,10 +5174,10 @@ function FromUndefined(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsVoid(right) ? FromVoidRight(left, right) : type_exports.IsUndefined(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnionRight(left, right) {
-  return right.anyOf.some((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.anyOf.some((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnion6(left, right) {
-  return left.anyOf.every((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.anyOf.every((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnknownRight(left, right) {
   return ExtendsResult.True;
@@ -5534,8 +5456,8 @@ var init_extract2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/instance-type/instance-type.mjs
-function InstanceType(schema10, options) {
-  return IsConstructor(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function InstanceType(schema, options) {
+  return IsConstructor(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 var init_instance_type = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/instance-type/instance-type.mjs"() {
@@ -5555,8 +5477,8 @@ var init_instance_type2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly-optional/readonly-optional.mjs
-function ReadonlyOptional(schema10) {
-  return Readonly(Optional(schema10));
+function ReadonlyOptional(schema) {
+  return Readonly(Optional(schema));
 }
 var init_readonly_optional = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly-optional/readonly-optional.mjs"() {
@@ -5815,11 +5737,11 @@ function ApplyUppercase(value) {
 function ApplyLowercase(value) {
   return value.toLowerCase();
 }
-function FromTemplateLiteral3(schema10, mode, options) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function FromTemplateLiteral3(schema, mode, options) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   const finite = IsTemplateLiteralExpressionFinite(expression);
   if (!finite)
-    return { ...schema10, pattern: FromLiteralValue(schema10.pattern, mode) };
+    return { ...schema, pattern: FromLiteralValue(schema.pattern, mode) };
   const strings = [...TemplateLiteralExpressionGenerate(expression)];
   const literals = strings.map((value) => Literal(value));
   const mapped = FromRest5(literals, mode);
@@ -5832,14 +5754,14 @@ function FromLiteralValue(value, mode) {
 function FromRest5(T, M) {
   return T.map((L) => Intrinsic(L, M));
 }
-function Intrinsic(schema10, mode, options = {}) {
+function Intrinsic(schema, mode, options = {}) {
   return (
     // Intrinsic-Mapped-Inference
-    IsMappedKey(schema10) ? IntrinsicFromMappedKey(schema10, mode, options) : (
+    IsMappedKey(schema) ? IntrinsicFromMappedKey(schema, mode, options) : (
       // Standard-Inference
-      IsTemplateLiteral(schema10) ? FromTemplateLiteral3(schema10, mode, options) : IsUnion(schema10) ? Union(FromRest5(schema10.anyOf, mode), options) : IsLiteral(schema10) ? Literal(FromLiteralValue(schema10.const, mode), options) : (
+      IsTemplateLiteral(schema) ? FromTemplateLiteral3(schema, mode, options) : IsUnion(schema) ? Union(FromRest5(schema.anyOf, mode), options) : IsLiteral(schema) ? Literal(FromLiteralValue(schema.const, mode), options) : (
         // Default Type
-        CreateType(schema10, options)
+        CreateType(schema, options)
       )
     )
   );
@@ -6496,8 +6418,8 @@ var init_not2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/parameters/parameters.mjs
-function Parameters(schema10, options) {
-  return IsFunction2(schema10) ? Tuple(schema10.parameters, options) : Never();
+function Parameters(schema, options) {
+  return IsFunction2(schema) ? Tuple(schema.parameters, options) : Never();
 }
 var init_parameters = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/parameters/parameters.mjs"() {
@@ -6589,8 +6511,8 @@ var init_rest2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/return-type/return-type.mjs
-function ReturnType(schema10, options) {
-  return IsFunction2(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function ReturnType(schema, options) {
+  return IsFunction2(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 var init_return_type = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/return-type/return-type.mjs"() {
@@ -6617,18 +6539,18 @@ var init_anyschema = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/schema/schema.mjs
-var init_schema = __esm({
+var init_schema2 = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/schema/schema.mjs"() {
     "use strict";
   }
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/schema/index.mjs
-var init_schema2 = __esm({
+var init_schema3 = __esm({
   "../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/schema/index.mjs"() {
     "use strict";
     init_anyschema();
-    init_schema();
+    init_schema2();
   }
 });
 
@@ -6648,8 +6570,8 @@ var init_static2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/transform/transform.mjs
-function Transform(schema10) {
-  return new TransformDecodeBuilder(schema10);
+function Transform(schema) {
+  return new TransformDecodeBuilder(schema);
 }
 var TransformDecodeBuilder, TransformEncodeBuilder;
 var init_transform = __esm({
@@ -6658,27 +6580,27 @@ var init_transform = __esm({
     init_symbols2();
     init_kind();
     TransformDecodeBuilder = class {
-      constructor(schema10) {
-        this.schema = schema10;
+      constructor(schema) {
+        this.schema = schema;
       }
       Decode(decode) {
         return new TransformEncodeBuilder(this.schema, decode);
       }
     };
     TransformEncodeBuilder = class {
-      constructor(schema10, decode) {
-        this.schema = schema10;
+      constructor(schema, decode) {
+        this.schema = schema;
         this.decode = decode;
       }
-      EncodeTransform(encode, schema10) {
-        const Encode = (value) => schema10[TransformKind].Encode(encode(value));
-        const Decode = (value) => this.decode(schema10[TransformKind].Decode(value));
