@vertz/server 0.2.14 → 0.2.16

package/dist/index.d.ts

@@ -1,13 +1,71 @@
-import { AccumulateProvides, AppBuilder as AppBuilder2, AppConfig as AppConfig2, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, HandlerCtx, HttpMethod, HttpStatusCode, Infer, InferSchema, ListenOptions, MiddlewareDef, NamedMiddlewareDef, RawRequest, ServerAdapter, ServerHandle } from "@vertz/core";
+import { AccumulateProvides, AppBuilder as AppBuilder2, AppConfig as AppConfig2, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, HandlerCtx, HttpMethod, HttpStatusCode, Infer as Infer2, InferSchema, ListenOptions, MiddlewareDef, NamedMiddlewareDef, RawRequest, ServerAdapter, ServerHandle } from "@vertz/core";
 import { BadRequestException, ConflictException, createEnv, createImmutableProxy, createMiddleware, deepFreeze, ForbiddenException, InternalServerErrorException, makeImmutable, NotFoundException, ServiceUnavailableException, UnauthorizedException, ValidationException, VertzException, vertz } from "@vertz/core";
 import { ModelEntry } from "@vertz/db";
 import { AuthError, Result } from "@vertz/errors";
+import { Infer, ObjectSchema, StringSchema } from "@vertz/schema";
 /**
-* defineAccess() — Phase 6 RBAC & Access Control configuration
+* rules.* builders — declarative access rule data structures.
 *
-* Replaces createAccess() with hierarchical RBAC: resources form trees,
-* roles inherit down the hierarchy, and entitlements map to roles/plans/flags.
+* These are pure data structures with no evaluation logic.
+* The access context evaluates them at runtime (sub-phase 4).
 */
+interface RoleRule {
+	readonly type: "role";
+	readonly roles: readonly string[];
+}
+interface EntitlementRule {
+	readonly type: "entitlement";
+	readonly entitlement: string;
+}
+interface WhereRule {
+	readonly type: "where";
+	readonly conditions: Record<string, unknown>;
+}
+interface AllRule {
+	readonly type: "all";
+	readonly rules: readonly AccessRule[];
+}
+interface AnyRule {
+	readonly type: "any";
+	readonly rules: readonly AccessRule[];
+}
+interface AuthenticatedRule {
+	readonly type: "authenticated";
+}
+interface PublicRule {
+	readonly type: "public";
+}
+interface FvaRule {
+	readonly type: "fva";
+	readonly maxAge: number;
+}
+type AccessRule = PublicRule | RoleRule | EntitlementRule | WhereRule | AllRule | AnyRule | AuthenticatedRule | FvaRule;
+interface UserMarker {
+	readonly __marker: string;
+}
+declare const rules: {
+	/** Endpoint is public — no authentication required */
+	public: PublicRule;
+	/** User has at least one of the specified roles (OR) */
+	role(...roleNames: string[]): RoleRule;
+	/** User has the specified entitlement (resolves role+plan+flag from defineAccess config) */
+	entitlement(name: string): EntitlementRule;
+	/** Row-level condition — DB query syntax. Use rules.user.id for dynamic user markers */
+	where(conditions: Record<string, unknown>): WhereRule;
+	/** All sub-rules must pass (AND) */
+	all(...ruleList: AccessRule[]): AllRule;
+	/** At least one sub-rule must pass (OR) */
+	any(...ruleList: AccessRule[]): AnyRule;
+	/** User must be authenticated (no specific role required) */
+	authenticated(): AuthenticatedRule;
+	/** User must have verified MFA within maxAge seconds */
+	fva(maxAge: number): FvaRule;
+	/** Declarative user markers — resolved at evaluation time */
+	user: {
+		readonly id: UserMarker;
+		readonly tenantId: UserMarker;
+	};
+};
 /** Denial reasons ordered by actionability (most actionable first) */
 type DenialReason = "plan_required" | "role_required" | "limit_reached" | "flag_disabled" | "hierarchy_denied" | "step_up_required" | "not_authenticated";
 /** Metadata attached to denial reasons */
@@ -16,9 +74,12 @@ interface DenialMeta {
 	requiredRoles?: string[];
 	disabledFlags?: string[];
 	limit?: {
+		key?: string;
 		max: number;
 		consumed: number;
 		remaining: number;
+		/** True when the tenant is consuming beyond the limit under overage billing */
+		overage?: boolean;
 	};
 	fvaMaxAge?: number;
 }
@@ -29,43 +90,120 @@ interface AccessCheckResult {
 	reason?: DenialReason;
 	meta?: DenialMeta;
 }
-/** Entitlement definition — maps to roles, optional plans and flags */
-interface EntitlementDef {
-	roles: string[];
-	plans?: string[];
-	flags?: string[];
-}
 /** Billing period for plan limits */
-type BillingPeriod = "month" | "day" | "hour";
-/** Limit definition within a plan */
+type BillingPeriod = "month" | "day" | "hour" | "quarter" | "year";
+/** Valid price intervals for plans */
+type PriceInterval = "month" | "quarter" | "year" | "one_off";
+/** Plan price definition */
+interface PlanPrice {
+	amount: number;
+	interval: PriceInterval;
+}
+/** Overage billing configuration for a limit */
+interface OverageConfig {
+	/** Price per unit of overage (e.g., 0.01 for $0.01 per extra unit) */
+	amount: number;
+	/** Units per charge (e.g., 1 = charge per unit, 100 = charge per 100 units) */
+	per: number;
+	/** Maximum overage charge per period (safety cap). Omit for no cap. */
+	cap?: number;
+}
+/** Limit definition within a plan — gates an entitlement with optional scoping */
 interface LimitDef {
-	per: BillingPeriod;
 	max: number;
-}
-/** Plan definition — which entitlements are included and their usage limits */
+	gates: string;
+	/** Billing period for the limit. Omitted = lifetime (no reset). */
+	per?: BillingPeriod;
+	/** Entity scope — omitted = tenant-level, string = per entity instance */
+	scope?: string;
+	/** Overage billing: allow usage beyond limit at per-unit cost */
+	overage?: OverageConfig;
+}
+/** Add-on compatibility — restricts which base plans an add-on can be attached to */
+interface AddOnRequires {
+	group: string;
+	plans: readonly string[] | string[];
+}
+/** Grace period duration for grandfathering policy */
+type GraceDuration = "1m" | "3m" | "6m" | "12m" | "indefinite";
+/** Grandfathering policy for a plan */
+interface GrandfatheringPolicy {
+	grace?: GraceDuration;
+}
+/** Plan definition — features, limits, metadata, and billing */
 interface PlanDef {
-	entitlements: readonly string[] | string[];
+	title?: string;
+	description?: string;
+	group?: string;
+	addOn?: boolean;
+	price?: PlanPrice;
+	features?: readonly string[] | string[];
 	limits?: Record<string, LimitDef>;
+	/** Grandfathering policy — how long existing tenants keep old version on plan change */
+	grandfathering?: GrandfatheringPolicy;
+	/** Add-on only: restricts attachment to tenants on compatible base plans */
+	requires?: AddOnRequires;
+}
+/** Entity definition — roles and optional inheritance from parent entity roles */
+interface EntityDef {
+	roles: readonly string[] | string[];
+	inherits?: Record<string, string>;
+}
+/** Resolved entitlement definition — roles + optional rules */
+interface EntitlementDef {
+	roles: string[];
+	rules?: AccessRule[];
+	flags?: string[];
+	/** Plan names that gate this entitlement (evaluated in Layer 4) */
+	plans?: string[];
 }
+/** Entitlement callback context — provides `where()` and `user` for attribute rules */
+interface RuleContext {
+	where(conditions: Record<string, unknown>): AccessRule;
+	user: {
+		readonly id: {
+			readonly __marker: string;
+		};
+		readonly tenantId: {
+			readonly __marker: string;
+		};
+	};
+}
+/** Entitlement value: object or callback returning object */
+type EntitlementValue = EntitlementDef | ((r: RuleContext) => EntitlementDef);
 /** The input config for defineAccess() */
 interface DefineAccessInput {
-	hierarchy: string[];
-	roles: Record<string, string[]>;
-	inheritance?: Record<string, Record<string, string>>;
-	entitlements: Record<string, EntitlementDef>;
+	entities: Record<string, EntityDef>;
+	entitlements: Record<string, EntitlementValue>;
 	plans?: Record<string, PlanDef>;
 	/** Fallback plan name when an org's plan expires. Defaults to 'free'. */
 	defaultPlan?: string;
 }
 /** The frozen config returned by defineAccess() */
 interface AccessDefinition {
+	/** Inferred hierarchy from inherits declarations */
 	readonly hierarchy: readonly string[];
+	/** Entities keyed by name */
+	readonly entities: Readonly<Record<string, Readonly<EntityDef>>>;
+	/** Roles per entity (derived from entities for downstream compat) */
 	readonly roles: Readonly<Record<string, readonly string[]>>;
+	/** Inheritance map per entity (derived from entities for downstream compat) */
 	readonly inheritance: Readonly<Record<string, Readonly<Record<string, string>>>>;
+	/** Resolved entitlements */
 	readonly entitlements: Readonly<Record<string, Readonly<EntitlementDef>>>;
 	readonly plans?: Readonly<Record<string, Readonly<PlanDef>>>;
 	/** Fallback plan name when an org's plan expires. Defaults to 'free'. */
 	readonly defaultPlan?: string;
+	/**
+	* Computed: Set of entitlements that are gated by at least one plan's `features`.
