@spfn/auth 0.2.0-beta.6 → 0.2.0-beta.60

package/dist/server.js

@@ -1,11 +1,5 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -1365,7 +1359,7 @@ var init_literal2 = __esm({
 });
 
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/boolean/boolean.mjs
-function Boolean(options) {
+function Boolean2(options) {
   return CreateType({ [Kind]: "Boolean", type: "boolean" }, options);
 }
 var init_boolean = __esm({
@@ -1447,7 +1441,7 @@ var init_string2 = __esm({
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.41/node_modules/@sinclair/typebox/build/esm/type/template-literal/syntax.mjs
 function* FromUnion(syntax) {
   const trim = syntax.trim().replace(/"|'/g, "");
-  return trim === "boolean" ? yield Boolean() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
+  return trim === "boolean" ? yield Boolean2() : trim === "number" ? yield Number2() : trim === "bigint" ? yield BigInt() : trim === "string" ? yield String2() : yield (() => {
     const literals = trim.split("|").map((literal) => Literal(literal.trim()));
     return literals.length === 0 ? Never() : literals.length === 1 ? literals[0] : UnionEvaluated(literals);
   })();
@@ -4250,7 +4244,7 @@ __export(type_exports3, {
   AsyncIterator: () => AsyncIterator,
   Awaited: () => Awaited,
   BigInt: () => BigInt,
-  Boolean: () => Boolean,
+  Boolean: () => Boolean2,
   Capitalize: () => Capitalize,
   Composite: () => Composite,
   Const: () => Const,
@@ -4570,7 +4564,7 @@ var init_roles = __esm({
 });
 
 // src/server/entities/users.ts
-import { text as text2, check, boolean as boolean2, index as index2 } from "drizzle-orm/pg-core";
+import { text as text2, check, boolean as boolean2, index as index2, uuid } from "drizzle-orm/pg-core";
 import { id as id2, timestamps as timestamps2, enumText, utcTimestamp, foreignKey } from "@spfn/core/db";
 import { sql } from "drizzle-orm";
 var users;
@@ -4585,6 +4579,9 @@ var init_users = __esm({
       {
         // Identity
         id: id2(),
+        // Public-facing UUID (for URLs, external APIs)
+        // Never expose internal bigserial ID externally
+        publicId: uuid("public_id").notNull().unique().defaultRandom(),
         // Email address (unique identifier)
         // Used for: login, password reset, notifications
         email: text2("email").unique(),
@@ -4592,6 +4589,9 @@ var init_users = __esm({
         // Format: +[country code][number] (e.g., +821012345678)
         // Used for: SMS login, 2FA, notifications
         phone: text2("phone").unique(),
+        // Username (unique, optional)
+        // Used for: display, mention, public profile URL
+        username: text2("username").unique(),
         // Authentication
         // Bcrypt password hash ($2b$10$[salt][hash], 60 chars)
         // Nullable to support OAuth-only accounts
@@ -4629,8 +4629,10 @@ var init_users = __esm({
           sql`${table.email} IS NOT NULL OR ${table.phone} IS NOT NULL`
         ),
         // Indexes for query optimization
+        index2("users_public_id_idx").on(table.publicId),
         index2("users_email_idx").on(table.email),
         index2("users_phone_idx").on(table.phone),
+        index2("users_username_idx").on(table.username),
         index2("users_status_idx").on(table.status),
         index2("users_role_id_idx").on(table.roleId)
       ]
@@ -4655,8 +4657,8 @@ var init_user_profiles = __esm({
         // Foreign key to users table
         userId: foreignKey2("user", () => users.id).unique(),
         // Display Information
-        // Display name shown in UI (required)
-        displayName: text3("display_name").notNull(),
+        // Display name shown in UI (optional)
+        displayName: text3("display_name"),
         // First name (optional)
         firstName: text3("first_name"),
         // Last name (optional)
@@ -5297,6 +5299,27 @@ var init_user_permissions = __esm({
   }
 });
 
+// src/server/entities/auth-metadata.ts
+import { text as text10, timestamp } from "drizzle-orm/pg-core";
+var authMetadata;
+var init_auth_metadata = __esm({
+  "src/server/entities/auth-metadata.ts"() {
+    "use strict";
+    init_schema4();
+    authMetadata = authSchema.table(
+      "auth_metadata",
+      {
+        // Metadata key (primary key)
+        key: text10("key").primaryKey(),
+        // Metadata value
+        value: text10("value").notNull(),
+        // Last updated timestamp
+        updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+      }
+    );
+  }
+});
+
 // src/server/entities/index.ts
 var init_entities = __esm({
   "src/server/entities/index.ts"() {
@@ -5312,6 +5335,7 @@ var init_entities = __esm({
     init_permissions();
     init_role_permissions();
     init_user_permissions();
+    init_auth_metadata();
   }
 });
 
@@ -5349,6 +5373,22 @@ var init_users_repository = __esm({
         const result = await this.readDb.select().from(users).where(eq(users.phone, phone)).limit(1);
         return result[0] ?? null;
       }
+      /**
+       * 사용자명으로 사용자 조회
+       * Read replica 사용
+       */
+      async findByUsername(username) {
+        const result = await this.readDb.select().from(users).where(eq(users.username, username)).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * Public ID(UUID)로 사용자 조회
+       * Read replica 사용
+       */
+      async findByPublicId(publicId) {
+        const result = await this.readDb.select().from(users).where(eq(users.publicId, publicId)).limit(1);
+        return result[0] ?? null;
+      }
       /**
        * 이메일 또는 전화번호로 사용자 조회
        * Read replica 사용
@@ -5361,6 +5401,28 @@ var init_users_repository = __esm({
         }
         return null;
       }
+      /**
+       * ID로 사용자 + Role 조회 (leftJoin)
+       * Read replica 사용
+       *
+       * roleId가 null인 유저는 role: null 반환
+       */
+      async findByIdWithRole(id11) {
+        const result = await this.readDb.select({
+          user: users,
+          roleName: roles.name,
+          roleDisplayName: roles.displayName,
+          rolePriority: roles.priority
+        }).from(users).leftJoin(roles, eq(users.roleId, roles.id)).where(eq(users.id, id11)).limit(1);
+        const row = result[0];
+        if (!row) {
+          return null;
+        }
+        return {
+          user: row.user,
+          role: row.roleName ? { name: row.roleName, displayName: row.roleDisplayName, priority: row.rolePriority } : null
+        };
+      }
       /**
        * 사용자 생성
        * Write primary 사용
@@ -5467,18 +5529,24 @@ var init_users_repository = __esm({
       async fetchMinimalUserData(userId) {
         const user = await this.readDb.select({
           id: users.id,
+          publicId: users.publicId,
           email: users.email,
+          username: users.username,
           emailVerifiedAt: users.emailVerifiedAt,
-          phoneVerifiedAt: users.phoneVerifiedAt
+          phoneVerifiedAt: users.phoneVerifiedAt,
+          passwordHash: users.passwordHash
         }).from(users).where(eq(users.id, userId)).limit(1).then((rows) => rows[0] ?? null);
         if (!user) {
           throw new NotFoundError({ message: "[@spfn/auth] User not found" });
         }
         return {
           userId: user.id,
+          publicId: user.publicId,
           email: user.email,
+          username: user.username,
           isEmailVerified: !!user.emailVerifiedAt,
-          isPhoneVerified: !!user.phoneVerifiedAt
+          isPhoneVerified: !!user.phoneVerifiedAt,
+          hasPassword: !!user.passwordHash
         };
       }
       /**
@@ -5491,7 +5559,9 @@ var init_users_repository = __esm({
       async fetchFullUserData(userId) {
         const user = await this.readDb.select({
           id: users.id,
+          publicId: users.publicId,
           email: users.email,
+          username: users.username,
           emailVerifiedAt: users.emailVerifiedAt,
           phoneVerifiedAt: users.phoneVerifiedAt,
           lastLoginAt: users.lastLoginAt,
@@ -5503,7 +5573,9 @@ var init_users_repository = __esm({
         }
         return {
           userId: user.id,
+          publicId: user.publicId,
           email: user.email,
+          username: user.username,
           isEmailVerified: !!user.emailVerifiedAt,
           isPhoneVerified: !!user.phoneVerifiedAt,
           lastLoginAt: user.lastLoginAt,
@@ -6087,6 +6159,13 @@ var init_user_profiles_repository = __esm({
         const result = await this.readDb.select().from(userProfiles).where(eq8(userProfiles.id, id11)).limit(1);
         return result[0] ?? null;
       }
+      /**
+       * User ID로 locale만 조회 (경량)
+       */
+      async findLocaleByUserId(userId) {
+        const result = await this.readDb.select({ locale: userProfiles.locale }).from(userProfiles).where(eq8(userProfiles.userId, userId)).limit(1);
+        return result[0]?.locale || "en";
+      }
       /**
        * User ID로 프로필 조회
        */
@@ -6260,16 +6339,16 @@ var init_invitations_repository = __esm({
       /**
        * 초대 상태 업데이트
        */
-      async updateStatus(id11, status, timestamp) {
+      async updateStatus(id11, status, timestamp2) {
         const updates = {
           status,
           updatedAt: /* @__PURE__ */ new Date()
         };
-        if (timestamp) {
+        if (timestamp2) {
           if (status === "accepted") {
-            updates.acceptedAt = timestamp;
+            updates.acceptedAt = timestamp2;
           } else if (status === "cancelled") {
-            updates.cancelledAt = timestamp;
+            updates.cancelledAt = timestamp2;
           }
         }
         const result = await this.db.update(userInvitations).set(updates).where(eq9(userInvitations.id, id11)).returning();
@@ -6413,6 +6492,133 @@ var init_invitations_repository = __esm({
   }
 });
 
+// src/server/repositories/social-accounts.repository.ts
+import { eq as eq10, and as and7 } from "drizzle-orm";
+import { BaseRepository as BaseRepository10 } from "@spfn/core/db";
+var SocialAccountsRepository, socialAccountsRepository;
+var init_social_accounts_repository = __esm({
+  "src/server/repositories/social-accounts.repository.ts"() {
+    "use strict";
+    init_entities();
+    SocialAccountsRepository = class extends BaseRepository10 {
+      /**
+       * provider와 providerUserId로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByProviderAndProviderId(provider, providerUserId) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.provider, provider),
+            eq10(userSocialAccounts.providerUserId, providerUserId)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * userId로 모든 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserId(userId) {
+        return await this.readDb.select().from(userSocialAccounts).where(eq10(userSocialAccounts.userId, userId));
+      }
+      /**
+       * userId와 provider로 소셜 계정 조회
+       * Read replica 사용
+       */
+      async findByUserIdAndProvider(userId, provider) {
+        const result = await this.readDb.select().from(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).limit(1);
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 생성
+       * Write primary 사용
+       */
+      async create(data) {
+        return await this._create(userSocialAccounts, {
+          ...data,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        });
+      }
+      /**
+       * 토큰 정보 업데이트
+       * Write primary 사용
+       */
+      async updateTokens(id11, data) {
+        const result = await this.db.update(userSocialAccounts).set({
+          ...data,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteById(id11) {
+        const result = await this.db.delete(userSocialAccounts).where(eq10(userSocialAccounts.id, id11)).returning();
+        return result[0] ?? null;
+      }
+      /**
+       * userId와 provider로 소셜 계정 삭제
+       * Write primary 사용
+       */
+      async deleteByUserIdAndProvider(userId, provider) {
+        const result = await this.db.delete(userSocialAccounts).where(
+          and7(
+            eq10(userSocialAccounts.userId, userId),
+            eq10(userSocialAccounts.provider, provider)
+          )
+        ).returning();
+        return result[0] ?? null;
+      }
+    };
+    socialAccountsRepository = new SocialAccountsRepository();
+  }
+});
+
+// src/server/repositories/auth-metadata.repository.ts
+import { BaseRepository as BaseRepository11 } from "@spfn/core/db";
+import { eq as eq11 } from "drizzle-orm";
+var AuthMetadataRepository, authMetadataRepository;
+var init_auth_metadata_repository = __esm({
+  "src/server/repositories/auth-metadata.repository.ts"() {
+    "use strict";
+    init_auth_metadata();
+    AuthMetadataRepository = class extends BaseRepository11 {
+      /**
+       * 키로 값 조회
+       */
+      async get(key) {
+        const result = await this.readDb.select().from(authMetadata).where(eq11(authMetadata.key, key)).limit(1);
+        return result[0]?.value ?? null;
+      }
+      /**
+       * 키-값 저장 (upsert)
+       */
+      async set(key, value) {
+        await this.db.insert(authMetadata).values({
+          key,
+          value,
+          updatedAt: /* @__PURE__ */ new Date()
+        }).onConflictDoUpdate({
+          target: authMetadata.key,
+          set: {
+            value,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        });
+      }
+    };
+    authMetadataRepository = new AuthMetadataRepository();
+  }
+});
+
 // src/server/repositories/index.ts
 var init_repositories = __esm({
   "src/server/repositories/index.ts"() {
@@ -6426,6 +6632,8 @@ var init_repositories = __esm({
     init_user_permissions_repository();
     init_user_profiles_repository();
     init_invitations_repository();
+    init_social_accounts_repository();
+    init_auth_metadata_repository();
   }
 });
 
