@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.87

package/dist/server/routes/auth/index.js

@@ -8,26 +8,83 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/server/entities/schema.ts
+import { createFunctionSchema } from "@spfn/core/db";
+var authSchema;
+var init_schema = __esm({
+  "src/server/entities/schema.ts"() {
+    "use strict";
+    authSchema = createFunctionSchema("@spfn/auth");
+  }
+});
+
+// src/server/entities/verification-codes.ts
+import { text, timestamp, index } from "drizzle-orm/pg-core";
+import { id, timestamps } from "@spfn/core/db";
+var verificationCodes;
+var init_verification_codes = __esm({
+  "src/server/entities/verification-codes.ts"() {
+    "use strict";
+    init_schema();
+    verificationCodes = authSchema.table(
+      "verification_codes",
+      {
+        id: id(),
+        // Target (email or phone)
+        target: text("target").notNull(),
+        // Email address or E.164 phone number
+        targetType: text(
+          "target_type",
+          {
+            enum: ["email", "phone"]
+          }
+        ).notNull(),
+        // Code
+        code: text("code").notNull(),
+        // 6-digit code by default (configurable)
+        // Purpose
+        purpose: text(
+          "purpose",
+          {
+            enum: ["registration", "login", "password_reset", "email_change", "phone_change"]
+          }
+        ).notNull(),
+        // Expiry
+        expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+        // Usage tracking
+        usedAt: timestamp("used_at", { withTimezone: true }),
+        attempts: text("attempts").notNull().default("0"),
+        // Track failed verification attempts
+        ...timestamps()
+      },
+      (table) => [
+        // Index for quick lookup by target and purpose
+        index("target_purpose_idx").on(table.target, table.purpose, table.expiresAt)
+      ]
+    );
+  }
+});
+
 // src/server/entities/roles.ts
-import { text, boolean, integer, index } from "drizzle-orm/pg-core";
-import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
-var schema, roles;
+import { text as text2, boolean, integer, index as index2 } from "drizzle-orm/pg-core";
+import { id as id2, timestamps as timestamps2 } from "@spfn/core/db";
+var roles;
 var init_roles = __esm({
   "src/server/entities/roles.ts"() {
     "use strict";
-    schema = createFunctionSchema("@spfn/auth");
-    roles = schema.table(
+    init_schema();
+    roles = authSchema.table(
       "roles",
       {
         // Primary key
-        id: id(),
+        id: id2(),
         // Role identifier (used in code, e.g., 'admin', 'editor')
         // Must be unique, lowercase, kebab-case recommended
-        name: text("name").notNull().unique(),
+        name: text2("name").notNull().unique(),
         // Display name for UI (e.g., 'Administrator', 'Content Editor')
-        displayName: text("display_name").notNull(),
+        displayName: text2("display_name").notNull(),
         // Role description
-        description: text("description"),
+        description: text2("description"),
         // Built-in role flag
         // true: Core package roles (user, admin, superadmin) - cannot be deleted
         // false: Custom or preset roles - can be deleted
@@ -43,45 +100,45 @@ var init_roles = __esm({
         // superadmin: 100, admin: 80, user: 10
         // Used for role hierarchy and conflict resolution
         priority: integer("priority").notNull().default(10),
-        ...timestamps()
+        ...timestamps2()
       },
       (table) => [
-        index("roles_name_idx").on(table.name),
-        index("roles_is_system_idx").on(table.isSystem),
-        index("roles_is_active_idx").on(table.isActive),
-        index("roles_is_builtin_idx").on(table.isBuiltin),
-        index("roles_priority_idx").on(table.priority)
+        index2("roles_name_idx").on(table.name),
+        index2("roles_is_system_idx").on(table.isSystem),
+        index2("roles_is_active_idx").on(table.isActive),
+        index2("roles_is_builtin_idx").on(table.isBuiltin),
+        index2("roles_priority_idx").on(table.priority)
       ]
     );
   }
 });
 
 // src/server/entities/users.ts
-import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
-import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { text as text3, timestamp as timestamp2, check, boolean as boolean2, bigint, index as index3 } from "drizzle-orm/pg-core";
+import { id as id3, timestamps as timestamps3 } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
-var schema2, users;
+var users;
 var init_users = __esm({
   "src/server/entities/users.ts"() {
     "use strict";
     init_roles();
-    schema2 = createFunctionSchema2("@spfn/auth");
-    users = schema2.table(
+    init_schema();
+    users = authSchema.table(
       "users",
       {
         // Identity
-        id: id2(),
+        id: id3(),
         // Email address (unique identifier)
         // Used for: login, password reset, notifications
-        email: text2("email").unique(),
+        email: text3("email").unique(),
         // Phone number in E.164 international format
         // Format: +[country code][number] (e.g., +821012345678)
         // Used for: SMS login, 2FA, notifications
-        phone: text2("phone").unique(),
+        phone: text3("phone").unique(),
         // Authentication
         // Bcrypt password hash ($2b$10$[salt][hash], 60 chars)
         // Nullable to support OAuth-only accounts
-        passwordHash: text2("password_hash"),
+        passwordHash: text3("password_hash"),
         // Force password change on next login
         // Use cases: initial setup, security breach, policy violation
         passwordChangeRequired: boolean2("password_change_required").notNull().default(false),
@@ -94,7 +151,7 @@ var init_users = __esm({
         // - active: Normal operation (default)
         // - inactive: Deactivated (user request, dormant)
         // - suspended: Locked (security incident, ToS violation)
-        status: text2(
+        status: text3(
           "status",
           {
             enum: ["active", "inactive", "suspended"]
@@ -103,14 +160,14 @@ var init_users = __esm({
         // Verification timestamps
         // null = unverified, timestamp = verified at this time
         // Email verification (via verification code or magic link)
-        emailVerifiedAt: timestamp("email_verified_at", { withTimezone: true }),
+        emailVerifiedAt: timestamp2("email_verified_at", { withTimezone: true }),
         // Phone verification (via SMS OTP)
-        phoneVerifiedAt: timestamp("phone_verified_at", { withTimezone: true }),
+        phoneVerifiedAt: timestamp2("phone_verified_at", { withTimezone: true }),
         // Metadata
         // Last successful login timestamp
         // Used for: security auditing, dormant account detection
-        lastLoginAt: timestamp("last_login_at", { withTimezone: true }),
-        ...timestamps2()
+        lastLoginAt: timestamp2("last_login_at", { withTimezone: true }),
+        ...timestamps3()
       },
       (table) => [
         // Database constraints
@@ -120,44 +177,44 @@ var init_users = __esm({
           sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`
         ),
         // Indexes for query optimization
-        index2("users_email_idx").on(table.email),
-        index2("users_phone_idx").on(table.phone),
-        index2("users_status_idx").on(table.status),
-        index2("users_role_id_idx").on(table.roleId)
+        index3("users_email_idx").on(table.email),
+        index3("users_phone_idx").on(table.phone),
+        index3("users_status_idx").on(table.status),
+        index3("users_role_id_idx").on(table.roleId)
       ]
     );
   }
 });
 
