@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.86

package/dist/server.js

@@ -8,15 +8,25 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/server/entities/schema.ts
+import { createFunctionSchema } from "@spfn/core/db";
+var authSchema;
+var init_schema = __esm({
+  "src/server/entities/schema.ts"() {
+    "use strict";
+    authSchema = createFunctionSchema("@spfn/auth");
+  }
+});
+
 // src/server/entities/roles.ts
 import { text, boolean, integer, index } from "drizzle-orm/pg-core";
-import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
-var schema, roles;
+import { id, timestamps } from "@spfn/core/db";
+var roles;
 var init_roles = __esm({
   "src/server/entities/roles.ts"() {
     "use strict";
-    schema = createFunctionSchema("@spfn/auth");
-    roles = schema.table(
+    init_schema();
+    roles = authSchema.table(
       "roles",
       {
         // Primary key
@@ -58,15 +68,15 @@ var init_roles = __esm({
 
 // src/server/entities/users.ts
 import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
-import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { id as id2, timestamps as timestamps2 } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
-var schema2, users;
+var users;
 var init_users = __esm({
   "src/server/entities/users.ts"() {
     "use strict";
     init_roles();
-    schema2 = createFunctionSchema2("@spfn/auth");
-    users = schema2.table(
+    init_schema();
+    users = authSchema.table(
       "users",
       {
         // Identity
@@ -131,14 +141,14 @@ var init_users = __esm({
 
 // src/server/entities/user-social-accounts.ts
 import { text as text3, timestamp as timestamp2, uniqueIndex } from "drizzle-orm/pg-core";
-import { id as id3, timestamps as timestamps3, foreignKey, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
-var schema3, userSocialAccounts;
+import { id as id3, timestamps as timestamps3, foreignKey } from "@spfn/core/db";
+var userSocialAccounts;
 var init_user_social_accounts = __esm({
   "src/server/entities/user-social-accounts.ts"() {
     "use strict";
     init_users();
-    schema3 = createFunctionSchema3("@spfn/auth");
-    userSocialAccounts = schema3.table(
+    init_schema();
+    userSocialAccounts = authSchema.table(
       "user_social_accounts",
       {
         id: id3(),
@@ -169,14 +179,14 @@ var init_user_social_accounts = __esm({
 
 // src/server/entities/user-public-keys.ts
 import { text as text4, timestamp as timestamp3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
-import { id as id4, foreignKey as foreignKey2, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
-var schema4, userPublicKeys;
+import { id as id4, foreignKey as foreignKey2 } from "@spfn/core/db";
+var userPublicKeys;
 var init_user_public_keys = __esm({
   "src/server/entities/user-public-keys.ts"() {
     "use strict";
     init_users();
-    schema4 = createFunctionSchema4("@spfn/auth");
-    userPublicKeys = schema4.table(
+    init_schema();
+    userPublicKeys = authSchema.table(
       "user_public_keys",
       {
         id: id4(),
@@ -214,13 +224,13 @@ var init_user_public_keys = __esm({
 
 // src/server/entities/verification-codes.ts
 import { text as text5, timestamp as timestamp4, index as index4 } from "drizzle-orm/pg-core";
-import { id as id5, timestamps as timestamps4, createFunctionSchema as createFunctionSchema5 } from "@spfn/core/db";
-var schema5, verificationCodes;
+import { id as id5, timestamps as timestamps4 } from "@spfn/core/db";
+var verificationCodes;
 var init_verification_codes = __esm({
   "src/server/entities/verification-codes.ts"() {
     "use strict";
-    schema5 = createFunctionSchema5("@spfn/auth");
-    verificationCodes = schema5.table(
+    init_schema();
+    verificationCodes = authSchema.table(
       "verification_codes",
       {
         id: id5(),
@@ -261,15 +271,15 @@ var init_verification_codes = __esm({
 
 // src/server/entities/invitations.ts
 import { text as text6, timestamp as timestamp5, bigint as bigint2, index as index5, jsonb } from "drizzle-orm/pg-core";
-import { id as id6, timestamps as timestamps5, createFunctionSchema as createFunctionSchema6 } from "@spfn/core/db";
-var schema6, invitations;
+import { id as id6, timestamps as timestamps5 } from "@spfn/core/db";
+var invitations;
 var init_invitations = __esm({
   "src/server/entities/invitations.ts"() {
     "use strict";
     init_roles();
     init_users();
-    schema6 = createFunctionSchema6("@spfn/auth");
-    invitations = schema6.table(
+    init_schema();
+    invitations = authSchema.table(
       "user_invitations",
       {
         // Primary key
@@ -337,13 +347,13 @@ var init_invitations = __esm({
 
 // src/server/entities/permissions.ts
 import { text as text7, boolean as boolean4, index as index6 } from "drizzle-orm/pg-core";
-import { id as id7, timestamps as timestamps6, createFunctionSchema as createFunctionSchema7 } from "@spfn/core/db";
-var schema7, permissions;
+import { id as id7, timestamps as timestamps6 } from "@spfn/core/db";
+var permissions;
 var init_permissions = __esm({
   "src/server/entities/permissions.ts"() {
     "use strict";
-    schema7 = createFunctionSchema7("@spfn/auth");
-    permissions = schema7.table(
+    init_schema();
+    permissions = authSchema.table(
       "permissions",
       {
         // Primary key
@@ -384,15 +394,15 @@ var init_permissions = __esm({
 
