npm - @vertz/server - Versions diffs - 0.2.14 → 0.2.15 - Mend

@vertz/server 0.2.14 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -3,11 +3,68 @@ import { BadRequestException, ConflictException, createEnv, createImmutableProxy
 import { ModelEntry } from "@vertz/db";
 import { AuthError, Result } from "@vertz/errors";
 /**
-* defineAccess() — Phase 6 RBAC & Access Control configuration
+* rules.* builders — declarative access rule data structures.
 *
-* Replaces createAccess() with hierarchical RBAC: resources form trees,
-* roles inherit down the hierarchy, and entitlements map to roles/plans/flags.
+* These are pure data structures with no evaluation logic.
+* The access context evaluates them at runtime (sub-phase 4).
 */
+interface RoleRule {
+	readonly type: "role";
+	readonly roles: readonly string[];
+}
+interface EntitlementRule {
+	readonly type: "entitlement";
+	readonly entitlement: string;
+}
+interface WhereRule {
+	readonly type: "where";
+	readonly conditions: Record<string, unknown>;
+}
+interface AllRule {
+	readonly type: "all";
+	readonly rules: readonly AccessRule[];
+}
+interface AnyRule {
+	readonly type: "any";
+	readonly rules: readonly AccessRule[];
+}
+interface AuthenticatedRule {
+	readonly type: "authenticated";
+}
+interface PublicRule {
+	readonly type: "public";
+}
+interface FvaRule {
+	readonly type: "fva";
+	readonly maxAge: number;
+}
+type AccessRule = PublicRule | RoleRule | EntitlementRule | WhereRule | AllRule | AnyRule | AuthenticatedRule | FvaRule;
+interface UserMarker {
+	readonly __marker: string;
+}
+declare const rules: {
+	/** Endpoint is public — no authentication required */
+	public: PublicRule;
+	/** User has at least one of the specified roles (OR) */
+	role(...roleNames: string[]): RoleRule;
+	/** User has the specified entitlement (resolves role+plan+flag from defineAccess config) */
+	entitlement(name: string): EntitlementRule;
+	/** Row-level condition — DB query syntax. Use rules.user.id for dynamic user markers */
+	where(conditions: Record<string, unknown>): WhereRule;
+	/** All sub-rules must pass (AND) */
+	all(...ruleList: AccessRule[]): AllRule;
+	/** At least one sub-rule must pass (OR) */
+	any(...ruleList: AccessRule[]): AnyRule;
+	/** User must be authenticated (no specific role required) */
+	authenticated(): AuthenticatedRule;
+	/** User must have verified MFA within maxAge seconds */
+	fva(maxAge: number): FvaRule;
+	/** Declarative user markers — resolved at evaluation time */
+	user: {
+		readonly id: UserMarker;
+		readonly tenantId: UserMarker;
+	};
+};
 /** Denial reasons ordered by actionability (most actionable first) */
 type DenialReason = "plan_required" | "role_required" | "limit_reached" | "flag_disabled" | "hierarchy_denied" | "step_up_required" | "not_authenticated";
 /** Metadata attached to denial reasons */
@@ -16,9 +73,12 @@ interface DenialMeta {
 	requiredRoles?: string[];
 	disabledFlags?: string[];
 	limit?: {
+		key?: string;
 		max: number;
 		consumed: number;
 		remaining: number;
+		/** True when the tenant is consuming beyond the limit under overage billing */
+		overage?: boolean;
 	};
 	fvaMaxAge?: number;
 }
@@ -29,43 +89,120 @@ interface AccessCheckResult {
 	reason?: DenialReason;
 	meta?: DenialMeta;
 }
-/** Entitlement definition — maps to roles, optional plans and flags */
-interface EntitlementDef {
-	roles: string[];
-	plans?: string[];
-	flags?: string[];
-}
 /** Billing period for plan limits */
-type BillingPeriod = "month" | "day" | "hour";
-/** Limit definition within a plan */
+type BillingPeriod = "month" | "day" | "hour" | "quarter" | "year";
+/** Valid price intervals for plans */
+type PriceInterval = "month" | "quarter" | "year" | "one_off";
+/** Plan price definition */
+interface PlanPrice {
+	amount: number;
+	interval: PriceInterval;
+}
+/** Overage billing configuration for a limit */
+interface OverageConfig {
+	/** Price per unit of overage (e.g., 0.01 for $0.01 per extra unit) */
+	amount: number;
+	/** Units per charge (e.g., 1 = charge per unit, 100 = charge per 100 units) */
+	per: number;
+	/** Maximum overage charge per period (safety cap). Omit for no cap. */
+	cap?: number;
+}
+/** Limit definition within a plan — gates an entitlement with optional scoping */
 interface LimitDef {
-	per: BillingPeriod;
 	max: number;
-}
-/** Plan definition — which entitlements are included and their usage limits */
+	gates: string;
+	/** Billing period for the limit. Omitted = lifetime (no reset). */
+	per?: BillingPeriod;
+	/** Entity scope — omitted = tenant-level, string = per entity instance */
+	scope?: string;
+	/** Overage billing: allow usage beyond limit at per-unit cost */
+	overage?: OverageConfig;
+}
+/** Add-on compatibility — restricts which base plans an add-on can be attached to */
+interface AddOnRequires {
+	group: string;
+	plans: readonly string[] | string[];
+}
+/** Grace period duration for grandfathering policy */
+type GraceDuration = "1m" | "3m" | "6m" | "12m" | "indefinite";
+/** Grandfathering policy for a plan */
+interface GrandfatheringPolicy {
+	grace?: GraceDuration;
+}
+/** Plan definition — features, limits, metadata, and billing */
 interface PlanDef {
-	entitlements: readonly string[] | string[];
+	title?: string;
+	description?: string;
+	group?: string;
+	addOn?: boolean;
+	price?: PlanPrice;
+	features?: readonly string[] | string[];
 	limits?: Record<string, LimitDef>;
