alepha 0.13.1 → 0.13.2

package/dist/api-users/index.d.ts

@@ -1,19 +1,18 @@
 import * as alepha23 from "alepha";
-import { Alepha, AlephaError, Async, Descriptor, FileLike, KIND, Page, PageQuery, Static, StaticEncode, TNull, TObject, TOptional, TSchema, TUnion } from "alepha";
-import * as alepha_batch0 from "alepha/batch";
-import { DateTime, DateTimeProvider, DurationLike } from "alepha/datetime";
-import * as alepha_logger1 from "alepha/logger";
+import { Alepha, AlephaError, Page, PageQuery, Primitive, Static, StaticEncode, TNull, TObject, TOptional, TSchema, TUnion } from "alepha";
+import * as alepha_api_notifications0 from "alepha/api/notifications";
+import { VerificationController } from "alepha/api/verifications";
 import * as alepha_orm204 from "alepha/orm";
 import { Page as Page$1, Repository } from "alepha/orm";
-import "alepha/queue";
-import { EmailProvider } from "alepha/email";
 import * as alepha_server0 from "alepha/server";
-import { ActionDescriptor, ClientRequestEntry, ClientRequestOptions, ClientRequestResponse, FetchOptions, FetchResponse, HttpClient, Ok, RequestConfigSchema, ServerHandler, ServerRequest, ServerRequestConfigEntry, ServerResponseBody, ServerRouterProvider, ServerTimingProvider } from "alepha/server";
+import * as alepha_logger1 from "alepha/logger";
+import { UserRealmOptions as UserRealmOptions$1 } from "alepha/api/users";
 import * as alepha_bucket0 from "alepha/bucket";
-import { BucketDescriptor } from "alepha/bucket";
 import * as alepha_cache0 from "alepha/cache";
-import { AccessTokenResponse, CryptoProvider, JwtProvider, RealmDescriptor, RealmDescriptorOptions, SecurityProvider, ServiceAccountDescriptor, UserAccount, UserAccountToken } from "alepha/security";
-import * as alepha_retry0 from "alepha/retry";
+import { DateTime, DateTimeProvider } from "alepha/datetime";
+import { CryptoProvider, RealmPrimitive, RealmPrimitiveOptions, UserAccount } from "alepha/security";
+import * as alepha_server_links0 from "alepha/server/links";
+import { OAuth2Profile, ServerAuthProvider, WithLinkFn, WithLoginFn } from "alepha/server/auth";
 import { FileSystemProvider } from "alepha/file";
 import * as drizzle_orm0 from "drizzle-orm";
 import { BuildExtraConfigColumns, SQL, SQLWrapper } from "drizzle-orm";
@@ -21,11 +20,12 @@ import * as drizzle_orm_pg_core0 from "drizzle-orm/pg-core";
 import { LockConfig, LockStrength, PgColumn, PgColumnBuilderBase, PgDatabase, PgInsertValue, PgSelectBase, PgSequenceOptions, PgTableExtraConfigValue, PgTableWithColumns, PgTransaction, UpdateDeleteAction } from "drizzle-orm/pg-core";
 import { PgTransactionConfig } from "drizzle-orm/pg-core/session";
 import * as DrizzleKit from "drizzle-kit/api";
+import "alepha/retry";
 import "alepha/lock";
 import "drizzle-orm/postgres-js";
 import "postgres";
 import "drizzle-orm/sqlite-core";
-import { Configuration } from "openid-client";
+import { FileController } from "alepha/api/files";
 
 //#region src/api-users/atoms/realmAuthSettingsAtom.d.ts
 declare const realmAuthSettingsAtom: alepha23.Atom<alepha23.TObject<{
@@ -52,7 +52,7 @@ declare const realmAuthSettingsAtom: alepha23.Atom<alepha23.TObject<{
 type RealmAuthSettings = Static<typeof realmAuthSettingsAtom.schema>;
 //#endregion
 //#region src/api-users/entities/identities.d.ts
-declare const identities: alepha_orm204.EntityDescriptor<alepha23.TObject<{
+declare const identities: alepha_orm204.EntityPrimitive<alepha23.TObject<{
   id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
   version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
   createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
@@ -66,7 +66,7 @@ declare const identities: alepha_orm204.EntityDescriptor<alepha23.TObject<{
 type IdentityEntity = Static<typeof identities.schema>;
 //#endregion
 //#region src/api-users/entities/sessions.d.ts
-declare const sessions: alepha_orm204.EntityDescriptor<alepha23.TObject<{
+declare const sessions: alepha_orm204.EntityPrimitive<alepha23.TObject<{
   id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
   version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
   createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
@@ -85,7 +85,7 @@ type SessionEntity = Static<typeof sessions.schema>;
 //#endregion
 //#region src/api-users/entities/users.d.ts
 declare const DEFAULT_USER_REALM_NAME = "default";
-declare const users: alepha_orm204.EntityDescriptor<alepha23.TObject<{
+declare const users: alepha_orm204.EntityPrimitive<alepha23.TObject<{
   id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
   version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
   createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
@@ -159,9 +159,9 @@ declare class UserRealmProvider {
     emailVerified: alepha_orm204.PgAttr<alepha23.TBoolean, typeof alepha_orm204.PG_DEFAULT>;
   }>>;
   protected realms: Map<string, UserRealm>;
-  avatars: alepha_bucket0.BucketDescriptor;
-  protected readonly onConfigure: alepha23.HookDescriptor<"configure">;
-  register(userRealmName: string, userRealmOptions?: UserRealmOptions): void;
+  avatars: alepha_bucket0.BucketPrimitive;
+  protected readonly onConfigure: alepha23.HookPrimitive<"configure">;
+  register(userRealmName: string, userRealmOptions?: UserRealmOptions$1): void;
   /**
    * Gets a registered realm by name, auto-creating default if needed.
    */
@@ -218,7 +218,7 @@ declare class IdentityController {
   /**
    * Find identities with pagination and filtering.
    */
-  readonly findIdentities: alepha_server0.ActionDescriptorFn<{
+  readonly findIdentities: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       page: alepha23.TOptional<alepha23.TInteger>;
       size: alepha23.TOptional<alepha23.TInteger>;
@@ -241,7 +241,7 @@ declare class IdentityController {
   /**
    * Get an identity by ID.
    */
-  readonly getIdentity: alepha_server0.ActionDescriptorFn<{
+  readonly getIdentity: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -262,7 +262,7 @@ declare class IdentityController {
   /**
    * Delete an identity.
    */
-  readonly deleteIdentity: alepha_server0.ActionDescriptorFn<{
+  readonly deleteIdentity: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -327,7 +327,7 @@ declare class SessionController {
   /**
    * Find sessions with pagination and filtering.
    */
-  readonly findSessions: alepha_server0.ActionDescriptorFn<{
+  readonly findSessions: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       page: alepha23.TOptional<alepha23.TInteger>;
       size: alepha23.TOptional<alepha23.TInteger>;
@@ -354,7 +354,7 @@ declare class SessionController {
   /**
    * Get a session by ID.
    */
-  readonly getSession: alepha_server0.ActionDescriptorFn<{
+  readonly getSession: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -380,7 +380,7 @@ declare class SessionController {
   /**
    * Delete a session.
    */
-  readonly deleteSession: alepha_server0.ActionDescriptorFn<{
+  readonly deleteSession: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -395,485 +395,6 @@ declare class SessionController {
   }>;
 }
 //#endregion
-//#region src/server-security/providers/ServerBasicAuthProvider.d.ts
-interface BasicAuthOptions {
-  username: string;
-  password: string;
-}
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.d.ts
-type ServerRouteSecure = {
-  realm?: string;
-  basic?: BasicAuthOptions;
-};
-//#endregion
-//#region src/server-security/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * Real (or fake) user account, used for internal actions.
-     *
-     * If you define this, you assume that all actions are executed by this user by default.
-     * > To force a different user, you need to pass it explicitly in the options.
-     */
-    "alepha.server.security.system.user"?: UserAccountToken;
-    /**
-     * The authenticated user account attached to the server request state.
-     *
-     * @internal
-     */
-    "alepha.server.request.user"?: UserAccount;
-  }
-}
-declare module "alepha/server" {
-  interface ServerRequest<TConfig> {
-    user?: UserAccountToken;
-  }
-  interface ServerActionRequest<TConfig> {
-    user: UserAccountToken;
-  }
-  interface ServerRoute {
-    /**
-     * If true, the route will be protected by the security provider.
-     * All actions are secure by default, but you can disable it for specific actions.
-     */
-    secure?: boolean | ServerRouteSecure;
-  }
-  interface ClientRequestOptions extends FetchOptions {
-    /**
-     * Forward user from the previous request.
-     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
-     * If "context", use the user from the current context (e.g. request).
-     *
-     * @default "system" if provided, else "context" if available.
-     */
-    user?: UserAccountToken | "system" | "context";
-  }
-}
-/**
- * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
- *
- * By default, all $action will be guarded by a permission check.
- *
- * @see {@link ServerSecurityProvider}
- * @module alepha.server.security
- */
-//#endregion
-//#region src/server-links/schemas/apiLinksResponseSchema.d.ts
-declare const apiLinkSchema: alepha23.TObject<{
-  name: alepha23.TString;
-  group: alepha23.TOptional<alepha23.TString>;
-  path: alepha23.TString;
-  method: alepha23.TOptional<alepha23.TString>;
-  requestBodyType: alepha23.TOptional<alepha23.TString>;
-  service: alepha23.TOptional<alepha23.TString>;
-}>;
-declare const apiLinksResponseSchema: alepha23.TObject<{
-  prefix: alepha23.TOptional<alepha23.TString>;
-  links: alepha23.TArray<alepha23.TObject<{
-    name: alepha23.TString;
-    group: alepha23.TOptional<alepha23.TString>;
-    path: alepha23.TString;
-    method: alepha23.TOptional<alepha23.TString>;
-    requestBodyType: alepha23.TOptional<alepha23.TString>;
-    service: alepha23.TOptional<alepha23.TString>;
-  }>>;
-}>;
-type ApiLinksResponse = Static<typeof apiLinksResponseSchema>;
-type ApiLink = Static<typeof apiLinkSchema>;
-//#endregion
-//#region src/server-links/providers/LinkProvider.d.ts
-/**
- * Browser, SSR friendly, service to handle links.
- */
-declare class LinkProvider {
-  static path: {
-    apiLinks: string;
-    apiSchema: string;
-  };
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly httpClient: HttpClient;
-  protected serverLinks: Array<HttpClientLink>;
-  /**
-   * Get applicative links registered on the server.
-   * This does not include lazy-loaded remote links.
-   */
-  getServerLinks(): HttpClientLink[];
-  /**
-   * Register a new link for the application.
-   */
-  registerLink(link: HttpClientLink): void;
-  get links(): HttpClientLink[];
-  /**
-   * Force browser to refresh links from the server.
-   */
-  fetchLinks(): Promise<HttpClientLink[]>;
-  /**
-   * Create a virtual client that can be used to call actions.
-   *
-   * Use js Proxy under the hood.
-   */
-  client<T extends object>(scope?: ClientScope): HttpVirtualClient<T>;
-  /**
-   * Check if a link with the given name exists.
-   * @param name
-   */
-  can(name: string): boolean;
-  /**
-   * Resolve a link by its name and call it.
-   * - If link is local, it will call the local handler.
-   * - If link is remote, it will make a fetch request to the remote server.
-   */
-  follow(name: string, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions & ClientScope): Promise<any>;
-  protected createVirtualAction<T extends RequestConfigSchema>(name: string, scope?: ClientScope): VirtualAction<T>;
-  protected followRemote(link: HttpClientLink, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions): Promise<FetchResponse>;
-  protected getLinkByName(name: string, options?: ClientScope): Promise<HttpClientLink>;
-}
-interface HttpClientLink extends ApiLink {
-  secured?: boolean | ServerRouteSecure;
-  prefix?: string;
-  host?: string;
-  service?: string;
-  schema?: RequestConfigSchema;
-  handler?: (request: ServerRequest, options: ClientRequestOptions) => Async<ServerResponseBody>;
-}
-interface ClientScope {
-  group?: string;
-  service?: string;
-  hostname?: string;
-}
-type HttpVirtualClient<T> = { [K in keyof T as T[K] extends ActionDescriptor<RequestConfigSchema> ? K : never]: T[K] extends ActionDescriptor<infer Schema> ? VirtualAction<Schema> : never };
-interface VirtualAction<T extends RequestConfigSchema> extends Pick<ActionDescriptor<T>, "name" | "run" | "fetch"> {
-  (config?: ClientRequestEntry<T>, opts?: ClientRequestOptions): Promise<ClientRequestResponse<T>>;
-  can: () => boolean;
-}
-//#endregion
-//#region src/server-proxy/descriptors/$proxy.d.ts
-type ProxyDescriptorOptions = {
-  /**
-   * Path pattern to match for proxying requests.
