npm - @vertz/server - Versions diffs - 0.2.0 → 0.2.3 - Mend

@vertz/server 0.2.0 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,230 +1,167 @@
-import { AccumulateProvides, AppBuilder, AppConfig, BootInstruction, BootSequence, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, ExtractMethods, HandlerCtx, HttpMethod, HttpStatusCode, Infer as Infer2, InferSchema, ListenOptions, MiddlewareDef, Module, ModuleBootInstruction, ModuleDef, NamedMiddlewareDef, NamedModule, NamedModuleDef, NamedRouterDef, NamedServiceDef, RawRequest, ResolveInjectMap, RouterDef, ServerAdapter, ServerHandle, ServiceBootInstruction, ServiceDef, ServiceFactory } from "@vertz/core";
-import { BadRequestException, ConflictException, createEnv, createImmutableProxy, createMiddleware, createModule, createModuleDef, createServer, deepFreeze, ForbiddenException, InternalServerErrorException, makeImmutable, NotFoundException, ServiceUnavailableException, UnauthorizedException, ValidationException, VertzException, vertz } from "@vertz/core";
-interface JsonbValidator<T> {
-	parse(value: unknown): T;
-}
-interface ColumnMetadata {
-	readonly sqlType: string;
-	readonly primary: boolean;
-	readonly unique: boolean;
-	readonly nullable: boolean;
-	readonly hasDefault: boolean;
-	readonly sensitive: boolean;
-	readonly hidden: boolean;
-	readonly isTenant: boolean;
-	readonly references: {
-		readonly table: string;
-		readonly column: string;
-	} | null;
-	readonly check: string | null;
-	readonly defaultValue?: unknown;
-	readonly format?: string;
-	readonly length?: number;
-	readonly precision?: number;
-	readonly scale?: number;
-	readonly enumName?: string;
-	readonly enumValues?: readonly string[];
-	readonly validator?: JsonbValidator<unknown>;
-}
-/** Phantom symbol to carry the TypeScript type without a runtime value. */
-declare const PhantomType: unique symbol;
-interface ColumnBuilder<
-	TType,
-	TMeta extends ColumnMetadata = ColumnMetadata
-> {
-	/** Phantom field -- only exists at the type level for inference. Do not access at runtime. */
-	readonly [PhantomType]: TType;
-	readonly _meta: TMeta;
-	primary(): ColumnBuilder<TType, Omit<TMeta, "primary" | "hasDefault"> & {
-		readonly primary: true;
-		readonly hasDefault: true;
-	}>;
-	unique(): ColumnBuilder<TType, Omit<TMeta, "unique"> & {
-		readonly unique: true;
-	}>;
-	nullable(): ColumnBuilder<TType | null, Omit<TMeta, "nullable"> & {
-		readonly nullable: true;
-	}>;
-	default(value: TType | "now"): ColumnBuilder<TType, Omit<TMeta, "hasDefault"> & {
-		readonly hasDefault: true;
-		readonly defaultValue: TType | "now";
-	}>;
-	sensitive(): ColumnBuilder<TType, Omit<TMeta, "sensitive"> & {
-		readonly sensitive: true;
-	}>;
-	hidden(): ColumnBuilder<TType, Omit<TMeta, "hidden"> & {
-		readonly hidden: true;
-	}>;
-	check(sql: string): ColumnBuilder<TType, Omit<TMeta, "check"> & {
-		readonly check: string;
-	}>;
-	references(table: string, column?: string): ColumnBuilder<TType, Omit<TMeta, "references"> & {
-		readonly references: {
-			readonly table: string;
-			readonly column: string;
-		};
-	}>;
+import { AccumulateProvides, AppBuilder as AppBuilder2, AppConfig as AppConfig2, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, HandlerCtx, HttpMethod, HttpStatusCode, Infer, InferSchema, ListenOptions, MiddlewareDef, NamedMiddlewareDef, RawRequest, ServerAdapter, ServerHandle } from "@vertz/core";
+import { BadRequestException, ConflictException, createEnv, createImmutableProxy, createMiddleware, deepFreeze, ForbiddenException, InternalServerErrorException, makeImmutable, NotFoundException, ServiceUnavailableException, UnauthorizedException, ValidationException, VertzException, vertz } from "@vertz/core";
+import { ModelDef as ModelDef2, RelationDef, SchemaLike, TableDef } from "@vertz/db";
