npm - alepha - Versions diffs - 0.21.2 → 0.23.0 - Mend

alepha 0.21.2 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (519) hide show

package/README.md +0 -1
package/dist/api/audits/index.browser.js.map +1 -1
package/dist/api/audits/index.d.ts +393 -403
package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/audits/index.js +25 -56
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.browser.js +31 -1
package/dist/api/files/index.browser.js.map +1 -1
package/dist/api/files/index.d.ts +313 -208
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/files/index.js +152 -42
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.browser.js +2 -2
package/dist/api/jobs/index.browser.js.map +1 -1
package/dist/api/jobs/index.d.ts +282 -285
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js +39 -33
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/keys/index.d.ts +217 -222
package/dist/api/keys/index.d.ts.map +1 -1
package/dist/api/keys/index.js.map +1 -1
package/dist/api/notifications/index.browser.js.map +1 -1
package/dist/api/notifications/index.d.ts +188 -195
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/notifications/index.js.map +1 -1
package/dist/api/oauth/index.d.ts +71 -76
package/dist/api/oauth/index.d.ts.map +1 -1
package/dist/api/oauth/index.js.map +1 -1
package/dist/api/organizations/index.browser.js.map +1 -1
package/dist/api/organizations/index.d.ts +104 -109
package/dist/api/organizations/index.d.ts.map +1 -1
package/dist/api/organizations/index.js.map +1 -1
package/dist/api/parameters/index.browser.js +43 -16
package/dist/api/parameters/index.browser.js.map +1 -1
package/dist/api/parameters/index.d.ts +488 -344
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +175 -35
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/payments/index.d.ts +396 -402
package/dist/api/payments/index.d.ts.map +1 -1
package/dist/api/payments/index.js.map +1 -1
package/dist/api/subscriptions/index.d.ts +644 -652
package/dist/api/subscriptions/index.d.ts.map +1 -1
package/dist/api/subscriptions/index.js +1 -1
package/dist/api/subscriptions/index.js.map +1 -1
package/dist/api/users/index.browser.js +7 -0
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +1106 -1005
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +307 -64
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.browser.js.map +1 -1
package/dist/api/verifications/index.d.ts +137 -143
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/api/verifications/index.js.map +1 -1
package/dist/background/index.d.ts +95 -0
package/dist/background/index.d.ts.map +1 -0
package/dist/background/index.js +121 -0
package/dist/background/index.js.map +1 -0
package/dist/background/index.workerd.js +110 -0
package/dist/background/index.workerd.js.map +1 -0
package/dist/batch/index.d.ts +5 -7
package/dist/batch/index.d.ts.map +1 -1
package/dist/batch/index.js.map +1 -1
package/dist/bin/index.js.map +1 -1
package/dist/bucket/index.d.ts +76 -54
package/dist/bucket/index.d.ts.map +1 -1
package/dist/bucket/index.js +58 -11
package/dist/bucket/index.js.map +1 -1
package/dist/bucket/index.workerd.js +200 -5
package/dist/bucket/index.workerd.js.map +1 -1
package/dist/cache/core/index.d.ts +7 -10
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/core/index.js.map +1 -1
package/dist/cache/core/index.workerd.js.map +1 -1
package/dist/cache/database/index.d.ts +22 -26
package/dist/cache/database/index.d.ts.map +1 -1
package/dist/cache/database/index.js.map +1 -1
package/dist/cache/redis/index.d.ts +4 -7
package/dist/cache/redis/index.d.ts.map +1 -1
package/dist/cache/redis/index.js.map +1 -1
package/dist/captcha/index.d.ts +3 -6
package/dist/captcha/index.d.ts.map +1 -1
package/dist/captcha/index.js.map +1 -1
package/dist/cli/config/index.d.ts.map +1 -1
package/dist/cli/config/index.js.map +1 -1
package/dist/cli/core/index.d.ts +458 -249
package/dist/cli/core/index.d.ts.map +1 -1
package/dist/cli/core/index.js +372 -660
package/dist/cli/core/index.js.map +1 -1
package/dist/cli/devtools/index.d.ts +3 -5
package/dist/cli/devtools/index.d.ts.map +1 -1
package/dist/cli/devtools/index.js.map +1 -1
package/dist/cli/i18n/index.d.ts +20 -17
package/dist/cli/i18n/index.d.ts.map +1 -1
package/dist/cli/i18n/index.js +45 -11
package/dist/cli/i18n/index.js.map +1 -1
package/dist/cli/platform/index.d.ts +126 -1342
package/dist/cli/platform/index.d.ts.map +1 -1
package/dist/cli/platform/index.js +136 -2374
package/dist/cli/platform/index.js.map +1 -1
package/dist/cli/platform-lib/index.d.ts +1472 -0
package/dist/cli/platform-lib/index.d.ts.map +1 -0
package/dist/cli/platform-lib/index.js +2660 -0
package/dist/cli/platform-lib/index.js.map +1 -0
package/dist/cli/vendor/index.d.ts +17 -21
package/dist/cli/vendor/index.d.ts.map +1 -1
package/dist/cli/vendor/index.js.map +1 -1
package/dist/command/index.d.ts +20 -19
package/dist/command/index.d.ts.map +1 -1
package/dist/command/index.js +39 -10
package/dist/command/index.js.map +1 -1
package/dist/{containers → container}/core/index.d.ts +13 -15
package/dist/container/core/index.d.ts.map +1 -0
package/dist/{containers → container}/core/index.js +23 -14
package/dist/container/core/index.js.map +1 -0
package/dist/{containers → container}/core/index.workerd.js +37 -22
package/dist/container/core/index.workerd.js.map +1 -0
package/dist/core/index.browser.js +27 -1
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +48 -24
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +27 -1
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +27 -1
package/dist/core/index.native.js.map +1 -1
package/dist/core/index.workerd.js +27 -1
package/dist/core/index.workerd.js.map +1 -1
package/dist/crypto/index.browser.js.map +1 -1
package/dist/crypto/index.d.ts +5 -8
package/dist/crypto/index.d.ts.map +1 -1
package/dist/crypto/index.js.map +1 -1
package/dist/datetime/index.d.ts +3 -4
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js.map +1 -1
package/dist/email/brevo/index.d.ts +2 -4
package/dist/email/brevo/index.d.ts.map +1 -1
package/dist/email/brevo/index.js.map +1 -1
package/dist/email/cloudflare/index.d.ts +20 -7
package/dist/email/cloudflare/index.d.ts.map +1 -1
package/dist/email/cloudflare/index.js +46 -9
package/dist/email/cloudflare/index.js.map +1 -1
package/dist/email/core/index.d.ts +6 -9
package/dist/email/core/index.d.ts.map +1 -1
package/dist/email/core/index.js.map +1 -1
package/dist/email/core/index.workerd.js.map +1 -1
package/dist/email/smtp/index.d.ts +10 -13
package/dist/email/smtp/index.d.ts.map +1 -1
package/dist/email/smtp/index.js +107 -32
package/dist/email/smtp/index.js.map +1 -1
package/dist/fake/index.d.ts +1 -2
package/dist/fake/index.d.ts.map +1 -1
package/dist/fake/index.js.map +1 -1
package/dist/lock/core/index.d.ts +9 -14
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/core/index.js.map +1 -1
package/dist/lock/redis/index.d.ts +2 -4
package/dist/lock/redis/index.d.ts.map +1 -1
package/dist/lock/redis/index.js.map +1 -1