+      EncodeTransform(encode, schema) {
+        const Encode = (value) => schema[TransformKind].Encode(encode(value));
+        const Decode = (value) => this.decode(schema[TransformKind].Decode(value));
         const Codec = { Encode, Decode };
-        return { ...schema10, [TransformKind]: Codec };
+        return { ...schema, [TransformKind]: Codec };
       }
-      EncodeSchema(encode, schema10) {
+      EncodeSchema(encode, schema) {
         const Codec = { Decode: this.decode, Encode: encode };
-        return { ...schema10, [TransformKind]: Codec };
+        return { ...schema, [TransformKind]: Codec };
       }
       Encode(encode) {
         return IsTransform(this.schema) ? this.EncodeTransform(encode, this.schema) : this.EncodeSchema(encode, this.schema);
@@ -6937,7 +6859,7 @@ var init_esm = __esm({
     init_required2();
     init_rest2();
     init_return_type2();
-    init_schema2();
+    init_schema3();
     init_static2();
     init_string2();
     init_symbol2();
@@ -6987,7 +6909,7 @@ var init_schemas = __esm({
 });
 
 // src/lib/contracts/auth.ts
-var EMAIL_PATTERN, PHONE_PATTERN, FINGERPRINT_PATTERN, UUID_PATTERN, BASE64_PATTERN, sendVerificationCodeContract, verifyCodeContract, checkAccountExistsContract, registerContract, loginContract, logoutContract, rotateKeyContract, changePasswordContract;
+var EMAIL_PATTERN, PHONE_PATTERN, FINGERPRINT_PATTERN, UUID_PATTERN, BASE64_PATTERN, sendVerificationCodeContract, verifyCodeContract, checkAccountExistsContract, registerContract, loginContract, logoutContract, rotateKeyContract, changePasswordContract, getMeContract;
 var init_auth = __esm({
   "src/lib/contracts/auth.ts"() {
     "use strict";
@@ -7262,6 +7184,33 @@ var init_auth = __esm({
         })
       )
     };
+    getMeContract = {
+      method: "GET",
+      path: "/_auth/me",
+      body: Type.Object({}),
+      response: ApiResponseSchema(
+        Type.Object({
+          userId: Type.String({ description: "User ID" }),
+          email: Type.Optional(Type.String({ description: "User email address" })),
+          phone: Type.Optional(Type.String({ description: "User phone number" })),
+          role: Type.Object({
+            id: Type.Number({ description: "Role ID" }),
+            name: Type.String({ description: "Role name (e.g., user, admin)" }),
+            displayName: Type.String({ description: "Display name for UI" }),
+            priority: Type.Number({ description: "Role priority level" })
+          }, { description: "User role information" }),
+          permissions: Type.Array(
+            Type.Object({
+              id: Type.Number({ description: "Permission ID" }),
+              name: Type.String({ description: "Permission name (e.g., user:delete)" }),
+              displayName: Type.String({ description: "Display name for UI" }),
+              category: Type.Optional(Type.String({ description: "Permission category" }))
+            }),
+            { description: "List of permissions granted through role" }
+          )
+        })
+      )
+    };
   }
 });
 
@@ -7514,9 +7463,55 @@ var init_contracts = __esm({
   }
 });
 
+// src/server/helpers/password.ts
+import bcrypt from "bcrypt";
+async function hashPassword(password) {
+  if (!password || password.length === 0) {
+    throw new Error("Password cannot be empty");
+  }
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+async function verifyPassword(password, hash) {
+  if (!password || password.length === 0) {
+    throw new Error("Password cannot be empty");
+  }
+  if (!hash || hash.length === 0) {
+    throw new Error("Hash cannot be empty");
+  }
+  return bcrypt.compare(password, hash);
+}
+var SALT_ROUNDS;
+var init_password = __esm({
+  "src/server/helpers/password.ts"() {
+    "use strict";
+    SALT_ROUNDS = parseInt(
+      process.env.SPFN_AUTH_BCRYPT_SALT_ROUNDS || // New prefixed version (recommended)
+      process.env.BCRYPT_SALT_ROUNDS || // Legacy fallback
+      "10",
+      10
+    );
+  }
+});
+
 // src/server/helpers/jwt.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decodeToken: () => decodeToken,
+  generateToken: () => generateToken,
+  verifyClientToken: () => verifyClientToken,
+  verifyKeyFingerprint: () => verifyKeyFingerprint,
+  verifyToken: () => verifyToken
+});
 import jwt from "jsonwebtoken";
 import crypto from "crypto";
+function generateToken(payload) {
+  return jwt.sign(payload, JWT_SECRET, {
+    expiresIn: JWT_EXPIRES_IN
+  });
+}
+function verifyToken(token) {
+  return jwt.verify(token, JWT_SECRET);
+}
 function verifyClientToken(token, publicKeyB64, algorithm) {
   try {
     const publicKeyDER = Buffer.from(publicKeyB64, "base64");
@@ -7545,6 +7540,13 @@ function verifyClientToken(token, publicKeyB64, algorithm) {
     throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
   }
 }
+function decodeToken(token) {
+  try {
+    return jwt.decode(token);
+  } catch {
+    return null;
+  }
+}
 function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
   try {
     const publicKeyDER = Buffer.from(publicKeyB64, "base64");
@@ -7568,6 +7570,146 @@ var init_jwt = __esm({
   }
 });
 
+// src/server/helpers/verification.ts
+import jwt2 from "jsonwebtoken";
+import { getDatabase as getDatabase2, create } from "@spfn/core/db";
+import { eq as eq2, and as and2 } from "drizzle-orm";
+function getVerificationTokenSecret() {
+  const secret = process.env.SPFN_AUTH_VERIFICATION_TOKEN_SECRET || // New prefixed version (recommended)
+  process.env.VERIFICATION_TOKEN_SECRET || // Legacy fallback
+  process.env.SPFN_AUTH_JWT_SECRET || // New JWT secret fallback
+  process.env.JWT_SECRET;
+  if (!secret || secret.length < 32) {
+    throw new Error("SPFN_AUTH_VERIFICATION_TOKEN_SECRET must be at least 32 characters long");
+  }
+  return secret;
+}
+function generateVerificationCode() {
+  const code = Math.floor(Math.random() * 1e6).toString().padStart(6, "0");
