alepha 0.14.4 → 0.15.1

package/dist/server/security/index.js

@@ -1,311 +0,0 @@
-import { $hook, $inject, $module, Alepha, KIND, Primitive, createPrimitive } from "alepha";
-import { $permission, $realm, $role, AlephaSecurity, JwtProvider, SecurityProvider, userAccountInfoSchema } from "alepha/security";
-import { $action, AlephaServer, ForbiddenError, HttpError, ServerRouterProvider, UnauthorizedError } from "alepha/server";
-import { randomUUID, timingSafeEqual } from "node:crypto";
-import { $logger } from "alepha/logger";
-
-//#region ../../src/server/security/providers/ServerBasicAuthProvider.ts
-var ServerBasicAuthProvider = class {
-	alepha = $inject(Alepha);
-	log = $logger();
-	routerProvider = $inject(ServerRouterProvider);
-	realm = "Secure Area";
-	/**
-	* Registered basic auth primitives with their configurations
-	*/
-	registeredAuths = [];
-	/**
-	* Register a basic auth configuration (called by primitives)
-	*/
-	registerAuth(config) {
-		this.registeredAuths.push(config);
-	}
-	onStart = $hook({
-		on: "start",
-		handler: async () => {
-			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
-				const matchedRoutes = this.routerProvider.getRoutes(pattern);
-				for (const route of matchedRoutes) route.secure = { basic: {
-					username: auth.username,
-					password: auth.password
-				} };
-			}
-			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
-		}
-	});
-	/**
-	* Hook into server:onRequest to check basic auth
-	*/
-	onRequest = $hook({
-		on: "server:onRequest",
-		handler: async ({ route, request }) => {
-			const routeAuth = route.secure;
-			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Hook into action:onRequest to check basic auth for actions
-	*/
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request }) => {
-			const routeAuth = action.route.secure;
-			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Check basic authentication
-	*/
-	checkAuth(request, options) {
-		const authHeader = request.headers?.authorization;
-		if (!authHeader || !authHeader.startsWith("Basic ")) {
-			this.sendAuthRequired(request);
-			throw new HttpError({
-				status: 401,
-				message: "Authentication required"
-			});
-		}
-		const base64Credentials = authHeader.slice(6);
-		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
-		const colonIndex = credentials.indexOf(":");
-		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
-		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
-		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
-			this.sendAuthRequired(request);
-			this.log.warn(`Failed basic auth attempt for user`, { username });
-			throw new HttpError({
-				status: 401,
-				message: "Invalid credentials"
-			});
-		}
-	}
-	/**
-	* Performs a timing-safe comparison of credentials to prevent timing attacks.
-	* Always compares both username and password to avoid leaking which one is wrong.
-	*/
-	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
-		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
-		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
-		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
-		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
-		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
-	}
-	/**
-	* Compares two buffers in constant time, handling different lengths safely.
-	* Returns 1 if equal, 0 if not equal.
-	*/
-	safeCompare(input, expected) {
-		if (input.length !== expected.length) {
-			timingSafeEqual(input, input);
-			return 0;
-		}
-		return timingSafeEqual(input, expected) ? 1 : 0;
-	}
-	/**
-	* Send WWW-Authenticate header
-	*/
-	sendAuthRequired(request) {
-		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
-	}
-};
-const isBasicAuth = (value) => {
-	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
-};
-
-//#endregion
-//#region ../../src/server/security/primitives/$basicAuth.ts
-/**
-* Declares HTTP Basic Authentication for server routes.
-* This primitive provides methods to protect routes with username/password authentication.
-*/
-const $basicAuth = (options) => {
-	return createPrimitive(BasicAuthPrimitive, options);
-};
-var BasicAuthPrimitive = class extends Primitive {
-	serverBasicAuthProvider = $inject(ServerBasicAuthProvider);
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	onInit() {
-		this.serverBasicAuthProvider.registerAuth(this.options);
-	}
-	/**
-	* Checks basic auth for the given request using this primitive's configuration.
-	*/
-	check(request, options) {
-		const mergedOptions = {
-			...this.options,
-			...options
-		};
-		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
-	}
-};
-$basicAuth[KIND] = BasicAuthPrimitive;
-
-//#endregion
-//#region ../../src/server/security/providers/ServerSecurityProvider.ts
-var ServerSecurityProvider = class {
-	log = $logger();
-	securityProvider = $inject(SecurityProvider);
-	jwtProvider = $inject(JwtProvider);
-	alepha = $inject(Alepha);
-	onConfigure = $hook({
-		on: "configure",
-		handler: async () => {
-			for (const action of this.alepha.primitives($action)) {
-				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
-				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
-					name: action.name,
-					group: action.group,
-					method: action.route.method,
-					path: action.route.path
-				});
-			}
-		}
-	});
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request, options }) => {
-			if (action.options.secure === false && !options.user) {
-				this.log.trace("Skipping security check for route");
-				return;
-			}
-			if (isBasicAuth(action.route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
-			try {
-				request.user = this.createUserFromLocalFunctionContext(options, permission);
-				const route = action.route;
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-			} catch (error) {
-				if (action.options.secure || permission) throw error;
-				this.log.trace("Skipping security check for action");
-			}
-		}
-	});
-	onRequest = $hook({
-		on: "server:onRequest",
-		priority: "last",
-		handler: async ({ request, route }) => {
-			if (route.secure === false) {
-				this.log.trace("Skipping security check for route - explicitly disabled");
-				return;
-			}
-			if (isBasicAuth(route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
-			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
-					user: request.user,
-					permission
-				});
-			} catch (error) {
-				if (route.secure || permission) throw error;
-				this.log.trace("Skipping security check for route - error occurred", error);
-			}
-		}
-	});
-	check(user, secure) {
-		if (secure.realm) {
-			if (user.realm !== secure.realm) throw new ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
-		}
-	}
-	/**
-	* Get the user account token for a local action call.
-	* There are three possible sources for the user:
-	* - `options.user`: the user passed in the options
-	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
-	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
-	*
-	* Priority order: `options.user` > `"system"` > `"context"`.
-	*
-	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
-	*/
-	createUserFromLocalFunctionContext(options, permission) {
-		const fromOptions = typeof options.user === "object" ? options.user : void 0;
-		const type = typeof options.user === "string" ? options.user : void 0;
-		let user;
-		const fromContext = this.alepha.context.get("request")?.user;
-		const fromSystem = this.alepha.store.get("alepha.server.security.system.user");
-		if (type === "system") user = fromSystem;
-		else if (type === "context") user = fromContext;
-		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
-		let ownership;
-		if (permission) {
-			const result = this.securityProvider.checkPermission(permission, ...roles);
-			if (!result.isAuthorized) throw new ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
-			ownership = result.ownership;
-		}
-		return {
-			...user,
-			ownership
-		};
-	}
-	createTestUser() {
-		return {
-			id: randomUUID(),
-			name: "Test",
-			roles: this.securityProvider.getRoles().map((role) => role.name)
-		};
-	}
-	onClientRequest = $hook({
-		on: "client:onRequest",
-		handler: async ({ request, options }) => {
-			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
-			request.headers = new Headers(request.headers);
-			if (!request.headers.has("authorization")) {
-				const test = this.createTestUser();
-				const user = typeof options?.user === "object" ? options.user : void 0;
-				const sub = user?.id ?? test.id;
-				const roles = user?.roles ?? test.roles;
-				const token = await this.jwtProvider.create({
-					sub,
-					roles
-				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
-				request.headers.set("authorization", `Bearer ${token}`);
-			}
-		}
-	});
-};
-
-//#endregion
-//#region ../../src/server/security/index.ts
-/**
-* Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
-*
-* By default, all $action will be guarded by a permission check.
-*
-* @see {@link ServerSecurityProvider}
-* @module alepha.server.security
-*/
-const AlephaServerSecurity = $module({
-	name: "alepha.server.security",
-	primitives: [
-		$realm,
-		$role,
-		$permission,
-		$basicAuth
-	],
-	services: [
-		AlephaServer,
-		AlephaSecurity,
-		ServerSecurityProvider,
-		ServerBasicAuthProvider
-	]
-});
-
-//#endregion
-export { $basicAuth, AlephaServerSecurity, BasicAuthPrimitive, ServerBasicAuthProvider, ServerSecurityProvider, isBasicAuth };
-//# sourceMappingURL=index.js.map

