najm-auth 0.1.12 → 0.1.13

package/dist/index.d.ts

@@ -1,76 +1,587 @@
-import { DB, PluginConfig } from 'najm-api';
+import * as najm_core from 'najm-core';
+import { ValidationPluginConfig } from 'najm-validation';
+import { RateLimitPluginConfig } from 'najm-rate';
+import { I18nService } from 'najm-i18n';
+import { EmailService } from 'najm-email';
+import { TDb, SeedEntry } from 'najm-database';
+import { User, NewUser, RoleEntity, NewRoleEntity, Permission, NewPermission, RolePermission } from './schema/pg.js';
+export { NewRolePermission, NewToken, Token, authSchema, baseFields, permissionsTable, rolePermissionsTable, rolesTable, tokensTable, usersTable } from './schema/pg.js';
+import { CacheService } from 'najm-cache';
 import { z } from 'zod';
-import * as drizzle_orm from 'drizzle-orm';
-import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
+import { GuardResult } from 'najm-guard';
+import 'drizzle-orm';
+import 'drizzle-orm/pg-core';
 
+/**
+ * JWT configuration for token generation and verification
+ */
+interface JwtConfig {
+    /** Secret key for access token signing */
+    accessSecret: string;
+    /** Access token expiration time (e.g., '15m', '1h') */
+    accessExpiresIn: string;
+    /** Secret key for refresh token signing */
+    refreshSecret: string;
+    /** Refresh token expiration time (e.g., '7d', '30d') */
+    refreshExpiresIn: string;
+}
+/**
+ * Complete auth plugin configuration (internal)
+ */
+interface AuthConfig {
+    /** JWT configuration */
+    jwt: JwtConfig;
+    /** Refresh token cookie name (default: 'refreshToken') */
+    refreshCookieName: string;
+    /** Database name to use (default: 'default') */
+    database: string;
+    /** Cache key prefix for blacklist (default: 'auth:blacklist:') */
+    blacklistPrefix: string;
+    /** Default role name for new user registration (default: null - no role assigned) */
+    defaultRole: string | null;
+}
+/**
+ * Auth plugin configuration options
+ * Cache is provided by najm-cache plugin (auto-dependency)
+ */
+/**
+ * Auth schema shape (dialect-agnostic)
+ * Import from 'najm-auth/pg', 'najm-auth/sqlite', or 'najm-auth/mysql'
+ */
+interface AuthSchema {
+    users: any;
+    tokens: any;
+    roles: any;
+    permissions: any;
+    rolePermissions: any;
+}
+type AuthPluginConfig = {
+    /** Database dialect (default: 'pg'). Auto-selects the correct schema. */
+    dialect?: 'pg' | 'sqlite' | 'mysql';
+    /** Database schema tables (optional, overrides dialect). Use authSchema from 'najm-auth/sqlite' or 'najm-auth/mysql' */
+    schema?: AuthSchema;
+    /** JWT configuration (secrets can be set via env vars) */
+    jwt?: Partial<JwtConfig>;
+    /** Refresh token cookie name (default: 'refreshToken') */
+    refreshCookieName?: string;
+    /** Database name to use (default: 'default') */
+    database?: string;
+    /** Cache key prefix for blacklist (default: 'auth:blacklist:') */
+    blacklistPrefix?: string;
+    /** Default role name for new user registration (default: null - no role assigned). Set to 'user' for auto-assignment. */
+    defaultRole?: string | null;
+    /** Optional config forwarded to validation() dependency */
+    validation?: ValidationPluginConfig;
+    /** Optional config forwarded to rateLimit() dependency */
+    rateLimit?: RateLimitPluginConfig;
+};
+/**
+ * JWT payload structure
+ */
+interface JwtPayload {
+    userId: string;
+    /** Unique token ID for blacklist-based revocation */
+    jti: string;
+    exp?: number;
+    iat?: number;
+}
+/**
+ * Token pair returned after authentication
+ */
+interface TokenPair {
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAt?: number;
+    refreshTokenExpiresAt?: number;
+}
+/**
+ * User data structure for authentication
+ */
+interface AuthUser {
+    id: string;
+    email: string;
+    name?: string;
+    role?: string;
+    permissions?: string[];
+}
+
+declare const auth$1: (config?: AuthPluginConfig) => najm_core.NajmPlugin;
+
+declare const AUTH_CONFIG: unique symbol;
+declare const AUTH_SCHEMA: unique symbol;
+declare const AUTH_USER: unique symbol;
+declare const AUTH_ROLE: unique symbol;
+declare const AUTH_PERMISSIONS: unique symbol;
+
+var auth = {
+	errors: {
+		invalidCredentials: "Invalid email or password",
+		emailExists: "Email already registered",
+		accessDenied: "Access denied",
+		tokenExpired: "Token has expired",
+		tokenInvalid: "Invalid token",
+		tokenMissing: "Authorization token is missing",
+		tokenVerificationFailed: "Token verification failed",
+		tokenRevoked: "Token has been revoked",
+		refreshTokenMissing: "Refresh token is missing",
+		refreshTokenInvalid: "Invalid refresh token",
+		invalidResetToken: "Invalid password reset token",
+		resetTokenExpired: "Password reset token has expired",
+		unauthorized: "Unauthorized access",
+		sessionExpired: "Session has expired"
+	},
+	success: {
+		login: "Login successful",
+		logout: "Logout successful",
+		passwordChanged: "Password changed successfully",
+		tokenRefreshed: "Token refreshed successfully"
+	}
+};
+var users = {
+	errors: {
+		notFound: "User not found",
+		idExists: "User ID already exists",
+		emailRequired: "Email is required",
+		passwordRequired: "Password is required",
+		invalidEmail: "Invalid email format",
+		weakPassword: "Password is too weak",
+		adminRoleNotFound: "Admin role not found in system"
+	},
+	success: {
+		created: "User created successfully",
+		updated: "User updated successfully",
+		deleted: "User deleted successfully",
+		retrieved: "User retrieved successfully"
+	}
+};
+var roles = {
+	errors: {
+		notFound: "Role not found",
+		exists: "Role already exists",
+		nameRequired: "Role name is required",
+		cannotDeleteSystem: "Cannot delete system role"
+	},
+	success: {
+		created: "Role created successfully",
+		updated: "Role updated successfully",
+		deleted: "Role deleted successfully",
+		assigned: "Role assigned successfully",
+		retrieved: "Role retrieved successfully"
+	}
+};
+var permissions = {
+	errors: {
+		notFound: "Permission not found",
+		nameExists: "Permission name already exists",
+		roleAlreadyHasPermission: "Role already has this permission",
+		cannotRemoveRequired: "Cannot remove required permission"
+	},
+	success: {
+		created: "Permission created successfully",
+		updated: "Permission updated successfully",
+		deleted: "Permission deleted successfully",
+		granted: "Permission granted successfully",
+		revoked: "Permission revoked successfully",
+		retrieved: "Permissions retrieved successfully",
+		assigned: "Permission assigned to role successfully",
+		removed: "Permission removed from role successfully",
+		allDeleted: "All permissions deleted successfully"
+	}
+};
+var en = {
+	auth: auth,
+	users: users,
+	roles: roles,
+	permissions: permissions
+};
+
+/**
+ * Default auth translations organized by language
+ * Can be imported and merged with user translations
+ */
+declare const AUTH_LOCALES: {
+    readonly en: {
+        auth: {
+            errors: {
+                invalidCredentials: string;
+                emailExists: string;
+                accessDenied: string;
+                tokenExpired: string;
+                tokenInvalid: string;
+                tokenMissing: string;
+                tokenVerificationFailed: string;
+                tokenRevoked: string;
+                refreshTokenMissing: string;
+                refreshTokenInvalid: string;
+                invalidResetToken: string;
+                resetTokenExpired: string;
+                unauthorized: string;
+                sessionExpired: string;
+            };
+            success: {
+                login: string;
+                logout: string;
+                passwordChanged: string;
+                tokenRefreshed: string;
+            };
+        };
+        users: {
+            errors: {
+                notFound: string;
+                idExists: string;
+                emailRequired: string;
+                passwordRequired: string;
+                invalidEmail: string;
+                weakPassword: string;
+                adminRoleNotFound: string;
+            };
+            success: {
+                created: string;
+                updated: string;
+                deleted: string;
+                retrieved: string;
+            };
+        };
+        roles: {
+            errors: {
+                notFound: string;
+                exists: string;
+                nameRequired: string;
+                cannotDeleteSystem: string;
+            };
+            success: {
+                created: string;
+                updated: string;
+                deleted: string;
+                assigned: string;
+                retrieved: string;
+            };
+        };
+        permissions: {
+            errors: {
+                notFound: string;
+                nameExists: string;
+                roleAlreadyHasPermission: string;
+                cannotRemoveRequired: string;
+            };
+            success: {
+                created: string;
+                updated: string;
+                deleted: string;
+                granted: string;
+                revoked: string;
+                retrieved: string;
+                assigned: string;
+                removed: string;
+                allDeleted: string;
+            };
+        };
+    };
+};
+/**
+ * Get translations for a specific language
+ * Falls back to English if language not found
+ */
+declare function getAuthLocale(lang: string): Record<string, any>;
+/**
+ * All supported languages in auth package
+ */
+declare const AUTH_SUPPORTED_LANGUAGES: string[];
+
+/**
+ * EncryptionService - Pure hashing utility
+ * Validation is handled by UserValidator (single source of truth)
+ */
 declare class EncryptionService {
     constructor();
-    hashPassword(password: any): Promise<any>;
-    comparePassword(password: any, hashedPassword: any): Promise<any>;
+    hashPassword(password: string): Promise<string>;
+    comparePassword(password: string, hashedPassword: string): Promise<boolean>;
 }
 
-declare class CookieService {
-    setRefreshCookie(refreshToken: any): void;
-    clearRefreshCookie(): void;
+declare class CookieManager {
+    private config;
+    private cookieService;
+    private get cookieName();
+    setRefreshToken(refreshToken: string): void;
+    clearRefreshToken(): void;
+    getRefreshToken(): string | undefined;
+    hasRefreshToken(): boolean;
+    getCookieName(): string;
 }
 
+interface UserWithPermissions extends Omit<User, 'password'> {
+    role?: string | null;
+    permissions: string[];
+}
 declare class UserRepository {
-    db: DB;
-    private getUser;
-    getAll(): Promise<any[]>;
-    getById(id: any): Promise<any>;
-    getByEmail(email: any): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: any, data: any): Promise<any>;
-    delete(id: any): Promise<any>;
-    deleteAll(): Promise<any>;
-    getRoleNameById(userId: any): Promise<any>;
-    getUserPassword(email: any): Promise<any>;
-    getUserPermissions(userId: any): Promise<any>;
+    db: TDb;
+    private schema;
+    private get users();
+    private get roles();
+    /** Shared query helper */
+    private get q();
+    getAll(): Promise<UserWithPermissions[]>;
+    getById(id: string): Promise<UserWithPermissions | undefined>;
+    getByEmail(email: string): Promise<(User & {
+        role?: string | null;
+    }) | undefined>;
+    create(data: NewUser): Promise<User>;
+    update(id: string, data: Partial<NewUser>): Promise<User>;
+    delete(id: string): Promise<User>;
+    deleteAll(): Promise<User[]>;
+    getRoleNameById(userId: string): Promise<string | null>;
+    getUserPassword(email: string): Promise<string | undefined>;
+    getUserPermissions(userId: string): Promise<string[]>;
 }
 