+import { ModelDef } from "@vertz/db";
+import { EntityDbAdapter, ListOptions } from "@vertz/db";
+import { EntityError, Result } from "@vertz/errors";
+import { EntityDbAdapter as EntityDbAdapter2, ListOptions as ListOptions2 } from "@vertz/db";
+interface ListResult<T = Record<string, unknown>> {
+	items: T[];
+	total: number;
+	limit: number;
+	nextCursor: string | null;
+	hasNextPage: boolean;
+}
+interface CrudResult<T = unknown> {
+	status: number;
+	body: T;
 }
-type InferColumnType<C> = C extends ColumnBuilder<infer T, ColumnMetadata> ? T : never;
-interface ThroughDef<TJoin extends TableDef<ColumnRecord> = TableDef<ColumnRecord>> {
-	readonly table: () => TJoin;
-	readonly thisKey: string;
-	readonly thatKey: string;
+interface CrudHandlers {
+	list(ctx: EntityContext, options?: ListOptions): Promise<Result<CrudResult<ListResult>, EntityError>>;
+	get(ctx: EntityContext, id: string): Promise<Result<CrudResult<Record<string, unknown>>, EntityError>>;
+	create(ctx: EntityContext, data: Record<string, unknown>): Promise<Result<CrudResult<Record<string, unknown>>, EntityError>>;
+	update(ctx: EntityContext, id: string, data: Record<string, unknown>): Promise<Result<CrudResult<Record<string, unknown>>, EntityError>>;
+	delete(ctx: EntityContext, id: string): Promise<Result<CrudResult<null>, EntityError>>;
 }
-interface RelationDef<
-	TTarget extends TableDef<ColumnRecord> = TableDef<ColumnRecord>,
-	TType extends "one" | "many" = "one" | "many"
-> {
-	readonly _type: TType;
-	readonly _target: () => TTarget;
-	readonly _foreignKey: string | null;
-	readonly _through: ThroughDef | null;
-}
-interface IndexDef {
-	readonly columns: readonly string[];
-}
-/** A record of column builders -- the shape passed to d.table(). */
-type ColumnRecord = Record<string, ColumnBuilder<unknown, ColumnMetadata>>;
-/** Extract the TypeScript type from every column in a record. */
-type InferColumns<T extends ColumnRecord> = { [K in keyof T] : InferColumnType<T[K]> };
-/** Keys of columns where a given metadata flag is `true`. */
-type ColumnKeysWhere<
-	T extends ColumnRecord,
-	Flag extends keyof ColumnMetadata
-> = { [K in keyof T] : T[K] extends ColumnBuilder<unknown, infer M> ? M extends Record<Flag, true> ? K : never : never }[keyof T];
-/** Keys of columns where a given metadata flag is NOT `true` (i.e., false). */
-type ColumnKeysWhereNot<
-	T extends ColumnRecord,
-	Flag extends keyof ColumnMetadata
-> = { [K in keyof T] : T[K] extends ColumnBuilder<unknown, infer M> ? M extends Record<Flag, true> ? never : K : never }[keyof T];
-/**
-* $infer -- default SELECT type.
-* Excludes hidden columns. Includes everything else (including sensitive).
-*/
-type Infer<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hidden">] : InferColumnType<T[K]> };
-/**
-* $infer_all -- all columns including hidden.
-*/
-type InferAll<T extends ColumnRecord> = InferColumns<T>;
-/**
-* $insert -- write type. ALL columns included (visibility is read-side only).
-* Columns with hasDefault: true become optional.
-*/
-type Insert<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hasDefault">] : InferColumnType<T[K]> } & { [K in ColumnKeysWhere<T, "hasDefault">]? : InferColumnType<T[K]> };
-/**
-* $update -- write type. ALL non-primary-key columns, all optional.
-* Primary key excluded (you don't update a PK).
-*/
-type Update<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "primary">]? : InferColumnType<T[K]> };
+declare function createCrudHandlers(def: EntityDefinition, db: EntityDbAdapter): CrudHandlers;
 /**
-* $not_sensitive -- excludes columns marked .sensitive() OR .hidden().
-* (hidden implies sensitive for read purposes)
+* EntityOperations — typed CRUD facade for a single entity.