package/dist/server/security/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../../src/server/security/providers/ServerBasicAuthProvider.ts","../../../src/server/security/primitives/$basicAuth.ts","../../../src/server/security/providers/ServerSecurityProvider.ts","../../../src/server/security/index.ts"],"sourcesContent":["import { timingSafeEqual } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  HttpError,\n  type ServerRequest,\n  ServerRouterProvider,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface BasicAuthOptions {\n  username: string;\n  password: string;\n}\n\nexport interface BasicAuthPrimitiveConfig extends BasicAuthOptions {\n  /** Name identifier for this basic auth (default: property key) */\n  name?: string;\n  /** Path patterns to match (supports wildcards like /devtools/*) */\n  paths?: string[];\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerBasicAuthProvider {\n  protected readonly alepha = $inject(Alepha);\n  protected readonly log = $logger();\n  protected readonly routerProvider = $inject(ServerRouterProvider);\n  protected readonly realm = \"Secure Area\";\n\n  /**\n   * Registered basic auth primitives with their configurations\n   */\n  public readonly registeredAuths: BasicAuthPrimitiveConfig[] = [];\n\n  /**\n   * Register a basic auth configuration (called by primitives)\n   */\n  public registerAuth(config: BasicAuthPrimitiveConfig): void {\n    this.registeredAuths.push(config);\n  }\n\n  public readonly onStart = $hook({\n    on: \"start\",\n    handler: async () => {\n      for (const auth of this.registeredAuths) {\n        if (auth.paths) {\n          for (const pattern of auth.paths) {\n            const matchedRoutes = this.routerProvider.getRoutes(pattern);\n            for (const route of matchedRoutes) {\n              route.secure = {\n                basic: {\n                  username: auth.username,\n                  password: auth.password,\n                },\n              };\n            }\n          }\n        }\n      }\n\n      if (this.registeredAuths.length > 0) {\n        this.log.info(\n          `Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`,\n        );\n      }\n    },\n  });\n\n  /**\n   * Hook into server:onRequest to check basic auth\n   */\n  public readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    handler: async ({ route, request }) => {\n      const routeAuth = route.secure;\n      if (\n        typeof routeAuth === \"object\" &&\n        \"basic\" in routeAuth &&\n        routeAuth.basic\n      ) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Hook into action:onRequest to check basic auth for actions\n   */\n  public readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request }) => {\n      const routeAuth = action.route.secure;\n      if (isBasicAuth(routeAuth)) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Check basic authentication\n   */\n  public checkAuth(request: ServerRequest, options: BasicAuthOptions): void {\n    const authHeader = request.headers?.authorization;\n\n    if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n      this.sendAuthRequired(request);\n      throw new HttpError({\n        status: 401,\n        message: \"Authentication required\",\n      });\n    }\n\n    // decode base64 credentials\n    const base64Credentials = authHeader.slice(6); // Remove \"Basic \"\n    const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n      \"utf-8\",\n    );\n\n    // split only on the first colon to handle passwords with colons\n    const colonIndex = credentials.indexOf(\":\");\n    const username =\n      colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n    const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n    // verify credentials using timing-safe comparison to prevent timing attacks\n    const isValid = this.timingSafeCredentialCheck(\n      username,\n      password,\n      options.username,\n      options.password,\n    );\n\n    if (!isValid) {\n      this.sendAuthRequired(request);\n      this.log.warn(`Failed basic auth attempt for user`, {\n        username,\n      });\n      throw new HttpError({\n        status: 401,\n        message: \"Invalid credentials\",\n      });\n    }\n  }\n\n  /**\n   * Performs a timing-safe comparison of credentials to prevent timing attacks.\n   * Always compares both username and password to avoid leaking which one is wrong.