alepha 0.7.0 → 0.7.2

package/server.d.ts

@@ -1,13 +1,15 @@
 import * as _alepha_core from '@alepha/core';
-import { Static as Static$1, TObject as TObject$1, TSchema as TSchema$2, Async, StreamLike, Alepha, OPTIONS, KIND, FileLike } from '@alepha/core';
+import { Static as Static$1, TObject as TObject$1, TSchema as TSchema$2, Async, StreamLike, Alepha, FileLike, OPTIONS, KIND, Service } from '@alepha/core';
 export { KIND } from '@alepha/core';
+import * as _alepha_cache from '@alepha/cache';
+import { CacheDescriptorOptions } from '@alepha/cache';
+import { DurationLike, DateTimeProvider } from '@alepha/datetime';
 import { UserAccountToken, Permission, ServiceAccountDescriptor as ServiceAccountDescriptor$1, SecurityProvider, JwtProvider } from '@alepha/security';
 import { IncomingMessage, ServerResponse as ServerResponse$1 } from 'node:http';
 import { Readable } from 'node:stream';
 import { ReadableStream } from 'node:stream/web';
 import { Route, RouterProvider } from '@alepha/router';
-import * as _alepha_cache from '@alepha/cache';
-import { DurationLike, DateTimeProvider } from '@alepha/datetime';
+import * as _alepha_retry from '@alepha/retry';
 import { BusboyConfig } from '@fastify/busboy';
 import * as http from 'http';
 
@@ -20,6 +22,11 @@ declare const Hint$1: unique symbol;
 /** Symbol key applied to types */
 declare const Kind$1: unique symbol;
 
+interface TAny extends TSchema$1 {
+    [Kind$1]: 'Any';
+    static: any;
+}
+
 type TReadonly<T extends TSchema$1> = T & {
     [ReadonlyKind$1]: 'Readonly';
 };
@@ -91,6 +98,19 @@ type TOptional<T extends TSchema$1> = T & {
     [OptionalKind$1]: 'Optional';
 };
 
+type RecordStatic<Key extends TSchema$1, Type extends TSchema$1, P extends unknown[]> = (Evaluate<{
+    [_ in Assert<Static<Key>, PropertyKey>]: Static<Type, P>;
+}>);
+interface TRecord<Key extends TSchema$1 = TSchema$1, Type extends TSchema$1 = TSchema$1> extends TSchema$1 {
+    [Kind$1]: 'Record';
+    static: RecordStatic<Key, Type, this['params']>;
+    type: 'object';
+    patternProperties: {
+        [pattern: string]: Type;
+    };
+    additionalProperties: TAdditionalProperties;
+}
+
 /** Creates a static type from a TypeBox type */
 type Static<Type extends TSchema$1, Params extends unknown[] = [], Result = (Type & {
     params: Params;
@@ -130,6 +150,7 @@ interface TObject<T extends TProperties = TProperties> extends TSchema$1, Object
     required?: string[];
 }
 
+type Assert<T, E> = T extends E ? T : never;
 type Evaluate<T> = T extends infer O ? {
     [K in keyof O]: O[K];
 } : never;
@@ -189,13 +210,23 @@ interface TSchema$1 extends TKind$1, SchemaOptions$1 {
 declare const routeMethods: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE"];
 type RouteMethod = (typeof routeMethods)[number];
 