package/dist/logger/index.d.ts +105 -76
package/dist/logger/index.d.ts.map +1 -1
package/dist/logger/index.js +196 -174
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.d.ts +25 -20
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +23 -0
package/dist/mcp/index.js.map +1 -1
package/dist/orm/core/index.browser.js.map +1 -1
package/dist/orm/core/index.bun.js +19 -1
package/dist/orm/core/index.bun.js.map +1 -1
package/dist/orm/core/index.d.ts +76 -62
package/dist/orm/core/index.d.ts.map +1 -1
package/dist/orm/core/index.js +20 -2
package/dist/orm/core/index.js.map +1 -1
package/dist/orm/postgres/index.bun.js.map +1 -1
package/dist/orm/postgres/index.d.ts +28 -20
package/dist/orm/postgres/index.d.ts.map +1 -1
package/dist/orm/postgres/index.js.map +1 -1
package/dist/queue/core/index.d.ts +12 -15
package/dist/queue/core/index.d.ts.map +1 -1
package/dist/queue/core/index.js.map +1 -1
package/dist/queue/core/index.workerd.js.map +1 -1
package/dist/queue/redis/index.d.ts +3 -5
package/dist/queue/redis/index.d.ts.map +1 -1
package/dist/queue/redis/index.js.map +1 -1
package/dist/react/auth/index.browser.js +9 -2
package/dist/react/auth/index.browser.js.map +1 -1
package/dist/react/auth/index.d.ts +14 -9
package/dist/react/auth/index.d.ts.map +1 -1
package/dist/react/auth/index.js +9 -2
package/dist/react/auth/index.js.map +1 -1
package/dist/react/core/index.d.ts +7 -8
package/dist/react/core/index.d.ts.map +1 -1
package/dist/react/core/index.js +6 -3
package/dist/react/core/index.js.map +1 -1
package/dist/react/form/index.d.ts +2 -5
package/dist/react/form/index.d.ts.map +1 -1
package/dist/react/form/index.js +16 -15
package/dist/react/form/index.js.map +1 -1
package/dist/react/head/index.browser.js.map +1 -1
package/dist/react/head/index.d.ts +2 -4
package/dist/react/head/index.d.ts.map +1 -1
package/dist/react/head/index.js.map +1 -1
package/dist/react/i18n/index.d.ts +90 -11
package/dist/react/i18n/index.d.ts.map +1 -1
package/dist/react/i18n/index.js +147 -11
package/dist/react/i18n/index.js.map +1 -1
package/dist/react/intro/index.d.ts +1 -2
package/dist/react/intro/index.d.ts.map +1 -1
package/dist/react/intro/index.js +2 -2
package/dist/react/intro/index.js.map +1 -1
package/dist/react/router/index.browser.js +193 -24
package/dist/react/router/index.browser.js.map +1 -1
package/dist/react/router/index.d.ts +434 -222
package/dist/react/router/index.d.ts.map +1 -1
package/dist/react/router/index.js +249 -35
package/dist/react/router/index.js.map +1 -1
package/dist/react/sitemap/index.browser.js +35 -0
package/dist/react/sitemap/index.browser.js.map +1 -0
package/dist/react/sitemap/index.d.ts +92 -0
package/dist/react/sitemap/index.d.ts.map +1 -0
package/dist/react/sitemap/index.js +131 -0
package/dist/react/sitemap/index.js.map +1 -0
package/dist/react/testing/index.d.ts +1 -2
package/dist/react/testing/index.d.ts.map +1 -1
package/dist/react/testing/index.js +16 -17
package/dist/react/testing/index.js.map +1 -1
package/dist/react/ui/index.d.ts +20 -25
package/dist/react/ui/index.d.ts.map +1 -1
package/dist/react/ui/index.js.map +1 -1
package/dist/redis/index.bun.js.map +1 -1
package/dist/redis/index.d.ts +17 -19
package/dist/redis/index.d.ts.map +1 -1
package/dist/redis/index.js.map +1 -1
package/dist/retry/index.d.ts +2 -4
package/dist/retry/index.d.ts.map +1 -1
package/dist/retry/index.js.map +1 -1
package/dist/router/index.d.ts.map +1 -1
package/dist/router/index.js.map +1 -1
package/dist/scheduler/index.d.ts +10 -13
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js.map +1 -1
package/dist/scheduler/index.workerd.js.map +1 -1
package/dist/security/index.browser.js.map +1 -1
package/dist/security/index.d.ts +45 -48
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.browser.js.map +1 -1
package/dist/server/auth/index.d.ts +272 -173
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +1608 -15
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cookies/index.browser.js.map +1 -1
package/dist/server/cookies/index.d.ts +20 -7
package/dist/server/cookies/index.d.ts.map +1 -1
package/dist/server/cookies/index.js +22 -3
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts +106 -73
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +44 -0
package/dist/server/core/index.js.map +1 -1
package/dist/server/cors/index.d.ts +11 -14
package/dist/server/cors/index.d.ts.map +1 -1
package/dist/server/cors/index.js.map +1 -1
package/dist/server/etag/index.d.ts +6 -9
package/dist/server/etag/index.d.ts.map +1 -1
package/dist/server/etag/index.js.map +1 -1
package/dist/server/health/index.d.ts +18 -21
package/dist/server/health/index.d.ts.map +1 -1
package/dist/server/health/index.js.map +1 -1
package/dist/server/links/index.browser.js +2 -0
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.d.ts +63 -67
package/dist/server/links/index.d.ts.map +1 -1
package/dist/server/links/index.js +2 -0
package/dist/server/links/index.js.map +1 -1
package/dist/server/metrics/index.d.ts +5 -7
package/dist/server/metrics/index.d.ts.map +1 -1
package/dist/server/metrics/index.js.map +1 -1
package/dist/server/proxy/index.d.ts +3 -5
package/dist/server/proxy/index.d.ts.map +1 -1
package/dist/server/proxy/index.js.map +1 -1
package/dist/server/rate-limit/index.d.ts +10 -13
package/dist/server/rate-limit/index.d.ts.map +1 -1
package/dist/server/rate-limit/index.js.map +1 -1
package/dist/server/static/index.d.ts +3 -5
package/dist/server/static/index.d.ts.map +1 -1
package/dist/server/static/index.js.map +1 -1
package/dist/server/swagger/index.d.ts +5 -8
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js.map +1 -1
package/dist/sms/index.d.ts +3 -5
package/dist/sms/index.d.ts.map +1 -1
package/dist/sms/index.js.map +1 -1
package/dist/system/index.browser.js.map +1 -1
package/dist/system/index.d.ts +2 -4
package/dist/system/index.d.ts.map +1 -1
package/dist/system/index.js.map +1 -1
package/dist/system/index.workerd.js.map +1 -1
package/dist/topic/core/index.d.ts +4 -6
package/dist/topic/core/index.d.ts.map +1 -1
package/dist/topic/core/index.js.map +1 -1
package/dist/topic/redis/index.d.ts +5 -8
package/dist/topic/redis/index.d.ts.map +1 -1
package/dist/topic/redis/index.js.map +1 -1
package/package.json +59 -23
package/src/api/audits/__tests__/AuditService.spec.ts +18 -110
package/src/api/audits/controllers/AdminAuditController.ts +14 -0
package/src/api/audits/services/AuditService.ts +21 -88
package/src/api/files/__tests__/FileService.spec.ts +207 -2
package/src/api/files/index.ts +3 -0
package/src/api/files/schemas/fileCreatorSummarySchema.ts +22 -0
package/src/api/files/schemas/fileResourceSchema.ts +10 -1
package/src/api/files/services/FileService.ts +170 -72
package/src/api/jobs/__tests__/$job.spec.ts +24 -1
package/src/api/jobs/index.ts +4 -3
package/src/api/jobs/primitives/$job.ts +7 -3
package/src/api/jobs/providers/DirectJobDispatcher.ts +17 -36
package/src/api/jobs/providers/JobProvider.ts +53 -24
package/src/api/jobs/schemas/jobConfigAtom.ts +1 -1
