@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.86

package/dist/server/routes/invitations/index.js

@@ -8,15 +8,102 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/server/helpers/jwt.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decodeToken: () => decodeToken,
+  generateToken: () => generateToken,
+  verifyClientToken: () => verifyClientToken,
+  verifyKeyFingerprint: () => verifyKeyFingerprint,
+  verifyToken: () => verifyToken
+});
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+function generateToken(payload) {
+  return jwt.sign(payload, JWT_SECRET, {
+    expiresIn: JWT_EXPIRES_IN
+  });
+}
+function verifyToken(token) {
+  return jwt.verify(token, JWT_SECRET);
+}
+function verifyClientToken(token, publicKeyB64, algorithm) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const publicKeyObject = crypto.createPublicKey({
+      key: publicKeyDER,
+      format: "der",
+      type: "spki"
+    });
+    const decoded = jwt.verify(token, publicKeyObject, {
+      algorithms: [algorithm],
+      // Prevent algorithm confusion attacks
+      issuer: "spfn-client"
+      // Validate token issuer
+    });
+    if (typeof decoded === "string") {
+      throw new Error("Invalid token format: expected object payload");
+    }
+    return decoded;
+  } catch (error) {
+    if (error instanceof jwt.TokenExpiredError) {
+      throw new Error("Token has expired");
+    }
+    if (error instanceof jwt.JsonWebTokenError) {
+      throw new Error("Invalid token signature");
+    }
+    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+  }
+}
+function decodeToken(token) {
+  try {
+    return jwt.decode(token);
+  } catch {
+    return null;
+  }
+}
+function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
+    return fingerprint === expectedFingerprint;
+  } catch (error) {
+    console.error("Failed to verify key fingerprint:", error);
+    return false;
+  }
+}
+var JWT_SECRET, JWT_EXPIRES_IN;
+var init_jwt = __esm({
+  "src/server/helpers/jwt.ts"() {
+    "use strict";
+    JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
+    process.env.JWT_SECRET || // Legacy fallback
+    "dev-secret-key-change-in-production";
+    JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
+    process.env.JWT_EXPIRES_IN || // Legacy fallback
+    "7d";
+  }
+});
+
+// src/server/entities/schema.ts
+import { createFunctionSchema } from "@spfn/core/db";
+var authSchema;
+var init_schema = __esm({
+  "src/server/entities/schema.ts"() {
+    "use strict";
+    authSchema = createFunctionSchema("@spfn/auth");
+  }
+});
+
 // src/server/entities/roles.ts
 import { text, boolean, integer, index } from "drizzle-orm/pg-core";
-import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
-var schema, roles;
+import { id, timestamps } from "@spfn/core/db";
+var roles;
 var init_roles = __esm({
   "src/server/entities/roles.ts"() {
     "use strict";
-    schema = createFunctionSchema("@spfn/auth");
-    roles = schema.table(
+    init_schema();
+    roles = authSchema.table(
       "roles",
       {
         // Primary key
@@ -58,15 +145,15 @@ var init_roles = __esm({
 
 // src/server/entities/users.ts
 import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
-import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { id as id2, timestamps as timestamps2 } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
-var schema2, users;
+var users;
 var init_users = __esm({
   "src/server/entities/users.ts"() {
     "use strict";
     init_roles();
-    schema2 = createFunctionSchema2("@spfn/auth");
-    users = schema2.table(
+    init_schema();
+    users = authSchema.table(
       "users",
       {
         // Identity
@@ -131,14 +218,14 @@ var init_users = __esm({
 
 // src/server/entities/user-social-accounts.ts
 import { text as text3, timestamp as timestamp2, uniqueIndex } from "drizzle-orm/pg-core";
-import { id as id3, timestamps as timestamps3, foreignKey, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
-var schema3, userSocialAccounts;
+import { id as id3, timestamps as timestamps3, foreignKey } from "@spfn/core/db";
+var userSocialAccounts;
 var init_user_social_accounts = __esm({
   "src/server/entities/user-social-accounts.ts"() {
     "use strict";
     init_users();
-    schema3 = createFunctionSchema3("@spfn/auth");
-    userSocialAccounts = schema3.table(
+    init_schema();
+    userSocialAccounts = authSchema.table(
       "user_social_accounts",
       {
         id: id3(),
@@ -169,14 +256,14 @@ var init_user_social_accounts = __esm({
 
 // src/server/entities/user-public-keys.ts
 import { text as text4, timestamp as timestamp3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
-import { id as id4, foreignKey as foreignKey2, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
-var schema4, userPublicKeys;
+import { id as id4, foreignKey as foreignKey2 } from "@spfn/core/db";
+var userPublicKeys;
 var init_user_public_keys = __esm({
   "src/server/entities/user-public-keys.ts"() {
     "use strict";
     init_users();
-    schema4 = createFunctionSchema4("@spfn/auth");
-    userPublicKeys = schema4.table(
+    init_schema();
+    userPublicKeys = authSchema.table(
       "user_public_keys",
       {
         id: id4(),
@@ -214,13 +301,13 @@ var init_user_public_keys = __esm({
 
 // src/server/entities/verification-codes.ts
 import { text as text5, timestamp as timestamp4, index as index4 } from "drizzle-orm/pg-core";
-import { id as id5, timestamps as timestamps4, createFunctionSchema as createFunctionSchema5 } from "@spfn/core/db";
-var schema5, verificationCodes;
+import { id as id5, timestamps as timestamps4 } from "@spfn/core/db";
+var verificationCodes;
 var init_verification_codes = __esm({
   "src/server/entities/verification-codes.ts"() {
     "use strict";
-    schema5 = createFunctionSchema5("@spfn/auth");
-    verificationCodes = schema5.table(
+    init_schema();
+    verificationCodes = authSchema.table(
       "verification_codes",
       {
         id: id5(),
@@ -261,15 +348,15 @@ var init_verification_codes = __esm({
 
