npm - alepha - Versions diffs - 0.14.2 → 0.14.4 - Mend

alepha 0.14.2 → 0.14.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (405) hide show

package/README.md +1 -1
package/dist/api/audits/index.browser.js +5 -5
package/dist/api/audits/index.browser.js.map +1 -1
package/dist/api/audits/index.d.ts +706 -785
package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/audits/index.js +13 -13
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.browser.js +5 -5
package/dist/api/files/index.browser.js.map +1 -1
package/dist/api/files/index.d.ts +58 -137
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/files/index.js +71 -71
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.browser.js +5 -5
package/dist/api/jobs/index.browser.js.map +1 -1
package/dist/api/jobs/index.d.ts +29 -108
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js +10 -10
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/notifications/index.browser.js +10 -10
package/dist/api/notifications/index.browser.js.map +1 -1
package/dist/api/notifications/index.d.ts +504 -171
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/notifications/index.js +12 -12
package/dist/api/notifications/index.js.map +1 -1
package/dist/api/parameters/index.browser.js +163 -10
package/dist/api/parameters/index.browser.js.map +1 -1
package/dist/api/parameters/index.d.ts +277 -351
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +196 -91
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/users/index.browser.js +19 -19
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +787 -852
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +827 -596
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.browser.js +6 -6
package/dist/api/verifications/index.browser.js.map +1 -1
package/dist/api/verifications/index.d.ts +128 -128
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/api/verifications/index.js +6 -6
package/dist/api/verifications/index.js.map +1 -1
package/dist/bin/index.d.ts +1 -2
package/dist/bin/index.js +0 -1
package/dist/bin/index.js.map +1 -1
package/dist/cli/index.d.ts +252 -131
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +595 -395
package/dist/cli/index.js.map +1 -1
package/dist/command/index.d.ts +46 -11
package/dist/command/index.d.ts.map +1 -1
package/dist/command/index.js +99 -19
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js +40 -22
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +45 -1
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +40 -22
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +40 -22
package/dist/core/index.native.js.map +1 -1
package/dist/fake/index.js +195 -168
package/dist/fake/index.js.map +1 -1
package/dist/file/index.d.ts +8 -0
package/dist/file/index.d.ts.map +1 -1
package/dist/file/index.js +3 -0
package/dist/file/index.js.map +1 -1
package/dist/logger/index.d.ts +1 -1
package/dist/logger/index.d.ts.map +1 -1
package/dist/logger/index.js +12 -2
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.js +1 -1
package/dist/mcp/index.js.map +1 -1
package/dist/orm/index.d.ts +59 -195
package/dist/orm/index.d.ts.map +1 -1
package/dist/orm/index.js +201 -430
package/dist/orm/index.js.map +1 -1
package/dist/security/index.d.ts +1 -1
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +1 -1
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts +171 -155
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +0 -1
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cache/index.d.ts +12 -0
package/dist/server/cache/index.d.ts.map +1 -1
package/dist/server/cache/index.js +55 -2
package/dist/server/cache/index.js.map +1 -1
package/dist/server/compress/index.d.ts +6 -0
package/dist/server/compress/index.d.ts.map +1 -1
package/dist/server/compress/index.js +38 -1
package/dist/server/compress/index.js.map +1 -1
package/dist/server/core/index.browser.js +2 -2
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts +10 -10
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +7 -4
package/dist/server/core/index.js.map +1 -1
package/dist/server/links/index.browser.js +22 -6
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.d.ts +46 -44
package/dist/server/links/index.d.ts.map +1 -1
package/dist/server/links/index.js +24 -41
package/dist/server/links/index.js.map +1 -1
package/dist/server/static/index.d.ts.map +1 -1
package/dist/server/static/index.js +4 -0
package/dist/server/static/index.js.map +1 -1
package/dist/server/swagger/index.d.ts +2 -1
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +9 -5
package/dist/server/swagger/index.js.map +1 -1
package/dist/vite/index.d.ts +101 -106
package/dist/vite/index.d.ts.map +1 -1
package/dist/vite/index.js +574 -503
package/dist/vite/index.js.map +1 -1
package/dist/websocket/index.d.ts +7 -7
package/package.json +7 -7
package/src/api/audits/controllers/{AuditController.ts → AdminAuditController.ts} +5 -6
package/src/api/audits/entities/audits.ts +5 -5
package/src/api/audits/index.browser.ts +1 -1
package/src/api/audits/index.ts +3 -3
package/src/api/audits/primitives/$audit.spec.ts +276 -0
package/src/api/audits/services/AuditService.spec.ts +495 -0
package/src/api/files/__tests__/$bucket.spec.ts +91 -0
package/src/api/files/controllers/AdminFileStatsController.spec.ts +166 -0
package/src/api/files/controllers/{StorageStatsController.ts → AdminFileStatsController.ts} +2 -2
package/src/api/files/controllers/FileController.spec.ts +558 -0
package/src/api/files/controllers/FileController.ts +4 -5
package/src/api/files/entities/files.ts +5 -5
package/src/api/files/index.browser.ts +1 -1
package/src/api/files/index.ts +4 -4
package/src/api/files/jobs/FileJobs.spec.ts +52 -0
package/src/api/files/services/FileService.spec.ts +109 -0
package/src/api/jobs/__tests__/JobController.spec.ts +343 -0
package/src/api/jobs/controllers/{JobController.ts → AdminJobController.ts} +2 -2
package/src/api/jobs/entities/jobExecutions.ts +5 -5
package/src/api/jobs/index.ts +3 -3
package/src/api/jobs/primitives/$job.spec.ts +476 -0
package/src/api/notifications/controllers/{NotificationController.ts → AdminNotificationController.ts} +4 -5
package/src/api/notifications/entities/notifications.ts +5 -5
package/src/api/notifications/index.browser.ts +1 -1
package/src/api/notifications/index.ts +4 -4
package/src/api/parameters/controllers/{ConfigController.ts → AdminConfigController.ts} +46 -107
package/src/api/parameters/entities/parameters.ts +7 -17
package/src/api/parameters/index.ts +3 -3
package/src/api/parameters/primitives/$config.spec.ts +356 -0
package/src/api/parameters/schemas/activateConfigBodySchema.ts +12 -0
package/src/api/parameters/schemas/checkScheduledResponseSchema.ts +8 -0
package/src/api/parameters/schemas/configCurrentResponseSchema.ts +13 -0
package/src/api/parameters/schemas/configHistoryResponseSchema.ts +9 -0
package/src/api/parameters/schemas/configNameParamSchema.ts +10 -0
package/src/api/parameters/schemas/configNamesResponseSchema.ts +8 -0
package/src/api/parameters/schemas/configTreeNodeSchema.ts +13 -0
package/src/api/parameters/schemas/configVersionParamSchema.ts +9 -0
package/src/api/parameters/schemas/configVersionResponseSchema.ts +9 -0
package/src/api/parameters/schemas/configsByStatusResponseSchema.ts +9 -0
package/src/api/parameters/schemas/createConfigVersionBodySchema.ts +24 -0
package/src/api/parameters/schemas/index.ts +15 -0
package/src/api/parameters/schemas/parameterResponseSchema.ts +26 -0
package/src/api/parameters/schemas/parameterStatusSchema.ts +13 -0
package/src/api/parameters/schemas/rollbackConfigBodySchema.ts +15 -0
package/src/api/parameters/schemas/statusParamSchema.ts +9 -0
package/src/api/users/__tests__/EmailVerification.spec.ts +369 -0
package/src/api/users/__tests__/PasswordReset.spec.ts +550 -0
package/src/api/users/controllers/AdminIdentityController.spec.ts +365 -0
package/src/api/users/controllers/{IdentityController.ts → AdminIdentityController.ts} +3 -4
package/src/api/users/controllers/AdminSessionController.spec.ts +274 -0
package/src/api/users/controllers/{SessionController.ts → AdminSessionController.ts} +3 -4
package/src/api/users/controllers/AdminUserController.spec.ts +372 -0
package/src/api/users/controllers/AdminUserController.ts +116 -0
package/src/api/users/controllers/UserController.ts +4 -107
package/src/api/users/controllers/UserRealmController.ts +3 -0
package/src/api/users/entities/identities.ts +6 -6
package/src/api/users/entities/sessions.ts +6 -6
package/src/api/users/entities/users.ts +9 -9
package/src/api/users/index.ts +9 -6
package/src/api/users/primitives/$userRealm.ts +13 -8
package/src/api/users/services/CredentialService.spec.ts +509 -0
package/src/api/users/services/CredentialService.ts +46 -0