 // src/server/entities/user-social-accounts.ts
-import { text as text3, timestamp as timestamp2, uniqueIndex } from "drizzle-orm/pg-core";
-import { id as id3, timestamps as timestamps3, foreignKey, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
-var schema3, userSocialAccounts;
+import { text as text4, timestamp as timestamp3, uniqueIndex } from "drizzle-orm/pg-core";
+import { id as id4, timestamps as timestamps4, foreignKey } from "@spfn/core/db";
+var userSocialAccounts;
 var init_user_social_accounts = __esm({
   "src/server/entities/user-social-accounts.ts"() {
     "use strict";
     init_users();
-    schema3 = createFunctionSchema3("@spfn/auth");
-    userSocialAccounts = schema3.table(
+    init_schema();
+    userSocialAccounts = authSchema.table(
       "user_social_accounts",
       {
-        id: id3(),
+        id: id4(),
         // Foreign key to users
         userId: foreignKey("user", () => users.id),
         // Provider info
-        provider: text3(
+        provider: text4(
           "provider",
           {
             enum: ["google", "github", "kakao", "naver"]
           }
         ).notNull(),
-        providerUserId: text3("provider_user_id").notNull(),
-        providerEmail: text3("provider_email"),
+        providerUserId: text4("provider_user_id").notNull(),
+        providerEmail: text4("provider_email"),
         // OAuth tokens (encrypted in production)
-        accessToken: text3("access_token"),
-        refreshToken: text3("refresh_token"),
-        tokenExpiresAt: timestamp2("token_expires_at", { withTimezone: true }),
-        ...timestamps3()
+        accessToken: text4("access_token"),
+        refreshToken: text4("refresh_token"),
+        tokenExpiresAt: timestamp3("token_expires_at", { withTimezone: true }),
+        ...timestamps4()
       },
       (table) => [
         // Unique constraint: one provider account per provider
@@ -168,92 +225,45 @@ var init_user_social_accounts = __esm({
 });
 
 // src/server/entities/user-public-keys.ts
-import { text as text4, timestamp as timestamp3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
-import { id as id4, foreignKey as foreignKey2, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
-var schema4, userPublicKeys;
+import { text as text5, timestamp as timestamp4, boolean as boolean3, index as index4 } from "drizzle-orm/pg-core";
+import { id as id5, foreignKey as foreignKey2 } from "@spfn/core/db";
+var userPublicKeys;
 var init_user_public_keys = __esm({
   "src/server/entities/user-public-keys.ts"() {
     "use strict";
     init_users();
-    schema4 = createFunctionSchema4("@spfn/auth");
-    userPublicKeys = schema4.table(
+    init_schema();
+    userPublicKeys = authSchema.table(
       "user_public_keys",
       {
-        id: id4(),
+        id: id5(),
         // User reference
         userId: foreignKey2("user", () => users.id),
         // Key identification (client-generated UUID)
-        keyId: text4("key_id").notNull().unique(),
+        keyId: text5("key_id").notNull().unique(),
         // Public key in Base64-encoded DER format (SPKI)
-        publicKey: text4("public_key").notNull(),
+        publicKey: text5("public_key").notNull(),
         // Algorithm used (ES256 recommended, RS256 fallback)
-        algorithm: text4("algorithm", {
+        algorithm: text5("algorithm", {
           enum: ["ES256", "RS256"]
         }).notNull().default("ES256"),
         // Key fingerprint (SHA-256 hash for quick identification)
-        fingerprint: text4("fingerprint").notNull(),
+        fingerprint: text5("fingerprint").notNull(),
         // Key status
         isActive: boolean3("is_active").notNull().default(true),
         // Timestamps
-        createdAt: timestamp3("created_at", { mode: "date", withTimezone: true }).notNull().defaultNow(),
-        lastUsedAt: timestamp3("last_used_at", { mode: "date", withTimezone: true }),
-        expiresAt: timestamp3("expires_at", { mode: "date", withTimezone: true }),
+        createdAt: timestamp4("created_at", { mode: "date", withTimezone: true }).notNull().defaultNow(),
+        lastUsedAt: timestamp4("last_used_at", { mode: "date", withTimezone: true }),
+        expiresAt: timestamp4("expires_at", { mode: "date", withTimezone: true }),
         // Revocation
-        revokedAt: timestamp3("revoked_at", { mode: "date", withTimezone: true }),
-        revokedReason: text4("revoked_reason")
-      },
-      (table) => [
-        index3("user_public_keys_user_id_idx").on(table.userId),
-        index3("user_public_keys_key_id_idx").on(table.keyId),
-        index3("user_public_keys_active_idx").on(table.isActive),
-        index3("user_public_keys_fingerprint_idx").on(table.fingerprint)
-      ]
-    );
-  }
-});
-
-// src/server/entities/verification-codes.ts
-import { text as text5, timestamp as timestamp4, index as index4 } from "drizzle-orm/pg-core";
-import { id as id5, timestamps as timestamps4, createFunctionSchema as createFunctionSchema5 } from "@spfn/core/db";
-var schema5, verificationCodes;
-var init_verification_codes = __esm({
-  "src/server/entities/verification-codes.ts"() {
-    "use strict";
-    schema5 = createFunctionSchema5("@spfn/auth");
-    verificationCodes = schema5.table(
-      "verification_codes",
-      {
-        id: id5(),
-        // Target (email or phone)
-        target: text5("target").notNull(),
-        // Email address or E.164 phone number
-        targetType: text5(
-          "target_type",
-          {
-            enum: ["email", "phone"]
-          }
-        ).notNull(),
-        // Code
-        code: text5("code").notNull(),
-        // 6-digit code by default (configurable)
-        // Purpose
-        purpose: text5(
-          "purpose",
-          {
-            enum: ["registration", "login", "password_reset", "email_change", "phone_change"]
-          }
-        ).notNull(),
-        // Expiry
-        expiresAt: timestamp4("expires_at", { withTimezone: true }).notNull(),
-        // Usage tracking
-        usedAt: timestamp4("used_at", { withTimezone: true }),
-        attempts: text5("attempts").notNull().default("0"),
-        // Track failed verification attempts
-        ...timestamps4()
+        revokedAt: timestamp4("revoked_at", { mode: "date", withTimezone: true }),
+        revokedReason: text5("revoked_reason")
       },
       (table) => [
-        // Index for quick lookup by target and purpose
-        index4("target_purpose_idx").on(table.target, table.purpose, table.expiresAt)
+        index4("user_public_keys_user_id_idx").on(table.userId),
+        index4("user_public_keys_key_id_idx").on(table.keyId),
+        index4("user_public_keys_active_idx").on(table.isActive),
+        index4("user_public_keys_fingerprint_idx").on(table.fingerprint)
       ]
     );
   }
@@ -261,15 +271,15 @@ var init_verification_codes = __esm({
 
 // src/server/entities/invitations.ts
 import { text as text6, timestamp as timestamp5, bigint as bigint2, index as index5, jsonb } from "drizzle-orm/pg-core";
-import { id as id6, timestamps as timestamps5, createFunctionSchema as createFunctionSchema6 } from "@spfn/core/db";
-var schema6, invitations;
+import { id as id6, timestamps as timestamps5 } from "@spfn/core/db";
+var invitations;
 var init_invitations = __esm({
   "src/server/entities/invitations.ts"() {
     "use strict";
     init_roles();
     init_users();
-    schema6 = createFunctionSchema6("@spfn/auth");
-    invitations = schema6.table(
+    init_schema();
+    invitations = authSchema.table(
       "user_invitations",
       {
         // Primary key
@@ -337,13 +347,13 @@ var init_invitations = __esm({
 
 // src/server/entities/permissions.ts
 import { text as text7, boolean as boolean4, index as index6 } from "drizzle-orm/pg-core";
-import { id as id7, timestamps as timestamps6, createFunctionSchema as createFunctionSchema7 } from "@spfn/core/db";
-var schema7, permissions;
+import { id as id7, timestamps as timestamps6 } from "@spfn/core/db";
+var permissions;
 var init_permissions = __esm({
   "src/server/entities/permissions.ts"() {
     "use strict";
-    schema7 = createFunctionSchema7("@spfn/auth");
-    permissions = schema7.table(
+    init_schema();
+    permissions = authSchema.table(
       "permissions",
       {
         // Primary key
@@ -384,15 +394,15 @@ var init_permissions = __esm({
 