+/**
+ * UserValidator - Business validation for user operations
+ * Handles database checks (unique, exists, permissions)
+ * Schema validation is handled by DTOs in user.dto.ts
+ */
 declare class UserValidator {
     private userRepository;
     private encryptionService;
+    private t;
     constructor(userRepository: UserRepository, encryptionService: EncryptionService);
-    validateCreateUser(data: any): Promise<any>;
-    isEmailExists(email: any): Promise<boolean>;
-    isPasswordValid(password: any, hashedPassword: any): Promise<boolean>;
-    isUserExist(id: any): Promise<boolean>;
-    checkUserIdIsUnique(id: any): Promise<void>;
-    isCorrectPass(password: any): Promise<boolean>;
-    hasRole(userId: any, roles: any): Promise<boolean>;
-    checkUserExistsByEmail(email: any): Promise<any>;
-    checkUserExists(id: any): Promise<true>;
-    checkEmailUnique(email: any, excludeId?: any): Promise<void>;
-    checkEmailExists(email: any): Promise<any>;
-    checkPasswordValid(password: any, hashedPassword: any): Promise<void>;
+    /**
+     * Check if email already exists in database
+     */
+    checkEmailUnique(email: string, excludeId?: string): Promise<void>;
+    /**
+     * Check if user exists by ID
+     */
+    checkUserExists(id: string): Promise<UserWithPermissions>;
+    /**
+     * Check if user exists by email
+     */
+    checkUserExistsByEmail(email: string): Promise<{
+        status: "active" | "inactive" | "pending";
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        email: string;
+        emailVerified: boolean;
+        password: string;
+        image: string;
+        roleId: string;
+        lastLogin: string;
+    } & {
+        role?: string | null;
+    }>;
+    /**
+     * Check if email exists in database
+     */
+    checkEmailExists(email: string): Promise<{
+        status: "active" | "inactive" | "pending";
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        email: string;
+        emailVerified: boolean;
+        password: string;
+        image: string;
+        roleId: string;
+        lastLogin: string;
+    } & {
+        role?: string | null;
+    }>;
+    /**
+     * Verify password against hashed password (throws on invalid)
+     */
+    checkPasswordValid(password: string, hashedPassword: string): Promise<void>;
+    /**
+     * Compare password against hash - returns boolean (no throw)
+     * Used for timing-safe authentication
+     */
+    comparePassword(password: string, hashedPassword: string): Promise<boolean>;
+    /**
+     * Check if user ID is unique (for custom IDs)
+     */
+    checkUserIdIsUnique(id: string): Promise<void>;
+    /**
+     * Check if user has required role
+     */
+    hasRole(userId: string, roles: string[]): Promise<boolean>;
+    /**
+     * Validate password strength and complexity
+     * Enforces:
+     * - Minimum 8 characters
+     * - At least one uppercase letter
+     * - At least one lowercase letter
+     * - At least one number
+     */
+    validatePasswordStrength(password: string): void;
 }
 
 declare class RoleRepository {
-    db: DB;
-    getAll(): Promise<any>;
-    getById(id: string): Promise<any>;
-    getByName(name: string): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: any, data: any): Promise<any>;
-    delete(id: any): Promise<any>;
+    db: TDb;
+    private schema;
+    private get roles();
+    getAll(): Promise<RoleEntity[]>;
+    getById(id: string): Promise<RoleEntity | undefined>;
+    getByName(name: string): Promise<RoleEntity | undefined>;
+    create(data: NewRoleEntity): Promise<RoleEntity>;
+    update(id: string, data: Partial<NewRoleEntity>): Promise<RoleEntity>;
+    delete(id: string): Promise<RoleEntity>;
 }
 
+/**
+ * RoleValidator - Business validation for role operations
+ * Handles database checks (unique, exists)
+ * Schema validation is handled by DTOs in role.dto.ts
+ */
 declare class RoleValidator {
     private roleRepository;
+    private t;
     constructor(roleRepository: RoleRepository);
-    validateCreateRole(data: any): Promise<any>;
+    /**
+     * Check if role name is unique
+     */
+    checkNameUnique(roleName: string, excludeId?: string): Promise<void>;
+    /**
+     * Check if role exists by ID
+     */
+    checkRoleExists(id: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    /**
+     * Check if role exists by name
+     */
+    checkRoleExistsByName(roleName: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    /**
+     * Check if admin role exists (required for system setup)
+     */
+    checkAdminRoleExists(): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    /**
+     * Check if role name exists (returns boolean, doesn't throw)
+     */
     isRoleNameExists(roleName: string): Promise<boolean>;
-    isRoleIdExists(id: string): Promise<boolean>;
-    checkNameUnique(roleName: string, excludeId?: any): Promise<void>;
-    checkRoleExists(id: string): Promise<void>;
-    checkRoleExistsByName(roleName: string): Promise<void>;
-    checkAdminRoleExists(): Promise<any>;
+}
+
+declare class RoleService {
+    private roleRepository;
+    private roleValidator;
+    constructor(roleRepository: RoleRepository, roleValidator: RoleValidator);
+    getAll(): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }[]>;
+    getById(id: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    getByName(name: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    create(data: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    update(id: any, data: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    delete(id: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    seedDefaultRoles(defaultRoles: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }[]>;
+    getRoleIdByName(name: any): Promise<string>;
+}
+
+type SanitizedUser = Omit<User, 'password'> & {
+    role?: string | null;
+    permissions?: string[];
+};
+declare class UserService {
+    private roleValidator;
+    private roleService;
+    private userRepository;
+    private userValidator;
+    private encryptionService;
+    private i18nService;
+    private authConfig;
+    constructor(roleValidator: RoleValidator, roleService: RoleService, userRepository: UserRepository, userValidator: UserValidator, encryptionService: EncryptionService, i18nService: I18nService, authConfig: AuthConfig);
+    private sanitizeUser;
+    private sanitizeUsers;
+    private resolveUserRole;
+    getAll(): Promise<SanitizedUser[]>;
+    getById(id: string): Promise<SanitizedUser>;
+    getByEmail(email: string): Promise<SanitizedUser>;
+    /**
+     * Find user by email without throwing - returns null if not found
+     * Used for timing-safe authentication
+     */
+    findByEmail(email: string): Promise<(User & {
+        role?: string | null;
+    }) | undefined>;
+    create(data: Record<string, any>): Promise<SanitizedUser>;
+    update(id: string, data: Record<string, any>): Promise<SanitizedUser>;
+    delete(id: string): Promise<SanitizedUser>;
+    deleteAll(): Promise<SanitizedUser[]>;
+    getRoleName(id: string): Promise<string | null>;
+    getPassword(email: string): Promise<string | undefined>;
+    assignRole(id: string, roleId?: string, roleName?: string): Promise<SanitizedUser>;
+    removeRole(id: string): Promise<SanitizedUser>;
+    seedAdminUser(config?: {
+        email?: string;
+        password?: string;
+        name?: string;
+    }): Promise<SanitizedUser>;
+    updateLang(language: string): Promise<string>;
+    getLang(): Promise<string>;
 }
 
 declare class TokenRepository {
-    db: DB;
+    db: TDb;
+    private schema;
+    private get tokens();
+    private get users();
+    private get roles();
+    /** Shared query helper */
+    private get q();
     storeRefreshToken(tokenData: {
         userId: string;
         token: string;
@@ -79,1478 +590,396 @@ declare class TokenRepository {
     getRefreshToken(userId: string): Promise<any>;
     revokeToken(userId: string): Promise<any>;
     isUserExists(userId: string): Promise<boolean>;
-    getRoleNameById(userId: string): Promise<any>;
-    getUserPermissions(userId: string): Promise<any>;
+    getRoleNameById(userId: string): Promise<string>;
+    getUserPermissions(userId: string): Promise<string[]>;
     getUser(userId: string): Promise<any>;
 }
 
