@spfn/auth 0.1.0-alpha.1 → 0.1.0-alpha.87

package/dist/server/routes/index.js

@@ -8,26 +8,160 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/server/helpers/jwt.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decodeToken: () => decodeToken,
+  generateToken: () => generateToken,
+  verifyClientToken: () => verifyClientToken,
+  verifyKeyFingerprint: () => verifyKeyFingerprint,
+  verifyToken: () => verifyToken
+});
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+function generateToken(payload) {
+  return jwt.sign(payload, JWT_SECRET, {
+    expiresIn: JWT_EXPIRES_IN
+  });
+}
+function verifyToken(token) {
+  return jwt.verify(token, JWT_SECRET);
+}
+function verifyClientToken(token, publicKeyB64, algorithm) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const publicKeyObject = crypto.createPublicKey({
+      key: publicKeyDER,
+      format: "der",
+      type: "spki"
+    });
+    const decoded = jwt.verify(token, publicKeyObject, {
+      algorithms: [algorithm],
+      // Prevent algorithm confusion attacks
+      issuer: "spfn-client"
+      // Validate token issuer
+    });
+    if (typeof decoded === "string") {
+      throw new Error("Invalid token format: expected object payload");
+    }
+    return decoded;
+  } catch (error) {
+    if (error instanceof jwt.TokenExpiredError) {
+      throw new Error("Token has expired");
+    }
+    if (error instanceof jwt.JsonWebTokenError) {
+      throw new Error("Invalid token signature");
+    }
+    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+  }
+}
+function decodeToken(token) {
+  try {
+    return jwt.decode(token);
+  } catch {
+    return null;
+  }
+}
+function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
+  try {
+    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
+    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
+    return fingerprint === expectedFingerprint;
+  } catch (error) {
+    console.error("Failed to verify key fingerprint:", error);
+    return false;
+  }
+}
+var JWT_SECRET, JWT_EXPIRES_IN;
+var init_jwt = __esm({
+  "src/server/helpers/jwt.ts"() {
+    "use strict";
+    JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
+    process.env.JWT_SECRET || // Legacy fallback
+    "dev-secret-key-change-in-production";
+    JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
+    process.env.JWT_EXPIRES_IN || // Legacy fallback
+    "7d";
+  }
+});
+
+// src/server/entities/schema.ts
+import { createFunctionSchema } from "@spfn/core/db";
+var authSchema;
+var init_schema = __esm({
+  "src/server/entities/schema.ts"() {
+    "use strict";
+    authSchema = createFunctionSchema("@spfn/auth");
+  }
+});
+
+// src/server/entities/verification-codes.ts
+import { text, timestamp, index } from "drizzle-orm/pg-core";
+import { id, timestamps } from "@spfn/core/db";
+var verificationCodes;
+var init_verification_codes = __esm({
+  "src/server/entities/verification-codes.ts"() {
+    "use strict";
+    init_schema();
+    verificationCodes = authSchema.table(
+      "verification_codes",
+      {
+        id: id(),
+        // Target (email or phone)
+        target: text("target").notNull(),
+        // Email address or E.164 phone number
+        targetType: text(
+          "target_type",
+          {
+            enum: ["email", "phone"]
+          }
+        ).notNull(),
+        // Code
+        code: text("code").notNull(),
+        // 6-digit code by default (configurable)
+        // Purpose
+        purpose: text(
+          "purpose",
+          {
+            enum: ["registration", "login", "password_reset", "email_change", "phone_change"]
+          }
+        ).notNull(),
+        // Expiry
+        expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+        // Usage tracking
+        usedAt: timestamp("used_at", { withTimezone: true }),
+        attempts: text("attempts").notNull().default("0"),
+        // Track failed verification attempts
+        ...timestamps()
+      },
+      (table) => [
+        // Index for quick lookup by target and purpose
+        index("target_purpose_idx").on(table.target, table.purpose, table.expiresAt)
+      ]
+    );
+  }
+});
+
 // src/server/entities/roles.ts
-import { text, boolean, integer, index } from "drizzle-orm/pg-core";
-import { id, timestamps, createFunctionSchema } from "@spfn/core/db";
-var schema, roles;
+import { text as text2, boolean, integer, index as index2 } from "drizzle-orm/pg-core";
+import { id as id2, timestamps as timestamps2 } from "@spfn/core/db";
+var roles;
 var init_roles = __esm({
   "src/server/entities/roles.ts"() {
     "use strict";
-    schema = createFunctionSchema("@spfn/auth");
-    roles = schema.table(
+    init_schema();
+    roles = authSchema.table(
       "roles",
       {
         // Primary key
-        id: id(),
+        id: id2(),
         // Role identifier (used in code, e.g., 'admin', 'editor')
         // Must be unique, lowercase, kebab-case recommended
-        name: text("name").notNull().unique(),
+        name: text2("name").notNull().unique(),
         // Display name for UI (e.g., 'Administrator', 'Content Editor')
-        displayName: text("display_name").notNull(),
+        displayName: text2("display_name").notNull(),
         // Role description
-        description: text("description"),
+        description: text2("description"),
         // Built-in role flag
         // true: Core package roles (user, admin, superadmin) - cannot be deleted
         // false: Custom or preset roles - can be deleted
@@ -43,45 +177,45 @@ var init_roles = __esm({
         // superadmin: 100, admin: 80, user: 10
         // Used for role hierarchy and conflict resolution
         priority: integer("priority").notNull().default(10),
-        ...timestamps()
+        ...timestamps2()
       },
       (table) => [
-        index("roles_name_idx").on(table.name),
-        index("roles_is_system_idx").on(table.isSystem),
-        index("roles_is_active_idx").on(table.isActive),
-        index("roles_is_builtin_idx").on(table.isBuiltin),
-        index("roles_priority_idx").on(table.priority)
+        index2("roles_name_idx").on(table.name),
+        index2("roles_is_system_idx").on(table.isSystem),
+        index2("roles_is_active_idx").on(table.isActive),
+        index2("roles_is_builtin_idx").on(table.isBuiltin),
+        index2("roles_priority_idx").on(table.priority)
       ]
     );
   }
 });
 
 // src/server/entities/users.ts
-import { text as text2, timestamp, check, boolean as boolean2, bigint, index as index2 } from "drizzle-orm/pg-core";
-import { id as id2, timestamps as timestamps2, createFunctionSchema as createFunctionSchema2 } from "@spfn/core/db";
+import { text as text3, timestamp as timestamp2, check, boolean as boolean2, bigint, index as index3 } from "drizzle-orm/pg-core";
+import { id as id3, timestamps as timestamps3 } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
-var schema2, users;
+var users;
 var init_users = __esm({
   "src/server/entities/users.ts"() {
     "use strict";
     init_roles();
-    schema2 = createFunctionSchema2("@spfn/auth");
-    users = schema2.table(
+    init_schema();
+    users = authSchema.table(
       "users",
       {
         // Identity
-        id: id2(),
+        id: id3(),
         // Email address (unique identifier)
         // Used for: login, password reset, notifications
-        email: text2("email").unique(),
+        email: text3("email").unique(),
         // Phone number in E.164 international format
         // Format: +[country code][number] (e.g., +821012345678)
         // Used for: SMS login, 2FA, notifications
-        phone: text2("phone").unique(),
+        phone: text3("phone").unique(),
         // Authentication
         // Bcrypt password hash ($2b$10$[salt][hash], 60 chars)
         // Nullable to support OAuth-only accounts
-        passwordHash: text2("password_hash"),
+        passwordHash: text3("password_hash"),
         // Force password change on next login
         // Use cases: initial setup, security breach, policy violation
         passwordChangeRequired: boolean2("password_change_required").notNull().default(false),
@@ -94,7 +228,7 @@ var init_users = __esm({
         // - active: Normal operation (default)
         // - inactive: Deactivated (user request, dormant)
         // - suspended: Locked (security incident, ToS violation)
-        status: text2(
+        status: text3(
           "status",
           {
             enum: ["active", "inactive", "suspended"]
@@ -103,14 +237,14 @@ var init_users = __esm({
         // Verification timestamps
         // null = unverified, timestamp = verified at this time
         // Email verification (via verification code or magic link)
-        emailVerifiedAt: timestamp("email_verified_at", { withTimezone: true }),
+        emailVerifiedAt: timestamp2("email_verified_at", { withTimezone: true }),
         // Phone verification (via SMS OTP)
-        phoneVerifiedAt: timestamp("phone_verified_at", { withTimezone: true }),
+        phoneVerifiedAt: timestamp2("phone_verified_at", { withTimezone: true }),
         // Metadata
         // Last successful login timestamp
         // Used for: security auditing, dormant account detection
-        lastLoginAt: timestamp("last_login_at", { withTimezone: true }),
-        ...timestamps2()
+        lastLoginAt: timestamp2("last_login_at", { withTimezone: true }),
+        ...timestamps3()
       },
       (table) => [
         // Database constraints
@@ -120,44 +254,44 @@ var init_users = __esm({
           sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`
         ),
         // Indexes for query optimization
-        index2("users_email_idx").on(table.email),
-        index2("users_phone_idx").on(table.phone),
-        index2("users_status_idx").on(table.status),
-        index2("users_role_id_idx").on(table.roleId)
+        index3("users_email_idx").on(table.email),
+        index3("users_phone_idx").on(table.phone),
+        index3("users_status_idx").on(table.status),
+        index3("users_role_id_idx").on(table.roleId)
       ]
     );
   }
 });
 
