@vertz/server 0.2.15 → 0.2.17

package/dist/index.d.ts

@@ -1,7 +1,8 @@
-import { AccumulateProvides, AppBuilder as AppBuilder2, AppConfig as AppConfig2, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, HandlerCtx, HttpMethod, HttpStatusCode, Infer, InferSchema, ListenOptions, MiddlewareDef, NamedMiddlewareDef, RawRequest, ServerAdapter, ServerHandle } from "@vertz/core";
+import { AccumulateProvides, AppBuilder as AppBuilder2, AppConfig as AppConfig2, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, HandlerCtx, HttpMethod, HttpStatusCode, Infer as Infer2, InferSchema, ListenOptions, MiddlewareDef, NamedMiddlewareDef, RawRequest, ServerAdapter, ServerHandle } from "@vertz/core";
 import { BadRequestException, ConflictException, createEnv, createImmutableProxy, createMiddleware, deepFreeze, ForbiddenException, InternalServerErrorException, makeImmutable, NotFoundException, ServiceUnavailableException, UnauthorizedException, ValidationException, VertzException, vertz } from "@vertz/core";
 import { ModelEntry } from "@vertz/db";
 import { AuthError, Result } from "@vertz/errors";
+import { Infer, ObjectSchema, StringSchema } from "@vertz/schema";
 /**
 * rules.* builders — declarative access rule data structures.
 *
@@ -280,15 +281,101 @@ declare class InMemoryRoleAssignmentStore implements RoleAssignmentStore {
 * Used by Layer 1 of access context to gate entitlements on feature flags.
 */
 interface FlagStore {
-	setFlag(orgId: string, flag: string, enabled: boolean): void;
-	getFlag(orgId: string, flag: string): boolean;
-	getFlags(orgId: string): Record<string, boolean>;
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
 }
 declare class InMemoryFlagStore implements FlagStore {
 	private flags;
-	setFlag(orgId: string, flag: string, enabled: boolean): void;
-	getFlag(orgId: string, flag: string): boolean;
-	getFlags(orgId: string): Record<string, boolean>;
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
+}
+/** Per-tenant limit override. Only affects the cap, not the billing period. */
+interface LimitOverride {
+	max: number;
+}
+interface Subscription {
+	tenantId: string;
+	planId: string;
+	startedAt: Date;
+	expiresAt: Date | null;
+	overrides: Record<string, LimitOverride>;
+}
+interface SubscriptionStore {
+	/**
+	* Assign a plan to a tenant. Resets per-tenant overrides (overrides are plan-specific).
+	* To preserve overrides across plan changes, re-apply them after calling assign().
+	*/
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	/** Attach an add-on to a tenant. */
+	attachAddOn?(tenantId: string, addOnId: string): Promise<void>;
+	/** Detach an add-on from a tenant. */
+	detachAddOn?(tenantId: string, addOnId: string): Promise<void>;
+	/** Get all active add-on IDs for a tenant. */
+	getAddOns?(tenantId: string): Promise<string[]>;
+	/** List all tenant IDs assigned to a specific plan. */
+	listByPlan?(planId: string): Promise<string[]>;
+	dispose(): void;
+}
+declare class InMemorySubscriptionStore implements SubscriptionStore {
+	private subscriptions;
+	private addOns;
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	detachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	getAddOns(tenantId: string): Promise<string[]>;
+	listByPlan(planId: string): Promise<string[]>;
+	dispose(): void;
+}
+/**
+* Check if an add-on is compatible with a given base plan.
+* Returns true if the add-on has no `requires` or if the plan is in the requires list.
+*/
+declare function checkAddOnCompatibility(accessDef: AccessDefinition, addOnId: string, currentPlanId: string): boolean;
+/**
+* Get add-ons that are incompatible with a target plan.
+* Used to flag incompatible add-ons when a tenant downgrades.
+*/
+declare function getIncompatibleAddOns(accessDef: AccessDefinition, activeAddOnIds: string[], targetPlanId: string): string[];
+/**
+* WalletStore — consumption tracking for plan-limited entitlements.
+*
+* Tracks per-tenant usage within billing periods with atomic
+* check-and-increment operations.
+*/
+interface WalletEntry {
+	tenantId: string;
+	entitlement: string;
+	periodStart: Date;
+	periodEnd: Date;
+	consumed: number;
+}
+interface ConsumeResult {
+	success: boolean;
+	consumed: number;
+	limit: number;
+	remaining: number;
+}
+interface WalletStore {
+	consume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
+	unconsume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, amount?: number): Promise<void>;
+	getConsumption(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date): Promise<number>;
+	dispose(): void;
+}
+declare class InMemoryWalletStore implements WalletStore {
+	private entries;
+	private key;
+	consume(tenantId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
+	unconsume(tenantId: string, entitlement: string, periodStart: Date, _periodEnd: Date, amount?: number): Promise<void>;
+	getConsumption(tenantId: string, entitlement: string, periodStart: Date, _periodEnd: Date): Promise<number>;
+	dispose(): void;
 }
 /** Limit override: add (additive) or max (hard cap) */
 interface LimitOverrideDef {
@@ -324,59 +411,6 @@ declare class InMemoryOverrideStore implements OverrideStore {
 * Throws on invalid limit keys, invalid feature names, or invalid max values.
 */
 declare function validateOverrides(accessDef: AccessDefinition, overrides: TenantOverrides): void;
-/** Per-customer limit override. Only affects the cap, not the billing period. */
-interface LimitOverride {
-	max: number;
-}
-interface OrgPlan {
-	orgId: string;
-	planId: string;
-	startedAt: Date;
-	expiresAt: Date | null;
-	overrides: Record<string, LimitOverride>;
-}
-interface PlanStore {
-	/**
-	* Assign a plan to an org. Resets per-customer overrides (overrides are plan-specific).
-	* To preserve overrides across plan changes, re-apply them after calling assignPlan().
-	*/
-	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
-	getPlan(orgId: string): Promise<OrgPlan | null>;
-	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
-	removePlan(orgId: string): Promise<void>;
-	/** Attach an add-on to an org. */
-	attachAddOn?(orgId: string, addOnId: string): Promise<void>;
-	/** Detach an add-on from an org. */
-	detachAddOn?(orgId: string, addOnId: string): Promise<void>;
-	/** Get all active add-on IDs for an org. */
-	getAddOns?(orgId: string): Promise<string[]>;
-	/** List all org IDs assigned to a specific plan. */
-	listByPlan?(planId: string): Promise<string[]>;
-	dispose(): void;
-}
-declare class InMemoryPlanStore implements PlanStore {
-	private plans;
-	private addOns;
-	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
-	getPlan(orgId: string): Promise<OrgPlan | null>;
-	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
-	removePlan(orgId: string): Promise<void>;
-	attachAddOn(orgId: string, addOnId: string): Promise<void>;
-	detachAddOn(orgId: string, addOnId: string): Promise<void>;
-	getAddOns(orgId: string): Promise<string[]>;
-	listByPlan(planId: string): Promise<string[]>;
-	dispose(): void;
-}
-/**
-* Check if an add-on is compatible with a given base plan.