-declare const envSchema$5: TObject$1<{
+type ServiceRouteCache = boolean | DurationLike | Omit<CacheDescriptorOptions<any>, "handler" | "key">;
+
+declare const envSchema$4: TObject$1<{
     SERVER_ALS_ENABLED: TBoolean;
 }>;
 declare module "alepha" {
-    interface Env extends Partial<Static$1<typeof envSchema$5>> {
+    interface Env extends Partial<Static$1<typeof envSchema$4>> {
     }
 }
+/**
+ * Main router for all routes on the server side.
+ *
+ * Remember:
+ * - $route => generic route
+ * - $action => action route (for API calls)
+ * - $page => React route (for SSR)
+ */
 declare class ServerRouterProvider extends RouterProvider<ServerRouteWithHandler> {
     protected readonly alepha: Alepha;
     protected readonly env: {
@@ -203,7 +234,7 @@ declare class ServerRouterProvider extends RouterProvider<ServerRouteWithHandler
     };
     createRequestId(): string;
     route<TConfig extends RequestConfigSchema = RequestConfigSchema>(route: ServerRoute<TConfig>): Promise<void>;
-    handle(route: ServerRoute, rawRequest: ServerRawRequest, responseType: ResponseType, withAls: boolean): Promise<ServerResponse>;
+    onRequest(route: ServerRoute, rawRequest: ServerRawRequest, responseType: ResponseType, withAls: boolean): Promise<ServerResponse>;
     protected processRequest(request: ServerRequest, route: ServerRoute, responseType: ResponseType, withAls: boolean): Promise<{
         status: number;
         headers: Record<string, string> & {
@@ -211,7 +242,7 @@ declare class ServerRouterProvider extends RouterProvider<ServerRouteWithHandler
         };
         body: any;
     }>;
-    protected tryRequestProcessing(route: ServerRoute, request: ServerRequest, responseType: ResponseType, withAls: boolean): Promise<void>;
+    protected runRouteHandler(route: ServerRoute, request: ServerRequest, responseType: ResponseType, withAls: boolean): Promise<void>;
     protected getResponseType(schema?: RequestConfigSchema): ResponseType;
     protected errorHandler(route: ServerRoute, request: ServerRequest, error: Error): Promise<void>;
     validateRequest(route: {
@@ -248,14 +279,26 @@ interface ServerRequest<TConfig extends RequestConfigSchema = RequestConfigSchem
 }
 interface ServerRoute<TConfig extends RequestConfigSchema = RequestConfigSchema> extends Route {
     method?: RouteMethod;
-    silent?: boolean;
     handler: ServerHandler<TConfig>;
     schema?: TConfig;
+    /**
+     * @see ServerLoggerProvider
+     */
+    silent?: boolean;
+    /**
+     * @see ServerSecurityProvider
+     */
+    secure?: ServerRouteSecure;
+    /**
+     * @see ServerCacheProvider
+     */
+    cache?: ServiceRouteCache;
 }
 type ServerResponseBody<TConfig extends RequestConfigSchema = RequestConfigSchema> = TConfig["response"] extends TSchema$2 ? Static$1<TConfig["response"]> : ResponseBodyType;
 type ResponseType = "json" | "text" | "void" | "file" | "any";
 type ResponseBodyType = string | Buffer | StreamLike | undefined | null | void;
 type ServerHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerRequest<TConfig>) => Async<ServerResponseBody<TConfig>>;
+type ServerMiddlewareHandler<TConfig extends RequestConfigSchema = RequestConfigSchema> = (request: ServerRequest<TConfig>) => Async<ServerResponseBody<TConfig> | undefined>;
 interface ServerReply {
     headers: Record<string, string> & {
         "set-cookie"?: string[];
@@ -265,7 +308,7 @@ interface ServerReply {
     redirect(url: string): void;
 }
 interface ServerResponse {
-    body: string | ArrayBuffer | Readable | ReadableStream;
+    body: string | Buffer | ArrayBuffer | Readable | ReadableStream;
     headers: Record<string, string>;
     status: number;
 }
@@ -285,6 +328,149 @@ interface ServerRawRequest {
         };
     };
 }
+type ServerRouteSecure = boolean | {
+    permissions?: string[];
+    roles?: string[];
+    realms?: string[];
+    organizations?: string[];
+};
+
+declare class ActionDescriptorHelper {
+    name(options: ActionDescriptorOptions, _instance: any, key: string): string;
+    path(options: ActionDescriptorOptions, _instance: any, key: string): string;
+    link(options: ActionDescriptorOptions, instance: any, key: string, prefix?: string): HttpClientLink;
+    method(options: {
+        method?: string;
+        schema?: any;
+    }): RouteMethod;
+    permission(options: ActionDescriptorOptions, instance: any, key: string): Permission;
+    group(options: ActionDescriptorOptions, instance: any): string;
+    isMultipart(options: {
+        schema?: RequestConfigSchema;
+    }): boolean;
+    bodyContentType(options: ActionDescriptorOptions): string | undefined;
+    protected short(name: string): string;
+    fetchLinks(_url: string): void;
+}
+
+declare const apiLinkSchema: TObject<{
+    name: TString$1;
+    path: TString$1;
+    method: TOptional<TString$1>;
+    group: TOptional<TString$1>;
+    requestBodyType: TOptional<TString$1>;
+    service: TOptional<TString$1>;
+}>;
+declare const apiLinksResponseSchema: TObject<{
+    prefix: TOptional<TString$1>;
+    links: TArray<TObject<{
+        name: TString$1;
+        path: TString$1;
+        method: TOptional<TString$1>;
+        group: TOptional<TString$1>;
+        requestBodyType: TOptional<TString$1>;
+        service: TOptional<TString$1>;
+    }>>;
+}>;
+type ApiLinksResponse = Static$1<typeof apiLinksResponseSchema>;
+type ApiLink = Static$1<typeof apiLinkSchema>;
+
+declare class HttpClient {
+    protected readonly log: _alepha_core.Logger;
+    protected readonly alepha: Alepha;
+    protected readonly helper: ActionDescriptorHelper;
+    readonly cache: _alepha_cache.CacheDescriptor<HttpClientCache, any[]>;
+    protected readonly pendingRequests: HttpClientPendingRequests;
+    readonly URL_LINKS = "/api/_links";
+    links?: Array<HttpClientLink>;
+    pushLink(link: HttpClientLink): void;
+    clear(): Promise<void>;
+    fetch<T>(url: string, request?: RequestInit, options?: FetchRunOptions): Promise<FetchResponse<T>>;
+    json<T = any>(url: string, options?: RequestInit): Promise<T>;
+    protected url(host: string, link: HttpClientLink, args: ServerRequestConfigEntry): string;
+    protected body(init: RequestInit, headers: Record<string, string>, link: HttpClientLink, args?: ServerRequestConfigEntry): Promise<void>;
+    protected responseData(response: Response, options: FetchRunOptions): Promise<any>;
+    protected isMaybeFile(response: Response): boolean;
+    protected createFileLike(response: Response, defaultFileName?: string): FileLike;
+    protected pathVariables(url: string, action: HttpClientLink, args?: ServerRequestConfigEntry): string;
+    protected queryParams(url: string, action: {
+        schema?: {
+            query?: TObject$1;
+        };
+    }, args?: ServerRequestConfigEntry): string;
+    /**
+     * Transform a link into a fetch-request then call fetch().
+     */
+    fetchLink(args: FetchLinkArgs): Promise<FetchResponse>;
+    /**
+     * Create a proxy client.
+     * This allows to call actions as methods, e.g. `client.actionName()`.
+     */
+    of<T extends object>(scope?: ClientScope): HttpVirtualClient<T>;
+    protected getLinkByName(name: string, options?: ClientScope): Promise<HttpClientLink>;
+    /**
+     * Resolve a link by its name and call it.
+     * - If link is local, it will call the local handler.
+     * - If link is remote, it will make a fetch request to the remote server.
+     */
+    follow(name: string, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions & ClientScope): Promise<any>;
+    protected followRemote(link: HttpClientLink, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions): Promise<FetchResponse>;
+    can(name: string): boolean;
+    getLinks(force?: boolean): Promise<HttpClientLink[]>;
+}
+type HttpClientPendingRequests = Record<string, Promise<any> | undefined>;
+interface FetchFactoryAdditionalOptions {
+    host?: string | (() => string);
+}
+interface FetchRunOptions {
+    /**
+     * Key to identify the request in the pending requests.
+     */
+    key?: string;
+    /**
+     * The schema to validate the response against.
+     */
+    schema?: TSchema$2;
+    /**
+     * Built-in cache options.
+     */
+    cache?: boolean | number | DurationLike;
+}
+interface HttpClientLink extends ApiLink {
+    secured?: boolean;
+    prefix?: string;
+    host?: string;
+    service?: string;
+    schema?: RequestConfigSchema;
+    handler?: ServerHandler;
+}
+interface ClientScope {
+    group?: string;
+    service?: string;
+}
+type HttpVirtualClient<T> = {
+    [K in keyof T as T[K] extends ActionDescriptor ? K : never]: T[K] extends ActionDescriptor<infer Schema> ? T[K] & {
+        can: () => boolean;
+        schema: Schema;
+    } : never;
+};
+interface HttpClientCache {
+    data: any;
+    etag?: string;
+}
+interface FetchResponse<T = any> {
+    data: T;
+    status: number;
+    statusText: string;
+    headers: Headers;
+    raw?: Response;
+}
+interface FetchLinkArgs {
+    link: HttpClientLink;
+    host?: string;
+    config?: ServerRequestConfigEntry;
+    options?: ClientRequestOptions;
+}
 
