@vertz/server 0.2.11 → 0.2.13

package/dist/index.js

@@ -17,275 +17,2145 @@ import {
   vertz
 } from "@vertz/core";
 
-// src/action/action.ts
-import { deepFreeze } from "@vertz/core";
-var ACTION_NAME_PATTERN = /^[a-z][a-z0-9-]*$/;
-function action(name, config) {
-  if (!name || !ACTION_NAME_PATTERN.test(name)) {
-    throw new Error(`action() name must be a non-empty lowercase string matching /^[a-z][a-z0-9-]*$/. Got: "${name}"`);
-  }
-  if (!config.actions || Object.keys(config.actions).length === 0) {
-    throw new Error("action() requires at least one action in the actions config.");
-  }
-  const def = {
-    kind: "action",
-    name,
-    inject: config.inject ?? {},
-    access: config.access ?? {},
-    actions: config.actions
-  };
-  return deepFreeze(def);
-}
 // src/auth/index.ts
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import {
   createAuthRateLimitedError,
-  createAuthValidationError,
+  createAuthValidationError as createAuthValidationError2,
   createInvalidCredentialsError,
+  createMfaAlreadyEnabledError,
+  createMfaInvalidCodeError,
+  createMfaNotEnabledError,
+  createMfaRequiredError,
   createSessionExpiredError,
+  createSessionNotFoundError,
+  createTokenExpiredError,
+  createTokenInvalidError,
   createUserExistsError,
   err,
   ok
 } from "@vertz/errors";
-import bcrypt from "bcryptjs";
-import * as jose from "jose";
 
-// src/auth/access.ts
-class AuthorizationError extends Error {
-  entitlement;
-  userId;
-  constructor(message, entitlement, userId) {
-    super(message);
-    this.entitlement = entitlement;
-    this.userId = userId;
-    this.name = "AuthorizationError";
+// src/auth/billing-period.ts
+function calculateBillingPeriod(startedAt, per, now = new Date) {
+  if (per === "month") {
+    return calculateMonthlyPeriod(startedAt, now);
   }
+  const durationMs = per === "day" ? 24 * 60 * 60 * 1000 : 60 * 60 * 1000;
+  const elapsed = now.getTime() - startedAt.getTime();
+  const periodsElapsed = Math.floor(elapsed / durationMs);
+  const periodStart = new Date(startedAt.getTime() + periodsElapsed * durationMs);
+  const periodEnd = new Date(periodStart.getTime() + durationMs);
+  return { periodStart, periodEnd };
 }
-function createAccess(config) {
-  const { roles, entitlements } = config;
-  const roleEntitlements = new Map;
-  for (const [roleName, roleDef] of Object.entries(roles)) {
-    roleEntitlements.set(roleName, new Set(roleDef.entitlements));
+function calculateMonthlyPeriod(startedAt, now) {
+  if (now.getTime() < startedAt.getTime()) {
+    return { periodStart: new Date(startedAt), periodEnd: addMonths(startedAt, 1) };
   }
-  const entitlementRoles = new Map;
-  for (const [entName, entDef] of Object.entries(entitlements)) {
-    entitlementRoles.set(entName, new Set(entDef.roles));
+  let periodStart = new Date(startedAt);
+  const approxMonths = (now.getUTCFullYear() - startedAt.getUTCFullYear()) * 12 + (now.getUTCMonth() - startedAt.getUTCMonth());
+  if (approxMonths > 0) {
+    periodStart = addMonths(startedAt, approxMonths);
+    if (periodStart.getTime() > now.getTime()) {
+      periodStart = addMonths(startedAt, approxMonths - 1);
+    }
   }
-  function roleHasEntitlement(role, entitlement) {
-    const roleEnts = roleEntitlements.get(role);
-    if (!roleEnts)
-      return false;
-    if (roleEnts.has(entitlement))
-      return true;
-    const [resource, action2] = entitlement.split(":");
-    if (action2 && resource !== "*") {
-      const wildcard = `${resource}:*`;
-      if (roleEnts.has(wildcard))
-        return true;
+  const periodEnd = addMonths(startedAt, getMonthOffset(startedAt, periodStart) + 1);
+  return { periodStart, periodEnd };
+}
+function addMonths(base, months) {
+  const result = new Date(base);
+  const targetMonth = result.getUTCMonth() + months;
+  result.setUTCMonth(targetMonth);
+  const expectedMonth = ((base.getUTCMonth() + months) % 12 + 12) % 12;
+  if (result.getUTCMonth() !== expectedMonth) {
+    result.setUTCDate(0);
+  }
+  return result;
+}
+function getMonthOffset(base, target) {
+  return (target.getUTCFullYear() - base.getUTCFullYear()) * 12 + (target.getUTCMonth() - base.getUTCMonth());
+}
+
+// src/auth/plan-store.ts
+function resolveEffectivePlan(orgPlan, plans, defaultPlan = "free", now) {
+  if (!orgPlan)
+    return null;
+  if (orgPlan.expiresAt && orgPlan.expiresAt.getTime() < (now ?? Date.now())) {
+    return plans?.[defaultPlan] ? defaultPlan : null;
+  }
+  if (!plans?.[orgPlan.planId])
+    return null;
+  return orgPlan.planId;
+}
+
+class InMemoryPlanStore {
+  plans = new Map;
+  async assignPlan(orgId, planId, startedAt = new Date, expiresAt = null) {
+    this.plans.set(orgId, {
+      orgId,
+      planId,
+      startedAt,
+      expiresAt,
+      overrides: {}
+    });
+  }
+  async getPlan(orgId) {
+    return this.plans.get(orgId) ?? null;
+  }
+  async updateOverrides(orgId, overrides) {
+    const plan = this.plans.get(orgId);
+    if (!plan)
+      return;
+    plan.overrides = { ...plan.overrides, ...overrides };
+  }
+  async removePlan(orgId) {
+    this.plans.delete(orgId);
+  }
+  dispose() {
+    this.plans.clear();
+  }
+}
+
+// src/auth/access-set.ts
+async function computeAccessSet(config) {
+  const {
+    userId,
+    accessDef,
+    roleStore,
+    closureStore,
+    plan,
+    flagStore,
+    planStore,
+    walletStore,
+    orgId
+  } = config;
+  const entitlements = {};
+  let resolvedPlan = plan ?? null;
+  if (!userId) {
+    for (const name of Object.keys(accessDef.entitlements)) {
+      entitlements[name] = {
+        allowed: false,
+        reasons: ["not_authenticated"],
+        reason: "not_authenticated"
+      };
     }
+    return {
+      entitlements,
+      flags: {},
+      plan: plan ?? null,
+      computedAt: new Date().toISOString()
+    };
+  }
+  const assignments = await roleStore.getRolesForUser(userId);
+  const effectiveRolesByType = new Map;
+  for (const assignment of assignments) {
+    addRole(effectiveRolesByType, assignment.resourceType, assignment.role);
+    const descendants = await closureStore.getDescendants(assignment.resourceType, assignment.resourceId);
+    for (const desc of descendants) {
+      if (desc.depth === 0)
+        continue;
+      const inheritedRole = resolveInheritedRole(assignment.resourceType, assignment.role, desc.type, accessDef);
+      if (inheritedRole) {
+        addRole(effectiveRolesByType, desc.type, inheritedRole);
+      }
+    }
+  }
+  const allRoles = new Set;
+  for (const roles of effectiveRolesByType.values()) {
+    for (const role of roles) {
+      allRoles.add(role);
+    }
+  }
+  for (const [name, entDef] of Object.entries(accessDef.entitlements)) {
+    if (entDef.roles.length === 0) {
+      entitlements[name] = { allowed: true, reasons: [] };
+      continue;
+    }
+    const hasRequiredRole = entDef.roles.some((r) => allRoles.has(r));
+    if (hasRequiredRole) {
+      entitlements[name] = { allowed: true, reasons: [] };
+    } else {
+      entitlements[name] = {
+        allowed: false,
+        reasons: ["role_required"],
+        reason: "role_required",
+        meta: { requiredRoles: [...entDef.roles] }
+      };
+    }
+  }
+  const resolvedFlags = {};
+  if (flagStore && orgId) {
+    const orgFlags = flagStore.getFlags(orgId);
+    Object.assign(resolvedFlags, orgFlags);
+    for (const [name, entDef] of Object.entries(accessDef.entitlements)) {
+      if (entDef.flags?.length) {
+        const disabledFlags = [];
+        for (const flag of entDef.flags) {
+          if (!flagStore.getFlag(orgId, flag)) {
+            disabledFlags.push(flag);
+          }
+        }
+        if (disabledFlags.length > 0) {
+          const entry = entitlements[name];
+          const reasons = [...entry.reasons];
+          if (!reasons.includes("flag_disabled"))
+            reasons.push("flag_disabled");
+          entitlements[name] = {
+            ...entry,
+            allowed: false,
+            reasons,
+            reason: reasons[0],
+            meta: { ...entry.meta, disabledFlags }
+          };
+        }
+      }
+    }
+  }
+  if (planStore && orgId) {
+    const orgPlan = await planStore.getPlan(orgId);
+    if (orgPlan) {
+      const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+      resolvedPlan = effectivePlanId;
+      if (effectivePlanId) {
+        const planDef = accessDef.plans?.[effectivePlanId];
+        if (planDef) {
+          for (const [name, entDef] of Object.entries(accessDef.entitlements)) {
+            if (entDef.plans?.length && !planDef.entitlements.includes(name)) {
+              const entry = entitlements[name];
+              const reasons = [...entry.reasons];
+              if (!reasons.includes("plan_required"))
+                reasons.push("plan_required");
+              entitlements[name] = {
+                ...entry,
+                allowed: false,
+                reasons,
+                reason: reasons[0],
+                meta: { ...entry.meta, requiredPlans: [...entDef.plans] }
+              };
+            }
+            if (walletStore && planDef.limits?.[name]) {
+              const limitDef = planDef.limits[name];
+              const override = orgPlan.overrides[name];
+              const effectiveLimit = override ? Math.max(override.max, limitDef.max) : limitDef.max;
+              const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
+              const consumed = await walletStore.getConsumption(orgId, name, periodStart, periodEnd);
+              const remaining = Math.max(0, effectiveLimit - consumed);
+              const entry = entitlements[name];
+              if (consumed >= effectiveLimit) {
+                const reasons = [...entry.reasons];
+                if (!reasons.includes("limit_reached"))
+                  reasons.push("limit_reached");
+                entitlements[name] = {
+                  ...entry,
+                  allowed: false,
+                  reasons,
+                  reason: reasons[0],
+                  meta: {
+                    ...entry.meta,
+                    limit: { max: effectiveLimit, consumed, remaining }
+                  }
+                };
+              } else {
+                entitlements[name] = {
+                  ...entry,
+                  meta: {
+                    ...entry.meta,
+                    limit: { max: effectiveLimit, consumed, remaining }
+                  }
+                };
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  return {
+    entitlements,
+    flags: resolvedFlags,
+    plan: resolvedPlan,
+    computedAt: new Date().toISOString()
+  };
+}
+function encodeAccessSet(set) {
+  const entitlements = {};
+  for (const [name, check] of Object.entries(set.entitlements)) {
+    if (check.allowed) {
+      const entry = { allowed: true };
+      if (check.meta?.limit) {
+        entry.meta = { limit: { ...check.meta.limit } };
+      }
+      entitlements[name] = entry;
+    } else if (check.meta && Object.keys(check.meta).length > 0) {
+      const strippedMeta = { ...check.meta };
+      delete strippedMeta.requiredRoles;
+      delete strippedMeta.requiredPlans;
+      const hasRemainingMeta = Object.keys(strippedMeta).length > 0;
+      entitlements[name] = {
+        allowed: false,
+        ...check.reasons.length > 0 ? { reasons: [...check.reasons] } : {},
+        ...check.reason ? { reason: check.reason } : {},
+        ...hasRemainingMeta ? { meta: strippedMeta } : {}
+      };
+    }
+  }
+  return {
+    entitlements,
+    flags: { ...set.flags },
+    plan: set.plan,
+    computedAt: set.computedAt
+  };
+}
+function decodeAccessSet(encoded, accessDef) {
+  const entitlements = {};
+  for (const [name, check] of Object.entries(encoded.entitlements)) {
+    entitlements[name] = {
+      allowed: check.allowed,
+      reasons: check.reasons ?? [],
+      ...check.reason ? { reason: check.reason } : {},
+      ...check.meta ? { meta: check.meta } : {}
+    };
+  }
+  for (const name of Object.keys(accessDef.entitlements)) {
+    if (!(name in entitlements)) {
+      entitlements[name] = {
+        allowed: false,
+        reasons: ["role_required"],
+        reason: "role_required"
+      };
+    }
+  }
+  return {
+    entitlements,
+    flags: { ...encoded.flags },
+    plan: encoded.plan,
+    computedAt: encoded.computedAt
+  };
+}
+function addRole(map, resourceType, role) {
+  let roles = map.get(resourceType);
+  if (!roles) {
+    roles = new Set;
+    map.set(resourceType, roles);
+  }
+  roles.add(role);
+}
+function resolveInheritedRole(sourceType, sourceRole, targetType, accessDef) {
+  const hierarchy = accessDef.hierarchy;
+  const sourceIdx = hierarchy.indexOf(sourceType);
+  const targetIdx = hierarchy.indexOf(targetType);
+  if (sourceIdx === -1 || targetIdx === -1 || sourceIdx >= targetIdx)
+    return null;
+  let currentRole = sourceRole;
+  for (let i = sourceIdx;i < targetIdx; i++) {
+    const currentType = hierarchy[i];
+    const inheritanceMap = accessDef.inheritance[currentType];
+    if (!inheritanceMap || !(currentRole in inheritanceMap))
+      return null;
+    currentRole = inheritanceMap[currentRole];
+  }
+  return currentRole;
+}
+
+// src/auth/cookies.ts
+var DEFAULT_COOKIE_CONFIG = {
+  name: "vertz.sid",
+  httpOnly: true,
+  secure: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60
+};
+function buildSessionCookie(value, cookieConfig, clear = false) {
+  const name = cookieConfig.name || "vertz.sid";
+  const maxAge = cookieConfig.maxAge ?? 60;
+  const path = cookieConfig.path || "/";
+  const sameSite = cookieConfig.sameSite || "lax";
+  const secure = cookieConfig.secure ?? true;
+  if (clear) {
+    return `${name}=; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=0`;
+  }
+  return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=${maxAge}`;
+}
+function buildRefreshCookie(value, cookieConfig, refreshName, refreshMaxAge, clear = false) {
+  const name = refreshName;
+  const sameSite = cookieConfig.sameSite || "lax";
+  const secure = cookieConfig.secure ?? true;
+  const path = "/api/auth/refresh";
+  if (clear) {
+    return `${name}=; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=0`;
+  }
+  return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=${refreshMaxAge}`;
+}
+function buildMfaChallengeCookie(value, cookieConfig, clear = false) {
+  const name = "vertz.mfa";
+  const path = "/api/auth/mfa";
+  const sameSite = cookieConfig.sameSite || "lax";
+  const secure = cookieConfig.secure ?? true;
+  if (clear) {
+    return `${name}=; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=0`;
+  }
+  return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=300`;
+}
+function buildOAuthStateCookie(value, cookieConfig, clear = false) {
+  const name = "vertz.oauth";
+  const path = "/api/auth/oauth";
+  const sameSite = cookieConfig.sameSite || "lax";
+  const secure = cookieConfig.secure ?? true;
+  if (clear) {
+    return `${name}=; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=0`;
+  }
+  return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=300`;
+}
+
+// src/auth/crypto.ts
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length)
     return false;
+  const encoder = new TextEncoder;
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0;i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
   }
-  async function checkEntitlement(entitlement, user) {
-    if (!user)
-      return false;
-    const allowedRoles = entitlementRoles.get(entitlement);
-    if (!allowedRoles) {
-      return false;
+  return result === 0;
+}
+async function sha256Hex(input) {
+  const data = new TextEncoder().encode(input);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function toBase64Url(buffer) {
+  return btoa(String.fromCharCode(...buffer)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function fromBase64Url(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function deriveKey(passphrase) {
+  const keyMaterial = await crypto.subtle.importKey("raw", new TextEncoder().encode(passphrase), "HKDF", false, ["deriveKey"]);
+  return crypto.subtle.deriveKey({
+    name: "HKDF",
+    hash: "SHA-256",
+    salt: new TextEncoder().encode("vertz-oauth-state"),
+    info: new TextEncoder().encode("aes-256-gcm")
+  }, keyMaterial, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+}
+async function encrypt(plaintext, key) {
+  const aesKey = await deriveKey(key);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, aesKey, encoded);
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return toBase64Url(combined);
+}
+async function decrypt(ciphertext, key) {
+  try {
+    const aesKey = await deriveKey(key);
+    const combined = fromBase64Url(ciphertext);
+    const iv = combined.slice(0, 12);
+    const data = combined.slice(12);
+    const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, aesKey, data);
+    return new TextDecoder().decode(decrypted);
+  } catch {
+    return null;
+  }
+}
+function generateCodeVerifier() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  return toBase64Url(bytes);
+}
+async function generateCodeChallenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return toBase64Url(new Uint8Array(hash));
+}
+function generateNonce() {
+  const bytes = crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/auth/device-name.ts
+function parseDeviceName(userAgent) {
+  if (!userAgent)
+    return "Unknown device";
+  let browser = "";
+  if (/Edg\//.test(userAgent))
+    browser = "Edge";
+  else if (/Chrome\//.test(userAgent) && !/Chromium\//.test(userAgent))
+    browser = "Chrome";
+  else if (/Firefox\//.test(userAgent))
+    browser = "Firefox";
+  else if (/Safari\//.test(userAgent) && !/Chrome\//.test(userAgent))
+    browser = "Safari";
+  let os = "";
+  if (/iPhone/.test(userAgent))
+    os = "iPhone";
+  else if (/iPad/.test(userAgent))
+    os = "iPad";
+  else if (/Mac OS X/.test(userAgent))
+    os = "macOS";
+  else if (/Windows/.test(userAgent))
+    os = "Windows";
+  else if (/Linux/.test(userAgent))
+    os = "Linux";
+  else if (/Android/.test(userAgent))
+    os = "Android";
+  if (browser && os)
+    return `${browser} on ${os}`;
+  if (browser)
+    return browser;
+  if (os)
+    return os;
+  return "Unknown device";
+}
+
+// src/auth/email-verification-store.ts
+class InMemoryEmailVerificationStore {
+  byId = new Map;
+  byTokenHash = new Map;
+  byUserId = new Map;
+  async createVerification(data) {
+    const verification = {
+      id: crypto.randomUUID(),
+      userId: data.userId,
+      tokenHash: data.tokenHash,
+      expiresAt: data.expiresAt,
+      createdAt: new Date
+    };
+    this.byId.set(verification.id, verification);
+    this.byTokenHash.set(data.tokenHash, verification);
+    const userSet = this.byUserId.get(data.userId) ?? new Set;
+    userSet.add(verification.id);
+    this.byUserId.set(data.userId, userSet);
+    return verification;
+  }
+  async findByTokenHash(tokenHash) {
+    return this.byTokenHash.get(tokenHash) ?? null;
+  }
+  async deleteByUserId(userId) {
+    const ids = this.byUserId.get(userId);
+    if (ids) {
+      for (const id of ids) {
+        const verification = this.byId.get(id);
+        if (verification) {
+          this.byTokenHash.delete(verification.tokenHash);