\n   */\n  protected timingSafeCredentialCheck(\n    inputUsername: string,\n    inputPassword: string,\n    expectedUsername: string,\n    expectedPassword: string,\n  ): boolean {\n    // Convert to buffers for timing-safe comparison\n    const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n    const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n    const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n    const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n    // timingSafeEqual requires same-length buffers\n    // When lengths differ, we compare against a dummy buffer to maintain constant time\n    const userMatch = this.safeCompare(inputUserBuf, expectedUserBuf);\n    const passMatch = this.safeCompare(inputPassBuf, expectedPassBuf);\n\n    // Both must match - bitwise AND avoids short-circuit evaluation\n    // eslint-disable-next-line no-bitwise\n    return (userMatch & passMatch) === 1;\n  }\n\n  /**\n   * Compares two buffers in constant time, handling different lengths safely.\n   * Returns 1 if equal, 0 if not equal.\n   */\n  protected safeCompare(input: Buffer, expected: Buffer): number {\n    // If lengths differ, compare input against itself to maintain timing\n    // but return 0 (not equal)\n    if (input.length !== expected.length) {\n      // Still perform a comparison to keep timing consistent\n      timingSafeEqual(input, input);\n      return 0;\n    }\n\n    return timingSafeEqual(input, expected) ? 1 : 0;\n  }\n\n  /**\n   * Send WWW-Authenticate header\n   */\n  protected sendAuthRequired(request: ServerRequest): void {\n    request.reply.setHeader(\"WWW-Authenticate\", `Basic realm=\"${this.realm}\"`);\n  }\n}\n\nexport const isBasicAuth = (\n  value: unknown,\n): value is { basic: BasicAuthOptions } => {\n  return (\n    typeof value === \"object\" && !!value && \"basic\" in value && !!value.basic\n  );\n};\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type {\n  BasicAuthOptions,\n  BasicAuthPrimitiveConfig,\n} from \"../providers/ServerBasicAuthProvider.ts\";\nimport { ServerBasicAuthProvider } from \"../providers/ServerBasicAuthProvider.ts\";\n\n/**\n * Declares HTTP Basic Authentication for server routes.\n * This primitive provides methods to protect routes with username/password authentication.\n */\nexport const $basicAuth = (\n  options: BasicAuthPrimitiveConfig,\n): AbstractBasicAuthPrimitive => {\n  return createPrimitive(BasicAuthPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface AbstractBasicAuthPrimitive {\n  readonly name: string;\n  readonly options: BasicAuthPrimitiveConfig;\n  check(request: ServerRequest, options?: BasicAuthOptions): void;\n}\n\nexport class BasicAuthPrimitive\n  extends Primitive<BasicAuthPrimitiveConfig>\n  implements AbstractBasicAuthPrimitive\n{\n  protected readonly serverBasicAuthProvider = $inject(ServerBasicAuthProvider);\n\n  public get name(): string {\n    return this.options.name ?? `${this.config.propertyKey}`;\n  }\n\n  protected onInit() {\n    // Register this auth configuration with the provider\n    this.serverBasicAuthProvider.registerAuth(this.options);\n  }\n\n  /**\n   * Checks basic auth for the given request using this primitive's configuration.\n   */\n  public check(request: ServerRequest, options?: BasicAuthOptions): void {\n    const mergedOptions = { ...this.options, ...options };\n    this.serverBasicAuthProvider.checkAuth(request, mergedOptions);\n  }\n}\n\n$basicAuth[KIND] = BasicAuthPrimitive;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  JwtProvider,\n  type Permission,\n  SecurityProvider,\n  type UserAccountToken,\n  userAccountInfoSchema,\n} from \"alepha/security\";\nimport {\n  $action,\n  ForbiddenError,\n  type ServerRequest,\n  UnauthorizedError,\n} from \"alepha/server\";\nimport {\n  type BasicAuthOptions,\n  isBasicAuth,\n} from \"./ServerBasicAuthProvider.ts\";\n\nexport class ServerSecurityProvider {\n  protected readonly log = $logger();\n  protected readonly securityProvider = $inject(SecurityProvider);\n  protected readonly jwtProvider = $inject(JwtProvider);\n  protected readonly alepha = $inject(Alepha);\n\n  protected readonly onConfigure = $hook({\n    on: \"configure\",\n    handler: async () => {\n      for (const action of this.alepha.primitives($action)) {\n        // -------------------------------------------------------------------------------------------------------------\n        // if the action is disabled or not secure, we do NOT create a permission for it\n        // -------------------------------------------------------------------------------------------------------------\n        if (\n          action.options.disabled ||\n          action.options.secure === false ||\n          this.securityProvider.getRealms().length === 0\n        ) {\n          continue;\n        }\n\n        const secure = action.options.secure;\n        if (typeof secure !