 // src/server/entities/role-permissions.ts
 import { bigint as bigint3, index as index7, unique } from "drizzle-orm/pg-core";
-import { id as id8, timestamps as timestamps7, createFunctionSchema as createFunctionSchema8 } from "@spfn/core/db";
-var schema8, rolePermissions;
+import { id as id8, timestamps as timestamps7 } from "@spfn/core/db";
+var rolePermissions;
 var init_role_permissions = __esm({
   "src/server/entities/role-permissions.ts"() {
     "use strict";
     init_roles();
     init_permissions();
-    schema8 = createFunctionSchema8("@spfn/auth");
-    rolePermissions = schema8.table(
+    init_schema();
+    rolePermissions = authSchema.table(
       "role_permissions",
       {
         // Primary key
@@ -416,15 +426,15 @@ var init_role_permissions = __esm({
 
 // src/server/entities/user-permissions.ts
 import { bigint as bigint4, boolean as boolean5, text as text8, timestamp as timestamp6, index as index8, unique as unique2 } from "drizzle-orm/pg-core";
-import { id as id9, timestamps as timestamps8, createFunctionSchema as createFunctionSchema9 } from "@spfn/core/db";
-var schema9, userPermissions;
+import { id as id9, timestamps as timestamps8 } from "@spfn/core/db";
+var userPermissions;
 var init_user_permissions = __esm({
   "src/server/entities/user-permissions.ts"() {
     "use strict";
     init_users();
     init_permissions();
-    schema9 = createFunctionSchema9("@spfn/auth");
-    userPermissions = schema9.table(
+    init_schema();
+    userPermissions = authSchema.table(
       "user_permissions",
       {
         // Primary key
@@ -460,6 +470,7 @@ var init_user_permissions = __esm({
 // src/server/entities/index.ts
 var entities_exports = {};
 __export(entities_exports, {
+  authSchema: () => authSchema,
   invitations: () => invitations,
   permissions: () => permissions,
   rolePermissions: () => rolePermissions,
@@ -473,6 +484,7 @@ __export(entities_exports, {
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
     "use strict";
+    init_schema();
     init_users();
     init_user_social_accounts();
     init_user_public_keys();
@@ -485,6 +497,83 @@ var init_entities = __esm({
   }
 });
 
+// src/server/helpers/jwt.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decodeToken: () => decodeToken,
+  generateToken: () => generateToken,
+  verifyClientToken: () => verifyClientToken,
+  verifyKeyFingerprint: () => verifyKeyFingerprint,
+  verifyToken: () => verifyToken
+});
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+function generateToken(payload) {
+  return jwt.sign(payload, JWT_SECRET, {
+    expiresIn: JWT_EXPIRES_IN
+  });
+}
+function verifyToken(token) {
+  return jwt.verify(token, JWT_SECRET);
+}
+function verifyClientToken(token, publicKeyB64, algorithm) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const publicKeyObject = crypto.createPublicKey({
+      key: publicKeyDER,
+      format: "der",
+      type: "spki"
+    });
+    const decoded = jwt.verify(token, publicKeyObject, {
+      algorithms: [algorithm],
+      // Prevent algorithm confusion attacks
+      issuer: "spfn-client"
+      // Validate token issuer
+    });
+    if (typeof decoded === "string") {
+      throw new Error("Invalid token format: expected object payload");
+    }
+    return decoded;
+  } catch (error) {
+    if (error instanceof jwt.TokenExpiredError) {
+      throw new Error("Token has expired");
+    }
+    if (error instanceof jwt.JsonWebTokenError) {
+      throw new Error("Invalid token signature");
+    }
+    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+  }
+}
+function decodeToken(token) {
+  try {
+    return jwt.decode(token);
+  } catch {
+    return null;
+  }
+}
+function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
+    return fingerprint === expectedFingerprint;
+  } catch (error) {
+    console.error("Failed to verify key fingerprint:", error);
+    return false;
+  }
+}
+var JWT_SECRET, JWT_EXPIRES_IN;
+var init_jwt = __esm({
+  "src/server/helpers/jwt.ts"() {
+    "use strict";
+    JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
+    process.env.JWT_SECRET || // Legacy fallback
+    "dev-secret-key-change-in-production";
+    JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
+    process.env.JWT_EXPIRES_IN || // Legacy fallback
+    "7d";
+  }
+});
+
 // src/server/services/role.service.ts
 var role_service_exports = {};
 __export(role_service_exports, {
@@ -710,6 +799,14 @@ var BUILTIN_PERMISSIONS = {
     isSystem: true,
     isBuiltin: true
   },
+  USER_INVITE: {
+    name: "user:invite",
+    displayName: "Invite Users",
+    description: "Create and send user invitations",
+    category: "user",
+    isSystem: true,
+    isBuiltin: true
+  },
   // RBAC management (superadmin functions)
   RBAC_ROLE_MANAGE: {
     name: "rbac:role:manage",
@@ -734,6 +831,7 @@ var BUILTIN_ROLE_PERMISSIONS = {
     "user:read",
     "user:write",
     "user:delete",
+    "user:invite",
     "rbac:role:manage",
     "rbac:permission:manage"
   ],
@@ -741,113 +839,14 @@ var BUILTIN_ROLE_PERMISSIONS = {
     "auth:self:manage",
     "user:read",
     "user:write",
-    "user:delete"
+    "user:delete",
+    "user:invite"
   ],
   user: [
     "auth:self:manage"
   ]
 };
 