+          this.byId.delete(id);
+        }
+      }
+      this.byUserId.delete(userId);
+    }
+  }
+  async deleteByTokenHash(tokenHash) {
+    const verification = this.byTokenHash.get(tokenHash);
+    if (verification) {
+      this.byTokenHash.delete(tokenHash);
+      this.byId.delete(verification.id);
+      const userSet = this.byUserId.get(verification.userId);
+      if (userSet) {
+        userSet.delete(verification.id);
+        if (userSet.size === 0) {
+          this.byUserId.delete(verification.userId);
+        }
+      }
+    }
+  }
+  dispose() {
+    this.byId.clear();
+    this.byTokenHash.clear();
+    this.byUserId.clear();
+  }
+}
+
+// src/auth/jwt.ts
+import * as jose from "jose";
+function parseDuration(duration) {
+  if (typeof duration === "number")
+    return duration;
+  const match = duration.match(/^(\d+)([smhd])$/);
+  if (!match) {
+    throw new Error(`Invalid duration: "${duration}". Expected format: <number><unit> where unit is s (seconds), m (minutes), h (hours), or d (days). Examples: "60s", "15m", "7d".`);
+  }
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+  const multipliers = { s: 1, m: 60, h: 3600, d: 86400 };
+  return value * multipliers[unit] * 1000;
+}
+async function createJWT(user, secret, ttl, algorithm, customClaims) {
+  const claims = customClaims ? customClaims(user) : {};
+  const jwt = await new jose.SignJWT({
+    sub: user.id,
+    email: user.email,
+    role: user.role,
+    ...claims
+  }).setProtectedHeader({ alg: algorithm }).setIssuedAt().setExpirationTime(`${Math.floor(ttl / 1000)}s`).sign(new TextEncoder().encode(secret));
+  return jwt;
+}
+async function verifyJWT(token, secret, algorithm) {
+  try {
+    const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret), {
+      algorithms: [algorithm]
+    });
+    if (typeof payload.sub !== "string" || typeof payload.email !== "string" || typeof payload.role !== "string" || typeof payload.jti !== "string" || typeof payload.sid !== "string") {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+// src/auth/mfa-store.ts
+class InMemoryMFAStore {
+  secrets = new Map;
+  backupCodes = new Map;
+  enabled = new Set;
+  async enableMfa(userId, encryptedSecret) {
+    this.secrets.set(userId, encryptedSecret);
+    this.enabled.add(userId);
+  }
+  async disableMfa(userId) {
+    this.secrets.delete(userId);
+    this.backupCodes.delete(userId);
+    this.enabled.delete(userId);
+  }
+  async getSecret(userId) {
+    return this.secrets.get(userId) ?? null;
+  }
+  async isMfaEnabled(userId) {
+    return this.enabled.has(userId);
+  }
+  async setBackupCodes(userId, hashedCodes) {
+    this.backupCodes.set(userId, [...hashedCodes]);
+  }
+  async getBackupCodes(userId) {
+    return this.backupCodes.get(userId) ?? [];
+  }
+  async consumeBackupCode(userId, hashedCode) {
+    const codes = this.backupCodes.get(userId);
+    if (codes) {
+      this.backupCodes.set(userId, codes.filter((c) => c !== hashedCode));
+    }
+  }
+  dispose() {
+    this.secrets.clear();
+    this.backupCodes.clear();
+    this.enabled.clear();
+  }
+}
+
+// src/auth/oauth-account-store.ts
+class InMemoryOAuthAccountStore {
+  byProviderAccount = new Map;
+  byUserId = new Map;
+  providerKey(provider, providerId) {
+    return `${provider}:${providerId}`;
+  }
+  async linkAccount(userId, provider, providerId, email) {
+    const link = { userId, provider, providerId, email };
+    this.byProviderAccount.set(this.providerKey(provider, providerId), link);
+    const userLinks = this.byUserId.get(userId) ?? [];
+    const exists = userLinks.some((l) => l.provider === provider && l.providerId === providerId);
+    if (!exists) {
+      userLinks.push(link);
+      this.byUserId.set(userId, userLinks);
+    }
+  }
+  async findByProviderAccount(provider, providerId) {
+    const link = this.byProviderAccount.get(this.providerKey(provider, providerId));
+    return link?.userId ?? null;
+  }
+  async findByUserId(userId) {
+    const links = this.byUserId.get(userId) ?? [];
+    return links.map(({ provider, providerId }) => ({ provider, providerId }));
+  }
+  async unlinkAccount(userId, provider) {
+    const userLinks = this.byUserId.get(userId) ?? [];
+    const linkToRemove = userLinks.find((l) => l.provider === provider);
+    if (linkToRemove) {
+      this.byProviderAccount.delete(this.providerKey(provider, linkToRemove.providerId));
+      this.byUserId.set(userId, userLinks.filter((l) => l.provider !== provider));
+    }
+  }
+  dispose() {
+    this.byProviderAccount.clear();
+    this.byUserId.clear();
+  }
+}
+
+// src/auth/password.ts
+import { createAuthValidationError } from "@vertz/errors";
+import bcrypt from "bcryptjs";
+var DEFAULT_PASSWORD_REQUIREMENTS = {
+  minLength: 8,
+  requireUppercase: false,
+  requireNumbers: false,
+  requireSymbols: false
+};
+var BCRYPT_ROUNDS = 12;
+async function hashPassword(password) {
+  return bcrypt.hash(password, BCRYPT_ROUNDS);
+}
+async function verifyPassword(password, hash) {
+  return bcrypt.compare(password, hash);
+}
+function validatePassword(password, requirements) {
+  const req = { ...DEFAULT_PASSWORD_REQUIREMENTS, ...requirements };
+  if (password.length < (req.minLength ?? 8)) {
+    return createAuthValidationError(`Password must be at least ${req.minLength} characters`, "password", "TOO_SHORT");
+  }
+  if (req.requireUppercase && !/[A-Z]/.test(password)) {
+    return createAuthValidationError("Password must contain at least one uppercase letter", "password", "NO_UPPERCASE");
+  }
+  if (req.requireNumbers && !/\d/.test(password)) {
+    return createAuthValidationError("Password must contain at least one number", "password", "NO_NUMBER");
+  }
+  if (req.requireSymbols && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+    return createAuthValidationError("Password must contain at least one symbol", "password", "NO_SYMBOL");
+  }
+  return null;
+}
+
+// src/auth/password-reset-store.ts
+class InMemoryPasswordResetStore {
+  byId = new Map;
+  byTokenHash = new Map;
+  byUserId = new Map;
+  async createReset(data) {
+    const reset = {
+      id: crypto.randomUUID(),
+      userId: data.userId,
+      tokenHash: data.tokenHash,
+      expiresAt: data.expiresAt,
+      createdAt: new Date
+    };
+    this.byId.set(reset.id, reset);
+    this.byTokenHash.set(data.tokenHash, reset);
+    const userSet = this.byUserId.get(data.userId) ?? new Set;
+    userSet.add(reset.id);
+    this.byUserId.set(data.userId, userSet);
+    return reset;
+  }
+  async findByTokenHash(tokenHash) {
+    return this.byTokenHash.get(tokenHash) ?? null;
+  }
+  async deleteByUserId(userId) {
+    const ids = this.byUserId.get(userId);
+    if (ids) {
+      for (const id of ids) {
+        const reset = this.byId.get(id);
+        if (reset) {
+          this.byTokenHash.delete(reset.tokenHash);
+          this.byId.delete(id);
+        }
+      }
+      this.byUserId.delete(userId);
+    }
+  }
+  dispose() {
+    this.byId.clear();
+    this.byTokenHash.clear();
+    this.byUserId.clear();
+  }
+}
+
+// src/auth/rate-limit-store.ts
+var CLEANUP_INTERVAL_MS = 60000;
+
+class InMemoryRateLimitStore {
+  store = new Map;
+  cleanupTimer;
+  constructor() {
+    this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL_MS);
+  }
+  async check(key, maxAttempts, windowMs) {
+    const now = new Date;
+    const entry = this.store.get(key);
+    if (!entry || entry.resetAt < now) {
+      const resetAt = new Date(now.getTime() + windowMs);
+      this.store.set(key, { count: 1, resetAt });
+      return { allowed: true, remaining: maxAttempts - 1, resetAt };
+    }
+    if (entry.count >= maxAttempts) {
+      return { allowed: false, remaining: 0, resetAt: entry.resetAt };
+    }
+    entry.count++;
+    return { allowed: true, remaining: maxAttempts - entry.count, resetAt: entry.resetAt };
+  }
+  dispose() {
+    clearInterval(this.cleanupTimer);
+  }
+  cleanup() {
+    const now = new Date;
+    for (const [key, entry] of this.store) {
+      if (entry.resetAt < now) {
+        this.store.delete(key);
+      }
+    }
+  }
+}
+
+// src/auth/session-store.ts
+var DEFAULT_MAX_SESSIONS_PER_USER = 50;
+var CLEANUP_INTERVAL_MS2 = 60000;
+
+class InMemorySessionStore {
+  sessions = new Map;
+  currentTokens = new Map;
+  cleanupTimer;
+  maxSessionsPerUser;
+  constructor(maxSessionsPerUser = DEFAULT_MAX_SESSIONS_PER_USER) {
+    this.maxSessionsPerUser = maxSessionsPerUser;
+    this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL_MS2);
+  }
+  async createSession(data) {
+    const activeSessions = await this.listActiveSessions(data.userId);
+    if (activeSessions.length >= this.maxSessionsPerUser) {
+      const sorted = activeSessions.sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
+      const toRevoke = sorted.slice(0, activeSessions.length - this.maxSessionsPerUser + 1);
+      for (const s of toRevoke) {
+        await this.revokeSession(s.id);
+      }
+    }
+    const now = new Date;
+    const session = {
+      id: crypto.randomUUID(),
+      userId: data.userId,
+      refreshTokenHash: data.refreshTokenHash,
+      previousRefreshHash: null,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      createdAt: now,
+      lastActiveAt: now,
+      expiresAt: data.expiresAt,
+      revokedAt: null
+    };
+    this.sessions.set(session.id, session);
+    return session;
+  }
+  async createSessionWithId(id, data) {
+    const activeSessions = await this.listActiveSessions(data.userId);
+    if (activeSessions.length >= this.maxSessionsPerUser) {
+      const sorted = activeSessions.sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
+      const toRevoke = sorted.slice(0, activeSessions.length - this.maxSessionsPerUser + 1);
+      for (const s of toRevoke) {
+        await this.revokeSession(s.id);
+      }
+    }
+    const now = new Date;
+    const session = {
+      id,
+      userId: data.userId,
+      refreshTokenHash: data.refreshTokenHash,
+      previousRefreshHash: null,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      createdAt: now,
+      lastActiveAt: now,
+      expiresAt: data.expiresAt,
+      revokedAt: null
+    };
+    this.sessions.set(session.id, session);
+    if (data.currentTokens) {
+      this.currentTokens.set(id, data.currentTokens);
+    }
+    return session;
+  }
+  async findByRefreshHash(hash) {
+    for (const session of this.sessions.values()) {
+      if (timingSafeEqual(session.refreshTokenHash, hash) && !session.revokedAt && session.expiresAt > new Date) {
+        return session;
+      }
+    }
+    return null;
+  }
+  async findByPreviousRefreshHash(hash) {
+    for (const session of this.sessions.values()) {
+      if (session.previousRefreshHash !== null && timingSafeEqual(session.previousRefreshHash, hash) && !session.revokedAt && session.expiresAt > new Date) {
+        return session;
+      }
+    }
+    return null;
+  }
+  async revokeSession(id) {
+    const session = this.sessions.get(id);
+    if (session) {
+      session.revokedAt = new Date;
+      this.currentTokens.delete(id);
+    }
+  }
+  async listActiveSessions(userId) {
+    const now = new Date;
+    const result = [];
+    for (const session of this.sessions.values()) {
+      if (session.userId === userId && !session.revokedAt && session.expiresAt > now) {
+        result.push(session);
+      }
+    }
+    return result;
+  }
+  async countActiveSessions(userId) {
+    const sessions = await this.listActiveSessions(userId);
+    return sessions.length;
+  }
+  async getCurrentTokens(sessionId) {
+    return this.currentTokens.get(sessionId) ?? null;
+  }
+  async updateSession(id, data) {
+    const session = this.sessions.get(id);
+    if (session) {
+      session.refreshTokenHash = data.refreshTokenHash;
+      session.previousRefreshHash = data.previousRefreshHash;
+      session.lastActiveAt = data.lastActiveAt;
+      if (data.currentTokens) {
+        this.currentTokens.set(id, data.currentTokens);
+      }
+    }
+  }
+  dispose() {
+    clearInterval(this.cleanupTimer);
+  }
+  cleanup() {
+    const now = new Date;
+    for (const [id, session] of this.sessions) {
+      if (session.expiresAt < now || session.revokedAt) {
+        this.sessions.delete(id);
+        this.currentTokens.delete(id);
+      }
+    }
+  }
+}
+
+// src/auth/totp.ts
+import { timingSafeEqual as cryptoTimingSafeEqual } from "node:crypto";
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function base32Encode(buffer) {
+  let bits = 0;
+  let value = 0;
+  let result = "";
+  for (let i = 0;i < buffer.length; i++) {
+    value = value << 8 | buffer[i];
+    bits += 8;
+    while (bits >= 5) {
+      result += BASE32_ALPHABET[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += BASE32_ALPHABET[value << 5 - bits & 31];
+  }
+  return result;
+}
+function base32Decode(encoded) {
+  const str = encoded.replace(/=+$/, "").toUpperCase();
+  const output = [];
+  let bits = 0;
+  let value = 0;
+  for (let i = 0;i < str.length; i++) {
+    const idx = BASE32_ALPHABET.indexOf(str[i]);
+    if (idx === -1)
+      continue;
+    value = value << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      output.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return new Uint8Array(output);
+}
+var TOTP_PERIOD = 30;
+var TOTP_DIGITS = 6;
+function generateTotpSecret() {
+  const bytes = crypto.getRandomValues(new Uint8Array(20));
+  return base32Encode(bytes);
+}
+async function verifyTotpCode(secret, code, timestamp, drift = 1) {
+  const time = timestamp ?? Date.now();
+  const counter = Math.floor(time / 1000 / TOTP_PERIOD);
+  for (let i = -drift;i <= drift; i++) {
+    const expected = await hmacOtp(secret, counter + i);
+    if (timingSafeEqual2(code, expected)) {
+      return true;
+    }
+  }
+  return false;
+}
+function generateTotpUri(secret, email, issuer) {
+  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(email)}`;
+  const params = new URLSearchParams({
+    secret,
+    issuer,
+    algorithm: "SHA1",
+    digits: String(TOTP_DIGITS),
+    period: String(TOTP_PERIOD)
+  });
+  return `otpauth://totp/${label}?${params.toString()}`;
+}
+var BACKUP_CODE_LENGTH = 8;
+var BACKUP_CODE_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789";
+function generateBackupCodes(count = 10) {
+  const codes = [];
+  const seen = new Set;
+  while (codes.length < count) {
+    const bytes = crypto.getRandomValues(new Uint8Array(BACKUP_CODE_LENGTH));
+    let code = "";
+    for (let i = 0;i < BACKUP_CODE_LENGTH; i++) {
+      code += BACKUP_CODE_CHARS[bytes[i] % BACKUP_CODE_CHARS.length];
+    }
+    if (!seen.has(code)) {
+      seen.add(code);
+      codes.push(code);
+    }
+  }
+  return codes;
+}
+async function hashBackupCode(code) {
+  return hashPassword(code);
+}
+async function verifyBackupCode(code, hash) {
+  return verifyPassword(code, hash);
+}
+async function hmacOtp(secret, counter) {
+  const keyBytes = base32Decode(secret);
+  const key = await crypto.subtle.importKey("raw", keyBytes.buffer, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
+  const counterBuffer = new ArrayBuffer(8);
+  const view = new DataView(counterBuffer);
+  view.setUint32(4, counter, false);
+  const hmac = await crypto.subtle.sign("HMAC", key, counterBuffer);
+  const hmacBytes = new Uint8Array(hmac);
+  const offset = hmacBytes[hmacBytes.length - 1] & 15;
+  const binary = (hmacBytes[offset] & 127) << 24 | (hmacBytes[offset + 1] & 255) << 16 | (hmacBytes[offset + 2] & 255) << 8 | hmacBytes[offset + 3] & 255;
+  const otp = binary % 10 ** TOTP_DIGITS;
+  return otp.toString().padStart(TOTP_DIGITS, "0");
+}
+function timingSafeEqual2(a, b) {
+  const maxLen = Math.max(a.length, b.length);
+  const bufA = Buffer.alloc(maxLen);
+  const bufB = Buffer.alloc(maxLen);
+  bufA.write(a);
+  bufB.write(b);
+  const equal = cryptoTimingSafeEqual(bufA, bufB);
+  return equal && a.length === b.length;
+}
+
+// src/auth/user-store.ts
+class InMemoryUserStore {
+  byEmail = new Map;
+  byId = new Map;
+  async createUser(user, passwordHash) {
+    this.byEmail.set(user.email.toLowerCase(), { user, passwordHash });
+    this.byId.set(user.id, user);
+  }
+  async findByEmail(email) {
+    return this.byEmail.get(email.toLowerCase()) ?? null;
+  }
+  async findById(id) {
+    return this.byId.get(id) ?? null;
+  }
+  async updatePasswordHash(userId, passwordHash) {
+    const user = this.byId.get(userId);
+    if (user) {
+      const entry = this.byEmail.get(user.email.toLowerCase());
+      if (entry) {
+        entry.passwordHash = passwordHash;
+      }
+    }
+  }
+  async updateEmailVerified(userId, verified) {
+    const user = this.byId.get(userId);
+    if (user) {
+      user.emailVerified = verified;
+    }
+  }
+}
+// src/auth/access.ts
+class AuthorizationError extends Error {
+  entitlement;
+  userId;
+  constructor(message, entitlement, userId) {
+    super(message);
+    this.entitlement = entitlement;
+    this.userId = userId;
+    this.name = "AuthorizationError";
+  }
+}
+function createAccess(config) {
+  const { roles, entitlements } = config;
+  const roleEntitlements = new Map;
+  for (const [roleName, roleDef] of Object.entries(roles)) {
+    roleEntitlements.set(roleName, new Set(roleDef.entitlements));
+  }
+  const entitlementRoles = new Map;
+  for (const [entName, entDef] of Object.entries(entitlements)) {
+    entitlementRoles.set(entName, new Set(entDef.roles));
+  }
+  function roleHasEntitlement(role, entitlement) {
+    const roleEnts = roleEntitlements.get(role);
+    if (!roleEnts)
+      return false;
+    if (roleEnts.has(entitlement))
+      return true;
+    const [resource, action] = entitlement.split(":");
+    if (action && resource !== "*") {
+      const wildcard = `${resource}:*`;
+      if (roleEnts.has(wildcard))
+        return true;
+    }
+    return false;
+  }
+  async function checkEntitlement(entitlement, user) {
+    if (!user)
+      return false;
+    const allowedRoles = entitlementRoles.get(entitlement);
+    if (!allowedRoles) {
+      return false;
+    }
+    return allowedRoles.has(user.role) || roleHasEntitlement(user.role, entitlement);
+  }
+  async function can(entitlement, user) {
+    return checkEntitlement(entitlement, user);
+  }
+  async function canWithResource(entitlement, resource, user) {
+    const hasEntitlement = await checkEntitlement(entitlement, user);
+    if (!hasEntitlement)
+      return false;
+    if (resource.ownerId != null && resource.ownerId !== "" && resource.ownerId !== user?.id) {
+      return false;
+    }
+    return true;
+  }
+  async function authorize(entitlement, user) {
+    const allowed = await can(entitlement, user);
+    if (!allowed) {
+      throw new AuthorizationError(`Not authorized to perform this action: ${entitlement}`, entitlement, user?.id);
+    }
+  }
+  async function authorizeWithResource(entitlement, resource, user) {
+    const allowed = await canWithResource(entitlement, resource, user);
+    if (!allowed) {
+      throw new AuthorizationError(`Not authorized to perform this action on this resource: ${entitlement}`, entitlement, user?.id);
+    }
+  }
+  async function canAll(checks, user) {
+    const results = new Map;
+    for (const { entitlement, resource } of checks) {