== \"object\") {\n          this.securityProvider.createPermission({\n            name: action.name,\n            group: action.group,\n            method: action.route.method,\n            path: action.route.path,\n          });\n        }\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request, options }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      // but only if no user is provided in options\n      if (action.options.secure === false && !options.user) {\n        this.log.trace(\"Skipping security check for route\");\n        return;\n      }\n\n      if (isBasicAuth(action.route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find(\n          (it) =>\n            it.path === action.route.path && it.method === action.route.method,\n        );\n\n      try {\n        request.user = this.createUserFromLocalFunctionContext(\n          options,\n          permission,\n        );\n\n        const route = action.route;\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.store.set(\n          \"alepha.server.request.user\",\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n      } catch (error) {\n        if (action.options.secure || permission) {\n          throw error;\n        }\n        // else, we skip the security check\n        this.log.trace(\"Skipping security check for action\");\n      }\n    },\n  });\n\n  protected readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    priority: \"last\",\n    handler: async ({ request, route }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      if (route.secure === false) {\n        this.log.trace(\n          \"Skipping security check for route - explicitly disabled\",\n        );\n        return;\n      }\n\n      if (isBasicAuth(route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find((it) => it.path === route.path && it.method === route.method);\n\n      if (!request.headers.authorization && !route.secure && !permission) {\n        this.log.trace(\n          \"Skipping security check for route - no authorization header and not secure\",\n        );\n        return;\n      }\n\n      try {\n        // set user to request\n        request.user = await this.securityProvider.createUserFromToken(\n          request.headers.authorization,\n          { permission },\n        );\n\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.store.set(\n          \"alepha.server.request.user\",\n          // remove sensitive info\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n\n        this.log.trace(\"User set from request token\", {\n          user: request.user,\n          permission,\n        });\n      } catch (error) {\n        if (route.secure || permission) {\n          throw error;\n        }\n\n        // else, we skip the security check\n        this.log.trace(\n          \"Skipping security check for route - error occurred\",\n          error,\n        );\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected check(user: UserAccountToken, secure: ServerRouteSecure) {\n    if (secure.realm) {\n      if (user.realm !== secure.realm) {\n        throw new ForbiddenError(\n          `User must belong to realm '${secure.realm}' to access this route`,\n        );\n      }\n    }\n  }\n\n  /**\n   * Get the user account token for a local action call.\n   * There are three possible sources for the user:\n   * - `options.user`: the user passed in the options\n   * - `\"system\"`: the system user from the state (you MUST set state `server.security.system.user`)\n   * - `\"context\"`: the user from the request context (you MUST be in an HTTP request context)\n   *\n   * Priority order: `options.user` > `\"system\"` > `\"context\"`.\n   *\n   * In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.\n   */\n  protected createUserFromLocalFunctionContext(\n    options: { user?: UserAccountToken | \"system\" | \"context\" },\n    permission?: Permission,\n  ): UserAccountToken {\n    const fromOptions =\n      typeof options.user === \"object\" ? options.user : undefined;\n\n    const type = typeof options.user === \"string\" ? options.user : undefined;\n\n    let user: UserAccountToken | undefined;\n\n    const fromContext = this.alepha.context.get<ServerRequest>(\"request\")?.user;\n    const fromSystem = this.alepha.store.get(\n      \"alepha.server.security.system.user\",\n    );\n\n    if (type === \"system\") {\n      user = fromSystem;\n    } else if (type === \"context\") {\n      user = fromContext;\n    } else {\n      user = fromOptions ?? fromContext ?? fromSystem;\n    }\n\n    if (!user) {\n      // in testing mode, we create a test user\n      if (this.alepha.isTest() && !(\"user\" in options)) {\n        return this.createTestUser();\n      }\n\n      throw new UnauthorizedError(\"User is required for calling this action\");\n    }\n\n    const roles =\n      user.roles ??