najm-auth 1.1.1

package/dist/index.js

@@ -0,0 +1,3201 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/AuthPlugin.ts
+import { Err as Err8, plugin } from "najm-core";
+import { cache } from "najm-cache";
+
+// src/auth.tokens.ts
+var AUTH_CONFIG = /* @__PURE__ */ Symbol("auth:config");
+var AUTH_SCHEMA = /* @__PURE__ */ Symbol("auth:schema");
+var AUTH_USER = /* @__PURE__ */ Symbol("auth:user");
+var AUTH_ROLE = /* @__PURE__ */ Symbol("auth:role");
+var AUTH_PERMISSIONS = /* @__PURE__ */ Symbol("auth:permissions");
+
+// src/schema/pg.ts
+import { pgTable, text, boolean, timestamp, pgEnum, primaryKey } from "drizzle-orm/pg-core";
+import { sql } from "drizzle-orm";
+import { nanoid } from "nanoid";
+
+// src/schema/constants.ts
+var USER_STATUS = ["active", "inactive", "pending"];
+var TOKEN_STATUS = ["active", "revoked", "expired"];
+var TOKEN_TYPE = ["access", "refresh"];
+
+// src/schema/pg.ts
+var baseFields = /* @__PURE__ */ __name((idLength = 5) => ({
+  id: text("id").primaryKey().$defaultFn(() => nanoid(idLength)),
+  createdAt: timestamp("created_at", { mode: "string" }).defaultNow(),
+  updatedAt: timestamp("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql`CURRENT_TIMESTAMP`)
+}), "baseFields");
+var userStatusEnum = pgEnum("user_status", USER_STATUS);
+var tokenStatusEnum = pgEnum("token_status", TOKEN_STATUS);
+var tokenTypeEnum = pgEnum("token_type", TOKEN_TYPE);
+var rolesTable = pgTable("roles", {
+  ...baseFields(5),
+  name: text("name").notNull(),
+  description: text("description")
+});
+var usersTable = pgTable("users", {
+  ...baseFields(8),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").default(false),
+  password: text("password").notNull(),
+  image: text("image").default("noavatar.png"),
+  status: userStatusEnum("status").default("pending"),
+  roleId: text("role_id").references(() => rolesTable.id),
+  lastLogin: timestamp("last_login", { mode: "string" })
+});
+var permissionsTable = pgTable("permissions", {
+  ...baseFields(5),
+  name: text("name").notNull().unique(),
+  description: text("description"),
+  resource: text("resource").notNull(),
+  action: text("action").notNull()
+});
+var tokensTable = pgTable("tokens", {
+  ...baseFields(10),
+  userId: text("user_id").references(() => usersTable.id, { onDelete: "cascade" }).unique().notNull(),
+  token: text("token").notNull(),
+  type: tokenTypeEnum("type").default("refresh"),
+  status: tokenStatusEnum("status").default("active"),
+  expiresAt: timestamp("expires_at", { mode: "string" }).notNull()
+});
+var rolePermissionsTable = pgTable("role_permissions", {
+  ...baseFields(10),
+  roleId: text("role_id").notNull().references(() => rolesTable.id, { onDelete: "cascade" }),
+  permissionId: text("permission_id").notNull().references(() => permissionsTable.id, { onDelete: "cascade" })
+}, (table) => ({
+  pk: primaryKey({ columns: [table.roleId, table.permissionId] })
+}));
+var authSchema = {
+  users: usersTable,
+  tokens: tokensTable,
+  roles: rolesTable,
+  permissions: permissionsTable,
+  rolePermissions: rolePermissionsTable
+};
+
+// src/schema/sqlite.ts
+import { sqliteTable, text as text2, integer, uniqueIndex } from "drizzle-orm/sqlite-core";
+import { sql as sql2 } from "drizzle-orm";
+import { nanoid as nanoid2 } from "nanoid";
+var baseFields2 = /* @__PURE__ */ __name((idLength = 5) => ({
+  id: text2("id").primaryKey().$defaultFn(() => nanoid2(idLength)),
+  createdAt: text2("created_at").$defaultFn(() => (/* @__PURE__ */ new Date()).toISOString()),
+  updatedAt: text2("updated_at").$defaultFn(() => (/* @__PURE__ */ new Date()).toISOString()).$onUpdate(() => sql2`(datetime('now'))`)
+}), "baseFields");
+var rolesTable2 = sqliteTable("roles", {
+  ...baseFields2(5),
+  name: text2("name").notNull(),
+  description: text2("description")
+});
+var usersTable2 = sqliteTable("users", {
+  ...baseFields2(8),
+  email: text2("email").notNull().unique(),
+  emailVerified: integer("email_verified", { mode: "boolean" }).default(false),
+  password: text2("password").notNull(),
+  image: text2("image").default("noavatar.png"),
+  status: text2("status").$type().default("pending"),
+  roleId: text2("role_id").references(() => rolesTable2.id),
+  lastLogin: text2("last_login")
+});
+var permissionsTable2 = sqliteTable("permissions", {
+  ...baseFields2(5),
+  name: text2("name").notNull().unique(),
+  description: text2("description"),
+  resource: text2("resource").notNull(),
+  action: text2("action").notNull()
+});
+var tokensTable2 = sqliteTable("tokens", {
+  ...baseFields2(10),
+  userId: text2("user_id").references(() => usersTable2.id, { onDelete: "cascade" }).unique().notNull(),
+  token: text2("token").notNull(),
+  type: text2("type").$type().default("refresh"),
+  status: text2("status").$type().default("active"),
+  expiresAt: text2("expires_at").notNull()
+});
+var rolePermissionsTable2 = sqliteTable("role_permissions", {
+  ...baseFields2(10),
+  roleId: text2("role_id").notNull().references(() => rolesTable2.id, { onDelete: "cascade" }),
+  permissionId: text2("permission_id").notNull().references(() => permissionsTable2.id, { onDelete: "cascade" })
+}, (table) => ({
+  uniq: uniqueIndex("role_permission_unique").on(table.roleId, table.permissionId)
+}));
+var authSchema2 = {
+  users: usersTable2,
+  tokens: tokensTable2,
+  roles: rolesTable2,
+  permissions: permissionsTable2,
+  rolePermissions: rolePermissionsTable2
+};
+
+// src/schema/mysql.ts
+import { mysqlTable, varchar, boolean as boolean2, timestamp as timestamp2, mysqlEnum, primaryKey as primaryKey2 } from "drizzle-orm/mysql-core";
+import { sql as sql3 } from "drizzle-orm";
+import { nanoid as nanoid3 } from "nanoid";
+var baseFields3 = /* @__PURE__ */ __name((idLength = 5) => ({
+  id: varchar("id", { length: 21 }).primaryKey().$defaultFn(() => nanoid3(idLength)),
+  createdAt: timestamp2("created_at", { mode: "string" }).defaultNow(),
+  updatedAt: timestamp2("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql3`CURRENT_TIMESTAMP`)
+}), "baseFields");
+var rolesTable3 = mysqlTable("roles", {
+  ...baseFields3(5),
+  name: varchar("name", { length: 255 }).notNull(),
+  description: varchar("description", { length: 1e3 })
+});
+var usersTable3 = mysqlTable("users", {
+  ...baseFields3(8),
+  email: varchar("email", { length: 255 }).notNull().unique(),
+  emailVerified: boolean2("email_verified").default(false),
+  password: varchar("password", { length: 255 }).notNull(),
+  image: varchar("image", { length: 255 }).default("noavatar.png"),
+  status: mysqlEnum("status", [...USER_STATUS]).default("pending"),
+  roleId: varchar("role_id", { length: 21 }).references(() => rolesTable3.id),
+  lastLogin: timestamp2("last_login", { mode: "string" })
+});
+var permissionsTable3 = mysqlTable("permissions", {
+  ...baseFields3(5),
+  name: varchar("name", { length: 255 }).notNull().unique(),
+  description: varchar("description", { length: 1e3 }),
+  resource: varchar("resource", { length: 255 }).notNull(),
+  action: varchar("action", { length: 255 }).notNull()
+});
+var tokensTable3 = mysqlTable("tokens", {
+  ...baseFields3(10),
+  userId: varchar("user_id", { length: 21 }).references(() => usersTable3.id, { onDelete: "cascade" }).unique().notNull(),
+  token: varchar("token", { length: 500 }).notNull(),
+  type: mysqlEnum("type", [...TOKEN_TYPE]).default("refresh"),
+  status: mysqlEnum("status", [...TOKEN_STATUS]).default("active"),
+  expiresAt: timestamp2("expires_at", { mode: "string" }).notNull()
+});
+var rolePermissionsTable3 = mysqlTable("role_permissions", {
+  ...baseFields3(10),
+  roleId: varchar("role_id", { length: 21 }).notNull().references(() => rolesTable3.id, { onDelete: "cascade" }),
+  permissionId: varchar("permission_id", { length: 21 }).notNull().references(() => permissionsTable3.id, { onDelete: "cascade" })
+}, (table) => ({
+  pk: primaryKey2({ columns: [table.roleId, table.permissionId] })
+}));
+var authSchema3 = {
+  users: usersTable3,
+  tokens: tokensTable3,
+  roles: rolesTable3,
+  permissions: permissionsTable3,
+  rolePermissions: rolePermissionsTable3
+};
+
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  AUTH_MODULE: () => AUTH_MODULE,
+  AuthController: () => AuthController,
+  AuthGuard: () => AuthGuard,
+  AuthService: () => AuthService,
+  CookieManager: () => CookieManager,
+  EncryptionService: () => EncryptionService,
+  isAuth: () => isAuth
+});
+
+// src/auth/EncryptionService.ts
+import { Injectable } from "najm-core";
+import bcrypt from "bcryptjs";
+var __decorate = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var EncryptionService = class EncryptionService2 {
+  static {
+    __name(this, "EncryptionService");
+  }
+  constructor() {
+  }
+  async hashPassword(password) {
+    return bcrypt.hash(password, 10);
+  }
+  async comparePassword(password, hashedPassword) {
+    return bcrypt.compare(password, hashedPassword);
+  }
+};
+EncryptionService = __decorate([
+  Injectable(),
+  __metadata("design:paramtypes", [])
+], EncryptionService);
+
+// src/auth/CookieManager.ts
+import { Service, Inject } from "najm-core";
+import { CookieService } from "najm-cookies";
+import timestring from "timestring";
+var __decorate2 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata2 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a;
+var CookieManager = class CookieManager2 {
+  static {
+    __name(this, "CookieManager");
+  }
+  config;
+  cookieService;
+  get cookieName() {
+    return this.config.refreshCookieName || "refreshToken";
+  }
+  setRefreshToken(refreshToken) {
+    const maxAge = timestring(this.config.jwt.refreshExpiresIn, "s");
+    this.cookieService.set(this.cookieName, refreshToken, { maxAge });
+  }
+  clearRefreshToken() {
+    this.cookieService.delete(this.cookieName);
+  }
+  getRefreshToken() {
+    return this.cookieService.get(this.cookieName);
+  }
+  hasRefreshToken() {
+    return this.cookieService.has(this.cookieName);
+  }
+  getCookieName() {
+    return this.cookieName;
+  }
+};
+__decorate2([
+  Inject(AUTH_CONFIG),
+  __metadata2("design:type", Object)
+], CookieManager.prototype, "config", void 0);
+__decorate2([
+  Inject(CookieService),
+  __metadata2("design:type", typeof (_a = typeof CookieService !== "undefined" && CookieService) === "function" ? _a : Object)
+], CookieManager.prototype, "cookieService", void 0);
+CookieManager = __decorate2([
+  Service()
+], CookieManager);
+
+// src/auth/AuthController.ts
+import { Controller } from "najm-core";
+import { Get, Post, ResMsg } from "najm-core";
+import { Body, User, Headers as Headers2 } from "najm-core";
+
+// src/auth/AuthService.ts
+import { Injectable as Injectable7 } from "najm-core";
+import { Err as Err6, Log } from "najm-core";
+import { I18n as I18n4, I18nService as I18nService2 } from "najm-i18n";
+import { EmailService, passwordResetTemplate } from "najm-email";
+
+// src/users/UserService.ts
+import { Injectable as Injectable5, Inject as Inject4 } from "najm-core";
+import { Transaction } from "najm-database";
+import { I18nService } from "najm-i18n";
+
+// src/users/UserRepository.ts
+import { eq as eq2, ne } from "drizzle-orm";
+import { Repository, Inject as Inject2 } from "najm-core";
+import { DB } from "najm-database";
+
+// src/shared/queries.ts
+import { eq } from "drizzle-orm";
+var AuthQueries = class {
+  static {
+    __name(this, "AuthQueries");
+  }
+  db;
+  schema;
+  constructor(db, schema) {
+    this.db = db;
+    this.schema = schema;
+  }
+  /**
+   * Standard user selection fields with role join
+   */
+  userSelection() {
+    return {
+      id: this.schema.users.id,
+      email: this.schema.users.email,
+      emailVerified: this.schema.users.emailVerified,
+      image: this.schema.users.image,
+      status: this.schema.users.status,
+      roleId: this.schema.users.roleId,
+      role: this.schema.roles.name,
+      createdAt: this.schema.users.createdAt,
+      updatedAt: this.schema.users.updatedAt
+    };
+  }
+  /**
+   * Get permissions for a user by their userId
+   */
+  async getUserPermissions(userId) {