 // src/server/entities/invitations.ts
 import { text as text6, timestamp as timestamp5, bigint as bigint2, index as index5, jsonb } from "drizzle-orm/pg-core";
-import { id as id6, timestamps as timestamps5, createFunctionSchema as createFunctionSchema6 } from "@spfn/core/db";
-var schema6, invitations;
+import { id as id6, timestamps as timestamps5 } from "@spfn/core/db";
+var invitations;
 var init_invitations = __esm({
   "src/server/entities/invitations.ts"() {
     "use strict";
     init_roles();
     init_users();
-    schema6 = createFunctionSchema6("@spfn/auth");
-    invitations = schema6.table(
+    init_schema();
+    invitations = authSchema.table(
       "user_invitations",
       {
         // Primary key
@@ -337,13 +424,13 @@ var init_invitations = __esm({
 
 // src/server/entities/permissions.ts
 import { text as text7, boolean as boolean4, index as index6 } from "drizzle-orm/pg-core";
-import { id as id7, timestamps as timestamps6, createFunctionSchema as createFunctionSchema7 } from "@spfn/core/db";
-var schema7, permissions;
+import { id as id7, timestamps as timestamps6 } from "@spfn/core/db";
+var permissions;
 var init_permissions = __esm({
   "src/server/entities/permissions.ts"() {
     "use strict";
-    schema7 = createFunctionSchema7("@spfn/auth");
-    permissions = schema7.table(
+    init_schema();
+    permissions = authSchema.table(
       "permissions",
       {
         // Primary key
@@ -384,15 +471,15 @@ var init_permissions = __esm({
 
 // src/server/entities/role-permissions.ts
 import { bigint as bigint3, index as index7, unique } from "drizzle-orm/pg-core";
-import { id as id8, timestamps as timestamps7, createFunctionSchema as createFunctionSchema8 } from "@spfn/core/db";
-var schema8, rolePermissions;
+import { id as id8, timestamps as timestamps7 } from "@spfn/core/db";
+var rolePermissions;
 var init_role_permissions = __esm({
   "src/server/entities/role-permissions.ts"() {
     "use strict";
     init_roles();
     init_permissions();
-    schema8 = createFunctionSchema8("@spfn/auth");
-    rolePermissions = schema8.table(
+    init_schema();
+    rolePermissions = authSchema.table(
       "role_permissions",
       {
         // Primary key
@@ -416,15 +503,15 @@ var init_role_permissions = __esm({
 
 // src/server/entities/user-permissions.ts
 import { bigint as bigint4, boolean as boolean5, text as text8, timestamp as timestamp6, index as index8, unique as unique2 } from "drizzle-orm/pg-core";
-import { id as id9, timestamps as timestamps8, createFunctionSchema as createFunctionSchema9 } from "@spfn/core/db";
-var schema9, userPermissions;
+import { id as id9, timestamps as timestamps8 } from "@spfn/core/db";
+var userPermissions;
 var init_user_permissions = __esm({
   "src/server/entities/user-permissions.ts"() {
     "use strict";
     init_users();
     init_permissions();
-    schema9 = createFunctionSchema9("@spfn/auth");
-    userPermissions = schema9.table(
+    init_schema();
+    userPermissions = authSchema.table(
       "user_permissions",
       {
         // Primary key
@@ -460,6 +547,7 @@ var init_user_permissions = __esm({
 // src/server/entities/index.ts
 var entities_exports = {};
 __export(entities_exports, {
+  authSchema: () => authSchema,
   invitations: () => invitations,
   permissions: () => permissions,
   rolePermissions: () => rolePermissions,
@@ -473,6 +561,7 @@ __export(entities_exports, {
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
     "use strict";
+    init_schema();
     init_users();
     init_user_social_accounts();
     init_user_public_keys();
@@ -486,8 +575,8 @@ var init_entities = __esm({
 });
 