 // src/server/entities/user-social-accounts.ts
-import { text as text3, timestamp as timestamp2, uniqueIndex } from "drizzle-orm/pg-core";
-import { id as id3, timestamps as timestamps3, foreignKey, createFunctionSchema as createFunctionSchema3 } from "@spfn/core/db";
-var schema3, userSocialAccounts;
+import { text as text4, timestamp as timestamp3, uniqueIndex } from "drizzle-orm/pg-core";
+import { id as id4, timestamps as timestamps4, foreignKey } from "@spfn/core/db";
+var userSocialAccounts;
 var init_user_social_accounts = __esm({
   "src/server/entities/user-social-accounts.ts"() {
     "use strict";
     init_users();
-    schema3 = createFunctionSchema3("@spfn/auth");
-    userSocialAccounts = schema3.table(
+    init_schema();
+    userSocialAccounts = authSchema.table(
       "user_social_accounts",
       {
-        id: id3(),
+        id: id4(),
         // Foreign key to users
         userId: foreignKey("user", () => users.id),
         // Provider info
-        provider: text3(
+        provider: text4(
           "provider",
           {
             enum: ["google", "github", "kakao", "naver"]
           }
         ).notNull(),
-        providerUserId: text3("provider_user_id").notNull(),
-        providerEmail: text3("provider_email"),
+        providerUserId: text4("provider_user_id").notNull(),
+        providerEmail: text4("provider_email"),
         // OAuth tokens (encrypted in production)
-        accessToken: text3("access_token"),
-        refreshToken: text3("refresh_token"),
-        tokenExpiresAt: timestamp2("token_expires_at", { withTimezone: true }),
-        ...timestamps3()
+        accessToken: text4("access_token"),
+        refreshToken: text4("refresh_token"),
+        tokenExpiresAt: timestamp3("token_expires_at", { withTimezone: true }),
+        ...timestamps4()
       },
       (table) => [
         // Unique constraint: one provider account per provider
@@ -168,92 +302,45 @@ var init_user_social_accounts = __esm({
 });
 
 // src/server/entities/user-public-keys.ts
-import { text as text4, timestamp as timestamp3, boolean as boolean3, index as index3 } from "drizzle-orm/pg-core";
-import { id as id4, foreignKey as foreignKey2, createFunctionSchema as createFunctionSchema4 } from "@spfn/core/db";
-var schema4, userPublicKeys;
+import { text as text5, timestamp as timestamp4, boolean as boolean3, index as index4 } from "drizzle-orm/pg-core";
+import { id as id5, foreignKey as foreignKey2 } from "@spfn/core/db";
+var userPublicKeys;
 var init_user_public_keys = __esm({
   "src/server/entities/user-public-keys.ts"() {
     "use strict";
     init_users();
-    schema4 = createFunctionSchema4("@spfn/auth");
-    userPublicKeys = schema4.table(
+    init_schema();
+    userPublicKeys = authSchema.table(
       "user_public_keys",
       {
-        id: id4(),
+        id: id5(),
         // User reference
         userId: foreignKey2("user", () => users.id),
         // Key identification (client-generated UUID)
-        keyId: text4("key_id").notNull().unique(),
+        keyId: text5("key_id").notNull().unique(),
         // Public key in Base64-encoded DER format (SPKI)
-        publicKey: text4("public_key").notNull(),
+        publicKey: text5("public_key").notNull(),
         // Algorithm used (ES256 recommended, RS256 fallback)
-        algorithm: text4("algorithm", {
+        algorithm: text5("algorithm", {
           enum: ["ES256", "RS256"]
         }).notNull().default("ES256"),
         // Key fingerprint (SHA-256 hash for quick identification)
-        fingerprint: text4("fingerprint").notNull(),
+        fingerprint: text5("fingerprint").notNull(),
         // Key status
         isActive: boolean3("is_active").notNull().default(true),
         // Timestamps
-        createdAt: timestamp3("created_at", { mode: "date", withTimezone: true }).notNull().defaultNow(),
-        lastUsedAt: timestamp3("last_used_at", { mode: "date", withTimezone: true }),
-        expiresAt: timestamp3("expires_at", { mode: "date", withTimezone: true }),
+        createdAt: timestamp4("created_at", { mode: "date", withTimezone: true }).notNull().defaultNow(),
+        lastUsedAt: timestamp4("last_used_at", { mode: "date", withTimezone: true }),
+        expiresAt: timestamp4("expires_at", { mode: "date", withTimezone: true }),
         // Revocation
-        revokedAt: timestamp3("revoked_at", { mode: "date", withTimezone: true }),
-        revokedReason: text4("revoked_reason")
-      },
-      (table) => [
-        index3("user_public_keys_user_id_idx").on(table.userId),
-        index3("user_public_keys_key_id_idx").on(table.keyId),
-        index3("user_public_keys_active_idx").on(table.isActive),
-        index3("user_public_keys_fingerprint_idx").on(table.fingerprint)
-      ]
-    );
-  }
-});
-
-// src/server/entities/verification-codes.ts
-import { text as text5, timestamp as timestamp4, index as index4 } from "drizzle-orm/pg-core";
-import { id as id5, timestamps as timestamps4, createFunctionSchema as createFunctionSchema5 } from "@spfn/core/db";
-var schema5, verificationCodes;
-var init_verification_codes = __esm({
-  "src/server/entities/verification-codes.ts"() {
-    "use strict";
-    schema5 = createFunctionSchema5("@spfn/auth");
-    verificationCodes = schema5.table(
-      "verification_codes",
-      {
-        id: id5(),
-        // Target (email or phone)
-        target: text5("target").notNull(),
-        // Email address or E.164 phone number
-        targetType: text5(
-          "target_type",
-          {
-            enum: ["email", "phone"]
-          }
-        ).notNull(),
-        // Code
-        code: text5("code").notNull(),
-        // 6-digit code by default (configurable)
-        // Purpose
-        purpose: text5(
-          "purpose",
-          {
-            enum: ["registration", "login", "password_reset", "email_change", "phone_change"]
-          }
-        ).notNull(),
-        // Expiry
-        expiresAt: timestamp4("expires_at", { withTimezone: true }).notNull(),
-        // Usage tracking
-        usedAt: timestamp4("used_at", { withTimezone: true }),
-        attempts: text5("attempts").notNull().default("0"),
-        // Track failed verification attempts
-        ...timestamps4()
+        revokedAt: timestamp4("revoked_at", { mode: "date", withTimezone: true }),
+        revokedReason: text5("revoked_reason")
       },
       (table) => [
-        // Index for quick lookup by target and purpose
-        index4("target_purpose_idx").on(table.target, table.purpose, table.expiresAt)
+        index4("user_public_keys_user_id_idx").on(table.userId),
+        index4("user_public_keys_key_id_idx").on(table.keyId),
+        index4("user_public_keys_active_idx").on(table.isActive),
+        index4("user_public_keys_fingerprint_idx").on(table.fingerprint)
       ]
     );
   }
@@ -261,15 +348,15 @@ var init_verification_codes = __esm({
 
 // src/server/entities/invitations.ts
 import { text as text6, timestamp as timestamp5, bigint as bigint2, index as index5, jsonb } from "drizzle-orm/pg-core";
-import { id as id6, timestamps as timestamps5, createFunctionSchema as createFunctionSchema6 } from "@spfn/core/db";
-var schema6, invitations;
+import { id as id6, timestamps as timestamps5 } from "@spfn/core/db";
+var invitations;
 var init_invitations = __esm({
   "src/server/entities/invitations.ts"() {
     "use strict";
     init_roles();
     init_users();
-    schema6 = createFunctionSchema6("@spfn/auth");
-    invitations = schema6.table(
+    init_schema();
+    invitations = authSchema.table(
       "user_invitations",
       {
         // Primary key
@@ -337,13 +424,13 @@ var init_invitations = __esm({
 
 // src/server/entities/permissions.ts
 import { text as text7, boolean as boolean4, index as index6 } from "drizzle-orm/pg-core";
-import { id as id7, timestamps as timestamps6, createFunctionSchema as createFunctionSchema7 } from "@spfn/core/db";
-var schema7, permissions;
+import { id as id7, timestamps as timestamps6 } from "@spfn/core/db";
+var permissions;
 var init_permissions = __esm({
   "src/server/entities/permissions.ts"() {
     "use strict";
-    schema7 = createFunctionSchema7("@spfn/auth");
-    permissions = schema7.table(
+    init_schema();
+    permissions = authSchema.table(
       "permissions",
       {
         // Primary key
@@ -384,15 +471,15 @@ var init_permissions = __esm({
 
 // src/server/entities/role-permissions.ts
 import { bigint as bigint3, index as index7, unique } from "drizzle-orm/pg-core";
-import { id as id8, timestamps as timestamps7, createFunctionSchema as createFunctionSchema8 } from "@spfn/core/db";
-var schema8, rolePermissions;
+import { id as id8, timestamps as timestamps7 } from "@spfn/core/db";
+var rolePermissions;
 var init_role_permissions = __esm({
   "src/server/entities/role-permissions.ts"() {
     "use strict";
     init_roles();
     init_permissions();
-    schema8 = createFunctionSchema8("@spfn/auth");
-    rolePermissions = schema8.table(
+    init_schema();
+    rolePermissions = authSchema.table(
       "role_permissions",
       {
         // Primary key
@@ -416,15 +503,15 @@ var init_role_permissions = __esm({
 