+    const [user] = await this.db.select({ roleId: this.schema.users.roleId }).from(this.schema.users).where(eq(this.schema.users.id, userId)).limit(1);
+    if (!user?.roleId)
+      return [];
+    const perms = await this.db.select({ name: this.schema.permissions.name }).from(this.schema.rolePermissions).leftJoin(this.schema.permissions, eq(this.schema.rolePermissions.permissionId, this.schema.permissions.id)).where(eq(this.schema.rolePermissions.roleId, user.roleId));
+    return perms.map((p) => p.name).filter(Boolean);
+  }
+  /**
+   * Get role name for a user
+   */
+  async getRoleName(userId) {
+    const [role] = await this.db.select({ roleName: this.schema.roles.name }).from(this.schema.users).leftJoin(this.schema.roles, eq(this.schema.users.roleId, this.schema.roles.id)).where(eq(this.schema.users.id, userId)).limit(1);
+    return role?.roleName ?? null;
+  }
+  /**
+   * Batch load permissions for multiple users (fixes N+1 query problem)
+   * Returns a Map of roleId -> permissions[]
+   */
+  async batchLoadPermissionsByRole() {
+    const allPermissions = await this.db.select({
+      roleId: this.schema.rolePermissions.roleId,
+      name: this.schema.permissions.name
+    }).from(this.schema.rolePermissions).leftJoin(this.schema.permissions, eq(this.schema.rolePermissions.permissionId, this.schema.permissions.id));
+    const permissionsByRole = /* @__PURE__ */ new Map();
+    for (const p of allPermissions) {
+      if (!p.name)
+        continue;
+      const list = permissionsByRole.get(p.roleId) || [];
+      list.push(p.name);
+      permissionsByRole.set(p.roleId, list);
+    }
+    return permissionsByRole;
+  }
+};
+
+// src/roles/constants.ts
+var ROLES = {
+  ADMIN: "admin"
+};
+var ROLE_GROUPS = {
+  ADMINISTRATORS: [ROLES.ADMIN]
+};
+
+// src/users/UserRepository.ts
+var __decorate3 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata3 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var UserRepository = class UserRepository2 {
+  static {
+    __name(this, "UserRepository");
+  }
+  db;
+  schema;
+  get users() {
+    return this.schema.users;
+  }
+  get roles() {
+    return this.schema.roles;
+  }
+  /** Shared query helper */
+  get q() {
+    return new AuthQueries(this.db, this.schema);
+  }
+  async getAll() {
+    const allUsers = await this.db.select(this.q.userSelection()).from(this.users).leftJoin(this.roles, eq2(this.users.roleId, this.roles.id));
+    const permissionsByRole = await this.q.batchLoadPermissionsByRole();
+    return allUsers.map((user) => ({
+      ...user,
+      permissions: user.roleId ? permissionsByRole.get(user.roleId) ?? [] : []
+    }));
+  }
+  async getById(id) {
+    const [user] = await this.db.select(this.q.userSelection()).from(this.users).leftJoin(this.roles, eq2(this.users.roleId, this.roles.id)).where(eq2(this.users.id, id)).limit(1);
+    if (!user)
+      return user;
+    return {
+      ...user,
+      permissions: await this.q.getUserPermissions(user.id)
+    };
+  }
+  async getByEmail(email2) {
+    const [existingUser] = await this.db.select({
+      ...this.q.userSelection(),
+      password: this.users.password
+    }).from(this.users).leftJoin(this.roles, eq2(this.users.roleId, this.roles.id)).where(eq2(this.users.email, email2));
+    return existingUser;
+  }
+  async create(data) {
+    const [newUser] = await this.db.insert(this.users).values(data).returning();
+    return newUser;
+  }
+  async update(id, data) {
+    const [updatedUser] = await this.db.update(this.users).set(data).where(eq2(this.users.id, id)).returning();
+    return updatedUser;
+  }
+  async delete(id) {
+    const [deletedUser] = await this.db.delete(this.users).where(eq2(this.users.id, id)).returning();
+    return deletedUser;
+  }
+  async deleteAll() {
+    const adminRole = await this.db.select({ id: this.roles.id }).from(this.roles).where(eq2(this.roles.name, ROLES.ADMIN)).limit(1);
+    if (adminRole.length === 0) {
+      const deletedUsers2 = await this.db.delete(this.users).returning();
+      return deletedUsers2;
+    }
+    const deletedUsers = await this.db.delete(this.users).where(ne(this.users.roleId, adminRole[0].id)).returning();
+    return deletedUsers;
+  }
+  async getRoleNameById(userId) {
+    return this.q.getRoleName(userId);
+  }
+  async getUserPassword(email2) {
+    const [user] = await this.db.select({
+      id: this.users.id,
+      email: this.users.email,
+      password: this.users.password
+    }).from(this.users).where(eq2(this.users.email, email2)).limit(1);
+    return user?.password;
+  }
+  async getUserPermissions(userId) {
+    return this.q.getUserPermissions(userId);
+  }
+};
+__decorate3([
+  DB(),
+  __metadata3("design:type", Object)
+], UserRepository.prototype, "db", void 0);
+__decorate3([
+  Inject2(AUTH_SCHEMA),
+  __metadata3("design:type", Object)
+], UserRepository.prototype, "schema", void 0);
+UserRepository = __decorate3([
+  Repository()
+], UserRepository);
+
+// src/users/UserValidator.ts
+import { Injectable as Injectable2 } from "najm-core";
+import { Err } from "najm-core";
+import { I18n } from "najm-i18n";
+var __decorate4 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata4 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a2;
+var _b;
+var UserValidator = class UserValidator2 {
+  static {
+    __name(this, "UserValidator");
+  }
+  userRepository;
+  encryptionService;
+  t;
+  constructor(userRepository, encryptionService) {
+    this.userRepository = userRepository;
+    this.encryptionService = encryptionService;
+  }
+  /**
+   * Check if email already exists in database
+   */
+  async checkEmailUnique(email2, excludeId) {
+    if (!email2)
+      return;
+    const existingUser = await this.userRepository.getByEmail(email2);
+    if (existingUser && existingUser.id !== excludeId) {
+      Err(this.t("errors.emailExists"), 409);
+    }
+  }
+  /**
+   * Check if user exists by ID
+   */
+  async checkUserExists(id) {
+    const user = await this.userRepository.getById(id);
+    if (!user) {
+      Err(this.t("errors.notFound"), 404);
+    }
+    return user;
+  }
+  /**
+   * Check if user exists by email
+   */
+  async checkUserExistsByEmail(email2) {
+    const user = await this.userRepository.getByEmail(email2);
+    if (!user) {
+      Err(this.t("errors.invalidCredentials"), 401);
+    }
+    return user;
+  }
+  /**
+   * Check if email exists in database
+   */
+  async checkEmailExists(email2) {
+    const user = await this.userRepository.getByEmail(email2);
+    if (!user) {
+      Err(this.t("errors.notFound"), 404);
+    }
+    return user;
+  }
+  /**
+   * Verify password against hashed password (throws on invalid)
+   */
+  async checkPasswordValid(password, hashedPassword) {
+    const isPasswordValid = await this.encryptionService.comparePassword(password, hashedPassword);
+    if (!isPasswordValid) {
+      Err(this.t("auth.errors.invalidCredentials"), 401);
+    }
+  }
+  /**
+   * Compare password against hash - returns boolean (no throw)
+   * Used for timing-safe authentication
+   */
+  async comparePassword(password, hashedPassword) {
+    return await this.encryptionService.comparePassword(password, hashedPassword);
+  }
+  /**
+   * Check if user ID is unique (for custom IDs)
+   */
+  async checkUserIdIsUnique(id) {
+    if (!id)
+      return;
+    const existingUser = await this.userRepository.getById(id);
+    if (existingUser) {
+      Err(this.t("errors.idExists"), 409);
+    }
+  }
+  /**
+   * Check if user has required role
+   */
+  async hasRole(userId, roles) {
+    const roleName = await this.userRepository.getRoleNameById(userId);
+    if (!roleName) {
+      Err(this.t("errors.accessDenied"), 403);
+    }
+    const hasRole = roles.some((item) => roleName.toLowerCase() === item.toLowerCase());
+    if (!hasRole) {
+      Err(this.t("errors.accessDenied"), 403);
+    }
+    return true;
+  }
+  /**
+   * Validate password strength and complexity
+   * Enforces:
+   * - Minimum 8 characters
+   * - At least one uppercase letter
+   * - At least one lowercase letter
+   * - At least one number
+   */
+  validatePasswordStrength(password) {
+    if (!password) {
+      Err("Password is required", 400);
+    }
+    const minLength = 8;
+    const hasUppercase = /[A-Z]/.test(password);
+    const hasLowercase = /[a-z]/.test(password);
+    const hasNumber = /\d/.test(password);
+    if (password.length < minLength) {
+      Err(`Password must be at least ${minLength} characters long`, 400);
+    }
+    if (!hasUppercase) {
+      Err("Password must contain at least one uppercase letter", 400);
+    }
+    if (!hasLowercase) {
+      Err("Password must contain at least one lowercase letter", 400);
+    }
+    if (!hasNumber) {
+      Err("Password must contain at least one number", 400);
+    }
+  }
+};
+__decorate4([
+  I18n("users"),
+  __metadata4("design:type", Object)
+], UserValidator.prototype, "t", void 0);
+UserValidator = __decorate4([
+  Injectable2(),
+  __metadata4("design:paramtypes", [typeof (_a2 = typeof UserRepository !== "undefined" && UserRepository) === "function" ? _a2 : Object, typeof (_b = typeof EncryptionService !== "undefined" && EncryptionService) === "function" ? _b : Object])
+], UserValidator);
+
+// src/roles/RoleService.ts
+import { Injectable as Injectable4 } from "najm-core";
+
+// src/roles/RoleRepository.ts
+import { eq as eq3 } from "drizzle-orm";
+import { Repository as Repository2, Inject as Inject3 } from "najm-core";
+import { DB as DB2 } from "najm-database";
+var __decorate5 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata5 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var RoleRepository = class RoleRepository2 {
+  static {
+    __name(this, "RoleRepository");
+  }
+  db;
+  schema;
+  get roles() {
+    return this.schema.roles;
+  }
+  async getAll() {
+    return await this.db.select().from(this.roles);
+  }
+  async getById(id) {
+    const [existingRole] = await this.db.select().from(this.roles).where(eq3(this.roles.id, id));
+    return existingRole;
+  }
+  async getByName(name) {
+    const [existingRole] = await this.db.select().from(this.roles).where(eq3(this.roles.name, name));
+    return existingRole;
+  }
+  async create(data) {
+    const [newRole] = await this.db.insert(this.roles).values(data).returning();
+    return newRole;
+  }
+  async update(id, data) {
+    const [updatedRole] = await this.db.update(this.roles).set(data).where(eq3(this.roles.id, id)).returning();
+    return updatedRole;
+  }
+  async delete(id) {
+    const [deletedRole] = await this.db.delete(this.roles).where(eq3(this.roles.id, id)).returning();
+    return deletedRole;
+  }
+};
+__decorate5([
+  DB2(),
+  __metadata5("design:type", Object)
+], RoleRepository.prototype, "db", void 0);
+__decorate5([
+  Inject3(AUTH_SCHEMA),
+  __metadata5("design:type", Object)
+], RoleRepository.prototype, "schema", void 0);
+RoleRepository = __decorate5([
+  Repository2()
+], RoleRepository);
+
+// src/roles/RoleValidator.ts
+import { Injectable as Injectable3 } from "najm-core";
+import { I18n as I18n2 } from "najm-i18n";
+import { Err as Err2 } from "najm-core";
+var __decorate6 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata6 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a3;
+var RoleValidator = class RoleValidator2 {
+  static {
+    __name(this, "RoleValidator");
+  }
+  roleRepository;
+  t;
+  constructor(roleRepository) {
+    this.roleRepository = roleRepository;
+  }
+  /**
+   * Check if role name is unique
+   */
+  async checkNameUnique(roleName, excludeId) {
+    if (!roleName)
+      return;
+    const existingRole = await this.roleRepository.getByName(roleName);
+    if (existingRole && existingRole.id !== excludeId) {
+      Err2(this.t("errors.exists"), 409);
+    }
+  }
+  /**
+   * Check if role exists by ID
+   */
+  async checkRoleExists(id) {
+    const role = await this.roleRepository.getById(id);
+    if (!role) {
+      Err2(this.t("errors.notFound"), 404);
+    }
+    return role;
+  }
+  /**
+   * Check if role exists by name
+   */
+  async checkRoleExistsByName(roleName) {