-// src/server/rbac/presets.ts
-var PRESET_ROLES = {
-  MODERATOR: {
-    name: "moderator",
-    displayName: "Moderator",
-    description: "Content moderation and community management",
-    priority: 50,
-    isSystem: true
-  },
-  EDITOR: {
-    name: "editor",
-    displayName: "Editor",
-    description: "Content creation and editing",
-    priority: 30,
-    isSystem: true
-  },
-  VIEWER: {
-    name: "viewer",
-    displayName: "Viewer",
-    description: "Read-only access to content",
-    priority: 5,
-    isSystem: true
-  }
-};
-var PRESET_PERMISSIONS = {
-  // Content management
-  CONTENT_READ: {
-    name: "content:read",
-    displayName: "Read Content",
-    description: "View all content including drafts",
-    category: "content",
-    isSystem: true
-  },
-  CONTENT_WRITE: {
-    name: "content:write",
-    displayName: "Write Content",
-    description: "Create and edit content",
-    category: "content",
-    isSystem: true
-  },
-  CONTENT_DELETE: {
-    name: "content:delete",
-    displayName: "Delete Content",
-    description: "Delete any content",
-    category: "content",
-    isSystem: true
-  },
-  CONTENT_PUBLISH: {
-    name: "content:publish",
-    displayName: "Publish Content",
-    description: "Publish content to make it public",
-    category: "content",
-    isSystem: true
-  },
-  // Moderation
-  COMMENT_MODERATE: {
-    name: "comment:moderate",
-    displayName: "Moderate Comments",
-    description: "Review and delete inappropriate comments",
-    category: "moderation",
-    isSystem: true
-  },
-  // System
-  SYSTEM_CONFIG: {
-    name: "system:config",
-    displayName: "System Configuration",
-    description: "Configure application settings",
-    category: "system",
-    isSystem: true
-  },
-  // Analytics
-  ANALYTICS_VIEW: {
-    name: "analytics:view",
-    displayName: "View Analytics",
-    description: "Access analytics dashboard and reports",
-    category: "analytics",
-    isSystem: true
-  }
-};
-var PRESET_ROLE_PERMISSIONS = {
-  moderator: [
-    "auth:self:manage",
-    "user:read",
-    "content:read",
-    "content:write",
-    "content:delete",
-    "comment:moderate"
-  ],
-  editor: [
-    "auth:self:manage",
-    "content:read",
-    "content:write",
-    "content:publish"
-  ],
-  viewer: [
-    "auth:self:manage",
-    "content:read"
-  ]
-};
-
 // src/server/services/auth.service.ts
 init_entities();
 import { findOne as findOne2, create as create3 } from "@spfn/core/db";
@@ -899,68 +898,8 @@ function validatePasswordStrength(password) {
   };
 }
 
-// src/server/helpers/jwt.ts
-import jwt from "jsonwebtoken";
-import crypto from "crypto";
-var JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
-process.env.JWT_SECRET || // Legacy fallback
-"dev-secret-key-change-in-production";
-var JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
-process.env.JWT_EXPIRES_IN || // Legacy fallback
-"7d";
-function generateToken(payload) {
-  return jwt.sign(payload, JWT_SECRET, {
-    expiresIn: JWT_EXPIRES_IN
-  });
-}
-function verifyToken(token) {
-  return jwt.verify(token, JWT_SECRET);
-}
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    const decoded = jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      // Prevent algorithm confusion attacks
-      issuer: "spfn-client"
-      // Validate token issuer
-    });
-    if (typeof decoded === "string") {
-      throw new Error("Invalid token format: expected object payload");
-    }
-    return decoded;
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      throw new Error("Token has expired");
-    }
-    if (error instanceof jwt.JsonWebTokenError) {
-      throw new Error("Invalid token signature");
-    }
-    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
-  }
-}
-function decodeToken(token) {
-  try {
-    return jwt.decode(token);
-  } catch {
-    return null;
-  }
-}
-function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
-    return fingerprint === expectedFingerprint;
-  } catch (error) {
-    console.error("Failed to verify key fingerprint:", error);
-    return false;
-  }
-}
+// src/server/helpers/index.ts
+init_jwt();
 
 // src/server/helpers/verification.ts
 init_verification_codes();
@@ -1119,16 +1058,14 @@ var KeyExpiredError = class extends UnauthorizedError {
 };
 var AccountDisabledError = class extends ForbiddenError {
   constructor(status = "disabled") {
-    super(`Account is ${status}`);
+    super(`Account is ${status}`, { details: { status } });
     this.name = "AccountDisabledError";
-    this.details = { status };
   }
 };
 var AccountAlreadyExistsError = class extends ConflictError {
   constructor(identifier, identifierType) {
-    super("Account already exists");
+    super("Account already exists", { details: { identifier, identifierType } });
     this.name = "AccountAlreadyExistsError";
-    this.details = { identifier, identifierType };
   }
 };
 var InvalidVerificationCodeError = class extends ValidationError {
@@ -1151,9 +1088,8 @@ var InvalidKeyFingerprintError = class extends ValidationError {
 };
 var VerificationTokenPurposeMismatchError = class extends ValidationError {
   constructor(expected, actual) {
-    super(`Verification token is for ${actual}, but ${expected} was expected`);
+    super(`Verification token is for ${actual}, but ${expected} was expected`, { details: { expected, actual } });
     this.name = "VerificationTokenPurposeMismatchError";
-    this.details = { expected, actual };
   }
 };
 var VerificationTokenTargetMismatchError = class extends ValidationError {
@@ -1165,6 +1101,7 @@ var VerificationTokenTargetMismatchError = class extends ValidationError {
 