 declare const KEY$2 = "ACTION";
 interface ActionDescriptorOptions<TConfig extends RequestConfigSchema = RequestConfigSchema> extends Omit<ServerRoute, "handler" | "path" | "schema"> {
@@ -305,12 +491,6 @@ interface ActionDescriptorOptions<TConfig extends RequestConfigSchema = RequestC
      * @deprecated
      */
     security?: boolean;
-    /**
-     * If true, the route is secure.
-     *
-     * Can be a string or an array of strings to specify required roles or permissions.
-     */
-    secure?: boolean | string | string[];
     /**
      * Pathname of the route.
      */
@@ -357,6 +537,11 @@ interface ActionDescriptorOptions<TConfig extends RequestConfigSchema = RequestC
      * Main route handler. This is where the route logic is implemented.
      */
     handler?: ServerHandler<TConfig>;
+    /**
+     * If true, the route will be cached.
+     * - Number as seconds or boolean to enable cache.
+     */
+    cache?: boolean | DurationLike | Omit<CacheDescriptorOptions<any>, "handler" | "key">;
 }
 interface ActionDescriptor<TConfig extends RequestConfigSchema = RequestConfigSchema> {
     [KIND]: typeof KEY$2;
@@ -364,15 +549,20 @@ interface ActionDescriptor<TConfig extends RequestConfigSchema = RequestConfigSc
     /**
      * Fetch or just call local route when available.
      */
-    (config?: ClientRequestEntry<TConfig>, opts?: ClientRequestOptions): ClientRequestResponse<TConfig>;
+    (config?: ClientRequestEntry<TConfig>, opts?: ClientRequestOptions): Promise<ClientRequestResponse<TConfig>>;
     /**
      * Just fetch the route. Skip any local route.
      */
-    fetch: (config?: ClientRequestEntry<TConfig>, opts?: ClientRequestOptions) => ClientRequestResponse<TConfig>;
+    fetch: (config?: ClientRequestEntry<TConfig>, opts?: ClientRequestOptions) => Promise<FetchResponse<ClientRequestResponse<TConfig>>>;
     /**
      * Name of the permission required to access this route.
      */
     permission: () => string;
+    /**
+     * Invalidate the cache for this action.
+     * This is only available if the action has cache enabled.
+     */
+    invalidate: () => Promise<void>;
 }
 declare const $action: {
     <TConfig extends RequestConfigSchema>(options: ActionDescriptorOptions<TConfig>): ActionDescriptor<TConfig>;
@@ -387,24 +577,21 @@ type ClientRequestEntryContainer<TConfig extends RequestConfigSchema = RequestCo
     headers?: TConfig["headers"] extends TSchema$2 ? Static$1<TConfig["headers"]> : undefined;
     query?: TConfig["query"] extends TSchema$2 ? Partial<Static$1<TConfig["query"]>> : undefined;
 };
-interface ClientRequestOptions {
-    /**
-     * Built-in cache options.
-     * Number as seconds or boolean to enable cache.
-     */
-    cache?: number | boolean;
+interface ClientRequestOptions extends FetchRunOptions {
     /**
      * Forward user from the previous request.
+     * If "system", use system user. @see {ServerSecurityProvider.localSystemUser}
+     * If "context", use the user from the current context (e.g. request).
      *
-     * In testing environments, you can pass a partial user token.
+     * @default "system" is provided, else "context" is used.
      */
-    user?: Partial<UserAccountToken>;
+    user?: UserAccountToken | "system" | "context";
     /**
      * Standard request fetch options.
      */
     request?: RequestInit;
 }
-type ClientRequestResponse<TConfig extends RequestConfigSchema> = Promise<TConfig["response"] extends TSchema$2 ? Static$1<TConfig["response"]> : Response>;
+type ClientRequestResponse<TConfig extends RequestConfigSchema> = TConfig["response"] extends TSchema$2 ? Static$1<TConfig["response"]> : any;
 