@@ -6552,7 +6760,7 @@ var init_role_service = __esm({
 import "@spfn/auth/config";
 
 // src/server/routes/index.ts
-import { defineRouter as defineRouter4 } from "@spfn/core/route";
+import { defineRouter as defineRouter5 } from "@spfn/core/route";
 
 // src/server/routes/auth/index.ts
 init_schema3();
@@ -6675,12 +6883,24 @@ function getAuth(c) {
   }
   return c.get("auth");
 }
+function getOptionalAuth(c) {
+  if ("raw" in c && c.raw) {
+    return c.raw.get("auth");
+  }
+  return c.get("auth");
+}
 function getUser(c) {
   return getAuth(c).user;
 }
 function getUserId(c) {
   return getAuth(c).userId;
 }
+function getRole(c) {
+  return getAuth(c).role;
+}
+function getLocale(c) {
+  return getAuth(c).locale;
+}
 function getKeyId(c) {
   return getAuth(c).keyId;
 }
@@ -6690,7 +6910,7 @@ init_types();
 
 // src/server/services/auth.service.ts
 init_repositories();
-import { ValidationError } from "@spfn/core/errors";
+import { ValidationError as ValidationError2 } from "@spfn/core/errors";
 import {
   InvalidCredentialsError,
   AccountDisabledError,
@@ -6701,9 +6921,10 @@ import {
 } from "@spfn/auth/errors";
 
 // src/server/services/verification.service.ts
-import { env as env5 } from "@spfn/auth/config";
+import { env as env3 } from "@spfn/auth/config";
 import { InvalidVerificationCodeError } from "@spfn/auth/errors";
 import jwt2 from "jsonwebtoken";
+import { sendEmail, sendSMS } from "@spfn/notification/server";
 
 // src/server/logger.ts
 import { logger as rootLogger } from "@spfn/core/logger";
@@ -6713,8 +6934,10 @@ var authLogger = {
   interceptor: {
     general: rootLogger.child("@spfn/auth:interceptor:general"),
     login: rootLogger.child("@spfn/auth:interceptor:login"),
-    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation")
+    keyRotation: rootLogger.child("@spfn/auth:interceptor:key-rotation"),
+    oauth: rootLogger.child("@spfn/auth:interceptor:oauth")
   },
+  session: rootLogger.child("@spfn/auth:session"),
   service: rootLogger.child("@spfn/auth:service"),
   setup: rootLogger.child("@spfn/auth:setup"),
   email: rootLogger.child("@spfn/auth:email"),
@@ -6723,410 +6946,6 @@ var authLogger = {
 
 // src/server/services/verification.service.ts
 init_repositories();
-
-// src/server/services/sms/provider.ts
-var currentProvider = null;
-var fallbackProvider = {
-  name: "fallback",
-  sendSMS: async (params) => {
-    authLogger.sms.debug("DEV MODE - SMS not actually sent", {
-      phone: params.phone,
-      message: params.message,
-      purpose: params.purpose || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-sms"
-    };
-  }
-};
-function registerSMSProvider(provider) {
-  currentProvider = provider;
-  authLogger.sms.info("Registered SMS provider", { name: provider.name });
-}
-function getSMSProvider() {
-  return currentProvider || fallbackProvider;
-}
-async function sendSMS(params) {
-  const provider = getSMSProvider();
-  return await provider.sendSMS(params);
-}
-
-// src/server/services/sms/aws-sns.provider.ts
-import { env as env3 } from "@spfn/auth/config";
-function isValidE164Phone(phone) {
-  const e164Regex = /^\+[1-9]\d{1,14}$/;
-  return e164Regex.test(phone);
-}
-function createAWSSNSProvider() {
-  try {
-    const { SNSClient, PublishCommand } = __require("@aws-sdk/client-sns");
-    return {
-      name: "aws-sns",
-      sendSMS: async (params) => {
-        const { phone, message, purpose } = params;
-        if (!isValidE164Phone(phone)) {
-          return {
-            success: false,
-            error: "Invalid phone number format. Must be E.164 format (e.g., +821012345678)"
-          };
-        }
-        if (!env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SNS credentials not configured. Set SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env3.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID && env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env3.SPFN_AUTH_AWS_SNS_ACCESS_KEY_ID,
-              secretAccessKey: env3.SPFN_AUTH_AWS_SNS_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SNSClient(config);
-          const command = new PublishCommand({
-            PhoneNumber: phone,
-            Message: message,
-            MessageAttributes: {
-              "AWS.SNS.SMS.SMSType": {
-                DataType: "String",
-                StringValue: "Transactional"
-                // For OTP codes
-              },
-              ...env3.SPFN_AUTH_AWS_SNS_SENDER_ID && {
-                "AWS.SNS.SMS.SenderID": {
-                  DataType: "String",
-                  StringValue: env3.SPFN_AUTH_AWS_SNS_SENDER_ID
-                }
-              }
-            }
-          });
-          const response = await client.send(command);
-          authLogger.sms.info("SMS sent via AWS SNS", {
-            phone,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.sms.error("Failed to send SMS via AWS SNS", {
-            phone,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send SMS via AWS SNS"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSNSProvider = createAWSSNSProvider();
-
-// src/server/services/sms/index.ts
-if (awsSNSProvider) {
-  registerSMSProvider(awsSNSProvider);
-}
-
-// src/server/services/email/provider.ts
-var currentProvider2 = null;
-var fallbackProvider2 = {
-  name: "fallback",
-  sendEmail: async (params) => {
-    authLogger.email.debug("DEV MODE - Email not actually sent", {
-      to: params.to,
-      subject: params.subject,
-      purpose: params.purpose || "N/A",
-      textPreview: params.text?.substring(0, 100) || "N/A"
-    });
-    return {
-      success: true,
-      messageId: "dev-mode-no-actual-email"
-    };
-  }
-};
-function registerEmailProvider(provider) {
-  currentProvider2 = provider;
-  authLogger.email.info("Registered email provider", { name: provider.name });
-}
-function getEmailProvider() {
-  return currentProvider2 || fallbackProvider2;
-}
-async function sendEmail(params) {
-  const provider = getEmailProvider();
-  return await provider.sendEmail(params);
-}
-
-// src/server/services/email/aws-ses.provider.ts
-import { env as env4 } from "@spfn/auth/config";
-function isValidEmail(email) {
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  return emailRegex.test(email);
-}
-function createAWSSESProvider() {
-  try {
-    const { SESClient, SendEmailCommand } = __require("@aws-sdk/client-ses");
-    return {
-      name: "aws-ses",
-      sendEmail: async (params) => {
-        const { to, subject, text: text10, html, purpose } = params;
-        if (!isValidEmail(to)) {
-          return {
-            success: false,
-            error: "Invalid email address format"
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID) {
-          return {
-            success: false,
-            error: "AWS SES credentials not configured. Set SPFN_AUTH_AWS_SES_ACCESS_KEY_ID environment variable."
-          };
-        }
-        if (!env4.SPFN_AUTH_AWS_SES_FROM_EMAIL) {
-          return {
-            success: false,
-            error: "AWS SES sender email not configured. Set SPFN_AUTH_AWS_SES_FROM_EMAIL environment variable."
-          };
-        }
-        try {
-          const config = {
-            region: env4.SPFN_AUTH_AWS_REGION || "ap-northeast-2"
-          };
-          if (env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID && env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY) {
-            config.credentials = {
-              accessKeyId: env4.SPFN_AUTH_AWS_SES_ACCESS_KEY_ID,
-              secretAccessKey: env4.SPFN_AUTH_AWS_SES_SECRET_ACCESS_KEY
-            };
-          }
-          const client = new SESClient(config);
-          const body = {};
-          if (text10) {
-            body.Text = {
-              Charset: "UTF-8",
-              Data: text10
-            };
-          }
-          if (html) {
-            body.Html = {
-              Charset: "UTF-8",
-              Data: html
-            };
-          }
-          const command = new SendEmailCommand({
-            Source: env4.SPFN_AUTH_AWS_SES_FROM_EMAIL,
-            Destination: {
-              ToAddresses: [to]
-            },
-            Message: {
-              Subject: {
-                Charset: "UTF-8",
-                Data: subject
-              },
-              Body: body
-            }
-          });
-          const response = await client.send(command);
-          authLogger.email.info("Email sent via AWS SES", {
-            to,
-            messageId: response.MessageId,
-            purpose: purpose || "N/A"
-          });
-          return {
-            success: true,
-            messageId: response.MessageId
-          };
-        } catch (error) {
-          const err = error;
-          authLogger.email.error("Failed to send email via AWS SES", {
-            to,
-            error: err.message
-          });
-          return {
-            success: false,
-            error: err.message || "Failed to send email via AWS SES"
-          };
-        }
-      }
-    };
-  } catch (error) {
-    return null;
-  }
-}
-var awsSESProvider = createAWSSESProvider();
-
-// src/server/services/email/index.ts
-if (awsSESProvider) {
-  registerEmailProvider(awsSESProvider);
-}
-
-// src/server/services/email/templates/verification-code.ts
-function getSubject(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "Verify your email address";
-    case "login":
-      return "Your login verification code";
-    case "password_reset":
-      return "Reset your password";
-    default:
-      return "Your verification code";
-  }
-}
-function getPurposeText(purpose) {
-  switch (purpose) {
-    case "registration":
-      return "complete your registration";
-    case "login":
-      return "verify your identity";
-    case "password_reset":
-      return "reset your password";
-    default:
-      return "verify your identity";
-  }
-}
-function generateText(params) {
-  const { code, expiresInMinutes = 5 } = params;
-  return `Your verification code is: ${code}
-
-This code will expire in ${expiresInMinutes} minutes.
-
-If you didn't request this code, please ignore this email.`;
-}
-function generateHTML(params) {
-  const { code, purpose, expiresInMinutes = 5, appName } = params;
-  const purposeText = getPurposeText(purpose);
-  return `<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Verification Code</title>
-</head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px; background-color: #f5f5f5;">
-    <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 30px; border-radius: 10px 10px 0 0; text-align: center;">
-        <h1 style="color: white; margin: 0; font-size: 24px;">${appName ? appName : "Verification Code"}</h1>
-    </div>
-    <div style="background: #ffffff; padding: 30px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 10px 10px;">
-        <p style="margin-bottom: 20px; font-size: 16px;">
-            Please use the following verification code to ${purposeText}:
-        </p>
-        <div style="background: #f8f9fa; padding: 25px; border-radius: 8px; text-align: center; margin: 25px 0; border: 2px dashed #dee2e6;">
-            <span style="font-size: 36px; font-weight: bold; letter-spacing: 10px; color: #333; font-family: 'Courier New', monospace;">${code}</span>
-        </div>
-        <p style="color: #666; font-size: 14px; margin-top: 20px; text-align: center;">
-            <strong>This code will expire in ${expiresInMinutes} minutes.</strong>
-        </p>
-        <hr style="border: none; border-top: 1px solid #eee; margin: 30px 0;">
-        <p style="color: #999; font-size: 12px; text-align: center; margin: 0;">
-            If you didn't request this code, please ignore this email.
-        </p>
-    </div>
-    <div style="text-align: center; padding: 20px; color: #999; font-size: 11px;">
-        <p style="margin: 0;">This is an automated message. Please do not reply.</p>
-    </div>
-</body>
-</html>`;
-}
-function verificationCodeTemplate(params) {
-  return {
-    subject: getSubject(params.purpose),
-    text: generateText(params),
-    html: generateHTML(params)
-  };
-}
-
-// src/server/services/email/templates/registry.ts
-var customTemplates = {};
-function registerEmailTemplates(templates) {
-  customTemplates = { ...customTemplates, ...templates };
-  authLogger.email.info("Registered custom email templates", {
-    templates: Object.keys(templates)
-  });
-}
-function getVerificationCodeTemplate(params) {
-  if (customTemplates.verificationCode) {
-    return customTemplates.verificationCode(params);
-  }
-  return verificationCodeTemplate(params);
-}
-function getWelcomeTemplate(params) {
-  if (customTemplates.welcome) {
-    return customTemplates.welcome(params);
-  }
-  return {
-    subject: params.appName ? `Welcome to ${params.appName}!` : "Welcome!",
-    text: `Welcome! Your account has been created successfully.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Welcome${params.appName ? ` to ${params.appName}` : ""}!</h1>
-    <p>Your account has been created successfully.</p>
-</body>
-</html>`
-  };
-}
-function getPasswordResetTemplate(params) {
-  if (customTemplates.passwordReset) {
-    return customTemplates.passwordReset(params);
-  }
-  const expires = params.expiresInMinutes || 30;
-  return {
-    subject: "Reset your password",
-    text: `Click this link to reset your password: ${params.resetLink}
-
-This link will expire in ${expires} minutes.`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>Reset Your Password</h1>
-    <p>Click the button below to reset your password:</p>
-    <a href="${params.resetLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Reset Password</a>
-    <p style="color: #666; margin-top: 20px;">This link will expire in ${expires} minutes.</p>
-</body>
-</html>`
-  };
-}
-function getInvitationTemplate(params) {
-  if (customTemplates.invitation) {
-    return customTemplates.invitation(params);
-  }
-  const appName = params.appName || "our platform";
-  const inviterText = params.inviterName ? `${params.inviterName} has invited you` : "You have been invited";
-  const roleText = params.roleName ? ` as ${params.roleName}` : "";
-  return {
-    subject: `You're invited to join ${appName}`,
-    text: `${inviterText} to join ${appName}${roleText}.
-
-Click here to accept: ${params.inviteLink}`,
-    html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"></head>
-<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; padding: 20px;">
-    <h1>You're Invited!</h1>
-    <p>${inviterText} to join <strong>${appName}</strong>${roleText}.</p>
-    <a href="${params.inviteLink}" style="display: inline-block; background: #667eea; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px;">Accept Invitation</a>
-</body>
-</html>`
-  };
-}
-
-// src/server/services/verification.service.ts
 var VERIFICATION_TOKEN_EXPIRY = "15m";
 var VERIFICATION_CODE_EXPIRY_MINUTES = 5;
 var MAX_VERIFICATION_ATTEMPTS = 5;
@@ -7170,7 +6989,7 @@ async function markCodeAsUsed(codeId) {
   await verificationCodesRepository.markAsUsed(codeId);
 }
 function createVerificationToken(payload) {
-  return jwt2.sign(payload, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+  return jwt2.sign(payload, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
     expiresIn: VERIFICATION_TOKEN_EXPIRY,
     issuer: "spfn-auth",
     audience: "spfn-client"
@@ -7178,7 +6997,7 @@ function createVerificationToken(payload) {
 }
 function validateVerificationToken(token) {
   try {
-    const decoded = jwt2.verify(token, env5.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
+    const decoded = jwt2.verify(token, env3.SPFN_AUTH_VERIFICATION_TOKEN_SECRET, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
@@ -7192,17 +7011,14 @@ function validateVerificationToken(token) {
   }
 }
 async function sendVerificationEmail(email, code, purpose) {
-  const { subject, text: text10, html } = getVerificationCodeTemplate({
-    code,
-    purpose,
-    expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
-  });
   const result = await sendEmail({
     to: email,
-    subject,
-    text: text10,
-    html,
-    purpose
+    template: "verification-code",
+    data: {
+      code,
+      purpose,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.email.error("Failed to send verification email", {
@@ -7213,11 +7029,13 @@ async function sendVerificationEmail(email, code, purpose) {
   }
 }
 async function sendVerificationSMS(phone, code, purpose) {
-  const message = `Your verification code is: ${code}`;
   const result = await sendSMS({
-    phone,
-    message,
-    purpose
+    to: phone,
+    template: "verification-code",
+    data: {
+      code,
+      expiresInMinutes: VERIFICATION_CODE_EXPIRY_MINUTES
+    }
   });
   if (!result.success) {
     authLogger.sms.error("Failed to send verification SMS", {
@@ -7270,6 +7088,10 @@ function getKeyExpiryDate() {
 }
 async function registerPublicKeyService(params) {
   const { userId, keyId, publicKey, fingerprint, algorithm = "ES256" } = params;
+  const existing = await keysRepository.findActiveByKeyId(keyId);
+  if (existing) {
+    return;
+  }
   const isValidFingerprint = verifyKeyFingerprint(publicKey, fingerprint);
   if (!isValidFingerprint) {
     throw new InvalidKeyFingerprintError();
@@ -7318,6 +7140,9 @@ async function revokeKeyService(params) {
 