-   *
-   * Supports wildcards and path parameters:
-   * - `/api/*` - Matches all paths starting with `/api/`
-   * - `/api/v1/*` - Matches all paths starting with `/api/v1/`
-   * - `/users/:id` - Matches `/users/123`, `/users/abc`, etc.
-   *
-   * @example "/api/*"
-   * @example "/secure/admin/*"
-   * @example "/users/:id/posts"
-   */
-  path: string;
-  /**
-   * Target URL to which matching requests should be forwarded.
-   *
-   * Can be either:
-   * - **Static string**: A fixed URL like `"https://api.example.com"`
-   * - **Dynamic function**: A function that returns the URL, enabling runtime target resolution
-   *
-   * The target URL will be combined with the remaining path from the original request.
-   *
-   * @example "https://api.example.com"
-   * @example () => process.env.API_URL || "http://localhost:3001"
-   */
-  target: string | (() => string);
-  /**
-   * Whether this proxy is disabled.
-   *
-   * When `true`, requests matching the path will not be proxied and will be handled
-   * by other routes or return 404. Useful for feature toggles or conditional proxying.
-   *
-   * @default false
-   * @example !process.env.ENABLE_PROXY
-   */
-  disabled?: boolean;
-  /**
-   * Hook called before forwarding the request to the target server.
-   *
-   * Use this to:
-   * - Add authentication headers
-   * - Modify request headers or body
-   * - Add request tracking/logging
-   * - Transform the request before forwarding
-   *
-   * @param request - The original incoming server request
-   * @param proxyRequest - The request that will be sent to the target (modifiable)
-   *
-   * @example
-   * ```ts
-   * beforeRequest: async (request, proxyRequest) => {
-   *   proxyRequest.headers = {
-   *     ...proxyRequest.headers,
-   *     'Authorization': `Bearer ${await getToken()}`,
-   *     'X-Request-ID': generateRequestId()
-   *   };
-   * }
-   * ```
-   */
-  beforeRequest?: (request: ServerRequest, proxyRequest: RequestInit) => Async<void>;
-  /**
-   * Hook called after receiving the response from the target server.
-   *
-   * Use this to:
-   * - Log response details for monitoring
-   * - Add custom headers to the response
-   * - Transform response data
-   * - Handle error responses
-   *
-   * @param request - The original incoming server request
-   * @param proxyResponse - The response received from the target server
-   *
-   * @example
-   * ```ts
-   * afterResponse: async (request, proxyResponse) => {
-   *   console.log(`Proxy ${request.method} ${request.url} -> ${proxyResponse.status}`);
-   *
-   *   if (!proxyResponse.ok) {
-   *     await logError(`Proxy error: ${proxyResponse.status}`, { request, response: proxyResponse });
-   *   }
-   * }
-   * ```
-   */
-  afterResponse?: (request: ServerRequest, proxyResponse: Response) => Async<void>;
-  /**
-   * Function to rewrite the URL before sending to the target server.
-   *
-   * Use this to:
-   * - Remove or add path prefixes
-   * - Transform path parameters
-   * - Modify query parameters
-   * - Change the URL structure entirely
-   *
-   * The function receives a mutable URL object and should modify it in-place.
-   *
-   * @param url - The URL object to modify (mutable)
-   *
-   * @example
-   * ```ts
-   * // Remove /api prefix when forwarding
-   * rewrite: (url) => {
-   *   url.pathname = url.pathname.replace('/api', '');
-   * }
-   * ```
-   *
-   * @example
-   * ```ts
-   * // Add version prefix
-   * rewrite: (url) => {
-   *   url.pathname = `/v2${url.pathname}`;
-   * }
-   * ```
-   */
-  rewrite?: (url: URL) => void;
-};
-//#endregion
-//#region src/server-proxy/providers/ServerProxyProvider.d.ts
-declare class ServerProxyProvider {
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly routerProvider: ServerRouterProvider;
-  protected readonly alepha: Alepha;
-  protected readonly configure: alepha23.HookDescriptor<"configure">;
-  createProxy(options: ProxyDescriptorOptions): void;
-  createProxyHandler(target: string, options: Omit<ProxyDescriptorOptions, "path">): ServerHandler;
-  private getRawRequestBody;
-}
-//#endregion
-//#region src/server-links/descriptors/$remote.d.ts
-interface RemoteDescriptorOptions {
-  /**
-   * The URL of the remote service.
-   * You can use a function to generate the URL dynamically.
-   * You probably should use $env(env) to get the URL from the environment.
-   *
-   * @example
-   * ```ts
-   * import { $remote } from "alepha/server";
-   * import { $inject, t } from "alepha";
-   *
-   * class App {
-   *   env = $env(t.object({
-   *     REMOTE_URL: t.text({default: "http://localhost:3000"}),
-   *   }));
-   *   remote = $remote({
-   *     url: this.env.REMOTE_URL,
-   *   });
-   * }
-   * ```
-   */
-  url: string | (() => string);
-  /**
-   * The name of the remote service.
-   *
-   * @default Member of the class containing the remote service.
-   */
-  name?: string;
-  /**
-   * If true, all methods of the remote service will be exposed as actions in this context.
-   * > Note: Proxy will never use the service account, it just... proxies the request.
-   */
-  proxy?: boolean | Partial<ProxyDescriptorOptions & {
-    /**
-     * If true, the remote service won't be available internally, only through the proxy.
-     */
-    noInternal: boolean;
-  }>;
-  /**
-   * For communication between the server and the remote service with a security layer.
-   * This will be used for internal communication and will not be exposed to the client.
-   */
-  serviceAccount?: ServiceAccountDescriptor;
-}
-declare class RemoteDescriptor extends Descriptor<RemoteDescriptorOptions> {
-  get name(): string;
-}
-//#endregion
-//#region src/server-links/providers/RemoteDescriptorProvider.d.ts
-declare class RemoteDescriptorProvider {
-  protected readonly env: {
-    SERVER_API_PREFIX: string;
-  };
-  protected readonly alepha: Alepha;
-  protected readonly proxyProvider: ServerProxyProvider;
-  protected readonly linkProvider: LinkProvider;
-  protected readonly remotes: Array<ServerRemote>;
-  protected readonly log: alepha_logger1.Logger;
-  getRemotes(): ServerRemote[];
-  readonly configure: alepha23.HookDescriptor<"configure">;
-  readonly start: alepha23.HookDescriptor<"start">;
-  registerRemote(value: RemoteDescriptor): Promise<void>;
-  protected readonly fetchLinks: alepha_retry0.RetryDescriptorFn<(opts: FetchLinksOptions) => Promise<ApiLinksResponse>>;
-}
-interface FetchLinksOptions {
-  /**
-   * Name of the remote service.
-   */
-  service: string;
-  /**
-   * URL to fetch links from.
-   */
-  url: string;
-  /**
-   * Authorization header containing access token.
-   */
-  authorization?: string;
-}
-interface ServerRemote {
-  /**
-   * URL of the remote service.
-   */
-  url: string;
-  /**
-   * Name of the remote service.
-   */
-  name: string;
-  /**
-   * Expose links as endpoint. It's not only internal.
-   */
-  proxy: boolean;
-  /**
-   * It's only used inside the application.
-   */
-  internal: boolean;
-  /**
-   * Links fetcher.
-   */
-  links: (args: {
-    authorization?: string;
-  }) => Promise<ApiLinksResponse>;
-  /**
-   * Fetches schema for the remote service.
-   */
-  schema: (args: {
-    name: string;
-    authorization?: string;
-  }) => Promise<any>;
-  /**
-   * Force a default access token provider when not provided.
-   */
-  serviceAccount?: ServiceAccountDescriptor;
-  /**
-   * Prefix for the remote service links.
-   */
-  prefix: string;
-}
-//#endregion
-//#region src/server-links/providers/ServerLinksProvider.d.ts
-declare class ServerLinksProvider {
-  protected readonly env: {
-    SERVER_API_PREFIX: string;
-  };
-  protected readonly alepha: Alepha;
-  protected readonly linkProvider: LinkProvider;
-  protected readonly remoteProvider: RemoteDescriptorProvider;
-  protected readonly serverTimingProvider: ServerTimingProvider;
-  get prefix(): string;
-  readonly onRoute: alepha23.HookDescriptor<"configure">;
-  /**
-   * First API - Get all API links for the user.
-   *
-   * This is based on the user's permissions.
-   */
-  readonly links: alepha_server0.RouteDescriptor<{
-    response: alepha23.TObject<{
-      prefix: alepha23.TOptional<alepha23.TString>;
-      links: alepha23.TArray<alepha23.TObject<{
-        name: alepha23.TString;
-        group: alepha23.TOptional<alepha23.TString>;
-        path: alepha23.TString;
-        method: alepha23.TOptional<alepha23.TString>;
-        requestBodyType: alepha23.TOptional<alepha23.TString>;
-        service: alepha23.TOptional<alepha23.TString>;
-      }>>;
-    }>;
-  }>;
-  /**
-   * Second API - Get schema for a specific API link.
-   *
-   * Note: Body/Response schema are not included in `links` API because it's TOO BIG.
-   * I mean for 150+ links, you got 50ms of serialization time.
-   */
-  readonly schema: alepha_server0.RouteDescriptor<{
-    params: alepha23.TObject<{
-      name: alepha23.TString;
-    }>;
-    response: alepha23.TRecord<string, alepha23.TAny>;
-  }>;
-  getSchemaByName(name: string, options?: GetApiLinksOptions): Promise<RequestConfigSchema>;
-  /**
-   * Retrieves API links for the user based on their permissions.
-   * Will check on local links and remote links.
-   */
-  getUserApiLinks(options: GetApiLinksOptions): Promise<ApiLinksResponse>;
-}
-interface GetApiLinksOptions {
-  user?: UserAccountToken;
-  authorization?: string;
-}
-//#endregion
-//#region src/server-links/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * API links attached to the server request state.
-     *
-     * @see {@link ApiLinksResponse}
-     * @internal
-     */
-    "alepha.server.request.apiLinks"?: ApiLinksResponse;
-  }
-}
-/**
- * Provides server-side link management and remote capabilities for client-server interactions.
- *
- * The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
- * facilitating seamless API endpoint management and client-server communication. It integrates with server
- * security features to ensure safe and controlled access to resources.
- *
- * @see {@link $remote}
- * @see {@link $client}
- * @module alepha.server.links
- */
-//#endregion
 //#region src/orm/schemas/insertSchema.d.ts
 /**
  * Transforms a TObject schema for insert operations.
@@ -901,8 +422,8 @@ type TObjectInsert<T extends TObject> = TObject<{ [K in keyof T["properties"]]:
  */
 type TObjectUpdate<T extends TObject> = TObject<{ [K in keyof T["properties"]]: T["properties"][K] extends TOptional<infer U> ? TOptional<TUnion<[U, TNull]>> : T["properties"][K] }>;
 //#endregion
-//#region src/orm/descriptors/$entity.d.ts
-interface EntityDescriptorOptions<T extends TObject, Keys = keyof Static<T>> {
+//#region src/orm/primitives/$entity.d.ts
+interface EntityPrimitiveOptions<T extends TObject, Keys = keyof Static<T>> {
   /**
    * The database table name that will be created for this entity.
    * If not provided, name will be inferred from the $repository variable name.
@@ -1014,9 +535,9 @@ interface EntityDescriptorOptions<T extends TObject, Keys = keyof Static<T>> {
    */
   config?: (self: BuildExtraConfigColumns<string, FromSchema<T>, "pg">) => PgTableExtraConfigValue[];
 }
-declare class EntityDescriptor<T extends TObject = TObject> {
-  readonly options: EntityDescriptorOptions<T>;
-  constructor(options: EntityDescriptorOptions<T>);
+declare class EntityPrimitive<T extends TObject = TObject> {
+  readonly options: EntityPrimitiveOptions<T>;
+  constructor(options: EntityPrimitiveOptions<T>);
   alias(alias: string): this;
   get cols(): EntityColumns<T>;
   get name(): string;
@@ -1036,7 +557,7 @@ type SchemaToTableConfig<T extends TObject> = {
 };
 type EntityColumn<T extends TObject> = {
   name: string;
-  entity: EntityDescriptor<T>;
+  entity: EntityPrimitive<T>;
 };
 type EntityColumns<T extends TObject> = { [key in keyof T["properties"]]: EntityColumn<T> };
 //#endregion
@@ -1082,7 +603,7 @@ interface PgEnumOptions {
 interface PgRefOptions {
   ref: () => {
     name: string;
-    entity: EntityDescriptor;
+    entity: EntityPrimitive;
   };
   actions?: {
     onUpdate?: UpdateDeleteAction;
@@ -1096,19 +617,6 @@ declare class DbError extends AlephaError {
   constructor(message: string, cause?: unknown);
 }
 //#endregion
-//#region src/orm/helpers/pgAttr.d.ts
-/**
- * Type representation.