package/src/api/users/services/IdentityService.ts +15 -0
package/src/api/users/services/RegistrationService.spec.ts +630 -0
package/src/api/users/services/RegistrationService.ts +18 -0
package/src/api/users/services/SessionService.spec.ts +301 -0
package/src/api/users/services/SessionService.ts +110 -1
package/src/api/users/services/UserService.ts +67 -2
package/src/api/verifications/__tests__/CodeVerification.spec.ts +318 -0
package/src/api/verifications/__tests__/LinkVerification.spec.ts +279 -0
package/src/api/verifications/entities/verifications.ts +6 -6
package/src/api/verifications/jobs/VerificationJobs.spec.ts +50 -0
package/src/batch/__tests__/startup-buffering.spec.ts +458 -0
package/src/batch/primitives/$batch.spec.ts +766 -0
package/src/batch/providers/BatchProvider.spec.ts +786 -0
package/src/bin/index.ts +0 -1
package/src/bucket/__tests__/shared.ts +194 -0
package/src/bucket/primitives/$bucket.spec.ts +104 -0
package/src/bucket/providers/FileStorageProvider.spec.ts +13 -0
package/src/bucket/providers/LocalFileStorageProvider.spec.ts +77 -0
package/src/bucket/providers/MemoryFileStorageProvider.spec.ts +82 -0
package/src/cache/core/__tests__/shared.ts +377 -0
package/src/cache/core/primitives/$cache.spec.ts +111 -0
package/src/cache/redis/__tests__/cache-redis.spec.ts +70 -0
package/src/cli/apps/AlephaCli.ts +25 -6
package/src/cli/atoms/buildOptions.ts +88 -0
package/src/cli/commands/build.ts +32 -69
package/src/cli/commands/db.ts +0 -4
package/src/cli/commands/dev.ts +34 -10
package/src/cli/commands/gen/changelog.spec.ts +315 -0
package/src/cli/commands/{changelog.ts → gen/changelog.ts} +9 -9
package/src/cli/commands/gen/env.ts +53 -0
package/src/cli/commands/gen/openapi.ts +71 -0
package/src/cli/commands/gen/resource.ts +15 -0
package/src/cli/commands/gen.ts +24 -0
package/src/cli/commands/init.ts +2 -1
package/src/cli/commands/root.ts +12 -3
package/src/cli/commands/test.ts +0 -1
package/src/cli/commands/typecheck.ts +5 -0
package/src/cli/commands/verify.ts +1 -1
package/src/cli/defineConfig.ts +49 -7
package/src/cli/index.ts +2 -2
package/src/cli/services/AlephaCliUtils.ts +105 -55
package/src/cli/services/GitMessageParser.ts +1 -1
package/src/command/helpers/Asker.spec.ts +127 -0
package/src/command/helpers/Runner.spec.ts +126 -0
package/src/command/helpers/Runner.ts +1 -1
package/src/command/primitives/$command.spec.ts +1588 -0
package/src/command/primitives/$command.ts +0 -6
package/src/command/providers/CliProvider.ts +75 -27
package/src/core/Alepha.ts +87 -0
package/src/core/__tests__/Alepha-emit.spec.ts +22 -0
package/src/core/__tests__/Alepha-graph.spec.ts +93 -0
package/src/core/__tests__/Alepha-has.spec.ts +41 -0
package/src/core/__tests__/Alepha-inject.spec.ts +93 -0
package/src/core/__tests__/Alepha-register.spec.ts +81 -0
package/src/core/__tests__/Alepha-start.spec.ts +176 -0
package/src/core/__tests__/Alepha-with.spec.ts +14 -0
package/src/core/__tests__/TypeBox-usecases.spec.ts +35 -0
package/src/core/__tests__/TypeBoxLocale.spec.ts +15 -0
package/src/core/__tests__/descriptor.spec.ts +34 -0
package/src/core/__tests__/fixtures/A.ts +5 -0
package/src/core/__tests__/pagination.spec.ts +77 -0
package/src/core/helpers/jsonSchemaToTypeBox.ts +2 -2
package/src/core/primitives/$atom.spec.ts +43 -0
package/src/core/primitives/$hook.spec.ts +130 -0
package/src/core/primitives/$inject.spec.ts +175 -0
package/src/core/primitives/$module.spec.ts +115 -0
package/src/core/providers/CodecManager.spec.ts +740 -0
package/src/core/providers/EventManager.spec.ts +762 -0
package/src/core/providers/EventManager.ts +4 -0
package/src/core/providers/StateManager.spec.ts +365 -0
package/src/core/providers/TypeProvider.spec.ts +1607 -0
package/src/core/providers/TypeProvider.ts +20 -26
package/src/datetime/primitives/$interval.spec.ts +103 -0
package/src/datetime/providers/DateTimeProvider.spec.ts +86 -0
package/src/email/primitives/$email.spec.ts +175 -0
package/src/email/providers/LocalEmailProvider.spec.ts +341 -0
package/src/fake/__tests__/keyName.example.ts +40 -0
package/src/fake/__tests__/keyName.spec.ts +152 -0
package/src/fake/__tests__/module.example.ts +32 -0
package/src/fake/providers/FakeProvider.spec.ts +438 -0
package/src/file/providers/FileSystemProvider.ts +8 -0
package/src/file/providers/NodeFileSystemProvider.spec.ts +418 -0
package/src/file/providers/NodeFileSystemProvider.ts +5 -0
package/src/file/services/FileDetector.spec.ts +591 -0
package/src/lock/core/__tests__/shared.ts +190 -0
package/src/lock/core/providers/MemoryLockProvider.spec.ts +25 -0
package/src/lock/redis/providers/RedisLockProvider.spec.ts +25 -0
package/src/logger/__tests__/SimpleFormatterProvider.spec.ts +109 -0
package/src/logger/index.ts +15 -3
package/src/logger/primitives/$logger.spec.ts +108 -0
package/src/logger/services/Logger.spec.ts +295 -0
package/src/mcp/__tests__/errors.spec.ts +175 -0
package/src/mcp/__tests__/integration.spec.ts +450 -0
package/src/mcp/helpers/jsonrpc.spec.ts +380 -0
package/src/mcp/primitives/$prompt.spec.ts +468 -0
package/src/mcp/primitives/$resource.spec.ts +390 -0
package/src/mcp/primitives/$tool.spec.ts +406 -0
package/src/mcp/providers/McpServerProvider.spec.ts +797 -0
package/src/mcp/transports/StdioMcpTransport.ts +1 -1
package/src/orm/__tests__/$repository-crud.spec.ts +276 -0
package/src/orm/__tests__/$repository-hooks.spec.ts +325 -0
package/src/orm/__tests__/$repository-orderBy.spec.ts +128 -0
package/src/orm/__tests__/$repository-pagination-sort.spec.ts +149 -0
package/src/orm/__tests__/$repository-save.spec.ts +37 -0
package/src/orm/__tests__/ModelBuilder-integration.spec.ts +490 -0
package/src/orm/__tests__/ModelBuilder-types.spec.ts +186 -0
package/src/orm/__tests__/PostgresProvider.spec.ts +46 -0
package/src/orm/__tests__/delete-returning.spec.ts +256 -0
package/src/orm/__tests__/deletedAt.spec.ts +80 -0
package/src/orm/__tests__/enums.spec.ts +315 -0
package/src/orm/__tests__/execute.spec.ts +72 -0
package/src/orm/__tests__/fixtures/bigEntitySchema.ts +65 -0
package/src/orm/__tests__/fixtures/userEntitySchema.ts +27 -0
package/src/orm/__tests__/joins.spec.ts +1114 -0
package/src/orm/__tests__/page.spec.ts +287 -0
package/src/orm/__tests__/primaryKey.spec.ts +87 -0
package/src/orm/__tests__/query-date-encoding.spec.ts +402 -0
package/src/orm/__tests__/ref-auto-onDelete.spec.ts +156 -0
package/src/orm/__tests__/references.spec.ts +102 -0
package/src/orm/__tests__/security.spec.ts +710 -0
package/src/orm/__tests__/sqlite.spec.ts +111 -0
package/src/orm/__tests__/string-operators.spec.ts +429 -0
package/src/orm/__tests__/timestamps.spec.ts +388 -0
package/src/orm/__tests__/validation.spec.ts +183 -0
package/src/orm/__tests__/version.spec.ts +64 -0
package/src/orm/helpers/parseQueryString.spec.ts +196 -0
package/src/orm/index.ts +2 -8
package/src/orm/primitives/$repository.spec.ts +137 -0
package/src/orm/primitives/$sequence.spec.ts +29 -0
package/src/orm/primitives/$transaction.spec.ts +82 -0
package/src/orm/providers/drivers/BunPostgresProvider.ts +3 -3
package/src/orm/providers/drivers/BunSqliteProvider.ts +1 -1
package/src/orm/providers/drivers/CloudflareD1Provider.ts +1 -1
package/src/orm/providers/drivers/DatabaseProvider.ts +1 -1
package/src/orm/providers/drivers/NodePostgresProvider.ts +3 -3
package/src/orm/providers/drivers/NodeSqliteProvider.ts +1 -1
package/src/orm/providers/drivers/PglitePostgresProvider.ts +2 -2
package/src/orm/services/ModelBuilder.spec.ts +575 -0
package/src/orm/services/Repository.spec.ts +137 -0
package/src/queue/core/__tests__/shared.ts +143 -0
package/src/queue/core/providers/MemoryQueueProvider.spec.ts +23 -0
package/src/queue/core/providers/WorkerProvider.spec.ts +394 -0
package/src/queue/redis/providers/RedisQueueProvider.spec.ts +23 -0
package/src/redis/__tests__/redis.spec.ts +58 -0
package/src/retry/primitives/$retry.spec.ts +234 -0
package/src/retry/providers/RetryProvider.spec.ts +438 -0
package/src/router/__tests__/match.spec.ts +252 -0
package/src/router/providers/RouterProvider.spec.ts +197 -0
package/src/scheduler/__tests__/$scheduler-cron.spec.ts +25 -0
package/src/scheduler/__tests__/$scheduler-interval.spec.ts +25 -0
package/src/scheduler/__tests__/shared.ts +77 -0
package/src/security/__tests__/bug-1-wildcard-after-start.spec.ts +229 -0
package/src/security/__tests__/bug-2-password-validation.spec.ts +245 -0
package/src/security/__tests__/bug-3-regex-vulnerability.spec.ts +407 -0
package/src/security/__tests__/bug-4-oauth2-validation.spec.ts +439 -0
package/src/security/__tests__/multi-layer-permissions.spec.ts +522 -0
package/src/security/primitives/$permission.spec.ts +30 -0