 // src/server/entities/user-permissions.ts
 import { bigint as bigint4, boolean as boolean5, text as text8, timestamp as timestamp6, index as index8, unique as unique2 } from "drizzle-orm/pg-core";
-import { id as id9, timestamps as timestamps8, createFunctionSchema as createFunctionSchema9 } from "@spfn/core/db";
-var schema9, userPermissions;
+import { id as id9, timestamps as timestamps8 } from "@spfn/core/db";
+var userPermissions;
 var init_user_permissions = __esm({
   "src/server/entities/user-permissions.ts"() {
     "use strict";
     init_users();
     init_permissions();
-    schema9 = createFunctionSchema9("@spfn/auth");
-    userPermissions = schema9.table(
+    init_schema();
+    userPermissions = authSchema.table(
       "user_permissions",
       {
         // Primary key
@@ -460,6 +547,7 @@ var init_user_permissions = __esm({
 // src/server/entities/index.ts
 var entities_exports = {};
 __export(entities_exports, {
+  authSchema: () => authSchema,
   invitations: () => invitations,
   permissions: () => permissions,
   rolePermissions: () => rolePermissions,
@@ -473,6 +561,7 @@ __export(entities_exports, {
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
     "use strict";
+    init_schema();
     init_users();
     init_user_social_accounts();
     init_user_public_keys();
@@ -498,14 +587,14 @@ __export(role_service_exports, {
   setRolePermissions: () => setRolePermissions,
   updateRole: () => updateRole
 });
-import { getDatabase as getDatabase5 } from "@spfn/core/db";
-import { eq as eq5, and as and5 } from "drizzle-orm";
+import { getDatabase as getDatabase3 } from "@spfn/core/db";
+import { eq as eq3, and as and3 } from "drizzle-orm";
 async function createRole(data) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const existing = await db.select().from(roles).where(eq5(roles.name, data.name)).limit(1);
+  const existing = await db.select().from(roles).where(eq3(roles.name, data.name)).limit(1);
   if (existing.length > 0) {
     throw new Error(`Role with name '${data.name}' already exists`);
   }
@@ -529,28 +618,28 @@ async function createRole(data) {
   return newRole;
 }
 async function updateRole(roleId, data) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq5(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
   if (role.isBuiltin && data.priority !== void 0) {
     throw new Error("Cannot modify priority of built-in roles");
   }
-  const [updated] = await db.update(roles).set(data).where(eq5(roles.id, roleIdNum)).returning();
+  const [updated] = await db.update(roles).set(data).where(eq3(roles.id, roleIdNum)).returning();
   return updated;
 }
 async function deleteRole(roleId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const [role] = await db.select().from(roles).where(eq5(roles.id, roleIdNum)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.id, roleIdNum)).limit(1);
   if (!role) {
     throw new Error("Role not found");
   }
@@ -560,20 +649,20 @@ async function deleteRole(roleId) {
   if (role.isSystem) {
     throw new Error(`Cannot delete system role: ${role.name}. Deactivate it instead.`);
   }
-  await db.delete(roles).where(eq5(roles.id, roleIdNum));
+  await db.delete(roles).where(eq3(roles.id, roleIdNum));
   console.log(`[Auth] \u{1F5D1}\uFE0F  Deleted role: ${role.name}`);
 }
 async function addPermissionToRole(roleId, permissionId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   const existing = await db.select().from(rolePermissions).where(
-    and5(
-      eq5(rolePermissions.roleId, roleIdNum),
-      eq5(rolePermissions.permissionId, permissionIdNum)
+    and3(
+      eq3(rolePermissions.roleId, roleIdNum),
+      eq3(rolePermissions.permissionId, permissionIdNum)
     )
   ).limit(1);
   if (existing.length > 0) {
@@ -585,26 +674,26 @@ async function addPermissionToRole(roleId, permissionId) {
   });
 }
 async function removePermissionFromRole(roleId, permissionId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
   const permissionIdNum = Number(permissionId);
   await db.delete(rolePermissions).where(
-    and5(
-      eq5(rolePermissions.roleId, roleIdNum),
-      eq5(rolePermissions.permissionId, permissionIdNum)
+    and3(
+      eq3(rolePermissions.roleId, roleIdNum),
+      eq3(rolePermissions.permissionId, permissionIdNum)
     )
   );
 }
 async function setRolePermissions(roleId, permissionIds) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  await db.delete(rolePermissions).where(eq5(rolePermissions.roleId, roleIdNum));
+  await db.delete(rolePermissions).where(eq3(rolePermissions.roleId, roleIdNum));
   if (permissionIds.length > 0) {
     const mappings = permissionIds.map((permId) => ({
       roleId: roleIdNum,
@@ -614,31 +703,31 @@ async function setRolePermissions(roleId, permissionIds) {
   }
 }
 async function getAllRoles(includeInactive = false) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const query = db.select().from(roles);
   if (!includeInactive) {
-    return query.where(eq5(roles.isActive, true));
+    return query.where(eq3(roles.isActive, true));
   }
   return query;
 }
 async function getRoleByName(name) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
-  const [role] = await db.select().from(roles).where(eq5(roles.name, name)).limit(1);
+  const [role] = await db.select().from(roles).where(eq3(roles.name, name)).limit(1);
   return role || null;
 }
 async function getRolePermissions(roleId) {
-  const db = getDatabase5();
+  const db = getDatabase3();
   if (!db) {
     throw new Error("[Auth] Database not initialized");
   }
   const roleIdNum = Number(roleId);
-  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq5(rolePermissions.permissionId, permissions.id)).where(eq5(rolePermissions.roleId, roleIdNum));
+  const perms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq3(rolePermissions.permissionId, permissions.id)).where(eq3(rolePermissions.roleId, roleIdNum));
   return perms.map((p) => p.name);
 }
 var init_role_service = __esm({
@@ -2243,8 +2332,8 @@ function Clone(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/clone/type.mjs
-function CloneType(schema10, options) {
-  return options === void 0 ? Clone(schema10) : Clone({ ...options, ...schema10 });
+function CloneType(schema, options) {
+  return options === void 0 ? Clone(schema) : Clone({ ...options, ...schema });
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/value/guard/guard.mjs
@@ -2321,8 +2410,8 @@ function Immutable(value) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/create/type.mjs
-function CreateType(schema10, options) {
-  const result = options !== void 0 ? { ...options, ...schema10 } : schema10;
+function CreateType(schema, options) {
+  const result = options !== void 0 ? { ...options, ...schema } : schema;
   switch (TypeSystemPolicy.InstanceMode) {
     case "freeze":
       return Immutable(result);
@@ -2640,16 +2729,16 @@ function IsBoolean3(value) {
   return IsKindOf2(value, "Boolean") && value.type === "boolean" && IsOptionalString(value.$id);
 }
 function IsComputed2(value) {
-  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Computed") && IsString(value.target) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema));
 }
 function IsConstructor2(value) {
-  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Constructor") && value.type === "Constructor" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsDate3(value) {
   return IsKindOf2(value, "Date") && value.type === "Date" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximumTimestamp) && IsOptionalNumber(value.exclusiveMinimumTimestamp) && IsOptionalNumber(value.maximumTimestamp) && IsOptionalNumber(value.minimumTimestamp) && IsOptionalNumber(value.multipleOfTimestamp);
 }
 function IsFunction3(value) {
-  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema10) => IsSchema2(schema10)) && IsSchema2(value.returns);
+  return IsKindOf2(value, "Function") && value.type === "Function" && IsOptionalString(value.$id) && IsArray(value.parameters) && value.parameters.every((schema) => IsSchema2(schema)) && IsSchema2(value.returns);
 }
 function IsImport(value) {
   return IsKindOf2(value, "Import") && HasPropertyKey(value, "$defs") && IsObject(value.$defs) && IsProperties(value.$defs) && HasPropertyKey(value, "$ref") && IsString(value.$ref) && value.$ref in value.$defs;
@@ -2658,10 +2747,10 @@ function IsInteger2(value) {
   return IsKindOf2(value, "Integer") && value.type === "integer" && IsOptionalString(value.$id) && IsOptionalNumber(value.exclusiveMaximum) && IsOptionalNumber(value.exclusiveMinimum) && IsOptionalNumber(value.maximum) && IsOptionalNumber(value.minimum) && IsOptionalNumber(value.multipleOf);
 }
 function IsProperties(value) {
-  return IsObject(value) && Object.entries(value).every(([key, schema10]) => IsControlCharacterFree(key) && IsSchema2(schema10));
+  return IsObject(value) && Object.entries(value).every(([key, schema]) => IsControlCharacterFree(key) && IsSchema2(schema));
 }
 function IsIntersect2(value) {
-  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema10) => IsSchema2(schema10) && !IsTransform2(schema10)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
+  return IsKindOf2(value, "Intersect") && (IsString(value.type) && value.type !== "object" ? false : true) && IsArray(value.allOf) && value.allOf.every((schema) => IsSchema2(schema) && !IsTransform2(schema)) && IsOptionalString(value.type) && (IsOptionalBoolean(value.unevaluatedProperties) || IsOptionalSchema(value.unevaluatedProperties)) && IsOptionalString(value.$id);
 }
 function IsIterator3(value) {
   return IsKindOf2(value, "Iterator") && value.type === "Iterator" && IsOptionalString(value.$id) && IsSchema2(value.items);
@@ -2709,9 +2798,9 @@ function IsPromise2(value) {
   return IsKindOf2(value, "Promise") && value.type === "Promise" && IsOptionalString(value.$id) && IsSchema2(value.item);
 }
 function IsRecord2(value) {
-  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema10) => {
-    const keys = Object.getOwnPropertyNames(schema10.patternProperties);
-    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema10.patternProperties) && IsSchema2(schema10.patternProperties[keys[0]]);
+  return IsKindOf2(value, "Record") && value.type === "object" && IsOptionalString(value.$id) && IsAdditionalProperties(value.additionalProperties) && IsObject(value.patternProperties) && ((schema) => {
+    const keys = Object.getOwnPropertyNames(schema.patternProperties);
+    return keys.length === 1 && IsPattern(keys[0]) && IsObject(schema.patternProperties) && IsSchema2(schema.patternProperties[keys[0]]);
   })(value);
 }
 function IsRecursive(value) {
@@ -2740,16 +2829,16 @@ function IsTransform2(value) {
 }
 function IsTuple2(value) {
   return IsKindOf2(value, "Tuple") && value.type === "array" && IsOptionalString(value.$id) && IsNumber(value.minItems) && IsNumber(value.maxItems) && value.minItems === value.maxItems && // empty
-  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema10) => IsSchema2(schema10)));
+  (IsUndefined(value.items) && IsUndefined(value.additionalItems) && value.minItems === 0 || IsArray(value.items) && value.items.every((schema) => IsSchema2(schema)));
 }
 function IsUndefined4(value) {
   return IsKindOf2(value, "Undefined") && value.type === "undefined" && IsOptionalString(value.$id);
 }
 function IsUnionLiteral(value) {
-  return IsUnion2(value) && value.anyOf.every((schema10) => IsLiteralString(schema10) || IsLiteralNumber(schema10));
+  return IsUnion2(value) && value.anyOf.every((schema) => IsLiteralString(schema) || IsLiteralNumber(schema));
 }
 function IsUnion2(value) {
-  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema10) => IsSchema2(schema10));
+  return IsKindOf2(value, "Union") && IsOptionalString(value.$id) && IsObject(value) && IsArray(value.anyOf) && value.anyOf.every((schema) => IsSchema2(schema));
 }
 function IsUint8Array3(value) {
   return IsKindOf2(value, "Uint8Array") && value.type === "Uint8Array" && IsOptionalString(value.$id) && IsOptionalNumber(value.minByteLength) && IsOptionalNumber(value.maxByteLength);
@@ -3031,8 +3120,8 @@ function IsTemplateLiteralExpressionFinite(expression) {
     throw new TemplateLiteralFiniteError(`Unknown expression type`);
   })();
 }
-function IsTemplateLiteralFinite(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function IsTemplateLiteralFinite(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression);
 }
 