- */
-type PgAttr<T extends TSchema, TAttr extends PgSymbolKeys> = T & { [K in TAttr]: PgSymbols[K] };
-interface PgAttrField {
-  key: string;
-  type: TSchema;
-  data: any;
-  nested?: any[];
-  one?: boolean;
-}
-//#endregion
 //#region src/orm/interfaces/FilterOperators.d.ts
 interface FilterOperators<TValue> {
   /**
@@ -1525,85 +1033,6 @@ interface FilterOperators<TValue> {
   arrayOverlaps?: TValue;
 }
 //#endregion
-//#region src/orm/interfaces/PgQueryWhere.d.ts
-type PgQueryWhere<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = (PgQueryWhereOperators<T> & PgQueryWhereConditions<T>) | (PgQueryWhereRelations<Relations> & PgQueryWhereOperators<T> & PgQueryWhereConditions<T, Relations>);
-type PgQueryWhereOrSQL<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = SQLWrapper | PgQueryWhere<T, Relations>;
-type PgQueryWhereOperators<T extends TObject> = { [Key in keyof Static<T>]?: FilterOperators<Static<T>[Key]> | Static<T>[Key] | (Static<T>[Key] extends object ? NestedJsonbQuery<Static<T>[Key]> : never) };
-type PgQueryWhereConditions<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = {
-  /**
-   * Combine a list of conditions with the `and` operator. Conditions
-   * that are equal `undefined` are automatically ignored.
-   *
-   * ## Examples
-   *
-   * ```ts
-   * db.select().from(cars)
-   *   .where(
-   *     and(
-   *       eq(cars.make, 'Volvo'),
-   *       eq(cars.year, 1950),
-   *     )
-   *   )
-   * ```
-   */
-  and?: Array<PgQueryWhereOrSQL<T, Relations>>;
-  /**
-   * Combine a list of conditions with the `or` operator. Conditions
-   * that are equal `undefined` are automatically ignored.
-   *
-   * ## Examples
-   *
-   * ```ts
-   * db.select().from(cars)
-   *   .where(
-   *     or(
-   *       eq(cars.make, 'GM'),
-   *       eq(cars.make, 'Ford'),
-   *     )
-   *   )
-   * ```
-   */
-  or?: Array<PgQueryWhereOrSQL<T, Relations>>;
-  /**
-   * Negate the meaning of an expression using the `not` keyword.
-   *
-   * ## Examples
-   *
-   * ```ts
-   * // Select cars _not_ made by GM or Ford.
-   * db.select().from(cars)
-   *   .where(not(inArray(cars.make, ['GM', 'Ford'])))
-   * ```
-   */
-  not?: PgQueryWhereOrSQL<T, Relations>;
-  /**
-   * Test whether a subquery evaluates to have any rows.
-   *
-   * ## Examples
-   *
-   * ```ts
-   * // Users whose `homeCity` column has a match in a cities
-   * // table.
-   * db
-   *   .select()
-   *   .from(users)
-   *   .where(
-   *     exists(db.select()
-   *       .from(cities)
-   *       .where(eq(users.homeCity, cities.id))),
-   *   );
-   * ```
-   *
-   * @see notExists for the inverse of this test
-   */
-  exists?: SQLWrapper;
-};
-type PgQueryWhereRelations<Relations extends PgRelationMap<TObject> | undefined = undefined> = Relations extends PgRelationMap<TObject> ? { [K in keyof Relations]?: PgQueryWhere<Relations[K]["join"]["schema"], Relations[K]["with"]> } : {};
-/**
- * Recursively allow nested queries for JSONB object/array types
- */
-type NestedJsonbQuery<T> = T extends object ? T extends Array<infer U> ? U extends object ? { [K in keyof U]?: FilterOperators<U[K]> | U[K] } : FilterOperators<U> | U : { [K in keyof T]?: FilterOperators<T[K]> | T[K] | (T[K] extends object ? NestedJsonbQuery<T[K]> : never) } : FilterOperators<T> | T;
-//#endregion
 //#region src/orm/interfaces/PgQuery.d.ts
 /**
  * Order direction for sorting
@@ -1653,15 +1082,107 @@ type PgRelation<Base extends TObject> = {
   with?: PgRelationMap<TObject>;
 };
 //#endregion
-//#region src/orm/descriptors/$sequence.d.ts
-interface SequenceDescriptorOptions extends PgSequenceOptions {
+//#region src/orm/interfaces/PgQueryWhere.d.ts
+type PgQueryWhere<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = (PgQueryWhereOperators<T> & PgQueryWhereConditions<T>) | (PgQueryWhereRelations<Relations> & PgQueryWhereOperators<T> & PgQueryWhereConditions<T, Relations>);
+type PgQueryWhereOrSQL<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = SQLWrapper | PgQueryWhere<T, Relations>;
+type PgQueryWhereOperators<T extends TObject> = { [Key in keyof Static<T>]?: FilterOperators<Static<T>[Key]> | Static<T>[Key] | (Static<T>[Key] extends object ? NestedJsonbQuery<Static<T>[Key]> : never) };
+type PgQueryWhereConditions<T extends TObject, Relations extends PgRelationMap<TObject> | undefined = undefined> = {
+  /**
+   * Combine a list of conditions with the `and` operator. Conditions
+   * that are equal `undefined` are automatically ignored.
+   *
+   * ## Examples
+   *
+   * ```ts
+   * db.select().from(cars)
+   *   .where(
+   *     and(
+   *       eq(cars.make, 'Volvo'),
+   *       eq(cars.year, 1950),
+   *     )
+   *   )
+   * ```
+   */
+  and?: Array<PgQueryWhereOrSQL<T, Relations>>;
+  /**
+   * Combine a list of conditions with the `or` operator. Conditions
+   * that are equal `undefined` are automatically ignored.
+   *
+   * ## Examples
+   *
+   * ```ts
+   * db.select().from(cars)
+   *   .where(
+   *     or(
+   *       eq(cars.make, 'GM'),
+   *       eq(cars.make, 'Ford'),
+   *     )
+   *   )
+   * ```
+   */
+  or?: Array<PgQueryWhereOrSQL<T, Relations>>;
+  /**
+   * Negate the meaning of an expression using the `not` keyword.
+   *
+   * ## Examples
+   *
+   * ```ts
+   * // Select cars _not_ made by GM or Ford.
+   * db.select().from(cars)
+   *   .where(not(inArray(cars.make, ['GM', 'Ford'])))
+   * ```
+   */
+  not?: PgQueryWhereOrSQL<T, Relations>;
+  /**
+   * Test whether a subquery evaluates to have any rows.
+   *
+   * ## Examples
+   *
+   * ```ts
+   * // Users whose `homeCity` column has a match in a cities
+   * // table.
+   * db
+   *   .select()
+   *   .from(users)
+   *   .where(
+   *     exists(db.select()
+   *       .from(cities)
+   *       .where(eq(users.homeCity, cities.id))),
+   *   );
+   * ```
+   *
+   * @see notExists for the inverse of this test
+   */
+  exists?: SQLWrapper;
+};
+type PgQueryWhereRelations<Relations extends PgRelationMap<TObject> | undefined = undefined> = Relations extends PgRelationMap<TObject> ? { [K in keyof Relations]?: PgQueryWhere<Relations[K]["join"]["schema"], Relations[K]["with"]> } : {};
+/**
+ * Recursively allow nested queries for JSONB object/array types
+ */
+type NestedJsonbQuery<T> = T extends object ? T extends Array<infer U> ? U extends object ? { [K in keyof U]?: FilterOperators<U[K]> | U[K] } : FilterOperators<U> | U : { [K in keyof T]?: FilterOperators<T[K]> | T[K] | (T[K] extends object ? NestedJsonbQuery<T[K]> : never) } : FilterOperators<T> | T;
+//#endregion
+//#region src/orm/helpers/pgAttr.d.ts
+/**
+ * Type representation.
+ */
+type PgAttr<T extends TSchema, TAttr extends PgSymbolKeys> = T & { [K in TAttr]: PgSymbols[K] };
+interface PgAttrField {
+  key: string;
+  type: TSchema;
+  data: any;
+  nested?: any[];
+  one?: boolean;
+}
+//#endregion
+//#region src/orm/primitives/$sequence.d.ts
+interface SequencePrimitiveOptions extends PgSequenceOptions {
   /**
    * The name of the sequence. If not provided, the property key will be used.
    */
   name?: string;
   provider?: DatabaseProvider;
 }
-declare class SequenceDescriptor extends Descriptor<SequenceDescriptorOptions> {
+declare class SequencePrimitive extends Primitive<SequencePrimitiveOptions> {
   readonly provider: DatabaseProvider;
   onInit(): void;
   get name(): string;
@@ -1692,22 +1213,22 @@ interface TableConfigBuilders<TConfig> {
   }) => TConfig;
 }
 /**
- * Abstract base class for transforming Alepha Descriptors (Entity, Sequence, etc...)
+ * Abstract base class for transforming Alepha Primitives (Entity, Sequence, etc...)
  * into drizzle models (tables, enums, sequences, etc...).
  */
 declare abstract class ModelBuilder {
   /**
-   * Build a table from an entity descriptor.
+   * Build a table from an entity primitive.
    */
-  abstract buildTable(entity: EntityDescriptor, options: {
+  abstract buildTable(entity: EntityPrimitive, options: {
     tables: Map<string, unknown>;
     enums: Map<string, unknown>;
     schema: string;
   }): void;
   /**
-   * Build a sequence from a sequence descriptor.
+   * Build a sequence from a sequence primitive.
    */
-  abstract buildSequence(sequence: SequenceDescriptor, options: {
+  abstract buildSequence(sequence: SequencePrimitive, options: {
     sequences: Map<string, unknown>;
     schema: string;
   }): void;
@@ -1719,12 +1240,12 @@ declare abstract class ModelBuilder {
    * Build the table configuration function for any database.
    * This includes indexes, foreign keys, constraints, and custom config.
    *
-   * @param entity - The entity descriptor
+   * @param entity - The entity primitive
    * @param builders - Database-specific builder functions
    * @param tableResolver - Function to resolve entity references to table columns
    * @param customConfigHandler - Optional handler for custom config
    */
-  protected buildTableConfig<TConfig, TSelf>(entity: EntityDescriptor, builders: TableConfigBuilders<TConfig>, tableResolver?: (entityName: string) => any, customConfigHandler?: (config: any, self: TSelf) => TConfig[]): ((self: TSelf) => TConfig[]) | undefined;
+  protected buildTableConfig<TConfig, TSelf>(entity: EntityPrimitive, builders: TableConfigBuilders<TConfig>, tableResolver?: (entityName: string) => any, customConfigHandler?: (config: any, self: TSelf) => TConfig[]): ((self: TSelf) => TConfig[]) | undefined;
 }
 //#endregion
 //#region src/orm/providers/DrizzleKitProvider.d.ts
@@ -1788,9 +1309,9 @@ declare abstract class DatabaseProvider {
   readonly sequences: Map<string, unknown>;
   get name(): string;
   get schema(): string;
-  table<T extends TObject>(entity: EntityDescriptor<T>): PgTableWithColumns<SchemaToTableConfig<T>>;
-  registerEntity(entity: EntityDescriptor): void;
-  registerSequence(sequence: SequenceDescriptor): void;
+  table<T extends TObject>(entity: EntityPrimitive<T>): PgTableWithColumns<SchemaToTableConfig<T>>;
+  registerEntity(entity: EntityPrimitive): void;
+  registerSequence(sequence: SequencePrimitive): void;
   abstract execute(statement: SQLLike): Promise<Record<string, unknown>[]>;
   run<T extends TObject>(statement: SQLLike, schema: T): Promise<Array<Static<T>>>;
   /**
@@ -1998,13 +1519,13 @@ declare class PgRelationManager {
 //#endregion
 //#region src/orm/services/Repository.d.ts
 declare abstract class Repository$1<T extends TObject> {
-  readonly entity: EntityDescriptor<T>;
+  readonly entity: EntityPrimitive<T>;
   readonly provider: DatabaseProvider;
   protected readonly relationManager: PgRelationManager;
   protected readonly queryManager: QueryManager;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly alepha: Alepha;
-  constructor(entity: EntityDescriptor<T>, provider?: typeof DatabaseProvider);
+  constructor(entity: EntityPrimitive<T>, provider?: typeof DatabaseProvider);
   /**
    * Represents the primary key of the table.
    * - Key is the name of the primary key column.