+*
+* When used as `ctx.entity`, TModel fills in actual column types.
+* When used as `ctx.entities.*`, TModel defaults to `ModelDef` (loose typing).
 */
-type NotSensitive<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "sensitive"> & ColumnKeysWhereNot<T, "hidden"> & keyof T] : InferColumnType<T[K]> };
+interface EntityOperations<TModel extends ModelDef = ModelDef> {
+	get(id: string): Promise<TModel["table"]["$response"]>;
+	list(options?: ListOptions2): Promise<ListResult<TModel["table"]["$response"]>>;
+	create(data: TModel["table"]["$create_input"]): Promise<TModel["table"]["$response"]>;
+	update(id: string, data: TModel["table"]["$update_input"]): Promise<TModel["table"]["$response"]>;
+	delete(id: string): Promise<void>;
+}
+/** Extracts the model type from an EntityDefinition */
+type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef2;
 /**
-* $not_hidden -- excludes columns marked .hidden().
-* Same as $infer (excludes hidden, keeps sensitive).
+* Maps an inject config `{ key: EntityDefinition<TModel> }` to
+* `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
 */
-type NotHidden<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hidden">] : InferColumnType<T[K]> };
-interface TableDef<TColumns extends ColumnRecord = ColumnRecord> {
-	readonly _name: string;
-	readonly _columns: TColumns;
-	readonly _indexes: readonly IndexDef[];
-	readonly _shared: boolean;
-	/** Default SELECT type -- excludes hidden columns. */
-	readonly $infer: Infer<TColumns>;
-	/** All columns including hidden. */
-	readonly $infer_all: InferAll<TColumns>;
-	/** Insert type -- defaulted columns optional. ALL columns included. */
-	readonly $insert: Insert<TColumns>;
-	/** Update type -- all non-PK columns optional. ALL columns included. */
-	readonly $update: Update<TColumns>;
-	/** Excludes sensitive and hidden columns. */
-	readonly $not_sensitive: NotSensitive<TColumns>;
-	/** Excludes hidden columns. */
-	readonly $not_hidden: NotHidden<TColumns>;
-	/** Mark this table as shared / cross-tenant. */
-	shared(): TableDef<TColumns>;
-}
-/** Relations record — maps relation names to RelationDef. */
-type RelationsRecord = Record<string, RelationDef>;
-/** A table entry in the database registry, pairing a table with its relations. */
-interface TableEntry<
-	TTable extends TableDef<ColumnRecord> = TableDef<ColumnRecord>,
-	TRelations extends RelationsRecord = RelationsRecord
+type InjectToOperations<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel<TInject[K]>> };
+interface BaseContext {
+	readonly userId: string | null;
+	authenticated(): boolean;
+	tenant(): boolean;
+	role(...roles: string[]): boolean;
+}
+interface EntityContext<
+	TModel extends ModelDef2 = ModelDef2,
+	TInject extends Record<string, EntityDefinition> = {}
+> extends BaseContext {
+	/** Typed CRUD on the current entity */
+	readonly entity: EntityOperations<TModel>;
+	/** Typed access to injected entities only */
+	readonly entities: InjectToOperations<TInject>;
+}
+type AccessRule = false | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
+interface EntityBeforeHooks<
+	TCreateInput = unknown,
+	TUpdateInput = unknown
 > {
-	readonly table: TTable;
-	readonly relations: TRelations;
-}
-type DomainType = "persisted" | "process" | "view" | "session";
-interface DomainContext<TRow = any> {
-	user: {
-		id: string;
-		role: string;
-		[key: string]: unknown;
-	} | null;
-	tenant: {
-		id: string;
-		[key: string]: unknown;
-	} | null;
-	request: {
-		method: string;
-		path: string;
-		headers: Record<string, string>;
-		ip: string;
+	readonly create?: (data: TCreateInput, ctx: EntityContext) => TCreateInput | Promise<TCreateInput>;
+	readonly update?: (data: TUpdateInput, ctx: EntityContext) => TUpdateInput | Promise<TUpdateInput>;
+}
+interface EntityAfterHooks<TResponse = unknown> {
+	readonly create?: (result: TResponse, ctx: EntityContext) => void | Promise<void>;
+	readonly update?: (prev: TResponse, next: TResponse, ctx: EntityContext) => void | Promise<void>;
