@vertz/server 0.2.14 → 0.2.16

package/dist/index.js

@@ -1,6 +1,6 @@
 // src/index.ts
 import {
-  BadRequestException,
+  BadRequestException as BadRequestException2,
   ConflictException,
   createEnv,
   createImmutableProxy,
@@ -20,6 +20,8 @@ import {
 // src/auth/index.ts
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
+import { BadRequestException } from "@vertz/core";
+import { parseBody } from "@vertz/core/internals";
 import {
   createAuthRateLimitedError,
   createAuthValidationError as createAuthValidationError2,
@@ -40,7 +42,13 @@ import {
 // src/auth/billing-period.ts
 function calculateBillingPeriod(startedAt, per, now = new Date) {
   if (per === "month") {
-    return calculateMonthlyPeriod(startedAt, now);
+    return calculateMultiMonthPeriod(startedAt, now, 1);
+  }
+  if (per === "quarter") {
+    return calculateMultiMonthPeriod(startedAt, now, 3);
+  }
+  if (per === "year") {
+    return calculateMultiMonthPeriod(startedAt, now, 12);
   }
   const durationMs = per === "day" ? 24 * 60 * 60 * 1000 : 60 * 60 * 1000;
   const elapsed = now.getTime() - startedAt.getTime();
@@ -49,19 +57,21 @@ function calculateBillingPeriod(startedAt, per, now = new Date) {
   const periodEnd = new Date(periodStart.getTime() + durationMs);
   return { periodStart, periodEnd };
 }
-function calculateMonthlyPeriod(startedAt, now) {
+function calculateMultiMonthPeriod(startedAt, now, monthInterval) {
   if (now.getTime() < startedAt.getTime()) {
-    return { periodStart: new Date(startedAt), periodEnd: addMonths(startedAt, 1) };
+    return { periodStart: new Date(startedAt), periodEnd: addMonths(startedAt, monthInterval) };
   }
-  let periodStart = new Date(startedAt);
   const approxMonths = (now.getUTCFullYear() - startedAt.getUTCFullYear()) * 12 + (now.getUTCMonth() - startedAt.getUTCMonth());
-  if (approxMonths > 0) {
-    periodStart = addMonths(startedAt, approxMonths);
-    if (periodStart.getTime() > now.getTime()) {
-      periodStart = addMonths(startedAt, approxMonths - 1);
-    }
+  const periodsElapsed = Math.floor(approxMonths / monthInterval);
+  let periodStart = addMonths(startedAt, periodsElapsed * monthInterval);
+  if (periodStart.getTime() > now.getTime()) {
+    periodStart = addMonths(startedAt, (periodsElapsed - 1) * monthInterval);
+  }
+  const nextStart = addMonths(startedAt, (periodsElapsed + 1) * monthInterval);
+  if (nextStart.getTime() <= now.getTime()) {
+    periodStart = nextStart;
   }
-  const periodEnd = addMonths(startedAt, getMonthOffset(startedAt, periodStart) + 1);
+  const periodEnd = addMonths(startedAt, getMonthOffset(startedAt, periodStart) + monthInterval);
   return { periodStart, periodEnd };
 }
 function addMonths(base, months) {
@@ -78,45 +88,95 @@ function getMonthOffset(base, target) {
   return (target.getUTCFullYear() - base.getUTCFullYear()) * 12 + (target.getUTCMonth() - base.getUTCMonth());
 }
 
-// src/auth/plan-store.ts
-function resolveEffectivePlan(orgPlan, plans, defaultPlan = "free", now) {
-  if (!orgPlan)
+// src/auth/resolve-inherited-role.ts
+function resolveInheritedRole(sourceType, sourceRole, targetType, accessDef) {
+  const hierarchy = accessDef.hierarchy;
+  const sourceIdx = hierarchy.indexOf(sourceType);
+  const targetIdx = hierarchy.indexOf(targetType);
+  if (sourceIdx === -1 || targetIdx === -1 || sourceIdx >= targetIdx)
+    return null;
+  let currentRole = sourceRole;
+  for (let i = sourceIdx;i < targetIdx; i++) {
+    const currentType = hierarchy[i];
+    const inheritanceMap = accessDef.inheritance[currentType];
+    if (!inheritanceMap || !(currentRole in inheritanceMap))
+      return null;
+    currentRole = inheritanceMap[currentRole];
+  }
+  return currentRole;
+}
+
+// src/auth/subscription-store.ts
+function resolveEffectivePlan(subscription, plans, defaultPlan = "free", now) {
+  if (!subscription)
     return null;
-  if (orgPlan.expiresAt && orgPlan.expiresAt.getTime() < (now ?? Date.now())) {
+  if (subscription.expiresAt && subscription.expiresAt.getTime() < (now ?? Date.now())) {
     return plans?.[defaultPlan] ? defaultPlan : null;
   }
-  if (!plans?.[orgPlan.planId])
+  if (!plans?.[subscription.planId])
     return null;
-  return orgPlan.planId;
+  return subscription.planId;
 }
 
-class InMemoryPlanStore {
-  plans = new Map;
-  async assignPlan(orgId, planId, startedAt = new Date, expiresAt = null) {
-    this.plans.set(orgId, {
-      orgId,
+class InMemorySubscriptionStore {
+  subscriptions = new Map;
+  addOns = new Map;
+  async assign(tenantId, planId, startedAt = new Date, expiresAt = null) {
+    this.subscriptions.set(tenantId, {
+      tenantId,
       planId,
       startedAt,
       expiresAt,
       overrides: {}
     });
   }
-  async getPlan(orgId) {
-    return this.plans.get(orgId) ?? null;
+  async get(tenantId) {
+    return this.subscriptions.get(tenantId) ?? null;
   }
-  async updateOverrides(orgId, overrides) {
-    const plan = this.plans.get(orgId);
-    if (!plan)
+  async updateOverrides(tenantId, overrides) {
+    const sub = this.subscriptions.get(tenantId);
+    if (!sub)
       return;
-    plan.overrides = { ...plan.overrides, ...overrides };
+    sub.overrides = { ...sub.overrides, ...overrides };
+  }
+  async remove(tenantId) {
+    this.subscriptions.delete(tenantId);
+  }
+  async attachAddOn(tenantId, addOnId) {
+    if (!this.addOns.has(tenantId)) {
+      this.addOns.set(tenantId, new Set);
+    }
+    this.addOns.get(tenantId).add(addOnId);
+  }
+  async detachAddOn(tenantId, addOnId) {
+    this.addOns.get(tenantId)?.delete(addOnId);
   }
-  async removePlan(orgId) {
-    this.plans.delete(orgId);
+  async getAddOns(tenantId) {
+    return [...this.addOns.get(tenantId) ?? []];
+  }
+  async listByPlan(planId) {
+    const result = [];
+    for (const [tenantId, sub] of this.subscriptions.entries()) {
+      if (sub.planId === planId) {
+        result.push(tenantId);
+      }
+    }
+    return result;
   }
   dispose() {
-    this.plans.clear();
+    this.subscriptions.clear();
+    this.addOns.clear();
   }
 }
+function checkAddOnCompatibility(accessDef, addOnId, currentPlanId) {
+  const addOnDef = accessDef.plans?.[addOnId];
+  if (!addOnDef?.requires)
+    return true;
+  return addOnDef.requires.plans.includes(currentPlanId);
+}
+function getIncompatibleAddOns(accessDef, activeAddOnIds, targetPlanId) {
+  return activeAddOnIds.filter((id) => !checkAddOnCompatibility(accessDef, id, targetPlanId));
+}
 
 // src/auth/access-set.ts
 async function computeAccessSet(config) {
@@ -125,14 +185,13 @@ async function computeAccessSet(config) {
     accessDef,
     roleStore,
     closureStore,
-    plan,
     flagStore,
-    planStore,
+    subscriptionStore,
     walletStore,
-    orgId
+    tenantId
   } = config;
   const entitlements = {};
-  let resolvedPlan = plan ?? null;
+  let resolvedPlan = null;
   if (!userId) {
     for (const name of Object.keys(accessDef.entitlements)) {
       entitlements[name] = {
@@ -144,7 +203,7 @@ async function computeAccessSet(config) {
     return {
       entitlements,
       flags: {},
-      plan: plan ?? null,
+      plan: null,
       computedAt: new Date().toISOString()
     };
   }
@@ -186,14 +245,14 @@ async function computeAccessSet(config) {
     }
   }
   const resolvedFlags = {};
-  if (flagStore && orgId) {
-    const orgFlags = flagStore.getFlags(orgId);
+  if (flagStore && tenantId) {
+    const orgFlags = flagStore.getFlags(tenantId);
     Object.assign(resolvedFlags, orgFlags);
     for (const [name, entDef] of Object.entries(accessDef.entitlements)) {
       if (entDef.flags?.length) {
         const disabledFlags = [];
         for (const flag of entDef.flags) {
-          if (!flagStore.getFlag(orgId, flag)) {
+          if (!flagStore.getFlag(tenantId, flag)) {
             disabledFlags.push(flag);
           }
         }
@@ -213,58 +272,105 @@ async function computeAccessSet(config) {
       }
     }
   }
-  if (planStore && orgId) {
-    const orgPlan = await planStore.getPlan(orgId);
-    if (orgPlan) {
-      const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+  if (subscriptionStore && tenantId) {
+    const subscription = await subscriptionStore.get(tenantId);
+    if (subscription) {
+      const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
       resolvedPlan = effectivePlanId;
       if (effectivePlanId) {
         const planDef = accessDef.plans?.[effectivePlanId];
         if (planDef) {
-          for (const [name, entDef] of Object.entries(accessDef.entitlements)) {
-            if (entDef.plans?.length && !planDef.entitlements.includes(name)) {
+          const effectiveFeatures = new Set(planDef.features ?? []);
+          const addOns = await subscriptionStore.getAddOns?.(tenantId);
+          if (addOns) {
+            for (const addOnId of addOns) {
+              const addOnDef = accessDef.plans?.[addOnId];
+              if (addOnDef?.features) {
+                for (const f of addOnDef.features)
+                  effectiveFeatures.add(f);
+              }
+            }
+          }
+          for (const name of Object.keys(accessDef.entitlements)) {
+            if (accessDef._planGatedEntitlements.has(name) && !effectiveFeatures.has(name)) {
               const entry = entitlements[name];
               const reasons = [...entry.reasons];
               if (!reasons.includes("plan_required"))
                 reasons.push("plan_required");
+              const requiredPlans = [];
+              for (const [pName, pDef] of Object.entries(accessDef.plans ?? {})) {
+                if (pDef.features?.includes(name))
+                  requiredPlans.push(pName);
+              }
               entitlements[name] = {
                 ...entry,
                 allowed: false,
                 reasons,
                 reason: reasons[0],
-                meta: { ...entry.meta, requiredPlans: [...entDef.plans] }
+                meta: { ...entry.meta, requiredPlans }
               };
             }
-            if (walletStore && planDef.limits?.[name]) {
-              const limitDef = planDef.limits[name];
-              const override = orgPlan.overrides[name];
-              const effectiveLimit = override ? Math.max(override.max, limitDef.max) : limitDef.max;
-              const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
-              const consumed = await walletStore.getConsumption(orgId, name, periodStart, periodEnd);
-              const remaining = Math.max(0, effectiveLimit - consumed);
-              const entry = entitlements[name];
-              if (consumed >= effectiveLimit) {
-                const reasons = [...entry.reasons];
-                if (!reasons.includes("limit_reached"))
-                  reasons.push("limit_reached");
-                entitlements[name] = {
-                  ...entry,
-                  allowed: false,
-                  reasons,
-                  reason: reasons[0],
-                  meta: {
-                    ...entry.meta,
-                    limit: { max: effectiveLimit, consumed, remaining }
+            const limitKeys = accessDef._entitlementToLimitKeys[name];
+            if (walletStore && limitKeys?.length) {
+              const limitKey = limitKeys[0];
+              const limitDef = planDef.limits?.[limitKey];
+              if (limitDef) {
+                let effectiveMax = limitDef.max;
+                if (addOns) {
+                  for (const addOnId of addOns) {
+                    const addOnDef = accessDef.plans?.[addOnId];
+                    const addOnLimit = addOnDef?.limits?.[limitKey];
+                    if (addOnLimit) {
+                      if (effectiveMax === -1)
+                        break;
+                      effectiveMax += addOnLimit.max;
+                    }
                   }
-                };
-              } else {
-                entitlements[name] = {
-                  ...entry,
-                  meta: {
-                    ...entry.meta,
-                    limit: { max: effectiveLimit, consumed, remaining }
+                }
+                const override = subscription.overrides[limitKey];
+                if (override)
+                  effectiveMax = Math.max(effectiveMax, override.max);
+                if (effectiveMax === -1) {
+                  const entry = entitlements[name];
+                  entitlements[name] = {
+                    ...entry,
+                    meta: {
+                      ...entry.meta,
+                      limit: { key: limitKey, max: -1, consumed: 0, remaining: -1 }
+                    }
+                  };
+                } else {
+                  const period = limitDef.per ? calculateBillingPeriod(subscription.startedAt, limitDef.per) : {
+                    periodStart: subscription.startedAt,
+                    periodEnd: new Date("9999-12-31T23:59:59Z")
+                  };
+                  const consumed = await walletStore.getConsumption(tenantId, limitKey, period.periodStart, period.periodEnd);
+                  const remaining = Math.max(0, effectiveMax - consumed);
+                  const entry = entitlements[name];
+                  if (consumed >= effectiveMax) {
+                    const reasons = [...entry.reasons];
+                    if (!reasons.includes("limit_reached"))
+                      reasons.push("limit_reached");
+                    entitlements[name] = {
+                      ...entry,
+                      allowed: false,
+                      reasons,
+                      reason: reasons[0],
+                      meta: {
+                        ...entry.meta,
+                        limit: { key: limitKey, max: effectiveMax, consumed, remaining }
+                      }
+                    };
+                  } else {
+                    entitlements[name] = {
+                      ...entry,
+                      meta: {
+                        ...entry.meta,
+                        limit: { key: limitKey, max: effectiveMax, consumed, remaining }
+                      }
+                    };
                   }
-                };
+                }
               }
             }
           }
@@ -342,22 +448,6 @@ function addRole(map, resourceType, role) {
   }
   roles.add(role);
 }
-function resolveInheritedRole(sourceType, sourceRole, targetType, accessDef) {
-  const hierarchy = accessDef.hierarchy;
-  const sourceIdx = hierarchy.indexOf(sourceType);
-  const targetIdx = hierarchy.indexOf(targetType);
-  if (sourceIdx === -1 || targetIdx === -1 || sourceIdx >= targetIdx)
-    return null;
-  let currentRole = sourceRole;
-  for (let i = sourceIdx;i < targetIdx; i++) {
-    const currentType = hierarchy[i];
-    const inheritanceMap = accessDef.inheritance[currentType];
-    if (!inheritanceMap || !(currentRole in inheritanceMap))
-      return null;
-    currentRole = inheritanceMap[currentRole];
-  }
-  return currentRole;
-}
 
 // src/auth/cookies.ts
 var DEFAULT_COOKIE_CONFIG = {
@@ -703,7 +793,7 @@ var DEFAULT_PASSWORD_REQUIREMENTS = {
   requireNumbers: false,
   requireSymbols: false
 };
-var BCRYPT_ROUNDS = 12;
+var BCRYPT_ROUNDS = process.env.VERTZ_TEST === "1" ? 4 : 12;
 async function hashPassword(password) {
   return bcrypt.hash(password, BCRYPT_ROUNDS);
 }
@@ -806,6 +896,60 @@ class InMemoryRateLimitStore {
   }
 }
 
+// src/auth/resolve-session-for-ssr.ts
+function extractAccessSet(acl) {
+  if (acl.overflow)
+    return null;
+  if (!acl.set)
+    return null;
+  return {
+    entitlements: Object.fromEntries(Object.entries(acl.set.entitlements).map(([name, check]) => {
+      const data = {
+        allowed: check.allowed,
+        reasons: check.reasons ?? [],
+        ...check.reason ? { reason: check.reason } : {},
+        ...check.meta ? { meta: check.meta } : {}
+      };
+      return [name, data];
+    })),
+    flags: acl.set.flags,
+    plan: acl.set.plan,
+    computedAt: acl.set.computedAt
+  };
+}
+function resolveSessionForSSR(config) {
+  const { jwtSecret, jwtAlgorithm, cookieName } = config;
+  return async (request) => {
+    const cookieHeader = request.headers.get("cookie");
+    if (!cookieHeader)
+      return null;
+    const cookieEntry = cookieHeader.split(";").find((c) => c.trim().startsWith(`${cookieName}=`));
+    if (!cookieEntry)
+      return null;
+    const token = cookieEntry.trim().slice(`${cookieName}=`.length);
+    if (!token)
+      return null;
+    const payload = await verifyJWT(token, jwtSecret, jwtAlgorithm);
+    if (!payload)
+      return null;
+    const user = {
+      id: payload.sub,
+      email: payload.email,
+      role: payload.role
+    };
+    if (payload.tenantId) {
+      user.tenantId = payload.tenantId;
+    }
+    const session = {
+      user,
+      expiresAt: payload.exp * 1000
+    };
+    const acl = payload.acl;
+    const accessSet = acl !== undefined ? extractAccessSet(acl) : undefined;
+    return { session, accessSet };
+  };
+}
+
 // src/auth/session-store.ts
 var DEFAULT_MAX_SESSIONS_PER_USER = 50;
 var CLEANUP_INTERVAL_MS2 = 60000;
@@ -880,6 +1024,13 @@ class InMemorySessionStore {
     }
     return null;
   }
+  async findActiveSessionById(id) {
+    const session = this.sessions.get(id);
+    if (!session || session.revokedAt || session.expiresAt <= new Date) {
+      return null;
+    }
+    return session;
+  }
   async findByPreviousRefreshHash(hash) {
     for (const session of this.sessions.values()) {
       if (session.previousRefreshHash !== null && timingSafeEqual(session.previousRefreshHash, hash) && !session.revokedAt && session.expiresAt > new Date) {
@@ -1050,6 +1201,40 @@ function timingSafeEqual2(a, b) {
   return equal && a.length === b.length;
 }
 
+// src/auth/types.ts
+import {
+  s
+} from "@vertz/schema";
+var authEmailFieldSchema = s.string().min(1).trim();
+var authPasswordFieldSchema = s.string().min(1);
+var signUpInputSchema = s.object({
+  email: authEmailFieldSchema,
+  password: authPasswordFieldSchema
+}).passthrough();
+var signInInputSchema = s.object({
+  email: authEmailFieldSchema,
+  password: authPasswordFieldSchema
+});
+var codeInputSchema = s.object({
+  code: s.string().min(1)
+});
+var passwordInputSchema = s.object({
+  password: s.string().min(1)
+});
+var tokenInputSchema = s.object({
+  token: s.string().min(1).optional()
+});
+var forgotPasswordInputSchema = s.object({
+  email: s.string().min(1).trim()
+});
+var resetPasswordInputSchema = s.object({
+  token: s.string().min(1).optional(),
+  password: s.string().min(1)
+});
+var switchTenantInputSchema = s.object({
+  tenantId: s.string().min(1)
+});
+
 // src/auth/user-store.ts
 class InMemoryUserStore {
   byEmail = new Map;
@@ -1079,6 +1264,13 @@ class InMemoryUserStore {
       user.emailVerified = verified;
     }
   }
+  async deleteUser(id) {
+    const user = this.byId.get(id);
+    if (user) {
+      this.byEmail.delete(user.email.toLowerCase());
+      this.byId.delete(id);
+    }
+  }
 }
 // src/auth/access.ts
 class AuthorizationError extends Error {
@@ -1214,11 +1406,13 @@ function createAccessContext(config) {
     closureStore,
     roleStore,
     flagStore,
-    planStore,
+    subscriptionStore,
     walletStore,
-    orgResolver
+    overrideStore,
+    orgResolver,
+    planVersionStore
   } = config;
-  async function checkLayers1to4(entitlement, resource, resolvedOrgId) {
+  async function checkLayers1to3(entitlement, resource, resolvedOrgId, overrides) {
     if (!userId)
       return false;
     const entDef = accessDef.entitlements[entitlement];
@@ -1241,29 +1435,44 @@ function createAccessContext(config) {
     } else if (entDef.roles.length > 0 && !resource) {
       return false;
     }
-    if (entDef.plans?.length && planStore && orgResolver) {
+    if (accessDef._planGatedEntitlements.has(entitlement) && subscriptionStore && orgResolver) {
       if (!resolvedOrgId)
         return false;
-      const orgPlan = await planStore.getPlan(resolvedOrgId);
-      const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+      const subscription = await subscriptionStore.get(resolvedOrgId);
+      const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
       if (!effectivePlanId)
         return false;
-      const planDef = accessDef.plans?.[effectivePlanId];
-      if (!planDef || !planDef.entitlements.includes(entitlement)) {
+      const hasFeature = await resolveEffectiveFeatures(resolvedOrgId, entitlement, effectivePlanId, accessDef, subscriptionStore, planVersionStore, overrides);
+      if (!hasFeature)
         return false;
-      }
     }
     return true;
   }
   async function can(entitlement, resource) {
     const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
-    if (!await checkLayers1to4(entitlement, resource, resolvedOrgId))
+    const overrides = resolvedOrgId && overrideStore ? await overrideStore.get(resolvedOrgId) : null;
+    if (!await checkLayers1to3(entitlement, resource, resolvedOrgId, overrides))
       return false;
-    const entDef = accessDef.entitlements[entitlement];
-    if (entDef?.plans?.length && walletStore && planStore && resolvedOrgId) {
-      const walletState = await resolveWalletStateFromOrgId(entitlement, resolvedOrgId, accessDef, planStore, walletStore);
-      if (walletState && walletState.consumed >= walletState.limit) {
-        return false;
+    const limitKeys = accessDef._entitlementToLimitKeys[entitlement];
+    if (limitKeys?.length && walletStore && subscriptionStore && resolvedOrgId) {
+      const walletStates = await resolveAllLimitStates(entitlement, resolvedOrgId, accessDef, subscriptionStore, walletStore, planVersionStore, overrides);
+      for (const ws of walletStates) {
+        if (ws.max === 0)
+          return false;
+        if (ws.max === -1)
+          continue;
+        if (ws.consumed >= ws.max) {
+          if (ws.hasOverage) {
+            if (ws.overageCap !== undefined) {
+              const overageUnits = ws.consumed - ws.max;
+              const overageCost = overageUnits * (ws.overageAmount ?? 0) / (ws.overagePer ?? 1);
+              if (overageCost >= ws.overageCap)
+                return false;
+            }
+            continue;
+          }
+          return false;
+        }
       }
     }
     return true;
@@ -1287,6 +1496,7 @@ function createAccessContext(config) {
       };
     }
     const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
+    const overrides = resolvedOrgId && overrideStore ? await overrideStore.get(resolvedOrgId) : null;
     if (entDef.flags?.length && flagStore && orgResolver) {