 // src/server/services/role.service.ts
-import { getDatabase as getDatabase6 } from "@spfn/core/db";
-import { eq as eq6, and as and6 } from "drizzle-orm";
+import { getDatabase as getDatabase7 } from "@spfn/core/db";
+import { eq as eq7, and as and7 } from "drizzle-orm";
 var init_role_service = __esm({
   "src/server/services/role.service.ts"() {
     "use strict";
@@ -598,8 +687,8 @@ function Clone(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/clone/type.mjs
-function CloneType(schema10, options) {
-  return options === void 0 ? Clone(schema10) : Clone({ ...options, ...schema10 });
+function CloneType(schema, options) {
+  return options === void 0 ? Clone(schema) : Clone({ ...options, ...schema });
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/value/guard/guard.mjs
@@ -676,8 +765,8 @@ function Immutable(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/create/type.mjs
-function CreateType(schema10, options) {
-  const result = options !== void 0 ? { ...options, ...schema10 } : schema10;
+function CreateType(schema, options) {
+  const result = options !== void 0 ? { ...options, ...schema } : schema;
   switch (TypeSystemPolicy.InstanceMode) {
     case "freeze":
       return Immutable(result);
@@ -995,16 +1084,16 @@ function IsBoolean3(value) {
   return IsKindOf2(value, "Boolean") && value.type === "boolean" && IsOptionalString(value.$id);
 }
 function IsComputed2(value) {
-  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema));
 }
 function IsConstructor2(value) {
-  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsDate3(value) {
   return IsKindOf2(value, "Date") && value.type === "Date" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximumTimestamp) && IsOptionalNumber(value.exclusiveMinimumTimestamp) && IsOptionalNumber(value.maximumTimestamp) && IsOptionalNumber(value.minimumTimestamp) && IsOptionalNumber(value.multipleOfTimestamp);
 }
 function IsFunction3(value) {
-  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsImport(value) {
   return IsKindOf2(value, "Import") && HasPropertyKey(value, "$defs") && IsObject(value.$defs) && IsProperties(value.$defs) && HasPropertyKey(value, "$ref") && IsString(value.$ref) && value.$ref in value.$defs;
@@ -1013,10 +1102,10 @@ function IsInteger2(value) {
   return IsKindOf2(value, "Integer") && value.type === "integer" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximum) && IsOptionalNumber(value.exclusiveMinimum) && IsOptionalNumber(value.maximum) && IsOptionalNumber(value.minimum) && IsOptionalNumber(value.multipleOf);
 }
 function IsProperties(value) {
-  return IsObject(value) && Object.entries(value).every(([key, schema10]) => IsControlCharacterFree(key) && IsSchema2(schema10));
+  return IsObject(value) && Object.entries(value).every(([key, schema]) => IsControlCharacterFree(key) && IsSchema2(schema));
 }
 function IsIntersect2(value) {
-  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema10) => IsSchema2(schema10) && !IsTransform2(schema10)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
+  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema) => IsSchema2(schema) && !IsTransform2(schema)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
 }
 function IsIterator3(value) {
   return IsKindOf2(value, "Iterator") && value.type === "Iterator" && IsOptionalString(value.$id) && IsSchema2(value.items);
@@ -1064,9 +1153,9 @@ function IsPromise2(value) {
   return IsKindOf2(value, "Promise") && value.type === "Promise" && IsOptionalString(value.$id) && IsSchema2(value.item);
 }
 function IsRecord2(value) {
-  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema10) => {
-    const keys = Object.getOwnPropertyNames(schema10.patternProperties);
-    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema10.patternProperties) && IsSchema2(schema10.patternProperties[keys[0]]);
+  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema) => {
+    const keys = Object.getOwnPropertyNames(schema.patternProperties);
+    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema.patternProperties) && IsSchema2(schema.patternProperties[keys[0]]);
   })(value);
 }
 function IsRecursive(value) {
@@ -1095,16 +1184,16 @@ function IsTransform2(value) {
 }
 function IsTuple2(value) {
   return IsKindOf2(value, "Tuple") && value.type === "array" && IsOptionalString(value.$id) && IsNumber(value.minItems) && IsNumber(value.maxItems) && value.minItems === value.maxItems && // empty
-  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema10) => IsSchema2(schema10)));
+  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema) => IsSchema2(schema)));
 }
 function IsUndefined4(value) {
   return IsKindOf2(value, "Undefined") && value.type === "undefined" && IsOptionalString(value.$id);
 }
 function IsUnionLiteral(value) {
-  return IsUnion2(value) && value.anyOf.every((schema10) => IsLiteralString(schema10) || IsLiteralNumber(schema10));
+  return IsUnion2(value) && value.anyOf.every((schema) => IsLiteralString(schema) || IsLiteralNumber(schema));
 }
 function IsUnion2(value) {
-  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema) => IsSchema2(schema));
 }
 function IsUint8Array3(value) {
   return IsKindOf2(value, "Uint8Array") && value.type === "Uint8Array" && IsOptionalString(value.$id) && IsOptionalNumber(value.minByteLength) && IsOptionalNumber(value.maxByteLength);
@@ -1386,8 +1475,8 @@ function IsTemplateLiteralExpressionFinite(expression) {
     throw new TemplateLiteralFiniteError(`Unknown expression type`);
   })();
 }
-function IsTemplateLiteralFinite(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function IsTemplateLiteralFinite(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression);
 }
 
@@ -1418,8 +1507,8 @@ function* TemplateLiteralExpressionGenerate(expression) {
     throw new TemplateLiteralGenerateError("Unknown expression");
   })();
 }
-function TemplateLiteralGenerate(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function TemplateLiteralGenerate(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression) ? [...TemplateLiteralExpressionGenerate(expression)] : [];
 }
 