+    const role = await this.roleRepository.getByName(roleName);
+    if (!role) {
+      Err2(this.t("errors.notFound"), 404);
+    }
+    return role;
+  }
+  /**
+   * Check if admin role exists (required for system setup)
+   */
+  async checkAdminRoleExists() {
+    const adminRole = await this.roleRepository.getByName(ROLES.ADMIN);
+    if (!adminRole) {
+      Err2(this.t("errors.adminRoleNotFound"), 500);
+    }
+    return adminRole;
+  }
+  /**
+   * Check if role name exists (returns boolean, doesn't throw)
+   */
+  async isRoleNameExists(roleName) {
+    const existingRole = await this.roleRepository.getByName(roleName);
+    return !!existingRole;
+  }
+};
+__decorate6([
+  I18n2("roles"),
+  __metadata6("design:type", Object)
+], RoleValidator.prototype, "t", void 0);
+RoleValidator = __decorate6([
+  Injectable3(),
+  __metadata6("design:paramtypes", [typeof (_a3 = typeof RoleRepository !== "undefined" && RoleRepository) === "function" ? _a3 : Object])
+], RoleValidator);
+
+// src/roles/RoleService.ts
+var __decorate7 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata7 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a4;
+var _b2;
+var RoleService = class RoleService2 {
+  static {
+    __name(this, "RoleService");
+  }
+  roleRepository;
+  roleValidator;
+  constructor(roleRepository, roleValidator) {
+    this.roleRepository = roleRepository;
+    this.roleValidator = roleValidator;
+  }
+  async getAll() {
+    return await this.roleRepository.getAll();
+  }
+  async getById(id) {
+    await this.roleValidator.checkRoleExists(id);
+    return await this.roleRepository.getById(id);
+  }
+  async getByName(name) {
+    return await this.roleRepository.getByName(name);
+  }
+  async create(data) {
+    await this.roleValidator.checkNameUnique(data.name);
+    return await this.roleRepository.create(data);
+  }
+  async update(id, data) {
+    await this.roleValidator.checkRoleExists(id);
+    await this.roleValidator.checkNameUnique(data.name, id);
+    return await this.roleRepository.update(id, data);
+  }
+  async delete(id) {
+    await this.roleValidator.checkRoleExists(id);
+    return await this.roleRepository.delete(id);
+  }
+  async seedDefaultRoles(defaultRoles) {
+    const rolesToCreate = [];
+    for (const role of defaultRoles) {
+      const exists = await this.roleValidator.isRoleNameExists(role.name);
+      if (!exists) {
+        rolesToCreate.push(role);
+      }
+    }
+    const createdRoles = await Promise.all(rolesToCreate.map((role) => this.roleRepository.create(role)));
+    return createdRoles;
+  }
+  async getRoleIdByName(name) {
+    const role = await this.getByName(name);
+    return role?.id;
+  }
+};
+RoleService = __decorate7([
+  Injectable4(),
+  __metadata7("design:paramtypes", [typeof (_a4 = typeof RoleRepository !== "undefined" && RoleRepository) === "function" ? _a4 : Object, typeof (_b2 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b2 : Object])
+], RoleService);
+
+// src/users/UserService.ts
+import { nanoid as nanoid4 } from "nanoid";
+
+// src/shared/index.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import _isEmpty from "lodash.isempty";
+import { Err as Err3 } from "najm-core";
+var avatarsPath = path.join(process.cwd(), "avatars");
+var parseSchema = /* @__PURE__ */ __name(async (schema, data) => {
+  try {
+    return await schema.parseAsync(data);
+  } catch (error) {
+    const errors = error.issues || error.errors || [];
+    const errorMessage = errors.map((err) => `${err.path.join(".")}: ${err.message}`).join("; ");
+    Err3(errorMessage);
+  }
+}, "parseSchema");
+var clean = /* @__PURE__ */ __name((obj) => {
+  const cleaned = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (value !== null && value !== void 0 && value !== "") {
+      cleaned[key] = value;
+    }
+  }
+  return cleaned;
+}, "clean");
+var getAvatarFile = /* @__PURE__ */ __name(async (fileName) => {
+  try {
+    const filePath = path.join(avatarsPath, fileName);
+    const buffer = await fs.readFile(filePath);
+    const file = new File([buffer], fileName, {
+      type: "image/png"
+    });
+    return file;
+  } catch (error) {
+    return null;
+  }
+}, "getAvatarFile");
+var formatDate = /* @__PURE__ */ __name((dateValue) => {
+  if (!dateValue)
+    return null;
+  let date;
+  if (dateValue instanceof Date) {
+    date = dateValue;
+  } else if (typeof dateValue === "string") {
+    date = new Date(dateValue);
+  } else {
+    return null;
+  }
+  if (isNaN(date.getTime()))
+    return null;
+  return date.toISOString().split("T")[0];
+}, "formatDate");
+function calculateAge(dateOfBirth) {
+  if (!dateOfBirth)
+    return null;
+  const formattedDate = formatDate(dateOfBirth);
+  if (!formattedDate)
+    return null;
+  const birth = new Date(formattedDate);
+  const today = /* @__PURE__ */ new Date();
+  let age = today.getFullYear() - birth.getFullYear();
+  const monthDiff = today.getMonth() - birth.getMonth();
+  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < birth.getDate()) {
+    age--;
+  }
+  return age;
+}
+__name(calculateAge, "calculateAge");
+function calculateYearsOfExperience(hireDate) {
+  if (!hireDate)
+    return null;
+  const formattedDate = formatDate(hireDate);
+  if (!formattedDate)
+    return null;
+  const hire = new Date(formattedDate);
+  const today = /* @__PURE__ */ new Date();
+  let years = today.getFullYear() - hire.getFullYear();
+  const monthDiff = today.getMonth() - hire.getMonth();
+  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < hire.getDate()) {
+    years--;
+  }
+  return years;
+}
+__name(calculateYearsOfExperience, "calculateYearsOfExperience");
+function pickProps(source, keys) {
+  const result = {};
+  for (const key of keys) {
+    if (source[key] !== void 0) {
+      result[key] = source[key];
+    }
+  }
+  return result;
+}
+__name(pickProps, "pickProps");
+var isEmpty = _isEmpty;
+var isPath = /* @__PURE__ */ __name((img) => typeof img === "string" && img.trim().length > 0 && (img.startsWith("/") || img.startsWith("http") || img.startsWith("storage/")), "isPath");
+var isFile = /* @__PURE__ */ __name((img) => !!img && typeof img !== "string" && img instanceof File, "isFile");
+
+// src/users/UserService.ts
+import { Err as Err4 } from "najm-core";
+var __decorate8 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata8 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a5;
+var _b3;
+var _c;
+var _d;
+var _e;
+var _f;
+var _g;
+var _h;
+var UserService = class UserService2 {
+  static {
+    __name(this, "UserService");
+  }
+  roleValidator;
+  roleService;
+  userRepository;
+  userValidator;
+  encryptionService;
+  i18nService;
+  authConfig;
+  constructor(roleValidator, roleService, userRepository, userValidator, encryptionService, i18nService, authConfig) {
+    this.roleValidator = roleValidator;
+    this.roleService = roleService;
+    this.userRepository = userRepository;
+    this.userValidator = userValidator;
+    this.encryptionService = encryptionService;
+    this.i18nService = i18nService;
+    this.authConfig = authConfig;
+  }
+  sanitizeUser(user) {
+    if (!user)
+      return user;
+    const { password, ...sanitizedUser } = user;
+    return sanitizedUser;
+  }
+  sanitizeUsers(users) {
+    return users.map((user) => this.sanitizeUser(user)).filter(Boolean);
+  }
+  async resolveUserRole(roleId, roleName) {
+    if (roleId) {
+      await this.roleValidator.checkRoleExists(roleId);
+      return roleId;
+    }
+    if (roleName) {
+      const roleByName = await this.roleService.getByName(roleName);
+      if (roleByName) {
+        return roleByName.id;
+      }
+      Err4(`Role '${roleName}' not found`);
+    }
+    if (this.authConfig.defaultRole) {
+      const defaultRole = await this.roleService.getByName(this.authConfig.defaultRole);
+      if (!defaultRole) {
+        Err4(`Default role '${this.authConfig.defaultRole}' not found. Create it first or set defaultRole to null in auth config.`);
+      }
+      return defaultRole.id;
+    }
+    return null;
+  }
+  async getAll() {
+    const users = await this.userRepository.getAll();
+    return this.sanitizeUsers(users);
+  }
+  async getById(id) {
+    await this.userValidator.checkUserExists(id);
+    const user = await this.userRepository.getById(id);
+    return this.sanitizeUser(user);
+  }
+  async getByEmail(email2) {
+    const user = await this.userValidator.checkUserExistsByEmail(email2);
+    return this.sanitizeUser(user);
+  }
+  /**
+   * Find user by email without throwing - returns null if not found
+   * Used for timing-safe authentication
+   */
+  async findByEmail(email2) {
+    return await this.userRepository.getByEmail(email2);
+  }
+  async create(data) {
+    const { id, email: email2, image, emailVerified, password, roleId, role } = data;
+    if (!password || typeof password !== "string" || password.trim().length === 0) {
+      Err4("Password is required");
+    }
+    this.userValidator.validatePasswordStrength(password);
+    let userId = id || nanoid4(5);
+    await this.userValidator.checkEmailUnique(data.email);
+    await this.userValidator.checkUserIdIsUnique(id);
+    const hashedPassword = await this.encryptionService.hashPassword(password);
+    const resolvedRoleId = await this.resolveUserRole(roleId, role);
+    const userDetails = {
+      id: userId,
+      email: email2,
+      image,
+      password: hashedPassword,
+      roleId: resolvedRoleId,
+      emailVerified,
+      status: "pending"
+    };
+    const newUser = await this.userRepository.create(userDetails);
+    return this.sanitizeUser(newUser);
+  }
+  async update(id, data) {
+    const { password, image } = data;
+    await this.userValidator.checkUserExists(id);
+    await this.userValidator.checkEmailUnique(data.email, id);
+    let hashedPassword;
+    if (password) {
+      this.userValidator.validatePasswordStrength(password);
+      hashedPassword = await this.encryptionService.hashPassword(password);
+    }
+    const updateData = {
+      ...data,
+      image,
+      ...hashedPassword && { password: hashedPassword }
+    };
+    const cleanedUpdateData = clean(updateData);
+    const updatedUser = await this.userRepository.update(id, cleanedUpdateData);
+    return this.sanitizeUser(updatedUser);
+  }
+  async delete(id) {
+    await this.userValidator.checkUserExists(id);
+    const user = await this.userRepository.delete(id);
+    return this.sanitizeUser(user);
+  }
+  async deleteAll() {
+    const deletedUsers = await this.userRepository.deleteAll();
+    return this.sanitizeUsers(deletedUsers);
+  }
+  async getRoleName(id) {
+    await this.userValidator.checkUserExists(id);
+    return await this.userRepository.getRoleNameById(id);
+  }
+  async getPassword(email2) {
+    await this.userValidator.checkUserExistsByEmail(email2);
+    return await this.userRepository.getUserPassword(email2);
+  }
+  async assignRole(id, roleId, roleName) {
+    await this.userValidator.checkUserExists(id);
+    const resolvedRoleId = await this.resolveUserRole(roleId, roleName);
+    const updatedUser = await this.userRepository.update(id, { roleId: resolvedRoleId });
+    return this.sanitizeUser(updatedUser);
+  }
+  async removeRole(id) {
+    await this.userValidator.checkUserExists(id);
+    const updatedUser = await this.userRepository.update(id, { roleId: null });
+    return this.sanitizeUser(updatedUser);
+  }
+  async seedAdminUser(config) {
+    if (!config?.email || !config?.password) {
+      Err4("Admin email and password must be provided via config parameter");
+    }
+    if (config.password.length < 12) {
+      Err4("Admin password must be at least 12 characters");
+    }
+    const adminRole = await this.roleValidator.checkAdminRoleExists();
+    const existingUser = await this.userRepository.getByEmail(config.email);
+    if (existingUser) {
+      await this.delete(existingUser.id);
+    }
+    const newAdminUser = await this.create({
+      id: nanoid4(10),
+      // Random ID instead of predictable 'USR00'
+      name: config.name || "System Administrator",