 // src/server/services/user.service.ts
 init_repositories();
+import { ValidationError } from "@spfn/core/errors";
+import { ReservedUsernameError, UsernameAlreadyTakenError } from "@spfn/auth/errors";
+import { env as env4 } from "@spfn/auth/config";
 async function getUserByIdService(userId) {
   return await usersRepository.findById(userId);
 }
@@ -7333,6 +7158,108 @@ async function updateLastLoginService(userId) {
 async function updateUserService(userId, updates) {
   await usersRepository.updateById(userId, updates);
 }
+function getReservedUsernames() {
+  const raw = env4.SPFN_AUTH_RESERVED_USERNAMES ?? "";
+  if (!raw) {
+    return /* @__PURE__ */ new Set();
+  }
+  return new Set(
+    raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
+  );
+}
+function isReservedUsername(username) {
+  return getReservedUsernames().has(username.toLowerCase());
+}
+function validateUsernameLength(username) {
+  const min = env4.SPFN_AUTH_USERNAME_MIN_LENGTH ?? 3;
+  const max = env4.SPFN_AUTH_USERNAME_MAX_LENGTH ?? 30;
+  if (username.length < min) {
+    throw new ValidationError({
+      message: `Username must be at least ${min} characters`,
+      details: { minLength: min, actual: username.length }
+    });
+  }
+  if (username.length > max) {
+    throw new ValidationError({
+      message: `Username must be at most ${max} characters`,
+      details: { maxLength: max, actual: username.length }
+    });
+  }
+}
+async function checkUsernameAvailableService(username) {
+  validateUsernameLength(username);
+  if (isReservedUsername(username)) {
+    return false;
+  }
+  const existing = await usersRepository.findByUsername(username);
+  return !existing;
+}
+async function updateUsernameService(userId, username) {
+  const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
+  if (username !== null) {
+    validateUsernameLength(username);
+    if (isReservedUsername(username)) {
+      throw new ReservedUsernameError({ username });
+    }
+    const existing = await usersRepository.findByUsername(username);
+    if (existing && existing.id !== userIdNum) {
+      throw new UsernameAlreadyTakenError({ username });
+    }
+  }
+  return await usersRepository.updateById(userIdNum, { username });
+}
+
+// src/server/events/index.ts
+init_esm();
+import { defineEvent } from "@spfn/core/event";
+var AuthProviderSchema = Type.Union([
+  Type.Literal("email"),
+  Type.Literal("phone"),
+  Type.Literal("google")
+]);
+var authLoginEvent = defineEvent(
+  "auth.login",
+  Type.Object({
+    userId: Type.String(),
+    provider: AuthProviderSchema,
+    email: Type.Optional(Type.String()),
+    phone: Type.Optional(Type.String())
+  })
+);
+var authRegisterEvent = defineEvent(
+  "auth.register",
+  Type.Object({
+    userId: Type.String(),
+    provider: AuthProviderSchema,
+    email: Type.Optional(Type.String()),
+    phone: Type.Optional(Type.String()),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+  })
+);
+var invitationCreatedEvent = defineEvent(
+  "auth.invitation.created",
+  Type.Object({
+    invitationId: Type.String(),
+    email: Type.String(),
+    token: Type.String(),
+    roleId: Type.Number(),
+    invitedBy: Type.String(),
+    expiresAt: Type.String(),
+    isResend: Type.Boolean(),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+  })
+);
+var invitationAcceptedEvent = defineEvent(
+  "auth.invitation.accepted",
+  Type.Object({
+    invitationId: Type.String(),
+    email: Type.String(),
+    userId: Type.String(),
+    roleId: Type.Number(),
+    invitedBy: Type.String(),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+  })
+);
 
 // src/server/services/auth.service.ts
 async function checkAccountExistsService(params) {
@@ -7349,7 +7276,7 @@ async function checkAccountExistsService(params) {
     identifierType = "phone";
     user = await usersRepository.findByPhone(phone);
   } else {
-    throw new ValidationError({ message: "Either email or phone must be provided" });
+    throw new ValidationError2({ message: "Either email or phone must be provided" });
   }
   return {
     exists: !!user,
@@ -7358,7 +7285,7 @@ async function checkAccountExistsService(params) {
   };
 }
 async function registerService(params) {
-  const { email, phone, verificationToken, password, publicKey, keyId, fingerprint, algorithm } = params;
+  const { email, phone, verificationToken, password, publicKey, keyId, fingerprint, algorithm, metadata } = params;
   const tokenPayload = validateVerificationToken(verificationToken);
   if (!tokenPayload) {
     throw new InvalidVerificationTokenError();
@@ -7400,17 +7327,26 @@ async function registerService(params) {
     fingerprint,
     algorithm
   });
-  return {
+  const result = {
     userId: String(newUser.id),
+    publicId: newUser.publicId,
     email: newUser.email || void 0,
     phone: newUser.phone || void 0
   };
+  await authRegisterEvent.emit({
+    userId: result.userId,
+    provider: email ? "email" : "phone",
+    email: result.email,
+    phone: result.phone,
+    metadata
+  });
+  return result;
 }
 async function loginService(params) {
   const { email, phone, password, publicKey, keyId, fingerprint, oldKeyId, algorithm } = params;
   const user = await usersRepository.findByEmailOrPhone(email, phone);
   if (!email && !phone) {
-    throw new ValidationError({ message: "Either email or phone must be provided" });
+    throw new ValidationError2({ message: "Either email or phone must be provided" });
   }
   if (!user || !user.passwordHash) {
     throw new InvalidCredentialsError();
@@ -7437,12 +7373,20 @@ async function loginService(params) {
     algorithm
   });
   await updateLastLoginService(user.id);
-  return {
+  const result = {
     userId: String(user.id),
+    publicId: user.publicId,
     email: user.email || void 0,
     phone: user.phone || void 0,
     passwordChangeRequired: user.passwordChangeRequired
   };
+  await authLoginEvent.emit({
+    userId: result.userId,
+    provider: email ? "email" : "phone",
+    email: result.email,
+    phone: result.phone
+  });
+  return result;
 }
 async function logoutService(params) {
   const { userId, keyId } = params;
@@ -7460,16 +7404,18 @@ async function changePasswordService(params) {
   } else {
     const user = await usersRepository.findById(userId);
     if (!user) {
-      throw new ValidationError({ message: "User not found" });
+      throw new ValidationError2({ message: "User not found" });
     }
     passwordHash = user.passwordHash;
   }
-  if (!passwordHash) {
-    throw new ValidationError({ message: "No password set for this account" });
-  }
-  const isValid = await verifyPassword(currentPassword, passwordHash);
-  if (!isValid) {
-    throw new InvalidCredentialsError({ message: "Current password is incorrect" });
+  if (passwordHash) {
+    if (!currentPassword) {
+      throw new ValidationError2({ message: "Current password is required" });
+    }
+    const isValid = await verifyPassword(currentPassword, passwordHash);
+    if (!isValid) {
+      throw new InvalidCredentialsError({ message: "Current password is incorrect" });
+    }
   }
   const newPasswordHash = await hashPassword(newPassword);
   await usersRepository.updatePassword(userId, newPasswordHash, true);
@@ -7478,14 +7424,27 @@ async function changePasswordService(params) {
 // src/server/services/rbac.service.ts
 init_repositories();
 init_rbac();
+import { createHash } from "crypto";
 
