@vertz/server 0.2.0 → 0.2.1

package/dist/index.js

@@ -7,46 +7,49 @@ import {
   createMiddleware,
   createModule,
   createModuleDef,
-  createServer,
-  deepFreeze,
+  deepFreeze as deepFreeze3,
   ForbiddenException,
   InternalServerErrorException,
   makeImmutable,
   NotFoundException,
   ServiceUnavailableException,
   UnauthorizedException,
-  ValidationException,
-  VertzException,
+  ValidationException as ValidationException2,
+  VertzException as VertzException2,
   vertz
 } from "@vertz/core";
 
-// src/domain/domain.ts
-function domain(name, options) {
-  if (!name || !options) {
-    return Object.freeze({
-      name: name || "",
-      type: "persisted",
-      table: null,
-      exposedRelations: {},
-      access: {},
-      handlers: {},
-      actions: {}
-    });
+// src/action/action.ts
+import { deepFreeze } from "@vertz/core";
+var ACTION_NAME_PATTERN = /^[a-z][a-z0-9-]*$/;
+function action(name, config) {
+  if (!name || !ACTION_NAME_PATTERN.test(name)) {
+    throw new Error(`action() name must be a non-empty lowercase string matching /^[a-z][a-z0-9-]*$/. Got: "${name}"`);
+  }
+  if (!config.actions || Object.keys(config.actions).length === 0) {
+    throw new Error("action() requires at least one action in the actions config.");
   }
   const def = {
+    kind: "action",
     name,
-    type: options.type,
-    table: options.table,
-    exposedRelations: options.expose || {},
-    access: options.access || {},
-    handlers: options.handlers || {},
-    actions: options.actions || {}
+    inject: config.inject ?? {},
+    access: config.access ?? {},
+    actions: config.actions
   };
-  return Object.freeze(def);
+  return deepFreeze(def);
 }
 // src/auth/index.ts
-import * as jose from "jose";
+import {
+  createAuthRateLimitedError,
+  createAuthValidationError,
+  createInvalidCredentialsError,
+  createSessionExpiredError,
+  createUserExistsError,
+  err,
+  ok
+} from "@vertz/errors";
 import bcrypt from "bcryptjs";
+import * as jose from "jose";
 
 // src/auth/access.ts
 class AuthorizationError extends Error {
@@ -75,8 +78,8 @@ function createAccess(config) {
       return false;
     if (roleEnts.has(entitlement))
       return true;
-    const [resource, action] = entitlement.split(":");
-    if (action && resource !== "*") {
+    const [resource, action2] = entitlement.split(":");
+    if (action2 && resource !== "*") {
       const wildcard = `${resource}:*`;
       if (roleEnts.has(wildcard))
         return true;
@@ -226,32 +229,16 @@ async function verifyPassword(password, hash) {
 function validatePassword(password, requirements) {
   const req = { ...DEFAULT_PASSWORD_REQUIREMENTS, ...requirements };
   if (password.length < (req.minLength ?? 8)) {
-    return {
-      code: "PASSWORD_TOO_SHORT",
-      message: `Password must be at least ${req.minLength} characters`,
-      status: 400
-    };
+    return createAuthValidationError(`Password must be at least ${req.minLength} characters`, "password", "TOO_SHORT");
   }
   if (req.requireUppercase && !/[A-Z]/.test(password)) {
-    return {
-      code: "PASSWORD_NO_UPPERCASE",
-      message: "Password must contain at least one uppercase letter",
-      status: 400
-    };
+    return createAuthValidationError("Password must contain at least one uppercase letter", "password", "NO_UPPERCASE");
   }
   if (req.requireNumbers && !/\d/.test(password)) {
-    return {
-      code: "PASSWORD_NO_NUMBER",
-      message: "Password must contain at least one number",
-      status: 400
-    };
+    return createAuthValidationError("Password must contain at least one number", "password", "NO_NUMBER");
   }
   if (req.requireSymbols && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
-    return {
-      code: "PASSWORD_NO_SYMBOL",
-      message: "Password must contain at least one symbol",
-      status: 400
-    };
+    return createAuthValidationError("Password must contain at least one symbol", "password", "NO_SYMBOL");
   }
   return null;
 }
@@ -286,7 +273,9 @@ async function createJWT(user, secret, ttl, algorithm, customClaims) {
 }
 async function verifyJWT(token, secret, algorithm) {
   try {
-    const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret), { algorithms: [algorithm] });
+    const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret), {
+      algorithms: [algorithm]
+    });
     return payload;
   } catch {
     return null;
@@ -302,17 +291,15 @@ function createAuth(config) {
     jwtAlgorithm = "HS256",
     claims
   } = config;
-  const envJwtSecret = process.env.AUTH_JWT_SECRET;
+  const isProduction = config.isProduction ?? (typeof process === "undefined" || false);
   let jwtSecret;
   if (configJwtSecret) {
     jwtSecret = configJwtSecret;
-  } else if (envJwtSecret) {
-    jwtSecret = envJwtSecret;
+  } else if (isProduction) {
+    throw new Error('jwtSecret is required in production. Provide it via createAuth({ jwtSecret: "..." }).');
   } else {
-    if (false) {} else {
-      console.warn("⚠️ Using insecure default JWT secret. Set AUTH_JWT_SECRET for production.");
-      jwtSecret = "dev-secret-change-in-production";
-    }
+    console.warn("Using insecure default JWT secret. Provide jwtSecret in createAuth() config for production.");
+    jwtSecret = "dev-secret-change-in-production";
   }
   const cookieConfig = { ...DEFAULT_COOKIE_CONFIG, ...session.cookie };
   const ttlMs = parseDuration(session.ttl);
@@ -330,18 +317,18 @@ function createAuth(config) {
   async function signUp(data) {
     const { email, password, role = "user", ...additionalFields } = data;
     if (!email || !email.includes("@")) {
-      return { ok: false, error: { code: "INVALID_EMAIL", message: "Invalid email format", status: 400 } };