+  return code;
+}
+async function storeVerificationCode(target, targetType, code, purpose) {
+  const db = getDatabase2();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  const expiresAt = /* @__PURE__ */ new Date();
+  expiresAt.setMinutes(expiresAt.getMinutes() + VERIFICATION_CODE_EXPIRY_MINUTES);
+  const record = await create(verificationCodes, {
+    target,
+    targetType,
+    code,
+    purpose,
+    expiresAt,
+    attempts: "0"
+  });
+  return record;
+}
+async function validateVerificationCode(target, targetType, code, purpose) {
+  const db = getDatabase2();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  const records = await db.select().from(verificationCodes).where(
+    and2(
+      eq2(verificationCodes.target, target),
+      eq2(verificationCodes.targetType, targetType),
+      eq2(verificationCodes.code, code),
+      eq2(verificationCodes.purpose, purpose)
+    )
+  ).limit(1);
+  if (records.length === 0) {
+    return { valid: false, error: "Invalid verification code" };
+  }
+  const record = records[0];
+  if (record.usedAt) {
+    return { valid: false, error: "Verification code already used" };
+  }
+  if (/* @__PURE__ */ new Date() > new Date(record.expiresAt)) {
+    return { valid: false, error: "Verification code expired" };
+  }
+  const attempts = parseInt(record.attempts, 10);
+  if (attempts >= MAX_VERIFICATION_ATTEMPTS) {
+    return { valid: false, error: "Too many attempts, please request a new code" };
+  }
+  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq2(verificationCodes.id, record.id));
+  return { valid: true, codeId: record.id };
+}
+async function markCodeAsUsed(codeId) {
+  const db = getDatabase2();
+  if (!db) {
+    throw new Error("Database not initialized");
+  }
+  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq2(verificationCodes.id, codeId));
+}
+function createVerificationToken(payload) {
+  const secret = getVerificationTokenSecret();
+  return jwt2.sign(payload, secret, {
+    expiresIn: VERIFICATION_TOKEN_EXPIRY,
+    issuer: "spfn-auth",
+    audience: "spfn-client"
+  });
+}
+function validateVerificationToken(token) {
+  try {
+    const secret = getVerificationTokenSecret();
+    const decoded = jwt2.verify(token, secret, {
+      issuer: "spfn-auth",
+      audience: "spfn-client"
+    });
+    if (typeof decoded === "object" && decoded !== null && "target" in decoded && "targetType" in decoded && "purpose" in decoded && "codeId" in decoded) {
+      return decoded;
+    }
+    return null;
+  } catch (error) {
+    console.error("[validateVerificationToken] Error:", error);
+    return null;
+  }
+}
+async function sendVerificationEmail(email, code, purpose) {
+  console.log(`[VERIFICATION EMAIL] To: ${email}, Code: ${code}, Purpose: ${purpose}`);
+}
+async function sendVerificationSMS(phone, code, purpose) {
+  console.log(`[VERIFICATION SMS] To: ${phone}, Code: ${code}, Purpose: ${purpose}`);
+}
+var VERIFICATION_TOKEN_EXPIRY, VERIFICATION_CODE_EXPIRY_MINUTES, MAX_VERIFICATION_ATTEMPTS;
+var init_verification = __esm({
+  "src/server/helpers/verification.ts"() {
+    "use strict";
+    init_verification_codes();
+    VERIFICATION_TOKEN_EXPIRY = "15m";
+    VERIFICATION_CODE_EXPIRY_MINUTES = 5;
+    MAX_VERIFICATION_ATTEMPTS = 5;
+  }
+});
+
+// src/server/helpers/context.ts
+function getAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
+function getUser(c) {
+  return getAuth(c).user;
+}
+var init_context2 = __esm({
+  "src/server/helpers/context.ts"() {
+    "use strict";
+  }
+});
+
+// src/server/helpers/index.ts
+var init_helpers3 = __esm({
+  "src/server/helpers/index.ts"() {
+    "use strict";
+    init_password();
+    init_jwt();
+    init_verification();
+    init_context2();
+  }
+});
+
 // src/server/errors/auth-errors.ts
 import {
   ValidationError,
@@ -7605,16 +7747,14 @@ var init_auth_errors = __esm({
     };
     AccountDisabledError = class extends ForbiddenError {
       constructor(status = "disabled") {
-        super(`Account is ${status}`);
+        super(`Account is ${status}`, { details: { status } });
         this.name = "AccountDisabledError";
-        this.details = { status };
       }
     };
     AccountAlreadyExistsError = class extends ConflictError {
       constructor(identifier, identifierType) {
-        super("Account already exists");
+        super("Account already exists", { details: { identifier, identifierType } });
         this.name = "AccountAlreadyExistsError";
-        this.details = { identifier, identifierType };
       }
     };
     InvalidVerificationCodeError = class extends ValidationError {
@@ -7637,9 +7777,8 @@ var init_auth_errors = __esm({
     };
     VerificationTokenPurposeMismatchError = class extends ValidationError {
       constructor(expected, actual) {
-        super(`Verification token is for ${actual}, but ${expected} was expected`);
+        super(`Verification token is for ${actual}, but ${expected} was expected`, { details: { expected, actual } });
         this.name = "VerificationTokenPurposeMismatchError";
-        this.details = { expected, actual };
       }
     };
     VerificationTokenTargetMismatchError = class extends ValidationError {
@@ -7659,287 +7798,9 @@ var init_errors = __esm({
   }
 });
 
-// src/server/middleware/authenticate.ts
-import { findOne, getDatabase as getDatabase2 } from "@spfn/core/db";
-import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
-import { eq as eq2, and as and2 } from "drizzle-orm";
-async function authenticate(c, next) {
-  const authHeader = c.req.header("Authorization");
-  const keyId = c.req.header("X-Key-Id");
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    throw new UnauthorizedError2("Missing or invalid authorization header");
-  }
-  if (!keyId) {
-    throw new UnauthorizedError2("Missing X-Key-Id header");
-  }
-  const token = authHeader.substring(7);