package/src/api/jobs/schemas/jobExecutionResourceSchema.ts +4 -1
package/src/api/keys/schemas/adminApiKeyResourceSchema.ts +3 -1
package/src/api/parameters/__tests__/$parameter.spec.ts +19 -2
package/src/api/parameters/audits/ParameterAudits.ts +17 -0
package/src/api/parameters/controllers/AdminParameterController.ts +95 -19
package/src/api/parameters/index.ts +3 -0
package/src/api/parameters/schemas/activateParameterBodySchema.ts +3 -3
package/src/api/parameters/schemas/createParameterVersionBodySchema.ts +3 -2
package/src/api/parameters/schemas/parameterCreatorSummarySchema.ts +25 -0
package/src/api/parameters/schemas/parameterResponseSchema.ts +5 -0
package/src/api/parameters/schemas/rollbackParameterBodySchema.ts +4 -2
package/src/api/parameters/services/ParameterProvider.ts +69 -6
package/src/api/subscriptions/jobs/SubscriptionJobs.ts +1 -1
package/src/api/users/__tests__/AdminSessionController.spec.ts +37 -0
package/src/api/users/audits/SessionAudits.ts +33 -0
package/src/api/users/audits/UserAudits.ts +19 -43
package/src/api/users/controllers/AdminUserController.ts +66 -1
package/src/api/users/controllers/RealmController.ts +1 -0
package/src/api/users/entities/sessions.ts +6 -0
package/src/api/users/entities/users.ts +2 -0
package/src/api/users/index.ts +9 -1
package/src/api/users/primitives/$realm.ts +29 -0
package/src/api/users/providers/RealmProvider.ts +15 -0
package/src/api/users/schemas/realmConfigSchema.ts +14 -0
package/src/api/users/schemas/sessionResourceSchema.ts +16 -0
package/src/api/users/schemas/updateUserSchema.ts +1 -8
package/src/api/users/schemas/userQuerySchema.ts +7 -0
package/src/api/users/services/CredentialService.ts +15 -6
package/src/api/users/services/IdentityService.ts +2 -1
package/src/api/users/services/RegistrationService.ts +2 -1
package/src/api/users/services/SessionCrudService.ts +19 -2
package/src/api/users/services/SessionService.ts +39 -19
package/src/api/users/services/UserService.ts +106 -8
package/src/background/__tests__/BackgroundTaskProvider.spec.ts +96 -0
package/src/background/index.ts +37 -0
package/src/background/index.workerd.ts +28 -0
package/src/background/providers/BackgroundTaskProvider.ts +70 -0
package/src/background/providers/WorkerdBackgroundTaskProvider.ts +43 -0
package/src/bucket/__tests__/$bucket.spec.ts +18 -0
package/src/bucket/__tests__/LocalFileStorageProvider.spec.ts +5 -0
package/src/bucket/__tests__/MemoryFileStorageProvider.spec.ts +5 -0
package/src/bucket/__tests__/NodeS3BucketProvider.spec.ts +23 -4
package/src/bucket/__tests__/shared.ts +30 -0
package/src/bucket/index.ts +5 -5
package/src/bucket/index.workerd.ts +11 -4
package/src/bucket/primitives/$bucket.ts +27 -0
package/src/bucket/providers/FileStorageProvider.ts +13 -0
package/src/bucket/providers/LocalFileStorageProvider.ts +17 -1
package/src/bucket/providers/MemoryFileStorageProvider.ts +7 -0
package/src/bucket/providers/{CloudflareR2Provider.ts → R2FileStorageProvider.ts} +10 -1
package/src/bucket/providers/{NodeS3BucketProvider.ts → S3FileStorageProvider.ts} +27 -5
package/src/cli/core/__tests__/BuildDockerTask.spec.ts +25 -1
package/src/cli/core/__tests__/init.spec.ts +0 -219
package/src/cli/core/atoms/buildOptions.ts +0 -12
package/src/cli/core/commands/__tests__/BuildCommand.spec.ts +43 -0
package/src/cli/core/commands/build.ts +105 -37
package/src/cli/core/commands/init.ts +0 -12
package/src/cli/core/commands/pack.ts +133 -0
package/src/cli/core/index.ts +3 -3
package/src/cli/core/providers/ViteDevServerProvider.ts +40 -16
package/src/cli/core/services/PackageManagerUtils.ts +0 -16
package/src/cli/core/services/ProjectScaffolder.ts +29 -291
package/src/cli/core/tasks/BuildCloudflareTask.ts +382 -56
package/src/cli/core/tasks/BuildDockerTask.ts +33 -3
package/src/cli/core/tasks/BuildPrerenderTask.ts +44 -7
package/src/cli/core/tasks/BuildTask.ts +34 -0
package/src/cli/core/templates/apiIndexTs.ts +1 -22
package/src/cli/core/templates/mainCss.ts +0 -1
package/src/cli/core/templates/webAppRouterTs.ts +0 -99
package/src/cli/core/templates/webIndexTs.ts +1 -22
package/src/cli/i18n/__tests__/I18nCheckService.spec.ts +48 -0
package/src/cli/i18n/services/I18nCheckService.ts +65 -11
package/src/cli/platform/__tests__/SecretsCommand.spec.ts +5 -3
package/src/cli/platform/commands/SecretsCommand.ts +8 -6
package/src/cli/platform/commands/platform.ts +192 -46
package/src/cli/platform/index.ts +12 -52
package/src/cli/{platform → platform-lib}/__tests__/CloudflareAdapter.spec.ts +426 -169
package/src/cli/{platform → platform-lib}/__tests__/NamingService.spec.ts +91 -4
package/src/cli/{platform → platform-lib}/__tests__/VercelAdapter.spec.ts +56 -85
package/src/cli/{platform → platform-lib}/adapters/CloudflareAdapter.ts +519 -190
package/src/cli/{platform → platform-lib}/adapters/PlatformAdapter.ts +62 -35
package/src/cli/{platform → platform-lib}/adapters/VercelAdapter.ts +6 -10
package/src/cli/{platform → platform-lib}/atoms/platformOptions.ts +34 -1
package/src/cli/platform-lib/index.ts +67 -0
package/src/cli/platform-lib/services/NamingService.ts +136 -0
package/src/cli/{platform → platform-lib}/services/PlatformInspector.ts +60 -13
package/src/cli/{platform → platform-lib}/services/PlatformOrchestrator.ts +54 -43
package/src/cli/{platform → platform-lib}/services/WranglerApi.ts +4 -2
package/src/command/__tests__/Runner.spec.ts +20 -0
package/src/command/helpers/EnvUtils.ts +19 -3
package/src/command/helpers/Runner.ts +12 -2
package/src/command/providers/CliProvider.ts +34 -1
package/src/{containers → container}/core/__tests__/$container.spec.ts +5 -5
package/src/{containers → container}/core/index.ts +4 -4
package/src/{containers → container}/core/index.workerd.ts +19 -3
package/src/{containers → container}/core/primitives/$container.ts +1 -1
package/src/{containers → container}/core/providers/CloudflareContainerProvider.ts +17 -19
package/src/{containers → container}/core/providers/ContainerProvider.ts +16 -2
package/src/{containers → container}/core/providers/MockContainerProvider.ts +1 -1
package/src/core/Alepha.ts +49 -1
package/src/core/__tests__/$env.spec.ts +42 -0
package/src/core/__tests__/dump.spec.ts +47 -0
package/src/email/cloudflare/__tests__/CloudflareEmailProvider.spec.ts +42 -10
package/src/email/cloudflare/index.ts +14 -5
package/src/email/cloudflare/providers/CloudflareEmailProvider.ts +54 -9
package/src/logger/__tests__/Logger.spec.ts +55 -0
package/src/logger/index.ts +13 -0
package/src/logger/services/Logger.ts +31 -1
package/src/mcp/__tests__/McpServerProvider.spec.ts +71 -0
package/src/mcp/providers/McpServerProvider.ts +55 -0
package/src/orm/__tests__/orm-showcase-tests.ts +27 -0
package/src/orm/__tests__/orm-showcase.spec.ts +12 -0
package/src/orm/core/interfaces/PgQuery.ts +4 -1
package/src/orm/core/services/Repository.ts +27 -11
package/src/react/auth/hooks/useAuth.ts +10 -5
package/src/react/core/__tests__/useQuery.browser.spec.tsx +25 -0
package/src/react/core/hooks/useAction.ts +14 -3
package/src/react/core/hooks/useQuery.ts +24 -4