+	readonly delete?: (row: TResponse, ctx: EntityContext) => void | Promise<void>;
+}
+interface EntityActionDef<
+	TInput = unknown,
+	TOutput = unknown,
+	TResponse = unknown,
+	TCtx extends EntityContext = EntityContext
+> {
+	readonly method?: string;
+	readonly path?: string;
+	readonly body: SchemaLike<TInput>;
+	readonly response: SchemaLike<TOutput>;
+	readonly handler: (input: TInput, ctx: TCtx, row: TResponse | null) => Promise<TOutput>;
+}
+/** Extract column keys from a RelationDef's target table. */
+type RelationColumnKeys<R> = R extends RelationDef<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
+type EntityRelationsConfig<TRelations extends Record<string, RelationDef> = Record<string, RelationDef>> = { [K in keyof TRelations]? : true | false | { [F in RelationColumnKeys<TRelations[K]>]? : true } };
+interface EntityConfig<
+	TModel extends ModelDef2 = ModelDef2,
+	TActions extends Record<string, EntityActionDef<any, any, any, any>> = {},
+	TInject extends Record<string, EntityDefinition> = {}
+> {
+	readonly model: TModel;
+	readonly inject?: TInject;
+	readonly access?: Partial<Record<"list" | "get" | "create" | "update" | "delete" | Extract<keyof NoInfer<TActions>, string>, AccessRule>>;
+	readonly before?: {
+		readonly create?: (data: TModel["table"]["$create_input"], ctx: EntityContext<TModel, TInject>) => TModel["table"]["$create_input"] | Promise<TModel["table"]["$create_input"]>;
+		readonly update?: (data: TModel["table"]["$update_input"], ctx: EntityContext<TModel, TInject>) => TModel["table"]["$update_input"] | Promise<TModel["table"]["$update_input"]>;
 	};
-	db: Record<string, any>;
-	services: Record<string, unknown>;
-	defaultHandler: (data: any) => Promise<TRow>;
-}
-type AccessRule<TRow> = (row: TRow, ctx: DomainContext<TRow>) => boolean;
-interface AccessRules<TRow> {
-	read?: AccessRule<TRow>;
-	create?: AccessRule<Partial<TRow>>;
-	update?: AccessRule<TRow>;
-	delete?: AccessRule<TRow>;
-}
-type Result<
-	T,
-	E = any
-> = {
-	ok: true;
-	data: T;
-} | {
-	ok: false;
-	error: E;
-};
-interface DomainError {
-	type: string;
-	code: string;
-	message: string;
-	entity?: string;
-	field?: string;
-}
-interface DomainOptions<TEntry extends TableEntry<any, any>> {
-	type: DomainType;
-	table: TEntry;
-	fields?: any;
-	expose?: any;
-	access?: AccessRules<any>;
-	handlers?: any;
-	actions?: Record<string, any>;
-}
-interface DomainDefinition2<TEntry extends TableEntry<any, any> = TableEntry<any, any>> {
-	readonly name: string;
-	readonly type: DomainType;
-	readonly table: TEntry;
-	readonly exposedRelations: Record<string, any>;
-	readonly access: AccessRules<any>;
-	readonly handlers: any;
-	readonly actions: Record<string, any>;
+	readonly after?: {
+		readonly create?: (result: TModel["table"]["$response"], ctx: EntityContext<TModel, TInject>) => void | Promise<void>;
+		readonly update?: (prev: TModel["table"]["$response"], next: TModel["table"]["$response"], ctx: EntityContext<TModel, TInject>) => void | Promise<void>;
+		readonly delete?: (row: TModel["table"]["$response"], ctx: EntityContext<TModel, TInject>) => void | Promise<void>;
+	};
+	readonly actions?: { readonly [K in keyof TActions] : TActions[K] };
+	readonly relations?: EntityRelationsConfig<TModel["relations"]>;
 }
+interface EntityDefinition<TModel extends ModelDef2 = ModelDef2> {
+	readonly kind: "entity";
+	readonly name: string;
+	readonly model: TModel;
+	readonly inject: Record<string, EntityDefinition>;
+	readonly access: Partial<Record<string, AccessRule>>;
+	readonly before: EntityBeforeHooks;
+	readonly after: EntityAfterHooks;
+	readonly actions: Record<string, EntityActionDef>;
+	readonly relations: EntityRelationsConfig<TModel["relations"]>;
+}
+import { SchemaLike as SchemaLike2 } from "@vertz/db";
+/** Extracts the model type from an EntityDefinition */
+type ExtractModel2<T> = T extends EntityDefinition<infer M> ? M : never;
 /**
-* STUB: domain() function for TDD red phase
-* This returns a properly shaped, frozen object that passes all structure tests.