+	/** Grandfathering policy — how long existing tenants keep old version on plan change */
+	grandfathering?: GrandfatheringPolicy;
+	/** Add-on only: restricts attachment to tenants on compatible base plans */
+	requires?: AddOnRequires;
+}
+/** Entity definition — roles and optional inheritance from parent entity roles */
+interface EntityDef {
+	roles: readonly string[] | string[];
+	inherits?: Record<string, string>;
+}
+/** Resolved entitlement definition — roles + optional rules */
+interface EntitlementDef {
+	roles: string[];
+	rules?: AccessRule[];
+	flags?: string[];
+	/** Plan names that gate this entitlement (evaluated in Layer 4) */
+	plans?: string[];
 }
+/** Entitlement callback context — provides `where()` and `user` for attribute rules */
+interface RuleContext {
+	where(conditions: Record<string, unknown>): AccessRule;
+	user: {
+		readonly id: {
+			readonly __marker: string;
+		};
+		readonly tenantId: {
+			readonly __marker: string;
+		};
+	};
+}
+/** Entitlement value: object or callback returning object */
+type EntitlementValue = EntitlementDef | ((r: RuleContext) => EntitlementDef);
 /** The input config for defineAccess() */
 interface DefineAccessInput {
-	hierarchy: string[];
-	roles: Record<string, string[]>;
-	inheritance?: Record<string, Record<string, string>>;
-	entitlements: Record<string, EntitlementDef>;
+	entities: Record<string, EntityDef>;
+	entitlements: Record<string, EntitlementValue>;
 	plans?: Record<string, PlanDef>;
 	/** Fallback plan name when an org's plan expires. Defaults to 'free'. */
 	defaultPlan?: string;
 }
 /** The frozen config returned by defineAccess() */
 interface AccessDefinition {
+	/** Inferred hierarchy from inherits declarations */
 	readonly hierarchy: readonly string[];
+	/** Entities keyed by name */
+	readonly entities: Readonly<Record<string, Readonly<EntityDef>>>;
+	/** Roles per entity (derived from entities for downstream compat) */
 	readonly roles: Readonly<Record<string, readonly string[]>>;
+	/** Inheritance map per entity (derived from entities for downstream compat) */
 	readonly inheritance: Readonly<Record<string, Readonly<Record<string, string>>>>;
+	/** Resolved entitlements */
 	readonly entitlements: Readonly<Record<string, Readonly<EntitlementDef>>>;
 	readonly plans?: Readonly<Record<string, Readonly<PlanDef>>>;
 	/** Fallback plan name when an org's plan expires. Defaults to 'free'. */
 	readonly defaultPlan?: string;
+	/**
+	* Computed: Set of entitlements that are gated by at least one plan's `features`.
+	* If an entitlement is in this set, a plan check is required during `can()`.
+	*/
+	readonly _planGatedEntitlements: ReadonlySet<string>;
+	/**
+	* Computed: Map from entitlement to all limit keys that gate it.
+	* Used during can() to find all limits that need to pass for an entitlement.
+	*/
+	readonly _entitlementToLimitKeys: Readonly<Record<string, readonly string[]>>;
 }
 declare function defineAccess(input: DefineAccessInput): AccessDefinition;
 /**
@@ -153,12 +290,40 @@ declare class InMemoryFlagStore implements FlagStore {
 	getFlag(orgId: string, flag: string): boolean;
 	getFlags(orgId: string): Record<string, boolean>;
 }
+/** Limit override: add (additive) or max (hard cap) */
+interface LimitOverrideDef {
+	add?: number;
+	max?: number;
+}
+/** Per-tenant overrides */
+interface TenantOverrides {
+	features?: string[];
+	limits?: Record<string, LimitOverrideDef>;
+}
+interface OverrideStore {
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
+	dispose(): void;
+}
+declare class InMemoryOverrideStore implements OverrideStore {
+	private overrides;
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
+	dispose(): void;
+}
 /**
-* PlanStore — org-level plan assignments with overrides.
-*
-* Stores which plan an organization is on, when it started,
-* optional expiration, and per-customer limit overrides.
+* Validate tenant overrides against the access definition.
+* Throws on invalid limit keys, invalid feature names, or invalid max values.
 */
+declare function validateOverrides(accessDef: AccessDefinition, overrides: TenantOverrides): void;
 /** Per-customer limit override. Only affects the cap, not the billing period. */
 interface LimitOverride {
 	max: number;
@@ -179,14 +344,85 @@ interface PlanStore {
 	getPlan(orgId: string): Promise<OrgPlan | null>;
 	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
 	removePlan(orgId: string): Promise<void>;
+	/** Attach an add-on to an org. */
+	attachAddOn?(orgId: string, addOnId: string): Promise<void>;
+	/** Detach an add-on from an org. */
+	detachAddOn?(orgId: string, addOnId: string): Promise<void>;
+	/** Get all active add-on IDs for an org. */
+	getAddOns?(orgId: string): Promise<string[]>;
+	/** List all org IDs assigned to a specific plan. */
+	listByPlan?(planId: string): Promise<string[]>;
 	dispose(): void;
 }
 declare class InMemoryPlanStore implements PlanStore {
 	private plans;
+	private addOns;
 	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
 	getPlan(orgId: string): Promise<OrgPlan | null>;
 	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
 	removePlan(orgId: string): Promise<void>;
+	attachAddOn(orgId: string, addOnId: string): Promise<void>;
+	detachAddOn(orgId: string, addOnId: string): Promise<void>;
+	getAddOns(orgId: string): Promise<string[]>;
+	listByPlan(planId: string): Promise<string[]>;
+	dispose(): void;
+}
+/**
+* Check if an add-on is compatible with a given base plan.