@@ -1495,18 +1584,18 @@ var TemplateLiteralPatternError = class extends TypeBoxError {
 function Escape(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
-function Visit2(schema10, acc) {
-  return IsTemplateLiteral(schema10) ? schema10.pattern.slice(1, schema10.pattern.length - 1) : IsUnion(schema10) ? `(${schema10.anyOf.map((schema11) => Visit2(schema11, acc)).join("|")})` : IsNumber3(schema10) ? `${acc}${PatternNumber}` : IsInteger(schema10) ? `${acc}${PatternNumber}` : IsBigInt2(schema10) ? `${acc}${PatternNumber}` : IsString2(schema10) ? `${acc}${PatternString}` : IsLiteral(schema10) ? `${acc}${Escape(schema10.const.toString())}` : IsBoolean2(schema10) ? `${acc}${PatternBoolean}` : (() => {
-    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema10[Kind]}'`);
+function Visit2(schema, acc) {
+  return IsTemplateLiteral(schema) ? schema.pattern.slice(1, schema.pattern.length - 1) : IsUnion(schema) ? `(${schema.anyOf.map((schema2) => Visit2(schema2, acc)).join("|")})` : IsNumber3(schema) ? `${acc}${PatternNumber}` : IsInteger(schema) ? `${acc}${PatternNumber}` : IsBigInt2(schema) ? `${acc}${PatternNumber}` : IsString2(schema) ? `${acc}${PatternString}` : IsLiteral(schema) ? `${acc}${Escape(schema.const.toString())}` : IsBoolean2(schema) ? `${acc}${PatternBoolean}` : (() => {
+    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema[Kind]}'`);
   })();
 }
 function TemplateLiteralPattern(kinds) {
-  return `^${kinds.map((schema10) => Visit2(schema10, "")).join("")}$`;
+  return `^${kinds.map((schema) => Visit2(schema, "")).join("")}$`;
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/union.mjs
-function TemplateLiteralToUnion(schema10) {
-  const R = TemplateLiteralGenerate(schema10);
+function TemplateLiteralToUnion(schema) {
+  const R = TemplateLiteralGenerate(schema);
   const L = R.map((S) => Literal(S));
   return UnionEvaluated(L);
 }
@@ -1643,18 +1732,18 @@ function Promise2(item, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly.mjs
-function RemoveReadonly(schema10) {
-  return CreateType(Discard(schema10, [ReadonlyKind]));
+function RemoveReadonly(schema) {
+  return CreateType(Discard(schema, [ReadonlyKind]));
 }
-function AddReadonly(schema10) {
-  return CreateType({ ...schema10, [ReadonlyKind]: "Readonly" });
+function AddReadonly(schema) {
+  return CreateType({ ...schema, [ReadonlyKind]: "Readonly" });
 }
-function ReadonlyWithFlag(schema10, F) {
-  return F === false ? RemoveReadonly(schema10) : AddReadonly(schema10);
+function ReadonlyWithFlag(schema, F) {
+  return F === false ? RemoveReadonly(schema) : AddReadonly(schema);
 }
-function Readonly(schema10, enable) {
+function Readonly(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? ReadonlyFromMappedResult(schema10, F) : ReadonlyWithFlag(schema10, F);
+  return IsMappedResult(schema) ? ReadonlyFromMappedResult(schema, F) : ReadonlyWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly-from-mapped-result.mjs
@@ -1733,18 +1822,18 @@ function Mapped(key, map, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional.mjs
-function RemoveOptional(schema10) {
-  return CreateType(Discard(schema10, [OptionalKind]));
+function RemoveOptional(schema) {
+  return CreateType(Discard(schema, [OptionalKind]));
 }
-function AddOptional(schema10) {
-  return CreateType({ ...schema10, [OptionalKind]: "Optional" });
+function AddOptional(schema) {
+  return CreateType({ ...schema, [OptionalKind]: "Optional" });
 }
-function OptionalWithFlag(schema10, F) {
-  return F === false ? RemoveOptional(schema10) : AddOptional(schema10);
+function OptionalWithFlag(schema, F) {
+  return F === false ? RemoveOptional(schema) : AddOptional(schema);
 }
-function Optional(schema10, enable) {
+function Optional(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? OptionalFromMappedResult(schema10, F) : OptionalWithFlag(schema10, F);
+  return IsMappedResult(schema) ? OptionalFromMappedResult(schema, F) : OptionalWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional-from-mapped-result.mjs
@@ -1764,7 +1853,7 @@ function OptionalFromMappedResult(R, F) {
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/intersect/intersect-create.mjs
 function IntersectCreate(T, options = {}) {
-  const allObjects = T.every((schema10) => IsObject3(schema10));
+  const allObjects = T.every((schema) => IsObject3(schema));
   const clonedUnevaluatedProperties = IsSchema(options.unevaluatedProperties) ? { unevaluatedProperties: options.unevaluatedProperties } : {};
   return CreateType(options.unevaluatedProperties === false || IsSchema(options.unevaluatedProperties) || allObjects ? { ...clonedUnevaluatedProperties, [Kind]: "Intersect", type: "object", allOf: T } : { ...clonedUnevaluatedProperties, [Kind]: "Intersect", allOf: T }, options);
 }
@@ -1787,7 +1876,7 @@ function IntersectEvaluated(types, options = {}) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return ResolveIntersect(types, options);
 }
@@ -1798,7 +1887,7 @@ function Intersect(types, options) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return IntersectCreate(types, options);
 }
@@ -1989,8 +2078,8 @@ function Const(T, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/constructor-parameters/constructor-parameters.mjs
-function ConstructorParameters(schema10, options) {
-  return IsConstructor(schema10) ? Tuple(schema10.parameters, options) : Never(options);
+function ConstructorParameters(schema, options) {
+  return IsConstructor(schema) ? Tuple(schema.parameters, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/enum/enum.mjs
@@ -2028,7 +2117,7 @@ function FromAnyRight(left, right) {
   return ExtendsResult.True;
 }
 function FromAny(left, right) {
-  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema10) => type_exports.IsAny(schema10) || type_exports.IsUnknown(schema10)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
+  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema) => type_exports.IsAny(schema) || type_exports.IsUnknown(schema)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
 }
 function FromArrayRight(left, right) {
   return type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : type_exports.IsNever(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -2049,13 +2138,13 @@ function FromBoolean(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsBoolean(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromConstructor(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromDate(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsDate(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromFunction(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromIntegerRight(left, right) {
   return type_exports.IsLiteral(left) && value_exports.IsNumber(left.const) ? ExtendsResult.True : type_exports.IsNumber(left) || type_exports.IsInteger(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -2064,10 +2153,10 @@ function FromInteger(left, right) {
   return type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : ExtendsResult.False;
 }
 function FromIntersectRight(left, right) {
-  return right.allOf.every((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.allOf.every((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIntersect4(left, right) {
-  return left.allOf.some((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.allOf.some((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIterator(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : !type_exports.IsIterator(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.items, right.items));
@@ -2081,8 +2170,8 @@ function FromNeverRight(left, right) {
 function FromNever(left, right) {
   return ExtendsResult.True;
 }
-function UnwrapTNot(schema10) {
-  let [current, depth] = [schema10, 0];
+function UnwrapTNot(schema) {
+  let [current, depth] = [schema, 0];
   while (true) {
     if (!type_exports.IsNot(current))
       break;
@@ -2103,44 +2192,44 @@ function FromNumberRight(left, right) {
 function FromNumber(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : ExtendsResult.False;
 }
-function IsObjectPropertyCount(schema10, count) {
-  return Object.getOwnPropertyNames(schema10.properties).length === count;
+function IsObjectPropertyCount(schema, count) {
+  return Object.getOwnPropertyNames(schema.properties).length === count;
 }
-function IsObjectStringLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectStringLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectSymbolLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "description" in schema10.properties && type_exports.IsUnion(schema10.properties.description) && schema10.properties.description.anyOf.length === 2 && (type_exports.IsString(schema10.properties.description.anyOf[0]) && type_exports.IsUndefined(schema10.properties.description.anyOf[1]) || type_exports.IsString(schema10.properties.description.anyOf[1]) && type_exports.IsUndefined(schema10.properties.description.anyOf[0]));
+function IsObjectSymbolLike(schema) {
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "description" in schema.properties && type_exports.IsUnion(schema.properties.description) && schema.properties.description.anyOf.length === 2 && (type_exports.IsString(schema.properties.description.anyOf[0]) && type_exports.IsUndefined(schema.properties.description.anyOf[1]) || type_exports.IsString(schema.properties.description.anyOf[1]) && type_exports.IsUndefined(schema.properties.description.anyOf[0]));
 }
-function IsObjectNumberLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectNumberLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBooleanLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBooleanLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBigIntLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBigIntLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectDateLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectDateLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectUint8ArrayLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectUint8ArrayLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectFunctionLike(schema10) {