@@ -3063,8 +3152,8 @@ function* TemplateLiteralExpressionGenerate(expression) {
     throw new TemplateLiteralGenerateError("Unknown expression");
   })();
 }
-function TemplateLiteralGenerate(schema10) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function TemplateLiteralGenerate(schema) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   return IsTemplateLiteralExpressionFinite(expression) ? [...TemplateLiteralExpressionGenerate(expression)] : [];
 }
 
@@ -3140,18 +3229,18 @@ var TemplateLiteralPatternError = class extends TypeBoxError {
 function Escape(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
-function Visit2(schema10, acc) {
-  return IsTemplateLiteral(schema10) ? schema10.pattern.slice(1, schema10.pattern.length - 1) : IsUnion(schema10) ? `(${schema10.anyOf.map((schema11) => Visit2(schema11, acc)).join("|")})` : IsNumber3(schema10) ? `${acc}${PatternNumber}` : IsInteger(schema10) ? `${acc}${PatternNumber}` : IsBigInt2(schema10) ? `${acc}${PatternNumber}` : IsString2(schema10) ? `${acc}${PatternString}` : IsLiteral(schema10) ? `${acc}${Escape(schema10.const.toString())}` : IsBoolean2(schema10) ? `${acc}${PatternBoolean}` : (() => {
-    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema10[Kind]}'`);
+function Visit2(schema, acc) {
+  return IsTemplateLiteral(schema) ? schema.pattern.slice(1, schema.pattern.length - 1) : IsUnion(schema) ? `(${schema.anyOf.map((schema2) => Visit2(schema2, acc)).join("|")})` : IsNumber3(schema) ? `${acc}${PatternNumber}` : IsInteger(schema) ? `${acc}${PatternNumber}` : IsBigInt2(schema) ? `${acc}${PatternNumber}` : IsString2(schema) ? `${acc}${PatternString}` : IsLiteral(schema) ? `${acc}${Escape(schema.const.toString())}` : IsBoolean2(schema) ? `${acc}${PatternBoolean}` : (() => {
+    throw new TemplateLiteralPatternError(`Unexpected Kind '${schema[Kind]}'`);
   })();
 }
 function TemplateLiteralPattern(kinds) {
-  return `^${kinds.map((schema10) => Visit2(schema10, "")).join("")}$`;
+  return `^${kinds.map((schema) => Visit2(schema, "")).join("")}$`;
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/union.mjs
-function TemplateLiteralToUnion(schema10) {
-  const R = TemplateLiteralGenerate(schema10);
+function TemplateLiteralToUnion(schema) {
+  const R = TemplateLiteralGenerate(schema);
   const L = R.map((S) => Literal(S));
   return UnionEvaluated(L);
 }
@@ -3288,18 +3377,18 @@ function Promise2(item, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly.mjs
-function RemoveReadonly(schema10) {
-  return CreateType(Discard(schema10, [ReadonlyKind]));
+function RemoveReadonly(schema) {
+  return CreateType(Discard(schema, [ReadonlyKind]));
 }
-function AddReadonly(schema10) {
-  return CreateType({ ...schema10, [ReadonlyKind]: "Readonly" });
+function AddReadonly(schema) {
+  return CreateType({ ...schema, [ReadonlyKind]: "Readonly" });
 }
-function ReadonlyWithFlag(schema10, F) {
-  return F === false ? RemoveReadonly(schema10) : AddReadonly(schema10);
+function ReadonlyWithFlag(schema, F) {
+  return F === false ? RemoveReadonly(schema) : AddReadonly(schema);
 }
-function Readonly(schema10, enable) {
+function Readonly(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? ReadonlyFromMappedResult(schema10, F) : ReadonlyWithFlag(schema10, F);
+  return IsMappedResult(schema) ? ReadonlyFromMappedResult(schema, F) : ReadonlyWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly/readonly-from-mapped-result.mjs
@@ -3378,18 +3467,18 @@ function Mapped(key, map, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional.mjs
-function RemoveOptional(schema10) {
-  return CreateType(Discard(schema10, [OptionalKind]));
+function RemoveOptional(schema) {
+  return CreateType(Discard(schema, [OptionalKind]));
 }
-function AddOptional(schema10) {
-  return CreateType({ ...schema10, [OptionalKind]: "Optional" });
+function AddOptional(schema) {
+  return CreateType({ ...schema, [OptionalKind]: "Optional" });
 }
-function OptionalWithFlag(schema10, F) {
-  return F === false ? RemoveOptional(schema10) : AddOptional(schema10);
+function OptionalWithFlag(schema, F) {
+  return F === false ? RemoveOptional(schema) : AddOptional(schema);
 }
-function Optional(schema10, enable) {
+function Optional(schema, enable) {
   const F = enable ?? true;
-  return IsMappedResult(schema10) ? OptionalFromMappedResult(schema10, F) : OptionalWithFlag(schema10, F);
+  return IsMappedResult(schema) ? OptionalFromMappedResult(schema, F) : OptionalWithFlag(schema, F);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/optional/optional-from-mapped-result.mjs
@@ -3409,7 +3498,7 @@ function OptionalFromMappedResult(R, F) {
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/intersect/intersect-create.mjs
 function IntersectCreate(T, options = {}) {
-  const allObjects = T.every((schema10) => IsObject3(schema10));
+  const allObjects = T.every((schema) => IsObject3(schema));
   const clonedUnevaluatedProperties = IsSchema(options.unevaluatedProperties) ? { unevaluatedProperties: options.unevaluatedProperties } : {};
   return CreateType(options.unevaluatedProperties === false || IsSchema(options.unevaluatedProperties) || allObjects ? { ...clonedUnevaluatedProperties, [Kind]: "Intersect", type: "object", allOf: T } : { ...clonedUnevaluatedProperties, [Kind]: "Intersect", allOf: T }, options);
 }
@@ -3432,7 +3521,7 @@ function IntersectEvaluated(types, options = {}) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return ResolveIntersect(types, options);
 }
@@ -3443,7 +3532,7 @@ function Intersect(types, options) {
     return CreateType(types[0], options);
   if (types.length === 0)
     return Never(options);
-  if (types.some((schema10) => IsTransform(schema10)))
+  if (types.some((schema) => IsTransform(schema)))
     throw new Error("Cannot intersect transform types");
   return IntersectCreate(types, options);
 }
@@ -3634,8 +3723,8 @@ function Const(T, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/constructor-parameters/constructor-parameters.mjs
-function ConstructorParameters(schema10, options) {
-  return IsConstructor(schema10) ? Tuple(schema10.parameters, options) : Never(options);
+function ConstructorParameters(schema, options) {
+  return IsConstructor(schema) ? Tuple(schema.parameters, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/enum/enum.mjs
@@ -3673,7 +3762,7 @@ function FromAnyRight(left, right) {
   return ExtendsResult.True;
 }
 function FromAny(left, right) {
-  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema10) => type_exports.IsAny(schema10) || type_exports.IsUnknown(schema10)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
+  return type_exports.IsIntersect(right) ? FromIntersectRight(left, right) : type_exports.IsUnion(right) && right.anyOf.some((schema) => type_exports.IsAny(schema) || type_exports.IsUnknown(schema)) ? ExtendsResult.True : type_exports.IsUnion(right) ? ExtendsResult.Union : type_exports.IsUnknown(right) ? ExtendsResult.True : type_exports.IsAny(right) ? ExtendsResult.True : ExtendsResult.Union;
 }
 function FromArrayRight(left, right) {
   return type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : type_exports.IsNever(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -3694,13 +3783,13 @@ function FromBoolean(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsBoolean(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromConstructor(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsConstructor(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromDate(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsDate(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromFunction(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema10, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema10)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : !type_exports.IsFunction(right) ? ExtendsResult.False : left.parameters.length > right.parameters.length ? ExtendsResult.False : !left.parameters.every((schema, index9) => IntoBooleanResult(Visit3(right.parameters[index9], schema)) === ExtendsResult.True) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.returns, right.returns));
 }
 function FromIntegerRight(left, right) {
   return type_exports.IsLiteral(left) && value_exports.IsNumber(left.const) ? ExtendsResult.True : type_exports.IsNumber(left) || type_exports.IsInteger(left) ? ExtendsResult.True : ExtendsResult.False;
@@ -3709,10 +3798,10 @@ function FromInteger(left, right) {
   return type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : ExtendsResult.False;
 }
 function FromIntersectRight(left, right) {
-  return right.allOf.every((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.allOf.every((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIntersect4(left, right) {
-  return left.allOf.some((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.allOf.some((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromIterator(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : !type_exports.IsIterator(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.items, right.items));
@@ -3726,8 +3815,8 @@ function FromNeverRight(left, right) {
 function FromNever(left, right) {
   return ExtendsResult.True;
 }
-function UnwrapTNot(schema10) {
-  let [current, depth] = [schema10, 0];
+function UnwrapTNot(schema) {
+  let [current, depth] = [schema, 0];
   while (true) {
     if (!type_exports.IsNot(current))
       break;
@@ -3748,44 +3837,44 @@ function FromNumberRight(left, right) {
 function FromNumber(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsInteger(right) || type_exports.IsNumber(right) ? ExtendsResult.True : ExtendsResult.False;
 }
-function IsObjectPropertyCount(schema10, count) {
-  return Object.getOwnPropertyNames(schema10.properties).length === count;
+function IsObjectPropertyCount(schema, count) {
+  return Object.getOwnPropertyNames(schema.properties).length === count;
 }
-function IsObjectStringLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectStringLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectSymbolLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "description" in schema10.properties && type_exports.IsUnion(schema10.properties.description) && schema10.properties.description.anyOf.length === 2 && (type_exports.IsString(schema10.properties.description.anyOf[0]) && type_exports.IsUndefined(schema10.properties.description.anyOf[1]) || type_exports.IsString(schema10.properties.description.anyOf[1]) && type_exports.IsUndefined(schema10.properties.description.anyOf[0]));
+function IsObjectSymbolLike(schema) {
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "description" in schema.properties && type_exports.IsUnion(schema.properties.description) && schema.properties.description.anyOf.length === 2 && (type_exports.IsString(schema.properties.description.anyOf[0]) && type_exports.IsUndefined(schema.properties.description.anyOf[1]) || type_exports.IsString(schema.properties.description.anyOf[1]) && type_exports.IsUndefined(schema.properties.description.anyOf[0]));
 }
-function IsObjectNumberLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectNumberLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBooleanLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBooleanLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectBigIntLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectBigIntLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectDateLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectDateLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectUint8ArrayLike(schema10) {
-  return IsObjectArrayLike(schema10);
+function IsObjectUint8ArrayLike(schema) {