package/src/react/form/__tests__/FormModel-submit-loading.spec.ts +71 -0
package/src/react/form/__tests__/form-submitting-reactive.browser.spec.tsx +96 -0
package/src/react/form/services/FormModel.ts +57 -39
package/src/react/i18n/__tests__/I18nProvider.spec.ts +89 -0
package/src/react/i18n/__tests__/locale-routing.spec.ts +107 -0
package/src/react/i18n/components/Translate.tsx +47 -0
package/src/react/i18n/index.ts +2 -0
package/src/react/i18n/providers/I18nProvider.ts +171 -12
package/src/react/intro/components/GettingStartedAdminSlide.tsx +2 -2
package/src/react/router/__tests__/$page.spec.tsx +3 -2
package/src/react/router/__tests__/RouterLocaleProvider.spec.ts +127 -0
package/src/react/router/__tests__/page-can.spec.ts +18 -13
package/src/react/router/hooks/useQueryParams.ts +114 -14
package/src/react/router/index.browser.ts +4 -0
package/src/react/router/index.shared.ts +1 -0
package/src/react/router/index.ts +9 -0
package/src/react/router/primitives/$page.ts +85 -4
package/src/react/router/providers/ReactBrowserRouterProvider.ts +18 -8
package/src/react/router/providers/ReactPageProvider.ts +12 -1
package/src/react/router/providers/ReactServerProvider.ts +96 -14
package/src/react/router/providers/RootComponentsProvider.ts +13 -0
package/src/react/router/providers/RouterLocaleProvider.ts +125 -0
package/src/react/router/providers/__tests__/RootComponentsProvider.spec.ts +15 -0
package/src/react/router/providers/__tests__/rootComponents.ssr.browser.spec.tsx +67 -0
package/src/react/sitemap/__tests__/$sitemap.spec.ts +131 -0
package/src/react/sitemap/index.browser.ts +21 -0
package/src/react/sitemap/index.ts +25 -0
package/src/react/sitemap/primitives/$sitemap.browser.ts +26 -0
package/src/react/sitemap/primitives/$sitemap.ts +196 -0
package/src/react/ui/services/SchemaControl.ts +3 -4
package/src/server/auth/__tests__/appleClientSecret.spec.ts +34 -0
package/src/server/auth/__tests__/authFederationClient.spec.ts +40 -0
package/src/server/auth/__tests__/federationAssertion.spec.ts +146 -0
package/src/server/auth/__tests__/federationRedirectReplay.spec.ts +44 -0
package/src/server/auth/helpers/appleClientSecret.ts +24 -0
package/src/server/auth/helpers/federationAssertion.ts +74 -0
package/src/server/auth/helpers/jtiReplayGuard.ts +41 -0
package/src/server/auth/helpers/safeRedirectPath.ts +19 -0
package/src/server/auth/index.ts +4 -0
package/src/server/auth/primitives/$authFederationBroker.ts +273 -0
package/src/server/auth/primitives/$authFederationClient.ts +89 -0
package/src/server/auth/providers/ServerAuthProvider.ts +18 -4
package/src/server/cookies/__tests__/ServerCookiesProvider.spec.ts +70 -0
package/src/server/cookies/providers/ServerCookiesProvider.ts +23 -3
package/src/server/core/interfaces/ServerRequest.ts +8 -0
package/src/server/core/primitives/$route.ts +27 -0
package/src/server/core/providers/ServerMultipartProvider.ts +19 -0
package/src/server/links/providers/LinkProvider.ts +10 -0
package/dist/containers/core/index.d.ts.map +0 -1
package/dist/containers/core/index.js.map +0 -1
package/dist/containers/core/index.workerd.js.map +0 -1
package/src/cli/core/tasks/BuildSitemapTask.ts +0 -130
package/src/cli/core/templates/componentsJsonTs.ts +0 -39
package/src/cli/core/templates/saasAdminLayoutTsx.ts +0 -77
package/src/cli/core/templates/saasAdminPagesTsx.ts +0 -26
package/src/cli/core/templates/saasAuthLayoutTsx.ts +0 -22
package/src/cli/core/templates/saasAuthPagesTsx.ts +0 -62
package/src/cli/core/templates/saasRealmProviderTs.ts +0 -52
package/src/cli/platform/services/NamingService.ts +0 -54
/package/dist/orm/core/{chunk-o8xxKEmq.js → chunk-B4FMCO8f.js} +0 -0
/package/dist/react/testing/{chunk-6Ep1yQYe.js → chunk-BpyX8vjI.js} +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/GitHubSecretStore.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/PlatformCacheProvider.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/PlatformInspector.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/PlatformOrchestrator.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/SecretFilterService.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/__tests__/detectResources.spec.ts +0 -0
/package/src/cli/{platform → platform-lib}/providers/GitHubSecretStore.ts +0 -0
/package/src/cli/{platform → platform-lib}/providers/MemorySecretStore.ts +0 -0
/package/src/cli/{platform → platform-lib}/providers/PlatformCacheProvider.ts +0 -0
/package/src/cli/{platform → platform-lib}/providers/SecretStoreProvider.ts +0 -0
/package/src/cli/{platform → platform-lib}/schemas/cloudflare.ts +0 -0
/package/src/cli/{platform → platform-lib}/schemas/platform.ts +0 -0
/package/src/cli/{platform → platform-lib}/schemas/vercel.ts +0 -0
/package/src/cli/{platform → platform-lib}/services/CloudflareApi.ts +0 -0
/package/src/cli/{platform → platform-lib}/services/SecretFilterService.ts +0 -0
/package/src/cli/{platform → platform-lib}/services/VercelApi.ts +0 -0
/package/src/cli/{platform → platform-lib}/services/VercelCli.ts +0 -0
/package/src/{containers → container}/core/interfaces/ContainerOptions.ts +0 -0
/package/src/{containers → container}/core/providers/NodeContainerProvider.ts +0 -0

package/dist/api/users/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { $atom, $context, $inject, $module, Alepha, AlephaError, t } from "alepha";
-import { AuditService } from "alepha/api/audits";
+import { $audit } from "alepha/api/audits";
 import { $bucket } from "alepha/bucket";
 import { $issuer, $permission, $secure, CryptoProvider, InvalidCredentialsError, SecurityProvider } from "alepha/security";
 import { $action, BadRequestError, ConflictError, HttpError, UnauthorizedError, okSchema } from "alepha/server";
@@ -8,7 +8,7 @@ import { $logger } from "alepha/logger";
 import { $client } from "alepha/server/links";
 import { $notification } from "alepha/api/notifications";
 import { CaptchaProvider } from "alepha/captcha";
-import { $authApple, $authCredentials, $authFacebook, $authFranceConnect, $authGithub, $authGoogle, $authMicrosoft, ServerAuthProvider, authenticationProviderSchema } from "alepha/server/auth";
+import { $authApple, $authCredentials, $authFacebook, $authFederationClient, $authFranceConnect, $authGithub, $authGoogle, $authMicrosoft, ServerAuthProvider, authenticationProviderSchema } from "alepha/server/auth";
 import { $etag } from "alepha/server/etag";
 import { AlephaApiVerification, VerificationService } from "alepha/api/verifications";
 import { $cache, CacheProvider } from "alepha/cache";
@@ -21,35 +21,65 @@ import { AlephaApiKeys, ApiKeyService } from "alepha/api/keys";
 import { AlephaOAuth, OAuthClientService, oauthOptions } from "alepha/api/oauth";
 import { $parameter, AlephaApiParameters } from "alepha/api/parameters";
 import { mcpStreamableHttpOptions } from "alepha/mcp";
-//#region ../../src/api/users/audits/UserAudits.ts
+//#region ../../src/api/users/audits/SessionAudits.ts
 /**
-* User-specific audit wrapper service.