+function IsObjectFunctionLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectConstructorLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectConstructorLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectArrayLike(schema10) {
+function IsObjectArrayLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectPromiseLike(schema10) {
+function IsObjectPromiseLike(schema) {
   const then = Function([Any()], Any());
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "then" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["then"], then)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "then" in schema.properties && IntoBooleanResult(Visit3(schema.properties["then"], then)) === ExtendsResult.True;
 }
 function Property(left, right) {
   return Visit3(left, right) === ExtendsResult.False ? ExtendsResult.False : type_exports.IsOptional(left) && !type_exports.IsOptional(right) ? ExtendsResult.False : ExtendsResult.True;
@@ -2171,11 +2260,11 @@ function FromObject(left, right) {
 function FromPromise2(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectPromiseLike(right) ? ExtendsResult.True : !type_exports.IsPromise(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.item, right.item));
 }
-function RecordKey(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? Number2() : PatternStringExact in schema10.patternProperties ? String2() : Throw("Unknown record key pattern");
+function RecordKey(schema) {
+  return PatternNumberExact in schema.patternProperties ? Number2() : PatternStringExact in schema.patternProperties ? String2() : Throw("Unknown record key pattern");
 }
-function RecordValue(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? schema10.patternProperties[PatternNumberExact] : PatternStringExact in schema10.patternProperties ? schema10.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
+function RecordValue(schema) {
+  return PatternNumberExact in schema.patternProperties ? schema.patternProperties[PatternNumberExact] : PatternStringExact in schema.patternProperties ? schema.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
 }
 function FromRecordRight(left, right) {
   const [Key, Value] = [RecordKey(right), RecordValue(right)];
@@ -2209,13 +2298,13 @@ function FromTemplateLiteral2(left, right) {
   return type_exports.IsTemplateLiteral(left) ? Visit3(TemplateLiteralToUnion(left), right) : type_exports.IsTemplateLiteral(right) ? Visit3(left, TemplateLiteralToUnion(right)) : Throw("Invalid fallthrough for TemplateLiteral");
 }
 function IsArrayOfTuple(left, right) {
-  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema10) => Visit3(schema10, right.items) === ExtendsResult.True);
+  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema) => Visit3(schema, right.items) === ExtendsResult.True);
 }
 function FromTupleRight(left, right) {
   return type_exports.IsNever(left) ? ExtendsResult.True : type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : ExtendsResult.False;
 }
 function FromTuple3(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema10, index9) => Visit3(schema10, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema, index9) => Visit3(schema, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUint8Array(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsUint8Array(right) ? ExtendsResult.True : ExtendsResult.False;
@@ -2224,10 +2313,10 @@ function FromUndefined(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsVoid(right) ? FromVoidRight(left, right) : type_exports.IsUndefined(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnionRight(left, right) {
-  return right.anyOf.some((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.anyOf.some((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnion6(left, right) {
-  return left.anyOf.every((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.anyOf.every((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnknownRight(left, right) {
   return ExtendsResult.True;
@@ -2364,13 +2453,13 @@ function ExtractFromMappedResult(R, T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/instance-type/instance-type.mjs
-function InstanceType(schema10, options) {
-  return IsConstructor(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function InstanceType(schema, options) {
+  return IsConstructor(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly-optional/readonly-optional.mjs
-function ReadonlyOptional(schema10) {
-  return Readonly(Optional(schema10));
+function ReadonlyOptional(schema) {
+  return Readonly(Optional(schema));
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/record/record.mjs
@@ -2543,11 +2632,11 @@ function ApplyUppercase(value) {
 function ApplyLowercase(value) {
   return value.toLowerCase();
 }
-function FromTemplateLiteral3(schema10, mode, options) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function FromTemplateLiteral3(schema, mode, options) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   const finite = IsTemplateLiteralExpressionFinite(expression);
   if (!finite)
-    return { ...schema10, pattern: FromLiteralValue(schema10.pattern, mode) };
+    return { ...schema, pattern: FromLiteralValue(schema.pattern, mode) };
   const strings = [...TemplateLiteralExpressionGenerate(expression)];
   const literals = strings.map((value) => Literal(value));
   const mapped = FromRest5(literals, mode);
@@ -2560,14 +2649,14 @@ function FromLiteralValue(value, mode) {
 function FromRest5(T, M) {
   return T.map((L) => Intrinsic(L, M));
 }
-function Intrinsic(schema10, mode, options = {}) {
+function Intrinsic(schema, mode, options = {}) {
   return (
     // Intrinsic-Mapped-Inference
-    IsMappedKey(schema10) ? IntrinsicFromMappedKey(schema10, mode, options) : (
+    IsMappedKey(schema) ? IntrinsicFromMappedKey(schema, mode, options) : (
       // Standard-Inference
-      IsTemplateLiteral(schema10) ? FromTemplateLiteral3(schema10, mode, options) : IsUnion(schema10) ? Union(FromRest5(schema10.anyOf, mode), options) : IsLiteral(schema10) ? Literal(FromLiteralValue(schema10.const, mode), options) : (
+      IsTemplateLiteral(schema) ? FromTemplateLiteral3(schema, mode, options) : IsUnion(schema) ? Union(FromRest5(schema.anyOf, mode), options) : IsLiteral(schema) ? Literal(FromLiteralValue(schema.const, mode), options) : (
         // Default Type
-        CreateType(schema10, options)
+        CreateType(schema, options)
       )
     )
   );
@@ -2964,8 +3053,8 @@ function Not(type, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/parameters/parameters.mjs
-function Parameters(schema10, options) {
-  return IsFunction2(schema10) ? Tuple(schema10.parameters, options) : Never();
+function Parameters(schema, options) {
+  return IsFunction2(schema) ? Tuple(schema.parameters, options) : Never();
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/recursive/recursive.mjs
@@ -2993,40 +3082,40 @@ function Rest(T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/return-type/return-type.mjs
-function ReturnType(schema10, options) {
-  return IsFunction2(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function ReturnType(schema, options) {
+  return IsFunction2(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/transform/transform.mjs
 var TransformDecodeBuilder = class {
-  constructor(schema10) {
-    this.schema = schema10;
+  constructor(schema) {
+    this.schema = schema;
   }
   Decode(decode) {
     return new TransformEncodeBuilder(this.schema, decode);
   }
 };
 var TransformEncodeBuilder = class {
-  constructor(schema10, decode) {
-    this.schema = schema10;
+  constructor(schema, decode) {
+    this.schema = schema;
     this.decode = decode;
   }
-  EncodeTransform(encode, schema10) {
-    const Encode = (value) => schema10[TransformKind].Encode(encode(value));
-    const Decode = (value) => this.decode(schema10[TransformKind].Decode(value));
+  EncodeTransform(encode, schema) {
+    const Encode = (value) => schema[TransformKind].Encode(encode(value));
+    const Decode = (value) => this.decode(schema[TransformKind].Decode(value));
     const Codec = { Encode, Decode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
-  EncodeSchema(encode, schema10) {
+  EncodeSchema(encode, schema) {
     const Codec = { Decode: this.decode, Encode: encode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
   Encode(encode) {
     return IsTransform(this.schema) ? this.EncodeTransform(encode, this.schema) : this.EncodeSchema(encode, this.schema);
   }
 };
-function Transform(schema10) {
-  return new TransformDecodeBuilder(schema10);
+function Transform(schema) {
+  return new TransformDecodeBuilder(schema);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/unsafe/unsafe.mjs
@@ -3404,6 +3493,33 @@ var changePasswordContract = {
     })
   )
 };
+var getMeContract = {
+  method: "GET",
+  path: "/_auth/me",
+  body: Type.Object({}),
+  response: ApiResponseSchema(
+    Type.Object({
+      userId: Type.String({ description: "User ID" }),
+      email: Type.Optional(Type.String({ description: "User email address" })),
+      phone: Type.Optional(Type.String({ description: "User phone number" })),
+      role: Type.Object({
+        id: Type.Number({ description: "Role ID" }),
+        name: Type.String({ description: "Role name (e.g., user, admin)" }),
+        displayName: Type.String({ description: "Display name for UI" }),
+        priority: Type.Number({ description: "Role priority level" })
+      }, { description: "User role information" }),
+      permissions: Type.Array(
+        Type.Object({
+          id: Type.Number({ description: "Permission ID" }),
+          name: Type.String({ description: "Permission name (e.g., user:delete)" }),
+          displayName: Type.String({ description: "Display name for UI" }),
+          category: Type.Optional(Type.String({ description: "Permission category" }))
+        }),
+        { description: "List of permissions granted through role" }
+      )
+    })
+  )
+};
 
