npm - alepha - Versions diffs - 0.15.0 → 0.15.2 - Mend

alepha 0.15.0 → 0.15.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (551) hide show

package/README.md +43 -98
package/dist/api/audits/index.d.ts +630 -653
package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/audits/index.js +12 -35
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.d.ts +365 -358
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/files/index.js +12 -5
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.d.ts +255 -248
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js +10 -3
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/keys/index.d.ts +413 -0
package/dist/api/keys/index.d.ts.map +1 -0
package/dist/api/keys/index.js +476 -0
package/dist/api/keys/index.js.map +1 -0
package/dist/api/notifications/index.browser.js +4 -4
package/dist/api/notifications/index.browser.js.map +1 -1
package/dist/api/notifications/index.d.ts +84 -78
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/notifications/index.js +14 -8
package/dist/api/notifications/index.js.map +1 -1
package/dist/api/parameters/index.d.ts +528 -535
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +30 -37
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/users/index.d.ts +1221 -910
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +2556 -248
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.d.ts +142 -136
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/api/verifications/index.js +12 -4
package/dist/api/verifications/index.js.map +1 -1
package/dist/batch/index.d.ts +142 -162
package/dist/batch/index.d.ts.map +1 -1
package/dist/batch/index.js +31 -44
package/dist/batch/index.js.map +1 -1
package/dist/bucket/index.d.ts +595 -171
package/dist/bucket/index.d.ts.map +1 -1
package/dist/bucket/index.js +1856 -12
package/dist/bucket/index.js.map +1 -1
package/dist/cache/core/index.d.ts +225 -53
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/core/index.js +213 -7
package/dist/cache/core/index.js.map +1 -1
package/dist/cache/redis/index.d.ts +1 -0
package/dist/cache/redis/index.d.ts.map +1 -1
package/dist/cache/redis/index.js +6 -2
package/dist/cache/redis/index.js.map +1 -1
package/dist/cli/index.d.ts +834 -226
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +2872 -417
package/dist/cli/index.js.map +1 -1
package/dist/command/index.d.ts +458 -310
package/dist/command/index.d.ts.map +1 -1
package/dist/command/index.js +2011 -76
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js +309 -97
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +796 -701
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +329 -97
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +309 -97
package/dist/core/index.native.js.map +1 -1
package/dist/datetime/index.d.ts +59 -44
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js +15 -0
package/dist/datetime/index.js.map +1 -1
package/dist/email/index.d.ts +314 -19
package/dist/email/index.d.ts.map +1 -1
package/dist/email/index.js +1852 -7
package/dist/email/index.js.map +1 -1
package/dist/fake/index.d.ts +5500 -5418
package/dist/fake/index.d.ts.map +1 -1
package/dist/fake/index.js +113 -42
package/dist/fake/index.js.map +1 -1
package/dist/lock/core/index.d.ts +219 -212
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/core/index.js +11 -4
package/dist/lock/core/index.js.map +1 -1
package/dist/lock/redis/index.d.ts.map +1 -1
package/dist/logger/index.d.ts +41 -90
package/dist/logger/index.d.ts.map +1 -1
package/dist/logger/index.js +15 -68
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.d.ts +228 -230
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +32 -31
package/dist/mcp/index.js.map +1 -1
package/dist/orm/index.browser.js +12 -12
package/dist/orm/index.browser.js.map +1 -1
package/dist/orm/index.bun.js +90 -80
package/dist/orm/index.bun.js.map +1 -1
package/dist/orm/index.d.ts +1434 -1459
package/dist/orm/index.d.ts.map +1 -1
package/dist/orm/index.js +112 -130
package/dist/orm/index.js.map +1 -1
package/dist/queue/core/index.d.ts +262 -254
package/dist/queue/core/index.d.ts.map +1 -1
package/dist/queue/core/index.js +14 -6
package/dist/queue/core/index.js.map +1 -1
package/dist/queue/redis/index.d.ts.map +1 -1
package/dist/react/auth/index.browser.js +108 -0
package/dist/react/auth/index.browser.js.map +1 -0
package/dist/react/auth/index.d.ts +100 -0
package/dist/react/auth/index.d.ts.map +1 -0
package/dist/react/auth/index.js +145 -0
package/dist/react/auth/index.js.map +1 -0
package/dist/react/core/index.d.ts +469 -0
package/dist/react/core/index.d.ts.map +1 -0
package/dist/react/core/index.js +464 -0
package/dist/react/core/index.js.map +1 -0
package/dist/react/form/index.d.ts +232 -0
package/dist/react/form/index.d.ts.map +1 -0
package/dist/react/form/index.js +432 -0
package/dist/react/form/index.js.map +1 -0
package/dist/react/head/index.browser.js +423 -0
package/dist/react/head/index.browser.js.map +1 -0
package/dist/react/head/index.d.ts +288 -0
package/dist/react/head/index.d.ts.map +1 -0
package/dist/react/head/index.js +465 -0
package/dist/react/head/index.js.map +1 -0
package/dist/react/i18n/index.d.ts +175 -0
package/dist/react/i18n/index.d.ts.map +1 -0
package/dist/react/i18n/index.js +224 -0
package/dist/react/i18n/index.js.map +1 -0
package/dist/react/router/index.browser.js +1980 -0
package/dist/react/router/index.browser.js.map +1 -0
package/dist/react/router/index.d.ts +2068 -0
package/dist/react/router/index.d.ts.map +1 -0
package/dist/react/router/index.js +4932 -0
package/dist/react/router/index.js.map +1 -0
package/dist/react/websocket/index.d.ts +117 -0
package/dist/react/websocket/index.d.ts.map +1 -0
package/dist/react/websocket/index.js +107 -0
package/dist/react/websocket/index.js.map +1 -0
package/dist/redis/index.bun.js +4 -0
package/dist/redis/index.bun.js.map +1 -1
package/dist/redis/index.d.ts +127 -130
package/dist/redis/index.d.ts.map +1 -1
package/dist/redis/index.js +16 -25
package/dist/redis/index.js.map +1 -1
package/dist/retry/index.d.ts +80 -71
package/dist/retry/index.d.ts.map +1 -1
package/dist/retry/index.js +11 -2
package/dist/retry/index.js.map +1 -1
package/dist/router/index.d.ts +6 -6
package/dist/router/index.d.ts.map +1 -1
package/dist/scheduler/index.d.ts +119 -28
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js +404 -3
package/dist/scheduler/index.js.map +1 -1
package/dist/security/index.d.ts +642 -228
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +1579 -37
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts +1141 -111
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +1261 -25
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cache/index.d.ts +63 -78
package/dist/server/cache/index.d.ts.map +1 -1
package/dist/server/cache/index.js +7 -22
package/dist/server/cache/index.js.map +1 -1
package/dist/server/compress/index.d.ts +13 -5
package/dist/server/compress/index.d.ts.map +1 -1
package/dist/server/compress/index.js +10 -2
package/dist/server/compress/index.js.map +1 -1
package/dist/server/cookies/index.d.ts +46 -22
package/dist/server/cookies/index.d.ts.map +1 -1
package/dist/server/cookies/index.js +7 -5
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.d.ts +307 -196
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +271 -38
package/dist/server/core/index.js.map +1 -1
package/dist/server/cors/index.d.ts +24 -34
package/dist/server/cors/index.d.ts.map +1 -1
package/dist/server/cors/index.js +7 -21
package/dist/server/cors/index.js.map +1 -1
package/dist/server/health/index.d.ts +25 -19
package/dist/server/health/index.d.ts.map +1 -1
package/dist/server/health/index.js +8 -2
package/dist/server/health/index.js.map +1 -1
package/dist/server/helmet/index.d.ts +13 -5
package/dist/server/helmet/index.d.ts.map +1 -1
package/dist/server/helmet/index.js +11 -3
package/dist/server/helmet/index.js.map +1 -1
package/dist/server/links/index.browser.js +9 -1
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.d.ts +133 -128
package/dist/server/links/index.d.ts.map +1 -1
package/dist/server/links/index.js +24 -11
package/dist/server/links/index.js.map +1 -1
package/dist/server/metrics/index.d.ts +524 -4
package/dist/server/metrics/index.d.ts.map +1 -1
package/dist/server/metrics/index.js +4472 -7
package/dist/server/metrics/index.js.map +1 -1
package/dist/server/multipart/index.d.ts +15 -9
package/dist/server/multipart/index.d.ts.map +1 -1
package/dist/server/multipart/index.js +9 -3
package/dist/server/multipart/index.js.map +1 -1
package/dist/server/proxy/index.d.ts +110 -104
package/dist/server/proxy/index.d.ts.map +1 -1
package/dist/server/proxy/index.js +8 -2
package/dist/server/proxy/index.js.map +1 -1
package/dist/server/rate-limit/index.d.ts +46 -51
package/dist/server/rate-limit/index.d.ts.map +1 -1
package/dist/server/rate-limit/index.js +18 -55
package/dist/server/rate-limit/index.js.map +1 -1
package/dist/server/static/index.d.ts +181 -48
package/dist/server/static/index.d.ts.map +1 -1
package/dist/server/static/index.js +1848 -5
package/dist/server/static/index.js.map +1 -1
package/dist/server/swagger/index.d.ts +348 -53
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +1849 -6
package/dist/server/swagger/index.js.map +1 -1
package/dist/sms/index.d.ts +312 -18
package/dist/sms/index.d.ts.map +1 -1
package/dist/sms/index.js +1854 -10
package/dist/sms/index.js.map +1 -1
package/dist/system/index.browser.js +496 -0
package/dist/system/index.browser.js.map +1 -0
package/dist/system/index.d.ts +1158 -0
package/dist/system/index.d.ts.map +1 -0
package/dist/{file → system}/index.js +412 -20