+* Authentication & session-security audit events.
 *
-* This service wraps the core AuditService to provide user-related audit logging.
+* Holds two audit types:
+* - `auth` — login / logout / token refresh / MFA.
+* - `security` — rate limiting, session invalidation, and related guards.
 *
-* Declared as a module variant — not auto-injected. It is instantiated
-* lazily the first time something calls `alepha.inject(UserAudits)`.
+* Failed events are logged with `success: false`; severity (`warning`) is
+* derived centrally in `AuditService.create`. Register as a module variant
+* and log via the exposed primitives:
+* `sessionAudits(realm)?.auth.log("login", { success: false, … })`.
+*/
+var SessionAudits = class {
+	auth = $audit({
+		type: "auth",
+		description: "Authentication events (login, logout, token refresh, MFA).",
+		actions: [
+			"login",
+			"logout",
+			"token_refresh",
+			"mfa_setup",
+			"mfa_verify"
+		]
+	});
+	security = $audit({
+		type: "security",
+		description: "Security events (rate limiting, session invalidation, blocked access).",
+		actions: [
+			"rate_limited",
+			"sessions_invalidated",
+			"permission_denied",
+			"blocked"
+		]
+	});
+};
+//#endregion
+//#region ../../src/api/users/audits/UserAudits.ts
+/**
+* User-management audit events.
+*
+* Holds the `user` audit type. Mirrors the `$notification`/`$job` holder
+* pattern (see {@link UserNotifications}) — register as a module variant and
+* log via the exposed primitive: `userAudits(realm)?.user.log("create", …)`.
 */
 var UserAudits = class {
-	auditService = $inject(AuditService);
-	/**
-	* Record a user-related audit event.
-	*/
-	recordUser(action, context) {
-		return this.auditService.recordUser(action, context);
-	}
-	/**
-	* Record an authentication-related audit event.
-	*/
-	recordAuth(action, context) {
-		return this.auditService.recordAuth(action, context);
-	}
-	/**
-	* Record a generic audit event.
-	*/
-	record(category, action, context) {
-		return this.auditService.record(category, action, context);
-	}
+	user = $audit({
+		type: "user",
+		description: "User management events (create, update, delete, role/password changes).",
+		actions: [
+			"create",
+			"update",
+			"delete",
+			"role_change",
+			"password_change",
+			"enable",
+			"disable"
+		]
+	});
 };
 //#endregion
 //#region ../../src/api/users/buckets/UserBuckets.ts
@@ -105,6 +135,7 @@ const users = $entity({
 		picture: t.optional(t.string()),
 		enabled: db.default(t.boolean(), true),
 		emailVerified: db.default(t.boolean(), false),
+		lastLoginAt: t.optional(t.datetime()),
 		organizationId: db.organization()
 	}),
 	indexes: [
@@ -281,6 +312,12 @@ const sessions = $entity({
 		*/
 		lastUsedAt: t.optional(t.datetime()),
 		ip: t.optional(t.text()),
+		/**
+		* ISO 3166-1 alpha-2 country code derived from the request geo headers
+		* (`cf-ipcountry` on Cloudflare, CDN equivalents elsewhere) at login time.
+		* `null` on pre-migration rows and where geo isn't available.
+		*/
+		country: t.optional(t.text({ maxLength: 2 })),
 		userAgent: t.optional(t.object({
 			os: t.text(),
 			browser: t.text(),
@@ -343,6 +380,10 @@ var RealmProvider = class {
 				}
 			},
 			features,
+			federated: realmOptions.identities?.federated ? {
+				brokerUrl: realmOptions.identities.federated.brokerUrl,
+				providers: realmOptions.identities.federated.providers
+			} : void 0,
 			getSettings: async function() {
 				if (this.settingsParameter) return await this.settingsParameter.get();
 				return this.settings;
@@ -437,7 +478,8 @@ var IdentityService = class {
 			userId: identity.userId
 		});
 		const realm = this.realmProvider.getRealm(userRealmName);
-		await this.userAudits(userRealmName)?.recordUser("update", {
+		await this.userAudits(userRealmName)?.user.log("update", {
+			resourceType: "user",
 			userRealm: realm.name,
 			resourceId: identity.userId,
 			description: `Identity provider disconnected: ${identity.provider}`,
@@ -515,6 +557,22 @@ var AdminIdentityController = class {
 const sessionQuerySchema = t.extend(pageQuerySchema, { userId: t.optional(t.uuid()) });
 //#endregion
 //#region ../../src/api/users/schemas/sessionResourceSchema.ts
+/**
+* Slim view of the session's owner — embedded by the admin listing so the
+* UI can render a human-readable identifier instead of just a UUID. Comes
+* back via a left join, so it's optional (a session whose user was deleted
+* still returns; `user` is undefined).
+*/
+const sessionUserSummarySchema = t.object({
+	id: t.uuid(),
+	email: t.optional(t.string({ format: "email" })),
+	username: t.optional(t.shortText({
+		minLength: 3,
+		maxLength: 30
+	})),
+	firstName: t.optional(t.string()),
+	lastName: t.optional(t.string())
+});
 const sessionResourceSchema = t.object({
 	id: t.uuid(),
 	version: t.number(),
@@ -524,6 +582,7 @@ const sessionResourceSchema = t.object({
 	userId: t.uuid(),
 	expiresAt: t.datetime(),
 	ip: t.optional(t.string()),
+	country: t.optional(t.string()),
 	userAgent: t.optional(t.object({
 		os: t.string(),
 		browser: t.string(),
@@ -532,10 +591,21 @@ const sessionResourceSchema = t.object({
 			"DESKTOP",
 			"TABLET"
 		])
-	}))
+	})),
+	user: t.optional(sessionUserSummarySchema)
 });
 //#endregion
 //#region ../../src/api/users/services/SessionCrudService.ts
+/**
+* Relation map embedding a slim user summary on every session row, so the
+* admin UI can render `user.email`/`user.username` instead of a bare UUID.
+* Left-join (default) so sessions whose owner was deleted still come back
+* with `user: undefined`.
+*/
+const withUser = { user: {
+	join: users,
+	on: ["userId", users.cols.id]
+} };
 var SessionCrudService = class {
 	log = $logger();
 	realmProvider = $inject(RealmProvider);
@@ -553,7 +623,10 @@ var SessionCrudService = class {
 		q.sort ??= "-createdAt";
 		const where = this.sessions(userRealmName).createQueryWhere();
 		if (q.userId) where.userId = { eq: q.userId };
-		const result = await this.sessions(userRealmName).paginate(q, { where }, { count: true });
+		const result = await this.sessions(userRealmName).paginate(q, {
+			where,
+			with: withUser
+		}, { count: true });
 		this.log.debug("Sessions found", {
 			count: result.content.length,
 			total: result.page.totalElements
@@ -568,7 +641,10 @@ var SessionCrudService = class {
 			id,
 			userRealmName
 		});
-		const session = await this.sessions(userRealmName).getById(id);
+		const session = await this.sessions(userRealmName).getOne({
+			where: { id: { eq: id } },
+			with: withUser
+		});
 		this.log.debug("Session retrieved", {
 			id,
 			userId: session.userId
@@ -692,13 +768,18 @@ const updateUserSchema = t.partial(t.omit(users.insertSchema, [
 	"id",
 	"version",
 	"createdAt",
-	"updatedAt",
-	"username",
-	"emailVerified"
+	"updatedAt"
 ]));
 //#endregion
 //#region ../../src/api/users/schemas/userQuerySchema.ts
 const userQuerySchema = t.extend(pageQuerySchema, {
+	/**
+	* Free-text search applied (case-insensitive) across `email`,
+	* `username`, `firstName`, and `lastName`. Matches with a leading and
+	* trailing wildcard, so `?search=foo` finds any user whose email,
+	* username, or name contains `foo`.