 // src/server/entities/role-permissions.ts
 import { bigint as bigint3, index as index7, unique } from "drizzle-orm/pg-core";
-import { id as id8, timestamps as timestamps7, createFunctionSchema as createFunctionSchema8 } from "@spfn/core/db";
-var schema8, rolePermissions;
+import { id as id8, timestamps as timestamps7 } from "@spfn/core/db";
+var rolePermissions;
 var init_role_permissions = __esm({
   "src/server/entities/role-permissions.ts"() {
     "use strict";
     init_roles();
     init_permissions();
-    schema8 = createFunctionSchema8("@spfn/auth");
-    rolePermissions = schema8.table(
+    init_schema();
+    rolePermissions = authSchema.table(
       "role_permissions",
       {
         // Primary key
@@ -416,15 +426,15 @@ var init_role_permissions = __esm({
 
 // src/server/entities/user-permissions.ts
 import { bigint as bigint4, boolean as boolean5, text as text8, timestamp as timestamp6, index as index8, unique as unique2 } from "drizzle-orm/pg-core";
-import { id as id9, timestamps as timestamps8, createFunctionSchema as createFunctionSchema9 } from "@spfn/core/db";
-var schema9, userPermissions;
+import { id as id9, timestamps as timestamps8 } from "@spfn/core/db";
+var userPermissions;
 var init_user_permissions = __esm({
   "src/server/entities/user-permissions.ts"() {
     "use strict";
     init_users();
     init_permissions();
-    schema9 = createFunctionSchema9("@spfn/auth");
-    userPermissions = schema9.table(
+    init_schema();
+    userPermissions = authSchema.table(
       "user_permissions",
       {
         // Primary key
@@ -461,6 +471,7 @@ var init_user_permissions = __esm({
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
     "use strict";
+    init_schema();
     init_users();
     init_user_social_accounts();
     init_user_public_keys();
@@ -486,14 +497,14 @@ __export(role_service_exports, {
   setRolePermissions: () => setRolePermissions,
   updateRole: () => updateRole
 });
-import { getDatabase as getDatabase5 } from "@spfn/core/db";
-import { eq as eq5, and as and5 } from "drizzle-orm";
+import { getDatabase as getDatabase3 } from "@spfn/core/db";
+import { eq as eq3, and as and3 } from "drizzle-orm";
 async function createRole(data) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const existing = await db.select().from(roles).where(eq5(roles.name, data.name)).limit(1);
+  const existing = await db.select().from(roles).where(eq3(roles.name, data.name)).limit(1);
   if (existing.length > 0) {
     throw new Error(`Role with name '${data.name}' already exists`);
   }
@@ -517,28 +528,28 @@ async function createRole(data) {
   return newRole;
 }
 async function updateRole(roleId, data) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq5(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
   if (role.isBuiltin && data.priority !== void 0) {
     throw new Error("Cannot modify priority of built-in roles");
   }
-  const [updated] = await db.update(roles).set(data).where(eq5(roles.id, roleIdNum)).returning();
+  const [updated] = await db.update(roles).set(data).where(eq3(roles.id, roleIdNum)).returning();
   return updated;
 }
 async function deleteRole(roleId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq5(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
@@ -548,20 +559,20 @@ async function deleteRole(roleId) {
   if (role.isSystem) {
     throw new Error(`Cannot delete system role: ${role.name}. Deactivate it instead.`);
   }
-  await db.delete(roles).where(eq5(roles.id, roleIdNum));
+  await db.delete(roles).where(eq3(roles.id, roleIdNum));
   console.log(`[Auth] \u{1F5D1}\uFE0F  Deleted role: ${role.name}`);
 }
 async function addPermissionToRole(roleId, permissionId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   const existing = await db.select().from(rolePermissions).where(
-    and5(
-      eq5(rolePermissions.roleId, roleIdNum),
-      eq5(rolePermissions.permissionId, permissionIdNum)
+    and3(
+      eq3(rolePermissions.roleId, roleIdNum),
+      eq3(rolePermissions.permissionId, permissionIdNum)
     )
   ).limit(1);
   if (existing.length > 0) {
@@ -573,26 +584,26 @@ async function addPermissionToRole(roleId, permissionId) {
   });
 }
 async function removePermissionFromRole(roleId, permissionId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   await db.delete(rolePermissions).where(
-    and5(
-      eq5(rolePermissions.roleId, roleIdNum),
-      eq5(rolePermissions.permissionId, permissionIdNum)
+    and3(
+      eq3(rolePermissions.roleId, roleIdNum),
+      eq3(rolePermissions.permissionId, permissionIdNum)
     )
   );
 }
 async function setRolePermissions(roleId, permissionIds) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  await db.delete(rolePermissions).where(eq5(rolePermissions.roleId, roleIdNum));
+  await db.delete(rolePermissions).where(eq3(rolePermissions.roleId, roleIdNum));
   if (permissionIds.length > 0) {
     const mappings = permissionIds.map((permId) => ({
       roleId: roleIdNum,
@@ -602,31 +613,31 @@ async function setRolePermissions(roleId, permissionIds) {
   }
 }
 async function getAllRoles(includeInactive = false) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const query = db.select().from(roles);
   if (!includeInactive) {
-    return query.where(eq5(roles.isActive, true));
+    return query.where(eq3(roles.isActive, true));
   }
   return query;
 }
 async function getRoleByName(name) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const [role] = await db.select().from(roles).where(eq5(roles.name, name)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.name, name)).limit(1);
   return role || null;
 }