 // src/server/lib/config.ts
-import { env as env6 } from "@spfn/auth/config";
+import { env as env5 } from "@spfn/auth/config";
+function getCookieSuffix() {
+  const port = process.env.PORT;
+  return port ? `_${port}` : "";
+}
 var COOKIE_NAMES = {
   /** Encrypted session data (userId, privateKey, keyId, algorithm) */
-  SESSION: "spfn_session",
+  get SESSION() {
+    return `spfn_session${getCookieSuffix()}`;
+  },
   /** Current key ID (for key rotation) */
-  SESSION_KEY_ID: "spfn_session_key_id"
+  get SESSION_KEY_ID() {
+    return `spfn_session_key_id${getCookieSuffix()}`;
+  },
+  /** Pending OAuth session (privateKey, keyId, algorithm) - temporary during OAuth flow */
+  get OAUTH_PENDING() {
+    return `spfn_oauth_pending${getCookieSuffix()}`;
+  }
 };
 function parseDuration(duration) {
   if (typeof duration === "number") {
@@ -7530,7 +7489,7 @@ function getSessionTtl(override) {
   if (globalConfig.sessionTtl !== void 0) {
     return parseDuration(globalConfig.sessionTtl);
   }
-  const envTtl = env6.SPFN_AUTH_SESSION_TTL;
+  const envTtl = env5.SPFN_AUTH_SESSION_TTL;
   if (envTtl) {
     return parseDuration(envTtl);
   }
@@ -7538,28 +7497,19 @@ function getSessionTtl(override) {
 }
 
 // src/server/services/rbac.service.ts
-async function initializeAuth(options = {}) {
-  authLogger.service.info("\u{1F510} Initializing RBAC system...");
-  if (options.sessionTtl !== void 0) {
-    configureAuth({
-      sessionTtl: options.sessionTtl
-    });
-    authLogger.service.info(`\u23F1\uFE0F  Session TTL: ${options.sessionTtl}`);
-  }
-  const allRoles = [
-    ...Object.values(BUILTIN_ROLES),
-    ...options.roles || []
-  ];
-  for (const roleConfig of allRoles) {
-    await upsertRole(roleConfig);
-  }
-  const allPermissions = [
-    ...Object.values(BUILTIN_PERMISSIONS),
-    ...options.permissions || []
-  ];
-  for (const permConfig of allPermissions) {
-    await upsertPermission(permConfig);
-  }
+var RBAC_HASH_KEY = "rbac_config_hash";
+function computeConfigHash(allRoles, allPermissions, allMappings) {
+  const payload = JSON.stringify({
+    roles: allRoles.map((r) => ({ name: r.name, displayName: r.displayName, description: r.description, priority: r.priority, isSystem: r.isSystem, isBuiltin: r.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    permissions: allPermissions.map((p) => ({ name: p.name, displayName: p.displayName, description: p.description, category: p.category, isSystem: p.isSystem, isBuiltin: p.isBuiltin })).sort((a, b) => a.name.localeCompare(b.name)),
+    mappings: Object.keys(allMappings).sort().reduce((acc, key) => {
+      acc[key] = [...allMappings[key]].sort();
+      return acc;
+    }, {})
+  });
+  return createHash("sha256").update(payload).digest("hex");
+}
+function collectMappings(options) {
   const allMappings = { ...BUILTIN_ROLE_PERMISSIONS };
   if (options.rolePermissions) {
     for (const [roleName, permNames] of Object.entries(options.rolePermissions)) {
@@ -7572,78 +7522,114 @@ async function initializeAuth(options = {}) {
       }
     }
   }
-  for (const [roleName, permNames] of Object.entries(allMappings)) {
-    await assignPermissionsToRole(roleName, permNames);
+  return allMappings;
+}
+async function initializeAuth(options = {}) {
+  authLogger.service.info("\u{1F510} Initializing RBAC system...");
+  if (options.sessionTtl !== void 0) {
+    configureAuth({
+      sessionTtl: options.sessionTtl
+    });
+    authLogger.service.info(`\u23F1\uFE0F  Session TTL: ${options.sessionTtl}`);
+  }
+  const allRoles = [
+    ...Object.values(BUILTIN_ROLES),
+    ...options.roles || []
+  ];
+  const allPermissions = [
+    ...Object.values(BUILTIN_PERMISSIONS),
+    ...options.permissions || []
+  ];
+  const allMappings = collectMappings(options);
+  const configHash = computeConfigHash(allRoles, allPermissions, allMappings);
+  const storedHash = await authMetadataRepository.get(RBAC_HASH_KEY);
+  if (storedHash === configHash) {
+    authLogger.service.info("\u2705 RBAC config unchanged, skipping initialization");
+    return;
   }
+  authLogger.service.info("\u{1F504} RBAC config changed, applying updates...");
+  const existingRoles = await rolesRepository.findAll();
+  const existingPermissions = await permissionsRepository.findAll();
+  const rolesByName = new Map(existingRoles.map((r) => [r.name, r]));
+  const permsByName = new Map(existingPermissions.map((p) => [p.name, p]));
+  await syncRoles(allRoles, rolesByName);
+  await syncPermissions(allPermissions, permsByName);
+  const updatedRoles = await rolesRepository.findAll();
+  const updatedPermissions = await permissionsRepository.findAll();
+  const updatedRolesByName = new Map(updatedRoles.map((r) => [r.name, r]));
+  const updatedPermsByName = new Map(updatedPermissions.map((p) => [p.name, p]));
+  await syncMappings(allMappings, updatedRolesByName, updatedPermsByName);
+  await authMetadataRepository.set(RBAC_HASH_KEY, configHash);
   authLogger.service.info("\u2705 RBAC initialization complete");
   authLogger.service.info(`\u{1F4CA} Roles: ${allRoles.length}, Permissions: ${allPermissions.length}`);
   authLogger.service.info("\u{1F512} Built-in roles: user, admin, superadmin");
 }
-async function upsertRole(config) {
-  const existing = await rolesRepository.findByName(config.name);
-  if (!existing) {
-    await rolesRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      priority: config.priority ?? 10,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true
-    });
-    authLogger.service.info(`  \u2705 Created role: ${config.name}`);
-  } else {
-    const updateData = {
-      displayName: config.displayName,
-      description: config.description || null
-    };
-    if (!existing.isBuiltin) {
-      updateData.priority = config.priority ?? existing.priority;
+async function syncRoles(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await rolesRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        priority: config.priority ?? 10,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true
+      });
+      authLogger.service.info(`  \u2705 Created role: ${config.name}`);
+    } else {
+      const updateData = {
+        displayName: config.displayName,
+        description: config.description || null
+      };
+      if (!existing.isBuiltin) {
+        updateData.priority = config.priority ?? existing.priority;
+      }
+      await rolesRepository.updateById(existing.id, updateData);
     }
-    await rolesRepository.updateById(existing.id, updateData);
-  }
-}
-async function upsertPermission(config) {
-  const existing = await permissionsRepository.findByName(config.name);
-  if (!existing) {
-    await permissionsRepository.create({
-      name: config.name,
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null,
-      isSystem: config.isSystem ?? false,
-      isBuiltin: config.isBuiltin ?? false,
-      isActive: true,
-      metadata: null
-    });
-    authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
-  } else {
-    await permissionsRepository.updateById(existing.id, {
-      displayName: config.displayName,
-      description: config.description || null,
-      category: config.category || null
-    });
   }
 }
-async function assignPermissionsToRole(roleName, permissionNames) {
-  const role = await rolesRepository.findByName(roleName);
-  if (!role) {
-    authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
-    return;
-  }
-  const perms = await permissionsRepository.findByNames(permissionNames);
-  if (perms.length === 0) {
-    authLogger.service.warn(`  \u26A0\uFE0F  No permissions found for role: ${roleName}`);
-    return;
+async function syncPermissions(configs, existingByName) {
+  for (const config of configs) {
+    const existing = existingByName.get(config.name);
+    if (!existing) {
+      await permissionsRepository.create({
+        name: config.name,
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null,
+        isSystem: config.isSystem ?? false,
+        isBuiltin: config.isBuiltin ?? false,
+        isActive: true,
+        metadata: null
+      });
+      authLogger.service.info(`  \u2705 Created permission: ${config.name}`);
+    } else {
+      await permissionsRepository.updateById(existing.id, {
+        displayName: config.displayName,
+        description: config.description || null,
+        category: config.category || null
+      });
+    }
   }
-  const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
-  const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
-  const newMappings = perms.filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
-    roleId: role.id,
-    permissionId: perm.id
-  }));
-  if (newMappings.length > 0) {
-    await rolePermissionsRepository.createMany(newMappings);
+}
+async function syncMappings(allMappings, rolesByName, permsByName) {
+  for (const [roleName, permNames] of Object.entries(allMappings)) {
+    const role = rolesByName.get(roleName);
+    if (!role) {
+      authLogger.service.warn(`  \u26A0\uFE0F  Role not found: ${roleName}, skipping permission assignment`);
+      continue;
+    }
+    const existingMappings = await rolePermissionsRepository.findByRoleId(role.id);
+    const existingPermIds = new Set(existingMappings.map((m) => m.permissionId));
+    const newMappings = permNames.map((name) => permsByName.get(name)).filter((perm) => perm != null).filter((perm) => !existingPermIds.has(perm.id)).map((perm) => ({
+      roleId: role.id,
+      permissionId: perm.id
+    }));
+    if (newMappings.length > 0) {
+      await rolePermissionsRepository.createMany(newMappings);
+    }
   }
 }
 