 // src/server/services/key.service.ts
 init_entities();
+init_jwt();
 import { create as create2, getDatabase as getDatabase2 } from "@spfn/core/db";
 import { eq as eq2, and as and2 } from "drizzle-orm";
 function getKeyExpiryDate() {
@@ -1453,52 +1390,105 @@ async function verifyCodeService(params) {
   };
 }
 
-// src/server/services/rbac.service.ts
+// src/server/services/me.service.ts
 init_entities();
 import { getDatabase as getDatabase4 } from "@spfn/core/db";
-import { eq as eq4, and as and4, inArray } from "drizzle-orm";
-async function initializeAuth(options = {}) {
+import { eq as eq4, and as and4 } from "drizzle-orm";
+async function getMeService(userId) {
   const db = getDatabase4();
   if (!db) {
-    throw new Error("[Auth] Database not initialized. Call initDatabase() first.");
+    throw new Error("[Auth] Database not initialized");
   }
-  console.log("[Auth] \u{1F510} Initializing RBAC system...");
-  const allRoles = [...Object.values(BUILTIN_ROLES)];
-  if (options.usePresets) {
-    allRoles.push(...Object.values(PRESET_ROLES));
-  } else if (options.presetRoles) {
-    for (const presetKey of options.presetRoles) {
-      if (PRESET_ROLES[presetKey]) {
-        allRoles.push(PRESET_ROLES[presetKey]);
-      }
-    }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [userWithRole] = await db.select({
+    userId: users.id,
+    email: users.email,
+    phone: users.phone,
+    roleId: roles.id,
+    roleName: roles.name,
+    roleDisplayName: roles.displayName,
+    rolePriority: roles.priority
+  }).from(users).innerJoin(roles, eq4(users.roleId, roles.id)).where(eq4(users.id, userIdNum)).limit(1);
+  if (!userWithRole) {
+    throw new Error("[Auth] User not found");
+  }
+  const rolePerms = await db.select({
+    id: permissions.id,
+    name: permissions.name,
+    displayName: permissions.displayName,
+    category: permissions.category
+  }).from(rolePermissions).innerJoin(permissions, eq4(rolePermissions.permissionId, permissions.id)).where(
+    and4(
+      eq4(rolePermissions.roleId, userWithRole.roleId),
+      eq4(permissions.isActive, true)
+    )
+  );
+  return {
+    userId: userWithRole.userId.toString(),
+    email: userWithRole.email ?? void 0,
+    phone: userWithRole.phone ?? void 0,
+    role: {
+      id: userWithRole.roleId,
+      name: userWithRole.roleName,
+      displayName: userWithRole.roleDisplayName,
+      priority: userWithRole.rolePriority
+    },
+    permissions: rolePerms.map((perm) => ({
+      id: perm.id,
+      name: perm.name,
+      displayName: perm.displayName,
+      category: perm.category ?? void 0
+    }))
+  };
+}
+
+// src/server/services/rbac.service.ts
+init_entities();
+import { getDatabase as getDatabase5 } from "@spfn/core/db";
+import { logger } from "@spfn/core/logger";
+import { eq as eq5, and as and5, inArray } from "drizzle-orm";
+
+// src/lib/config.ts
+var globalConfig = {
+  sessionTtl: "7d"
+  // Default: 7 days
+};
+function configureAuth(config) {
+  globalConfig = {
+    ...globalConfig,
+    ...config
+  };
+}
+
+// src/server/services/rbac.service.ts
+var authLogger = logger.child("@spfn/auth");
+async function initializeAuth(options = {}) {
+  const db = getDatabase5();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized. Call initDatabase() first.");
   }
-  if (options.roles) {
-    allRoles.push(...options.roles);
+  authLogger.info("\u{1F510} Initializing RBAC system...");
+  if (options.sessionTtl !== void 0) {
+    configureAuth({
+      sessionTtl: options.sessionTtl
+    });
+    authLogger.info(`\u23F1\uFE0F  Session TTL: ${options.sessionTtl}`);
   }
+  const allRoles = [
+    ...Object.values(BUILTIN_ROLES),
+    ...options.roles || []
+  ];
   for (const roleConfig of allRoles) {
     await upsertRole(roleConfig);
   }
-  const allPermissions = [...Object.values(BUILTIN_PERMISSIONS)];
-  if (options.usePresets) {
-    allPermissions.push(...Object.values(PRESET_PERMISSIONS));
-  } else if (options.presetPermissions) {
-    for (const presetKey of options.presetPermissions) {
-      if (PRESET_PERMISSIONS[presetKey]) {
-        allPermissions.push(PRESET_PERMISSIONS[presetKey]);
-      }
-    }
-  }
-  if (options.permissions) {
-    allPermissions.push(...options.permissions);
-  }
+  const allPermissions = [
+    ...Object.values(BUILTIN_PERMISSIONS),
+    ...options.permissions || []
+  ];