+* Returns true if the add-on has no `requires` or if the plan is in the requires list.
+*/
+declare function checkAddOnCompatibility(accessDef: AccessDefinition, addOnId: string, currentPlanId: string): boolean;
+/**
+* Get add-ons that are incompatible with a target plan.
+* Used to flag incompatible add-ons when a tenant downgrades.
+*/
+declare function getIncompatibleAddOns(accessDef: AccessDefinition, activeAddOnIds: string[], targetPlanId: string): string[];
+/**
+* Plan Version Store — tracks versioned snapshots of plan configurations.
+*
+* When a plan's config changes (hash differs), a new version is created
+* with a snapshot of the plan's features, limits, and price at that point.
+*/
+interface PlanSnapshot {
+	features: readonly string[] | string[];
+	limits: Record<string, unknown>;
+	price: {
+		amount: number;
+		interval: string;
+	} | null;
+}
+interface PlanVersionInfo {
+	planId: string;
+	version: number;
+	hash: string;
+	snapshot: PlanSnapshot;
+	createdAt: Date;
+}
+interface PlanVersionStore {
+	/** Create a new version for a plan. Returns the version number. */
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	/** Get the current (latest) version number for a plan. Returns null if no versions exist. */
+	getCurrentVersion(planId: string): Promise<number | null>;
+	/** Get a specific version's info. Returns null if not found. */
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	/** Get the version number a tenant is on for a given plan. Returns null if not set. */
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	/** Set the version number a tenant is on for a given plan. */
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	/** Get the hash of the current (latest) version for a plan. Returns null if no versions. */
+	getCurrentHash(planId: string): Promise<string | null>;
+	/** Clean up resources. */
+	dispose(): void;
+}
+declare class InMemoryPlanVersionStore implements PlanVersionStore {
+	private versions;
+	private tenantVersions;
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	getCurrentVersion(planId: string): Promise<number | null>;
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	getCurrentHash(planId: string): Promise<string | null>;
 	dispose(): void;
 }
 /**
@@ -239,8 +475,12 @@ interface AccessContextConfig {
 	planStore?: PlanStore;
 	/** Wallet store — required for Layer 5 wallet checks and canAndConsume() */
 	walletStore?: WalletStore;
+	/** Override store — per-tenant feature and limit overrides */
+	overrideStore?: OverrideStore;
 	/** Resolves an org ID from a resource. Required for plan/wallet checks. */
 	orgResolver?: (resource?: ResourceRef) => Promise<string | null>;
+	/** Plan version store — required for versioned plan resolution (grandfathered tenants) */
+	planVersionStore?: PlanVersionStore;
 }
 interface AccessContext {
 	can(entitlement: string, resource?: ResourceRef): Promise<boolean>;
@@ -250,6 +490,8 @@ interface AccessContext {
 		entitlement: string;
 		resource?: ResourceRef;
 	}>): Promise<Map<string, boolean>>;
+	/** Batch check: single entitlement across multiple entities. Returns Map<entityId, boolean>. */
+	canBatch(entitlement: string, resources: ResourceRef[]): Promise<Map<string, boolean>>;
 	/** Atomic check + consume. Runs full can() then increments wallet if all layers pass. */
 	canAndConsume(entitlement: string, resource?: ResourceRef, amount?: number): Promise<boolean>;
 	/** Rollback a previous canAndConsume(). Use when the operation fails after consumption. */
@@ -766,6 +1008,23 @@ type AccessEvent = {
 } | {
 	type: "access:plan_changed";
 	orgId: string;
+} | {
+	type: "access:plan_assigned";
+	orgId: string;
+	planId: string;
+} | {
+	type: "access:addon_attached";
+	orgId: string;
+	addonId: string;
+} | {
+	type: "access:addon_detached";
+	orgId: string;
+	addonId: string;
+} | {
+	type: "access:limit_reset";
+	orgId: string;
+	entitlement: string;
+	max: number;
 };
 interface AccessWsData {
 	userId: string;
@@ -790,6 +1049,10 @@ interface AccessEventBroadcaster {
 	broadcastLimitUpdate(orgId: string, entitlement: string, consumed: number, remaining: number, max: number): void;
 	broadcastRoleChange(userId: string): void;
 	broadcastPlanChange(orgId: string): void;
+	broadcastPlanAssigned(orgId: string, planId: string): void;
+	broadcastAddonAttached(orgId: string, addonId: string): void;
+	broadcastAddonDetached(orgId: string, addonId: string): void;
+	broadcastLimitReset(orgId: string, entitlement: string, max: number): void;
 	getConnectionCount: number;
 }
 /** Minimal Bun.Server interface for WebSocket upgrade */
@@ -806,6 +1069,161 @@ interface BunWebSocket<T> {
 	ping(): void;
 }
 declare function createAccessEventBroadcaster(config: AccessEventBroadcasterConfig): AccessEventBroadcaster;
+import { ModelDef } from "@vertz/db";
+declare const authModels: Record<string, ModelDef>;
+import { QueryResult, ReadError } from "@vertz/db";
+import { SqlFragment } from "@vertz/db/sql";
+import { Result as Result2 } from "@vertz/errors";
+/**
+* Minimal database interface for auth stores.