+  return IsObjectArrayLike(schema);
 }
-function IsObjectFunctionLike(schema10) {
+function IsObjectFunctionLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectConstructorLike(schema10) {
-  return IsObjectPropertyCount(schema10, 0);
+function IsObjectConstructorLike(schema) {
+  return IsObjectPropertyCount(schema, 0);
 }
-function IsObjectArrayLike(schema10) {
+function IsObjectArrayLike(schema) {
   const length = Number2();
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "length" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["length"], length)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "length" in schema.properties && IntoBooleanResult(Visit3(schema.properties["length"], length)) === ExtendsResult.True;
 }
-function IsObjectPromiseLike(schema10) {
+function IsObjectPromiseLike(schema) {
   const then = Function([Any()], Any());
-  return IsObjectPropertyCount(schema10, 0) || IsObjectPropertyCount(schema10, 1) && "then" in schema10.properties && IntoBooleanResult(Visit3(schema10.properties["then"], then)) === ExtendsResult.True;
+  return IsObjectPropertyCount(schema, 0) || IsObjectPropertyCount(schema, 1) && "then" in schema.properties && IntoBooleanResult(Visit3(schema.properties["then"], then)) === ExtendsResult.True;
 }
 function Property(left, right) {
   return Visit3(left, right) === ExtendsResult.False ? ExtendsResult.False : type_exports.IsOptional(left) && !type_exports.IsOptional(right) ? ExtendsResult.False : ExtendsResult.True;
@@ -3816,11 +3905,11 @@ function FromObject(left, right) {
 function FromPromise2(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectPromiseLike(right) ? ExtendsResult.True : !type_exports.IsPromise(right) ? ExtendsResult.False : IntoBooleanResult(Visit3(left.item, right.item));
 }
-function RecordKey(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? Number2() : PatternStringExact in schema10.patternProperties ? String2() : Throw("Unknown record key pattern");
+function RecordKey(schema) {
+  return PatternNumberExact in schema.patternProperties ? Number2() : PatternStringExact in schema.patternProperties ? String2() : Throw("Unknown record key pattern");
 }
-function RecordValue(schema10) {
-  return PatternNumberExact in schema10.patternProperties ? schema10.patternProperties[PatternNumberExact] : PatternStringExact in schema10.patternProperties ? schema10.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
+function RecordValue(schema) {
+  return PatternNumberExact in schema.patternProperties ? schema.patternProperties[PatternNumberExact] : PatternStringExact in schema.patternProperties ? schema.patternProperties[PatternStringExact] : Throw("Unable to get record value schema");
 }
 function FromRecordRight(left, right) {
   const [Key, Value] = [RecordKey(right), RecordValue(right)];
@@ -3854,13 +3943,13 @@ function FromTemplateLiteral2(left, right) {
   return type_exports.IsTemplateLiteral(left) ? Visit3(TemplateLiteralToUnion(left), right) : type_exports.IsTemplateLiteral(right) ? Visit3(left, TemplateLiteralToUnion(right)) : Throw("Invalid fallthrough for TemplateLiteral");
 }
 function IsArrayOfTuple(left, right) {
-  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema10) => Visit3(schema10, right.items) === ExtendsResult.True);
+  return type_exports.IsArray(right) && left.items !== void 0 && left.items.every((schema) => Visit3(schema, right.items) === ExtendsResult.True);
 }
 function FromTupleRight(left, right) {
   return type_exports.IsNever(left) ? ExtendsResult.True : type_exports.IsUnknown(left) ? ExtendsResult.False : type_exports.IsAny(left) ? ExtendsResult.Union : ExtendsResult.False;
 }
 function FromTuple3(left, right) {
-  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema10, index9) => Visit3(schema10, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) && IsObjectArrayLike(right) ? ExtendsResult.True : type_exports.IsArray(right) && IsArrayOfTuple(left, right) ? ExtendsResult.True : !type_exports.IsTuple(right) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) || !value_exports.IsUndefined(left.items) && value_exports.IsUndefined(right.items) ? ExtendsResult.False : value_exports.IsUndefined(left.items) && !value_exports.IsUndefined(right.items) ? ExtendsResult.True : left.items.every((schema, index9) => Visit3(schema, right.items[index9]) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUint8Array(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsUint8Array(right) ? ExtendsResult.True : ExtendsResult.False;
@@ -3869,10 +3958,10 @@ function FromUndefined(left, right) {
   return IsStructuralRight(right) ? StructuralRight(left, right) : type_exports.IsObject(right) ? FromObjectRight(left, right) : type_exports.IsRecord(right) ? FromRecordRight(left, right) : type_exports.IsVoid(right) ? FromVoidRight(left, right) : type_exports.IsUndefined(right) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnionRight(left, right) {
-  return right.anyOf.some((schema10) => Visit3(left, schema10) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return right.anyOf.some((schema) => Visit3(left, schema) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnion6(left, right) {
-  return left.anyOf.every((schema10) => Visit3(schema10, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
+  return left.anyOf.every((schema) => Visit3(schema, right) === ExtendsResult.True) ? ExtendsResult.True : ExtendsResult.False;
 }
 function FromUnknownRight(left, right) {
   return ExtendsResult.True;
@@ -4009,13 +4098,13 @@ function ExtractFromMappedResult(R, T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/instance-type/instance-type.mjs
-function InstanceType(schema10, options) {
-  return IsConstructor(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function InstanceType(schema, options) {
+  return IsConstructor(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/readonly-optional/readonly-optional.mjs
-function ReadonlyOptional(schema10) {
-  return Readonly(Optional(schema10));
+function ReadonlyOptional(schema) {
+  return Readonly(Optional(schema));
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/record/record.mjs
@@ -4188,11 +4277,11 @@ function ApplyUppercase(value) {
 function ApplyLowercase(value) {
   return value.toLowerCase();
 }
-function FromTemplateLiteral3(schema10, mode, options) {
-  const expression = TemplateLiteralParseExact(schema10.pattern);
+function FromTemplateLiteral3(schema, mode, options) {
+  const expression = TemplateLiteralParseExact(schema.pattern);
   const finite = IsTemplateLiteralExpressionFinite(expression);
   if (!finite)
-    return { ...schema10, pattern: FromLiteralValue(schema10.pattern, mode) };
+    return { ...schema, pattern: FromLiteralValue(schema.pattern, mode) };
   const strings = [...TemplateLiteralExpressionGenerate(expression)];
   const literals = strings.map((value) => Literal(value));
   const mapped = FromRest5(literals, mode);
@@ -4205,14 +4294,14 @@ function FromLiteralValue(value, mode) {
 function FromRest5(T, M) {
   return T.map((L) => Intrinsic(L, M));
 }
-function Intrinsic(schema10, mode, options = {}) {
+function Intrinsic(schema, mode, options = {}) {
   return (
     // Intrinsic-Mapped-Inference
-    IsMappedKey(schema10) ? IntrinsicFromMappedKey(schema10, mode, options) : (
+    IsMappedKey(schema) ? IntrinsicFromMappedKey(schema, mode, options) : (
       // Standard-Inference
-      IsTemplateLiteral(schema10) ? FromTemplateLiteral3(schema10, mode, options) : IsUnion(schema10) ? Union(FromRest5(schema10.anyOf, mode), options) : IsLiteral(schema10) ? Literal(FromLiteralValue(schema10.const, mode), options) : (
+      IsTemplateLiteral(schema) ? FromTemplateLiteral3(schema, mode, options) : IsUnion(schema) ? Union(FromRest5(schema.anyOf, mode), options) : IsLiteral(schema) ? Literal(FromLiteralValue(schema.const, mode), options) : (
         // Default Type
-        CreateType(schema10, options)
+        CreateType(schema, options)
       )
     )
   );
@@ -4609,8 +4698,8 @@ function Not(type, options) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/parameters/parameters.mjs
-function Parameters(schema10, options) {
-  return IsFunction2(schema10) ? Tuple(schema10.parameters, options) : Never();
+function Parameters(schema, options) {
+  return IsFunction2(schema) ? Tuple(schema.parameters, options) : Never();
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/recursive/recursive.mjs
@@ -4638,40 +4727,40 @@ function Rest(T) {
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/return-type/return-type.mjs
-function ReturnType(schema10, options) {
-  return IsFunction2(schema10) ? CreateType(schema10.returns, options) : Never(options);
+function ReturnType(schema, options) {
+  return IsFunction2(schema) ? CreateType(schema.returns, options) : Never(options);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/transform/transform.mjs
 var TransformDecodeBuilder = class {
-  constructor(schema10) {
-    this.schema = schema10;
+  constructor(schema) {
+    this.schema = schema;
   }
   Decode(decode) {
     return new TransformEncodeBuilder(this.schema, decode);
   }
 };
 var TransformEncodeBuilder = class {
-  constructor(schema10, decode) {
-    this.schema = schema10;
+  constructor(schema, decode) {
+    this.schema = schema;
     this.decode = decode;
   }
-  EncodeTransform(encode, schema10) {
-    const Encode = (value) => schema10[TransformKind].Encode(encode(value));
-    const Decode = (value) => this.decode(schema10[TransformKind].Decode(value));
+  EncodeTransform(encode, schema) {
+    const Encode = (value) => schema[TransformKind].Encode(encode(value));
+    const Decode = (value) => this.decode(schema[TransformKind].Decode(value));
     const Codec = { Encode, Decode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
-  EncodeSchema(encode, schema10) {
+  EncodeSchema(encode, schema) {
     const Codec = { Decode: this.decode, Encode: encode };
-    return { ...schema10, [TransformKind]: Codec };
+    return { ...schema, [TransformKind]: Codec };
   }
   Encode(encode) {
     return IsTransform(this.schema) ? this.EncodeTransform(encode, this.schema) : this.EncodeSchema(encode, this.schema);
   }
 };
-function Transform(schema10) {
-  return new TransformDecodeBuilder(schema10);
+function Transform(schema) {
+  return new TransformDecodeBuilder(schema);
 }
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/unsafe/unsafe.mjs
@@ -5049,6 +5138,33 @@ var changePasswordContract = {
     })
   )
 };
+var getMeContract = {
+  method: "GET",
+  path: "/_auth/me",
+  body: Type.Object({}),
+  response: ApiResponseSchema(
+    Type.Object({
+      userId: Type.String({ description: "User ID" }),
+      email: Type.Optional(Type.String({ description: "User email address" })),
+      phone: Type.Optional(Type.String({ description: "User phone number" })),
+      role: Type.Object({
+        id: Type.Number({ description: "Role ID" }),
+        name: Type.String({ description: "Role name (e.g., user, admin)" }),
+        displayName: Type.String({ description: "Display name for UI" }),
+        priority: Type.Number({ description: "Role priority level" })
+      }, { description: "User role information" }),
+      permissions: Type.Array(
+        Type.Object({
+          id: Type.Number({ description: "Permission ID" }),
+          name: Type.String({ description: "Permission name (e.g., user:delete)" }),
+          displayName: Type.String({ description: "Display name for UI" }),
+          category: Type.Optional(Type.String({ description: "Permission category" }))
+        }),
+        { description: "List of permissions granted through role" }
+      )
+    })
+  )
+};
 