+      const key = resource ? `${entitlement}:${resource.id}` : entitlement;
+      const allowed = resource ? await canWithResource(entitlement, resource, user) : await can(entitlement, user);
+      results.set(key, allowed);
+    }
+    return results;
+  }
+  function getEntitlementsForRole(role) {
+    const roleEnts = roleEntitlements.get(role);
+    return roleEnts ? Array.from(roleEnts) : [];
+  }
+  function createMiddleware() {
+    return async (ctx, next) => {
+      ctx.can = async (entitlement, resource) => {
+        if (resource) {
+          return canWithResource(entitlement, resource, ctx.user ?? null);
+        }
+        return can(entitlement, ctx.user ?? null);
+      };
+      ctx.authorize = async (entitlement, resource) => {
+        if (resource) {
+          return authorizeWithResource(entitlement, resource, ctx.user ?? null);
+        }
+        return authorize(entitlement, ctx.user ?? null);
+      };
+      await next();
+    };
+  }
+  return {
+    can,
+    canWithResource,
+    authorize,
+    authorizeWithResource,
+    canAll,
+    getEntitlementsForRole,
+    middleware: createMiddleware
+  };
+}
+var defaultAccess = createAccess({
+  roles: {
+    user: { entitlements: ["read", "create"] },
+    editor: { entitlements: ["read", "create", "update"] },
+    admin: { entitlements: ["read", "create", "update", "delete"] }
+  },
+  entitlements: {
+    "user:read": { roles: ["user", "editor", "admin"] },
+    "user:create": { roles: ["user", "editor", "admin"] },
+    "user:update": { roles: ["editor", "admin"] },
+    "user:delete": { roles: ["admin"] },
+    read: { roles: ["user", "editor", "admin"] },
+    create: { roles: ["user", "editor", "admin"] },
+    update: { roles: ["editor", "admin"] },
+    delete: { roles: ["admin"] }
+  }
+});
+// src/auth/access-context.ts
+var MAX_BULK_CHECKS = 100;
+function createAccessContext(config) {
+  const {
+    userId,
+    accessDef,
+    closureStore,
+    roleStore,
+    flagStore,
+    planStore,
+    walletStore,
+    orgResolver
+  } = config;
+  async function checkLayers1to4(entitlement, resource, resolvedOrgId) {
+    if (!userId)
+      return false;
+    const entDef = accessDef.entitlements[entitlement];
+    if (!entDef)
+      return false;
+    if (entDef.flags?.length && flagStore && orgResolver) {
+      if (!resolvedOrgId)
+        return false;
+      for (const flag of entDef.flags) {
+        if (!flagStore.getFlag(resolvedOrgId, flag)) {
+          return false;
+        }
+      }
+    }
+    if (entDef.roles.length > 0 && resource) {
+      const effectiveRole = await roleStore.getEffectiveRole(userId, resource.type, resource.id, accessDef, closureStore);
+      if (!effectiveRole || !entDef.roles.includes(effectiveRole)) {
+        return false;
+      }
+    } else if (entDef.roles.length > 0 && !resource) {
+      return false;
+    }
+    if (entDef.plans?.length && planStore && orgResolver) {
+      if (!resolvedOrgId)
+        return false;
+      const orgPlan = await planStore.getPlan(resolvedOrgId);
+      const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+      if (!effectivePlanId)
+        return false;
+      const planDef = accessDef.plans?.[effectivePlanId];
+      if (!planDef || !planDef.entitlements.includes(entitlement)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  async function can(entitlement, resource) {
+    const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
+    if (!await checkLayers1to4(entitlement, resource, resolvedOrgId))
+      return false;
+    const entDef = accessDef.entitlements[entitlement];
+    if (entDef?.plans?.length && walletStore && planStore && resolvedOrgId) {
+      const walletState = await resolveWalletStateFromOrgId(entitlement, resolvedOrgId, accessDef, planStore, walletStore);
+      if (walletState && walletState.consumed >= walletState.limit) {
+        return false;
+      }
+    }
+    return true;
+  }
+  async function check(entitlement, resource) {
+    const reasons = [];
+    const meta = {};
+    if (!userId) {
+      return {
+        allowed: false,
+        reasons: ["not_authenticated"],
+        reason: "not_authenticated"
+      };
+    }
+    const entDef = accessDef.entitlements[entitlement];
+    if (!entDef) {
+      return {
+        allowed: false,
+        reasons: ["role_required"],
+        reason: "role_required"
+      };
+    }
+    const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
+    if (entDef.flags?.length && flagStore && orgResolver) {
+      if (resolvedOrgId) {
+        const disabledFlags = [];
+        for (const flag of entDef.flags) {
+          if (!flagStore.getFlag(resolvedOrgId, flag)) {
+            disabledFlags.push(flag);
+          }
+        }
+        if (disabledFlags.length > 0) {
+          reasons.push("flag_disabled");
+          meta.disabledFlags = disabledFlags;
+        }
+      } else {
+        reasons.push("flag_disabled");
+        meta.disabledFlags = [...entDef.flags];
+      }
+    }
+    if (entDef.roles.length > 0) {
+      let hasRole = false;
+      if (resource) {
+        const effectiveRole = await roleStore.getEffectiveRole(userId, resource.type, resource.id, accessDef, closureStore);
+        hasRole = !!effectiveRole && entDef.roles.includes(effectiveRole);
+      }
+      if (!hasRole) {
+        reasons.push("role_required");
+        meta.requiredRoles = [...entDef.roles];
+      }
+    }
+    if (entDef.plans?.length && planStore && orgResolver) {
+      let planDenied = false;
+      if (!resolvedOrgId) {
+        planDenied = true;
+      } else {
+        const orgPlan = await planStore.getPlan(resolvedOrgId);
+        const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+        if (!effectivePlanId) {
+          planDenied = true;
+        } else {
+          const planDef = accessDef.plans?.[effectivePlanId];
+          if (!planDef || !planDef.entitlements.includes(entitlement)) {
+            planDenied = true;
+          }
+        }
+      }
+      if (planDenied) {
+        reasons.push("plan_required");
+        meta.requiredPlans = [...entDef.plans];
+      }
+    }
+    if (entDef.plans?.length && walletStore && planStore && resolvedOrgId) {
+      const walletState = await resolveWalletStateFromOrgId(entitlement, resolvedOrgId, accessDef, planStore, walletStore);
+      if (walletState) {
+        meta.limit = {
+          max: walletState.limit,
+          consumed: walletState.consumed,
+          remaining: Math.max(0, walletState.limit - walletState.consumed)
+        };
+        if (walletState.consumed >= walletState.limit) {
+          reasons.push("limit_reached");
+        }
+      }
+    }
+    const orderedReasons = orderDenialReasons(reasons);
+    return {
+      allowed: orderedReasons.length === 0,
+      reasons: orderedReasons,
+      reason: orderedReasons[0],
+      meta: Object.keys(meta).length > 0 ? meta : undefined
+    };
+  }
+  async function authorize(entitlement, resource) {
+    const result = await can(entitlement, resource);
+    if (!result) {
+      throw new AuthorizationError(`Not authorized: ${entitlement}`, entitlement, userId ?? undefined);
+    }
+  }
+  async function canAll(checks) {
+    if (checks.length > MAX_BULK_CHECKS) {
+      throw new Error(`canAll() is limited to ${MAX_BULK_CHECKS} checks per call`);
+    }
+    const results = new Map;
+    for (const { entitlement, resource } of checks) {
+      const key = resource ? `${entitlement}:${resource.id}` : entitlement;
+      const allowed = await can(entitlement, resource);
+      results.set(key, allowed);
+    }
+    return results;
+  }
+  async function canAndConsume(entitlement, resource, amount = 1) {
+    const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
+    if (!await checkLayers1to4(entitlement, resource, resolvedOrgId))
+      return false;
+    if (!walletStore || !planStore || !orgResolver)
+      return true;
+    const entDef = accessDef.entitlements[entitlement];
+    if (!entDef?.plans?.length)
+      return true;
+    if (!resolvedOrgId)
+      return false;
+    const orgPlan = await planStore.getPlan(resolvedOrgId);
+    if (!orgPlan)
+      return false;
+    const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+    if (!effectivePlanId)
+      return false;
+    const planDef = accessDef.plans?.[effectivePlanId];
+    if (!planDef)
+      return false;
+    const limitDef = planDef.limits?.[entitlement];
+    if (!limitDef)
+      return true;
+    const effectiveLimit = resolveEffectiveLimit(orgPlan, entitlement, limitDef);
+    const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
+    const result = await walletStore.consume(resolvedOrgId, entitlement, periodStart, periodEnd, effectiveLimit, amount);
+    return result.success;
+  }
+  async function unconsume(entitlement, resource, amount = 1) {
+    if (!walletStore || !planStore || !orgResolver)
+      return;
+    const entDef = accessDef.entitlements[entitlement];
+    if (!entDef?.plans?.length)
+      return;
+    const orgId = await orgResolver(resource);
+    if (!orgId)
+      return;
+    const orgPlan = await planStore.getPlan(orgId);
+    if (!orgPlan)
+      return;
+    const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+    if (!effectivePlanId)
+      return;
+    const planDef = accessDef.plans?.[effectivePlanId];
+    const limitDef = planDef?.limits?.[entitlement];
+    if (!limitDef)
+      return;
+    const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
+    await walletStore.unconsume(orgId, entitlement, periodStart, periodEnd, amount);
+  }
+  return { can, check, authorize, canAll, canAndConsume, unconsume };
+}
+var DENIAL_ORDER = [
+  "plan_required",
+  "role_required",
+  "limit_reached",
+  "flag_disabled",
+  "hierarchy_denied",
+  "step_up_required",
+  "not_authenticated"
+];
+function orderDenialReasons(reasons) {
+  return [...reasons].sort((a, b) => DENIAL_ORDER.indexOf(a) - DENIAL_ORDER.indexOf(b));
+}
+async function resolveWalletStateFromOrgId(entitlement, orgId, accessDef, planStore, walletStore) {
+  const orgPlan = await planStore.getPlan(orgId);
+  const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+  if (!effectivePlanId || !orgPlan)
+    return null;
+  const planDef = accessDef.plans?.[effectivePlanId];
+  const limitDef = planDef?.limits?.[entitlement];
+  if (!limitDef)
+    return null;
+  const effectiveLimit = resolveEffectiveLimit(orgPlan, entitlement, limitDef);
+  const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
+  const consumed = await walletStore.getConsumption(orgId, entitlement, periodStart, periodEnd);
+  return { limit: effectiveLimit, consumed };
+}
+function resolveEffectiveLimit(orgPlan, entitlement, planLimit) {
+  const override = orgPlan.overrides[entitlement];
+  if (!override)
+    return planLimit.max;
+  return Math.max(override.max, planLimit.max);
+}
+// src/auth/access-event-broadcaster.ts
+function createAccessEventBroadcaster(config) {
+  const {
+    jwtSecret,
+    jwtAlgorithm = "HS256",
+    path = "/api/auth/access-events",
+    cookieName = "vertz.sid"
+  } = config;
+  const connectionsByOrg = new Map;
+  const connectionsByUser = new Map;
+  let connectionCount = 0;
+  const allConnections = new Set;
+  const PING_INTERVAL_MS = 30000;
+  const pingTimer = setInterval(() => {
+    for (const ws of allConnections) {
+      try {
+        ws.ping();
+      } catch {}
+    }
+  }, PING_INTERVAL_MS);
+  if (typeof pingTimer === "object" && "unref" in pingTimer) {
+    pingTimer.unref();
+  }
+  function addConnection(ws) {
+    const { orgId, userId } = ws.data;
+    let orgSet = connectionsByOrg.get(orgId);
+    if (!orgSet) {
+      orgSet = new Set;
+      connectionsByOrg.set(orgId, orgSet);
+    }
+    orgSet.add(ws);
+    let userSet = connectionsByUser.get(userId);
+    if (!userSet) {
+      userSet = new Set;
+      connectionsByUser.set(userId, userSet);
+    }
+    userSet.add(ws);
+    allConnections.add(ws);
+    connectionCount++;
+  }
+  function removeConnection(ws) {
+    const { orgId, userId } = ws.data;
+    const orgSet = connectionsByOrg.get(orgId);
+    if (orgSet) {
+      orgSet.delete(ws);
+      if (orgSet.size === 0)
+        connectionsByOrg.delete(orgId);
+    }
+    const userSet = connectionsByUser.get(userId);
+    if (userSet) {
+      userSet.delete(ws);
+      if (userSet.size === 0)
+        connectionsByUser.delete(userId);
+    }
+    allConnections.delete(ws);
+    connectionCount--;
+  }
+  function broadcastToOrg(orgId, message) {
+    const orgSet = connectionsByOrg.get(orgId);
+    if (!orgSet)
+      return;
+    for (const ws of orgSet) {
+      ws.send(message);
+    }
+  }
+  function broadcastToUser(userId, message) {
+    const userSet = connectionsByUser.get(userId);
+    if (!userSet)
+      return;
+    for (const ws of userSet) {
+      ws.send(message);
+    }
+  }
+  function parseCookie(request) {
+    const cookieHeader = request.headers.get("cookie");
+    if (!cookieHeader)
+      return null;
+    const cookies = cookieHeader.split(";").map((c) => c.trim());
+    for (const cookie of cookies) {
+      const [name, ...rest] = cookie.split("=");
+      if (name === cookieName) {
+        return rest.join("=");
+      }
+    }
+    return null;
+  }
+  async function handleUpgrade(request, server) {
+    const url = new URL(request.url);
+    if (url.pathname !== path)
+      return false;
+    const token = parseCookie(request);
+    if (!token)
+      return false;
+    try {
+      const payload = await verifyJWT(token, jwtSecret, jwtAlgorithm);
+      if (!payload || !payload.sub)
+        return false;
+      const claims = payload.claims;
+      const orgId = claims?.orgId ?? "";
+      return server.upgrade(request, {
+        data: {
+          userId: payload.sub,
+          orgId
+        }
+      });
+    } catch {
+      return false;
+    }
+  }
+  const websocket = {
+    open(ws) {
+      addConnection(ws);
+    },
+    message(_ws, msg) {
+      const msgStr = typeof msg === "string" ? msg : msg.toString();
+      if (msgStr === "pong") {
+        return;
+      }
+    },
+    close(ws) {
+      removeConnection(ws);
+    }
+  };
+  function broadcastFlagToggle(orgId, flag, enabled) {
+    const event = { type: "access:flag_toggled", orgId, flag, enabled };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  function broadcastLimitUpdate(orgId, entitlement, consumed, remaining, max) {
+    const event = {
+      type: "access:limit_updated",
+      orgId,
+      entitlement,
+      consumed,
+      remaining,
+      max
+    };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  function broadcastRoleChange(userId) {
+    const event = { type: "access:role_changed", userId };
+    broadcastToUser(userId, JSON.stringify(event));
+  }
+  function broadcastPlanChange(orgId) {
+    const event = { type: "access:plan_changed", orgId };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  return {
+    handleUpgrade,
+    websocket,
+    broadcastFlagToggle,
+    broadcastLimitUpdate,
+    broadcastRoleChange,
+    broadcastPlanChange,
+    get getConnectionCount() {
+      return connectionCount;
+    }
+  };
+}
+// src/auth/closure-store.ts
+var MAX_DEPTH = 4;
+
+class InMemoryClosureStore {
+  rows = [];
+  async addResource(type, id, parent) {
+    this.rows.push({
+      ancestorType: type,
+      ancestorId: id,
+      descendantType: type,
+      descendantId: id,
+      depth: 0
+    });
+    if (parent) {
+      const parentAncestors = await this.getAncestors(parent.parentType, parent.parentId);
+      const maxParentDepth = Math.max(...parentAncestors.map((a) => a.depth), 0);
+      if (maxParentDepth + 1 >= MAX_DEPTH) {
+        this.rows.pop();
+        throw new Error("Hierarchy depth exceeds maximum of 4 levels");
+      }
+      for (const ancestor of parentAncestors) {
+        this.rows.push({
+          ancestorType: ancestor.type,
+          ancestorId: ancestor.id,
+          descendantType: type,
+          descendantId: id,
+          depth: ancestor.depth + 1
+        });
+      }
+    }
+  }
+  async removeResource(type, id) {
+    const descendants = await this.getDescendants(type, id);
+    const descendantKeys = new Set(descendants.map((d) => `${d.type}:${d.id}`));
+    this.rows = this.rows.filter((row) => {
+      const ancestorKey = `${row.ancestorType}:${row.ancestorId}`;
+      const descendantKey = `${row.descendantType}:${row.descendantId}`;
+      return !descendantKeys.has(ancestorKey) && !descendantKeys.has(descendantKey);
+    });
+  }
+  async getAncestors(type, id) {
+    return this.rows.filter((row) => row.descendantType === type && row.descendantId === id).map((row) => ({
+      type: row.ancestorType,
+      id: row.ancestorId,
+      depth: row.depth
+    }));
+  }
+  async getDescendants(type, id) {
+    return this.rows.filter((row) => row.ancestorType === type && row.ancestorId === id).map((row) => ({
+      type: row.descendantType,
+      id: row.descendantId,
+      depth: row.depth
+    }));
+  }
+  async hasPath(ancestorType, ancestorId, descendantType, descendantId) {
+    return this.rows.some((row) => row.ancestorType === ancestorType && row.ancestorId === ancestorId && row.descendantType === descendantType && row.descendantId === descendantId);
+  }
+  dispose() {
+    this.rows = [];
+  }
+}
+// src/auth/define-access.ts
+function defineAccess(input) {
+  if (input.hierarchy.length === 0) {
+    throw new Error("Hierarchy must have at least one resource type");
+  }
+  if (input.hierarchy.length > 4) {
+    throw new Error("Hierarchy depth must not exceed 4 levels");
+  }
+  const hierarchySet = new Set(input.hierarchy);
+  for (const resourceType of Object.keys(input.roles)) {
+    if (!hierarchySet.has(resourceType)) {
+      throw new Error(`Roles reference unknown resource type: ${resourceType}`);
+    }
+  }
+  const inheritance = input.inheritance ?? {};
+  for (const [resourceType, mapping] of Object.entries(inheritance)) {
+    if (!hierarchySet.has(resourceType)) {
+      throw new Error(`Inheritance references unknown resource type: ${resourceType}`);
+    }
+    const parentRoles = new Set(input.roles[resourceType] ?? []);
+    const hierarchyIdx = input.hierarchy.indexOf(resourceType);
+    const childType = input.hierarchy[hierarchyIdx + 1];
+    const childRoles = childType ? new Set(input.roles[childType] ?? []) : new Set;
+    for (const [parentRole, childRole] of Object.entries(mapping)) {
+      if (!parentRoles.has(parentRole)) {
+        throw new Error(`Inheritance for ${resourceType} references undefined role: ${parentRole}`);
+      }
+      if (!childRoles.has(childRole)) {
+        throw new Error(`Inheritance for ${resourceType} maps to undefined child role: ${childRole}`);
+      }
+    }
+  }
+  const planNameSet = new Set(Object.keys(input.plans ?? {}));
+  for (const [entName, entDef] of Object.entries(input.entitlements)) {
+    if (entDef.plans) {
+      for (const planRef of entDef.plans) {
+        if (!planNameSet.has(planRef)) {
+          throw new Error(`Entitlement "${entName}" references unknown plan: ${planRef}`);
+        }
+      }
+    }
+  }
+  const entitlementSet = new Set(Object.keys(input.entitlements));
+  if (input.plans) {