+	* If an entitlement is in this set, a plan check is required during `can()`.
+	*/
+	readonly _planGatedEntitlements: ReadonlySet<string>;
+	/**
+	* Computed: Map from entitlement to all limit keys that gate it.
+	* Used during can() to find all limits that need to pass for an entitlement.
+	*/
+	readonly _entitlementToLimitKeys: Readonly<Record<string, readonly string[]>>;
 }
 declare function defineAccess(input: DefineAccessInput): AccessDefinition;
 /**
@@ -143,60 +281,77 @@ declare class InMemoryRoleAssignmentStore implements RoleAssignmentStore {
 * Used by Layer 1 of access context to gate entitlements on feature flags.
 */
 interface FlagStore {
-	setFlag(orgId: string, flag: string, enabled: boolean): void;
-	getFlag(orgId: string, flag: string): boolean;
-	getFlags(orgId: string): Record<string, boolean>;
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
 }
 declare class InMemoryFlagStore implements FlagStore {
 	private flags;
-	setFlag(orgId: string, flag: string, enabled: boolean): void;
-	getFlag(orgId: string, flag: string): boolean;
-	getFlags(orgId: string): Record<string, boolean>;
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
 }
-/**
-* PlanStore — org-level plan assignments with overrides.
-*
-* Stores which plan an organization is on, when it started,
-* optional expiration, and per-customer limit overrides.
-*/
-/** Per-customer limit override. Only affects the cap, not the billing period. */
+/** Per-tenant limit override. Only affects the cap, not the billing period. */
 interface LimitOverride {
 	max: number;
 }
-interface OrgPlan {
-	orgId: string;
+interface Subscription {
+	tenantId: string;
 	planId: string;
 	startedAt: Date;
 	expiresAt: Date | null;
 	overrides: Record<string, LimitOverride>;
 }
-interface PlanStore {
+interface SubscriptionStore {
 	/**
-	* Assign a plan to an org. Resets per-customer overrides (overrides are plan-specific).
-	* To preserve overrides across plan changes, re-apply them after calling assignPlan().
+	* Assign a plan to a tenant. Resets per-tenant overrides (overrides are plan-specific).
+	* To preserve overrides across plan changes, re-apply them after calling assign().
 	*/
-	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
-	getPlan(orgId: string): Promise<OrgPlan | null>;
-	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
-	removePlan(orgId: string): Promise<void>;
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	/** Attach an add-on to a tenant. */
+	attachAddOn?(tenantId: string, addOnId: string): Promise<void>;
+	/** Detach an add-on from a tenant. */
+	detachAddOn?(tenantId: string, addOnId: string): Promise<void>;
+	/** Get all active add-on IDs for a tenant. */
+	getAddOns?(tenantId: string): Promise<string[]>;
+	/** List all tenant IDs assigned to a specific plan. */
+	listByPlan?(planId: string): Promise<string[]>;
 	dispose(): void;
 }
-declare class InMemoryPlanStore implements PlanStore {
-	private plans;
-	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
-	getPlan(orgId: string): Promise<OrgPlan | null>;
-	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
-	removePlan(orgId: string): Promise<void>;
+declare class InMemorySubscriptionStore implements SubscriptionStore {
+	private subscriptions;
+	private addOns;
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	detachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	getAddOns(tenantId: string): Promise<string[]>;
+	listByPlan(planId: string): Promise<string[]>;
 	dispose(): void;
 }
 /**
+* Check if an add-on is compatible with a given base plan.
+* Returns true if the add-on has no `requires` or if the plan is in the requires list.
+*/
+declare function checkAddOnCompatibility(accessDef: AccessDefinition, addOnId: string, currentPlanId: string): boolean;
+/**
+* Get add-ons that are incompatible with a target plan.
+* Used to flag incompatible add-ons when a tenant downgrades.
+*/
+declare function getIncompatibleAddOns(accessDef: AccessDefinition, activeAddOnIds: string[], targetPlanId: string): string[];
+/**
 * WalletStore — consumption tracking for plan-limited entitlements.
 *
-* Tracks per-org usage within billing periods with atomic
+* Tracks per-tenant usage within billing periods with atomic
 * check-and-increment operations.
 */
 interface WalletEntry {
-	orgId: string;
+	tenantId: string;
 	entitlement: string;
 	periodStart: Date;
 	periodEnd: Date;
@@ -209,17 +364,99 @@ interface ConsumeResult {
 	remaining: number;
 }
 interface WalletStore {
-	consume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
-	unconsume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, amount?: number): Promise<void>;
-	getConsumption(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date): Promise<number>;
+	consume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
+	unconsume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, amount?: number): Promise<void>;
+	getConsumption(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date): Promise<number>;
 	dispose(): void;
 }
 declare class InMemoryWalletStore implements WalletStore {
 	private entries;
 	private key;
-	consume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
-	unconsume(orgId: string, entitlement: string, periodStart: Date, _periodEnd: Date, amount?: number): Promise<void>;
-	getConsumption(orgId: string, entitlement: string, periodStart: Date, _periodEnd: Date): Promise<number>;
+	consume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
+	unconsume(tenantId: string, entitlement: string, periodStart: Date, _periodEnd: Date, amount?: number): Promise<void>;
+	getConsumption(tenantId: string, entitlement: string, periodStart: Date, _periodEnd: Date): Promise<number>;
+	dispose(): void;
+}
+/** Limit override: add (additive) or max (hard cap) */
+interface LimitOverrideDef {
+	add?: number;
+	max?: number;
+}
+/** Per-tenant overrides */
+interface TenantOverrides {
+	features?: string[];
+	limits?: Record<string, LimitOverrideDef>;
+}
+interface OverrideStore {
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
+	dispose(): void;
+}
+declare class InMemoryOverrideStore implements OverrideStore {
+	private overrides;
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
+	dispose(): void;
+}
+/**
+* Validate tenant overrides against the access definition.
+* Throws on invalid limit keys, invalid feature names, or invalid max values.
+*/
+declare function validateOverrides(accessDef: AccessDefinition, overrides: TenantOverrides): void;
+/**
+* Plan Version Store — tracks versioned snapshots of plan configurations.
+*
+* When a plan's config changes (hash differs), a new version is created
+* with a snapshot of the plan's features, limits, and price at that point.
+*/
+interface PlanSnapshot {
+	features: readonly string[] | string[];
+	limits: Record<string, unknown>;
+	price: {
+		amount: number;
+		interval: string;
+	} | null;
+}
+interface PlanVersionInfo {
+	planId: string;
+	version: number;
+	hash: string;
+	snapshot: PlanSnapshot;
+	createdAt: Date;
+}
+interface PlanVersionStore {
+	/** Create a new version for a plan. Returns the version number. */
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	/** Get the current (latest) version number for a plan. Returns null if no versions exist. */
+	getCurrentVersion(planId: string): Promise<number | null>;
+	/** Get a specific version's info. Returns null if not found. */
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	/** Get the version number a tenant is on for a given plan. Returns null if not set. */
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	/** Set the version number a tenant is on for a given plan. */
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	/** Get the hash of the current (latest) version for a plan. Returns null if no versions. */
+	getCurrentHash(planId: string): Promise<string | null>;
+	/** Clean up resources. */
+	dispose(): void;
+}
+declare class InMemoryPlanVersionStore implements PlanVersionStore {
+	private versions;
+	private tenantVersions;
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	getCurrentVersion(planId: string): Promise<number | null>;
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	getCurrentHash(planId: string): Promise<string | null>;
 	dispose(): void;
 }
 interface ResourceRef {
@@ -235,25 +472,39 @@ interface AccessContextConfig {
 	fva?: number;
 	/** Flag store — required for Layer 1 feature flag checks */
 	flagStore?: FlagStore;
-	/** Plan store — required for Layer 4 plan checks */
-	planStore?: PlanStore;
+	/** Subscription store — required for Layer 4 plan checks */
+	subscriptionStore?: SubscriptionStore;
 	/** Wallet store — required for Layer 5 wallet checks and canAndConsume() */
 	walletStore?: WalletStore;
+	/** Override store — per-tenant feature and limit overrides */
+	overrideStore?: OverrideStore;
 	/** Resolves an org ID from a resource. Required for plan/wallet checks. */
 	orgResolver?: (resource?: ResourceRef) => Promise<string | null>;
+	/** Plan version store — required for versioned plan resolution (grandfathered tenants) */
+	planVersionStore?: PlanVersionStore;
 }
+/**
+* Entitlement registry — augmented by @vertz/codegen to narrow entitlement strings.