@@ -7729,7 +7715,7 @@ function calculateExpiresAt(days = 7) {
   return expiresAt;
 }
 async function createInvitation(params) {
-  const { email, roleId, invitedBy, expiresInDays = 7, metadata } = params;
+  const { email, roleId, invitedBy, expiresInDays = 7, expiresAt: expiresAtParam, metadata } = params;
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
   if (!emailRegex.test(email)) {
     throw new Error("Invalid email format");
@@ -7751,7 +7737,7 @@ async function createInvitation(params) {
     throw new Error(`User with id ${invitedBy} not found`);
   }
   const token = generateInvitationToken();
-  const expiresAt = calculateExpiresAt(expiresInDays);
+  const expiresAt = expiresAtParam ?? calculateExpiresAt(expiresInDays);
   const invitation = await invitationsRepository.create({
     email,
     token,
@@ -7761,7 +7747,16 @@ async function createInvitation(params) {
     expiresAt,
     metadata: metadata || null
   });
-  console.log(`[Auth] \u2705 Created invitation: ${email} as ${role.name} (expires: ${expiresAt.toISOString()})`);
+  await invitationCreatedEvent.emit({
+    invitationId: String(invitation.id),
+    email,
+    token,
+    roleId,
+    invitedBy: String(invitedBy),
+    expiresAt: expiresAt.toISOString(),
+    isResend: false,
+    metadata
+  });
   return invitation;
 }
 async function getInvitationByToken(token) {
@@ -7825,7 +7820,14 @@ async function acceptInvitation(params) {
     "accepted",
     /* @__PURE__ */ new Date()
   );
-  console.log(`[Auth] \u2705 Invitation accepted: ${invitation.email} as ${role.name}`);
+  await invitationAcceptedEvent.emit({
+    invitationId: String(invitation.id),
+    email: invitation.email,
+    userId: String(newUser.id),
+    roleId: Number(invitation.roleId),
+    invitedBy: String(invitation.invitedBy),
+    metadata: invitation.metadata
+  });
   return {
     userId: newUser.id,
     email: newUser.email,
@@ -7870,7 +7872,16 @@ async function resendInvitation(id11, expiresInDays = 7) {
   if (!updated) {
     throw new Error("Failed to update invitation");
   }
-  console.log(`[Auth] \u{1F4E7} Invitation resent: ${invitation.email} (new expiry: ${newExpiresAt.toISOString()})`);
+  await invitationCreatedEvent.emit({
+    invitationId: String(invitation.id),
+    email: invitation.email,
+    token: invitation.token,
+    roleId: Number(invitation.roleId),
+    invitedBy: String(invitation.invitedBy),
+    expiresAt: newExpiresAt.toISOString(),
+    isResend: true,
+    metadata: invitation.metadata
+  });
   return updated;
 }
 
@@ -7884,13 +7895,48 @@ async function getAuthSessionService(userId) {
   ]);
   return {
     userId: user.userId,
+    publicId: user.publicId,
     email: user.email,
     emailVerified: user.isEmailVerified,
     phoneVerified: user.isPhoneVerified,
+    hasPassword: user.hasPassword,
     ...roleAndPerms
   };
 }
 
+// src/server/lib/one-time-token.ts
+import { SSETokenManager } from "@spfn/core/event/sse";
+var manager = null;
+function initOneTimeTokenManager(config) {
+  if (manager) {
+    manager.destroy();
+  }
+  manager = new SSETokenManager({
+    ttl: config?.ttl,
+    store: config?.store
+  });
+}
+function getOneTimeTokenManager() {
+  if (!manager) {
+    throw new Error(
+      "OneTimeTokenManager not initialized. Ensure createAuthLifecycle() is configured in your server config."
+    );
+  }
+  return manager;
+}
+
+// src/server/services/one-time-token.service.ts
+async function issueOneTimeTokenService(userId) {
+  const manager2 = getOneTimeTokenManager();
+  const token = await manager2.issue(userId);
+  const expiresAt = new Date(Date.now() + 3e4).toISOString();
+  return { token, expiresAt };
+}
+async function verifyOneTimeTokenService(token) {
+  const manager2 = getOneTimeTokenManager();
+  return await manager2.verify(token);
+}
+
 // src/server/services/user-profile.service.ts
 init_repositories();
 async function getUserProfileService(userId) {
@@ -7901,7 +7947,9 @@ async function getUserProfileService(userId) {
   ]);
   return {
     userId: user.userId,
+    publicId: user.publicId,
     email: user.email,
+    username: user.username,
     emailVerified: user.isEmailVerified,
     phoneVerified: user.isPhoneVerified,
     lastLoginAt: user.lastLoginAt,
@@ -7910,6 +7958,12 @@ async function getUserProfileService(userId) {
     profile
   };
 }
+async function updateLocaleService(userId, locale) {
+  const userIdNum = Number(userId);
+  const normalized = locale.trim() || "en";
+  await userProfilesRepository.upsertByUserId(userIdNum, { locale: normalized });
+  return { locale: normalized };
+}
 function emptyToNull(value) {
   if (value === "") {
     return null;
@@ -7920,7 +7974,7 @@ async function updateUserProfileService(userId, params) {
   const userIdNum = typeof userId === "string" ? Number(userId) : Number(userId);
   const updateData = {};
   if (params.displayName !== void 0) {
-    updateData.displayName = emptyToNull(params.displayName) || "User";
+    updateData.displayName = emptyToNull(params.displayName);
   }
   if (params.firstName !== void 0) {
     updateData.firstName = emptyToNull(params.firstName);
@@ -7961,15 +8015,355 @@ async function updateUserProfileService(userId, params) {
   if (params.metadata !== void 0) {
     updateData.metadata = params.metadata;
   }
-  const existing = await userProfilesRepository.findByUserId(userIdNum);
-  if (!existing && !updateData.displayName) {
-    updateData.displayName = "User";
-  }
   await userProfilesRepository.upsertByUserId(userIdNum, updateData);
   const profile = await userProfilesRepository.fetchProfileData(userIdNum);
   return profile;
 }
 
+// src/server/services/oauth.service.ts
+init_repositories();
+import { env as env8 } from "@spfn/auth/config";
+import { ValidationError as ValidationError3 } from "@spfn/core/errors";
+
+// src/server/lib/oauth/google.ts
+import { env as env6 } from "@spfn/auth/config";
+var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
+function isGoogleOAuthEnabled() {
+  return !!(env6.SPFN_AUTH_GOOGLE_CLIENT_ID && env6.SPFN_AUTH_GOOGLE_CLIENT_SECRET);
+}
+function getGoogleOAuthConfig() {
+  const clientId = env6.SPFN_AUTH_GOOGLE_CLIENT_ID;
+  const clientSecret = env6.SPFN_AUTH_GOOGLE_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error("Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET.");
+  }
+  const baseUrl = env6.NEXT_PUBLIC_SPFN_API_URL || env6.SPFN_API_URL;
+  const redirectUri = env6.SPFN_AUTH_GOOGLE_REDIRECT_URI || `${baseUrl}/_auth/oauth/google/callback`;
+  return {
+    clientId,
+    clientSecret,
+    redirectUri
+  };
+}
+function getDefaultScopes() {
+  const envScopes = env6.SPFN_AUTH_GOOGLE_SCOPES;
+  if (envScopes) {
+    return envScopes.split(",").map((s) => s.trim()).filter(Boolean);
+  }
+  return ["email", "profile"];
+}
+function getGoogleAuthUrl(state, scopes) {
+  const resolvedScopes = scopes ?? getDefaultScopes();
+  const config = getGoogleOAuthConfig();
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: config.redirectUri,
+    response_type: "code",
+    scope: resolvedScopes.join(" "),
+    state,
+    access_type: "offline",
+    // refresh_token 받기 위해
+    prompt: "consent"
+    // 매번 동의 화면 표시 (refresh_token 보장)
+  });
+  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
+}
+async function exchangeCodeForTokens(code) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      redirect_uri: config.redirectUri,
+      grant_type: "authorization_code",
+      code
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to exchange code for tokens: ${error}`);
+  }
+  return response.json();
+}
+async function getGoogleUserInfo(accessToken) {
+  const response = await fetch(GOOGLE_USERINFO_URL, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to get user info: ${error}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(refreshToken) {
+  const config = getGoogleOAuthConfig();
+  const response = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: new URLSearchParams({
+      client_id: config.clientId,
+      client_secret: config.clientSecret,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Failed to refresh access token: ${error}`);
+  }
+  return response.json();
+}
+
+// src/server/lib/oauth/state.ts
+import * as jose from "jose";
+import { env as env7 } from "@spfn/auth/config";
+async function getStateKey() {
+  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-state:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+function generateNonce() {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createOAuthState(params) {
+  const key = await getStateKey();
+  const state = {
+    returnUrl: params.returnUrl,
+    nonce: generateNonce(),
+    provider: params.provider,
+    publicKey: params.publicKey,
+    keyId: params.keyId,
+    fingerprint: params.fingerprint,
+    algorithm: params.algorithm,
+    metadata: params.metadata
+  };
+  const jwe = await new jose.EncryptJWT({ state }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime("10m").encrypt(key);
+  return encodeURIComponent(jwe);
+}
+async function verifyOAuthState(encryptedState) {
+  const key = await getStateKey();
+  const jwe = decodeURIComponent(encryptedState);
+  const { payload } = await jose.jwtDecrypt(jwe, key);
+  return payload.state;
+}
+
+// src/server/services/oauth.service.ts
+async function oauthStartService(params) {
+  const { provider, returnUrl, publicKey, keyId, fingerprint, algorithm, metadata } = params;
+  if (provider === "google") {
+    if (!isGoogleOAuthEnabled()) {
+      throw new ValidationError3({
+        message: "Google OAuth is not configured. Set SPFN_AUTH_GOOGLE_CLIENT_ID and SPFN_AUTH_GOOGLE_CLIENT_SECRET."
+      });
+    }
+    const state = await createOAuthState({
+      provider: "google",
+      returnUrl,
+      publicKey,
+      keyId,
+      fingerprint,
+      algorithm,
+      metadata
+    });
+    const authUrl = getGoogleAuthUrl(state);
+    return { authUrl };
+  }
+  throw new ValidationError3({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function oauthCallbackService(params) {
+  const { provider, code, state } = params;
+  const stateData = await verifyOAuthState(state);
+  if (stateData.provider !== provider) {
+    throw new ValidationError3({
+      message: "OAuth state provider mismatch"
+    });
+  }
+  if (provider === "google") {
+    return handleGoogleCallback(code, stateData);
+  }
+  throw new ValidationError3({
+    message: `Unsupported OAuth provider: ${provider}`
+  });
+}
+async function handleGoogleCallback(code, stateData) {
+  const tokens = await exchangeCodeForTokens(code);
+  const googleUser = await getGoogleUserInfo(tokens.access_token);
+  const existingSocialAccount = await socialAccountsRepository.findByProviderAndProviderId(
+    "google",
+    googleUser.id
+  );
+  let userId;
+  let isNewUser = false;
+  if (existingSocialAccount) {
+    userId = existingSocialAccount.userId;
+    await socialAccountsRepository.updateTokens(existingSocialAccount.id, {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token ?? existingSocialAccount.refreshToken,
+      tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+    });
+  } else {
+    const result = await createOrLinkUser(googleUser, tokens);
+    userId = result.userId;
+    isNewUser = result.isNewUser;
+  }
+  await registerPublicKeyService({
+    userId,
+    keyId: stateData.keyId,
+    publicKey: stateData.publicKey,
+    fingerprint: stateData.fingerprint,
+    algorithm: stateData.algorithm
+  });
+  await updateLastLoginService(userId);
+  const appUrl = env8.NEXT_PUBLIC_SPFN_APP_URL || env8.SPFN_APP_URL;
+  const callbackPath = env8.SPFN_AUTH_OAUTH_SUCCESS_URL || "/auth/callback";
+  const callbackUrl = callbackPath.startsWith("http") ? callbackPath : `${appUrl}${callbackPath}`;
+  const redirectUrl = buildRedirectUrl(callbackUrl, {
+    userId: String(userId),
+    keyId: stateData.keyId,
+    returnUrl: stateData.returnUrl,
+    isNewUser: String(isNewUser)
+  });
+  const user = await usersRepository.findById(userId);
+  const eventPayload = {
+    userId: String(userId),
+    provider: "google",
+    email: user?.email || void 0,
+    phone: user?.phone || void 0,
+    metadata: stateData.metadata
+  };
+  if (isNewUser) {
+    await authRegisterEvent.emit(eventPayload);
+  } else {
+    await authLoginEvent.emit(eventPayload);
+  }
+  return {
+    redirectUrl,
+    userId: String(userId),
+    keyId: stateData.keyId,
+    isNewUser
+  };
+}
+async function createOrLinkUser(googleUser, tokens) {
+  const existingUser = googleUser.email ? await usersRepository.findByEmail(googleUser.email) : null;
+  let userId;
+  let isNewUser = false;
+  if (existingUser) {
+    if (!googleUser.verified_email) {
+      throw new ValidationError3({
+        message: "Cannot link to existing account with unverified email. Please verify your email with Google first."
+      });
+    }
+    userId = existingUser.id;
+    if (!existingUser.emailVerifiedAt) {
+      await usersRepository.updateById(existingUser.id, {
+        emailVerifiedAt: /* @__PURE__ */ new Date()
+      });
+    }
+  } else {
+    const { getRoleByName: getRoleByName3 } = await Promise.resolve().then(() => (init_role_service(), role_service_exports));
+    const userRole = await getRoleByName3("user");
+    if (!userRole) {
+      throw new Error("Default user role not found. Run initializeAuth() first.");
+    }
+    const newUser = await usersRepository.create({
+      email: googleUser.verified_email ? googleUser.email : null,
+      phone: null,
+      passwordHash: null,
+      // OAuth 사용자는 비밀번호 없음
+      passwordChangeRequired: false,
+      roleId: userRole.id,
+      status: "active",
+      emailVerifiedAt: googleUser.verified_email ? /* @__PURE__ */ new Date() : null
+    });
+    userId = newUser.id;
+    isNewUser = true;
+  }
+  await socialAccountsRepository.create({
+    userId,
+    provider: "google",
+    providerUserId: googleUser.id,
+    providerEmail: googleUser.email,
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? null,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return { userId, isNewUser };
+}
+function buildRedirectUrl(baseUrl, params) {
+  const url = new URL(baseUrl, "http://placeholder");
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  if (baseUrl.startsWith("http")) {
+    return url.toString();
+  }
+  return `${url.pathname}${url.search}`;
+}
+function buildOAuthErrorUrl(error) {
+  const errorUrl = env8.SPFN_AUTH_OAUTH_ERROR_URL || "/auth/error?error={error}";
+  return errorUrl.replace("{error}", encodeURIComponent(error));
+}
+function isOAuthProviderEnabled(provider) {
+  switch (provider) {
+    case "google":
+      return isGoogleOAuthEnabled();
+    case "github":
+    case "kakao":
+    case "naver":
+      return false;
+    default:
+      return false;
+  }
+}
+function getEnabledOAuthProviders() {
+  const providers = [];
+  if (isGoogleOAuthEnabled()) {
+    providers.push("google");
+  }
+  return providers;
+}
+var TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1e3;
+async function getGoogleAccessToken(userId) {
+  const account = await socialAccountsRepository.findByUserIdAndProvider(userId, "google");
+  if (!account) {
+    throw new ValidationError3({
+      message: "No Google account linked. User must sign in with Google first."
+    });
+  }
+  const isExpired = !account.tokenExpiresAt || account.tokenExpiresAt.getTime() < Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+  if (!isExpired && account.accessToken) {
+    return account.accessToken;
+  }
+  if (!account.refreshToken) {
+    throw new ValidationError3({
+      message: "Google refresh token not available. User must re-authenticate with Google."
+    });
+  }
+  const tokens = await refreshAccessToken(account.refreshToken);
+  await socialAccountsRepository.updateTokens(account.id, {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token ?? account.refreshToken,
+    tokenExpiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+  });
+  return tokens.access_token;
+}
+
 // src/server/routes/auth/index.ts
 init_esm();
 import { Transactional } from "@spfn/core/db";
@@ -8020,7 +8414,10 @@ var register = route.post("/_auth/register").input({
     verificationToken: Type.String({
       description: "Verification token obtained from /verify-code endpoint"
     }),
-    password: PasswordSchema
+    password: PasswordSchema,
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown(), {
+      description: "Custom metadata passed to authRegisterEvent (e.g. referral code, UTM params)"
+    }))
   }, {
     minProperties: 3,
     // email/phone + verificationToken + password
@@ -8062,9 +8459,7 @@ var login = route.post("/_auth/login").input({
   const { body } = await c.data();
   return await loginService(body);
 });
-var logout = route.post("/_auth/logout").input({
-  body: Type.Object({})
-}).handler(async (c) => {
+var logout = route.post("/_auth/logout").handler(async (c) => {
   const auth = getAuth(c);
   if (!auth) {
     return c.noContent();
@@ -8073,9 +8468,7 @@ var logout = route.post("/_auth/logout").input({
   await logoutService({ userId: Number(userId), keyId });
   return c.noContent();
 });
-var rotateKey = route.post("/_auth/keys/rotate").input({
-  body: Type.Object({})
-}).interceptor({
+var rotateKey = route.post("/_auth/keys/rotate").interceptor({
   body: Type.Object({
     publicKey: Type.String({ description: "New public key" }),
     keyId: Type.String({ description: "New key identifier" }),
@@ -8096,10 +8489,10 @@ var rotateKey = route.post("/_auth/keys/rotate").input({
 });
 var changePassword = route.put("/_auth/password").input({
   body: Type.Object({
-    currentPassword: Type.String({
+    currentPassword: Type.Optional(Type.String({
       minLength: 1,
-      description: "Current password for verification"
-    }),
+      description: "Current password for verification (required when changing existing password)"
+    })),
     newPassword: PasswordSchema
   })
 }).handler(async (c) => {
@@ -8117,6 +8510,10 @@ var getAuthSession = route.get("/_auth/session").handler(async (c) => {
   const { userId } = getAuth(c);
   return await getAuthSessionService(userId);
 });
+var issueOneTimeToken = route.post("/_auth/tokens").handler(async (c) => {
+  const { userId } = getAuth(c);
+  return await issueOneTimeTokenService(userId);
+});
 var authRouter = defineRouter({
   checkAccountExists,
   sendVerificationCode,
@@ -8126,7 +8523,8 @@ var authRouter = defineRouter({
   logout,
   rotateKey,
   changePassword,
-  getAuthSession
+  getAuthSession,
+  issueOneTimeToken
 });
 