+    for (const [planName, planDef] of Object.entries(input.plans)) {
+      const planEntitlementSet = new Set(planDef.entitlements);
+      for (const ent of planDef.entitlements) {
+        if (!entitlementSet.has(ent)) {
+          throw new Error(`Plan "${planName}" references unknown entitlement: ${ent}`);
+        }
+      }
+      if (planDef.limits) {
+        for (const limitKey of Object.keys(planDef.limits)) {
+          if (!planEntitlementSet.has(limitKey)) {
+            throw new Error(`Plan "${planName}" has limit for "${limitKey}" which is not in the plan's entitlements`);
+          }
+        }
+      }
+    }
+  }
+  const config = {
+    hierarchy: Object.freeze([...input.hierarchy]),
+    roles: Object.freeze(Object.fromEntries(Object.entries(input.roles).map(([k, v]) => [k, Object.freeze([...v])]))),
+    inheritance: Object.freeze(Object.fromEntries(Object.entries(input.inheritance ?? {}).map(([k, v]) => [k, Object.freeze({ ...v })]))),
+    entitlements: Object.freeze(Object.fromEntries(Object.entries(input.entitlements).map(([k, v]) => [k, Object.freeze({ ...v })]))),
+    ...input.defaultPlan ? { defaultPlan: input.defaultPlan } : {},
+    ...input.plans ? {
+      plans: Object.freeze(Object.fromEntries(Object.entries(input.plans).map(([planName, planDef]) => [
+        planName,
+        Object.freeze({
+          entitlements: Object.freeze([...planDef.entitlements]),
+          ...planDef.limits ? {
+            limits: Object.freeze(Object.fromEntries(Object.entries(planDef.limits).map(([k, v]) => [
+              k,
+              Object.freeze({ ...v })
+            ])))
+          } : {}
+        })
+      ])))
+    } : {}
+  };
+  return Object.freeze(config);
+}
+// src/auth/entity-access.ts
+async function computeEntityAccess(entitlements, entity, accessContext) {
+  const results = {};
+  for (const entitlement of entitlements) {
+    results[entitlement] = await accessContext.check(entitlement, {
+      type: entity.type,
+      id: entity.id
+    });
+  }
+  return results;
+}
+// src/auth/flag-store.ts
+class InMemoryFlagStore {
+  flags = new Map;
+  setFlag(orgId, flag, enabled) {
+    let orgFlags = this.flags.get(orgId);
+    if (!orgFlags) {
+      orgFlags = new Map;
+      this.flags.set(orgId, orgFlags);
+    }
+    orgFlags.set(flag, enabled);
+  }
+  getFlag(orgId, flag) {
+    return this.flags.get(orgId)?.get(flag) ?? false;
+  }
+  getFlags(orgId) {
+    const orgFlags = this.flags.get(orgId);
+    if (!orgFlags)
+      return {};
+    const result = {};
+    for (const [key, value] of orgFlags) {
+      result[key] = value;
+    }
+    return result;
+  }
+}
+// src/auth/fva.ts
+function checkFva(payload, maxAgeSeconds) {
+  if (payload.fva === undefined)
+    return false;
+  const now = Math.floor(Date.now() / 1000);
+  return now - payload.fva < maxAgeSeconds;
+}
+// src/auth/providers/discord.ts
+var AUTHORIZATION_URL = "https://discord.com/api/oauth2/authorize";
+var TOKEN_URL = "https://discord.com/api/oauth2/token";
+var USER_URL = "https://discord.com/api/users/@me";
+var DEFAULT_SCOPES = ["identify", "email"];
+function discord(config) {
+  const scopes = config.scopes ?? DEFAULT_SCOPES;
+  return {
+    id: "discord",
+    name: "Discord",
+    scopes,
+    trustEmail: false,
+    getAuthorizationUrl(state, codeChallenge) {
+      const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: config.redirectUrl ?? "",
+        response_type: "code",
+        scope: scopes.join(" "),
+        state
+      });
+      if (codeChallenge) {
+        params.set("code_challenge", codeChallenge);
+        params.set("code_challenge_method", "S256");
+      }
+      return `${AUTHORIZATION_URL}?${params.toString()}`;
+    },
+    async exchangeCode(code, codeVerifier) {
+      const body = new URLSearchParams({
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: config.redirectUrl ?? ""
+      });
+      if (codeVerifier) {
+        body.set("code_verifier", codeVerifier);
+      }
+      const response = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+      const data = await response.json();
+      return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresIn: data.expires_in
+      };
+    },
+    async getUserInfo(accessToken) {
+      const response = await fetch(USER_URL, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+      const data = await response.json();
+      return {
+        providerId: data.id,
+        email: data.email ?? "",
+        emailVerified: data.verified ?? false,
+        name: data.global_name ?? data.username,
+        avatarUrl: data.avatar ? `https://cdn.discordapp.com/avatars/${data.id}/${data.avatar}.png` : undefined
+      };
+    }
+  };
+}
+// src/auth/providers/github.ts
+var AUTHORIZATION_URL2 = "https://github.com/login/oauth/authorize";
+var TOKEN_URL2 = "https://github.com/login/oauth/access_token";
+var USER_URL2 = "https://api.github.com/user";
+var EMAILS_URL = "https://api.github.com/user/emails";
+var DEFAULT_SCOPES2 = ["read:user", "user:email"];
+function github(config) {
+  const scopes = config.scopes ?? DEFAULT_SCOPES2;
+  return {
+    id: "github",
+    name: "GitHub",
+    scopes,
+    trustEmail: false,
+    getAuthorizationUrl(state) {
+      const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: config.redirectUrl ?? "",
+        scope: scopes.join(" "),
+        state
+      });
+      return `${AUTHORIZATION_URL2}?${params.toString()}`;
+    },
+    async exchangeCode(code) {
+      const response = await fetch(TOKEN_URL2, {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+          code,
+          redirect_uri: config.redirectUrl ?? ""
+        })
+      });
+      const data = await response.json();
+      return {
+        accessToken: data.access_token
+      };
+    },
+    async getUserInfo(accessToken) {
+      const [userResponse, emailsResponse] = await Promise.all([
+        fetch(USER_URL2, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "User-Agent": "vertz-auth/1.0"
+          }
+        }),
+        fetch(EMAILS_URL, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "User-Agent": "vertz-auth/1.0"
+          }
+        })
+      ]);
+      const userData = await userResponse.json();
+      const emails = await emailsResponse.json();
+      const primaryEmail = emails.find((e) => e.primary && e.verified);
+      const fallbackEmail = emails.find((e) => e.verified);
+      const email = primaryEmail ?? fallbackEmail;
+      return {
+        providerId: String(userData.id),
+        email: email?.email ?? "",
+        emailVerified: email?.verified ?? false,
+        name: userData.name,
+        avatarUrl: userData.avatar_url
+      };
+    }
+  };
+}
+// src/auth/providers/google.ts
+var AUTHORIZATION_URL3 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL3 = "https://oauth2.googleapis.com/token";
+var DEFAULT_SCOPES3 = ["openid", "email", "profile"];
+function google(config) {
+  const scopes = config.scopes ?? DEFAULT_SCOPES3;
+  return {
+    id: "google",
+    name: "Google",
+    scopes,
+    trustEmail: true,
+    getAuthorizationUrl(state, codeChallenge, nonce) {
+      const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: config.redirectUrl ?? "",
+        response_type: "code",
+        scope: scopes.join(" "),
+        state,
+        access_type: "offline",
+        prompt: "consent"
+      });
+      if (codeChallenge) {
+        params.set("code_challenge", codeChallenge);
+        params.set("code_challenge_method", "S256");
+      }
+      if (nonce) {
+        params.set("nonce", nonce);
+      }
+      return `${AUTHORIZATION_URL3}?${params.toString()}`;
+    },
+    async exchangeCode(code, codeVerifier) {
+      const body = new URLSearchParams({
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: config.redirectUrl ?? ""
+      });
+      if (codeVerifier) {
+        body.set("code_verifier", codeVerifier);
+      }
+      const response = await fetch(TOKEN_URL3, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+      const data = await response.json();
+      return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresIn: data.expires_in,
+        idToken: data.id_token
+      };
+    },
+    async getUserInfo(_accessToken, idToken, nonce) {
+      if (!idToken) {
+        throw new Error("Google provider requires an ID token");
+      }
+      const parts = idToken.split(".");
+      const payload = JSON.parse(atob(parts[1]));
+      if (nonce && payload.nonce !== nonce) {
+        throw new Error("ID token nonce mismatch");
+      }
+      return {
+        providerId: payload.sub,
+        email: payload.email,
+        emailVerified: payload.email_verified,
+        name: payload.name,
+        avatarUrl: payload.picture
+      };
+    }
+  };
+}
+// src/auth/role-assignment-store.ts
+class InMemoryRoleAssignmentStore {
+  assignments = [];
+  async assign(userId, resourceType, resourceId, role) {
+    const exists = this.assignments.some((a) => a.userId === userId && a.resourceType === resourceType && a.resourceId === resourceId && a.role === role);
+    if (!exists) {
+      this.assignments.push({ userId, resourceType, resourceId, role });
     }
-    return allowedRoles.has(user.role) || roleHasEntitlement(user.role, entitlement);
   }
-  async function can(entitlement, user) {
-    return checkEntitlement(entitlement, user);
+  async revoke(userId, resourceType, resourceId, role) {
+    this.assignments = this.assignments.filter((a) => !(a.userId === userId && a.resourceType === resourceType && a.resourceId === resourceId && a.role === role));
   }
-  async function canWithResource(entitlement, resource, user) {
-    const hasEntitlement = await checkEntitlement(entitlement, user);
-    if (!hasEntitlement)
-      return false;
-    if (resource.ownerId != null && resource.ownerId !== "" && resource.ownerId !== user?.id) {
-      return false;
-    }
-    return true;
+  async getRoles(userId, resourceType, resourceId) {
+    return this.assignments.filter((a) => a.userId === userId && a.resourceType === resourceType && a.resourceId === resourceId).map((a) => a.role);
   }
-  async function authorize(entitlement, user) {
-    const allowed = await can(entitlement, user);
-    if (!allowed) {
-      throw new AuthorizationError(`Not authorized to perform this action: ${entitlement}`, entitlement, user?.id);
-    }
+  async getRolesForUser(userId) {
+    return this.assignments.filter((a) => a.userId === userId);
   }
-  async function authorizeWithResource(entitlement, resource, user) {
-    const allowed = await canWithResource(entitlement, resource, user);
-    if (!allowed) {
-      throw new AuthorizationError(`Not authorized to perform this action on this resource: ${entitlement}`, entitlement, user?.id);
+  async getEffectiveRole(userId, resourceType, resourceId, accessDef, closureStore) {
+    const rolesForType = accessDef.roles[resourceType];
+    if (!rolesForType || rolesForType.length === 0)
+      return null;
+    const candidateRoles = [];
+    const directRoles = await this.getRoles(userId, resourceType, resourceId);
+    candidateRoles.push(...directRoles);
+    const ancestors = await closureStore.getAncestors(resourceType, resourceId);
+    for (const ancestor of ancestors) {
+      if (ancestor.depth === 0)
+        continue;
+      const ancestorRoles = await this.getRoles(userId, ancestor.type, ancestor.id);
+      for (const ancestorRole of ancestorRoles) {
+        const inheritedRole = resolveInheritedRole2(ancestor.type, ancestorRole, resourceType, accessDef);
+        if (inheritedRole) {
+          candidateRoles.push(inheritedRole);
+        }
+      }
     }
-  }
-  async function canAll(checks, user) {
-    const results = new Map;
-    for (const { entitlement, resource } of checks) {
-      const key = resource ? `${entitlement}:${resource.id}` : entitlement;
-      const allowed = resource ? await canWithResource(entitlement, resource, user) : await can(entitlement, user);
-      results.set(key, allowed);
+    if (candidateRoles.length === 0)
+      return null;
+    const roleOrder = [...rolesForType];
+    let bestIndex = roleOrder.length;
+    for (const role of candidateRoles) {
+      const idx = roleOrder.indexOf(role);
+      if (idx !== -1 && idx < bestIndex) {
+        bestIndex = idx;
+      }
     }
-    return results;
+    return bestIndex < roleOrder.length ? roleOrder[bestIndex] : null;
   }
-  function getEntitlementsForRole(role) {
-    const roleEnts = roleEntitlements.get(role);
-    return roleEnts ? Array.from(roleEnts) : [];
+  dispose() {
+    this.assignments = [];
   }
-  function createMiddleware() {
-    return async (ctx, next) => {
-      ctx.can = async (entitlement, resource) => {
-        if (resource) {
-          return canWithResource(entitlement, resource, ctx.user ?? null);
-        }
-        return can(entitlement, ctx.user ?? null);
-      };
-      ctx.authorize = async (entitlement, resource) => {
-        if (resource) {
-          return authorizeWithResource(entitlement, resource, ctx.user ?? null);
-        }
-        return authorize(entitlement, ctx.user ?? null);
-      };
-      await next();
-    };
+}
+function resolveInheritedRole2(sourceType, sourceRole, targetType, accessDef) {
+  const hierarchy = accessDef.hierarchy;
+  const sourceIdx = hierarchy.indexOf(sourceType);
+  const targetIdx = hierarchy.indexOf(targetType);
+  if (sourceIdx === -1 || targetIdx === -1 || sourceIdx >= targetIdx)
+    return null;
+  let currentRole = sourceRole;
+  for (let i = sourceIdx;i < targetIdx; i++) {
+    const currentType = hierarchy[i];
+    const inheritanceMap = accessDef.inheritance[currentType];
+    if (!inheritanceMap || !(currentRole in inheritanceMap))
+      return null;
+    currentRole = inheritanceMap[currentRole];
   }
-  return {
-    can,
-    canWithResource,
-    authorize,
-    authorizeWithResource,
-    canAll,
-    getEntitlementsForRole,
-    middleware: createMiddleware
-  };
+  return currentRole;
 }
-var defaultAccess = createAccess({
-  roles: {
-    user: { entitlements: ["read", "create"] },
-    editor: { entitlements: ["read", "create", "update"] },
-    admin: { entitlements: ["read", "create", "update", "delete"] }
+// src/auth/rules.ts
+var userMarkers = {
+  id: Object.freeze({ __marker: "user.id" }),
+  tenantId: Object.freeze({ __marker: "user.tenantId" })
+};
+var rules = {
+  role(...roleNames) {
+    return { type: "role", roles: Object.freeze([...roleNames]) };
   },
-  entitlements: {
-    "user:read": { roles: ["user", "editor", "admin"] },
-    "user:create": { roles: ["user", "editor", "admin"] },
-    "user:update": { roles: ["editor", "admin"] },
-    "user:delete": { roles: ["admin"] },
-    read: { roles: ["user", "editor", "admin"] },
-    create: { roles: ["user", "editor", "admin"] },
-    update: { roles: ["editor", "admin"] },
-    delete: { roles: ["admin"] }
+  entitlement(name) {
+    return { type: "entitlement", entitlement: name };
+  },
+  where(conditions) {
+    return { type: "where", conditions: Object.freeze({ ...conditions }) };
+  },
+  all(...ruleList) {
+    return { type: "all", rules: Object.freeze([...ruleList]) };
+  },
+  any(...ruleList) {
+    return { type: "any", rules: Object.freeze([...ruleList]) };
+  },
+  authenticated() {
+    return { type: "authenticated" };
+  },
+  fva(maxAge) {
+    return { type: "fva", maxAge };
+  },
+  user: userMarkers
+};
+// src/auth/wallet-store.ts
+class InMemoryWalletStore {
+  entries = new Map;
+  key(orgId, entitlement, periodStart) {
+    return `${orgId}:${entitlement}:${periodStart.getTime()}`;
   }
-});
-
-// src/auth/index.ts
-class RateLimiter {
-  store = new Map;
-  windowMs;
-  constructor(window) {
-    this.windowMs = this.parseDuration(window);
-  }
-  parseDuration(duration) {
-    const match = duration.match(/^(\d+)([smh])$/);
-    if (!match)
-      throw new Error(`Invalid duration: ${duration}`);
-    const value = parseInt(match[1], 10);
-    const unit = match[2];
-    const multipliers = { s: 1000, m: 60000, h: 3600000 };
-    return value * multipliers[unit];
-  }
-  check(key, maxAttempts) {
-    const now = new Date;
-    const entry = this.store.get(key);
-    if (!entry || entry.resetAt < now) {
-      const resetAt = new Date(now.getTime() + this.windowMs);
-      this.store.set(key, { count: 1, resetAt });
-      return { allowed: true, remaining: maxAttempts - 1, resetAt };
-    }
-    if (entry.count >= maxAttempts) {
-      return { allowed: false, remaining: 0, resetAt: entry.resetAt };
+  async consume(orgId, entitlement, periodStart, periodEnd, limit, amount = 1) {
+    const k = this.key(orgId, entitlement, periodStart);
+    if (!this.entries.has(k)) {
+      this.entries.set(k, { orgId, entitlement, periodStart, periodEnd, consumed: 0 });
     }
-    entry.count++;
-    return { allowed: true, remaining: maxAttempts - entry.count, resetAt: entry.resetAt };
-  }
-  cleanup() {
-    const now = new Date;
-    for (const [key, entry] of this.store) {
-      if (entry.resetAt < now) {
-        this.store.delete(key);
-      }
+    const entry = this.entries.get(k);
+    if (entry.consumed + amount > limit) {
+      return {
+        success: false,
+        consumed: entry.consumed,
+        limit,
+        remaining: Math.max(0, limit - entry.consumed)
+      };
     }
+    entry.consumed += amount;
+    return {
+      success: true,
+      consumed: entry.consumed,
+      limit,
+      remaining: limit - entry.consumed
+    };
   }
-}
-var DEFAULT_PASSWORD_REQUIREMENTS = {
-  minLength: 8,
-  requireUppercase: false,
-  requireNumbers: false,
-  requireSymbols: false
-};
-var BCRYPT_ROUNDS = 12;
-async function hashPassword(password) {
-  return bcrypt.hash(password, BCRYPT_ROUNDS);
-}
-async function verifyPassword(password, hash) {
-  return bcrypt.compare(password, hash);
-}
-function validatePassword(password, requirements) {
-  const req = { ...DEFAULT_PASSWORD_REQUIREMENTS, ...requirements };
-  if (password.length < (req.minLength ?? 8)) {
-    return createAuthValidationError(`Password must be at least ${req.minLength} characters`, "password", "TOO_SHORT");
-  }
-  if (req.requireUppercase && !/[A-Z]/.test(password)) {
-    return createAuthValidationError("Password must contain at least one uppercase letter", "password", "NO_UPPERCASE");
-  }
-  if (req.requireNumbers && !/\d/.test(password)) {
-    return createAuthValidationError("Password must contain at least one number", "password", "NO_NUMBER");
+  async unconsume(orgId, entitlement, periodStart, _periodEnd, amount = 1) {
+    const k = this.key(orgId, entitlement, periodStart);
+    const entry = this.entries.get(k);
+    if (!entry)
+      return;
+    entry.consumed = Math.max(0, entry.consumed - amount);
   }
-  if (req.requireSymbols && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
-    return createAuthValidationError("Password must contain at least one symbol", "password", "NO_SYMBOL");
+  async getConsumption(orgId, entitlement, periodStart, _periodEnd) {
+    const k = this.key(orgId, entitlement, periodStart);
+    const entry = this.entries.get(k);
+    return entry?.consumed ?? 0;
   }
-  return null;
-}
-var DEFAULT_COOKIE_CONFIG = {
-  name: "vertz.sid",
-  httpOnly: true,
-  secure: true,