+* When empty (no codegen), Entitlement falls back to `string`.
+* When codegen runs, it populates this with `{ 'entity:action': true }` entries.
+*/
+interface EntitlementRegistry {}
+/** Entitlement type — narrows to literal union when codegen populates EntitlementRegistry. */
+type Entitlement = keyof EntitlementRegistry extends never ? string : Extract<keyof EntitlementRegistry, string>;
 interface AccessContext {
-	can(entitlement: string, resource?: ResourceRef): Promise<boolean>;
-	check(entitlement: string, resource?: ResourceRef): Promise<AccessCheckResult>;
-	authorize(entitlement: string, resource?: ResourceRef): Promise<void>;
+	can(entitlement: Entitlement, resource?: ResourceRef): Promise<boolean>;
+	check(entitlement: Entitlement, resource?: ResourceRef): Promise<AccessCheckResult>;
+	authorize(entitlement: Entitlement, resource?: ResourceRef): Promise<void>;
 	canAll(checks: Array<{
-		entitlement: string;
+		entitlement: Entitlement;
 		resource?: ResourceRef;
 	}>): Promise<Map<string, boolean>>;
+	/** Batch check: single entitlement across multiple entities. Returns Map<entityId, boolean>. */
+	canBatch(entitlement: Entitlement, resources: ResourceRef[]): Promise<Map<string, boolean>>;
 	/** Atomic check + consume. Runs full can() then increments wallet if all layers pass. */
-	canAndConsume(entitlement: string, resource?: ResourceRef, amount?: number): Promise<boolean>;
+	canAndConsume(entitlement: Entitlement, resource?: ResourceRef, amount?: number): Promise<boolean>;
 	/** Rollback a previous canAndConsume(). Use when the operation fails after consumption. */
-	unconsume(entitlement: string, resource?: ResourceRef, amount?: number): Promise<void>;
+	unconsume(entitlement: Entitlement, resource?: ResourceRef, amount?: number): Promise<void>;
 }
 declare function createAccessContext(config: AccessContextConfig): AccessContext;
 interface AccessCheckData {
@@ -273,17 +524,16 @@ interface ComputeAccessSetConfig {
 	accessDef: AccessDefinition;
 	roleStore: RoleAssignmentStore;
 	closureStore: ClosureStore;
-	plan?: string | null;
 	/** Flag store — for feature flag state in access set */
 	flagStore?: FlagStore;
-	/** Plan store — for limit info in access set */
-	planStore?: PlanStore;
+	/** Subscription store — for limit info in access set */
+	subscriptionStore?: SubscriptionStore;
 	/** Wallet store — for consumption info in access set */
 	walletStore?: WalletStore;
 	/** Org resolver — for plan/wallet lookups */
 	orgResolver?: (resource?: ResourceRef) => Promise<string | null>;
-	/** Org ID — direct org ID for global access set (bypass orgResolver) */
-	orgId?: string | null;
+	/** Tenant ID — direct tenant ID for global access set (bypass orgResolver) */
+	tenantId?: string | null;
 }
 declare function computeAccessSet(config: ComputeAccessSetConfig): Promise<AccessSet>;
 /** Sparse encoding for JWT. Only includes allowed + denied-with-meta entries. */
@@ -351,6 +601,7 @@ interface SessionStore {
 		expiresAt: Date;
 		currentTokens?: AuthTokens;
 	}): Promise<StoredSession>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
 	findByRefreshHash(hash: string): Promise<StoredSession | null>;
 	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
 	revokeSession(id: string): Promise<void>;
@@ -390,6 +641,8 @@ interface UserStore {
 	findById(id: string): Promise<AuthUser | null>;
 	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
 	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	/** Delete a user by id. Used for rollback when onUserCreated fails. */
+	deleteUser(id: string): Promise<void>;
 }
 interface MfaConfig {
 	enabled?: boolean;
@@ -431,8 +684,7 @@ interface OAuthUserInfo {
 	providerId: string;
 	email: string;
 	emailVerified: boolean;
-	name?: string;
-	avatarUrl?: string;
+	raw: Record<string, unknown>;
 }
 interface OAuthProvider {
 	id: string;
@@ -453,6 +705,45 @@ interface OAuthAccountStore {
 	unlinkAccount(userId: string, provider: string): Promise<void>;
 	dispose(): void;
 }
+/** Context provided to auth lifecycle callbacks. */
+interface AuthCallbackContext {
+	/**
+	* System-level entity access — bypasses access rules.
+	* During sign-up, the user isn't authenticated yet,
+	* so access rules like rules.authenticated() would block the callback.
+	*/
+	entities: Record<string, AuthEntityProxy>;
+}
+/** Minimal CRUD interface for entity access within auth callbacks. */
+interface AuthEntityProxy {
+	get(id: string): Promise<unknown>;
+	list(options?: unknown): Promise<unknown>;
+	create(data: Record<string, unknown>): Promise<unknown>;
+	update(id: string, data: Record<string, unknown>): Promise<unknown>;
+	delete(id: string): Promise<void>;
+}
+/**
+* Discriminated union for onUserCreated callback payload.
+* OAuth and email/password sign-ups provide different data shapes.
+*/
+type OnUserCreatedPayload = {
+	/** The auth user that was just created. */
+	user: AuthUser;
+	/** The OAuth provider that created this user. */
+	provider: {
+		id: string;
+		name: string;
+	};
+	/** Full provider API response (cast to GithubProfile, GoogleProfile, etc.). */
+	profile: Record<string, unknown>;
+} | {
+	/** The auth user that was just created. */
+	user: AuthUser;
+	/** null for email/password sign-up. */
+	provider: null;
+	/** Extra fields from the sign-up form (via schema passthrough). */
+	signUpData: Record<string, unknown>;
+};
 interface EmailVerificationConfig {
 	enabled: boolean;
 	tokenTtl?: string | number;
@@ -548,6 +839,21 @@ interface AuthConfig {
 	passwordResetStore?: PasswordResetStore;
 	/** Access control configuration — enables ACL claim in JWT */
 	access?: AuthAccessConfig;
+	/** Tenant switching configuration — enables POST /auth/switch-tenant */
+	tenant?: TenantConfig;
+	/**
+	* Called after a new user is created in the auth system.
+	* Fires before the session is created.
+	* If this throws, the auth user is rolled back (deleted).
+	*/
+	onUserCreated?: (payload: OnUserCreatedPayload, ctx: AuthCallbackContext) => Promise<void>;
+	/** @internal Entity proxy for onUserCreated callback. Set by createServer(). */
+	_entityProxy?: Record<string, AuthEntityProxy>;
+}
+/** Configuration for multi-tenant session switching. */
+interface TenantConfig {
+	/** Verify that user has membership in the target tenant. Return false to deny. */
+	verifyMembership: (userId: string, tenantId: string) => Promise<boolean>;
 }
 /** Access control configuration for JWT acl claim computation. */
 interface AuthAccessConfig {
@@ -555,16 +861,16 @@ interface AuthAccessConfig {
 	roleStore: RoleAssignmentStore;
 	closureStore: ClosureStore;
 	flagStore?: FlagStore;
+	subscriptionStore?: SubscriptionStore;
+	walletStore?: WalletStore;
 }
 interface AuthUser {
 	id: string;
 	email: string;
 	role: string;
-	plan?: string;
 	emailVerified?: boolean;
 	createdAt: Date;
 	updatedAt: Date;
-	[key: string]: unknown;
 }
 interface SessionPayload {
 	sub: string;
@@ -574,6 +880,7 @@ interface SessionPayload {
 	exp: number;
 	jti: string;
 	sid: string;
+	tenantId?: string;
 	claims?: Record<string, unknown>;
 	fva?: number;
 	acl?: AclClaim;
@@ -608,16 +915,18 @@ interface SessionInfo {
 	expiresAt: Date;
 	isCurrent: boolean;
 }
-interface SignUpInput {
-	email: string;
-	password: string;
-	role?: string;
-	[key: string]: unknown;
-}
-interface SignInInput {
-	email: string;
-	password: string;
-}
+type ReservedSignUpField = "role" | "emailVerified" | "id" | "createdAt" | "updatedAt";
+type ReservedSignUpFields = { [K in ReservedSignUpField]? : never };
+declare const signUpInputSchema: ObjectSchema<{
+	email: StringSchema;
+	password: StringSchema;
+}>;
+declare const signInInputSchema: ObjectSchema<{
+	email: StringSchema;
+	password: StringSchema;
+}>;
+type SignUpInput = Infer<typeof signUpInputSchema> & ReservedSignUpFields & Record<string, unknown>;
+type SignInInput = Infer<typeof signInInputSchema>;
 interface AuthApi {
 	signUp: (data: SignUpInput, ctx?: {
 		headers: Headers;
@@ -647,6 +956,19 @@ interface AuthInstance {
 	initialize: () => Promise<void>;
 	/** Dispose stores and cleanup intervals */
 	dispose: () => void;
+	/**
+	* JWT-only session resolver for SSR injection.