package/dist/system/index.js.map +1 -0
package/dist/thread/index.d.ts +82 -73
package/dist/thread/index.d.ts.map +1 -1
package/dist/thread/index.js +13 -4
package/dist/thread/index.js.map +1 -1
package/dist/topic/core/index.d.ts +330 -323
package/dist/topic/core/index.d.ts.map +1 -1
package/dist/topic/core/index.js +12 -5
package/dist/topic/core/index.js.map +1 -1
package/dist/topic/redis/index.d.ts +6 -6
package/dist/topic/redis/index.d.ts.map +1 -1
package/dist/vite/index.d.ts +163 -5825
package/dist/vite/index.d.ts.map +1 -1
package/dist/vite/index.js +130 -477
package/dist/vite/index.js.map +1 -1
package/dist/websocket/index.browser.js +3 -3
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +287 -283
package/dist/websocket/index.d.ts.map +1 -1
package/dist/websocket/index.js +15 -11
package/dist/websocket/index.js.map +1 -1
package/package.json +86 -17
package/src/api/audits/index.ts +10 -33
package/src/api/files/__tests__/$bucket.spec.ts +1 -1
package/src/api/files/controllers/AdminFileStatsController.spec.ts +1 -1
package/src/api/files/controllers/FileController.spec.ts +1 -1
package/src/api/files/index.ts +10 -3
package/src/api/files/jobs/FileJobs.spec.ts +1 -1
package/src/api/files/services/FileService.spec.ts +1 -1
package/src/api/jobs/index.ts +10 -3
package/src/api/keys/controllers/AdminApiKeyController.ts +75 -0
package/src/api/keys/controllers/ApiKeyController.ts +103 -0
package/src/api/keys/entities/apiKeyEntity.ts +41 -0
package/src/api/keys/index.ts +49 -0
package/src/api/keys/schemas/adminApiKeyQuerySchema.ts +7 -0
package/src/api/keys/schemas/adminApiKeyResourceSchema.ts +17 -0
package/src/api/keys/schemas/createApiKeyBodySchema.ts +7 -0
package/src/api/keys/schemas/createApiKeyResponseSchema.ts +11 -0
package/src/api/keys/schemas/listApiKeyResponseSchema.ts +15 -0
package/src/api/keys/schemas/revokeApiKeyParamsSchema.ts +5 -0
package/src/api/keys/schemas/revokeApiKeyResponseSchema.ts +5 -0
package/src/api/keys/services/ApiKeyService.spec.ts +553 -0
package/src/api/keys/services/ApiKeyService.ts +306 -0
package/src/api/logs/TODO.md +52 -0
package/src/api/notifications/index.ts +10 -4
package/src/api/parameters/index.ts +9 -30
package/src/api/parameters/primitives/$config.ts +12 -4
package/src/api/parameters/services/ConfigStore.ts +9 -3
package/src/api/users/__tests__/ApiKeys-integration.spec.ts +1035 -0
package/src/api/users/__tests__/ApiKeys.spec.ts +401 -0
package/src/api/users/index.ts +14 -3
package/src/api/users/primitives/$realm.ts +33 -5
package/src/api/users/providers/RealmProvider.ts +1 -12
package/src/api/users/services/SessionService.ts +1 -11
package/src/api/verifications/controllers/VerificationController.ts +2 -0
package/src/api/verifications/index.ts +10 -4
package/src/batch/index.ts +9 -36
package/src/batch/primitives/$batch.ts +0 -8
package/src/batch/providers/BatchProvider.ts +29 -2
package/src/bucket/__tests__/shared.ts +1 -1
package/src/bucket/index.ts +13 -6
package/src/bucket/primitives/$bucket.ts +1 -1
package/src/bucket/providers/LocalFileStorageProvider.ts +1 -1
package/src/bucket/providers/MemoryFileStorageProvider.ts +1 -1
package/src/cache/core/__tests__/shared.ts +30 -0
package/src/cache/core/index.ts +11 -6
package/src/cache/core/primitives/$cache.spec.ts +5 -0
package/src/cache/core/providers/CacheProvider.ts +17 -0
package/src/cache/core/providers/MemoryCacheProvider.ts +300 -1
package/src/cache/redis/__tests__/cache-redis.spec.ts +5 -0
package/src/cache/redis/providers/RedisCacheProvider.ts +9 -0
package/src/cli/apps/AlephaCli.ts +3 -16
package/src/cli/apps/AlephaPackageBuilderCli.ts +10 -2
package/src/cli/atoms/appEntryOptions.ts +13 -0
package/src/cli/atoms/buildOptions.ts +1 -1
package/src/cli/atoms/changelogOptions.ts +1 -1
package/src/cli/commands/build.ts +64 -52
package/src/cli/commands/db.ts +17 -11
package/src/cli/commands/deploy.ts +1 -1
package/src/cli/commands/dev.ts +13 -49
package/src/cli/commands/gen/env.ts +6 -3
package/src/cli/commands/gen/openapi.ts +5 -2
package/src/cli/commands/init.spec.ts +544 -0
package/src/cli/commands/init.ts +101 -58
package/src/cli/commands/lint.ts +8 -2
package/src/cli/commands/typecheck.ts +11 -0
package/src/cli/defineConfig.ts +9 -0
package/src/cli/index.ts +2 -1
package/src/cli/providers/AppEntryProvider.ts +131 -0
package/src/cli/providers/ViteBuildProvider.ts +40 -0
package/src/cli/providers/ViteDevServerProvider.ts +378 -0
package/src/cli/services/AlephaCliUtils.ts +39 -93
package/src/cli/services/PackageManagerUtils.ts +140 -17
package/src/cli/services/ProjectScaffolder.ts +169 -101
package/src/cli/services/ViteUtils.ts +82 -0
package/src/cli/{assets/claudeMd.ts → templates/agentMd.ts} +41 -28
package/src/cli/{assets → templates}/apiHelloControllerTs.ts +2 -1
package/src/cli/{assets → templates}/biomeJson.ts +2 -1
package/src/cli/{assets → templates}/dummySpecTs.ts +2 -1
package/src/cli/{assets → templates}/editorconfig.ts +2 -1
package/src/cli/templates/gitignore.ts +39 -0
package/src/cli/{assets → templates}/mainBrowserTs.ts +2 -1
package/src/cli/templates/mainCss.ts +33 -0
package/src/cli/templates/mainServerTs.ts +33 -0
package/src/cli/{assets → templates}/tsconfigJson.ts +2 -1
package/src/cli/templates/webAppRouterTs.ts +50 -0
package/src/cli/templates/webHelloComponentTsx.ts +20 -0
package/src/command/helpers/Runner.spec.ts +4 -0
package/src/command/helpers/Runner.ts +3 -21
package/src/command/index.ts +12 -4
package/src/command/providers/CliProvider.spec.ts +1067 -0
package/src/command/providers/CliProvider.ts +203 -40
package/src/core/Alepha.ts +3 -9
package/src/core/__tests__/Alepha-start.spec.ts +4 -4
package/src/core/helpers/jsonSchemaToTypeBox.spec.ts +771 -0
package/src/core/helpers/jsonSchemaToTypeBox.ts +62 -10
package/src/core/index.shared.ts +1 -0
package/src/core/index.ts +20 -0
package/src/core/primitives/$module.ts +12 -0
package/src/core/providers/EventManager.spec.ts +0 -71
package/src/core/providers/EventManager.ts +3 -15
package/src/core/providers/Json.ts +2 -14
package/src/core/providers/KeylessJsonSchemaCodec.spec.ts +257 -0
package/src/core/providers/KeylessJsonSchemaCodec.ts +396 -14
package/src/core/providers/SchemaValidator.spec.ts +236 -0
package/src/datetime/index.ts +15 -0
package/src/email/index.ts +10 -5
package/src/email/providers/LocalEmailProvider.spec.ts +1 -1
package/src/email/providers/LocalEmailProvider.ts +1 -1
package/src/fake/__tests__/keyName.example.ts +1 -1
package/src/fake/__tests__/keyName.spec.ts +5 -5
package/src/fake/index.ts +9 -6
package/src/fake/providers/FakeProvider.spec.ts +258 -40
package/src/fake/providers/FakeProvider.ts +133 -19
package/src/lock/core/index.ts +11 -4
package/src/logger/index.ts +17 -66
package/src/logger/providers/PrettyFormatterProvider.ts +0 -9
package/src/mcp/errors/McpError.ts +30 -0
package/src/mcp/index.ts +13 -27
package/src/mcp/transports/SseMcpTransport.ts +6 -7
package/src/orm/__tests__/PostgresProvider.spec.ts +2 -2
package/src/orm/index.browser.ts +2 -2
package/src/orm/index.bun.ts +4 -2
package/src/orm/index.ts +21 -47
package/src/orm/providers/DrizzleKitProvider.ts +3 -5
package/src/orm/providers/drivers/BunSqliteProvider.ts +1 -0
package/src/orm/services/Repository.ts +18 -3
package/src/queue/core/index.ts +14 -6
package/src/react/auth/__tests__/$auth.spec.ts +202 -0
package/src/react/auth/hooks/useAuth.ts +32 -0
package/src/react/auth/index.browser.ts +13 -0
package/src/react/auth/index.shared.ts +2 -0
package/src/react/auth/index.ts +48 -0
package/src/react/auth/providers/ReactAuthProvider.ts +16 -0
package/src/react/auth/services/ReactAuth.ts +135 -0
package/src/react/core/__tests__/Router.spec.tsx +169 -0
package/src/react/core/components/ClientOnly.tsx +49 -0
package/src/react/core/components/ErrorBoundary.tsx +73 -0
package/src/react/core/contexts/AlephaContext.ts +7 -0
package/src/react/core/contexts/AlephaProvider.tsx +42 -0
package/src/react/core/hooks/useAction.browser.spec.tsx +569 -0
package/src/react/core/hooks/useAction.ts +480 -0
package/src/react/core/hooks/useAlepha.ts +26 -0
package/src/react/core/hooks/useClient.ts +17 -0
package/src/react/core/hooks/useEvents.ts +51 -0
package/src/react/core/hooks/useInject.ts +12 -0
package/src/react/core/hooks/useStore.ts +52 -0
package/src/react/core/index.ts +90 -0
package/src/react/form/components/FormState.tsx +17 -0
package/src/react/form/errors/FormValidationError.ts +18 -0
package/src/react/form/hooks/useForm.browser.spec.tsx +366 -0
package/src/react/form/hooks/useForm.ts +47 -0
package/src/react/form/hooks/useFormState.ts +130 -0
package/src/react/form/index.ts +44 -0
package/src/react/form/services/FormModel.ts +614 -0
package/src/react/head/helpers/SeoExpander.spec.ts +203 -0
package/src/react/head/helpers/SeoExpander.ts +142 -0
package/src/react/head/hooks/useHead.spec.tsx +288 -0
package/src/react/head/hooks/useHead.ts +62 -0
package/src/react/head/index.browser.ts +26 -0
package/src/react/head/index.ts +44 -0
package/src/react/head/interfaces/Head.ts +105 -0
package/src/react/head/primitives/$head.ts +25 -0
package/src/react/head/providers/BrowserHeadProvider.browser.spec.ts +196 -0
package/src/react/head/providers/BrowserHeadProvider.ts +212 -0
package/src/react/head/providers/HeadProvider.ts +168 -0
package/src/react/head/providers/ServerHeadProvider.ts +31 -0
package/src/react/i18n/__tests__/integration.spec.tsx +239 -0
package/src/react/i18n/components/Localize.spec.tsx +357 -0
package/src/react/i18n/components/Localize.tsx +35 -0
package/src/react/i18n/hooks/useI18n.browser.spec.tsx +438 -0