+      return err(createAuthValidationError("Invalid email format", "email", "INVALID_FORMAT"));
     }
     const passwordError = validatePassword(password, emailPassword?.password);
     if (passwordError) {
-      return { ok: false, error: passwordError };
+      return err(passwordError);
     }
     if (users.has(email.toLowerCase())) {
-      return { ok: false, error: { code: "USER_EXISTS", message: "User already exists", status: 409 } };
+      return err(createUserExistsError("User already exists", email.toLowerCase()));
     }
     const signUpRateLimit = signUpLimiter.check(`signup:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 3);
     if (!signUpRateLimit.allowed) {
-      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many sign up attempts", status: 429 } };
+      return err(createAuthRateLimitedError("Too many sign up attempts"));
     }
     const passwordHash = await hashPassword(password);
     const now = new Date;
@@ -365,24 +352,21 @@ function createAuth(config) {
       claims: claims ? claims(user) : undefined
     };
     sessions.set(token, { userId: user.id, expiresAt });
-    return {
-      ok: true,
-      data: { user, expiresAt, payload }
-    };
+    return ok({ user, expiresAt, payload });
   }
   async function signIn(data) {
     const { email, password } = data;
     const stored = users.get(email.toLowerCase());
     if (!stored) {
-      return { ok: false, error: { code: "INVALID_CREDENTIALS", message: "Invalid email or password", status: 401 } };
+      return err(createInvalidCredentialsError());
     }
     const signInRateLimit = signInLimiter.check(`signin:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 5);
     if (!signInRateLimit.allowed) {
-      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many sign in attempts", status: 429 } };
+      return err(createAuthRateLimitedError("Too many sign in attempts"));
     }
     const valid = await verifyPassword(password, stored.passwordHash);
     if (!valid) {
-      return { ok: false, error: { code: "INVALID_CREDENTIALS", message: "Invalid email or password", status: 401 } };
+      return err(createInvalidCredentialsError());
     }
     const user = buildAuthUser(stored);
     const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
@@ -396,10 +380,7 @@ function createAuth(config) {
       claims: claims ? claims(user) : undefined
     };
     sessions.set(token, { userId: user.id, expiresAt });
-    return {
-      ok: true,
-      data: { user, expiresAt, payload }
-    };
+    return ok({ user, expiresAt, payload });
   }
   async function signOut(ctx) {
     const cookieName = cookieConfig.name || "vertz.sid";
@@ -407,49 +388,46 @@ function createAuth(config) {
     if (token) {
       sessions.delete(token);
     }
-    return { ok: true, data: undefined };
+    return ok(undefined);
   }
   async function getSession(headers) {
     const cookieName = cookieConfig.name || "vertz.sid";
     const token = headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`))?.split("=")[1];
     if (!token) {
-      return { ok: true, data: null };
+      return ok(null);
     }
     const session2 = sessions.get(token);
     if (!session2) {
-      return { ok: true, data: null };
+      return ok(null);
     }
     if (session2.expiresAt < new Date) {
       sessions.delete(token);
-      return { ok: true, data: null };
+      return ok(null);
     }
     const payload = await verifyJWT(token, jwtSecret, jwtAlgorithm);
     if (!payload) {
       sessions.delete(token);
-      return { ok: true, data: null };
+      return ok(null);
     }
     const stored = users.get(payload.email);
     if (!stored) {
-      return { ok: true, data: null };
+      return ok(null);
     }
     const user = buildAuthUser(stored);
     const expiresAt = new Date(payload.exp * 1000);
-    return {
-      ok: true,
-      data: { user, expiresAt, payload }
-    };
+    return ok({ user, expiresAt, payload });
   }
   async function refreshSession(ctx) {
     const refreshRateLimit = refreshLimiter.check(`refresh:${ctx.headers.get("x-forwarded-ip") || "default"}`, 10);
     if (!refreshRateLimit.allowed) {
-      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many refresh attempts", status: 429 } };
+      return err(createAuthRateLimitedError("Too many refresh attempts"));
     }
     const sessionResult = await getSession(ctx.headers);
     if (!sessionResult.ok) {
       return sessionResult;
     }
     if (!sessionResult.data) {
-      return { ok: false, error: { code: "NO_SESSION", message: "No active session", status: 401 } };
+      return err(createSessionExpiredError("No active session"));
     }
     const user = sessionResult.data.user;
     const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
@@ -463,10 +441,25 @@ function createAuth(config) {
       claims: claims ? claims(user) : undefined
     };
     sessions.set(token, { userId: user.id, expiresAt });
-    return {
-      ok: true,
-      data: { user, expiresAt, payload }
-    };
+    return ok({ user, expiresAt, payload });
+  }
+  function authErrorToStatus(error) {
+    switch (error.code) {
+      case "AUTH_VALIDATION_ERROR":
+        return 400;
+      case "INVALID_CREDENTIALS":
+        return 401;
+      case "SESSION_EXPIRED":
+        return 401;
+      case "USER_EXISTS":
+        return 409;
+      case "RATE_LIMITED":
+        return 429;
+      case "PERMISSION_DENIED":
+        return 403;
+      default:
+        return 500;
+    }
   }
   async function handleAuthRequest(request) {
     const url = new URL(request.url);
@@ -476,7 +469,12 @@ function createAuth(config) {
       const origin = request.headers.get("origin");