-* Returns true if the add-on has no `requires` or if the plan is in the requires list.
-*/
-declare function checkAddOnCompatibility(accessDef: AccessDefinition, addOnId: string, currentPlanId: string): boolean;
-/**
-* Get add-ons that are incompatible with a target plan.
-* Used to flag incompatible add-ons when a tenant downgrades.
-*/
-declare function getIncompatibleAddOns(accessDef: AccessDefinition, activeAddOnIds: string[], targetPlanId: string): string[];
 /**
 * Plan Version Store — tracks versioned snapshots of plan configurations.
 *
@@ -425,39 +459,6 @@ declare class InMemoryPlanVersionStore implements PlanVersionStore {
 	getCurrentHash(planId: string): Promise<string | null>;
 	dispose(): void;
 }
-/**
-* WalletStore — consumption tracking for plan-limited entitlements.
-*
-* Tracks per-org usage within billing periods with atomic
-* check-and-increment operations.
-*/
-interface WalletEntry {
-	orgId: string;
-	entitlement: string;
-	periodStart: Date;
-	periodEnd: Date;
-	consumed: number;
-}
-interface ConsumeResult {
-	success: boolean;
-	consumed: number;
-	limit: number;
-	remaining: number;
-}
-interface WalletStore {
-	consume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
-	unconsume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, amount?: number): Promise<void>;
-	getConsumption(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date): Promise<number>;
-	dispose(): void;
-}
-declare class InMemoryWalletStore implements WalletStore {
-	private entries;
-	private key;
-	consume(orgId: string, entitlement: string, periodStart: Date, periodEnd: Date, limit: number, amount?: number): Promise<ConsumeResult>;
-	unconsume(orgId: string, entitlement: string, periodStart: Date, _periodEnd: Date, amount?: number): Promise<void>;
-	getConsumption(orgId: string, entitlement: string, periodStart: Date, _periodEnd: Date): Promise<number>;
-	dispose(): void;
-}
 interface ResourceRef {
 	type: string;
 	id: string;
@@ -471,8 +472,8 @@ interface AccessContextConfig {
 	fva?: number;
 	/** Flag store — required for Layer 1 feature flag checks */
 	flagStore?: FlagStore;
-	/** Plan store — required for Layer 4 plan checks */
-	planStore?: PlanStore;
+	/** Subscription store — required for Layer 4 plan checks */
+	subscriptionStore?: SubscriptionStore;
 	/** Wallet store — required for Layer 5 wallet checks and canAndConsume() */
 	walletStore?: WalletStore;
 	/** Override store — per-tenant feature and limit overrides */
@@ -482,20 +483,28 @@ interface AccessContextConfig {
 	/** Plan version store — required for versioned plan resolution (grandfathered tenants) */
 	planVersionStore?: PlanVersionStore;
 }
+/**
+* Entitlement registry — augmented by @vertz/codegen to narrow entitlement strings.
+* When empty (no codegen), Entitlement falls back to `string`.
+* When codegen runs, it populates this with `{ 'entity:action': true }` entries.
+*/
+interface EntitlementRegistry {}
+/** Entitlement type — narrows to literal union when codegen populates EntitlementRegistry. */
+type Entitlement = keyof EntitlementRegistry extends never ? string : Extract<keyof EntitlementRegistry, string>;
 interface AccessContext {
-	can(entitlement: string, resource?: ResourceRef): Promise<boolean>;
-	check(entitlement: string, resource?: ResourceRef): Promise<AccessCheckResult>;
-	authorize(entitlement: string, resource?: ResourceRef): Promise<void>;
+	can(entitlement: Entitlement, resource?: ResourceRef): Promise<boolean>;
+	check(entitlement: Entitlement, resource?: ResourceRef): Promise<AccessCheckResult>;
+	authorize(entitlement: Entitlement, resource?: ResourceRef): Promise<void>;
 	canAll(checks: Array<{
-		entitlement: string;
+		entitlement: Entitlement;
 		resource?: ResourceRef;
 	}>): Promise<Map<string, boolean>>;
 	/** Batch check: single entitlement across multiple entities. Returns Map<entityId, boolean>. */
-	canBatch(entitlement: string, resources: ResourceRef[]): Promise<Map<string, boolean>>;
+	canBatch(entitlement: Entitlement, resources: ResourceRef[]): Promise<Map<string, boolean>>;
 	/** Atomic check + consume. Runs full can() then increments wallet if all layers pass. */
-	canAndConsume(entitlement: string, resource?: ResourceRef, amount?: number): Promise<boolean>;
+	canAndConsume(entitlement: Entitlement, resource?: ResourceRef, amount?: number): Promise<boolean>;
 	/** Rollback a previous canAndConsume(). Use when the operation fails after consumption. */
-	unconsume(entitlement: string, resource?: ResourceRef, amount?: number): Promise<void>;
+	unconsume(entitlement: Entitlement, resource?: ResourceRef, amount?: number): Promise<void>;
 }
 declare function createAccessContext(config: AccessContextConfig): AccessContext;
 interface AccessCheckData {
@@ -515,17 +524,16 @@ interface ComputeAccessSetConfig {
 	accessDef: AccessDefinition;
 	roleStore: RoleAssignmentStore;
 	closureStore: ClosureStore;
-	plan?: string | null;
 	/** Flag store — for feature flag state in access set */
 	flagStore?: FlagStore;
-	/** Plan store — for limit info in access set */
-	planStore?: PlanStore;
+	/** Subscription store — for limit info in access set */
+	subscriptionStore?: SubscriptionStore;
 	/** Wallet store — for consumption info in access set */
 	walletStore?: WalletStore;
 	/** Org resolver — for plan/wallet lookups */
 	orgResolver?: (resource?: ResourceRef) => Promise<string | null>;
-	/** Org ID — direct org ID for global access set (bypass orgResolver) */
-	orgId?: string | null;
+	/** Tenant ID — direct tenant ID for global access set (bypass orgResolver) */
+	tenantId?: string | null;
 }
 declare function computeAccessSet(config: ComputeAccessSetConfig): Promise<AccessSet>;
 /** Sparse encoding for JWT. Only includes allowed + denied-with-meta entries. */
@@ -593,6 +601,7 @@ interface SessionStore {
 		expiresAt: Date;
 		currentTokens?: AuthTokens;
 	}): Promise<StoredSession>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
 	findByRefreshHash(hash: string): Promise<StoredSession | null>;
 	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
 	revokeSession(id: string): Promise<void>;
@@ -632,6 +641,8 @@ interface UserStore {
 	findById(id: string): Promise<AuthUser | null>;
 	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
 	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	/** Delete a user by id. Used for rollback when onUserCreated fails. */
+	deleteUser(id: string): Promise<void>;
 }
 interface MfaConfig {
 	enabled?: boolean;
@@ -673,8 +684,7 @@ interface OAuthUserInfo {
 	providerId: string;
 	email: string;
 	emailVerified: boolean;
-	name?: string;
-	avatarUrl?: string;
+	raw: Record<string, unknown>;
 }
 interface OAuthProvider {
 	id: string;
@@ -695,6 +705,45 @@ interface OAuthAccountStore {
 	unlinkAccount(userId: string, provider: string): Promise<void>;
 	dispose(): void;
 }
+/** Context provided to auth lifecycle callbacks. */
+interface AuthCallbackContext {
+	/**
+	* System-level entity access — bypasses access rules.