package/src/react/i18n/hooks/useI18n.ts +18 -0
package/src/react/i18n/index.ts +41 -0
package/src/react/i18n/primitives/$dictionary.ts +69 -0
package/src/react/i18n/providers/I18nProvider.spec.ts +389 -0
package/src/react/i18n/providers/I18nProvider.ts +278 -0
package/src/react/router/__tests__/page-head-browser.browser.spec.ts +95 -0
package/src/react/router/__tests__/page-head.spec.ts +48 -0
package/src/react/router/__tests__/seo-head.spec.ts +125 -0
package/src/react/router/atoms/ssrManifestAtom.ts +58 -0
package/src/react/router/components/ErrorViewer.tsx +872 -0
package/src/react/router/components/Link.tsx +23 -0
package/src/react/router/components/NestedView.tsx +223 -0
package/src/react/router/components/NotFound.tsx +30 -0
package/src/react/router/constants/PAGE_PRELOAD_KEY.ts +6 -0
package/src/react/router/contexts/RouterLayerContext.ts +12 -0
package/src/react/router/errors/Redirection.ts +28 -0
package/src/react/router/hooks/useActive.ts +52 -0
package/src/react/router/hooks/useQueryParams.ts +63 -0
package/src/react/router/hooks/useRouter.ts +20 -0
package/src/react/router/hooks/useRouterState.ts +11 -0
package/src/react/router/index.browser.ts +45 -0
package/src/react/router/index.shared.ts +19 -0
package/src/react/router/index.ts +142 -0
package/src/react/router/primitives/$page.browser.spec.tsx +851 -0
package/src/react/router/primitives/$page.spec.tsx +708 -0
package/src/react/router/primitives/$page.ts +497 -0
package/src/react/router/providers/ReactBrowserProvider.ts +309 -0
package/src/react/router/providers/ReactBrowserRendererProvider.ts +25 -0
package/src/react/router/providers/ReactBrowserRouterProvider.ts +168 -0
package/src/react/router/providers/ReactPageProvider.ts +726 -0
package/src/react/router/providers/ReactServerProvider.spec.tsx +316 -0
package/src/react/router/providers/ReactServerProvider.ts +558 -0
package/src/react/router/providers/ReactServerTemplateProvider.ts +979 -0
package/src/react/router/providers/SSRManifestProvider.ts +334 -0
package/src/react/router/services/ReactPageServerService.ts +48 -0
package/src/react/router/services/ReactPageService.ts +27 -0
package/src/react/router/services/ReactRouter.ts +262 -0
package/src/react/websocket/hooks/useRoom.tsx +242 -0
package/src/react/websocket/index.ts +7 -0
package/src/redis/__tests__/redis.spec.ts +13 -0
package/src/redis/index.ts +9 -25
package/src/redis/providers/BunRedisProvider.ts +9 -0
package/src/redis/providers/NodeRedisProvider.ts +8 -0
package/src/redis/providers/RedisProvider.ts +16 -0
package/src/retry/index.ts +11 -2
package/src/router/index.ts +15 -0
package/src/scheduler/index.ts +11 -2
package/src/security/__tests__/BasicAuth.spec.ts +2 -0
package/src/security/__tests__/ServerSecurityProvider.spec.ts +13 -5
package/src/security/index.ts +15 -10
package/src/security/interfaces/IssuerResolver.ts +27 -0
package/src/security/primitives/$issuer.ts +55 -0
package/src/security/providers/SecurityProvider.ts +179 -0
package/src/security/providers/ServerBasicAuthProvider.ts +6 -2
package/src/security/providers/ServerSecurityProvider.ts +36 -22
package/src/server/auth/index.ts +12 -7
package/src/server/cache/index.ts +7 -22
package/src/server/compress/index.ts +10 -2
package/src/server/cookies/index.ts +7 -5
package/src/server/cookies/primitives/$cookie.ts +33 -11
package/src/server/core/index.ts +17 -7
package/src/server/core/interfaces/ServerRequest.ts +83 -1
package/src/server/core/primitives/$action.spec.ts +1 -1
package/src/server/core/primitives/$action.ts +8 -3
package/src/server/core/providers/BunHttpServerProvider.ts +1 -1
package/src/server/core/providers/NodeHttpServerProvider.spec.ts +125 -0
package/src/server/core/providers/NodeHttpServerProvider.ts +77 -22
package/src/server/core/providers/ServerLoggerProvider.ts +2 -2
package/src/server/core/providers/ServerProvider.ts +9 -12
package/src/server/core/services/ServerRequestParser.spec.ts +520 -0
package/src/server/core/services/ServerRequestParser.ts +306 -13
package/src/server/cors/index.ts +7 -21
package/src/server/cors/primitives/$cors.ts +6 -2
package/src/server/health/index.ts +8 -2
package/src/server/helmet/index.ts +11 -3
package/src/server/links/atoms/apiLinksAtom.ts +7 -0
package/src/server/links/index.browser.ts +2 -0
package/src/server/links/index.ts +13 -6
package/src/server/metrics/index.ts +10 -3
package/src/server/multipart/index.ts +9 -3
package/src/server/proxy/index.ts +8 -2
package/src/server/rate-limit/index.ts +21 -25
package/src/server/rate-limit/primitives/$rateLimit.ts +6 -2
package/src/server/rate-limit/providers/ServerRateLimitProvider.spec.ts +38 -14
package/src/server/rate-limit/providers/ServerRateLimitProvider.ts +22 -56
package/src/server/static/index.ts +8 -2
package/src/server/static/providers/ServerStaticProvider.ts +1 -1
package/src/server/swagger/index.ts +9 -4
package/src/server/swagger/providers/ServerSwaggerProvider.ts +1 -1
package/src/sms/index.ts +9 -5
package/src/sms/providers/LocalSmsProvider.spec.ts +1 -1
package/src/sms/providers/LocalSmsProvider.ts +1 -1
package/src/system/index.browser.ts +11 -0
package/src/system/index.ts +62 -0
package/src/{file → system}/providers/FileSystemProvider.ts +16 -0
package/src/{file → system}/providers/MemoryFileSystemProvider.ts +116 -3
package/src/system/providers/MemoryShellProvider.ts +164 -0
package/src/{file → system}/providers/NodeFileSystemProvider.spec.ts +2 -2
package/src/{file → system}/providers/NodeFileSystemProvider.ts +36 -0
package/src/system/providers/NodeShellProvider.ts +184 -0
package/src/system/providers/ShellProvider.ts +74 -0
package/src/{file → system}/services/FileDetector.spec.ts +2 -2
package/src/thread/index.ts +11 -2
package/src/topic/core/index.ts +12 -5
package/src/vite/index.ts +3 -2
package/src/vite/tasks/buildClient.ts +2 -8
package/src/vite/tasks/buildServer.ts +84 -21
package/src/vite/tasks/copyAssets.ts +5 -4
package/src/vite/tasks/generateSitemap.ts +64 -23
package/src/vite/tasks/index.ts +0 -2
package/src/vite/tasks/prerenderPages.ts +49 -24
package/src/websocket/index.ts +12 -8
package/dist/file/index.d.ts +0 -839
package/dist/file/index.d.ts.map +0 -1
package/dist/file/index.js.map +0 -1
package/src/cli/assets/indexHtml.ts +0 -15
package/src/cli/assets/mainServerTs.ts +0 -24
package/src/cli/assets/webAppRouterTs.ts +0 -15
package/src/cli/assets/webHelloComponentTsx.ts +0 -16
package/src/cli/commands/format.ts +0 -23
package/src/file/index.ts +0 -43
package/src/vite/helpers/boot.ts +0 -117
package/src/vite/plugins/viteAlephaDev.ts +0 -177
package/src/vite/tasks/devServer.ts +0 -71
package/src/vite/tasks/runAlepha.ts +0 -270
/package/dist/orm/{chunk-DtkW-qnP.js → chunk-DH6iiROE.js} +0 -0
/package/src/cli/{assets → templates}/apiIndexTs.ts +0 -0
/package/src/cli/{assets → templates}/webIndexTs.ts +0 -0
/package/src/{file → system}/errors/FileError.ts +0 -0
/package/src/{file → system}/services/FileDetector.ts +0 -0

package/dist/security/index.js CHANGED Viewed

@@ -3,8 +3,6 @@ import { $action, AlephaServer, ForbiddenError, HttpError, ServerRouterProvider,
 import { createSecretKey, randomBytes, randomUUID, scrypt, timingSafeEqual } from "node:crypto";
 import { $logger } from "alepha/logger";
 import { DateTimeProvider } from "alepha/datetime";
-import { SignJWT, createLocalJWKSet, createRemoteJWKSet, jwtVerify } from "jose";
-import { JWTClaimValidationFailed, JWTExpired } from "jose/errors";
 import { promisify } from "node:util";
 //#region ../../src/security/providers/ServerBasicAuthProvider.ts
@@ -152,6 +150,1419 @@ var SecurityError = class extends Error {
 	status = 403;
 };
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+const MAX_INT32 = 2 ** 32;
+function concat(...buffers) {
+	const size = buffers.reduce((acc, { length }) => acc + length, 0);
+	const buf = new Uint8Array(size);
+	let i = 0;
+	for (const buffer of buffers) {
+		buf.set(buffer, i);
+		i += buffer.length;
+	}
+	return buf;
+}
+function encode$1(string) {
+	const bytes = new Uint8Array(string.length);
+	for (let i = 0; i < string.length; i++) {
+		const code = string.charCodeAt(i);
+		if (code > 127) throw new TypeError("non-ASCII string encountered in encode()");
+		bytes[i] = code;
+	}
+	return bytes;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/base64.js
+function encodeBase64(input) {
+	if (Uint8Array.prototype.toBase64) return input.toBase64();
+	const CHUNK_SIZE = 32768;
+	const arr = [];
+	for (let i = 0; i < input.length; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+	return btoa(arr.join(""));
+}
+function decodeBase64(encoded) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(encoded);
+	const binary = atob(encoded);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), { alphabet: "base64url" });
+	let encoded = input;
+	if (encoded instanceof Uint8Array) encoded = decoder.decode(encoded);
+	encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+	try {
+		return decodeBase64(encoded);
+	} catch {
+		throw new TypeError("The input to be decoded is not correctly encoded.");
+	}
+}
+function encode(input) {
+	let unencoded = input;
+	if (typeof unencoded === "string") unencoded = encoder.encode(unencoded);
+	if (Uint8Array.prototype.toBase64) return unencoded.toBase64({
+		alphabet: "base64url",
+		omitPadding: true
+	});
+	return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+	static code = "ERR_JOSE_GENERIC";
+	code = "ERR_JOSE_GENERIC";
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var JWTClaimValidationFailed = class extends JOSEError {
+	static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	claim;