 async function getRolePermissions(roleId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq5(rolePermissions.permissionId, permissions.id)).where(eq5(rolePermissions.roleId, roleIdNum));
+  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq3(rolePermissions.permissionId, permissions.id)).where(eq3(rolePermissions.roleId, roleIdNum));
   return perms.map((p) => p.name);
 }
 var init_role_service = __esm({
@@ -739,8 +750,8 @@ function Clone(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/clone/type.mjs
-function CloneType(schema10, options) {
-  return options === void 0 ? Clone(schema10) : Clone({ ...options, ...schema10 });
+function CloneType(schema, options) {
+  return options === void 0 ? Clone(schema) : Clone({ ...options, ...schema });
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/value/guard/guard.mjs
@@ -817,8 +828,8 @@ function Immutable(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/create/type.mjs
-function CreateType(schema10, options) {
-  const result = options !== void 0 ? { ...options, ...schema10 } : schema10;
+function CreateType(schema, options) {
+  const result = options !== void 0 ? { ...options, ...schema } : schema;
   switch (TypeSystemPolicy.InstanceMode) {
     case "freeze":
       return Immutable(result);
@@ -1136,16 +1147,16 @@ function IsBoolean3(value) {
   return IsKindOf2(value, "Boolean") && value.type === "boolean" && IsOptionalString(value.$id);
 }
 function IsComputed2(value) {
-  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema));
 }
 function IsConstructor2(value) {
-  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsDate3(value) {
   return IsKindOf2(value, "Date") && value.type === "Date" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximumTimestamp) && IsOptionalNumber(value.exclusiveMinimumTimestamp) && IsOptionalNumber(value.maximumTimestamp) && IsOptionalNumber(value.minimumTimestamp) && IsOptionalNumber(value.multipleOfTimestamp);
 }
 function IsFunction3(value) {
-  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsImport(value) {
   return IsKindOf2(value, "Import") && HasPropertyKey(value, "$defs") && IsObject(value.$defs) && IsProperties(value.$defs) && HasPropertyKey(value, "$ref") && IsString(value.$ref) && value.$ref in value.$defs;
@@ -1154,10 +1165,10 @@ function IsInteger2(value) {
   return IsKindOf2(value, "Integer") && value.type === "integer" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximum) && IsOptionalNumber(value.exclusiveMinimum) && IsOptionalNumber(value.maximum) && IsOptionalNumber(value.minimum) && IsOptionalNumber(value.multipleOf);
 }
 function IsProperties(value) {
-  return IsObject(value) && Object.entries(value).every(([key, schema10]) => IsControlCharacterFree(key) && IsSchema2(schema10));
+  return IsObject(value) && Object.entries(value).every(([key, schema]) => IsControlCharacterFree(key) && IsSchema2(schema));
 }
 function IsIntersect2(value) {
-  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema10) => IsSchema2(schema10) && !IsTransform2(schema10)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
+  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema) => IsSchema2(schema) && !IsTransform2(schema)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
 }
 function IsIterator3(value) {
   return IsKindOf2(value, "Iterator") && value.type === "Iterator" && IsOptionalString(value.$id) && IsSchema2(value.items);
@@ -1205,9 +1216,9 @@ function IsPromise2(value) {
   return IsKindOf2(value, "Promise") && value.type === "Promise" && IsOptionalString(value.$id) && IsSchema2(value.item);
 }
 function IsRecord2(value) {
-  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema10) => {
-    const keys = Object.getOwnPropertyNames(schema10.patternProperties);
-    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema10.patternProperties) && IsSchema2(schema10.patternProperties[keys[0]]);
+  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema) => {
+    const keys = Object.getOwnPropertyNames(schema.patternProperties);
+    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema.patternProperties) && IsSchema2(schema.patternProperties[keys[0]]);
   })(value);
 }
 function IsRecursive(value) {
@@ -1236,16 +1247,16 @@ function IsTransform2(value) {
 }
 function IsTuple2(value) {
   return IsKindOf2(value, "Tuple") && value.type === "array" && IsOptionalString(value.$id) && IsNumber(value.minItems) && IsNumber(value.maxItems) && value.minItems === value.maxItems && // empty
-  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema10) => IsSchema2(schema10)));
+  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema) => IsSchema2(schema)));
 }
 function IsUndefined4(value) {
   return IsKindOf2(value, "Undefined") && value.type === "undefined" && IsOptionalString(value.$id);
 }
 function IsUnionLiteral(value) {
-  return IsUnion2(value) && value.anyOf.every((schema10) => IsLiteralString(schema10) || IsLiteralNumber(schema10));
+  return IsUnion2(value) && value.anyOf.every((schema) => IsLiteralString(schema) || IsLiteralNumber(schema));
 }
 function IsUnion2(value) {
-  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema) => IsSchema2(schema));
 }
 function IsUint8Array3(value) {
   return IsKindOf2(value, "Uint8Array") && value.type === "Uint8Array" && IsOptionalString(value.$id) && IsOptionalNumber(value.minByteLength) && IsOptionalNumber(value.maxByteLength);
@@ -1527,8 +1538,8 @@ function IsTemplateLiteralExpressionFinite(expression) {
     throw new TemplateLiteralFiniteError(`Unknown expression type`);
   })();
 }
-function IsTemplateLiteralFinite(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function IsTemplateLiteralFinite(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression);
 }
 