-* Business logic (CRUD generation, access enforcement, etc.) will be implemented next.
+* Maps an inject config `{ key: EntityDefinition<TModel> }` to
+* `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
 */
-declare function domain<TEntry extends TableEntry<any, any>>(name?: string, options?: DomainOptions<TEntry>): DomainDefinition2<TEntry>;
+type InjectToOperations2<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel2<TInject[K]>> };
+interface ActionContext<TInject extends Record<string, EntityDefinition> = {}> extends BaseContext {
+	/** Typed access to injected entities only */
+	readonly entities: InjectToOperations2<TInject>;
+}
+interface ActionActionDef<
+	TInput = unknown,
+	TOutput = unknown,
+	TCtx extends ActionContext = ActionContext
+> {
+	readonly method?: string;
+	readonly path?: string;
+	readonly body: SchemaLike2<TInput>;
+	readonly response: SchemaLike2<TOutput>;
+	readonly handler: (input: TInput, ctx: TCtx) => Promise<TOutput>;
+}
+interface ActionConfig<
+	TActions extends Record<string, ActionActionDef<any, any, any>> = Record<string, ActionActionDef<any, any, any>>,
+	TInject extends Record<string, EntityDefinition> = {}
+> {
+	readonly inject?: TInject;
+	readonly access?: Partial<Record<Extract<keyof NoInfer<TActions>, string>, AccessRule>>;
+	readonly actions: { readonly [K in keyof TActions] : TActions[K] };
+}
+interface ActionDefinition {
+	readonly kind: "action";
+	readonly name: string;
+	readonly inject: Record<string, EntityDefinition>;
+	readonly access: Partial<Record<string, AccessRule>>;
+	readonly actions: Record<string, ActionActionDef>;
+}
+declare function action<
+	TInject extends Record<string, EntityDefinition> = {},
+	TActions extends Record<string, ActionActionDef<any, any, any>> = Record<string, ActionActionDef<any, any, any>>
+>(name: string, config: ActionConfig<TActions, TInject>): ActionDefinition;
+import { AuthValidationError } from "@vertz/errors";
+import { AuthError, Result as Result2 } from "@vertz/errors";
 type SessionStrategy = "jwt" | "database" | "hybrid";
 interface CookieConfig {
 	name?: string;
@@ -262,6 +199,18 @@ interface AuthConfig {
 	jwtAlgorithm?: "HS256" | "HS384" | "HS512" | "RS256";
 	/** Custom claims function for JWT payload */
 	claims?: (user: AuthUser) => Record<string, unknown>;
+	/**
+	* Whether the app runs in production mode.
+	* Controls security enforcement (JWT secret requirement, CSRF validation).
+	* Defaults to true when process.env is unavailable (secure-by-default for edge runtimes).
+	*/
+	isProduction?: boolean;
+	/**
+	* Directory to persist auto-generated dev JWT secret.
+	* Defaults to `.vertz` in the current working directory.
+	* Only used in non-production mode when jwtSecret is not provided.