+	reason;
+	payload;
+	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+		super(message, { cause: {
+			claim,
+			reason,
+			payload
+		} });
+		this.claim = claim;
+		this.reason = reason;
+		this.payload = payload;
+	}
+};
+var JWTExpired = class extends JOSEError {
+	static code = "ERR_JWT_EXPIRED";
+	code = "ERR_JWT_EXPIRED";
+	claim;
+	reason;
+	payload;
+	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+		super(message, { cause: {
+			claim,
+			reason,
+			payload
+		} });
+		this.claim = claim;
+		this.reason = reason;
+		this.payload = payload;
+	}
+};
+var JOSEAlgNotAllowed = class extends JOSEError {
+	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+	code = "ERR_JOSE_ALG_NOT_ALLOWED";
+};
+var JOSENotSupported = class extends JOSEError {
+	static code = "ERR_JOSE_NOT_SUPPORTED";
+	code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWSInvalid = class extends JOSEError {
+	static code = "ERR_JWS_INVALID";
+	code = "ERR_JWS_INVALID";
+};
+var JWTInvalid = class extends JOSEError {
+	static code = "ERR_JWT_INVALID";
+	code = "ERR_JWT_INVALID";
+};
+var JWKSInvalid = class extends JOSEError {
+	static code = "ERR_JWKS_INVALID";
+	code = "ERR_JWKS_INVALID";
+};
+var JWKSNoMatchingKey = class extends JOSEError {
+	static code = "ERR_JWKS_NO_MATCHING_KEY";
+	code = "ERR_JWKS_NO_MATCHING_KEY";
+	constructor(message = "no applicable key found in the JSON Web Key Set", options) {
+		super(message, options);
+	}
+};
+var JWKSMultipleMatchingKeys = class extends JOSEError {
+	[Symbol.asyncIterator];
+	static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+	code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+	constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
+		super(message, options);
+	}
+};
+var JWKSTimeout = class extends JOSEError {
+	static code = "ERR_JWKS_TIMEOUT";
+	code = "ERR_JWKS_TIMEOUT";
+	constructor(message = "request timed out", options) {
+		super(message, options);
+	}
+};
+var JWSSignatureVerificationFailed = class extends JOSEError {
+	static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	constructor(message = "signature verification failed", options) {
+		super(message, options);
+	}
+};
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/crypto_key.js
+const unusable = (name, prop = "algorithm.name") => /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+const isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+	return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+	switch (alg) {
+		case "ES256": return "P-256";
+		case "ES384": return "P-384";
+		case "ES512": return "P-521";
+		default: throw new Error("unreachable");
+	}
+}
+function checkUsage(key, usage) {
+	if (usage && !key.usages.includes(usage)) throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+}
+function checkSigCryptoKey(key, alg, usage) {
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512": {
+			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "RS256":
+		case "RS384":
+		case "RS512": {
+			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "PS256":
+		case "PS384":
+		case "PS512": {
+			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "Ed25519":
+		case "EdDSA":
+			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+			break;
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87":
+			if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+			break;
+		case "ES256":
+		case "ES384":
+		case "ES512": {
+			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
+			const expected = getNamedCurve(alg);
+			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
+			break;
+		}
+		default: throw new TypeError("CryptoKey does not support this operation");
+	}
+	checkUsage(key, usage);
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+	types = types.filter(Boolean);
+	if (types.length > 2) {
+		const last = types.pop();
+		msg += `one of type ${types.join(", ")}, or ${last}.`;
+	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
+	else msg += `of type ${types[0]}.`;
+	if (actual == null) msg += ` Received ${actual}`;
+	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
+	else if (typeof actual === "object" && actual != null) {
+		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
+	}
+	return msg;
+}
+const invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_key_like.js
+const isCryptoKey = (key) => {
+	if (key?.[Symbol.toStringTag] === "CryptoKey") return true;
+	try {
+		return key instanceof CryptoKey;
+	} catch {
+		return false;
+	}
+};
+const isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+function isDisjoint(...headers) {
+	const sources = headers.filter(Boolean);
+	if (sources.length === 0 || sources.length === 1) return true;
+	let acc;
+	for (const header of sources) {
+		const parameters = Object.keys(header);
+		if (!acc || acc.size === 0) {
+			acc = new Set(parameters);
+			continue;
+		}
+		for (const parameter of parameters) {
+			if (acc.has(parameter)) return false;
+			acc.add(parameter);
+		}
+	}
+	return true;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_object.js
+const isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+	if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") return false;
+	if (Object.getPrototypeOf(input) === null) return true;
+	let proto = input;
+	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
+	return Object.getPrototypeOf(input) === proto;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/check_key_length.js
+function checkKeyLength(alg, key) {
+	if (alg.startsWith("RS") || alg.startsWith("PS")) {
+		const { modulusLength } = key.algorithm;
+		if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+	}
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
+function subtleMapping(jwk) {
+	let algorithm;
+	let keyUsages;
+	switch (jwk.kty) {
+		case "AKP":
+			switch (jwk.alg) {
+				case "ML-DSA-44":
+				case "ML-DSA-65":
+				case "ML-DSA-87":
+					algorithm = { name: jwk.alg };
+					keyUsages = jwk.priv ? ["sign"] : ["verify"];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "RSA":
+			switch (jwk.alg) {
+				case "PS256":
+				case "PS384":
+				case "PS512":
+					algorithm = {
+						name: "RSA-PSS",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RS256":
+				case "RS384":
+				case "RS512":
+					algorithm = {
+						name: "RSASSA-PKCS1-v1_5",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RSA-OAEP":
+				case "RSA-OAEP-256":
+				case "RSA-OAEP-384":
+				case "RSA-OAEP-512":
+					algorithm = {
+						name: "RSA-OAEP",
+						hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+					};
+					keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "EC":
+			switch (jwk.alg) {
+				case "ES256":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-256"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ES384":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-384"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ES512":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-521"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = {
+						name: "ECDH",
+						namedCurve: jwk.crv
+					};
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "OKP":
+			switch (jwk.alg) {
+				case "Ed25519":
+				case "EdDSA":
+					algorithm = { name: "Ed25519" };
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = { name: jwk.crv };
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		default: throw new JOSENotSupported("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
+	}
+	return {
+		algorithm,
+		keyUsages
+	};
+}
+async function jwkToKey(jwk) {
+	if (!jwk.alg) throw new TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
+	const { algorithm, keyUsages } = subtleMapping(jwk);
+	const keyData = { ...jwk };
+	if (keyData.kty !== "AKP") delete keyData.alg;
+	delete keyData.use;
+	return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
+	let ext;
+	alg ??= jwk.alg;
+	ext ??= options?.extractable ?? jwk.ext;
+	switch (jwk.kty) {
+		case "oct":
+			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
+			return decode(jwk.k);
+		case "RSA":
+			if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
+			return jwkToKey({
+				...jwk,
+				alg,
+				ext
+			});
+		case "AKP":
+			if (typeof jwk.alg !== "string" || !jwk.alg) throw new TypeError("missing \"alg\" (Algorithm) Parameter value");
+			if (alg !== void 0 && alg !== jwk.alg) throw new TypeError("JWK alg and alg option value mismatch");
+			return jwkToKey({
+				...jwk,
+				ext
+			});
+		case "EC":
+		case "OKP": return jwkToKey({
+			...jwk,
+			alg,
+			ext
+		});
+		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
+	}
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
+	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
+	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
+	let recognized;
+	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+	else recognized = recognizedDefault;
+	for (const parameter of protectedHeader.crit) {
+		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+	}
+	return new Set(protectedHeader.crit);
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
+	if (!algorithms) return;
+	return new Set(algorithms);
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_jwk.js
+const isJWK = (key) => isObject(key) && typeof key.kty === "string";
+const isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+const isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+const isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/normalize_key.js
+let cache;