\n      (this.alepha.isTest()\n        ? this.securityProvider.getRoles().map((role) => role.name)\n        : []);\n    let ownership: boolean | string | undefined;\n\n    if (permission) {\n      const result = this.securityProvider.checkPermission(\n        permission,\n        ...roles,\n      );\n      if (!result.isAuthorized) {\n        throw new ForbiddenError(\n          `Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`,\n        );\n      }\n      ownership = result.ownership;\n    }\n\n    // create a new user object with ownership if needed\n    return {\n      ...user,\n      ownership,\n    };\n  }\n\n  // ---------------------------------------------------------------------------------------------------------------\n  // TESTING ONLY\n  // ---------------------------------------------------------------------------------------------------------------\n\n  protected createTestUser(): UserAccountToken {\n    return {\n      id: randomUUID(),\n      name: \"Test\",\n      roles: this.securityProvider.getRoles().map((role) => role.name),\n    };\n  }\n\n  protected readonly onClientRequest = $hook({\n    on: \"client:onRequest\",\n    handler: async ({ request, options }) => {\n      if (!this.alepha.isTest()) {\n        return;\n      }\n\n      // skip helper if user is explicitly set to undefined\n      if (\"user\" in options && options.user === undefined) {\n        return;\n      }\n\n      request.headers = new Headers(request.headers);\n\n      if (!request.headers.has(\"authorization\")) {\n        const test = this.createTestUser();\n        const user =\n          typeof options?.user === \"object\" ? options.user : undefined;\n        const sub = user?.id ?? test.id;\n        const roles = user?.roles ?? test.roles;\n\n        const token = await this.jwtProvider.create(\n          {\n            sub,\n            roles,\n          },\n          user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n        );\n\n        request.headers.set(\"authorization\", `Bearer ${token}`);\n      }\n    },\n  });\n}\n\nexport type ServerRouteSecure = {\n  realm?: string;\n  basic?: BasicAuthOptions;\n};\n","import { $module } from \"alepha\";\nimport {\n  $permission,\n  $realm,\n  $role,\n  AlephaSecurity,\n  type UserAccount,\n  type UserAccountToken,\n} from \"alepha/security\";\nimport { AlephaServer, type FetchOptions } from \"alepha/server\";\nimport { $basicAuth } from \"./primitives/$basicAuth.ts\";\nimport { ServerBasicAuthProvider } from \"./providers/ServerBasicAuthProvider.ts\";\nimport {\n  type ServerRouteSecure,\n  ServerSecurityProvider,\n} from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./primitives/$basicAuth.ts\";\nexport * from \"./providers/ServerBasicAuthProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n  interface State {\n    /**\n     * Real (or fake) user account, used for internal actions.\n     *\n     * If you define this, you assume that all actions are executed by this user by default.\n     * > To force a different user, you need to pass it explicitly in the options.\n     */\n\n    \"alepha.server.security.system.user\"?: UserAccountToken;\n\n    /**\n     * The authenticated user account attached to the server request state.\n     *\n     * @internal\n     */\n    \"alepha.server.request.user\"?: UserAccount;\n  }\n}\n\ndeclare module \"alepha/server\" {\n  interface ServerRequest<TConfig> {\n    user?: UserAccountToken; // for all routes, user is maybe present\n  }\n\n  interface ServerActionRequest<TConfig> {\n    user: UserAccountToken; // for actions, user is always present\n  }\n\n  interface ServerRoute {\n    /**\n     * If true, the route will be protected by the security provider.\n     * All actions are secure by default, but you can disable it for specific actions.\n     */\n    secure?: boolean | ServerRouteSecure;\n  }\n\n  interface ClientRequestOptions extends FetchOptions {\n    /**\n     * Forward user from the previous request.\n     * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n     * If \"context\", use the user from the current context (e.g. request).\n     *\n     * @default \"system\" if provided, else \"context\" if available.\n     */\n    user?: UserAccountToken | \"system\" | \"context\";\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.\n *\n * By default, all $action will be guarded by a permission check.\n *\n * @see {@link ServerSecurityProvider}\n * @module alepha.server.security\n */\nexport const AlephaServerSecurity = $module({\n  name: \"alepha.server.security\",\n  primitives: [$realm, $role, $permission, $basicAuth],\n  services: [\n    AlephaServer,\n    AlephaSecurity,\n    ServerSecurityProvider,\n    ServerBasicAuthProvider,\n  ],\n});\n"],"mappings":";;;;;;;AAyBA,IAAa,0BAAb,MAAqC;CACnC,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,MAAM,SAAS;CAClC,AAAmB,iBAAiB,QAAQ,qBAAqB;CACjE,AAAmB,QAAQ;;;;CAK3B,AAAgB,kBAA8C,EAAE;;;;CAKhE,AAAO,aAAa,QAAwC;AAC1D,OAAK,gBAAgB,KAAK,OAAO;;CAGnC,AAAgB,UAAU,MAAM;EAC9B,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,QAAQ,KAAK,gBACtB,KAAI,KAAK,MACP,MAAK,MAAM,WAAW,KAAK,OAAO;IAChC,MAAM,gBAAgB,KAAK,eAAe,UAAU,QAAQ;AAC5D,SAAK,MAAM,SAAS,cAClB,OAAM,SAAS,EACb,OAAO;KACL,UAAU,KAAK;KACf,UAAU,KAAK;KAChB,EACF;;AAMT,OAAI,KAAK,gBAAgB,SAAS,EAChC,MAAK,IAAI,KACP,oBAAoB,KAAK,gBAAgB,OAAO,wCACjD;;EAGN,CAAC;;;;CAKF,AAAgB,YAAY,MAAM;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,YAAY,MAAM;AACxB,OACE,OAAO,cAAc,YACrB,WAAW,aACX,UAAU,MAEV,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAgB,kBAAkB,MAAM;EACtC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,YAAY,OAAO,MAAM;AAC/B,OAAI,YAAY,UAAU,CACxB,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAO,UAAU,SAAwB,SAAiC;EACxE,MAAM,aAAa,QAAQ,SAAS;AAEpC,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,EAAE;AACnD,QAAK,iBAAiB,QAAQ;AAC9B,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;EAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;EAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;EAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;EAC3C,MAAM,WACJ,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG;EACzD,MAAM,WAAW,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG;AAUzE,MAAI,CAPY,KAAK,0BACnB,UACA,UACA,QAAQ,UACR,QAAQ,SACT,EAEa;AACZ,QAAK,iBAAiB,QAAQ;AAC9B,QAAK,IAAI,KAAK,sCAAsC,EAClD,UACD,CAAC;AACF,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;;;;;;CAQN,AAAU,0BACR,eACA,eACA,kBACA,kBACS;EAET,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;EAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAS9D,UALkB,KAAK,YAAY,cAAc,gBAAgB,GAC/C,KAAK,YAAY,cAAc,gBAAgB,MAI9B;;;;;;CAOrC,AAAU,YAAY,OAAe,UAA0B;AAG7D,MAAI,MAAM,WAAW,SAAS,QAAQ;AAEpC,mBAAgB,OAAO,MAAM;AAC7B,UAAO;;AAGT,SAAO,gBAAgB,OAAO,SAAS,GAAG,IAAI;;;;;CAMhD,AAAU,iBAAiB,SAA8B;AACvD,UAAQ,MAAM,UAAU,oBAAoB,gBAAgB,KAAK,MAAM,GAAG;;;AAI9E,MAAa,eACX,UACyC;AACzC,QACE,OAAO,UAAU,YAAY,CAAC,CAAC,SAAS,WAAW,SAAS,CAAC,CAAC,MAAM;;;;;;;;;AC5LxE,MAAa,cACX,YAC+B;AAC/B,QAAO,gBAAgB,oBAAoB,QAAQ;;AAWrD,IAAa,qBAAb,cACU,UAEV;CACE,AAAmB,0BAA0B,QAAQ,wBAAwB;CAE7E,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,OAAO;;CAG7C,AAAU,SAAS;AAEjB,OAAK,wBAAwB,aAAa,KAAK,QAAQ;;;;;CAMzD,AAAO,MAAM,SAAwB,SAAkC;EACrE,MAAM,gBAAgB;GAAE,GAAG,KAAK;GAAS,GAAG;GAAS;AACrD,OAAK,wBAAwB,UAAU,SAAS,cAAc;;;AAIlE,WAAW,QAAQ;;;;AC7BnB,IAAa,yBAAb,MAAoC;CAClC,AAAmB,MAAM,SAAS;CAClC,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,cAAc,QAAQ,YAAY;CACrD,AAAmB,SAAS,QAAQ,OAAO;CAE3C,AAAmB,cAAc,MAAM;EACrC,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,UAAU,KAAK,OAAO,WAAW,QAAQ,EAAE;AAIpD,QACE,OAAO,QAAQ,YACf,OAAO,QAAQ,WAAW,SAC1B,KAAK,iBAAiB,WAAW,CAAC,WAAW,EAE7C;AAIF,QAAI,OADW,OAAO,QAAQ,WACR,SACpB,MAAK,iBAAiB,iBAAiB;KACrC,MAAM,OAAO;KACb,OAAO,OAAO;KACd,QAAQ,OAAO,MAAM;KACrB,MAAM,OAAO,MAAM;KACpB,CAAC;;;EAIT,CAAC;CAIF,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,cAAc;AAG/C,OAAI,OAAO,QAAQ,WAAW,SAAS,CAAC,QAAQ,MAAM;AACpD,SAAK,IAAI,MAAM,oCAAoC;AACnD;;AAGF,OAAI,YAAY,OAAO,MAAM,OAAO,CAClC;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MACE,OACC,GAAG,SAAS,OAAO,MAAM,QAAQ,GAAG,WAAW,OAAO,MAAM,OAC/D;AAEH,OAAI;AACF,YAAQ,OAAO,KAAK,mCAClB,SACA,WACD;IAED,MAAM,QAAQ,OAAO;AACrB,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BACA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;YACM,OAAO;AACd,QAAI,OAAO,QAAQ,UAAU,WAC3B,OAAM;AAGR,SAAK,IAAI,MAAM,qCAAqC;;;EAGzD,CAAC;CAEF,AAAmB,YAAY,MAAM;EACnC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,SAAS,YAAY;AAErC,OAAI,MAAM,WAAW,OAAO;AAC1B,SAAK,IAAI,MACP,0DACD;AACD;;AAGF,OAAI,YAAY,MAAM,OAAO,CAC3B;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MAAM,OAAO,GAAG,SAAS,MAAM,QAAQ,GAAG,WAAW,MAAM,OAAO;AAErE,OAAI,CAAC,QAAQ,QAAQ,iBAAiB,CAAC,MAAM,UAAU,CAAC,YAAY;AAClE,SAAK,IAAI,MACP,6EACD;AACD;;AAGF,OAAI;AAEF,YAAQ,OAAO,MAAM,KAAK,iBAAiB,oBACzC,QAAQ,QAAQ,eAChB,EAAE,YAAY,CACf;AAED,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BAEA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;AAED,SAAK,IAAI,MAAM,+BAA+B;KAC5C,MAAM,QAAQ;KACd;KACD,CAAC;YACK,OAAO;AACd,QAAI,MAAM,UAAU,WAClB,OAAM;AAIR,SAAK,IAAI,MACP,sDACA,MACD;;;EAGN,CAAC;CAIF,AAAU,MAAM,MAAwB,QAA2B;AACjE,MAAI,OAAO,OACT;OAAI,KAAK,UAAU,OAAO,MACxB,OAAM,IAAI,eACR,8BAA8B,OAAO,MAAM,wBAC5C;;;;;;;;;;;;;;CAgBP,AAAU,mCACR,SACA,YACkB;EAClB,MAAM,cACJ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAEpD,MAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAE/D,IAAI;EAEJ,MAAM,cAAc,KAAK,OAAO,QAAQ,IAAmB,UAAU,EAAE;EACvE,MAAM,aAAa,KAAK,OAAO,MAAM,IACnC,qCACD;AAED,MAAI,SAAS,SACX,QAAO;WACE,SAAS,UAClB,QAAO;MAEP,QAAO,eAAe,eAAe;AAGvC,MAAI,CAAC,MAAM;AAET,OAAI,KAAK,OAAO,QAAQ,IAAI,EAAE,UAAU,SACtC,QAAO,KAAK,gBAAgB;AAG9B,SAAM,IAAI,kBAAkB,2CAA2C;;EAGzE,MAAM,QACJ,KAAK,UACJ,KAAK,OAAO,QAAQ,GACjB,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK,GACzD,EAAE;EACR,IAAI;AAEJ,MAAI,YAAY;GACd,MAAM,SAAS,KAAK,iBAAiB,gBACnC,YACA,GAAG,MACJ;AACD,OAAI,CAAC,OAAO,aACV,OAAM,IAAI,eACR,eAAe,KAAK,iBAAiB,mBAAmB,WAAW,CAAC,8BACrE;AAEH,eAAY,OAAO;;AAIrB,SAAO;GACL,GAAG;GACH;GACD;;CAOH,AAAU,iBAAmC;AAC3C,SAAO;GACL,IAAI,YAAY;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAIF,OAAI,UAAU,WAAW,QAAQ,SAAS,OACxC;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;;;;AChNJ,MAAa,uBAAuB,QAAQ;CAC1C,MAAM;CACN,YAAY;EAAC;EAAQ;EAAO;EAAa;EAAW;CACpD,UAAU;EACR;EACA;EACA;EACA;EACD;CACF,CAAC"}