+	* During sign-up, the user isn't authenticated yet,
+	* so access rules like rules.authenticated() would block the callback.
+	*/
+	entities: Record<string, AuthEntityProxy>;
+}
+/** Minimal CRUD interface for entity access within auth callbacks. */
+interface AuthEntityProxy {
+	get(id: string): Promise<unknown>;
+	list(options?: unknown): Promise<unknown>;
+	create(data: Record<string, unknown>): Promise<unknown>;
+	update(id: string, data: Record<string, unknown>): Promise<unknown>;
+	delete(id: string): Promise<void>;
+}
+/**
+* Discriminated union for onUserCreated callback payload.
+* OAuth and email/password sign-ups provide different data shapes.
+*/
+type OnUserCreatedPayload = {
+	/** The auth user that was just created. */
+	user: AuthUser;
+	/** The OAuth provider that created this user. */
+	provider: {
+		id: string;
+		name: string;
+	};
+	/** Full provider API response (cast to GithubProfile, GoogleProfile, etc.). */
+	profile: Record<string, unknown>;
+} | {
+	/** The auth user that was just created. */
+	user: AuthUser;
+	/** null for email/password sign-up. */
+	provider: null;
+	/** Extra fields from the sign-up form (via schema passthrough). */
+	signUpData: Record<string, unknown>;
+};
 interface EmailVerificationConfig {
 	enabled: boolean;
 	tokenTtl?: string | number;
@@ -790,6 +839,21 @@ interface AuthConfig {
 	passwordResetStore?: PasswordResetStore;
 	/** Access control configuration — enables ACL claim in JWT */
 	access?: AuthAccessConfig;
+	/** Tenant switching configuration — enables POST /auth/switch-tenant */
+	tenant?: TenantConfig;
+	/**
+	* Called after a new user is created in the auth system.
+	* Fires before the session is created.
+	* If this throws, the auth user is rolled back (deleted).
+	*/
+	onUserCreated?: (payload: OnUserCreatedPayload, ctx: AuthCallbackContext) => Promise<void>;
+	/** @internal Entity proxy for onUserCreated callback. Set by createServer(). */
+	_entityProxy?: Record<string, AuthEntityProxy>;
+}
+/** Configuration for multi-tenant session switching. */
+interface TenantConfig {
+	/** Verify that user has membership in the target tenant. Return false to deny. */
+	verifyMembership: (userId: string, tenantId: string) => Promise<boolean>;
 }
 /** Access control configuration for JWT acl claim computation. */
 interface AuthAccessConfig {
@@ -797,16 +861,16 @@ interface AuthAccessConfig {
 	roleStore: RoleAssignmentStore;
 	closureStore: ClosureStore;
 	flagStore?: FlagStore;
+	subscriptionStore?: SubscriptionStore;
+	walletStore?: WalletStore;
 }
 interface AuthUser {
 	id: string;
 	email: string;
 	role: string;
-	plan?: string;
 	emailVerified?: boolean;
 	createdAt: Date;
 	updatedAt: Date;
-	[key: string]: unknown;
 }
 interface SessionPayload {
 	sub: string;
@@ -816,6 +880,7 @@ interface SessionPayload {
 	exp: number;
 	jti: string;
 	sid: string;
+	tenantId?: string;
 	claims?: Record<string, unknown>;
 	fva?: number;
 	acl?: AclClaim;
@@ -850,16 +915,18 @@ interface SessionInfo {
 	expiresAt: Date;
 	isCurrent: boolean;
 }
-interface SignUpInput {
-	email: string;
-	password: string;
-	role?: string;
-	[key: string]: unknown;
-}
-interface SignInInput {
-	email: string;
-	password: string;
-}
+type ReservedSignUpField = "role" | "emailVerified" | "id" | "createdAt" | "updatedAt";
+type ReservedSignUpFields = { [K in ReservedSignUpField]? : never };
+declare const signUpInputSchema: ObjectSchema<{
+	email: StringSchema;
+	password: StringSchema;
+}>;
+declare const signInInputSchema: ObjectSchema<{
+	email: StringSchema;
+	password: StringSchema;
+}>;
+type SignUpInput = Infer<typeof signUpInputSchema> & ReservedSignUpFields & Record<string, unknown>;
+type SignInInput = Infer<typeof signInInputSchema>;
 interface AuthApi {
 	signUp: (data: SignUpInput, ctx?: {
 		headers: Headers;
@@ -889,6 +956,19 @@ interface AuthInstance {
 	initialize: () => Promise<void>;
 	/** Dispose stores and cleanup intervals */
 	dispose: () => void;
+	/**
+	* JWT-only session resolver for SSR injection.
+	* Reads the session cookie, verifies JWT (no DB lookup), and returns
+	* minimal session data + optional access set for client hydration.
+	*/
+	resolveSessionForSSR: (request: Request) => Promise<{
+		session: {
+			user: Record<string, unknown>;
+			expiresAt: number;
+		};
+		/** AccessSet | null at runtime; typed as unknown to avoid cross-package dependency on @vertz/ui */
+		accessSet?: unknown;
+	} | null>;
 }
 interface AuthContext {
 	headers: Headers;
@@ -914,9 +994,6 @@ interface UserTableEntry extends ModelEntry<any, any> {
 		role: {
 			type: string;
 		};
-		plan?: {
-			type: string;
-		};
 		createdAt: {
 			type: Date;
 		};
@@ -945,9 +1022,8 @@ import { AuthValidationError } from "@vertz/errors";
 declare function hashPassword(password: string): Promise<string>;
 declare function verifyPassword(password: string, hash: string): Promise<boolean>;
 declare function validatePassword(password: string, requirements?: PasswordRequirements): AuthValidationError | null;
-type Entitlement = string;
 interface RoleDefinition {
-	entitlements: Entitlement[];
+	entitlements: string[];
 }
 interface EntitlementDefinition {
 	roles: string[];
@@ -960,20 +1036,20 @@ interface AccessConfig {
 }
 interface AccessInstance {
 	/** Check if user has a specific entitlement */
-	can(entitlement: Entitlement, user: AuthUser | null): Promise<boolean>;
+	can(entitlement: string, user: AuthUser | null): Promise<boolean>;
 	/** Check with resource context */
-	canWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<boolean>;
+	canWithResource(entitlement: string, resource: Resource, user: AuthUser | null): Promise<boolean>;
 	/** Throws if not authorized */
-	authorize(entitlement: Entitlement, user: AuthUser | null): Promise<void>;
+	authorize(entitlement: string, user: AuthUser | null): Promise<void>;
 	/** Authorize with resource context */
-	authorizeWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<void>;
+	authorizeWithResource(entitlement: string, resource: Resource, user: AuthUser | null): Promise<void>;
 	/** Check multiple entitlements at once */
 	canAll(checks: Array<{
-		entitlement: Entitlement;
+		entitlement: string;
 		resource?: Resource;
 	}>, user: AuthUser | null): Promise<Map<string, boolean>>;
 	/** Get all entitlements for a role */
-	getEntitlementsForRole(role: string): Entitlement[];
+	getEntitlementsForRole(role: string): string[];
 	/** Middleware that adds ctx.can() and ctx.authorize() to context */
 	middleware: () => any;
 }
@@ -984,9 +1060,9 @@ interface Resource {
 	[key: string]: unknown;
 }
 declare class AuthorizationError extends Error {
-	readonly entitlement: Entitlement;
+	readonly entitlement: string;
 	readonly userId?: string | undefined;
-	constructor(message: string, entitlement: Entitlement, userId?: string | undefined);
+	constructor(message: string, entitlement: string, userId?: string | undefined);
 }
 declare function createAccess(config: AccessConfig): AccessInstance;
 declare const defaultAccess: AccessInstance;
@@ -1071,22 +1147,17 @@ interface BunWebSocket<T> {
 declare function createAccessEventBroadcaster(config: AccessEventBroadcasterConfig): AccessEventBroadcaster;
 import { ModelDef } from "@vertz/db";
 declare const authModels: Record<string, ModelDef>;
-import { QueryResult, ReadError } from "@vertz/db";
-import { SqlFragment } from "@vertz/db/sql";
-import { Result as Result2 } from "@vertz/errors";
+import { DatabaseClient } from "@vertz/db";
+type AuthModels = typeof authModels;
 /**
 * Minimal database interface for auth stores.