@@ -1559,8 +1570,8 @@ function* TemplateLiteralExpressionGenerate(expression) {
     throw new TemplateLiteralGenerateError("Unknown expression");
   })();
 }
-function TemplateLiteralGenerate(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function TemplateLiteralGenerate(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression) ? [...TemplateLiteralExpressionGenerate(expression)] : [];
 }
 
@@ -1636,18 +1647,18 @@ var TemplateLiteralPatternError = class extends TypeBoxError {
 function Escape(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
-function Visit2(schema10, acc) {
-  return IsTemplateLiteral(schema10) ? schema10.pattern.slice(1, schema10.pattern.length - 1) : IsUnion(schema10) ? `(${schema10.anyOf.map((schema11) => Visit2(schema11, acc)).join("|")})` : IsNumber3(schema10) ? `${acc}${PatternNumber}` : IsInteger(schema10) ? `${acc}${PatternNumber}` : IsBigInt2(schema10) ? `${acc}${PatternNumber}` : IsString2(schema10) ? `${acc}${PatternString}` : IsLiteral(schema10) ? `${acc}${Escape(schema10.const.toString())}` : IsBoolean2(schema10) ? `${acc}${PatternBoolean}` : (() => {
-    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema10[Kind]}'`);
+function Visit2(schema, acc) {
+  return IsTemplateLiteral(schema) ? schema.pattern.slice(1, schema.pattern.length - 1) : IsUnion(schema) ? `(${schema.anyOf.map((schema2) => Visit2(schema2, acc)).join("|")})` : IsNumber3(schema) ? `${acc}${PatternNumber}` : IsInteger(schema) ? `${acc}${PatternNumber}` : IsBigInt2(schema) ? `${acc}${PatternNumber}` : IsString2(schema) ? `${acc}${PatternString}` : IsLiteral(schema) ? `${acc}${Escape(schema.const.toString())}` : IsBoolean2(schema) ? `${acc}${PatternBoolean}` : (() => {
+    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema[Kind]}'`);
   })();
 }
 function TemplateLiteralPattern(kinds) {
-  return `^${kinds.map((schema10) => Visit2(schema10, "")).join("")}$`;
+  return `^${kinds.map((schema) => Visit2(schema, "")).join("")}$`;
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/union.mjs
-function TemplateLiteralToUnion(schema10) {
-  const R = TemplateLiteralGenerate(schema10);
+function TemplateLiteralToUnion(schema) {
+  const R = TemplateLiteralGenerate(schema);
   const L = R.map((S) => Literal(S));
   return UnionEvaluated(L);
 }
@@ -1784,18 +1795,18 @@ function Promise2(item, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly.mjs
-function RemoveReadonly(schema10) {
-  return CreateType(Discard(schema10, [ReadonlyKind]));
+function RemoveReadonly(schema) {
+  return CreateType(Discard(schema, [ReadonlyKind]));
 }
-function AddReadonly(schema10) {
-  return CreateType({ ...schema10, [ReadonlyKind]: "Readonly" });
+function AddReadonly(schema) {
+  return CreateType({ ...schema, [ReadonlyKind]: "Readonly" });
 }
-function ReadonlyWithFlag(schema10, F) {
-  return F === false ? RemoveReadonly(schema10) : AddReadonly(schema10);
+function ReadonlyWithFlag(schema, F) {
+  return F === false ? RemoveReadonly(schema) : AddReadonly(schema);
 }
-function Readonly(schema10, enable) {
+function Readonly(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? ReadonlyFromMappedResult(schema10, F) : ReadonlyWithFlag(schema10, F);
+  return IsMappedResult(schema) ? ReadonlyFromMappedResult(schema, F) : ReadonlyWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly-from-mapped-result.mjs
@@ -1874,18 +1885,18 @@ function Mapped(key, map, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional.mjs
-function RemoveOptional(schema10) {
-  return CreateType(Discard(schema10, [OptionalKind]));
+function RemoveOptional(schema) {
+  return CreateType(Discard(schema, [OptionalKind]));
 }
-function AddOptional(schema10) {
-  return CreateType({ ...schema10, [OptionalKind]: "Optional" });
+function AddOptional(schema) {
+  return CreateType({ ...schema, [OptionalKind]: "Optional" });
 }
-function OptionalWithFlag(schema10, F) {
-  return F === false ? RemoveOptional(schema10) : AddOptional(schema10);
+function OptionalWithFlag(schema, F) {
+  return F === false ? RemoveOptional(schema) : AddOptional(schema);
 }
-function Optional(schema10, enable) {
+function Optional(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? OptionalFromMappedResult(schema10, F) : OptionalWithFlag(schema10, F);
+  return IsMappedResult(schema) ? OptionalFromMappedResult(schema, F) : OptionalWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional-from-mapped-result.mjs
@@ -1905,7 +1916,7 @@ function OptionalFromMappedResult(R, F) {
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/intersect/intersect-create.mjs
 function IntersectCreate(T, options = {}) {
-  const allObjects = T.every((schema10) => IsObject3(schema10));
+  const allObjects = T.every((schema) => IsObject3(schema));
   const clonedUnevaluatedProperties = IsSchema(options.unevaluatedProperties) ? { unevaluatedProperties: options.unevaluatedProperties } : {};
   return CreateType(options.unevaluatedProperties === false || IsSchema(options.unevaluatedProperties) || allObjects ? { ...clonedUnevaluatedProperties, [Kind]: "Intersect", type: "object", allOf: T } : { ...clonedUnevaluatedProperties, [Kind]: "Intersect", allOf: T }, options);
 }
@@ -1928,7 +1939,7 @@ function IntersectEvaluated(types, options = {}) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return ResolveIntersect(types, options);
 }
@@ -1939,7 +1950,7 @@ function Intersect(types, options) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return IntersectCreate(types, options);
 }
@@ -2130,8 +2141,8 @@ function Const(T, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/constructor-parameters/constructor-parameters.mjs
-function ConstructorParameters(schema10, options) {
-  return IsConstructor(schema10) ? Tuple(schema10.parameters, options) : Never(options);
+function ConstructorParameters(schema, options) {
+  return IsConstructor(schema) ? Tuple(schema.parameters, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/enum/enum.mjs
@@ -2169,7 +2180,7 @@ function FromAnyRight(left, right) {
   return ExtendsResult.True;
 }
 function FromAny(left, right) {
-  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema10) => type_exports.IsAny(schema10) || type_exports.IsUnknown(schema10)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
+  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema) => type_exports.IsAny(schema) || type_exports.IsUnknown(schema)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
 }
 function FromArrayRight(left, right) {
   return type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : type_exports.IsNever(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -2190,13 +2201,13 @@ function FromBoolean(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsBoolean(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromConstructor(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromDate(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsDate(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromFunction(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromIntegerRight(left, right) {
   return type_exports.IsLiteral(left) && value_exports.IsNumber(left.const) ? ExtendsResult.True : type_exports.IsNumber(left) || type_exports.IsInteger(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -2205,10 +2216,10 @@ function FromInteger(left, right) {
   return type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : ExtendsResult.False;
 }
 function FromIntersectRight(left, right) {
-  return right.allOf.every((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.allOf.every((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIntersect4(left, right) {
-  return left.allOf.some((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.allOf.some((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIterator(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : !type_exports.IsIterator(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.items, right.items));
@@ -2222,8 +2233,8 @@ function FromNeverRight(left, right) {
 function FromNever(left, right) {
   return ExtendsResult.True;
 }
-function UnwrapTNot(schema10) {
-  let [current, depth] = [schema10, 0];
+function UnwrapTNot(schema) {
+  let [current, depth] = [schema, 0];
   while (true) {
     if (!type_exports.IsNot(current))
       break;
@@ -2244,44 +2255,44 @@ function FromNumberRight(left, right) {
 function FromNumber(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : ExtendsResult.False;
 }
-function IsObjectPropertyCount(schema10, count) {
-  return Object.getOwnPropertyNames(schema10.properties).length === count;
+function IsObjectPropertyCount(schema, count) {
+  return Object.getOwnPropertyNames(schema.properties).length === count;
 }
-function IsObjectStringLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectStringLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectSymbolLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "description" in schema10.properties && type_exports.IsUnion(schema10.properties.description) && schema10.properties.description.anyOf.length === 2 && (type_exports.IsString(schema10.properties.description.anyOf[0]) && type_exports.IsUndefined(schema10.properties.description.anyOf[1]) || type_exports.IsString(schema10.properties.description.anyOf[1]) && type_exports.IsUndefined(schema10.properties.description.anyOf[0]));
+function IsObjectSymbolLike(schema) {
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "description" in schema.properties && type_exports.IsUnion(schema.properties.description) && schema.properties.description.anyOf.length === 2 && (type_exports.IsString(schema.properties.description.anyOf[0]) && type_exports.IsUndefined(schema.properties.description.anyOf[1]) || type_exports.IsString(schema.properties.description.anyOf[1]) && type_exports.IsUndefined(schema.properties.description.anyOf[0]));
 }
-function IsObjectNumberLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectNumberLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBooleanLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBooleanLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBigIntLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBigIntLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectDateLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectDateLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectUint8ArrayLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectUint8ArrayLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectFunctionLike(schema10) {