package/src/cli/assets/appRouterTs.ts

@@ -1,9 +0,0 @@
-export const appRouterTs = () => `
-import { $page } from "@alepha/react/router";
-
-export class AppRouter {
-  home = $page({
-    component: () => "Hello World",
-  });
-}
-`.trim();

package/src/cli/assets/indexHtml.ts

@@ -1,15 +0,0 @@
-export const indexHtml = (
-  browserEntry: string,
-) => `
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <title>App</title>
-</head>
-<body>
-<div id="root"></div>
-<script type="module" src="${browserEntry}"></script>
-</body>
-</html>
-`.trim();

package/src/cli/assets/mainTs.ts

@@ -1,13 +0,0 @@
-export const mainTs = () => `
-import { run } from "alepha";
-import { $route } from "alepha/server";
-
-class App {
-  root = $route({
-    path: "/",
-    handler: () => "Hello, Alepha!",
-  });
-}
-
-run(App);
-`.trim();

package/src/cli/commands/format.ts

@@ -1,17 +0,0 @@
-import { $inject } from "alepha";
-import { $command } from "alepha/command";
-import { AlephaCliUtils } from "../services/AlephaCliUtils.ts";
-
-export class FormatCommand {
-  protected readonly utils = $inject(AlephaCliUtils);
-
-  public readonly format = $command({
-    name: "format",
-    description: "Format the codebase using Biome",
-    handler: async ({ root }) => {
-      await this.utils.ensureConfig(root, { biomeJson: true });
-      await this.utils.ensureDependency(root, "@biomejs/biome");
-      await this.utils.exec("biome format --fix");
-    },
-  });
-}

package/src/server/security/index.browser.ts

@@ -1,10 +0,0 @@
-import { $module } from "alepha";
-import { AlephaSecurity } from "alepha/security";
-import { AlephaServer } from "alepha/server";
-
-// ---------------------------------------------------------------------------------------------------------------------
-
-export const AlephaServerSecurity = $module({
-  name: "alepha.server.security",
-  services: [AlephaServer, AlephaSecurity],
-});