-interface JwtPayload {
-    userId: string;
-    exp?: number;
-    iat?: number;
-}
 declare class TokenService {
     private tokenRepository;
-    private accessSecretKey;
-    private accessExpiresIn;
-    private refreshSecretKey;
-    private refreshExpiresIn;
-    constructor(tokenRepository: TokenRepository);
-    extractAccessToken(authorization: any): any;
-    verifyAccessToken(token: string): JwtPayload;
+    private cookieManager;
+    private cache;
+    private config;
+    private t;
+    constructor(tokenRepository: TokenRepository, cookieManager: CookieManager, cache: CacheService);
+    /**
+     * Get blacklist key prefix
+     */
+    private get blacklistPrefix();
+    extractAccessToken(authorization: string): string;
+    /**
+     * Verify access token and check blacklist
+     * Throws error if token is invalid, expired, or blacklisted
+     */
+    verifyAccessToken(token: string): Promise<JwtPayload>;
     verifyRefreshToken(token: string): string;
-    getUserIdByAccessToken(header: string): Promise<string>;
-    storeRefreshToken(userId: any, refreshToken: any): Promise<void>;
-    getTokenExpire(token: any): number | undefined;
+    getUser(auth: string): Promise<any>;
+    getTokenExpire(token: string): number | undefined;
+    /**
+     * Generate access token with unique jti for blacklist support
+     */
     generateAccessToken(data: {
         userId: string;
     }): string;
+    /**
+     * Generate refresh token with unique jti
+     */
     generateRefreshToken(data: {
         userId: string;
     }): string;
-    generateTokens(userId: any): Promise<{
+    generateTokens(userId: string): Promise<{
         accessToken: string;
         refreshToken: string;
         accessTokenExpiresAt: number;
         refreshTokenExpiresAt: number;
     }>;
+    /**
+     * Blacklist an access token by its jti
+     * Token will be rejected until it naturally expires
+     */
+    blacklistToken(jti: string, expiresInSeconds: number): Promise<void>;
+    /**
+     * Check if a token is blacklisted
+     */
+    isTokenBlacklisted(jti: string): Promise<boolean>;
+    /**
+     * Blacklist the current access token (for logout)
+     * Extracts jti and remaining TTL from the token
+     */
+    blacklistCurrentToken(token: string): Promise<void>;
+    /**
+     * Store hashed refresh token in database for security
+     * This prevents token theft in case of database breach
+     */
+    storeRefreshToken(userId: string, refreshToken: string): Promise<void>;
+    /**
+     * Refresh tokens with secure token comparison
+     * Compares provided token with hashed version in database
+     */
     refreshTokens(): Promise<{
         accessToken: string;
         refreshToken: string;
         accessTokenExpiresAt: number;
         refreshTokenExpiresAt: number;
     }>;
-    revokeToken(userId: any): Promise<any>;
-    getUserPermissions(auth: any): Promise<any>;
-    getUserRole(auth: any): Promise<any>;
-    getUser(auth: any): Promise<any>;
-    storeUserInCache(auth: any, ctx: any): Promise<any>;
-}
-
-declare const ROLES: {
-    readonly ADMIN: "admin";
-    readonly PRINCIPAL: "principal";
-    readonly ACCOUNTING: "accounting";
-    readonly SECRETARY: "secretary";
-    readonly TEACHER: "teacher";
-    readonly STUDENT: "student";
-    readonly PARENT: "parent";
-};
-declare const ROLE_GROUPS: {
-    readonly ADMINISTRATORS: readonly ["admin", "principal"];
-    readonly FINANCIAL: readonly ["admin", "accounting"];
-    readonly STAFF: readonly ["admin", "principal", "accounting", "secretary", "teacher"];
-    readonly END_USERS: readonly ["student", "parent"];
-    readonly ALL: readonly ["admin", "principal", "accounting", "secretary", "teacher", "student", "parent"];
-};
-type RoleGroup = typeof ROLE_GROUPS[keyof typeof ROLE_GROUPS];
-declare class RoleChecker {
-    isInGroup(userRole: any, group: readonly string[]): boolean;
-    isAdministrator(userRole: any): boolean;
-    isStaff(userRole: any): boolean;
-    hasAnyRole(userRole: any, roles: readonly string[]): boolean;
-    hasExactRole(userRole: any, requiredRole: any): boolean;
-}
-declare class RoleGuards {
-    private roleChecker;
-    private tokenService;
-    constructor(roleChecker: RoleChecker, tokenService: TokenService);
-    isAuth(auth: any, ctx: any): Promise<boolean>;
-    hasRoles(auth: any, ctx: any, roles: any): Promise<boolean>;
+    revokeToken(userId: string): Promise<any>;
+    /**
+     * Logout user - blacklist access token and revoke refresh token
+     */
+    logout(userId: string, authorization?: string): Promise<void>;
+    /**
+     * Generate secure password reset token
+     * Returns both the plain token (to send via email) and userId for identification
+     */
+    generateResetToken(userId: string): {
+        token: string;
+        userId: string;
+    };
+    /**
+     * Verify password reset token
+     * Returns userId if valid, throws error if expired/invalid
+     */
+    verifyResetToken(token: string): string;
 }
-declare const isAdmin: () => (target: any, propertyKey?: string) => void;
-declare const isPrincipal: () => (target: any, propertyKey?: string) => void;
-declare const isAccounting: () => (target: any, propertyKey?: string) => void;
-declare const isSecretary: () => (target: any, propertyKey?: string) => void;
-declare const isTeacher: () => (target: any, propertyKey?: string) => void;
-declare const isParent: () => (target: any, propertyKey?: string) => void;
-declare const isStudent: () => (target: any, propertyKey?: string) => void;
-declare const isAdministrator: () => (target: any, propertyKey?: string) => void;
-declare const isFinancial: () => (target: any, propertyKey?: string) => void;
-declare const isStaff: () => (target: any, propertyKey?: string) => void;
-declare const isAuth: (...params: any[]) => (target: any, propertyKey?: string) => void;
-type Role = typeof ROLES[keyof typeof ROLES];
-declare const Role: (...roles: any[]) => (target: any, propertyKey?: string) => void;
 
-declare class RoleService {
-    private roleRepository;
-    private roleValidator;
-    constructor(roleRepository: RoleRepository, roleValidator: RoleValidator);
-    getAll(): Promise<any>;
-    getById(id: any): Promise<any>;
-    getByName(name: any): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: any, data: any): Promise<any>;
-    delete(id: any): Promise<any>;
-    seedDefaultRoles(defaultRoles: any): Promise<any[]>;
-    getRoleIdByName(name: any): Promise<any>;
-}
+declare const createUserDto: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+    username: z.ZodOptional<z.ZodString>;
+    roleId: z.ZodOptional<z.ZodString>;
+    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>]>>;
+    emailVerified: z.ZodDefault<z.ZodBoolean>;
+    status: z.ZodDefault<z.ZodEnum<{
+        active: "active";
+        inactive: "inactive";
+        pending: "pending";
+    }>>;
+}, z.core.$strip>;
+declare const updateUserDto: z.ZodObject<{
+    email: z.ZodOptional<z.ZodString>;
+    password: z.ZodOptional<z.ZodString>;
+    username: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    roleId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    image: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>]>>>;
+    emailVerified: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+    status: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        active: "active";
+        inactive: "inactive";
+        pending: "pending";
+    }>>>;
+}, z.core.$strip>;
+declare const userIdParam: z.ZodObject<{
+    id: z.ZodString;
+}, z.core.$strip>;
+declare const loginDto: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, z.core.$strip>;
+declare const changePasswordDto: z.ZodObject<{
+    currentPassword: z.ZodString;
+    newPassword: z.ZodString;
+}, z.core.$strip>;
+declare const resetPasswordDto: z.ZodObject<{
+    email: z.ZodString;
+}, z.core.$strip>;
+declare const confirmResetPasswordDto: z.ZodObject<{
+    token: z.ZodString;
+    newPassword: z.ZodString;
+}, z.core.$strip>;
+declare const languageParam: z.ZodObject<{
+    language: z.ZodString;
+}, z.core.$strip>;
+declare const emailParam: z.ZodObject<{
+    email: z.ZodString;
+}, z.core.$strip>;
+declare const userIdInParam: z.ZodObject<{
+    userId: z.ZodString;
+}, z.core.$strip>;
+declare const assignRoleParams: z.ZodObject<{
+    userId: z.ZodString;
+    roleId: z.ZodString;
+}, z.core.$strip>;
+type CreateUserDto = z.infer<typeof createUserDto>;
+type UpdateUserDto = z.infer<typeof updateUserDto>;
+type UserIdParam = z.infer<typeof userIdParam>;
+type LoginDto = z.infer<typeof loginDto>;
+type ChangePasswordDto = z.infer<typeof changePasswordDto>;
+type ResetPasswordDto = z.infer<typeof resetPasswordDto>;
+type ConfirmResetPasswordDto = z.infer<typeof confirmResetPasswordDto>;
+type LanguageParam = z.infer<typeof languageParam>;
+type EmailParam = z.infer<typeof emailParam>;
+type UserIdInParam = z.infer<typeof userIdInParam>;
+type AssignRoleParams = z.infer<typeof assignRoleParams>;
 
-declare class RoleController {
-    private roleService;
-    constructor(roleService: RoleService);
-    getRoles(): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getRole(id: any): Promise<{
+declare class AuthService {
+    private tokenService;
+    private userService;
+    private userValidator;
+    private cookieManager;
+    private i18nService;
+    private emailService;
+    private t;
+    private logger;
+    private static readonly DUMMY_HASH;
+    constructor(tokenService: TokenService, userService: UserService, userValidator: UserValidator, cookieManager: CookieManager, i18nService: I18nService, emailService: EmailService);
+    registerUser(body: CreateUserDto): Promise<SanitizedUser>;
+    loginUser(body: LoginDto): Promise<TokenPair>;
+    refreshTokens(): Promise<TokenPair>;
+    logoutUser(userId: string, authorization?: string): Promise<{
         data: any;
         message: string;
-        status: string;
     }>;
-    createRole(body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    getUserProfile(userData: AuthUser): Promise<AuthUser & {
+        language: string;
     }>;
-    updateRole(id: any, body: any): Promise<{
-        data: any;
+    forgotPassword(email: string): Promise<{
         message: string;
-        status: string;
     }>;
-    deleteRole(id: any): Promise<{
-        data: any;
+    resetPassword(token: string, newPassword: string): Promise<{
         message: string;
-        status: string;
     }>;
 }
 
-declare class UserService {
-    private roleValidator;
-    private roleService;
-    private userRepository;
-    private userValidator;
-    private encryptionService;
-    constructor(roleValidator: RoleValidator, roleService: RoleService, userRepository: UserRepository, userValidator: UserValidator, encryptionService: EncryptionService);
-    private sanitizeUser;
-    private sanitizeUsers;
-    private resolveUserRole;
-    getAll(): Promise<any>;
-    getById(id: any): Promise<any>;
-    getByEmail(email: any): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: any, data: any): Promise<any>;
-    delete(id: any): Promise<any>;
-    deleteAll(): Promise<any>;
-    getRoleName(id: any): Promise<any>;
-    getPassword(email: any): Promise<any>;
-    assignRole(id: any, roleId: any, roleName?: any): Promise<any>;
-    removeRole(id: any): Promise<any>;
-    seedAdminUser(): Promise<any>;
-    updateLang(language: any): Promise<any>;
-    getLang(): Promise<string>;
-}
-
-declare class UserController {
-    private userService;
-    constructor(userService: UserService);
-    getUsers(): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getLang(): Promise<{
-        data: {
-            language: string;
-        };
-        message: string;
-        status: string;
-    }>;
-    updateLang(language: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getUser(id: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getByEmail(email: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getRole(userId: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    create(body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    update(id: any, body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    delete(id: any): Promise<{
+declare class AuthController {
+    private authService;
+    constructor(authService: AuthService);
+    registerUser(body: CreateUserDto): Promise<SanitizedUser>;
+    loginUser(body: LoginDto): Promise<TokenPair>;
+    refreshTokens(): Promise<TokenPair>;
+    logoutUser(userId: string, authorization?: string): Promise<{
         data: any;
         message: string;
-        status: string;
     }>;
-    deleteAll(): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    userProfile(user: any): Promise<AuthUser & {
+        language: string;
     }>;
-    assignRole(userId: any, roleId: any): Promise<{
+    forgotPassword(body: ResetPasswordDto): Promise<{
         message: string;
-        status: string;
     }>;
-    removeRole(userId: any): Promise<{
+    resetPassword(body: ConfirmResetPasswordDto): Promise<{
         message: string;
-        status: string;
     }>;
 }
 
-declare class AuthService {
+declare class AuthGuard {
     private tokenService;
-    private userService;
-    private userValidator;
-    private cookieService;
-    constructor(tokenService: TokenService, userService: UserService, userValidator: UserValidator, cookieService: CookieService);
-    registerUser(body: any): Promise<any>;
-    loginUser(body: any): Promise<{
-        accessToken: string;
-        refreshToken: string;
-        accessTokenExpiresAt: number;
-        refreshTokenExpiresAt: number;
-    }>;
-    refreshTokens(): Promise<{
-        accessToken: string;
-        refreshToken: string;
-        accessTokenExpiresAt: number;
-        refreshTokenExpiresAt: number;
-    }>;
-    logoutUser(userId: any): Promise<{
-        data: any;
-        message: string;
-    }>;
-    getUserProfile(userData: any): Promise<any>;
-    forgotPassword(email: any): Promise<void>;
+    canActivate(auth: string): Promise<GuardResult | false>;
 }
+declare const isAuth: () => ClassDecorator & MethodDecorator;
 