+	*/
+	search: t.optional(t.string()),
 	email: t.optional(t.string()),
 	enabled: t.optional(t.boolean()),
 	emailVerified: t.optional(t.boolean()),
@@ -863,6 +944,7 @@ var UserService = class {
 	log = $logger();
 	verificationController = $client();
 	realmProvider = $inject(RealmProvider);
+	cryptoProvider = $inject(CryptoProvider);
 	userAudits(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(UserAudits);
 	}
@@ -977,7 +1059,8 @@ var UserService = class {
 			type
 		});
 		const realm = this.realmProvider.getRealm(userRealmName);
-		await this.userAudits(userRealmName)?.recordUser("update", {
+		await this.userAudits(userRealmName)?.user.log("update", {
+			resourceType: "user",
 			userId: user.id,
 			userEmail: email,
 			userRealm: realm.name,
@@ -1009,6 +1092,15 @@ var UserService = class {
 		});
 		q.sort ??= "-createdAt";
 		const where = this.users(userRealmName).createQueryWhere();
+		if (q.search) {
+			const pattern = `%${q.search}%`;
+			where.or = [
+				{ email: { ilike: pattern } },
+				{ username: { ilike: pattern } },
+				{ firstName: { ilike: pattern } },
+				{ lastName: { ilike: pattern } }
+			];
+		}
 		if (q.email) where.email = { like: q.email };
 		if (q.enabled !== void 0) where.enabled = { eq: q.enabled };
 		if (q.emailVerified !== void 0) where.emailVerified = { eq: q.emailVerified };
@@ -1078,7 +1170,8 @@ var UserService = class {
 			username: user.username,
 			email: user.email
 		});
-		await this.userAudits(userRealmName)?.recordUser("create", {
+		await this.userAudits(userRealmName)?.user.log("create", {
+			resourceType: "user",
 			userRealm: realm.name,
 			resourceId: user.id,
 			description: "User created",
@@ -1099,16 +1192,33 @@ var UserService = class {
 			userRealmName
 		});
 		const before = await this.getUserById(id, userRealmName);
-		const user = await this.users(userRealmName).updateById(id, data);
-		this.log.debug("User updated", { userId: id });
 		const realm = this.realmProvider.getRealm(userRealmName);
+		const users = this.users(userRealmName);
+		if (data.username !== void 0 && data.username !== null && data.username !== before.username) {
+			const existing = await users.findOne({ where: {
+				realm: realm.name,
+				username: { ilike: data.username }
+			} });
+			if (existing && existing.id !== id) throw new ConflictError("User with this username already exists");
+		}
+		if (data.email !== void 0 && data.email !== null && data.email !== before.email) {
+			const existing = await users.findOne({ where: {
+				realm: realm.name,
+				email: { eq: data.email }
+			} });
+			if (existing && existing.id !== id) throw new ConflictError("User with this email already exists");
+			data.emailVerified = false;
+		}
+		const user = await users.updateById(id, data);
+		this.log.debug("User updated", { userId: id });
 		const changes = {};
 		for (const key of Object.keys(data)) if (data[key] !== void 0 && before[key] !== data[key]) changes[key] = {
 			from: before[key],
 			to: data[key]
 		};
 		const isRoleChange = data.roles !== void 0 && JSON.stringify(before.roles) !== JSON.stringify(data.roles);
-		await this.userAudits(userRealmName)?.recordUser(isRoleChange ? "role_change" : "update", {
+		await this.userAudits(userRealmName)?.user.log(isRoleChange ? "role_change" : "update", {
+			resourceType: "user",
 			userRealm: realm.name,
 			resourceId: user.id,
 			description: isRoleChange ? "User roles changed" : `User updated: ${Object.keys(changes).join(", ")}`,
@@ -1117,6 +1227,46 @@ var UserService = class {
 		return user;
 	}
 	/**
+	* Set (or reset) a user's password. Upserts a "credentials" identity
+	* with the new hash. Used by admin password-set flows; does NOT
+	* verify any old password or token — the caller is responsible for
+	* authorization.
+	*/
+	async setPassword(id, newPassword, userRealmName) {
+		this.log.trace("Setting password", {
+			id,
+			userRealmName
+		});
+		const user = await this.getUserById(id, userRealmName);
+		const realm = this.realmProvider.getRealm(userRealmName);
+		const settings = await realm.getSettings();
+		if (settings.passwordPolicy) {
+			const policy = settings.passwordPolicy;
+			if (policy.minLength && newPassword.length < policy.minLength) throw new BadRequestError(`Password must be at least ${policy.minLength} characters`);
+		}
+		const hash = await this.cryptoProvider.hashPassword(newPassword);
+		const identities = this.realmProvider.identityRepository(userRealmName);
+		const existing = await identities.findOne({ where: {
+			userId: { eq: id },
+			provider: { eq: "credentials" }
+		} });
+		if (existing) await identities.updateById(existing.id, { password: hash });
+		else await identities.create({
+			userId: id,
+			provider: "credentials",
+			password: hash
+		});
+		await this.userAudits(userRealmName)?.user.log("password_change", {
+			resourceType: "user",
+			userId: id,
+			userEmail: user.email ?? void 0,
+			userRealm: realm.name,
+			resourceId: id,
+			severity: "warning",
+			description: "Password set by admin"
+		});
+	}
+	/**
 	* Delete a user by ID.
 	*/
 	async deleteUser(id, userRealmName) {
@@ -1130,7 +1280,8 @@ var UserService = class {
 		await this.users(userRealmName).deleteById(id);
 		this.log.info("User deleted", { userId: id });
 		const realm = this.realmProvider.getRealm(userRealmName);
-		await this.userAudits(userRealmName)?.recordUser("delete", {
+		await this.userAudits(userRealmName)?.user.log("delete", {
+			resourceType: "user",
 			userRealm: realm.name,
 			resourceId: id,
 			severity: "warning",
@@ -1148,6 +1299,32 @@ var AdminUserController = class {
 	url = "/users";
 	group = "admin:users";
 	userService = $inject(UserService);
+	securityProvider = $inject(SecurityProvider);
+	/**
+	* List roles available in a realm. Used by the admin UI to render the
+	* role picker and grey out defaults (which cannot be removed).
+	*/
+	findRoles = $action({
+		path: "/metadata/roles",
+		group: this.group,
+		use: [$secure({ permissions: ["admin:user:read"] })],
+		description: "List roles available in a realm",
+		schema: {
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			response: t.array(t.object({
+				name: t.string(),
+				default: t.optional(t.boolean()),
+				description: t.optional(t.string())
+			}))
+		},
+		handler: ({ query }) => {
+			return this.securityProvider.getRoles(query.userRealmName).map((r) => ({
+				name: r.name,
+				default: r.default,
+				description: r.description
+			}));
+		}
+	});
 	/**
 	* Find users with pagination and filtering.