+	* Reads the session cookie, verifies JWT (no DB lookup), and returns
+	* minimal session data + optional access set for client hydration.
+	*/
+	resolveSessionForSSR: (request: Request) => Promise<{
+		session: {
+			user: Record<string, unknown>;
+			expiresAt: number;
+		};
+		/** AccessSet | null at runtime; typed as unknown to avoid cross-package dependency on @vertz/ui */
+		accessSet?: unknown;
+	} | null>;
 }
 interface AuthContext {
 	headers: Headers;
@@ -672,9 +994,6 @@ interface UserTableEntry extends ModelEntry<any, any> {
 		role: {
 			type: string;
 		};
-		plan?: {
-			type: string;
-		};
 		createdAt: {
 			type: Date;
 		};
@@ -703,9 +1022,8 @@ import { AuthValidationError } from "@vertz/errors";
 declare function hashPassword(password: string): Promise<string>;
 declare function verifyPassword(password: string, hash: string): Promise<boolean>;
 declare function validatePassword(password: string, requirements?: PasswordRequirements): AuthValidationError | null;
-type Entitlement = string;
 interface RoleDefinition {
-	entitlements: Entitlement[];
+	entitlements: string[];
 }
 interface EntitlementDefinition {
 	roles: string[];
@@ -718,20 +1036,20 @@ interface AccessConfig {
 }
 interface AccessInstance {
 	/** Check if user has a specific entitlement */
-	can(entitlement: Entitlement, user: AuthUser | null): Promise<boolean>;
+	can(entitlement: string, user: AuthUser | null): Promise<boolean>;
 	/** Check with resource context */
-	canWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<boolean>;
+	canWithResource(entitlement: string, resource: Resource, user: AuthUser | null): Promise<boolean>;
 	/** Throws if not authorized */
-	authorize(entitlement: Entitlement, user: AuthUser | null): Promise<void>;
+	authorize(entitlement: string, user: AuthUser | null): Promise<void>;
 	/** Authorize with resource context */
-	authorizeWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<void>;
+	authorizeWithResource(entitlement: string, resource: Resource, user: AuthUser | null): Promise<void>;
 	/** Check multiple entitlements at once */
 	canAll(checks: Array<{
-		entitlement: Entitlement;
+		entitlement: string;
 		resource?: Resource;
 	}>, user: AuthUser | null): Promise<Map<string, boolean>>;
 	/** Get all entitlements for a role */
-	getEntitlementsForRole(role: string): Entitlement[];
+	getEntitlementsForRole(role: string): string[];
 	/** Middleware that adds ctx.can() and ctx.authorize() to context */
 	middleware: () => any;
 }
@@ -742,9 +1060,9 @@ interface Resource {
 	[key: string]: unknown;
 }
 declare class AuthorizationError extends Error {
-	readonly entitlement: Entitlement;
+	readonly entitlement: string;
 	readonly userId?: string | undefined;
-	constructor(message: string, entitlement: Entitlement, userId?: string | undefined);
+	constructor(message: string, entitlement: string, userId?: string | undefined);
 }
 declare function createAccess(config: AccessConfig): AccessInstance;
 declare const defaultAccess: AccessInstance;
@@ -766,6 +1084,23 @@ type AccessEvent = {
 } | {
 	type: "access:plan_changed";
 	orgId: string;
+} | {
+	type: "access:plan_assigned";
+	orgId: string;
+	planId: string;
+} | {
+	type: "access:addon_attached";
+	orgId: string;
+	addonId: string;
+} | {
+	type: "access:addon_detached";
+	orgId: string;
+	addonId: string;
+} | {
+	type: "access:limit_reset";
+	orgId: string;
+	entitlement: string;
+	max: number;
 };
 interface AccessWsData {
 	userId: string;
@@ -790,6 +1125,10 @@ interface AccessEventBroadcaster {
 	broadcastLimitUpdate(orgId: string, entitlement: string, consumed: number, remaining: number, max: number): void;
 	broadcastRoleChange(userId: string): void;
 	broadcastPlanChange(orgId: string): void;
+	broadcastPlanAssigned(orgId: string, planId: string): void;
+	broadcastAddonAttached(orgId: string, addonId: string): void;
+	broadcastAddonDetached(orgId: string, addonId: string): void;
+	broadcastLimitReset(orgId: string, entitlement: string, max: number): void;
 	getConnectionCount: number;
 }
 /** Minimal Bun.Server interface for WebSocket upgrade */
@@ -806,6 +1145,156 @@ interface BunWebSocket<T> {
 	ping(): void;
 }
 declare function createAccessEventBroadcaster(config: AccessEventBroadcasterConfig): AccessEventBroadcaster;
+import { ModelDef } from "@vertz/db";
+declare const authModels: Record<string, ModelDef>;
+import { DatabaseClient } from "@vertz/db";
+type AuthModels = typeof authModels;
+/**
+* Minimal database interface for auth stores.
+*
+* Keeps raw query support for legacy stores, but exposes the typed
+* `auth_sessions` delegate so session lookups can go through the generated
+* client instead of ad hoc SQL strings. Includes `transaction` for atomic
+* multi-statement writes in plan and closure stores.
+*/
+type AuthDbClient = Pick<DatabaseClient<AuthModels>, "auth_sessions" | "query" | "_internals" | "transaction">;
+/**
+* Dialect-aware DDL helpers for auth table creation.
+*
+* Produces SQL column type fragments for SQLite and PostgreSQL,
+* enabling portable CREATE TABLE statements.
+*/
+type DbDialectName = "sqlite" | "postgres";
+/**
+* Names of all auth tables — used for model validation.
+*/
+declare const AUTH_TABLE_NAMES: readonly ["auth_users", "auth_sessions", "auth_oauth_accounts", "auth_role_assignments", "auth_closure", "auth_plans", "auth_plan_addons", "auth_flags", "auth_overrides"];
+/**
+* Validate that all required auth models are registered in the DatabaseClient.
+*
+* Throws a prescriptive error when models are missing, telling the developer
+* exactly what to add to their createDb() call.
+*/
+declare function validateAuthModels(db: AuthDbClient): void;
+/**
+* Initialize auth tables in the database.
+*
+* Executes CREATE TABLE IF NOT EXISTS for all 9 auth tables.
+* Idempotent — safe to call on every server start.
+*/
+declare function initializeAuthTables(db: AuthDbClient): Promise<void>;
+interface BillingAdapter {
+	/** Push plan definitions to the payment processor. Idempotent. */
+	syncPlans(plans: Record<string, PlanDef>): Promise<void>;
+	/** Create a subscription for a tenant. */
+	createSubscription(tenantId: string, planId: string): Promise<string>;
+	/** Cancel a tenant's subscription. */
+	cancelSubscription(tenantId: string): Promise<void>;
+	/** Attach an add-on to a tenant's subscription. */
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	/** Report metered usage (overage) for a tenant. */
+	reportOverage(tenantId: string, limitKey: string, amount: number): Promise<void>;
+	/** Get the billing portal URL for a tenant. */
+	getPortalUrl(tenantId: string): Promise<string>;
+}
+/**
+* Billing Event Emitter — typed event system for billing lifecycle events.
+*
+* Events: subscription:created, subscription:canceled, billing:payment_failed
+*/
+type BillingEventType = "subscription:created" | "subscription:canceled" | "billing:payment_failed";
+interface BillingEvent {
+	tenantId: string;
+	planId: string;
+	attempt?: number;
+}
+type BillingEventHandler = (event: BillingEvent) => void;
+interface BillingEventEmitter {
+	on(eventType: BillingEventType, handler: BillingEventHandler): void;
+	off(eventType: BillingEventType, handler: BillingEventHandler): void;
+	emit(eventType: BillingEventType, event: BillingEvent): void;
+}
+declare function createBillingEventEmitter(): BillingEventEmitter;
+/**
+* Overage Computation — calculates overage charges for limit usage.
+*
+* Formula: (consumed - max) * rate, capped if cap is specified.
+* Returns 0 if usage is within the limit.