-declare class AuthController {
-    private authService;
-    constructor(authService: AuthService);
-    registerUser(body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    loginUser(body: any): Promise<{
-        data: {
-            accessToken: string;
-            refreshToken: string;
-            accessTokenExpiresAt: number;
-            refreshTokenExpiresAt: number;
-        };
-        message: string;
-        status: string;
-    }>;
-    refreshTokens(): Promise<{
-        data: {
-            accessToken: string;
-            refreshToken: string;
-            accessTokenExpiresAt: number;
-            refreshTokenExpiresAt: number;
-        };
-        message: string;
-        status: string;
-    }>;
-    logoutUser(id: any): Promise<{
-        data: {
-            data: any;
-            message: string;
-        };
-        message: string;
-        status: string;
-    }>;
-    userProfile(user: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    forgotPassword(body: any): Promise<{
-        data: void;
-        message: string;
-        status: string;
-    }>;
+declare const AUTH_MODULE: readonly [typeof AuthService, typeof CookieManager, typeof EncryptionService, typeof AuthGuard, typeof AuthController];
+
+declare class PermissionRepository {
+    db: TDb;
+    private schema;
+    private get permissions();
+    private get rolePermissions();
+    private get roles();
+    getAll(): Promise<Permission[]>;
+    getById(id: string): Promise<Permission | undefined>;
+    getByName(name: string): Promise<Permission | undefined>;
+    getByResource(resource: string): Promise<Permission[]>;
+    create(data: NewPermission): Promise<Permission>;
+    update(id: string, data: Partial<NewPermission>): Promise<Permission>;
+    delete(id: string): Promise<Permission>;
+    getPermissionsByRole(roleId: string): Promise<Array<Pick<Permission, 'id' | 'name' | 'description' | 'resource' | 'action'>>>;
+    getRolesByPermission(permissionId: string): Promise<Array<Pick<RoleEntity, 'id' | 'name' | 'description'>>>;
+    assignPermissionToRole(roleId: string, permissionId: string): Promise<RolePermission>;
+    removePermissionFromRole(roleId: string, permissionId: string): Promise<RolePermission>;
+    checkRoleHasPermission(roleId: string, permissionId: string): Promise<boolean>;
+    deleteAll(): Promise<Permission[]>;
 }
 
-declare const ENUMS: {
-    userType: {
-        values: string[];
-        translationKey: string;
-    };
-    userStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    tokenStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    tokenType: {
-        values: string[];
-        translationKey: string;
-    };
-    fileStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    gender: {
-        values: string[];
-        translationKey: string;
-    };
-    studentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    teacherStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    employmentType: {
-        values: string[];
-        translationKey: string;
-    };
-    relationshipType: {
-        values: string[];
-        translationKey: string;
-    };
-    semester: {
-        values: string[];
-        translationKey: string;
-    };
-    classStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    sectionStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    language: {
-        values: string[];
-        translationKey: string;
-    };
-    enrollmentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    assignmentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    calendarSystem: {
-        values: string[];
-        translationKey: string;
-    };
-    assessmentType: {
-        values: string[];
-        translationKey: string;
-    };
-    assessmentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    submissionType: {
-        values: string[];
-        translationKey: string;
-    };
-    examType: {
-        values: string[];
-        translationKey: string;
-    };
-    examSecurity: {
-        values: string[];
-        translationKey: string;
-    };
-    examStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    gradeStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    attendanceStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    proficiencyLevel: {
-        values: string[];
-        translationKey: string;
-    };
-    dayOfWeek: {
-        values: string[];
-        translationKey: string;
-    };
-    alertType: {
-        values: string[];
-        translationKey: string;
-    };
-    alertPriority: {
-        values: string[];
-        translationKey: string;
-    };
-    alertStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    feeTypeStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    feeCategory: {
-        values: string[];
-        translationKey: string;
-    };
-    paymentType: {
-        values: string[];
-        translationKey: string;
-    };
-    schedule: {
-        values: string[];
-        translationKey: string;
-    };
-    feeStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    feeInstallmentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    paymentMethod: {
-        values: string[];
-        translationKey: string;
-    };
-    paymentStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    eventType: {
-        values: string[];
-        translationKey: string;
-    };
-    eventStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    eventVisibility: {
-        values: string[];
-        translationKey: string;
-    };
-    participantType: {
-        values: string[];
-        translationKey: string;
-    };
-    expenseCategory: {
-        values: string[];
-        translationKey: string;
-    };
-    expenseStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    trackerMode: {
-        values: string[];
-        translationKey: string;
-    };
-    driverStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    vehicleStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    vehicleType: {
-        values: string[];
-        translationKey: string;
-    };
-    vehicleDocumentType: {
-        values: string[];
-        translationKey: string;
-    };
-    busStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    refuelStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    fuelType: {
-        values: string[];
-        translationKey: string;
-    };
-    maintenanceType: {
-        values: string[];
-        translationKey: string;
-    };
-    maintenanceStatus: {
-        values: string[];
-        translationKey: string;
-    };
-    maritalStatus: {
-        values: string[];
-        translationKey: string;
-    };
+declare class PermissionGuard {
+    canActivate(requiredPermission: string, permissions: string[]): GuardResult | false;
+    private checkPermission;
+}
+declare const Can: (permission: string) => ClassDecorator & MethodDecorator;
+declare const canCreate: (resource: string) => ClassDecorator & MethodDecorator;
+declare const canRead: (resource: string) => ClassDecorator & MethodDecorator;
+declare const canUpdate: (resource: string) => ClassDecorator & MethodDecorator;
+declare const canDelete: (resource: string) => ClassDecorator & MethodDecorator;
+declare const canManage: (resource: string) => ClassDecorator & MethodDecorator;
+
+declare const ROLES: {
+    readonly ADMIN: "admin";
 };
-declare const getEnumConfig: (enumKey: any) => any;
-declare const getEnumValues: (enumKey: any) => any;
+declare const ROLE_GROUPS: {
+    ADMINISTRATORS: "admin"[];
+};
+type RoleType = typeof ROLES[keyof typeof ROLES];
+type RoleInput = string | string[];
 