+* Only requires raw query capability and dialect info.
+*/
+interface AuthDbClient {
+	query<T = Record<string, unknown>>(fragment: SqlFragment): Promise<Result2<QueryResult<T>, ReadError>>;
+	_internals: {
+		readonly models: Record<string, unknown>;
+		readonly dialect: {
+			readonly name: "postgres" | "sqlite";
+		};
+	};
+}
+/**
+* Dialect-aware DDL helpers for auth table creation.
+*
+* Produces SQL column type fragments for SQLite and PostgreSQL,
+* enabling portable CREATE TABLE statements.
+*/
+type DbDialectName = "sqlite" | "postgres";
+/**
+* Names of all auth tables — used for model validation.
+*/
+declare const AUTH_TABLE_NAMES: readonly ["auth_users", "auth_sessions", "auth_oauth_accounts", "auth_role_assignments", "auth_closure", "auth_plans", "auth_plan_addons", "auth_flags", "auth_overrides"];
+/**
+* Validate that all required auth models are registered in the DatabaseClient.
+*
+* Throws a prescriptive error when models are missing, telling the developer
+* exactly what to add to their createDb() call.
+*/
+declare function validateAuthModels(db: AuthDbClient): void;
+/**
+* Initialize auth tables in the database.
+*
+* Executes CREATE TABLE IF NOT EXISTS for all 9 auth tables.
+* Idempotent — safe to call on every server start.
+*/
+declare function initializeAuthTables(db: AuthDbClient): Promise<void>;
+interface BillingAdapter {
+	/** Push plan definitions to the payment processor. Idempotent. */
+	syncPlans(plans: Record<string, PlanDef>): Promise<void>;
+	/** Create a subscription for a tenant. */
+	createSubscription(tenantId: string, planId: string): Promise<string>;
+	/** Cancel a tenant's subscription. */
+	cancelSubscription(tenantId: string): Promise<void>;
+	/** Attach an add-on to a tenant's subscription. */
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	/** Report metered usage (overage) for a tenant. */
+	reportOverage(tenantId: string, limitKey: string, amount: number): Promise<void>;
+	/** Get the billing portal URL for a tenant. */
+	getPortalUrl(tenantId: string): Promise<string>;
+}
+/**
+* Billing Event Emitter — typed event system for billing lifecycle events.
+*
+* Events: subscription:created, subscription:canceled, billing:payment_failed
+*/
+type BillingEventType = "subscription:created" | "subscription:canceled" | "billing:payment_failed";
+interface BillingEvent {
+	tenantId: string;
+	planId: string;
+	attempt?: number;
+}
+type BillingEventHandler = (event: BillingEvent) => void;
+interface BillingEventEmitter {
+	on(eventType: BillingEventType, handler: BillingEventHandler): void;
+	off(eventType: BillingEventType, handler: BillingEventHandler): void;
+	emit(eventType: BillingEventType, event: BillingEvent): void;
+}
+declare function createBillingEventEmitter(): BillingEventEmitter;
+/**
+* Overage Computation — calculates overage charges for limit usage.
+*
+* Formula: (consumed - max) * rate, capped if cap is specified.
+* Returns 0 if usage is within the limit.
+*/
+interface OverageInput {
+	consumed: number;
+	max: number;
+	rate: number;
+	cap?: number;
+}
+/**
+* Compute overage charge for a given usage period.
+*
+* @returns The overage charge amount (0 if within limit)
+*/
+declare function computeOverage(input: OverageInput): number;
+interface StripeProduct {
+	id: string;
+	name: string;
+	metadata: Record<string, string>;
+}
+interface StripePrice {
+	id: string;
+	product: string;
+	unit_amount: number;
+	recurring: {
+		interval: string;
+	} | null;
+	active: boolean;
+	metadata: Record<string, string>;
+}
+interface StripeClient {
+	products: {
+		list(): Promise<{
+			data: StripeProduct[];
+		}>;
+		create(params: {
+			name: string;
+			metadata: Record<string, string>;
+			description?: string;
+		}): Promise<StripeProduct>;
+		update(id: string, params: {
+			name?: string;
+			metadata?: Record<string, string>;
+		}): Promise<StripeProduct>;
+	};
+	prices: {
+		list(params: {
+			product: string;
+		}): Promise<{
+			data: StripePrice[];
+		}>;
+		create(params: {
+			product: string;
+			unit_amount: number;
+			currency: string;
+			recurring?: {
+				interval: string;
+			};
+			metadata: Record<string, string>;
+		}): Promise<StripePrice>;
+		update(id: string, params: {
+			active: boolean;
+		}): Promise<StripePrice>;
+	};
+}
+interface StripeBillingAdapterConfig {
+	stripe: StripeClient;
+	currency?: string;
+}
+declare function createStripeBillingAdapter(config: StripeBillingAdapterConfig): BillingAdapter;
+interface WebhookHandlerConfig {
+	planStore: PlanStore;
+	emitter: BillingEventEmitter;
+	defaultPlan: string;
+	webhookSecret: string;
+}
+declare function createWebhookHandler(config: WebhookHandlerConfig): (request: Request) => Promise<Response>;
 interface Period {
 	periodStart: Date;
 	periodEnd: Date;
@@ -817,6 +1235,102 @@ interface Period {
 * the period containing now. For 'day'/'hour': uses fixed-duration periods.