 // src/lib/contracts/invitation.ts
 var UUID_PATTERN2 = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$";
@@ -3637,45 +3753,8 @@ var deleteInvitationContract = {
   )
 };
 
-// src/server/helpers/jwt.ts
-import jwt from "jsonwebtoken";
-import crypto from "crypto";
-var JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
-process.env.JWT_SECRET || // Legacy fallback
-"dev-secret-key-change-in-production";
-var JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
-process.env.JWT_EXPIRES_IN || // Legacy fallback
-"7d";
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    const decoded = jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      // Prevent algorithm confusion attacks
-      issuer: "spfn-client"
-      // Validate token issuer
-    });
-    if (typeof decoded === "string") {
-      throw new Error("Invalid token format: expected object payload");
-    }
-    return decoded;
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      throw new Error("Token has expired");
-    }
-    if (error instanceof jwt.JsonWebTokenError) {
-      throw new Error("Invalid token signature");
-    }
-    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
-  }
-}
-
 // src/server/middleware/authenticate.ts
+init_jwt();
 init_entities();
 import { findOne, getDatabase } from "@spfn/core/db";
 
@@ -3706,9 +3785,8 @@ var KeyExpiredError = class extends UnauthorizedError {
 };
 var AccountDisabledError = class extends ForbiddenError {
   constructor(status = "disabled") {
-    super(`Account is ${status}`);
+    super(`Account is ${status}`, { details: { status } });
     this.name = "AccountDisabledError";
-    this.details = { status };
   }
 };
 
@@ -3717,14 +3795,16 @@ import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
 import { eq, and } from "drizzle-orm";
 async function authenticate(c, next) {
   const authHeader = c.req.header("Authorization");
-  const keyId = c.req.header("X-Key-Id");
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
     throw new UnauthorizedError2("Missing or invalid authorization header");
   }
-  if (!keyId) {
-    throw new UnauthorizedError2("Missing X-Key-Id header");
-  }
   const token = authHeader.substring(7);
+  const { decodeToken: decodeToken2 } = await Promise.resolve().then(() => (init_jwt(), jwt_exports));
+  const decoded = decodeToken2(token);
+  if (!decoded || !decoded.keyId) {
+    throw new UnauthorizedError2("Invalid token: missing keyId");
+  }
+  const keyId = decoded.keyId;
   const db = getDatabase();
   const [keyRecord] = await db.select().from(userPublicKeys).where(
     and(
@@ -3783,12 +3863,107 @@ function getAuth(c) {
 init_entities();
 import { getDatabase as getDatabase2 } from "@spfn/core/db";
 import { eq as eq2, and as and2 } from "drizzle-orm";
+async function getUserPermissions(userId) {
+  const db = getDatabase2();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq2(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return [];
+  }
+  const permSet = /* @__PURE__ */ new Set();
+  const rolePerms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq2(rolePermissions.permissionId, permissions.id)).where(
+    and2(
+      eq2(rolePermissions.roleId, user.roleId),
+      eq2(permissions.isActive, true)
+    )
+  );
+  for (const perm of rolePerms) {
+    permSet.add(perm.name);
+  }
+  const userPerms = await db.select({
+    name: permissions.name,
+    granted: userPermissions.granted,
+    expiresAt: userPermissions.expiresAt
+  }).from(userPermissions).innerJoin(permissions, eq2(userPermissions.permissionId, permissions.id)).where(eq2(userPermissions.userId, userIdNum));
+  const now = /* @__PURE__ */ new Date();
+  for (const userPerm of userPerms) {
+    if (userPerm.expiresAt && userPerm.expiresAt < now) {
+      continue;
+    }
+    if (userPerm.granted) {
+      permSet.add(userPerm.name);
+    } else {
+      permSet.delete(userPerm.name);
+    }
+  }
+  return Array.from(permSet);
+}
+async function hasAllPermissions(userId, permissionNames) {
+  const perms = await getUserPermissions(userId);
+  return permissionNames.every((p) => perms.includes(p));
+}
+async function hasRole(userId, roleName) {
+  const db = getDatabase2();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq2(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return false;
+  }
+  const [role] = await db.select({ name: roles.name }).from(roles).where(eq2(roles.id, user.roleId)).limit(1);
+  return role?.name === roleName;
+}
+async function hasAnyRole(userId, roleNames) {
+  for (const roleName of roleNames) {
+    if (await hasRole(userId, roleName)) {
+      return true;
+    }
+  }
+  return false;
+}
 