-  sameSite: "lax",
-  path: "/",
-  maxAge: 60 * 60 * 24 * 7
-};
-function parseDuration(duration) {
-  if (typeof duration === "number")
-    return duration;
-  const match = duration.match(/^(\d+)([smhd])$/);
-  if (!match)
-    throw new Error(`Invalid duration: ${duration}`);
-  const value = parseInt(match[1], 10);
-  const unit = match[2];
-  const multipliers = { s: 1, m: 60, h: 3600, d: 86400 };
-  return value * multipliers[unit] * 1000;
-}
-async function createJWT(user, secret, ttl, algorithm, customClaims) {
-  const claims = customClaims ? customClaims(user) : {};
-  const jwt = await new jose.SignJWT({
-    sub: user.id,
-    email: user.email,
-    role: user.role,
-    ...claims
-  }).setProtectedHeader({ alg: algorithm }).setIssuedAt().setExpirationTime(Math.floor(ttl / 1000)).sign(new TextEncoder().encode(secret));
-  return jwt;
-}
-async function verifyJWT(token, secret, algorithm) {
-  try {
-    const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret), {
-      algorithms: [algorithm]
-    });
-    return payload;
-  } catch {
-    return null;
+  dispose() {
+    this.entries.clear();
   }
 }
-var users = new Map;
-var sessions = new Map;
+
+// src/auth/index.ts
 function createAuth(config) {
   const {
     session,
@@ -312,7 +2182,13 @@ function createAuth(config) {
       console.warn(`[Auth] Auto-generated dev JWT secret at ${secretFile}. Add this path to .gitignore.`);
     }
   }
+  if (session.strategy !== "jwt") {
+    throw new Error(`Session strategy "${session.strategy}" is not yet supported. Use "jwt".`);
+  }
   const cookieConfig = { ...DEFAULT_COOKIE_CONFIG, ...session.cookie };
+  const refreshName = session.refreshName ?? "vertz.ref";
+  const refreshTtlMs = parseDuration(session.refreshTtl ?? "7d");
+  const refreshMaxAge = Math.floor(refreshTtlMs / 1000);
   if (cookieConfig.sameSite === "none" && cookieConfig.secure !== true) {
     throw new Error("SameSite=None requires secure=true");
   }
@@ -323,145 +2199,346 @@ function createAuth(config) {
     console.warn("Cookie 'secure' flag is disabled. This is allowed in development but must be enabled in production.");
   }
   const ttlMs = parseDuration(session.ttl);
-  const signInLimiter = new RateLimiter(emailPassword?.rateLimit?.window || "15m");
-  const signUpLimiter = new RateLimiter("1h");
-  const refreshLimiter = new RateLimiter("1m");
-  setInterval(() => {
-    signInLimiter.cleanup();
-    signUpLimiter.cleanup();
-    refreshLimiter.cleanup();
-  }, 60000);
-  function buildAuthUser(stored) {
-    return stored.user;
-  }
-  async function signUp(data) {
+  const DUMMY_HASH = "$2a$12$000000000000000000000uGWDREoC/y2KhZ5l2QkI4j0LpDjWcaq";
+  const sessionStore = config.sessionStore ?? new InMemorySessionStore;
+  const userStore = config.userStore ?? new InMemoryUserStore;
+  const providers = new Map;
+  if (config.providers) {
+    for (const provider of config.providers) {
+      providers.set(provider.id, provider);
+    }
+  }
+  const oauthAccountStore = config.oauthAccountStore ?? (providers.size > 0 ? new InMemoryOAuthAccountStore : undefined);
+  const oauthEncryptionKey = config.oauthEncryptionKey;
+  const oauthSuccessRedirect = config.oauthSuccessRedirect ?? "/";
+  const oauthErrorRedirect = config.oauthErrorRedirect ?? "/auth/error";
+  const mfaConfig = config.mfa;
+  const mfaEnabled = mfaConfig?.enabled ?? false;
+  const mfaIssuer = mfaConfig?.issuer ?? "Vertz";
+  const mfaBackupCodeCount = mfaConfig?.backupCodeCount ?? 10;
+  const mfaStore = config.mfaStore ?? (mfaEnabled ? new InMemoryMFAStore : undefined);
+  const PENDING_MFA_TTL = 10 * 60 * 1000;
+  const pendingMfaSecrets = new Map;
+  const emailVerificationConfig = config.emailVerification;
+  const emailVerificationEnabled = emailVerificationConfig?.enabled ?? false;
+  const emailVerificationTtlMs = parseDuration(emailVerificationConfig?.tokenTtl ?? "24h");
+  const emailVerificationStore = config.emailVerificationStore ?? (emailVerificationEnabled ? new InMemoryEmailVerificationStore : undefined);
+  const passwordResetConfig = config.passwordReset;
+  const passwordResetEnabled = passwordResetConfig?.enabled ?? false;
+  const passwordResetTtlMs = parseDuration(passwordResetConfig?.tokenTtl ?? "1h");
+  const revokeSessionsOnReset = passwordResetConfig?.revokeSessionsOnReset ?? true;
+  const passwordResetStore = config.passwordResetStore ?? (passwordResetEnabled ? new InMemoryPasswordResetStore : undefined);
+  const rateLimitStore = config.rateLimitStore ?? new InMemoryRateLimitStore;
+  const signInWindowMs = parseDuration(emailPassword?.rateLimit?.window || "15m");
+  const signUpWindowMs = parseDuration("1h");
+  const refreshWindowMs = parseDuration("1m");
+  async function createSessionTokens(user, sessionId, options) {
+    const jti = crypto.randomUUID();
+    const expiresAt = new Date(Date.now() + ttlMs);
+    const userClaims = claims ? claims(user) : {};
+    const fvaClaim = options?.fva !== undefined ? { fva: options.fva } : {};
+    let aclClaim = {};
+    if (config.access) {
+      const accessSet = await computeAccessSet({
+        userId: user.id,
+        accessDef: config.access.definition,
+        roleStore: config.access.roleStore,
+        closureStore: config.access.closureStore,
+        flagStore: config.access.flagStore,
+        plan: user.plan ?? null
+      });
+      const encoded = encodeAccessSet(accessSet);
+      const canonicalJson = JSON.stringify(encoded);
+      const stablePayload = {
+        entitlements: encoded.entitlements,
+        flags: encoded.flags,
+        plan: encoded.plan
+      };
+      const hash = await sha256Hex(JSON.stringify(stablePayload));
+      const byteLength = new TextEncoder().encode(canonicalJson).length;
+      if (byteLength <= 2048) {
+        aclClaim = { acl: { set: encoded, hash, overflow: false } };
+      } else {
+        aclClaim = { acl: { hash, overflow: true } };
+      }
+    }
+    const jwt = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, () => ({
+      ...userClaims,
+      ...fvaClaim,
+      ...aclClaim,
+      jti,
+      sid: sessionId
+    }));
+    const refreshToken = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(32)))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const payload = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      iat: Math.floor(Date.now() / 1000),
+      exp: Math.floor(expiresAt.getTime() / 1000),
+      jti,
+      sid: sessionId,
+      claims: userClaims || undefined,
+      ...options?.fva !== undefined ? { fva: options.fva } : {},
+      ...aclClaim
+    };
+    return { jwt, refreshToken, payload, expiresAt };
+  }
+  function generateToken() {
+    const bytes = crypto.getRandomValues(new Uint8Array(32));
+    return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  async function signUp(data, ctx) {
     const { email, password, role = "user", ...additionalFields } = data;
     if (!email || !email.includes("@")) {
-      return err(createAuthValidationError("Invalid email format", "email", "INVALID_FORMAT"));
+      return err(createAuthValidationError2("Invalid email format", "email", "INVALID_FORMAT"));
     }
     const passwordError = validatePassword(password, emailPassword?.password);
     if (passwordError) {
       return err(passwordError);
     }
-    if (users.has(email.toLowerCase())) {
-      return err(createUserExistsError("User already exists", email.toLowerCase()));
-    }
-    const signUpRateLimit = signUpLimiter.check(`signup:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 3);
+    const signUpRateLimit = await rateLimitStore.check(`signup:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 3, signUpWindowMs);
     if (!signUpRateLimit.allowed) {
       return err(createAuthRateLimitedError("Too many sign up attempts"));
     }
+    const existing = await userStore.findByEmail(email.toLowerCase());
+    if (existing) {
+      return err(createUserExistsError("User already exists", email.toLowerCase()));
+    }
     const passwordHash = await hashPassword(password);
     const now = new Date;
+    const {
+      id: _id,
+      createdAt: _c,
+      updatedAt: _u,
+      ...safeFields
+    } = additionalFields;
     const user = {
+      ...safeFields,
       id: crypto.randomUUID(),
       email: email.toLowerCase(),
       role,
+      emailVerified: !emailVerificationEnabled,
       createdAt: now,
-      updatedAt: now,
-      ...additionalFields
-    };
-    users.set(email.toLowerCase(), { user, passwordHash });
-    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-    const expiresAt = new Date(Date.now() + ttlMs);
-    const payload = {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(expiresAt.getTime() / 1000),
-      claims: claims ? claims(user) : undefined
+      updatedAt: now
     };
-    sessions.set(token, { userId: user.id, expiresAt });
-    return ok({ user, expiresAt, payload });
+    await userStore.createUser(user, passwordHash);
+    if (emailVerificationEnabled && emailVerificationStore && emailVerificationConfig?.onSend) {
+      const token = generateToken();
+      const tokenHash = await sha256Hex(token);
+      await emailVerificationStore.createVerification({
+        userId: user.id,
+        tokenHash,
+        expiresAt: new Date(Date.now() + emailVerificationTtlMs)
+      });
+      await emailVerificationConfig.onSend(user, token);
+    }
+    const sessionId = crypto.randomUUID();
+    const tokens = await createSessionTokens(user, sessionId);
+    const refreshTokenHash = await sha256Hex(tokens.refreshToken);
+    const ipAddress = ctx?.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? ctx?.headers.get("x-real-ip") ?? "";
+    const userAgent = ctx?.headers.get("user-agent") ?? "";
+    await sessionStore.createSessionWithId(sessionId, {
+      userId: user.id,
+      refreshTokenHash,
+      ipAddress,
+      userAgent,
+      expiresAt: new Date(Date.now() + refreshTtlMs),
+      currentTokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+    });
+    return ok({
+      user,
+      expiresAt: tokens.expiresAt,
+      payload: tokens.payload,
+      tokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+    });
   }
-  async function signIn(data) {
+  async function signIn(data, ctx) {
     const { email, password } = data;
-    const stored = users.get(email.toLowerCase());
+    const signInRateLimit = await rateLimitStore.check(`signin:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 5, signInWindowMs);
+    if (!signInRateLimit.allowed) {
+      return err(createAuthRateLimitedError("Too many sign in attempts"));
+    }
+    const stored = await userStore.findByEmail(email.toLowerCase());
     if (!stored) {
+      await verifyPassword(password, DUMMY_HASH);
       return err(createInvalidCredentialsError());
     }
-    const signInRateLimit = signInLimiter.check(`signin:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 5);
-    if (!signInRateLimit.allowed) {
-      return err(createAuthRateLimitedError("Too many sign in attempts"));
+    if (stored.passwordHash === null) {
+      await verifyPassword(password, DUMMY_HASH);
+      return err(createInvalidCredentialsError());
     }
     const valid = await verifyPassword(password, stored.passwordHash);
     if (!valid) {
       return err(createInvalidCredentialsError());
     }
-    const user = buildAuthUser(stored);
-    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-    const expiresAt = new Date(Date.now() + ttlMs);
-    const payload = {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(expiresAt.getTime() / 1000),
-      claims: claims ? claims(user) : undefined
-    };
-    sessions.set(token, { userId: user.id, expiresAt });
-    return ok({ user, expiresAt, payload });
+    const user = stored.user;
+    if (mfaStore && await mfaStore.isMfaEnabled(user.id)) {
+      return err(createMfaRequiredError("MFA verification required"));
+    }
+    const sessionId = crypto.randomUUID();
+    const tokens = await createSessionTokens(user, sessionId);
+    const refreshTokenHash = await sha256Hex(tokens.refreshToken);
+    const ipAddress = ctx?.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? ctx?.headers.get("x-real-ip") ?? "";
+    const userAgent = ctx?.headers.get("user-agent") ?? "";
+    await sessionStore.createSessionWithId(sessionId, {
+      userId: user.id,
+      refreshTokenHash,
+      ipAddress,
+      userAgent,
+      expiresAt: new Date(Date.now() + refreshTtlMs),
+      currentTokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+    });
+    return ok({
+      user,
+      expiresAt: tokens.expiresAt,
+      payload: tokens.payload,
+      tokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+    });
   }
   async function signOut(ctx) {
-    const cookieName = cookieConfig.name || "vertz.sid";
-    const token = ctx.headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`))?.split("=")[1];
-    if (token) {
-      sessions.delete(token);
+    const sessionResult = await getSession(ctx.headers);
+    if (sessionResult.ok && sessionResult.data) {
+      await sessionStore.revokeSession(sessionResult.data.payload.sid);
     }
     return ok(undefined);
   }
   async function getSession(headers) {
     const cookieName = cookieConfig.name || "vertz.sid";
-    const token = headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`))?.split("=")[1];
+    const cookieEntry = headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`));
+    const token = cookieEntry ? cookieEntry.trim().slice(`${cookieName}=`.length) : undefined;
     if (!token) {
       return ok(null);
     }
-    const session2 = sessions.get(token);
-    if (!session2) {
-      return ok(null);
-    }
-    if (session2.expiresAt < new Date) {
-      sessions.delete(token);
-      return ok(null);
-    }
     const payload = await verifyJWT(token, jwtSecret, jwtAlgorithm);
     if (!payload) {
-      sessions.delete(token);
       return ok(null);
     }
-    const stored = users.get(payload.email);
-    if (!stored) {
+    const user = await userStore.findById(payload.sub);
+    if (!user) {
       return ok(null);
     }
-    const user = buildAuthUser(stored);
     const expiresAt = new Date(payload.exp * 1000);
     return ok({ user, expiresAt, payload });
   }
   async function refreshSession(ctx) {
-    const refreshRateLimit = refreshLimiter.check(`refresh:${ctx.headers.get("x-forwarded-ip") || "default"}`, 10);
+    const refreshRateLimit = await rateLimitStore.check(`refresh:${ctx.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "default"}`, 10, refreshWindowMs);
     if (!refreshRateLimit.allowed) {
       return err(createAuthRateLimitedError("Too many refresh attempts"));
     }
-    const sessionResult = await getSession(ctx.headers);
-    if (!sessionResult.ok) {
+    const refreshEntry = ctx.headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${refreshName}=`));
+    const refreshToken = refreshEntry ? refreshEntry.trim().slice(`${refreshName}=`.length) : undefined;
+    if (!refreshToken) {
+      return err(createSessionExpiredError("No refresh token"));
+    }
+    const refreshHash = await sha256Hex(refreshToken);
+    let storedSession = await sessionStore.findByRefreshHash(refreshHash);
+    let isGracePeriod = false;
+    if (!storedSession) {
+      storedSession = await sessionStore.findByPreviousRefreshHash(refreshHash);
+      if (storedSession && storedSession.lastActiveAt.getTime() + 1e4 > Date.now()) {
+        isGracePeriod = true;
+      } else {
+        return err(createSessionExpiredError("Invalid refresh token"));
+      }
+    }
+    const user = await userStore.findById(storedSession.userId);
+    if (!user) {
+      return err(createSessionExpiredError("User not found"));
+    }
+    if (isGracePeriod) {
+      const currentTokens = await sessionStore.getCurrentTokens(storedSession.id);
+      if (currentTokens) {
+        const payload = await verifyJWT(currentTokens.jwt, jwtSecret, jwtAlgorithm);
+        return ok({
+          user,
+          expiresAt: payload ? new Date(payload.exp * 1000) : new Date(Date.now() + ttlMs),
+          payload: payload ?? {
+            sub: user.id,
+            email: user.email,
+            role: user.role,
+            iat: Math.floor(Date.now() / 1000),
+            exp: Math.floor((Date.now() + ttlMs) / 1000),
+            jti: "",
+            sid: storedSession.id
+          },
+          tokens: currentTokens
+        });
+      }
+    }
+    let existingFva;
+    const oldTokens = await sessionStore.getCurrentTokens(storedSession.id);
+    if (oldTokens) {
+      const oldPayload = await verifyJWT(oldTokens.jwt, jwtSecret, jwtAlgorithm);
+      existingFva = oldPayload?.fva;
+    }
+    const newTokens = await createSessionTokens(user, storedSession.id, existingFva !== undefined ? { fva: existingFva } : undefined);
+    const newRefreshHash = await sha256Hex(newTokens.refreshToken);
+    await sessionStore.updateSession(storedSession.id, {
+      refreshTokenHash: newRefreshHash,
+      previousRefreshHash: storedSession.refreshTokenHash,
+      lastActiveAt: new Date,
+      currentTokens: { jwt: newTokens.jwt, refreshToken: newTokens.refreshToken }
+    });
+    return ok({
+      user,
+      expiresAt: newTokens.expiresAt,
+      payload: newTokens.payload,
+      tokens: { jwt: newTokens.jwt, refreshToken: newTokens.refreshToken }
+    });
+  }
+  async function listSessions(headers) {
+    const sessionResult = await getSession(headers);
+    if (!sessionResult.ok)
+      return sessionResult;
+    if (!sessionResult.data) {
+      return err(createSessionExpiredError("Not authenticated"));
+    }
+    const currentSid = sessionResult.data.payload.sid;
+    const sessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
+    const infos = sessions.map((s) => ({
+      id: s.id,
+      userId: s.userId,
+      ipAddress: s.ipAddress,
+      userAgent: s.userAgent,
+      deviceName: parseDeviceName(s.userAgent),
+      createdAt: s.createdAt,
+      lastActiveAt: s.lastActiveAt,
+      expiresAt: s.expiresAt,
+      isCurrent: s.id === currentSid
+    }));
+    return ok(infos);
+  }
+  async function revokeSessionById(sessionId, headers) {
+    const sessionResult = await getSession(headers);
+    if (!sessionResult.ok)
+      return sessionResult;
+    if (!sessionResult.data) {
+      return err(createSessionExpiredError("Not authenticated"));
+    }
+    const targetSessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
+    const target = targetSessions.find((s) => s.id === sessionId);
+    if (!target) {
+      return err(createSessionNotFoundError("Session not found"));
+    }
+    await sessionStore.revokeSession(sessionId);
+    return ok(undefined);
+  }
+  async function revokeAllSessions(headers) {
+    const sessionResult = await getSession(headers);
+    if (!sessionResult.ok)
       return sessionResult;
-    }
     if (!sessionResult.data) {
-      return err(createSessionExpiredError("No active session"));
+      return err(createSessionExpiredError("Not authenticated"));
     }
-    const user = sessionResult.data.user;
-    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-    const expiresAt = new Date(Date.now() + ttlMs);