-* Only requires raw query capability and dialect info.
+*
+* Keeps raw query support for legacy stores, but exposes the typed
+* `auth_sessions` delegate so session lookups can go through the generated
+* client instead of ad hoc SQL strings. Includes `transaction` for atomic
+* multi-statement writes in plan and closure stores.
 */
-interface AuthDbClient {
-	query<T = Record<string, unknown>>(fragment: SqlFragment): Promise<Result2<QueryResult<T>, ReadError>>;
-	_internals: {
-		readonly models: Record<string, unknown>;
-		readonly dialect: {
-			readonly name: "postgres" | "sqlite";
-		};
-	};
-}
+type AuthDbClient = Pick<DatabaseClient<AuthModels>, "auth_sessions" | "query" | "_internals" | "transaction">;
 /**
 * Dialect-aware DDL helpers for auth table creation.
 *
@@ -1218,7 +1289,7 @@ interface StripeBillingAdapterConfig {
 }
 declare function createStripeBillingAdapter(config: StripeBillingAdapterConfig): BillingAdapter;
 interface WebhookHandlerConfig {
-	planStore: PlanStore;
+	subscriptionStore: SubscriptionStore;
 	emitter: BillingEventEmitter;
 	defaultPlan: string;
 	webhookSecret: string;
@@ -1269,19 +1340,6 @@ declare class DbOAuthAccountStore implements OAuthAccountStore {
 	unlinkAccount(userId: string, provider: string): Promise<void>;
 	dispose(): void;
 }
-declare class DbPlanStore implements PlanStore {
-	private db;
-	constructor(db: AuthDbClient);
-	assignPlan(orgId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
-	getPlan(orgId: string): Promise<OrgPlan | null>;
-	updateOverrides(orgId: string, overrides: Record<string, LimitOverride>): Promise<void>;
-	removePlan(orgId: string): Promise<void>;
-	attachAddOn(orgId: string, addOnId: string): Promise<void>;
-	detachAddOn(orgId: string, addOnId: string): Promise<void>;
-	getAddOns(orgId: string): Promise<string[]>;
-	dispose(): void;
-	private loadOverrides;
-}
 declare class DbRoleAssignmentStore implements RoleAssignmentStore {
 	private db;
 	constructor(db: AuthDbClient);
@@ -1304,6 +1362,7 @@ declare class DbSessionStore implements SessionStore {
 		currentTokens?: AuthTokens;
 	}): Promise<StoredSession>;
 	findByRefreshHash(hash: string): Promise<StoredSession | null>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
 	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
 	revokeSession(id: string): Promise<void>;
 	listActiveSessions(userId: string): Promise<StoredSession[]>;
@@ -1316,7 +1375,23 @@ declare class DbSessionStore implements SessionStore {
 		currentTokens?: AuthTokens;
 	}): Promise<void>;
 	dispose(): void;
+	/** Map a raw SQL row (snake_case) to StoredSession. */
 	private rowToSession;
+	/** Map an ORM record (camelCase) to StoredSession. */
+	private recordToSession;
+}
+declare class DbSubscriptionStore implements SubscriptionStore {
+	private db;
+	constructor(db: AuthDbClient);
+	assign(tenantId: string, planId: string, startedAt?: Date, expiresAt?: Date | null): Promise<void>;
+	get(tenantId: string): Promise<Subscription | null>;
+	updateOverrides(tenantId: string, overrides: Record<string, LimitOverride>): Promise<void>;
+	remove(tenantId: string): Promise<void>;
+	attachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	detachAddOn(tenantId: string, addOnId: string): Promise<void>;
+	getAddOns(tenantId: string): Promise<string[]>;
+	dispose(): void;
+	private loadOverrides;
 }
 declare class DbUserStore implements UserStore {
 	private db;
@@ -1329,6 +1404,7 @@ declare class DbUserStore implements UserStore {
 	findById(id: string): Promise<AuthUser | null>;
 	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
 	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	deleteUser(id: string): Promise<void>;
 	private rowToUser;
 }
 declare class InMemoryEmailVerificationStore implements EmailVerificationStore {
@@ -1476,7 +1552,7 @@ interface PlanManagerConfig {
 	plans: Record<string, PlanDef>;
 	versionStore: PlanVersionStore;
 	grandfatheringStore: GrandfatheringStore;
-	planStore: PlanStore;
+	subscriptionStore: SubscriptionStore;
 	clock?: () => Date;
 }
 interface PlanManager {
@@ -1531,6 +1607,7 @@ declare class InMemorySessionStore implements SessionStore {
 		currentTokens?: AuthTokens;
 	}): Promise<StoredSession>;
 	findByRefreshHash(hash: string): Promise<StoredSession | null>;
+	findActiveSessionById(id: string): Promise<StoredSession | null>;
 	findByPreviousRefreshHash(hash: string): Promise<StoredSession | null>;
 	revokeSession(id: string): Promise<void>;
 	listActiveSessions(userId: string): Promise<StoredSession[]>;
@@ -1556,14 +1633,78 @@ declare class InMemoryUserStore implements UserStore {
 	findById(id: string): Promise<AuthUser | null>;
 	updatePasswordHash(userId: string, passwordHash: string): Promise<void>;
 	updateEmailVerified(userId: string, verified: boolean): Promise<void>;
+	deleteUser(id: string): Promise<void>;
 }
 declare function createAuth(config: AuthConfig): AuthInstance;
+import { SchemaLike } from "@vertz/db";
+/**
+* A content type descriptor that implements SchemaLike.
+* Carries HTTP metadata alongside parse/validate behavior.
+*/
+interface ContentDescriptor<T> extends SchemaLike<T> {
+	/** Discriminator — distinguishes from plain SchemaLike */
+	readonly _kind: "content";
+	/** MIME type for HTTP headers */
+	readonly _contentType: string;
+}
+/**
+* Runtime check: is the given SchemaLike a ContentDescriptor?