package/src/security/primitives/$permission.ts +2 -2
package/src/security/primitives/$realm.spec.ts +101 -0
package/src/security/primitives/$role.spec.ts +52 -0
package/src/security/primitives/$serviceAccount.spec.ts +61 -0
package/src/security/providers/SecurityProvider.spec.ts +350 -0
package/src/server/auth/providers/ServerAuthProvider.ts +0 -2
package/src/server/cache/providers/ServerCacheProvider.spec.ts +1125 -0
package/src/server/cache/providers/ServerCacheProvider.ts +94 -9
package/src/server/compress/providers/ServerCompressProvider.spec.ts +31 -0
package/src/server/compress/providers/ServerCompressProvider.ts +63 -2
package/src/server/cookies/providers/ServerCookiesProvider.spec.ts +253 -0
package/src/server/core/__tests__/ServerRouterProvider-getRoutes.spec.ts +334 -0
package/src/server/core/__tests__/ServerRouterProvider-requestId.spec.ts +129 -0
package/src/server/core/helpers/ServerReply.ts +2 -2
package/src/server/core/primitives/$action.spec.ts +191 -0
package/src/server/core/primitives/$route.spec.ts +65 -0
package/src/server/core/providers/ServerBodyParserProvider.spec.ts +93 -0
package/src/server/core/providers/ServerLoggerProvider.spec.ts +100 -0
package/src/server/core/providers/ServerProvider.ts +14 -2
package/src/server/core/services/HttpClient.spec.ts +123 -0
package/src/server/core/services/UserAgentParser.spec.ts +111 -0
package/src/server/cors/providers/ServerCorsProvider.spec.ts +481 -0
package/src/server/health/providers/ServerHealthProvider.spec.ts +22 -0
package/src/server/helmet/providers/ServerHelmetProvider.spec.ts +105 -0
package/src/server/links/__tests__/$action.spec.ts +238 -0
package/src/server/links/__tests__/fixtures/CrudApp.ts +122 -0
package/src/server/links/__tests__/requestId.spec.ts +120 -0
package/src/server/links/primitives/$remote.spec.ts +228 -0
package/src/server/links/providers/LinkProvider.spec.ts +54 -0
package/src/server/links/providers/LinkProvider.ts +49 -3
package/src/server/links/providers/ServerLinksProvider.ts +1 -53
package/src/server/links/schemas/apiLinksResponseSchema.ts +7 -0
package/src/server/metrics/providers/ServerMetricsProvider.spec.ts +25 -0
package/src/server/multipart/providers/ServerMultipartProvider.spec.ts +528 -0
package/src/server/proxy/primitives/$proxy.spec.ts +87 -0
package/src/server/rate-limit/__tests__/ActionRateLimit.spec.ts +211 -0
package/src/server/rate-limit/providers/ServerRateLimitProvider.spec.ts +344 -0
package/src/server/security/__tests__/BasicAuth.spec.ts +684 -0
package/src/server/security/__tests__/ServerSecurityProvider-realm.spec.ts +388 -0
package/src/server/security/providers/ServerSecurityProvider.spec.ts +123 -0
package/src/server/static/primitives/$serve.spec.ts +193 -0
package/src/server/static/providers/ServerStaticProvider.ts +10 -0
package/src/server/swagger/__tests__/ui.spec.ts +52 -0
package/src/server/swagger/primitives/$swagger.spec.ts +193 -0
package/src/server/swagger/providers/ServerSwaggerProvider.ts +19 -12
package/src/sms/primitives/$sms.spec.ts +165 -0
package/src/sms/providers/LocalSmsProvider.spec.ts +224 -0
package/src/sms/providers/MemorySmsProvider.spec.ts +193 -0
package/src/thread/primitives/$thread.spec.ts +186 -0
package/src/topic/core/__tests__/shared.ts +144 -0
package/src/topic/core/providers/MemoryTopicProvider.spec.ts +23 -0
package/src/topic/redis/providers/RedisTopicProvider.spec.ts +23 -0
package/src/vite/helpers/importViteReact.ts +13 -0
package/src/vite/index.ts +1 -21
package/src/vite/plugins/viteAlephaDev.ts +32 -5
package/src/vite/plugins/viteAlephaSsrPreload.ts +222 -0
package/src/vite/tasks/buildClient.ts +11 -0
package/src/vite/tasks/buildServer.ts +47 -3
package/src/vite/tasks/devServer.ts +69 -0
package/src/vite/tasks/index.ts +2 -1
package/src/vite/tasks/runAlepha.ts +7 -1
package/src/websocket/__tests__/$websocket-new.spec.ts +195 -0
package/src/websocket/primitives/$channel.spec.ts +30 -0
package/src/cli/assets/viteConfigTs.ts +0 -14
package/src/cli/commands/run.ts +0 -24
package/src/vite/plugins/viteAlepha.ts +0 -37
package/src/vite/plugins/viteAlephaBuild.ts +0 -281

package/dist/api/users/index.js CHANGED Viewed

@@ -4,20 +4,19 @@ import { AlephaApiVerification } from "alepha/api/verifications";
 import { AlephaEmail } from "alepha/email";
 import { AlephaServerCompress } from "alepha/server/compress";
 import { AlephaServerHelmet } from "alepha/server/helmet";
-import { $entity, $repository, pageQuerySchema, parseQueryString, pg } from "alepha/orm";
 import { $action, BadRequestError, ConflictError, HttpError, UnauthorizedError, okSchema } from "alepha/server";
+import { $entity, $repository, db, pageQuerySchema, parseQueryString } from "alepha/orm";
+import { AlephaApiAudits, AuditService } from "alepha/api/audits";
 import { $logger } from "alepha/logger";
 import { $bucket } from "alepha/bucket";
+import { $client } from "alepha/server/links";
 import { randomInt, randomUUID } from "node:crypto";
 import { $cache } from "alepha/cache";
 import { DateTimeProvider } from "alepha/datetime";
 import { $realm, CryptoProvider, InvalidCredentialsError, SecurityProvider } from "alepha/security";
-import { $client } from "alepha/server/links";
 import { $authCredentials, $authGithub, $authGoogle, ServerAuthProvider, authenticationProviderSchema } from "alepha/server/auth";
 import { FileSystemProvider } from "alepha/file";
-import { AlephaApiAudits } from "alepha/api/audits";
 import { AlephaApiFiles } from "alepha/api/files";
-import { AlephaApiJobs } from "alepha/api/jobs";
 //#region ../../src/api/users/schemas/identityQuerySchema.ts
 const identityQuerySchema = t.extend(pageQuerySchema, {
@@ -31,11 +30,11 @@ const DEFAULT_USER_REALM_NAME = "default";
 const users = $entity({
 	name: "users",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
-		realm: pg.default(t.text(), DEFAULT_USER_REALM_NAME),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
+		realm: db.default(t.text(), DEFAULT_USER_REALM_NAME),
 		username: t.optional(t.shortText({
 			minLength: 3,
 			maxLength: 50,
@@ -43,12 +42,12 @@ const users = $entity({
 		})),
 		email: t.optional(t.string({ format: "email" })),
 		phoneNumber: t.optional(t.e164()),
-		roles: pg.default(t.array(t.string()), []),
+		roles: db.default(t.array(t.string()), []),
 		firstName: t.optional(t.string()),
 		lastName: t.optional(t.string()),
 		picture: t.optional(t.string()),
-		enabled: pg.default(t.boolean(), true),
-		emailVerified: pg.default(t.boolean(), false)
+		enabled: db.default(t.boolean(), true),
+		emailVerified: db.default(t.boolean(), false)
 	}),
 	indexes: [
 		{
@@ -71,11 +70,11 @@ const users = $entity({
 const identities = $entity({
 	name: "identities",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
-		userId: pg.ref(t.uuid(), () => users.cols.id),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
+		userId: db.ref(t.uuid(), () => users.cols.id),
 		password: t.optional(t.text()),
 		provider: t.text(),
 		providerUserId: t.optional(t.text()),
@@ -147,12 +146,12 @@ const realmAuthSettingsAtom = $atom({
 const sessions = $entity({
 	name: "sessions",
 	schema: t.object({
-		id: pg.primaryKey(t.uuid()),
-		version: pg.version(),
-		createdAt: pg.createdAt(),
-		updatedAt: pg.updatedAt(),
+		id: db.primaryKey(t.uuid()),
+		version: db.version(),
+		createdAt: db.createdAt(),
+		updatedAt: db.updatedAt(),
 		refreshToken: t.uuid(),
-		userId: pg.ref(t.uuid(), () => users.cols.id),
+		userId: db.ref(t.uuid(), () => users.cols.id),
 		expiresAt: t.datetime(),
 		ip: t.optional(t.text()),
 		userAgent: t.optional(t.object({
@@ -242,6 +241,7 @@ var UserRealmProvider = class {
 var IdentityService = class {
 	log = $logger();
 	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
 	identities(userRealmName) {
 		return this.userRealmProvider.identityRepository(userRealmName);
 	}
@@ -295,14 +295,25 @@ var IdentityService = class {
 			provider: identity.provider,
 			userId: identity.userId
 		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userRealm: realm.name,
+			resourceId: identity.userId,
+			description: `Identity provider disconnected: ${identity.provider}`,
+			metadata: {
+				identityId: id,
+				provider: identity.provider,
+				userId: identity.userId
+			}
+		});
 	}
 };
 //#endregion
-//#region ../../src/api/users/controllers/IdentityController.ts
-var IdentityController = class {
+//#region ../../src/api/users/controllers/AdminIdentityController.ts
+var AdminIdentityController = class {
 	url = "/identities";
-	group = "identities";
+	group = "admin:identities";
 	identityService = $inject(IdentityService);
 	/**
 	* Find identities with pagination and filtering.