 declare class HttpError extends Error {
     static toJSON(error: HttpError): {
@@ -438,116 +625,59 @@ declare class HttpError extends Error {
     }, cause?: unknown);
 }
 declare const errorNameByStatus: Record<number, string>;
-
-declare class ActionDescriptorHelper {
-    name(options: ActionDescriptorOptions, instance: any, key: string): string;
-    path(options: ActionDescriptorOptions, instance: any, key: string): string;
-    link(options: ActionDescriptorOptions, instance: any, key: string, prefix?: string): HttpClientLink;
-    method(options: {
-        method?: string;
-        schema?: any;
-    }): RouteMethod;
-    permission(options: ActionDescriptorOptions, instance: any, key: string): Permission;
-    group(options: ActionDescriptorOptions, instance: any): string;
-    isMultipart(options: {
-        schema?: RequestConfigSchema;
-    }): boolean;
-    bodyContentType(options: ActionDescriptorOptions): string | undefined;
-    protected short(name: string): string;
-    fetchLinks(url: string): void;
+declare const isHttpError: (error: unknown) => error is HttpErrorLike;
+interface HttpErrorLike extends Error {
+    status: number;
 }
 
-declare const apiLinkSchema: TObject<{
-    name: TString$1;
-    path: TString$1;
-    method: TOptional<TString$1>;
-    group: TOptional<TString$1>;
-    requestBodyType: TOptional<TString$1>;
-    service: TOptional<TString$1>;
-}>;
-declare const apiLinksResponseSchema: TObject<{
-    userId: TOptional<TString$1>;
-    prefix: TOptional<TString$1>;
-    links: TArray<TObject<{
-        name: TString$1;
-        path: TString$1;
-        method: TOptional<TString$1>;
-        group: TOptional<TString$1>;
-        requestBodyType: TOptional<TString$1>;
-        service: TOptional<TString$1>;
-    }>>;
-}>;
-type ApiLinksResponse = Static$1<typeof apiLinksResponseSchema>;
-type ApiLink = Static$1<typeof apiLinkSchema>;
+declare const $client: <T extends object>(scope?: ClientScope) => HttpVirtualClient<T>;
 
-declare class HttpClient {
-    protected readonly alepha: Alepha;
-    protected readonly helper: ActionDescriptorHelper;
-    readonly URL_LINKS = "/api/_links";
-    readonly cache: _alepha_cache.CacheDescriptor<any, any[]>;
-    protected links?: Array<HttpClientLink>;
-    protected readonly pendingRequests: HttpClientPendingRequests;
-    pushLink(link: HttpClientLink): void;
-    clear(): Promise<void>;
-    createFetchFunction(link: HttpClientLink, args?: FetchFactoryAdditionalOptions): (config?: Partial<ClientRequestEntry>, options?: ClientRequestOptions) => Promise<any>;
-    request(args: {
-        config?: ServerRequestConfigEntry;
-        link: HttpClientLink;
-        options?: ClientRequestOptions;
-        host?: string;
-    }): Promise<any>;
-    protected url(host: string, link: HttpClientLink, args: ServerRequestConfigEntry): string;
-    protected body(init: RequestInit, headers: Record<string, string>, link: HttpClientLink, args?: ServerRequestConfigEntry): Promise<void>;
-    fetch<T>(url: string, request: RequestInit, options?: FetchRunOptions): Promise<T>;
+type ProxyDescriptorOptions = {
+    path: string;
+    target: string;
+    disabled?: boolean;
+    beforeRequest?: (request: ServerRequest, proxyRequest: RequestInit) => Async<void>;
+    afterResponse?: (request: ServerRequest, proxyResponse: Response) => Async<void>;
+    rewrite?: (url: URL) => void;
+};
+interface ProxyDescriptor {
+    [KIND]: "PROXY";
+    [OPTIONS]: ProxyDescriptorOptions;
+}
+declare const $proxy: {
+    (options: ProxyDescriptorOptions): ProxyDescriptor;
+    [KIND]: string;
+};
+
+/**
+ * Represents a User Account extracted from JWT.
+ */
+interface UserAccountInfo {
     /**
-     * Parse the response.
-     *
-     * @param response
-     * @param options
-     * @protected
+     * ID of user account. Based on JWT.sub.
      */
-    protected response(response: Response, options: FetchRunOptions): Promise<Response | any>;
-    protected isMaybeFile(response: Response): boolean;
-    protected getFileLike(response: Response, defaultFileName?: string): FileLike;
-    protected pathVariables(url: string, action: HttpClientLink, args?: ServerRequestConfigEntry): string;
-    queryParams(url: string, action: {
-        schema?: {
-            query?: TObject$1;
-        };
-    }, args?: ServerRequestConfigEntry): string;
-    of<T extends object>(link?: {
-        group?: string;
-    }): HttpVirtualClient<T>;
-    follow(name: string, config?: Partial<ServerRequestConfigEntry>, options?: ClientRequestOptions & {
-        group?: string;
-        service?: string;
-    }): Promise<any>;
-    can(name: string): boolean;
-    getLinks(): Promise<HttpClientLink[]>;
-    json<T = any>(url: string, options?: RequestInit): Promise<T>;
-}
-type HttpClientPendingRequests = Record<string, Promise<any> | undefined>;
-interface FetchFactoryAdditionalOptions {
-    host?: string | (() => string);
-}
-interface FetchRunOptions {
-    schema?: TSchema$2;
-    raw?: boolean;
-    cache?: boolean | DurationLike;
-}
-interface HttpClientLink extends ApiLink {
-    secured?: boolean;
-    prefix?: string;
-    host?: string;
-    service?: string;
-    schema?: RequestConfigSchema;
-    handler?: ServerHandler;
+    id: string;
+    /**
+     * Represents the roles assigned to a user.
+     */
+    roles?: string[];
+    /**
+     * User full name, if available.
+     */
+    name?: string;
+    /**
+     * User email, if available.
+     */
+    email?: string;
+    /**
+     * User profile picture URL, if available.
+     */
+    picture?: string;
+    /**
+     * Organization ID, if available.
+     */
+    organization?: string;
 }
-type HttpVirtualClient<T> = {
-    [K in keyof T as T[K] extends ActionDescriptor ? K : never]: T[K] & {
-        can: () => boolean;
-    };
-};
 