+      email: config.email,
+      password: config.password,
+      image: null,
+      roleId: adminRole.id,
+      status: "active",
+      emailVerified: true
+    });
+    return this.sanitizeUser(newAdminUser);
+  }
+  async updateLang(language) {
+    this.i18nService.setLanguage(language);
+    return language;
+  }
+  async getLang() {
+    return this.i18nService.getCurrentLanguage();
+  }
+};
+__decorate8([
+  Transaction(),
+  __metadata8("design:type", Function),
+  __metadata8("design:paramtypes", [typeof (_g = typeof Record !== "undefined" && Record) === "function" ? _g : Object]),
+  __metadata8("design:returntype", typeof (_h = typeof Promise !== "undefined" && Promise) === "function" ? _h : Object)
+], UserService.prototype, "create", null);
+UserService = __decorate8([
+  Injectable5(),
+  __param(6, Inject4(AUTH_CONFIG)),
+  __metadata8("design:paramtypes", [typeof (_a5 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _a5 : Object, typeof (_b3 = typeof RoleService !== "undefined" && RoleService) === "function" ? _b3 : Object, typeof (_c = typeof UserRepository !== "undefined" && UserRepository) === "function" ? _c : Object, typeof (_d = typeof UserValidator !== "undefined" && UserValidator) === "function" ? _d : Object, typeof (_e = typeof EncryptionService !== "undefined" && EncryptionService) === "function" ? _e : Object, typeof (_f = typeof I18nService !== "undefined" && I18nService) === "function" ? _f : Object, Object])
+], UserService);
+
+// src/tokens/TokenService.ts
+import { Injectable as Injectable6, Inject as Inject6 } from "najm-core";
+import { I18n as I18n3 } from "najm-i18n";
+import { CacheService } from "najm-cache";
+import jwt from "jsonwebtoken";
+import { jwtDecode } from "jwt-decode";
+import bcrypt2 from "bcryptjs";
+import { nanoid as nanoid5 } from "nanoid";
+
+// src/tokens/TokenRepository.ts
+import { eq as eq4 } from "drizzle-orm";
+import { Repository as Repository3, Inject as Inject5 } from "najm-core";
+import { DB as DB3 } from "najm-database";
+var __decorate9 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata9 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var TokenRepository = class TokenRepository2 {
+  static {
+    __name(this, "TokenRepository");
+  }
+  db;
+  schema;
+  get tokens() {
+    return this.schema.tokens;
+  }
+  get users() {
+    return this.schema.users;
+  }
+  get roles() {
+    return this.schema.roles;
+  }
+  /** Shared query helper */
+  get q() {
+    return new AuthQueries(this.db, this.schema);
+  }
+  async storeRefreshToken(tokenData) {
+    return await this.db.insert(this.tokens).values(tokenData).onConflictDoUpdate({
+      target: this.tokens.userId,
+      set: {
+        token: tokenData.token,
+        expiresAt: tokenData.expiresAt
+      }
+    }).returning();
+  }
+  async getRefreshToken(userId) {
+    const [token] = await this.db.select().from(this.tokens).where(eq4(this.tokens.userId, userId));
+    return token?.token;
+  }
+  async revokeToken(userId) {
+    const [deletedToken] = await this.db.delete(this.tokens).where(eq4(this.tokens.userId, userId)).returning();
+    return deletedToken;
+  }
+  async isUserExists(userId) {
+    const [user] = await this.db.select({ id: this.users.id }).from(this.users).where(eq4(this.users.id, userId)).limit(1);
+    return !!user;
+  }
+  async getRoleNameById(userId) {
+    return this.q.getRoleName(userId);
+  }
+  async getUserPermissions(userId) {
+    return this.q.getUserPermissions(userId);
+  }
+  async getUser(userId) {
+    const [user] = await this.db.select(this.q.userSelection()).from(this.users).leftJoin(this.roles, eq4(this.users.roleId, this.roles.id)).where(eq4(this.users.id, userId)).limit(1);
+    if (!user)
+      return null;
+    return {
+      ...user,
+      permissions: await this.q.getUserPermissions(userId)
+    };
+  }
+};
+__decorate9([
+  DB3(),
+  __metadata9("design:type", Object)
+], TokenRepository.prototype, "db", void 0);
+__decorate9([
+  Inject5(AUTH_SCHEMA),
+  __metadata9("design:type", Object)
+], TokenRepository.prototype, "schema", void 0);
+TokenRepository = __decorate9([
+  Repository3()
+], TokenRepository);
+
+// src/tokens/TokenService.ts
+import timestring2 from "timestring";
+import { Err as Err5 } from "najm-core";
+var __decorate10 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata10 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a6;
+var _b4;
+var _c2;
+var TokenService = class TokenService2 {
+  static {
+    __name(this, "TokenService");
+  }
+  tokenRepository;
+  cookieManager;
+  cache;
+  config;
+  t;
+  constructor(tokenRepository, cookieManager, cache2) {
+    this.tokenRepository = tokenRepository;
+    this.cookieManager = cookieManager;
+    this.cache = cache2;
+  }
+  /**
+   * Get blacklist key prefix
+   */
+  get blacklistPrefix() {
+    return this.config.blacklistPrefix ?? "auth:blacklist:";
+  }
+  // ============ TOKEN VALIDATION ============
+  extractAccessToken(authorization) {
+    if (authorization?.startsWith("Bearer ")) {
+      return authorization.split(" ")[1];
+    }
+    Err5(this.t("errors.tokenMissing"));
+  }
+  /**
+   * Verify access token and check blacklist
+   * Throws error if token is invalid, expired, or blacklisted
+   */
+  async verifyAccessToken(token) {
+    let payload;
+    try {
+      payload = jwt.verify(token, this.config.jwt.accessSecret);
+    } catch {
+      Err5(this.t("errors.tokenVerificationFailed"));
+    }
+    if (payload.jti) {
+      const isBlacklisted = await this.isTokenBlacklisted(payload.jti);
+      if (isBlacklisted) {
+        Err5(this.t("errors.tokenRevoked"));
+      }
+    }
+    return payload;
+  }
+  verifyRefreshToken(token) {
+    try {
+      const decoded = jwt.verify(token, this.config.jwt.refreshSecret);
+      return decoded.userId;
+    } catch {
+      Err5(this.t("errors.tokenVerificationFailed"));
+    }
+  }
+  // ============ USER RETRIEVAL (MAIN METHOD) ============
+  async getUser(auth2) {
+    if (!auth2)
+      return null;
+    const token = this.extractAccessToken(auth2);
+    const { userId } = await this.verifyAccessToken(token);
+    return this.tokenRepository.getUser(userId);
+  }
+  // ============ TOKEN GENERATION ============
+  getTokenExpire(token) {
+    return jwtDecode(token).exp;
+  }
+  /**
+   * Generate access token with unique jti for blacklist support
+   */
+  generateAccessToken(data) {
+    const jti = nanoid5(16);
+    return jwt.sign({ ...data, jti }, this.config.jwt.accessSecret, {
+      expiresIn: this.config.jwt.accessExpiresIn
+    });
+  }
+  /**
+   * Generate refresh token with unique jti
+   */
+  generateRefreshToken(data) {
+    const jti = nanoid5(16);
+    return jwt.sign({ ...data, jti }, this.config.jwt.refreshSecret, {
+      expiresIn: this.config.jwt.refreshExpiresIn
+    });
+  }
+  async generateTokens(userId) {
+    const tokenData = { userId };
+    const accessToken = this.generateAccessToken(tokenData);
+    const refreshToken = this.generateRefreshToken(tokenData);
+    await this.storeRefreshToken(userId, refreshToken);
+    return {
+      accessToken,
+      refreshToken,
+      accessTokenExpiresAt: this.getTokenExpire(accessToken),
+      refreshTokenExpiresAt: this.getTokenExpire(refreshToken)
+    };
+  }
+  // ============ TOKEN BLACKLIST (Cache) ============
+  /**
+   * Blacklist an access token by its jti
+   * Token will be rejected until it naturally expires
+   */
+  async blacklistToken(jti, expiresInSeconds) {
+    const key = `${this.blacklistPrefix}${jti}`;
+    await this.cache.set(key, "1", expiresInSeconds * 1e3);
+  }
+  /**
+   * Check if a token is blacklisted
+   */
+  async isTokenBlacklisted(jti) {
+    const key = `${this.blacklistPrefix}${jti}`;
+    return this.cache.exists(key);
+  }
+  /**
+   * Blacklist the current access token (for logout)
+   * Extracts jti and remaining TTL from the token
+   */
+  async blacklistCurrentToken(token) {
+    try {
+      const decoded = jwtDecode(token);
+      if (!decoded.jti) {
+        return;
+      }
+      const now = Math.floor(Date.now() / 1e3);
+      const exp = decoded.exp ?? now;
+      const ttl = Math.max(0, exp - now);
+      if (ttl > 0) {
+        await this.blacklistToken(decoded.jti, ttl);
+      }
+    } catch {
+    }
+  }
+  // ============ REFRESH TOKEN ============
+  /**
+   * Store hashed refresh token in database for security
+   * This prevents token theft in case of database breach
+   */
+  async storeRefreshToken(userId, refreshToken) {
+    const expireInSecond = timestring2(this.config.jwt.refreshExpiresIn, "s");
+    const hashedToken = await bcrypt2.hash(refreshToken, 10);
+    await this.tokenRepository.storeRefreshToken({
+      userId,
+      token: hashedToken,
+      expiresAt: new Date(Date.now() + expireInSecond * 1e3).toISOString()
+    });
+  }
+  /**
+   * Refresh tokens with secure token comparison
+   * Compares provided token with hashed version in database
+   */
+  async refreshTokens() {
+    const refreshToken = this.cookieManager.getRefreshToken();
+    if (!refreshToken) {
+      Err5(this.t("errors.refreshTokenMissing"));
+    }
+    const userId = this.verifyRefreshToken(refreshToken);
+    const storedHashedToken = await this.tokenRepository.getRefreshToken(userId);
+    if (!storedHashedToken) {
+      Err5(this.t("errors.refreshTokenInvalid"));
+    }
+    const isValid = await bcrypt2.compare(refreshToken, storedHashedToken);
+    if (!isValid) {
+      Err5(this.t("errors.refreshTokenInvalid"));
+    }
+    return this.generateTokens(userId);
+  }
+  async revokeToken(userId) {
+    return this.tokenRepository.revokeToken(userId);
+  }
+  /**
+   * Logout user - blacklist access token and revoke refresh token
+   */
+  async logout(userId, authorization) {
+    if (authorization) {
+      try {
+        const accessToken = this.extractAccessToken(authorization);
+        await this.blacklistCurrentToken(accessToken);
+      } catch {
+      }
+    }
+    await this.revokeToken(userId);
+  }
+  // ============ PASSWORD RESET TOKENS ============
+  /**
+   * Generate secure password reset token
+   * Returns both the plain token (to send via email) and userId for identification
+   */
+  generateResetToken(userId) {
+    const resetData = {
+      userId,
+      type: "reset",
+      timestamp: Date.now()
+    };
+    const token = jwt.sign(resetData, this.config.jwt.accessSecret, {
+      expiresIn: "1h"
+    });
+    return { token, userId };
+  }
+  /**
+   * Verify password reset token
+   * Returns userId if valid, throws error if expired/invalid
+   */
+  verifyResetToken(token) {
+    try {
+      const decoded = jwt.verify(token, this.config.jwt.accessSecret);
+      if (decoded.type !== "reset") {
+        Err5(this.t("errors.invalidResetToken"));
+      }
+      return decoded.userId;
+    } catch (error) {
+      Err5(this.t("errors.resetTokenExpired"));
+    }
+  }
+};
+__decorate10([
+  Inject6(AUTH_CONFIG),
+  __metadata10("design:type", Object)
+], TokenService.prototype, "config", void 0);
+__decorate10([
+  I18n3("auth"),
+  __metadata10("design:type", Object)
+], TokenService.prototype, "t", void 0);
+TokenService = __decorate10([
+  Injectable6(),
+  __metadata10("design:paramtypes", [typeof (_a6 = typeof TokenRepository !== "undefined" && TokenRepository) === "function" ? _a6 : Object, typeof (_b4 = typeof CookieManager !== "undefined" && CookieManager) === "function" ? _b4 : Object, typeof (_c2 = typeof CacheService !== "undefined" && CacheService) === "function" ? _c2 : Object])
+], TokenService);
+
+// src/auth/AuthService.ts
+var __decorate11 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata11 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AuthService_1;
+var _a7;
+var _b5;
+var _c3;
+var _d2;
+var _e2;
+var _f2;
+var AuthService = class AuthService2 {
+  static {
+    __name(this, "AuthService");
+  }
+  static {
+    AuthService_1 = this;
+  }
+  tokenService;
+  userService;
+  userValidator;
+  cookieManager;
+  i18nService;
+  emailService;
+  t;
+  logger;