+function IsObjectFunctionLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectConstructorLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectConstructorLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectArrayLike(schema10) {
+function IsObjectArrayLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectPromiseLike(schema10) {
+function IsObjectPromiseLike(schema) {
   const then = Function([Any()], Any());
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "then" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["then"], then)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "then" in schema.properties && IntoBooleanResult(Visit3(schema.properties["then"], then)) === ExtendsResult.True;
 }
 function Property(left, right) {
   return Visit3(left, right) === ExtendsResult.False ? ExtendsResult.False : type_exports.IsOptional(left) && !type_exports.IsOptional(right) ? ExtendsResult.False : ExtendsResult.True;
@@ -2312,11 +2323,11 @@ function FromObject(left, right) {
 function FromPromise2(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectPromiseLike(right) ? ExtendsResult.True : !type_exports.IsPromise(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.item, right.item));
 }
-function RecordKey(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? Number2() : PatternStringExact in schema10.patternProperties ? String2() : Throw("Unknown record key pattern");
+function RecordKey(schema) {
+  return PatternNumberExact in schema.patternProperties ? Number2() : PatternStringExact in schema.patternProperties ? String2() : Throw("Unknown record key pattern");
 }
-function RecordValue(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? schema10.patternProperties[PatternNumberExact] : PatternStringExact in schema10.patternProperties ? schema10.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
+function RecordValue(schema) {
+  return PatternNumberExact in schema.patternProperties ? schema.patternProperties[PatternNumberExact] : PatternStringExact in schema.patternProperties ? schema.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
 }
 function FromRecordRight(left, right) {
   const [Key, Value] = [RecordKey(right), RecordValue(right)];
@@ -2350,13 +2361,13 @@ function FromTemplateLiteral2(left, right) {
   return type_exports.IsTemplateLiteral(left) ? Visit3(TemplateLiteralToUnion(left), right) : type_exports.IsTemplateLiteral(right) ? Visit3(left, TemplateLiteralToUnion(right)) : Throw("Invalid fallthrough for TemplateLiteral");
 }
 function IsArrayOfTuple(left, right) {
-  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema10) => Visit3(schema10, right.items) === ExtendsResult.True);
+  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema) => Visit3(schema, right.items) === ExtendsResult.True);
 }
 function FromTupleRight(left, right) {
   return type_exports.IsNever(left) ? ExtendsResult.True : type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : ExtendsResult.False;
 }
 function FromTuple3(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema10, index9) => Visit3(schema10, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema, index9) => Visit3(schema, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUint8Array(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsUint8Array(right) ? ExtendsResult.True : ExtendsResult.False;
@@ -2365,10 +2376,10 @@ function FromUndefined(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsVoid(right) ? FromVoidRight(left, right) : type_exports.IsUndefined(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnionRight(left, right) {
-  return right.anyOf.some((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.anyOf.some((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnion6(left, right) {
-  return left.anyOf.every((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.anyOf.every((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnknownRight(left, right) {
   return ExtendsResult.True;
@@ -2505,13 +2516,13 @@ function ExtractFromMappedResult(R, T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/instance-type/instance-type.mjs
-function InstanceType(schema10, options) {
-  return IsConstructor(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function InstanceType(schema, options) {
+  return IsConstructor(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly-optional/readonly-optional.mjs
-function ReadonlyOptional(schema10) {
-  return Readonly(Optional(schema10));
+function ReadonlyOptional(schema) {
+  return Readonly(Optional(schema));
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/record/record.mjs
@@ -2684,11 +2695,11 @@ function ApplyUppercase(value) {
 function ApplyLowercase(value) {
   return value.toLowerCase();
 }
-function FromTemplateLiteral3(schema10, mode, options) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function FromTemplateLiteral3(schema, mode, options) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   const finite = IsTemplateLiteralExpressionFinite(expression);
   if (!finite)
-    return { ...schema10, pattern: FromLiteralValue(schema10.pattern, mode) };
+    return { ...schema, pattern: FromLiteralValue(schema.pattern, mode) };
   const strings = [...TemplateLiteralExpressionGenerate(expression)];
   const literals = strings.map((value) => Literal(value));
   const mapped = FromRest5(literals, mode);
@@ -2701,14 +2712,14 @@ function FromLiteralValue(value, mode) {
 function FromRest5(T, M) {
   return T.map((L) => Intrinsic(L, M));
 }
-function Intrinsic(schema10, mode, options = {}) {
+function Intrinsic(schema, mode, options = {}) {
   return (
     // Intrinsic-Mapped-Inference
-    IsMappedKey(schema10) ? IntrinsicFromMappedKey(schema10, mode, options) : (
+    IsMappedKey(schema) ? IntrinsicFromMappedKey(schema, mode, options) : (
       // Standard-Inference
-      IsTemplateLiteral(schema10) ? FromTemplateLiteral3(schema10, mode, options) : IsUnion(schema10) ? Union(FromRest5(schema10.anyOf, mode), options) : IsLiteral(schema10) ? Literal(FromLiteralValue(schema10.const, mode), options) : (
+      IsTemplateLiteral(schema) ? FromTemplateLiteral3(schema, mode, options) : IsUnion(schema) ? Union(FromRest5(schema.anyOf, mode), options) : IsLiteral(schema) ? Literal(FromLiteralValue(schema.const, mode), options) : (
         // Default Type
-        CreateType(schema10, options)
+        CreateType(schema, options)
       )
     )
   );
@@ -3105,8 +3116,8 @@ function Not(type, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/parameters/parameters.mjs
-function Parameters(schema10, options) {
-  return IsFunction2(schema10) ? Tuple(schema10.parameters, options) : Never();
+function Parameters(schema, options) {
+  return IsFunction2(schema) ? Tuple(schema.parameters, options) : Never();
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/recursive/recursive.mjs
@@ -3134,40 +3145,40 @@ function Rest(T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/return-type/return-type.mjs
-function ReturnType(schema10, options) {
-  return IsFunction2(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function ReturnType(schema, options) {
+  return IsFunction2(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/transform/transform.mjs
 var TransformDecodeBuilder = class {
-  constructor(schema10) {
-    this.schema = schema10;
+  constructor(schema) {
+    this.schema = schema;
   }
   Decode(decode) {
     return new TransformEncodeBuilder(this.schema, decode);
   }
 };
 var TransformEncodeBuilder = class {
-  constructor(schema10, decode) {
-    this.schema = schema10;
+  constructor(schema, decode) {
+    this.schema = schema;
     this.decode = decode;
   }
-  EncodeTransform(encode, schema10) {
-    const Encode = (value) => schema10[TransformKind].Encode(encode(value));
-    const Decode = (value) => this.decode(schema10[TransformKind].Decode(value));
+  EncodeTransform(encode, schema) {
+    const Encode = (value) => schema[TransformKind].Encode(encode(value));
+    const Decode = (value) => this.decode(schema[TransformKind].Decode(value));
     const Codec = { Encode, Decode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
-  EncodeSchema(encode, schema10) {
+  EncodeSchema(encode, schema) {
     const Codec = { Decode: this.decode, Encode: encode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
   Encode(encode) {
     return IsTransform(this.schema) ? this.EncodeTransform(encode, this.schema) : this.EncodeSchema(encode, this.schema);
   }
 };
-function Transform(schema10) {
-  return new TransformDecodeBuilder(schema10);
+function Transform(schema) {
+  return new TransformDecodeBuilder(schema);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/unsafe/unsafe.mjs
@@ -3545,6 +3556,33 @@ var changePasswordContract = {
     })
   )
 };
+var getMeContract = {
+  method: "GET",
+  path: "/_auth/me",
+  body: Type.Object({}),
+  response: ApiResponseSchema(
+    Type.Object({
+      userId: Type.String({ description: "User ID" }),
+      email: Type.Optional(Type.String({ description: "User email address" })),
+      phone: Type.Optional(Type.String({ description: "User phone number" })),
+      role: Type.Object({
+        id: Type.Number({ description: "Role ID" }),
+        name: Type.String({ description: "Role name (e.g., user, admin)" }),
+        displayName: Type.String({ description: "Display name for UI" }),
+        priority: Type.Number({ description: "Role priority level" })
+      }, { description: "User role information" }),
+      permissions: Type.Array(
+        Type.Object({
+          id: Type.Number({ description: "Permission ID" }),
+          name: Type.String({ description: "Permission name (e.g., user:delete)" }),
+          displayName: Type.String({ description: "Display name for UI" }),
+          category: Type.Optional(Type.String({ description: "Permission category" }))
+        }),
+        { description: "List of permissions granted through role" }
+      )
+    })
+  )
+};
 