 /** Symbol key applied to readonly types */
 declare const ReadonlyKind: unique symbol;
@@ -609,69 +739,25 @@ interface TSchema extends TKind, SchemaOptions {
     static: unknown;
 }
 
-declare const envSchema$4: _alepha_core.TObject<{
+declare const envSchema$3: _alepha_core.TObject<{
     SECURITY_SECRET_KEY: TString;
 }>;
-declare module "alepha/core" {
-    interface Env extends Partial<Static$1<typeof envSchema$4>> {
-    }
-}
-type ServiceAccountDescriptorOptions = {
-    oauth2: {
-        /**
-         * Get Token URL.
-         */
-        url: string;
-        /**
-         * Client ID.
-         */
-        clientId: string;
-        /**
-         * Client Secret.
-         */
-        clientSecret: string;
-        /**
-         * Scopes to request.
-         */
-        scope?: string;
-    };
-} | {
-    jwt: {
-        secret: string;
-        roles?: string[];
-    };
-};
 interface ServiceAccountDescriptor {
-    options: ServiceAccountDescriptorOptions;
-    store: ServiceAccountStore;
     token: () => Promise<string>;
-    fetch(url: string, options?: RequestInit): Promise<Response>;
 }
-interface AccessTokenResponse {
-    access_token: string;
-    expires_in: number;
-    at: number;
-}
-interface ServiceAccountStore {
-    response?: AccessTokenResponse;
+declare module "alepha/core" {
+    interface Env extends Partial<Static$1<typeof envSchema$3>> {
+    }
 }
 
-type ProxyDescriptorOptions = {
-    path: string;
-    target: string;
-    disabled?: boolean;
-    beforeRequest?: (request: ServerRequest, proxyRequest: RequestInit) => Async<void>;
-    afterResponse?: (request: ServerRequest, proxyResponse: Response) => Async<void>;
-    rewrite?: (url: URL) => void;
-};
-interface ProxyDescriptor {
-    [KIND]: "PROXY";
-    [OPTIONS]: ProxyDescriptorOptions;
+declare module "@alepha/core" {
+    interface Hooks {
+        "security:user:created": {
+            realm: string;
+            user: UserAccountInfo;
+        };
+    }
 }
-declare const $proxy: {
-    (options: ProxyDescriptorOptions): ProxyDescriptor;
-    [KIND]: string;
-};
 
 declare const KEY$1 = "REMOTE";
 interface RemoteDescriptorOptions {
@@ -706,7 +792,12 @@ interface RemoteDescriptorOptions {
      * If true, all methods of the remote service will be exposed as actions in this context.
      * > Note: Proxy will never use the service account, it just... proxies the request.
      */
-    proxy?: boolean | Partial<ProxyDescriptorOptions>;
+    proxy?: boolean | Partial<ProxyDescriptorOptions & {
+        /**
+         * If true, the remote service won't be available internally, only through the proxy.
+         */
+        noInternal: boolean;
+    }>;
     /**
      * For communication between the server and the remote service with a security layer.
      * This will be used for internal communication and will not be exposed to the client.
@@ -731,8 +822,6 @@ declare const $remote: {
     [KIND]: string;
 };
 
-declare const $client: <T extends object>() => HttpVirtualClient<T>;
-
 declare const KEY = "ROUTE";
 interface RouteDescriptorOptions<TConfig extends RequestConfigSchema = RequestConfigSchema> extends ServerRoute<TConfig> {
 }
@@ -745,17 +834,77 @@ declare const $route: {
     [KIND]: string;
 };
 
+declare class BadRequestError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+declare class ConflictError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+declare class ForbiddenError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+declare class NotFoundError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+declare class UnauthorizedError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+declare class ValidationError extends HttpError {
+    constructor(message?: string, cause?: unknown);
+}
+
+/**
+ * Register `/health` endpoint.
+ *
+ * - Provides basic health information about the server.
+ */
+declare class ServerHealthProvider {
+    protected readonly dateTimeProvider: DateTimeProvider;
+    protected readonly alepha: Alepha;
+    readonly health: RouteDescriptor<{
+        response: TObject<{
+            message: TString$1;
+            uptime: TNumber;
+            date: TString$1;
+            ready: TBoolean;
+        }>;
+    }>;
+}
+
+declare class ProxyDescriptorProvider {
+    protected readonly log: _alepha_core.Logger;
+    protected readonly routerProvider: ServerRouterProvider;
+    protected readonly alepha: Alepha;
+    readonly configure: _alepha_core.HookDescriptor<"configure">;
+    createProxyHandler(options: Omit<ProxyDescriptorOptions, "path">): ServerHandler;
+    proxy(options: ProxyDescriptorOptions): Promise<void>;
+    private getRawRequestBody;
+}
+
 declare class ServerProvider {
     constructor();
     get hostname(): string;
 }
 