 // src/server/middleware/require-permission.ts
 import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
+function requirePermissions(...permissionNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError2("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAllPermissions(userId, permissionNames);
+    if (!allowed) {
+      throw new ForbiddenError2(
+        `Missing required permissions: ${permissionNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
 
 // src/server/middleware/require-role.ts
 import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
+function requireRole(...roleNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError3("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAnyRole(userId, roleNames);
+    if (!allowed) {
+      throw new ForbiddenError3(
+        `Required roles: ${roleNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
 
 // src/server/helpers/password.ts
 import bcrypt from "bcrypt";
@@ -3805,6 +3980,9 @@ async function hashPassword(password) {
   return bcrypt.hash(password, SALT_ROUNDS);
 }
 
+// src/server/helpers/index.ts
+init_jwt();
+
 // src/server/helpers/verification.ts
 init_verification_codes();
 import jwt2 from "jsonwebtoken";
@@ -3818,6 +3996,7 @@ import { ValidationError as ValidationError2 } from "@spfn/core/errors";
 
 // src/server/services/key.service.ts
 init_entities();
+init_jwt();
 import { create as create2, getDatabase as getDatabase4 } from "@spfn/core/db";
 import { eq as eq4, and as and4 } from "drizzle-orm";
 
@@ -3825,18 +4004,25 @@ import { eq as eq4, and as and4 } from "drizzle-orm";
 init_entities();
 import { findOne as findOne2, updateOne } from "@spfn/core/db";
 
-// src/server/services/rbac.service.ts
+// src/server/services/me.service.ts
 init_entities();
 import { getDatabase as getDatabase5 } from "@spfn/core/db";
-import { eq as eq5, and as and5, inArray } from "drizzle-orm";
+import { eq as eq5, and as and5 } from "drizzle-orm";
+
+// src/server/services/rbac.service.ts
+init_entities();
+import { getDatabase as getDatabase6 } from "@spfn/core/db";
+import { logger } from "@spfn/core/logger";
+import { eq as eq6, and as and6, inArray } from "drizzle-orm";
+var authLogger = logger.child("@spfn/auth");
 
 // src/server/services/index.ts
 init_role_service();
 