-  const db = getDatabase2();
-  const [keyRecord] = await db.select().from(userPublicKeys).where(
-    and2(
-      eq2(userPublicKeys.keyId, keyId),
-      eq2(userPublicKeys.isActive, true)
-    )
-  );
-  if (!keyRecord) {
-    throw new UnauthorizedError2("Invalid or revoked key");
-  }
-  if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
-    throw new KeyExpiredError();
-  }
-  try {
-    verifyClientToken(
-      token,
-      keyRecord.publicKey,
-      keyRecord.algorithm
-    );
-  } catch (err) {
-    if (err instanceof Error) {
-      if (err.name === "TokenExpiredError") {
-        throw new TokenExpiredError();
-      }
-      if (err.name === "JsonWebTokenError") {
-        throw new InvalidTokenError("Invalid token signature");
-      }
-    }
-    throw new UnauthorizedError2("Authentication failed");
-  }
-  const user = await findOne(users, { id: keyRecord.userId });
-  if (!user) {
-    throw new UnauthorizedError2("User not found");
-  }
-  if (user.status !== "active") {
-    throw new AccountDisabledError(user.status);
-  }
-  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq2(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
-  c.set("auth", {
-    user,
-    userId: String(user.id),
-    keyId
-  });
-  await next();
-}
-var init_authenticate = __esm({
-  "src/server/middleware/authenticate.ts"() {
-    "use strict";
-    init_jwt();
-    init_entities();
-    init_errors();
-  }
-});
-
-// src/server/helpers/context.ts
-function getAuth(c) {
-  if ("raw" in c && c.raw) {
-    return c.raw.get("auth");
-  }
-  return c.get("auth");
-}
-function getUser(c) {
-  return getAuth(c).user;
-}
-var init_context2 = __esm({
-  "src/server/helpers/context.ts"() {
-    "use strict";
-  }
-});
-
-// src/server/services/permission.service.ts
-import { getDatabase as getDatabase3 } from "@spfn/core/db";
-import { eq as eq3, and as and3 } from "drizzle-orm";
-var init_permission_service = __esm({
-  "src/server/services/permission.service.ts"() {
-    "use strict";
-    init_entities();
-  }
-});
-
-// src/server/middleware/require-permission.ts
-import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
-var init_require_permission = __esm({
-  "src/server/middleware/require-permission.ts"() {
-    "use strict";
-    init_context2();
-    init_permission_service();
-  }
-});
-
-// src/server/middleware/require-role.ts
-import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
-var init_require_role = __esm({
-  "src/server/middleware/require-role.ts"() {
-    "use strict";
-    init_context2();
-    init_permission_service();
-  }
-});
-
-// src/server/middleware/index.ts
-var init_middleware = __esm({
-  "src/server/middleware/index.ts"() {
-    "use strict";
-    init_authenticate();
-    init_require_permission();
-    init_require_role();
-  }
-});
-
-// src/server/helpers/password.ts
-import bcrypt from "bcrypt";
-async function hashPassword(password) {
-  if (!password || password.length === 0) {
-    throw new Error("Password cannot be empty");
-  }
-  return bcrypt.hash(password, SALT_ROUNDS);
-}
-async function verifyPassword(password, hash) {
-  if (!password || password.length === 0) {
-    throw new Error("Password cannot be empty");
-  }
-  if (!hash || hash.length === 0) {
-    throw new Error("Hash cannot be empty");
-  }
-  return bcrypt.compare(password, hash);
-}
-var SALT_ROUNDS;
-var init_password = __esm({
-  "src/server/helpers/password.ts"() {
-    "use strict";
-    SALT_ROUNDS = parseInt(
-      process.env.SPFN_AUTH_BCRYPT_SALT_ROUNDS || // New prefixed version (recommended)
-      process.env.BCRYPT_SALT_ROUNDS || // Legacy fallback
-      "10",
-      10
-    );
-  }
-});
-
-// src/server/helpers/verification.ts
-import jwt2 from "jsonwebtoken";
-import { getDatabase as getDatabase4, create } from "@spfn/core/db";
-import { eq as eq4, and as and4 } from "drizzle-orm";
-function getVerificationTokenSecret() {
-  const secret = process.env.SPFN_AUTH_VERIFICATION_TOKEN_SECRET || // New prefixed version (recommended)
-  process.env.VERIFICATION_TOKEN_SECRET || // Legacy fallback
-  process.env.SPFN_AUTH_JWT_SECRET || // New JWT secret fallback
-  process.env.JWT_SECRET;
-  if (!secret || secret.length < 32) {
-    throw new Error("SPFN_AUTH_VERIFICATION_TOKEN_SECRET must be at least 32 characters long");
-  }
-  return secret;
-}
-function generateVerificationCode() {
-  const code = Math.floor(Math.random() * 1e6).toString().padStart(6, "0");
-  return code;
-}
-async function storeVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase4();
-  if (!db) {
-    throw new Error("Database not initialized");
-  }
-  const expiresAt = /* @__PURE__ */ new Date();
-  expiresAt.setMinutes(expiresAt.getMinutes() + VERIFICATION_CODE_EXPIRY_MINUTES);
-  const record = await create(verificationCodes, {
-    target,
-    targetType,
-    code,
-    purpose,
-    expiresAt,
-    attempts: "0"
-  });
-  return record;
-}
-async function validateVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase4();
-  if (!db) {
-    throw new Error("Database not initialized");
-  }
-  const records = await db.select().from(verificationCodes).where(
-    and4(
-      eq4(verificationCodes.target, target),
-      eq4(verificationCodes.targetType, targetType),
-      eq4(verificationCodes.code, code),
-      eq4(verificationCodes.purpose, purpose)
-    )
-  ).limit(1);
-  if (records.length === 0) {
-    return { valid: false, error: "Invalid verification code" };
-  }
-  const record = records[0];
-  if (record.usedAt) {
-    return { valid: false, error: "Verification code already used" };
-  }
-  if (/* @__PURE__ */ new Date() > new Date(record.expiresAt)) {
-    return { valid: false, error: "Verification code expired" };
-  }
-  const attempts = parseInt(record.attempts, 10);
-  if (attempts >= MAX_VERIFICATION_ATTEMPTS) {
-    return { valid: false, error: "Too many attempts, please request a new code" };