-declare const envSchema$3: _alepha_core.TObject<{
+declare const envSchema$2: _alepha_core.TObject<{
     SERVER_API_PREFIX: TString$1;
     SERVER_SECURITY_ENABLED: TBoolean;
 }>;
 declare module "@alepha/core" {
-    interface Env extends Partial<Static$1<typeof envSchema$3>> {
+    interface Env extends Partial<Static$1<typeof envSchema$2>> {
+    }
+    interface State {
+        /**
+         * Real (or fake) user account, used for internal actions.
+         * If you define this, you assume that all actions are executed by this user by default.
+         * And to force a different user, you need to pass it explicitly in the options.
+         */
+        "ServerSecurityProvider.localSystemUser"?: UserAccountToken;
     }
 }
 declare class ServerActionDescriptorProvider {
@@ -774,37 +923,33 @@ declare class ServerActionDescriptorProvider {
     getPrefix(): string;
     readonly configure: _alepha_core.HookDescriptor<"configure">;
     registerAction(value: ActionDescriptor, key: string, instance: any, prefix?: string): Promise<void>;
-    /**
-     * @deprecated
-     */
-    registerActionApi(routeDescriptor: ActionDescriptor, instance: any, key: string): void;
     /**
      * Check a mock function for the specified route.
      *
      * This is mostly used for testing purposes.
-     *
-     * @param value
-     * @param permission
-     * @protected
      */
-    protected createLocalFunction(value: ActionDescriptor, permission: Permission): (config?: ServerRequestConfigEntry, options?: ClientRequestOptions) => Promise<any>;
+    protected createLocalFunction(action: ActionDescriptorOptions, permission: Permission): (config?: ServerRequestConfigEntry, options?: ClientRequestOptions) => Promise<any>;
     /**
-     * Security adapted for local function.
+     * Get the user account token for a local action call.
+     * It will check the options, context, and system user.
      */
     protected getUserFromLocalFunctionContext(options: {
-        user?: Partial<UserAccountToken>;
-    }, permission: Permission, security: boolean): UserAccountToken | undefined;
-    /**
-     * TODO: remove it, this is a hack for testing purposes
-     */
-    protected createSystemUser(): UserAccountToken;
+        user?: UserAccountToken | "system" | "context";
+    }, permission: Permission, isRouteSecure: boolean): UserAccountToken | undefined;
 }
 declare const isServerAction: (value: any) => value is ServerRouteAction;
 interface ServerRemote {
     url: string;
     name: string;
     proxy: boolean;
-    links: (authorization?: string) => Promise<ApiLinksResponse>;
+    internal: boolean;
+    links: (args: {
+        authorization?: string;
+    }) => Promise<ApiLinksResponse>;
+    schema: (args: {
+        name: string;
+        authorization?: string;
+    }) => Promise<any>;
     serviceAccount?: ServiceAccountDescriptor$1;
     prefix: string;
 }
@@ -817,16 +962,10 @@ interface ServerRouteAction<TConfig extends RequestConfigSchema = RequestConfigS
     options: ActionDescriptorOptions;
 }
 
-declare class ProxyDescriptorProvider {
-    protected readonly routerProvider: ServerRouterProvider;
-    protected readonly alepha: Alepha;
-    readonly configure: _alepha_core.HookDescriptor<"configure">;
-    createProxyHandler(options: Omit<ProxyDescriptorOptions, "path">): ServerHandler;
-    proxy(options: ProxyDescriptorOptions): Promise<void>;
-    private getRawRequestBody;
-}
-
 declare class RemoteDescriptorProvider {
+    static path: {
+        apiLinks: string;
+    };
     protected readonly alepha: Alepha;
     protected readonly client: HttpClient;
     protected readonly proxyProvider: ProxyDescriptorProvider;
@@ -836,52 +975,21 @@ declare class RemoteDescriptorProvider {
     readonly configure: _alepha_core.HookDescriptor<"configure">;
     readonly start: _alepha_core.HookDescriptor<"start">;
     registerRemote(value: RemoteDescriptor, key: string): Promise<void>;
-    protected readonly fetchLinks: (opts: {
+    protected readonly fetchLinks: _alepha_retry.RetryDescriptor<(opts: {
         service: string;
         url: string;
         authorization?: string;
     }) => Promise<{
-        userId?: string | undefined;
         prefix?: string | undefined;
         links: {
-            method?: string | undefined;
             group?: string | undefined;
+            method?: string | undefined;
             requestBodyType?: string | undefined;
             service?: string | undefined;
             path: string;
             name: string;
         }[];
-    }>;
-}
-
-declare const envSchema$2: _alepha_core.TObject<{
-    SERVER_API_URL: TString$1;
-}>;
-declare module "@alepha/core" {
-    interface Env extends Partial<Static$1<typeof envSchema$2>> {
-    }
-}
-declare class BrowserActionDescriptorProvider {
-    protected readonly log: _alepha_core.Logger;
-    protected readonly alepha: Alepha;
-    protected readonly client: HttpClient;
-    protected readonly env: {
-        SERVER_API_URL: string;
-    };
-    protected readonly helper: ActionDescriptorHelper;
-    readonly configure: _alepha_core.HookDescriptor<"configure">;
-    configureActions(): void;
-    registerAction(value: ActionDescriptor, instance: any, key: string): void;
-}
-
-declare class ServerSecurityProvider {
-    protected readonly log: _alepha_core.Logger;
-    protected readonly securityProvider: SecurityProvider;
-    protected readonly jwtProvider: JwtProvider;
-    protected readonly alepha: Alepha;
-    readonly onClientRequest: _alepha_core.HookDescriptor<"client:onRequest">;
-    protected readonly onRequest: _alepha_core.HookDescriptor<"server:onRequest">;
-    protected readonly onRoute: _alepha_core.HookDescriptor<"server:onRoute">;
+    }>>;
 }
 