+	*/
+	devSecretPath?: string;
 }
 interface AuthUser {
 	id: string;
@@ -296,11 +245,11 @@ interface SignInInput {
 	password: string;
 }
 interface AuthApi {
-	signUp: (data: SignUpInput) => Promise<AuthResult<Session>>;
-	signIn: (data: SignInInput) => Promise<AuthResult<Session>>;
-	signOut: (ctx: AuthContext) => Promise<AuthResult<void>>;
-	getSession: (headers: Headers) => Promise<AuthResult<Session | null>>;
-	refreshSession: (ctx: AuthContext) => Promise<AuthResult<Session>>;
+	signUp: (data: SignUpInput) => Promise<Result2<Session, AuthError>>;
+	signIn: (data: SignInInput) => Promise<Result2<Session, AuthError>>;
+	signOut: (ctx: AuthContext) => Promise<Result2<void, AuthError>>;
+	getSession: (headers: Headers) => Promise<Result2<Session | null, AuthError>>;
+	refreshSession: (ctx: AuthContext) => Promise<Result2<Session, AuthError>>;
 }
 interface AuthInstance {
 	/** HTTP handler for auth routes */
@@ -317,18 +266,6 @@ interface AuthContext {
 	request: Request;
 	ip?: string;
 }
-type AuthResult<T> = {
-	ok: true;
-	data: T;
-} | {
-	ok: false;
-	error: AuthError;
-};
-interface AuthError {
-	code: string;
-	message: string;
-	status: number;
-}
 interface RateLimitResult {
 	allowed: boolean;
 	remaining: number;
@@ -381,6 +318,112 @@ declare function createAccess(config: AccessConfig): AccessInstance;
 declare const defaultAccess: AccessInstance;
 declare function hashPassword(password: string): Promise<string>;
 declare function verifyPassword(password: string, hash: string): Promise<boolean>;
-declare function validatePassword(password: string, requirements?: PasswordRequirements): AuthError | null;
+declare function validatePassword(password: string, requirements?: PasswordRequirements): AuthValidationError | null;
 declare function createAuth(config: AuthConfig): AuthInstance;
-export { vertz, verifyPassword, validatePassword, makeImmutable, hashPassword, domain, defaultAccess, deepFreeze, createServer, createModuleDef, createModule, createMiddleware, createImmutableProxy, createEnv, createAuth, createAccess, VertzException, ValidationException, UnauthorizedException, SignUpInput, SignInInput, SessionStrategy, SessionPayload, SessionConfig, Session, ServiceUnavailableException, ServiceFactory, ServiceDef, ServiceBootInstruction, ServerHandle, ServerAdapter, RouterDef, Result, Resource, ResolveInjectMap, RawRequest, RateLimitResult, RateLimitConfig, PasswordRequirements, NotFoundException, NamedServiceDef, NamedRouterDef, NamedModuleDef, NamedModule, NamedMiddlewareDef, ModuleDef, ModuleBootInstruction, Module, MiddlewareDef, ListenOptions, InternalServerErrorException, InferSchema, Infer2 as Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, ExtractMethods, EnvConfig, EntitlementDefinition, Entitlement, EmailPasswordConfig, DomainType, DomainOptions, DomainError, DomainDefinition2 as DomainDefinition, DomainContext, Deps, DeepReadonly, Ctx, CorsConfig, CookieConfig, ConflictException, BootSequence, BootInstruction, BadRequestException, AuthorizationError, AuthUser, AuthResult, AuthInstance, AuthError, AuthContext, AuthConfig, AuthApi, AppConfig, AppBuilder, AccumulateProvides, AccessRules, AccessRule, AccessInstance, AccessConfig };
+import { AppBuilder, AppConfig } from "@vertz/core";
+import { DatabaseClient, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
+interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities"> {
+	/** Entity definitions created via entity() from @vertz/server */
+	entities?: EntityDefinition[];
+	/** Standalone action definitions created via action() from @vertz/server */
+	actions?: ActionDefinition[];
+	/**
+	* Database for entity CRUD operations.
+	* Accepts either:
+	* - A DatabaseClient from createDb() (recommended — auto-bridged per entity)
+	* - An EntityDbAdapter (deprecated — simple adapter with get/list/create/update/delete)
+	*/
+	db?: DatabaseClient<Record<string, ModelEntry2>> | EntityDbAdapter3;
+	/** @internal Factory to create a DB adapter for each entity. Prefer `db` instead. */
+	_entityDbFactory?: (entityDef: EntityDefinition) => EntityDbAdapter3;
+}
+/**
+* Creates an HTTP server with entity route generation.
+* Wraps @vertz/core's createServer to inject entity CRUD handlers.
+*/
+declare function createServer(config: ServerConfig): AppBuilder;
+import { EntityForbiddenError, Result as Result3 } from "@vertz/errors";
+/**
+* Evaluates an access rule for the given operation.
+* Returns err(EntityForbiddenError) if access is denied.
+*
+* Accepts BaseContext so both EntityContext and ActionContext can use it.