+const handleJWK = async (key, jwk, alg, freeze = false) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(key);
+	if (cached?.[alg]) return cached[alg];
+	const cryptoKey = await jwkToKey({
+		...jwk,
+		alg
+	});
+	if (freeze) Object.freeze(key);
+	if (!cached) cache.set(key, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+const handleKeyObject = (keyObject, alg) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(keyObject);
+	if (cached?.[alg]) return cached[alg];
+	const isPublic = keyObject.type === "public";
+	const extractable = isPublic ? true : false;
+	let cryptoKey;
+	if (keyObject.asymmetricKeyType === "x25519") {
+		switch (alg) {
+			case "ECDH-ES":
+			case "ECDH-ES+A128KW":
+			case "ECDH-ES+A192KW":
+			case "ECDH-ES+A256KW": break;
+			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		}
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (keyObject.asymmetricKeyType === "ed25519") {
+		if (alg !== "EdDSA" && alg !== "Ed25519") throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	switch (keyObject.asymmetricKeyType) {
+		case "ml-dsa-44":
+		case "ml-dsa-65":
+		case "ml-dsa-87":
+			if (alg !== keyObject.asymmetricKeyType.toUpperCase()) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+			cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "rsa") {
+		let hash;
+		switch (alg) {
+			case "RSA-OAEP":
+				hash = "SHA-1";
+				break;
+			case "RS256":
+			case "PS256":
+			case "RSA-OAEP-256":
+				hash = "SHA-256";
+				break;
+			case "RS384":
+			case "PS384":
+			case "RSA-OAEP-384":
+				hash = "SHA-384";
+				break;
+			case "RS512":
+			case "PS512":
+			case "RSA-OAEP-512":
+				hash = "SHA-512";
+				break;
+			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		}
+		if (alg.startsWith("RSA-OAEP")) return keyObject.toCryptoKey({
+			name: "RSA-OAEP",
+			hash
+		}, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+		cryptoKey = keyObject.toCryptoKey({
+			name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+			hash
+		}, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "ec") {
+		const namedCurve = new Map([
+			["prime256v1", "P-256"],
+			["secp384r1", "P-384"],
+			["secp521r1", "P-521"]
+		]).get(keyObject.asymmetricKeyDetails?.namedCurve);
+		if (!namedCurve) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		if (alg === "ES256" && namedCurve === "P-256") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg === "ES384" && namedCurve === "P-384") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg === "ES512" && namedCurve === "P-521") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg.startsWith("ECDH-ES")) cryptoKey = keyObject.toCryptoKey({
+			name: "ECDH",
+			namedCurve
+		}, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (!cryptoKey) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+	if (!cached) cache.set(keyObject, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+	if (key instanceof Uint8Array) return key;
+	if (isCryptoKey(key)) return key;
+	if (isKeyObject(key)) {
+		if (key.type === "secret") return key.export();
+		if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") try {
+			return handleKeyObject(key, alg);
+		} catch (err) {
+			if (err instanceof TypeError) throw err;
+		}
+		return handleJWK(key, key.export({ format: "jwk" }), alg);
+	}
+	if (isJWK(key)) {
+		if (key.k) return decode(key.k);
+		return handleJWK(key, key, alg, true);
+	}
+	throw new Error("unreachable");
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/check_key_type.js
+const tag = (key) => key?.[Symbol.toStringTag];
+const jwkMatchesOp = (alg, key, usage) => {
+	if (key.use !== void 0) {
+		let expected;
+		switch (usage) {
+			case "sign":
+			case "verify":
+				expected = "sig";
+				break;
+			case "encrypt":
+			case "decrypt":
+				expected = "enc";
+				break;
+		}
+		if (key.use !== expected) throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+	}
+	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+	if (Array.isArray(key.key_ops)) {
+		let expectedKeyOp;
+		switch (true) {
+			case usage === "sign" || usage === "verify":
+			case alg === "dir":
+			case alg.includes("CBC-HS"):
+				expectedKeyOp = usage;
+				break;
+			case alg.startsWith("PBES2"):
+				expectedKeyOp = "deriveBits";
+				break;
+			case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+				if (!alg.includes("GCM") && alg.endsWith("KW")) expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+				else expectedKeyOp = usage;
+				break;
+			case usage === "encrypt" && alg.startsWith("RSA"):
+				expectedKeyOp = "wrapKey";
+				break;
+			case usage === "decrypt":
+				expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+				break;
+		}
+		if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+	}
+	return true;
+};
+const symmetricTypeCheck = (alg, key, usage) => {
+	if (key instanceof Uint8Array) return;
+	if (isJWK(key)) {
+		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+};
+const asymmetricTypeCheck = (alg, key, usage) => {
+	if (isJWK(key)) switch (usage) {
+		case "decrypt":
+		case "sign":
+			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
+		case "encrypt":
+		case "verify":
+			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+	if (key.type === "public") switch (usage) {
+		case "sign": throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+		case "decrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+	}
+	if (key.type === "private") switch (usage) {
+		case "verify": throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+		case "encrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+	}
+};
+function checkKeyType(alg, key, usage) {
+	switch (alg.substring(0, 2)) {
+		case "A1":
+		case "A2":
+		case "di":
+		case "HS":
+		case "PB":
+			symmetricTypeCheck(alg, key, usage);
+			break;
+		default: asymmetricTypeCheck(alg, key, usage);
+	}
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
+function subtleAlgorithm(alg, algorithm) {
+	const hash = `SHA-${alg.slice(-3)}`;
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512": return {
+			hash,
+			name: "HMAC"
+		};
+		case "PS256":
+		case "PS384":
+		case "PS512": return {
+			hash,
+			name: "RSA-PSS",
+			saltLength: parseInt(alg.slice(-3), 10) >> 3
+		};
+		case "RS256":
+		case "RS384":
+		case "RS512": return {
+			hash,
+			name: "RSASSA-PKCS1-v1_5"
+		};
+		case "ES256":
+		case "ES384":
+		case "ES512": return {
+			hash,
+			name: "ECDSA",
+			namedCurve: algorithm.namedCurve
+		};
+		case "Ed25519":
+		case "EdDSA": return { name: "Ed25519" };
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87": return { name: alg };
+		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+	}
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
+async function getSigKey(alg, key, usage) {
+	if (key instanceof Uint8Array) {
+		if (!alg.startsWith("HS")) throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+		return crypto.subtle.importKey("raw", key, {
+			hash: `SHA-${alg.slice(-3)}`,
+			name: "HMAC"
+		}, false, [usage]);
+	}
+	checkSigCryptoKey(key, alg, usage);
+	return key;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/verify.js
+async function verify(alg, key, signature, data) {
+	const cryptoKey = await getSigKey(alg, key, "verify");
+	checkKeyLength(alg, cryptoKey);
+	const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+	try {
+		return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
+	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
+	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
+	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
+	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
+	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
+	let parsedProt = {};
+	if (jws.protected) try {
+		const protectedHeader = decode(jws.protected);
+		parsedProt = JSON.parse(decoder.decode(protectedHeader));
+	} catch {
+		throw new JWSInvalid("JWS Protected Header is invalid");
+	}
+	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+	const joseHeader = {
+		...parsedProt,
+		...jws.header
+	};
+	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+	let b64 = true;
+	if (extensions.has("b64")) {
+		b64 = parsedProt.b64;
+		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+	}
+	const { alg } = joseHeader;
+	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
+	if (b64) {
+		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
+	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+	let resolvedKey = false;
+	if (typeof key === "function") {
+		key = await key(parsedProt, jws);
+		resolvedKey = true;
+	}
+	checkKeyType(alg, key, "verify");
+	const data = concat(jws.protected !== void 0 ? encode$1(jws.protected) : new Uint8Array(), encode$1("."), typeof jws.payload === "string" ? b64 ? encode$1(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+	let signature;
+	try {
+		signature = decode(jws.signature);
+	} catch {
+		throw new JWSInvalid("Failed to base64url decode the signature");
+	}
+	const k = await normalizeKey(key, alg);
+	if (!await verify(alg, k, signature, data)) throw new JWSSignatureVerificationFailed();
+	let payload;
+	if (b64) try {
+		payload = decode(jws.payload);
+	} catch {
+		throw new JWSInvalid("Failed to base64url decode the payload");
+	}
+	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
+	else payload = jws.payload;
+	const result = { payload };
+	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
+	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
+	if (resolvedKey) return {
+		...result,
+		key: k
+	};
+	return result;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/compact/verify.js