-  }
-  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq4(verificationCodes.id, record.id));
-  return { valid: true, codeId: record.id };
-}
-async function markCodeAsUsed(codeId) {
-  const db = getDatabase4();
-  if (!db) {
-    throw new Error("Database not initialized");
-  }
-  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq4(verificationCodes.id, codeId));
-}
-function createVerificationToken(payload) {
-  const secret = getVerificationTokenSecret();
-  return jwt2.sign(payload, secret, {
-    expiresIn: VERIFICATION_TOKEN_EXPIRY,
-    issuer: "spfn-auth",
-    audience: "spfn-client"
-  });
-}
-function validateVerificationToken(token) {
-  try {
-    const secret = getVerificationTokenSecret();
-    const decoded = jwt2.verify(token, secret, {
-      issuer: "spfn-auth",
-      audience: "spfn-client"
-    });
-    if (typeof decoded === "object" && decoded !== null && "target" in decoded && "targetType" in decoded && "purpose" in decoded && "codeId" in decoded) {
-      return decoded;
-    }
-    return null;
-  } catch (error) {
-    console.error("[validateVerificationToken] Error:", error);
-    return null;
-  }
-}
-async function sendVerificationEmail(email, code, purpose) {
-  console.log(`[VERIFICATION EMAIL] To: ${email}, Code: ${code}, Purpose: ${purpose}`);
-}
-async function sendVerificationSMS(phone, code, purpose) {
-  console.log(`[VERIFICATION SMS] To: ${phone}, Code: ${code}, Purpose: ${purpose}`);
-}
-var VERIFICATION_TOKEN_EXPIRY, VERIFICATION_CODE_EXPIRY_MINUTES, MAX_VERIFICATION_ATTEMPTS;
-var init_verification = __esm({
-  "src/server/helpers/verification.ts"() {
-    "use strict";
-    init_verification_codes();
-    VERIFICATION_TOKEN_EXPIRY = "15m";
-    VERIFICATION_CODE_EXPIRY_MINUTES = 5;
-    MAX_VERIFICATION_ATTEMPTS = 5;
-  }
-});
-
-// src/server/helpers/index.ts
-var init_helpers3 = __esm({
-  "src/server/helpers/index.ts"() {
-    "use strict";
-    init_password();
-    init_jwt();
-    init_verification();
-    init_context2();
-  }
-});
-
 // src/server/services/key.service.ts
-import { create as create2, getDatabase as getDatabase5 } from "@spfn/core/db";
-import { eq as eq5, and as and5 } from "drizzle-orm";
+import { create as create2, getDatabase as getDatabase3 } from "@spfn/core/db";
+import { eq as eq3, and as and3 } from "drizzle-orm";
 function getKeyExpiryDate() {
   const expiresAt = /* @__PURE__ */ new Date();
   expiresAt.setDate(expiresAt.getDate() + 90);
@@ -7968,15 +7829,15 @@ async function rotateKeyService(params) {
   if (!isValidFingerprint) {
     throw new InvalidKeyFingerprintError();
   }
-  const db = getDatabase5();
+  const db = getDatabase3();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: "Replaced by key rotation"
   }).where(
-    and5(
-      eq5(userPublicKeys.keyId, oldKeyId),
-      eq5(userPublicKeys.userId, userId)
+    and3(
+      eq3(userPublicKeys.keyId, oldKeyId),
+      eq3(userPublicKeys.userId, userId)
     )
   );
   await create2(userPublicKeys, {
@@ -7996,15 +7857,15 @@ async function rotateKeyService(params) {
 }
 async function revokeKeyService(params) {
   const { userId, keyId, reason } = params;
-  const db = getDatabase5();
+  const db = getDatabase3();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: reason
   }).where(
-    and5(
-      eq5(userPublicKeys.keyId, keyId),
-      eq5(userPublicKeys.userId, userId)
+    and3(
+      eq3(userPublicKeys.keyId, keyId),
+      eq3(userPublicKeys.userId, userId)
     )
   );
 }
@@ -8018,7 +7879,7 @@ var init_key_service = __esm({
 });
 
 // src/server/services/user.service.ts
-import { findOne as findOne2, updateOne } from "@spfn/core/db";
+import { findOne, updateOne } from "@spfn/core/db";
 async function updateLastLoginService(userId) {
   await updateOne(users, { id: userId }, {
     lastLoginAt: /* @__PURE__ */ new Date()
@@ -8044,14 +7905,14 @@ __export(role_service_exports, {
   setRolePermissions: () => setRolePermissions,
   updateRole: () => updateRole
 });
-import { getDatabase as getDatabase6 } from "@spfn/core/db";
-import { eq as eq6, and as and6 } from "drizzle-orm";
+import { getDatabase as getDatabase4 } from "@spfn/core/db";
+import { eq as eq4, and as and4 } from "drizzle-orm";
 async function createRole(data) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const existing = await db.select().from(roles).where(eq6(roles.name, data.name)).limit(1);
+  const existing = await db.select().from(roles).where(eq4(roles.name, data.name)).limit(1);
   if (existing.length > 0) {
     throw new Error(`Role with name '${data.name}' already exists`);
   }
@@ -8075,28 +7936,28 @@ async function createRole(data) {
   return newRole;
 }
 async function updateRole(roleId, data) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq6(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq4(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
   if (role.isBuiltin && data.priority !== void 0) {
     throw new Error("Cannot modify priority of built-in roles");
   }
-  const [updated] = await db.update(roles).set(data).where(eq6(roles.id, roleIdNum)).returning();
+  const [updated] = await db.update(roles).set(data).where(eq4(roles.id, roleIdNum)).returning();
   return updated;
 }
 async function deleteRole(roleId) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq6(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq4(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
@@ -8106,20 +7967,20 @@ async function deleteRole(roleId) {
   if (role.isSystem) {
     throw new Error(`Cannot delete system role: ${role.name}. Deactivate it instead.`);
   }
-  await db.delete(roles).where(eq6(roles.id, roleIdNum));
+  await db.delete(roles).where(eq4(roles.id, roleIdNum));
   console.log(`[Auth] \u{1F5D1}\uFE0F  Deleted role: ${role.name}`);
 }
 async function addPermissionToRole(roleId, permissionId) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   const existing = await db.select().from(rolePermissions).where(