@@ -313,7 +324,7 @@ var IdentityController = class {
 		description: "Find identities with pagination and filtering",
 		schema: {
 			query: t.extend(identityQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(identityResourceSchema)
+			response: t.page(identityResourceSchema)
 		},
 		handler: ({ query }) => {
 			const { userRealmName, ...q } = query;
@@ -439,10 +450,10 @@ var SessionCrudService = class {
 };
 //#endregion
-//#region ../../src/api/users/controllers/SessionController.ts
-var SessionController = class {
+//#region ../../src/api/users/controllers/AdminSessionController.ts
+var AdminSessionController = class {
 	url = "/sessions";
-	group = "sessions";
+	group = "admin:sessions";
 	sessionService = $inject(SessionCrudService);
 	/**
 	* Find sessions with pagination and filtering.
@@ -453,7 +464,7 @@ var SessionController = class {
 		description: "Find sessions with pagination and filtering",
 		schema: {
 			query: t.extend(sessionQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(sessionResourceSchema)
+			response: t.page(sessionResourceSchema)
 		},
 		handler: ({ query }) => {
 			const { userRealmName, ...q } = query;
@@ -497,92 +508,10 @@ var SessionController = class {
 	});
 };
-//#endregion
-//#region ../../src/api/users/schemas/completePasswordResetRequestSchema.ts
-/**
-* Request schema for completing a password reset.
-*
-* Requires the intent ID from Phase 1, the verification code,
-* and the new password.
-*/
-const completePasswordResetRequestSchema = t.object({
-	intentId: t.uuid({ description: "The intent ID from createPasswordResetIntent" }),
-	code: t.string({ description: "6-digit verification code sent via email" }),
-	newPassword: t.string({
-		minLength: 8,
-		description: "New password (minimum 8 characters)"
-	})
-});
-//#endregion
-//#region ../../src/api/users/schemas/completeRegistrationRequestSchema.ts
-const completeRegistrationRequestSchema = t.object({
-	intentId: t.uuid({ description: "The registration intent ID from the first phase" }),
-	emailCode: t.optional(t.string({ description: "Email verification code (if email verification required)" })),
-	phoneCode: t.optional(t.string({ description: "Phone verification code (if phone verification required)" })),
-	captchaToken: t.optional(t.string({ description: "Captcha token (if captcha required)" }))
-});
 //#endregion
 //#region ../../src/api/users/schemas/createUserSchema.ts
 const createUserSchema = t.omit(users.insertSchema, ["realm"]);
-//#endregion
-//#region ../../src/api/users/schemas/passwordResetIntentResponseSchema.ts
-/**
-* Response schema for password reset intent creation.
-*
-* Contains the intent ID needed for Phase 2 completion,
-* along with expiration time.
-*/
-const passwordResetIntentResponseSchema = t.object({
-	intentId: t.uuid({ description: "Unique identifier for this password reset intent" }),
-	expiresAt: t.datetime({ description: "ISO timestamp when this intent expires" })
-});
-//#endregion
-//#region ../../src/api/users/schemas/registerQuerySchema.ts
-/**
-* Schema for user registration query parameters.
-* Allows specifying a custom user realm.
-*/
-const registerQuerySchema = t.object({ userRealmName: t.optional(t.text({ description: "The user realm to register the user in (defaults to 'default')" })) });
-//#endregion
-//#region ../../src/api/users/schemas/registerRequestSchema.ts
-/**
-* Schema for user registration request body.
-* Password is always required, other fields depend on realm settings.
-*/
-const registerRequestSchema = t.object({
-	password: t.string({
-		minLength: 8,
-		description: "Password for the account"
-	}),
-	username: t.optional(t.string({
-		minLength: 3,
-		description: "Unique username for the account"
-	})),
-	email: t.optional(t.string({
-		format: "email",
-		description: "User's email address"
-	})),
-	phoneNumber: t.optional(t.string({ description: "User's phone number" })),
-	firstName: t.optional(t.string({ description: "User's first name" })),
-	lastName: t.optional(t.string({ description: "User's last name" })),
-	picture: t.optional(t.string({ description: "User's profile picture URL" }))
-});
-//#endregion
-//#region ../../src/api/users/schemas/registrationIntentResponseSchema.ts
-const registrationIntentResponseSchema = t.object({
-	intentId: t.uuid({ description: "Unique identifier for the registration intent" }),
-	expectCaptcha: t.boolean({ description: "Whether captcha verification is required" }),
-	expectEmailVerification: t.boolean({ description: "Whether email verification is required" }),
-	expectPhoneVerification: t.boolean({ description: "Whether phone verification is required" }),
-	expiresAt: t.datetime({ description: "When the registration intent expires" })
-});
 //#endregion
 //#region ../../src/api/users/schemas/updateUserSchema.ts
 const updateUserSchema = t.partial(t.omit(users.insertSchema, [
@@ -738,136 +667,578 @@ var UserNotifications = class {
 };
 //#endregion
-//#region ../../src/api/users/services/CredentialService.ts
-const INTENT_TTL_MINUTES$1 = 10;
-var CredentialService = class {
+//#region ../../src/api/users/services/UserService.ts
+var UserService = class {
 	log = $logger();
-	cryptoProvider = $inject(CryptoProvider);
-	dateTimeProvider = $inject(DateTimeProvider);
 	verificationController = $client();
 	userNotifications = $inject(UserNotifications);
 	userRealmProvider = $inject(UserRealmProvider);
-	intentCache = $cache({
-		name: "password-reset-intents",
-		ttl: [INTENT_TTL_MINUTES$1, "minutes"]
-	});
+	auditService = $inject(AuditService);
 	users(userRealmName) {
 		return this.userRealmProvider.userRepository(userRealmName);
 	}
-	sessions(userRealmName) {
-		return this.userRealmProvider.sessionRepository(userRealmName);
-	}
-	identities(userRealmName) {
-		return this.userRealmProvider.identityRepository(userRealmName);
-	}
 	/**
-	* Phase 1: Create a password reset intent.
-	*
-	* Validates the email, checks for existing user with credentials,
-	* sends verification code, and stores the intent in cache.
-	*
-	* @param email - User's email address
-	* @param userRealmName - Optional realm name
-	* @returns Intent response with intentId and expiration (always returns for security)
+	* Request email verification for a user.
+	* @param email - The email address to verify.
+	* @param userRealmName - Optional realm name.
+	* @param method - The verification method: "code" (default) or "link".
+	* @param verifyUrl - Base URL for verification link (required when method is "link").
 	*/
-	async createPasswordResetIntent(email, userRealmName) {
-		this.log.trace("Creating password reset intent", {
+	async requestEmailVerification(email, userRealmName, method = "code", verifyUrl) {
+		this.log.trace("Requesting email verification", {
 			email,
-			userRealmName
+			userRealmName,
+			method
 		});
-		const intentId = randomUUID();
-		const expiresAt = this.dateTimeProvider.now().add(INTENT_TTL_MINUTES$1, "minutes").toISOString();
 		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
 		if (!user) {
-			this.log.debug("Password reset requested for non-existent email", { email });
-			return {
-				intentId,
-				expiresAt
-			};
+			this.log.debug("Email verification requested for non-existent user", { email });
+			return true;
 		}
-		const identity = await this.identities(userRealmName).findOne({ where: {
-			userId: { eq: user.id },
-			provider: { eq: "credentials" }
-		} }).catch(() => void 0);
-		if (!identity) {
-			this.log.debug("Password reset requested for user without credentials", { userId: user.id });
-			return {
-				intentId,
-				expiresAt
-			};
+		if (user.emailVerified) {
+			this.log.debug("Email verification requested for already verified user", {
+				email,
+				userId: user.id
+			});
+			return true;
 		}
 		try {
 			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
+				params: { type: method },
 				body: { target: email }
 			});
-			await this.userNotifications.passwordReset.push({
-				contact: email,
-				variables: {
+			if (method === "link") {
+				const url = new URL(verifyUrl || "/verify-email", "http://localhost");
+				url.searchParams.set("email", email);
+				url.searchParams.set("token", verification.token);
+				const fullVerifyUrl = verifyUrl ? `${verifyUrl}${url.search}` : url.pathname + url.search;
+				await this.userNotifications.emailVerificationLink.push({
+					contact: email,
+					variables: {
+						email,
+						verifyUrl: fullVerifyUrl,
+						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+					}
+				});
+				this.log.debug("Email verification link sent", {
 					email,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			const intent = {
+					userId: user.id
+				});
+			} else {
+				await this.userNotifications.emailVerification.push({
+					contact: email,
+					variables: {
+						email,
+						code: verification.token,
+						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+					}
+				});
+				this.log.debug("Email verification code sent", {
+					email,
+					userId: user.id
+				});
+			}
+		} catch (error) {
+			this.log.warn("Failed to send email verification", {
 				email,
-				userId: user.id,
-				identityId: identity.id,
-				realmName: userRealmName,
-				expiresAt
-			};
-			await this.intentCache.set(intentId, intent);
-			this.log.info("Password reset intent created", {
-				intentId,
-				userId: user.id,
-				email
+				error
 			});
-		} catch (error) {
-			this.log.warn("Failed to create password reset verification", error);
 		}
-		return {
-			intentId,
-			expiresAt
-		};
+		return true;
 	}
 	/**
-	* Phase 2: Complete password reset using an intent.
-	*
-	* Validates the verification code, updates the password,
-	* and invalidates all existing sessions.
-	*
-	* @param body - Request body with intentId, code, and newPassword
+	* Verify a user's email using a valid verification token.
+	* Supports both code (6-digit) and link (UUID) verification tokens.