   for (const permConfig of allPermissions) {
     await upsertPermission(permConfig);
   }
   const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
-  if (options.usePresets) {
-    Object.assign(allMappings, PRESET_ROLE_PERMISSIONS);
-  }
   if (options.rolePermissions) {
     for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
       if (allMappings[roleName]) {
@@ -1513,13 +1503,13 @@ async function initializeAuth(options = {}) {
   for (const [roleName, permNames] of Object.entries(allMappings)) {
     await assignPermissionsToRole(roleName, permNames);
   }
-  console.log("[Auth] \u2705 RBAC initialization complete");
-  console.log(`[Auth] \u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
-  console.log(`[Auth] \u{1F512} Built-in roles: user, admin, superadmin`);
+  authLogger.info("\u2705 RBAC initialization complete");
+  authLogger.info(`\u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
+  authLogger.info("\u{1F512} Built-in roles: user, admin, superadmin");
 }
 async function upsertRole(config) {
-  const db = getDatabase4();
-  const existing = await db.select().from(roles).where(eq4(roles.name, config.name)).limit(1);
+  const db = getDatabase5();
+  const existing = await db.select().from(roles).where(eq5(roles.name, config.name)).limit(1);
   if (existing.length === 0) {
     await db.insert(roles).values({
       name: config.name,
@@ -1529,7 +1519,7 @@ async function upsertRole(config) {
       isSystem: config.isSystem ?? false,
       isBuiltin: config.isBuiltin ?? false
     });
-    console.log(`[Auth]   \u2705 Created role: ${config.name}`);
+    authLogger.info(`  \u2705 Created role: ${config.name}`);
   } else {
     const updateData = {
       displayName: config.displayName,
@@ -1538,12 +1528,12 @@ async function upsertRole(config) {
     if (!existing[0].isBuiltin) {
       updateData.priority = config.priority ?? existing[0].priority;
     }
-    await db.update(roles).set(updateData).where(eq4(roles.id, existing[0].id));
+    await db.update(roles).set(updateData).where(eq5(roles.id, existing[0].id));
   }
 }
 async function upsertPermission(config) {
-  const db = getDatabase4();
-  const existing = await db.select().from(permissions).where(eq4(permissions.name, config.name)).limit(1);
+  const db = getDatabase5();
+  const existing = await db.select().from(permissions).where(eq5(permissions.name, config.name)).limit(1);
   if (existing.length === 0) {
     await db.insert(permissions).values({
       name: config.name,
@@ -1553,32 +1543,32 @@ async function upsertPermission(config) {
       isSystem: config.isSystem ?? false,
       isBuiltin: config.isBuiltin ?? false
     });
-    console.log(`[Auth]   \u2705 Created permission: ${config.name}`);
+    authLogger.info(`  \u2705 Created permission: ${config.name}`);
   } else {
     await db.update(permissions).set({
       displayName: config.displayName,
       description: config.description,
       category: config.category
-    }).where(eq4(permissions.id, existing[0].id));
+    }).where(eq5(permissions.id, existing[0].id));
   }
 }
 async function assignPermissionsToRole(roleName, permissionNames) {
-  const db = getDatabase4();
-  const [role] = await db.select().from(roles).where(eq4(roles.name, roleName)).limit(1);
+  const db = getDatabase5();
+  const [role] = await db.select().from(roles).where(eq5(roles.name, roleName)).limit(1);
   if (!role) {
-    console.warn(`[Auth]   \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
+    authLogger.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
     return;
   }
   const perms = await db.select().from(permissions).where(inArray(permissions.name, permissionNames));
   if (perms.length === 0) {
-    console.warn(`[Auth]   \u26A0\uFE0F  No permissions found for role: ${roleName}`);
+    authLogger.warn(`  \u26A0\uFE0F  No permissions found for role: ${roleName}`);
     return;
   }
   for (const perm of perms) {
     const existing = await db.select().from(rolePermissions).where(
-      and4(
-        eq4(rolePermissions.roleId, role.id),
-        eq4(rolePermissions.permissionId, perm.id)
+      and5(
+        eq5(rolePermissions.roleId, role.id),
+        eq5(rolePermissions.permissionId, perm.id)
       )
     ).limit(1);
     if (existing.length === 0) {
@@ -1592,23 +1582,23 @@ async function assignPermissionsToRole(roleName, permissionNames) {
 