 // src/server/routes/invitations/index.ts
@@ -8135,7 +8533,7 @@ import { EMAIL_PATTERN as EMAIL_PATTERN2, UUID_PATTERN } from "@spfn/auth";
 // src/server/middleware/authenticate.ts
 import { defineMiddleware } from "@spfn/core/route";
 import { UnauthorizedError } from "@spfn/core/errors";
-import { verifyClientToken as verifyClientToken2, decodeToken as decodeToken2, authLogger as authLogger2, keysRepository as keysRepository2, usersRepository as usersRepository2 } from "@spfn/auth/server";
+import { verifyClientToken as verifyClientToken2, decodeToken as decodeToken2, authLogger as authLogger2, keysRepository as keysRepository2, usersRepository as usersRepository2, userProfilesRepository as userProfilesRepository2 } from "@spfn/auth/server";
 import {
   InvalidTokenError,
   TokenExpiredError,
@@ -8182,10 +8580,14 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
     }
     throw new UnauthorizedError({ message: "Authentication failed" });
   }
-  const user = await usersRepository2.findById(keyRecord.userId);
-  if (!user) {
+  const [result, locale] = await Promise.all([
+    usersRepository2.findByIdWithRole(keyRecord.userId),
+    userProfilesRepository2.findLocaleByUserId(keyRecord.userId)
+  ]);
+  if (!result) {
     throw new UnauthorizedError({ message: "User not found" });
   }
+  const { user, role } = result;
   if (user.status !== "active") {
     throw new AccountDisabledError2({ status: user.status });
   }
@@ -8193,7 +8595,9 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   c.set("auth", {
     user,
     userId: String(user.id),
-    keyId
+    keyId,
+    role: role?.name ?? null,
+    locale
   });
   const method = c.req.method;
   const path = c.req.path;
@@ -8208,6 +8612,55 @@ var authenticate = defineMiddleware("auth", async (c, next) => {
   });
   await next();
 });
+var optionalAuth = defineMiddleware("optionalAuth", async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    await next();
+    return;
+  }
+  const token = authHeader.substring(7);
+  try {
+    const decoded = decodeToken2(token);
+    if (!decoded || !decoded.keyId) {
+      await next();
+      return;
+    }
+    const keyId = decoded.keyId;
+    const keyRecord = await keysRepository2.findActiveByKeyId(keyId);
+    if (!keyRecord) {
+      await next();
+      return;
+    }
+    if (keyRecord.expiresAt && /* @__PURE__ */ new Date() > keyRecord.expiresAt) {
+      await next();
+      return;
+    }
+    verifyClientToken2(
+      token,
+      keyRecord.publicKey,
+      keyRecord.algorithm
+    );
+    const [result, locale] = await Promise.all([
+      usersRepository2.findByIdWithRole(keyRecord.userId),
+      userProfilesRepository2.findLocaleByUserId(keyRecord.userId)
+    ]);
+    if (!result || result.user.status !== "active") {
+      await next();
+      return;
+    }
+    const { user, role } = result;
+    keysRepository2.updateLastUsedById(keyRecord.id).catch((err) => authLogger2.middleware.error("Failed to update lastUsedAt", err));
+    c.set("auth", {
+      user,
+      userId: String(user.id),
+      keyId,
+      role: role?.name ?? null,
+      locale
+    });
+  } catch {
+  }
+  await next();
+}, { skips: ["auth"] });
 
 // src/server/middleware/require-permission.ts
 import { defineMiddleware as defineMiddleware2 } from "@spfn/core/route";
@@ -8273,7 +8726,7 @@ var requireAnyPermission = defineMiddleware2(
 
 // src/server/middleware/require-role.ts
 import { defineMiddleware as defineMiddleware3 } from "@spfn/core/route";
-import { getAuth as getAuth3, hasAnyRole as hasAnyRole2, authLogger as authLogger4 } from "@spfn/auth/server";
+import { getAuth as getAuth3, authLogger as authLogger4 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError2 } from "@spfn/core/errors";
 import { InsufficientRoleError } from "@spfn/auth/errors";
 var requireRole = defineMiddleware3(
@@ -8287,11 +8740,11 @@ var requireRole = defineMiddleware3(
       });
       throw new ForbiddenError2({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const allowed = await hasAnyRole2(userId, roleNames);
-    if (!allowed) {
+    const { userId, role: userRole } = auth;
+    if (!userRole || !roleNames.includes(userRole)) {
       authLogger4.middleware.warn("Role check failed", {
         userId,
+        userRole,
         requiredRoles: roleNames,
         path: c.req.path
       });
@@ -8299,6 +8752,7 @@ var requireRole = defineMiddleware3(
     }
     authLogger4.middleware.debug("Role check passed", {
       userId,
+      userRole,
       roles: roleNames
     });
     await next();
@@ -8307,7 +8761,7 @@ var requireRole = defineMiddleware3(
 
 // src/server/middleware/role-guard.ts
 import { defineMiddleware as defineMiddleware4 } from "@spfn/core/route";
-import { getAuth as getAuth4, getUserRole as getUserRole2, authLogger as authLogger5 } from "@spfn/auth/server";
+import { getAuth as getAuth4, authLogger as authLogger5 } from "@spfn/auth/server";
 import { ForbiddenError as ForbiddenError3 } from "@spfn/core/errors";
 import { InsufficientRoleError as InsufficientRoleError2 } from "@spfn/auth/errors";
 var roleGuard = defineMiddleware4(
@@ -8324,8 +8778,7 @@ var roleGuard = defineMiddleware4(
       });
       throw new ForbiddenError3({ message: "Authentication required" });
     }
-    const { userId } = auth;
-    const userRole = await getUserRole2(userId);
+    const { userId, role: userRole } = auth;
     if (deny && deny.length > 0) {
       if (userRole && deny.includes(userRole)) {
         authLogger5.middleware.warn("Role guard denied", {
@@ -8358,6 +8811,47 @@ var roleGuard = defineMiddleware4(
   }
 );
 