 */
 declare function calculateBillingPeriod(startedAt: Date, per: BillingPeriod, now?: Date): Period;
+declare class DbClosureStore implements ClosureStore {
+	private db;
+	constructor(db: AuthDbClient);
+	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
+	removeResource(type: string, id: string): Promise<void>;
+	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
+	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
+	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+	dispose(): void;
+}
+declare class DbFlagStore implements FlagStore {
+	private db;
+	private cache;
+	constructor(db: AuthDbClient);
+	/**
+	* Load all flags from DB into memory. Call once on initialization.
+	*/
+	loadFlags(): Promise<void>;
+	setFlag(orgId: string, flag: string, enabled: boolean): void;
+	getFlag(orgId: string, flag: string): boolean;
+	getFlags(orgId: string): Record<string, boolean>;
+}
+declare class DbOAuthAccountStore implements OAuthAccountStore {
+	private db;
+	constructor(db: AuthDbClient);
+	linkAccount(userId: string, provider: string, providerId: string, email?: string): Promise<void>;
+	findByProviderAccount(provider: string, providerId: string): Promise<string | null>;
+	findByUserId(userId: string): Promise<{
+		provider: string;
+		providerId: string;
+	}[]>;
+	unlinkAccount(userId: string, provider: string): Promise<void>;
+	dispose(): void;
+}
+declare class DbPlanStore implements PlanStore {
+	private db;
+	constructor(db: AuthDbClient);
+	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	getPlan(orgId: string): Promise<OrgPlan | null>;
+	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	removePlan(orgId: string): Promise<void>;
+	attachAddOn(orgId: string, addOnId: string): Promise<void>;
+	detachAddOn(orgId: string, addOnId: string): Promise<void>;
+	getAddOns(orgId: string): Promise<string[]>;
+	dispose(): void;
+	private loadOverrides;
+}
+declare class DbRoleAssignmentStore implements RoleAssignmentStore {
+	private db;
+	constructor(db: AuthDbClient);
+	assign(userId: string, resourceType: string, resourceId: string, role: string): Promise<void>;
+	revoke(userId: string, resourceType: string, resourceId: string, role: string): Promise<void>;
+	getRoles(userId: string, resourceType: string, resourceId: string): Promise<string[]>;
+	getRolesForUser(userId: string): Promise<RoleAssignment[]>;
+	getEffectiveRole(userId: string, resourceType: string, resourceId: string, accessDef: AccessDefinition, closureStore: ClosureStore): Promise<string | null>;
+	dispose(): void;
+}
+declare class DbSessionStore implements SessionStore {
+	private db;
+	constructor(db: AuthDbClient);
+	createSessionWithId(id: string, data: {
+		userId: string;
+		refreshTokenHash: string;
+		ipAddress: string;
+		userAgent: string;
+		expiresAt: Date;
+		currentTokens?: AuthTokens;
+	}): Promise<StoredSession>;
+	findByRefreshHash(hash: string): Promise<StoredSession | null>;
+	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
+	revokeSession(id: string): Promise<void>;
+	listActiveSessions(userId: string): Promise<StoredSession[]>;
+	countActiveSessions(userId: string): Promise<number>;
+	getCurrentTokens(sessionId: string): Promise<AuthTokens | null>;
+	updateSession(id: string, data: {
+		refreshTokenHash: string;
+		previousRefreshHash: string;
+		lastActiveAt: Date;
+		currentTokens?: AuthTokens;
+	}): Promise<void>;
+	dispose(): void;
+	private rowToSession;
+}
+declare class DbUserStore implements UserStore {
+	private db;
+	constructor(db: AuthDbClient);
+	createUser(user: AuthUser, passwordHash: string | null): Promise<void>;
+	findByEmail(email: string): Promise<{
+		user: AuthUser;
+		passwordHash: string | null;
+	} | null>;
+	findById(id: string): Promise<AuthUser | null>;
+	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
+	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	private rowToUser;
+}
 declare class InMemoryEmailVerificationStore implements EmailVerificationStore {
 	private byId;
 	private byTokenHash;
@@ -848,6 +1362,38 @@ declare function computeEntityAccess(entitlements: string[], entity: {
 * Returns true if `fva` exists and (now - fva) < maxAgeSeconds.
 */
 declare function checkFva(payload: SessionPayload, maxAgeSeconds: number): boolean;
+/**
+* Grandfathering Store — tracks which tenants are grandfathered on old plan versions.
+*
+* When a plan version changes, existing tenants keep their old version
+* during a grace period. This store tracks that state.