 // src/lib/contracts/invitation.ts
 var UUID_PATTERN2 = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$";
@@ -5282,252 +5398,45 @@ var deleteInvitationContract = {
   )
 };
 
-// src/server/helpers/jwt.ts
-import jwt from "jsonwebtoken";
-import crypto from "crypto";
-var JWT_SECRET = process.env.SPFN_AUTH_JWT_SECRET || // New prefixed version (recommended)
-process.env.JWT_SECRET || // Legacy fallback
-"dev-secret-key-change-in-production";
-var JWT_EXPIRES_IN = process.env.SPFN_AUTH_JWT_EXPIRES_IN || // New prefixed version (recommended)
-process.env.JWT_EXPIRES_IN || // Legacy fallback
-"7d";
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    const decoded = jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      // Prevent algorithm confusion attacks
-      issuer: "spfn-client"
-      // Validate token issuer
-    });
-    if (typeof decoded === "string") {
-      throw new Error("Invalid token format: expected object payload");
-    }
-    return decoded;
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      throw new Error("Token has expired");
-    }
-    if (error instanceof jwt.JsonWebTokenError) {
-      throw new Error("Invalid token signature");
-    }
-    throw new Error(`Token verification failed: ${error instanceof Error ? error.message : "Unknown error"}`);
+// src/server/helpers/password.ts
+import bcrypt from "bcrypt";
+var SALT_ROUNDS = parseInt(
+  process.env.SPFN_AUTH_BCRYPT_SALT_ROUNDS || // New prefixed version (recommended)
+  process.env.BCRYPT_SALT_ROUNDS || // Legacy fallback
+  "10",
+  10
+);
+async function hashPassword(password) {
+  if (!password || password.length === 0) {
+    throw new Error("Password cannot be empty");
   }
+  return bcrypt.hash(password, SALT_ROUNDS);
 }
-function verifyKeyFingerprint(publicKeyB64, expectedFingerprint) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const fingerprint = crypto.createHash("sha256").update(publicKeyDER).digest("hex");
-    return fingerprint === expectedFingerprint;
-  } catch (error) {
-    console.error("Failed to verify key fingerprint:", error);
-    return false;
+async function verifyPassword(password, hash) {
+  if (!password || password.length === 0) {
+    throw new Error("Password cannot be empty");
+  }
+  if (!hash || hash.length === 0) {
+    throw new Error("Hash cannot be empty");
   }
+  return bcrypt.compare(password, hash);
 }
 
-// src/server/middleware/authenticate.ts
-init_entities();
-import { findOne, getDatabase } from "@spfn/core/db";
+// src/server/helpers/index.ts
+init_jwt();
 
-// src/server/errors/auth-errors.ts
-import {
-  ValidationError,
-  UnauthorizedError,
-  ForbiddenError,
-  ConflictError
-} from "@spfn/core/errors";
-var InvalidCredentialsError = class extends UnauthorizedError {
-  constructor(message = "Invalid credentials") {
-    super(message);
-    this.name = "InvalidCredentialsError";
-  }
-};
-var InvalidTokenError = class extends UnauthorizedError {
-  constructor(message = "Invalid authentication token") {
-    super(message);
-    this.name = "InvalidTokenError";
-  }
-};
-var TokenExpiredError = class extends UnauthorizedError {
-  constructor(message = "Authentication token has expired") {
-    super(message);
-    this.name = "TokenExpiredError";
-  }
-};
-var KeyExpiredError = class extends UnauthorizedError {
-  constructor(message = "Public key has expired") {
-    super(message);
-    this.name = "KeyExpiredError";
-  }
-};
-var AccountDisabledError = class extends ForbiddenError {
-  constructor(status = "disabled") {
-    super(`Account is ${status}`);
-    this.name = "AccountDisabledError";
-    this.details = { status };
-  }
-};
-var AccountAlreadyExistsError = class extends ConflictError {
-  constructor(identifier, identifierType) {
-    super("Account already exists");
-    this.name = "AccountAlreadyExistsError";
-    this.details = { identifier, identifierType };
-  }
-};
-var InvalidVerificationCodeError = class extends ValidationError {
-  constructor(reason = "Invalid verification code") {
-    super(reason);
-    this.name = "InvalidVerificationCodeError";
-  }
-};
-var InvalidVerificationTokenError = class extends ValidationError {
-  constructor(message = "Invalid or expired verification token") {
-    super(message);
-    this.name = "InvalidVerificationTokenError";
-  }
-};
-var InvalidKeyFingerprintError = class extends ValidationError {
-  constructor(message = "Invalid key fingerprint") {
-    super(message);
-    this.name = "InvalidKeyFingerprintError";
-  }
-};
-var VerificationTokenPurposeMismatchError = class extends ValidationError {
-  constructor(expected, actual) {
-    super(`Verification token is for ${actual}, but ${expected} was expected`);
-    this.name = "VerificationTokenPurposeMismatchError";
-    this.details = { expected, actual };
-  }
-};
-var VerificationTokenTargetMismatchError = class extends ValidationError {
-  constructor() {
-    super("Verification token does not match provided email/phone");
-    this.name = "VerificationTokenTargetMismatchError";
-  }
-};
-
-// src/server/middleware/authenticate.ts
-import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
-import { eq, and } from "drizzle-orm";
-async function authenticate(c, next) {
-  const authHeader = c.req.header("Authorization");
-  const keyId = c.req.header("X-Key-Id");
-  if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    throw new UnauthorizedError2("Missing or invalid authorization header");
-  }
-  if (!keyId) {
-    throw new UnauthorizedError2("Missing X-Key-Id header");
-  }
-  const token = authHeader.substring(7);
-  const db = getDatabase();
-  const [keyRecord] = await db.select().from(userPublicKeys).where(
-    and(
-      eq(userPublicKeys.keyId, keyId),
-      eq(userPublicKeys.isActive, true)
-    )
-  );
-  if (!keyRecord) {
-    throw new UnauthorizedError2("Invalid or revoked key");
-  }
-  if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
-    throw new KeyExpiredError();
-  }
-  try {
-    verifyClientToken(
-      token,
-      keyRecord.publicKey,
-      keyRecord.algorithm
-    );
-  } catch (err) {
-    if (err instanceof Error) {
-      if (err.name === "TokenExpiredError") {
-        throw new TokenExpiredError();
-      }
-      if (err.name === "JsonWebTokenError") {
-        throw new InvalidTokenError("Invalid token signature");
-      }
-    }
-    throw new UnauthorizedError2("Authentication failed");
-  }
-  const user = await findOne(users, { id: keyRecord.userId });
-  if (!user) {
-    throw new UnauthorizedError2("User not found");
-  }
-  if (user.status !== "active") {
-    throw new AccountDisabledError(user.status);
-  }
-  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
-  c.set("auth", {
-    user,
-    userId: String(user.id),
-    keyId
-  });
-  await next();
-}
-
-// src/server/helpers/context.ts
-function getAuth(c) {
-  if ("raw" in c && c.raw) {
-    return c.raw.get("auth");
-  }
-  return c.get("auth");
-}
-function getUser(c) {
-  return getAuth(c).user;
-}
-
-// src/server/services/permission.service.ts
-init_entities();
-import { getDatabase as getDatabase2 } from "@spfn/core/db";
-import { eq as eq2, and as and2 } from "drizzle-orm";
-
-// src/server/middleware/require-permission.ts
-import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
-
-// src/server/middleware/require-role.ts
-import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
-
-// src/server/helpers/password.ts
-import bcrypt from "bcrypt";
-var SALT_ROUNDS = parseInt(
-  process.env.SPFN_AUTH_BCRYPT_SALT_ROUNDS || // New prefixed version (recommended)
-  process.env.BCRYPT_SALT_ROUNDS || // Legacy fallback
-  "10",
-  10
-);
-async function hashPassword(password) {
-  if (!password || password.length === 0) {
-    throw new Error("Password cannot be empty");
-  }
-  return bcrypt.hash(password, SALT_ROUNDS);
-}
-async function verifyPassword(password, hash) {
-  if (!password || password.length === 0) {
-    throw new Error("Password cannot be empty");
-  }
-  if (!hash || hash.length === 0) {
-    throw new Error("Hash cannot be empty");
-  }
-  return bcrypt.compare(password, hash);
-}
-
-// src/server/helpers/verification.ts
-init_verification_codes();
-import jwt2 from "jsonwebtoken";
-import { getDatabase as getDatabase3, create } from "@spfn/core/db";
-import { eq as eq3, and as and3 } from "drizzle-orm";
-function getVerificationTokenSecret() {
-  const secret = process.env.SPFN_AUTH_VERIFICATION_TOKEN_SECRET || // New prefixed version (recommended)
-  process.env.VERIFICATION_TOKEN_SECRET || // Legacy fallback
-  process.env.SPFN_AUTH_JWT_SECRET || // New JWT secret fallback
-  process.env.JWT_SECRET;
-  if (!secret || secret.length < 32) {
-    throw new Error("SPFN_AUTH_VERIFICATION_TOKEN_SECRET must be at least 32 characters long");
+// src/server/helpers/verification.ts
+init_verification_codes();
+import jwt2 from "jsonwebtoken";
+import { getDatabase, create } from "@spfn/core/db";
+import { eq, and } from "drizzle-orm";
+function getVerificationTokenSecret() {
+  const secret = process.env.SPFN_AUTH_VERIFICATION_TOKEN_SECRET || // New prefixed version (recommended)
+  process.env.VERIFICATION_TOKEN_SECRET || // Legacy fallback
+  process.env.SPFN_AUTH_JWT_SECRET || // New JWT secret fallback
+  process.env.JWT_SECRET;
+  if (!secret || secret.length < 32) {
+    throw new Error("SPFN_AUTH_VERIFICATION_TOKEN_SECRET must be at least 32 characters long");
   }
   return secret;
 }
@@ -5539,7 +5448,7 @@ function generateVerificationCode() {
   return code;
 }
 async function storeVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
@@ -5556,16 +5465,16 @@ async function storeVerificationCode(target, targetType, code, purpose) {
   return record;
 }
 async function validateVerificationCode(target, targetType, code, purpose) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
   const records = await db.select().from(verificationCodes).where(
-    and3(
-      eq3(verificationCodes.target, target),
-      eq3(verificationCodes.targetType, targetType),
-      eq3(verificationCodes.code, code),
-      eq3(verificationCodes.purpose, purpose)
+    and(
+      eq(verificationCodes.target, target),
+      eq(verificationCodes.targetType, targetType),
+      eq(verificationCodes.code, code),
+      eq(verificationCodes.purpose, purpose)
     )
   ).limit(1);
   if (records.length === 0) {
@@ -5582,15 +5491,15 @@ async function validateVerificationCode(target, targetType, code, purpose) {
   if (attempts >= MAX_VERIFICATION_ATTEMPTS) {
     return { valid: false, error: "Too many attempts, please request a new code" };
   }
-  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq3(verificationCodes.id, record.id));
+  await db.update(verificationCodes).set({ attempts: (attempts + 1).toString() }).where(eq(verificationCodes.id, record.id));
   return { valid: true, codeId: record.id };
 }
 async function markCodeAsUsed(codeId) {
-  const db = getDatabase3();
+  const db = getDatabase();
   if (!db) {
     throw new Error("Database not initialized");
   }
-  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq3(verificationCodes.id, codeId));
+  await db.update(verificationCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(eq(verificationCodes.id, codeId));
 }
 function createVerificationToken(payload) {
   const secret = getVerificationTokenSecret();
@@ -5623,15 +5532,101 @@ async function sendVerificationSMS(phone, code, purpose) {
   console.log(`[VERIFICATION SMS] To: ${phone}, Code: ${code}, Purpose: ${purpose}`);
 }
 