-    const payload = {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(expiresAt.getTime() / 1000),
-      claims: claims ? claims(user) : undefined
-    };
-    sessions.set(token, { userId: user.id, expiresAt });
-    return ok({ user, expiresAt, payload });
+    const currentSid = sessionResult.data.payload.sid;
+    const sessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
+    for (const s of sessions) {
+      if (s.id !== currentSid) {
+        await sessionStore.revokeSession(s.id);
+      }
+    }
+    return ok(undefined);
   }
   function authErrorToStatus(error) {
     switch (error.code) {
@@ -471,6 +2548,8 @@ function createAuth(config) {
         return 401;
       case "SESSION_EXPIRED":
         return 401;
+      case "SESSION_NOT_FOUND":
+        return 404;
       case "USER_EXISTS":
         return 409;
       case "RATE_LIMITED":
@@ -481,6 +2560,14 @@ function createAuth(config) {
         return 500;
     }
   }
+  function securityHeaders() {
+    return {
+      "Cache-Control": "no-store, no-cache, must-revalidate",
+      Pragma: "no-cache",
+      "X-Content-Type-Options": "nosniff",
+      "Referrer-Policy": "strict-origin-when-cross-origin"
+    };
+  }
   async function handleAuthRequest(request) {
     const url = new URL(request.url);
     const path = url.pathname.replace("/api/auth", "") || "/";
@@ -504,7 +2591,7 @@ function createAuth(config) {
         if (isProduction) {
           return new Response(JSON.stringify({ error: "CSRF validation failed" }), {
             status: 403,
-            headers: { "Content-Type": "application/json" }
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         } else {
           console.warn("[Auth] CSRF warning: Origin/Referer missing or mismatched (allowed in development)");
@@ -515,7 +2602,7 @@ function createAuth(config) {
         if (isProduction) {
           return new Response(JSON.stringify({ error: "Missing required X-VTZ-Request header" }), {
             status: 403,
-            headers: { "Content-Type": "application/json" }
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         } else {
           console.warn("[Auth] CSRF warning: Missing X-VTZ-Request header (allowed in development)");
@@ -525,78 +2612,916 @@ function createAuth(config) {
     try {
       if (method === "POST" && path === "/signup") {
         const body = await request.json();
-        const result = await signUp(body);
+        const result = await signUp(body, { headers: request.headers });
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
             status: authErrorToStatus(result.error),
-            headers: { "Content-Type": "application/json" }
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-        return new Response(JSON.stringify({ user: result.data.user }), {
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        if (result.data.tokens) {
+          headers.append("Set-Cookie", buildSessionCookie(result.data.tokens.jwt, cookieConfig));
+          headers.append("Set-Cookie", buildRefreshCookie(result.data.tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        }
+        return new Response(JSON.stringify({
+          user: result.data.user,
+          expiresAt: result.data.expiresAt.getTime()
+        }), {
           status: 201,
-          headers: {
-            "Content-Type": "application/json",
-            "Set-Cookie": buildCookie(cookieValue)
-          }
+          headers
         });
       }
       if (method === "POST" && path === "/signin") {
         const body = await request.json();
-        const result = await signIn(body);
+        const result = await signIn(body, { headers: request.headers });
         if (!result.ok) {
+          if (result.error.code === "MFA_REQUIRED" && oauthEncryptionKey) {
+            const stored = await userStore.findByEmail(body.email.toLowerCase());
+            if (stored) {
+              const challengeData = JSON.stringify({
+                userId: stored.user.id,
+                expiresAt: Date.now() + 300000
+              });
+              const encryptedChallenge = await encrypt(challengeData, oauthEncryptionKey);
+              const headers2 = new Headers({
+                "Content-Type": "application/json",
+                ...securityHeaders()
+              });
+              headers2.append("Set-Cookie", buildMfaChallengeCookie(encryptedChallenge, cookieConfig));
+              return new Response(JSON.stringify({ error: result.error }), {
+                status: 403,
+                headers: headers2
+              });
+            }
+          }
           return new Response(JSON.stringify({ error: result.error }), {
             status: authErrorToStatus(result.error),
-            headers: { "Content-Type": "application/json" }
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-        return new Response(JSON.stringify({ user: result.data.user }), {
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        if (result.data.tokens) {
+          headers.append("Set-Cookie", buildSessionCookie(result.data.tokens.jwt, cookieConfig));
+          headers.append("Set-Cookie", buildRefreshCookie(result.data.tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        }
+        return new Response(JSON.stringify({
+          user: result.data.user,
+          expiresAt: result.data.expiresAt.getTime()
+        }), {
           status: 200,
-          headers: {
-            "Content-Type": "application/json",
-            "Set-Cookie": buildCookie(cookieValue)
-          }
+          headers
         });
       }
       if (method === "POST" && path === "/signout") {
         await signOut({ headers: request.headers });
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        headers.append("Set-Cookie", buildSessionCookie("", cookieConfig, true));
+        headers.append("Set-Cookie", buildRefreshCookie("", cookieConfig, refreshName, refreshMaxAge, true));
         return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers
+        });
+      }
+      if (method === "GET" && path === "/session") {
+        const result = await getSession(request.headers);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: 500,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        return new Response(JSON.stringify({ session: result.data }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "GET" && path === "/access-set") {
+        if (!config.access) {
+          return new Response(JSON.stringify({ error: "Access control not configured" }), {
+            status: 404,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: "Unauthorized" }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const accessSet = await computeAccessSet({
+          userId: sessionResult.data.user.id,
+          accessDef: config.access.definition,
+          roleStore: config.access.roleStore,
+          closureStore: config.access.closureStore,
+          flagStore: config.access.flagStore,
+          plan: sessionResult.data.user.plan ?? null
+        });
+        const encoded = encodeAccessSet(accessSet);
+        const hashPayload = {
+          entitlements: encoded.entitlements,
+          flags: encoded.flags,
+          plan: encoded.plan
+        };
+        const hash = await sha256Hex(JSON.stringify(hashPayload));
+        const quotedEtag = `"${hash}"`;
+        const ifNoneMatch = request.headers.get("If-None-Match");
+        if (ifNoneMatch && ifNoneMatch.replace(/"/g, "") === hash) {
+          return new Response(null, {
+            status: 304,
+            headers: {
+              ETag: quotedEtag,
+              ...securityHeaders(),
+              "Cache-Control": "no-cache"
+            }
+          });
+        }
+        return new Response(JSON.stringify({ accessSet }), {
           status: 200,
           headers: {
             "Content-Type": "application/json",
-            "Set-Cookie": buildCookie("", true)
+            ETag: quotedEtag,
+            ...securityHeaders(),
+            "Cache-Control": "no-cache"
           }
         });
       }
-      if (method === "GET" && path === "/session") {
-        const result = await getSession(request.headers);
+      if (method === "POST" && path === "/refresh") {
+        const result = await refreshSession({ headers: request.headers });
+        if (!result.ok) {
+          const headers2 = new Headers({
+            "Content-Type": "application/json",
+            ...securityHeaders()
+          });
+          headers2.append("Set-Cookie", buildSessionCookie("", cookieConfig, true));
+          headers2.append("Set-Cookie", buildRefreshCookie("", cookieConfig, refreshName, refreshMaxAge, true));
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: authErrorToStatus(result.error),
+            headers: headers2
+          });
+        }
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        if (result.data.tokens) {
+          headers.append("Set-Cookie", buildSessionCookie(result.data.tokens.jwt, cookieConfig));
+          headers.append("Set-Cookie", buildRefreshCookie(result.data.tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        }
+        return new Response(JSON.stringify({
+          user: result.data.user,
+          expiresAt: result.data.expiresAt.getTime()
+        }), {
+          status: 200,
+          headers
+        });
+      }
+      if (method === "GET" && path === "/sessions") {
+        const result = await listSessions(request.headers);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: authErrorToStatus(result.error),
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        return new Response(JSON.stringify({ sessions: result.data }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "DELETE" && path.startsWith("/sessions/")) {
+        const sessionId = path.replace("/sessions/", "");
+        const result = await revokeSessionById(sessionId, request.headers);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: authErrorToStatus(result.error),
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "DELETE" && path === "/sessions") {
+        const result = await revokeAllSessions(request.headers);
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
+            status: authErrorToStatus(result.error),
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "GET" && path.startsWith("/oauth/") && !path.includes("/callback")) {
+        const providerId = path.replace("/oauth/", "");
+        const provider = providers.get(providerId);
+        if (!provider) {
+          return new Response(JSON.stringify({ error: "Provider not found" }), {
+            status: 404,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const oauthIp = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "default";
+        const oauthRateLimit = await rateLimitStore.check(`oauth:${oauthIp}`, 10, 5 * 60 * 1000);
+        if (!oauthRateLimit.allowed) {
+          return new Response(JSON.stringify({ error: "Too many requests" }), {
+            status: 429,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        if (!oauthEncryptionKey) {
+          return new Response(JSON.stringify({ error: "OAuth not configured" }), {
+            status: 500,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const codeVerifier = generateCodeVerifier();
+        const codeChallenge = await generateCodeChallenge(codeVerifier);
+        const state = generateNonce();
+        const nonce = generateNonce();
+        const stateData = {
+          provider: providerId,
+          state,
+          codeVerifier,
+          nonce,
+          expiresAt: Date.now() + 300000
+        };
+        const encryptedState = await encrypt(JSON.stringify(stateData), oauthEncryptionKey);
+        const authUrl = provider.getAuthorizationUrl(state, codeChallenge, nonce);
+        const headers = new Headers({
+          Location: authUrl,
+          ...securityHeaders()
+        });
+        headers.append("Set-Cookie", buildOAuthStateCookie(encryptedState, cookieConfig));
+        return new Response(null, { status: 302, headers });
+      }
+      if (method === "GET" && path.includes("/oauth/") && path.endsWith("/callback")) {
+        const providerId = path.replace("/oauth/", "").replace("/callback", "");
+        const provider = providers.get(providerId);
+        const errorRedirect = oauthErrorRedirect;
+        if (!provider || !oauthEncryptionKey || !oauthAccountStore) {
+          return new Response(null, {
+            status: 302,
+            headers: {
+              Location: `${errorRedirect}?error=provider_not_configured`,
+              ...securityHeaders()
+            }
+          });
+        }
+        const oauthCookieEntry = request.headers.get("cookie")?.split(";").find((c) => c.trim().startsWith("vertz.oauth="));
+        const encryptedState = oauthCookieEntry ? oauthCookieEntry.trim().slice("vertz.oauth=".length) : undefined;
+        if (!encryptedState) {
+          return new Response(null, {
+            status: 302,
+            headers: {
+              Location: `${errorRedirect}?error=invalid_state`,
+              ...securityHeaders()
+            }
+          });
+        }
+        const decryptedState = await decrypt(encryptedState, oauthEncryptionKey);
+        if (!decryptedState) {
+          return new Response(null, {
+            status: 302,
+            headers: {
+              Location: `${errorRedirect}?error=invalid_state`,
+              ...securityHeaders()
+            }
+          });
+        }
+        const stateData = JSON.parse(decryptedState);
+        const queryState = url.searchParams.get("state");
+        const code = url.searchParams.get("code");
+        const providerError = url.searchParams.get("error");
+        if (providerError) {
+          const headers = new Headers({
+            Location: `${errorRedirect}?error=${encodeURIComponent(providerError)}`,
+            ...securityHeaders()
+          });
+          headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+          return new Response(null, { status: 302, headers });
+        }
+        if (stateData.state !== queryState || stateData.provider !== providerId) {
+          const headers = new Headers({
+            Location: `${errorRedirect}?error=invalid_state`,
+            ...securityHeaders()
+          });
+          headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+          return new Response(null, { status: 302, headers });
+        }
+        if (stateData.expiresAt < Date.now()) {
+          const headers = new Headers({
+            Location: `${errorRedirect}?error=invalid_state`,
+            ...securityHeaders()
+          });
+          headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+          return new Response(null, { status: 302, headers });
+        }
+        try {
+          const tokens = await provider.exchangeCode(code ?? "", stateData.codeVerifier);
+          const userInfo = await provider.getUserInfo(tokens.accessToken, tokens.idToken, stateData.nonce);
+          const responseHeaders = new Headers({
+            Location: oauthSuccessRedirect,
+            ...securityHeaders()
+          });
+          responseHeaders.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+          let userId = null;
+          userId = await oauthAccountStore.findByProviderAccount(provider.id, userInfo.providerId);
+          if (!userId) {
+            if (provider.trustEmail && userInfo.emailVerified) {
+              const existingUser = await userStore.findByEmail(userInfo.email.toLowerCase());
+              if (existingUser) {
+                userId = existingUser.user.id;
+                await oauthAccountStore.linkAccount(userId, provider.id, userInfo.providerId, userInfo.email);
+              }
+            }
+            if (!userId) {
+              if (!userInfo.email || !userInfo.email.includes("@")) {
+                const headers = new Headers({
+                  Location: `${errorRedirect}?error=email_required`,
+                  ...securityHeaders()
+                });
+                headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+                return new Response(null, { status: 302, headers });
+              }
+              const now = new Date;
+              const newUser = {
+                id: crypto.randomUUID(),
+                email: userInfo.email.toLowerCase(),
+                role: "user",
+                createdAt: now,
+                updatedAt: now
+              };
+              await userStore.createUser(newUser, null);
+              userId = newUser.id;
+              await oauthAccountStore.linkAccount(userId, provider.id, userInfo.providerId, userInfo.email);
+            }
+          }
+          const user = await userStore.findById(userId);
+          if (!user) {
+            return new Response(null, {
+              status: 302,
+              headers: {
+                Location: `${errorRedirect}?error=user_info_failed`,
+                ...securityHeaders()
+              }
+            });
+          }
+          const sessionId = crypto.randomUUID();
+          const sessionTokens = await createSessionTokens(user, sessionId);
+          const refreshTokenHash = await sha256Hex(sessionTokens.refreshToken);
+          const ipAddress = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? request.headers.get("x-real-ip") ?? "";
+          const userAgent = request.headers.get("user-agent") ?? "";
+          await sessionStore.createSessionWithId(sessionId, {
+            userId: user.id,
+            refreshTokenHash,
+            ipAddress,
+            userAgent,
+            expiresAt: new Date(Date.now() + refreshTtlMs),
+            currentTokens: { jwt: sessionTokens.jwt, refreshToken: sessionTokens.refreshToken }
+          });
+          responseHeaders.append("Set-Cookie", buildSessionCookie(sessionTokens.jwt, cookieConfig));
+          responseHeaders.append("Set-Cookie", buildRefreshCookie(sessionTokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+          return new Response(null, { status: 302, headers: responseHeaders });
+        } catch {
+          const headers = new Headers({
+            Location: `${errorRedirect}?error=token_exchange_failed`,
+            ...securityHeaders()
+          });
+          headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+          return new Response(null, { status: 302, headers });
+        }
+      }
+      if (method === "POST" && path === "/mfa/challenge") {
+        if (!mfaStore || !oauthEncryptionKey) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const challengeIp = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "default";
+        const challengeRateLimit = await rateLimitStore.check(`mfa-challenge:${challengeIp}`, 5, signInWindowMs);
+        if (!challengeRateLimit.allowed) {
+          return new Response(JSON.stringify({ error: createAuthRateLimitedError("Too many MFA attempts") }), {
+            status: 429,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const mfaCookieEntry = request.headers.get("cookie")?.split(";").find((c) => c.trim().startsWith("vertz.mfa="));
+        const mfaToken = mfaCookieEntry ? mfaCookieEntry.trim().slice("vertz.mfa=".length) : undefined;
+        if (!mfaToken) {
+          return new Response(JSON.stringify({