+*/
+declare function isContentDescriptor(value: SchemaLike<unknown>): value is ContentDescriptor<unknown>;
+declare const content: {
+	/** application/xml → string */
+	readonly xml: () => ContentDescriptor<string>;
+	/** text/html → string */
+	readonly html: () => ContentDescriptor<string>;
+	/** text/plain → string */
+	readonly text: () => ContentDescriptor<string>;
+	/** application/octet-stream → Uint8Array */
+	readonly binary: () => ContentDescriptor<Uint8Array>;
+};
 import { AppBuilder, AppConfig } from "@vertz/core";
-import { DatabaseClient, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
-import { ModelDef as ModelDef3, RelationDef, SchemaLike, TableDef } from "@vertz/db";
-import { ModelDef as ModelDef2 } from "@vertz/db";
-import { EntityDbAdapter, ListOptions } from "@vertz/db";
+import { DatabaseClient as DatabaseClient2, EntityDbAdapter as EntityDbAdapter3, ModelEntry as ModelEntry2 } from "@vertz/db";
+import { ModelDef as ModelDef4, RelationDef as RelationDef2, SchemaLike as SchemaLike2, TableDef } from "@vertz/db";
+import { ListOptions as ListOptions3, ModelDef as ModelDef3 } from "@vertz/db";
+import { EntityDbAdapter, GetOptions, ListOptions, ModelDef as ModelDef2 } from "@vertz/db";
 import { EntityError, Result as Result3 } from "@vertz/errors";
+import { RelationDef, TenantGraph } from "@vertz/db";
+/** One hop in the relation chain from entity to tenant root. */
+interface TenantChainHop {
+	/** Target table name (e.g., 'projects') */
+	readonly tableName: string;
+	/** FK column on the current table (e.g., 'projectId') */
+	readonly foreignKey: string;
+	/** PK column on the target table (e.g., 'id') */
+	readonly targetColumn: string;
+}
+/** Full chain from an indirectly scoped entity to the tenant root. */
+interface TenantChain {
+	/** Ordered hops from entity → ... → directly-scoped table */
+	readonly hops: readonly TenantChainHop[];
+	/** The tenant FK column on the final hop's target table (e.g., 'organizationId') */
+	readonly tenantColumn: string;
+}
+interface ModelRegistryEntry {
+	readonly table: {
+		readonly _name: string;
+		readonly _columns: Record<string, unknown>;
+	};
+	readonly relations: Record<string, RelationDef>;
+	readonly _tenant?: string | null;
+}
+type ModelRegistry = Record<string, ModelRegistryEntry>;
+/**
+* Resolves the relation chain from an indirectly scoped entity back to the
+* tenant root.
+*
+* Returns null if the entity is not indirectly scoped (i.e., it's the root,
+* directly scoped, shared, or unscoped).
+*
+* The chain is computed by walking `ref.one` relations from the entity until
+* we reach a directly-scoped model. The tenant column is read from the
+* directly-scoped model's `_tenant` relation FK.
+*/
+declare function resolveTenantChain(entityKey: string, tenantGraph: TenantGraph, registry: ModelRegistry): TenantChain | null;
 import { EntityDbAdapter as EntityDbAdapter2, ListOptions as ListOptions2 } from "@vertz/db";
 interface ListResult<T = Record<string, unknown>> {
 	items: T[];
@@ -1576,29 +1717,38 @@ interface CrudResult<T = unknown> {
 	status: number;
 	body: T;
 }
-interface CrudHandlers {
-	list(ctx: EntityContext, options?: ListOptions): Promise<Result3<CrudResult<ListResult>, EntityError>>;
-	get(ctx: EntityContext, id: string): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
-	create(ctx: EntityContext, data: Record<string, unknown>): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
-	update(ctx: EntityContext, id: string, data: Record<string, unknown>): Promise<Result3<CrudResult<Record<string, unknown>>, EntityError>>;
-	delete(ctx: EntityContext, id: string): Promise<Result3<CrudResult<null>, EntityError>>;
-}
-declare function createCrudHandlers(def: EntityDefinition, db: EntityDbAdapter): CrudHandlers;
+interface CrudHandlers<TModel extends ModelDef2 = ModelDef2> {
+	list(ctx: EntityContext<TModel>, options?: ListOptions): Promise<Result3<CrudResult<ListResult<TModel["table"]["$response"]>>, EntityError>>;
+	get(ctx: EntityContext<TModel>, id: string, options?: GetOptions): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	create(ctx: EntityContext<TModel>, data: Record<string, unknown>): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	update(ctx: EntityContext<TModel>, id: string, data: Record<string, unknown>): Promise<Result3<CrudResult<TModel["table"]["$response"]>, EntityError>>;
+	delete(ctx: EntityContext<TModel>, id: string): Promise<Result3<CrudResult<null>, EntityError>>;
+}
+/** Resolves IDs from a table matching a where condition. Used for indirect tenant filtering. */
+type QueryParentIdsFn = (tableName: string, where: Record<string, unknown>) => Promise<string[]>;
+/** Options for the CRUD pipeline factory. */
+interface CrudPipelineOptions {
+	/** Tenant chain for indirectly scoped entities. */
+	tenantChain?: TenantChain | null;
+	/** Resolves parent IDs for indirect tenant chain traversal. */
+	queryParentIds?: QueryParentIdsFn;
+}
+declare function createCrudHandlers<TModel extends ModelDef2 = ModelDef2>(def: EntityDefinition<TModel>, db: EntityDbAdapter, options?: CrudPipelineOptions): CrudHandlers<TModel>;
 /**
 * EntityOperations — typed CRUD facade for a single entity.
 *
 * When used as `ctx.entity`, TModel fills in actual column types.
 * When used as `ctx.entities.*`, TModel defaults to `ModelDef` (loose typing).