+*/
+interface GrandfatheringState {
+	tenantId: string;
+	planId: string;
+	version: number;
+	graceEnds: Date | null;
+}
+interface GrandfatheringStore {
+	/** Mark a tenant as grandfathered on a specific plan version. */
+	setGrandfathered(tenantId: string, planId: string, version: number, graceEnds: Date | null): Promise<void>;
+	/** Get grandfathering state for a tenant on a plan. Returns null if not grandfathered. */
+	getGrandfathered(tenantId: string, planId: string): Promise<GrandfatheringState | null>;
+	/** List all grandfathered tenants for a plan. */
+	listGrandfathered(planId: string): Promise<GrandfatheringState[]>;
+	/** Remove grandfathering state (after migration). */
+	removeGrandfathered(tenantId: string, planId: string): Promise<void>;
+	/** Clean up resources. */
+	dispose(): void;
+}
+declare class InMemoryGrandfatheringStore implements GrandfatheringStore {
+	private states;
+	setGrandfathered(tenantId: string, planId: string, version: number, graceEnds: Date | null): Promise<void>;
+	getGrandfathered(tenantId: string, planId: string): Promise<GrandfatheringState | null>;
+	listGrandfathered(planId: string): Promise<GrandfatheringState[]>;
+	removeGrandfathered(tenantId: string, planId: string): Promise<void>;
+	dispose(): void;
+}
 declare class InMemoryMFAStore implements MFAStore {
 	private secrets;
 	private backupCodes;
@@ -887,6 +1433,71 @@ declare class InMemoryPasswordResetStore implements PasswordResetStore {
 	deleteByUserId(userId: string): Promise<void>;
 	dispose(): void;
 }
+interface PlanHashInput {
+	features?: readonly string[] | string[];
+	limits?: Record<string, unknown>;
+	price?: {
+		amount: number;
+		interval: string;
+	} | null;
+}
+/**
+* Compute SHA-256 hash of canonical JSON representation of plan config.
+* Keys are sorted recursively for deterministic output regardless of object key order.
+*/
+declare function computePlanHash(config: PlanHashInput): Promise<string>;
+type PlanEventType = "plan:version_created" | "plan:grace_approaching" | "plan:grace_expiring" | "plan:migrated";
+interface PlanEvent {
+	type: PlanEventType;
+	planId: string;
+	tenantId?: string;
+	version?: number;
+	previousVersion?: number;
+	currentVersion?: number;
+	graceEnds?: Date | null;
+	timestamp: Date;
+}
+type PlanEventHandler = (event: PlanEvent) => void;
+interface TenantPlanState {
+	planId: string;
+	version: number;
+	currentVersion: number;
+	grandfathered: boolean;
+	graceEnds: Date | null;
+	snapshot: PlanSnapshot;
+}
+interface MigrateOpts {
+	tenantId?: string;
+}
+interface ScheduleOpts {
+	at: Date | string;
+}
+interface PlanManagerConfig {
+	plans: Record<string, PlanDef>;
+	versionStore: PlanVersionStore;
+	grandfatheringStore: GrandfatheringStore;
+	planStore: PlanStore;
+	clock?: () => Date;
+}
+interface PlanManager {
+	/** Hash plan configs, compare with stored, create new versions if different. Idempotent. */
+	initialize(): Promise<void>;
+	/** Migrate tenants past grace period (or specific tenant immediately). */
+	migrate(planId: string, opts?: MigrateOpts): Promise<void>;
+	/** Schedule future migration date for all grandfathered tenants. */
+	schedule(planId: string, opts: ScheduleOpts): Promise<void>;
+	/** Return tenant's plan state (planId, version, grandfathered, snapshot). */
+	resolve(tenantId: string): Promise<TenantPlanState | null>;
+	/** List all grandfathered tenants for a plan. */
+	grandfathered(planId: string): Promise<GrandfatheringState[]>;
+	/** Check all grandfathered tenants and emit grace_approaching / grace_expiring events. */
+	checkGraceEvents(): Promise<void>;
+	/** Register an event handler. */
+	on(handler: PlanEventHandler): void;
+	/** Remove an event handler. */
+	off(handler: PlanEventHandler): void;
+}
+declare function createPlanManager(config: PlanManagerConfig): PlanManager;
 declare function discord(config: OAuthProviderConfig): OAuthProvider;
 declare function github(config: OAuthProviderConfig): OAuthProvider;
 declare function google(config: OAuthProviderConfig): OAuthProvider;
@@ -898,64 +1509,6 @@ declare class InMemoryRateLimitStore implements RateLimitStore {
 	dispose(): void;
 	private cleanup;
 }
-/**
-* rules.* builders — declarative access rule data structures.
-*
-* These are pure data structures with no evaluation logic.
-* The access context evaluates them at runtime (sub-phase 4).
-*/
-interface RoleRule {
-	readonly type: "role";
-	readonly roles: readonly string[];
-}
-interface EntitlementRule {
-	readonly type: "entitlement";
-	readonly entitlement: string;
-}
-interface WhereRule {
-	readonly type: "where";
-	readonly conditions: Record<string, unknown>;
-}
-interface AllRule {
-	readonly type: "all";
-	readonly rules: readonly AccessRule[];
-}
-interface AnyRule {
-	readonly type: "any";
-	readonly rules: readonly AccessRule[];
-}
-interface AuthenticatedRule {
-	readonly type: "authenticated";
-}
-interface FvaRule {
-	readonly type: "fva";
-	readonly maxAge: number;
-}
-type AccessRule = RoleRule | EntitlementRule | WhereRule | AllRule | AnyRule | AuthenticatedRule | FvaRule;
-interface UserMarker {
-	readonly __marker: string;
-}
-declare const rules: {
-	/** User has at least one of the specified roles (OR) */
-	role(...roleNames: string[]): RoleRule;
-	/** User has the specified entitlement (resolves role+plan+flag from defineAccess config) */
-	entitlement(name: string): EntitlementRule;
-	/** Row-level condition — DB query syntax. Use rules.user.id for dynamic user markers */
-	where(conditions: Record<string, unknown>): WhereRule;
-	/** All sub-rules must pass (AND) */
-	all(...ruleList: AccessRule[]): AllRule;
-	/** At least one sub-rule must pass (OR) */
-	any(...ruleList: AccessRule[]): AnyRule;
-	/** User must be authenticated (no specific role required) */
-	authenticated(): AuthenticatedRule;
-	/** User must have verified MFA within maxAge seconds */
-	fva(maxAge: number): FvaRule;
-	/** Declarative user markers — resolved at evaluation time */
-	user: {
-		readonly id: UserMarker;