-    and6(
-      eq6(rolePermissions.roleId, roleIdNum),
-      eq6(rolePermissions.permissionId, permissionIdNum)
+    and4(
+      eq4(rolePermissions.roleId, roleIdNum),
+      eq4(rolePermissions.permissionId, permissionIdNum)
     )
   ).limit(1);
   if (existing.length > 0) {
@@ -8131,26 +7992,26 @@ async function addPermissionToRole(roleId, permissionId) {
   });
 }
 async function removePermissionFromRole(roleId, permissionId) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   await db.delete(rolePermissions).where(
-    and6(
-      eq6(rolePermissions.roleId, roleIdNum),
-      eq6(rolePermissions.permissionId, permissionIdNum)
+    and4(
+      eq4(rolePermissions.roleId, roleIdNum),
+      eq4(rolePermissions.permissionId, permissionIdNum)
     )
   );
 }
 async function setRolePermissions(roleId, permissionIds) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  await db.delete(rolePermissions).where(eq6(rolePermissions.roleId, roleIdNum));
+  await db.delete(rolePermissions).where(eq4(rolePermissions.roleId, roleIdNum));
   if (permissionIds.length > 0) {
     const mappings = permissionIds.map((permId) => ({
       roleId: roleIdNum,
@@ -8160,31 +8021,31 @@ async function setRolePermissions(roleId, permissionIds) {
   }
 }
 async function getAllRoles(includeInactive = false) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const query = db.select().from(roles);
   if (!includeInactive) {
-    return query.where(eq6(roles.isActive, true));
+    return query.where(eq4(roles.isActive, true));
   }
   return query;
 }
 async function getRoleByName(name) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const [role] = await db.select().from(roles).where(eq6(roles.name, name)).limit(1);
+  const [role] = await db.select().from(roles).where(eq4(roles.name, name)).limit(1);
   return role || null;
 }
 async function getRolePermissions(roleId) {
-  const db = getDatabase6();
+  const db = getDatabase4();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq6(rolePermissions.permissionId, permissions.id)).where(eq6(rolePermissions.roleId, roleIdNum));
+  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq4(rolePermissions.permissionId, permissions.id)).where(eq4(rolePermissions.roleId, roleIdNum));
   return perms.map((p) => p.name);
 }
 var init_role_service = __esm({
@@ -8195,7 +8056,7 @@ var init_role_service = __esm({
 });
 
 // src/server/services/auth.service.ts
-import { findOne as findOne3, create as create3 } from "@spfn/core/db";
+import { findOne as findOne2, create as create3 } from "@spfn/core/db";
 import { ValidationError as ValidationError2 } from "@spfn/core/errors";
 async function checkAccountExistsService(params) {
   const { email, phone } = params;
@@ -8205,11 +8066,11 @@ async function checkAccountExistsService(params) {
   if (email) {
     identifier = email;
     identifierType = "email";
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
     identifier = phone;
     identifierType = "phone";
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -8238,9 +8099,9 @@ async function registerService(params) {
   }
   let existingUser;
   if (email) {
-    existingUser = await findOne3(users, { email });
+    existingUser = await findOne2(users, { email });
   } else if (phone) {
-    existingUser = await findOne3(users, { phone });
+    existingUser = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -8281,9 +8142,9 @@ async function loginService(params) {
   const { email, phone, password, publicKey, keyId, fingerprint, oldKeyId, algorithm } = params;
   let user;
   if (email) {
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -8333,7 +8194,7 @@ async function changePasswordService(params) {
   if (providedHash) {
     passwordHash = providedHash;
   } else {
-    const user = await findOne3(users, { id: userId });
+    const user = await findOne2(users, { id: userId });
     if (!user) {
       throw new ValidationError2("User not found");
     }
@@ -8407,6 +8268,136 @@ var init_verification_service = __esm({
   }
 });
 
+// src/server/services/me.service.ts
+import { getDatabase as getDatabase5 } from "@spfn/core/db";
+import { eq as eq5, and as and5 } from "drizzle-orm";
+async function getMeService(userId) {
+  const db = getDatabase5();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [userWithRole] = await db.select({
+    userId: users.id,
+    email: users.email,
+    phone: users.phone,
+    roleId: roles.id,
+    roleName: roles.name,
+    roleDisplayName: roles.displayName,
+    rolePriority: roles.priority
+  }).from(users).innerJoin(roles, eq5(users.roleId, roles.id)).where(eq5(users.id, userIdNum)).limit(1);
+  if (!userWithRole) {
+    throw new Error("[Auth] User not found");
+  }
+  const rolePerms = await db.select({
+    id: permissions.id,
+    name: permissions.name,
+    displayName: permissions.displayName,
+    category: permissions.category
+  }).from(rolePermissions).innerJoin(permissions, eq5(rolePermissions.permissionId, permissions.id)).where(
+    and5(
+      eq5(rolePermissions.roleId, userWithRole.roleId),
+      eq5(permissions.isActive, true)
+    )
+  );
+  return {
+    userId: userWithRole.userId.toString(),
+    email: userWithRole.email ?? void 0,
+    phone: userWithRole.phone ?? void 0,
+    role: {
+      id: userWithRole.roleId,
+      name: userWithRole.roleName,
+      displayName: userWithRole.roleDisplayName,
+      priority: userWithRole.rolePriority
+    },
+    permissions: rolePerms.map((perm) => ({
+      id: perm.id,
+      name: perm.name,
+      displayName: perm.displayName,
+      category: perm.category ?? void 0
+    }))
+  };
+}
+var init_me_service = __esm({
+  "src/server/services/me.service.ts"() {
+    "use strict";
+    init_entities();
+  }
+});
+
+// src/server/services/permission.service.ts
+import { getDatabase as getDatabase6 } from "@spfn/core/db";