       if (resolvedOrgId) {
         const disabledFlags = [];
@@ -1315,37 +1525,85 @@ function createAccessContext(config) {
         meta.requiredRoles = [...entDef.roles];
       }
     }
-    if (entDef.plans?.length && planStore && orgResolver) {
+    if (accessDef._planGatedEntitlements.has(entitlement) && subscriptionStore && orgResolver) {
       let planDenied = false;
       if (!resolvedOrgId) {
         planDenied = true;
       } else {
-        const orgPlan = await planStore.getPlan(resolvedOrgId);
-        const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+        const subscription = await subscriptionStore.get(resolvedOrgId);
+        const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
         if (!effectivePlanId) {
           planDenied = true;
         } else {
-          const planDef = accessDef.plans?.[effectivePlanId];
-          if (!planDef || !planDef.entitlements.includes(entitlement)) {
+          const hasFeature = await resolveEffectiveFeatures(resolvedOrgId, entitlement, effectivePlanId, accessDef, subscriptionStore, planVersionStore, overrides);
+          if (!hasFeature) {
             planDenied = true;
           }
         }
       }
       if (planDenied) {
         reasons.push("plan_required");
-        meta.requiredPlans = [...entDef.plans];
+        const plansWithFeature = [];
+        if (accessDef.plans) {
+          for (const [pName, pDef] of Object.entries(accessDef.plans)) {
+            if (pDef.features?.includes(entitlement)) {
+              plansWithFeature.push(pName);
+            }
+          }
+        }
+        meta.requiredPlans = plansWithFeature;
       }
     }
-    if (entDef.plans?.length && walletStore && planStore && resolvedOrgId) {
-      const walletState = await resolveWalletStateFromOrgId(entitlement, resolvedOrgId, accessDef, planStore, walletStore);
-      if (walletState) {
-        meta.limit = {
-          max: walletState.limit,
-          consumed: walletState.consumed,
-          remaining: Math.max(0, walletState.limit - walletState.consumed)
-        };
-        if (walletState.consumed >= walletState.limit) {
+    const checkLimitKeys = accessDef._entitlementToLimitKeys[entitlement];
+    if (checkLimitKeys?.length && walletStore && subscriptionStore && resolvedOrgId) {
+      const walletStates = await resolveAllLimitStates(entitlement, resolvedOrgId, accessDef, subscriptionStore, walletStore, planVersionStore, overrides);
+      for (const ws of walletStates) {
+        const exceeded = ws.max === 0 || ws.max !== -1 && ws.consumed >= ws.max;
+        if (exceeded) {
+          if (ws.hasOverage && ws.max !== 0) {
+            let capHit = false;
+            if (ws.overageCap !== undefined) {
+              const overageUnits = ws.consumed - ws.max;
+              const overageCost = overageUnits * (ws.overageAmount ?? 0) / (ws.overagePer ?? 1);
+              if (overageCost >= ws.overageCap)
+                capHit = true;
+            }
+            if (capHit) {
+              reasons.push("limit_reached");
+              meta.limit = {
+                key: ws.key,
+                max: ws.max,
+                consumed: ws.consumed,
+                remaining: 0,
+                overage: true
+              };
+              break;
+            }
+            meta.limit = {
+              key: ws.key,
+              max: ws.max,
+              consumed: ws.consumed,
+              remaining: 0,
+              overage: true
+            };
+            continue;
+          }
           reasons.push("limit_reached");
+          meta.limit = {
+            key: ws.key,
+            max: ws.max,
+            consumed: ws.consumed,
+            remaining: Math.max(0, ws.max === -1 ? Infinity : ws.max - ws.consumed)
+          };
+          break;
+        }
+        if (!meta.limit) {
+          meta.limit = {
+            key: ws.key,
+            max: ws.max,
+            consumed: ws.consumed,
+            remaining: ws.max === -1 ? Infinity : Math.max(0, ws.max - ws.consumed)
+          };
         }
       }
     }
@@ -1375,57 +1633,96 @@ function createAccessContext(config) {
     }
     return results;
   }
+  async function canBatch(entitlement, resources) {
+    if (resources.length > MAX_BULK_CHECKS) {
+      throw new Error(`canBatch() is limited to ${MAX_BULK_CHECKS} resources per call`);
+    }
+    const results = new Map;
+    for (const resource of resources) {
+      const allowed = await can(entitlement, resource);
+      results.set(resource.id, allowed);
+    }
+    return results;
+  }
   async function canAndConsume(entitlement, resource, amount = 1) {
     const resolvedOrgId = orgResolver ? await orgResolver(resource) : null;
-    if (!await checkLayers1to4(entitlement, resource, resolvedOrgId))
+    const overrides = resolvedOrgId && overrideStore ? await overrideStore.get(resolvedOrgId) : null;
+    if (!await checkLayers1to3(entitlement, resource, resolvedOrgId, overrides))
       return false;
-    if (!walletStore || !planStore || !orgResolver)
+    if (!walletStore || !subscriptionStore || !orgResolver)
       return true;
-    const entDef = accessDef.entitlements[entitlement];
-    if (!entDef?.plans?.length)
+    const limitKeys = accessDef._entitlementToLimitKeys[entitlement];
+    if (!limitKeys?.length)
       return true;
     if (!resolvedOrgId)
       return false;
-    const orgPlan = await planStore.getPlan(resolvedOrgId);
-    if (!orgPlan)
+    const subscription = await subscriptionStore.get(resolvedOrgId);
+    if (!subscription)
       return false;
-    const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+    const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
     if (!effectivePlanId)
       return false;
-    const planDef = accessDef.plans?.[effectivePlanId];
-    if (!planDef)
-      return false;
-    const limitDef = planDef.limits?.[entitlement];
-    if (!limitDef)
+    const limitsToConsume = await resolveAllLimitConsumptions(resolvedOrgId, entitlement, effectivePlanId, accessDef, subscriptionStore, walletStore, subscription, planVersionStore, overrides);
+    if (!limitsToConsume.length)
       return true;
-    const effectiveLimit = resolveEffectiveLimit(orgPlan, entitlement, limitDef);
-    const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
-    const result = await walletStore.consume(resolvedOrgId, entitlement, periodStart, periodEnd, effectiveLimit, amount);
-    return result.success;
+    const consumed = [];
+    for (const lc of limitsToConsume) {
+      if (lc.effectiveMax === -1)
+        continue;
+      if (lc.effectiveMax === 0) {
+        await rollbackConsumptions(resolvedOrgId, consumed, walletStore, amount);
+        return false;
+      }
+      let consumeMax = lc.effectiveMax;
+      if (lc.hasOverage) {
+        if (lc.overageCap !== undefined) {
+          const currentConsumed = await walletStore.getConsumption(resolvedOrgId, lc.walletKey, lc.periodStart, lc.periodEnd);
+          const overageUnits = Math.max(0, currentConsumed + amount - lc.effectiveMax);
+          const overageCost = overageUnits * (lc.overageAmount ?? 0) / (lc.overagePer ?? 1);
+          if (overageCost > lc.overageCap) {
+            await rollbackConsumptions(resolvedOrgId, consumed, walletStore, amount);
+            return false;
+          }
+        }
+        consumeMax = Number.MAX_SAFE_INTEGER;
+      }
+      const result = await walletStore.consume(resolvedOrgId, lc.walletKey, lc.periodStart, lc.periodEnd, consumeMax, amount);
+      if (!result.success) {
+        await rollbackConsumptions(resolvedOrgId, consumed, walletStore, amount);
+        return false;
+      }
+      consumed.push({
+        key: lc.walletKey,
+        periodStart: lc.periodStart,
+        periodEnd: lc.periodEnd
+      });
+    }
+    return true;
   }
   async function unconsume(entitlement, resource, amount = 1) {
-    if (!walletStore || !planStore || !orgResolver)
+    if (!walletStore || !subscriptionStore || !orgResolver)
       return;
-    const entDef = accessDef.entitlements[entitlement];
-    if (!entDef?.plans?.length)
+    const limitKeys = accessDef._entitlementToLimitKeys[entitlement];
+    if (!limitKeys?.length)
       return;
     const orgId = await orgResolver(resource);
     if (!orgId)
       return;
-    const orgPlan = await planStore.getPlan(orgId);
-    if (!orgPlan)
+    const overrides = overrideStore ? await overrideStore.get(orgId) : null;
+    const subscription = await subscriptionStore.get(orgId);
+    if (!subscription)
       return;
-    const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
+    const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
     if (!effectivePlanId)
       return;
-    const planDef = accessDef.plans?.[effectivePlanId];
-    const limitDef = planDef?.limits?.[entitlement];
-    if (!limitDef)
-      return;
-    const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
-    await walletStore.unconsume(orgId, entitlement, periodStart, periodEnd, amount);
+    const limitsToUnconsume = await resolveAllLimitConsumptions(orgId, entitlement, effectivePlanId, accessDef, subscriptionStore, walletStore, subscription, planVersionStore, overrides);
+    for (const lc of limitsToUnconsume) {
+      if (lc.effectiveMax === -1)
+        continue;
+      await walletStore.unconsume(orgId, lc.walletKey, lc.periodStart, lc.periodEnd, amount);
+    }
   }
-  return { can, check, authorize, canAll, canAndConsume, unconsume };
+  return { can, check, authorize, canAll, canBatch, canAndConsume, unconsume };
 }
 var DENIAL_ORDER = [
   "plan_required",
@@ -1439,25 +1736,174 @@ var DENIAL_ORDER = [
 function orderDenialReasons(reasons) {
   return [...reasons].sort((a, b) => DENIAL_ORDER.indexOf(a) - DENIAL_ORDER.indexOf(b));
 }
-async function resolveWalletStateFromOrgId(entitlement, orgId, accessDef, planStore, walletStore) {
-  const orgPlan = await planStore.getPlan(orgId);
-  const effectivePlanId = resolveEffectivePlan(orgPlan, accessDef.plans, accessDef.defaultPlan);
-  if (!effectivePlanId || !orgPlan)
-    return null;
+async function resolveEffectiveFeatures(orgId, entitlement, effectivePlanId, accessDef, subscriptionStore, planVersionStore, overrides) {
+  if (planVersionStore) {
+    const tenantVersion = await planVersionStore.getTenantVersion(orgId, effectivePlanId);
+    if (tenantVersion !== null) {
+      const versionInfo = await planVersionStore.getVersion(effectivePlanId, tenantVersion);
+      if (versionInfo) {
+        const snapshotFeatures = versionInfo.snapshot.features;
+        if (snapshotFeatures.includes(entitlement))
+          return true;
+        const addOns2 = await subscriptionStore.getAddOns?.(orgId);
+        if (addOns2) {
+          for (const addOnId of addOns2) {
+            const addOnDef = accessDef.plans?.[addOnId];
+            if (addOnDef?.features?.includes(entitlement))
+              return true;
+          }
+        }
+        if (overrides?.features?.includes(entitlement))
+          return true;
+        return false;
+      }
+    }
+  }
   const planDef = accessDef.plans?.[effectivePlanId];
-  const limitDef = planDef?.limits?.[entitlement];
-  if (!limitDef)
-    return null;
-  const effectiveLimit = resolveEffectiveLimit(orgPlan, entitlement, limitDef);
-  const { periodStart, periodEnd } = calculateBillingPeriod(orgPlan.startedAt, limitDef.per);
-  const consumed = await walletStore.getConsumption(orgId, entitlement, periodStart, periodEnd);
-  return { limit: effectiveLimit, consumed };
+  if (planDef?.features?.includes(entitlement))
+    return true;
+  const addOns = await subscriptionStore.getAddOns?.(orgId);
+  if (addOns) {
+    for (const addOnId of addOns) {
+      const addOnDef = accessDef.plans?.[addOnId];
+      if (addOnDef?.features?.includes(entitlement))
+        return true;
+    }
+  }
+  if (overrides?.features?.includes(entitlement))
+    return true;
+  return false;
+}
+async function resolveAllLimitStates(entitlement, orgId, accessDef, subscriptionStore, walletStore, planVersionStore, overrides) {
+  const subscription = await subscriptionStore.get(orgId);
+  const effectivePlanId = resolveEffectivePlan(subscription, accessDef.plans, accessDef.defaultPlan);
+  if (!effectivePlanId || !subscription)
+    return [];
+  const limitKeys = accessDef._entitlementToLimitKeys[entitlement];
+  if (!limitKeys?.length)
+    return [];
+  let versionedLimits = null;
+  if (planVersionStore) {
+    const tenantVersion = await planVersionStore.getTenantVersion(orgId, effectivePlanId);
+    if (tenantVersion !== null) {
+      const versionInfo = await planVersionStore.getVersion(effectivePlanId, tenantVersion);
+      if (versionInfo) {
+        versionedLimits = versionInfo.snapshot.limits;
+      }
+    }
+  }
+  const states = [];
+  for (const limitKey of limitKeys) {
+    let limitDef;
+    if (versionedLimits && limitKey in versionedLimits) {
+      limitDef = versionedLimits[limitKey];
+    } else {
+      const planDef = accessDef.plans?.[effectivePlanId];
+      limitDef = planDef?.limits?.[limitKey];
+    }
+    if (!limitDef)
+      continue;
+    const effectiveMax = computeEffectiveLimit(limitDef.max, limitKey, orgId, subscription, accessDef, subscriptionStore, overrides);
+    const resolvedMax = await effectiveMax;
+    const hasOverage = !!limitDef.overage;
+    if (resolvedMax === -1) {
+      states.push({ key: limitKey, max: -1, consumed: 0, hasOverage });
+      continue;
+    }
+    const walletKey = limitKey;
+    const period = limitDef.per ? calculateBillingPeriod(subscription.startedAt, limitDef.per) : { periodStart: subscription.startedAt, periodEnd: new Date("9999-12-31T23:59:59Z") };
+    const consumed = await walletStore.getConsumption(orgId, walletKey, period.periodStart, period.periodEnd);
+    states.push({
+      key: limitKey,
+      max: resolvedMax,
+      consumed,
+      hasOverage,
+      ...limitDef.overage ? {
+        overageCap: limitDef.overage.cap,
+        overageAmount: limitDef.overage.amount,
+        overagePer: limitDef.overage.per
+      } : {}
+    });
+  }
+  return states;
+}
+async function resolveAllLimitConsumptions(orgId, entitlement, effectivePlanId, accessDef, subscriptionStore, _walletStore, subscription, planVersionStore, overrides) {
+  const limitKeys = accessDef._entitlementToLimitKeys[entitlement];
+  if (!limitKeys?.length)
+    return [];
+  let versionedLimits = null;
+  if (planVersionStore) {
+    const tenantVersion = await planVersionStore.getTenantVersion(orgId, effectivePlanId);
+    if (tenantVersion !== null) {
+      const versionInfo = await planVersionStore.getVersion(effectivePlanId, tenantVersion);
+      if (versionInfo) {
+        versionedLimits = versionInfo.snapshot.limits;
+      }
+    }
+  }
+  const consumptions = [];
+  for (const limitKey of limitKeys) {
+    let limitDef;
+    if (versionedLimits && limitKey in versionedLimits) {
+      limitDef = versionedLimits[limitKey];
+    } else {
+      const planDef = accessDef.plans?.[effectivePlanId];
+      limitDef = planDef?.limits?.[limitKey];
+    }
+    if (!limitDef)
+      continue;
+    const effectiveMax = await computeEffectiveLimit(limitDef.max, limitKey, orgId, subscription, accessDef, subscriptionStore, overrides);
+    const walletKey = limitKey;
+    const period = limitDef.per ? calculateBillingPeriod(subscription.startedAt, limitDef.per) : { periodStart: subscription.startedAt, periodEnd: new Date("9999-12-31T23:59:59Z") };
+    consumptions.push({
+      walletKey,
+      periodStart: period.periodStart,
+      periodEnd: period.periodEnd,
+      effectiveMax,
+      hasOverage: !!limitDef.overage,
+      ...limitDef.overage ? {
+        overageCap: limitDef.overage.cap,
+        overageAmount: limitDef.overage.amount,
+        overagePer: limitDef.overage.per
+      } : {}
+    });
+  }
+  return consumptions;
+}
+async function computeEffectiveLimit(basePlanMax, limitKey, orgId, subscription, accessDef, subscriptionStore, overrides) {
+  let effectiveMax = basePlanMax;
+  const addOns = await subscriptionStore.getAddOns?.(orgId);
+  if (addOns) {
+    for (const addOnId of addOns) {
+      const addOnDef = accessDef.plans?.[addOnId];
+      const addOnLimit = addOnDef?.limits?.[limitKey];
+      if (addOnLimit) {
+        if (effectiveMax === -1)
+          break;
+        effectiveMax += addOnLimit.max;
+      }
+    }
+  }
+  const oldOverride = subscription.overrides[limitKey];
+  if (oldOverride) {
+    effectiveMax = Math.max(effectiveMax, oldOverride.max);
+  }
+  const limitOverride = overrides?.limits?.[limitKey];
+  if (limitOverride) {
+    if (limitOverride.max !== undefined) {
+      effectiveMax = limitOverride.max;
+    } else if (limitOverride.add !== undefined) {
+      if (effectiveMax !== -1) {
+        effectiveMax = Math.max(0, effectiveMax + limitOverride.add);
+      }
+    }
+  }
+  return effectiveMax;
 }
-function resolveEffectiveLimit(orgPlan, entitlement, planLimit) {
-  const override = orgPlan.overrides[entitlement];
-  if (!override)
-    return planLimit.max;
-  return Math.max(override.max, planLimit.max);
+async function rollbackConsumptions(orgId, consumed, walletStore, amount) {
+  for (const c of consumed) {
+    await walletStore.unconsume(orgId, c.key, c.periodStart, c.periodEnd, amount);
+  }
 }
 // src/auth/access-event-broadcaster.ts
 function createAccessEventBroadcaster(config) {
@@ -1605,6 +2051,22 @@ function createAccessEventBroadcaster(config) {
     const event = { type: "access:plan_changed", orgId };
     broadcastToOrg(orgId, JSON.stringify(event));
   }
+  function broadcastPlanAssigned(orgId, planId) {
+    const event = { type: "access:plan_assigned", orgId, planId };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  function broadcastAddonAttached(orgId, addonId) {
+    const event = { type: "access:addon_attached", orgId, addonId };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  function broadcastAddonDetached(orgId, addonId) {
+    const event = { type: "access:addon_detached", orgId, addonId };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
+  function broadcastLimitReset(orgId, entitlement, max) {
+    const event = { type: "access:limit_reset", orgId, entitlement, max };
+    broadcastToOrg(orgId, JSON.stringify(event));
+  }
   return {
     handleUpgrade,
     websocket,
@@ -1612,148 +2074,1286 @@ function createAccessEventBroadcaster(config) {
     broadcastLimitUpdate,
     broadcastRoleChange,
     broadcastPlanChange,
+    broadcastPlanAssigned,
+    broadcastAddonAttached,
+    broadcastAddonDetached,
+    broadcastLimitReset,
     get getConnectionCount() {
       return connectionCount;
     }
   };
 }
-// src/auth/closure-store.ts
-var MAX_DEPTH = 4;
+// src/auth/auth-models.ts
+import { d } from "@vertz/db";
+var authUsersTable = d.table("auth_users", {
+  id: d.text().primary(),
+  email: d.text(),
+  passwordHash: d.text().nullable(),
+  role: d.text().default("user"),
+  plan: d.text().nullable(),
+  emailVerified: d.boolean().default(false),
+  createdAt: d.timestamp().default("now"),
+  updatedAt: d.timestamp().default("now")
+});
+var authSessionsTable = d.table("auth_sessions", {
+  id: d.text().primary(),
+  userId: d.text(),
+  refreshTokenHash: d.text(),
+  previousRefreshHash: d.text().nullable(),
+  currentTokens: d.text().nullable(),
+  ipAddress: d.text(),
+  userAgent: d.text(),
+  createdAt: d.timestamp().default("now"),
+  lastActiveAt: d.timestamp().default("now"),
+  expiresAt: d.timestamp(),
+  revokedAt: d.timestamp().nullable()
+});
+var authOauthAccountsTable = d.table("auth_oauth_accounts", {
+  id: d.text().primary(),
+  userId: d.text(),
+  provider: d.text(),
+  providerId: d.text(),
+  email: d.text().nullable(),
+  createdAt: d.timestamp().default("now")
+});
+var authRoleAssignmentsTable = d.table("auth_role_assignments", {
+  id: d.text().primary(),
+  userId: d.text(),
+  resourceType: d.text(),
+  resourceId: d.text(),
+  role: d.text(),
+  createdAt: d.timestamp().default("now")
+});
+var authClosureTable = d.table("auth_closure", {
+  id: d.text().primary(),
+  ancestorType: d.text(),
+  ancestorId: d.text(),
+  descendantType: d.text(),
+  descendantId: d.text(),
+  depth: d.integer()
+});
+var authPlansTable = d.table("auth_plans", {
+  id: d.text().primary(),
+  tenantId: d.text(),
+  planId: d.text(),
+  startedAt: d.timestamp().default("now"),
+  expiresAt: d.timestamp().nullable()
+});
+var authPlanAddonsTable = d.table("auth_plan_addons", {
+  id: d.text().primary(),
+  tenantId: d.text(),
+  addonId: d.text(),
+  isOneOff: d.boolean().default(false),
+  quantity: d.integer().default(1),
+  createdAt: d.timestamp().default("now")
+});
+var authFlagsTable = d.table("auth_flags", {
+  id: d.text().primary(),
+  tenantId: d.text(),
+  flag: d.text(),
+  enabled: d.boolean().default(false)
+});
+var authOverridesTable = d.table("auth_overrides", {
+  id: d.text().primary(),
+  tenantId: d.text(),
+  overrides: d.text(),
+  updatedAt: d.timestamp().default("now")
+});
+var authModels = {
+  auth_users: d.model(authUsersTable),
+  auth_sessions: d.model(authSessionsTable),
+  auth_oauth_accounts: d.model(authOauthAccountsTable),
+  auth_role_assignments: d.model(authRoleAssignmentsTable),
+  auth_closure: d.model(authClosureTable),
+  auth_plans: d.model(authPlansTable),
+  auth_plan_addons: d.model(authPlanAddonsTable),
+  auth_flags: d.model(authFlagsTable),
+  auth_overrides: d.model(authOverridesTable)
+};
+// src/auth/auth-tables.ts
+import { sql } from "@vertz/db/sql";
 
-class InMemoryClosureStore {
-  rows = [];
-  async addResource(type, id, parent) {
-    this.rows.push({
-      ancestorType: type,
-      ancestorId: id,
-      descendantType: type,
-      descendantId: id,
-      depth: 0
-    });
-    if (parent) {
-      const parentAncestors = await this.getAncestors(parent.parentType, parent.parentId);
-      const maxParentDepth = Math.max(...parentAncestors.map((a) => a.depth), 0);
-      if (maxParentDepth + 1 >= MAX_DEPTH) {
-        this.rows.pop();
-        throw new Error("Hierarchy depth exceeds maximum of 4 levels");
-      }
-      for (const ancestor of parentAncestors) {
-        this.rows.push({
-          ancestorType: ancestor.type,
-          ancestorId: ancestor.id,
-          descendantType: type,
-          descendantId: id,
-          depth: ancestor.depth + 1
-        });
-      }
-    }
+// src/auth/dialect-ddl.ts
+function dialectDDL(dialect) {
+  return {