-		readonly tenantId: UserMarker;
-	};
-};
 declare class InMemorySessionStore implements SessionStore {
 	private sessions;
 	private currentTokens;
@@ -1007,10 +1560,10 @@ declare class InMemoryUserStore implements UserStore {
 declare function createAuth(config: AuthConfig): AuthInstance;
 import { AppBuilder, AppConfig } from "@vertz/core";
 import { DatabaseClient, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
-import { ModelDef as ModelDef2, RelationDef, SchemaLike, TableDef } from "@vertz/db";
-import { ModelDef } from "@vertz/db";
+import { ModelDef as ModelDef3, RelationDef, SchemaLike, TableDef } from "@vertz/db";
+import { ModelDef as ModelDef2 } from "@vertz/db";
 import { EntityDbAdapter, ListOptions } from "@vertz/db";
-import { EntityError, Result as Result2 } from "@vertz/errors";
+import { EntityError, Result as Result3 } from "@vertz/errors";
 import { EntityDbAdapter as EntityDbAdapter2, ListOptions as ListOptions2 } from "@vertz/db";
 interface ListResult<T = Record<string, unknown>> {
 	items: T[];
@@ -1024,11 +1577,11 @@ interface CrudResult<T = unknown> {
 	body: T;
 }
 interface CrudHandlers {
-	list(ctx: EntityContext, options?: ListOptions): Promise<Result2<CrudResult<ListResult>, EntityError>>;
-	get(ctx: EntityContext, id: string): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	create(ctx: EntityContext, data: Record<string, unknown>): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	update(ctx: EntityContext, id: string, data: Record<string, unknown>): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	delete(ctx: EntityContext, id: string): Promise<Result2<CrudResult<null>, EntityError>>;
+	list(ctx: EntityContext, options?: ListOptions): Promise<Result3<CrudResult<ListResult>, EntityError>>;
+	get(ctx: EntityContext, id: string): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
+	create(ctx: EntityContext, data: Record<string, unknown>): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
+	update(ctx: EntityContext, id: string, data: Record<string, unknown>): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
+	delete(ctx: EntityContext, id: string): Promise<Result3<CrudResult<null>, EntityError>>;
 }
 declare function createCrudHandlers(def: EntityDefinition, db: EntityDbAdapter): CrudHandlers;
 /**
@@ -1037,7 +1590,7 @@ declare function createCrudHandlers(def: EntityDefinition, db: EntityDbAdapter):
 * When used as `ctx.entity`, TModel fills in actual column types.
 * When used as `ctx.entities.*`, TModel defaults to `ModelDef` (loose typing).
 */
-interface EntityOperations<TModel extends ModelDef = ModelDef> {
+interface EntityOperations<TModel extends ModelDef2 = ModelDef2> {
 	get(id: string): Promise<TModel["table"]["$response"]>;
 	list(options?: ListOptions2): Promise<ListResult<TModel["table"]["$response"]>>;
 	create(data: TModel["table"]["$create_input"]): Promise<TModel["table"]["$response"]>;
@@ -1045,7 +1598,7 @@ interface EntityOperations<TModel extends ModelDef = ModelDef> {
 	delete(id: string): Promise<void>;
 }
 /** Extracts the model type from an EntityDefinition */
-type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef2;
+type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef3;
 /**
 * Maps an inject config `{ key: EntityDefinition<TModel> }` to
 * `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
@@ -1058,7 +1611,7 @@ interface BaseContext {
 	role(...roles: string[]): boolean;
 }
 interface EntityContext<
-	TModel extends ModelDef2 = ModelDef2,
+	TModel extends ModelDef3 = ModelDef3,
 	TInject extends Record<string, EntityDefinition> = {}
 > extends BaseContext {
 	/** Typed CRUD on the current entity */
@@ -1066,7 +1619,7 @@ interface EntityContext<
 	/** Typed access to injected entities only */
 	readonly entities: InjectToOperations<TInject>;
 }
-type AccessRule2 = false | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
+type AccessRule2 = false | PublicRule | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
 interface EntityBeforeHooks<
 	TCreateInput = unknown,
 	TUpdateInput = unknown
@@ -1095,7 +1648,7 @@ interface EntityActionDef<
 type RelationColumnKeys<R> = R extends RelationDef<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
 type EntityRelationsConfig<TRelations extends Record<string, RelationDef> = Record<string, RelationDef>> = { [K in keyof TRelations]? : true | false | { [F in RelationColumnKeys<TRelations[K]>]? : true } };
 interface EntityConfig<
-	TModel extends ModelDef2 = ModelDef2,
+	TModel extends ModelDef3 = ModelDef3,
 	TActions extends Record<string, EntityActionDef<any, any, any, any>> = {},
 	TInject extends Record<string, EntityDefinition> = {}
 > {
@@ -1114,7 +1667,7 @@ interface EntityConfig<
 	readonly actions?: { readonly [K in keyof TActions] : TActions[K] };
 	readonly relations?: EntityRelationsConfig<TModel["relations"]>;
 }
-interface EntityDefinition<TModel extends ModelDef2 = ModelDef2> {
+interface EntityDefinition<TModel extends ModelDef3 = ModelDef3> {
 	readonly kind: "entity";
 	readonly name: string;
 	readonly model: TModel;
@@ -1163,6 +1716,10 @@ interface ServiceDefinition {
 	readonly access: Partial<Record<string, AccessRule2>>;
 	readonly actions: Record<string, ServiceActionDef>;
 }
+interface ServerInstance extends AppBuilder {
+	auth: AuthInstance;
+	initialize(): Promise<void>;
+}
 interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities"> {
 	/** Entity definitions created via entity() from @vertz/server */
 	entities?: EntityDefinition[];
@@ -1177,13 +1734,24 @@ interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities">
 	db?: DatabaseClient<Record<string, ModelEntry2>> | EntityDbAdapter3;
 	/** @internal Factory to create a DB adapter for each entity. Prefer `db` instead. */
 	_entityDbFactory?: (entityDef: EntityDefinition) => EntityDbAdapter3;
+	/** Auth configuration — when combined with db, auto-wires DB-backed stores */
+	auth?: AuthConfig;
 }
 /**
 * Creates an HTTP server with entity route generation.