 // src/lib/contracts/invitation.ts
 var UUID_PATTERN2 = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$";
@@ -3778,216 +3816,6 @@ var deleteInvitationContract = {
   )
 };
 
-// src/server/helpers/jwt.ts
-import jwt from "jsonwebtoken";
-import crypto from "crypto";
-var JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
-process.env.JWT_SECRET || // Legacy fallback
-"dev-secret-key-change-in-production";
-var JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
-process.env.JWT_EXPIRES_IN || // Legacy fallback
-"7d";
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    const decoded = jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      // Prevent algorithm confusion attacks
-      issuer: "spfn-client"
-      // Validate token issuer
-    });
-    if (typeof decoded === "string") {
-      throw new Error("Invalid token format: expected object payload");
-    }
-    return decoded;
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      throw new Error("Token has expired");
-    }
-    if (error instanceof jwt.JsonWebTokenError) {
-      throw new Error("Invalid token signature");
-    }
-    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
-  }
-}
-function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
-    return fingerprint === expectedFingerprint;
-  } catch (error) {
-    console.error("Failed to verify key fingerprint:", error);
-    return false;
-  }
-}
-
-// src/server/middleware/authenticate.ts
-init_entities();
-import { findOne, getDatabase } from "@spfn/core/db";
-
-// src/server/errors/auth-errors.ts
-import {
-  ValidationError,
-  UnauthorizedError,
-  ForbiddenError,
-  ConflictError
-} from "@spfn/core/errors";
-var InvalidCredentialsError = class extends UnauthorizedError {
-  constructor(message = "Invalid credentials") {
-    super(message);
-    this.name = "InvalidCredentialsError";
-  }
-};
-var InvalidTokenError = class extends UnauthorizedError {
-  constructor(message = "Invalid authentication token") {
-    super(message);
-    this.name = "InvalidTokenError";
-  }
-};
-var TokenExpiredError = class extends UnauthorizedError {
-  constructor(message = "Authentication token has expired") {
-    super(message);
-    this.name = "TokenExpiredError";
-  }
-};
-var KeyExpiredError = class extends UnauthorizedError {
-  constructor(message = "Public key has expired") {
-    super(message);
-    this.name = "KeyExpiredError";
-  }
-};
-var AccountDisabledError = class extends ForbiddenError {
-  constructor(status = "disabled") {
-    super(`Account is ${status}`);
-    this.name = "AccountDisabledError";
-    this.details = { status };
-  }
-};
-var AccountAlreadyExistsError = class extends ConflictError {
-  constructor(identifier, identifierType) {
-    super("Account already exists");
-    this.name = "AccountAlreadyExistsError";
-    this.details = { identifier, identifierType };
-  }
-};
-var InvalidVerificationCodeError = class extends ValidationError {
-  constructor(reason = "Invalid verification code") {
-    super(reason);
-    this.name = "InvalidVerificationCodeError";
-  }
-};
-var InvalidVerificationTokenError = class extends ValidationError {
-  constructor(message = "Invalid or expired verification token") {
-    super(message);
-    this.name = "InvalidVerificationTokenError";
-  }
-};
-var InvalidKeyFingerprintError = class extends ValidationError {
-  constructor(message = "Invalid key fingerprint") {
-    super(message);
-    this.name = "InvalidKeyFingerprintError";
-  }
-};
-var VerificationTokenPurposeMismatchError = class extends ValidationError {
-  constructor(expected, actual) {
-    super(`Verification token is for ${actual}, but ${expected} was expected`);
-    this.name = "VerificationTokenPurposeMismatchError";
-    this.details = { expected, actual };
-  }
-};
-var VerificationTokenTargetMismatchError = class extends ValidationError {
-  constructor() {
-    super("Verification token does not match provided email/phone");
-    this.name = "VerificationTokenTargetMismatchError";
-  }
-};
-
-// src/server/middleware/authenticate.ts
-import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
-import { eq, and } from "drizzle-orm";
-async function authenticate(c, next) {
-  const authHeader = c.req.header("Authorization");
-  const keyId = c.req.header("X-Key-Id");
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    throw new UnauthorizedError2("Missing or invalid authorization header");
-  }
-  if (!keyId) {
-    throw new UnauthorizedError2("Missing X-Key-Id header");
-  }
-  const token = authHeader.substring(7);
-  const db = getDatabase();
-  const [keyRecord] = await db.select().from(userPublicKeys).where(
-    and(
-      eq(userPublicKeys.keyId, keyId),
-      eq(userPublicKeys.isActive, true)
-    )
-  );
-  if (!keyRecord) {
-    throw new UnauthorizedError2("Invalid or revoked key");
-  }
-  if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
-    throw new KeyExpiredError();
-  }
-  try {
-    verifyClientToken(
-      token,
-      keyRecord.publicKey,
-      keyRecord.algorithm
-    );
-  } catch (err) {
-    if (err instanceof Error) {
-      if (err.name === "TokenExpiredError") {
-        throw new TokenExpiredError();
-      }
-      if (err.name === "JsonWebTokenError") {
-        throw new InvalidTokenError("Invalid token signature");
-      }
-    }
-    throw new UnauthorizedError2("Authentication failed");
-  }
-  const user = await findOne(users, { id: keyRecord.userId });
-  if (!user) {
-    throw new UnauthorizedError2("User not found");
-  }
-  if (user.status !== "active") {
-    throw new AccountDisabledError(user.status);
-  }
-  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
-  c.set("auth", {
-    user,
-    userId: String(user.id),
-    keyId
-  });
-  await next();
-}
-
-// src/server/helpers/context.ts
-function getAuth(c) {
-  if ("raw" in c && c.raw) {
-    return c.raw.get("auth");
-  }
-  return c.get("auth");
-}
-function getUser(c) {
-  return getAuth(c).user;
-}
-
-// src/server/services/permission.service.ts
-init_entities();
-import { getDatabase as getDatabase2 } from "@spfn/core/db";
-import { eq as eq2, and as and2 } from "drizzle-orm";
-
-// src/server/middleware/require-permission.ts
-import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
-
-// src/server/middleware/require-role.ts
-import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
-
 // src/server/helpers/password.ts
 import bcrypt from "bcrypt";
 var SALT_ROUNDS = parseInt(
@@ -4012,11 +3840,31 @@ async function verifyPassword(password, hash) {
   return bcrypt.compare(password, hash);
 }
 
+// src/server/helpers/jwt.ts
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+var JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
+process.env.JWT_SECRET || // Legacy fallback
+"dev-secret-key-change-in-production";
+var JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
+process.env.JWT_EXPIRES_IN || // Legacy fallback
+"7d";
+function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
+    return fingerprint === expectedFingerprint;
+  } catch (error) {
+    console.error("Failed to verify key fingerprint:", error);
+    return false;
+  }
+}
+
 // src/server/helpers/verification.ts
 init_verification_codes();
 import jwt2 from "jsonwebtoken";
-import { getDatabase as getDatabase3, create } from "@spfn/core/db";
-import { eq as eq3, and as and3 } from "drizzle-orm";
+import { getDatabase, create } from "@spfn/core/db";
+import { eq, and } from "drizzle-orm";
 function getVerificationTokenSecret() {
   const secret = process.env.SPFN_AUTH_VERIFICATION_TOKEN_SECRET || // New prefixed version (recommended)
   process.env.VERIFICATION_TOKEN_SECRET || // Legacy fallback
@@ -4035,7 +3883,7 @@ function generateVerificationCode() {
   return code;
 }
 async function storeVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
@@ -4052,16 +3900,16 @@ async function storeVerificationCode(target, targetType, code, purpose) {
   return record;
 }
 async function validateVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
   const records = await db.select().from(verificationCodes).where(
-    and3(
-      eq3(verificationCodes.target, target),
-      eq3(verificationCodes.targetType, targetType),
-      eq3(verificationCodes.code, code),
-      eq3(verificationCodes.purpose, purpose)
+    and(
+      eq(verificationCodes.target, target),
+      eq(verificationCodes.targetType, targetType),
+      eq(verificationCodes.code, code),
+      eq(verificationCodes.purpose, purpose)
     )
   ).limit(1);
   if (records.length === 0) {
@@ -4078,15 +3926,15 @@ async function validateVerificationCode(target, targetType, code, purpose) {
   if (attempts >= MAX_VERIFICATION_ATTEMPTS) {
     return { valid: false, error: "Too many attempts, please request a new code" };
   }
-  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq3(verificationCodes.id, record.id));
+  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq(verificationCodes.id, record.id));
   return { valid: true, codeId: record.id };
 }
 async function markCodeAsUsed(codeId) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
-  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq3(verificationCodes.id, codeId));
+  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq(verificationCodes.id, codeId));
 }
 function createVerificationToken(payload) {
   const secret = getVerificationTokenSecret();
@@ -4119,15 +3967,82 @@ async function sendVerificationSMS(phone, code, purpose) {
   console.log(`[VERIFICATION SMS] To: ${phone}, Code: ${code}, Purpose: ${purpose}`);
 }
 
+// src/server/helpers/context.ts
+function getAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
+function getUser(c) {
+  return getAuth(c).user;
+}
+
 // src/server/services/auth.service.ts
 init_entities();
-import { findOne as findOne3, create as create3 } from "@spfn/core/db";
+import { findOne as findOne2, create as create3 } from "@spfn/core/db";
 import { ValidationError as ValidationError2 } from "@spfn/core/errors";
 