@@ -2379,470 +1900,81 @@ declare module "alepha" {
   }
 }
 //#endregion
-//#region src/api-verifications/entities/verifications.d.ts
-declare const verifications: alepha_orm204.EntityDescriptor<alepha23.TObject<{
-  id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-  createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-  type: alepha23.TUnsafe<"link" | "code">;
-  target: alepha23.TString;
-  code: alepha23.TString;
-  verifiedAt: alepha23.TOptional<alepha23.TString>;
-  attempts: alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_DEFAULT>;
-}>>;
-type VerificationEntity = Static<typeof verifications.schema>;
-//#endregion
-//#region src/api-verifications/schemas/verificationSettingsSchema.d.ts
-declare const verificationSettingsSchema: alepha23.TObject<{
-  code: alepha23.TObject<{
-    maxAttempts: alepha23.TInteger;
-    codeLength: alepha23.TInteger;
-    codeExpiration: alepha23.TInteger;
-    verificationCooldown: alepha23.TInteger;
-    limitPerDay: alepha23.TInteger;
-  }>;
-  link: alepha23.TObject<{
-    maxAttempts: alepha23.TInteger;
-    codeExpiration: alepha23.TInteger;
-    verificationCooldown: alepha23.TInteger;
-    limitPerDay: alepha23.TInteger;
-  }>;
-  purgeDays: alepha23.TInteger;
-}>;
-type VerificationSettings = Static<typeof verificationSettingsSchema>;
-//#endregion
-//#region src/api-verifications/parameters/VerificationParameters.d.ts
-/**
- * Verification settings configuration atom
- */
-declare const verificationOptions: alepha23.Atom<alepha23.TObject<{
-  code: alepha23.TObject<{
-    maxAttempts: alepha23.TInteger;
-    codeLength: alepha23.TInteger;
-    codeExpiration: alepha23.TInteger;
-    verificationCooldown: alepha23.TInteger;
-    limitPerDay: alepha23.TInteger;
-  }>;
-  link: alepha23.TObject<{
-    maxAttempts: alepha23.TInteger;
-    codeExpiration: alepha23.TInteger;
-    verificationCooldown: alepha23.TInteger;
-    limitPerDay: alepha23.TInteger;
-  }>;
-  purgeDays: alepha23.TInteger;
-}>, "alepha.api.verifications.options">;
-type VerificationOptions = Static<typeof verificationOptions.schema>;
-declare module "alepha" {
-  interface State {
-    [verificationOptions.key]: VerificationOptions;
-  }
-}
-declare class VerificationParameters {
-  protected readonly options: Readonly<{
-    link: {
-      maxAttempts: number;
-      codeExpiration: number;
-      verificationCooldown: number;
-      limitPerDay: number;
-    };
-    code: {
-      maxAttempts: number;
-      codeLength: number;
-      codeExpiration: number;
-      verificationCooldown: number;
-      limitPerDay: number;
-    };
-    purgeDays: number;
-  }>;
-  get<K$1 extends keyof VerificationSettings>(key: K$1): VerificationSettings[K$1];
-}
-//#endregion
-//#region src/api-verifications/schemas/requestVerificationCodeResponseSchema.d.ts
-declare const requestVerificationCodeResponseSchema: alepha23.TObject<{
-  token: alepha23.TString;
-  codeExpiration: alepha23.TInteger;
-  verificationCooldown: alepha23.TInteger;
-  maxVerificationAttempts: alepha23.TInteger;
-}>;
-type RequestVerificationResponse = Static<typeof requestVerificationCodeResponseSchema>;
-//#endregion
-//#region src/api-verifications/schemas/validateVerificationCodeResponseSchema.d.ts
-declare const validateVerificationCodeResponseSchema: alepha23.TObject<{
-  ok: alepha23.TBoolean;
-  alreadyVerified: alepha23.TOptional<alepha23.TBoolean>;
-}>;
-type ValidateVerificationCodeResponse = Static<typeof validateVerificationCodeResponseSchema>;
-//#endregion
-//#region src/api-verifications/schemas/verificationTypeEnumSchema.d.ts
-declare const verificationTypeEnumSchema: alepha23.TUnsafe<"link" | "code">;
-type VerificationTypeEnum = Static<typeof verificationTypeEnumSchema>;
-//#endregion
-//#region src/api-verifications/services/VerificationService.d.ts
-declare class VerificationService {
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly verificationParameters: VerificationParameters;
-  protected readonly verificationRepository: alepha_orm204.Repository<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"link" | "code">;
-    target: alepha23.TString;
+//#region src/api-users/notifications/UserNotifications.d.ts
+declare class UserNotifications {
+  readonly passwordReset: alepha_api_notifications0.NotificationPrimitive<alepha23.TObject<{
+    email: alepha23.TString;
     code: alepha23.TString;
-    verifiedAt: alepha23.TOptional<alepha23.TString>;
-    attempts: alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_DEFAULT>;
+    expiresInMinutes: alepha23.TNumber;
   }>>;
-  findByEntry(entry: VerificationEntry): Promise<VerificationEntity>;
-  findRecentsByEntry(entry: VerificationEntry): Promise<alepha_orm204.PgStatic<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"link" | "code">;
-    target: alepha23.TString;
+  readonly emailVerification: alepha_api_notifications0.NotificationPrimitive<alepha23.TObject<{
+    email: alepha23.TString;
     code: alepha23.TString;
-    verifiedAt: alepha23.TOptional<alepha23.TString>;
-    attempts: alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_DEFAULT>;
-  }>, alepha_orm204.PgRelationMap<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"link" | "code">;
-    target: alepha23.TString;
+    expiresInMinutes: alepha23.TNumber;
+  }>>;
+  readonly phoneVerification: alepha_api_notifications0.NotificationPrimitive<alepha23.TObject<{
+    phoneNumber: alepha23.TString;
     code: alepha23.TString;
-    verifiedAt: alepha23.TOptional<alepha23.TString>;
-    attempts: alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_DEFAULT>;
-  }>>>[]>;
-  /**
-   * Creates a verification entry and returns the token.
-   * The caller is responsible for sending notifications with the token.
-   * This allows for context-specific notifications (e.g., password reset vs email verification).
-   */
-  createVerification(entry: VerificationEntry): Promise<RequestVerificationResponse>;
-  verifyCode(entry: VerificationEntry, code: string): Promise<ValidateVerificationCodeResponse>;
-  hashCode(code: string): string;
-  generateToken(type: VerificationTypeEnum): string;
-}
-interface VerificationEntry {
-  type: VerificationTypeEnum;
-  target: string;
-}
-//#endregion
-//#region src/api-verifications/controllers/VerificationController.d.ts
-declare class VerificationController {
-  protected readonly verificationService: VerificationService;
-  readonly url = "/verifications";
-  readonly group = "verifications";
-  readonly requestVerificationCode: alepha_server0.ActionDescriptorFn<{
-    params: alepha23.TObject<{
-      type: alepha23.TUnsafe<"link" | "code">;
-    }>;
-    body: alepha23.TObject<{
-      target: alepha23.TString;
-    }>;
-    response: alepha23.TObject<{
-      token: alepha23.TString;
-      codeExpiration: alepha23.TInteger;
-      verificationCooldown: alepha23.TInteger;
-      maxVerificationAttempts: alepha23.TInteger;
-    }>;
-  }>;
-  readonly validateVerificationCode: alepha_server0.ActionDescriptorFn<{
-    params: alepha23.TObject<{
-      type: alepha23.TUnsafe<"link" | "code">;
-    }>;
-    body: alepha23.TObject<{
-      target: alepha23.TString;
-      token: alepha23.TString;
-    }>;
-    response: alepha23.TObject<{
-      ok: alepha23.TBoolean;
-      alreadyVerified: alepha23.TOptional<alepha23.TBoolean>;
-    }>;
-  }>;
+    expiresInMinutes: alepha23.TNumber;
+  }>>;
+  readonly passwordResetLink: alepha_api_notifications0.NotificationPrimitive<alepha23.TObject<{
+    email: alepha23.TString;
+    resetUrl: alepha23.TString;
+    expiresInMinutes: alepha23.TNumber;
+  }>>;
+  readonly emailVerificationLink: alepha_api_notifications0.NotificationPrimitive<alepha23.TObject<{
+    email: alepha23.TString;
+    verifyUrl: alepha23.TString;
+    expiresInMinutes: alepha23.TNumber;
+  }>>;
 }
 //#endregion
-//#region src/api-notifications/schemas/notificationCreateSchema.d.ts
-declare const notificationCreateSchema: alepha23.TObject<{
-  type: alepha23.TUnsafe<"email" | "sms">;
-  template: alepha23.TString;
-  contact: alepha23.TString;
-  variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
+//#region src/api-users/schemas/completePasswordResetRequestSchema.d.ts
+/**
+ * Request schema for completing a password reset.
+ *
+ * Requires the intent ID from Phase 1, the verification code,
+ * and the new password.
+ */
+declare const completePasswordResetRequestSchema: alepha23.TObject<{
+  intentId: alepha23.TString;
+  code: alepha23.TString;
+  newPassword: alepha23.TString;
 }>;
-type NotificationCreate = Static<typeof notificationCreateSchema>;
+type CompletePasswordResetRequest = Static<typeof completePasswordResetRequestSchema>;
 //#endregion
-//#region src/api-notifications/entities/notifications.d.ts
-declare const notifications: alepha_orm204.EntityDescriptor<alepha23.TObject<{
-  id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-  version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-  createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  type: alepha23.TUnsafe<"email" | "sms">;
-  template: alepha23.TString;
-  category: alepha23.TOptional<alepha23.TString>;
-  critical: alepha23.TOptional<alepha23.TBoolean>;
-  sensitive: alepha23.TOptional<alepha23.TBoolean>;
-  contact: alepha23.TString;
-  variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-  scheduledAt: alepha23.TOptional<alepha23.TString>;
-  sentAt: alepha23.TOptional<alepha23.TString>;
-  error: alepha23.TOptional<alepha23.TObject<{
-    at: alepha23.TString;
-    name: alepha23.TString;
-    message: alepha23.TString;
-  }>>;
-}>>;
-type NotificationEntity = Static<typeof notifications.schema>;
+//#region src/api-users/schemas/passwordResetIntentResponseSchema.d.ts
+/**
+ * Response schema for password reset intent creation.
+ *
+ * Contains the intent ID needed for Phase 2 completion,
+ * along with expiration time.
+ */
+declare const passwordResetIntentResponseSchema: alepha23.TObject<{
+  intentId: alepha23.TString;
+  expiresAt: alepha23.TString;
+}>;
+type PasswordResetIntentResponse = Static<typeof passwordResetIntentResponseSchema>;
 //#endregion
-//#region src/api-notifications/providers/SmsProvider.d.ts
-declare abstract class SmsProvider {
-  abstract send(options: SmsSendOptions): Promise<void>;
-}
-interface SmsSendOptions {
-  to: string;
-  message: string;
+//#region src/api-users/services/CredentialService.d.ts
+/**
+ * Intent stored in cache during the password reset flow.