+// src/server/middleware/one-time-token-auth.ts
+import { defineMiddleware as defineMiddleware5 } from "@spfn/core/route";
+import { UnauthorizedError as UnauthorizedError2 } from "@spfn/core/errors";
+import { usersRepository as usersRepository3, userProfilesRepository as userProfilesRepository3 } from "@spfn/auth/server";
+var oneTimeTokenAuth = defineMiddleware5("oneTimeTokenAuth", async (c, next) => {
+  const token = c.req.query("token") ?? extractOTTHeader(c.req.header("Authorization"));
+  if (!token) {
+    throw new UnauthorizedError2({ message: "One-time token required: ?token=xxx or Authorization: OTT xxx" });
+  }
+  const userId = await verifyOneTimeTokenService(token);
+  if (!userId) {
+    throw new UnauthorizedError2({ message: "Invalid or expired one-time token" });
+  }
+  const [result, locale] = await Promise.all([
+    usersRepository3.findByIdWithRole(Number(userId)),
+    userProfilesRepository3.findLocaleByUserId(Number(userId))
+  ]);
+  if (!result) {
+    throw new UnauthorizedError2({ message: "User not found" });
+  }
+  const { user, role } = result;
+  if (user.status !== "active") {
+    throw new UnauthorizedError2({ message: "Account is not active" });
+  }
+  c.set("auth", {
+    user,
+    userId: String(user.id),
+    keyId: "",
+    // No key involved in OTT auth
+    role: role?.name ?? null,
+    locale
+  });
+  await next();
+}, { skips: ["auth"] });
+function extractOTTHeader(header) {
+  if (!header || !header.startsWith("OTT ")) {
+    return null;
+  }
+  return header.substring(4);
+}
+
 // src/server/routes/invitations/index.ts
 init_types();
 init_esm();
@@ -8433,6 +8927,10 @@ var createInvitation2 = route2.post("/_auth/invitations").input({
       maximum: 30,
       description: "Days until invitation expires (default: 7)"
     })),
+    expiresAt: Type.Optional(Type.String({
+      format: "date-time",
+      description: "Exact expiration timestamp (ISO 8601). Takes precedence over expiresInDays."
+    })),
     metadata: Type.Optional(Type.Any({
       description: "Custom metadata (welcome message, department, etc.)"
     }))
@@ -8445,6 +8943,7 @@ var createInvitation2 = route2.post("/_auth/invitations").input({
     roleId: body.roleId,
     invitedBy: Number(userId),
     expiresInDays: body.expiresInDays,
+    expiresAt: body.expiresAt ? new Date(body.expiresAt) : void 0,
     metadata: body.metadata
   });
   const baseUrl = process.env.SPFN_API_URL || "http://localhost:8790";
@@ -8579,17 +9078,312 @@ var updateUserProfile = route3.patch("/_auth/users/profile").input({
   const { body } = await c.data();
   return await updateUserProfileService(userId, body);
 });
+var checkUsername = route3.get("/_auth/users/username/check").input({
+  query: Type.Object({
+    username: Type.String({ minLength: 1 })
+  })
+}).handler(async (c) => {
+  const { query } = await c.data();
+  return { available: await checkUsernameAvailableService(query.username) };
+});
+var updateUsername = route3.patch("/_auth/users/username").input({
+  body: Type.Object({
+    username: Type.Union([
+      Type.String({ minLength: 1 }),
+      Type.Null()
+    ], { description: "New username or null to clear" })
+  })
+}).handler(async (c) => {
+  const { userId } = getAuth(c);
+  const { body } = await c.data();
+  return await updateUsernameService(userId, body.username);
+});
+var updateLocale = route3.patch("/_auth/users/locale").input({
+  body: Type.Object({
+    locale: Type.String({ minLength: 1, description: "Locale code (e.g., en, ko, ja)" })
+  })
+}).handler(async (c) => {
+  const { userId } = getAuth(c);
+  const { body } = await c.data();
+  return await updateLocaleService(userId, body.locale);
+});
 var userRouter = defineRouter3({
   getUserProfile,
-  updateUserProfile
+  updateUserProfile,
+  checkUsername,
+  updateUsername,
+  updateLocale
+});
+
+// src/server/routes/oauth/index.ts
+init_esm();
+init_types();
+import { Transactional as Transactional2 } from "@spfn/core/db";
+import { defineRouter as defineRouter4, route as route4 } from "@spfn/core/route";
+var oauthGoogleStart = route4.get("/_auth/oauth/google").input({
+  query: Type.Object({
+    state: Type.String({
+      description: "Encrypted OAuth state (returnUrl, publicKey, keyId, fingerprint, algorithm)"
+    })
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    return c.redirect(buildOAuthErrorUrl("Google OAuth is not configured"));
+  }
+  const authUrl = getGoogleAuthUrl(query.state);
+  return c.redirect(authUrl);
+});
+var oauthGoogleCallback = route4.get("/_auth/oauth/google/callback").input({
+  query: Type.Object({
+    code: Type.Optional(Type.String({
+      description: "Authorization code from Google"
+    })),
+    state: Type.Optional(Type.String({
+      description: "OAuth state parameter"
+    })),
+    error: Type.Optional(Type.String({
+      description: "Error code from Google"
+    })),
+    error_description: Type.Optional(Type.String({
+      description: "Error description from Google"
+    }))
+  })
+}).use([Transactional2()]).skip(["auth"]).handler(async (c) => {
+  const { query } = await c.data();
+  if (query.error) {
+    const errorMessage = query.error_description || query.error;
+    return c.redirect(buildOAuthErrorUrl(errorMessage));
+  }
+  if (!query.code || !query.state) {
+    return c.redirect(buildOAuthErrorUrl("Missing authorization code or state"));
+  }
+  try {
+    const result = await oauthCallbackService({
+      provider: "google",
+      code: query.code,
+      state: query.state
+    });
+    return c.redirect(result.redirectUrl);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OAuth callback failed";
+    return c.redirect(buildOAuthErrorUrl(message));
+  }
+});
+var oauthStart = route4.post("/_auth/oauth/start").input({
+  body: Type.Object({
+    provider: Type.Union(SOCIAL_PROVIDERS.map((p) => Type.Literal(p)), {
+      description: "OAuth provider (google, github, kakao, naver)"
+    }),
+    returnUrl: Type.String({
+      description: "URL to redirect after OAuth success"
+    }),
+    publicKey: Type.String({
+      description: "Client public key (Base64 DER)"
+    }),
+    keyId: Type.String({
+      description: "Key identifier (UUID)"
+    }),
+    fingerprint: Type.String({
+      description: "Key fingerprint (SHA-256 hex)"
+    }),
+    algorithm: Type.Union(KEY_ALGORITHM.map((a) => Type.Literal(a)), {
+      description: "Key algorithm (ES256 or RS256)"
+    }),
+    metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown(), {
+      description: "Custom metadata passed to authRegisterEvent (e.g. referral code, UTM params)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  const result = await oauthStartService(body);
+  return result;
+});
+var oauthProviders = route4.get("/_auth/oauth/providers").skip(["auth"]).handler(async () => {
+  return {
+    providers: getEnabledOAuthProviders()
+  };
+});
+var getGoogleOAuthUrl = route4.post("/_auth/oauth/google/url").input({
+  body: Type.Object({
+    returnUrl: Type.Optional(Type.String({
+      description: "URL to redirect after OAuth success"
+    })),
+    state: Type.Optional(Type.String({
+      description: "Encrypted OAuth state (injected by interceptor)"
+    }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  if (!isGoogleOAuthEnabled()) {
+    throw new Error("Google OAuth is not configured");
+  }
+  if (!body.state) {
+    throw new Error("OAuth state is required. Ensure the OAuth interceptor is configured.");
+  }
+  return { authUrl: getGoogleAuthUrl(body.state) };
+});
+var oauthFinalize = route4.post("/_auth/oauth/finalize").input({
+  body: Type.Object({
+    userId: Type.String({ description: "User ID from OAuth callback" }),
+    keyId: Type.String({ description: "Key ID from OAuth state" }),
+    returnUrl: Type.Optional(Type.String({ description: "URL to redirect after login" }))
+  })
+}).skip(["auth"]).handler(async (c) => {
+  const { body } = await c.data();
+  return {
+    success: true,
+    userId: body.userId,
+    keyId: body.keyId,
+    returnUrl: body.returnUrl || "/"
+  };
+});
+var oauthRouter = defineRouter4({
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize
+});
+
+// src/server/routes/admin/index.ts
+init_repositories();
+init_esm();
+import { ForbiddenError as ForbiddenError4 } from "@spfn/core/errors";
+import { route as route5 } from "@spfn/core/route";
+var listRoles = route5.get("/_auth/admin/roles").input({
+  query: Type.Object({
+    includeInactive: Type.Optional(Type.Boolean({
+      description: "Include inactive roles (default: false)"
+    }))
+  })
+}).use([authenticate, requireRole("admin", "superadmin")]).handler(async (c) => {
+  const { query } = await c.data();
+  const roles2 = await getAllRoles(query.includeInactive ?? false);
+  return { roles: roles2 };
+});
+var createAdminRole = route5.post("/_auth/admin/roles").input({
+  body: Type.Object({
+    name: Type.String({ description: "Unique role name (slug)" }),
+    displayName: Type.String({ description: "Human-readable role name" }),
+    description: Type.Optional(Type.String({ description: "Role description" })),
+    priority: Type.Optional(Type.Number({ description: "Role priority (default: 10)" })),
+    permissionIds: Type.Optional(Type.Array(
+      Type.Number({ description: "Permission ID" }),
+      { description: "Permission IDs to assign" }
+    ))
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { body } = await c.data();
+  const role = await createRole({
+    name: body.name,
+    displayName: body.displayName,
+    description: body.description,
+    priority: body.priority,
+    permissionIds: body.permissionIds
+  });
+  return { role };
+});
+var updateAdminRole = route5.patch("/_auth/admin/roles/:id").input({
+  params: Type.Object({
+    id: Type.Number({ description: "Role ID" })
+  }),
+  body: Type.Object({
+    displayName: Type.Optional(Type.String({ description: "Human-readable role name" })),
+    description: Type.Optional(Type.String({ description: "Role description" })),
+    priority: Type.Optional(Type.Number({ description: "Role priority" })),
+    isActive: Type.Optional(Type.Boolean({ description: "Active status" }))
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { params, body } = await c.data();
+  const role = await updateRole(params.id, body);
+  return { role };
+});
+var deleteAdminRole = route5.delete("/_auth/admin/roles/:id").input({
+  params: Type.Object({
+    id: Type.Number({ description: "Role ID" })
+  })
+}).use([authenticate, requireRole("superadmin")]).handler(async (c) => {
+  const { params } = await c.data();
+  await deleteRole(params.id);
+  return c.noContent();
+});
+var updateUserRole = route5.patch("/_auth/admin/users/:userId/role").input({
+  params: Type.Object({
+    userId: Type.Number({ description: "User ID" })
+  }),
+  body: Type.Object({
+    roleId: Type.Number({ description: "New role ID to assign" })
+  })
+}).use([authenticate, requireRole("admin", "superadmin")]).handler(async (c) => {
+  const { params, body } = await c.data();
+  const auth = getAuth(c);
+  const callerRole = await getUserRole(auth.userId);
+  if (params.userId === Number(auth.userId)) {
+    throw new ForbiddenError4({ message: "Cannot change your own role" });
+  }
+  const targetRole = await getUserRole(params.userId);
+  if (targetRole === "superadmin") {
+    throw new ForbiddenError4({ message: "Cannot modify superadmin role" });
+  }
+  if (callerRole !== "superadmin") {
+    const newRole = await rolesRepository.findById(body.roleId);
+    if (newRole?.name === "superadmin") {
+      throw new ForbiddenError4({ message: "Only superadmin can assign superadmin role" });
+    }
+    if (newRole?.name === "admin") {
+      const canPromote = await hasPermission(auth.userId, "admin:promote");
+      if (!canPromote) {
+        throw new ForbiddenError4({ message: "admin:promote permission required to assign admin role" });
+      }
+    }
+  }
+  await updateUserService(params.userId, { roleId: body.roleId });
+  return { userId: params.userId, roleId: body.roleId };
 });
 