 // src/server/services/permission.service.ts
 init_entities();
-import { getDatabase as getDatabase5 } from "@spfn/core/db";
-import { eq as eq5, and as and5 } from "drizzle-orm";
+import { getDatabase as getDatabase6 } from "@spfn/core/db";
+import { eq as eq6, and as and6 } from "drizzle-orm";
 async function getUserPermissions(userId) {
-  const db = getDatabase5();
+  const db = getDatabase6();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
-  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq5(users.id, userIdNum)).limit(1);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
   if (!user || !user.roleId) {
     return [];
   }
   const permSet = /* @__PURE__ */ new Set();
-  const rolePerms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq5(rolePermissions.permissionId, permissions.id)).where(
-    and5(
-      eq5(rolePermissions.roleId, user.roleId),
-      eq5(permissions.isActive, true)
+  const rolePerms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq6(rolePermissions.permissionId, permissions.id)).where(
+    and6(
+      eq6(rolePermissions.roleId, user.roleId),
+      eq6(permissions.isActive, true)
     )
   );
   for (const perm of rolePerms) {
@@ -1618,7 +1608,7 @@ async function getUserPermissions(userId) {
     name: permissions.name,
     granted: userPermissions.granted,
     expiresAt: userPermissions.expiresAt
-  }).from(userPermissions).innerJoin(permissions, eq5(userPermissions.permissionId, permissions.id)).where(eq5(userPermissions.userId, userIdNum));
+  }).from(userPermissions).innerJoin(permissions, eq6(userPermissions.permissionId, permissions.id)).where(eq6(userPermissions.userId, userIdNum));
   const now = /* @__PURE__ */ new Date();
   for (const userPerm of userPerms) {
     if (userPerm.expiresAt && userPerm.expiresAt < now) {
@@ -1645,16 +1635,16 @@ async function hasAllPermissions(userId, permissionNames) {
   return permissionNames.every((p) => perms.includes(p));
 }
 async function hasRole(userId, roleName) {
-  const db = getDatabase5();
+  const db = getDatabase6();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
-  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq5(users.id, userIdNum)).limit(1);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
   if (!user || !user.roleId) {
     return false;
   }
-  const [role] = await db.select({ name: roles.name }).from(roles).where(eq5(roles.id, user.roleId)).limit(1);
+  const [role] = await db.select({ name: roles.name }).from(roles).where(eq6(roles.id, user.roleId)).limit(1);
   return role?.name === roleName;
 }
 async function hasAnyRole(userId, roleNames) {
@@ -1671,8 +1661,8 @@ init_role_service();
 