+// src/server/helpers/context.ts
+function getAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
+function getUser(c) {
+  return getAuth(c).user;
+}
+
 // src/server/services/auth.service.ts
 init_entities();
-import { findOne as findOne3, create as create3 } from "@spfn/core/db";
+import { findOne as findOne2, create as create3 } from "@spfn/core/db";
 import { ValidationError as ValidationError2 } from "@spfn/core/errors";
 
+// src/server/errors/auth-errors.ts
+import {
+  ValidationError,
+  UnauthorizedError,
+  ForbiddenError,
+  ConflictError
+} from "@spfn/core/errors";
+var InvalidCredentialsError = class extends UnauthorizedError {
+  constructor(message = "Invalid credentials") {
+    super(message);
+    this.name = "InvalidCredentialsError";
+  }
+};
+var InvalidTokenError = class extends UnauthorizedError {
+  constructor(message = "Invalid authentication token") {
+    super(message);
+    this.name = "InvalidTokenError";
+  }
+};
+var TokenExpiredError = class extends UnauthorizedError {
+  constructor(message = "Authentication token has expired") {
+    super(message);
+    this.name = "TokenExpiredError";
+  }
+};
+var KeyExpiredError = class extends UnauthorizedError {
+  constructor(message = "Public key has expired") {
+    super(message);
+    this.name = "KeyExpiredError";
+  }
+};
+var AccountDisabledError = class extends ForbiddenError {
+  constructor(status = "disabled") {
+    super(`Account is ${status}`, { details: { status } });
+    this.name = "AccountDisabledError";
+  }
+};
+var AccountAlreadyExistsError = class extends ConflictError {
+  constructor(identifier, identifierType) {
+    super("Account already exists", { details: { identifier, identifierType } });
+    this.name = "AccountAlreadyExistsError";
+  }
+};
+var InvalidVerificationCodeError = class extends ValidationError {
+  constructor(reason = "Invalid verification code") {
+    super(reason);
+    this.name = "InvalidVerificationCodeError";
+  }
+};
+var InvalidVerificationTokenError = class extends ValidationError {
+  constructor(message = "Invalid or expired verification token") {
+    super(message);
+    this.name = "InvalidVerificationTokenError";
+  }
+};
+var InvalidKeyFingerprintError = class extends ValidationError {
+  constructor(message = "Invalid key fingerprint") {
+    super(message);
+    this.name = "InvalidKeyFingerprintError";
+  }
+};
+var VerificationTokenPurposeMismatchError = class extends ValidationError {
+  constructor(expected, actual) {
+    super(`Verification token is for ${actual}, but ${expected} was expected`, { details: { expected, actual } });
+    this.name = "VerificationTokenPurposeMismatchError";
+  }
+};
+var VerificationTokenTargetMismatchError = class extends ValidationError {
+  constructor() {
+    super("Verification token does not match provided email/phone");
+    this.name = "VerificationTokenTargetMismatchError";
+  }
+};
+
 // src/server/services/key.service.ts
 init_entities();
-import { create as create2, getDatabase as getDatabase4 } from "@spfn/core/db";
-import { eq as eq4, and as and4 } from "drizzle-orm";
+init_jwt();
+import { create as create2, getDatabase as getDatabase2 } from "@spfn/core/db";
+import { eq as eq2, and as and2 } from "drizzle-orm";
 function getKeyExpiryDate() {
   const expiresAt = /* @__PURE__ */ new Date();
   expiresAt.setDate(expiresAt.getDate() + 90);
@@ -5660,15 +5655,15 @@ async function rotateKeyService(params) {
   if (!isValidFingerprint) {
     throw new InvalidKeyFingerprintError();
   }
-  const db = getDatabase4();
+  const db = getDatabase2();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: "Replaced by key rotation"
   }).where(
-    and4(
-      eq4(userPublicKeys.keyId, oldKeyId),
-      eq4(userPublicKeys.userId, userId)
+    and2(
+      eq2(userPublicKeys.keyId, oldKeyId),
+      eq2(userPublicKeys.userId, userId)
     )
   );
   await create2(userPublicKeys, {
@@ -5688,22 +5683,22 @@ async function rotateKeyService(params) {
 }
 async function revokeKeyService(params) {
   const { userId, keyId, reason } = params;
-  const db = getDatabase4();
+  const db = getDatabase2();
   await db.update(userPublicKeys).set({
     isActive: false,
     revokedAt: /* @__PURE__ */ new Date(),
     revokedReason: reason
   }).where(
-    and4(
-      eq4(userPublicKeys.keyId, keyId),
-      eq4(userPublicKeys.userId, userId)
+    and2(
+      eq2(userPublicKeys.keyId, keyId),
+      eq2(userPublicKeys.userId, userId)
     )
   );
 }
 
 // src/server/services/user.service.ts
 init_entities();
-import { findOne as findOne2, updateOne } from "@spfn/core/db";
+import { findOne, updateOne } from "@spfn/core/db";
 async function updateLastLoginService(userId) {
   await updateOne(users, { id: userId }, {
     lastLoginAt: /* @__PURE__ */ new Date()
@@ -5719,11 +5714,11 @@ async function checkAccountExistsService(params) {
   if (email) {
     identifier = email;
     identifierType = "email";
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
     identifier = phone;
     identifierType = "phone";
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -5752,9 +5747,9 @@ async function registerService(params) {
   }
   let existingUser;
   if (email) {
-    existingUser = await findOne3(users, { email });
+    existingUser = await findOne2(users, { email });
   } else if (phone) {
-    existingUser = await findOne3(users, { phone });
+    existingUser = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
@@ -5795,15 +5790,17 @@ async function loginService(params) {
   const { email, phone, password, publicKey, keyId, fingerprint, oldKeyId, algorithm } = params;
   let user;
   if (email) {
-    user = await findOne3(users, { email });
+    user = await findOne2(users, { email });
   } else if (phone) {
-    user = await findOne3(users, { phone });
+    user = await findOne2(users, { phone });
   } else {
     throw new ValidationError2("Either email or phone must be provided");
   }
   if (!user || !user.passwordHash) {
     throw new InvalidCredentialsError();
   }
+  console.log("user", user);
+  console.log("\uD328\uC2A4\uC6CC\uB4DC: ", password);
   const isValid = await verifyPassword(password, user.passwordHash);
   if (!isValid) {
     throw new InvalidCredentialsError();
@@ -5847,7 +5844,7 @@ async function changePasswordService(params) {
   if (providedHash) {
     passwordHash = providedHash;
   } else {
-    const user = await findOne3(users, { id: userId });
+    const user = await findOne2(users, { id: userId });
     if (!user) {
       throw new ValidationError2("User not found");
     }
@@ -5903,10 +5900,132 @@ async function verifyCodeService(params) {
   };
 }
 