       const referer = request.headers.get("referer");
       if (!origin && !referer) {
-        if (false) {}
+        if (isProduction) {
+          return new Response(JSON.stringify({ error: "CSRF validation failed" }), {
+            status: 403,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
       }
     }
     try {
@@ -485,7 +483,7 @@ function createAuth(config) {
         const result = await signUp(body);
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
-            status: result.error.status,
+            status: authErrorToStatus(result.error),
             headers: { "Content-Type": "application/json" }
           });
         }
@@ -503,7 +501,7 @@ function createAuth(config) {
         const result = await signIn(body);
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
-            status: result.error.status,
+            status: authErrorToStatus(result.error),
             headers: { "Content-Type": "application/json" }
           });
         }
@@ -543,7 +541,7 @@ function createAuth(config) {
         const result = await refreshSession({ headers: request.headers });
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
-            status: result.error.status,
+            status: authErrorToStatus(result.error),
             headers: { "Content-Type": "application/json" }
           });
         }
@@ -560,7 +558,7 @@ function createAuth(config) {
         status: 404,
         headers: { "Content-Type": "application/json" }
       });
-    } catch (error) {
+    } catch (_error) {
       return new Response(JSON.stringify({ error: "Internal server error" }), {
         status: 500,
         headers: { "Content-Type": "application/json" }
@@ -608,30 +606,1062 @@ function createAuth(config) {
     initialize
   };
 }
+// src/create-server.ts
+import { createServer as coreCreateServer } from "@vertz/core";
+import {
+  createDatabaseBridgeAdapter
+} from "@vertz/db";
+
+// src/entity/access-enforcer.ts
+import { EntityForbiddenError, err as err2, ok as ok2 } from "@vertz/errors";
+async function enforceAccess(operation, accessRules, ctx, row) {
+  const rule = accessRules[operation];
+  if (rule === undefined) {
+    return err2(new EntityForbiddenError(`Access denied: no access rule for operation "${operation}"`));
+  }
+  if (rule === false) {
+    return err2(new EntityForbiddenError(`Operation "${operation}" is disabled`));
+  }
+  const allowed = await rule(ctx, row ?? {});
+  if (!allowed) {
+    return err2(new EntityForbiddenError(`Access denied for operation "${operation}"`));
+  }
+  return ok2(undefined);
+}
+
+// src/action/context.ts
+function createActionContext(request, registryProxy) {
+  const userId = request.userId ?? null;
+  const roles = request.roles ?? [];
+  const tenantId = request.tenantId ?? null;
+  return {
+    userId,
+    authenticated() {
+      return userId !== null;
+    },
+    tenant() {
+      return tenantId !== null;
+    },
+    role(...rolesToCheck) {
+      return rolesToCheck.some((r) => roles.includes(r));
+    },
+    entities: registryProxy
+  };
+}
+
+// src/action/route-generator.ts
+function jsonResponse(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "content-type": "application/json" }
+  });
+}
+function extractRequestInfo(ctx) {
+  return {
+    userId: ctx.userId ?? null,
+    tenantId: ctx.tenantId ?? null,
+    roles: ctx.roles ?? []
+  };
+}
+function generateActionRoutes(def, registry, options) {
+  const prefix = options?.apiPrefix ?? "/api";
+  const inject = def.inject ?? {};
+  const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
+  const routes = [];
+  for (const [handlerName, handlerDef] of Object.entries(def.actions)) {
+    const accessRule = def.access[handlerName];
+    if (accessRule === undefined)
+      continue;
+    const method = (handlerDef.method ?? "POST").toUpperCase();
+    const handlerPath = handlerDef.path ?? `${prefix}/${def.name}/${handlerName}`;
+    const routePath = handlerDef.path ? handlerPath : `${prefix}/${def.name}/${handlerName}`;
+    if (accessRule === false) {
+      routes.push({
+        method,
+        path: routePath,
+        handler: async () => jsonResponse({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Action "${handlerName}" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+      continue;
+    }
+    routes.push({
+      method,
+      path: routePath,
+      handler: async (ctx) => {
+        try {
+          const requestInfo = extractRequestInfo(ctx);
+          const actionCtx = createActionContext(requestInfo, registryProxy);
+          const accessResult = await enforceAccess(handlerName, def.access, actionCtx);
+          if (!accessResult.ok) {
+            return jsonResponse({ error: { code: "Forbidden", message: accessResult.error.message } }, 403);
+          }
+          const rawBody = ctx.body ?? {};
+          const parsed = handlerDef.body.parse(rawBody);
+          if (!parsed.ok) {
+            const message = parsed.error instanceof Error ? parsed.error.message : "Invalid request body";
+            return jsonResponse({ error: { code: "BadRequest", message } }, 400);
+          }
+          const result = await handlerDef.handler(parsed.data, actionCtx);
+          const responseParsed = handlerDef.response.parse(result);
+          if (!responseParsed.ok) {
+            const message = responseParsed.error instanceof Error ? responseParsed.error.message : "Response validation failed";
+            console.warn(`[vertz] Action response validation warning: ${message}`);
+          }
+          return jsonResponse(result, 200);
+        } catch (error) {
+          const message = error instanceof Error ? error.message : "Internal server error";