package/src/server/security/index.ts

@@ -1,94 +0,0 @@
-import { $module } from "alepha";
-import {
-  $permission,
-  $realm,
-  $role,
-  AlephaSecurity,
-  type UserAccount,
-  type UserAccountToken,
-} from "alepha/security";
-import { AlephaServer, type FetchOptions } from "alepha/server";
-import { $basicAuth } from "./primitives/$basicAuth.ts";
-import { ServerBasicAuthProvider } from "./providers/ServerBasicAuthProvider.ts";
-import {
-  type ServerRouteSecure,
-  ServerSecurityProvider,
-} from "./providers/ServerSecurityProvider.ts";
-
-// ---------------------------------------------------------------------------------------------------------------------
-
-export * from "./primitives/$basicAuth.ts";
-export * from "./providers/ServerBasicAuthProvider.ts";
-export * from "./providers/ServerSecurityProvider.ts";
-
-// ---------------------------------------------------------------------------------------------------------------------
-
-declare module "alepha" {
-  interface State {
-    /**
-     * Real (or fake) user account, used for internal actions.
-     *
-     * If you define this, you assume that all actions are executed by this user by default.
-     * > To force a different user, you need to pass it explicitly in the options.
-     */
-
-    "alepha.server.security.system.user"?: UserAccountToken;
-
-    /**
-     * The authenticated user account attached to the server request state.
-     *
-     * @internal
-     */
-    "alepha.server.request.user"?: UserAccount;
-  }
-}
-
-declare module "alepha/server" {
-  interface ServerRequest<TConfig> {
-    user?: UserAccountToken; // for all routes, user is maybe present
-  }
-
-  interface ServerActionRequest<TConfig> {
-    user: UserAccountToken; // for actions, user is always present
-  }
-
-  interface ServerRoute {
-    /**
-     * If true, the route will be protected by the security provider.
-     * All actions are secure by default, but you can disable it for specific actions.
-     */
-    secure?: boolean | ServerRouteSecure;
-  }
-
-  interface ClientRequestOptions extends FetchOptions {
-    /**
-     * Forward user from the previous request.
-     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
-     * If "context", use the user from the current context (e.g. request).
-     *
-     * @default "system" if provided, else "context" if available.
-     */
-    user?: UserAccountToken | "system" | "context";
-  }
-}
-
-// ---------------------------------------------------------------------------------------------------------------------
-
-/**
- * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
- *
- * By default, all $action will be guarded by a permission check.
- *
- * @see {@link ServerSecurityProvider}
- * @module alepha.server.security
- */
-export const AlephaServerSecurity = $module({
-  name: "alepha.server.security",
-  primitives: [$realm, $role, $permission, $basicAuth],
-  services: [
-    AlephaServer,
-    AlephaSecurity,
-    ServerSecurityProvider,
-    ServerBasicAuthProvider,
-  ],
-});

package/src/vite/helpers/boot.ts

@@ -1,106 +0,0 @@
-import { access, readFile } from "node:fs/promises";
-import { join } from "node:path";
-import { AlephaError } from "alepha";
-
-/**
- * Remember:
- * At first, functions was inside alepha/vite package, but it's now used in alepha too.
- * For avoiding cli -> vite, all code moved here.
- */
-
-/**
- * Find browser/client entry file path.
- */
-const getClientEntry = async (
-  root = process.cwd(),
-): Promise<string | undefined> => {
-  const indexPath = join(root, "index.html");
-  try {
-    const html = await readFile(indexPath, "utf8");
-    return extractFirstModuleScriptSrc(html).replace(/\\/g, "/");
-  } catch {
-    return undefined;
-  }
-};
-
-/**
- * Find server entry file path.
- */
-const getServerEntry = async (
-  root = process.cwd(),
-  explicitEntry?: string,
-): Promise<string> => {
-  if (explicitEntry) {
-    const explicitPath = join(root, explicitEntry);
-    try {
-      await access(explicitPath);
-      return explicitPath;
-    } catch {
-      throw new AlephaError(
-        `Explicit server entry file "${explicitEntry}" not found.`,
-      );
-    }
-  }
-
-  const maybeEntry = [
-    "src/main.server.ts",
-    "src/server-entry.ts",
-    "src/main.server.tsx",
-    "src/server-entry.tsx",
-    "src/main.ts",
-    "src/main.tsx",
-  ];
-
-  for (const entry of maybeEntry) {
-    try {
-      const path = join(root, entry).replace(/\\/g, "/");
-      await access(path);
-      return path;
-    } catch {
-      // continue to next entry
-    }
-  }
-
-  const clientEntry = await getClientEntry(root);
-  if (clientEntry) {
-    return clientEntry;
-  }
-
-  throw new AlephaError(
-    `Could not find a server entry file. List of supported entry file: ${maybeEntry.join(", ")}`,
-  );
-};
-
-/**
- * Extract first module script src from HTML.
- */
-function extractFirstModuleScriptSrc(html: string): string {
-  const scriptRegex = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
-  let match: RegExpExecArray | null = scriptRegex.exec(html);
-
-  while (match) {
-    const tag = match[0];
-
-    // Check for type="module"
-    if (/type=["']module["']/i.test(tag)) {
-      // Extract the src value
-      const srcMatch = tag.match(/\bsrc=["']([^"']+)["']/i);
-      const entry = srcMatch?.[1];
-      if (entry) {
-        if (entry.startsWith("/")) {
-          return entry.substring(1); // Remove leading slash
-        }
-        return entry;
-      }
-    }
-
-    match = scriptRegex.exec(html);
-  }
-
-  throw new AlephaError(`No module script found in the provided HTML.`);
-}
-
-export const boot = {
-  getClientEntry,
-  getServerEntry,
-};