+    boolean: (def) => dialect === "sqlite" ? `INTEGER NOT NULL DEFAULT ${def ? 1 : 0}` : `BOOLEAN NOT NULL DEFAULT ${def}`,
+    timestamp: () => dialect === "sqlite" ? "TEXT NOT NULL" : "TIMESTAMPTZ NOT NULL",
+    timestampNullable: () => dialect === "sqlite" ? "TEXT" : "TIMESTAMPTZ",
+    text: () => "TEXT",
+    textPrimary: () => "TEXT PRIMARY KEY",
+    integer: () => "INTEGER"
+  };
+}
+
+// src/auth/auth-tables.ts
+function generateAuthDDL(dialect) {
+  const t = dialectDDL(dialect);
+  const statements = [];
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_users (
+  id ${t.textPrimary()},
+  email ${t.text()} NOT NULL UNIQUE,
+  password_hash ${t.text()},
+  role ${t.text()} NOT NULL DEFAULT 'user',
+  email_verified ${t.boolean(false)},
+  created_at ${t.timestamp()},
+  updated_at ${t.timestamp()}
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_sessions (
+  id ${t.textPrimary()},
+  user_id ${t.text()} NOT NULL,
+  refresh_token_hash ${t.text()} NOT NULL,
+  previous_refresh_hash ${t.text()},
+  current_tokens ${t.text()},
+  ip_address ${t.text()} NOT NULL,
+  user_agent ${t.text()} NOT NULL,
+  created_at ${t.timestamp()},
+  last_active_at ${t.timestamp()},
+  expires_at ${t.timestamp()},
+  revoked_at ${t.timestampNullable()}
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_oauth_accounts (
+  id ${t.textPrimary()},
+  user_id ${t.text()} NOT NULL,
+  provider ${t.text()} NOT NULL,
+  provider_id ${t.text()} NOT NULL,
+  email ${t.text()},
+  created_at ${t.timestamp()},
+  UNIQUE(provider, provider_id)
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_role_assignments (
+  id ${t.textPrimary()},
+  user_id ${t.text()} NOT NULL,
+  resource_type ${t.text()} NOT NULL,
+  resource_id ${t.text()} NOT NULL,
+  role ${t.text()} NOT NULL,
+  created_at ${t.timestamp()},
+  UNIQUE(user_id, resource_type, resource_id, role)
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_closure (
+  id ${t.textPrimary()},
+  ancestor_type ${t.text()} NOT NULL,
+  ancestor_id ${t.text()} NOT NULL,
+  descendant_type ${t.text()} NOT NULL,
+  descendant_id ${t.text()} NOT NULL,
+  depth ${t.integer()} NOT NULL,
+  UNIQUE(ancestor_type, ancestor_id, descendant_type, descendant_id)
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_plans (
+  id ${t.textPrimary()},
+  tenant_id ${t.text()} NOT NULL UNIQUE,
+  plan_id ${t.text()} NOT NULL,
+  started_at ${t.timestamp()},
+  expires_at ${t.timestampNullable()}
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_plan_addons (
+  id ${t.textPrimary()},
+  tenant_id ${t.text()} NOT NULL,
+  addon_id ${t.text()} NOT NULL,
+  is_one_off ${t.boolean(false)},
+  quantity ${t.integer()} NOT NULL DEFAULT 1,
+  created_at ${t.timestamp()},
+  UNIQUE(tenant_id, addon_id)
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_flags (
+  id ${t.textPrimary()},
+  tenant_id ${t.text()} NOT NULL,
+  flag ${t.text()} NOT NULL,
+  enabled ${t.boolean(false)},
+  UNIQUE(tenant_id, flag)
+)`);
+  statements.push(`CREATE TABLE IF NOT EXISTS auth_overrides (
+  id ${t.textPrimary()},
+  tenant_id ${t.text()} NOT NULL UNIQUE,
+  overrides ${t.text()} NOT NULL,
+  updated_at ${t.timestamp()}
+)`);
+  return statements;
+}
+var AUTH_TABLE_NAMES = [
+  "auth_users",
+  "auth_sessions",
+  "auth_oauth_accounts",
+  "auth_role_assignments",
+  "auth_closure",
+  "auth_plans",
+  "auth_plan_addons",
+  "auth_flags",
+  "auth_overrides"
+];
+function validateAuthModels(db) {
+  const dbModels = db._internals.models;
+  const missing = AUTH_TABLE_NAMES.filter((m) => !(m in dbModels));
+  if (missing.length > 0) {
+    throw new Error(`Auth requires models ${missing.map((m) => `"${m}"`).join(", ")} in createDb(). ` + "Add authModels to your createDb() call: createDb({ models: { ...authModels, ...yourModels } })");
   }
-  async removeResource(type, id) {
-    const descendants = await this.getDescendants(type, id);
-    const descendantKeys = new Set(descendants.map((d) => `${d.type}:${d.id}`));
-    this.rows = this.rows.filter((row) => {
-      const ancestorKey = `${row.ancestorType}:${row.ancestorId}`;
-      const descendantKey = `${row.descendantType}:${row.descendantId}`;
-      return !descendantKeys.has(ancestorKey) && !descendantKeys.has(descendantKey);
-    });
+}
+async function initializeAuthTables(db) {
+  const dialectName = db._internals.dialect.name;
+  const statements = generateAuthDDL(dialectName);
+  for (const ddl of statements) {
+    await db.query(sql.raw(ddl));
   }
-  async getAncestors(type, id) {
+}
+// src/auth/billing/event-emitter.ts
+function createBillingEventEmitter() {
+  const handlers = new Map;
+  return {
+    on(eventType, handler) {
+      const list = handlers.get(eventType) ?? [];
+      list.push(handler);
+      handlers.set(eventType, list);
+    },
+    off(eventType, handler) {
+      const list = handlers.get(eventType);
+      if (!list)
+        return;
+      const idx = list.indexOf(handler);
+      if (idx >= 0)
+        list.splice(idx, 1);
+    },
+    emit(eventType, event) {
+      const list = handlers.get(eventType);
+      if (!list)
+        return;
+      for (const handler of list) {
+        try {
+          handler(event);
+        } catch {}
+      }
+    }
+  };
+}
+// src/auth/billing/overage.ts
+function computeOverage(input) {
+  const { consumed, max, rate } = input;
+  if (max === -1)
+    return 0;
+  if (consumed <= max)
+    return 0;
+  const overageUnits = consumed - max;
+  const charge = overageUnits * rate;
+  if (input.cap !== undefined && charge > input.cap) {
+    return input.cap;
+  }
+  return charge;
+}
+// src/auth/billing/stripe-adapter.ts
+var INTERVAL_MAP = {
+  month: "month",
+  quarter: "month",
+  year: "year"
+};
+function mapInterval(interval) {
+  if (interval === "quarter") {
+    return { interval: "month", interval_count: 3 };
+  }
+  return { interval: INTERVAL_MAP[interval] ?? "month" };
+}
+function createStripeBillingAdapter(config) {
+  const { stripe, currency = "usd" } = config;
+  async function syncPlans(plans) {
+    const existing = await stripe.products.list();
+    const existingByPlanId = new Map;
+    for (const product of existing.data) {
+      if (product.metadata.vertzPlanId) {
+        existingByPlanId.set(product.metadata.vertzPlanId, product);
+      }
+    }
+    for (const [planId, planDef] of Object.entries(plans)) {
+      const metadata = {
+        vertzPlanId: planId
+      };
+      if (planDef.group)
+        metadata.group = planDef.group;
+      if (planDef.addOn)
+        metadata.addOn = "true";
+      let product = existingByPlanId.get(planId);
+      if (!product) {
+        product = await stripe.products.create({
+          name: planDef.title ?? planId,
+          metadata,
+          description: planDef.description
+        });
+      } else {
+        await stripe.products.update(product.id, {
+          name: planDef.title ?? planId,
+          metadata
+        });
+      }
+      const amount = planDef.price?.amount ?? 0;
+      const interval = planDef.price?.interval;
+      const unitAmount = Math.round(amount * 100);
+      const existingPrices = await stripe.prices.list({ product: product.id });
+      const activePrices = existingPrices.data.filter((p) => p.active);
+      const matchingPrice = activePrices.find((p) => p.unit_amount === unitAmount);
+      if (!matchingPrice) {
+        for (const oldPrice of activePrices) {
+          await stripe.prices.update(oldPrice.id, { active: false });
+        }
+        const priceParams = {
+          product: product.id,
+          unit_amount: unitAmount,
+          currency,
+          metadata: { vertzPlanId: planId }
+        };
+        if (interval && interval !== "one_off") {
+          const mapped = mapInterval(interval);
+          priceParams.recurring = { interval: mapped.interval };
+        }
+        await stripe.prices.create(priceParams);
+      }
+    }
+  }
+  async function createSubscription(_tenantId, _planId) {
+    return "sub_placeholder";
+  }
+  async function cancelSubscription(_tenantId) {}
+  async function attachAddOn(_tenantId, _addOnId) {}
+  async function reportOverage(_tenantId, _limitKey, _amount) {}
+  async function getPortalUrl(_tenantId) {
+    return "https://billing.stripe.com/portal/placeholder";
+  }
+  return {
+    syncPlans,
+    createSubscription,
+    cancelSubscription,
+    attachAddOn,
+    reportOverage,
+    getPortalUrl
+  };
+}
+// src/auth/billing/webhook-handler.ts
+function extractTenantId(obj) {
+  const meta = obj.metadata;
+  if (meta?.tenantId)
+    return meta.tenantId;
+  const subDetails = obj.subscription_details;
+  if (subDetails?.metadata) {
+    const subMeta = subDetails.metadata;
+    if (subMeta.tenantId)
+      return subMeta.tenantId;
+  }
+  return null;
+}
+function extractPlanId(obj) {
+  const meta = obj.metadata;
+  if (meta?.vertzPlanId)
+    return meta.vertzPlanId;
+  const items = obj.items;
+  if (items?.data?.[0]?.price?.metadata?.vertzPlanId) {
+    return items.data[0].price.metadata.vertzPlanId;
+  }
+  return null;
+}
+function createWebhookHandler(config) {
+  const { subscriptionStore, emitter, defaultPlan, webhookSecret } = config;
+  return async (request) => {
+    const signature = request.headers.get("stripe-signature");
+    if (signature !== webhookSecret) {
+      return new Response(JSON.stringify({ error: "Invalid signature" }), {
+        status: 400,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    let event;
+    try {
+      const body = await request.text();
+      event = JSON.parse(body);
+    } catch {
+      return new Response(JSON.stringify({ error: "Invalid JSON" }), {
+        status: 400,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    const obj = event.data.object;
+    try {
+      switch (event.type) {
+        case "customer.subscription.created": {
+          const tenantId = extractTenantId(obj);
+          const planId = extractPlanId(obj);
+          if (tenantId && planId) {
+            await subscriptionStore.assign(tenantId, planId);
+            emitter.emit("subscription:created", { tenantId, planId });
+          }
+          break;
+        }
+        case "customer.subscription.updated": {
+          const tenantId = extractTenantId(obj);
+          const planId = extractPlanId(obj);
+          if (tenantId && planId) {
+            await subscriptionStore.assign(tenantId, planId);
+          }
+          break;
+        }
+        case "customer.subscription.deleted": {
+          const tenantId = extractTenantId(obj);
+          const planId = extractPlanId(obj);
+          if (tenantId) {
+            await subscriptionStore.assign(tenantId, defaultPlan);
+            emitter.emit("subscription:canceled", {
+              tenantId,
+              planId: planId ?? defaultPlan
+            });
+          }
+          break;
+        }
+        case "invoice.payment_failed": {
+          const tenantId = extractTenantId(obj);
+          const planId = extractPlanId(obj);
+          const attemptCount = obj.attempt_count ?? 1;
+          if (tenantId) {
+            emitter.emit("billing:payment_failed", {
+              tenantId,
+              planId: planId ?? "",
+              attempt: attemptCount
+            });
+          }
+          break;
+        }
+        case "checkout.session.completed": {
+          const tenantId = extractTenantId(obj);
+          const planId = extractPlanId(obj);
+          const meta = obj.metadata;
+          const isAddOn = meta?.isAddOn === "true";
+          if (tenantId && planId) {
+            if (isAddOn && subscriptionStore.attachAddOn) {
+              await subscriptionStore.attachAddOn(tenantId, planId);
+            } else {
+              await subscriptionStore.assign(tenantId, planId);
+            }
+          }
+          break;
+        }
+        default:
+          break;
+      }
+    } catch {
+      return new Response(JSON.stringify({ error: "Processing failed" }), {
+        status: 500,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    return new Response(JSON.stringify({ received: true }), {
+      status: 200,
+      headers: { "content-type": "application/json" }
+    });
+  };
+}
+// src/auth/closure-store.ts
+var MAX_DEPTH = 4;
+
+class InMemoryClosureStore {
+  rows = [];
+  async addResource(type, id, parent) {
+    this.rows.push({
+      ancestorType: type,
+      ancestorId: id,
+      descendantType: type,
+      descendantId: id,
+      depth: 0
+    });
+    if (parent) {
+      const parentAncestors = await this.getAncestors(parent.parentType, parent.parentId);
+      const maxParentDepth = Math.max(...parentAncestors.map((a) => a.depth), 0);
+      if (maxParentDepth + 1 >= MAX_DEPTH) {
+        this.rows.pop();
+        throw new Error("Hierarchy depth exceeds maximum of 4 levels");
+      }
+      for (const ancestor of parentAncestors) {
+        this.rows.push({
+          ancestorType: ancestor.type,
+          ancestorId: ancestor.id,
+          descendantType: type,
+          descendantId: id,
+          depth: ancestor.depth + 1
+        });
+      }
+    }
+  }
+  async removeResource(type, id) {
+    const descendants = await this.getDescendants(type, id);
+    const descendantKeys = new Set(descendants.map((d2) => `${d2.type}:${d2.id}`));
+    this.rows = this.rows.filter((row) => {
+      const ancestorKey = `${row.ancestorType}:${row.ancestorId}`;
+      const descendantKey = `${row.descendantType}:${row.descendantId}`;
+      return !descendantKeys.has(ancestorKey) && !descendantKeys.has(descendantKey);
+    });
+  }
+  async getAncestors(type, id) {
     return this.rows.filter((row) => row.descendantType === type && row.descendantId === id).map((row) => ({
       type: row.ancestorType,
       id: row.ancestorId,
       depth: row.depth
     }));
   }
-  async getDescendants(type, id) {
-    return this.rows.filter((row) => row.ancestorType === type && row.ancestorId === id).map((row) => ({
-      type: row.descendantType,
-      id: row.descendantId,
-      depth: row.depth
-    }));
+  async getDescendants(type, id) {
+    return this.rows.filter((row) => row.ancestorType === type && row.ancestorId === id).map((row) => ({
+      type: row.descendantType,
+      id: row.descendantId,
+      depth: row.depth
+    }));
+  }
+  async hasPath(ancestorType, ancestorId, descendantType, descendantId) {
+    return this.rows.some((row) => row.ancestorType === ancestorType && row.ancestorId === ancestorId && row.descendantType === descendantType && row.descendantId === descendantId);
+  }
+  dispose() {
+    this.rows = [];
+  }
+}
+// src/auth/db-closure-store.ts
+import { sql as sql2 } from "@vertz/db/sql";
+
+// src/auth/db-types.ts
+function boolVal(db, value) {
+  return db._internals.dialect.name === "sqlite" ? value ? 1 : 0 : value;
+}
+function assertWrite(result, context) {
+  if (!result.ok) {
+    throw new Error(`Auth DB write failed (${context}): ${result.error.message}`);
+  }
+}
+
+// src/auth/db-closure-store.ts
+var MAX_DEPTH2 = 4;
+
+class DbClosureStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async addResource(type, id, parent) {
+    const selfId = crypto.randomUUID();
+    const selfResult = await this.db.query(sql2`INSERT INTO auth_closure (id, ancestor_type, ancestor_id, descendant_type, descendant_id, depth)
+          VALUES (${selfId}, ${type}, ${id}, ${type}, ${id}, ${0})
+          ON CONFLICT DO NOTHING`);
+    assertWrite(selfResult, "addResource/self");
+    if (parent) {
+      const parentAncestors = await this.getAncestors(parent.parentType, parent.parentId);
+      const maxParentDepth = Math.max(...parentAncestors.map((a) => a.depth), 0);
+      if (maxParentDepth + 1 >= MAX_DEPTH2) {
+        throw new Error("Hierarchy depth exceeds maximum of 4 levels");
+      }
+      for (const ancestor of parentAncestors) {
+        const rowId = crypto.randomUUID();
+        const ancestorResult = await this.db.query(sql2`INSERT INTO auth_closure (id, ancestor_type, ancestor_id, descendant_type, descendant_id, depth)
+              VALUES (${rowId}, ${ancestor.type}, ${ancestor.id}, ${type}, ${id}, ${ancestor.depth + 1})
+              ON CONFLICT DO NOTHING`);
+        assertWrite(ancestorResult, "addResource/ancestor");
+      }
+    }
+  }
+  async removeResource(type, id) {
+    const descendants = await this.getDescendants(type, id);
+    for (const desc of descendants) {
+      const delResult = await this.db.query(sql2`DELETE FROM auth_closure WHERE (descendant_type = ${desc.type} AND descendant_id = ${desc.id}) OR (ancestor_type = ${desc.type} AND ancestor_id = ${desc.id})`);
+      assertWrite(delResult, "removeResource");
+    }
+  }
+  async getAncestors(type, id) {
+    const result = await this.db.query(sql2`SELECT ancestor_type, ancestor_id, depth FROM auth_closure WHERE descendant_type = ${type} AND descendant_id = ${id}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => ({
+      type: r.ancestor_type,
+      id: r.ancestor_id,
+      depth: r.depth
+    }));
+  }
+  async getDescendants(type, id) {
+    const result = await this.db.query(sql2`SELECT descendant_type, descendant_id, depth FROM auth_closure WHERE ancestor_type = ${type} AND ancestor_id = ${id}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => ({
+      type: r.descendant_type,
+      id: r.descendant_id,
+      depth: r.depth
+    }));
+  }
+  async hasPath(ancestorType, ancestorId, descendantType, descendantId) {
+    const result = await this.db.query(sql2`SELECT COUNT(*) as cnt FROM auth_closure WHERE ancestor_type = ${ancestorType} AND ancestor_id = ${ancestorId} AND descendant_type = ${descendantType} AND descendant_id = ${descendantId}`);
+    if (!result.ok)
+      return false;
+    return (result.data.rows[0]?.cnt ?? 0) > 0;
+  }
+  dispose() {}
+}
+// src/auth/db-flag-store.ts
+import { sql as sql3 } from "@vertz/db/sql";
+class DbFlagStore {
+  db;
+  cache = new Map;
+  constructor(db) {
+    this.db = db;
+  }
+  async loadFlags() {
+    const result = await this.db.query(sql3`SELECT tenant_id, flag, enabled FROM auth_flags`);
+    if (!result.ok)
+      return;
+    this.cache.clear();
+    for (const row of result.data.rows) {
+      let orgFlags = this.cache.get(row.tenant_id);
+      if (!orgFlags) {
+        orgFlags = new Map;
+        this.cache.set(row.tenant_id, orgFlags);
+      }
+      orgFlags.set(row.flag, row.enabled === 1 || row.enabled === true);
+    }
+  }
+  setFlag(orgId, flag, enabled) {
+    let orgFlags = this.cache.get(orgId);
+    if (!orgFlags) {
+      orgFlags = new Map;
+      this.cache.set(orgId, orgFlags);
+    }
+    orgFlags.set(flag, enabled);
+    const id = crypto.randomUUID();
+    const val = boolVal(this.db, enabled);
+    this.db.query(sql3`INSERT INTO auth_flags (id, tenant_id, flag, enabled) VALUES (${id}, ${orgId}, ${flag}, ${val})
+          ON CONFLICT(tenant_id, flag) DO UPDATE SET enabled = ${val}`).then((result) => {
+      if (!result.ok) {
+        console.error("[DbFlagStore] Failed to persist flag:", result.error);
+      }
+    });
+  }
+  getFlag(orgId, flag) {
+    return this.cache.get(orgId)?.get(flag) ?? false;
+  }
+  getFlags(orgId) {
+    const orgFlags = this.cache.get(orgId);
+    if (!orgFlags)
+      return {};
+    const result = {};
+    for (const [key, value] of orgFlags) {
+      result[key] = value;
+    }
+    return result;
+  }
+}
+// src/auth/db-oauth-account-store.ts
+import { sql as sql4 } from "@vertz/db/sql";
+class DbOAuthAccountStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async linkAccount(userId, provider, providerId, email) {
+    const id = crypto.randomUUID();
+    const now = new Date().toISOString();
+    const emailValue = email ?? null;
+    const result = await this.db.query(sql4`INSERT INTO auth_oauth_accounts (id, user_id, provider, provider_id, email, created_at)
+          VALUES (${id}, ${userId}, ${provider}, ${providerId}, ${emailValue}, ${now})
+          ON CONFLICT DO NOTHING`);
+    assertWrite(result, "linkAccount");
+  }
+  async findByProviderAccount(provider, providerId) {
+    const result = await this.db.query(sql4`SELECT user_id FROM auth_oauth_accounts WHERE provider = ${provider} AND provider_id = ${providerId}`);
+    if (!result.ok || result.data.rows.length === 0)
+      return null;
+    return result.data.rows[0]?.user_id ?? null;
+  }
+  async findByUserId(userId) {
+    const result = await this.db.query(sql4`SELECT provider, provider_id FROM auth_oauth_accounts WHERE user_id = ${userId}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => ({
+      provider: r.provider,
+      providerId: r.provider_id
+    }));
+  }
+  async unlinkAccount(userId, provider) {
+    const result = await this.db.query(sql4`DELETE FROM auth_oauth_accounts WHERE user_id = ${userId} AND provider = ${provider}`);
+    assertWrite(result, "unlinkAccount");
+  }
+  dispose() {}
+}
+// src/auth/db-role-assignment-store.ts
+import { sql as sql5 } from "@vertz/db/sql";
+class DbRoleAssignmentStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async assign(userId, resourceType, resourceId, role) {
+    const id = crypto.randomUUID();
+    const now = new Date().toISOString();
+    const result = await this.db.query(sql5`INSERT INTO auth_role_assignments (id, user_id, resource_type, resource_id, role, created_at)
+          VALUES (${id}, ${userId}, ${resourceType}, ${resourceId}, ${role}, ${now})
+          ON CONFLICT DO NOTHING`);
+    assertWrite(result, "assign");
+  }
+  async revoke(userId, resourceType, resourceId, role) {
+    const result = await this.db.query(sql5`DELETE FROM auth_role_assignments WHERE user_id = ${userId} AND resource_type = ${resourceType} AND resource_id = ${resourceId} AND role = ${role}`);
+    assertWrite(result, "revoke");
+  }
+  async getRoles(userId, resourceType, resourceId) {
+    const result = await this.db.query(sql5`SELECT role FROM auth_role_assignments WHERE user_id = ${userId} AND resource_type = ${resourceType} AND resource_id = ${resourceId}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => r.role);
+  }
+  async getRolesForUser(userId) {
+    const result = await this.db.query(sql5`SELECT user_id, resource_type, resource_id, role FROM auth_role_assignments WHERE user_id = ${userId}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => ({
+      userId: r.user_id,
+      resourceType: r.resource_type,
+      resourceId: r.resource_id,
+      role: r.role
+    }));
+  }
+  async getEffectiveRole(userId, resourceType, resourceId, accessDef, closureStore) {
+    const rolesForType = accessDef.roles[resourceType];