-declare const userSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    username: z.ZodOptional<z.ZodString>;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    password: z.ZodString;
-    roleId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    roleName: z.ZodOptional<z.ZodString>;
-    lastLogin: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodUndefined]>>;
-    emailVerified: z.ZodDefault<z.ZodBoolean>;
-    status: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    createdAt: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-}, z.core.$strip>;
-declare const roleSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    description: z.ZodOptional<z.ZodString>;
-    createdAt: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-}, z.core.$strip>;
-declare const studentSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    classId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    studentCode: z.ZodString;
-    name: z.ZodString;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    phone: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    address: z.ZodOptional<z.ZodString>;
-    dateOfBirth: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    gender: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    enrollmentDate: z.ZodString;
-    medicalConditions: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    previousSchool: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-}, z.core.$strip>;
-declare const parentSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    email: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>>;
-    phone: z.ZodString;
-    gender: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    address: z.ZodOptional<z.ZodString>;
-    dateOfBirth: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    cin: z.ZodString;
-    occupation: z.ZodOptional<z.ZodString>;
-    nationality: z.ZodOptional<z.ZodString>;
-    maritalStatus: z.ZodOptional<z.ZodString>;
-    relationshipType: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-    isEmergencyContact: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-    financialResponsibility: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-}, z.core.$strip>;
-declare const driverSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    cin: z.ZodString;
-    phone: z.ZodString;
-    address: z.ZodOptional<z.ZodString>;
-    gender: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    licenseNumber: z.ZodString;
-    licenseType: z.ZodString;
-    licenseExpiry: z.ZodString;
-    hireDate: z.ZodString;
-    salary: any;
-    yearsOfExperience: any;
-    emergencyContact: z.ZodOptional<z.ZodString>;
-    emergencyPhone: z.ZodOptional<z.ZodString>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const teacherPersonalSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    cin: z.ZodString;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    phone: z.ZodString;
-    address: z.ZodOptional<z.ZodString>;
-    gender: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    emergencyContact: z.ZodOptional<z.ZodString>;
-    emergencyPhone: z.ZodString;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-}, z.core.$strip>;
-declare const teacherProfessionalSchema: z.ZodObject<{
-    specialization: z.ZodOptional<z.ZodString>;
-    yearsOfExperience: any;
-    salary: any;
-    hireDate: z.ZodString;
-    bankAccount: z.ZodOptional<z.ZodCoercedString<unknown>>;
-    employmentType: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    workloadHours: any;
-    academicDegrees: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const assignmentSchema: z.ZodObject<{
-    classId: z.ZodString;
-    sectionIds: z.ZodArray<z.ZodString>;
-    subjectIds: z.ZodArray<z.ZodString>;
-    academicYear: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const assignmentsSchema: z.ZodObject<{
-    assignments: z.ZodArray<z.ZodObject<{
-        classId: z.ZodString;
-        sectionIds: z.ZodArray<z.ZodString>;
-        subjectIds: z.ZodArray<z.ZodString>;
-        academicYear: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>;
-}, z.core.$strip>;
-declare const teacherFullSchema: z.ZodObject<{
-    assignments: z.ZodArray<z.ZodObject<{
-        classId: z.ZodString;
-        sectionIds: z.ZodArray<z.ZodString>;
-        subjectIds: z.ZodArray<z.ZodString>;
-        academicYear: z.ZodOptional<z.ZodString>;
-    }, z.core.$strip>>;
-    specialization: z.ZodOptional<z.ZodString>;
-    yearsOfExperience: any;
-    salary: any;
-    hireDate: z.ZodString;
-    bankAccount: z.ZodOptional<z.ZodCoercedString<unknown>>;
-    employmentType: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    workloadHours: any;
-    academicDegrees: z.ZodOptional<z.ZodString>;
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    cin: z.ZodString;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    phone: z.ZodString;
-    address: z.ZodOptional<z.ZodString>;
-    gender: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    emergencyContact: z.ZodOptional<z.ZodString>;
-    emergencyPhone: z.ZodString;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-}, z.core.$strip>;
-declare const feeTypeSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    description: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    category: z.ZodString;
-    amount: any;
-    paymentType: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    status: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>>;
-}, z.core.$strip>;
-declare const feeSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    studentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    feeTypeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    academicYear: z.ZodOptional<z.ZodString>;
-    status: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    schedule: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    baseAmount: any;
-    grossAmount: any;
-    netAmount: any;
-    paidAmount: any;
-    discountAmount: any;
-    discountReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    assignedBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const bulkFeeItemSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    status: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    schedule: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    academicYear: z.ZodOptional<z.ZodString>;
-    feeTypeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    baseAmount: any;
-    grossAmount: any;
-    netAmount: any;
-    paidAmount: any;
-    discountAmount: any;
-    discountReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    assignedBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-}, z.core.$strip>;
-declare const bulkFeeFormSchema: z.ZodObject<{
-    studentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    fees: z.ZodArray<z.ZodObject<{
-        id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        status: z.ZodOptional<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        schedule: z.ZodEnum<{
-            [x: string]: any;
-        }>;
-        notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        academicYear: z.ZodOptional<z.ZodString>;
-        feeTypeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        baseAmount: any;
-        grossAmount: any;
-        netAmount: any;
-        paidAmount: any;
-        discountAmount: any;
-        discountReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        assignedBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    }, z.core.$strip>>;
-}, z.core.$strip>;
-declare const feeInstallmentSchema: z.ZodObject<{
-    feeId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    number: any;
-    dueDate: z.ZodString;
-    amount: any;
-    paidAmount: any;
-    status: z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-}, z.core.$strip>;
-declare const feePaymentSchema: z.ZodObject<{
-    studentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    amount: any;
-    paymentMethod: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    paymentDate: z.ZodString;
-    checkNumber: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodNullable<z.ZodOptional<z.ZodString>>>;
-    checkDueDate: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodNullable<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    transactionRef: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodNullable<z.ZodOptional<z.ZodString>>>;
-    receiptNumber: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodNullable<z.ZodOptional<z.ZodString>>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    processedBy: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    notes: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodNullable<z.ZodOptional<z.ZodString>>>;
-    allocations: z.ZodNullable<z.ZodOptional<z.ZodArray<z.ZodObject<{
-        feeId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        number: z.ZodNumber;
-        amount: any;
-    }, z.core.$strip>>>>;
-}, z.core.$strip>;
-declare const paymentAllocationSchema: z.ZodObject<{
-    paymentId: z.ZodString;
-    feeId: z.ZodString;
-    installmentId: z.ZodOptional<z.ZodString>;
-    amount: z.ZodNumber;
-    type: z.ZodDefault<z.ZodEnum<{
-        fee: "fee";
-        installment: "installment";
-    }>>;
-    notes: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const parentsSchema: z.ZodObject<{
-    parents: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodObject<{
-        id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        name: z.ZodString;
-        email: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>>;
-        phone: z.ZodString;
-        gender: z.ZodOptional<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        address: z.ZodOptional<z.ZodString>;
-        dateOfBirth: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-        cin: z.ZodString;
-        occupation: z.ZodOptional<z.ZodString>;
-        nationality: z.ZodOptional<z.ZodString>;
-        maritalStatus: z.ZodOptional<z.ZodString>;
-        relationshipType: z.ZodEnum<{
-            [x: string]: any;
-        }>;
-        image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-        isEmergencyContact: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-        financialResponsibility: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-    }, z.core.$strip>>>>;
-}, z.core.$strip>;
-declare const feesSchema: z.ZodObject<{
-    fees: z.ZodArray<z.ZodObject<{
-        id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        status: z.ZodOptional<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        schedule: z.ZodEnum<{
-            [x: string]: any;
-        }>;
-        notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        academicYear: z.ZodOptional<z.ZodString>;
-        feeTypeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        baseAmount: any;
-        grossAmount: any;
-        netAmount: any;
-        paidAmount: any;
-        discountAmount: any;
-        discountReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        assignedBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    }, z.core.$strip>>;
-}, z.core.$strip>;
-declare const fullStudentSchema: z.ZodObject<{
-    fees: z.ZodArray<z.ZodObject<{
-        id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        status: z.ZodOptional<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        schedule: z.ZodEnum<{
-            [x: string]: any;
-        }>;
-        notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        academicYear: z.ZodOptional<z.ZodString>;
-        feeTypeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        baseAmount: any;
-        grossAmount: any;
-        netAmount: any;
-        paidAmount: any;
-        discountAmount: any;
-        discountReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        assignedBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    }, z.core.$strip>>;
-    parents: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodObject<{
-        id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        name: z.ZodString;
-        email: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>>;
-        phone: z.ZodString;
-        gender: z.ZodOptional<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        address: z.ZodOptional<z.ZodString>;
-        dateOfBirth: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-        cin: z.ZodString;
-        occupation: z.ZodOptional<z.ZodString>;
-        nationality: z.ZodOptional<z.ZodString>;
-        maritalStatus: z.ZodOptional<z.ZodString>;
-        relationshipType: z.ZodEnum<{
-            [x: string]: any;
-        }>;
-        image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-        isEmergencyContact: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-        financialResponsibility: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
-    }, z.core.$strip>>>>;
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    classId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    studentCode: z.ZodString;
-    name: z.ZodString;
-    email: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    phone: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    address: z.ZodOptional<z.ZodString>;
-    dateOfBirth: z.ZodOptional<z.ZodNullable<z.ZodString>>;
-    gender: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    enrollmentDate: z.ZodString;
-    medicalConditions: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    previousSchool: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    image: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodCustom<File, File>, z.ZodNull]>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-}, z.core.$strip>;
-declare const subjectSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    code: z.ZodString;
-    name: z.ZodString;
-    description: z.ZodOptional<z.ZodString>;
-    gradeLevel: any;
-}, z.core.$strip>;
-declare const sectionSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    classId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    name: z.ZodString;
-    maxStudents: any;
-    roomNumber: any;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-}, z.core.$strip>;
-declare const classSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
+declare class RoleGuard {
+    canActivate(allowedRoles: RoleInput, userRole: string): false | {
+        role: string;
+    };
+}
+declare const Role: (roles: RoleInput) => any;
+declare const isAdmin: () => ClassDecorator & MethodDecorator;
+declare const isAdministrator: () => ClassDecorator & MethodDecorator;
+
+declare const createRoleDto: z.ZodObject<{
     name: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
-    academicYear: z.ZodString;
-    level: z.ZodString;
 }, z.core.$strip>;
-declare const attendanceSchema: z.ZodObject<{
-    studentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    subjectId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    date: z.ZodString;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    notes: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-declare const assessmentSchema: z.ZodObject<{
-    classId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    subjectId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherAssignmentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    title: z.ZodString;
-    description: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    type: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    date: z.ZodString;
-    duration: any;
-    totalMarks: any;
-    passingMarks: any;
-    instructions: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    assessmentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-}, z.core.$strip>;
-declare const bulkAssessmentSchema: z.ZodObject<{
-    assessments: z.ZodArray<z.ZodObject<{
-        classId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        subjectId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        teacherId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-        teacherAssignmentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-        title: z.ZodString;
-        description: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        type: z.ZodDefault<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        date: z.ZodString;
-        duration: any;
-        totalMarks: any;
-        passingMarks: any;
-        instructions: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-        status: z.ZodDefault<z.ZodEnum<{
-            [x: string]: any;
-        }>>;
-        assessmentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    }, z.core.$strip>>;
+declare const updateRoleDto: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodOptional<z.ZodString>>;
 }, z.core.$strip>;
-declare const gradeSchema: z.ZodObject<{
-    assessmentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    subjectId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    studentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    gradeId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    assessmentTitle: z.ZodOptional<z.ZodString>;
-    marksObtained: any;
-    feedback: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-}, z.core.$strip>;
-declare const examSchema: z.ZodObject<{
-    classId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    sectionId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    subjectId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    examId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    teacherAssignmentId: z.ZodPipe<z.ZodTransform<unknown, unknown>, z.ZodString>;
-    title: z.ZodString;
-    description: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    type: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    date: z.ZodString;
-    startTime: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    endTime: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    duration: any;
-    totalMarks: any;
-    passingMarks: any;
-    roomNumber: any;
-    allowedMaterials: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    instructions: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
+declare const roleIdParam: z.ZodObject<{
+    id: z.ZodString;
 }, z.core.$strip>;
-declare const announcementSchema: z.ZodObject<{
-    title: z.ZodString;
-    content: z.ZodString;
-    authorId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    targetAudience: z.ZodEnum<{
-        teachers: "teachers";
-        students: "students";
-        parents: "parents";
-        all: "all";
-        class: "class";
-    }>;
-    classId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    isPublished: z.ZodDefault<z.ZodBoolean>;
-    publishDate: z.ZodOptional<z.ZodString>;
-    expiryDate: z.ZodOptional<z.ZodString>;
+declare const assignRoleDto: z.ZodObject<{
+    userId: z.ZodString;
+    roleId: z.ZodString;
 }, z.core.$strip>;
-declare const alertSchema: z.ZodObject<{
-    type: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    title: z.ZodString;
-    message: z.ZodString;
-    priority: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    studentId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    teacherId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    classId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    subjectId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    targetAudience: z.ZodOptional<z.ZodEnum<{
-        teachers: "teachers";
-        students: "students";
-        parents: "parents";
-        all: "all";
-    }>>;
-    authorId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    isRead: z.ZodDefault<z.ZodBoolean>;
-}, z.core.$strip>;
-declare const eventSchema: z.ZodObject<{
-    title: z.ZodString;
-    description: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    type: z.ZodEnum<{
-        [x: string]: any;
-    }>;
-    startDate: z.ZodString;
-    endDate: z.ZodString;
-    startTime: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    endTime: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    location: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    venue: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    organizerId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    classId: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    sectionId: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    visibility: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    capacity: any;
-    registrationRequired: z.ZodDefault<z.ZodBoolean>;
-    registrationDeadline: z.ZodNullable<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    attachments: z.ZodNullable<z.ZodOptional<z.ZodAny>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const eventParticipantSchema: z.ZodObject<{
-    eventId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    participantId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    participantType: z.ZodEnum<{
-        [x: string]: any;
+type CreateRoleDto = z.infer<typeof createRoleDto>;
+type UpdateRoleDto = z.infer<typeof updateRoleDto>;
+type RoleIdParam = z.infer<typeof roleIdParam>;
+type AssignRoleDto = z.infer<typeof assignRoleDto>;
+
+declare class RoleController {
+    private roleService;
+    constructor(roleService: RoleService);
+    getRoles(): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }[]>;
+    getRole(params: RoleIdParam): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
     }>;
-    attendanceStatus: z.ZodNullable<z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const expenseSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    category: z.ZodEnum<{
-        [x: string]: any;
+    createRole(body: CreateRoleDto): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
     }>;
-    title: z.ZodString;
-    amount: any;
-    expenseDate: z.ZodString;
-    paymentMethod: z.ZodNullable<z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>>;
-    paymentDate: z.ZodNullable<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    vendor: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    invoiceNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    receiptNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    checkNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    transactionRef: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const expenseApprovalSchema: z.ZodObject<{
-    action: z.ZodEnum<{
-        approve: "approve";
-        reject: "reject";
+    updateRole(params: RoleIdParam, body: UpdateRoleDto): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
     }>;
-    rejectionReason: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const expensePaymentSchema: z.ZodObject<{
-    paymentMethod: z.ZodEnum<{
-        [x: string]: any;
+    deleteRole(params: RoleIdParam): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
     }>;
-    paymentDate: z.ZodString;
-    checkNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    transactionRef: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const vehicleSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    name: z.ZodString;
-    brand: z.ZodString;
-    model: z.ZodString;
-    year: any;
-    type: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    capacity: any;
-    licensePlate: z.ZodString;
-    driverId: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    image: z.ZodDefault<z.ZodNullable<z.ZodOptional<z.ZodString>>>;
-    purchaseDate: z.ZodNullable<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    purchasePrice: any;
-    initialMileage: any;
-    currentMileage: any;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const refuelSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    busId: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-    refuelDate: z.ZodString;
-    quantity: any;
-    unitPrice: any;
-    totalCost: any;
-    fuelType: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    odometer: any;
-    fuelStation: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    invoiceNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-    paymentMethod: z.ZodNullable<z.ZodOptional<z.ZodEnum<{
-        [x: string]: any;
-    }>>>;
-    paidBy: z.ZodNullable<z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>>;
-    status: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    notes: z.ZodNullable<z.ZodOptional<z.ZodString>>;
-}, z.core.$strip>;
-declare const settingsSchema: z.ZodObject<{
-    schoolName: z.ZodString;
-    schoolAddress: z.ZodOptional<z.ZodString>;
-    schoolPhone: z.ZodString;
-    schoolEmail: z.ZodUnion<[z.ZodString, z.ZodLiteral<"">]>;
-    schoolWebsite: z.ZodOptional<z.ZodString>;
-    schoolLogo: z.ZodOptional<z.ZodString>;
-    currentAcademicYear: z.ZodString;
-    gradingScale: z.ZodOptional<z.ZodAny>;
-    attendanceRequirement: any;
-    maxClassSize: any;
-    minimumPassingGrade: any;
-    defaultExamDuration: any;
-    calendarSystem: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    startMonth: z.ZodDefault<z.ZodString>;
-    endMonth: z.ZodDefault<z.ZodString>;
-    academicAlerts: z.ZodDefault<z.ZodBoolean>;
-    attendanceAlerts: z.ZodDefault<z.ZodBoolean>;
-    eventAlerts: z.ZodDefault<z.ZodBoolean>;
-    homeworkAlerts: z.ZodDefault<z.ZodBoolean>;
-    feesReminder: z.ZodDefault<z.ZodBoolean>;
-    feesOverdueAlerts: z.ZodDefault<z.ZodBoolean>;
-    emailNotifications: z.ZodDefault<z.ZodBoolean>;
-    smsNotifications: z.ZodDefault<z.ZodBoolean>;
-    parentNotifications: z.ZodDefault<z.ZodBoolean>;
-    lowGradeAlerts: z.ZodDefault<z.ZodBoolean>;
-    allowLateSubmission: z.ZodDefault<z.ZodBoolean>;
-    examResultsAlerts: z.ZodDefault<z.ZodBoolean>;
-    disciplinaryAlerts: z.ZodDefault<z.ZodBoolean>;
-    achievementAlerts: z.ZodDefault<z.ZodBoolean>;
-    maintenanceNotifications: z.ZodDefault<z.ZodBoolean>;
-    twoFactorEnabled: z.ZodDefault<z.ZodBoolean>;
-    sessionTimeout: z.ZodDefault<z.ZodString>;
-    passwordRequireSymbols: z.ZodDefault<z.ZodBoolean>;
-    loginNotifications: z.ZodDefault<z.ZodBoolean>;
-    parentAccessEnabled: z.ZodDefault<z.ZodBoolean>;
-    teacherAccessEnabled: z.ZodDefault<z.ZodBoolean>;
-    studentAccessEnabled: z.ZodDefault<z.ZodBoolean>;
-    timeZone: z.ZodDefault<z.ZodString>;
-    language: z.ZodDefault<z.ZodEnum<{
-        [x: string]: any;
-    }>>;
-    theme: z.ZodDefault<z.ZodEnum<{
-        system: "system";
-        light: "light";
-        dark: "dark";
-    }>>;
-    dateFormat: z.ZodDefault<z.ZodEnum<{
-        "YYYY-MM-DD": "YYYY-MM-DD";
-        "MM/DD/YYYY": "MM/DD/YYYY";
-        "DD/MM/YYYY": "DD/MM/YYYY";
-        "DD-MM-YY": "DD-MM-YY";
-        "DD-MM-YYYY": "DD-MM-YYYY";
-    }>>;
-    timeFormat: z.ZodDefault<z.ZodEnum<{
-        12: "12";
-        24: "24";
-    }>>;
-    currency: z.ZodDefault<z.ZodString>;
-    gradingPeriods: any;
-    schoolStartTime: z.ZodDefault<z.ZodString>;
-    schoolEndTime: z.ZodDefault<z.ZodString>;
-    lunchBreakDuration: any;
-    maintenanceMode: z.ZodDefault<z.ZodBoolean>;
-    autoBackup: z.ZodDefault<z.ZodBoolean>;
-}, z.core.$strip>;
-declare const idParamSchema: z.ZodObject<{
-    id: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
-}, z.core.$strip>;
-declare const paginationSchema: z.ZodObject<{
-    page: any;
-    limit: any;
-}, z.core.$strip>;
-declare const dateRangeSchema: z.ZodObject<{
-    dateFrom: z.ZodString;
-    dateTo: z.ZodString;
-}, z.core.$strip>;
-
-declare const userTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const userStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const tokenStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const tokenTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const fileStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const genderEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const studentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const teacherStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const employmentTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const relationshipTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const semesterEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const classStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const sectionStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const languageEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const enrollmentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const assignmentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const calendarSystemEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const assessmentTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const assessmentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const submissionTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const examTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const examSecurityEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const examStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const gradeStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const attendanceStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const proficiencyLevelEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const dayOfWeekEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const alertTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const alertPriorityEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const alertStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const feeTypeStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const paymentTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const scheduleEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const feeStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const feeInstallmentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const paymentMethodEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const paymentStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const eventTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const eventStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const eventVisibilityEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const participantTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const expenseCategoryEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const expenseStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const trackerModeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const driverStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const vehicleStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const vehicleTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const vehicleDocumentTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const busStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const refuelStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const fuelTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const maintenanceTypeEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const maintenanceStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-declare const maritalStatusEnum: z.ZodEnum<{
-    [x: string]: any;
-}>;
-
-declare class PermissionRepository {
-    db: DB;
-    getAll(): Promise<any>;
-    getById(id: string): Promise<any>;
-    getByName(name: string): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: string, data: any): Promise<any>;
-    delete(id: string): Promise<any>;
-    getPermissionsByRole(roleId: string): Promise<any>;
-    getRolesByPermission(permissionId: string): Promise<any>;
-    assignPermissionToRole(roleId: string, permissionId: string): Promise<any>;
-    removePermissionFromRole(roleId: string, permissionId: string): Promise<any>;
-    checkRoleHasPermission(roleId: string, permissionId: string): Promise<boolean>;
-    deleteAll(): Promise<any>;
-}
-
-declare class PermissionGuards {
-    private tokenService;
-    constructor(tokenService: TokenService);
-    private getUserPermissions;
-    private checkPermissionMatch;
-    hasPermission(auth: any, ctx: any, requiredPermission: any): Promise<boolean>;
 }
-declare const Permission: (...permissions: any[]) => (target: any, propertyKey?: string) => void;
 