+  static DUMMY_HASH = "$2b$10$dummyhashfortimingatackprevention000000000000000";
+  constructor(tokenService, userService, userValidator, cookieManager, i18nService, emailService) {
+    this.tokenService = tokenService;
+    this.userService = userService;
+    this.userValidator = userValidator;
+    this.cookieManager = cookieManager;
+    this.i18nService = i18nService;
+    this.emailService = emailService;
+  }
+  async registerUser(body) {
+    return await this.userService.create(body);
+  }
+  async loginUser(body) {
+    const { email: email2, password } = body;
+    const user = await this.userService.findByEmail(email2);
+    const storedHash = user?.password ?? AuthService_1.DUMMY_HASH;
+    const isValid = await this.userValidator.comparePassword(password, storedHash);
+    if (!user || !isValid) {
+      Err6(this.t("errors.invalidCredentials"));
+    }
+    const data = await this.tokenService.generateTokens(user.id);
+    this.cookieManager.setRefreshToken(data.refreshToken);
+    return data;
+  }
+  async refreshTokens() {
+    const data = await this.tokenService.refreshTokens();
+    this.cookieManager.setRefreshToken(data.refreshToken);
+    return data;
+  }
+  async logoutUser(userId, authorization) {
+    await this.userValidator.checkUserExists(userId);
+    await this.tokenService.logout(userId, authorization);
+    this.cookieManager.clearRefreshToken();
+    return { data: null, message: this.t("auth.success.logout") };
+  }
+  async getUserProfile(userData) {
+    const lang = this.i18nService.getCurrentLanguage();
+    return {
+      ...userData,
+      language: lang
+    };
+  }
+  async forgotPassword(email2) {
+    const user = await this.userService.findByEmail(email2);
+    if (user) {
+      const { token } = this.tokenService.generateResetToken(user.id);
+      const resetLink = `${process.env.FRONTEND_URL || "http://localhost:3000"}/reset-password?token=${token}`;
+      try {
+        await this.emailService.sendHtml(email2, this.t("emails.passwordReset.subject"), passwordResetTemplate({
+          resetLink,
+          userName: user.name || email2
+        }));
+      } catch (error) {
+        this.logger.warn("Password reset email failed", { email: email2, error });
+      }
+    }
+    return { message: this.t("success.passwordResetSent") };
+  }
+  async resetPassword(token, newPassword) {
+    const userId = this.tokenService.verifyResetToken(token);
+    this.userValidator.validatePasswordStrength(newPassword);
+    await this.userService.update(userId, { password: newPassword });
+    await this.tokenService.revokeToken(userId);
+    return { message: this.t("success.passwordReset") };
+  }
+};
+__decorate11([
+  I18n4("auth"),
+  __metadata11("design:type", Object)
+], AuthService.prototype, "t", void 0);
+__decorate11([
+  Log(),
+  __metadata11("design:type", Object)
+], AuthService.prototype, "logger", void 0);
+AuthService = AuthService_1 = __decorate11([
+  Injectable7(),
+  __metadata11("design:paramtypes", [typeof (_a7 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a7 : Object, typeof (_b5 = typeof UserService !== "undefined" && UserService) === "function" ? _b5 : Object, typeof (_c3 = typeof UserValidator !== "undefined" && UserValidator) === "function" ? _c3 : Object, typeof (_d2 = typeof CookieManager !== "undefined" && CookieManager) === "function" ? _d2 : Object, typeof (_e2 = typeof I18nService2 !== "undefined" && I18nService2) === "function" ? _e2 : Object, typeof (_f2 = typeof EmailService !== "undefined" && EmailService) === "function" ? _f2 : Object])
+], AuthService);
+
+// src/auth/AuthGuard.ts
+import { Service as Service2, Inject as Inject7 } from "najm-core";
+import { Headers } from "najm-core";
+import { createGuard } from "najm-guard";
+var __decorate12 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata12 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param2 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a8;
+var _b6;
+var AuthGuard = class AuthGuard2 {
+  static {
+    __name(this, "AuthGuard");
+  }
+  tokenService;
+  async canActivate(auth2) {
+    if (!auth2)
+      return false;
+    try {
+      const user = await this.tokenService.getUser(auth2);
+      if (!user)
+        return false;
+      return { user };
+    } catch (error) {
+      return false;
+    }
+  }
+};
+__decorate12([
+  Inject7(TokenService),
+  __metadata12("design:type", typeof (_a8 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a8 : Object)
+], AuthGuard.prototype, "tokenService", void 0);
+__decorate12([
+  __param2(0, Headers("authorization")),
+  __metadata12("design:type", Function),
+  __metadata12("design:paramtypes", [String]),
+  __metadata12("design:returntype", typeof (_b6 = typeof Promise !== "undefined" && Promise) === "function" ? _b6 : Object)
+], AuthGuard.prototype, "canActivate", null);
+AuthGuard = __decorate12([
+  Service2()
+], AuthGuard);
+var isAuth = createGuard(AuthGuard);
+
+// src/auth/AuthController.ts
+import { Validate } from "najm-validation";
+import { RateLimit } from "najm-rate";
+
+// src/users/UserDto.ts
+import { z } from "zod";
+var emailField = z.string().email("Invalid email format");
+var passwordField = z.string().min(8, "Password must be at least 8 characters");
+var nameField = z.string().min(2, "Name must be at least 2 characters").max(100, "Name too long");
+var optionalDateField = z.string().regex(/^\d{4}-\d{2}-\d{2}$/, "Date must be in YYYY-MM-DD format").nullable().optional();
+var createUserDto = z.object({
+  email: emailField,
+  password: passwordField,
+  username: nameField.max(50).optional(),
+  roleId: z.string().min(1).optional(),
+  image: z.union([z.string(), z.instanceof(File)]).optional(),
+  emailVerified: z.boolean().default(false),
+  status: z.enum(["active", "inactive", "pending"]).default("pending")
+});
+var updateUserDto = createUserDto.partial();
+var userIdParam = z.object({
+  id: z.string().min(1, "User ID is required")
+});
+var loginDto = z.object({
+  email: emailField,
+  password: passwordField
+});
+var changePasswordDto = z.object({
+  currentPassword: passwordField,
+  newPassword: passwordField
+});
+var resetPasswordDto = z.object({
+  email: emailField
+});
+var confirmResetPasswordDto = z.object({
+  token: z.string().min(10, "Invalid reset token"),
+  newPassword: passwordField
+});
+var languageParam = z.object({
+  language: z.string().min(2)
+});
+var emailParam = z.object({
+  email: emailField
+});
+var userIdInParam = z.object({
+  userId: z.string().min(1, "User ID is required")
+});
+var assignRoleParams = z.object({
+  userId: z.string().min(1, "User ID is required"),
+  roleId: z.string().min(1)
+});
+
+// src/auth/AuthController.ts
+var __decorate13 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata13 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param3 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a9;
+var AuthController = class AuthController2 {
+  static {
+    __name(this, "AuthController");
+  }
+  authService;
+  constructor(authService) {
+    this.authService = authService;
+  }
+  async registerUser(body) {
+    return this.authService.registerUser(body);
+  }
+  async loginUser(body) {
+    return this.authService.loginUser(body);
+  }
+  async refreshTokens() {
+    return this.authService.refreshTokens();
+  }
+  async logoutUser(userId, authorization) {
+    return this.authService.logoutUser(userId, authorization);
+  }
+  async userProfile(user) {
+    return this.authService.getUserProfile(user);
+  }
+  async forgotPassword(body) {
+    return this.authService.forgotPassword(body.email);
+  }
+  async resetPassword(body) {
+    return this.authService.resetPassword(body.token, body.newPassword);
+  }
+};
+__decorate13([
+  Post("/register"),
+  RateLimit({ limit: 5, window: "15m", key: "ip" }),
+  Validate(createUserDto),
+  ResMsg("auth.success.register"),
+  __param3(0, Body()),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [Object]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "registerUser", null);
+__decorate13([
+  Post("/login"),
+  RateLimit({ limit: 5, window: "15m", key: "ip", message: "Too many login attempts. Please try again later." }),
+  Validate(loginDto),
+  ResMsg("auth.success.login"),
+  __param3(0, Body()),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [Object]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "loginUser", null);
+__decorate13([
+  Get("/refresh"),
+  RateLimit({ limit: 10, window: "15m", key: "ip" }),
+  ResMsg("auth.success.tokenRefreshed"),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", []),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "refreshTokens", null);
+__decorate13([
+  Get("/logout"),
+  isAuth(),
+  __param3(0, User("id")),
+  __param3(1, Headers2("authorization")),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [String, String]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "logoutUser", null);
+__decorate13([
+  Get("/me"),
+  isAuth(),
+  ResMsg("auth.users.success.retrieved"),
+  __param3(0, User()),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [Object]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "userProfile", null);
+__decorate13([
+  Post("/forgot-password"),
+  RateLimit({ limit: 3, window: "15m", key: "ip", message: "Too many password reset requests. Please try again later." }),
+  Validate(resetPasswordDto),
+  ResMsg("auth.success.passwordResetSent"),
+  __param3(0, Body()),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [Object]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "forgotPassword", null);
+__decorate13([
+  Post("/reset-password"),
+  RateLimit({ limit: 5, window: "15m", key: "ip", message: "Too many password reset attempts. Please try again later." }),
+  Validate(confirmResetPasswordDto),
+  ResMsg("auth.success.passwordReset"),
+  __param3(0, Body()),
+  __metadata13("design:type", Function),
+  __metadata13("design:paramtypes", [Object]),
+  __metadata13("design:returntype", Promise)
+], AuthController.prototype, "resetPassword", null);
+AuthController = __decorate13([
+  Controller("/auth"),
+  __metadata13("design:paramtypes", [typeof (_a9 = typeof AuthService !== "undefined" && AuthService) === "function" ? _a9 : Object])
+], AuthController);
+
+// src/auth/index.ts
+var AUTH_MODULE = [
+  AuthService,
+  CookieManager,
+  EncryptionService,
+  AuthGuard,
+  AuthController
+];
+
+// src/users/index.ts
+var users_exports = {};
+__export(users_exports, {
+  UserController: () => UserController,
+  UserRepository: () => UserRepository,
+  UserService: () => UserService,
+  UserValidator: () => UserValidator,
+  assignRoleParams: () => assignRoleParams,
+  changePasswordDto: () => changePasswordDto,
+  confirmResetPasswordDto: () => confirmResetPasswordDto,
+  createUserDto: () => createUserDto,
+  emailParam: () => emailParam,
+  languageParam: () => languageParam,
+  loginDto: () => loginDto,
+  resetPasswordDto: () => resetPasswordDto,
+  updateUserDto: () => updateUserDto,
+  userIdInParam: () => userIdInParam,
+  userIdParam: () => userIdParam
+});
+
+// src/users/UserController.ts
+import { Controller as Controller3 } from "najm-core";
+import { Get as Get3, Post as Post3, Put as Put2, Delete as Delete2, ResMsg as ResMsg3 } from "najm-core";
+import { Params as Params2, Body as Body3 } from "najm-core";
+
+// src/roles/index.ts
+var roles_exports = {};
+__export(roles_exports, {
+  ROLES: () => ROLES,
+  ROLE_GROUPS: () => ROLE_GROUPS,
+  Role: () => Role,
+  RoleController: () => RoleController,
+  RoleGuard: () => RoleGuard,
+  RoleRepository: () => RoleRepository,
+  RoleService: () => RoleService,
+  RoleValidator: () => RoleValidator,
+  assignRoleDto: () => assignRoleDto,
+  createRoleDto: () => createRoleDto,
+  isAdmin: () => isAdmin,
+  isAdministrator: () => isAdministrator,
+  roleIdParam: () => roleIdParam,
+  updateRoleDto: () => updateRoleDto
+});
+
+// src/roles/RoleGuards.ts
+import { Service as Service3 } from "najm-core";
+import { GuardParams, User as User2 } from "najm-core";
+import { composeGuards, createGuard as createGuard2 } from "najm-guard";