+// src/server/services/me.service.ts
+init_entities();
+import { getDatabase as getDatabase4 } from "@spfn/core/db";
+import { eq as eq4, and as and4 } from "drizzle-orm";
+async function getMeService(userId) {
+  const db = getDatabase4();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [userWithRole] = await db.select({
+    userId: users.id,
+    email: users.email,
+    phone: users.phone,
+    roleId: roles.id,
+    roleName: roles.name,
+    roleDisplayName: roles.displayName,
+    rolePriority: roles.priority
+  }).from(users).innerJoin(roles, eq4(users.roleId, roles.id)).where(eq4(users.id, userIdNum)).limit(1);
+  if (!userWithRole) {
+    throw new Error("[Auth] User not found");
+  }
+  const rolePerms = await db.select({
+    id: permissions.id,
+    name: permissions.name,
+    displayName: permissions.displayName,
+    category: permissions.category
+  }).from(rolePermissions).innerJoin(permissions, eq4(rolePermissions.permissionId, permissions.id)).where(
+    and4(
+      eq4(rolePermissions.roleId, userWithRole.roleId),
+      eq4(permissions.isActive, true)
+    )
+  );
+  return {
+    userId: userWithRole.userId.toString(),
+    email: userWithRole.email ?? void 0,
+    phone: userWithRole.phone ?? void 0,
+    role: {
+      id: userWithRole.roleId,
+      name: userWithRole.roleName,
+      displayName: userWithRole.roleDisplayName,
+      priority: userWithRole.rolePriority
+    },
+    permissions: rolePerms.map((perm) => ({
+      id: perm.id,
+      name: perm.name,
+      displayName: perm.displayName,
+      category: perm.category ?? void 0
+    }))
+  };
+}
+
 // src/server/services/rbac.service.ts
 init_entities();
+import { getDatabase as getDatabase5 } from "@spfn/core/db";
+import { logger } from "@spfn/core/logger";
+import { eq as eq5, and as and5, inArray } from "drizzle-orm";
+var authLogger = logger.child("@spfn/auth");
+
+// src/server/services/permission.service.ts
+init_entities();
 import { getDatabase as getDatabase6 } from "@spfn/core/db";
-import { eq as eq6, and as and6, inArray } from "drizzle-orm";
+import { eq as eq6, and as and6 } from "drizzle-orm";
+async function getUserPermissions(userId) {
+  const db = getDatabase6();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return [];
+  }
+  const permSet = /* @__PURE__ */ new Set();
+  const rolePerms = await db.select({ name: permissions.name }).from(rolePermissions).innerJoin(permissions, eq6(rolePermissions.permissionId, permissions.id)).where(
+    and6(
+      eq6(rolePermissions.roleId, user.roleId),
+      eq6(permissions.isActive, true)
+    )
+  );
+  for (const perm of rolePerms) {
+    permSet.add(perm.name);
+  }
+  const userPerms = await db.select({
+    name: permissions.name,
+    granted: userPermissions.granted,
+    expiresAt: userPermissions.expiresAt
+  }).from(userPermissions).innerJoin(permissions, eq6(userPermissions.permissionId, permissions.id)).where(eq6(userPermissions.userId, userIdNum));
+  const now = /* @__PURE__ */ new Date();
+  for (const userPerm of userPerms) {
+    if (userPerm.expiresAt && userPerm.expiresAt < now) {
+      continue;
+    }
+    if (userPerm.granted) {
+      permSet.add(userPerm.name);
+    } else {
+      permSet.delete(userPerm.name);
+    }
+  }
+  return Array.from(permSet);
+}
+async function hasAllPermissions(userId, permissionNames) {
+  const perms = await getUserPermissions(userId);
+  return permissionNames.every((p) => perms.includes(p));
+}
+async function hasRole(userId, roleName) {
+  const db = getDatabase6();
+  if (!db) {
+    throw new Error("[Auth] Database not initialized");
+  }
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  const [user] = await db.select({ roleId: users.roleId }).from(users).where(eq6(users.id, userIdNum)).limit(1);
+  if (!user || !user.roleId) {
+    return false;
+  }
+  const [role] = await db.select({ name: roles.name }).from(roles).where(eq6(roles.id, user.roleId)).limit(1);
+  return role?.name === roleName;
+}
+async function hasAnyRole(userId, roleNames) {
+  for (const roleName of roleNames) {
+    if (await hasRole(userId, roleName)) {
+      return true;
+    }
+  }
+  return false;
+}
 
 // src/server/services/index.ts
 init_role_service();
@@ -6202,12 +6321,16 @@ app.bind(loginContract, async (c) => {
   const result = await loginService(body);
   return c.success(result);
 });
-app.bind(logoutContract, [authenticate], async (c) => {
-  const { keyId, userId } = getAuth(c);
+app.bind(logoutContract, async (c) => {
+  const auth = getAuth(c);
+  if (!auth) {
+    return c.success({ success: true });
+  }
+  const { keyId, userId } = auth;
   await logoutService({ userId: Number(userId), keyId });
   return c.success({ success: true });
 });
-app.bind(rotateKeyContract, [authenticate], async (c) => {
+app.bind(rotateKeyContract, async (c) => {
   const body = await c.data();
   const { keyId: oldKeyId, userId } = getAuth(c);
   const result = await rotateKeyService({
@@ -6220,7 +6343,7 @@ app.bind(rotateKeyContract, [authenticate], async (c) => {
   });
   return c.success(result);
 });
-app.bind(changePasswordContract, [authenticate], async (c) => {
+app.bind(changePasswordContract, async (c) => {
   const body = await c.data();
   const user = getUser(c);
   await changePasswordService({
@@ -6231,10 +6354,119 @@ app.bind(changePasswordContract, [authenticate], async (c) => {
   });
   return c.success({ success: true });
 });
+app.bind(getMeContract, async (c) => {
+  const { userId } = getAuth(c);
+  const result = await getMeService(userId);
+  return c.success(result);
+});
 var auth_default = app;
 
 // src/server/routes/invitations/index.ts
 import { createApp as createApp2 } from "@spfn/core/route";
+
+// src/server/middleware/authenticate.ts
+init_jwt();
+init_entities();
+import { findOne as findOne3, getDatabase as getDatabase8 } from "@spfn/core/db";
+import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
+import { eq as eq8, and as and8 } from "drizzle-orm";
+async function authenticate(c, next) {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    throw new UnauthorizedError2("Missing or invalid authorization header");
+  }
+  const token = authHeader.substring(7);
+  const { decodeToken: decodeToken2 } = await Promise.resolve().then(() => (init_jwt(), jwt_exports));
+  const decoded = decodeToken2(token);
+  if (!decoded || !decoded.keyId) {
+    throw new UnauthorizedError2("Invalid token: missing keyId");
+  }
+  const keyId = decoded.keyId;
+  const db = getDatabase8();
+  const [keyRecord] = await db.select().from(userPublicKeys).where(
+    and8(
+      eq8(userPublicKeys.keyId, keyId),
+      eq8(userPublicKeys.isActive, true)
+    )
+  );
+  if (!keyRecord) {
+    throw new UnauthorizedError2("Invalid or revoked key");
+  }
+  if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
+    throw new KeyExpiredError();
+  }
+  try {
+    verifyClientToken(
+      token,
+      keyRecord.publicKey,
+      keyRecord.algorithm
+    );
+  } catch (err) {
+    if (err instanceof Error) {
+      if (err.name === "TokenExpiredError") {
+        throw new TokenExpiredError();
+      }
+      if (err.name === "JsonWebTokenError") {
+        throw new InvalidTokenError("Invalid token signature");
+      }
+    }
+    throw new UnauthorizedError2("Authentication failed");
+  }
+  const user = await findOne3(users, { id: keyRecord.userId });
+  if (!user) {
+    throw new UnauthorizedError2("User not found");
+  }
+  if (user.status !== "active") {
+    throw new AccountDisabledError(user.status);
+  }
+  db.update(userPublicKeys).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq8(userPublicKeys.id, keyRecord.id)).execute().catch((err) => console.error("Failed to update lastUsedAt:", err));
+  c.set("auth", {
+    user,
+    userId: String(user.id),
+    keyId
+  });
+  await next();
+}
+
+// src/server/middleware/require-permission.ts
+import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
+function requirePermissions(...permissionNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError2("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAllPermissions(userId, permissionNames);
+    if (!allowed) {
+      throw new ForbiddenError2(
+        `Missing required permissions: ${permissionNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
+
+// src/server/middleware/require-role.ts
+import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
+function requireRole(...roleNames) {
+  return async (c, next) => {
+    const auth = getAuth(c);
+    if (!auth) {
+      throw new ForbiddenError3("Authentication required");
+    }
+    const { userId } = auth;
+    const allowed = await hasAnyRole(userId, roleNames);
+    if (!allowed) {
+      throw new ForbiddenError3(
+        `Required roles: ${roleNames.join(", ")}`
+      );
+    }
+    await next();
+  };
+}
+
+// src/server/routes/invitations/index.ts
 var app2 = createApp2();
 app2.bind(getInvitationContract, async (c) => {
   const params = await c.data();
@@ -6268,7 +6500,7 @@ app2.bind(acceptInvitationContract, async (c) => {
   });
   return c.success(result);
 });
-app2.bind(createInvitationContract, [authenticate], async (c) => {
+app2.bind(createInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const body = await c.data();
   const { userId } = getAuth(c);
   const invitation = await createInvitation({
@@ -6289,7 +6521,7 @@ app2.bind(createInvitationContract, [authenticate], async (c) => {
     invitationUrl
   });
 });
-app2.bind(listInvitationsContract, [authenticate], async (c) => {
+app2.bind(listInvitationsContract, [authenticate, requirePermissions("user:read")], async (c) => {
   const query = await c.data();
   const result = await listInvitations({
     status: query.status,
@@ -6308,7 +6540,7 @@ app2.bind(listInvitationsContract, [authenticate], async (c) => {
     invitations: formattedInvitations
   });
 });
-app2.bind(cancelInvitationContract, [authenticate], async (c) => {
+app2.bind(cancelInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const data = await c.data();
   const { userId } = getAuth(c);
   await cancelInvitation(
@@ -6321,7 +6553,7 @@ app2.bind(cancelInvitationContract, [authenticate], async (c) => {
     cancelledAt: (/* @__PURE__ */ new Date()).toISOString()
   });
 });
-app2.bind(resendInvitationContract, [authenticate], async (c) => {
+app2.bind(resendInvitationContract, [authenticate, requirePermissions("user:invite")], async (c) => {
   const data = await c.data();
   const updated = await resendInvitation(
     data.id,
@@ -6332,7 +6564,7 @@ app2.bind(resendInvitationContract, [authenticate], async (c) => {
     expiresAt: updated.expiresAt.toISOString()
   });
 });
-app2.bind(deleteInvitationContract, [authenticate], async (c) => {
+app2.bind(deleteInvitationContract, [authenticate, requireRole("superadmin")], async (c) => {
   const data = await c.data();
   await deleteInvitation(data.id);
   return c.success({