+    if (!rolesForType || rolesForType.length === 0)
+      return null;
+    const candidateRoles = [];
+    const directRoles = await this.getRoles(userId, resourceType, resourceId);
+    candidateRoles.push(...directRoles);
+    const ancestors = await closureStore.getAncestors(resourceType, resourceId);
+    for (const ancestor of ancestors) {
+      if (ancestor.depth === 0)
+        continue;
+      const ancestorRoles = await this.getRoles(userId, ancestor.type, ancestor.id);
+      for (const ancestorRole of ancestorRoles) {
+        const inheritedRole = resolveInheritedRole(ancestor.type, ancestorRole, resourceType, accessDef);
+        if (inheritedRole) {
+          candidateRoles.push(inheritedRole);
+        }
+      }
+    }
+    if (candidateRoles.length === 0)
+      return null;
+    const roleOrder = [...rolesForType];
+    let bestIndex = roleOrder.length;
+    for (const role of candidateRoles) {
+      const idx = roleOrder.indexOf(role);
+      if (idx !== -1 && idx < bestIndex) {
+        bestIndex = idx;
+      }
+    }
+    return bestIndex < roleOrder.length ? roleOrder[bestIndex] : null;
+  }
+  dispose() {}
+}
+// src/auth/db-session-store.ts
+import { sql as sql6 } from "@vertz/db/sql";
+class DbSessionStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async createSessionWithId(id, data) {
+    const now = new Date;
+    const tokensJson = data.currentTokens ? JSON.stringify(data.currentTokens) : null;
+    const result = await this.db.query(sql6`INSERT INTO auth_sessions (id, user_id, refresh_token_hash, previous_refresh_hash, current_tokens, ip_address, user_agent, created_at, last_active_at, expires_at, revoked_at)
+          VALUES (${id}, ${data.userId}, ${data.refreshTokenHash}, ${null}, ${tokensJson}, ${data.ipAddress}, ${data.userAgent}, ${now.toISOString()}, ${now.toISOString()}, ${data.expiresAt.toISOString()}, ${null})`);
+    assertWrite(result, "createSessionWithId");
+    return {
+      id,
+      userId: data.userId,
+      refreshTokenHash: data.refreshTokenHash,
+      previousRefreshHash: null,
+      ipAddress: data.ipAddress,
+      userAgent: data.userAgent,
+      createdAt: now,
+      lastActiveAt: now,
+      expiresAt: data.expiresAt,
+      revokedAt: null
+    };
+  }
+  async findByRefreshHash(hash) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.auth_sessions.get({
+      where: {
+        refreshTokenHash: hash,
+        revokedAt: null,
+        expiresAt: { gt: nowStr }
+      }
+    });
+    if (!result.ok)
+      return null;
+    const row = result.data;
+    if (!row)
+      return null;
+    return this.recordToSession(row);
+  }
+  async findActiveSessionById(id) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.auth_sessions.get({
+      where: {
+        id,
+        revokedAt: null,
+        expiresAt: { gt: nowStr }
+      }
+    });
+    if (!result.ok)
+      return null;
+    const row = result.data;
+    if (!row)
+      return null;
+    return this.recordToSession(row);
+  }
+  async findByPreviousRefreshHash(hash) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.auth_sessions.get({
+      where: {
+        previousRefreshHash: hash,
+        revokedAt: null,
+        expiresAt: { gt: nowStr }
+      }
+    });
+    if (!result.ok)
+      return null;
+    const row = result.data;
+    if (!row)
+      return null;
+    return this.recordToSession(row);
+  }
+  async revokeSession(id) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.query(sql6`UPDATE auth_sessions SET revoked_at = ${nowStr}, current_tokens = ${null} WHERE id = ${id}`);
+    assertWrite(result, "revokeSession");
+  }
+  async listActiveSessions(userId) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.query(sql6`SELECT * FROM auth_sessions WHERE user_id = ${userId} AND revoked_at IS NULL AND expires_at > ${nowStr}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((row) => this.rowToSession(row));
+  }
+  async countActiveSessions(userId) {
+    const nowStr = new Date().toISOString();
+    const result = await this.db.query(sql6`SELECT COUNT(*) as cnt FROM auth_sessions WHERE user_id = ${userId} AND revoked_at IS NULL AND expires_at > ${nowStr}`);
+    if (!result.ok)
+      return 0;
+    return result.data.rows[0]?.cnt ?? 0;
+  }
+  async getCurrentTokens(sessionId) {
+    const result = await this.db.query(sql6`SELECT current_tokens FROM auth_sessions WHERE id = ${sessionId} LIMIT 1`);
+    if (!result.ok)
+      return null;
+    const row = result.data.rows[0];
+    if (!row?.current_tokens)
+      return null;
+    try {
+      return JSON.parse(row.current_tokens);
+    } catch {
+      return null;
+    }
+  }
+  async updateSession(id, data) {
+    const tokensJson = data.currentTokens ? JSON.stringify(data.currentTokens) : null;
+    const result = await this.db.query(sql6`UPDATE auth_sessions SET refresh_token_hash = ${data.refreshTokenHash}, previous_refresh_hash = ${data.previousRefreshHash}, last_active_at = ${data.lastActiveAt.toISOString()}, current_tokens = ${tokensJson} WHERE id = ${id}`);
+    assertWrite(result, "updateSession");
+  }
+  dispose() {}
+  rowToSession(row) {
+    return {
+      id: row.id,
+      userId: row.user_id,
+      refreshTokenHash: row.refresh_token_hash,
+      previousRefreshHash: row.previous_refresh_hash,
+      ipAddress: row.ip_address,
+      userAgent: row.user_agent,
+      createdAt: new Date(row.created_at),
+      lastActiveAt: new Date(row.last_active_at),
+      expiresAt: new Date(row.expires_at),
+      revokedAt: row.revoked_at ? new Date(row.revoked_at) : null
+    };
   }
-  async hasPath(ancestorType, ancestorId, descendantType, descendantId) {
-    return this.rows.some((row) => row.ancestorType === ancestorType && row.ancestorId === ancestorId && row.descendantType === descendantType && row.descendantId === descendantId);
+  recordToSession(rec) {
+    return {
+      id: rec.id,
+      userId: rec.userId,
+      refreshTokenHash: rec.refreshTokenHash,
+      previousRefreshHash: rec.previousRefreshHash,
+      ipAddress: rec.ipAddress,
+      userAgent: rec.userAgent,
+      createdAt: new Date(rec.createdAt),
+      lastActiveAt: new Date(rec.lastActiveAt),
+      expiresAt: new Date(rec.expiresAt),
+      revokedAt: rec.revokedAt ? new Date(rec.revokedAt) : null
+    };
   }
-  dispose() {
-    this.rows = [];
+}
+// src/auth/db-subscription-store.ts
+import { sql as sql7 } from "@vertz/db/sql";
+class DbSubscriptionStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async assign(tenantId, planId, startedAt = new Date, expiresAt = null) {
+    await this.db.transaction(async (tx) => {
+      const id = crypto.randomUUID();
+      const startedAtIso = startedAt.toISOString();
+      const expiresAtIso = expiresAt ? expiresAt.toISOString() : null;
+      const upsertResult = await tx.query(sql7`INSERT INTO auth_plans (id, tenant_id, plan_id, started_at, expires_at)
+            VALUES (${id}, ${tenantId}, ${planId}, ${startedAtIso}, ${expiresAtIso})
+            ON CONFLICT(tenant_id) DO UPDATE SET plan_id = ${planId}, started_at = ${startedAtIso}, expires_at = ${expiresAtIso}`);
+      assertWrite(upsertResult, "assign/upsert");
+      const overrideResult = await tx.query(sql7`DELETE FROM auth_overrides WHERE tenant_id = ${tenantId}`);
+      assertWrite(overrideResult, "assign/clearOverrides");
+    });
+  }
+  async get(tenantId) {
+    const result = await this.db.query(sql7`SELECT tenant_id, plan_id, started_at, expires_at FROM auth_plans WHERE tenant_id = ${tenantId}`);
+    if (!result.ok)
+      return null;
+    const row = result.data.rows[0];
+    if (!row)
+      return null;
+    const overrides = await this.loadOverrides(tenantId);
+    return {
+      tenantId: row.tenant_id,
+      planId: row.plan_id,
+      startedAt: new Date(row.started_at),
+      expiresAt: row.expires_at ? new Date(row.expires_at) : null,
+      overrides
+    };
+  }
+  async updateOverrides(tenantId, overrides) {
+    const planResult = await this.db.query(sql7`SELECT tenant_id FROM auth_plans WHERE tenant_id = ${tenantId}`);
+    if (!planResult.ok || planResult.data.rows.length === 0)
+      return;
+    await this.db.transaction(async (tx) => {
+      const existing = await this.loadOverrides(tenantId);
+      const merged = { ...existing, ...overrides };
+      const overridesJson = JSON.stringify(merged);
+      const now = new Date().toISOString();
+      const overrideResult = await tx.query(sql7`SELECT tenant_id FROM auth_overrides WHERE tenant_id = ${tenantId}`);
+      if (overrideResult.ok && overrideResult.data.rows.length > 0) {
+        const updateResult = await tx.query(sql7`UPDATE auth_overrides SET overrides = ${overridesJson}, updated_at = ${now} WHERE tenant_id = ${tenantId}`);
+        assertWrite(updateResult, "updateOverrides/update");
+      } else {
+        const id = crypto.randomUUID();
+        const insertResult = await tx.query(sql7`INSERT INTO auth_overrides (id, tenant_id, overrides, updated_at)
+              VALUES (${id}, ${tenantId}, ${overridesJson}, ${now})`);
+        assertWrite(insertResult, "updateOverrides/insert");
+      }
+    });
+  }
+  async remove(tenantId) {
+    await this.db.transaction(async (tx) => {
+      const planResult = await tx.query(sql7`DELETE FROM auth_plans WHERE tenant_id = ${tenantId}`);
+      assertWrite(planResult, "remove/plans");
+      const overrideResult = await tx.query(sql7`DELETE FROM auth_overrides WHERE tenant_id = ${tenantId}`);
+      assertWrite(overrideResult, "remove/overrides");
+    });
+  }
+  async attachAddOn(tenantId, addOnId) {
+    const id = crypto.randomUUID();
+    const now = new Date().toISOString();
+    const result = await this.db.query(sql7`INSERT INTO auth_plan_addons (id, tenant_id, addon_id, quantity, created_at)
+          VALUES (${id}, ${tenantId}, ${addOnId}, ${1}, ${now})
+          ON CONFLICT(tenant_id, addon_id) DO NOTHING`);
+    assertWrite(result, "attachAddOn");
+  }
+  async detachAddOn(tenantId, addOnId) {
+    const result = await this.db.query(sql7`DELETE FROM auth_plan_addons WHERE tenant_id = ${tenantId} AND addon_id = ${addOnId}`);
+    assertWrite(result, "detachAddOn");
+  }
+  async getAddOns(tenantId) {
+    const result = await this.db.query(sql7`SELECT addon_id FROM auth_plan_addons WHERE tenant_id = ${tenantId}`);
+    if (!result.ok)
+      return [];
+    return result.data.rows.map((r) => r.addon_id);
+  }
+  dispose() {}
+  async loadOverrides(tenantId) {
+    const result = await this.db.query(sql7`SELECT overrides FROM auth_overrides WHERE tenant_id = ${tenantId}`);
+    if (!result.ok || result.data.rows.length === 0)
+      return {};
+    try {
+      const overridesStr = result.data.rows[0]?.overrides;
+      if (!overridesStr)
+        return {};
+      return JSON.parse(overridesStr);
+    } catch {
+      return {};
+    }
+  }
+}
+// src/auth/db-user-store.ts
+import { sql as sql8 } from "@vertz/db/sql";
+class DbUserStore {
+  db;
+  constructor(db) {
+    this.db = db;
+  }
+  async createUser(user, passwordHash) {
+    const result = await this.db.query(sql8`INSERT INTO auth_users (id, email, password_hash, role, email_verified, created_at, updated_at)
+          VALUES (${user.id}, ${user.email.toLowerCase()}, ${passwordHash}, ${user.role}, ${boolVal(this.db, user.emailVerified ?? false)}, ${user.createdAt.toISOString()}, ${user.updatedAt.toISOString()})`);
+    assertWrite(result, "createUser");
+  }
+  async findByEmail(email) {
+    const result = await this.db.query(sql8`SELECT * FROM auth_users WHERE email = ${email.toLowerCase()} LIMIT 1`);
+    if (!result.ok)
+      return null;
+    const row = result.data.rows[0];
+    if (!row)
+      return null;
+    return {
+      user: this.rowToUser(row),
+      passwordHash: row.password_hash
+    };
+  }
+  async findById(id) {
+    const result = await this.db.query(sql8`SELECT * FROM auth_users WHERE id = ${id} LIMIT 1`);
+    if (!result.ok)
+      return null;
+    const row = result.data.rows[0];
+    if (!row)
+      return null;
+    return this.rowToUser(row);
+  }
+  async updatePasswordHash(userId, passwordHash) {
+    const result = await this.db.query(sql8`UPDATE auth_users SET password_hash = ${passwordHash}, updated_at = ${new Date().toISOString()} WHERE id = ${userId}`);
+    assertWrite(result, "updatePasswordHash");
+  }
+  async updateEmailVerified(userId, verified) {
+    const val = boolVal(this.db, verified);
+    const result = await this.db.query(sql8`UPDATE auth_users SET email_verified = ${val}, updated_at = ${new Date().toISOString()} WHERE id = ${userId}`);
+    assertWrite(result, "updateEmailVerified");
+  }
+  async deleteUser(id) {
+    const result = await this.db.query(sql8`DELETE FROM auth_users WHERE id = ${id}`);
+    assertWrite(result, "deleteUser");
+  }
+  rowToUser(row) {
+    return {
+      id: row.id,
+      email: row.email,
+      role: row.role,
+      emailVerified: row.email_verified === 1 || row.email_verified === true,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at)
+    };
   }
 }
 // src/auth/define-access.ts
 function defineAccess(input) {
-  if (input.hierarchy.length === 0) {
-    throw new Error("Hierarchy must have at least one resource type");
+  const { entities, entitlements: rawEntitlements } = input;
+  for (const [entityName, entityDef] of Object.entries(entities)) {
+    const roleSet = new Set;
+    for (const role of entityDef.roles) {
+      if (roleSet.has(role)) {
+        throw new Error(`Duplicate role '${role}' in entity '${entityName}'`);
+      }
+      roleSet.add(role);
+    }
+  }
+  const parentToChildren = new Map;
+  const childToParent = new Map;
+  const inheritanceMap = {};
+  for (const [entityName, entityDef] of Object.entries(entities)) {
+    if (!entityDef.inherits)
+      continue;
+    const parentEntities = new Set;
+    for (const [inheritKey, localRole] of Object.entries(entityDef.inherits)) {
+      const colonIdx = inheritKey.indexOf(":");
+      if (colonIdx === -1) {
+        throw new Error(`Invalid inherits key '${inheritKey}' in entity '${entityName}' — expected format 'entity:role'`);
+      }
+      const parentEntityName2 = inheritKey.substring(0, colonIdx);
+      const parentRoleName = inheritKey.substring(colonIdx + 1);
+      if (parentEntityName2 === entityName) {
+        throw new Error(`Entity '${entityName}' cannot inherit from itself`);
+      }
+      if (!(parentEntityName2 in entities)) {
+        throw new Error(`Entity '${parentEntityName2}' in ${entityName}.inherits is not defined`);
+      }
+      const parentEntity = entities[parentEntityName2];
+      if (!parentEntity.roles.includes(parentRoleName)) {
+        throw new Error(`Role '${parentRoleName}' does not exist on entity '${parentEntityName2}'`);
+      }
+      if (!entityDef.roles.includes(localRole)) {
+        throw new Error(`Role '${localRole}' does not exist on entity '${entityName}'`);
+      }
+      parentEntities.add(parentEntityName2);
+      if (!inheritanceMap[parentEntityName2]) {
+        inheritanceMap[parentEntityName2] = {};
+      }
+      inheritanceMap[parentEntityName2][parentRoleName] = localRole;
+    }
+    if (parentEntities.size > 1) {
+      throw new Error(`Entity '${entityName}' inherits from multiple parents (${[...parentEntities].join(", ")}). Each entity can only inherit from one parent.`);
+    }
+    const parentEntityName = [...parentEntities][0];
+    if (parentEntityName) {
+      if (!parentToChildren.has(parentEntityName)) {
+        parentToChildren.set(parentEntityName, new Set);
+      }
+      parentToChildren.get(parentEntityName).add(entityName);
+      if (childToParent.has(entityName)) {
+        throw new Error(`Entity '${entityName}' inherits from multiple parents`);
+      }
+      childToParent.set(entityName, parentEntityName);
+    }
   }
-  if (input.hierarchy.length > 4) {
+  detectCycles(childToParent);
+  const hierarchy = inferHierarchy(entities, childToParent, parentToChildren);
+  if (hierarchy.length > 4) {
     throw new Error("Hierarchy depth must not exceed 4 levels");
   }
-  const hierarchySet = new Set(input.hierarchy);
-  for (const resourceType of Object.keys(input.roles)) {
-    if (!hierarchySet.has(resourceType)) {
-      throw new Error(`Roles reference unknown resource type: ${resourceType}`);
+  const resolvedEntitlements = {};
+  const ruleContext = createRuleContext();
+  for (const [entName, entValue] of Object.entries(rawEntitlements)) {
+    const colonIdx = entName.indexOf(":");
+    if (colonIdx === -1) {
+      throw new Error(`Entitlement '${entName}' must use format 'entity:action'`);
     }
+    const entityPrefix = entName.substring(0, colonIdx);
+    if (!(entityPrefix in entities)) {
+      throw new Error(`Entitlement '${entName}' references undefined entity '${entityPrefix}'`);
+    }
+    let entDef;
+    if (typeof entValue === "function") {
+      entDef = entValue(ruleContext);
+    } else {
+      entDef = entValue;
+    }
+    const entityRoles = entities[entityPrefix].roles;
+    for (const role of entDef.roles) {
+      if (!entityRoles.includes(role)) {
+        throw new Error(`Role '${role}' in '${entName}' does not exist on entity '${entityPrefix}'`);
+      }
+    }
+    resolvedEntitlements[entName] = entDef;
   }
-  const inheritance = input.inheritance ?? {};
-  for (const [resourceType, mapping] of Object.entries(inheritance)) {
-    if (!hierarchySet.has(resourceType)) {
-      throw new Error(`Inheritance references unknown resource type: ${resourceType}`);
+  const entitlementSet = new Set(Object.keys(resolvedEntitlements));
+  const entityNameSet = new Set(Object.keys(entities));
+  if (input.plans) {
+    for (const [planName, planDef] of Object.entries(input.plans)) {
+      if (planDef.features) {
+        for (const feature of planDef.features) {
+          if (!entitlementSet.has(feature)) {
+            throw new Error(`Plan '${planName}' feature '${feature}' is not a defined entitlement`);
+          }
+        }
+      }
+      if (planDef.limits) {
+        for (const [limitKey, limitDef] of Object.entries(planDef.limits)) {
+          if (!entitlementSet.has(limitDef.gates)) {
+            throw new Error(`Limit '${limitKey}' gates '${limitDef.gates}' which is not defined`);
+          }
+          if (limitDef.scope && !entityNameSet.has(limitDef.scope)) {
+            throw new Error(`Limit '${limitKey}' scope '${limitDef.scope}' is not a defined entity`);
+          }
+          if (limitDef.max < -1 || limitDef.max < 0 && limitDef.max !== -1) {
+            throw new Error(`Limit '${limitKey}' max must be -1 (unlimited), 0 (disabled), or a positive integer, got ${limitDef.max}`);
+          }
+          if (!Number.isInteger(limitDef.max)) {
+            throw new Error(`Limit '${limitKey}' max must be -1 (unlimited), 0 (disabled), or a positive integer, got ${limitDef.max}`);
+          }
+        }
+      }
+      if (planDef.addOn) {
+        if (planDef.group) {
+          throw new Error(`Add-on '${planName}' must not have a group`);
+        }
+      } else {
+        if (!planDef.group) {
+          throw new Error(`Base plan '${planName}' must have a group`);
+        }
+        if (planDef.requires) {
+          throw new Error(`Plan '${planName}': 'requires' is only valid on add-on plans`);
+        }
+      }
+      if (planDef.addOn && planDef.requires) {
+        for (const reqPlan of planDef.requires.plans) {
+          if (!input.plans[reqPlan]) {
+            throw new Error(`Add-on '${planName}' requires plan '${reqPlan}' is not defined`);
+          }
+        }
+      }
     }
-    const parentRoles = new Set(input.roles[resourceType] ?? []);
-    const hierarchyIdx = input.hierarchy.indexOf(resourceType);
-    const childType = input.hierarchy[hierarchyIdx + 1];
-    const childRoles = childType ? new Set(input.roles[childType] ?? []) : new Set;
-    for (const [parentRole, childRole] of Object.entries(mapping)) {
-      if (!parentRoles.has(parentRole)) {
-        throw new Error(`Inheritance for ${resourceType} references undefined role: ${parentRole}`);
+    if (input.defaultPlan) {
+      const defaultPlanDef = input.plans[input.defaultPlan];
+      if (defaultPlanDef?.addOn) {
+        throw new Error(`defaultPlan '${input.defaultPlan}' is an add-on, not a base plan`);
       }
-      if (!childRoles.has(childRole)) {
-        throw new Error(`Inheritance for ${resourceType} maps to undefined child role: ${childRole}`);
+    }
+    const basePlanLimitKeys = new Set;
+    for (const [, planDef] of Object.entries(input.plans)) {
+      if (!planDef.addOn && planDef.limits) {
+        for (const limitKey of Object.keys(planDef.limits)) {
+          basePlanLimitKeys.add(limitKey);
+        }
       }
     }
-  }
-  const planNameSet = new Set(Object.keys(input.plans ?? {}));
-  for (const [entName, entDef] of Object.entries(input.entitlements)) {
-    if (entDef.plans) {
-      for (const planRef of entDef.plans) {
-        if (!planNameSet.has(planRef)) {
-          throw new Error(`Entitlement "${entName}" references unknown plan: ${planRef}`);
+    for (const [, planDef] of Object.entries(input.plans)) {
+      if (planDef.addOn && planDef.limits) {
+        for (const limitKey of Object.keys(planDef.limits)) {
+          if (!basePlanLimitKeys.has(limitKey)) {
+            throw new Error(`Add-on limit '${limitKey}' not defined in any base plan`);
+          }
         }
       }
     }
   }
-  const entitlementSet = new Set(Object.keys(input.entitlements));
+  const planGatedEntitlements = new Set;
+  const entitlementToLimitKeys = {};
   if (input.plans) {
-    for (const [planName, planDef] of Object.entries(input.plans)) {
-      const planEntitlementSet = new Set(planDef.entitlements);
-      for (const ent of planDef.entitlements) {
-        if (!entitlementSet.has(ent)) {
-          throw new Error(`Plan "${planName}" references unknown entitlement: ${ent}`);
+    for (const [, planDef] of Object.entries(input.plans)) {
+      if (planDef.features) {
+        for (const feature of planDef.features) {
+          planGatedEntitlements.add(feature);
         }
       }
       if (planDef.limits) {
-        for (const limitKey of Object.keys(planDef.limits)) {
-          if (!planEntitlementSet.has(limitKey)) {
-            throw new Error(`Plan "${planName}" has limit for "${limitKey}" which is not in the plan's entitlements`);
+        for (const [limitKey, limitDef] of Object.entries(planDef.limits)) {
+          if (!entitlementToLimitKeys[limitDef.gates]) {