+var __decorate14 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata14 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param4 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var RoleGuard = class RoleGuard2 {
+  static {
+    __name(this, "RoleGuard");
+  }
+  canActivate(allowedRoles, userRole) {
+    if (!userRole)
+      return false;
+    const requiredRoles = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
+    const hasRole = requiredRoles.some((r) => r.toLowerCase() === userRole.toLowerCase());
+    if (hasRole) {
+      return { role: userRole };
+    }
+    return false;
+  }
+};
+__decorate14([
+  __param4(0, GuardParams()),
+  __param4(1, User2("role")),
+  __metadata14("design:type", Function),
+  __metadata14("design:paramtypes", [Object, String]),
+  __metadata14("design:returntype", void 0)
+], RoleGuard.prototype, "canActivate", null);
+RoleGuard = __decorate14([
+  Service3()
+], RoleGuard);
+var Role = createGuard2(RoleGuard);
+var isAdmin = composeGuards(isAuth(), Role(ROLES.ADMIN));
+var isAdministrator = composeGuards(isAuth(), Role(ROLE_GROUPS.ADMINISTRATORS));
+
+// src/roles/RoleController.ts
+import { Controller as Controller2 } from "najm-core";
+import { Get as Get2, Post as Post2, Put, Delete, ResMsg as ResMsg2 } from "najm-core";
+import { Params, Body as Body2 } from "najm-core";
+import { Validate as Validate2 } from "najm-validation";
+
+// src/roles/RoleDto.ts
+import { z as z2 } from "zod";
+var nameField2 = z2.string().min(2, "Name must be at least 2 characters").max(50, "Name too long");
+var descriptionField = z2.string().max(255, "Description too long").optional();
+var createRoleDto = z2.object({
+  name: nameField2,
+  description: descriptionField
+});
+var updateRoleDto = createRoleDto.partial();
+var roleIdParam = z2.object({
+  id: z2.string().length(5, "Role ID must be 5 characters")
+});
+var assignRoleDto = z2.object({
+  userId: z2.string().length(8, "User ID must be 8 characters"),
+  roleId: z2.string().length(5, "Role ID must be 5 characters")
+});
+
+// src/roles/RoleController.ts
+var __decorate15 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata15 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param5 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a10;
+var RoleController = class RoleController2 {
+  static {
+    __name(this, "RoleController");
+  }
+  roleService;
+  constructor(roleService) {
+    this.roleService = roleService;
+  }
+  async getRoles() {
+    return this.roleService.getAll();
+  }
+  async getRole(params) {
+    return this.roleService.getById(params.id);
+  }
+  async createRole(body) {
+    return this.roleService.create(body);
+  }
+  async updateRole(params, body) {
+    return this.roleService.update(params.id, body);
+  }
+  async deleteRole(params) {
+    return this.roleService.delete(params.id);
+  }
+};
+__decorate15([
+  Get2(),
+  isAdmin(),
+  ResMsg2("roles.success.retrieved"),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", []),
+  __metadata15("design:returntype", Promise)
+], RoleController.prototype, "getRoles", null);
+__decorate15([
+  Get2("/:id"),
+  isAdmin(),
+  Validate2({ params: roleIdParam }),
+  ResMsg2("roles.success.retrieved"),
+  __param5(0, Params()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object]),
+  __metadata15("design:returntype", Promise)
+], RoleController.prototype, "getRole", null);
+__decorate15([
+  Post2(),
+  isAdmin(),
+  Validate2(createRoleDto),
+  ResMsg2("roles.success.created"),
+  __param5(0, Body2()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object]),
+  __metadata15("design:returntype", Promise)
+], RoleController.prototype, "createRole", null);
+__decorate15([
+  Put("/:id"),
+  isAdmin(),
+  Validate2({
+    params: roleIdParam,
+    body: updateRoleDto
+  }),
+  ResMsg2("roles.success.updated"),
+  __param5(0, Params()),
+  __param5(1, Body2()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object, Object]),
+  __metadata15("design:returntype", Promise)
+], RoleController.prototype, "updateRole", null);
+__decorate15([
+  Delete("/:id"),
+  isAdmin(),
+  Validate2({ params: roleIdParam }),
+  ResMsg2("roles.success.deleted"),
+  __param5(0, Params()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object]),
+  __metadata15("design:returntype", Promise)
+], RoleController.prototype, "deleteRole", null);
+RoleController = __decorate15([
+  Controller2("/roles"),
+  __metadata15("design:paramtypes", [typeof (_a10 = typeof RoleService !== "undefined" && RoleService) === "function" ? _a10 : Object])
+], RoleController);
+
+// src/users/UserController.ts
+import { Validate as Validate3 } from "najm-validation";
+var __decorate16 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata16 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param6 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a11;
+var UserController = class UserController2 {
+  static {
+    __name(this, "UserController");
+  }
+  userService;
+  constructor(userService) {
+    this.userService = userService;
+  }
+  async getUsers() {
+    return this.userService.getAll();
+  }
+  async getLang() {
+    const language = await this.userService.getLang();
+    return { language };
+  }
+  async updateLang(params) {
+    return this.userService.updateLang(params.language);
+  }
+  async getUser(params) {
+    return this.userService.getById(params.id);
+  }
+  async getByEmail(params) {
+    return this.userService.getByEmail(params.email);
+  }
+  async getRole(params) {
+    return this.userService.getRoleName(params.userId);
+  }
+  async create(body) {
+    return this.userService.create(body);
+  }
+  async update(params, body) {
+    return this.userService.update(params.id, body);
+  }
+  async delete(params) {
+    return this.userService.delete(params.id);
+  }
+  async deleteAll() {
+    return this.userService.deleteAll();
+  }
+  async assignRole(params) {
+    return this.userService.assignRole(params.userId, params.roleId);
+  }
+  async removeRole(params) {
+    return this.userService.removeRole(params.userId);
+  }
+};
+__decorate16([
+  Get3(),
+  isAdmin(),
+  ResMsg3("users.success.retrieved"),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", []),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "getUsers", null);
+__decorate16([
+  Get3("/lang"),
+  isAuth(),
+  ResMsg3("users.success.retrieved"),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", []),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "getLang", null);
+__decorate16([
+  Post3("/lang/:language"),
+  isAuth(),
+  Validate3({ params: languageParam }),
+  ResMsg3("users.success.updated"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "updateLang", null);
+__decorate16([
+  Get3("/:id"),
+  isAdmin(),
+  Validate3({ params: userIdParam }),
+  ResMsg3("users.success.retrieved"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "getUser", null);
+__decorate16([
+  Get3("/email/:email"),
+  isAdmin(),
+  Validate3({ params: emailParam }),
+  ResMsg3("users.success.retrieved"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "getByEmail", null);
+__decorate16([
+  Get3("/role/:userId"),
+  isAdmin(),
+  Validate3({ params: userIdInParam }),
+  ResMsg3("users.success.retrieved"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "getRole", null);
+__decorate16([
+  Post3(),
+  isAdmin(),
+  Validate3(createUserDto),
+  ResMsg3("users.success.created"),
+  __param6(0, Body3()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "create", null);
+__decorate16([
+  Put2("/:id"),
+  isAdmin(),
+  Validate3({
+    params: userIdParam,
+    body: updateUserDto
+  }),
+  ResMsg3("users.success.updated"),
+  __param6(0, Params2()),
+  __param6(1, Body3()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object, Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "update", null);
+__decorate16([
+  Delete2("/:id"),
+  isAdmin(),
+  Validate3({ params: userIdParam }),
+  ResMsg3("users.success.deleted"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "delete", null);
+__decorate16([
+  Delete2(),
+  isAdmin(),
+  ResMsg3("users.success.allDeleted"),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", []),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "deleteAll", null);
+__decorate16([
+  Post3("/assign/:userId/:roleId"),
+  isAdmin(),
+  Validate3({ params: assignRoleParams }),
+  ResMsg3("users.success.updated"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "assignRole", null);
+__decorate16([
+  Delete2("/remove/:userId"),
+  isAdmin(),
+  Validate3({ params: userIdInParam }),
+  ResMsg3("users.success.updated"),
+  __param6(0, Params2()),
+  __metadata16("design:type", Function),
+  __metadata16("design:paramtypes", [Object]),
+  __metadata16("design:returntype", Promise)
+], UserController.prototype, "removeRole", null);
+UserController = __decorate16([
+  Controller3("/users"),
+  __metadata16("design:paramtypes", [typeof (_a11 = typeof UserService !== "undefined" && UserService) === "function" ? _a11 : Object])
+], UserController);
+
+// src/permissions/index.ts
+var permissions_exports = {};
+__export(permissions_exports, {
+  Can: () => Can,
+  PermissionController: () => PermissionController,
+  PermissionGuard: () => PermissionGuard,
+  PermissionRepository: () => PermissionRepository,
+  PermissionService: () => PermissionService,
+  PermissionValidator: () => PermissionValidator,
+  assignPermissionDto: () => assignPermissionDto,
+  canCreate: () => canCreate,
+  canDelete: () => canDelete,
+  canManage: () => canManage,
+  canRead: () => canRead,
+  canUpdate: () => canUpdate,
+  checkPermissionDto: () => checkPermissionDto,
+  createPermissionDto: () => createPermissionDto,
+  permissionIdParam: () => permissionIdParam,
+  updatePermissionDto: () => updatePermissionDto
+});
+
+// src/permissions/PermissionRepository.ts
+import { eq as eq5, and } from "drizzle-orm";
+import { Repository as Repository4, Inject as Inject8 } from "najm-core";
+import { DB as DB4 } from "najm-database";
+var __decorate17 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata17 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var PermissionRepository = class PermissionRepository2 {
+  static {
+    __name(this, "PermissionRepository");
+  }
+  db;
+  schema;
+  get permissions() {
+    return this.schema.permissions;
+  }
+  get rolePermissions() {
+    return this.schema.rolePermissions;
+  }
+  get roles() {
+    return this.schema.roles;
+  }
+  async getAll() {
+    return await this.db.select().from(this.permissions);
+  }
+  async getById(id) {
+    const [existingPermission] = await this.db.select().from(this.permissions).where(eq5(this.permissions.id, id));
+    return existingPermission;
+  }
+  async getByName(name) {
+    const [existingPermission] = await this.db.select().from(this.permissions).where(eq5(this.permissions.name, name));
+    return existingPermission;
+  }
+  async getByResource(resource) {
+    return await this.db.select().from(this.permissions).where(eq5(this.permissions.resource, resource));
+  }
+  async create(data) {
+    const [newPermission] = await this.db.insert(this.permissions).values(data).returning();
+    return newPermission;
+  }
+  async update(id, data) {
+    const [updatedPermission] = await this.db.update(this.permissions).set(data).where(eq5(this.permissions.id, id)).returning();
+    return updatedPermission;
+  }
+  async delete(id) {
+    const [deletedPermission] = await this.db.delete(this.permissions).where(eq5(this.permissions.id, id)).returning();
+    return deletedPermission;
+  }
+  async getPermissionsByRole(roleId) {
+    return await this.db.select({
+      id: this.permissions.id,
+      name: this.permissions.name,
+      description: this.permissions.description,
+      resource: this.permissions.resource,
+      action: this.permissions.action
+    }).from(this.rolePermissions).leftJoin(this.permissions, eq5(this.rolePermissions.permissionId, this.permissions.id)).where(eq5(this.rolePermissions.roleId, roleId));
+  }
+  async getRolesByPermission(permissionId) {