+          return jsonResponse({ error: { code: "InternalServerError", message } }, 500);
+        }
+      }
+    });
+  }
+  return routes;
+}
+
+// src/entity/entity-registry.ts
+class EntityRegistry {
+  entries = new Map;
+  register(name, ops) {
+    if (this.entries.has(name)) {
+      throw new Error(`Entity "${name}" is already registered. Each entity name must be unique.`);
+    }
+    this.entries.set(name, ops);
+  }
+  get(name) {
+    const entry = this.entries.get(name);
+    if (!entry) {
+      const available = [...this.entries.keys()].join(", ");
+      throw new Error(`Entity "${name}" is not registered. Available entities: ${available}`);
+    }
+    return entry;
+  }
+  has(name) {
+    return this.entries.has(name);
+  }
+  createProxy() {
+    return new Proxy({}, {
+      get: (_target, prop) => {
+        if (typeof prop === "symbol")
+          return;
+        return this.get(prop);
+      }
+    });
+  }
+  createScopedProxy(inject) {
+    const localToEntity = new Map;
+    for (const [localName, def] of Object.entries(inject)) {
+      localToEntity.set(localName, def.name);
+    }
+    return new Proxy({}, {
+      get: (_target, prop) => {
+        if (typeof prop === "symbol")
+          return;
+        const entityName = localToEntity.get(prop);
+        if (!entityName) {
+          throw new Error(`Entity "${prop}" is not declared in inject. ` + `Injected entities: ${[...localToEntity.keys()].join(", ") || "(none)"}. ` + `Add it to the inject config to access it.`);
+        }
+        return this.get(entityName);
+      }
+    });
+  }
+}
+
+// src/entity/field-filter.ts
+function stripHiddenFields(table, data) {
+  const hiddenKeys = new Set;
+  for (const key of Object.keys(table._columns)) {
+    const col = table._columns[key];
+    if (col?._meta._annotations.hidden) {
+      hiddenKeys.add(key);
+    }
+  }
+  if (hiddenKeys.size === 0)
+    return data;
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!hiddenKeys.has(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function narrowRelationFields(relationsConfig, data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const config = relationsConfig[key];
+    if (config === undefined || config === true) {
+      result[key] = value;
+    } else if (config === false) {} else if (typeof config === "object" && value !== null && typeof value === "object") {
+      if (Array.isArray(value)) {
+        result[key] = value.map((item) => {
+          const narrowed = {};
+          for (const field of Object.keys(config)) {
+            if (field in item) {
+              narrowed[field] = item[field];
+            }
+          }
+          return narrowed;
+        });
+      } else {
+        const narrowed = {};
+        for (const field of Object.keys(config)) {
+          if (field in value) {
+            narrowed[field] = value[field];
+          }
+        }
+        result[key] = narrowed;
+      }
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function applySelect(select, data) {
+  if (!select)
+    return data;
+  const result = {};
+  for (const key of Object.keys(select)) {
+    if (key in data) {
+      result[key] = data[key];
+    }
+  }
+  return result;
+}
+function stripReadOnlyFields(table, data) {
+  const excludedKeys = new Set;
+  for (const key of Object.keys(table._columns)) {
+    const col = table._columns[key];
+    if (col?._meta.isReadOnly || col?._meta.primary) {
+      excludedKeys.add(key);
+    }
+  }
+  if (excludedKeys.size === 0)
+    return data;
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!excludedKeys.has(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// src/entity/action-pipeline.ts
+import {
+  BadRequestError,
+  EntityNotFoundError,
+  err as err3,
+  ok as ok3
+} from "@vertz/errors";
+function createActionHandler(def, actionName, actionDef, db, hasId) {
+  return async (ctx, id, rawInput) => {
+    let row = null;
+    if (hasId) {
+      row = await db.get(id);
+      if (!row) {
+        return err3(new EntityNotFoundError(`${def.name} with id "${id}" not found`));
+      }
+    }
+    const accessResult = await enforceAccess(actionName, def.access, ctx, row ?? {});
+    if (!accessResult.ok)
+      return err3(accessResult.error);
+    const parseResult = actionDef.body.parse(rawInput);
+    if (!parseResult.ok) {
+      return err3(new BadRequestError(parseResult.error.message));
+    }
+    const input = parseResult.data;
+    const result = await actionDef.handler(input, ctx, row);
+    const afterHooks = def.after;
+    const afterHook = afterHooks[actionName];
+    if (afterHook) {
+      try {
+        await afterHook(result, ctx, row);
+      } catch {}
+    }
+    return ok3({ status: 200, body: result });
+  };
+}
+
+// src/entity/context.ts
+function createEntityContext(request, entityOps, registryProxy) {
+  const userId = request.userId ?? null;
+  const roles = request.roles ?? [];
+  const tenantId = request.tenantId ?? null;
+  return {
+    userId,
+    authenticated() {
+      return userId !== null;
+    },
+    tenant() {
+      return tenantId !== null;
+    },
+    role(...rolesToCheck) {
+      return rolesToCheck.some((r) => roles.includes(r));
+    },
+    entity: entityOps,
+    entities: registryProxy
+  };
+}
+
+// src/entity/crud-pipeline.ts
+import { EntityNotFoundError as EntityNotFoundError2, err as err4, ok as ok4 } from "@vertz/errors";
+function resolvePrimaryKeyColumn(table) {
+  for (const key of Object.keys(table._columns)) {
+    const col = table._columns[key];
+    if (col?._meta.primary)
+      return key;
+  }
+  return "id";
+}
+function createCrudHandlers(def, db) {
+  const table = def.model.table;
+  return {