+async function compactVerify(jws, key, options) {
+	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
+	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
+	const verified = await flattenedVerify({
+		payload,
+		protected: protectedHeader,
+		signature
+	}, key, options);
+	const result = {
+		payload: verified.payload,
+		protectedHeader: verified.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: verified.key
+	};
+	return result;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+const epoch = (date) => Math.floor(date.getTime() / 1e3);
+const minute = 60;
+const hour = minute * 60;
+const day = hour * 24;
+const week = day * 7;
+const year = day * 365.25;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function secs(str) {
+	const matched = REGEX.exec(str);
+	if (!matched || matched[4] && matched[1]) throw new TypeError("Invalid time period format");
+	const value = parseFloat(matched[2]);
+	const unit = matched[3].toLowerCase();
+	let numericDate;
+	switch (unit) {
+		case "sec":
+		case "secs":
+		case "second":
+		case "seconds":
+		case "s":
+			numericDate = Math.round(value);
+			break;
+		case "minute":
+		case "minutes":
+		case "min":
+		case "mins":
+		case "m":
+			numericDate = Math.round(value * minute);
+			break;
+		case "hour":
+		case "hours":
+		case "hr":
+		case "hrs":
+		case "h":
+			numericDate = Math.round(value * hour);
+			break;
+		case "day":
+		case "days":
+		case "d":
+			numericDate = Math.round(value * day);
+			break;
+		case "week":
+		case "weeks":
+		case "w":
+			numericDate = Math.round(value * week);
+			break;
+		default:
+			numericDate = Math.round(value * year);
+			break;
+	}
+	if (matched[1] === "-" || matched[4] === "ago") return -numericDate;
+	return numericDate;
+}
+function validateInput(label, input) {
+	if (!Number.isFinite(input)) throw new TypeError(`Invalid ${label} input`);
+	return input;
+}
+const normalizeTyp = (value) => {
+	if (value.includes("/")) return value.toLowerCase();
+	return `application/${value.toLowerCase()}`;
+};
+const checkAudiencePresence = (audPayload, audOption) => {
+	if (typeof audPayload === "string") return audOption.includes(audPayload);
+	if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+	return false;
+};
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+	let payload;
+	try {
+		payload = JSON.parse(decoder.decode(encodedPayload));
+	} catch {}
+	if (!isObject(payload)) throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
+	const { typ } = options;
+	if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed("unexpected \"typ\" JWT header value", payload, "typ", "check_failed");
+	const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+	const presenceCheck = [...requiredClaims];
+	if (maxTokenAge !== void 0) presenceCheck.push("iat");
+	if (audience !== void 0) presenceCheck.push("aud");
+	if (subject !== void 0) presenceCheck.push("sub");
+	if (issuer !== void 0) presenceCheck.push("iss");
+	for (const claim of new Set(presenceCheck.reverse())) if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
+	if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) throw new JWTClaimValidationFailed("unexpected \"iss\" claim value", payload, "iss", "check_failed");
+	if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed("unexpected \"sub\" claim value", payload, "sub", "check_failed");
+	if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) throw new JWTClaimValidationFailed("unexpected \"aud\" claim value", payload, "aud", "check_failed");
+	let tolerance;
+	switch (typeof options.clockTolerance) {
+		case "string":
+			tolerance = secs(options.clockTolerance);
+			break;
+		case "number":
+			tolerance = options.clockTolerance;
+			break;
+		case "undefined":
+			tolerance = 0;
+			break;
+		default: throw new TypeError("Invalid clockTolerance option type");
+	}
+	const { currentDate } = options;
+	const now = epoch(currentDate || /* @__PURE__ */ new Date());
+	if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") throw new JWTClaimValidationFailed("\"iat\" claim must be a number", payload, "iat", "invalid");
+	if (payload.nbf !== void 0) {
+		if (typeof payload.nbf !== "number") throw new JWTClaimValidationFailed("\"nbf\" claim must be a number", payload, "nbf", "invalid");
+		if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed("\"nbf\" claim timestamp check failed", payload, "nbf", "check_failed");
+	}
+	if (payload.exp !== void 0) {
+		if (typeof payload.exp !== "number") throw new JWTClaimValidationFailed("\"exp\" claim must be a number", payload, "exp", "invalid");
+		if (payload.exp <= now - tolerance) throw new JWTExpired("\"exp\" claim timestamp check failed", payload, "exp", "check_failed");
+	}
+	if (maxTokenAge) {
+		const age = now - payload.iat;
+		const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
+		if (age - tolerance > max) throw new JWTExpired("\"iat\" claim timestamp check failed (too far in the past)", payload, "iat", "check_failed");
+		if (age < 0 - tolerance) throw new JWTClaimValidationFailed("\"iat\" claim timestamp check failed (it should be in the past)", payload, "iat", "check_failed");
+	}
+	return payload;
+}
+var JWTClaimsBuilder = class {
+	#payload;
+	constructor(payload) {
+		if (!isObject(payload)) throw new TypeError("JWT Claims Set MUST be an object");
+		this.#payload = structuredClone(payload);
+	}
+	data() {
+		return encoder.encode(JSON.stringify(this.#payload));
+	}
+	get iss() {
+		return this.#payload.iss;
+	}
+	set iss(value) {
+		this.#payload.iss = value;
+	}
+	get sub() {
+		return this.#payload.sub;
+	}
+	set sub(value) {
+		this.#payload.sub = value;
+	}
+	get aud() {
+		return this.#payload.aud;
+	}
+	set aud(value) {
+		this.#payload.aud = value;
+	}
+	set jti(value) {
+		this.#payload.jti = value;
+	}
+	set nbf(value) {
+		if (typeof value === "number") this.#payload.nbf = validateInput("setNotBefore", value);
+		else if (value instanceof Date) this.#payload.nbf = validateInput("setNotBefore", epoch(value));
+		else this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
+	}
+	set exp(value) {
+		if (typeof value === "number") this.#payload.exp = validateInput("setExpirationTime", value);
+		else if (value instanceof Date) this.#payload.exp = validateInput("setExpirationTime", epoch(value));
+		else this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
+	}
+	set iat(value) {
+		if (value === void 0) this.#payload.iat = epoch(/* @__PURE__ */ new Date());
+		else if (value instanceof Date) this.#payload.iat = validateInput("setIssuedAt", epoch(value));
+		else if (typeof value === "string") this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
+		else this.#payload.iat = validateInput("setIssuedAt", value);
+	}
+};
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwt/verify.js
+async function jwtVerify(jwt, key, options) {
+	const verified = await compactVerify(jwt, key, options);
+	if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+	const result = {
+		payload: validateClaimsSet(verified.protectedHeader, verified.payload, options),
+		protectedHeader: verified.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: verified.key
+	};
+	return result;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/sign.js
+async function sign(alg, key, data) {
+	const cryptoKey = await getSigKey(alg, key, "sign");
+	checkKeyLength(alg, cryptoKey);
+	const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+	return new Uint8Array(signature);
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js
+var FlattenedSign = class {
+	#payload;
+	#protectedHeader;
+	#unprotectedHeader;
+	constructor(payload) {
+		if (!(payload instanceof Uint8Array)) throw new TypeError("payload must be an instance of Uint8Array");
+		this.#payload = payload;
+	}
+	setProtectedHeader(protectedHeader) {
+		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	setUnprotectedHeader(unprotectedHeader) {
+		if (this.#unprotectedHeader) throw new TypeError("setUnprotectedHeader can only be called once");
+		this.#unprotectedHeader = unprotectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		if (!this.#protectedHeader && !this.#unprotectedHeader) throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+		if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+		const joseHeader = {
+			...this.#protectedHeader,
+			...this.#unprotectedHeader
+		};
+		const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+		let b64 = true;
+		if (extensions.has("b64")) {
+			b64 = this.#protectedHeader.b64;
+			if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+		}
+		const { alg } = joseHeader;
+		if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+		checkKeyType(alg, key, "sign");
+		let payloadS;
+		let payloadB;
+		if (b64) {
+			payloadS = encode(this.#payload);
+			payloadB = encode$1(payloadS);
+		} else {
+			payloadB = this.#payload;
+			payloadS = "";
+		}
+		let protectedHeaderString;
+		let protectedHeaderBytes;
+		if (this.#protectedHeader) {
+			protectedHeaderString = encode(JSON.stringify(this.#protectedHeader));
+			protectedHeaderBytes = encode$1(protectedHeaderString);
+		} else {
+			protectedHeaderString = "";
+			protectedHeaderBytes = new Uint8Array();
+		}
+		const data = concat(protectedHeaderBytes, encode$1("."), payloadB);
+		const jws = {
+			signature: encode(await sign(alg, await normalizeKey(key, alg), data)),
+			payload: payloadS
+		};
+		if (this.#unprotectedHeader) jws.header = this.#unprotectedHeader;
+		if (this.#protectedHeader) jws.protected = protectedHeaderString;