+ */
+interface PasswordResetIntent {
+  email: string;
+  userId: string;
+  identityId: string;
+  realmName?: string;
+  expiresAt: string;
 }
-//#endregion
-//#region src/api-notifications/services/NotificationSenderService.d.ts
-declare class NotificationSenderService {
-  protected readonly alepha: Alepha;
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly notificationRepository: alepha_orm204.Repository<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"email" | "sms">;
-    template: alepha23.TString;
-    category: alepha23.TOptional<alepha23.TString>;
-    critical: alepha23.TOptional<alepha23.TBoolean>;
-    sensitive: alepha23.TOptional<alepha23.TBoolean>;
-    contact: alepha23.TString;
-    variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-    scheduledAt: alepha23.TOptional<alepha23.TString>;
-    sentAt: alepha23.TOptional<alepha23.TString>;
-    error: alepha23.TOptional<alepha23.TObject<{
-      at: alepha23.TString;
-      name: alepha23.TString;
-      message: alepha23.TString;
-    }>>;
-  }>>;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly emailProvider: EmailProvider;
-  protected readonly smsProvider: SmsProvider;
-  send(notificationId: string | NotificationEntity): Promise<void>;
-  renderSms(notification: NotificationEntity): {
-    to: string;
-    message: string;
-  };
-  renderEmail(notification: NotificationEntity): {
-    to: string;
-    subject: string;
-    body: string;
-  };
-  protected load(notification: NotificationEntity): {
-    template: NotificationDescriptor<alepha23.TObject<alepha23.TProperties>>;
-    variables: Record<string, any>;
-    contact: string;
-  };
-}
-//#endregion
-//#region src/api-notifications/services/NotificationService.d.ts
-declare const notificationServiceEnvSchema: alepha23.TObject<{
-  NOTIFICATION_QUEUE: alepha23.TOptional<alepha23.TBoolean>;
-}>;
-declare module "alepha" {
-  interface Env extends Partial<Static<typeof notificationServiceEnvSchema>> {}
-}
-declare class NotificationService {
-  protected readonly alepha: Alepha;
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly env: {
-    NOTIFICATION_QUEUE?: boolean | undefined;
-  };
-  protected readonly notificationRepository: alepha_orm204.Repository<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"email" | "sms">;
-    template: alepha23.TString;
-    category: alepha23.TOptional<alepha23.TString>;
-    critical: alepha23.TOptional<alepha23.TBoolean>;
-    sensitive: alepha23.TOptional<alepha23.TBoolean>;
-    contact: alepha23.TString;
-    variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-    scheduledAt: alepha23.TOptional<alepha23.TString>;
-    sentAt: alepha23.TOptional<alepha23.TString>;
-    error: alepha23.TOptional<alepha23.TObject<{
-      at: alepha23.TString;
-      name: alepha23.TString;
-      message: alepha23.TString;
-    }>>;
-  }>>;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly notificationSenderService: NotificationSenderService;
-  readonly notificationBatch: alepha_batch0.BatchDescriptor<alepha23.TObject<{
-    type: alepha23.TUnsafe<"email" | "sms">;
-    template: alepha23.TString;
-    contact: alepha23.TString;
-    variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-  }>, Promise<void>>;
-  findNotificationById(id: string): Promise<alepha_orm204.PgStatic<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"email" | "sms">;
-    template: alepha23.TString;
-    category: alepha23.TOptional<alepha23.TString>;
-    critical: alepha23.TOptional<alepha23.TBoolean>;
-    sensitive: alepha23.TOptional<alepha23.TBoolean>;
-    contact: alepha23.TString;
-    variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-    scheduledAt: alepha23.TOptional<alepha23.TString>;
-    sentAt: alepha23.TOptional<alepha23.TString>;
-    error: alepha23.TOptional<alepha23.TObject<{
-      at: alepha23.TString;
-      name: alepha23.TString;
-      message: alepha23.TString;
-    }>>;
-  }>, alepha_orm204.PgRelationMap<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    type: alepha23.TUnsafe<"email" | "sms">;
-    template: alepha23.TString;
-    category: alepha23.TOptional<alepha23.TString>;
-    critical: alepha23.TOptional<alepha23.TBoolean>;
-    sensitive: alepha23.TOptional<alepha23.TBoolean>;
-    contact: alepha23.TString;
-    variables: alepha23.TOptional<alepha23.TRecord<"^.*$", alepha23.TAny>>;
-    scheduledAt: alepha23.TOptional<alepha23.TString>;
-    sentAt: alepha23.TOptional<alepha23.TString>;
-    error: alepha23.TOptional<alepha23.TObject<{
-      at: alepha23.TString;
-      name: alepha23.TString;
-      message: alepha23.TString;
-    }>>;
-  }>>>>;
-  /**
-   * Create a new notification.
-   */
-  createNotification(entry: NotificationCreate): Promise<void>;
-}
-//#endregion
-//#region src/api-notifications/descriptors/$notification.d.ts
-interface NotificationDescriptorOptions<T extends TObject> extends NotificationMessage<T> {
-  name?: string;
-  description?: string;
-  category?: string;
-  critical?: boolean;
-  sensitive?: boolean;
-  translations?: {
-    [lang: string]: NotificationMessage<T>;
-  };
-  schema: T;
-}
-declare class NotificationDescriptor<T extends TObject> extends Descriptor<NotificationDescriptorOptions<T>> {
-  protected readonly notificationService: NotificationService;
-  get name(): string;
-  push(options: NotificationPushOptions<T>): Promise<void>;
-  configure(options: Partial<NotificationDescriptorOptions<T>>): void;
-}
-interface NotificationPushOptions<T extends TObject> {
-  variables: StaticEncode<T>;
-  contact: string;
-}
-interface NotificationMessage<T extends TObject> {
-  email?: {
-    subject: string;
-    body: string | ((variables: Static<T>) => string);
-  };
-  sms?: {
-    message: string | ((variables: Static<T>) => string);
-  };
-}
-//#endregion
-//#region src/api-users/notifications/UserNotifications.d.ts
-declare class UserNotifications {
-  readonly passwordReset: NotificationDescriptor<alepha23.TObject<{
-    email: alepha23.TString;
-    code: alepha23.TString;
-    expiresInMinutes: alepha23.TNumber;
-  }>>;
-  readonly emailVerification: NotificationDescriptor<alepha23.TObject<{
-    email: alepha23.TString;
-    code: alepha23.TString;
-    expiresInMinutes: alepha23.TNumber;
-  }>>;
-  readonly phoneVerification: NotificationDescriptor<alepha23.TObject<{
-    phoneNumber: alepha23.TString;
-    code: alepha23.TString;
-    expiresInMinutes: alepha23.TNumber;
-  }>>;
-  readonly passwordResetLink: NotificationDescriptor<alepha23.TObject<{
-    email: alepha23.TString;
-    resetUrl: alepha23.TString;
-    expiresInMinutes: alepha23.TNumber;
-  }>>;
-  readonly emailVerificationLink: NotificationDescriptor<alepha23.TObject<{
-    email: alepha23.TString;
-    verifyUrl: alepha23.TString;
-    expiresInMinutes: alepha23.TNumber;
-  }>>;
-}
-//#endregion
-//#region src/api-users/schemas/completePasswordResetRequestSchema.d.ts
-/**
- * Request schema for completing a password reset.
- *
- * Requires the intent ID from Phase 1, the verification code,
- * and the new password.
- */
-declare const completePasswordResetRequestSchema: alepha23.TObject<{
-  intentId: alepha23.TString;
-  code: alepha23.TString;
-  newPassword: alepha23.TString;
-}>;
-type CompletePasswordResetRequest = Static<typeof completePasswordResetRequestSchema>;
-//#endregion
-//#region src/api-users/schemas/passwordResetIntentResponseSchema.d.ts
-/**
- * Response schema for password reset intent creation.
- *
- * Contains the intent ID needed for Phase 2 completion,
- * along with expiration time.
- */
-declare const passwordResetIntentResponseSchema: alepha23.TObject<{
-  intentId: alepha23.TString;
-  expiresAt: alepha23.TString;
-}>;
-type PasswordResetIntentResponse = Static<typeof passwordResetIntentResponseSchema>;
-//#endregion
-//#region src/api-users/services/CredentialService.d.ts
-/**
- * Intent stored in cache during the password reset flow.
- */
-interface PasswordResetIntent {
-  email: string;
-  userId: string;
-  identityId: string;
-  realmName?: string;
-  expiresAt: string;
-}
-declare class CredentialService {
+declare class CredentialService {
   protected readonly log: alepha_logger1.Logger;
   protected readonly cryptoProvider: CryptoProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly verificationController: HttpVirtualClient<VerificationController>;
+  protected readonly verificationController: alepha_server_links0.HttpVirtualClient<VerificationController>;
   protected readonly userNotifications: UserNotifications;
   protected readonly userRealmProvider: UserRealmProvider;
-  protected readonly intentCache: alepha_cache0.CacheDescriptorFn<PasswordResetIntent, any[]>;
+  protected readonly intentCache: alepha_cache0.CachePrimitiveFn<PasswordResetIntent, any[]>;
   users(userRealmName?: string): Repository$1<alepha23.TObject<{
     id: PgAttr<PgAttr<alepha23.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
     version: PgAttr<PgAttr<alepha23.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
@@ -2980,10 +2112,10 @@ declare class RegistrationService {
   protected readonly log: alepha_logger1.Logger;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly cryptoProvider: CryptoProvider;
-  protected readonly verificationController: HttpVirtualClient<VerificationController>;
+  protected readonly verificationController: alepha_server_links0.HttpVirtualClient<VerificationController>;
   protected readonly userNotifications: UserNotifications;
   protected readonly userRealmProvider: UserRealmProvider;
-  protected readonly intentCache: alepha_cache0.CacheDescriptorFn<RegistrationIntent, any[]>;
+  protected readonly intentCache: alepha_cache0.CachePrimitiveFn<RegistrationIntent, any[]>;
   /**
    * Phase 1: Create a registration intent.
    *
@@ -3067,7 +2199,7 @@ type UserQuery = Static<typeof userQuerySchema>;
 //#region src/api-users/services/UserService.d.ts
 declare class UserService {
   protected readonly log: alepha_logger1.Logger;
-  protected readonly verificationController: HttpVirtualClient<VerificationController>;
+  protected readonly verificationController: alepha_server_links0.HttpVirtualClient<VerificationController>;
   protected readonly userNotifications: UserNotifications;
   protected readonly userRealmProvider: UserRealmProvider;
   users(userRealmName?: string): alepha_orm204.Repository<alepha23.TObject<{
@@ -3131,7 +2263,7 @@ declare class UserController {
    * Phase 1: Create a registration intent.
    * Validates data, creates verification sessions, and stores intent in cache.
    */
-  readonly createRegistrationIntent: alepha_server0.ActionDescriptorFn<{
+  readonly createRegistrationIntent: alepha_server0.ActionPrimitiveFn<{
     body: alepha23.TObject<{
       password: alepha23.TString;
       username: alepha23.TOptional<alepha23.TString>;
@@ -3155,7 +2287,7 @@ declare class UserController {
   /**
    * Find users with pagination and filtering.
    */
-  readonly findUsers: alepha_server0.ActionDescriptorFn<{
+  readonly findUsers: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       page: alepha23.TOptional<alepha23.TInteger>;
       size: alepha23.TOptional<alepha23.TInteger>;
@@ -3187,7 +2319,7 @@ declare class UserController {
   /**
    * Get a user by ID.
    */
-  readonly getUser: alepha_server0.ActionDescriptorFn<{
+  readonly getUser: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -3214,7 +2346,7 @@ declare class UserController {
   /**
    * Create a new user.
    */
-  readonly createUser: alepha_server0.ActionDescriptorFn<{
+  readonly createUser: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3254,7 +2386,7 @@ declare class UserController {
    * Phase 2: Complete registration using an intent.
    * Validates verification codes and creates the user.
    */
-  readonly createUserFromIntent: alepha_server0.ActionDescriptorFn<{
+  readonly createUserFromIntent: alepha_server0.ActionPrimitiveFn<{
     body: alepha23.TObject<{
       intentId: alepha23.TString;
       emailCode: alepha23.TOptional<alepha23.TString>;
@@ -3281,7 +2413,7 @@ declare class UserController {
   /**
    * Update a user.
    */
-  readonly updateUser: alepha_server0.ActionDescriptorFn<{
+  readonly updateUser: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -3318,7 +2450,7 @@ declare class UserController {
   /**
    * Delete a user.
    */
-  readonly deleteUser: alepha_server0.ActionDescriptorFn<{
+  readonly deleteUser: alepha_server0.ActionPrimitiveFn<{
     params: alepha23.TObject<{
       id: alepha23.TString;
     }>;
@@ -3335,7 +2467,7 @@ declare class UserController {
    * Phase 1: Create a password reset intent.
    * Validates email, sends verification code, and stores intent in cache.
    */
-  readonly createPasswordResetIntent: alepha_server0.ActionDescriptorFn<{
+  readonly createPasswordResetIntent: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3351,7 +2483,7 @@ declare class UserController {
    * Phase 2: Complete password reset using an intent.
    * Validates verification code, updates password, and invalidates sessions.
    */
-  readonly completePasswordReset: alepha_server0.ActionDescriptorFn<{
+  readonly completePasswordReset: alepha_server0.ActionPrimitiveFn<{
     body: alepha23.TObject<{
       intentId: alepha23.TString;
       code: alepha23.TString;
@@ -3366,7 +2498,7 @@ declare class UserController {
   /**
    * @deprecated Use createPasswordResetIntent instead
    */
-  requestPasswordReset: alepha_server0.ActionDescriptorFn<{
+  requestPasswordReset: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3381,7 +2513,7 @@ declare class UserController {
   /**
    * @deprecated Use completePasswordReset instead
    */
-  validateResetToken: alepha_server0.ActionDescriptorFn<{
+  validateResetToken: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       email: alepha23.TString;
       token: alepha23.TString;
@@ -3395,7 +2527,7 @@ declare class UserController {
   /**
    * @deprecated Use completePasswordReset instead
    */
-  resetPassword: alepha_server0.ActionDescriptorFn<{
+  resetPassword: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3413,7 +2545,7 @@ declare class UserController {
    * Request email verification.
    * Generates a verification token using verification service and sends an email to the user.
    */
-  requestEmailVerification: alepha_server0.ActionDescriptorFn<{
+  requestEmailVerification: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3429,7 +2561,7 @@ declare class UserController {
    * Verify email with a valid token.
    * Updates the user's emailVerified status.
    */
-  verifyEmail: alepha_server0.ActionDescriptorFn<{
+  verifyEmail: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -3445,7 +2577,7 @@ declare class UserController {
   /**
    * Check if an email is verified.