 * Wraps @vertz/core's createServer to inject entity CRUD handlers.
+*
+* When both `db` (DatabaseClient) and `auth` are provided:
+* - Validates auth models are registered in the DatabaseClient
+* - Auto-wires DB-backed UserStore and SessionStore
+* - Returns ServerInstance with `.auth` and `.initialize()`
 */
+declare function createServer(config: ServerConfig & {
+	db: DatabaseClient<Record<string, ModelEntry2>>;
+	auth: AuthConfig;
+}): ServerInstance;
 declare function createServer(config: ServerConfig): AppBuilder;
-import { EntityForbiddenError, Result as Result3 } from "@vertz/errors";
+import { EntityForbiddenError, Result as Result4 } from "@vertz/errors";
 /**
 * Evaluates an access rule for the given operation.
 * Returns err(EntityForbiddenError) if access is denied.
@@ -1192,10 +1760,11 @@ import { EntityForbiddenError, Result as Result3 } from "@vertz/errors";
 *
 * - No rule defined → deny (deny by default)
 * - Rule is false → operation is disabled
+* - Rule is { type: 'public' } → always allow
 * - Rule is a function → evaluate and deny if returns false
 */
-declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>): Promise<Result3<void, EntityForbiddenError>>;
-import { ModelDef as ModelDef3 } from "@vertz/db";
+declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>): Promise<Result4<void, EntityForbiddenError>>;
+import { ModelDef as ModelDef4 } from "@vertz/db";
 /**
 * Request info extracted from HTTP context / auth middleware.
 */
@@ -1207,10 +1776,10 @@ interface RequestInfo {
 /**
 * Creates an EntityContext from request info, entity operations, and registry proxy.
 */
-declare function createEntityContext<TModel extends ModelDef3 = ModelDef3>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
-import { ModelDef as ModelDef4 } from "@vertz/db";
+declare function createEntityContext<TModel extends ModelDef4 = ModelDef4>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
+import { ModelDef as ModelDef5 } from "@vertz/db";
 declare function entity<
-	TModel extends ModelDef4,
+	TModel extends ModelDef5,
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, EntityActionDef<any, any, TModel["table"]["$response"], EntityContext<TModel, TInject>>> = {}
 >(name: string, config: EntityConfig<TModel, TActions, TInject>): EntityDefinition<TModel>;
@@ -1271,4 +1840,4 @@ declare function service<
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, ServiceActionDef<any, any, any>> = Record<string, ServiceActionDef<any, any, any>>
 >(name: string, config: ServiceConfig<TActions, TInject>): ServiceDefinition;
-export { vertz, verifyPassword, validatePassword, stripReadOnlyFields, stripHiddenFields, service, rules, makeImmutable, hashPassword, google, github, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createServer, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, computeEntityAccess, computeAccessSet, checkFva, calculateBillingPeriod, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerHandle, ServerConfig, ServerAdapter, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PlanStore, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OrgPlan, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanStore, InMemoryPasswordResetStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, FlagStore, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthContext, AuthConfig, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData };
+export { vertz, verifyPassword, validatePassword, validateOverrides, validateAuthModels, stripReadOnlyFields, stripHiddenFields, service, rules, makeImmutable, initializeAuthTables, hashPassword, google, github, getIncompatibleAddOns, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createWebhookHandler, createStripeBillingAdapter, createServer, createPlanManager, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createBillingEventEmitter, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, computePlanHash, computeOverage, computeEntityAccess, computeAccessSet, checkFva, checkAddOnCompatibility, calculateBillingPeriod, authModels, WebhookHandlerConfig, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, TenantOverrides, StripeProduct, StripePrice, StripeClient, StripeBillingAdapterConfig, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerInstance, ServerHandle, ServerConfig, ServerAdapter, RuleContext, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PriceInterval, PlanVersionStore, PlanVersionInfo, PlanStore, PlanSnapshot, PlanPrice, PlanHashInput, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OverrideStore, OverageInput, OverageConfig, OrgPlan, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverrideDef, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanVersionStore, InMemoryPlanStore, InMemoryPasswordResetStore, InMemoryOverrideStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryGrandfatheringStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, GrandfatheringStore, GrandfatheringState, ForbiddenException, FlagStore, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDef, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementValue, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, DbUserStore, DbSessionStore, DbRoleAssignmentStore, DbPlanStore, DbOAuthAccountStore, DbFlagStore, DbDialectName, DbClosureStore, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BillingEventType, BillingEventHandler, BillingEventEmitter, BillingEvent, BillingAdapter, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthDbClient, AuthContext, AuthConfig, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AddOnRequires, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData, AUTH_TABLE_NAMES };