+            entitlementToLimitKeys[limitDef.gates] = [];
+          }
+          if (!entitlementToLimitKeys[limitDef.gates].includes(limitKey)) {
+            entitlementToLimitKeys[limitDef.gates].push(limitKey);
           }
         }
       }
     }
   }
+  const rolesMap = {};
+  for (const [entityName, entityDef] of Object.entries(entities)) {
+    rolesMap[entityName] = Object.freeze([...entityDef.roles]);
+  }
   const config = {
-    hierarchy: Object.freeze([...input.hierarchy]),
-    roles: Object.freeze(Object.fromEntries(Object.entries(input.roles).map(([k, v]) => [k, Object.freeze([...v])]))),
-    inheritance: Object.freeze(Object.fromEntries(Object.entries(input.inheritance ?? {}).map(([k, v]) => [k, Object.freeze({ ...v })]))),
-    entitlements: Object.freeze(Object.fromEntries(Object.entries(input.entitlements).map(([k, v]) => [k, Object.freeze({ ...v })]))),
+    hierarchy: Object.freeze([...hierarchy]),
+    entities: Object.freeze(Object.fromEntries(Object.entries(entities).map(([k, v]) => [
+      k,
+      Object.freeze({
+        roles: Object.freeze([...v.roles]),
+        ...v.inherits ? { inherits: Object.freeze({ ...v.inherits }) } : {}
+      })
+    ]))),
+    roles: Object.freeze(rolesMap),
+    inheritance: Object.freeze(Object.fromEntries(Object.entries(inheritanceMap).map(([k, v]) => [k, Object.freeze({ ...v })]))),
+    entitlements: Object.freeze(Object.fromEntries(Object.entries(resolvedEntitlements).map(([k, v]) => [k, Object.freeze({ ...v })]))),
+    _planGatedEntitlements: Object.freeze(planGatedEntitlements),
+    _entitlementToLimitKeys: Object.freeze(Object.fromEntries(Object.entries(entitlementToLimitKeys).map(([k, v]) => [k, Object.freeze([...v])]))),
     ...input.defaultPlan ? { defaultPlan: input.defaultPlan } : {},
     ...input.plans ? {
       plans: Object.freeze(Object.fromEntries(Object.entries(input.plans).map(([planName, planDef]) => [
         planName,
         Object.freeze({
-          entitlements: Object.freeze([...planDef.entitlements]),
+          ...planDef.title ? { title: planDef.title } : {},
+          ...planDef.description ? { description: planDef.description } : {},
+          ...planDef.group ? { group: planDef.group } : {},
+          ...planDef.addOn ? { addOn: planDef.addOn } : {},
+          ...planDef.price ? { price: Object.freeze({ ...planDef.price }) } : {},
+          ...planDef.features ? { features: Object.freeze([...planDef.features]) } : {},
           ...planDef.limits ? {
             limits: Object.freeze(Object.fromEntries(Object.entries(planDef.limits).map(([k, v]) => [
               k,
               Object.freeze({ ...v })
             ])))
+          } : {},
+          ...planDef.grandfathering ? { grandfathering: Object.freeze({ ...planDef.grandfathering }) } : {},
+          ...planDef.requires ? {
+            requires: Object.freeze({
+              group: planDef.requires.group,
+              plans: Object.freeze([...planDef.requires.plans])
+            })
           } : {}
         })
       ])))
@@ -1761,6 +3361,79 @@ function defineAccess(input) {
   };
   return Object.freeze(config);
 }
+function inferHierarchy(entities, childToParent, parentToChildren) {
+  const inInheritance = new Set;
+  for (const [child, parent] of childToParent.entries()) {
+    inInheritance.add(child);
+    inInheritance.add(parent);
+  }
+  if (inInheritance.size === 0) {
+    return Object.keys(entities);
+  }
+  const roots = [];
+  for (const entity of inInheritance) {
+    if (!childToParent.has(entity)) {
+      roots.push(entity);
+    }
+  }
+  const hierarchy = [];
+  const visited = new Set;
+  function walkChain(entity) {
+    if (visited.has(entity))
+      return;
+    visited.add(entity);
+    hierarchy.push(entity);
+    const children = parentToChildren.get(entity);
+    if (children) {
+      for (const child of children) {
+        walkChain(child);
+      }
+    }
+  }
+  for (const root of roots) {
+    walkChain(root);
+  }
+  for (const entityName of Object.keys(entities)) {
+    if (!visited.has(entityName)) {
+      hierarchy.push(entityName);
+    }
+  }
+  return hierarchy;
+}
+function detectCycles(childToParent) {
+  const visited = new Set;
+  const inPath = new Set;
+  for (const entity of childToParent.keys()) {
+    if (!visited.has(entity)) {
+      walkForCycles(entity, childToParent, visited, inPath);
+    }
+  }
+}
+function walkForCycles(entity, childToParent, visited, inPath) {
+  if (inPath.has(entity)) {
+    throw new Error("Circular inheritance detected");
+  }
+  if (visited.has(entity))
+    return;
+  inPath.add(entity);
+  const parent = childToParent.get(entity);
+  if (parent) {
+    walkForCycles(parent, childToParent, visited, inPath);
+  }
+  inPath.delete(entity);
+  visited.add(entity);
+}
+function createRuleContext() {
+  return {
+    where(conditions) {
+      return { type: "where", conditions: Object.freeze({ ...conditions }) };
+    },
+    user: {
+      id: Object.freeze({ __marker: "user.id" }),
+      tenantId: Object.freeze({ __marker: "user.tenantId" })
+    }
+  };
+}
 // src/auth/entity-access.ts
 async function computeEntityAccess(entitlements, entity, accessContext) {
   const results = {};
@@ -1775,23 +3448,23 @@ async function computeEntityAccess(entitlements, entity, accessContext) {
 // src/auth/flag-store.ts
 class InMemoryFlagStore {
   flags = new Map;
-  setFlag(orgId, flag, enabled) {
-    let orgFlags = this.flags.get(orgId);
-    if (!orgFlags) {
-      orgFlags = new Map;
-      this.flags.set(orgId, orgFlags);
+  setFlag(tenantId, flag, enabled) {
+    let tenantFlags = this.flags.get(tenantId);
+    if (!tenantFlags) {
+      tenantFlags = new Map;
+      this.flags.set(tenantId, tenantFlags);
     }
-    orgFlags.set(flag, enabled);
+    tenantFlags.set(flag, enabled);
   }
-  getFlag(orgId, flag) {
-    return this.flags.get(orgId)?.get(flag) ?? false;
+  getFlag(tenantId, flag) {
+    return this.flags.get(tenantId)?.get(flag) ?? false;
   }
-  getFlags(orgId) {
-    const orgFlags = this.flags.get(orgId);
-    if (!orgFlags)
+  getFlags(tenantId) {
+    const tenantFlags = this.flags.get(tenantId);
+    if (!tenantFlags)
       return {};
     const result = {};
-    for (const [key, value] of orgFlags) {
+    for (const [key, value] of tenantFlags) {
       result[key] = value;
     }
     return result;
@@ -1804,6 +3477,385 @@ function checkFva(payload, maxAgeSeconds) {
   const now = Math.floor(Date.now() / 1000);
   return now - payload.fva < maxAgeSeconds;
 }
+// src/auth/grandfathering-store.ts
+class InMemoryGrandfatheringStore {
+  states = new Map;
+  async setGrandfathered(tenantId, planId, version, graceEnds) {
+    this.states.set(`${tenantId}:${planId}`, { tenantId, planId, version, graceEnds });
+  }
+  async getGrandfathered(tenantId, planId) {
+    return this.states.get(`${tenantId}:${planId}`) ?? null;
+  }
+  async listGrandfathered(planId) {
+    const result = [];
+    for (const state of this.states.values()) {
+      if (state.planId === planId) {
+        result.push(state);
+      }
+    }
+    return result;
+  }
+  async removeGrandfathered(tenantId, planId) {
+    this.states.delete(`${tenantId}:${planId}`);
+  }
+  dispose() {
+    this.states.clear();
+  }
+}
+// src/auth/override-store.ts
+class InMemoryOverrideStore {
+  overrides = new Map;
+  async set(tenantId, overrides) {
+    const existing = this.overrides.get(tenantId) ?? {};
+    if (overrides.features) {
+      const featureSet = new Set(existing.features ?? []);
+      for (const f of overrides.features) {
+        featureSet.add(f);
+      }
+      existing.features = [...featureSet];
+    }
+    if (overrides.limits) {
+      existing.limits = { ...existing.limits, ...overrides.limits };
+    }
+    this.overrides.set(tenantId, existing);
+  }
+  async remove(tenantId, keys) {
+    const existing = this.overrides.get(tenantId);
+    if (!existing)
+      return;
+    if (keys.features && existing.features) {
+      const removeSet = new Set(keys.features);
+      existing.features = existing.features.filter((f) => !removeSet.has(f));
+      if (existing.features.length === 0) {
+        delete existing.features;
+      }
+    }
+    if (keys.limits && existing.limits) {
+      for (const key of keys.limits) {
+        delete existing.limits[key];
+      }
+      if (Object.keys(existing.limits).length === 0) {
+        delete existing.limits;
+      }
+    }
+    if (!existing.features && !existing.limits) {
+      this.overrides.delete(tenantId);
+    }
+  }
+  async get(tenantId) {
+    return this.overrides.get(tenantId) ?? null;
+  }
+  dispose() {
+    this.overrides.clear();
+  }
+}
+function validateOverrides(accessDef, overrides) {
+  const allLimitKeys = new Set;
+  if (accessDef.plans) {
+    for (const planDef of Object.values(accessDef.plans)) {
+      if (planDef.limits) {
+        for (const key of Object.keys(planDef.limits)) {
+          allLimitKeys.add(key);
+        }
+      }
+    }
+  }
+  if (overrides.limits) {
+    for (const [key, limitDef] of Object.entries(overrides.limits)) {
+      if (!allLimitKeys.has(key)) {
+        throw new Error(`Override limit key '${key}' is not defined in any plan`);
+      }
+      if (limitDef.max !== undefined) {
+        if (limitDef.max < -1) {
+          throw new Error(`Override limit '${key}' max must be -1 (unlimited), 0 (disabled), or a positive integer, got ${limitDef.max}`);
+        }
+      }
+      if (limitDef.add !== undefined) {
+        if (!Number.isFinite(limitDef.add)) {
+          throw new Error(`Override limit '${key}' add must be a finite integer, got ${limitDef.add}`);
+        }
+        if (!Number.isInteger(limitDef.add)) {
+          throw new Error(`Override limit '${key}' add must be an integer, got ${limitDef.add}`);
+        }
+      }
+    }
+  }
+  if (overrides.features) {
+    for (const feature of overrides.features) {
+      if (!accessDef.entitlements[feature]) {
+        throw new Error(`Override feature '${feature}' is not a defined entitlement`);
+      }
+    }
+  }
+}
+// src/auth/plan-hash.ts
+async function computePlanHash(config) {
+  const canonical = {
+    features: config.features ?? [],
+    limits: config.limits ?? {},
+    price: config.price ?? null
+  };
+  const json = JSON.stringify(canonical, sortedReplacer);
+  return sha256Hex(json);
+}
+function sortedReplacer(_key, value) {
+  if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+    const sorted = {};
+    for (const k of Object.keys(value).sort()) {
+      sorted[k] = value[k];
+    }
+    return sorted;
+  }
+  return value;
+}
+// src/auth/plan-manager.ts
+var GRACE_DURATION_MS = {
+  "1m": 30 * 24 * 60 * 60 * 1000,
+  "3m": 90 * 24 * 60 * 60 * 1000,
+  "6m": 180 * 24 * 60 * 60 * 1000,
+  "12m": 365 * 24 * 60 * 60 * 1000
+};
+function resolveGraceEnd(planDef, now) {
+  const grace = planDef.grandfathering?.grace;
+  if (grace === "indefinite")
+    return null;
+  if (grace && GRACE_DURATION_MS[grace]) {
+    return new Date(now.getTime() + GRACE_DURATION_MS[grace]);
+  }
+  const interval = planDef.price?.interval;
+  if (interval === "year") {
+    return new Date(now.getTime() + GRACE_DURATION_MS["3m"]);
+  }
+  return new Date(now.getTime() + GRACE_DURATION_MS["1m"]);
+}
+function createPlanManager(config) {
+  const { plans, versionStore, grandfatheringStore, subscriptionStore } = config;
+  const clock = config.clock ?? (() => new Date);
+  const handlers = [];
+  function emit(event) {
+    for (const handler of handlers) {
+      handler(event);
+    }
+  }
+  function extractSnapshot(planDef) {
+    return {
+      features: planDef.features ? [...planDef.features] : [],
+      limits: planDef.limits ? { ...planDef.limits } : {},
+      price: planDef.price ? { ...planDef.price } : null
+    };
+  }
+  async function initialize() {
+    const now = clock();
+    for (const [planId, planDef] of Object.entries(plans)) {
+      if (planDef.addOn)
+        continue;
+      const snapshot = extractSnapshot(planDef);
+      const hash = await computePlanHash(snapshot);
+      const currentHash = await versionStore.getCurrentHash(planId);
+      if (currentHash === hash)
+        continue;
+      const version = await versionStore.createVersion(planId, hash, snapshot);
+      const currentVersion = version;
+      emit({
+        type: "plan:version_created",
+        planId,
+        version,
+        currentVersion,
+        timestamp: now
+      });
+      if (version > 1) {
+        const grandfatheredTenants = await listTenantsOnPlan(planId);
+        const graceEnds = resolveGraceEnd(planDef, now);
+        for (const tenantId of grandfatheredTenants) {
+          const tenantVersion = await versionStore.getTenantVersion(tenantId, planId);
+          if (tenantVersion !== null && tenantVersion < version) {
+            await grandfatheringStore.setGrandfathered(tenantId, planId, tenantVersion, graceEnds);
+          }
+        }
+      }
+    }
+  }
+  async function listTenantsOnPlan(planId) {
+    if (subscriptionStore.listByPlan) {
+      return subscriptionStore.listByPlan(planId);
+    }
+    return [];
+  }
+  async function migrate(planId, opts) {
+    const now = clock();
+    const currentVersion = await versionStore.getCurrentVersion(planId);
+    if (currentVersion === null)
+      return;
+    if (opts?.tenantId) {
+      await migrateTenant(opts.tenantId, planId, currentVersion, now);
+      return;
+    }
+    const grandfatheredList = await grandfatheringStore.listGrandfathered(planId);
+    for (const state of grandfatheredList) {
+      if (state.graceEnds === null)
+        continue;
+      if (state.graceEnds.getTime() <= now.getTime()) {
+        await migrateTenant(state.tenantId, planId, currentVersion, now);
+      }
+    }
+  }
+  async function migrateTenant(tenantId, planId, targetVersion, now) {
+    const previousVersion = await versionStore.getTenantVersion(tenantId, planId);
+    if (previousVersion !== null) {
+      const prevInfo = await versionStore.getVersion(planId, previousVersion);
+      const targetInfo = await versionStore.getVersion(planId, targetVersion);
+      if (prevInfo && targetInfo) {
+        const prevFeatures = new Set(prevInfo.snapshot.features);
+        const targetFeatures = new Set(targetInfo.snapshot.features);
+        for (const f of prevFeatures) {
+          if (!targetFeatures.has(f)) {
+            break;
+          }
+        }
+      }
+    }
+    await versionStore.setTenantVersion(tenantId, planId, targetVersion);
+    await grandfatheringStore.removeGrandfathered(tenantId, planId);
+    emit({
+      type: "plan:migrated",
+      planId,
+      tenantId,
+      version: targetVersion,
+      previousVersion: previousVersion ?? undefined,
+      timestamp: now
+    });
+  }
+  async function schedule(planId, opts) {
+    const at = typeof opts.at === "string" ? new Date(opts.at) : opts.at;
+    const grandfatheredList = await grandfatheringStore.listGrandfathered(planId);
+    for (const state of grandfatheredList) {
+      await grandfatheringStore.setGrandfathered(state.tenantId, planId, state.version, at);
+    }
+  }
+  async function resolve(tenantId) {
+    const subscription = await subscriptionStore.get(tenantId);
+    if (!subscription)
+      return null;
+    const planId = subscription.planId;
+    const currentVersion = await versionStore.getCurrentVersion(planId);
+    if (currentVersion === null)
+      return null;
+    const tenantVersion = await versionStore.getTenantVersion(tenantId, planId);
+    const effectiveVersion = tenantVersion ?? currentVersion;
+    const grandfatheringState = await grandfatheringStore.getGrandfathered(tenantId, planId);
+    const versionInfo = await versionStore.getVersion(planId, effectiveVersion);
+    if (!versionInfo)
+      return null;
+    return {
+      planId,
+      version: effectiveVersion,
+      currentVersion,
+      grandfathered: grandfatheringState !== null,
+      graceEnds: grandfatheringState?.graceEnds ?? null,
+      snapshot: versionInfo.snapshot
+    };
+  }
+  async function grandfatheredFn(planId) {
+    return grandfatheringStore.listGrandfathered(planId);
+  }
+  const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;
+  const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
+  async function checkGraceEvents() {
+    const now = clock();
+    for (const planId of Object.keys(plans)) {
+      const grandfatheredList = await grandfatheringStore.listGrandfathered(planId);
+      for (const state of grandfatheredList) {
+        if (state.graceEnds === null)
+          continue;
+        const timeUntilGraceEnd = state.graceEnds.getTime() - now.getTime();
+        if (timeUntilGraceEnd <= SEVEN_DAYS_MS && timeUntilGraceEnd > 0) {
+          emit({
+            type: "plan:grace_expiring",
+            planId,
+            tenantId: state.tenantId,
+            version: state.version,
+            graceEnds: state.graceEnds,
+            timestamp: now
+          });
+        } else if (timeUntilGraceEnd <= THIRTY_DAYS_MS && timeUntilGraceEnd > SEVEN_DAYS_MS) {
+          emit({
+            type: "plan:grace_approaching",
+            planId,
+            tenantId: state.tenantId,
+            version: state.version,
+            graceEnds: state.graceEnds,
+            timestamp: now
+          });
+        }
+      }
+    }
+  }
+  function on(handler) {
+    handlers.push(handler);
+  }
+  function off(handler) {
+    const idx = handlers.indexOf(handler);
+    if (idx >= 0)
+      handlers.splice(idx, 1);
+  }
+  return {
+    initialize,
+    migrate,
+    schedule,
+    resolve,
+    grandfathered: grandfatheredFn,
+    checkGraceEvents,
+    on,
+    off
+  };
+}
+// src/auth/plan-version-store.ts
+class InMemoryPlanVersionStore {
+  versions = new Map;
+  tenantVersions = new Map;
+  async createVersion(planId, hash, snapshot) {
+    const planVersions = this.versions.get(planId) ?? [];
+    const version = planVersions.length + 1;
+    const info = {
+      planId,
+      version,
+      hash,
+      snapshot,
+      createdAt: new Date
+    };
+    planVersions.push(info);
+    this.versions.set(planId, planVersions);
+    return version;
+  }
+  async getCurrentVersion(planId) {
+    const planVersions = this.versions.get(planId);
+    if (!planVersions || planVersions.length === 0)
+      return null;
+    return planVersions.length;
+  }
+  async getVersion(planId, version) {
+    const planVersions = this.versions.get(planId);
+    if (!planVersions)
+      return null;
+    return planVersions[version - 1] ?? null;
+  }
+  async getTenantVersion(tenantId, planId) {
+    return this.tenantVersions.get(`${tenantId}:${planId}`) ?? null;
+  }
+  async setTenantVersion(tenantId, planId, version) {
+    this.tenantVersions.set(`${tenantId}:${planId}`, version);
+  }
+  async getCurrentHash(planId) {
+    const planVersions = this.versions.get(planId);
+    if (!planVersions || planVersions.length === 0)
+      return null;
+    return planVersions[planVersions.length - 1].hash;
+  }
+  dispose() {
+    this.versions.clear();
+    this.tenantVersions.clear();
+  }
+}
 // src/auth/providers/discord.ts
 var AUTHORIZATION_URL = "https://discord.com/api/oauth2/authorize";
 var TOKEN_URL = "https://discord.com/api/oauth2/token";
@@ -1862,8 +3914,7 @@ function discord(config) {
         providerId: data.id,
         email: data.email ?? "",
         emailVerified: data.verified ?? false,
-        name: data.global_name ?? data.username,
-        avatarUrl: data.avatar ? `https://cdn.discordapp.com/avatars/${data.id}/${data.avatar}.png` : undefined
+        raw: data
       };
     }
   };
@@ -1905,6 +3956,9 @@ function github(config) {
         })
       });
       const data = await response.json();
+      if (data.error) {
+        throw new Error(`GitHub token exchange failed: ${data.error} — ${data.error_description}`);
+      }
       return {
         accessToken: data.access_token
       };
@@ -1933,8 +3987,7 @@ function github(config) {
         providerId: String(userData.id),
         email: email?.email ?? "",
         emailVerified: email?.verified ?? false,
-        name: userData.name,
-        avatarUrl: userData.avatar_url
+        raw: userData
       };
     }
   };
@@ -2006,8 +4059,7 @@ function google(config) {
         providerId: payload.sub,
         email: payload.email,
         emailVerified: payload.email_verified,
-        name: payload.name,
-        avatarUrl: payload.picture
+        raw: payload
       };
     }
   };
@@ -2043,7 +4095,7 @@ class InMemoryRoleAssignmentStore {
         continue;
       const ancestorRoles = await this.getRoles(userId, ancestor.type, ancestor.id);
       for (const ancestorRole of ancestorRoles) {
-        const inheritedRole = resolveInheritedRole2(ancestor.type, ancestorRole, resourceType, accessDef);
+        const inheritedRole = resolveInheritedRole(ancestor.type, ancestorRole, resourceType, accessDef);
         if (inheritedRole) {
           candidateRoles.push(inheritedRole);
         }
@@ -2065,28 +4117,13 @@ class InMemoryRoleAssignmentStore {
     this.assignments = [];
   }
 }
-function resolveInheritedRole2(sourceType, sourceRole, targetType, accessDef) {
-  const hierarchy = accessDef.hierarchy;
-  const sourceIdx = hierarchy.indexOf(sourceType);
-  const targetIdx = hierarchy.indexOf(targetType);
-  if (sourceIdx === -1 || targetIdx === -1 || sourceIdx >= targetIdx)
-    return null;
-  let currentRole = sourceRole;
-  for (let i = sourceIdx;i < targetIdx; i++) {
-    const currentType = hierarchy[i];
-    const inheritanceMap = accessDef.inheritance[currentType];
-    if (!inheritanceMap || !(currentRole in inheritanceMap))
-      return null;
-    currentRole = inheritanceMap[currentRole];
-  }
-  return currentRole;
-}
 // src/auth/rules.ts
 var userMarkers = {
   id: Object.freeze({ __marker: "user.id" }),
   tenantId: Object.freeze({ __marker: "user.tenantId" })
 };
 var rules = {
+  public: Object.freeze({ type: "public" }),
   role(...roleNames) {
     return { type: "role", roles: Object.freeze([...roleNames]) };
   },
@@ -2113,13 +4150,13 @@ var rules = {
 // src/auth/wallet-store.ts
 class InMemoryWalletStore {
   entries = new Map;
-  key(orgId, entitlement, periodStart) {
-    return `${orgId}:${entitlement}:${periodStart.getTime()}`;
+  key(tenantId, entitlement, periodStart) {
+    return `${tenantId}:${entitlement}:${periodStart.getTime()}`;
   }
-  async consume(orgId, entitlement, periodStart, periodEnd, limit, amount = 1) {