+/**
+ * PermissionValidator - Business validation for permission operations
+ * Handles database checks (unique, exists, role permissions)
+ * Schema validation is handled by DTOs in permission.dto.ts
+ */
 declare class PermissionValidator {
     private permissionRepository;
     private roleValidator;
+    private t;
     constructor(permissionRepository: PermissionRepository, roleValidator: RoleValidator);
-    validateCreatePermission(data: any): Promise<any>;
-    isPermissionExists(id: string): Promise<boolean>;
-    isPermissionNameExists(name: string): Promise<boolean>;
-    checkPermissionExists(id: string): Promise<true>;
-    checkPermissionExistsByName(name: string): Promise<true>;
-    checkPermissionNameUnique(name: string, excludeId?: any): Promise<void>;
-    checkRoleExists(id: string): Promise<void>;
-    checkRoleExistsByName(name: string): Promise<void>;
+    /**
+     * Check if permission exists by ID
+     */
+    checkPermissionExists(id: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    /**
+     * Check if permission exists by name
+     */
+    checkPermissionExistsByName(name: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    /**
+     * Check if permission name is unique
+     */
+    checkPermissionNameUnique(name: string, excludeId?: string): Promise<void>;
+    /**
+     * Check if role exists (delegates to RoleValidator)
+     */
+    checkRoleExists(id: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    /**
+     * Check if role exists by name (delegates to RoleValidator)
+     */
+    checkRoleExistsByName(name: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+    /**
+     * Check if role already has permission
+     */
     checkRoleHasPermission(roleId: string, permissionId: string): Promise<void>;
 }
 
@@ -1559,75 +988,272 @@ declare class PermissionService {
     private permissionValidator;
     private roleService;
     constructor(permissionRepository: PermissionRepository, permissionValidator: PermissionValidator, roleService: RoleService);
-    getAll(): Promise<any>;
-    getById(id: string): Promise<any>;
-    getByName(name: string): Promise<any>;
-    getByResource(resource: string): Promise<any>;
-    create(data: any): Promise<any>;
-    update(id: string, data: any): Promise<any>;
-    delete(id: string): Promise<any>;
-    getPermissionsByRole(roleId: string): Promise<any>;
-    getRolesByPermission(permissionId: string): Promise<any>;
-    assignPermissionToRole(roleId: string, permissionId: string): Promise<any>;
-    removePermissionFromRole(roleId: string, permissionId: string): Promise<any>;
-    seedDefaultPermissions(defaultPermissions: any): Promise<any[]>;
-    seedDefaultRolePermissions(defaultRolePermissions: any): Promise<any[]>;
-    deleteAll(): Promise<any>;
+    getAll(): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }[]>;
+    getById(id: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    getByName(name: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    getByResource(resource: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }[]>;
+    create(data: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    update(id: string, data: any): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    delete(id: string): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }>;
+    getPermissionsByRole(roleId: string): Promise<Pick<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }, "description" | "name" | "id" | "resource" | "action">[]>;
+    getRolesByPermission(permissionId: string): Promise<Pick<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }, "description" | "name" | "id">[]>;
+    assignPermissionToRole(roleId: string, permissionId: string): Promise<{
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        roleId: string;
+        permissionId: string;
+    }>;
+    removePermissionFromRole(roleId: string, permissionId: string): Promise<{
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        roleId: string;
+        permissionId: string;
+    }>;
+    seedDefaultPermissions(defaultPermissions: any): Promise<{
+        created: any[];
+        skipped: any[];
+    }>;
+    seedDefaultRolePermissions(defaultRolePermissions: any): Promise<{
+        assigned: any[];
+        skipped: any[];
+    }>;
+    deleteAll(): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }[]>;
 }
 