+            error: { code: "SESSION_EXPIRED", message: "No MFA challenge token" }
+          }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const decrypted = await decrypt(mfaToken, oauthEncryptionKey);
+        if (!decrypted) {
+          return new Response(JSON.stringify({
+            error: { code: "SESSION_EXPIRED", message: "Invalid MFA challenge token" }
+          }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const challengeData = JSON.parse(decrypted);
+        if (challengeData.expiresAt < Date.now()) {
+          return new Response(JSON.stringify({
+            error: { code: "SESSION_EXPIRED", message: "MFA challenge expired" }
+          }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        const userId = challengeData.userId;
+        const encryptedSecret = await mfaStore.getSecret(userId);
+        if (!encryptedSecret) {
+          return new Response(JSON.stringify({ error: createMfaNotEnabledError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const totpSecret = await decrypt(encryptedSecret, oauthEncryptionKey);
+        if (!totpSecret) {
+          return new Response(JSON.stringify({ error: "Internal error" }), {
+            status: 500,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        let codeValid = await verifyTotpCode(totpSecret, body.code);
+        if (!codeValid) {
+          const hashedCodes = await mfaStore.getBackupCodes(userId);
+          for (const hashed of hashedCodes) {
+            if (await verifyBackupCode(body.code, hashed)) {
+              await mfaStore.consumeBackupCode(userId, hashed);
+              codeValid = true;
+              break;
+            }
+          }
+        }
+        if (!codeValid) {
+          return new Response(JSON.stringify({ error: createMfaInvalidCodeError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const user = await userStore.findById(userId);
+        if (!user) {
+          return new Response(JSON.stringify({ error: "User not found" }), {
+            status: 500,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionId = crypto.randomUUID();
+        const fvaTimestamp = Math.floor(Date.now() / 1000);
+        const tokens = await createSessionTokens(user, sessionId, { fva: fvaTimestamp });
+        const refreshTokenHash = await sha256Hex(tokens.refreshToken);
+        const ipAddress = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? request.headers.get("x-real-ip") ?? "";
+        const userAgent = request.headers.get("user-agent") ?? "";
+        await sessionStore.createSessionWithId(sessionId, {
+          userId: user.id,
+          refreshTokenHash,
+          ipAddress,
+          userAgent,
+          expiresAt: new Date(Date.now() + refreshTtlMs),
+          currentTokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+        });
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        headers.append("Set-Cookie", buildSessionCookie(tokens.jwt, cookieConfig));
+        headers.append("Set-Cookie", buildRefreshCookie(tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        headers.append("Set-Cookie", buildMfaChallengeCookie("", cookieConfig, true));
+        return new Response(JSON.stringify({ user }), {
+          status: 200,
+          headers
+        });
+      }
+      if (method === "POST" && path === "/mfa/setup") {
+        if (!mfaStore) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const alreadyEnabled = await mfaStore.isMfaEnabled(userId);
+        if (alreadyEnabled) {
+          return new Response(JSON.stringify({ error: createMfaAlreadyEnabledError() }), {
+            status: 409,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const secret = generateTotpSecret();
+        const uri = generateTotpUri(secret, sessionResult.data.user.email, mfaIssuer);
+        pendingMfaSecrets.set(userId, { secret, createdAt: Date.now() });
+        return new Response(JSON.stringify({ secret, uri }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/mfa/verify-setup") {
+        if (!mfaStore || !oauthEncryptionKey) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const pendingEntry = pendingMfaSecrets.get(userId);
+        if (!pendingEntry || Date.now() - pendingEntry.createdAt > PENDING_MFA_TTL) {
+          if (pendingEntry)
+            pendingMfaSecrets.delete(userId);
+          return new Response(JSON.stringify({ error: createMfaNotEnabledError("No pending MFA setup") }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        const valid = await verifyTotpCode(pendingEntry.secret, body.code);
+        if (!valid) {
+          return new Response(JSON.stringify({ error: createMfaInvalidCodeError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const encryptedSecret = await encrypt(pendingEntry.secret, oauthEncryptionKey);
+        await mfaStore.enableMfa(userId, encryptedSecret);
+        pendingMfaSecrets.delete(userId);
+        const backupCodes = generateBackupCodes(mfaBackupCodeCount);
+        const hashedCodes = await Promise.all(backupCodes.map((c) => hashBackupCode(c)));
+        await mfaStore.setBackupCodes(userId, hashedCodes);
+        return new Response(JSON.stringify({ backupCodes }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/mfa/disable") {
+        if (!mfaStore) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const body = await request.json();
+        const stored = await userStore.findByEmail(sessionResult.data.user.email);
+        if (!stored || !stored.passwordHash) {
+          return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const valid = await verifyPassword(body.password, stored.passwordHash);
+        if (!valid) {
+          return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        await mfaStore.disableMfa(userId);
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/mfa/backup-codes") {
+        if (!mfaStore) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        const stored = await userStore.findByEmail(sessionResult.data.user.email);
+        if (!stored || !stored.passwordHash) {
+          return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const valid = await verifyPassword(body.password, stored.passwordHash);
+        if (!valid) {
+          return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const backupCodes = generateBackupCodes(mfaBackupCodeCount);
+        const hashedCodes = await Promise.all(backupCodes.map((c) => hashBackupCode(c)));
+        await mfaStore.setBackupCodes(userId, hashedCodes);
+        return new Response(JSON.stringify({ backupCodes }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "GET" && path === "/mfa/status") {
+        if (!mfaStore) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const enabled = await mfaStore.isMfaEnabled(userId);
+        const codes = await mfaStore.getBackupCodes(userId);
+        return new Response(JSON.stringify({
+          enabled,
+          hasBackupCodes: codes.length > 0,
+          backupCodesRemaining: codes.length
+        }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/mfa/step-up") {
+        if (!mfaStore || !oauthEncryptionKey) {
+          return new Response(JSON.stringify({ error: "MFA not configured" }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const stepUpIp = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "default";
+        const stepUpRateLimit = await rateLimitStore.check(`mfa-stepup:${stepUpIp}`, 5, signInWindowMs);
+        if (!stepUpRateLimit.allowed) {
+          return new Response(JSON.stringify({ error: createAuthRateLimitedError("Too many step-up attempts") }), {
+            status: 429,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const encryptedSecret = await mfaStore.getSecret(userId);
+        if (!encryptedSecret) {
+          return new Response(JSON.stringify({ error: createMfaNotEnabledError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const totpSecret = await decrypt(encryptedSecret, oauthEncryptionKey);
+        if (!totpSecret) {
+          return new Response(JSON.stringify({ error: "Internal error" }), {
             status: 500,
-            headers: { "Content-Type": "application/json" }
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        const valid = await verifyTotpCode(totpSecret, body.code);
+        if (!valid) {
+          return new Response(JSON.stringify({ error: createMfaInvalidCodeError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const user = sessionResult.data.user;
+        const currentSid = sessionResult.data.payload.sid;
+        const fvaTimestamp = Math.floor(Date.now() / 1000);
+        const tokens = await createSessionTokens(user, currentSid, { fva: fvaTimestamp });
+        const newRefreshHash = await sha256Hex(tokens.refreshToken);
+        const oldTokens = await sessionStore.getCurrentTokens(currentSid);
+        const previousRefreshHash = oldTokens ? await sha256Hex(oldTokens.refreshToken) : newRefreshHash;
+        await sessionStore.updateSession(currentSid, {
+          refreshTokenHash: newRefreshHash,
+          previousRefreshHash,
+          lastActiveAt: new Date,
+          currentTokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+        });
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        headers.append("Set-Cookie", buildSessionCookie(tokens.jwt, cookieConfig));
+        headers.append("Set-Cookie", buildRefreshCookie(tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        return new Response(JSON.stringify({ user }), {
+          status: 200,
+          headers
+        });
+      }
+      if (method === "POST" && path === "/verify-email") {
+        if (!emailVerificationStore || !emailVerificationEnabled) {
+          return new Response(JSON.stringify({
+            error: {
+              code: "AUTH_VALIDATION_ERROR",
+              message: "Email verification not configured"
+            }
+          }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        if (!body.token) {
+          return new Response(JSON.stringify({ error: createTokenInvalidError("Token is required") }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const tokenHash = await sha256Hex(body.token);
+        const verification = await emailVerificationStore.findByTokenHash(tokenHash);
+        if (!verification) {
+          return new Response(JSON.stringify({ error: createTokenInvalidError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        if (verification.expiresAt < new Date) {
+          await emailVerificationStore.deleteByTokenHash(tokenHash);
+          return new Response(JSON.stringify({ error: createTokenExpiredError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        await userStore.updateEmailVerified(verification.userId, true);
+        await emailVerificationStore.deleteByUserId(verification.userId);
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/resend-verification") {
+        if (!emailVerificationStore || !emailVerificationEnabled || !emailVerificationConfig?.onSend) {
+          return new Response(JSON.stringify({
+            error: {
+              code: "AUTH_VALIDATION_ERROR",
+              message: "Email verification not configured"
+            }
+          }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const userId = sessionResult.data.user.id;
+        const resendRateLimit = await rateLimitStore.check(`resend-verification:${userId}`, 3, parseDuration("1h"));
+        if (!resendRateLimit.allowed) {
+          return new Response(JSON.stringify({ error: createAuthRateLimitedError("Too many resend attempts") }), {
+            status: 429,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        await emailVerificationStore.deleteByUserId(userId);
+        const token = generateToken();
+        const tokenHash = await sha256Hex(token);
+        await emailVerificationStore.createVerification({
+          userId,
+          tokenHash,
+          expiresAt: new Date(Date.now() + emailVerificationTtlMs)
+        });
+        await emailVerificationConfig.onSend(sessionResult.data.user, token);
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
+      if (method === "POST" && path === "/forgot-password") {
+        if (!passwordResetStore || !passwordResetEnabled || !passwordResetConfig?.onSend) {
+          return new Response(JSON.stringify({
+            error: { code: "AUTH_VALIDATION_ERROR", message: "Password reset not configured" }
+          }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const body = await request.json();
+        const forgotRateLimit = await rateLimitStore.check(`forgot-password:${(body.email ?? "").toLowerCase()}`, 3, parseDuration("1h"));
+        if (!forgotRateLimit.allowed) {
+          return new Response(JSON.stringify({ ok: true }), {
+            status: 200,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        return new Response(JSON.stringify({ session: result.data }), {
+        const stored = await userStore.findByEmail((body.email ?? "").toLowerCase());
+        if (stored) {
+          const token = generateToken();
+          const tokenHash = await sha256Hex(token);
+          await passwordResetStore.createReset({
+            userId: stored.user.id,
+            tokenHash,
+            expiresAt: new Date(Date.now() + passwordResetTtlMs)
+          });
+          await passwordResetConfig.onSend(stored.user, token);
+        }
+        return new Response(JSON.stringify({ ok: true }), {
           status: 200,
-          headers: { "Content-Type": "application/json" }
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
         });
       }
-      if (method === "POST" && path === "/refresh") {
-        const result = await refreshSession({ headers: request.headers });
-        if (!result.ok) {
-          return new Response(JSON.stringify({ error: result.error }), {
-            status: authErrorToStatus(result.error),
-            headers: { "Content-Type": "application/json" }
+      if (method === "POST" && path === "/reset-password") {
+        if (!passwordResetStore || !passwordResetEnabled) {
+          return new Response(JSON.stringify({
+            error: { code: "AUTH_VALIDATION_ERROR", message: "Password reset not configured" }
+          }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
-        return new Response(JSON.stringify({ user: result.data.user }), {
-          status: 200,
-          headers: {
-            "Content-Type": "application/json",
-            "Set-Cookie": buildCookie(cookieValue)
+        const body = await request.json();
+        if (!body.token) {
+          return new Response(JSON.stringify({ error: createTokenInvalidError("Token is required") }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const passwordError = validatePassword(body.password, emailPassword?.password);
+        if (passwordError) {
+          return new Response(JSON.stringify({ error: passwordError }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const tokenHash = await sha256Hex(body.token);
+        const resetRecord = await passwordResetStore.findByTokenHash(tokenHash);
+        if (!resetRecord) {
+          return new Response(JSON.stringify({ error: createTokenInvalidError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        if (resetRecord.expiresAt < new Date) {
+          await passwordResetStore.deleteByUserId(resetRecord.userId);
+          return new Response(JSON.stringify({ error: createTokenExpiredError() }), {
+            status: 400,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const newPasswordHash = await hashPassword(body.password);
+        await userStore.updatePasswordHash(resetRecord.userId, newPasswordHash);
+        await passwordResetStore.deleteByUserId(resetRecord.userId);
+        if (revokeSessionsOnReset) {
+          const activeSessions = await sessionStore.listActiveSessions(resetRecord.userId);
+          for (const s of activeSessions) {
+            await sessionStore.revokeSession(s.id);
           }
+        }
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
         });
       }
       return new Response(JSON.stringify({ error: "Not found" }), {
@@ -610,17 +3535,6 @@ function createAuth(config) {
       });
     }
   }
-  function buildCookie(value, clear = false) {
-    const name = cookieConfig.name || "vertz.sid";
-    const maxAge = cookieConfig.maxAge ?? 60 * 60 * 24 * 7;
-    const path = cookieConfig.path || "/";
-    const sameSite = cookieConfig.sameSite || "lax";
-    const secure = cookieConfig.secure ?? true;
-    if (clear) {
-      return `${name}=; Path=${path}; HttpOnly; SameSite=${sameSite}; Max-Age=0`;
-    }
-    return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=${maxAge}`;
-  }
   function createMiddleware() {
     return async (ctx, next) => {
       const sessionResult = await getSession(ctx.headers);
@@ -642,13 +3556,25 @@ function createAuth(config) {
     signIn,
     signOut,
     getSession,
-    refreshSession
+    refreshSession,
+    listSessions,
+    revokeSession: revokeSessionById,
+    revokeAllSessions
   };
   return {
     handler: handleAuthRequest,
     api,
     middleware: createMiddleware,
-    initialize
+    initialize,
+    dispose() {
+      sessionStore.dispose();
+      rateLimitStore.dispose();
+      oauthAccountStore?.dispose();
+      mfaStore?.dispose();
+      emailVerificationStore?.dispose();
+      passwordResetStore?.dispose();
+      pendingMfaSecrets.clear();
+    }
   };
 }
 // src/create-server.ts
@@ -657,116 +3583,6 @@ import {
   createDatabaseBridgeAdapter
 } from "@vertz/db";
 
-// src/entity/access-enforcer.ts
-import { EntityForbiddenError, err as err2, ok as ok2 } from "@vertz/errors";
-async function enforceAccess(operation, accessRules, ctx, row) {
-  const rule = accessRules[operation];
-  if (rule === undefined) {
-    return err2(new EntityForbiddenError(`Access denied: no access rule for operation "${operation}"`));
-  }
-  if (rule === false) {
-    return err2(new EntityForbiddenError(`Operation "${operation}" is disabled`));
-  }
-  const allowed = await rule(ctx, row ?? {});
-  if (!allowed) {
-    return err2(new EntityForbiddenError(`Access denied for operation "${operation}"`));
-  }
-  return ok2(undefined);
-}
-
-// src/action/context.ts
-function createActionContext(request, registryProxy) {
-  const userId = request.userId ?? null;
-  const roles = request.roles ?? [];
-  const tenantId = request.tenantId ?? null;
-  return {
-    userId,
-    authenticated() {
-      return userId !== null;
-    },
-    tenant() {
-      return tenantId !== null;
-    },
-    role(...rolesToCheck) {
-      return rolesToCheck.some((r) => roles.includes(r));
-    },
-    entities: registryProxy
-  };
-}
-
-// src/action/route-generator.ts
-function jsonResponse(data, status = 200) {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { "content-type": "application/json" }
-  });
-}
-function extractRequestInfo(ctx) {
-  return {
-    userId: ctx.userId ?? null,
-    tenantId: ctx.tenantId ?? null,
-    roles: ctx.roles ?? []
-  };
-}
-function generateActionRoutes(def, registry, options) {
-  const prefix = options?.apiPrefix ?? "/api";
-  const inject = def.inject ?? {};
-  const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
-  const routes = [];
-  for (const [handlerName, handlerDef] of Object.entries(def.actions)) {