-    const k = this.key(orgId, entitlement, periodStart);
+  async consume(tenantId, entitlement, periodStart, periodEnd, limit, amount = 1) {
+    const k = this.key(tenantId, entitlement, periodStart);
     if (!this.entries.has(k)) {
-      this.entries.set(k, { orgId, entitlement, periodStart, periodEnd, consumed: 0 });
+      this.entries.set(k, { tenantId, entitlement, periodStart, periodEnd, consumed: 0 });
     }
     const entry = this.entries.get(k);
     if (entry.consumed + amount > limit) {
@@ -2138,15 +4175,15 @@ class InMemoryWalletStore {
       remaining: limit - entry.consumed
     };
   }
-  async unconsume(orgId, entitlement, periodStart, _periodEnd, amount = 1) {
-    const k = this.key(orgId, entitlement, periodStart);
+  async unconsume(tenantId, entitlement, periodStart, _periodEnd, amount = 1) {
+    const k = this.key(tenantId, entitlement, periodStart);
     const entry = this.entries.get(k);
     if (!entry)
       return;
     entry.consumed = Math.max(0, entry.consumed - amount);
   }
-  async getConsumption(orgId, entitlement, periodStart, _periodEnd) {
-    const k = this.key(orgId, entitlement, periodStart);
+  async getConsumption(tenantId, entitlement, periodStart, _periodEnd) {
+    const k = this.key(tenantId, entitlement, periodStart);
     const entry = this.entries.get(k);
     return entry?.consumed ?? 0;
   }
@@ -2185,7 +4222,12 @@ function createAuth(config) {
   if (session.strategy !== "jwt") {
     throw new Error(`Session strategy "${session.strategy}" is not yet supported. Use "jwt".`);
   }
-  const cookieConfig = { ...DEFAULT_COOKIE_CONFIG, ...session.cookie };
+  const ttlSeconds = Math.floor(parseDuration(session.ttl) / 1000);
+  const cookieConfig = {
+    ...DEFAULT_COOKIE_CONFIG,
+    maxAge: ttlSeconds,
+    ...session.cookie
+  };
   const refreshName = session.refreshName ?? "vertz.ref";
   const refreshTtlMs = parseDuration(session.refreshTtl ?? "7d");
   const refreshMaxAge = Math.floor(refreshTtlMs / 1000);
@@ -2198,7 +4240,7 @@ function createAuth(config) {
   if (!isProduction && cookieConfig.secure === false) {
     console.warn("Cookie 'secure' flag is disabled. This is allowed in development but must be enabled in production.");
   }
-  const ttlMs = parseDuration(session.ttl);
+  const ttlMs = ttlSeconds * 1000;
   const DUMMY_HASH = "$2a$12$000000000000000000000uGWDREoC/y2KhZ5l2QkI4j0LpDjWcaq";
   const sessionStore = config.sessionStore ?? new InMemorySessionStore;
   const userStore = config.userStore ?? new InMemoryUserStore;
@@ -2228,6 +4270,9 @@ function createAuth(config) {
   const passwordResetTtlMs = parseDuration(passwordResetConfig?.tokenTtl ?? "1h");
   const revokeSessionsOnReset = passwordResetConfig?.revokeSessionsOnReset ?? true;
   const passwordResetStore = config.passwordResetStore ?? (passwordResetEnabled ? new InMemoryPasswordResetStore : undefined);
+  const tenantConfig = config.tenant;
+  const onUserCreated = config.onUserCreated;
+  const entityProxy = config._entityProxy ?? {};
   const rateLimitStore = config.rateLimitStore ?? new InMemoryRateLimitStore;
   const signInWindowMs = parseDuration(emailPassword?.rateLimit?.window || "15m");
   const signUpWindowMs = parseDuration("1h");
@@ -2237,6 +4282,7 @@ function createAuth(config) {
     const expiresAt = new Date(Date.now() + ttlMs);
     const userClaims = claims ? claims(user) : {};
     const fvaClaim = options?.fva !== undefined ? { fva: options.fva } : {};
+    const tenantClaim = options?.tenantId ? { tenantId: options.tenantId } : {};
     let aclClaim = {};
     if (config.access) {
       const accessSet = await computeAccessSet({
@@ -2245,7 +4291,8 @@ function createAuth(config) {
         roleStore: config.access.roleStore,
         closureStore: config.access.closureStore,
         flagStore: config.access.flagStore,
-        plan: user.plan ?? null
+        subscriptionStore: config.access?.subscriptionStore,
+        tenantId: null
       });
       const encoded = encodeAccessSet(accessSet);
       const canonicalJson = JSON.stringify(encoded);
@@ -2265,6 +4312,7 @@ function createAuth(config) {
     const jwt = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, () => ({
       ...userClaims,
       ...fvaClaim,
+      ...tenantClaim,
       ...aclClaim,
       jti,
       sid: sessionId
@@ -2280,16 +4328,24 @@ function createAuth(config) {
       sid: sessionId,
       claims: userClaims || undefined,
       ...options?.fva !== undefined ? { fva: options.fva } : {},
+      ...options?.tenantId ? { tenantId: options.tenantId } : {},
       ...aclClaim
     };
     return { jwt, refreshToken, payload, expiresAt };
   }
+  const FORGOT_PASSWORD_MIN_RESPONSE_MS = 15;
   function generateToken() {
     const bytes = crypto.getRandomValues(new Uint8Array(32));
     return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
   }
+  async function waitForMinimumDuration(startedAt, minDurationMs) {
+    const remaining = minDurationMs - (Date.now() - startedAt);
+    if (remaining > 0) {
+      await new Promise((resolve) => setTimeout(resolve, remaining));
+    }
+  }
   async function signUp(data, ctx) {
-    const { email, password, role = "user", ...additionalFields } = data;
+    const { email, password, ...additionalFields } = data;
     if (!email || !email.includes("@")) {
       return err(createAuthValidationError2("Invalid email format", "email", "INVALID_FORMAT"));
     }
@@ -2311,18 +4367,37 @@ function createAuth(config) {
       id: _id,
       createdAt: _c,
       updatedAt: _u,
+      role: _role,
+      emailVerified: _emailVerified,
       ...safeFields
     } = additionalFields;
     const user = {
-      ...safeFields,
       id: crypto.randomUUID(),
       email: email.toLowerCase(),
-      role,
+      role: "user",
       emailVerified: !emailVerificationEnabled,
       createdAt: now,
       updatedAt: now
     };
     await userStore.createUser(user, passwordHash);
+    if (onUserCreated) {
+      const callbackCtx = { entities: entityProxy };
+      const payload = {
+        user,
+        provider: null,
+        signUpData: { ...safeFields }
+      };
+      try {
+        await onUserCreated(payload, callbackCtx);
+      } catch (callbackErr) {
+        try {
+          await userStore.deleteUser(user.id);
+        } catch (rollbackErr) {
+          console.error("[Auth] Failed to rollback user after onUserCreated failure:", rollbackErr);
+        }
+        return err(createAuthValidationError2("User setup failed", "general", "CALLBACK_FAILED"));
+      }
+    }
     if (emailVerificationEnabled && emailVerificationStore && emailVerificationConfig?.onSend) {
       const token = generateToken();
       const tokenHash = await sha256Hex(token);
@@ -2414,6 +4489,10 @@ function createAuth(config) {
     if (!payload) {
       return ok(null);
     }
+    const storedSession = await sessionStore.findActiveSessionById(payload.sid);
+    if (!storedSession || storedSession.userId !== payload.sub) {
+      return ok(null);
+    }
     const user = await userStore.findById(payload.sub);
     if (!user) {
       return ok(null);
@@ -2496,16 +4575,16 @@ function createAuth(config) {
     }
     const currentSid = sessionResult.data.payload.sid;
     const sessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
-    const infos = sessions.map((s) => ({
-      id: s.id,
-      userId: s.userId,
-      ipAddress: s.ipAddress,
-      userAgent: s.userAgent,
-      deviceName: parseDeviceName(s.userAgent),
-      createdAt: s.createdAt,
-      lastActiveAt: s.lastActiveAt,
-      expiresAt: s.expiresAt,
-      isCurrent: s.id === currentSid
+    const infos = sessions.map((s2) => ({
+      id: s2.id,
+      userId: s2.userId,
+      ipAddress: s2.ipAddress,
+      userAgent: s2.userAgent,
+      deviceName: parseDeviceName(s2.userAgent),
+      createdAt: s2.createdAt,
+      lastActiveAt: s2.lastActiveAt,
+      expiresAt: s2.expiresAt,
+      isCurrent: s2.id === currentSid
     }));
     return ok(infos);
   }
@@ -2517,7 +4596,7 @@ function createAuth(config) {
       return err(createSessionExpiredError("Not authenticated"));
     }
     const targetSessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
-    const target = targetSessions.find((s) => s.id === sessionId);
+    const target = targetSessions.find((s2) => s2.id === sessionId);
     if (!target) {
       return err(createSessionNotFoundError("Session not found"));
     }
@@ -2533,9 +4612,9 @@ function createAuth(config) {
     }
     const currentSid = sessionResult.data.payload.sid;
     const sessions = await sessionStore.listActiveSessions(sessionResult.data.user.id);
-    for (const s of sessions) {
-      if (s.id !== currentSid) {
-        await sessionStore.revokeSession(s.id);
+    for (const s2 of sessions) {
+      if (s2.id !== currentSid) {
+        await sessionStore.revokeSession(s2.id);
       }
     }
     return ok(undefined);
@@ -2568,6 +4647,32 @@ function createAuth(config) {
       "Referrer-Policy": "strict-origin-when-cross-origin"
     };
   }
+  function authValidationResponse(message) {
+    return new Response(JSON.stringify({
+      error: {
+        code: "AUTH_VALIDATION_ERROR",
+        message
+      }
+    }), {
+      status: 400,
+      headers: { "Content-Type": "application/json", ...securityHeaders() }
+    });
+  }
+  async function parseJsonAuthBody(request, schema) {
+    try {
+      const body = await parseBody(request);
+      const result = schema.safeParse(body);
+      if (!result.ok) {
+        return { ok: false, response: authValidationResponse(result.error.message) };
+      }
+      return { ok: true, data: result.data };
+    } catch (error) {
+      if (error instanceof BadRequestException) {
+        return { ok: false, response: authValidationResponse(error.message) };
+      }
+      throw error;
+    }
+  }
   async function handleAuthRequest(request) {
     const url = new URL(request.url);
     const path = url.pathname.replace("/api/auth", "") || "/";
@@ -2611,7 +4716,11 @@ function createAuth(config) {
     }
     try {
       if (method === "POST" && path === "/signup") {
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, signUpInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const result = await signUp(body, { headers: request.headers });
         if (!result.ok) {
           return new Response(JSON.stringify({ error: result.error }), {
@@ -2636,7 +4745,11 @@ function createAuth(config) {
         });
       }
       if (method === "POST" && path === "/signin") {
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, signInInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const result = await signIn(body, { headers: request.headers });
         if (!result.ok) {
           if (result.error.code === "MFA_REQUIRED" && oauthEncryptionKey) {
@@ -2725,7 +4838,8 @@ function createAuth(config) {
           roleStore: config.access.roleStore,
           closureStore: config.access.closureStore,
           flagStore: config.access.flagStore,
-          plan: sessionResult.data.user.plan ?? null
+          subscriptionStore: config.access?.subscriptionStore,
+          tenantId: sessionResult.data.payload?.tenantId ?? null
         });
         const encoded = encodeAccessSet(accessSet);
         const hashPayload = {
@@ -2741,8 +4855,9 @@ function createAuth(config) {
             status: 304,
             headers: {
               ETag: quotedEtag,
+              Vary: "Cookie",
               ...securityHeaders(),
-              "Cache-Control": "no-cache"
+              "Cache-Control": "private, no-cache"
             }
           });
         }
@@ -2751,8 +4866,9 @@ function createAuth(config) {
           headers: {
             "Content-Type": "application/json",
             ETag: quotedEtag,
+            Vary: "Cookie",
             ...securityHeaders(),
-            "Cache-Control": "no-cache"
+            "Cache-Control": "private, no-cache"
           }
         });
       }
@@ -2826,6 +4942,17 @@ function createAuth(config) {
           headers: { "Content-Type": "application/json", ...securityHeaders() }
         });
       }
+      if (method === "GET" && path === "/providers") {
+        const providerList = Array.from(providers.values()).map((p) => ({
+          id: p.id,
+          name: p.name,
+          authUrl: `/api/auth/oauth/${p.id}`
+        }));
+        return new Response(JSON.stringify(providerList), {
+          status: 200,
+          headers: { "Content-Type": "application/json", ...securityHeaders() }
+        });
+      }
       if (method === "GET" && path.startsWith("/oauth/") && !path.includes("/callback")) {
         const providerId = path.replace("/oauth/", "");
         const provider = providers.get(providerId);
@@ -2872,12 +4999,17 @@ function createAuth(config) {
       if (method === "GET" && path.includes("/oauth/") && path.endsWith("/callback")) {
         const providerId = path.replace("/oauth/", "").replace("/callback", "");
         const provider = providers.get(providerId);
-        const errorRedirect = oauthErrorRedirect;
+        const isAbsoluteUrl = /^https?:\/\//.test(oauthErrorRedirect);
+        const errorUrl = (error) => {
+          const url2 = new URL(oauthErrorRedirect, "http://localhost");
+          url2.searchParams.set("error", error);
+          return isAbsoluteUrl ? url2.toString() : url2.pathname + url2.search + url2.hash;
+        };
         if (!provider || !oauthEncryptionKey || !oauthAccountStore) {
           return new Response(null, {
             status: 302,
             headers: {
-              Location: `${errorRedirect}?error=provider_not_configured`,
+              Location: errorUrl("provider_not_configured"),
               ...securityHeaders()
             }
           });
@@ -2888,7 +5020,7 @@ function createAuth(config) {
           return new Response(null, {
             status: 302,
             headers: {
-              Location: `${errorRedirect}?error=invalid_state`,
+              Location: errorUrl("invalid_state"),
               ...securityHeaders()
             }
           });
@@ -2898,7 +5030,7 @@ function createAuth(config) {
           return new Response(null, {
             status: 302,
             headers: {
-              Location: `${errorRedirect}?error=invalid_state`,
+              Location: errorUrl("invalid_state"),
               ...securityHeaders()
             }
           });
@@ -2909,7 +5041,7 @@ function createAuth(config) {
         const providerError = url.searchParams.get("error");
         if (providerError) {
           const headers = new Headers({
-            Location: `${errorRedirect}?error=${encodeURIComponent(providerError)}`,
+            Location: errorUrl(providerError),
             ...securityHeaders()
           });
           headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
@@ -2917,7 +5049,7 @@ function createAuth(config) {
         }
         if (stateData.state !== queryState || stateData.provider !== providerId) {
           const headers = new Headers({
-            Location: `${errorRedirect}?error=invalid_state`,
+            Location: errorUrl("invalid_state"),
             ...securityHeaders()
           });
           headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
@@ -2925,7 +5057,7 @@ function createAuth(config) {
         }
         if (stateData.expiresAt < Date.now()) {
           const headers = new Headers({
-            Location: `${errorRedirect}?error=invalid_state`,
+            Location: errorUrl("invalid_state"),
             ...securityHeaders()
           });
           headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
@@ -2952,7 +5084,7 @@ function createAuth(config) {
             if (!userId) {
               if (!userInfo.email || !userInfo.email.includes("@")) {
                 const headers = new Headers({
-                  Location: `${errorRedirect}?error=email_required`,
+                  Location: errorUrl("email_required"),
                   ...securityHeaders()
                 });
                 headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
@@ -2962,6 +5094,7 @@ function createAuth(config) {
               const newUser = {
                 id: crypto.randomUUID(),
                 email: userInfo.email.toLowerCase(),
+                emailVerified: userInfo.emailVerified,
                 role: "user",
                 createdAt: now,
                 updatedAt: now
@@ -2969,6 +5102,34 @@ function createAuth(config) {
               await userStore.createUser(newUser, null);
               userId = newUser.id;
               await oauthAccountStore.linkAccount(userId, provider.id, userInfo.providerId, userInfo.email);
+              if (onUserCreated) {
+                const callbackCtx = { entities: entityProxy };
+                const payload = {
+                  user: newUser,
+                  provider: { id: provider.id, name: provider.name },
+                  profile: userInfo.raw
+                };
+                try {
+                  await onUserCreated(payload, callbackCtx);
+                } catch {
+                  try {
+                    await oauthAccountStore.unlinkAccount(userId, provider.id);
+                  } catch (rollbackErr) {
+                    console.error("[Auth] Failed to unlink OAuth account during rollback:", rollbackErr);
+                  }
+                  try {
+                    await userStore.deleteUser(userId);
+                  } catch (rollbackErr) {
+                    console.error("[Auth] Failed to delete user during rollback:", rollbackErr);
+                  }
+                  const headers = new Headers({
+                    Location: errorUrl("user_setup_failed"),
+                    ...securityHeaders()
+                  });
+                  headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
+                  return new Response(null, { status: 302, headers });
+                }
+              }
             }
           }
           const user = await userStore.findById(userId);
@@ -2976,7 +5137,7 @@ function createAuth(config) {
             return new Response(null, {
               status: 302,
               headers: {
-                Location: `${errorRedirect}?error=user_info_failed`,
+                Location: errorUrl("user_info_failed"),
                 ...securityHeaders()
               }
             });
@@ -2997,9 +5158,10 @@ function createAuth(config) {
           responseHeaders.append("Set-Cookie", buildSessionCookie(sessionTokens.jwt, cookieConfig));
           responseHeaders.append("Set-Cookie", buildRefreshCookie(sessionTokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
           return new Response(null, { status: 302, headers: responseHeaders });
-        } catch {
+        } catch (oauthErr) {
+          console.error("[Auth] OAuth callback error:", oauthErr);
           const headers = new Headers({
-            Location: `${errorRedirect}?error=token_exchange_failed`,
+            Location: errorUrl("token_exchange_failed"),
             ...securityHeaders()
           });
           headers.append("Set-Cookie", buildOAuthStateCookie("", cookieConfig, true));
@@ -3049,7 +5211,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, codeInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const userId = challengeData.userId;
         const encryptedSecret = await mfaStore.getSecret(userId);
         if (!encryptedSecret) {
@@ -3169,7 +5335,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, codeInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const valid = await verifyTotpCode(pendingEntry.secret, body.code);
         if (!valid) {
           return new Response(JSON.stringify({ error: createMfaInvalidCodeError() }), {
@@ -3203,7 +5373,11 @@ function createAuth(config) {
           });
         }
         const userId = sessionResult.data.user.id;
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, passwordInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const stored = await userStore.findByEmail(sessionResult.data.user.email);
         if (!stored || !stored.passwordHash) {
           return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
@@ -3238,7 +5412,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, passwordInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const stored = await userStore.findByEmail(sessionResult.data.user.email);
         if (!stored || !stored.passwordHash) {
           return new Response(JSON.stringify({ error: createInvalidCredentialsError() }), {
@@ -3325,7 +5503,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, codeInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         const valid = await verifyTotpCode(totpSecret, body.code);
         if (!valid) {
           return new Response(JSON.stringify({ error: createMfaInvalidCodeError() }), {
@@ -3369,7 +5551,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, tokenInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         if (!body.token) {
           return new Response(JSON.stringify({ error: createTokenInvalidError("Token is required") }), {
             status: 400,
@@ -3448,25 +5634,32 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, forgotPasswordInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
+        const startedAt = Date.now();
         const forgotRateLimit = await rateLimitStore.check(`forgot-password:${(body.email ?? "").toLowerCase()}`, 3, parseDuration("1h"));
         if (!forgotRateLimit.allowed) {
+          await waitForMinimumDuration(startedAt, FORGOT_PASSWORD_MIN_RESPONSE_MS);
           return new Response(JSON.stringify({ ok: true }), {
             status: 200,
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
+        const token = generateToken();
+        const tokenHash = await sha256Hex(token);
         const stored = await userStore.findByEmail((body.email ?? "").toLowerCase());
         if (stored) {
-          const token = generateToken();
-          const tokenHash = await sha256Hex(token);
           await passwordResetStore.createReset({
             userId: stored.user.id,
             tokenHash,
             expiresAt: new Date(Date.now() + passwordResetTtlMs)
           });
-          await passwordResetConfig.onSend(stored.user, token);
+          passwordResetConfig.onSend(stored.user, token).catch((error) => console.error("[Auth] Failed to send password reset email", error));
         }
+        await waitForMinimumDuration(startedAt, FORGOT_PASSWORD_MIN_RESPONSE_MS);