 	*/
-	async completePasswordReset(body) {
-		this.log.trace("Completing password reset", { intentId: body.intentId });
-		const intent = await this.intentCache.get(body.intentId);
-		if (!intent) {
-			this.log.warn("Invalid or expired password reset intent", { intentId: body.intentId });
-			throw new HttpError({
-				status: 410,
-				message: "Invalid or expired password reset intent"
-			});
-		}
+	async verifyEmail(email, token, userRealmName) {
+		this.log.trace("Verifying email", {
+			email,
+			userRealmName
+		});
+		const type = /^\d{6}$/.test(token) ? "code" : "link";
 		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
+			params: { type },
 			body: {
-				target: intent.email,
-				token: body.code
+				target: email,
+				token
 			}
 		}).catch(() => {
-			this.log.warn("Invalid verification code for password reset", {
-				intentId: body.intentId,
-				email: intent.email
+			this.log.warn("Invalid email verification token", {
+				email,
+				type
 			});
-			throw new BadRequestError("Invalid or expired verification code");
+			throw new BadRequestError("Invalid or expired verification token");
 		})).alreadyVerified) {
-			this.log.warn("Verification code reuse attempt", {
-				intentId: body.intentId,
-				email: intent.email
-			});
-			throw new BadRequestError("Verification code has already been used");
+			this.log.warn("Email verification token already used", { email });
+			throw new BadRequestError("Invalid or expired verification token");
 		}
-		await this.intentCache.invalidate(body.intentId);
+		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } });
+		await this.users(userRealmName).updateById(user.id, { emailVerified: true });
+		this.log.info("Email verified", {
+			email,
+			userId: user.id,
+			type
+		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "Email verified",
+			metadata: {
+				email,
+				verificationType: type
+			}
+		});
+	}
+	/**
+	* Check if an email is verified.
+	*/
+	async isEmailVerified(email, userRealmName) {
+		this.log.trace("Checking if email is verified", {
+			email,
+			userRealmName
+		});
+		return (await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0))?.emailVerified ?? false;
+	}
+	/**
+	* Find users with pagination and filtering.
+	*/
+	async findUsers(q = {}, userRealmName) {
+		this.log.trace("Finding users", {
+			query: q,
+			userRealmName
+		});
+		q.sort ??= "-createdAt";
+		const where = this.users(userRealmName).createQueryWhere();
+		if (q.email) where.email = { like: q.email };
+		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
+		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
+		if (q.roles) where.roles = { arrayContains: q.roles };
+		if (q.query) Object.assign(where, parseQueryString(q.query));
+		const result = await this.users(userRealmName).paginate(q, { where }, { count: true });
+		this.log.debug("Users found", {
+			count: result.content.length,
+			total: result.page.totalElements
+		});
+		return result;
+	}
+	/**
+	* Get a user by ID.
+	*/
+	async getUserById(id, userRealmName) {
+		this.log.trace("Getting user by ID", {
+			id,
+			userRealmName
+		});
+		return await this.users(userRealmName).findById(id);
+	}
+	/**
+	* Create a new user.
+	*/
+	async createUser(data, userRealmName) {
+		this.log.trace("Creating user", {
+			username: data.username,
+			email: data.email,
+			userRealmName
+		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		if (data.username) {
+			if (await this.users(userRealmName).findOne({ where: { username: { eq: data.username } } }).catch(() => void 0)) {
+				this.log.debug("Username already taken", { username: data.username });
+				throw new BadRequestError("User with this username already exists");
+			}
+		}
+		if (data.email) {
+			if (await this.users(userRealmName).findOne({ where: { email: { eq: data.email } } }).catch(() => void 0)) {
+				this.log.debug("Email already taken", { email: data.email });
+				throw new BadRequestError("User with this email already exists");
+			}
+		}
+		if (data.phoneNumber) {
+			if (await this.users(userRealmName).findOne({ where: { phoneNumber: { eq: data.phoneNumber } } }).catch(() => void 0)) {
+				this.log.debug("Phone number already taken", { phoneNumber: data.phoneNumber });
+				throw new BadRequestError("User with this phone number already exists");
+			}
+		}
+		const user = await this.users(userRealmName).create({
+			...data,
+			roles: data.roles ?? ["user"],
+			realm: realm.name
+		});
+		this.log.info("User created", {
+			userId: user.id,
+			username: user.username,
+			email: user.email
+		});
+		await this.auditService.recordUser("create", {
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "User created",
+			metadata: {
+				username: user.username,
+				email: user.email,
+				roles: user.roles
+			}
+		});
+		return user;
+	}
+	/**
+	* Update an existing user.
+	*/
+	async updateUser(id, data, userRealmName) {
+		this.log.trace("Updating user", {
+			id,
+			userRealmName
+		});
+		const before = await this.getUserById(id, userRealmName);
+		const user = await this.users(userRealmName).updateById(id, data);
+		this.log.debug("User updated", { userId: id });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		const changes = {};
+		for (const key of Object.keys(data)) if (data[key] !== void 0 && before[key] !== data[key]) changes[key] = {
+			from: before[key],
+			to: data[key]
+		};
+		const isRoleChange = data.roles !== void 0 && JSON.stringify(before.roles) !== JSON.stringify(data.roles);
+		await this.auditService.recordUser(isRoleChange ? "role_change" : "update", {
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: isRoleChange ? "User roles changed" : `User updated: ${Object.keys(changes).join(", ")}`,
+			metadata: { changes }
+		});
+		return user;
+	}
+	/**
+	* Delete a user by ID.
+	*/
+	async deleteUser(id, userRealmName) {
+		this.log.trace("Deleting user", {
+			id,
+			userRealmName
+		});
+		const user = await this.getUserById(id, userRealmName);
+		await this.users(userRealmName).deleteById(id);
+		this.log.info("User deleted", { userId: id });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("delete", {
+			userRealm: realm.name,
+			resourceId: id,
+			severity: "warning",
+			description: "User deleted",
+			metadata: {
+				username: user.username,
+				email: user.email
+			}
+		});
+	}
+};
+//#endregion
+//#region ../../src/api/users/controllers/AdminUserController.ts
+var AdminUserController = class {
+	url = "/users";
+	group = "admin:users";
+	userService = $inject(UserService);
+	/**
+	* Find users with pagination and filtering.
+	*/
+	findUsers = $action({
+		path: this.url,
+		group: this.group,
+		description: "Find users with pagination and filtering",
+		schema: {
+			query: t.extend(userQuerySchema, { userRealmName: t.optional(t.string()) }),
+			response: t.page(userResourceSchema)
+		},
+		handler: ({ query }) => {
+			const { userRealmName, ...q } = query;
+			return this.userService.findUsers(q, userRealmName);
+		}
+	});
+	/**
+	* Get a user by ID.
+	*/
+	getUser = $action({
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Get a user by ID",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			response: userResourceSchema
+		},
+		handler: ({ params, query }) => this.userService.getUserById(params.id, query.userRealmName)
+	});
+	/**
+	* Create a new user.
+	*/
+	createUser = $action({
+		method: "POST",
+		path: this.url,
+		group: this.group,
+		description: "Create a new user",
+		schema: {
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			body: createUserSchema,
+			response: userResourceSchema
+		},
+		handler: ({ body, query }) => this.userService.createUser(body, query.userRealmName)
+	});
+	/**
+	* Update a user.
+	*/
+	updateUser = $action({
+		method: "PATCH",
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Update a user",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			body: updateUserSchema,
+			response: userResourceSchema
+		},
+		handler: ({ params, body, query }) => this.userService.updateUser(params.id, body, query.userRealmName)
+	});
+	/**
+	* Delete a user.
+	*/
+	deleteUser = $action({
+		method: "DELETE",
+		path: `${this.url}/:id`,
+		group: this.group,
+		description: "Delete a user",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			response: okSchema
+		},
+		handler: async ({ params, query }) => {
+			await this.userService.deleteUser(params.id, query.userRealmName);
+			return {
+				ok: true,
+				id: params.id
+			};
+		}
+	});
+};
+//#endregion
+//#region ../../src/api/users/schemas/completePasswordResetRequestSchema.ts
+/**
+* Request schema for completing a password reset.
+*
+* Requires the intent ID from Phase 1, the verification code,
+* and the new password.
+*/
+const completePasswordResetRequestSchema = t.object({
+	intentId: t.uuid({ description: "The intent ID from createPasswordResetIntent" }),
+	code: t.string({ description: "6-digit verification code sent via email" }),
+	newPassword: t.string({
+		minLength: 8,
+		description: "New password (minimum 8 characters)"
+	})
+});
+//#endregion
+//#region ../../src/api/users/schemas/completeRegistrationRequestSchema.ts
+const completeRegistrationRequestSchema = t.object({
+	intentId: t.uuid({ description: "The registration intent ID from the first phase" }),
+	emailCode: t.optional(t.string({ description: "Email verification code (if email verification required)" })),
+	phoneCode: t.optional(t.string({ description: "Phone verification code (if phone verification required)" })),
+	captchaToken: t.optional(t.string({ description: "Captcha token (if captcha required)" }))
+});
+//#endregion
+//#region ../../src/api/users/schemas/passwordResetIntentResponseSchema.ts
+/**
+* Response schema for password reset intent creation.
+*
+* Contains the intent ID needed for Phase 2 completion,
+* along with expiration time.
+*/
+const passwordResetIntentResponseSchema = t.object({
+	intentId: t.uuid({ description: "Unique identifier for this password reset intent" }),
+	expiresAt: t.datetime({ description: "ISO timestamp when this intent expires" })
+});
+//#endregion
+//#region ../../src/api/users/schemas/registerQuerySchema.ts
+/**
+* Schema for user registration query parameters.
+* Allows specifying a custom user realm.
+*/
+const registerQuerySchema = t.object({ userRealmName: t.optional(t.text({ description: "The user realm to register the user in (defaults to 'default')" })) });
+//#endregion
+//#region ../../src/api/users/schemas/registerRequestSchema.ts
+/**
+* Schema for user registration request body.