+declare const createPermissionDto: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    resource: z.ZodString;
+    action: z.ZodString;
+}, z.core.$strip>;
+declare const updatePermissionDto: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    resource: z.ZodOptional<z.ZodString>;
+    action: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+declare const permissionIdParam: z.ZodObject<{
+    id: z.ZodString;
+}, z.core.$strip>;
+declare const assignPermissionDto: z.ZodObject<{
+    roleId: z.ZodString;
+    permissionId: z.ZodString;
+}, z.core.$strip>;
+declare const checkPermissionDto: z.ZodObject<{
+    userId: z.ZodString;
+    resource: z.ZodString;
+    action: z.ZodString;
+}, z.core.$strip>;
+type CreatePermissionDto = z.infer<typeof createPermissionDto>;
+type UpdatePermissionDto = z.infer<typeof updatePermissionDto>;
+type PermissionIdParam = z.infer<typeof permissionIdParam>;
+type AssignPermissionDto = z.infer<typeof assignPermissionDto>;
+type CheckPermissionDto = z.infer<typeof checkPermissionDto>;
+
 declare class PermissionController {
     private permissionService;
     constructor(permissionService: PermissionService);
     getPermissions(): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    getPermission(id: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    create(body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }[]>;
+    getPermission(params: PermissionIdParam): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
     }>;
-    update(id: string, body: any): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    create(body: CreatePermissionDto): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
     }>;
-    delete(id: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    update(params: PermissionIdParam, body: UpdatePermissionDto): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
     }>;
-    getByRole(roleId: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    delete(params: PermissionIdParam): Promise<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
     }>;
-    getRolesByPermission(permissionId: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    getByRole(params: RoleIdParam): Promise<Pick<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }, "description" | "name" | "id" | "resource" | "action">[]>;
+    getRolesByPermission(params: PermissionIdParam): Promise<Pick<{
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+    }, "description" | "name" | "id">[]>;
+    assignToRole(params: AssignPermissionDto): Promise<{
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        roleId: string;
+        permissionId: string;
     }>;
-    assignToRole(roleId: string, permissionId: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
-    removeFromRole(roleId: string, permissionId: string): Promise<{
-        data: any;
-        message: string;
-        status: string;
+    removeFromRole(params: AssignPermissionDto): Promise<{
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        roleId: string;
+        permissionId: string;
     }>;
     deleteAll(): Promise<{
-        data: any;
-        message: string;
-        status: string;
-    }>;
+        description: string;
+        name: string;
+        id: string;
+        createdAt: string;
+        updatedAt: string;
+        resource: string;
+        action: string;
+    }[]>;
+}
+
+/**
+ * Shared query builders used across auth repositories.
+ * Eliminates duplication between UserRepository and TokenRepository.
+ */
+declare class AuthQueries {
+    private db;
+    private schema;
+    constructor(db: any, schema: AuthSchema);
+    /**
+     * Standard user selection fields with role join
+     */
+    userSelection(): {
+        id: any;
+        email: any;
+        emailVerified: any;
+        image: any;
+        status: any;
+        roleId: any;
+        role: any;
+        createdAt: any;
+        updatedAt: any;
+    };
+    /**
+     * Get permissions for a user by their userId
+     */
+    getUserPermissions(userId: string): Promise<string[]>;
+    /**
+     * Get role name for a user
+     */
+    getRoleName(userId: string): Promise<string | null>;
+    /**
+     * Batch load permissions for multiple users (fixes N+1 query problem)
+     * Returns a Map of roleId -> permissions[]
+     */
+    batchLoadPermissionsByRole(): Promise<Map<string, string[]>>;
 }
 
 declare const avatarsPath: string;
@@ -1642,604 +1268,199 @@ declare const isEmpty: any;
 declare const isPath: (img: any) => boolean;
 declare const isFile: (img: any) => boolean;
 
-declare const idField: (length?: number) => drizzle_orm.HasRuntimeDefault<drizzle_orm.HasDefault<drizzle_orm.NotNull<drizzle_orm.IsPrimaryKey<drizzle_orm.NotNull<drizzle_orm_pg_core.PgTextBuilderInitial<"id", [string, ...string[]]>>>>>>;
-declare const rolesTable: drizzle_orm_pg_core.PgTableWithColumns<{
-    name: "roles";
-    schema: undefined;
-    columns: {
-        id: drizzle_orm_pg_core.PgColumn<{
-            name: "id";
-            tableName: "roles";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: true;
-            isPrimaryKey: true;
-            isAutoincrement: false;
-            hasRuntimeDefault: true;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        name: drizzle_orm_pg_core.PgColumn<{
-            name: "name";
-            tableName: "roles";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        description: drizzle_orm_pg_core.PgColumn<{
-            name: "description";
-            tableName: "roles";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-    };
-    dialect: "pg";
-}>;
-declare const usersTable: drizzle_orm_pg_core.PgTableWithColumns<{
-    name: "users";
-    schema: undefined;
-    columns: {
-        createdAt: drizzle_orm_pg_core.PgColumn<{
-            name: "created_at";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        updatedAt: drizzle_orm_pg_core.PgColumn<{
-            name: "updated_at";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        id: drizzle_orm_pg_core.PgColumn<{
-            name: "id";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: true;
-            isPrimaryKey: true;
-            isAutoincrement: false;
-            hasRuntimeDefault: true;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        email: drizzle_orm_pg_core.PgColumn<{
-            name: "email";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        emailVerified: drizzle_orm_pg_core.PgColumn<{
-            name: "email_verified";
-            tableName: "users";
-            dataType: "boolean";
-            columnType: "PgBoolean";
-            data: boolean;
-            driverParam: boolean;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        password: drizzle_orm_pg_core.PgColumn<{
-            name: "password";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        image: drizzle_orm_pg_core.PgColumn<{
-            name: "image";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        status: drizzle_orm_pg_core.PgColumn<{
-            name: "status";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgEnumColumn";
-            data: any;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: any;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        roleId: drizzle_orm_pg_core.PgColumn<{
-            name: "role_id";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        lastLogin: drizzle_orm_pg_core.PgColumn<{
-            name: "last_login";
-            tableName: "users";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-    };
-    dialect: "pg";
-}>;
-declare const tokensTable: drizzle_orm_pg_core.PgTableWithColumns<{
-    name: "tokens";
-    schema: undefined;
-    columns: {
-        createdAt: drizzle_orm_pg_core.PgColumn<{
-            name: "created_at";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        updatedAt: drizzle_orm_pg_core.PgColumn<{
-            name: "updated_at";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        id: drizzle_orm_pg_core.PgColumn<{
-            name: "id";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: true;
-            isPrimaryKey: true;
-            isAutoincrement: false;
-            hasRuntimeDefault: true;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        userId: drizzle_orm_pg_core.PgColumn<{
-            name: "user_id";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        token: drizzle_orm_pg_core.PgColumn<{
-            name: "token";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        type: drizzle_orm_pg_core.PgColumn<{
-            name: "type";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgEnumColumn";
-            data: any;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: any;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        status: drizzle_orm_pg_core.PgColumn<{
-            name: "status";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgEnumColumn";
-            data: any;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: any;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        expiresAt: drizzle_orm_pg_core.PgColumn<{
-            name: "expires_at";
-            tableName: "tokens";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-    };
-    dialect: "pg";
-}>;
-declare const permissionsTable: drizzle_orm_pg_core.PgTableWithColumns<{
-    name: "permissions";
-    schema: undefined;
-    columns: {
-        createdAt: drizzle_orm_pg_core.PgColumn<{
-            name: "created_at";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        updatedAt: drizzle_orm_pg_core.PgColumn<{
-            name: "updated_at";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        id: drizzle_orm_pg_core.PgColumn<{
-            name: "id";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: true;
-            isPrimaryKey: true;
-            isAutoincrement: false;
-            hasRuntimeDefault: true;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        name: drizzle_orm_pg_core.PgColumn<{
-            name: "name";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        description: drizzle_orm_pg_core.PgColumn<{
-            name: "description";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        resource: drizzle_orm_pg_core.PgColumn<{
-            name: "resource";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        action: drizzle_orm_pg_core.PgColumn<{
-            name: "action";
-            tableName: "permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-    };
-    dialect: "pg";
-}>;
-declare const rolePermissionsTable: drizzle_orm_pg_core.PgTableWithColumns<{
-    name: "role_permissions";
-    schema: undefined;
-    columns: {
-        createdAt: drizzle_orm_pg_core.PgColumn<{
-            name: "created_at";
-            tableName: "role_permissions";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        updatedAt: drizzle_orm_pg_core.PgColumn<{
-            name: "updated_at";
-            tableName: "role_permissions";
-            dataType: "string";
-            columnType: "PgTimestampString";
-            data: string;
-            driverParam: string;
-            notNull: false;
-            hasDefault: true;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: undefined;
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        id: drizzle_orm_pg_core.PgColumn<{
-            name: "id";
-            tableName: "role_permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: true;
-            isPrimaryKey: true;
-            isAutoincrement: false;
-            hasRuntimeDefault: true;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        roleId: drizzle_orm_pg_core.PgColumn<{
-            name: "role_id";
-            tableName: "role_permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-        permissionId: drizzle_orm_pg_core.PgColumn<{
-            name: "permission_id";
-            tableName: "role_permissions";
-            dataType: "string";
-            columnType: "PgText";
-            data: string;
-            driverParam: string;
-            notNull: true;
-            hasDefault: false;
-            isPrimaryKey: false;
-            isAutoincrement: false;
-            hasRuntimeDefault: false;
-            enumValues: [string, ...string[]];
-            baseColumn: never;
-            identity: undefined;
-            generated: undefined;
-        }, {}, {}>;
-    };
-    dialect: "pg";
-}>;
+declare const createTokenDto: z.ZodObject<{
+    userId: z.ZodString;
+    token: z.ZodString;
+    type: z.ZodDefault<z.ZodEnum<{
+        access: "access";
+        refresh: "refresh";
+    }>>;
+    status: z.ZodDefault<z.ZodEnum<{
+        active: "active";
+        revoked: "revoked";
+        expired: "expired";
+    }>>;
+    expiresAt: z.ZodString;
+}, z.core.$strip>;
+declare const updateTokenDto: z.ZodObject<{
+    status: z.ZodEnum<{
+        active: "active";
+        revoked: "revoked";
+        expired: "expired";
+    }>;
+}, z.core.$strip>;
+declare const tokenIdParam: z.ZodObject<{
+    id: z.ZodString;
+}, z.core.$strip>;
+declare const verifyTokenDto: z.ZodObject<{
+    token: z.ZodString;
+}, z.core.$strip>;
+declare const refreshTokenDto: z.ZodObject<{
+    refreshToken: z.ZodString;
+}, z.core.$strip>;
+declare const revokeTokenDto: z.ZodObject<{
+    userId: z.ZodString;
+}, z.core.$strip>;
+type CreateTokenDto = z.infer<typeof createTokenDto>;
+type UpdateTokenDto = z.infer<typeof updateTokenDto>;
+type TokenIdParam = z.infer<typeof tokenIdParam>;
+type VerifyTokenDto = z.infer<typeof verifyTokenDto>;
+type RefreshTokenDto = z.infer<typeof refreshTokenDto>;
+type RevokeTokenDto = z.infer<typeof revokeTokenDto>;
+
+declare class UserController {
+    private userService;
+    constructor(userService: UserService);
+    getUsers(): Promise<SanitizedUser[]>;
+    getLang(): Promise<{
+        language: string;
+    }>;
+    updateLang(params: LanguageParam): Promise<string>;
+    getUser(params: UserIdParam): Promise<SanitizedUser>;
+    getByEmail(params: EmailParam): Promise<SanitizedUser>;
+    getRole(params: UserIdInParam): Promise<string>;
+    create(body: CreateUserDto): Promise<SanitizedUser>;
+    update(params: UserIdParam, body: UpdateUserDto): Promise<SanitizedUser>;
+    delete(params: UserIdParam): Promise<SanitizedUser>;
+    deleteAll(): Promise<SanitizedUser[]>;
+    assignRole(params: AssignRoleParams): Promise<SanitizedUser>;
+    removeRole(params: UserIdInParam): Promise<SanitizedUser>;
+}
+
+declare const USER_STATUS: readonly ["active", "inactive", "pending"];
+declare const TOKEN_STATUS: readonly ["active", "revoked", "expired"];
+declare const TOKEN_TYPE: readonly ["access", "refresh"];
+
+/**
+ * Shared user configuration for seeding
+ */
+interface SeedUserConfig {
+    email: string;
+    password: string;
+    roleName: string;
+    emailVerified?: boolean;
+    status?: 'active' | 'inactive' | 'pending';
+    image?: string;
+    username?: string;
+}
+/**
+ * Low-level factory config (for use with SeedService)
+ */
+interface AuthSeedConfig {
+    adminEmail: string;
+    adminPass: string;
+    roles?: Array<{
+        name: string;
+        description?: string;
+    }>;
+    permissions?: Array<{
+        action: string;
+        resource: string;
+        name: string;
+        description?: string;
+    }>;
+    additionalUsers?: SeedUserConfig[];
+}
+/**
+ * High-level standalone function config
+ */
+interface SeedAuthDataConfig {
+    /** Drizzle database instance (required) */
+    db: any;
+    /** Admin email (required) */
+    adminEmail: string;
+    /** Admin password (required) */
+    adminPassword: string;
+    /** Additional users to seed (optional) */
+    users?: SeedUserConfig[];
+    /** Custom roles (optional - uses defaults if omitted) */
+    roles?: Array<{
+        name: string;
+        description?: string;
+    }>;
+    /** Custom permissions (optional - uses defaults if omitted) */
+    permissions?: Array<{
+        action: string;
+        resource: string;
+        name: string;
+        description?: string;
+    }>;
+    /** Show verbose logging (optional) */
+    verbose?: boolean;
+    /** Conflict handling strategy (optional) */
+    onConflict?: 'skip' | 'replace' | 'fail';
+}
+/**
+ * Result of seedAuthData operation
+ */
+interface SeedAuthDataResult {
+    inserted: number;
+    skipped: number;
+    failed: number;
+    users: Array<{
+        id: string;
+        email: string;
+        roleId: string;
+    }>;
+    roles: Array<{
+        id: string;
+        name: string;
+    }>;
+}
+
+/**
+ * Composable seed definition factory for najm-auth plugin.
+ *
+ * Provides default roles, permissions, and admin user with proper validation and password hashing.
+ *
+ * @example
+ * ```typescript
+ * const seeder = server.container.get(SeedService);
+ *
+ * await seeder.run({
+ *   ...authSeed({ adminEmail: 'admin@test.com', adminPass: 'Admin123!' }),
+ *   // ... your app-specific seeds
+ * });
+ * ```
+ */
+declare const authSeed: (config: AuthSeedConfig) => Record<string, SeedEntry>;
 