+		return jws;
+	}
+};
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/compact/sign.js
+var CompactSign = class {
+	#flattened;
+	constructor(payload) {
+		this.#flattened = new FlattenedSign(payload);
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#flattened.setProtectedHeader(protectedHeader);
+		return this;
+	}
+	async sign(key, options) {
+		const jws = await this.#flattened.sign(key, options);
+		if (jws.payload === void 0) throw new TypeError("use the flattened module for creating JWS with b64: false");
+		return `${jws.protected}.${jws.payload}.${jws.signature}`;
+	}
+};
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwt/sign.js
+var SignJWT = class {
+	#protectedHeader;
+	#jwt;
+	constructor(payload = {}) {
+		this.#jwt = new JWTClaimsBuilder(payload);
+	}
+	setIssuer(issuer) {
+		this.#jwt.iss = issuer;
+		return this;
+	}
+	setSubject(subject) {
+		this.#jwt.sub = subject;
+		return this;
+	}
+	setAudience(audience) {
+		this.#jwt.aud = audience;
+		return this;
+	}
+	setJti(jwtId) {
+		this.#jwt.jti = jwtId;
+		return this;
+	}
+	setNotBefore(input) {
+		this.#jwt.nbf = input;
+		return this;
+	}
+	setExpirationTime(input) {
+		this.#jwt.exp = input;
+		return this;
+	}
+	setIssuedAt(input) {
+		this.#jwt.iat = input;
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		const sig = new CompactSign(this.#jwt.data());
+		sig.setProtectedHeader(this.#protectedHeader);
+		if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+		return sig.sign(key, options);
+	}
+};
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwks/local.js
+function getKtyFromAlg(alg) {
+	switch (typeof alg === "string" && alg.slice(0, 2)) {
+		case "RS":
+		case "PS": return "RSA";
+		case "ES": return "EC";
+		case "Ed": return "OKP";
+		case "ML": return "AKP";
+		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
+	}
+}
+function isJWKSLike(jwks) {
+	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key) {
+	return isObject(key);
+}
+var LocalJWKSet = class {
+	#jwks;
+	#cached = /* @__PURE__ */ new WeakMap();
+	constructor(jwks) {
+		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
+		this.#jwks = structuredClone(jwks);
+	}
+	jwks() {
+		return this.#jwks;
+	}
+	async getKey(protectedHeader, token) {
+		const { alg, kid } = {
+			...protectedHeader,
+			...token?.header
+		};
+		const kty = getKtyFromAlg(alg);
+		const candidates = this.#jwks.keys.filter((jwk) => {
+			let candidate = kty === jwk.kty;
+			if (candidate && typeof kid === "string") candidate = kid === jwk.kid;
+			if (candidate && (typeof jwk.alg === "string" || kty === "AKP")) candidate = alg === jwk.alg;
+			if (candidate && typeof jwk.use === "string") candidate = jwk.use === "sig";
+			if (candidate && Array.isArray(jwk.key_ops)) candidate = jwk.key_ops.includes("verify");
+			if (candidate) switch (alg) {
+				case "ES256":
+					candidate = jwk.crv === "P-256";
+					break;
+				case "ES384":
+					candidate = jwk.crv === "P-384";
+					break;
+				case "ES512":
+					candidate = jwk.crv === "P-521";
+					break;
+				case "Ed25519":
+				case "EdDSA":
+					candidate = jwk.crv === "Ed25519";
+					break;
+			}
+			return candidate;
+		});
+		const { 0: jwk, length } = candidates;
+		if (length === 0) throw new JWKSNoMatchingKey();
+		if (length !== 1) {
+			const error = new JWKSMultipleMatchingKeys();
+			const _cached = this.#cached;
+			error[Symbol.asyncIterator] = async function* () {
+				for (const jwk of candidates) try {
+					yield await importWithAlgCache(_cached, jwk, alg);
+				} catch {}
+			};
+			throw error;
+		}
+		return importWithAlgCache(this.#cached, jwk, alg);
+	}
+};
+async function importWithAlgCache(cache, jwk, alg) {
+	const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+	if (cached[alg] === void 0) {
+		const key = await importJWK({
+			...jwk,
+			ext: true
+		}, alg);
+		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+		cached[alg] = key;
+	}
+	return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+	const set = new LocalJWKSet(jwks);
+	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(localJWKSet, { jwks: {
+		value: () => structuredClone(set.jwks()),
+		enumerable: false,
+		configurable: false,
+		writable: false
+	} });
+	return localJWKSet;
+}
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwks/remote.js
+function isCloudflareWorkers() {
+	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+let USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v6.1.3`;
+const customFetch = Symbol();
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+	const response = await fetchImpl(url, {
+		method: "GET",
+		signal,
+		redirect: "manual",
+		headers
+	}).catch((err) => {
+		if (err.name === "TimeoutError") throw new JWKSTimeout();
+		throw err;
+	});
+	if (response.status !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+	try {
+		return await response.json();
+	} catch {
+		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+	}
+}
+const jwksCache = Symbol();
+function isFreshJwksCache(input, cacheMaxAge) {
+	if (typeof input !== "object" || input === null) return false;
+	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
+	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
+	return true;
+}
+var RemoteJWKSet = class {
+	#url;
+	#timeoutDuration;
+	#cooldownDuration;
+	#cacheMaxAge;
+	#jwksTimestamp;
+	#pendingFetch;
+	#headers;
+	#customFetch;
+	#local;
+	#cache;
+	constructor(url, options) {
+		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
+		this.#url = new URL(url.href);
+		this.#timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
+		this.#cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
+		this.#cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+		this.#headers = new Headers(options?.headers);
+		if (USER_AGENT && !this.#headers.has("User-Agent")) this.#headers.set("User-Agent", USER_AGENT);
+		if (!this.#headers.has("accept")) {
+			this.#headers.set("accept", "application/json");
+			this.#headers.append("accept", "application/jwk-set+json");
+		}
+		this.#customFetch = options?.[customFetch];
+		if (options?.[jwksCache] !== void 0) {
+			this.#cache = options?.[jwksCache];
+			if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
+				this.#jwksTimestamp = this.#cache.uat;
+				this.#local = createLocalJWKSet(this.#cache.jwks);
+			}
+		}
+	}
+	pendingFetch() {
+		return !!this.#pendingFetch;
+	}
+	coolingDown() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration : false;
+	}
+	fresh() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;
+	}
+	jwks() {
+		return this.#local?.jwks();
+	}
+	async getKey(protectedHeader, token) {
+		if (!this.#local || !this.fresh()) await this.reload();
+		try {
+			return await this.#local(protectedHeader, token);
+		} catch (err) {
+			if (err instanceof JWKSNoMatchingKey) {
+				if (this.coolingDown() === false) {
+					await this.reload();
+					return this.#local(protectedHeader, token);
+				}
+			}
+			throw err;
+		}
+	}
+	async reload() {
+		if (this.#pendingFetch && isCloudflareWorkers()) this.#pendingFetch = void 0;
+		this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch).then((json) => {
+			this.#local = createLocalJWKSet(json);
+			if (this.#cache) {
+				this.#cache.uat = Date.now();
+				this.#cache.jwks = json;
+			}
+			this.#jwksTimestamp = Date.now();
+			this.#pendingFetch = void 0;
+		}).catch((err) => {
+			this.#pendingFetch = void 0;
+			throw err;
+		});
+		await this.#pendingFetch;
+	}
+};
+function createRemoteJWKSet(url, options) {
+	const set = new RemoteJWKSet(url, options);
+	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(remoteJWKSet, {
+		coolingDown: {
+			get: () => set.coolingDown(),
+			enumerable: true,
+			configurable: false
+		},
+		fresh: {
+			get: () => set.fresh(),
+			enumerable: true,
+			configurable: false
+		},
+		reload: {
+			value: () => set.reload(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		},
+		reloading: {
+			get: () => set.pendingFetch(),
+			enumerable: true,
+			configurable: false
+		},
+		jwks: {
+			value: () => set.jwks(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		}
+	});
+	return remoteJWKSet;
+}
 //#endregion
 //#region ../../src/security/providers/JwtProvider.ts
 /**
@@ -310,13 +1721,32 @@ var SecurityProvider = class {
 		on: "start",
 		handler: async () => {
 			if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) this.log.warn("Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.");
-			for (const realm of this.realms) if (realm.secret) {
-				const secret = typeof realm.secret === "function" ? realm.secret() : realm.secret;
-				this.jwt.setKeyLoader(realm.name, secret);
+			for (const realm of this.realms) {
+				if (realm.secret) {
+					const secret = typeof realm.secret === "function" ? realm.secret() : realm.secret;
+					this.jwt.setKeyLoader(realm.name, secret);
+				}
+				if (!realm.resolvers || realm.resolvers.length === 0) this.registerResolver(this.createDefaultJwtResolver(realm.name), realm.name);
 			}
 		}
 	});
 	/**
+	* Creates a default JWT resolver for a realm.
+	*/
+	createDefaultJwtResolver(realmName) {
+		return {
+			priority: 100,
+			onRequest: async (req) => {
+				const auth = req.headers.authorization;
+				if (!auth?.startsWith("Bearer ")) return null;
+				const token = auth.slice(7);
+				if (!token.includes(".")) return null;
+				const { result } = await this.jwt.parse(token, realmName);
+				return this.createUserFromPayload(result.payload, realmName);
+			}
+		};
+	}
+	/**
 	* Adds a role to one or more realms.