-    const accessRule = def.access[handlerName];
-    if (accessRule === undefined)
-      continue;
-    const method = (handlerDef.method ?? "POST").toUpperCase();
-    const handlerPath = handlerDef.path ?? `${prefix}/${def.name}/${handlerName}`;
-    const routePath = handlerDef.path ? handlerPath : `${prefix}/${def.name}/${handlerName}`;
-    if (accessRule === false) {
-      routes.push({
-        method,
-        path: routePath,
-        handler: async () => jsonResponse({
-          error: {
-            code: "MethodNotAllowed",
-            message: `Action "${handlerName}" is disabled for ${def.name}`
-          }
-        }, 405)
-      });
-      continue;
-    }
-    routes.push({
-      method,
-      path: routePath,
-      handler: async (ctx) => {
-        try {
-          const requestInfo = extractRequestInfo(ctx);
-          const actionCtx = createActionContext(requestInfo, registryProxy);
-          const accessResult = await enforceAccess(handlerName, def.access, actionCtx);
-          if (!accessResult.ok) {
-            return jsonResponse({ error: { code: "Forbidden", message: accessResult.error.message } }, 403);
-          }
-          const rawBody = ctx.body ?? {};
-          const parsed = handlerDef.body.parse(rawBody);
-          if (!parsed.ok) {
-            const message = parsed.error instanceof Error ? parsed.error.message : "Invalid request body";
-            return jsonResponse({ error: { code: "BadRequest", message } }, 400);
-          }
-          const result = await handlerDef.handler(parsed.data, actionCtx);
-          const responseParsed = handlerDef.response.parse(result);
-          if (!responseParsed.ok) {
-            const message = responseParsed.error instanceof Error ? responseParsed.error.message : "Response validation failed";
-            console.warn(`[vertz] Action response validation warning: ${message}`);
-          }
-          return jsonResponse(result, 200);
-        } catch (error) {
-          const message = error instanceof Error ? error.message : "Internal server error";
-          return jsonResponse({ error: { code: "InternalServerError", message } }, 500);
-        }
-      }
-    });
-  }
-  return routes;
-}
-
 // src/entity/entity-registry.ts
 class EntityRegistry {
   entries = new Map;
@@ -903,6 +3719,25 @@ import {
   err as err3,
   ok as ok3
 } from "@vertz/errors";
+
+// src/entity/access-enforcer.ts
+import { EntityForbiddenError, err as err2, ok as ok2 } from "@vertz/errors";
+async function enforceAccess(operation, accessRules, ctx, row) {
+  const rule = accessRules[operation];
+  if (rule === undefined) {
+    return err2(new EntityForbiddenError(`Access denied: no access rule for operation "${operation}"`));
+  }
+  if (rule === false) {
+    return err2(new EntityForbiddenError(`Operation "${operation}" is disabled`));
+  }
+  const allowed = await rule(ctx, row ?? {});
+  if (!allowed) {
+    return err2(new EntityForbiddenError(`Access denied for operation "${operation}"`));
+  }
+  return ok2(undefined);
+}
+
+// src/entity/action-pipeline.ts
 function createActionHandler(def, actionName, actionDef, db, hasId) {
   return async (ctx, id, rawInput) => {
     let row = null;
@@ -1263,7 +4098,7 @@ function validateVertzQL(options, table, relationsConfig) {
 }
 
 // src/entity/route-generator.ts
-function jsonResponse2(data, status = 200) {
+function jsonResponse(data, status = 200) {
   return new Response(JSON.stringify(data), {
     status,
     headers: { "content-type": "application/json" }
@@ -1272,7 +4107,7 @@ function jsonResponse2(data, status = 200) {
 function emptyResponse(status) {
   return new Response(null, { status });
 }
-function extractRequestInfo2(ctx) {
+function extractRequestInfo(ctx) {
   return {
     userId: ctx.userId ?? null,
     tenantId: ctx.tenantId ?? null,
@@ -1290,7 +4125,7 @@ function generateEntityRoutes(def, registry, db, options) {
   const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
   const routes = [];
   function makeEntityCtx(ctx) {
-    const requestInfo = extractRequestInfo2(ctx);
+    const requestInfo = extractRequestInfo(ctx);
     const entityOps = {};
     return createEntityContext(requestInfo, entityOps, registryProxy);
   }
@@ -1299,7 +4134,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method: "GET",
         path: basePath,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Operation "list" is disabled for ${def.name}`
@@ -1318,7 +4153,7 @@ function generateEntityRoutes(def, registry, db, options) {
             const relationsConfig = def.relations;
             const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
             if (!validation.ok) {
-              return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+              return jsonResponse({ error: { code: "BadRequest", message: validation.error } }, 400);
             }
             const options2 = {
               where: parsed.where ? parsed.where : undefined,
@@ -1329,15 +4164,15 @@ function generateEntityRoutes(def, registry, db, options) {
             const result = await crudHandlers.list(entityCtx, options2);
             if (!result.ok) {
               const { status, body } = entityErrorHandler(result.error);
-              return jsonResponse2(body, status);
+              return jsonResponse(body, status);
             }
             if (parsed.select && result.data.body.items) {
               result.data.body.items = result.data.body.items.map((row) => applySelect(parsed.select, row));
             }
-            return jsonResponse2(result.data.body, result.data.status);
+            return jsonResponse(result.data.body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1360,7 +4195,7 @@ function generateEntityRoutes(def, registry, db, options) {
           const relationsConfig = def.relations;
           const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
           if (!validation.ok) {
-            return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+            return jsonResponse({ error: { code: "BadRequest", message: validation.error } }, 400);
           }
           const options2 = {
             where: parsed.where,
@@ -1371,15 +4206,15 @@ function generateEntityRoutes(def, registry, db, options) {
           const result = await crudHandlers.list(entityCtx, options2);
           if (!result.ok) {
             const { status, body: errBody } = entityErrorHandler(result.error);
-            return jsonResponse2(errBody, status);
+            return jsonResponse(errBody, status);
           }
           if (parsed.select && result.data.body.items) {
             result.data.body.items = result.data.body.items.map((row) => applySelect(parsed.select, row));
           }
-          return jsonResponse2(result.data.body, result.data.status);
+          return jsonResponse(result.data.body, result.data.status);
         } catch (error) {
           const { status, body: errBody } = entityErrorHandler(error);
-          return jsonResponse2(errBody, status);
+          return jsonResponse(errBody, status);
         }
       }
     });
@@ -1389,7 +4224,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method: "GET",
         path: `${basePath}/:id`,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Operation "get" is disabled for ${def.name}`
@@ -1409,18 +4244,18 @@ function generateEntityRoutes(def, registry, db, options) {
             const relationsConfig = def.relations;
             const validation = validateVertzQL(parsed, def.model.table, relationsConfig);
             if (!validation.ok) {
-              return jsonResponse2({ error: { code: "BadRequest", message: validation.error } }, 400);
+              return jsonResponse({ error: { code: "BadRequest", message: validation.error } }, 400);
             }
             const result = await crudHandlers.get(entityCtx, id);
             if (!result.ok) {
               const { status, body: body2 } = entityErrorHandler(result.error);
-              return jsonResponse2(body2, status);
+              return jsonResponse(body2, status);
             }
             const body = parsed.select ? applySelect(parsed.select, result.data.body) : result.data.body;
-            return jsonResponse2(body, result.data.status);
+            return jsonResponse(body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1431,7 +4266,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method: "POST",
         path: basePath,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Operation "create" is disabled for ${def.name}`
@@ -1449,12 +4284,12 @@ function generateEntityRoutes(def, registry, db, options) {
             const result = await crudHandlers.create(entityCtx, data);
             if (!result.ok) {
               const { status, body } = entityErrorHandler(result.error);
-              return jsonResponse2(body, status);
+              return jsonResponse(body, status);
             }
-            return jsonResponse2(result.data.body, result.data.status);
+            return jsonResponse(result.data.body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1465,7 +4300,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method: "PATCH",
         path: `${basePath}/:id`,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Operation "update" is disabled for ${def.name}`
@@ -1484,12 +4319,12 @@ function generateEntityRoutes(def, registry, db, options) {
             const result = await crudHandlers.update(entityCtx, id, data);
             if (!result.ok) {
               const { status, body } = entityErrorHandler(result.error);
-              return jsonResponse2(body, status);
+              return jsonResponse(body, status);
             }
-            return jsonResponse2(result.data.body, result.data.status);
+            return jsonResponse(result.data.body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1500,7 +4335,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method: "DELETE",
         path: `${basePath}/:id`,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Operation "delete" is disabled for ${def.name}`
@@ -1518,15 +4353,15 @@ function generateEntityRoutes(def, registry, db, options) {
             const result = await crudHandlers.delete(entityCtx, id);
             if (!result.ok) {
               const { status, body } = entityErrorHandler(result.error);
-              return jsonResponse2(body, status);
+              return jsonResponse(body, status);
             }
             if (result.data.status === 204) {
               return emptyResponse(204);
             }
-            return jsonResponse2(result.data.body, result.data.status);
+            return jsonResponse(result.data.body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1542,7 +4377,7 @@ function generateEntityRoutes(def, registry, db, options) {
       routes.push({
         method,
         path: actionPath,
-        handler: async () => jsonResponse2({
+        handler: async () => jsonResponse({
           error: {
             code: "MethodNotAllowed",
             message: `Action "${actionName}" is disabled for ${def.name}`
@@ -1562,12 +4397,12 @@ function generateEntityRoutes(def, registry, db, options) {
             const result = await actionHandler(entityCtx, id, input);
             if (!result.ok) {
               const { status, body } = entityErrorHandler(result.error);
-              return jsonResponse2(body, status);
+              return jsonResponse(body, status);
             }
-            return jsonResponse2(result.data.body, result.data.status);
+            return jsonResponse(result.data.body, result.data.status);
           } catch (error) {
             const { status, body } = entityErrorHandler(error);
-            return jsonResponse2(body, status);
+            return jsonResponse(body, status);
           }
         }
       });
@@ -1576,6 +4411,99 @@ function generateEntityRoutes(def, registry, db, options) {
   return routes;
 }
 
+// src/service/context.ts
+function createServiceContext(request, registryProxy) {
+  const userId = request.userId ?? null;
+  const roles = request.roles ?? [];
+  const tenantId = request.tenantId ?? null;
+  return {
+    userId,
+    authenticated() {
+      return userId !== null;
+    },
+    tenant() {
+      return tenantId !== null;
+    },
+    role(...rolesToCheck) {
+      return rolesToCheck.some((r) => roles.includes(r));
+    },
+    entities: registryProxy
+  };
+}
+
+// src/service/route-generator.ts
+function jsonResponse2(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "content-type": "application/json" }
+  });
+}
+function extractRequestInfo2(ctx) {
+  return {
+    userId: ctx.userId ?? null,
+    tenantId: ctx.tenantId ?? null,
+    roles: ctx.roles ?? []
+  };
+}
+function generateServiceRoutes(def, registry, options) {
+  const prefix = options?.apiPrefix ?? "/api";
+  const inject = def.inject ?? {};
+  const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
+  const routes = [];
+  for (const [handlerName, handlerDef] of Object.entries(def.actions)) {
+    const accessRule = def.access[handlerName];
+    if (accessRule === undefined)
+      continue;
+    const method = (handlerDef.method ?? "POST").toUpperCase();
+    const handlerPath = handlerDef.path ?? `${prefix}/${def.name}/${handlerName}`;
+    const routePath = handlerDef.path ? handlerPath : `${prefix}/${def.name}/${handlerName}`;
+    if (accessRule === false) {
+      routes.push({
+        method,
+        path: routePath,
+        handler: async () => jsonResponse2({
+          error: {
+            code: "MethodNotAllowed",
+            message: `Action "${handlerName}" is disabled for ${def.name}`
+          }
+        }, 405)
+      });
+      continue;
+    }
+    routes.push({
+      method,
+      path: routePath,
+      handler: async (ctx) => {
+        try {
+          const requestInfo = extractRequestInfo2(ctx);
+          const serviceCtx = createServiceContext(requestInfo, registryProxy);
+          const accessResult = await enforceAccess(handlerName, def.access, serviceCtx);
+          if (!accessResult.ok) {
+            return jsonResponse2({ error: { code: "Forbidden", message: accessResult.error.message } }, 403);
+          }
+          const rawBody = ctx.body ?? {};
+          const parsed = handlerDef.body.parse(rawBody);
+          if (!parsed.ok) {
+            const message = parsed.error instanceof Error ? parsed.error.message : "Invalid request body";
+            return jsonResponse2({ error: { code: "BadRequest", message } }, 400);
+          }
+          const result = await handlerDef.handler(parsed.data, serviceCtx);
+          const responseParsed = handlerDef.response.parse(result);
+          if (!responseParsed.ok) {
+            const message = responseParsed.error instanceof Error ? responseParsed.error.message : "Response validation failed";
+            console.warn(`[vertz] Service response validation warning: ${message}`);
+          }
+          return jsonResponse2(result, 200);
+        } catch (error) {
+          const message = error instanceof Error ? error.message : "Internal server error";
+          return jsonResponse2({ error: { code: "InternalServerError", message } }, 500);
+        }
+      }
+    });
+  }
+  return routes;
+}
+
 // src/create-server.ts
 function isDatabaseClient(db) {
   return db !== null && typeof db === "object" && "_internals" in db;
@@ -1641,6 +4569,13 @@ function createServer(config) {
     const { db } = config;
     let dbFactory;
     if (db && isDatabaseClient(db)) {
+      const dbModels = db._internals.models;
+      const missing = config.entities.filter((e) => !(e.name in dbModels)).map((e) => `"${e.name}"`);
+      if (missing.length > 0) {
+        const registered = Object.keys(dbModels).map((k) => `"${k}"`).join(", ");
+        const plural = missing.length > 1;
+        throw new Error(`${plural ? "Entities" : "Entity"} ${missing.join(", ")} ${plural ? "are" : "is"} not registered in createDb(). ` + `Add the missing model${plural ? "s" : ""} to the models object in your createDb() call. ` + `Registered models: ${registered || "(none)"}`);
+      }
       dbFactory = (entityDef) => createDatabaseBridgeAdapter(db, entityDef.name);
     } else if (db) {
       dbFactory = () => db;
@@ -1660,9 +4595,9 @@ function createServer(config) {
       allRoutes.push(...routes);
     }
   }
-  if (config.actions && config.actions.length > 0) {
-    for (const actionDef of config.actions) {
-      const routes = generateActionRoutes(actionDef, registry, { apiPrefix });
+  if (config.services && config.services.length > 0) {
+    for (const serviceDef of config.services) {
+      const routes = generateServiceRoutes(serviceDef, registry, { apiPrefix });
       allRoutes.push(...routes);
     }
   }
@@ -1672,7 +4607,7 @@ function createServer(config) {
   });
 }
 // src/entity/entity.ts
-import { deepFreeze as deepFreeze2 } from "@vertz/core";
+import { deepFreeze } from "@vertz/core";
 var ENTITY_NAME_PATTERN = /^[a-z][a-z0-9-]*$/;
 function entity(name, config) {
   if (!name || !ENTITY_NAME_PATTERN.test(name)) {
@@ -1692,6 +4627,25 @@ function entity(name, config) {
     actions: config.actions ?? {},
     relations: config.relations ?? {}
   };
+  return deepFreeze(def);
+}
+// src/service/service.ts
+import { deepFreeze as deepFreeze2 } from "@vertz/core";
+var SERVICE_NAME_PATTERN = /^[a-z][a-z0-9-]*$/;
+function service(name, config) {
+  if (!name || !SERVICE_NAME_PATTERN.test(name)) {
+    throw new Error(`service() name must be a non-empty lowercase string matching /^[a-z][a-z0-9-]*$/. Got: "${name}"`);
+  }
+  if (!config.actions || Object.keys(config.actions).length === 0) {
+    throw new Error("service() requires at least one action in the actions config.");
+  }
+  const def = {
+    kind: "service",
+    name,
+    inject: config.inject ?? {},
+    access: config.access ?? {},
+    actions: config.actions
+  };
   return deepFreeze2(def);
 }
 export {
@@ -1700,14 +4654,22 @@ export {
   validatePassword,
   stripReadOnlyFields,
   stripHiddenFields,
+  service,
+  rules,
   makeImmutable,
   hashPassword,
+  google,
+  github,
   generateEntityRoutes,
   entityErrorHandler,
   entity,
   enforceAccess,
+  encodeAccessSet,
+  discord,
+  defineAccess,
   defaultAccess,
   deepFreeze3 as deepFreeze,
+  decodeAccessSet,
   createServer,
   createMiddleware,
   createImmutableProxy,
@@ -1715,14 +4677,31 @@ export {
   createEntityContext,
   createCrudHandlers,
   createAuth,
+  createAccessEventBroadcaster,
+  createAccessContext,
   createAccess,
-  action,
+  computeEntityAccess,
+  computeAccessSet,
+  checkFva,
+  calculateBillingPeriod,
   VertzException2 as VertzException,
   ValidationException2 as ValidationException,
   UnauthorizedException,
   ServiceUnavailableException,
   NotFoundException,
   InternalServerErrorException,
+  InMemoryWalletStore,
+  InMemoryUserStore,
+  InMemorySessionStore,
+  InMemoryRoleAssignmentStore,
+  InMemoryRateLimitStore,
+  InMemoryPlanStore,
+  InMemoryPasswordResetStore,
+  InMemoryOAuthAccountStore,
+  InMemoryMFAStore,
+  InMemoryFlagStore,
+  InMemoryEmailVerificationStore,
+  InMemoryClosureStore,
   ForbiddenException,
   EntityRegistry,
   ConflictException,