 */
-interface EntityOperations<TModel extends ModelDef2 = ModelDef2> {
+interface EntityOperations<TModel extends ModelDef3 = ModelDef3> {
 	get(id: string): Promise<TModel["table"]["$response"]>;
-	list(options?: ListOptions2): Promise<ListResult<TModel["table"]["$response"]>>;
+	list(options?: ListOptions3<TModel>): Promise<ListResult<TModel["table"]["$response"]>>;
 	create(data: TModel["table"]["$create_input"]): Promise<TModel["table"]["$response"]>;
 	update(id: string, data: TModel["table"]["$update_input"]): Promise<TModel["table"]["$response"]>;
 	delete(id: string): Promise<void>;
 }
 /** Extracts the model type from an EntityDefinition */
-type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef3;
+type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef4;
 /**
 * Maps an inject config `{ key: EntityDefinition<TModel> }` to
 * `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
@@ -1606,12 +1756,13 @@ type ExtractModel<T> = T extends EntityDefinition<infer M> ? M : ModelDef3;
 type InjectToOperations<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel<TInject[K]>> };
 interface BaseContext {
 	readonly userId: string | null;
+	readonly tenantId: string | null;
 	authenticated(): boolean;
 	tenant(): boolean;
 	role(...roles: string[]): boolean;
 }
 interface EntityContext<
-	TModel extends ModelDef3 = ModelDef3,
+	TModel extends ModelDef4 = ModelDef4,
 	TInject extends Record<string, EntityDefinition> = {}
 > extends BaseContext {
 	/** Typed CRUD on the current entity */
@@ -1619,7 +1770,7 @@ interface EntityContext<
 	/** Typed access to injected entities only */
 	readonly entities: InjectToOperations<TInject>;
 }
-type AccessRule2 = false | PublicRule | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
+type AccessRule2 = false | AccessRule | ((ctx: BaseContext, row: Record<string, unknown>) => boolean | Promise<boolean>);
 interface EntityBeforeHooks<
 	TCreateInput = unknown,
 	TUpdateInput = unknown
@@ -1640,20 +1791,72 @@ interface EntityActionDef<
 > {
 	readonly method?: string;
 	readonly path?: string;
-	readonly body: SchemaLike<TInput>;
-	readonly response: SchemaLike<TOutput>;
+	readonly body: SchemaLike2<TInput>;
+	readonly response: SchemaLike2<TOutput>;
 	readonly handler: (input: TInput, ctx: TCtx, row: TResponse | null) => Promise<TOutput>;
 }
 /** Extract column keys from a RelationDef's target table. */
-type RelationColumnKeys<R> = R extends RelationDef<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
-type EntityRelationsConfig<TRelations extends Record<string, RelationDef> = Record<string, RelationDef>> = { [K in keyof TRelations]? : true | false | { [F in RelationColumnKeys<TRelations[K]>]? : true } };
+type RelationColumnKeys<R> = R extends RelationDef2<infer TTarget> ? TTarget extends TableDef<infer TCols> ? Extract<keyof TCols, string> : string : string;
+/** Structured relation config with select, allowWhere, allowOrderBy, maxLimit. */
+interface RelationConfigObject<TColumnKeys extends string = string> {
+	/** Which fields can be selected. Record<field, true>. */
+	readonly select?: { readonly [F in TColumnKeys]? : true };
+	/** Which fields can be filtered via `where`. */
+	readonly allowWhere?: readonly string[];
+	/** Which fields can be sorted via `orderBy`. */
+	readonly allowOrderBy?: readonly string[];
+	/** Max items per parent row. Defaults to DEFAULT_RELATION_LIMIT (100). */
+	readonly maxLimit?: number;
+}
+type EntityRelationsConfig<TRelations extends Record<string, RelationDef2> = Record<string, RelationDef2>> = { [K in keyof TRelations]? : true | false | RelationConfigObject<RelationColumnKeys<TRelations[K]>> };
+/** Extract the target table type from a RelationDef. */
+type RelationTargetTable<R> = R extends RelationDef2<infer T> ? T : TableDef;
+/** Structured expose config for a relation. Controls field, filter, sort, and nested relation exposure. */
+interface RelationExposeConfig<R extends RelationDef2 = RelationDef2> {
+	/** Which fields of the related entity to expose. */
+	readonly select: { [K in PublicColumnKeys<RelationTargetTable<R>>]? : true | AccessRule };
+	/** Which fields clients can filter on via VertzQL `where`. */
+	readonly allowWhere?: { [K in PublicColumnKeys<RelationTargetTable<R>>]? : true | AccessRule };
+	/** Which fields clients can sort on via VertzQL `orderBy`. */
+	readonly allowOrderBy?: { [K in PublicColumnKeys<RelationTargetTable<R>>]? : true | AccessRule };
+	/** Max items returned per parent row. Defaults to DEFAULT_RELATION_LIMIT. */
+	readonly maxLimit?: number;
+	/** Nested relation exposure (loosely typed — target model relations not available from RelationDef). */
+	readonly include?: Record<string, true | false | RelationExposeConfig>;
+}
+/** Controls which fields, filters, sorts, and relations are exposed through the entity API. */
+interface ExposeConfig<
+	TTable extends TableDef = TableDef,
+	TModel extends ModelDef4 = ModelDef4
+> {
+	/** Which fields of the entity to expose. Required when expose is present. */
+	readonly select: { [K in PublicColumnKeys<TTable>]? : true | AccessRule };
+	/** Which fields clients can filter on via VertzQL `where`. */
+	readonly allowWhere?: { [K in PublicColumnKeys<TTable>]? : true | AccessRule };
+	/** Which fields clients can sort on via VertzQL `orderBy`. */
+	readonly allowOrderBy?: { [K in PublicColumnKeys<TTable>]? : true | AccessRule };
+	/** Which relations to expose and how. */
+	readonly include?: { [K in keyof TModel["relations"]]? : true | false | RelationExposeConfig<TModel["relations"][K] extends RelationDef2 ? TModel["relations"][K] : RelationDef2> };
+}
+/** Extract non-hidden column keys from a table (public fields). */
+type PublicColumnKeys<TTable extends TableDef> = TTable extends TableDef<infer TCols> ? { [K in keyof TCols & string] : TCols[K] extends {
+	_meta: {
+		_annotations: {
+			hidden: true;
+		};
+	};
+} ? never : K }[keyof TCols & string] : string;
 interface EntityConfig<
-	TModel extends ModelDef3 = ModelDef3,
+	TModel extends ModelDef4 = ModelDef4,
 	TActions extends Record<string, EntityActionDef<any, any, any, any>> = {},
 	TInject extends Record<string, EntityDefinition> = {}
 > {
 	readonly model: TModel;
 	readonly inject?: TInject;
+	/** Override the DB table name (defaults to entity name). For admin entities over shared tables. */
+	readonly table?: string;
+	/** Whether CRUD auto-filters by tenantId. Defaults to true when model has tenantId column. */
+	readonly tenantScoped?: boolean;
 	readonly access?: Partial<Record<"list" | "get" | "create" | "update" | "delete" | Extract<keyof NoInfer<TActions>, string>, AccessRule2>>;
 	readonly before?: {
 		readonly create?: (data: TModel["table"]["$create_input"], ctx: EntityContext<TModel, TInject>) => TModel["table"]["$create_input"] | Promise<TModel["table"]["$create_input"]>;
@@ -1665,9 +1868,9 @@ interface EntityConfig<
 		readonly delete?: (row: TModel["table"]["$response"], ctx: EntityContext<TModel, TInject>) => void | Promise<void>;
 	};
 	readonly actions?: { readonly [K in keyof TActions] : TActions[K] };
-	readonly relations?: EntityRelationsConfig<TModel["relations"]>;
+	readonly expose?: ExposeConfig<TModel["table"], TModel>;
 }
-interface EntityDefinition<TModel extends ModelDef3 = ModelDef3> {
+interface EntityDefinition<TModel extends ModelDef4 = ModelDef4> {
 	readonly kind: "entity";
 	readonly name: string;
 	readonly model: TModel;
@@ -1676,9 +1879,15 @@ interface EntityDefinition<TModel extends ModelDef3 = ModelDef3> {
 	readonly before: EntityBeforeHooks;
 	readonly after: EntityAfterHooks;
 	readonly actions: Record<string, EntityActionDef>;
-	readonly relations: EntityRelationsConfig<TModel["relations"]>;
-}
-import { SchemaLike as SchemaLike2 } from "@vertz/db";
+	readonly expose?: ExposeConfig<TModel["table"], TModel>;
+	/** DB table name (defaults to entity name). */
+	readonly table: string;
+	/** Whether CRUD auto-filters by tenantId. */
+	readonly tenantScoped: boolean;
+	/** Relation chain for indirect tenant scoping. Null for direct or unscoped. */
+	readonly tenantChain: TenantChain | null;
+}
+import { SchemaLike as SchemaLike3 } from "@vertz/db";
 /** Extracts the model type from an EntityDefinition */
 type ExtractModel2<T> = T extends EntityDefinition<infer M> ? M : never;
 /**
@@ -1686,9 +1895,18 @@ type ExtractModel2<T> = T extends EntityDefinition<infer M> ? M : never;
 * `{ key: EntityOperations<TModel> }` for typed ctx.entities access.