 	*
 	* @param role
@@ -435,6 +1865,82 @@ var SecurityProvider = class {
 		};
 	}
 	/**
+	* Generic user creation from any source (JWT, API key, etc.).
+	* Handles permission checking, ownership, default roles.
+	*/
+	createUser(userInfo, options = {}) {
+		const realmRoles = this.getRoles(options.realm).filter((it) => it.default);
+		const roles = [...userInfo.roles ?? []];
+		for (const role of realmRoles) if (!roles.includes(role.name)) roles.push(role.name);
+		let ownership;
+		if (options.permission) {
+			const check = this.checkPermission(options.permission, ...roles);
+			if (!check.isAuthorized) throw new SecurityError(`User is not allowed to access '${this.permissionToString(options.permission)}'`);
+			ownership = check.ownership;
+		}
+		return {
+			...userInfo,
+			roles,
+			ownership,
+			realm: options.realm
+		};
+	}
+	/**
+	* Register a resolver to a realm.
+	* Resolvers are sorted by priority (lower = first).
+	*/
+	registerResolver(resolver, realmName) {
+		const realm = this.getRealm(realmName);
+		if (!realm.resolvers) realm.resolvers = [];
+		realm.resolvers.push(resolver);
+		realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));
+	}
+	/**
+	* Get a realm by name.
+	* Throws if realm not found.
+	*/
+	getRealm(realmName) {
+		const realm = realmName ? this.realms.find((it) => it.name === realmName) : this.realms[0];
+		if (!realm) throw new RealmNotFoundError(realmName ?? "default");
+		return realm;
+	}
+	/**
+	* Resolve user from request using registered resolvers.
+	* Returns undefined if no resolver could authenticate (no auth provided).
+	* Throws UnauthorizedError if auth was provided but invalid.
+	*
+	* Note: This method tries resolvers from ALL realms to find a match,
+	* regardless of the `realm` option. The `realm` option is only used for
+	* permission checking after the user is resolved.
+	*/
+	async resolveUserFromServerRequest(req, options = {}) {
+		const allResolvers = [];
+		for (const realm of this.realms) for (const resolver of realm.resolvers ?? []) allResolvers.push({
+			resolver,
+			realmName: realm.name
+		});
+		allResolvers.sort((a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100));
+		for (const { resolver, realmName } of allResolvers) {
+			let userInfo;
+			try {
+				userInfo = await resolver.onRequest(req);
+			} catch {
+				continue;
+			}
+			if (userInfo) {
+				const user = this.createUser(userInfo, {
+					realm: realmName,
+					permission: options.permission
+				});
+				await this.alepha.events.emit("security:user:created", {
+					realm: realmName,
+					user
+				});
+				return user;
+			}
+		}
+	}
+	/**
 	* Checks if the user has the specified permission.
 	*
 	* Bonus: we check also if the user has "ownership" flag.
@@ -444,12 +1950,12 @@ var SecurityProvider = class {
 	*/
 	checkPermission(permissionLike, ...roleEntries) {
 		const roles = roleEntries.map((it) => {
-			const role = this.getRoles().find((role$1) => role$1.name === it);
+			const role = this.getRoles().find((role) => role.name === it);
 			if (!role) throw new SecurityError(`Role '${it}' not found`);
 			return role;
 		});
 		const permission = this.permissionToString(permissionLike);
-		if (roles.find((it) => it.permissions.find((it$1) => it$1.name === "*" && !it$1.exclude && !it$1.ownership))) return {
+		if (roles.find((it) => it.permissions.find((it) => it.name === "*" && !it.exclude && !it.ownership))) return {
 			isAuthorized: true,
 			ownership: false
 		};
@@ -696,7 +2202,7 @@ var IssuerPrimitive = class extends Primitive {
 	onInit() {
 		const roles = this.options.roles?.map((it) => {
 			if (typeof it === "string") {
-				const role = this.getRoles().find((role$1) => role$1.name === it);
+				const role = this.getRoles().find((role) => role.name === it);
 				if (!role) throw new SecurityError(`Role '${it}' not found`);
 				return role;
 			}
@@ -706,8 +2212,34 @@ var IssuerPrimitive = class extends Primitive {
 			name: this.name,
 			profile: this.options.profile,
 			secret: "jwks" in this.options ? this.options.jwks : this.options.secret,
-			roles
+			roles,
+			resolvers: []
 		});
+		for (const resolver of this.options.resolvers ?? []) this.registerResolver(resolver);
+		this.registerResolver(this.createJwtResolver());
+	}
+	/**
+	* Creates the default JWT resolver.
+	*/
+	createJwtResolver() {
+		return {
+			priority: 100,
+			onRequest: async (req) => {
+				const auth = req.headers.authorization;
+				if (!auth?.startsWith("Bearer ")) return null;
+				const token = auth.slice(7);
+				if (!token.includes(".")) return null;
+				const { result } = await this.jwt.parse(token, this.name);
+				return this.securityProvider.createUserFromPayload(result.payload, this.name);
+			}
+		};
+	}
+	/**
+	* Register a resolver to this issuer.
+	* Resolvers are sorted by priority (lower = first).
+	*/
+	registerResolver(resolver) {
+		this.securityProvider.registerResolver(resolver, this.name);
 	}
 	/**
 	* Get all roles in the issuer.
@@ -746,8 +2278,8 @@ var IssuerPrimitive = class extends Primitive {
 			const create = this.options.settings?.onCreateSession;
 			if (create) {
 				const expiresIn = this.refreshTokenExpiration.asSeconds();
-				const { refreshToken: refreshToken$1, sessionId } = await create(user, { expiresIn });
-				refresh_token = refreshToken$1;
+				const { refreshToken, sessionId } = await create(user, { expiresIn });
+				refresh_token = refreshToken;
 				refresh_token_expires_in = expiresIn;
 				sid = sessionId;
 			} else {
@@ -792,13 +2324,13 @@ var IssuerPrimitive = class extends Primitive {
 	}
 	async refreshToken(refreshToken, accessToken) {
 		if (this.options.settings?.onRefreshSession) {
-			const { user: user$1, expiresIn: expiresIn$1, sessionId } = await this.options.settings.onRefreshSession(refreshToken);
+			const { user, expiresIn, sessionId } = await this.options.settings.onRefreshSession(refreshToken);
 			return {
-				user: user$1,
-				tokens: await this.createToken(user$1, {
+				user,
+				tokens: await this.createToken(user, {
 					sid: sessionId,
 					refresh_token: refreshToken,
-					refresh_token_expires_in: expiresIn$1
+					refresh_token_expires_in: expiresIn
 				})
 			};
 		}
@@ -952,6 +2484,7 @@ var ServerSecurityProvider = class {
 	securityProvider = $inject(SecurityProvider);
 	jwtProvider = $inject(JwtProvider);
 	alepha = $inject(Alepha);
+	resolvers = [];
 	onConfigure = $hook({
 		on: "configure",
 		handler: async () => {
@@ -996,15 +2529,23 @@ var ServerSecurityProvider = class {
 			}
 			if (isBasicAuth(route.secure)) return;
 			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
+			const realm = typeof route.secure === "object" ? route.secure.realm : void 0;
 			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
+				request.user = await this.securityProvider.resolveUserFromServerRequest(request, {
+					permission,
+					realm
+				});
+				if (!request.user) {
+					if (route.secure || permission) {
+						if (!request.headers.authorization) throw new InvalidTokenError("Invalid authorization header, maybe token is missing ?");
+						throw new UnauthorizedError("Authentication required");
+					}
+					this.log.trace("Skipping security check for route - no auth provided and not required");
+					return;
+				}
 				if (typeof route.secure === "object") this.check(request.user, route.secure);
 				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
+				this.log.trace("User set from request", {
 					user: request.user,
 					permission
 				});
@@ -1039,11 +2580,8 @@ var ServerSecurityProvider = class {
 		if (type === "system") user = fromSystem;
 		else if (type === "context") user = fromContext;
 		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
+		if (!user) throw new UnauthorizedError("User is required for calling this action");
+		const roles = user.roles ?? [];
 		let ownership;
 		if (permission) {
 			const result = this.securityProvider.checkPermission(permission, ...roles);
@@ -1066,7 +2604,7 @@ var ServerSecurityProvider = class {
 		on: "client:onRequest",
 		handler: async ({ request, options }) => {
 			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
+			if (!options.user) return;
 			request.headers = new Headers(request.headers);
 			if (!request.headers.has("authorization")) {
 				const test = this.createTestUser();
@@ -1224,19 +2762,23 @@ const roleSchema = t.object({
 //#endregion
 //#region ../../src/security/index.ts
 /**
-* Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
+* | type | quality | stability |
+* |------|---------|-----------|
+* | backend | epic | stable |
 *
-* The security module enables building secure applications using primitives like `$issuer`, `$role`, and `$permission`
-* on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
-* integration with various authentication providers and user management systems.
+* Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.
 *
-* When used with `AlephaServer`, this module automatically registers `ServerSecurityProvider` and `ServerBasicAuthProvider`
-* to protect HTTP routes and actions with JWT and Basic Auth.
+* **Features:**
+* - JWT token issuer with role definitions
+* - Role-based access control (RBAC)
+* - Fine-grained permissions
+* - HTTP Basic Authentication
+* - Service-to-service authentication
+* - Multi-issuer support for federated auth
+* - JWKS (JSON Web Key Set) for external issuers
+* - Token refresh logic
+* - User profile extraction from JWT
 *
-* @see {@link $issuer}
-* @see {@link $role}
-* @see {@link $permission}
-* @see {@link $basicAuth}
 * @module alepha.security
 */
 const AlephaSecurity = $module({