+* Password is always required, other fields depend on realm settings.
+*/
+const registerRequestSchema = t.object({
+	password: t.string({
+		minLength: 8,
+		description: "Password for the account"
+	}),
+	username: t.optional(t.string({
+		minLength: 3,
+		description: "Unique username for the account"
+	})),
+	email: t.optional(t.string({
+		format: "email",
+		description: "User's email address"
+	})),
+	phoneNumber: t.optional(t.string({ description: "User's phone number" })),
+	firstName: t.optional(t.string({ description: "User's first name" })),
+	lastName: t.optional(t.string({ description: "User's last name" })),
+	picture: t.optional(t.string({ description: "User's profile picture URL" }))
+});
+//#endregion
+//#region ../../src/api/users/schemas/registrationIntentResponseSchema.ts
+const registrationIntentResponseSchema = t.object({
+	intentId: t.uuid({ description: "Unique identifier for the registration intent" }),
+	expectCaptcha: t.boolean({ description: "Whether captcha verification is required" }),
+	expectEmailVerification: t.boolean({ description: "Whether email verification is required" }),
+	expectPhoneVerification: t.boolean({ description: "Whether phone verification is required" }),
+	expiresAt: t.datetime({ description: "When the registration intent expires" })
+});
+//#endregion
+//#region ../../src/api/users/services/CredentialService.ts
+const INTENT_TTL_MINUTES$1 = 10;
+var CredentialService = class {
+	log = $logger();
+	cryptoProvider = $inject(CryptoProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	verificationController = $client();
+	userNotifications = $inject(UserNotifications);
+	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
+	intentCache = $cache({
+		name: "password-reset-intents",
+		ttl: [INTENT_TTL_MINUTES$1, "minutes"]
+	});
+	users(userRealmName) {
+		return this.userRealmProvider.userRepository(userRealmName);
+	}
+	sessions(userRealmName) {
+		return this.userRealmProvider.sessionRepository(userRealmName);
+	}
+	identities(userRealmName) {
+		return this.userRealmProvider.identityRepository(userRealmName);
+	}
+	/**
+	* Phase 1: Create a password reset intent.
+	*
+	* Validates the email, checks for existing user with credentials,
+	* sends verification code, and stores the intent in cache.
+	*
+	* @param email - User's email address
+	* @param userRealmName - Optional realm name
+	* @returns Intent response with intentId and expiration (always returns for security)
+	*/
+	async createPasswordResetIntent(email, userRealmName) {
+		this.log.trace("Creating password reset intent", {
+			email,
+			userRealmName
+		});
+		const intentId = randomUUID();
+		const expiresAt = this.dateTimeProvider.now().add(INTENT_TTL_MINUTES$1, "minutes").toISOString();
+		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
+		if (!user) {
+			this.log.debug("Password reset requested for non-existent email", { email });
+			return {
+				intentId,
+				expiresAt
+			};
+		}
+		const identity = await this.identities(userRealmName).findOne({ where: {
+			userId: { eq: user.id },
+			provider: { eq: "credentials" }
+		} }).catch(() => void 0);
+		if (!identity) {
+			this.log.debug("Password reset requested for user without credentials", { userId: user.id });
+			return {
+				intentId,
+				expiresAt
+			};
+		}
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: email }
+			});
+			await this.userNotifications.passwordReset.push({
+				contact: email,
+				variables: {
+					email,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			const intent = {
+				email,
+				userId: user.id,
+				identityId: identity.id,
+				realmName: userRealmName,
+				expiresAt
+			};
+			await this.intentCache.set(intentId, intent);
+			this.log.info("Password reset intent created", {
+				intentId,
+				userId: user.id,
+				email
+			});
+		} catch (error) {
+			this.log.warn("Failed to create password reset verification", error);
+		}
+		return {
+			intentId,
+			expiresAt
+		};
+	}
+	/**
+	* Phase 2: Complete password reset using an intent.
+	*
+	* Validates the verification code, updates the password,
+	* and invalidates all existing sessions.
+	*
+	* @param body - Request body with intentId, code, and newPassword
+	*/
+	async completePasswordReset(body) {
+		this.log.trace("Completing password reset", { intentId: body.intentId });
+		const intent = await this.intentCache.get(body.intentId);
+		if (!intent) {
+			this.log.warn("Invalid or expired password reset intent", { intentId: body.intentId });
+			throw new HttpError({
+				status: 410,
+				message: "Invalid or expired password reset intent"
+			});
+		}
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: intent.email,
+				token: body.code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid verification code for password reset", {
+				intentId: body.intentId,
+				email: intent.email
+			});
+			throw new BadRequestError("Invalid or expired verification code");
+		})).alreadyVerified) {
+			this.log.warn("Verification code reuse attempt", {
+				intentId: body.intentId,
+				email: intent.email
+			});
+			throw new BadRequestError("Verification code has already been used");
+		}
+		await this.intentCache.invalidate(body.intentId);
 		const hashedPassword = await this.cryptoProvider.hashPassword(body.newPassword);
 		await this.identities(intent.realmName).updateById(intent.identityId, { password: hashedPassword });
 		await this.sessions(intent.realmName).deleteMany({ userId: { eq: intent.userId } });
@@ -875,6 +1246,23 @@ var CredentialService = class {
 			userId: intent.userId,
 			email: intent.email
 		});
+		const realm = this.userRealmProvider.getRealm(intent.realmName);
+		await this.auditService.recordUser("update", {
+			userId: intent.userId,
+			userEmail: intent.email,
+			userRealm: realm.name,
+			resourceId: intent.userId,
+			description: "Password reset completed",
+			metadata: { email: intent.email }
+		});
+		await this.auditService.record("security", "sessions_invalidated", {
+			userId: intent.userId,
+			userEmail: intent.email,
+			userRealm: realm.name,
+			resourceId: intent.userId,
+			severity: "warning",
+			description: "All sessions invalidated after password reset"
+		});
 	}
 	/**
 	* @deprecated Use createPasswordResetIntent instead
@@ -917,6 +1305,23 @@ var CredentialService = class {
 		const hashedPassword = await this.cryptoProvider.hashPassword(newPassword);
 		await this.identities(userRealmName).updateById(identity.id, { password: hashedPassword });
 		await this.sessions(userRealmName).deleteMany({ userId: { eq: user.id } });
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("update", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "Password reset completed (legacy)",
+			metadata: { email }
+		});
+		await this.auditService.record("security", "sessions_invalidated", {
+			userId: user.id,
+			userEmail: email,
+			userRealm: realm.name,
+			resourceId: user.id,
+			severity: "warning",
+			description: "All sessions invalidated after password reset"
+		});
 	}
 };
@@ -930,6 +1335,7 @@ var RegistrationService = class {
 	verificationController = $client();
 	userNotifications = $inject(UserNotifications);
 	userRealmProvider = $inject(UserRealmProvider);
+	auditService = $inject(AuditService);
 	intentCache = $cache({
 		name: "registration-intents",
 		ttl: [INTENT_TTL_MINUTES, "minutes"]
@@ -1071,6 +1477,20 @@ var RegistrationService = class {
 			email: user.email,
 			username: user.username
 		});
+		const realm = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordUser("create", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: "User registered",
+			metadata: {
+				username: user.username,
+				email: user.email,
+				emailVerified: user.emailVerified,
+				registrationMethod: "credentials"
+			}
+		});
 		return user;
 	}
 	/**
@@ -1092,317 +1512,95 @@ var RegistrationService = class {
 		}
 		if (body.phoneNumber) {
 			if (await userRepository.findOne({ where: { phoneNumber: { eq: body.phoneNumber } } }).catch(() => void 0)) {
-				this.log.debug("Phone number already taken", { phoneNumber: body.phoneNumber });
-				throw new ConflictError("User with this phone number already exists");
-			}
-		}
-	}
-	/**
-	* Send email verification code.
-	*/
-	async sendEmailVerification(email) {
-		this.log.debug("Sending email verification code", { email });
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
-				body: { target: email }
-			});
-			await this.userNotifications.emailVerification.push({
-				contact: email,
-				variables: {
-					email,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			this.log.debug("Email verification code sent", { email });
-		} catch (error) {
-			this.log.warn("Failed to send email verification code", error);
-		}
-	}
-	/**
-	* Send phone verification code.
-	*/
-	async sendPhoneVerification(phoneNumber) {
-		this.log.debug("Sending phone verification code", { phoneNumber });
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: "code" },
-				body: { target: phoneNumber }
-			});
-			await this.userNotifications.phoneVerification.push({
-				contact: phoneNumber,
-				variables: {
-					phoneNumber,
-					code: verification.token,
-					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-				}
-			});
-			this.log.debug("Phone verification code sent", { phoneNumber });
-		} catch (error) {
-			this.log.warn("Failed to send phone verification code", {
-				phoneNumber,
-				error
-			});
-		}
-	}
-	/**
-	* Verify email code using verification service.
-	*/
-	async verifyEmailCode(email, code) {
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
-			body: {
-				target: email,
-				token: code
-			}
-		}).catch(() => {
-			this.log.warn("Invalid email verification code", { email });
-			throw new BadRequestError("Invalid or expired email verification code");
-		})).alreadyVerified) {
-			this.log.warn("Email verification code already used", { email });
-			throw new BadRequestError("Email verification code has already been used");
-		}
-	}
-	/**
-	* Verify phone code using verification service.