+    return await this.db.select({
+      id: this.roles.id,
+      name: this.roles.name,
+      description: this.roles.description
+    }).from(this.rolePermissions).leftJoin(this.roles, eq5(this.rolePermissions.roleId, this.roles.id)).where(eq5(this.rolePermissions.permissionId, permissionId));
+  }
+  async assignPermissionToRole(roleId, permissionId) {
+    const [newRolePermission] = await this.db.insert(this.rolePermissions).values({ roleId, permissionId }).returning();
+    return newRolePermission;
+  }
+  async removePermissionFromRole(roleId, permissionId) {
+    const [deletedRolePermission] = await this.db.delete(this.rolePermissions).where(and(eq5(this.rolePermissions.roleId, roleId), eq5(this.rolePermissions.permissionId, permissionId))).returning();
+    return deletedRolePermission;
+  }
+  async checkRoleHasPermission(roleId, permissionId) {
+    const [rolePermission] = await this.db.select().from(this.rolePermissions).where(and(eq5(this.rolePermissions.roleId, roleId), eq5(this.rolePermissions.permissionId, permissionId)));
+    return !!rolePermission;
+  }
+  async deleteAll() {
+    await this.db.delete(this.rolePermissions);
+    const deletedPermissions = await this.db.delete(this.permissions).returning();
+    return deletedPermissions;
+  }
+};
+__decorate17([
+  DB4(),
+  __metadata17("design:type", Object)
+], PermissionRepository.prototype, "db", void 0);
+__decorate17([
+  Inject8(AUTH_SCHEMA),
+  __metadata17("design:type", Object)
+], PermissionRepository.prototype, "schema", void 0);
+PermissionRepository = __decorate17([
+  Repository4()
+], PermissionRepository);
+
+// src/permissions/PermissionGuards.ts
+import { Injectable as Injectable8 } from "najm-core";
+import { GuardParams as GuardParams2, User as User3 } from "najm-core";
+import { createGuard as createGuard3, composeGuards as composeGuards2 } from "najm-guard";
+var __decorate18 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata18 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param7 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var PermissionGuard = class PermissionGuard2 {
+  static {
+    __name(this, "PermissionGuard");
+  }
+  canActivate(requiredPermission, permissions) {
+    if (!permissions || !Array.isArray(permissions))
+      return false;
+    const hasPermission = this.checkPermission(permissions, requiredPermission);
+    if (hasPermission) {
+      return { permissions };
+    }
+    return false;
+  }
+  checkPermission(permissions, required) {
+    if (permissions.includes(required))
+      return true;
+    if (permissions.includes("*:*"))
+      return true;
+    const [action, resource] = required.split(":");
+    if (action && resource) {
+      if (permissions.includes(`${action}:*`))
+        return true;
+      if (permissions.includes(`*:${resource}`))
+        return true;
+    }
+    return false;
+  }
+};
+__decorate18([
+  __param7(0, GuardParams2()),
+  __param7(1, User3("permissions")),
+  __metadata18("design:type", Function),
+  __metadata18("design:paramtypes", [String, Array]),
+  __metadata18("design:returntype", Object)
+], PermissionGuard.prototype, "canActivate", null);
+PermissionGuard = __decorate18([
+  Injectable8()
+], PermissionGuard);
+var Permission = createGuard3(PermissionGuard);
+var Can = /* @__PURE__ */ __name((permission) => composeGuards2(isAuth(), Permission(permission))(), "Can");
+var canCreate = /* @__PURE__ */ __name((resource) => Can(`create:${resource}`), "canCreate");
+var canRead = /* @__PURE__ */ __name((resource) => Can(`read:${resource}`), "canRead");
+var canUpdate = /* @__PURE__ */ __name((resource) => Can(`update:${resource}`), "canUpdate");
+var canDelete = /* @__PURE__ */ __name((resource) => Can(`delete:${resource}`), "canDelete");
+var canManage = /* @__PURE__ */ __name((resource) => Can(`*:${resource}`), "canManage");
+
+// src/permissions/PermissionController.ts
+import { Controller as Controller4 } from "najm-core";
+import { Get as Get4, Post as Post4, Put as Put3, Delete as Delete3, ResMsg as ResMsg4 } from "najm-core";
+import { Params as Params3, Body as Body4 } from "najm-core";
+
+// src/permissions/PermissionService.ts
+import { Injectable as Injectable10 } from "najm-core";
+
+// src/permissions/PermissionValidator.ts
+import { Injectable as Injectable9 } from "najm-core";
+import { I18n as I18n5 } from "najm-i18n";
+import { Err as Err7 } from "najm-core";
+var __decorate19 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata19 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a12;
+var _b7;
+var PermissionValidator = class PermissionValidator2 {
+  static {
+    __name(this, "PermissionValidator");
+  }
+  permissionRepository;
+  roleValidator;
+  t;
+  constructor(permissionRepository, roleValidator) {
+    this.permissionRepository = permissionRepository;
+    this.roleValidator = roleValidator;
+  }
+  /**
+   * Check if permission exists by ID
+   */
+  async checkPermissionExists(id) {
+    const permission = await this.permissionRepository.getById(id);
+    if (!permission) {
+      Err7(this.t("errors.notFound"), 404);
+    }
+    return permission;
+  }
+  /**
+   * Check if permission exists by name
+   */
+  async checkPermissionExistsByName(name) {
+    const permission = await this.permissionRepository.getByName(name);
+    if (!permission) {
+      Err7(this.t("errors.notFound"), 404);
+    }
+    return permission;
+  }
+  /**
+   * Check if permission name is unique
+   */
+  async checkPermissionNameUnique(name, excludeId) {
+    if (!name)
+      return;
+    const existingPermission = await this.permissionRepository.getByName(name);
+    if (existingPermission && existingPermission.id !== excludeId) {
+      Err7(this.t("errors.nameExists"), 409);
+    }
+  }
+  /**
+   * Check if role exists (delegates to RoleValidator)
+   */
+  async checkRoleExists(id) {
+    return await this.roleValidator.checkRoleExists(id);
+  }
+  /**
+   * Check if role exists by name (delegates to RoleValidator)
+   */
+  async checkRoleExistsByName(name) {
+    return await this.roleValidator.checkRoleExistsByName(name);
+  }
+  /**
+   * Check if role already has permission
+   */
+  async checkRoleHasPermission(roleId, permissionId) {
+    await this.roleValidator.checkRoleExists(roleId);
+    await this.checkPermissionExists(permissionId);
+    const hasPermission = await this.permissionRepository.checkRoleHasPermission(roleId, permissionId);
+    if (hasPermission) {
+      Err7(this.t("errors.roleAlreadyHasPermission"), 409);
+    }
+  }
+};
+__decorate19([
+  I18n5("permissions"),
+  __metadata19("design:type", Object)
+], PermissionValidator.prototype, "t", void 0);
+PermissionValidator = __decorate19([
+  Injectable9(),
+  __metadata19("design:paramtypes", [typeof (_a12 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a12 : Object, typeof (_b7 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b7 : Object])
+], PermissionValidator);
+
+// src/permissions/PermissionService.ts
+var __decorate20 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata20 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a13;
+var _b8;
+var _c4;
+var PermissionService = class PermissionService2 {
+  static {
+    __name(this, "PermissionService");
+  }
+  permissionRepository;
+  permissionValidator;
+  roleService;
+  constructor(permissionRepository, permissionValidator, roleService) {
+    this.permissionRepository = permissionRepository;
+    this.permissionValidator = permissionValidator;
+    this.roleService = roleService;
+  }
+  async getAll() {
+    return await this.permissionRepository.getAll();
+  }
+  async getById(id) {
+    await this.permissionValidator.checkPermissionExists(id);
+    return await this.permissionRepository.getById(id);
+  }
+  async getByName(name) {
+    return await this.permissionRepository.getByName(name);
+  }
+  async getByResource(resource) {
+    return await this.permissionRepository.getByResource(resource);
+  }
+  async create(data) {
+    await this.permissionValidator.checkPermissionNameUnique(data.name);
+    return await this.permissionRepository.create(data);
+  }
+  async update(id, data) {
+    await this.permissionValidator.checkPermissionExists(id);
+    await this.permissionValidator.checkPermissionNameUnique(data.name, id);
+    return await this.permissionRepository.update(id, data);
+  }
+  async delete(id) {
+    await this.permissionValidator.checkPermissionExists(id);
+    return await this.permissionRepository.delete(id);
+  }
+  async getPermissionsByRole(roleId) {
+    return await this.permissionRepository.getPermissionsByRole(roleId);
+  }
+  async getRolesByPermission(permissionId) {
+    await this.permissionValidator.checkPermissionExists(permissionId);
+    return await this.permissionRepository.getRolesByPermission(permissionId);
+  }
+  async assignPermissionToRole(roleId, permissionId) {
+    await this.permissionValidator.checkRoleHasPermission(roleId, permissionId);
+    return await this.permissionRepository.assignPermissionToRole(roleId, permissionId);
+  }
+  async removePermissionFromRole(roleId, permissionId) {
+    return await this.permissionRepository.removePermissionFromRole(roleId, permissionId);
+  }
+  async seedDefaultPermissions(defaultPermissions) {
+    const created = [];
+    const skipped = [];
+    for (const permission of defaultPermissions) {
+      try {
+        const entity = await this.create(permission);
+        created.push(entity);
+      } catch (error) {
+        skipped.push({
+          permission: permission.name,
+          reason: error instanceof Error ? error.message : String(error)
+        });
+      }
+    }
+    return { created, skipped };
+  }
+  async seedDefaultRolePermissions(defaultRolePermissions) {
+    const assigned = [];
+    const skipped = [];
+    for (const { roleName, permissions } of defaultRolePermissions) {
+      try {
+        await this.permissionValidator.checkRoleExistsByName(roleName);
+        const role = await this.roleService.getByName(roleName);
+        for (const permissionName of permissions) {
+          try {
+            await this.permissionValidator.checkPermissionExistsByName(permissionName);
+            const permission = await this.getByName(permissionName);
+            await this.permissionValidator.checkRoleHasPermission(role.id, permission.id);
+            await this.assignPermissionToRole(role.id, permission.id);
+            assigned.push({ role: roleName, permission: permissionName });
+          } catch (error) {
+            skipped.push({
+              role: roleName,
+              permission: permissionName,
+              reason: error instanceof Error ? error.message : String(error)
+            });
+          }
+        }
+      } catch (error) {
+        skipped.push({
+          role: roleName,
+          permission: "all",
+          reason: error instanceof Error ? error.message : String(error)
+        });
+      }
+    }
+    return { assigned, skipped };
+  }
+  async deleteAll() {
+    return await this.permissionRepository.deleteAll();
+  }
+};
+PermissionService = __decorate20([
+  Injectable10(),
+  __metadata20("design:paramtypes", [typeof (_a13 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a13 : Object, typeof (_b8 = typeof PermissionValidator !== "undefined" && PermissionValidator) === "function" ? _b8 : Object, typeof (_c4 = typeof RoleService !== "undefined" && RoleService) === "function" ? _c4 : Object])
+], PermissionService);
+
+// src/permissions/PermissionController.ts
+import { Validate as Validate4 } from "najm-validation";
+
+// src/permissions/PermissionDto.ts
+import { z as z3 } from "zod";
+var nameField3 = z3.string().min(2, "Name must be at least 2 characters").max(50, "Name too long");
+var descriptionField2 = z3.string().max(255, "Description too long").optional();
+var resourceField = z3.string().min(1, "Resource is required").max(50, "Resource too long");
+var actionField = z3.string().min(1, "Action is required").max(50, "Action too long");
+var createPermissionDto = z3.object({
+  name: nameField3,