-declare const AuthPlugin: PluginConfig;
+/**
+ * Standalone function to seed authentication data.
+ * Handles Server setup, seeding, and cleanup automatically.
+ *
+ * @example
+ * ```typescript
+ * // In a seed script
+ * import { seedAuthData } from 'najm-auth';
+ * import { db } from './database';
+ *
+ * await seedAuthData({
+ *   db,
+ *   adminEmail: 'admin@app.com',
+ *   adminPassword: 'Secret123!',
+ *   users: [
+ *     { email: 'user@app.com', password: 'User123!', roleName: 'user' }
+ *   ]
+ * });
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // In a service method
+ * @Service()
+ * class SetupService {
+ *   async seedDefaultData() {
+ *     await seedAuthData({
+ *       db: this.db,
+ *       adminEmail: process.env.ADMIN_EMAIL!,
+ *       adminPassword: process.env.ADMIN_PASSWORD!,
+ *       verbose: true
+ *     });
+ *   }
+ * }
+ * ```
+ */
+declare function seedAuthData(config: SeedAuthDataConfig): Promise<SeedAuthDataResult>;
 
-export { AuthController, AuthPlugin, AuthService, CookieService, ENUMS, EncryptionService, Permission, PermissionController, PermissionGuards, PermissionRepository, PermissionService, PermissionValidator, ROLES, ROLE_GROUPS, Role, RoleChecker, RoleController, type RoleGroup, RoleGuards, RoleRepository, RoleService, RoleValidator, TokenRepository, TokenService, UserController, UserRepository, UserService, UserValidator, alertPriorityEnum, alertSchema, alertStatusEnum, alertTypeEnum, announcementSchema, assessmentSchema, assessmentStatusEnum, assessmentTypeEnum, assignmentSchema, assignmentStatusEnum, assignmentsSchema, attendanceSchema, attendanceStatusEnum, avatarsPath, bulkAssessmentSchema, bulkFeeFormSchema, bulkFeeItemSchema, busStatusEnum, calculateAge, calculateYearsOfExperience, calendarSystemEnum, classSchema, classStatusEnum, clean, dateRangeSchema, dayOfWeekEnum, driverSchema, driverStatusEnum, employmentTypeEnum, enrollmentStatusEnum, eventParticipantSchema, eventSchema, eventStatusEnum, eventTypeEnum, eventVisibilityEnum, examSchema, examSecurityEnum, examStatusEnum, examTypeEnum, expenseApprovalSchema, expenseCategoryEnum, expensePaymentSchema, expenseSchema, expenseStatusEnum, feeInstallmentSchema, feeInstallmentStatusEnum, feePaymentSchema, feeSchema, feeStatusEnum, feeTypeSchema, feeTypeStatusEnum, feesSchema, fileStatusEnum, formatDate, fuelTypeEnum, fullStudentSchema, genderEnum, getAvatarFile, getEnumConfig, getEnumValues, gradeSchema, gradeStatusEnum, idField, idParamSchema, isAccounting, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isFinancial, isParent, isPath, isPrincipal, isSecretary, isStaff, isStudent, isTeacher, languageEnum, maintenanceStatusEnum, maintenanceTypeEnum, maritalStatusEnum, paginationSchema, parentSchema, parentsSchema, parseSchema, participantTypeEnum, paymentAllocationSchema, paymentMethodEnum, paymentStatusEnum, paymentTypeEnum, permissionsTable, pickProps, proficiencyLevelEnum, refuelSchema, refuelStatusEnum, relationshipTypeEnum, rolePermissionsTable, roleSchema, rolesTable, scheduleEnum, sectionSchema, sectionStatusEnum, semesterEnum, settingsSchema, studentSchema, studentStatusEnum, subjectSchema, submissionTypeEnum, teacherFullSchema, teacherPersonalSchema, teacherProfessionalSchema, teacherStatusEnum, tokenStatusEnum, tokenTypeEnum, tokensTable, trackerModeEnum, userSchema, userStatusEnum, userTypeEnum, usersTable, vehicleDocumentTypeEnum, vehicleSchema, vehicleStatusEnum, vehicleTypeEnum };
+export { AUTH_CONFIG, en as AUTH_EN, AUTH_LOCALES, AUTH_MODULE, AUTH_PERMISSIONS, AUTH_ROLE, AUTH_SCHEMA, AUTH_SUPPORTED_LANGUAGES, AUTH_USER, type AssignPermissionDto, type AssignRoleDto, type AssignRoleParams, type AuthConfig, AuthController, AuthGuard, type AuthPluginConfig, AuthQueries, type AuthSchema, type AuthSeedConfig, AuthService, type AuthUser, Can, type ChangePasswordDto, type CheckPermissionDto, type ConfirmResetPasswordDto, CookieManager, type CreatePermissionDto, type CreateRoleDto, type CreateTokenDto, type CreateUserDto, type EmailParam, EncryptionService, type JwtConfig, type JwtPayload, type LanguageParam, type LoginDto, NewPermission, NewRoleEntity, NewUser, Permission, PermissionController, PermissionGuard, type PermissionIdParam, PermissionRepository, PermissionService, PermissionValidator, ROLES, ROLE_GROUPS, type RefreshTokenDto, type ResetPasswordDto, type RevokeTokenDto, Role, RoleController, RoleEntity, RoleGuard, type RoleIdParam, type RoleInput, RolePermission, RoleRepository, RoleService, type RoleType, RoleValidator, type SanitizedUser, type SeedAuthDataConfig, type SeedAuthDataResult, type SeedUserConfig, TOKEN_STATUS, TOKEN_TYPE, type TokenIdParam, type TokenPair, TokenRepository, TokenService, USER_STATUS, type UpdatePermissionDto, type UpdateRoleDto, type UpdateTokenDto, type UpdateUserDto, User, UserController, type UserIdInParam, type UserIdParam, UserRepository, UserService, UserValidator, type UserWithPermissions, type VerifyTokenDto, assignPermissionDto, assignRoleDto, assignRoleParams, auth$1 as auth, authSeed, avatarsPath, calculateAge, calculateYearsOfExperience, canCreate, canDelete, canManage, canRead, canUpdate, changePasswordDto, checkPermissionDto, clean, confirmResetPasswordDto, createPermissionDto, createRoleDto, createTokenDto, createUserDto, emailParam, formatDate, getAuthLocale, getAvatarFile, isAdmin, isAdministrator, isAuth, isEmpty, isFile, isPath, languageParam, loginDto, parseSchema, permissionIdParam, pickProps, refreshTokenDto, resetPasswordDto, revokeTokenDto, roleIdParam, seedAuthData, tokenIdParam, updatePermissionDto, updateRoleDto, updateTokenDto, updateUserDto, userIdInParam, userIdParam, verifyTokenDto };