+*/
+interface OverageInput {
+	consumed: number;
+	max: number;
+	rate: number;
+	cap?: number;
+}
+/**
+* Compute overage charge for a given usage period.
+*
+* @returns The overage charge amount (0 if within limit)
+*/
+declare function computeOverage(input: OverageInput): number;
+interface StripeProduct {
+	id: string;
+	name: string;
+	metadata: Record<string, string>;
+}
+interface StripePrice {
+	id: string;
+	product: string;
+	unit_amount: number;
+	recurring: {
+		interval: string;
+	} | null;
+	active: boolean;
+	metadata: Record<string, string>;
+}
+interface StripeClient {
+	products: {
+		list(): Promise<{
+			data: StripeProduct[];
+		}>;
+		create(params: {
+			name: string;
+			metadata: Record<string, string>;
+			description?: string;
+		}): Promise<StripeProduct>;
+		update(id: string, params: {
+			name?: string;
+			metadata?: Record<string, string>;
+		}): Promise<StripeProduct>;
+	};
+	prices: {
+		list(params: {
+			product: string;
+		}): Promise<{
+			data: StripePrice[];
+		}>;
+		create(params: {
+			product: string;
+			unit_amount: number;
+			currency: string;
+			recurring?: {
+				interval: string;
+			};
+			metadata: Record<string, string>;
+		}): Promise<StripePrice>;
+		update(id: string, params: {
+			active: boolean;
+		}): Promise<StripePrice>;
+	};
+}
+interface StripeBillingAdapterConfig {
+	stripe: StripeClient;
+	currency?: string;
+}
+declare function createStripeBillingAdapter(config: StripeBillingAdapterConfig): BillingAdapter;
+interface WebhookHandlerConfig {
+	subscriptionStore: SubscriptionStore;
+	emitter: BillingEventEmitter;
+	defaultPlan: string;
+	webhookSecret: string;
+}
+declare function createWebhookHandler(config: WebhookHandlerConfig): (request: Request) => Promise<Response>;
 interface Period {
 	periodStart: Date;
 	periodEnd: Date;
@@ -817,6 +1306,107 @@ interface Period {
 * the period containing now. For 'day'/'hour': uses fixed-duration periods.
 */
 declare function calculateBillingPeriod(startedAt: Date, per: BillingPeriod, now?: Date): Period;
+declare class DbClosureStore implements ClosureStore {
+	private db;
+	constructor(db: AuthDbClient);
+	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
+	removeResource(type: string, id: string): Promise<void>;
+	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
+	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
+	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+	dispose(): void;
+}
+declare class DbFlagStore implements FlagStore {
+	private db;
+	private cache;
+	constructor(db: AuthDbClient);
+	/**
+	* Load all flags from DB into memory. Call once on initialization.
+	*/
+	loadFlags(): Promise<void>;
+	setFlag(orgId: string, flag: string, enabled: boolean): void;
+	getFlag(orgId: string, flag: string): boolean;
+	getFlags(orgId: string): Record<string, boolean>;
+}
+declare class DbOAuthAccountStore implements OAuthAccountStore {
+	private db;
+	constructor(db: AuthDbClient);
+	linkAccount(userId: string, provider: string, providerId: string, email?: string): Promise<void>;
+	findByProviderAccount(provider: string, providerId: string): Promise<string | null>;
+	findByUserId(userId: string): Promise<{
+		provider: string;
+		providerId: string;
+	}[]>;
+	unlinkAccount(userId: string, provider: string): Promise<void>;
+	dispose(): void;
+}
+declare class DbRoleAssignmentStore implements RoleAssignmentStore {
+	private db;
+	constructor(db: AuthDbClient);
+	assign(userId: string, resourceType: string, resourceId: string, role: string): Promise<void>;
+	revoke(userId: string, resourceType: string, resourceId: string, role: string): Promise<void>;
+	getRoles(userId: string, resourceType: string, resourceId: string): Promise<string[]>;
+	getRolesForUser(userId: string): Promise<RoleAssignment[]>;
+	getEffectiveRole(userId: string, resourceType: string, resourceId: string, accessDef: AccessDefinition, closureStore: ClosureStore): Promise<string | null>;
+	dispose(): void;
+}
+declare class DbSessionStore implements SessionStore {
+	private db;
+	constructor(db: AuthDbClient);
+	createSessionWithId(id: string, data: {
+		userId: string;
+		refreshTokenHash: string;
+		ipAddress: string;
+		userAgent: string;
+		expiresAt: Date;
+		currentTokens?: AuthTokens;
+	}): Promise<StoredSession>;
+	findByRefreshHash(hash: string): Promise<StoredSession | null>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
+	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
+	revokeSession(id: string): Promise<void>;
+	listActiveSessions(userId: string): Promise<StoredSession[]>;
+	countActiveSessions(userId: string): Promise<number>;
+	getCurrentTokens(sessionId: string): Promise<AuthTokens | null>;
+	updateSession(id: string, data: {
+		refreshTokenHash: string;
+		previousRefreshHash: string;
+		lastActiveAt: Date;
+		currentTokens?: AuthTokens;
+	}): Promise<void>;
+	dispose(): void;
+	/** Map a raw SQL row (snake_case) to StoredSession. */
+	private rowToSession;
+	/** Map an ORM record (camelCase) to StoredSession. */
+	private recordToSession;
+}
+declare class DbSubscriptionStore implements SubscriptionStore {
+	private db;
+	constructor(db: AuthDbClient);
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	detachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	getAddOns(tenantId: string): Promise<string[]>;
+	dispose(): void;
+	private loadOverrides;
+}
+declare class DbUserStore implements UserStore {
+	private db;
+	constructor(db: AuthDbClient);
+	createUser(user: AuthUser, passwordHash: string | null): Promise<void>;
+	findByEmail(email: string): Promise<{
+		user: AuthUser;
+		passwordHash: string | null;
+	} | null>;
+	findById(id: string): Promise<AuthUser | null>;
+	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
+	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	deleteUser(id: string): Promise<void>;
+	private rowToUser;
+}
 declare class InMemoryEmailVerificationStore implements EmailVerificationStore {
 	private byId;
 	private byTokenHash;
@@ -848,6 +1438,38 @@ declare function computeEntityAccess(entitlements: string[], entity: {
 * Returns true if `fva` exists and (now - fva) < maxAgeSeconds.
 */
 declare function checkFva(payload: SessionPayload, maxAgeSeconds: number): boolean;
+/**
+* Grandfathering Store — tracks which tenants are grandfathered on old plan versions.
+*
+* When a plan version changes, existing tenants keep their old version
+* during a grace period. This store tracks that state.
+*/
+interface GrandfatheringState {
+	tenantId: string;
+	planId: string;
+	version: number;
+	graceEnds: Date | null;
+}
+interface GrandfatheringStore {
+	/** Mark a tenant as grandfathered on a specific plan version. */
+	setGrandfathered(tenantId: string, planId: string, version: number, graceEnds: Date | null): Promise<void>;
+	/** Get grandfathering state for a tenant on a plan. Returns null if not grandfathered. */
+	getGrandfathered(tenantId: string, planId: string): Promise<GrandfatheringState | null>;
+	/** List all grandfathered tenants for a plan. */
+	listGrandfathered(planId: string): Promise<GrandfatheringState[]>;
+	/** Remove grandfathering state (after migration). */
+	removeGrandfathered(tenantId: string, planId: string): Promise<void>;
+	/** Clean up resources. */
+	dispose(): void;
+}
+declare class InMemoryGrandfatheringStore implements GrandfatheringStore {
+	private states;
+	setGrandfathered(tenantId: string, planId: string, version: number, graceEnds: Date | null): Promise<void>;
+	getGrandfathered(tenantId: string, planId: string): Promise<GrandfatheringState | null>;
+	listGrandfathered(planId: string): Promise<GrandfatheringState[]>;
+	removeGrandfathered(tenantId: string, planId: string): Promise<void>;
+	dispose(): void;
+}
 declare class InMemoryMFAStore implements MFAStore {
 	private secrets;
 	private backupCodes;
@@ -887,6 +1509,71 @@ declare class InMemoryPasswordResetStore implements PasswordResetStore {
 	deleteByUserId(userId: string): Promise<void>;
 	dispose(): void;
 }
+interface PlanHashInput {
+	features?: readonly string[] | string[];
+	limits?: Record<string, unknown>;
+	price?: {
+		amount: number;
+		interval: string;
+	} | null;
+}
+/**
+* Compute SHA-256 hash of canonical JSON representation of plan config.
+* Keys are sorted recursively for deterministic output regardless of object key order.