         return new Response(JSON.stringify({ ok: true }), {
           status: 200,
           headers: { "Content-Type": "application/json", ...securityHeaders() }
@@ -3481,7 +5674,11 @@ function createAuth(config) {
             headers: { "Content-Type": "application/json", ...securityHeaders() }
           });
         }
-        const body = await request.json();
+        const bodyResult = await parseJsonAuthBody(request, resetPasswordInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const body = bodyResult.data;
         if (!body.token) {
           return new Response(JSON.stringify({ error: createTokenInvalidError("Token is required") }), {
             status: 400,
@@ -3515,8 +5712,8 @@ function createAuth(config) {
         await passwordResetStore.deleteByUserId(resetRecord.userId);
         if (revokeSessionsOnReset) {
           const activeSessions = await sessionStore.listActiveSessions(resetRecord.userId);
-          for (const s of activeSessions) {
-            await sessionStore.revokeSession(s.id);
+          for (const s2 of activeSessions) {
+            await sessionStore.revokeSession(s2.id);
           }
         }
         return new Response(JSON.stringify({ ok: true }), {
@@ -3524,6 +5721,63 @@ function createAuth(config) {
           headers: { "Content-Type": "application/json", ...securityHeaders() }
         });
       }
+      if (method === "POST" && path === "/switch-tenant") {
+        if (!tenantConfig) {
+          return new Response(JSON.stringify({ error: "Not found" }), {
+            status: 404,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const sessionResult = await getSession(request.headers);
+        if (!sessionResult.ok || !sessionResult.data) {
+          return new Response(JSON.stringify({ error: { code: "SESSION_EXPIRED", message: "Not authenticated" } }), {
+            status: 401,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const bodyResult = await parseJsonAuthBody(request, switchTenantInputSchema);
+        if (!bodyResult.ok) {
+          return bodyResult.response;
+        }
+        const { tenantId } = bodyResult.data;
+        const userId = sessionResult.data.user.id;
+        const hasMembership = await tenantConfig.verifyMembership(userId, tenantId);
+        if (!hasMembership) {
+          return new Response(JSON.stringify({
+            error: { code: "AUTH_FORBIDDEN", message: "Not a member of this tenant" }
+          }), {
+            status: 403,
+            headers: { "Content-Type": "application/json", ...securityHeaders() }
+          });
+        }
+        const currentPayload = sessionResult.data.payload;
+        const tokens = await createSessionTokens(sessionResult.data.user, currentPayload.sid, {
+          fva: currentPayload.fva,
+          tenantId
+        });
+        const refreshTokenHash = await sha256Hex(tokens.refreshToken);
+        const previousRefreshHash = (await sessionStore.findActiveSessionById(currentPayload.sid))?.refreshTokenHash ?? "";
+        await sessionStore.updateSession(currentPayload.sid, {
+          refreshTokenHash,
+          previousRefreshHash,
+          lastActiveAt: new Date,
+          currentTokens: { jwt: tokens.jwt, refreshToken: tokens.refreshToken }
+        });
+        const headers = new Headers({
+          "Content-Type": "application/json",
+          ...securityHeaders()
+        });
+        headers.append("Set-Cookie", buildSessionCookie(tokens.jwt, cookieConfig));
+        headers.append("Set-Cookie", buildRefreshCookie(tokens.refreshToken, cookieConfig, refreshName, refreshMaxAge));
+        return new Response(JSON.stringify({
+          tenantId,
+          user: sessionResult.data.user,
+          expiresAt: tokens.expiresAt.getTime()
+        }), {
+          status: 200,
+          headers
+        });
+      }
       return new Response(JSON.stringify({ error: "Not found" }), {
         status: 404,
         headers: { "Content-Type": "application/json" }
@@ -3574,9 +5828,49 @@ function createAuth(config) {
       emailVerificationStore?.dispose();
       passwordResetStore?.dispose();
       pendingMfaSecrets.clear();
+    },
+    resolveSessionForSSR: resolveSessionForSSR({
+      jwtSecret,
+      jwtAlgorithm,
+      cookieName: cookieConfig.name || "vertz.sid"
+    })
+  };
+}
+// src/content/builders.ts
+function stringDescriptor(contentType) {
+  return {
+    _kind: "content",
+    _contentType: contentType,
+    parse(value) {
+      if (typeof value === "string") {
+        return { ok: true, data: value };
+      }
+      return { ok: false, error: new Error(`Expected string, got ${typeof value}`) };
     }
   };
 }
+var content = {
+  xml: () => stringDescriptor("application/xml"),
+  html: () => stringDescriptor("text/html"),
+  text: () => stringDescriptor("text/plain"),
+  binary: () => ({
+    _kind: "content",
+    _contentType: "application/octet-stream",
+    parse(value) {
+      if (value instanceof Uint8Array) {
+        return { ok: true, data: value };
+      }
+      return {
+        ok: false,
+        error: new Error(`Expected Uint8Array, got ${typeof value}`)
+      };
+    }
+  })
+};
+// src/content/content-descriptor.ts
+function isContentDescriptor(value) {
+  return value != null && typeof value === "object" && "_kind" in value && value._kind === "content";
+}
 // src/create-server.ts
 import { createServer as coreCreateServer } from "@vertz/core";
 import {
@@ -3657,10 +5951,15 @@ function narrowRelationFields(relationsConfig, data) {
     if (config === undefined || config === true) {
       result[key] = value;
     } else if (config === false) {} else if (typeof config === "object" && value !== null && typeof value === "object") {
+      const selectMap = config.select;
+      if (!selectMap) {
+        result[key] = value;
+        continue;
+      }
       if (Array.isArray(value)) {
         result[key] = value.map((item) => {
           const narrowed = {};
-          for (const field of Object.keys(config)) {
+          for (const field of Object.keys(selectMap)) {
             if (field in item) {
               narrowed[field] = item[field];
             }
@@ -3669,7 +5968,7 @@ function narrowRelationFields(relationsConfig, data) {
         });
       } else {
         const narrowed = {};
-        for (const field of Object.keys(config)) {
+        for (const field of Object.keys(selectMap)) {
           if (field in value) {
             narrowed[field] = value[field];
           }
@@ -3722,7 +6021,138 @@ import {
 
 // src/entity/access-enforcer.ts
 import { EntityForbiddenError, err as err2, ok as ok2 } from "@vertz/errors";
-async function enforceAccess(operation, accessRules, ctx, row) {
+function deny(operation) {
+  return err2(new EntityForbiddenError(`Access denied for operation "${operation}"`));
+}
+function isUserMarker(value) {
+  return typeof value === "object" && value !== null && "__marker" in value;
+}
+function resolveMarker(marker, ctx) {
+  switch (marker.__marker) {
+    case "user.id":
+      return ctx.userId;
+    case "user.tenantId":
+      return ctx.tenantId;
+    default:
+      return;
+  }
+}
+async function evaluateRule(rule, operation, ctx, row, options) {
+  switch (rule.type) {
+    case "public":
+      return ok2(undefined);
+    case "authenticated":
+      return ctx.authenticated() ? ok2(undefined) : deny(operation);
+    case "role":
+      return ctx.role(...rule.roles) ? ok2(undefined) : deny(operation);
+    case "entitlement": {
+      if (!options.can) {
+        return deny(operation);
+      }
+      const allowed = await options.can(rule.entitlement);
+      return allowed ? ok2(undefined) : deny(operation);
+    }
+    case "where": {
+      for (const [key, expected] of Object.entries(rule.conditions)) {
+        const resolved = isUserMarker(expected) ? resolveMarker(expected, ctx) : expected;
+        if (row[key] !== resolved) {
+          return deny(operation);
+        }
+      }
+      return ok2(undefined);
+    }
+    case "all": {
+      for (const sub of rule.rules) {
+        const result = await evaluateDescriptor(sub, operation, ctx, row, options);
+        if (!result.ok)
+          return result;
+      }
+      return ok2(undefined);
+    }
+    case "any": {
+      for (const sub of rule.rules) {
+        const result = await evaluateDescriptor(sub, operation, ctx, row, options);
+        if (result.ok)
+          return result;
+      }
+      return deny(operation);
+    }
+    case "fva": {
+      if (options.fvaAge === undefined) {
+        return deny(operation);
+      }
+      return options.fvaAge <= rule.maxAge ? ok2(undefined) : deny(operation);
+    }
+  }
+}
+async function evaluateDescriptor(rule, operation, ctx, row, options) {
+  if (typeof rule === "function") {
+    const allowed = await rule(ctx, row);
+    return allowed ? ok2(undefined) : deny(operation);
+  }
+  return evaluateRule(rule, operation, ctx, row, options);
+}
+async function evaluateRuleSkipWhere(rule, operation, ctx, row, options) {
+  if (rule.type === "where") {
+    return ok2(undefined);
+  }
+  if (rule.type === "all") {
+    for (const sub of rule.rules) {
+      const result = await evaluateDescriptorSkipWhere(sub, operation, ctx, row, options);
+      if (!result.ok)
+        return result;
+    }
+    return ok2(undefined);
+  }
+  if (rule.type === "any") {
+    for (const sub of rule.rules) {
+      const result = await evaluateDescriptorSkipWhere(sub, operation, ctx, row, options);
+      if (result.ok)
+        return result;
+    }
+    return deny(operation);
+  }
+  return evaluateRule(rule, operation, ctx, row, options);
+}
+async function evaluateDescriptorSkipWhere(rule, operation, ctx, row, options) {
+  if (typeof rule === "function") {
+    const allowed = await rule(ctx, row);
+    return allowed ? ok2(undefined) : deny(operation);
+  }
+  return evaluateRuleSkipWhere(rule, operation, ctx, row, options);
+}
+function extractFromDescriptor(rule, ctx) {
+  if (typeof rule === "function")
+    return null;
+  switch (rule.type) {
+    case "where": {
+      const resolved = {};
+      for (const [key, value] of Object.entries(rule.conditions)) {
+        resolved[key] = isUserMarker(value) ? resolveMarker(value, ctx) : value;
+      }
+      return resolved;
+    }
+    case "all": {
+      let merged = null;
+      for (const sub of rule.rules) {
+        const extracted = extractFromDescriptor(sub, ctx);
+        if (extracted) {
+          merged = { ...merged ?? {}, ...extracted };
+        }
+      }
+      return merged;
+    }
+    default:
+      return null;
+  }
+}
+function extractWhereConditions(operation, accessRules, ctx) {
+  const rule = accessRules[operation];
+  if (rule === undefined || rule === false)
+    return null;
+  return extractFromDescriptor(rule, ctx);
+}
+async function enforceAccess(operation, accessRules, ctx, row, options) {
   const rule = accessRules[operation];
   if (rule === undefined) {
     return err2(new EntityForbiddenError(`Access denied: no access rule for operation "${operation}"`));
@@ -3730,11 +6160,10 @@ async function enforceAccess(operation, accessRules, ctx, row) {
   if (rule === false) {
     return err2(new EntityForbiddenError(`Operation "${operation}" is disabled`));
   }
-  const allowed = await rule(ctx, row ?? {});
-  if (!allowed) {
-    return err2(new EntityForbiddenError(`Access denied for operation "${operation}"`));
+  if (options?.skipWhere) {
+    return evaluateDescriptorSkipWhere(rule, operation, ctx, row ?? {}, options);
   }
-  return ok2(undefined);
+  return evaluateDescriptor(rule, operation, ctx, row ?? {}, options ?? {});
 }
 
 // src/entity/action-pipeline.ts
@@ -3776,6 +6205,7 @@ function createEntityContext(request, entityOps, registryProxy) {
   const tenantId = request.tenantId ?? null;
   return {
     userId,
+    tenantId,
     authenticated() {
       return userId !== null;
     },
@@ -3791,7 +6221,12 @@ function createEntityContext(request, entityOps, registryProxy) {
 }
 
 // src/entity/crud-pipeline.ts
-import { EntityNotFoundError as EntityNotFoundError2, err as err4, ok as ok4 } from "@vertz/errors";
+import {
+  EntityForbiddenError as EntityForbiddenError2,
+  EntityNotFoundError as EntityNotFoundError2,
+  err as err4,
+  ok as ok4
+} from "@vertz/errors";
 function resolvePrimaryKeyColumn(table) {
   for (const key of Object.keys(table._columns)) {
     const col = table._columns[key];
@@ -3800,20 +6235,82 @@ function resolvePrimaryKeyColumn(table) {
   }
   return "id";
 }
-function createCrudHandlers(def, db) {
+function createCrudHandlers(def, db, options) {
   const table = def.model.table;
+  const isTenantScoped = def.tenantScoped;
+  const tenantChain = options?.tenantChain ?? def.tenantChain ?? null;
+  const isIndirectlyScoped = tenantChain !== null;
+  const queryParentIds = options?.queryParentIds ?? null;
+  function notFound(id) {
+    return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+  }
+  function isSameTenant(ctx, row) {
+    if (!isTenantScoped)
+      return true;
+    if (isIndirectlyScoped)
+      return true;
+    return row.tenantId === ctx.tenantId;
+  }
+  function withTenantFilter(ctx, where) {
+    if (!isTenantScoped)
+      return where;
+    if (isIndirectlyScoped)
+      return where;
+    return { ...where, tenantId: ctx.tenantId };
+  }
+  async function resolveIndirectTenantWhere(ctx) {
+    if (!isIndirectlyScoped || !tenantChain || !queryParentIds)
+      return null;
+    if (!ctx.tenantId) {
+      return { [tenantChain.hops[0].foreignKey]: { in: [] } };
+    }
+    const { hops, tenantColumn } = tenantChain;
+    const lastHop = hops[hops.length - 1];
+    let currentIds = await queryParentIds(lastHop.tableName, { [tenantColumn]: ctx.tenantId });
+    for (let i = hops.length - 2;i >= 0; i--) {
+      if (currentIds.length === 0)
+        break;
+      const hop = hops[i];
+      const nextHop = hops[i + 1];
+      currentIds = await queryParentIds(hop.tableName, {
+        [nextHop.foreignKey]: { in: currentIds }
+      });
+    }
+    return { [hops[0].foreignKey]: { in: currentIds } };
+  }
+  async function verifyIndirectTenantOwnership(ctx, row) {
+    if (!isIndirectlyScoped || !tenantChain || !queryParentIds)
+      return true;
+    if (!ctx.tenantId)
+      return false;
+    const indirectWhere = await resolveIndirectTenantWhere(ctx);
+    if (!indirectWhere)
+      return false;
+    const firstHopFK = tenantChain.hops[0].foreignKey;
+    const allowed = indirectWhere[firstHopFK];
+    if (!allowed)
+      return false;
+    return allowed.in.includes(row[firstHopFK]);
+  }
   return {
-    async list(ctx, options) {
-      const accessResult = await enforceAccess("list", def.access, ctx);
+    async list(ctx, options2) {
+      const accessWhere = extractWhereConditions("list", def.access, ctx);
+      const accessResult = await enforceAccess("list", def.access, ctx, undefined, {
+        skipWhere: accessWhere !== null
+      });
       if (!accessResult.ok)
         return err4(accessResult.error);
-      const rawWhere = options?.where;
+      const rawWhere = options2?.where;
       const safeWhere = rawWhere ? stripHiddenFields(table, rawWhere) : undefined;
-      const where = safeWhere && Object.keys(safeWhere).length > 0 ? safeWhere : undefined;
-      const limit = Math.max(0, options?.limit ?? 20);
-      const after = options?.after && options.after.length <= 512 ? options.after : undefined;
-      const orderBy = options?.orderBy;
-      const { data: rows, total } = await db.list({ where, orderBy, limit, after });
+      const cleanWhere = safeWhere && Object.keys(safeWhere).length > 0 ? safeWhere : undefined;
+      const directWhere = withTenantFilter(ctx, { ...accessWhere, ...cleanWhere });
+      const indirectWhere = await resolveIndirectTenantWhere(ctx);
+      const where = indirectWhere ? { ...directWhere, ...indirectWhere } : directWhere;
+      const limit = Math.max(0, options2?.limit ?? 20);
+      const after = options2?.after && options2.after.length <= 512 ? options2.after : undefined;
+      const orderBy = options2?.orderBy;
+      const include = options2?.include;
+      const { data: rows, total } = await db.list({ where, orderBy, limit, after, include });
       const data = rows.map((row) => narrowRelationFields(def.relations, stripHiddenFields(table, row)));
       const pkColumn = resolvePrimaryKeyColumn(table);
       const lastRow = rows[rows.length - 1];
@@ -3821,10 +6318,15 @@ function createCrudHandlers(def, db) {
       const hasNextPage = nextCursor !== null;
       return ok4({ status: 200, body: { items: data, total, limit, nextCursor, hasNextPage } });
     },
-    async get(ctx, id) {
-      const row = await db.get(id);
-      if (!row) {
-        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+    async get(ctx, id, options2) {
+      const getOptions = options2?.include ? { include: options2.include } : undefined;
+      const row = await db.get(id, getOptions);
+      if (!row)
+        return notFound(id);
+      if (!isSameTenant(ctx, row))
+        return notFound(id);
+      if (isIndirectlyScoped && !await verifyIndirectTenantOwnership(ctx, row)) {
+        return notFound(id);
       }
       const accessResult = await enforceAccess("get", def.access, ctx, row);
       if (!accessResult.ok)
@@ -3839,6 +6341,29 @@ function createCrudHandlers(def, db) {
       if (!accessResult.ok)
         return err4(accessResult.error);
       let input = stripReadOnlyFields(table, data);
+      if (isIndirectlyScoped && tenantChain && queryParentIds && ctx.tenantId) {
+        const firstHop = tenantChain.hops[0];
+        const parentId = input[firstHop.foreignKey];
+        if (!parentId) {
+          return err4(new EntityNotFoundError2(`Referenced parent not found: ${firstHop.foreignKey} is required`));
+        }
+        const parentExists = await queryParentIds(firstHop.tableName, {
+          [firstHop.targetColumn]: parentId
+        });
+        if (parentExists.length === 0) {
+          return err4(new EntityNotFoundError2(`Referenced parent not found: ${firstHop.tableName} with ${firstHop.targetColumn} "${parentId}" does not exist`));
+        }
+        const indirectWhere = await resolveIndirectTenantWhere(ctx);
+        if (indirectWhere) {
+          const allowed = indirectWhere[firstHop.foreignKey];
+          if (!allowed || !allowed.in.includes(parentId)) {
+            return err4(new EntityForbiddenError2(`Referenced ${firstHop.tableName} does not belong to your tenant`));
+          }
+        }
+      }
+      if (isTenantScoped && !isIndirectlyScoped && ctx.tenantId) {
+        input = { ...input, tenantId: ctx.tenantId };
+      }
       if (def.before.create) {
         input = await def.before.create(input, ctx);
       }
@@ -3849,12 +6374,19 @@ function createCrudHandlers(def, db) {
           await def.after.create(strippedResult, ctx);
         } catch {}
       }
-      return ok4({ status: 201, body: narrowRelationFields(def.relations, strippedResult) });
+      return ok4({
+        status: 201,
+        body: narrowRelationFields(def.relations, strippedResult)
+      });
     },
     async update(ctx, id, data) {
       const existing = await db.get(id);
-      if (!existing) {
-        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+      if (!existing)
+        return notFound(id);
+      if (!isSameTenant(ctx, existing))
+        return notFound(id);
+      if (isIndirectlyScoped && !await verifyIndirectTenantOwnership(ctx, existing)) {
+        return notFound(id);
       }
       const accessResult = await enforceAccess("update", def.access, ctx, existing);
       if (!accessResult.ok)
@@ -3878,8 +6410,12 @@ function createCrudHandlers(def, db) {
     },
     async delete(ctx, id) {
       const existing = await db.get(id);
-      if (!existing) {
-        return err4(new EntityNotFoundError2(`${def.name} with id "${id}" not found`));
+      if (!existing)
+        return notFound(id);
+      if (!isSameTenant(ctx, existing))
+        return notFound(id);
+      if (isIndirectlyScoped && !await verifyIndirectTenantOwnership(ctx, existing)) {
+        return notFound(id);
       }
       const accessResult = await enforceAccess("delete", def.access, ctx, existing);
       if (!accessResult.ok)
@@ -3960,14 +6496,7 @@ function entityErrorHandler(error) {
 // src/entity/vertzql-parser.ts
 var MAX_LIMIT = 1000;
 var MAX_Q_BASE64_LENGTH = 10240;
-var ALLOWED_Q_KEYS = new Set([
-  "select",
-  "include",
-  "where",
-  "orderBy",
-  "limit",
-  "offset"
-]);
+var ALLOWED_Q_KEYS = new Set(["select", "include", "where", "orderBy", "limit", "offset"]);
 function parseVertzQL(query) {
   const result = {};
   for (const [key, value] of Object.entries(query)) {
@@ -4077,22 +6606,94 @@ function validateVertzQL(options, table, relationsConfig) {
     }
   }
   if (options.include && relationsConfig) {
-    for (const [relation, requested] of Object.entries(options.include)) {
-      const entityConfig = relationsConfig[relation];
-      if (entityConfig === undefined || entityConfig === false) {
-        return { ok: false, error: `Relation "${relation}" is not exposed` };
-      }
-      if (typeof entityConfig === "object" && typeof requested === "object") {
-        for (const field of Object.keys(requested)) {
-          if (!(field in entityConfig)) {
-            return {
-              ok: false,
-              error: `Field "${field}" is not exposed on relation "${relation}"`
-            };
-          }
+    const includeResult = validateInclude(options.include, relationsConfig, "");
+    if (!includeResult.ok)
+      return includeResult;
+  }
+  return { ok: true };
+}
+function validateInclude(include, relationsConfig, pathPrefix) {
+  for (const [relation, requested] of Object.entries(include)) {
+    const entityConfig = relationsConfig[relation];
+    const relationPath = pathPrefix ? `${pathPrefix}.${relation}` : relation;
+    if (entityConfig === undefined || entityConfig === false) {
+      return { ok: false, error: `Relation "${relationPath}" is not exposed` };
+    }
+    if (requested === true)
+      continue;
+    const configObj = typeof entityConfig === "object" ? entityConfig : undefined;
+    if (requested.where) {
+      if (!configObj || !configObj.allowWhere || configObj.allowWhere.length === 0) {
+        return {
+          ok: false,
+          error: `Filtering is not enabled on relation '${relationPath}'. ` + "Add 'allowWhere' to the entity relations config."