-	*/
-	async verifyPhoneCode(phoneNumber, code) {
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type: "code" },
-			body: {
-				target: phoneNumber,
-				token: code
-			}
-		}).catch(() => {
-			this.log.warn("Invalid phone verification code", { phoneNumber });
-			throw new BadRequestError("Invalid or expired phone verification code");
-		})).alreadyVerified) {
-			this.log.warn("Phone verification code already used", { phoneNumber });
-			throw new BadRequestError("Phone verification code has already been used");
-		}
-	}
-};
-//#endregion
-//#region ../../src/api/users/services/UserService.ts
-var UserService = class {
-	log = $logger();
-	verificationController = $client();
-	userNotifications = $inject(UserNotifications);
-	userRealmProvider = $inject(UserRealmProvider);
-	users(userRealmName) {
-		return this.userRealmProvider.userRepository(userRealmName);
-	}
-	/**
-	* Request email verification for a user.
-	* @param email - The email address to verify.
-	* @param userRealmName - Optional realm name.
-	* @param method - The verification method: "code" (default) or "link".
-	* @param verifyUrl - Base URL for verification link (required when method is "link").
-	*/
-	async requestEmailVerification(email, userRealmName, method = "code", verifyUrl) {
-		this.log.trace("Requesting email verification", {
-			email,
-			userRealmName,
-			method
-		});
-		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0);
-		if (!user) {
-			this.log.debug("Email verification requested for non-existent user", { email });
-			return true;
-		}
-		if (user.emailVerified) {
-			this.log.debug("Email verification requested for already verified user", {
-				email,
-				userId: user.id
-			});
-			return true;
-		}
-		try {
-			const verification = await this.verificationController.requestVerificationCode({
-				params: { type: method },
-				body: { target: email }
-			});
-			if (method === "link") {
-				const url = new URL(verifyUrl || "/verify-email", "http://localhost");
-				url.searchParams.set("email", email);
-				url.searchParams.set("token", verification.token);
-				const fullVerifyUrl = verifyUrl ? `${verifyUrl}${url.search}` : url.pathname + url.search;
-				await this.userNotifications.emailVerificationLink.push({
-					contact: email,
-					variables: {
-						email,
-						verifyUrl: fullVerifyUrl,
-						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-					}
-				});
-				this.log.debug("Email verification link sent", {
-					email,
-					userId: user.id
-				});
-			} else {
-				await this.userNotifications.emailVerification.push({
-					contact: email,
-					variables: {
-						email,
-						code: verification.token,
-						expiresInMinutes: Math.floor(verification.codeExpiration / 60)
-					}
-				});
-				this.log.debug("Email verification code sent", {
-					email,
-					userId: user.id
-				});
-			}
-		} catch (error) {
-			this.log.warn("Failed to send email verification", {
-				email,
-				error
-			});
-		}
-		return true;
-	}
-	/**
-	* Verify a user's email using a valid verification token.
-	* Supports both code (6-digit) and link (UUID) verification tokens.
-	*/
-	async verifyEmail(email, token, userRealmName) {
-		this.log.trace("Verifying email", {
-			email,
-			userRealmName
-		});
-		const type = /^\d{6}$/.test(token) ? "code" : "link";
-		if ((await this.verificationController.validateVerificationCode({
-			params: { type },
-			body: {
-				target: email,
-				token
-			}
-		}).catch(() => {
-			this.log.warn("Invalid email verification token", {
-				email,
-				type
-			});
-			throw new BadRequestError("Invalid or expired verification token");
-		})).alreadyVerified) {
-			this.log.warn("Email verification token already used", { email });
-			throw new BadRequestError("Invalid or expired verification token");
-		}
-		const user = await this.users(userRealmName).findOne({ where: { email: { eq: email } } });
-		await this.users(userRealmName).updateById(user.id, { emailVerified: true });
-		this.log.info("Email verified", {
-			email,
-			userId: user.id,
-			type
-		});
-	}
-	/**
-	* Check if an email is verified.
-	*/
-	async isEmailVerified(email, userRealmName) {
-		this.log.trace("Checking if email is verified", {
-			email,
-			userRealmName
-		});
-		return (await this.users(userRealmName).findOne({ where: { email: { eq: email } } }).catch(() => void 0))?.emailVerified ?? false;
-	}
-	/**
-	* Find users with pagination and filtering.
-	*/
-	async findUsers(q = {}, userRealmName) {
-		this.log.trace("Finding users", {
-			query: q,
-			userRealmName
-		});
-		q.sort ??= "-createdAt";
-		const where = this.users(userRealmName).createQueryWhere();
-		if (q.email) where.email = { like: q.email };
-		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
-		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
-		if (q.roles) where.roles = { arrayContains: q.roles };
-		if (q.query) Object.assign(where, parseQueryString(q.query));
-		const result = await this.users(userRealmName).paginate(q, { where }, { count: true });
-		this.log.debug("Users found", {
-			count: result.content.length,
-			total: result.page.totalElements
-		});
-		return result;
+				this.log.debug("Phone number already taken", { phoneNumber: body.phoneNumber });
+				throw new ConflictError("User with this phone number already exists");
+			}
+		}
 	}
 	/**
-	* Get a user by ID.
+	* Send email verification code.
 	*/
-	async getUserById(id, userRealmName) {
-		this.log.trace("Getting user by ID", {
-			id,
-			userRealmName
-		});
-		return await this.users(userRealmName).findById(id);
+	async sendEmailVerification(email) {
+		this.log.debug("Sending email verification code", { email });
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: email }
+			});
+			await this.userNotifications.emailVerification.push({
+				contact: email,
+				variables: {
+					email,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			this.log.debug("Email verification code sent", { email });
+		} catch (error) {
+			this.log.warn("Failed to send email verification code", error);
+		}
 	}
 	/**
-	* Create a new user.
+	* Send phone verification code.
 	*/
-	async createUser(data, userRealmName) {
-		this.log.trace("Creating user", {
-			username: data.username,
-			email: data.email,
-			userRealmName
-		});
-		const realm = this.userRealmProvider.getRealm(userRealmName);
-		if (data.username) {
-			if (await this.users(userRealmName).findOne({ where: { username: { eq: data.username } } }).catch(() => void 0)) {
-				this.log.debug("Username already taken", { username: data.username });
-				throw new BadRequestError("User with this username already exists");
-			}
-		}
-		if (data.email) {
-			if (await this.users(userRealmName).findOne({ where: { email: { eq: data.email } } }).catch(() => void 0)) {
-				this.log.debug("Email already taken", { email: data.email });
-				throw new BadRequestError("User with this email already exists");
-			}
-		}
-		if (data.phoneNumber) {
-			if (await this.users(userRealmName).findOne({ where: { phoneNumber: { eq: data.phoneNumber } } }).catch(() => void 0)) {
-				this.log.debug("Phone number already taken", { phoneNumber: data.phoneNumber });
-				throw new BadRequestError("User with this phone number already exists");
-			}
+	async sendPhoneVerification(phoneNumber) {
+		this.log.debug("Sending phone verification code", { phoneNumber });
+		try {
+			const verification = await this.verificationController.requestVerificationCode({
+				params: { type: "code" },
+				body: { target: phoneNumber }
+			});
+			await this.userNotifications.phoneVerification.push({
+				contact: phoneNumber,
+				variables: {
+					phoneNumber,
+					code: verification.token,
+					expiresInMinutes: Math.floor(verification.codeExpiration / 60)
+				}
+			});
+			this.log.debug("Phone verification code sent", { phoneNumber });
+		} catch (error) {
+			this.log.warn("Failed to send phone verification code", {
+				phoneNumber,
+				error
+			});
 		}
-		const user = await this.users(userRealmName).create({
-			...data,
-			roles: data.roles ?? ["user"],
-			realm: realm.name
-		});
-		this.log.info("User created", {
-			userId: user.id,
-			username: user.username,
-			email: user.email
-		});
-		return user;
 	}
 	/**
-	* Update an existing user.
+	* Verify email code using verification service.
 	*/
-	async updateUser(id, data, userRealmName) {
-		this.log.trace("Updating user", {
-			id,
-			userRealmName
-		});
-		await this.getUserById(id, userRealmName);
-		const user = await this.users(userRealmName).updateById(id, data);
-		this.log.debug("User updated", { userId: id });
-		return user;
+	async verifyEmailCode(email, code) {
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: email,
+				token: code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid email verification code", { email });
+			throw new BadRequestError("Invalid or expired email verification code");
+		})).alreadyVerified) {
+			this.log.warn("Email verification code already used", { email });
+			throw new BadRequestError("Email verification code has already been used");
+		}
 	}
 	/**
-	* Delete a user by ID.
+	* Verify phone code using verification service.
 	*/
-	async deleteUser(id, userRealmName) {
-		this.log.trace("Deleting user", {
-			id,
-			userRealmName
-		});
-		await this.getUserById(id, userRealmName);
-		await this.users(userRealmName).deleteById(id);
-		this.log.info("User deleted", { userId: id });
+	async verifyPhoneCode(phoneNumber, code) {
+		if ((await this.verificationController.validateVerificationCode({
+			params: { type: "code" },
+			body: {
+				target: phoneNumber,
+				token: code
+			}
+		}).catch(() => {
+			this.log.warn("Invalid phone verification code", { phoneNumber });
+			throw new BadRequestError("Invalid or expired phone verification code");
+		})).alreadyVerified) {
+			this.log.warn("Phone verification code already used", { phoneNumber });
+			throw new BadRequestError("Phone verification code has already been used");
+		}
 	}
 };
@@ -1419,6 +1617,7 @@ var UserController = class {
 	* Validates data, creates verification sessions, and stores intent in cache.
 	*/
 	createRegistrationIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/register`,
 		secure: false,
@@ -1430,55 +1629,11 @@ var UserController = class {
 		handler: ({ body, query }) => this.registrationService.createRegistrationIntent(body, query.userRealmName)
 	});
 	/**
-	* Find users with pagination and filtering.