 */
 type InjectToOperations2<TInject extends Record<string, EntityDefinition> = {}> = { readonly [K in keyof TInject] : EntityOperations<ExtractModel2<TInject[K]>> };
+/** Raw request metadata exposed to service handlers */
+interface ServiceRequestInfo {
+	readonly url: string;
+	readonly method: string;
+	readonly headers: Headers;
+	readonly body: unknown;
+}
 interface ServiceContext<TInject extends Record<string, EntityDefinition> = {}> extends BaseContext {
 	/** Typed access to injected entities only */
 	readonly entities: InjectToOperations2<TInject>;
+	/** Raw request metadata — URL, method, headers, pre-parsed body */
+	readonly request: ServiceRequestInfo;
 }
 interface ServiceActionDef<
 	TInput = unknown,
@@ -1697,8 +1915,8 @@ interface ServiceActionDef<
 > {
 	readonly method?: string;
 	readonly path?: string;
-	readonly body: SchemaLike2<TInput>;
-	readonly response: SchemaLike2<TOutput>;
+	readonly body?: SchemaLike3<TInput>;
+	readonly response: SchemaLike3<TOutput>;
 	readonly handler: (input: TInput, ctx: TCtx) => Promise<TOutput>;
 }
 interface ServiceConfig<
@@ -1719,6 +1937,8 @@ interface ServiceDefinition {
 interface ServerInstance extends AppBuilder {
 	auth: AuthInstance;
 	initialize(): Promise<void>;
+	/** Routes auth requests (/api/auth/*) to auth.handler, everything else to entity handler */
+	readonly requestHandler: (request: Request) => Promise<Response>;
 }
 interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities"> {
 	/** Entity definitions created via entity() from @vertz/server */
@@ -1731,9 +1951,13 @@ interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities">
 	* - A DatabaseClient from createDb() (recommended — auto-bridged per entity)
 	* - An EntityDbAdapter (deprecated — simple adapter with get/list/create/update/delete)
 	*/
-	db?: DatabaseClient<Record<string, ModelEntry2>> | EntityDbAdapter3;
+	db?: DatabaseClient2<Record<string, ModelEntry2>> | EntityDbAdapter3;
 	/** @internal Factory to create a DB adapter for each entity. Prefer `db` instead. */
 	_entityDbFactory?: (entityDef: EntityDefinition) => EntityDbAdapter3;
+	/** @internal Resolves parent IDs for indirect tenant chain traversal. For testing only. */
+	_queryParentIds?: QueryParentIdsFn;
+	/** @internal Tenant chains for indirect scoping. For testing without DatabaseClient. */
+	_tenantChains?: Map<string, TenantChain>;
 	/** Auth configuration — when combined with db, auto-wires DB-backed stores */
 	auth?: AuthConfig;
 }
@@ -1747,11 +1971,17 @@ interface ServerConfig extends Omit<AppConfig, "_entityDbFactory" | "entities">
 * - Returns ServerInstance with `.auth` and `.initialize()`
 */
 declare function createServer(config: ServerConfig & {
-	db: DatabaseClient<Record<string, ModelEntry2>>;
+	db: DatabaseClient2<Record<string, ModelEntry2>>;
 	auth: AuthConfig;
 }): ServerInstance;
 declare function createServer(config: ServerConfig): AppBuilder;
 import { EntityForbiddenError, Result as Result4 } from "@vertz/errors";
+interface EnforceAccessOptions {
+	/** Evaluate an entitlement via the access context (defineAccess) */
+	readonly can?: (entitlement: string) => Promise<boolean>;
+	/** Seconds since last MFA verification (for rules.fva) */
+	readonly fvaAge?: number;
+}
 /**
 * Evaluates an access rule for the given operation.
 * Returns err(EntityForbiddenError) if access is denied.
@@ -1760,11 +1990,16 @@ import { EntityForbiddenError, Result as Result4 } from "@vertz/errors";
 *
 * - No rule defined → deny (deny by default)
 * - Rule is false → operation is disabled
-* - Rule is { type: 'public' } → always allow
-* - Rule is a function → evaluate and deny if returns false
+* - Descriptor rule → dispatch by type
+* - Function rule → evaluate and deny if returns false
+*
+* When `skipWhere` is true, `where` rules are treated as ok() — used
+* when where conditions have already been pushed to the DB query.
 */
-declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>): Promise<Result4<void, EntityForbiddenError>>;
-import { ModelDef as ModelDef4 } from "@vertz/db";
+declare function enforceAccess(operation: string, accessRules: Partial<Record<string, AccessRule2>>, ctx: BaseContext, row?: Record<string, unknown>, options?: EnforceAccessOptions & {
+	skipWhere?: boolean;
+}): Promise<Result4<void, EntityForbiddenError>>;
+import { ModelDef as ModelDef6 } from "@vertz/db";
 /**
 * Request info extracted from HTTP context / auth middleware.
 */
@@ -1776,10 +2011,10 @@ interface RequestInfo {
 /**
 * Creates an EntityContext from request info, entity operations, and registry proxy.
 */
-declare function createEntityContext<TModel extends ModelDef4 = ModelDef4>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
-import { ModelDef as ModelDef5 } from "@vertz/db";
+declare function createEntityContext<TModel extends ModelDef6 = ModelDef6>(request: RequestInfo, entityOps: EntityOperations<TModel>, registryProxy: Record<string, EntityOperations>): EntityContext<TModel>;
+import { ModelDef as ModelDef7 } from "@vertz/db";
 declare function entity<
-	TModel extends ModelDef5,
+	TModel extends ModelDef7,
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, EntityActionDef<any, any, TModel["table"]["$response"], EntityContext<TModel, TInject>>> = {}
 >(name: string, config: EntityConfig<TModel, TActions, TInject>): EntityDefinition<TModel>;
@@ -1827,6 +2062,10 @@ declare function stripReadOnlyFields(table: TableDef2, data: Record<string, unkn
 import { EntityRouteEntry } from "@vertz/core";
 interface EntityRouteOptions {
 	apiPrefix?: string;
+	/** Tenant chain for indirectly scoped entities. */
+	tenantChain?: TenantChain | null;
+	/** Resolves parent IDs for indirect tenant chain traversal. */
+	queryParentIds?: QueryParentIdsFn;
 }
 /**
 * Generates HTTP route entries for a single entity definition.