+    async list(ctx, options) {
+      const accessResult = await enforceAccess("list", def.access, ctx);
+      if (!accessResult.ok)
+        return err4(accessResult.error);
+      const rawWhere = options?.where;
+      const safeWhere = rawWhere ? stripHiddenFields(table, rawWhere) : undefined;
+      const where = safeWhere && Object.keys(safeWhere).length > 0 ? safeWhere : undefined;
+      const limit = Math.max(0, options?.limit ?? 20);
+      const after = options?.after && options.after.length <= 512 ? options.after : undefined;
+      const orderBy = options?.orderBy;
+      const { data: rows, total } = await db.list({ where, orderBy, limit, after });
+      const data = rows.map((row) => narrowRelationFields(def.relations, stripHiddenFields(table, row)));
+      const pkColumn = resolvePrimaryKeyColumn(table);
+      const lastRow = rows[rows.length - 1];
+      const nextCursor = limit > 0 && rows.length === limit && lastRow ? String(lastRow[pkColumn]) : null;
+      const hasNextPage = nextCursor !== null;
+      return ok4({ status: 200, body: { items: data, total, limit, nextCursor, hasNextPage } });
+    },
+    async get(ctx, id) {
+      const row = await db.get(id);
+      if (!row) {
+        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+      }
+      const accessResult = await enforceAccess("get", def.access, ctx, row);
+      if (!accessResult.ok)
+        return err4(accessResult.error);
+      return ok4({
+        status: 200,
+        body: narrowRelationFields(def.relations, stripHiddenFields(table, row))
+      });
+    },
+    async create(ctx, data) {
+      const accessResult = await enforceAccess("create", def.access, ctx);
+      if (!accessResult.ok)
+        return err4(accessResult.error);
+      let input = stripReadOnlyFields(table, data);
+      if (def.before.create) {
+        input = await def.before.create(input, ctx);
+      }
+      const result = await db.create(input);
+      const strippedResult = stripHiddenFields(table, result);
+      if (def.after.create) {
+        try {
+          await def.after.create(strippedResult, ctx);
+        } catch {}
+      }
+      return ok4({ status: 201, body: narrowRelationFields(def.relations, strippedResult) });
+    },
+    async update(ctx, id, data) {
+      const existing = await db.get(id);
+      if (!existing) {
+        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+      }
+      const accessResult = await enforceAccess("update", def.access, ctx, existing);
+      if (!accessResult.ok)
+        return err4(accessResult.error);
+      let input = stripReadOnlyFields(table, data);
+      if (def.before.update) {
+        input = await def.before.update(input, ctx);
+      }
+      const result = await db.update(id, input);
+      const strippedExisting = stripHiddenFields(table, existing);
+      const strippedResult = stripHiddenFields(table, result);
+      if (def.after.update) {
+        try {
+          await def.after.update(strippedExisting, strippedResult, ctx);
+        } catch {}
+      }
+      return ok4({
+        status: 200,
+        body: narrowRelationFields(def.relations, strippedResult)
+      });
+    },
+    async delete(ctx, id) {
+      const existing = await db.get(id);
+      if (!existing) {
+        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+      }
+      const accessResult = await enforceAccess("delete", def.access, ctx, existing);
+      if (!accessResult.ok)
+        return err4(accessResult.error);
+      await db.delete(id);
+      if (def.after.delete) {
+        try {
+          await def.after.delete(stripHiddenFields(table, existing), ctx);
+        } catch {}
+      }
+      return ok4({ status: 204, body: null });
+    }
+  };
+}
+
+// src/entity/error-handler.ts
+import { ValidationException, VertzException } from "@vertz/core";
+import { EntityError, isEntityValidationError } from "@vertz/errors";
+var ERROR_CODE_TO_STATUS = {
+  BadRequest: 400,
+  Unauthorized: 401,
+  Forbidden: 403,
+  NotFound: 404,
+  MethodNotAllowed: 405,
+  Conflict: 409,
+  ValidationError: 422,
+  InternalError: 500,
+  ServiceUnavailable: 503
+};
+var STATUS_TO_ERROR_CODE = {
+  400: "BadRequest",
+  401: "Unauthorized",
+  403: "Forbidden",
+  404: "NotFound",
+  405: "MethodNotAllowed",
+  409: "Conflict",
+  422: "ValidationError",
+  500: "InternalError",
+  503: "ServiceUnavailable"
+};
+function entityErrorHandler(error) {
+  if (error instanceof EntityError) {
+    const status = ERROR_CODE_TO_STATUS[error.code] ?? 500;
+    const details = isEntityValidationError(error) ? error.errors : undefined;
+    return {
+      status,
+      body: {
+        error: {
+          code: error.code,
+          message: error.message,
+          ...details !== undefined && { details }
+        }
+      }
+    };
+  }
+  if (error instanceof VertzException) {
+    const code = STATUS_TO_ERROR_CODE[error.statusCode] ?? "InternalError";
+    const details = error instanceof ValidationException ? error.errors : undefined;
+    return {
+      status: error.statusCode,
+      body: {
+        error: {
+          code,
+          message: error.message,
+          ...details !== undefined && { details }
+        }
+      }
+    };
+  }
+  return {
+    status: 500,
+    body: {
+      error: { code: "InternalError", message: "An unexpected error occurred" }
+    }
+  };
+}
+
+// src/entity/vertzql-parser.ts
+var MAX_LIMIT = 1000;
+function parseVertzQL(query) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const whereMatch = key.match(/^where\[([^\]]+)\](?:\[([^\]]+)\])?$/);
+    if (whereMatch) {
+      if (!result.where)
+        result.where = {};
+      const field = whereMatch[1];