+*/
+declare function computePlanHash(config: PlanHashInput): Promise<string>;
+type PlanEventType = "plan:version_created" | "plan:grace_approaching" | "plan:grace_expiring" | "plan:migrated";
+interface PlanEvent {
+	type: PlanEventType;
+	planId: string;
+	tenantId?: string;
+	version?: number;
+	previousVersion?: number;
+	currentVersion?: number;
+	graceEnds?: Date | null;
+	timestamp: Date;
+}
+type PlanEventHandler = (event: PlanEvent) => void;
+interface TenantPlanState {
+	planId: string;
+	version: number;
+	currentVersion: number;
+	grandfathered: boolean;
+	graceEnds: Date | null;
+	snapshot: PlanSnapshot;
+}
+interface MigrateOpts {
+	tenantId?: string;
+}
+interface ScheduleOpts {
+	at: Date | string;
+}
+interface PlanManagerConfig {
+	plans: Record<string, PlanDef>;
+	versionStore: PlanVersionStore;
+	grandfatheringStore: GrandfatheringStore;
+	subscriptionStore: SubscriptionStore;
+	clock?: () => Date;
+}
+interface PlanManager {
+	/** Hash plan configs, compare with stored, create new versions if different. Idempotent. */
+	initialize(): Promise<void>;
+	/** Migrate tenants past grace period (or specific tenant immediately). */
+	migrate(planId: string, opts?: MigrateOpts): Promise<void>;
+	/** Schedule future migration date for all grandfathered tenants. */
+	schedule(planId: string, opts: ScheduleOpts): Promise<void>;
+	/** Return tenant's plan state (planId, version, grandfathered, snapshot). */
+	resolve(tenantId: string): Promise<TenantPlanState | null>;
+	/** List all grandfathered tenants for a plan. */
+	grandfathered(planId: string): Promise<GrandfatheringState[]>;
+	/** Check all grandfathered tenants and emit grace_approaching / grace_expiring events. */
+	checkGraceEvents(): Promise<void>;
+	/** Register an event handler. */
+	on(handler: PlanEventHandler): void;
+	/** Remove an event handler. */
+	off(handler: PlanEventHandler): void;
+}
+declare function createPlanManager(config: PlanManagerConfig): PlanManager;
 declare function discord(config: OAuthProviderConfig): OAuthProvider;
 declare function github(config: OAuthProviderConfig): OAuthProvider;
 declare function google(config: OAuthProviderConfig): OAuthProvider;
@@ -898,64 +1585,6 @@ declare class InMemoryRateLimitStore implements RateLimitStore {
 	dispose(): void;
 	private cleanup;
 }
-/**
-* rules.* builders — declarative access rule data structures.
-*
-* These are pure data structures with no evaluation logic.
-* The access context evaluates them at runtime (sub-phase 4).
-*/
-interface RoleRule {
-	readonly type: "role";
-	readonly roles: readonly string[];
-}
-interface EntitlementRule {
-	readonly type: "entitlement";
-	readonly entitlement: string;
-}
-interface WhereRule {
-	readonly type: "where";
-	readonly conditions: Record<string, unknown>;
-}
-interface AllRule {
-	readonly type: "all";
-	readonly rules: readonly AccessRule[];
-}
-interface AnyRule {
-	readonly type: "any";
-	readonly rules: readonly AccessRule[];
-}
-interface AuthenticatedRule {
-	readonly type: "authenticated";
-}
-interface FvaRule {
-	readonly type: "fva";
-	readonly maxAge: number;
-}
-type AccessRule = RoleRule | EntitlementRule | WhereRule | AllRule | AnyRule | AuthenticatedRule | FvaRule;
-interface UserMarker {
-	readonly __marker: string;
-}
-declare const rules: {
-	/** User has at least one of the specified roles (OR) */
-	role(...roleNames: string[]): RoleRule;
-	/** User has the specified entitlement (resolves role+plan+flag from defineAccess config) */
-	entitlement(name: string): EntitlementRule;
-	/** Row-level condition — DB query syntax. Use rules.user.id for dynamic user markers */
-	where(conditions: Record<string, unknown>): WhereRule;
-	/** All sub-rules must pass (AND) */
-	all(...ruleList: AccessRule[]): AllRule;
-	/** At least one sub-rule must pass (OR) */
-	any(...ruleList: AccessRule[]): AnyRule;
-	/** User must be authenticated (no specific role required) */
-	authenticated(): AuthenticatedRule;
-	/** User must have verified MFA within maxAge seconds */
-	fva(maxAge: number): FvaRule;
-	/** Declarative user markers — resolved at evaluation time */
-	user: {
-		readonly id: UserMarker;
-		readonly tenantId: UserMarker;
-	};
-};
 declare class InMemorySessionStore implements SessionStore {
 	private sessions;
 	private currentTokens;
@@ -978,6 +1607,7 @@ declare class InMemorySessionStore implements SessionStore {
 		currentTokens?: AuthTokens;
 	}): Promise<StoredSession>;
 	findByRefreshHash(hash: string): Promise<StoredSession | null>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
 	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
 	revokeSession(id: string): Promise<void>;
 	listActiveSessions(userId: string): Promise<StoredSession[]>;
@@ -1003,14 +1633,78 @@ declare class InMemoryUserStore implements UserStore {
 	findById(id: string): Promise<AuthUser | null>;
 	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
 	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	deleteUser(id: string): Promise<void>;
 }
 declare function createAuth(config: AuthConfig): AuthInstance;
+import { SchemaLike } from "@vertz/db";
+/**
+* A content type descriptor that implements SchemaLike.
+* Carries HTTP metadata alongside parse/validate behavior.
+*/
+interface ContentDescriptor<T> extends SchemaLike<T> {
+	/** Discriminator — distinguishes from plain SchemaLike */
+	readonly _kind: "content";
+	/** MIME type for HTTP headers */
+	readonly _contentType: string;
+}
+/**
+* Runtime check: is the given SchemaLike a ContentDescriptor?
+*/
+declare function isContentDescriptor(value: SchemaLike<unknown>): value is ContentDescriptor<unknown>;
+declare const content: {
+	/** application/xml → string */
+	readonly xml: () => ContentDescriptor<string>;
+	/** text/html → string */
+	readonly html: () => ContentDescriptor<string>;
+	/** text/plain → string */
+	readonly text: () => ContentDescriptor<string>;
+	/** application/octet-stream → Uint8Array */
+	readonly binary: () => ContentDescriptor<Uint8Array>;
+};
 import { AppBuilder, AppConfig } from "@vertz/core";
-import { DatabaseClient, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
-import { ModelDef as ModelDef2, RelationDef, SchemaLike, TableDef } from "@vertz/db";
-import { ModelDef } from "@vertz/db";
-import { EntityDbAdapter, ListOptions } from "@vertz/db";
-import { EntityError, Result as Result2 } from "@vertz/errors";
+import { DatabaseClient as DatabaseClient2, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
+import { ModelDef as ModelDef4, RelationDef as RelationDef2, SchemaLike as SchemaLike2, TableDef } from "@vertz/db";
+import { ListOptions as ListOptions3, ModelDef as ModelDef3 } from "@vertz/db";
+import { EntityDbAdapter, GetOptions, ListOptions, ModelDef as ModelDef2 } from "@vertz/db";
+import { EntityError, Result as Result3 } from "@vertz/errors";
+import { RelationDef, TenantGraph } from "@vertz/db";
+/** One hop in the relation chain from entity to tenant root. */
+interface TenantChainHop {
+	/** Target table name (e.g., 'projects') */
+	readonly tableName: string;
+	/** FK column on the current table (e.g., 'projectId') */
+	readonly foreignKey: string;
+	/** PK column on the target table (e.g., 'id') */
+	readonly targetColumn: string;
+}
+/** Full chain from an indirectly scoped entity to the tenant root. */
+interface TenantChain {
+	/** Ordered hops from entity → ... → directly-scoped table */
+	readonly hops: readonly TenantChainHop[];
+	/** The tenant FK column on the final hop's target table (e.g., 'organizationId') */
+	readonly tenantColumn: string;
+}
+interface ModelRegistryEntry {
+	readonly table: {
+		readonly _name: string;
+		readonly _columns: Record<string, unknown>;
+	};
+	readonly relations: Record<string, RelationDef>;
+	readonly _tenant?: string | null;
+}
+type ModelRegistry = Record<string, ModelRegistryEntry>;
+/**
+* Resolves the relation chain from an indirectly scoped entity back to the
+* tenant root.
+*
+* Returns null if the entity is not indirectly scoped (i.e., it's the root,
+* directly scoped, shared, or unscoped).
+*
+* The chain is computed by walking `ref.one` relations from the entity until
+* we reach a directly-scoped model. The tenant column is read from the
+* directly-scoped model's `_tenant` relation FK.