 	*/
@@ -1214,6 +1391,31 @@ var AdminUserController = class {
 		handler: ({ params, body, query }) => this.userService.updateUser(params.id, body, query.userRealmName)
 	});
 	/**
+	* Set (or reset) a user's password. Admin-only flow — does NOT
+	* require knowing the previous password. Hash is stored as a
+	* "credentials" identity for the user (upsert).
+	*/
+	setUserPassword = $action({
+		method: "POST",
+		path: `${this.url}/:id/password`,
+		group: this.group,
+		use: [$secure({ permissions: ["admin:user:update"] })],
+		description: "Set a user's password",
+		schema: {
+			params: t.object({ id: t.uuid() }),
+			query: t.object({ userRealmName: t.optional(t.string()) }),
+			body: t.object({ password: t.string({ minLength: 1 }) }),
+			response: okSchema
+		},
+		handler: async ({ params, body, query }) => {
+			await this.userService.setPassword(params.id, body.password, query.userRealmName);
+			return {
+				ok: true,
+				id: params.id
+			};
+		}
+	});
+	/**
 	* Delete a user.
 	*/
 	deleteUser = $action({
@@ -1270,7 +1472,15 @@ const realmConfigSchema = t.object({
 	settings: realmAuthSettingsAtom.schema,
 	realmName: t.string(),
 	authenticationMethods: t.array(authenticationProviderSchema),
-	captchaSiteKey: t.optional(t.string({ description: "Public site key for the captcha widget (when settings.captchaRequired is true)" }))
+	captchaSiteKey: t.optional(t.string({ description: "Public site key for the captcha widget (when settings.captchaRequired is true)" })),
+	/**
+	* Federated (broker) social login. When present, the login UI renders one
+	* button per provider linking to `{brokerUrl}/auth/federated/start`.
+	*/
+	federated: t.optional(t.object({
+		brokerUrl: t.string({ description: "Broker origin that performs the OIDC dance." }),
+		providers: t.array(t.union([t.const("google"), t.const("apple")]), { description: "Federated providers to surface as login buttons." })
+	}))
 });
 //#endregion
 //#region ../../src/api/users/controllers/RealmController.ts
@@ -1305,7 +1515,8 @@ var RealmController = class {
 				settings,
 				realmName,
 				authenticationMethods: this.serverAuthProvider.getAuthenticationProviders({ realmName }),
-				captchaSiteKey: settings.captchaRequired ? this.captchaProvider.getSiteKey() : void 0
+				captchaSiteKey: settings.captchaRequired ? this.captchaProvider.getSiteKey() : void 0,
+				federated: realm.federated
 			};
 		}
 	});
@@ -1421,6 +1632,9 @@ var CredentialService = class {
 	userAudits(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(UserAudits);
 	}
+	sessionAudits(realmName) {
+		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(SessionAudits);
+	}
 	userNotifications(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.notifications) return this.alepha.inject(UserNotifications);
 	}
@@ -1572,7 +1786,8 @@ var CredentialService = class {
 			userId: intent.userId,
 			email: intent.email
 		});
-		await this.userAudits(intent.realmName)?.recordUser("update", {
+		await this.userAudits(intent.realmName)?.user.log("update", {
+			resourceType: "user",
 			userId: intent.userId,
 			userEmail: intent.email,
 			userRealm: realm.name,
@@ -1580,7 +1795,7 @@ var CredentialService = class {
 			description: "Password reset completed",
 			metadata: { email: intent.email }
 		});
-		await this.userAudits(intent.realmName)?.record("security", "sessions_invalidated", {
+		await this.sessionAudits(intent.realmName)?.security.log("sessions_invalidated", {
 			userId: intent.userId,
 			userEmail: intent.email,
 			userRealm: realm.name,
@@ -1629,7 +1844,8 @@ var CredentialService = class {
 		const hashedPassword = await this.cryptoProvider.hashPassword(newPassword);
 		await this.identities(userRealmName).updateById(identity.id, { password: hashedPassword });
 		await this.sessions(userRealmName).deleteMany({ userId: { eq: user.id } });
-		await this.userAudits(userRealmName)?.recordUser("update", {
+		await this.userAudits(userRealmName)?.user.log("update", {
+			resourceType: "user",
 			userId: user.id,
 			userEmail: email,
 			userRealm: realm.name,
@@ -1637,7 +1853,7 @@ var CredentialService = class {
 			description: "Password reset completed (legacy)",
 			metadata: { email }
 		});
-		await this.userAudits(userRealmName)?.record("security", "sessions_invalidated", {
+		await this.sessionAudits(userRealmName)?.security.log("sessions_invalidated", {
 			userId: user.id,
 			userEmail: email,
 			userRealm: realm.name,
@@ -1986,7 +2202,8 @@ var RegistrationService = class {
 			email: user.email,
 			username: user.username
 		});
-		await this.userAudits(userRealmName)?.recordUser("create", {
+		await this.userAudits(userRealmName)?.user.log("create", {
+			resourceType: "user",
 			userId: user.id,
 			userEmail: user.email ?? void 0,
 			userRealm: realm.name,
@@ -2409,6 +2626,9 @@ var SessionService = class SessionService {
 	userAudits(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(UserAudits);
 	}
+	sessionAudits(realmName) {
+		if (this.realmProvider.getRealm(realmName).features.audits) return this.alepha.inject(SessionAudits);
+	}
 	userNotifications(realmName) {
 		if (this.realmProvider.getRealm(realmName).features.notifications) return this.alepha.inject(UserNotifications);
 	}
@@ -2444,7 +2664,8 @@ var SessionService = class SessionService {
 			username: user.username,
 			realm: name
 		});
-		await this.userAudits(userRealmName)?.recordUser("role_change", {
+		await this.userAudits(userRealmName)?.user.log("role_change", {
+			resourceType: "user",
 			userId: user.id,
 			userEmail: user.email ?? void 0,
 			userRealm: name,
@@ -2541,8 +2762,9 @@ var SessionService = class SessionService {
 							username,
 							realm: name
 						});
-						await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+						await this.sessionAudits(userRealmName)?.auth.log("login", {
 							userRealm: name,
+							success: false,
 							description: "Username does not match required format",
 							metadata: {
 								provider,
@@ -2561,8 +2783,9 @@ var SessionService = class SessionService {
 					username,
 					realm: name
 				});
-				await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+				await this.sessionAudits(userRealmName)?.auth.log("login", {
 					userRealm: name,
+					success: false,
 					description: "Invalid login identifier format",
 					metadata: {
 						provider,
@@ -2578,8 +2801,9 @@ var SessionService = class SessionService {
 					username,
 					realm: name
 				});
-				await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+				await this.sessionAudits(userRealmName)?.auth.log("login", {
 					userRealm: name,
+					success: false,
 					description: "User not found",
 					metadata: {
 						provider,
@@ -2587,7 +2811,7 @@ var SessionService = class SessionService {
 					}
 				});
 				if (ipKey) {
-					if (await this.recordFailedLogin(ipKey, loginRateLimit.ipMaxAttempts, loginRateLimit.windowMs)) await this.userAudits(userRealmName)?.record("security", "rate_limited", {
+					if (await this.recordFailedLogin(ipKey, loginRateLimit.ipMaxAttempts, loginRateLimit.windowMs)) await this.sessionAudits(userRealmName)?.security.log("rate_limited", {
 						userRealm: name,
 						success: false,
 						description: "IP temporarily locked due to too many failed login attempts",
@@ -2601,8 +2825,9 @@ var SessionService = class SessionService {
 					userId: user.id,