+import { eq as eq6, and as and6 } from "drizzle-orm";
+async function getUserPermissions(userId) {
+  const db = getDatabase6();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return [];
+  }
+  const permSet = /* @__PURE__ */ new Set();
+  const rolePerms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq6(rolePermissions.permissionId, permissions.id)).where(
+    and6(
+      eq6(rolePermissions.roleId, user.roleId),
+      eq6(permissions.isActive, true)
+    )
+  );
+  for (const perm of rolePerms) {
+    permSet.add(perm.name);
+  }
+  const userPerms = await db.select({
+    name: permissions.name,
+    granted: userPermissions.granted,
+    expiresAt: userPermissions.expiresAt
+  }).from(userPermissions).innerJoin(permissions, eq6(userPermissions.permissionId, permissions.id)).where(eq6(userPermissions.userId, userIdNum));
+  const now = /* @__PURE__ */ new Date();
+  for (const userPerm of userPerms) {
+    if (userPerm.expiresAt && userPerm.expiresAt < now) {
+      continue;
+    }
+    if (userPerm.granted) {
+      permSet.add(userPerm.name);
+    } else {
+      permSet.delete(userPerm.name);
+    }
+  }
+  return Array.from(permSet);
+}
+async function hasAllPermissions(userId, permissionNames) {
+  const perms = await getUserPermissions(userId);
+  return permissionNames.every((p) => perms.includes(p));
+}
+async function hasRole(userId, roleName) {
+  const db = getDatabase6();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return false;
+  }
+  const [role] = await db.select({ name: roles.name }).from(roles).where(eq6(roles.id, user.roleId)).limit(1);
+  return role?.name === roleName;
+}
+async function hasAnyRole(userId, roleNames) {
+  for (const roleName of roleNames) {
+    if (await hasRole(userId, roleName)) {
+      return true;
+    }
+  }
+  return false;
+}
+var init_permission_service = __esm({
+  "src/server/services/permission.service.ts"() {
+    "use strict";
+    init_entities();
+  }
+});
+
 // src/server/services/invitation.service.ts
 import { getDatabase as getDatabase7 } from "@spfn/core/db";
 import { eq as eq7, and as and7, lt, desc, sql as sql2 } from "drizzle-orm";
@@ -8685,6 +8676,7 @@ var init_services = __esm({
     init_verification_service();
     init_key_service();
     init_user_service();
+    init_me_service();
     init_rbac_service();
     init_permission_service();
     init_role_service();
@@ -8699,7 +8691,6 @@ var init_auth2 = __esm({
   "src/server/routes/auth/index.ts"() {
     "use strict";
     init_contracts();
-    init_middleware();
     init_helpers3();
     init_services();
     app = createApp();
@@ -8728,12 +8719,16 @@ var init_auth2 = __esm({
       const result = await loginService(body);
       return c.success(result);
     });
-    app.bind(logoutContract, [authenticate], async (c) => {
-      const { keyId, userId } = getAuth(c);
+    app.bind(logoutContract, async (c) => {
+      const auth = getAuth(c);
+      if (!auth) {
+        return c.success({ success: true });
+      }
+      const { keyId, userId } = auth;
       await logoutService({ userId: Number(userId), keyId });
       return c.success({ success: true });
     });
-    app.bind(rotateKeyContract, [authenticate], async (c) => {
+    app.bind(rotateKeyContract, async (c) => {
       const body = await c.data();
       const { keyId: oldKeyId, userId } = getAuth(c);
       const result = await rotateKeyService({
@@ -8746,7 +8741,7 @@ var init_auth2 = __esm({
       });
       return c.success(result);
     });
-    app.bind(changePasswordContract, [authenticate], async (c) => {
+    app.bind(changePasswordContract, async (c) => {
       const body = await c.data();
       const user = getUser(c);
       await changePasswordService({
@@ -8757,10 +8752,147 @@ var init_auth2 = __esm({
       });
       return c.success({ success: true });
     });
+    app.bind(getMeContract, async (c) => {
+      const { userId } = getAuth(c);
+      const result = await getMeService(userId);
+      return c.success(result);
+    });
     auth_default = app;
   }
 });
 
+// src/server/middleware/authenticate.ts
+import { findOne as findOne3, getDatabase as getDatabase8 } from "@spfn/core/db";
+import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
+import { eq as eq8, and as and8 } from "drizzle-orm";
+async function authenticate(c, next) {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    throw new UnauthorizedError2("Missing or invalid authorization header");
+  }
+  const token = authHeader.substring(7);
+  const { decodeToken: decodeToken2 } = await Promise.resolve().then(() => (init_jwt(), jwt_exports));
+  const decoded = decodeToken2(token);
+  if (!decoded || !decoded.keyId) {
+    throw new UnauthorizedError2("Invalid token: missing keyId");
+  }
+  const keyId = decoded.keyId;
+  const db = getDatabase8();
+  const [keyRecord] = await db.select().from(userPublicKeys).where(
+    and8(
+      eq8(userPublicKeys.keyId, keyId),
+      eq8(userPublicKeys.isActive, true)
+    )
+  );
+  if (!keyRecord) {
+    throw new UnauthorizedError2("Invalid or revoked key");
+  }
+  if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
+    throw new KeyExpiredError();
+  }
+  try {
+    verifyClientToken(
+      token,
+      keyRecord.publicKey,
+      keyRecord.algorithm
+    );
+  } catch (err) {
+    if (err instanceof Error) {
+      if (err.name === "TokenExpiredError") {
+        throw new TokenExpiredError();
+      }
+      if (err.name === "JsonWebTokenError") {
+        throw new InvalidTokenError("Invalid token signature");
+      }
+    }
+    throw new UnauthorizedError2("Authentication failed");
+  }
+  const user = await findOne3(users, { id: keyRecord.userId });
+  if (!user) {
+    throw new UnauthorizedError2("User not found");
+  }
+  if (user.status !== "active") {
+    throw new AccountDisabledError(user.status);
+  }