    */
-  checkEmailVerification: alepha_server0.ActionDescriptorFn<{
+  checkEmailVerification: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       email: alepha23.TString;
       userRealmName: alepha23.TOptional<alepha23.TString>;
@@ -3456,535 +2588,6 @@ declare class UserController {
   }>;
 }
 //#endregion
-//#region src/server-cookies/services/CookieParser.d.ts
-declare class CookieParser {
-  parseRequestCookies(header: string): Record<string, string>;
-  serializeResponseCookies(cookies: Record<string, Cookie | null>, isHttps: boolean): string[];
-  cookieToString(name: string, cookie: Cookie, isHttps?: boolean): string;
-}
-//#endregion
-//#region src/server-cookies/providers/ServerCookiesProvider.d.ts
-declare class ServerCookiesProvider {
-  protected readonly alepha: Alepha;
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly cookieParser: CookieParser;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly env: {
-    APP_SECRET: string;
-  };
-  protected readonly ALGORITHM = "aes-256-gcm";
-  protected readonly IV_LENGTH = 16;
-  protected readonly AUTH_TAG_LENGTH = 16;
-  protected readonly SIGNATURE_LENGTH = 32;
-  readonly onRequest: alepha23.HookDescriptor<"server:onRequest">;
-  readonly onAction: alepha23.HookDescriptor<"action:onRequest">;
-  readonly onSend: alepha23.HookDescriptor<"server:onSend">;
-  protected getCookiesFromContext(cookies?: Cookies): Cookies;
-  getCookie<T extends TSchema>(name: string, options: CookieDescriptorOptions<T>, contextCookies?: Cookies): Static<T> | undefined;
-  setCookie<T extends TSchema>(name: string, options: CookieDescriptorOptions<T>, data: Static<T>, contextCookies?: Cookies): void;
-  deleteCookie<T extends TSchema>(name: string, contextCookies?: Cookies): void;
-  protected encrypt(text: string): string;
-  protected decrypt(encryptedText: string): string;
-  secretKey(): string;
-  protected sign(data: string): string;
-}
-//#endregion
-//#region src/server-cookies/descriptors/$cookie.d.ts
-interface CookieDescriptorOptions<T extends TSchema> {
-  /** The schema for the cookie's value, used for validation and type safety. */
-  schema: T;
-  /** The name of the cookie. */
-  name?: string;
-  /** The cookie's path. Defaults to "/". */
-  path?: string;
-  /** Time-to-live for the cookie. Maps to `Max-Age`. */
-  ttl?: DurationLike;
-  /** If true, the cookie is only sent over HTTPS. Defaults to true in production. */
-  secure?: boolean;
-  /** If true, the cookie cannot be accessed by client-side scripts. */
-  httpOnly?: boolean;
-  /** SameSite policy for the cookie. Defaults to "lax". */
-  sameSite?: "strict" | "lax" | "none";
-  /** The domain for the cookie. */
-  domain?: string;
-  /** If true, the cookie value will be compressed using zlib. */
-  compress?: boolean;
-  /** If true, the cookie value will be encrypted. Requires `COOKIE_SECRET` env var. */
-  encrypt?: boolean;
-  /** If true, the cookie will be signed to prevent tampering. Requires `COOKIE_SECRET` env var. */
-  sign?: boolean;
-}
-interface AbstractCookieDescriptor<T extends TSchema> {
-  readonly name: string;
-  readonly options: CookieDescriptorOptions<T>;
-  set(value: Static<T>, options?: {
-    cookies?: Cookies;
-    ttl?: DurationLike;
-  }): void;
-  get(options?: {
-    cookies?: Cookies;
-  }): Static<T> | undefined;
-  del(options?: {
-    cookies?: Cookies;
-  }): void;
-}
-interface Cookies {
-  req: Record<string, string>;
-  res: Record<string, Cookie | null>;
-}
-interface Cookie {
-  value: string;
-  path?: string;
-  maxAge?: number;
-  secure?: boolean;
-  httpOnly?: boolean;
-  sameSite?: "strict" | "lax" | "none";
-  domain?: string;
-}
-//#endregion
-//#region src/server-cookies/index.d.ts
-declare module "alepha/server" {
-  interface ServerRequest {
-    cookies: Cookies;
-  }
-}
-/**
- * Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
- *
- * The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
- * It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
- * for managing user sessions, preferences, and authentication tokens.
- *
- * @see {@link $cookie}
- * @module alepha.server.cookies
- */
-//#endregion
-//#region src/server-auth/schemas/authenticationProviderSchema.d.ts
-declare const authenticationProviderSchema: alepha23.TObject<{
-  name: alepha23.TString;
-  type: alepha23.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
-}>;
-type AuthenticationProvider = Static<typeof authenticationProviderSchema>;
-//#endregion
-//#region src/server-auth/schemas/tokensSchema.d.ts
-declare const tokensSchema: alepha23.TObject<{
-  provider: alepha23.TString;
-  access_token: alepha23.TString;
-  issued_at: alepha23.TNumber;
-  expires_in: alepha23.TOptional<alepha23.TNumber>;
-  refresh_token: alepha23.TOptional<alepha23.TString>;
-  refresh_token_expires_in: alepha23.TOptional<alepha23.TNumber>;
-  refresh_expires_in: alepha23.TOptional<alepha23.TNumber>;
-  id_token: alepha23.TOptional<alepha23.TString>;
-  scope: alepha23.TOptional<alepha23.TString>;
-}>;
-type Tokens = Static<typeof tokensSchema>;
-//#endregion
-//#region src/server-auth/providers/ServerAuthProvider.d.ts
-declare class ServerAuthProvider {
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly serverCookiesProvider: ServerCookiesProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly serverLinksProvider: ServerLinksProvider;
-  protected readonly authorizationCode: AbstractCookieDescriptor<alepha23.TObject<{
-    provider: alepha23.TString;
-    codeVerifier: alepha23.TOptional<alepha23.TString>;
-    redirectUri: alepha23.TOptional<alepha23.TString>;
-    state: alepha23.TOptional<alepha23.TString>;
-    nonce: alepha23.TOptional<alepha23.TString>;
-  }>>;
-  readonly tokens: AbstractCookieDescriptor<alepha23.TObject<{
-    provider: alepha23.TString;
-    access_token: alepha23.TString;
-    issued_at: alepha23.TNumber;
-    expires_in: alepha23.TOptional<alepha23.TNumber>;
-    refresh_token: alepha23.TOptional<alepha23.TString>;
-    refresh_token_expires_in: alepha23.TOptional<alepha23.TNumber>;
-    refresh_expires_in: alepha23.TOptional<alepha23.TNumber>;
-    id_token: alepha23.TOptional<alepha23.TString>;
-    scope: alepha23.TOptional<alepha23.TString>;
-  }>>;
-  get identities(): Array<AuthDescriptor>;
-  getAuthenticationProviders(filters?: {
-    realmName?: string;
-  }): AuthenticationProvider[];
-  protected readonly configure: alepha23.HookDescriptor<"configure">;
-  protected getAccessTokens(tokens: Tokens): string | undefined;
-  /**
-   * Fill request headers with access token from cookies or fallback to provider's fallback function.
-   */
-  protected readonly onRequest: alepha23.HookDescriptor<"server:onRequest">;
-  /**
-   * Convert cookies to tokens.
-   * If the tokens are expired, try to refresh them using the refresh token.
-   */
-  protected cookiesToTokens(cookies: Cookies): Promise<Tokens | undefined>;
-  protected refreshTokens(tokens: Tokens): Promise<Tokens | undefined>;
-  /**
-   * Get user information.
-   */
-  readonly userinfo: alepha_server0.RouteDescriptor<{
-    response: alepha23.TObject<{
-      user: alepha23.TOptional<alepha23.TObject<{
-        id: alepha23.TString;
-        name: alepha23.TOptional<alepha23.TString>;
-        email: alepha23.TOptional<alepha23.TString>;
-        username: alepha23.TOptional<alepha23.TString>;
-        picture: alepha23.TOptional<alepha23.TString>;
-        sessionId: alepha23.TOptional<alepha23.TString>;
-        organizations: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-        roles: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      }>>;
-      api: alepha23.TObject<{
-        prefix: alepha23.TOptional<alepha23.TString>;
-        links: alepha23.TArray<alepha23.TObject<{
-          name: alepha23.TString;
-          group: alepha23.TOptional<alepha23.TString>;
-          path: alepha23.TString;
-          method: alepha23.TOptional<alepha23.TString>;
-          requestBodyType: alepha23.TOptional<alepha23.TString>;
-          service: alepha23.TOptional<alepha23.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
-  /**
-   * Refresh a token for internal providers.
-   */
-  readonly refresh: alepha_server0.RouteDescriptor<{
-    query: alepha23.TObject<{
-      provider: alepha23.TString;
-    }>;
-    body: alepha23.TObject<{
-      refresh_token: alepha23.TString;
-      access_token: alepha23.TOptional<alepha23.TString>;
-    }>;
-    response: alepha23.TObject<{
-      provider: alepha23.TString;
-      access_token: alepha23.TString;
-      issued_at: alepha23.TNumber;
-      expires_in: alepha23.TOptional<alepha23.TNumber>;
-      refresh_token: alepha23.TOptional<alepha23.TString>;
-      refresh_token_expires_in: alepha23.TOptional<alepha23.TNumber>;
-      refresh_expires_in: alepha23.TOptional<alepha23.TNumber>;
-      id_token: alepha23.TOptional<alepha23.TString>;
-      scope: alepha23.TOptional<alepha23.TString>;
-    }>;
-  }>;
-  /**
-   * Login for local password-based authentication.
-   */
-  readonly token: alepha_server0.RouteDescriptor<{
-    query: alepha23.TObject<{
-      provider: alepha23.TString;
-    }>;
-    body: alepha23.TObject<{
-      username: alepha23.TString;
-      password: alepha23.TString;
-    }>;
-    response: alepha23.TObject<{
-      provider: alepha23.TString;
-      access_token: alepha23.TString;
-      issued_at: alepha23.TNumber;
-      expires_in: alepha23.TOptional<alepha23.TNumber>;
-      refresh_token: alepha23.TOptional<alepha23.TString>;
-      refresh_token_expires_in: alepha23.TOptional<alepha23.TNumber>;
-      refresh_expires_in: alepha23.TOptional<alepha23.TNumber>;
-      id_token: alepha23.TOptional<alepha23.TString>;
-      scope: alepha23.TOptional<alepha23.TString>;
-      user: alepha23.TObject<{
-        id: alepha23.TString;
-        name: alepha23.TOptional<alepha23.TString>;
-        email: alepha23.TOptional<alepha23.TString>;
-        username: alepha23.TOptional<alepha23.TString>;
-        picture: alepha23.TOptional<alepha23.TString>;
-        sessionId: alepha23.TOptional<alepha23.TString>;
-        organizations: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-        roles: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      }>;
-      api: alepha23.TObject<{
-        prefix: alepha23.TOptional<alepha23.TString>;
-        links: alepha23.TArray<alepha23.TObject<{
-          name: alepha23.TString;
-          group: alepha23.TOptional<alepha23.TString>;
-          path: alepha23.TString;
-          method: alepha23.TOptional<alepha23.TString>;
-          requestBodyType: alepha23.TOptional<alepha23.TString>;
-          service: alepha23.TOptional<alepha23.TString>;
-        }>>;
-      }>;
-    }>;
-  }>;
-  /**
-   * Oauth2/OIDC login route.
-   */
-  readonly login: alepha_server0.RouteDescriptor<{
-    query: alepha23.TObject<{
-      provider: alepha23.TString;
-      redirect_uri: alepha23.TOptional<alepha23.TString>;
-    }>;
-  }>;
-  /**
-   * Callback for OAuth2/OIDC providers.
-   * It handles the authorization code flow and retrieves the access token.
-   */
-  readonly callback: alepha_server0.RouteDescriptor<alepha_server0.RequestConfigSchema>;
-  /**
-   * Logout route for OAuth2/OIDC providers.
-   */
-  readonly logout: alepha_server0.RouteDescriptor<{
-    query: alepha23.TObject<{
-      post_logout_redirect_uri: alepha23.TOptional<alepha23.TString>;
-    }>;
-  }>;
-  protected provider(opts: string | {
-    provider: string;
-  }): AuthDescriptor;
-  protected setTokens(tokens: Tokens, cookies?: Cookies): void;
-}
-interface OAuth2Profile {
-  sub: string;
-  email?: string;
-  name?: string;
-  given_name?: string;
-  family_name?: string;
-  middle_name?: string;
-  nickname?: string;
-  preferred_username?: string;
-  profile?: string;
-  picture?: string;
-  website?: string;
-  email_verified?: boolean;
-  gender?: string;
-  birthdate?: string;
-  zoneinfo?: string;
-  locale?: string;
-  phone_number?: string;
-  phone_number_verified?: boolean;
-  address?: {
-    formatted?: string;
-    street_address?: string;
-    locality?: string;
-    region?: string;
-    postal_code?: string;
-    country?: string;
-  };
-  updated_at?: number;
-  [key: string]: unknown;
-}
-//#endregion
-//#region src/server-auth/descriptors/$auth.d.ts
-type AuthDescriptorOptions = {
-  /**
-   * Name of the identity provider.