+*/
+declare function resolveTenantChain(entityKey: string, tenantGraph: TenantGraph, registry: ModelRegistry): TenantChain | null;
 import { EntityDbAdapter as EntityDbAdapter2, ListOptions as ListOptions2 } from "@vertz/db";
 interface ListResult<T = Record<string, unknown>> {
 	items: T[];
@@ -1023,29 +1717,38 @@ interface CrudResult<T = unknown> {
 	status: number;
 	body: T;
 }
-interface CrudHandlers {
-	list(ctx: EntityContext, options?: ListOptions): Promise<Result2<CrudResult<ListResult>, EntityError>>;
-	get(ctx: EntityContext, id: string): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	create(ctx: EntityContext, data: Record<string, unknown>): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	update(ctx: EntityContext, id: string, data: Record<string, unknown>): Promise<Result2<CrudResult<Record<string, unknown>>, EntityError>>;
-	delete(ctx: EntityContext, id: string): Promise<Result2<CrudResult<null>, EntityError>>;
-}
-declare function createCrudHandlers(def: EntityDefinition, db: EntityDbAdapter): CrudHandlers;
+interface CrudHandlers<TModel extends ModelDef2 = ModelDef2> {
+	list(ctx: EntityContext<TModel>, options?: ListOptions): Promise<Result3<CrudResult<ListResult<TModel["table"]["$response"]>>, EntityError>>;
+	get(ctx: EntityContext<TModel>, id: string, options?: GetOptions): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	create(ctx: EntityContext<TModel>, data: Record<string, unknown>): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	update(ctx: EntityContext<TModel>, id: string, data: Record<string, unknown>): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	delete(ctx: EntityContext<TModel>, id: string): Promise<Result3<CrudResult<null>, EntityError>>;
+}
+/** Resolves IDs from a table matching a where condition. Used for indirect tenant filtering. */
+type QueryParentIdsFn = (tableName: string, where: Record<string, unknown>) => Promise<string[]>;
+/** Options for the CRUD pipeline factory. */
+interface CrudPipelineOptions {
+	/** Tenant chain for indirectly scoped entities. */
+	tenantChain?: TenantChain | null;
+	/** Resolves parent IDs for indirect tenant chain traversal. */
+	queryParentIds?: QueryParentIdsFn;
+}
+declare function createCrudHandlers<TModel extends ModelDef2 = ModelDef2>(def: EntityDefinition<TModel>, db: EntityDbAdapter, options?: CrudPipelineOptions): CrudHandlers<TModel>;
 /**
 * EntityOperations — typed CRUD facade for a single entity.
 *
 * When used as `ctx.entity`, TModel fills in actual column types.
 * When used as `ctx.entities.*`, TModel defaults to `ModelDef` (loose typing).
 */
-interface EntityOperations<TModel extends ModelDef = ModelDef> {
+interface EntityOperations<TModel extends ModelDef3 = ModelDef3> {
 	get(id: string): Promise<TModel["table"]["$response"]>;
-	list(options?: ListOptions2): Promise<ListResult<TModel["table"]["$response"]>>;
+	list(options?: ListOptions3<TModel>): Promise<ListResult<TModel["table"]["$response"]>>;
 	create(data: TModel["table"]["$create_input"]): Promise<TModel["table"]["$response"]>;
 	update(id: string, data: TModel["table"]["$update_input"]): Promise<TModel["table"]["$response"]>;
 	delete(id: string): Promise<void>;
 }
 /** Extracts the model type from an EntityDefinition */
-type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef2;
+type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef4;
 /**
 * Maps an inject config `{ key: EntityDefinition<TModel> }` to
 * `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
@@ -1053,12 +1756,13 @@ type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef2;
 type InjectToOperations<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel<TInject[K]>> };
 interface BaseContext {
 	readonly userId: string | null;
+	readonly tenantId: string | null;
 	authenticated(): boolean;
 	tenant(): boolean;
 	role(...roles: string[]): boolean;
 }
 interface EntityContext<
-	TModel extends ModelDef2 = ModelDef2,
+	TModel extends ModelDef4 = ModelDef4,
 	TInject extends Record<string, EntityDefinition> = {}
 > extends BaseContext {
 	/** Typed CRUD on the current entity */
@@ -1066,7 +1770,7 @@ interface EntityContext<
 	/** Typed access to injected entities only */
 	readonly entities: InjectToOperations<TInject>;
 }
-type AccessRule2 = false | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
+type AccessRule2 = false | AccessRule | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
 interface EntityBeforeHooks<
 	TCreateInput = unknown,
 	TUpdateInput = unknown
@@ -1087,20 +1791,35 @@ interface EntityActionDef<
 > {
 	readonly method?: string;
 	readonly path?: string;
-	readonly body: SchemaLike<TInput>;
-	readonly response: SchemaLike<TOutput>;
+	readonly body: SchemaLike2<TInput>;
+	readonly response: SchemaLike2<TOutput>;
 	readonly handler: (input: TInput, ctx: TCtx, row: TResponse | null) => Promise<TOutput>;
 }
 /** Extract column keys from a RelationDef's target table. */
-type RelationColumnKeys<R> = R extends RelationDef<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
-type EntityRelationsConfig<TRelations extends Record<string, RelationDef> = Record<string, RelationDef>> = { [K in keyof TRelations]? : true | false | { [F in RelationColumnKeys<TRelations[K]>]? : true } };
+type RelationColumnKeys<R> = R extends RelationDef2<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
+/** Structured relation config with select, allowWhere, allowOrderBy, maxLimit. */
+interface RelationConfigObject<TColumnKeys extends string = string> {
+	/** Which fields can be selected. Record<field, true>. */
+	readonly select?: { readonly [F in TColumnKeys]? : true };
+	/** Which fields can be filtered via `where`. */
+	readonly allowWhere?: readonly string[];
+	/** Which fields can be sorted via `orderBy`. */
+	readonly allowOrderBy?: readonly string[];
+	/** Max items per parent row. Defaults to DEFAULT_RELATION_LIMIT (100). */
+	readonly maxLimit?: number;
+}
+type EntityRelationsConfig<TRelations extends Record<string, RelationDef2> = Record<string, RelationDef2>> = { [K in keyof TRelations]? : true | false | RelationConfigObject<RelationColumnKeys<TRelations[K]>> };
 interface EntityConfig<
-	TModel extends ModelDef2 = ModelDef2,
+	TModel extends ModelDef4 = ModelDef4,
 	TActions extends Record<string, EntityActionDef<any, any, any, any>> = {},
 	TInject extends Record<string, EntityDefinition> = {}
 > {
 	readonly model: TModel;
 	readonly inject?: TInject;
+	/** Override the DB table name (defaults to entity name). For admin entities over shared tables. */
+	readonly table?: string;
+	/** Whether CRUD auto-filters by tenantId. Defaults to true when model has tenantId column. */
+	readonly tenantScoped?: boolean;
 	readonly access?: Partial<Record<"list" | "get" | "create" | "update" | "delete" | Extract<keyof NoInfer<TActions>, string>, AccessRule2>>;
 	readonly before?: {
 		readonly create?: (data: TModel["table"]["$create_input"], ctx: EntityContext<TModel, TInject>) => TModel["table"]["$create_input"] | Promise<TModel["table"]["$create_input"]>;
@@ -1114,7 +1833,7 @@ interface EntityConfig<
 	readonly actions?: { readonly [K in keyof TActions] : TActions[K] };
 	readonly relations?: EntityRelationsConfig<TModel["relations"]>;
 }
-interface EntityDefinition<TModel extends ModelDef2 = ModelDef2> {
+interface EntityDefinition<TModel extends ModelDef4 = ModelDef4> {
 	readonly kind: "entity";
 	readonly name: string;
 	readonly model: TModel;
@@ -1124,8 +1843,14 @@ interface EntityDefinition<TModel extends ModelDef2 = ModelDef2> {
 	readonly after: EntityAfterHooks;
 	readonly actions: Record<string, EntityActionDef>;
 	readonly relations: EntityRelationsConfig<TModel["relations"]>;
-}
-import { SchemaLike as SchemaLike2 } from "@vertz/db";
+	/** DB table name (defaults to entity name). */
+	readonly table: string;
+	/** Whether CRUD auto-filters by tenantId. */
+	readonly tenantScoped: boolean;
+	/** Relation chain for indirect tenant scoping. Null for direct or unscoped. */
+	readonly tenantChain: TenantChain | null;
+}
+import { SchemaLike as SchemaLike3 } from "@vertz/db";
 /** Extracts the model type from an EntityDefinition */
 type ExtractModel2<T> = T extends EntityDefinition<infer M> ? M : never;
 /**
@@ -1133,9 +1858,18 @@ type ExtractModel2<T> = T extends EntityDefinition<infer M> ? M : never;
 * `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
 */
 type InjectToOperations2<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel2<TInject[K]>> };
+/** Raw request metadata exposed to service handlers */
+interface ServiceRequestInfo {
+	readonly url: string;
+	readonly method: string;
+	readonly headers: Headers;
+	readonly body: unknown;
+}
 interface ServiceContext<TInject extends Record<string, EntityDefinition> = {}> extends BaseContext {
 	/** Typed access to injected entities only */
 	readonly entities: InjectToOperations2<TInject>;
+	/** Raw request metadata — URL, method, headers, pre-parsed body */
+	readonly request: ServiceRequestInfo;
 }
 interface ServiceActionDef<
 	TInput = unknown,