 // src/server/services/invitation.service.ts
 init_entities();
-import { getDatabase as getDatabase6 } from "@spfn/core/db";
-import { eq as eq6, and as and6, lt, desc, sql as sql2 } from "drizzle-orm";
+import { getDatabase as getDatabase7 } from "@spfn/core/db";
+import { eq as eq7, and as and7, lt, desc, sql as sql2 } from "drizzle-orm";
 import crypto2 from "crypto";
 function generateInvitationToken() {
   return crypto2.randomUUID();
@@ -1683,7 +1673,7 @@ function calculateExpiresAt(days = 7) {
   return expiresAt;
 }
 async function createInvitation(params) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -1692,24 +1682,24 @@ async function createInvitation(params) {
   if (!emailRegex.test(email)) {
     throw new Error("Invalid email format");
   }
-  const existingUser = await db.select().from(users).where(eq6(users.email, email)).limit(1);
+  const existingUser = await db.select().from(users).where(eq7(users.email, email)).limit(1);
   if (existingUser.length > 0) {
     throw new Error("User with this email already exists");
   }
   const existingInvitation = await db.select().from(invitations).where(
-    and6(
-      eq6(invitations.email, email),
-      eq6(invitations.status, "pending")
+    and7(
+      eq7(invitations.email, email),
+      eq7(invitations.status, "pending")
     )
   ).limit(1);
   if (existingInvitation.length > 0) {
     throw new Error("Pending invitation already exists for this email");
   }
-  const role = await db.select().from(roles).where(eq6(roles.id, roleId)).limit(1);
+  const role = await db.select().from(roles).where(eq7(roles.id, roleId)).limit(1);
   if (role.length === 0) {
     throw new Error(`Role with id ${roleId} not found`);
   }
-  const inviter = await db.select().from(users).where(eq6(users.id, invitedBy)).limit(1);
+  const inviter = await db.select().from(users).where(eq7(users.id, invitedBy)).limit(1);
   if (inviter.length === 0) {
     throw new Error(`User with id ${invitedBy} not found`);
   }
@@ -1728,15 +1718,15 @@ async function createInvitation(params) {
   return invitation;
 }
 async function getInvitationByToken(token) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const result = await db.select().from(invitations).where(eq6(invitations.token, token)).limit(1);
+  const result = await db.select().from(invitations).where(eq7(invitations.token, token)).limit(1);
   return result[0] || null;
 }
 async function getInvitationWithDetails(token) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -1762,7 +1752,7 @@ async function getInvitationWithDetails(token) {
       id: users.id,
       email: users.email
     }
-  }).from(invitations).innerJoin(roles, eq6(invitations.roleId, roles.id)).innerJoin(users, eq6(invitations.invitedBy, users.id)).where(eq6(invitations.token, token)).limit(1);
+  }).from(invitations).innerJoin(roles, eq7(invitations.roleId, roles.id)).innerJoin(users, eq7(invitations.invitedBy, users.id)).where(eq7(invitations.token, token)).limit(1);
   return result[0] || null;
 }
 async function validateInvitation(token) {
@@ -1785,7 +1775,7 @@ async function validateInvitation(token) {
   return { valid: true, invitation };
 }
 async function acceptInvitation(params) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -1795,7 +1785,7 @@ async function acceptInvitation(params) {
     throw new Error(validation.error || "Invalid invitation");
   }
   const invitation = validation.invitation;
-  const role = await db.select().from(roles).where(eq6(roles.id, invitation.roleId)).limit(1);
+  const role = await db.select().from(roles).where(eq7(roles.id, invitation.roleId)).limit(1);
   if (role.length === 0) {
     throw new Error("Role not found");
   }
@@ -1825,7 +1815,7 @@ async function acceptInvitation(params) {
       status: "accepted",
       acceptedAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
-    }).where(eq6(invitations.id, invitation.id));
+    }).where(eq7(invitations.id, invitation.id));
     return { newUser, role: role[0] };
   });
   console.log(`[Auth] \u2705 Invitation accepted: ${invitation.email} as ${result.role.name}`);
@@ -1836,7 +1826,7 @@ async function acceptInvitation(params) {
   };
 }
 async function listInvitations(params) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
@@ -1844,12 +1834,12 @@ async function listInvitations(params) {
   const offset = (page - 1) * limit;
   const conditions = [];
   if (status) {
-    conditions.push(eq6(invitations.status, status));
+    conditions.push(eq7(invitations.status, status));
   }
   if (invitedBy) {
-    conditions.push(eq6(invitations.invitedBy, invitedBy));
+    conditions.push(eq7(invitations.invitedBy, invitedBy));
   }
-  const whereClause = conditions.length > 0 ? and6(...conditions) : void 0;
+  const whereClause = conditions.length > 0 ? and7(...conditions) : void 0;
   const countResult = await db.select({ count: sql2`count(*)` }).from(invitations).where(whereClause);
   const total = Number(countResult[0]?.count || 0);
   const results = await db.select({
@@ -1874,7 +1864,7 @@ async function listInvitations(params) {
       id: users.id,
       email: users.email
     }
-  }).from(invitations).innerJoin(roles, eq6(invitations.roleId, roles.id)).innerJoin(users, eq6(invitations.invitedBy, users.id)).where(whereClause).orderBy(desc(invitations.createdAt)).limit(limit).offset(offset);
+  }).from(invitations).innerJoin(roles, eq7(invitations.roleId, roles.id)).innerJoin(users, eq7(invitations.invitedBy, users.id)).where(whereClause).orderBy(desc(invitations.createdAt)).limit(limit).offset(offset);
   return {
     invitations: results,
     total,
@@ -1884,11 +1874,11 @@ async function listInvitations(params) {
   };
 }
 async function cancelInvitation(id10, cancelledBy, reason) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const invitation = await db.select().from(invitations).where(eq6(invitations.id, id10)).limit(1);
+  const invitation = await db.select().from(invitations).where(eq7(invitations.id, id10)).limit(1);
   if (invitation.length === 0) {
     throw new Error("Invitation not found");
   }
@@ -1900,26 +1890,26 @@ async function cancelInvitation(id10, cancelledBy, reason) {
     cancelledAt: /* @__PURE__ */ new Date(),
     updatedAt: /* @__PURE__ */ new Date(),
     metadata: invitation[0].metadata ? { ...invitation[0].metadata, cancelReason: reason, cancelledBy } : { cancelReason: reason, cancelledBy }
-  }).where(eq6(invitations.id, id10));
+  }).where(eq7(invitations.id, id10));
   console.log(`[Auth] \u26A0\uFE0F  Invitation cancelled: ${invitation[0].email} (reason: ${reason || "none"})`);
 }
 async function deleteInvitation(id10) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  await db.delete(invitations).where(eq6(invitations.id, id10));
+  await db.delete(invitations).where(eq7(invitations.id, id10));
   console.log(`[Auth] \u{1F5D1}\uFE0F  Invitation deleted: ${id10}`);
 }
 async function expireOldInvitations() {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const now = /* @__PURE__ */ new Date();
   const expiredInvitations = await db.select().from(invitations).where(
-    and6(
-      eq6(invitations.status, "pending"),
+    and7(
+      eq7(invitations.status, "pending"),
       lt(invitations.expiresAt, now)
     )
   );
@@ -1930,8 +1920,8 @@ async function expireOldInvitations() {
     status: "expired",
     updatedAt: now
   }).where(
-    and6(
-      eq6(invitations.status, "pending"),
+    and7(
+      eq7(invitations.status, "pending"),
       lt(invitations.expiresAt, now)
     )
   );
@@ -1939,11 +1929,11 @@ async function expireOldInvitations() {
   return expiredInvitations.length;
 }
 async function resendInvitation(id10, expiresInDays = 7) {
-  const db = getDatabase6();
+  const db = getDatabase7();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const invitation = await db.select().from(invitations).where(eq6(invitations.id, id10)).limit(1);
+  const invitation = await db.select().from(invitations).where(eq7(invitations.id, id10)).limit(1);
   if (invitation.length === 0) {
     throw new Error("Invitation not found");
   }
@@ -1955,31 +1945,34 @@ async function resendInvitation(id10, expiresInDays = 7) {
     status: "pending",
     expiresAt: newExpiresAt,
     updatedAt: /* @__PURE__ */ new Date()
-  }).where(eq6(invitations.id, id10)).returning();
+  }).where(eq7(invitations.id, id10)).returning();
   console.log(`[Auth] \u{1F4E7} Invitation resent: ${invitation[0].email} (new expiry: ${newExpiresAt.toISOString()})`);
   return updated;
 }
 