+*
+* - No rule defined → deny (deny by default)
+* - Rule is false → operation is disabled
+* - Rule is a function → evaluate and deny if returns false
+*/
+declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule>>, ctx: BaseContext, row?: Record<string, unknown>): Promise<Result3<void, EntityForbiddenError>>;
+import { ModelDef as ModelDef3 } from "@vertz/db";
+/**
+* Request info extracted from HTTP context / auth middleware.
+*/
+interface RequestInfo {
+	readonly userId?: string | null;
+	readonly tenantId?: string | null;
+	readonly roles?: readonly string[];
+}
+/**
+* Creates an EntityContext from request info, entity operations, and registry proxy.
+*/
+declare function createEntityContext<TModel extends ModelDef3 = ModelDef3>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
+import { ModelDef as ModelDef4 } from "@vertz/db";
+declare function entity<
+	TModel extends ModelDef4,
+	TInject extends Record<string, EntityDefinition> = {},
+	TActions extends Record<string, EntityActionDef<any, any, TModel["table"]["$response"], EntityContext<TModel, TInject>>> = {}
+>(name: string, config: EntityConfig<TModel, TActions, TInject>): EntityDefinition<TModel>;
+declare class EntityRegistry {
+	private readonly entries;
+	register(name: string, ops: EntityOperations): void;
+	get(name: string): EntityOperations;
+	has(name: string): boolean;
+	/** Create a Proxy for dot-access: proxy.users.get(id) */
+	createProxy(): Record<string, EntityOperations>;
+	/**
+	* Create a scoped Proxy limited to injected entities only.
+	* Accessing a non-injected entity throws at runtime.
+	*/
+	createScopedProxy(inject: Record<string, EntityDefinition>): Record<string, EntityOperations>;
+}
+interface EntityErrorResult {
+	status: number;
+	body: {
+		error: {
+			code: string;
+			message: string;
+			details?: unknown;
+		};
+	};
+}
+/**
+* Maps an error to a consistent EDA error response.
+* VertzExceptions are mapped to their status code + a readable error code.
+* EntityErrors from @vertz/errors are mapped by their error code.
+* Unknown errors produce a generic 500 response that never leaks internals.
+*/
+declare function entityErrorHandler(error: unknown): EntityErrorResult;
+import { TableDef as TableDef2 } from "@vertz/db";
+/**
+* Strips hidden columns from response data.
+* Used after DB reads to remove sensitive fields from API responses.
+*/
+declare function stripHiddenFields(table: TableDef2, data: Record<string, unknown>): Record<string, unknown>;
+/**
+* Strips readOnly and primary key columns from input data.
+* Used before DB writes to prevent setting immutable fields.
+*/
+declare function stripReadOnlyFields(table: TableDef2, data: Record<string, unknown>): Record<string, unknown>;
+import { EntityRouteEntry } from "@vertz/core";
+interface EntityRouteOptions {
+	apiPrefix?: string;
+}
+/**
+* Generates HTTP route entries for a single entity definition.
+*
+* Each entity produces up to 5 CRUD routes + N custom action routes.
+* Operations with no access rule are skipped (deny by default = no route).
+* Operations explicitly disabled (access: false) get a 405 handler.
+*/
+declare function generateEntityRoutes(def: EntityDefinition, registry: EntityRegistry, db: EntityDbAdapter2, options?: EntityRouteOptions): EntityRouteEntry[];
+export { vertz, verifyPassword, validatePassword, stripReadOnlyFields, stripHiddenFields, makeImmutable, hashPassword, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, defaultAccess, deepFreeze, createServer, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createAuth, createAccess, action, VertzException, ValidationException, UnauthorizedException, SignUpInput, SignInInput, SessionStrategy, SessionPayload, SessionConfig, Session, ServiceUnavailableException, ServerHandle, ServerConfig, ServerAdapter, Resource, RequestInfo, RawRequest, RateLimitResult, RateLimitConfig, PasswordRequirements, NotFoundException, NamedMiddlewareDef, MiddlewareDef, ListenOptions, ListResult, ListOptions2 as ListOptions, InternalServerErrorException, InferSchema, Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementDefinition, Entitlement, EmailPasswordConfig, Deps, DeepReadonly, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ConflictException, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthInstance, AuthContext, AuthConfig, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, ActionDefinition, ActionContext, ActionConfig, ActionActionDef, AccumulateProvides, AccessRule, AccessInstance, AccessConfig };