 // src/server/services/invitation.service.ts
 init_entities();
-import { getDatabase as getDatabase7 } from "@spfn/core/db";
-import { eq as eq7, and as and7, lt, desc, sql as sql2 } from "drizzle-orm";
+import { getDatabase as getDatabase8 } from "@spfn/core/db";
+import { eq as eq8, and as and8, lt, desc, sql as sql2 } from "drizzle-orm";
 import crypto2 from "crypto";
 function generateInvitationToken() {
   return crypto2.randomUUID();
@@ -3847,7 +4033,7 @@ function calculateExpiresAt(days = 7) {
   return expiresAt;
 }
 async function createInvitation(params) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -3856,24 +4042,24 @@ async function createInvitation(params) {
   if (!emailRegex.test(email)) {
     throw new Error("Invalid email format");
   }
-  const existingUser = await db.select().from(users).where(eq7(users.email, email)).limit(1);
+  const existingUser = await db.select().from(users).where(eq8(users.email, email)).limit(1);
   if (existingUser.length > 0) {
     throw new Error("User with this email already exists");
   }
   const existingInvitation = await db.select().from(invitations).where(
-    and7(
-      eq7(invitations.email, email),
-      eq7(invitations.status, "pending")
+    and8(
+      eq8(invitations.email, email),
+      eq8(invitations.status, "pending")
     )
   ).limit(1);
   if (existingInvitation.length > 0) {
     throw new Error("Pending invitation already exists for this email");
   }
-  const role = await db.select().from(roles).where(eq7(roles.id, roleId)).limit(1);
+  const role = await db.select().from(roles).where(eq8(roles.id, roleId)).limit(1);
   if (role.length === 0) {
     throw new Error(`Role with id ${roleId} not found`);
   }
-  const inviter = await db.select().from(users).where(eq7(users.id, invitedBy)).limit(1);
+  const inviter = await db.select().from(users).where(eq8(users.id, invitedBy)).limit(1);
   if (inviter.length === 0) {
     throw new Error(`User with id ${invitedBy} not found`);
   }
@@ -3892,15 +4078,15 @@ async function createInvitation(params) {
   return invitation;
 }
 async function getInvitationByToken(token) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const result = await db.select().from(invitations).where(eq7(invitations.token, token)).limit(1);
+  const result = await db.select().from(invitations).where(eq8(invitations.token, token)).limit(1);
   return result[0] || null;
 }
 async function getInvitationWithDetails(token) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -3926,7 +4112,7 @@ async function getInvitationWithDetails(token) {
       id: users.id,
       email: users.email
     }
-  }).from(invitations).innerJoin(roles, eq7(invitations.roleId, roles.id)).innerJoin(users, eq7(invitations.invitedBy, users.id)).where(eq7(invitations.token, token)).limit(1);
+  }).from(invitations).innerJoin(roles, eq8(invitations.roleId, roles.id)).innerJoin(users, eq8(invitations.invitedBy, users.id)).where(eq8(invitations.token, token)).limit(1);
   return result[0] || null;
 }
 async function validateInvitation(token) {
@@ -3949,7 +4135,7 @@ async function validateInvitation(token) {
   return { valid: true, invitation };
 }
 async function acceptInvitation(params) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -3959,7 +4145,7 @@ async function acceptInvitation(params) {
     throw new Error(validation.error || "Invalid invitation");
   }
   const invitation = validation.invitation;
-  const role = await db.select().from(roles).where(eq7(roles.id, invitation.roleId)).limit(1);
+  const role = await db.select().from(roles).where(eq8(roles.id, invitation.roleId)).limit(1);
   if (role.length === 0) {
     throw new Error("Role not found");
   }
@@ -3989,7 +4175,7 @@ async function acceptInvitation(params) {
       status: "accepted",
       acceptedAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
-    }).where(eq7(invitations.id, invitation.id));
+    }).where(eq8(invitations.id, invitation.id));
     return { newUser, role: role[0] };
   });
   console.log(`[Auth] \u2705 Invitation accepted: ${invitation.email} as ${result.role.name}`);
@@ -4000,7 +4186,7 @@ async function acceptInvitation(params) {
   };
 }
 async function listInvitations(params) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -4008,12 +4194,12 @@ async function listInvitations(params) {
   const offset = (page - 1) * limit;
   const conditions = [];
   if (status) {
-    conditions.push(eq7(invitations.status, status));
+    conditions.push(eq8(invitations.status, status));
   }
   if (invitedBy) {
-    conditions.push(eq7(invitations.invitedBy, invitedBy));
+    conditions.push(eq8(invitations.invitedBy, invitedBy));
   }
-  const whereClause = conditions.length > 0 ? and7(...conditions) : void 0;
+  const whereClause = conditions.length > 0 ? and8(...conditions) : void 0;
   const countResult = await db.select({ count: sql2`count(*)` }).from(invitations).where(whereClause);
   const total = Number(countResult[0]?.count || 0);
   const results = await db.select({
@@ -4038,7 +4224,7 @@ async function listInvitations(params) {
       id: users.id,
       email: users.email
     }
-  }).from(invitations).innerJoin(roles, eq7(invitations.roleId, roles.id)).innerJoin(users, eq7(invitations.invitedBy, users.id)).where(whereClause).orderBy(desc(invitations.createdAt)).limit(limit).offset(offset);
+  }).from(invitations).innerJoin(roles, eq8(invitations.roleId, roles.id)).innerJoin(users, eq8(invitations.invitedBy, users.id)).where(whereClause).orderBy(desc(invitations.createdAt)).limit(limit).offset(offset);
   return {
     invitations: results,
     total,
@@ -4048,11 +4234,11 @@ async function listInvitations(params) {
   };
 }
 async function cancelInvitation(id10, cancelledBy, reason) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const invitation = await db.select().from(invitations).where(eq7(invitations.id, id10)).limit(1);
+  const invitation = await db.select().from(invitations).where(eq8(invitations.id, id10)).limit(1);
   if (invitation.length === 0) {
     throw new Error("Invitation not found");
   }
@@ -4064,23 +4250,23 @@ async function cancelInvitation(id10, cancelledBy, reason) {
     cancelledAt: /* @__PURE__ */ new Date(),
     updatedAt: /* @__PURE__ */ new Date(),
     metadata: invitation[0].metadata ? { ...invitation[0].metadata, cancelReason: reason, cancelledBy } : { cancelReason: reason, cancelledBy }
-  }).where(eq7(invitations.id, id10));
+  }).where(eq8(invitations.id, id10));
   console.log(`[Auth] \u26A0\uFE0F  Invitation cancelled: ${invitation[0].email} (reason: ${reason || "none"})`);
 }
 async function deleteInvitation(id10) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  await db.delete(invitations).where(eq7(invitations.id, id10));
+  await db.delete(invitations).where(eq8(invitations.id, id10));
   console.log(`[Auth] \u{1F5D1}\uFE0F  Invitation deleted: ${id10}`);
 }
 async function resendInvitation(id10, expiresInDays = 7) {
-  const db = getDatabase7();
+  const db = getDatabase8();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const invitation = await db.select().from(invitations).where(eq7(invitations.id, id10)).limit(1);
+  const invitation = await db.select().from(invitations).where(eq8(invitations.id, id10)).limit(1);
   if (invitation.length === 0) {
     throw new Error("Invitation not found");
   }
@@ -4092,7 +4278,7 @@ async function resendInvitation(id10, expiresInDays = 7) {
     status: "pending",
     expiresAt: newExpiresAt,
     updatedAt: /* @__PURE__ */ new Date()
-  }).where(eq7(invitations.id, id10)).returning();
+  }).where(eq8(invitations.id, id10)).returning();
   console.log(`[Auth] \u{1F4E7} Invitation resent: ${invitation[0].email} (new expiry: ${newExpiresAt.toISOString()})`);
   return updated;
 }
@@ -4131,7 +4317,7 @@ app.bind(acceptInvitationContract, async (c) => {
   });
   return c.success(result);
 });
-app.bind(createInvitationContract, [authenticate], async (c) => {
+app.bind(createInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const body = await c.data();
   const { userId } = getAuth(c);
   const invitation = await createInvitation({
@@ -4152,7 +4338,7 @@ app.bind(createInvitationContract, [authenticate], async (c) => {
     invitationUrl
   });
 });
-app.bind(listInvitationsContract, [authenticate], async (c) => {
+app.bind(listInvitationsContract, [authenticate, requirePermissions("user:read")], async (c) => {
   const query = await c.data();
   const result = await listInvitations({
     status: query.status,
@@ -4171,7 +4357,7 @@ app.bind(listInvitationsContract, [authenticate], async (c) => {
     invitations: formattedInvitations
   });
 });
-app.bind(cancelInvitationContract, [authenticate], async (c) => {
+app.bind(cancelInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const data = await c.data();
   const { userId } = getAuth(c);
   await cancelInvitation(
@@ -4184,7 +4370,7 @@ app.bind(cancelInvitationContract, [authenticate], async (c) => {
     cancelledAt: (/* @__PURE__ */ new Date()).toISOString()
   });
 });
-app.bind(resendInvitationContract, [authenticate], async (c) => {
+app.bind(resendInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const data = await c.data();
   const updated = await resendInvitation(
     data.id,
@@ -4195,7 +4381,7 @@ app.bind(resendInvitationContract, [authenticate], async (c) => {
     expiresAt: updated.expiresAt.toISOString()
   });
 });
-app.bind(deleteInvitationContract, [authenticate], async (c) => {
+app.bind(deleteInvitationContract, [authenticate, requireRole("superadmin")], async (c) => {
   const data = await c.data();
   await deleteInvitation(data.id);
   return c.success({