-   * If not provided, it will be derived from the property key.
-   */
-  name?: string;
-  /**
-   * If true, auth provider will be skipped.
-   */
-  disabled?: boolean;
-} & (AuthExternal | AuthInternal);
-/**
- * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)
- */
-type AuthExternal = {
-  /**
-   * Only OIDC is supported for external authentication.
-   */
-  oidc: OidcOptions;
-  /**
-   * For anonymous access, this will expect a service account access token.
-   *
-   * ```ts
-   * class App {
-   *   anonymous = $serviceAccount(...);
-   *   auth = $auth({
-   *     // ... config ...
-   *     fallback: this.anonymous,
-   *   })
-   * }
-   * ```
-   */
-  fallback?: () => Async<AccessToken>;
-};
-/**
- * When using your own authentication system, e.g. using a database to store user accounts.
- * This is usually used with a custom login form.
- *
- * This relies on the `realm`, which is used to create/verify the access token.
- */
-type AuthInternal = {
-  realm: RealmDescriptor;
-} & ({
-  /**
-   * The common username/password authentication.
-   *
-   * - It uses the OAuth2 Client Credentials flow to obtain an access token.
-   *
-   * This is usually used with a custom login form on your website or mobile app.
-   */
-  credentials: CredentialsOptions;
-} | {
-  /**
-   * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
-   *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-   *
-   * This is usually used with a login button that redirects to the OAuth2 provider.
-   */
-  oauth: OAuth2Options;
-} | {
-  /**
-   * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
-   * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
-   *
-   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-   * - PCKE (Proof Key for Code Exchange) is recommended for security.
-   *
-   * This is usually used with a login button that redirects to the OIDC provider.
-   */
-  oidc: OidcOptions;
-});
-type CredentialsOptions = {
-  account: CredentialsFn;
-};
-type CredentialsFn = (credentials: Credentials) => Async<UserAccount | undefined>;
-interface Credentials {
-  username: string;
-  password: string;
-}
-interface OidcOptions {
-  /**
-   * URL of the OIDC issuer.
-   */
-  issuer: string;
-  /**
-   * Client ID for the OIDC client.
-   */
-  clientId: string;
-  /**
-   * Client secret for the OIDC client.
-   * Optional if PKCE (Proof Key for Code Exchange) is used.
-   */
-  clientSecret?: string;
-  /**
-   * Redirect URI for the OIDC client.
-   * This is where the user will be redirected after authentication.
-   */
-  redirectUri?: string;
-  /**
-   * For external auth providers only.
-   * Take the ID token instead of the access token for validation.
-   */
-  useIdToken?: boolean;
-  /**
-   * URI to redirect the user after logout.
-   */
-  logoutUri?: string;
-  /**
-   * Optional scope for the OIDC client.
-   * @default "openid profile email".
-   */
-  scope?: string;
-  account?: LinkAccountFn;
-}
-interface LinkAccountOptions {
-  access_token: string;
-  user: OAuth2Profile;
-  id_token?: string;
-  expires_in?: number;
-  scope?: string;
-}
-type LinkAccountFn = (tokens: LinkAccountOptions) => Async<UserAccount>;
-interface OAuth2Options {
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  clientId: string;
-  /**
-   * Client secret for the OAuth2 client.
-   */
-  clientSecret: string;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  authorization: string;
-  /**
-   * URL of the OAuth2 token endpoint.
-   */
-  token: string;
-  /**
-   * Function to retrieve user profile information from the OAuth2 tokens.
-   */
-  userinfo: (tokens: Tokens) => Async<OAuth2Profile>;
-  account?: LinkAccountFn;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  redirectUri?: string;
-  /**
-   * URL of the OAuth2 authorization endpoint.
-   */
-  scope?: string;
-}
-declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
-  protected readonly securityProvider: SecurityProvider;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  oauth?: Configuration;
-  get name(): string;
-  get jwks_uri(): string;
-  get scope(): string | undefined;
-  get redirect_uri(): string | undefined;
-  /**
-   * Refreshes the access token using the refresh token.
-   * Can be used on oauth2, oidc or credentials auth providers.
-   */
-  refresh(refreshToken: string, accessToken?: string): Promise<AccessTokenResponse>;
-  /**
-   * Extracts user information from the access token.
-   * This is used to create a user account from the access token.
-   */
-  user(tokens: Tokens): Promise<UserAccount>;
-  protected getUserFromIdToken(idToken: string): OAuth2Profile;
-  prepare(): Promise<void>;
-}
-type AccessToken = string | {
-  token: () => Async<string>;
-};
-interface WithLinkFn {
-  link?: (name: string) => (opts: LinkAccountOptions) => Async<UserAccount>;
-}
-interface WithLoginFn {
-  login?: (provider: string) => (creds: Credentials) => Async<UserAccount | undefined>;
-}
-//#endregion
-//#region src/server-auth/index.d.ts
-declare module "alepha" {
-  interface State {
-    /**
-     * The authenticated user account attached to the server request state.
-     *
-     * @internal
-     */
-    "alepha.server.request.user"?: UserAccount;
-  }
-}
-/**
- * Allow authentication services for server applications.
- * It provides login and logout functionalities.
- *
- * There are multiple authentication providers available (e.g., Google, GitHub).
- * You can also delegate authentication to your own OIDC/OAuth2, for example using Keycloak or Auth0.
- *
- * It's cookie-based and SSR friendly.
- *
- * @see {@link $auth}
- * @see {@link ServerAuthProvider}
- * @module alepha.server.auth
- */
-//#endregion
 //#region src/api-users/controllers/UserRealmController.d.ts
 /**
  * Controller for exposing realm configuration.
@@ -3999,7 +2602,7 @@ declare class UserRealmController {
    * Get realm configuration settings.
    * This endpoint is not exposed in the API documentation.
    */
-  readonly getRealmConfig: alepha_server0.ActionDescriptorFn<{
+  readonly getRealmConfig: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -4032,7 +2635,7 @@ declare class UserRealmController {
       }>>;
     }>;
   }>;
-  readonly checkUsernameAvailability: alepha_server0.ActionDescriptorFn<{
+  readonly checkUsernameAvailability: alepha_server0.ActionPrimitiveFn<{
     query: alepha23.TObject<{
       userRealmName: alepha23.TOptional<alepha23.TString>;
     }>;
@@ -4045,8 +2648,8 @@ declare class UserRealmController {
   }>;
 }
 //#endregion
-//#region src/api-users/descriptors/$userRealm.d.ts
-type UserRealmDescriptor = RealmDescriptor & WithLinkFn & WithLoginFn;
+//#region src/api-users/primitives/$userRealm.d.ts
+type UserRealmPrimitive = RealmPrimitive & WithLinkFn & WithLoginFn;
 /**
  * Already configured realm for user management.
  *
@@ -4060,7 +2663,7 @@ type UserRealmDescriptor = RealmDescriptor & WithLinkFn & WithLoginFn;
  * Environment Variables:
  * - `APP_SECRET`: Secret key for signing tokens (if not provided in options).
  */
-declare const $userRealm: (options?: UserRealmOptions) => UserRealmDescriptor;
+declare const $userRealm: (options?: UserRealmOptions) => UserRealmPrimitive;
 interface UserRealmOptions {
   /**
    * Secret key for signing tokens.
@@ -4073,7 +2676,7 @@ interface UserRealmOptions {
    *
    * It's already pre-configured for user management with admin and user roles.
    */
-  realm?: Partial<RealmDescriptorOptions>;
+  realm?: Partial<RealmPrimitiveOptions>;
   /**
    * Override entities.
    */
@@ -4201,386 +2804,6 @@ declare const userResourceSchema: alepha23.TObject<{
 }>;
 type UserResource = Static<typeof userResourceSchema>;
 //#endregion
-//#region src/api-files/entities/files.d.ts
-declare const files: alepha_orm204.EntityDescriptor<alepha23.TObject<{
-  id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-  version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-  createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-  blobId: alepha23.TString;
-  creator: alepha23.TOptional<alepha23.TString>;
-  creatorRealm: alepha23.TOptional<alepha23.TString>;
-  creatorName: alepha23.TOptional<alepha23.TString>;
-  bucket: alepha23.TString;
-  expirationDate: alepha23.TOptional<alepha23.TString>;
-  name: alepha23.TString;
-  size: alepha23.TNumber;
-  mimeType: alepha23.TString;
-  tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-  checksum: alepha23.TOptional<alepha23.TString>;
-}>>;
-type FileEntity = Static<typeof files.schema>;
-//#endregion
-//#region src/api-files/schemas/fileQuerySchema.d.ts
-declare const fileQuerySchema: alepha23.TObject<{
-  page: alepha23.TOptional<alepha23.TInteger>;
-  size: alepha23.TOptional<alepha23.TInteger>;
-  sort: alepha23.TOptional<alepha23.TString>;
-  bucket: alepha23.TOptional<alepha23.TString>;
-  tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-  name: alepha23.TOptional<alepha23.TString>;
-  mimeType: alepha23.TOptional<alepha23.TString>;
-  creator: alepha23.TOptional<alepha23.TString>;
-  createdAfter: alepha23.TOptional<alepha23.TString>;
-  createdBefore: alepha23.TOptional<alepha23.TString>;
-}>;
-type FileQuery = Static<typeof fileQuerySchema>;
-//#endregion
-//#region src/api-files/schemas/fileResourceSchema.d.ts
-declare const fileResourceSchema: alepha23.TObject<{
-  id: PgAttr<PgAttr<alepha23.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
-  version: PgAttr<PgAttr<alepha23.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
-  createdAt: PgAttr<PgAttr<alepha23.TString, typeof PG_CREATED_AT>, typeof PG_DEFAULT>;
-  updatedAt: PgAttr<PgAttr<alepha23.TString, typeof PG_UPDATED_AT>, typeof PG_DEFAULT>;
-  blobId: alepha23.TString;
-  creator: alepha23.TOptional<alepha23.TString>;
-  creatorRealm: alepha23.TOptional<alepha23.TString>;
-  creatorName: alepha23.TOptional<alepha23.TString>;
-  bucket: alepha23.TString;
-  expirationDate: alepha23.TOptional<alepha23.TString>;
-  name: alepha23.TString;
-  size: alepha23.TNumber;
-  mimeType: alepha23.TString;
-  tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-  checksum: alepha23.TOptional<alepha23.TString>;
-}>;
-type FileResource = Static<typeof fileResourceSchema>;
-//#endregion
-//#region src/api-files/schemas/storageStatsSchema.d.ts
-declare const storageStatsSchema: alepha23.TObject<{
-  totalSize: alepha23.TNumber;
-  totalFiles: alepha23.TNumber;
-  byBucket: alepha23.TArray<alepha23.TObject<{
-    bucket: alepha23.TString;
-    totalSize: alepha23.TNumber;
-    fileCount: alepha23.TNumber;
-  }>>;
-  byMimeType: alepha23.TArray<alepha23.TObject<{
-    mimeType: alepha23.TString;
-    fileCount: alepha23.TNumber;
-  }>>;
-}>;
-type StorageStats = Static<typeof storageStatsSchema>;
-//#endregion
-//#region src/api-files/services/FileService.d.ts
-declare class FileService {
-  protected readonly alepha: Alepha;
-  protected readonly log: alepha_logger1.Logger;
-  protected readonly fileRepository: alepha_orm204.Repository<alepha23.TObject<{
-    id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-    version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-    createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-    blobId: alepha23.TString;
-    creator: alepha23.TOptional<alepha23.TString>;
-    creatorRealm: alepha23.TOptional<alepha23.TString>;
-    creatorName: alepha23.TOptional<alepha23.TString>;
-    bucket: alepha23.TString;
-    expirationDate: alepha23.TOptional<alepha23.TString>;
-    name: alepha23.TString;
-    size: alepha23.TNumber;
-    mimeType: alepha23.TString;
-    tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-    checksum: alepha23.TOptional<alepha23.TString>;
-  }>>;
-  protected readonly dateTimeProvider: DateTimeProvider;
-  protected readonly defaultBucket: BucketDescriptor;
-  protected onUploadFile: alepha23.HookDescriptor<"bucket:file:uploaded">;
-  protected onDeleteBucketFile: alepha23.HookDescriptor<"bucket:file:deleted">;
-  /**
-   * Calculates SHA-256 checksum of a file.
-   *
-   * @param file - The file to calculate checksum for
-   * @returns Hexadecimal string representation of the SHA-256 hash
-   * @protected
-   */
-  protected calculateChecksum(file: FileLike): Promise<string>;
-  /**
-   * Gets a bucket descriptor by name.
-   *
-   * @param bucketName - The name of the bucket to retrieve (defaults to "default")
-   * @returns The bucket descriptor
-   * @throws {NotFoundError} If the bucket is not found
-   */
-  bucket(bucketName?: string): BucketDescriptor;
-  /**
-   * Finds files matching the given query criteria with pagination support.