-	*/
-	findUsers = $action({
-		path: this.url,
-		group: this.group,
-		description: "Find users with pagination and filtering",
-		schema: {
-			query: t.extend(userQuerySchema, { userRealmName: t.optional(t.string()) }),
-			response: pg.page(userResourceSchema)
-		},
-		handler: ({ query }) => {
-			const { userRealmName, ...q } = query;
-			return this.userService.findUsers(q, userRealmName);
-		}
-	});
-	/**
-	* Get a user by ID.
-	*/
-	getUser = $action({
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Get a user by ID",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			response: userResourceSchema
-		},
-		handler: ({ params, query }) => this.userService.getUserById(params.id, query.userRealmName)
-	});
-	/**
-	* Create a new user.
-	*/
-	createUser = $action({
-		method: "POST",
-		path: this.url,
-		group: this.group,
-		description: "Create a new user",
-		schema: {
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			body: createUserSchema,
-			response: userResourceSchema
-		},
-		handler: ({ body, query }) => this.userService.createUser(body, query.userRealmName)
-	});
-	/**
 	* Phase 2: Complete registration using an intent.
 	* Validates verification codes and creates the user.
 	*/
 	createUserFromIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/register/complete`,
 		secure: false,
@@ -1489,47 +1644,11 @@ var UserController = class {
 		handler: ({ body }) => this.registrationService.completeRegistration(body)
 	});
 	/**
-	* Update a user.
-	*/
-	updateUser = $action({
-		method: "PATCH",
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Update a user",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			body: updateUserSchema,
-			response: userResourceSchema
-		},
-		handler: ({ params, body, query }) => this.userService.updateUser(params.id, body, query.userRealmName)
-	});
-	/**
-	* Delete a user.
-	*/
-	deleteUser = $action({
-		method: "DELETE",
-		path: `${this.url}/:id`,
-		group: this.group,
-		description: "Delete a user",
-		schema: {
-			params: t.object({ id: t.uuid() }),
-			query: t.object({ userRealmName: t.optional(t.string()) }),
-			response: okSchema
-		},
-		handler: async ({ params, query }) => {
-			await this.userService.deleteUser(params.id, query.userRealmName);
-			return {
-				ok: true,
-				id: params.id
-			};
-		}
-	});
-	/**
 	* Phase 1: Create a password reset intent.
 	* Validates email, sends verification code, and stores intent in cache.
 	*/
 	createPasswordResetIntent = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/password-reset`,
 		secure: false,
@@ -1545,6 +1664,7 @@ var UserController = class {
 	* Validates verification code, updates password, and invalidates sessions.
 	*/
 	completePasswordReset = $action({
+		group: this.group,
 		method: "POST",
 		path: `${this.url}/password-reset/complete`,
 		secure: false,
@@ -1727,6 +1847,7 @@ const userRealmConfigSchema = t.object({
 */
 var UserRealmController = class {
 	url = "/realms";
+	group = "realms";
 	userRealmProvider = $inject(UserRealmProvider);
 	serverAuthProvider = $inject(ServerAuthProvider);
 	/**
@@ -1734,6 +1855,7 @@ var UserRealmController = class {
 	* This endpoint is not exposed in the API documentation.
 	*/
 	getRealmConfig = $action({
+		group: this.group,
 		method: "GET",
 		path: `${this.url}/config`,
 		secure: false,
@@ -1755,6 +1877,7 @@ var UserRealmController = class {
 		}
 	});
 	checkUsernameAvailability = $action({
+		group: this.group,
 		path: `${this.url}/check-username`,
 		secure: false,
 		schema: {
@@ -1779,6 +1902,7 @@ var SessionService = class {
 	log = $logger();
 	userRealmProvider = $inject(UserRealmProvider);
 	fileController = $client();
+	auditService = $inject(AuditService);
 	users(userRealmName) {
 		return this.userRealmProvider.userRepository(userRealmName);
 	}
@@ -1818,6 +1942,14 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					description: "Invalid login identifier format",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
 			const user = await users$1.findOne({ where }).catch(() => void 0);
@@ -1827,6 +1959,14 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					description: "User not found",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
 			const identity = await identities$1.findOne({ where: {
@@ -1849,8 +1989,28 @@ var SessionService = class {
 					username,
 					realm: name
 				});
+				await this.auditService.recordAuth("login_failed", {
+					userRealm: name,
+					resourceId: user.id,
+					description: "Invalid password",
+					metadata: {
+						provider,
+						username
+					}
+				});
 				throw new InvalidCredentialsError();
 			}
+			await this.auditService.recordAuth("login", {
+				userId: user.id,
+				userEmail: user.email ?? void 0,
+				userRealm: name,
+				resourceId: user.id,
+				description: `User logged in via ${provider}`,
+				metadata: {
+					provider,
+					username
+				}
+			});
 			return user;
 		} catch (error) {
 			if (error instanceof InvalidCredentialsError) throw error;
@@ -1901,6 +2061,14 @@ var SessionService = class {
 			sessionId: session.id,
 			userId: session.userId
 		});
+		const { name } = this.userRealmProvider.getRealm(userRealmName);
+		await this.auditService.recordAuth("token_refresh", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: name,
+			sessionId: session.id,
+			description: "Session token refreshed"
+		});
 		return {
 			user,
 			expiresIn: expiresAt.unix() - now.unix(),
@@ -1909,8 +2077,18 @@ var SessionService = class {
 	}
 	async deleteSession(refreshToken, userRealmName) {
 		this.log.trace("Deleting session");
+		const session = await this.sessions(userRealmName).findOne({ where: { refreshToken: { eq: refreshToken } } }).catch(() => void 0);
 		await this.sessions(userRealmName).deleteOne({ refreshToken });
 		this.log.debug("Session deleted");
+		if (session) {
+			const { name } = this.userRealmProvider.getRealm(userRealmName);
+			await this.auditService.recordAuth("logout", {
+				userId: session.userId,
+				userRealm: name,
+				sessionId: session.id,
+				description: "User logged out"
+			});
+		}
 	}
 	async link(provider, profile, userRealmName) {
 		this.log.trace("Linking OAuth2 profile", {
@@ -1931,7 +2109,19 @@ var SessionService = class {
 				identityId: identity.id,
 				userId: identity.userId
 			});
-			return users$1.findById(identity.userId);
+			const user$1 = await users$1.findById(identity.userId);
+			await this.auditService.recordAuth("login", {
+				userId: user$1.id,
+				userEmail: user$1.email ?? void 0,
+				userRealm: realm.name,
+				resourceId: user$1.id,
+				description: `User logged in via OAuth2 (${provider})`,
+				metadata: {
+					provider,
+					providerUserId: profile.sub
+				}
+			});
+			return user$1;
 		}
 		if (!profile.email) {
 			this.log.debug("OAuth2 profile has no email, returning profile as-is", {
@@ -1956,6 +2146,18 @@ var SessionService = class {
 				providerUserId: profile.sub,
 				userId: existing.id
 			});
+			await this.auditService.recordAuth("login", {
+				userId: existing.id,
+				userEmail: existing.email ?? void 0,
+				userRealm: realm.name,
+				resourceId: existing.id,
+				description: `OAuth2 identity linked to existing user (${provider})`,
+				metadata: {
+					provider,
+					providerUserId: profile.sub,
+					linked: true
+				}
+			});
 			return existing;
 		}
 		const user = await users$1.create({
@@ -1992,6 +2194,31 @@ var SessionService = class {
 			email: user.email,
 			username: user.username
 		});
+		await this.auditService.recordUser("create", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: `User created via OAuth2 (${provider})`,
+			metadata: {
+				provider,
+				providerUserId: profile.sub,
+				username: user.username,
+				email: user.email
+			}
+		});
+		await this.auditService.recordAuth("login", {
+			userId: user.id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: user.id,
+			description: `First login via OAuth2 (${provider})`,
+			metadata: {
+				provider,
+				providerUserId: profile.sub,
+				firstLogin: true
+			}
+		});
 		return user;
 	}
 };
@@ -2017,10 +2244,13 @@ const $userRealm = (options = {}) => {
 	const securityProvider = alepha.inject(SecurityProvider);
 	const userRealmProvider = alepha.inject(UserRealmProvider);
 	const name = options.realm?.name ?? DEFAULT_USER_REALM_NAME;
+	options.settings ??= {};
+	if (options.settings.emailRequired) options.settings.emailEnabled = true;
+	if (options.settings.usernameRequired) options.settings.usernameEnabled = true;
+	if (options.settings.phoneRequired) options.settings.phoneEnabled = true;
 	const userRealm = userRealmProvider.register(name, options);
-	if (options.modules?.audits) alepha.with(AlephaApiAudits);
-	if (options.modules?.files) alepha.with(AlephaApiFiles);
-	if (options.modules?.jobs) alepha.with(AlephaApiJobs);
+	alepha.with(AlephaApiFiles);
+	alepha.with(AlephaApiAudits);
 	const realm = $realm({
 		...options.realm,
 		name,
@@ -2154,13 +2384,14 @@ const AlephaApiUsers = $module({
 		UserService,
 		IdentityService,
 		UserController,
-		SessionController,
-		IdentityController,
+		AdminUserController,
+		AdminSessionController,
+		AdminIdentityController,
 		UserRealmController,
 		UserNotifications
 	]
 });
 //#endregion
-export { $userRealm, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityController, IdentityService, RegistrationService, SessionController, SessionCrudService, SessionService, UserController, UserRealmController, UserRealmProvider, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
+export { $userRealm, AdminIdentityController, AdminSessionController, AdminUserController, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityService, RegistrationService, SessionCrudService, SessionService, UserController, UserRealmController, UserRealmProvider, UserService, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userRealmConfigSchema, userResourceSchema, users };
 //# sourceMappingURL=index.js.map