 // src/server/routes/index.ts
-var mainAuthRouter = defineRouter4({
-  // Flatten all routes at root level
-  ...authRouter.routes,
-  ...invitationRouter.routes,
-  ...userRouter.routes
+var mainAuthRouter = defineRouter5({
+  // Auth routes
+  checkAccountExists,
+  sendVerificationCode,
+  verifyCode,
+  register,
+  login,
+  logout,
+  rotateKey,
+  changePassword,
+  getAuthSession,
+  // One-Time Token routes
+  issueOneTimeToken,
+  // OAuth routes
+  oauthGoogleStart,
+  oauthGoogleCallback,
+  oauthStart,
+  oauthProviders,
+  getGoogleOAuthUrl,
+  oauthFinalize,
+  // Invitation routes
+  getInvitation,
+  acceptInvitation: acceptInvitation2,
+  createInvitation: createInvitation2,
+  listInvitations: listInvitations2,
+  cancelInvitation: cancelInvitation2,
+  resendInvitation: resendInvitation2,
+  deleteInvitation: deleteInvitation2,
+  // User routes
+  getUserProfile,
+  updateUserProfile,
+  checkUsername,
+  updateUsername,
+  updateLocale,
+  // Admin routes (superadmin only)
+  listRoles,
+  createAdminRole,
+  updateAdminRole,
+  deleteAdminRole,
+  updateUserRole
 });
 
 // src/server.ts
@@ -8699,36 +9493,60 @@ function shouldRotateKey(createdAt, rotationDays = 90) {
 }
 
 // src/server/lib/session.ts
-import * as jose from "jose";
-import { env as env7 } from "@spfn/auth/config";
+import * as jose2 from "jose";
+import { env as env9 } from "@spfn/auth/config";
 import { env as coreEnv } from "@spfn/core/config";
 async function getSessionSecretKey() {
-  const secret = env7.SPFN_AUTH_SESSION_SECRET;
+  const secret = env9.SPFN_AUTH_SESSION_SECRET;
   const encoder = new TextEncoder();
   const data = encoder.encode(secret);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
   return new Uint8Array(hashBuffer);
 }
+async function getSecretFingerprint() {
+  const key = await getSessionSecretKey();
+  const hash = await crypto.subtle.digest("SHA-256", key.buffer);
+  const hex = Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return hex.slice(0, 8);
+}
 async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
   const secret = await getSessionSecretKey();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  const result = await new jose2.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
+  if (coreEnv.NODE_ENV !== "production") {
+    const fingerprint = await getSecretFingerprint();
+    authLogger.session.debug(`Sealed session`, {
+      secretFingerprint: fingerprint,
+      resultLength: result.length,
+      resultPrefix: result.slice(0, 20)
+    });
+  }
+  return result;
 }
 async function unsealSession(jwt4) {
   try {
     const secret = await getSessionSecretKey();
-    const { payload } = await jose.jwtDecrypt(jwt4, secret, {
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret, {
       issuer: "spfn-auth",
       audience: "spfn-client"
     });
     return payload.data;
   } catch (err) {
-    if (err instanceof jose.errors.JWTExpired) {
+    if (err instanceof jose2.errors.JWTExpired) {
       throw new Error("Session expired");
     }
-    if (err instanceof jose.errors.JWEDecryptionFailed) {
+    if (err instanceof jose2.errors.JWEDecryptionFailed) {
+      if (coreEnv.NODE_ENV !== "production") {
+        const fingerprint = await getSecretFingerprint();
+        authLogger.session.warn(`JWE decryption failed`, {
+          secretFingerprint: fingerprint,
+          jwtLength: jwt4.length,
+          jwtPrefix: jwt4.slice(0, 20),
+          jwtSuffix: jwt4.slice(-10)
+        });
+      }
       throw new Error("Invalid session");
     }
-    if (err instanceof jose.errors.JWTClaimValidationFailed) {
+    if (err instanceof jose2.errors.JWTClaimValidationFailed) {
       throw new Error("Session validation failed");
     }
     throw new Error("Failed to unseal session");
@@ -8737,7 +9555,7 @@ async function unsealSession(jwt4) {
 async function getSessionInfo(jwt4) {
   const secret = await getSessionSecretKey();
   try {
-    const { payload } = await jose.jwtDecrypt(jwt4, secret);
+    const { payload } = await jose2.jwtDecrypt(jwt4, secret);
     return {
       issuedAt: new Date(payload.iat * 1e3),
       expiresAt: new Date(payload.exp * 1e3),
@@ -8746,7 +9564,7 @@ async function getSessionInfo(jwt4) {
     };
   } catch (err) {
     if (coreEnv.NODE_ENV !== "production") {
-      console.warn("[Session] Failed to get session info:", err instanceof Error ? err.message : "Unknown error");
+      authLogger.session.warn("Failed to get session info:", err instanceof Error ? err.message : "Unknown error");
     }
     return null;
   }
@@ -8761,14 +9579,14 @@ async function shouldRefreshSession(jwt4, thresholdHours = 24) {
 }
 
 // src/server/setup.ts
-import { env as env8 } from "@spfn/auth/config";
+import { env as env10 } from "@spfn/auth/config";
 import { getRoleByName as getRoleByName2 } from "@spfn/auth/server";
 init_repositories();
 function parseAdminAccounts() {
   const accounts = [];
-  if (env8.SPFN_AUTH_ADMIN_ACCOUNTS) {
+  if (env10.SPFN_AUTH_ADMIN_ACCOUNTS) {
     try {
-      const accountsJson = env8.SPFN_AUTH_ADMIN_ACCOUNTS;
+      const accountsJson = env10.SPFN_AUTH_ADMIN_ACCOUNTS;
       const parsed = JSON.parse(accountsJson);
       if (!Array.isArray(parsed)) {
         authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_ACCOUNTS must be an array");
@@ -8795,11 +9613,11 @@ function parseAdminAccounts() {
       return accounts;
     }
   }
-  const adminEmails = env8.SPFN_AUTH_ADMIN_EMAILS;
+  const adminEmails = env10.SPFN_AUTH_ADMIN_EMAILS;
   if (adminEmails) {
     const emails = adminEmails.split(",").map((s) => s.trim());
-    const passwords = (env8.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
-    const roles2 = (env8.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
+    const passwords = (env10.SPFN_AUTH_ADMIN_PASSWORDS || "").split(",").map((s) => s.trim());
+    const roles2 = (env10.SPFN_AUTH_ADMIN_ROLES || "").split(",").map((s) => s.trim());
     if (passwords.length !== emails.length) {
       authLogger.setup.error("\u274C SPFN_AUTH_ADMIN_EMAILS and SPFN_AUTH_ADMIN_PASSWORDS length mismatch");
       return accounts;
@@ -8821,8 +9639,8 @@ function parseAdminAccounts() {
     }
     return accounts;
   }
-  const adminEmail = env8.SPFN_AUTH_ADMIN_EMAIL;
-  const adminPassword = env8.SPFN_AUTH_ADMIN_PASSWORD;
+  const adminEmail = env10.SPFN_AUTH_ADMIN_EMAIL;
+  const adminPassword = env10.SPFN_AUTH_ADMIN_PASSWORD;
   if (adminEmail && adminPassword) {
     accounts.push({
       email: adminEmail,
@@ -8892,14 +9710,18 @@ function createAuthLifecycle(options = {}) {
      * Performs:
      * 1. Ensures admin account exists (creates if missing)
      * 2. Initializes RBAC system with built-in + custom roles/permissions
+     * 3. Initializes one-time token manager
      */
     afterInfrastructure: async () => {
       await initializeAuth(options);
       await ensureAdminExists();
+      initOneTimeTokenManager(options.oneTimeToken);
     }
   };
 }
 export {
+  AuthMetadataRepository,
+  AuthProviderSchema,
   COOKIE_NAMES,
   EmailSchema,
   INVITATION_STATUSES,
@@ -8912,6 +9734,7 @@ export {
   RolePermissionsRepository,
   RolesRepository,
   SOCIAL_PROVIDERS,
+  SocialAccountsRepository,
   TargetTypeSchema,
   USER_STATUSES,
   UserPermissionsRepository,
@@ -8924,19 +9747,27 @@ export {
   acceptInvitation,
   addPermissionToRole,
   authLogger,
+  authLoginEvent,
+  authMetadata,
+  authMetadataRepository,
+  authRegisterEvent,
   mainAuthRouter as authRouter,
   authSchema,
   authenticate,
+  buildOAuthErrorUrl,
   cancelInvitation,
   changePasswordService,
   checkAccountExistsService,
+  checkUsernameAvailableService,
   configureAuth,
   createAuthLifecycle,
   createInvitation,
+  createOAuthState,
   createRole,
   decodeToken,
   deleteInvitation,
   deleteRole,
+  exchangeCodeForTokens,
   expireOldInvitations,
   generateClientToken,
   generateKeyPair,
@@ -8947,12 +9778,19 @@ export {
   getAuth,
   getAuthConfig,
   getAuthSessionService,
+  getEnabledOAuthProviders,
+  getGoogleAccessToken,
+  getGoogleAuthUrl,
+  getGoogleOAuthConfig,
+  getGoogleUserInfo,
   getInvitationByToken,
-  getInvitationTemplate,
   getInvitationWithDetails,
   getKeyId,
   getKeySize,
-  getPasswordResetTemplate,
+  getLocale,
+  getOneTimeTokenManager,
+  getOptionalAuth,
+  getRole,
   getRoleByName,
   getRolePermissions,
   getSessionInfo,
@@ -8965,27 +9803,33 @@ export {
   getUserPermissions,
   getUserProfileService,
   getUserRole,
-  getVerificationCodeTemplate,
-  getWelcomeTemplate,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyRole,
   hasPermission,
   hasRole,
   hashPassword,
+  initOneTimeTokenManager,
   initializeAuth,
+  invitationAcceptedEvent,
+  invitationCreatedEvent,
   invitationsRepository,
+  isGoogleOAuthEnabled,
+  isOAuthProviderEnabled,
+  issueOneTimeTokenService,
   keysRepository,
   listInvitations,
   loginService,
   logoutService,
+  oauthCallbackService,
+  oauthStartService,
+  oneTimeTokenAuth,
+  optionalAuth,
   parseDuration,
   permissions,
   permissionsRepository,
-  registerEmailProvider,
-  registerEmailTemplates,
+  refreshAccessToken,
   registerPublicKeyService,
-  registerSMSProvider,
   registerService,
   removePermissionFromRole,
   requireAnyPermission,
@@ -9000,17 +9844,18 @@ export {
   rolesRepository,
   rotateKeyService,
   sealSession,
-  sendEmail,
-  sendSMS,
   sendVerificationCodeService,
   setRolePermissions,
   shouldRefreshSession,
   shouldRotateKey,
+  socialAccountsRepository,
   unsealSession,
   updateLastLoginService,
+  updateLocaleService,
   updateRole,
   updateUserProfileService,
   updateUserService,
+  updateUsernameService,
   userInvitations,
   userPermissions,
   userPermissionsRepository,
@@ -9027,6 +9872,8 @@ export {
   verifyClientToken,
   verifyCodeService,
   verifyKeyFingerprint,
+  verifyOAuthState,
+  verifyOneTimeTokenService,
   verifyPassword,
   verifyToken
 };