+      const op = whereMatch[2];
+      const existing = result.where[field];
+      if (op) {
+        const base = existing && typeof existing === "object" ? existing : existing !== undefined ? { eq: existing } : {};
+        result.where[field] = { ...base, [op]: value };
+      } else {
+        if (existing && typeof existing === "object") {
+          result.where[field] = { ...existing, eq: value };
+        } else {
+          result.where[field] = value;
+        }
+      }
+      continue;
+    }
+    if (key === "limit") {
+      const parsed = Number.parseInt(value, 10);
+      if (!Number.isNaN(parsed)) {
+        result.limit = Math.max(0, Math.min(parsed, MAX_LIMIT));
+      }
+      continue;
+    }
+    if (key === "after") {
+      if (value) {
+        result.after = value;
+      }
+      continue;
+    }
+    if (key === "orderBy") {
+      const [field, dir] = value.split(":");
+      if (field) {
+        if (!result.orderBy)
+          result.orderBy = {};
+        result.orderBy[field] = dir === "desc" ? "desc" : "asc";
+      }
+      continue;
+    }
+    if (key === "q") {
+      try {
+        const urlDecoded = decodeURIComponent(value);
+        const b64 = urlDecoded.replace(/-/g, "+").replace(/_/g, "/");
+        const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+        const decoded = JSON.parse(atob(padded));
+        if (decoded.select && typeof decoded.select === "object") {
+          result.select = decoded.select;
+        }
+        if (decoded.include && typeof decoded.include === "object") {
+          result.include = decoded.include;
+        }
+      } catch {
+        result._qError = "Invalid q= parameter: not valid base64 or JSON";
+      }
+    }
+  }
+  return result;
+}
+function getHiddenColumns(table) {
+  const hidden = new Set;
+  for (const key of Object.keys(table._columns)) {
+    const col = table._columns[key];
+    if (col?._meta._annotations.hidden) {
+      hidden.add(key);
+    }
+  }
+  return hidden;
+}
+function validateVertzQL(options, table, relationsConfig) {
+  if (options._qError) {
+    return { ok: false, error: options._qError };
+  }
+  const hiddenColumns = getHiddenColumns(table);
+  if (options.where) {
+    for (const field of Object.keys(options.where)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not filterable` };
+      }
+    }
+  }
+  if (options.orderBy) {
+    for (const field of Object.keys(options.orderBy)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not sortable` };
+      }
+    }
+  }
+  if (options.select) {
+    for (const field of Object.keys(options.select)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not selectable` };
+      }
+    }
+  }
+  if (options.include && relationsConfig) {
+    for (const [relation, requested] of Object.entries(options.include)) {
+      const entityConfig = relationsConfig[relation];
+      if (entityConfig === undefined || entityConfig === false) {
+        return { ok: false, error: `Relation "${relation}" is not exposed` };
+      }
+      if (typeof entityConfig === "object" && typeof requested === "object") {
+        for (const field of Object.keys(requested)) {
+          if (!(field in entityConfig)) {
+            return {
+              ok: false,
+              error: `Field "${field}" is not exposed on relation "${relation}"`
+            };
+          }
+        }
+      }
+    }
+  }
+  return { ok: true };
+}
+
+// src/entity/route-generator.ts
+function jsonResponse2(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "content-type": "application/json" }
+  });
+}
+function emptyResponse(status) {
+  return new Response(null, { status });
+}
+function extractRequestInfo2(ctx) {
+  return {
+    userId: ctx.userId ?? null,
+    tenantId: ctx.tenantId ?? null,
+    roles: ctx.roles ?? []
+  };
+}
+function getParams(ctx) {
+  return ctx.params ?? {};
+}
+function generateEntityRoutes(def, registry, db, options) {
+  const prefix = options?.apiPrefix ?? "/api";
+  const basePath = `${prefix}/${def.name}`;
+  const crudHandlers = createCrudHandlers(def, db);
+  const inject = def.inject ?? {};
+  const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
+  const routes = [];
+  function makeEntityCtx(ctx) {
+    const requestInfo = extractRequestInfo2(ctx);
+    const entityOps = {};
+    return createEntityContext(requestInfo, entityOps, registryProxy);
+  }
+  if (def.access.list !== undefined) {
+    if (def.access.list === false) {
+      routes.push({
+        method: "GET",
+        path: basePath,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Operation "list" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      routes.push({
+        method: "GET",
+        path: basePath,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const query = ctx.query ?? {};
+            const parsed = parseVertzQL(query);
+            const relationsConfig = def.relations;
+            const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
+            if (!validation.ok) {
+              return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+            }
+            const options2 = {
+              where: parsed.where ? parsed.where : undefined,
+              orderBy: parsed.orderBy,
+              limit: parsed.limit,
+              after: parsed.after
+            };
+            const result = await crudHandlers.list(entityCtx, options2);
+            if (!result.ok) {
+              const { status, body } = entityErrorHandler(result.error);
+              return jsonResponse2(body, status);
+            }
+            if (parsed.select && result.data.body.items) {
+              result.data.body.items = result.data.body.items.map((row) => applySelect(parsed.select, row));