+// src/server/errors/auth-errors.ts
+import {
+  ValidationError,
+  UnauthorizedError,
+  ForbiddenError,
+  ConflictError
+} from "@spfn/core/errors";
+var InvalidCredentialsError = class extends UnauthorizedError {
+  constructor(message = "Invalid credentials") {
+    super(message);
+    this.name = "InvalidCredentialsError";
+  }
+};
+var AccountDisabledError = class extends ForbiddenError {
+  constructor(status = "disabled") {
+    super(`Account is ${status}`, { details: { status } });
+    this.name = "AccountDisabledError";
+  }
+};
+var AccountAlreadyExistsError = class extends ConflictError {
+  constructor(identifier, identifierType) {
+    super("Account already exists", { details: { identifier, identifierType } });
+    this.name = "AccountAlreadyExistsError";
+  }
+};
+var InvalidVerificationCodeError = class extends ValidationError {
+  constructor(reason = "Invalid verification code") {
+    super(reason);
+    this.name = "InvalidVerificationCodeError";
+  }
+};
+var InvalidVerificationTokenError = class extends ValidationError {
+  constructor(message = "Invalid or expired verification token") {
+    super(message);
+    this.name = "InvalidVerificationTokenError";
+  }
+};
+var InvalidKeyFingerprintError = class extends ValidationError {
+  constructor(message = "Invalid key fingerprint") {
+    super(message);
+    this.name = "InvalidKeyFingerprintError";
+  }
+};
+var VerificationTokenPurposeMismatchError = class extends ValidationError {
+  constructor(expected, actual) {
+    super(`Verification token is for ${actual}, but ${expected} was expected`, { details: { expected, actual } });
+    this.name = "VerificationTokenPurposeMismatchError";
+  }
+};
+var VerificationTokenTargetMismatchError = class extends ValidationError {
+  constructor() {
+    super("Verification token does not match provided email/phone");
+    this.name = "VerificationTokenTargetMismatchError";
+  }
+};
+
 // src/server/services/key.service.ts
 init_entities();
-import { create as create2, getDatabase as getDatabase4 } from "@spfn/core/db";
-import { eq as eq4, and as and4 } from "drizzle-orm";
+import { create as create2, getDatabase as getDatabase2 } from "@spfn/core/db";
+import { eq as eq2, and as and2 } from "drizzle-orm";
 function getKeyExpiryDate() {
   const expiresAt = /* @__PURE__ */ new Date();
   expiresAt.setDate(expiresAt.getDate() + 90);
@@ -4156,15 +4071,15 @@ async function rotateKeyService(params) {
   if (!isValidFingerprint) {
     throw new InvalidKeyFingerprintError();
   }
-  const db = getDatabase4();
+  const db = getDatabase2();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: "Replaced by key rotation"
   }).where(
-    and4(
-      eq4(userPublicKeys.keyId, oldKeyId),
-      eq4(userPublicKeys.userId, userId)
+    and2(
+      eq2(userPublicKeys.keyId, oldKeyId),
+      eq2(userPublicKeys.userId, userId)
     )
   );
   await create2(userPublicKeys, {
@@ -4184,22 +4099,22 @@ async function rotateKeyService(params) {
 }
 async function revokeKeyService(params) {
   const { userId, keyId, reason } = params;
-  const db = getDatabase4();
+  const db = getDatabase2();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: reason
   }).where(
-    and4(
-      eq4(userPublicKeys.keyId, keyId),
-      eq4(userPublicKeys.userId, userId)
+    and2(
+      eq2(userPublicKeys.keyId, keyId),
+      eq2(userPublicKeys.userId, userId)
     )
   );
 }
 
 // src/server/services/user.service.ts
 init_entities();
-import { findOne as findOne2, updateOne } from "@spfn/core/db";
+import { findOne, updateOne } from "@spfn/core/db";
 async function updateLastLoginService(userId) {
   await updateOne(users, { id: userId }, {
     lastLoginAt: /* @__PURE__ */ new Date()
@@ -4215,11 +4130,11 @@ async function checkAccountExistsService(params) {
   if (email) {
     identifier = email;
     identifierType = "email";
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
     identifier = phone;
     identifierType = "phone";
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -4248,9 +4163,9 @@ async function registerService(params) {
   }
   let existingUser;
   if (email) {
-    existingUser = await findOne3(users, { email });
+    existingUser = await findOne2(users, { email });
   } else if (phone) {
-    existingUser = await findOne3(users, { phone });
+    existingUser = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -4291,15 +4206,17 @@ async function loginService(params) {
   const { email, phone, password, publicKey, keyId, fingerprint, oldKeyId, algorithm } = params;
   let user;
   if (email) {
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
   if (!user || !user.passwordHash) {
     throw new InvalidCredentialsError();
   }
+  console.log("user", user);
+  console.log("\uD328\uC2A4\uC6CC\uB4DC: ", password);
   const isValid = await verifyPassword(password, user.passwordHash);
   if (!isValid) {
     throw new InvalidCredentialsError();
@@ -4343,7 +4260,7 @@ async function changePasswordService(params) {
   if (providedHash) {
     passwordHash = providedHash;
   } else {
-    const user = await findOne3(users, { id: userId });
+    const user = await findOne2(users, { id: userId });
     if (!user) {
       throw new ValidationError2("User not found");
     }
@@ -4399,10 +4316,69 @@ async function verifyCodeService(params) {
   };
 }
 
+// src/server/services/me.service.ts
+init_entities();
+import { getDatabase as getDatabase4 } from "@spfn/core/db";
+import { eq as eq4, and as and4 } from "drizzle-orm";
+async function getMeService(userId) {
+  const db = getDatabase4();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [userWithRole] = await db.select({
+    userId: users.id,
+    email: users.email,
+    phone: users.phone,
+    roleId: roles.id,
+    roleName: roles.name,
+    roleDisplayName: roles.displayName,
+    rolePriority: roles.priority
+  }).from(users).innerJoin(roles, eq4(users.roleId, roles.id)).where(eq4(users.id, userIdNum)).limit(1);
+  if (!userWithRole) {
+    throw new Error("[Auth] User not found");
+  }
+  const rolePerms = await db.select({
+    id: permissions.id,
+    name: permissions.name,
+    displayName: permissions.displayName,
+    category: permissions.category
+  }).from(rolePermissions).innerJoin(permissions, eq4(rolePermissions.permissionId, permissions.id)).where(
+    and4(
+      eq4(rolePermissions.roleId, userWithRole.roleId),
+      eq4(permissions.isActive, true)
+    )
+  );
+  return {
+    userId: userWithRole.userId.toString(),
+    email: userWithRole.email ?? void 0,
+    phone: userWithRole.phone ?? void 0,
+    role: {
+      id: userWithRole.roleId,
+      name: userWithRole.roleName,
+      displayName: userWithRole.roleDisplayName,
+      priority: userWithRole.rolePriority
+    },
+    permissions: rolePerms.map((perm) => ({
+      id: perm.id,
+      name: perm.name,
+      displayName: perm.displayName,
+      category: perm.category ?? void 0
+    }))
+  };
+}
+
 // src/server/services/rbac.service.ts
 init_entities();
+import { getDatabase as getDatabase5 } from "@spfn/core/db";
+import { logger } from "@spfn/core/logger";
+import { eq as eq5, and as and5, inArray } from "drizzle-orm";
+var authLogger = logger.child("@spfn/auth");
+
+// src/server/services/permission.service.ts
+init_entities();
 import { getDatabase as getDatabase6 } from "@spfn/core/db";
-import { eq as eq6, and as and6, inArray } from "drizzle-orm";
+import { eq as eq6, and as and6 } from "drizzle-orm";
 
 // src/server/services/index.ts
 init_role_service();
@@ -4439,12 +4415,16 @@ app.bind(loginContract, async (c) => {
   const result = await loginService(body);
   return c.success(result);
 });
-app.bind(logoutContract, [authenticate], async (c) => {
-  const { keyId, userId } = getAuth(c);
+app.bind(logoutContract, async (c) => {
+  const auth = getAuth(c);
+  if (!auth) {
+    return c.success({ success: true });
+  }
+  const { keyId, userId } = auth;
   await logoutService({ userId: Number(userId), keyId });
   return c.success({ success: true });
 });
-app.bind(rotateKeyContract, [authenticate], async (c) => {
+app.bind(rotateKeyContract, async (c) => {
   const body = await c.data();
   const { keyId: oldKeyId, userId } = getAuth(c);
   const result = await rotateKeyService({
@@ -4457,7 +4437,7 @@ app.bind(rotateKeyContract, [authenticate], async (c) => {
   });
   return c.success(result);
 });
-app.bind(changePasswordContract, [authenticate], async (c) => {
+app.bind(changePasswordContract, async (c) => {
   const body = await c.data();
   const user = getUser(c);
   await changePasswordService({
@@ -4468,6 +4448,11 @@ app.bind(changePasswordContract, [authenticate], async (c) => {
   });
   return c.success({ success: true });
 });
+app.bind(getMeContract, async (c) => {
+  const { userId } = getAuth(c);
+  const result = await getMeService(userId);
+  return c.success(result);
+});
 var auth_default = app;
 export {
   auth_default as default