 					realm: name
 				});
-				await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+				await this.sessionAudits(userRealmName)?.auth.log("login", {
 					userRealm: name,
+					success: false,
 					resourceId: user.id,
 					description: "Login attempt for disabled account",
 					metadata: {
@@ -2640,8 +2865,9 @@ var SessionService = class SessionService {
 					username,
 					realm: name
 				});
-				await this.userAudits(userRealmName)?.recordAuth("login_failed", {
+				await this.sessionAudits(userRealmName)?.auth.log("login", {
 					userRealm: name,
+					success: false,
 					resourceId: user.id,
 					description: "Invalid password",
 					metadata: {
@@ -2650,7 +2876,7 @@ var SessionService = class SessionService {
 					}
 				});
 				if (ipKey) {
-					if (await this.recordFailedLogin(ipKey, loginRateLimit.ipMaxAttempts, loginRateLimit.windowMs)) await this.userAudits(userRealmName)?.record("security", "rate_limited", {
+					if (await this.recordFailedLogin(ipKey, loginRateLimit.ipMaxAttempts, loginRateLimit.windowMs)) await this.sessionAudits(userRealmName)?.security.log("rate_limited", {
 						userRealm: name,
 						success: false,
 						description: "IP temporarily locked due to too many failed login attempts",
@@ -2658,7 +2884,7 @@ var SessionService = class SessionService {
 					});
 				}
 				if (await this.recordFailedLogin(accountKey, loginRateLimit.accountMaxAttempts, loginRateLimit.windowMs)) {
-					await this.userAudits(userRealmName)?.record("security", "rate_limited", {
+					await this.sessionAudits(userRealmName)?.security.log("rate_limited", {
 						userRealm: name,
 						resourceId: user.id,
 						success: false,
@@ -2678,7 +2904,7 @@ var SessionService = class SessionService {
 				}
 				throw new InvalidCredentialsError();
 			}
-			await this.userAudits(userRealmName)?.recordAuth("login", {
+			await this.sessionAudits(userRealmName)?.auth.log("login", {
 				userId: user.id,
 				userEmail: user.email ?? void 0,
 				userRealm: name,
@@ -2705,15 +2931,18 @@ var SessionService = class SessionService {
 		const request = this.alepha.store.get("alepha.http.request");
 		const refreshToken = this.cryptoProvider.randomUUID();
 		const expiresAt = this.dateTimeProvider.now().add(expiresIn, "seconds").toISOString();
+		const nowIso = this.dateTimeProvider.nowISOString();
 		const session = await this.sessions(userRealmName).create({
 			userId: user.id,
 			expiresAt,
-			lastUsedAt: this.dateTimeProvider.nowISOString(),
+			lastUsedAt: nowIso,
 			ip: request?.ip,
+			country: request?.geo?.country,
 			userAgent: request?.userAgent,
 			refreshToken,
 			clientId
 		});
+		await this.users(userRealmName).updateById(user.id, { lastLoginAt: nowIso });
 		this.log.info("Session created", {
 			sessionId: session.id,
 			userId: user.id,
@@ -2780,7 +3009,7 @@ var SessionService = class SessionService {
 		this.log.debug("Session deleted");
 		if (session) {
 			const { name } = this.realmProvider.getRealm(userRealmName);
-			await this.userAudits(userRealmName)?.recordAuth("logout", {
+			await this.sessionAudits(userRealmName)?.auth.log("logout", {
 				userId: session.userId,
 				userRealm: name,
 				sessionId: session.id,
@@ -2808,7 +3037,7 @@ var SessionService = class SessionService {
 				userId: identity.userId
 			});
 			const user = await users.getById(identity.userId);
-			await this.userAudits(userRealmName)?.recordAuth("login", {
+			await this.sessionAudits(userRealmName)?.auth.log("login", {
 				userId: user.id,
 				userEmail: user.email ?? void 0,
 				userRealm: realm.name,
@@ -2856,7 +3085,7 @@ var SessionService = class SessionService {
 				providerUserId: profile.sub,
 				userId: existing.id
 			});
-			await this.userAudits(userRealmName)?.recordAuth("login", {
+			await this.sessionAudits(userRealmName)?.auth.log("login", {
 				userId: existing.id,
 				userEmail: existing.email ?? void 0,
 				userRealm: realm.name,
@@ -2918,7 +3147,8 @@ var SessionService = class SessionService {
 			email: user.email,
 			username: user.username
 		});
-		await this.userAudits(userRealmName)?.recordUser("create", {
+		await this.userAudits(userRealmName)?.user.log("create", {
+			resourceType: "user",
 			userId: user.id,
 			userEmail: user.email ?? void 0,
 			userRealm: realm.name,
@@ -2931,7 +3161,7 @@ var SessionService = class SessionService {
 				email: user.email
 			}
 		});
-		await this.userAudits(userRealmName)?.recordAuth("login", {
+		await this.sessionAudits(userRealmName)?.auth.log("login", {
 			userId: user.id,
 			userEmail: user.email ?? void 0,
 			userRealm: realm.name,
@@ -2986,7 +3216,10 @@ const $realm = (options = {}) => {
 	}
 	const realmRegistration = realmProvider.register(name, options);
 	if (features.avatars) alepha.with(UserBuckets);
-	if (features.audits) alepha.with(UserAudits);
+	if (features.audits) {
+		alepha.with(UserAudits);
+		alepha.with(SessionAudits);
+	}
 	if (features.jobs) alepha.with(UserJobs);
 	if (features.notifications) {
 		alepha.with(UserNotifications);
@@ -3008,6 +3241,7 @@ const $realm = (options = {}) => {
 			permissions: [{ name: "*" }]
 		}, {
 			name: "user",
+			default: true,
 			permissions: [{
 				name: "*",
 				ownership: true,
@@ -3088,6 +3322,14 @@ const $realm = (options = {}) => {
 		if (identities.microsoft) auth.microsoft = $authMicrosoft(realm);
 		if (identities.franceconnect) auth.franceconnect = $authFranceConnect(realm);
 		alepha.with(() => auth);
+		if (identities.federated) {
+			const fed = $authFederationClient({
+				realm,
+				brokerUrl: identities.federated.brokerUrl,
+				publicKeyPem: identities.federated.publicKey
+			});
+			alepha.with(() => ({ federationCallback: fed.callback }));
+		}
 	}
 	if (features.parameters) {
 		alepha.with(AlephaApiParameters);
@@ -3194,10 +3436,11 @@ const AlephaApiUsers = $module({
 		UserJobs,
 		UserNotifications,
 		UserAudits,
+		SessionAudits,
 		UserBuckets
 	]
 });
 //#endregion
-export { $realm, AdminIdentityController, AdminSessionController, AdminUserController, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityService, RealmController, RealmProvider, RegistrationService, SessionCrudService, SessionService, UserAudits, UserBuckets, UserController, UserJobs, UserNotifications, UserService, UsernameSlugger, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, realmConfigSchema, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessions, updateUserSchema, userQuerySchema, userResourceSchema, users };
+export { $realm, AdminIdentityController, AdminSessionController, AdminUserController, AlephaApiUsers, CredentialService, DEFAULT_USER_REALM_NAME, IdentityService, RealmController, RealmProvider, RegistrationService, SessionAudits, SessionCrudService, SessionService, UserAudits, UserBuckets, UserController, UserJobs, UserNotifications, UserService, UsernameSlugger, completePasswordResetRequestSchema, completeRegistrationRequestSchema, createUserSchema, identities, identityQuerySchema, identityResourceSchema, loginSchema, passwordResetIntentResponseSchema, realmAuthSettingsAtom, realmConfigSchema, registerSchema, registrationIntentResponseSchema, resetPasswordRequestSchema, resetPasswordSchema, sessionQuerySchema, sessionResourceSchema, sessionUserSummarySchema, sessions, updateUserSchema, userQuerySchema, userResourceSchema, users };
 //# sourceMappingURL=index.js.map