-   * Supports filtering by bucket, tags, name, mimeType, creator, and date range.
-   *
-   * @param q - Query parameters including bucket, tags, name, mimeType, creator, date range, pagination, and sorting
-   * @returns Paginated list of file entities
-   */
-  findFiles(q?: FileQuery): Promise<Page$1<FileEntity>>;
-  /**
-   * Finds files that have expired based on their expiration date.
-   * Limited to 1000 files per call to prevent memory issues.
-   *
-   * @returns Array of expired file entities
-   */
-  findExpiredFiles(): Promise<FileEntity[]>;
-  /**
-   * Calculates an expiration date based on a TTL (time to live) duration.
-   *
-   * @param ttl - Duration like "1 day", "2 hours", etc.
-   * @returns DateTime representation of the expiration date, or undefined if no TTL provided
-   * @protected
-   */
-  protected getExpirationDate(ttl?: DurationLike): string | undefined;
-  /**
-   * Uploads a file to a bucket and creates a database record with metadata.
-   * Automatically calculates and stores the file checksum (SHA-256).
-   *
-   * @param file - The file to upload
-   * @param options - Upload options including bucket, expiration, user, and tags
-   * @param options.bucket - Target bucket name (defaults to "default")
-   * @param options.expirationDate - When the file should expire
-   * @param options.user - User performing the upload (for audit trail)
-   * @param options.tags - Tags to associate with the file
-   * @returns The created file entity with all metadata
-   * @throws {NotFoundError} If the specified bucket doesn't exist
-   */
-  uploadFile(file: FileLike, options?: {
-    expirationDate?: string | DateTime;
-    bucket?: string;
-    user?: UserAccountToken;
-    tags?: string[];
-  }): Promise<FileEntity>;
-  /**
-   * Streams a file from storage by its database ID.
-   *
-   * @param id - The database ID (UUID) of the file to stream
-   * @returns The file object ready for streaming/downloading
-   * @throws {NotFoundError} If the file doesn't exist in the database
-   * @throws {FileNotFoundError} If the file exists in database but not in storage
-   */
-  streamFile(id: string): Promise<FileLike>;
-  /**
-   * Updates file metadata (name, tags, expiration date).
-   * Does not modify the actual file content in storage.
-   *
-   * @param id - The database ID (UUID) of the file to update
-   * @param data - Partial file data to update
-   * @param data.name - New file name
-   * @param data.tags - New tags array
-   * @param data.expirationDate - New expiration date
-   * @returns The updated file entity
-   * @throws {NotFoundError} If the file doesn't exist in the database
-   */
-  updateFile(id: string, data: {
-    name?: string;
-    tags?: string[];
-    expirationDate?: DateTime | string;
-  }): Promise<FileEntity>;
-  /**
-   * Deletes a file from both storage and database.
-   * Handles cases where file is already deleted from storage gracefully.
-   * Always ensures database record is removed even if storage deletion fails.
-   *
-   * @param id - The database ID (UUID) of the file to delete
-   * @returns Success response with the deleted file ID
-   * @throws {NotFoundError} If the file doesn't exist in the database
-   */
-  deleteFile(id: string): Promise<Ok>;
-  /**
-   * Retrieves a file entity by its ID.
-   * If already an entity object, returns it as-is (convenience method).
-   *
-   * @param id - Either a UUID string or an existing FileEntity object
-   * @returns The file entity
-   * @throws {NotFoundError} If the file doesn't exist in the database
-   */
-  getFileById(id: string | FileEntity): Promise<FileEntity>;
-  /**
-   * Gets storage statistics including total size, file count, and breakdowns by bucket and MIME type.
-   *
-   * @returns Storage statistics with aggregated data
-   */
-  getStorageStats(): Promise<StorageStats>;
-  /**
-   * Converts a file entity to a file resource (API response format).
-   * Currently a pass-through, but allows for future transformation logic.
-   *
-   * @param entity - The file entity to convert
-   * @returns The file resource for API responses
-   */
-  entityToResource(entity: FileEntity): FileResource;
-}
-//#endregion
-//#region src/api-files/controllers/FileController.d.ts
-/**
- * REST API controller for file management operations.
- * Provides endpoints for uploading, downloading, listing, and deleting files.
- */
-declare class FileController {
-  protected readonly url = "/files";
-  protected readonly group = "files";
-  protected readonly fileService: FileService;
-  /**
-   * GET /files - Lists files with optional filtering and pagination.
-   * Supports filtering by bucket and tags.
-   */
-  readonly findFiles: alepha_server0.ActionDescriptorFn<{
-    query: alepha23.TObject<{
-      page: alepha23.TOptional<alepha23.TInteger>;
-      size: alepha23.TOptional<alepha23.TInteger>;
-      sort: alepha23.TOptional<alepha23.TString>;
-      bucket: alepha23.TOptional<alepha23.TString>;
-      tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      name: alepha23.TOptional<alepha23.TString>;
-      mimeType: alepha23.TOptional<alepha23.TString>;
-      creator: alepha23.TOptional<alepha23.TString>;
-      createdAfter: alepha23.TOptional<alepha23.TString>;
-      createdBefore: alepha23.TOptional<alepha23.TString>;
-    }>;
-    response: alepha23.TPage<alepha23.TObject<{
-      id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-      version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-      createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      blobId: alepha23.TString;
-      creator: alepha23.TOptional<alepha23.TString>;
-      creatorRealm: alepha23.TOptional<alepha23.TString>;
-      creatorName: alepha23.TOptional<alepha23.TString>;
-      bucket: alepha23.TString;
-      expirationDate: alepha23.TOptional<alepha23.TString>;
-      name: alepha23.TString;
-      size: alepha23.TNumber;
-      mimeType: alepha23.TString;
-      tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      checksum: alepha23.TOptional<alepha23.TString>;
-    }>>;
-  }>;
-  /**
-   * DELETE /files/:id - Deletes a file from both storage and database.
-   * Removes the file from the bucket and cleans up the database record.
-   */
-  readonly deleteFile: alepha_server0.ActionDescriptorFn<{
-    params: alepha23.TObject<{
-      id: alepha23.TString;
-    }>;
-    response: alepha23.TObject<{
-      ok: alepha23.TBoolean;
-      id: alepha23.TOptional<alepha23.TUnion<[alepha23.TString, alepha23.TInteger]>>;
-      count: alepha23.TOptional<alepha23.TNumber>;
-    }>;
-  }>;
-  /**
-   * POST /files - Uploads a new file to storage.
-   * Creates a database record with metadata and calculates checksum.
-   * Optionally specify bucket and expiration date.
-   */
-  readonly uploadFile: alepha_server0.ActionDescriptorFn<{
-    body: alepha23.TObject<{
-      file: alepha23.TFile;
-    }>;
-    query: alepha23.TObject<{
-      expirationDate: alepha23.TOptional<alepha23.TString>;
-      bucket: alepha23.TOptional<alepha23.TString>;
-    }>;
-    response: alepha23.TObject<{
-      id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-      version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-      createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      blobId: alepha23.TString;
-      creator: alepha23.TOptional<alepha23.TString>;
-      creatorRealm: alepha23.TOptional<alepha23.TString>;
-      creatorName: alepha23.TOptional<alepha23.TString>;
-      bucket: alepha23.TString;
-      expirationDate: alepha23.TOptional<alepha23.TString>;
-      name: alepha23.TString;
-      size: alepha23.TNumber;
-      mimeType: alepha23.TString;
-      tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      checksum: alepha23.TOptional<alepha23.TString>;
-    }>;
-  }>;
-  /**
-   * PATCH /files/:id - Updates file metadata.
-   * Allows updating name, tags, and expiration date without modifying file content.
-   */
-  readonly updateFile: alepha_server0.ActionDescriptorFn<{
-    params: alepha23.TObject<{
-      id: alepha23.TString;
-    }>;
-    body: alepha23.TObject<{
-      name: alepha23.TOptional<alepha23.TString>;
-      tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      expirationDate: alepha23.TOptional<alepha23.TString>;
-    }>;
-    response: alepha23.TObject<{
-      id: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_PRIMARY_KEY>, typeof alepha_orm204.PG_DEFAULT>;
-      version: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TInteger, typeof alepha_orm204.PG_VERSION>, typeof alepha_orm204.PG_DEFAULT>;
-      createdAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_CREATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      updatedAt: alepha_orm204.PgAttr<alepha_orm204.PgAttr<alepha23.TString, typeof alepha_orm204.PG_UPDATED_AT>, typeof alepha_orm204.PG_DEFAULT>;
-      blobId: alepha23.TString;
-      creator: alepha23.TOptional<alepha23.TString>;
-      creatorRealm: alepha23.TOptional<alepha23.TString>;
-      creatorName: alepha23.TOptional<alepha23.TString>;
-      bucket: alepha23.TString;
-      expirationDate: alepha23.TOptional<alepha23.TString>;
-      name: alepha23.TString;
-      size: alepha23.TNumber;
-      mimeType: alepha23.TString;
-      tags: alepha23.TOptional<alepha23.TArray<alepha23.TString>>;
-      checksum: alepha23.TOptional<alepha23.TString>;
-    }>;
-  }>;
-  /**
-   * GET /files/:id - Streams/downloads a file by its ID.
-   * Returns the file content with appropriate Content-Type header.
-   * Cached with ETag support for 1 year (immutable).
-   */
-  readonly streamFile: alepha_server0.ActionDescriptorFn<{
-    params: alepha23.TObject<{
-      id: alepha23.TString;
-    }>;
-    response: alepha23.TFile;
-  }>;
-}
-//#endregion
-//#region src/api-files/index.d.ts
-declare module "alepha/bucket" {
-  interface BucketFileOptions {
-    /**
-     * Time to live for the files in the bucket.
-     */
-    ttl?: DurationLike;
-    /**
-     * Tags for the bucket.
-     */
-    tags?: string[];
-    /**
-     * User performing the operation.
-     */
-    user?: UserAccountToken;
-    /**
-     * Whether to persist the file metadata in the database.
-     *
-     * @default true
-     */
-    persist?: boolean;
-  }
-}
-/**
- * Provides file management API endpoints for Alepha applications.
- *
- * This module includes file upload, download, storage management,
- * and file metadata operations.
- *
- * @module alepha.api.files
- */
-//#endregion
 //#region src/api-users/services/SessionService.d.ts
 declare class SessionService {
   protected readonly alepha: Alepha;
@@ -4589,7 +2812,7 @@ declare class SessionService {
   protected readonly cryptoProvider: CryptoProvider;
   protected readonly log: alepha_logger1.Logger;
   protected readonly userRealmProvider: UserRealmProvider;
-  protected readonly fileController: HttpVirtualClient<FileController>;
+  protected readonly fileController: alepha_server_links0.HttpVirtualClient<FileController>;
   users(userRealmName?: string): Repository$1<alepha23.TObject<{
     id: PgAttr<PgAttr<alepha23.TString, typeof PG_PRIMARY_KEY>, typeof PG_DEFAULT>;
     version: PgAttr<PgAttr<alepha23.TInteger, typeof PG_VERSION>, typeof PG_DEFAULT>;
@@ -4739,5 +2962,5 @@ declare class SessionService {
  */
 declare const AlephaApiUsers: alepha23.Service<alepha23.Module>;
 //#endregion
-export { $userRealm, AlephaApiUsers, CompletePasswordResetRequest, CompleteRegistrationRequest, CreateUser, CredentialService, DEFAULT_USER_REALM_NAME, IdentityController, IdentityEntity, IdentityQuery, IdentityResource, IdentityService, LoginInput, PasswordResetIntentResponse, RealmAuthSettings, RegisterInput, RegistrationIntentResponse, RegistrationService, ResetPasswordInput, ResetPasswordRequest, SessionController, SessionCrudService, SessionEntity, SessionQuery, SessionResource, SessionService, UpdateUser, UserController, UserEntity, UserQuery, UserRealm, UserRealmConfig, UserRealmController, UserRealmDescriptor, UserRealmOptions, UserRealmProvider, UserRealmRepositories, UserResource, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
+export { $userRealm, AlephaApiUsers, CompletePasswordResetRequest, CompleteRegistrationRequest, CreateUser, CredentialService, DEFAULT_USER_REALM_NAME, IdentityController, IdentityEntity, IdentityQuery, IdentityResource, IdentityService, LoginInput, PasswordResetIntentResponse, RealmAuthSettings, RegisterInput, RegistrationIntentResponse, RegistrationService, ResetPasswordInput, ResetPasswordRequest, SessionController, SessionCrudService, SessionEntity, SessionQuery, SessionResource, SessionService, UpdateUser, UserController, UserEntity, UserQuery, UserRealm, UserRealmConfig, UserRealmController, UserRealmOptions, UserRealmPrimitive, UserRealmProvider, UserRealmRepositories, UserResource, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
 //# sourceMappingURL=index.d.ts.map