 // src/server/middleware/authenticate.ts
+init_jwt();
 init_entities();
-import { findOne as findOne3, getDatabase as getDatabase7 } from "@spfn/core/db";
+import { findOne as findOne3, getDatabase as getDatabase8 } from "@spfn/core/db";
 import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
-import { eq as eq7, and as and7 } from "drizzle-orm";
+import { eq as eq8, and as and8 } from "drizzle-orm";
 async function authenticate(c, next) {
   const authHeader = c.req.header("Authorization");
-  const keyId = c.req.header("X-Key-Id");
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
     throw new UnauthorizedError2("Missing or invalid authorization header");
   }
-  if (!keyId) {
-    throw new UnauthorizedError2("Missing X-Key-Id header");
-  }
   const token = authHeader.substring(7);
-  const db = getDatabase7();
+  const { decodeToken: decodeToken2 } = await Promise.resolve().then(() => (init_jwt(), jwt_exports));
+  const decoded = decodeToken2(token);
+  if (!decoded || !decoded.keyId) {
+    throw new UnauthorizedError2("Invalid token: missing keyId");
+  }
+  const keyId = decoded.keyId;
+  const db = getDatabase8();
   const [keyRecord] = await db.select().from(userPublicKeys).where(
-    and7(
-      eq7(userPublicKeys.keyId, keyId),
-      eq7(userPublicKeys.isActive, true)
+    and8(
+      eq8(userPublicKeys.keyId, keyId),
+      eq8(userPublicKeys.isActive, true)
     )
   );
   if (!keyRecord) {
@@ -2012,7 +2005,7 @@ async function authenticate(c, next) {
   if (user.status !== "active") {
     throw new AccountDisabledError(user.status);
   }
-  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq7(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
+  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq8(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
   c.set("auth", {
     user,
     userId: String(user.id),
@@ -2078,7 +2071,9 @@ function requireRole(...roleNames) {
 // src/server/setup.ts
 init_entities();
 import { findOne as findOne4, create as create4 } from "@spfn/core/db";
+import { logger as logger2 } from "@spfn/core/logger";
 init_role_service();
+var authLogger2 = logger2.child("@spfn/auth");
 function parseAdminAccounts() {
   const accounts = [];
   if (process.env.SPFN_AUTH_ADMIN_ACCOUNTS || process.env.ADMIN_ACCOUNTS) {
@@ -2087,12 +2082,12 @@ function parseAdminAccounts() {
       process.env.ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
-        console.error("[Auth] \u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
+        authLogger2.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
         return accounts;
       }
       for (const item of parsed) {
         if (!item.email || !item.password) {
-          console.warn("[Auth] \u26A0\uFE0F  Skipping account: missing email or password");
+          authLogger2.warn("\u26A0\uFE0F  Skipping account: missing email or password");
           continue;
         }
         accounts.push({
@@ -2107,7 +2102,7 @@ function parseAdminAccounts() {
       return accounts;
     } catch (error) {
       const err = error;
-      console.error("[Auth] \u274C Failed to parse SPFN_AUTH_ADMIN_ACCOUNTS:", err.message);
+      authLogger2.error("\u274C Failed to parse SPFN_AUTH_ADMIN_ACCOUNTS:", err);
       return accounts;
     }
   }
@@ -2122,7 +2117,7 @@ function parseAdminAccounts() {
     process.env.ADMIN_ROLES || // Legacy fallback
     "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
-      console.error("[Auth] \u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
+      authLogger2.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
     }
     for (let i = 0; i < emails.length; i++) {
@@ -2130,7 +2125,7 @@ function parseAdminAccounts() {
       const password = passwords[i];
       const role = roles2[i] || "user";
       if (!email || !password) {
-        console.warn(`[Auth] \u26A0\uFE0F  Skipping account ${i + 1}: missing email or password`);
+        authLogger2.warn(`\u26A0\uFE0F  Skipping account ${i + 1}: missing email or password`);
         continue;
       }
       accounts.push({
@@ -2161,7 +2156,7 @@ async function ensureAdminExists() {
   if (accounts.length === 0) {
     return;
   }
-  console.log(`[Auth] Creating ${accounts.length} admin account(s)...`);
+  authLogger2.info(`Creating ${accounts.length} admin account(s)...`);
   let created = 0;
   let skipped = 0;
   let failed = 0;
@@ -2169,14 +2164,14 @@ async function ensureAdminExists() {
     try {
       const existing = await findOne4(users, { email: account.email });
       if (existing) {
-        console.log(`[Auth] \u26A0\uFE0F  Account already exists: ${account.email} (skipped)`);
+        authLogger2.info(`\u26A0\uFE0F  Account already exists: ${account.email} (skipped)`);
         skipped++;
         continue;
       }
       const roleName = account.role || "user";
       const role = await getRoleByName(roleName);
       if (!role) {
-        console.error(`[Auth] \u274C Role '${roleName}' not found for ${account.email}. Run initializeAuth() first.`);
+        authLogger2.error(`\u274C Role '${roleName}' not found for ${account.email}. Run initializeAuth() first.`);
         failed++;
         continue;
       }
@@ -2191,26 +2186,23 @@ async function ensureAdminExists() {
         passwordChangeRequired: account.passwordChangeRequired !== false,
         status: "active"
       });
-      console.log(`[Auth] \u2705 Admin account created: ${account.email} (${roleName})`);
+      authLogger2.info(`\u2705 Admin account created: ${account.email} (${roleName})`);
       created++;
     } catch (error) {
       const err = error;
-      console.error(`[Auth] \u274C Failed to create account ${account.email}:`, err.message);
+      authLogger2.error(`\u274C Failed to create account ${account.email}:`, err);
       failed++;
     }
   }
-  console.log(`[Auth] \u{1F4CA} Summary: ${created} created, ${skipped} skipped, ${failed} failed`);
+  authLogger2.info(`\u{1F4CA} Summary: ${created} created, ${skipped} skipped, ${failed} failed`);
   if (created > 0) {
-    console.log("[Auth] \u26A0\uFE0F  Please change passwords on first login!");
+    authLogger2.info("\u26A0\uFE0F  Please change passwords on first login!");
   }
 }
 export {
   BUILTIN_PERMISSIONS,
   BUILTIN_ROLES,
   BUILTIN_ROLE_PERMISSIONS,
-  PRESET_PERMISSIONS,
-  PRESET_ROLES,
-  PRESET_ROLE_PERMISSIONS,
   acceptInvitation,
   addPermissionToRole,
   authenticate,
@@ -2232,6 +2224,7 @@ export {
   getInvitationByToken,
   getInvitationWithDetails,
   getKeyId,
+  getMeService,
   getRoleByName,
   getRolePermissions,
   getUser,