 declare class ServerLinksProvider {
@@ -891,7 +999,6 @@ declare class ServerLinksProvider {
     protected readonly serverActionDescriptorProvider: ServerActionDescriptorProvider;
     readonly links: RouteDescriptor<{
         response: TObject<{
-            userId: TOptional<TString$1>;
             prefix: TOptional<TString$1>;
             links: TArray<TObject<{
                 name: TString$1;
@@ -903,21 +1010,16 @@ declare class ServerLinksProvider {
             }>>;
         }>;
     }>;
+    readonly schema: RouteDescriptor<{
+        params: TObject<{
+            name: TString$1;
+        }>;
+        response: TRecord<TString$1, TAny>;
+    }>;
     getLinks(options: {
         user?: UserAccountToken;
         authorization?: string;
-    }): Promise<{
-        userId: string | undefined;
-        prefix: string;
-        links: {
-            method?: string | undefined;
-            group?: string | undefined;
-            requestBodyType?: string | undefined;
-            service?: string | undefined;
-            path: string;
-            name: string;
-        }[];
-    }>;
+    }): Promise<ApiLinksResponse>;
 }
 
 declare class ServerLoggerProvider {
@@ -928,36 +1030,6 @@ declare class ServerLoggerProvider {
     readonly onResponse: _alepha_core.HookDescriptor<"server:onResponse">;
 }
 
-/**
- * Register `/health` endpoint.
- *
- * - Provides basic health information about the server.
- */
-declare class ServerHealthProvider {
-    protected readonly dateTimeProvider: DateTimeProvider;
-    protected readonly alepha: Alepha;
-    readonly health: RouteDescriptor<{
-        response: TObject<{
-            message: TString$1;
-            uptime: TNumber;
-            date: TString$1;
-            ready: TBoolean;
-        }>;
-    }>;
-}
-
-/**
- * On every request, this provider checks if the server is ready.
- *
- * If the server is not ready, it responds with a 503 status code and a message indicating that the server is not ready yet.
- *
- * The response also includes a `Retry-After` header indicating that the client should retry after 5 seconds.
- */
-declare class ServerNotReadyProvider {
-    protected readonly alepha: Alepha;
-    readonly onRequest: _alepha_core.HookDescriptor<"server:onRequest">;
-}
-
 declare class ServerMultipartProvider {
     protected readonly helper: ActionDescriptorHelper;
     protected readonly alepha: Alepha;
@@ -981,17 +1053,40 @@ interface HybridFile extends FileLike {
         tmpPath: string;
     };
 }
+
 /**
- * Create a file-like object from various sources.
+ * On every request, this provider checks if the server is ready.
+ *
+ * If the server is not ready, it responds with a 503 status code and a message indicating that the server is not ready yet.
+ *
+ * The response also includes a `Retry-After` header indicating that the client should retry after 5 seconds.
  */
-declare const file: (source: string | Buffer | ArrayBuffer | StreamLike, options?: {
-    type?: string;
-    name?: string;
-}) => FileLike;
-declare const bufferToStream: (buffer: Buffer) => Readable;
-declare const streamToBuffer: (stream: Readable) => Promise<Buffer>;
-declare const bufferToArrayBuffer: (buffer: Buffer) => ArrayBuffer;
-declare const getContentType: (filename: string) => string;
+declare class ServerNotReadyProvider {
+    protected readonly alepha: Alepha;
+    readonly onRequest: _alepha_core.HookDescriptor<"server:onRequest">;
+}
+
+declare class ServerSecurityProvider {
+    protected readonly log: _alepha_core.Logger;
+    protected readonly securityProvider: SecurityProvider;
+    protected readonly jwtProvider: JwtProvider;
+    protected readonly alepha: Alepha;
+    readonly onClientRequest: _alepha_core.HookDescriptor<"client:onRequest">;
+    protected readonly onRequest: _alepha_core.HookDescriptor<"server:onRequest">;
+    protected readonly onRoute: _alepha_core.HookDescriptor<"server:onRoute">;
+}
+
+type TimingMap = Record<string, [number, number]>;
+declare class ServerTimingProvider {
+    protected readonly log: _alepha_core.Logger;
+    protected readonly alepha: Alepha;
+    readonly onRequest: _alepha_core.HookDescriptor<"server:onRequest">;
+    readonly onResponse: _alepha_core.HookDescriptor<"server:onResponse">;
+    protected get handlerName(): string;
+    beginTiming(name: string): void;
+    endTiming(name: string): void;
+    protected setDuration(name: string, timing: TimingMap): void;
+}
 
 declare const envSchema$1: _alepha_core.TObject<{
     SERVER_PORT: TNumber;
@@ -1012,6 +1107,7 @@ declare class NodeHttpServerProvider implements ServerProvider {
     protected readonly server: http.Server<typeof IncomingMessage, typeof ServerResponse$1>;
     handle(req: IncomingMessage, res: ServerResponse$1): Promise<number | void>;
     createRouterRequest(req: IncomingMessage, res: ServerResponse$1, params?: Record<string, string>): ServerRawRequest;
+    getProtocol(req: IncomingMessage): "http" | "https";
     shouldHaveBody(method: string): boolean;
     get hostname(): string;
     readonly start: _alepha_core.HookDescriptor<"start">;
@@ -1038,34 +1134,11 @@ declare const okSchema: TObject<{
 }>;
 type Ok = Static$1<typeof okSchema>;
 