+        };
+      }
+      const allowedSet = new Set(configObj.allowWhere);
+      for (const field of Object.keys(requested.where)) {
+        if (!allowedSet.has(field)) {
+          return {
+            ok: false,
+            error: `Field '${field}' is not filterable on relation '${relationPath}'. ` + `Allowed: ${configObj.allowWhere.join(", ")}`
+          };
+        }
+      }
+    }
+    if (requested.orderBy) {
+      if (!configObj || !configObj.allowOrderBy || configObj.allowOrderBy.length === 0) {
+        return {
+          ok: false,
+          error: `Sorting is not enabled on relation '${relationPath}'. ` + "Add 'allowOrderBy' to the entity relations config."
+        };
+      }
+      const allowedSet = new Set(configObj.allowOrderBy);
+      for (const [field, dir] of Object.entries(requested.orderBy)) {
+        if (!allowedSet.has(field)) {
+          return {
+            ok: false,
+            error: `Field '${field}' is not sortable on relation '${relationPath}'. ` + `Allowed: ${configObj.allowOrderBy.join(", ")}`
+          };
+        }
+        if (dir !== "asc" && dir !== "desc") {
+          return {
+            ok: false,
+            error: `Invalid orderBy direction '${String(dir)}' for field '${field}' on relation '${relationPath}'. Must be 'asc' or 'desc'.`
+          };
+        }
+      }
+    }
+    if (requested.limit !== undefined) {
+      if (typeof requested.limit !== "number" || !Number.isFinite(requested.limit)) {
+        return {
+          ok: false,
+          error: `Invalid limit on relation '${relationPath}': must be a finite number`
+        };
+      }
+      if (requested.limit < 0) {
+        requested.limit = 0;
+      }
+      if (configObj?.maxLimit !== undefined && requested.limit > configObj.maxLimit) {
+        requested.limit = configObj.maxLimit;
+      }
+    }
+    if (requested.select && configObj?.select) {
+      for (const field of Object.keys(requested.select)) {
+        if (!(field in configObj.select)) {
+          return {
+            ok: false,
+            error: `Field "${field}" is not exposed on relation "${relationPath}"`
+          };
         }
       }
     }
+    if (requested.include) {
+      if (entityConfig === true) {
+        return {
+          ok: false,
+          error: `Nested includes are not supported on relation '${relationPath}' ` + "without a structured relations config."
+        };
+      }
+    }
   }
   return { ok: true };
 }
@@ -4120,7 +6721,11 @@ function getParams(ctx) {
 function generateEntityRoutes(def, registry, db, options) {
   const prefix = options?.apiPrefix ?? "/api";
   const basePath = `${prefix}/${def.name}`;
-  const crudHandlers = createCrudHandlers(def, db);
+  const tenantChain = options?.tenantChain ?? null;
+  const crudHandlers = createCrudHandlers(def, db, {
+    tenantChain,
+    queryParentIds: options?.queryParentIds
+  });
   const inject = def.inject ?? {};
   const registryProxy = Object.keys(inject).length > 0 ? registry.createScopedProxy(inject) : {};
   const routes = [];
@@ -4159,7 +6764,8 @@ function generateEntityRoutes(def, registry, db, options) {
               where: parsed.where ? parsed.where : undefined,
               orderBy: parsed.orderBy,
               limit: parsed.limit,
-              after: parsed.after
+              after: parsed.after,
+              include: parsed.include
             };
             const result = await crudHandlers.list(entityCtx, options2);
             if (!result.ok) {
@@ -4201,7 +6807,8 @@ function generateEntityRoutes(def, registry, db, options) {
             where: parsed.where,
             orderBy: parsed.orderBy,
             limit: parsed.limit,
-            after: parsed.after
+            after: parsed.after,
+            include: parsed.include
           };
           const result = await crudHandlers.list(entityCtx, options2);
           if (!result.ok) {
@@ -4246,7 +6853,8 @@ function generateEntityRoutes(def, registry, db, options) {
             if (!validation.ok) {
               return jsonResponse({ error: { code: "BadRequest", message: validation.error } }, 400);
             }
-            const result = await crudHandlers.get(entityCtx, id);
+            const getOptions = parsed.include ? { include: parsed.include } : undefined;
+            const result = await crudHandlers.get(entityCtx, id, getOptions);
             if (!result.ok) {
               const { status, body: body2 } = entityErrorHandler(result.error);
               return jsonResponse(body2, status);
@@ -4411,13 +7019,106 @@ function generateEntityRoutes(def, registry, db, options) {
   return routes;
 }
 
+// src/entity/tenant-chain.ts
+function resolveTenantChain(entityKey, tenantGraph, registry) {
+  if (!tenantGraph.indirectlyScoped.includes(entityKey)) {
+    return null;
+  }
+  if (tenantGraph.root === null) {
+    return null;
+  }
+  const rootEntry = registry[tenantGraph.root];
+  if (!rootEntry)
+    return null;
+  const rootTableName = rootEntry.table._name;
+  const tableNameToKey = new Map;
+  for (const [key, entry] of Object.entries(registry)) {
+    tableNameToKey.set(entry.table._name, key);
+  }
+  const directlyScopedTableNames = new Set;
+  for (const key of tenantGraph.directlyScoped) {
+    const entry = registry[key];
+    if (entry)
+      directlyScopedTableNames.add(entry.table._name);
+  }
+  directlyScopedTableNames.add(rootTableName);
+  const hops = [];
+  let currentKey = entityKey;
+  const visited = new Set;
+  while (true) {
+    if (visited.has(currentKey)) {
+      return null;
+    }
+    visited.add(currentKey);
+    const currentEntry = registry[currentKey];
+    if (!currentEntry)
+      return null;
+    let foundHop = false;
+    for (const [, rel] of Object.entries(currentEntry.relations)) {
+      if (rel._type !== "one" || !rel._foreignKey)
+        continue;
+      const targetTableName = rel._target()._name;
+      const targetKey = tableNameToKey.get(targetTableName);
+      if (!targetKey)
+        continue;
+      const targetIsDirectlyScoped = directlyScopedTableNames.has(targetTableName);
+      const targetIsIndirectlyScoped = tenantGraph.indirectlyScoped.includes(targetKey);
+      if (!targetIsDirectlyScoped && !targetIsIndirectlyScoped)
+        continue;
+      const targetEntry = registry[targetKey];
+      if (!targetEntry)
+        continue;
+      const targetPk = resolvePrimaryKey(targetEntry.table._columns);
+      hops.push({
+        tableName: targetTableName,
+        foreignKey: rel._foreignKey,
+        targetColumn: targetPk
+      });
+      if (targetIsDirectlyScoped && targetKey !== tenantGraph.root) {
+        const tenantColumn = resolveTenantFk(targetKey, registry);
+        if (!tenantColumn)
+          return null;
+        return { hops, tenantColumn };
+      }
+      if (targetKey === tenantGraph.root) {
+        return { hops, tenantColumn: rel._foreignKey };
+      }
+      currentKey = targetKey;
+      foundHop = true;
+      break;
+    }
+    if (!foundHop)
+      return null;
+  }
+}
+function resolvePrimaryKey(columns) {
+  for (const [key, col] of Object.entries(columns)) {
+    if (col && typeof col === "object" && "_meta" in col) {
+      const meta = col._meta;
+      if (meta.primary)
+        return key;
+    }
+  }
+  return "id";
+}
+function resolveTenantFk(modelKey, registry) {
+  const entry = registry[modelKey];
+  if (!entry || !entry._tenant)
+    return null;
+  const tenantRel = entry.relations[entry._tenant];
+  if (!tenantRel || !tenantRel._foreignKey)
+    return null;
+  return tenantRel._foreignKey;
+}
+
 // src/service/context.ts
-function createServiceContext(request, registryProxy) {
+function createServiceContext(request, registryProxy, rawRequest) {
   const userId = request.userId ?? null;
   const roles = request.roles ?? [];
   const tenantId = request.tenantId ?? null;
   return {
     userId,
+    tenantId,
     authenticated() {
       return userId !== null;
     },
@@ -4427,7 +7128,8 @@ function createServiceContext(request, registryProxy) {
     role(...rolesToCheck) {
       return rolesToCheck.some((r) => roles.includes(r));
     },
-    entities: registryProxy
+    entities: registryProxy,
+    request: rawRequest ?? { url: "", method: "", headers: new Headers, body: undefined }
   };
 }
 
@@ -4476,23 +7178,56 @@ function generateServiceRoutes(def, registry, options) {
       handler: async (ctx) => {
         try {
           const requestInfo = extractRequestInfo2(ctx);
-          const serviceCtx = createServiceContext(requestInfo, registryProxy);
+          const raw = ctx.raw;
+          const ctxHeaders = ctx.headers;
+          const rawRequest = {
+            url: raw?.url ?? "",
+            method: raw?.method ?? "",
+            headers: new Headers(ctxHeaders ?? {}),
+            body: ctx.body
+          };
+          const serviceCtx = createServiceContext(requestInfo, registryProxy, rawRequest);
           const accessResult = await enforceAccess(handlerName, def.access, serviceCtx);
           if (!accessResult.ok) {
             return jsonResponse2({ error: { code: "Forbidden", message: accessResult.error.message } }, 403);
           }
-          const rawBody = ctx.body ?? {};
-          const parsed = handlerDef.body.parse(rawBody);
-          if (!parsed.ok) {
-            const message = parsed.error instanceof Error ? parsed.error.message : "Invalid request body";
-            return jsonResponse2({ error: { code: "BadRequest", message } }, 400);
+          if (handlerDef.body && isContentDescriptor(handlerDef.body)) {
+            const reqContentType = rawRequest.headers.get("content-type")?.toLowerCase() ?? "";
+            const expected = handlerDef.body._contentType;
+            const isXml = expected === "application/xml";
+            const matches = isXml ? reqContentType.includes("application/xml") || reqContentType.includes("text/xml") : reqContentType.includes(expected);
+            if (reqContentType && !matches) {
+              return jsonResponse2({
+                error: {
+                  code: "UnsupportedMediaType",
+                  message: `Expected content-type ${expected}, got ${reqContentType}`
+                }
+              }, 415);
+            }
+          }
+          let input;
+          if (handlerDef.body) {
+            const rawBody = ctx.body ?? {};
+            const parsed = handlerDef.body.parse(rawBody);
+            if (!parsed.ok) {
+              const message = parsed.error instanceof Error ? parsed.error.message : "Invalid request body";
+              return jsonResponse2({ error: { code: "BadRequest", message } }, 400);
+            }
+            input = parsed.data;
           }
-          const result = await handlerDef.handler(parsed.data, serviceCtx);
+          const result = await handlerDef.handler(input, serviceCtx);
           const responseParsed = handlerDef.response.parse(result);
           if (!responseParsed.ok) {
             const message = responseParsed.error instanceof Error ? responseParsed.error.message : "Response validation failed";
             console.warn(`[vertz] Service response validation warning: ${message}`);
           }
+          if (isContentDescriptor(handlerDef.response)) {
+            const body = result instanceof Uint8Array ? result : String(result);
+            return new Response(body, {
+              status: 200,
+              headers: { "content-type": handlerDef.response._contentType }
+            });
+          }
           return jsonResponse2(result, 200);
         } catch (error) {
           const message = error instanceof Error ? error.message : "Internal server error";
@@ -4565,23 +7300,62 @@ function createServer(config) {
   const allRoutes = [];
   const registry = new EntityRegistry;
   const apiPrefix = config.apiPrefix === undefined ? "/api" : config.apiPrefix;
+  const { db } = config;
+  const hasDbClient = db && isDatabaseClient(db);
+  if (hasDbClient && config.auth) {
+    validateAuthModels(db);
+  }
   if (config.entities && config.entities.length > 0) {
-    const { db } = config;
     let dbFactory;
-    if (db && isDatabaseClient(db)) {
+    const tableOf = (e) => e.table ?? e.name;
+    if (hasDbClient) {
       const dbModels = db._internals.models;
-      const missing = config.entities.filter((e) => !(e.name in dbModels)).map((e) => `"${e.name}"`);
-      if (missing.length > 0) {
+      const missing = config.entities.filter((e) => !(tableOf(e) in dbModels)).map((e) => `"${tableOf(e)}"`);
+      const uniqueMissing = [...new Set(missing)];
+      if (uniqueMissing.length > 0) {
         const registered = Object.keys(dbModels).map((k) => `"${k}"`).join(", ");
-        const plural = missing.length > 1;
-        throw new Error(`${plural ? "Entities" : "Entity"} ${missing.join(", ")} ${plural ? "are" : "is"} not registered in createDb(). ` + `Add the missing model${plural ? "s" : ""} to the models object in your createDb() call. ` + `Registered models: ${registered || "(none)"}`);
+        const plural = uniqueMissing.length > 1;
+        throw new Error(`${plural ? "Entities" : "Entity"} ${uniqueMissing.join(", ")} ${plural ? "are" : "is"} not registered in createDb(). ` + `Add the missing model${plural ? "s" : ""} to the models object in your createDb() call. ` + `Registered models: ${registered || "(none)"}`);
       }
-      dbFactory = (entityDef) => createDatabaseBridgeAdapter(db, entityDef.name);
+      dbFactory = (entityDef) => createDatabaseBridgeAdapter(db, tableOf(entityDef));
     } else if (db) {
       dbFactory = () => db;
     } else {
       dbFactory = config._entityDbFactory ?? createNoopDbAdapter;
     }
+    const tenantChains = new Map;
+    let queryParentIds;
+    if (hasDbClient) {
+      const dbClient = db;
+      const tenantGraph = dbClient._internals.tenantGraph;
+      const dbModelsMap = dbClient._internals.models;
+      for (const entityDef of config.entities) {
+        const eDef = entityDef;
+        if (eDef.tenantScoped === false)
+          continue;
+        const modelKey = tableOf(eDef);
+        const chain = resolveTenantChain(modelKey, tenantGraph, dbModelsMap);
+        if (chain) {
+          tenantChains.set(eDef.name, chain);
+        }
+      }
+      if (tenantChains.size > 0) {
+        queryParentIds = async (tableName, where) => {
+          const delegate = dbClient[tableName];
+          if (!delegate)
+            return [];
+          const result = await delegate.list({ where });
+          if (!result.ok || !result.data)
+            return [];
+          return result.data.map((row) => row.id);
+        };
+      }
+    }
+    if (config._tenantChains) {
+      for (const [name, chain] of config._tenantChains) {
+        tenantChains.set(name, chain);
+      }
+    }
     for (const entityDef of config.entities) {
       const entityDb = dbFactory(entityDef);
       const ops = createEntityOps(entityDef, entityDb);
@@ -4589,8 +7363,11 @@ function createServer(config) {
     }
     for (const entityDef of config.entities) {
       const entityDb = dbFactory(entityDef);
+      const tenantChain = tenantChains.get(entityDef.name) ?? null;
       const routes = generateEntityRoutes(entityDef, registry, entityDb, {
-        apiPrefix
+        apiPrefix,
+        tenantChain,
+        queryParentIds: tenantChain ? queryParentIds ?? config._queryParentIds : undefined
       });
       allRoutes.push(...routes);
     }
@@ -4601,10 +7378,53 @@ function createServer(config) {
       allRoutes.push(...routes);
     }
   }
-  return coreCreateServer({
+  const app = coreCreateServer({
     ...config,
     _entityRoutes: allRoutes.length > 0 ? allRoutes : undefined
   });
+  if (hasDbClient && config.auth) {
+    const dbClient = db;
+    const authConfig = {
+      ...config.auth,
+      userStore: config.auth.userStore ?? new DbUserStore(dbClient),
+      sessionStore: config.auth.sessionStore ?? new DbSessionStore(dbClient),
+      oauthAccountStore: config.auth.oauthAccountStore ?? (config.auth.providers?.length ? new DbOAuthAccountStore(dbClient) : undefined),
+      _entityProxy: config.auth.onUserCreated ? config.auth._entityProxy ?? registry.createProxy() : undefined
+    };
+    const auth = createAuth(authConfig);
+    if (apiPrefix !== "/api") {
+      throw new Error(`requestHandler requires apiPrefix to be '/api' (got '${apiPrefix}'). ` + "Custom API prefixes are not yet supported with auth.");
+    }
+    const authPrefix = `${apiPrefix}/auth`;
+    const authPrefixSlash = `${authPrefix}/`;
+    const serverInstance = app;
+    serverInstance.auth = auth;
+    serverInstance.initialize = async () => {
+      await initializeAuthTables(dbClient);
+      await auth.initialize();
+    };
+    let cachedRequestHandler = null;
+    Object.defineProperty(serverInstance, "requestHandler", {
+      get() {
+        if (!cachedRequestHandler) {
+          const entityHandler = this.handler;
+          const authHandler = this.auth.handler;
+          cachedRequestHandler = (request) => {
+            const pathname = new URL(request.url).pathname;
+            if (pathname === authPrefix || pathname.startsWith(authPrefixSlash)) {
+              return authHandler(request);
+            }
+            return entityHandler(request);
+          };
+        }
+        return cachedRequestHandler;
+      },
+      enumerable: true,
+      configurable: false
+    });
+    return serverInstance;
+  }
+  return app;
 }
 // src/entity/entity.ts
 import { deepFreeze } from "@vertz/core";
@@ -4616,6 +7436,8 @@ function entity(name, config) {
   if (!config.model) {
     throw new Error("entity() requires a model in the config.");
   }
+  const hasTenantIdColumn = "tenantId" in config.model.table._columns;
+  const tenantScoped = config.tenantScoped ?? hasTenantIdColumn;
   const def = {
     kind: "entity",
     name,
@@ -4625,7 +7447,10 @@ function entity(name, config) {
     before: config.before ?? {},
     after: config.after ?? {},
     actions: config.actions ?? {},
-    relations: config.relations ?? {}
+    relations: config.relations ?? {},
+    table: config.table ?? name,
+    tenantScoped,
+    tenantChain: null
   };
   return deepFreeze(def);
 }
@@ -4652,14 +7477,20 @@ export {
   vertz,
   verifyPassword,
   validatePassword,
+  validateOverrides,
+  validateAuthModels,
   stripReadOnlyFields,
   stripHiddenFields,
   service,
   rules,
+  resolveTenantChain,
   makeImmutable,
+  isContentDescriptor,
+  initializeAuthTables,
   hashPassword,
   google,
   github,
+  getIncompatibleAddOns,
   generateEntityRoutes,
   entityErrorHandler,
   entity,
@@ -4670,20 +7501,29 @@ export {
   defaultAccess,
   deepFreeze3 as deepFreeze,
   decodeAccessSet,
+  createWebhookHandler,
+  createStripeBillingAdapter,
   createServer,
+  createPlanManager,
   createMiddleware,
   createImmutableProxy,
   createEnv,
   createEntityContext,
   createCrudHandlers,
+  createBillingEventEmitter,
   createAuth,
   createAccessEventBroadcaster,
   createAccessContext,
   createAccess,
+  content,
+  computePlanHash,
+  computeOverage,
   computeEntityAccess,
   computeAccessSet,
   checkFva,
+  checkAddOnCompatibility,
   calculateBillingPeriod,
+  authModels,
   VertzException2 as VertzException,
   ValidationException2 as ValidationException,
   UnauthorizedException,
@@ -4692,19 +7532,30 @@ export {
   InternalServerErrorException,
   InMemoryWalletStore,
   InMemoryUserStore,
+  InMemorySubscriptionStore,
   InMemorySessionStore,
   InMemoryRoleAssignmentStore,
   InMemoryRateLimitStore,
-  InMemoryPlanStore,
+  InMemoryPlanVersionStore,
   InMemoryPasswordResetStore,
+  InMemoryOverrideStore,
   InMemoryOAuthAccountStore,
   InMemoryMFAStore,
+  InMemoryGrandfatheringStore,
   InMemoryFlagStore,
   InMemoryEmailVerificationStore,
   InMemoryClosureStore,
   ForbiddenException,
   EntityRegistry,
+  DbUserStore,
+  DbSubscriptionStore,
+  DbSessionStore,
+  DbRoleAssignmentStore,
+  DbOAuthAccountStore,
+  DbFlagStore,
+  DbClosureStore,
   ConflictException,
-  BadRequestException,
-  AuthorizationError
+  BadRequestException2 as BadRequestException,
+  AuthorizationError,
+  AUTH_TABLE_NAMES
 };