@@ -1144,8 +1878,8 @@ interface ServiceActionDef<
 > {
 	readonly method?: string;
 	readonly path?: string;
-	readonly body: SchemaLike2<TInput>;
-	readonly response: SchemaLike2<TOutput>;
+	readonly body?: SchemaLike3<TInput>;
+	readonly response: SchemaLike3<TOutput>;
 	readonly handler: (input: TInput, ctx: TCtx) => Promise<TOutput>;
 }
 interface ServiceConfig<
@@ -1163,6 +1897,12 @@ interface ServiceDefinition {
 	readonly access: Partial<Record<string, AccessRule2>>;
 	readonly actions: Record<string, ServiceActionDef>;
 }
+interface ServerInstance extends AppBuilder {
+	auth: AuthInstance;
+	initialize(): Promise<void>;
+	/** Routes auth requests (/api/auth/*) to auth.handler, everything else to entity handler */
+	readonly requestHandler: (request: Request) => Promise<Response>;
+}
 interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities"> {
 	/** Entity definitions created via entity() from @vertz/server */
 	entities?: EntityDefinition[];
@@ -1174,16 +1914,37 @@ interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities">
 	* - A DatabaseClient from createDb() (recommended — auto-bridged per entity)
 	* - An EntityDbAdapter (deprecated — simple adapter with get/list/create/update/delete)
 	*/
-	db?: DatabaseClient<Record<string, ModelEntry2>> | EntityDbAdapter3;
+	db?: DatabaseClient2<Record<string, ModelEntry2>> | EntityDbAdapter3;
 	/** @internal Factory to create a DB adapter for each entity. Prefer `db` instead. */
 	_entityDbFactory?: (entityDef: EntityDefinition) => EntityDbAdapter3;
+	/** @internal Resolves parent IDs for indirect tenant chain traversal. For testing only. */
+	_queryParentIds?: QueryParentIdsFn;
+	/** @internal Tenant chains for indirect scoping. For testing without DatabaseClient. */
+	_tenantChains?: Map<string, TenantChain>;
+	/** Auth configuration — when combined with db, auto-wires DB-backed stores */
+	auth?: AuthConfig;
 }
 /**
 * Creates an HTTP server with entity route generation.
 * Wraps @vertz/core's createServer to inject entity CRUD handlers.
+*
+* When both `db` (DatabaseClient) and `auth` are provided:
+* - Validates auth models are registered in the DatabaseClient
+* - Auto-wires DB-backed UserStore and SessionStore
+* - Returns ServerInstance with `.auth` and `.initialize()`
 */
+declare function createServer(config: ServerConfig & {
+	db: DatabaseClient2<Record<string, ModelEntry2>>;
+	auth: AuthConfig;
+}): ServerInstance;
 declare function createServer(config: ServerConfig): AppBuilder;
-import { EntityForbiddenError, Result as Result3 } from "@vertz/errors";
+import { EntityForbiddenError, Result as Result4 } from "@vertz/errors";
+interface EnforceAccessOptions {
+	/** Evaluate an entitlement via the access context (defineAccess) */
+	readonly can?: (entitlement: string) => Promise<boolean>;
+	/** Seconds since last MFA verification (for rules.fva) */
+	readonly fvaAge?: number;
+}
 /**
 * Evaluates an access rule for the given operation.
 * Returns err(EntityForbiddenError) if access is denied.
@@ -1192,10 +1953,16 @@ import { EntityForbiddenError, Result as Result3 } from "@vertz/errors";
 *
 * - No rule defined → deny (deny by default)
 * - Rule is false → operation is disabled
-* - Rule is a function → evaluate and deny if returns false
+* - Descriptor rule → dispatch by type
+* - Function rule → evaluate and deny if returns false
+*
+* When `skipWhere` is true, `where` rules are treated as ok() — used
+* when where conditions have already been pushed to the DB query.
 */
-declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>): Promise<Result3<void, EntityForbiddenError>>;
-import { ModelDef as ModelDef3 } from "@vertz/db";
+declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>, options?: EnforceAccessOptions & {
+	skipWhere?: boolean;
+}): Promise<Result4<void, EntityForbiddenError>>;
+import { ModelDef as ModelDef6 } from "@vertz/db";
 /**
 * Request info extracted from HTTP context / auth middleware.
 */
@@ -1207,10 +1974,10 @@ interface RequestInfo {
 /**
 * Creates an EntityContext from request info, entity operations, and registry proxy.
 */
-declare function createEntityContext<TModel extends ModelDef3 = ModelDef3>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
-import { ModelDef as ModelDef4 } from "@vertz/db";
+declare function createEntityContext<TModel extends ModelDef6 = ModelDef6>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
+import { ModelDef as ModelDef7 } from "@vertz/db";
 declare function entity<
-	TModel extends ModelDef4,
+	TModel extends ModelDef7,
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, EntityActionDef<any, any, TModel["table"]["$response"], EntityContext<TModel, TInject>>> = {}
 >(name: string, config: EntityConfig<TModel, TActions, TInject>): EntityDefinition<TModel>;
@@ -1258,6 +2025,10 @@ declare function stripReadOnlyFields(table: TableDef2, data: Record<string, unkn
 import { EntityRouteEntry } from "@vertz/core";
 interface EntityRouteOptions {
 	apiPrefix?: string;
+	/** Tenant chain for indirectly scoped entities. */
+	tenantChain?: TenantChain | null;
+	/** Resolves parent IDs for indirect tenant chain traversal. */
+	queryParentIds?: QueryParentIdsFn;
 }
 /**
 * Generates HTTP route entries for a single entity definition.
@@ -1271,4 +2042,4 @@ declare function service<
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, ServiceActionDef<any, any, any>> = Record<string, ServiceActionDef<any, any, any>>
 >(name: string, config: ServiceConfig<TActions, TInject>): ServiceDefinition;
-export { vertz, verifyPassword, validatePassword, stripReadOnlyFields, stripHiddenFields, service, rules, makeImmutable, hashPassword, google, github, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createServer, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, computeEntityAccess, computeAccessSet, checkFva, calculateBillingPeriod, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerHandle, ServerConfig, ServerAdapter, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PlanStore, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OrgPlan, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanStore, InMemoryPasswordResetStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, FlagStore, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthContext, AuthConfig, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData };
+export { vertz, verifyPassword, validatePassword, validateOverrides, validateAuthModels, stripReadOnlyFields, stripHiddenFields, service, rules, resolveTenantChain, makeImmutable, isContentDescriptor, initializeAuthTables, hashPassword, google, github, getIncompatibleAddOns, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createWebhookHandler, createStripeBillingAdapter, createServer, createPlanManager, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createBillingEventEmitter, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, content, computePlanHash, computeOverage, computeEntityAccess, computeAccessSet, checkFva, checkAddOnCompatibility, calculateBillingPeriod, authModels, WebhookHandlerConfig, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, TenantOverrides, TenantChainHop, TenantChain, SubscriptionStore, Subscription, StripeProduct, StripePrice, StripeClient, StripeBillingAdapterConfig, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceRequestInfo, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerInstance, ServerHandle, ServerConfig, ServerAdapter, RuleContext, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PriceInterval, PlanVersionStore, PlanVersionInfo, PlanSnapshot, PlanPrice, PlanHashInput, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OverrideStore, OverageInput, OverageConfig, OnUserCreatedPayload, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverrideDef, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer2 as Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySubscriptionStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanVersionStore, InMemoryPasswordResetStore, InMemoryOverrideStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryGrandfatheringStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, GrandfatheringStore, GrandfatheringState, ForbiddenException, FlagStore, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDef, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementValue, EntitlementRegistry, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, DbUserStore, DbSubscriptionStore, DbSessionStore, DbRoleAssignmentStore, DbOAuthAccountStore, DbFlagStore, DbDialectName, DbClosureStore, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ContentDescriptor, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BillingEventType, BillingEventHandler, BillingEventEmitter, BillingEvent, BillingAdapter, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthEntityProxy, AuthDbClient, AuthContext, AuthConfig, AuthCallbackContext, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AddOnRequires, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData, AUTH_TABLE_NAMES };