-declare class BadRequestError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
-declare class ConflictError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
-declare class ForbiddenError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
-declare class NotFoundError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
-declare class UnauthorizedError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
-declare class ValidationError extends HttpError {
-    constructor(message?: string, cause?: unknown);
-}
-
 declare const envSchema: _alepha_core.TObject<{
     SERVER_LINKS_ENABLED: TBoolean;
     SERVER_HEALTH_ENABLED: TBoolean;
     SERVER_NOT_READY_ENABLED: TBoolean;
+    SERVER_TIMING_ENABLED: TOptional<TBoolean>;
 }>;
 declare module "@alepha/core" {
     interface Hooks {
@@ -1113,7 +1186,9 @@ declare module "@alepha/core" {
     }
 }
 declare class ServerModule {
+    static plugins: Array<Service>;
     protected readonly env: {
+        SERVER_TIMING_ENABLED?: boolean | undefined;
         SERVER_LINKS_ENABLED: boolean;
         SERVER_HEALTH_ENABLED: boolean;
         SERVER_NOT_READY_ENABLED: boolean;
@@ -1122,4 +1197,4 @@ declare class ServerModule {
     constructor();
 }
 
-export { $action, $client, $proxy, $remote, $route, type ActionDescriptor, type ActionDescriptorOptions, type ApiLink, type ApiLinksResponse, BadRequestError, BrowserActionDescriptorProvider, type ClientRequestEntry, type ClientRequestEntryContainer, type ClientRequestOptions, type ClientRequestResponse, ConflictError, type FetchFactoryAdditionalOptions, type FetchRunOptions, ForbiddenError, HttpClient, type HttpClientLink, type HttpClientPendingRequests, HttpError, type HttpVirtualClient, NodeHttpServerProvider, NotFoundError, type Ok, type ProxyDescriptor, type ProxyDescriptorOptions, ProxyDescriptorProvider, type RemoteDescriptor, type RemoteDescriptorOptions, RemoteDescriptorProvider, type RequestConfigSchema, type ResponseBodyType, type ResponseType, type RouteDescriptor, type RouteDescriptorOptions, type RouteMethod, ServerActionDescriptorProvider, type ServerHandler, ServerHealthProvider, ServerLinksProvider, ServerLoggerProvider, ServerModule, ServerMultipartProvider, ServerNotReadyProvider, ServerProvider, type ServerRawRequest, type ServerRemote, type ServerReply, type ServerRequest, type ServerRequestConfig, type ServerRequestConfigEntry, type ServerResponse, type ServerResponseBody, type ServerRoute, type ServerRouteAction, type ServerRouteWithHandler, ServerRouterProvider, ServerSecurityProvider, UnauthorizedError, ValidationError, apiLinkSchema, apiLinksResponseSchema, bufferToArrayBuffer, bufferToStream, errorNameByStatus, errorSchema, file, getContentType, isServerAction, okSchema, routeMethods, streamToBuffer };
+export { $action, $client, $proxy, $remote, $route, type ActionDescriptor, type ActionDescriptorOptions, type ApiLink, type ApiLinksResponse, BadRequestError, type ClientRequestEntry, type ClientRequestEntryContainer, type ClientRequestOptions, type ClientRequestResponse, type ClientScope, ConflictError, type FetchFactoryAdditionalOptions, type FetchLinkArgs, type FetchResponse, type FetchRunOptions, ForbiddenError, HttpClient, type HttpClientLink, type HttpClientPendingRequests, HttpError, type HttpErrorLike, type HttpVirtualClient, NodeHttpServerProvider, NotFoundError, type Ok, type ProxyDescriptor, type ProxyDescriptorOptions, ProxyDescriptorProvider, type RemoteDescriptor, type RemoteDescriptorOptions, RemoteDescriptorProvider, type RequestConfigSchema, type ResponseBodyType, type ResponseType, type RouteDescriptor, type RouteDescriptorOptions, type RouteMethod, ServerActionDescriptorProvider, type ServerHandler, ServerHealthProvider, ServerLinksProvider, ServerLoggerProvider, type ServerMiddlewareHandler, ServerModule, ServerMultipartProvider, ServerNotReadyProvider, ServerProvider, type ServerRawRequest, type ServerRemote, type ServerReply, type ServerRequest, type ServerRequestConfig, type ServerRequestConfigEntry, type ServerResponse, type ServerResponseBody, type ServerRoute, type ServerRouteAction, type ServerRouteSecure, type ServerRouteWithHandler, ServerRouterProvider, ServerSecurityProvider, ServerTimingProvider, UnauthorizedError, ValidationError, apiLinkSchema, apiLinksResponseSchema, errorNameByStatus, errorSchema, isHttpError, isServerAction, okSchema, routeMethods };