+            }
+            return jsonResponse2(result.data.body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+    routes.push({
+      method: "POST",
+      path: `${basePath}/query`,
+      handler: async (ctx) => {
+        try {
+          const entityCtx = makeEntityCtx(ctx);
+          const body = ctx.body ?? {};
+          const parsed = {
+            where: body.where,
+            orderBy: body.orderBy,
+            limit: typeof body.limit === "number" ? body.limit : undefined,
+            after: typeof body.after === "string" ? body.after : undefined,
+            select: body.select,
+            include: body.include
+          };
+          const relationsConfig = def.relations;
+          const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
+          if (!validation.ok) {
+            return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+          }
+          const options2 = {
+            where: parsed.where,
+            orderBy: parsed.orderBy,
+            limit: parsed.limit,
+            after: parsed.after
+          };
+          const result = await crudHandlers.list(entityCtx, options2);
+          if (!result.ok) {
+            const { status, body: errBody } = entityErrorHandler(result.error);
+            return jsonResponse2(errBody, status);
+          }
+          if (parsed.select && result.data.body.items) {
+            result.data.body.items = result.data.body.items.map((row) => applySelect(parsed.select, row));
+          }
+          return jsonResponse2(result.data.body, result.data.status);
+        } catch (error) {
+          const { status, body: errBody } = entityErrorHandler(error);
+          return jsonResponse2(errBody, status);
+        }
+      }
+    });
+  }
+  if (def.access.get !== undefined) {
+    if (def.access.get === false) {
+      routes.push({
+        method: "GET",
+        path: `${basePath}/:id`,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Operation "get" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      routes.push({
+        method: "GET",
+        path: `${basePath}/:id`,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const id = getParams(ctx).id;
+            const query = ctx.query ?? {};
+            const parsed = parseVertzQL(query);
+            const relationsConfig = def.relations;
+            const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
+            if (!validation.ok) {
+              return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+            }
+            const result = await crudHandlers.get(entityCtx, id);
+            if (!result.ok) {
+              const { status, body: body2 } = entityErrorHandler(result.error);
+              return jsonResponse2(body2, status);
+            }
+            const body = parsed.select ? applySelect(parsed.select, result.data.body) : result.data.body;
+            return jsonResponse2(body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+  }
+  if (def.access.create !== undefined) {
+    if (def.access.create === false) {
+      routes.push({
+        method: "POST",
+        path: basePath,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Operation "create" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      routes.push({
+        method: "POST",
+        path: basePath,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const data = ctx.body ?? {};
+            const result = await crudHandlers.create(entityCtx, data);
+            if (!result.ok) {
+              const { status, body } = entityErrorHandler(result.error);
+              return jsonResponse2(body, status);
+            }
+            return jsonResponse2(result.data.body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+  }
+  if (def.access.update !== undefined) {
+    if (def.access.update === false) {
+      routes.push({
+        method: "PATCH",
+        path: `${basePath}/:id`,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Operation "update" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      routes.push({
+        method: "PATCH",
+        path: `${basePath}/:id`,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const id = getParams(ctx).id;
+            const data = ctx.body ?? {};
+            const result = await crudHandlers.update(entityCtx, id, data);
+            if (!result.ok) {
+              const { status, body } = entityErrorHandler(result.error);
+              return jsonResponse2(body, status);
+            }
+            return jsonResponse2(result.data.body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+  }
+  if (def.access.delete !== undefined) {
+    if (def.access.delete === false) {
+      routes.push({
+        method: "DELETE",
+        path: `${basePath}/:id`,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Operation "delete" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      routes.push({
+        method: "DELETE",
+        path: `${basePath}/:id`,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const id = getParams(ctx).id;
+            const result = await crudHandlers.delete(entityCtx, id);
+            if (!result.ok) {
+              const { status, body } = entityErrorHandler(result.error);
+              return jsonResponse2(body, status);
+            }
+            if (result.data.status === 204) {
+              return emptyResponse(204);
+            }
+            return jsonResponse2(result.data.body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+  }
+  for (const [actionName, actionDef] of Object.entries(def.actions)) {
+    if (def.access[actionName] === undefined)
+      continue;
+    const method = (actionDef.method ?? "POST").toUpperCase();