+  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq8(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
+  c.set("auth", {
+    user,
+    userId: String(user.id),
+    keyId
+  });
+  await next();
+}
+var init_authenticate = __esm({
+  "src/server/middleware/authenticate.ts"() {
+    "use strict";
+    init_jwt();
+    init_entities();
+    init_errors();
+  }
+});
+
+// src/server/middleware/require-permission.ts
+import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
+function requirePermissions(...permissionNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError2("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAllPermissions(userId, permissionNames);
+    if (!allowed) {
+      throw new ForbiddenError2(
+        `Missing required permissions: ${permissionNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
+var init_require_permission = __esm({
+  "src/server/middleware/require-permission.ts"() {
+    "use strict";
+    init_context2();
+    init_permission_service();
+  }
+});
+
+// src/server/middleware/require-role.ts
+import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
+function requireRole(...roleNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError3("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAnyRole(userId, roleNames);
+    if (!allowed) {
+      throw new ForbiddenError3(
+        `Required roles: ${roleNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
+var init_require_role = __esm({
+  "src/server/middleware/require-role.ts"() {
+    "use strict";
+    init_context2();
+    init_permission_service();
+  }
+});
+
+// src/server/middleware/index.ts
+var init_middleware = __esm({
+  "src/server/middleware/index.ts"() {
+    "use strict";
+    init_authenticate();
+    init_require_permission();
+    init_require_role();
+  }
+});
+
 // src/server/routes/invitations/index.ts
 import { createApp as createApp2 } from "@spfn/core/route";
 var app2, invitations_default;
@@ -8804,7 +8936,7 @@ var init_invitations2 = __esm({
       });
       return c.success(result);
     });
-    app2.bind(createInvitationContract, [authenticate], async (c) => {
+    app2.bind(createInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
       const body = await c.data();
       const { userId } = getAuth(c);
       const invitation = await createInvitation({
@@ -8825,7 +8957,7 @@ var init_invitations2 = __esm({
         invitationUrl
       });
     });
-    app2.bind(listInvitationsContract, [authenticate], async (c) => {
+    app2.bind(listInvitationsContract, [authenticate, requirePermissions("user:read")], async (c) => {
       const query = await c.data();
       const result = await listInvitations({
         status: query.status,
@@ -8844,7 +8976,7 @@ var init_invitations2 = __esm({
         invitations: formattedInvitations
       });
     });
-    app2.bind(cancelInvitationContract, [authenticate], async (c) => {
+    app2.bind(cancelInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
       const data = await c.data();
       const { userId } = getAuth(c);
       await cancelInvitation(
@@ -8857,7 +8989,7 @@ var init_invitations2 = __esm({
         cancelledAt: (/* @__PURE__ */ new Date()).toISOString()
       });
     });
-    app2.bind(resendInvitationContract, [authenticate], async (c) => {
+    app2.bind(resendInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
       const data = await c.data();
       const updated = await resendInvitation(
         data.id,
@@ -8868,7 +9000,7 @@ var init_invitations2 = __esm({
         expiresAt: updated.expiresAt.toISOString()
       });
     });
-    app2.bind(deleteInvitationContract, [authenticate], async (c) => {
+    app2.bind(deleteInvitationContract, [authenticate, requireRole("superadmin")], async (c) => {
       const data = await c.data();
       await deleteInvitation(data.id);
       return c.success({
@@ -8900,8 +9032,8 @@ var init_routes = __esm({
 
 // src/plugin.ts
 init_rbac_service();
-import { logger } from "@spfn/core/logger";
-var authLogger = logger.child("auth-plugin");
+import { logger as logger2 } from "@spfn/core/logger";
+var authLogger2 = logger2.child("auth-plugin");
 var spfnPlugin = {
   name: "@spfn/auth",
   /**
@@ -8909,12 +9041,12 @@ var spfnPlugin = {
    * Creates default roles (user, admin, superadmin) and permissions
    */
   afterInfrastructure: async () => {
-    authLogger.info("Initializing authentication system...");
+    authLogger2.info("Initializing authentication system...");
     try {
       await initializeAuth();
-      authLogger.info("Authentication system initialized successfully");
+      authLogger2.info("Authentication system initialized successfully");
     } catch (error) {
-      authLogger.error("Failed to initialize authentication system", error);
+      authLogger2.error("Failed to initialize authentication system", error);
       throw error;
     }
   },
@@ -8923,13 +9055,13 @@ var spfnPlugin = {
    * Routes are auto-discovered from src/server/routes
    */
   beforeRoutes: async (app4) => {
-    authLogger.info("Mounting authentication routes...");
+    authLogger2.info("Mounting authentication routes...");
     try {
       const authRoutes = await Promise.resolve().then(() => (init_routes(), routes_exports));
       app4.route("/_auth", authRoutes.default);
-      authLogger.info("Authentication routes mounted at /_auth");
+      authLogger2.info("Authentication routes mounted at /_auth");
     } catch (error) {
-      authLogger.error("Failed to mount authentication routes", error);
+      authLogger2.error("Failed to mount authentication routes", error);
       throw error;
     }
   },
@@ -8937,7 +9069,7 @@ var spfnPlugin = {
    * Log successful startup
    */
   afterStart: async () => {
-    authLogger.info("@spfn/auth plugin started successfully", {
+    authLogger2.info("@spfn/auth plugin started successfully", {
       routes: "/_auth/*",
       rbac: "enabled"
     });