@@ -1840,4 +2079,4 @@ declare function service<
 	TInject extends Record<string, EntityDefinition> = {},
 	TActions extends Record<string, ServiceActionDef<any, any, any>> = Record<string, ServiceActionDef<any, any, any>>
 >(name: string, config: ServiceConfig<TActions, TInject>): ServiceDefinition;
-export { vertz, verifyPassword, validatePassword, validateOverrides, validateAuthModels, stripReadOnlyFields, stripHiddenFields, service, rules, makeImmutable, initializeAuthTables, hashPassword, google, github, getIncompatibleAddOns, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createWebhookHandler, createStripeBillingAdapter, createServer, createPlanManager, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createBillingEventEmitter, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, computePlanHash, computeOverage, computeEntityAccess, computeAccessSet, checkFva, checkAddOnCompatibility, calculateBillingPeriod, authModels, WebhookHandlerConfig, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, TenantOverrides, StripeProduct, StripePrice, StripeClient, StripeBillingAdapterConfig, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerInstance, ServerHandle, ServerConfig, ServerAdapter, RuleContext, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PriceInterval, PlanVersionStore, PlanVersionInfo, PlanStore, PlanSnapshot, PlanPrice, PlanHashInput, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OverrideStore, OverageInput, OverageConfig, OrgPlan, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverrideDef, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanVersionStore, InMemoryPlanStore, InMemoryPasswordResetStore, InMemoryOverrideStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryGrandfatheringStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, GrandfatheringStore, GrandfatheringState, ForbiddenException, FlagStore, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDef, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementValue, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, DbUserStore, DbSessionStore, DbRoleAssignmentStore, DbPlanStore, DbOAuthAccountStore, DbFlagStore, DbDialectName, DbClosureStore, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BillingEventType, BillingEventHandler, BillingEventEmitter, BillingEvent, BillingAdapter, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthDbClient, AuthContext, AuthConfig, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AddOnRequires, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData, AUTH_TABLE_NAMES };
+export { vertz, verifyPassword, validatePassword, validateOverrides, validateAuthModels, stripReadOnlyFields, stripHiddenFields, service, rules, resolveTenantChain, makeImmutable, isContentDescriptor, initializeAuthTables, hashPassword, google, github, getIncompatibleAddOns, generateEntityRoutes, entityErrorHandler, entity, enforceAccess, encodeAccessSet, discord, defineAccess, defaultAccess, deepFreeze, decodeAccessSet, createWebhookHandler, createStripeBillingAdapter, createServer, createPlanManager, createMiddleware, createImmutableProxy, createEnv, createEntityContext, createCrudHandlers, createBillingEventEmitter, createAuth, createAccessEventBroadcaster, createAccessContext, createAccess, content, computePlanHash, computeOverage, computeEntityAccess, computeAccessSet, checkFva, checkAddOnCompatibility, calculateBillingPeriod, authModels, WebhookHandlerConfig, WalletStore, WalletEntry, VertzException, ValidationException, UserTableEntry, UserStore, UnauthorizedException, TenantOverrides, TenantChainHop, TenantChain, SubscriptionStore, Subscription, StripeProduct, StripePrice, StripeClient, StripeBillingAdapterConfig, StoredSession, StoredPasswordReset, StoredEmailVerification, SignUpInput, SignInInput, SessionStrategy, SessionStore, SessionPayload, SessionInfo, SessionConfig, Session, ServiceUnavailableException, ServiceRequestInfo, ServiceDefinition, ServiceContext, ServiceConfig, ServiceActionDef, ServerInstance, ServerHandle, ServerConfig, ServerAdapter, RuleContext, RoleAssignmentTableEntry, RoleAssignmentStore, RoleAssignment, ResourceRef, Resource, RequestInfo, RelationExposeConfig, RawRequest, RateLimitStore, RateLimitResult, RateLimitConfig, PriceInterval, PlanVersionStore, PlanVersionInfo, PlanSnapshot, PlanPrice, PlanHashInput, PlanDef, Period, PasswordResetStore, PasswordResetConfig, PasswordRequirements, ParentRef, OverrideStore, OverageInput, OverageConfig, OnUserCreatedPayload, OAuthUserInfo, OAuthTokens, OAuthProviderConfig, OAuthProvider, OAuthAccountStore, NotFoundException, NamedMiddlewareDef, MiddlewareDef, MfaSetupData, MfaConfig, MfaChallengeData, MFAStore, ListenOptions, ListResult, ListOptions2 as ListOptions, LimitOverrideDef, LimitOverride, LimitDef, InternalServerErrorException, InferSchema, Infer2 as Infer, InMemoryWalletStore, InMemoryUserStore, InMemorySubscriptionStore, InMemorySessionStore, InMemoryRoleAssignmentStore, InMemoryRateLimitStore, InMemoryPlanVersionStore, InMemoryPasswordResetStore, InMemoryOverrideStore, InMemoryOAuthAccountStore, InMemoryMFAStore, InMemoryGrandfatheringStore, InMemoryFlagStore, InMemoryEmailVerificationStore, InMemoryClosureStore, HttpStatusCode, HttpMethod, HandlerCtx, GrandfatheringStore, GrandfatheringState, ForbiddenException, FlagStore, ExposeConfig, EnvConfig, EntityRouteOptions, EntityRelationsConfig, EntityRegistry, EntityOperations, EntityErrorResult, EntityDefinition, EntityDef, EntityDbAdapter2 as EntityDbAdapter, EntityContext, EntityConfig, EntityActionDef, EntitlementValue, EntitlementRegistry, EntitlementDefinition, EntitlementDef, Entitlement, EncodedAccessSet, EmailVerificationStore, EmailVerificationConfig, EmailPasswordConfig, Deps, DenialReason, DenialMeta, DefineAccessInput, DeepReadonly, DbUserStore, DbSubscriptionStore, DbSessionStore, DbRoleAssignmentStore, DbOAuthAccountStore, DbFlagStore, DbDialectName, DbClosureStore, Ctx, CrudResult, CrudHandlers, CorsConfig, CookieConfig, ContentDescriptor, ConsumeResult, ConflictException, ComputeAccessSetConfig, ClosureStore, ClosureRow, ClosureEntry, BillingPeriod, BillingEventType, BillingEventHandler, BillingEventEmitter, BillingEvent, BillingAdapter, BaseContext, BadRequestException, AuthorizationError, AuthUser, AuthTokens, AuthInstance, AuthEntityProxy, AuthDbClient, AuthContext, AuthConfig, AuthCallbackContext, AuthApi, AppConfig2 as AppConfig, AppBuilder2 as AppBuilder, AddOnRequires, AclClaim, AccumulateProvides, AccessWsData, AccessSet, AccessRule2 as AccessRule, AccessInstance, AccessEventBroadcasterConfig, AccessEventBroadcaster, AccessEvent, AccessDefinition, AccessContextConfig, AccessContext, AccessConfig, AccessCheckResult, AccessCheckData, AUTH_TABLE_NAMES };