+    const actionPath = actionDef.path ? `${basePath}/${actionDef.path}` : `${basePath}/:id/${actionName}`;
+    const hasId = actionPath.includes(":id");
+    if (def.access[actionName] === false) {
+      routes.push({
+        method,
+        path: actionPath,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Action "${actionName}" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+    } else {
+      const actionHandler = createActionHandler(def, actionName, actionDef, db, hasId);
+      routes.push({
+        method,
+        path: actionPath,
+        handler: async (ctx) => {
+          try {
+            const entityCtx = makeEntityCtx(ctx);
+            const id = hasId ? getParams(ctx).id : null;
+            const input = method === "GET" ? ctx.query ?? {} : ctx.body;
+            const result = await actionHandler(entityCtx, id, input);
+            if (!result.ok) {
+              const { status, body } = entityErrorHandler(result.error);
+              return jsonResponse2(body, status);
+            }
+            return jsonResponse2(result.data.body, result.data.status);
+          } catch (error) {
+            const { status, body } = entityErrorHandler(error);
+            return jsonResponse2(body, status);
+          }
+        }
+      });
+    }
+  }
+  return routes;
+}
+
+// src/create-server.ts
+function isDatabaseClient(db) {
+  return db !== null && typeof db === "object" && "_internals" in db;
+}
+function createNoopDbAdapter() {
+  return {
+    async get() {
+      return null;
+    },
+    async list() {
+      return { data: [], total: 0 };
+    },
+    async create(data) {
+      return data;
+    },
+    async update(_id, data) {
+      return data;
+    },
+    async delete() {
+      return null;
+    }
+  };
+}
+function createEntityOps(entityDef, db) {
+  const table = entityDef.model.table;
+  return {
+    async get(id) {
+      const row = await db.get(id);
+      if (!row)
+        return row;
+      return stripHiddenFields(table, row);
+    },
+    async list(options) {
+      const result = await db.list(options);
+      const items = Array.isArray(result) ? result : result.data ?? [];
+      const total = Array.isArray(result) ? result.length : result.total ?? items.length;
+      return {
+        items: items.map((row) => stripHiddenFields(table, row)),
+        total,
+        limit: options?.limit ?? 20,
+        nextCursor: null,
+        hasNextPage: false
+      };
+    },
+    async create(data) {
+      const row = await db.create(data);
+      return stripHiddenFields(table, row);
+    },
+    async update(id, data) {
+      const row = await db.update(id, data);
+      return stripHiddenFields(table, row);
+    },
+    async delete(id) {
+      await db.delete(id);
+    }
+  };
+}
+function createServer(config) {
+  const allRoutes = [];
+  const registry = new EntityRegistry;
+  const apiPrefix = config.apiPrefix === undefined ? "/api" : config.apiPrefix;
+  if (config.entities && config.entities.length > 0) {
+    const { db } = config;
+    let dbFactory;
+    if (db && isDatabaseClient(db)) {
+      dbFactory = (entityDef) => createDatabaseBridgeAdapter(db, entityDef.name);
+    } else if (db) {
+      dbFactory = () => db;
+    } else {
+      dbFactory = config._entityDbFactory ?? createNoopDbAdapter;
+    }
+    for (const entityDef of config.entities) {
+      const entityDb = dbFactory(entityDef);
+      const ops = createEntityOps(entityDef, entityDb);
+      registry.register(entityDef.name, ops);
+    }
+    for (const entityDef of config.entities) {
+      const entityDb = dbFactory(entityDef);
+      const routes = generateEntityRoutes(entityDef, registry, entityDb, {
+        apiPrefix
+      });
+      allRoutes.push(...routes);
+    }
+  }
+  if (config.actions && config.actions.length > 0) {
+    for (const actionDef of config.actions) {
+      const routes = generateActionRoutes(actionDef, registry, { apiPrefix });
+      allRoutes.push(...routes);
+    }
+  }
+  return coreCreateServer({
+    ...config,
+    _entityRoutes: allRoutes.length > 0 ? allRoutes : undefined
+  });
+}
+// src/entity/entity.ts
+import { deepFreeze as deepFreeze2 } from "@vertz/core";
+var ENTITY_NAME_PATTERN = /^[a-z][a-z0-9-]*$/;
+function entity(name, config) {
+  if (!name || !ENTITY_NAME_PATTERN.test(name)) {
+    throw new Error(`entity() name must be a non-empty lowercase string matching /^[a-z][a-z0-9-]*$/. Got: "${name}"`);
+  }
+  if (!config.model) {
+    throw new Error("entity() requires a model in the config.");
+  }
+  const def = {
+    kind: "entity",
+    name,
+    model: config.model,
+    inject: config.inject ?? {},
+    access: config.access ?? {},
+    before: config.before ?? {},
+    after: config.after ?? {},
+    actions: config.actions ?? {},
+    relations: config.relations ?? {}
+  };
+  return deepFreeze2(def);
+}
 export {
   vertz,
   verifyPassword,
   validatePassword,
+  stripReadOnlyFields,
+  stripHiddenFields,
   makeImmutable,
   hashPassword,
-  domain,
+  generateEntityRoutes,
+  entityErrorHandler,
+  entity,
+  enforceAccess,
   defaultAccess,
-  deepFreeze,
+  deepFreeze3 as deepFreeze,
   createServer,
   createModuleDef,
   createModule,
   createMiddleware,
   createImmutableProxy,
   createEnv,
+  createEntityContext,
+  createCrudHandlers,
   createAuth,
   createAccess,
-  VertzException,
-  ValidationException,
+  action,
+  VertzException2 as VertzException,
+  ValidationException2 as ValidationException,
   UnauthorizedException,
   ServiceUnavailableException,
   NotFoundException,
   InternalServerErrorException,
   ForbiddenException,
+  EntityRegistry,
   ConflictException,
   BadRequestException,
   AuthorizationError