+  description: descriptionField2,
+  resource: resourceField,
+  action: actionField
+});
+var updatePermissionDto = createPermissionDto.partial();
+var permissionIdParam = z3.object({
+  id: z3.string().length(5, "Permission ID must be 5 characters")
+});
+var assignPermissionDto = z3.object({
+  roleId: z3.string().length(5, "Role ID must be 5 characters"),
+  permissionId: z3.string().length(5, "Permission ID must be 5 characters")
+});
+var checkPermissionDto = z3.object({
+  userId: z3.string().length(8, "User ID must be 8 characters"),
+  resource: resourceField,
+  action: actionField
+});
+
+// src/permissions/PermissionController.ts
+var __decorate21 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata21 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param8 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a14;
+var PermissionController = class PermissionController2 {
+  static {
+    __name(this, "PermissionController");
+  }
+  permissionService;
+  constructor(permissionService) {
+    this.permissionService = permissionService;
+  }
+  // ============================================================================
+  // Option 1: @ResMsg with i18n key (recommended)
+  // ============================================================================
+  async getPermissions() {
+    return this.permissionService.getAll();
+  }
+  async getPermission(params) {
+    return this.permissionService.getById(params.id);
+  }
+  // ============================================================================
+  // Option 2: @ResMsg with plain text
+  // ============================================================================
+  async create(body) {
+    return this.permissionService.create(body);
+  }
+  async update(params, body) {
+    return this.permissionService.update(params.id, body);
+  }
+  async delete(params) {
+    return this.permissionService.delete(params.id);
+  }
+  async getByRole(params) {
+    return this.permissionService.getPermissionsByRole(params.id);
+  }
+  async getRolesByPermission(params) {
+    return this.permissionService.getRolesByPermission(params.id);
+  }
+  async assignToRole(params) {
+    return this.permissionService.assignPermissionToRole(params.roleId, params.permissionId);
+  }
+  async removeFromRole(params) {
+    return this.permissionService.removePermissionFromRole(params.roleId, params.permissionId);
+  }
+  async deleteAll() {
+    return this.permissionService.deleteAll();
+  }
+};
+__decorate21([
+  Get4(),
+  ResMsg4("permissions.success.retrieved"),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", []),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "getPermissions", null);
+__decorate21([
+  Get4("/:id"),
+  Validate4({ params: permissionIdParam }),
+  ResMsg4("permissions.success.retrieved"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "getPermission", null);
+__decorate21([
+  Post4(),
+  Validate4(createPermissionDto),
+  ResMsg4({ message: "Permission created successfully", status: 201 }),
+  __param8(0, Body4()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "create", null);
+__decorate21([
+  Put3("/:id"),
+  Validate4({
+    params: permissionIdParam,
+    body: updatePermissionDto
+  }),
+  ResMsg4("permissions.success.updated"),
+  __param8(0, Params3()),
+  __param8(1, Body4()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object, Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "update", null);
+__decorate21([
+  Delete3("/:id"),
+  Validate4({ params: permissionIdParam }),
+  ResMsg4("permissions.success.deleted"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "delete", null);
+__decorate21([
+  Get4("/role/:id"),
+  Validate4({ params: roleIdParam }),
+  ResMsg4("permissions.success.retrieved"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "getByRole", null);
+__decorate21([
+  Get4("/roles/:id"),
+  Validate4({ params: permissionIdParam }),
+  ResMsg4("permissions.success.retrieved"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "getRolesByPermission", null);
+__decorate21([
+  Post4("/assign/:roleId/:permissionId"),
+  Validate4({ params: assignPermissionDto }),
+  ResMsg4("permissions.success.assigned"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "assignToRole", null);
+__decorate21([
+  Delete3("/remove/:roleId/:permissionId"),
+  Validate4({ params: assignPermissionDto }),
+  ResMsg4("permissions.success.removed"),
+  __param8(0, Params3()),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", [Object]),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "removeFromRole", null);
+__decorate21([
+  Delete3(),
+  isAdmin(),
+  ResMsg4("permissions.success.allDeleted"),
+  __metadata21("design:type", Function),
+  __metadata21("design:paramtypes", []),
+  __metadata21("design:returntype", Promise)
+], PermissionController.prototype, "deleteAll", null);
+PermissionController = __decorate21([
+  Controller4("/permissions"),
+  isAdmin(),
+  __metadata21("design:paramtypes", [typeof (_a14 = typeof PermissionService !== "undefined" && PermissionService) === "function" ? _a14 : Object])
+], PermissionController);
+
+// src/tokens/index.ts
+var tokens_exports = {};
+__export(tokens_exports, {
+  TokenRepository: () => TokenRepository,
+  TokenService: () => TokenService,
+  createTokenDto: () => createTokenDto,
+  refreshTokenDto: () => refreshTokenDto,
+  revokeTokenDto: () => revokeTokenDto,
+  tokenIdParam: () => tokenIdParam,
+  updateTokenDto: () => updateTokenDto,
+  verifyTokenDto: () => verifyTokenDto
+});
+
+// src/tokens/TokenDto.ts
+import { z as z4 } from "zod";
+var tokenField = z4.string().min(1, "Token is required");
+var userIdField = z4.string().length(8, "User ID must be 8 characters");
+var expiresAtField = z4.string().datetime("Invalid datetime format");
+var createTokenDto = z4.object({
+  userId: userIdField,
+  token: tokenField,
+  type: z4.enum(["access", "refresh"]).default("refresh"),
+  status: z4.enum(["active", "revoked", "expired"]).default("active"),
+  expiresAt: expiresAtField
+});
+var updateTokenDto = z4.object({
+  status: z4.enum(["active", "revoked", "expired"])
+});
+var tokenIdParam = z4.object({
+  id: z4.string().length(10, "Token ID must be 10 characters")
+});
+var verifyTokenDto = z4.object({
+  token: tokenField
+});
+var refreshTokenDto = z4.object({
+  refreshToken: tokenField
+});
+var revokeTokenDto = z4.object({
+  userId: userIdField
+});
+
+// src/AuthPlugin.ts
+import { cookies } from "najm-cookies";
+import { i18n, I18N_CONTRIBUTIONS } from "najm-i18n";
+import { guards } from "najm-guard";
+import { validation } from "najm-validation";
+import { rateLimit } from "najm-rate";
+import { email } from "najm-email";
+
+// src/locales/en.json
+var en_default = {
+  auth: {
+    errors: {
+      invalidCredentials: "Invalid email or password",
+      emailExists: "Email already registered",
+      accessDenied: "Access denied",
+      tokenExpired: "Token has expired",
+      tokenInvalid: "Invalid token",
+      tokenMissing: "Authorization token is missing",
+      tokenVerificationFailed: "Token verification failed",
+      tokenRevoked: "Token has been revoked",
+      refreshTokenMissing: "Refresh token is missing",
+      refreshTokenInvalid: "Invalid refresh token",
+      invalidResetToken: "Invalid password reset token",
+      resetTokenExpired: "Password reset token has expired",
+      unauthorized: "Unauthorized access",
+      sessionExpired: "Session has expired"
+    },
+    success: {
+      login: "Login successful",
+      logout: "Logout successful",
+      passwordChanged: "Password changed successfully",
+      tokenRefreshed: "Token refreshed successfully"
+    }
+  },
+  users: {
+    errors: {
+      notFound: "User not found",
+      idExists: "User ID already exists",
+      emailRequired: "Email is required",
+      passwordRequired: "Password is required",
+      invalidEmail: "Invalid email format",
+      weakPassword: "Password is too weak",
+      adminRoleNotFound: "Admin role not found in system"
+    },
+    success: {
+      created: "User created successfully",
+      updated: "User updated successfully",
+      deleted: "User deleted successfully",
+      retrieved: "User retrieved successfully"
+    }
+  },
+  roles: {
+    errors: {
+      notFound: "Role not found",
+      exists: "Role already exists",
+      nameRequired: "Role name is required",
+      cannotDeleteSystem: "Cannot delete system role"
+    },
+    success: {
+      created: "Role created successfully",
+      updated: "Role updated successfully",
+      deleted: "Role deleted successfully",
+      assigned: "Role assigned successfully",
+      retrieved: "Role retrieved successfully"
+    }
+  },
+  permissions: {
+    errors: {
+      notFound: "Permission not found",
+      nameExists: "Permission name already exists",
+      roleAlreadyHasPermission: "Role already has this permission",
+      cannotRemoveRequired: "Cannot remove required permission"
+    },
+    success: {
+      created: "Permission created successfully",
+      updated: "Permission updated successfully",
+      deleted: "Permission deleted successfully",
+      granted: "Permission granted successfully",
+      revoked: "Permission revoked successfully",
+      retrieved: "Permissions retrieved successfully",
+      assigned: "Permission assigned to role successfully",
+      removed: "Permission removed from role successfully",
+      allDeleted: "All permissions deleted successfully"
+    }
+  }
+};
+
+// src/locales/index.ts
+var AUTH_LOCALES = {
+  en: en_default
+};
+function getAuthLocale(lang) {
+  return AUTH_LOCALES[lang] ?? AUTH_LOCALES.en;
+}
+__name(getAuthLocale, "getAuthLocale");
+var AUTH_SUPPORTED_LANGUAGES = Object.keys(AUTH_LOCALES);
+
+// src/AuthPlugin.ts
+var DEFAULT_JWT = {
+  accessSecret: process.env.JWT_ACCESS_SECRET || "",
+  accessExpiresIn: process.env.ACCESS_EXPIRES_IN || "1h",
+  refreshSecret: process.env.JWT_REFRESH_SECRET || "",
+  refreshExpiresIn: process.env.REFRESH_EXPIRES_IN || "7d"
+};
+var mergeConfig = /* @__PURE__ */ __name((config) => {
+  const finalConfig = {
+    jwt: {
+      ...DEFAULT_JWT,
+      ...config?.jwt
+    },
+    refreshCookieName: config?.refreshCookieName ?? "refreshToken",
+    database: config?.database ?? "default",
+    blacklistPrefix: config?.blacklistPrefix ?? "auth:blacklist:",
+    defaultRole: config?.defaultRole ?? null
+  };
+  if (!finalConfig.jwt.accessSecret) {
+    throw Err8.configRequired("auth", "JWT_ACCESS_SECRET");
+  }
+  if (!finalConfig.jwt.refreshSecret) {
+    throw Err8.configRequired("auth", "JWT_REFRESH_SECRET");
+  }
+  return finalConfig;
+}, "mergeConfig");
+var selectSchema = /* @__PURE__ */ __name((config) => {
+  if (config?.schema)
+    return config.schema;
+  const dialect = config?.dialect ?? "pg";
+  switch (dialect) {
+    case "sqlite":
+      return authSchema2;
+    case "mysql":
+      return authSchema3;
+    case "pg":
+    default:
+      return authSchema;
+  }
+}, "selectSchema");
+var auth = /* @__PURE__ */ __name((config) => plugin("auth").version("1.0.0").depends(cache(), cookies(), i18n(), guards(), validation(config?.validation), rateLimit(config?.rateLimit), email()).requires("database").contributes(I18N_CONTRIBUTIONS, AUTH_LOCALES).services(auth_exports, users_exports, roles_exports, permissions_exports, tokens_exports).config(AUTH_CONFIG, mergeConfig(config)).set(AUTH_SCHEMA, selectSchema(config)).build(), "auth");
+
+// src/seed.ts
+import { hash } from "bcryptjs";
+var toSeedId = /* @__PURE__ */ __name((prefix, value) => {
+  const normalized = value.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 48);
+  return `${prefix}_${normalized || "item"}`;
+}, "toSeedId");
+var authSeed = /* @__PURE__ */ __name((config) => ({
+  roles: {
+    schema: createRoleDto,
+    rows: (config.roles ?? [
+      { name: "admin", description: "System administrator with full access" },
+      { name: "user", description: "Regular user with limited access" }
+    ]).map((role) => ({
+      id: toSeedId("role", role.name),
+      ...role
+    }))
+  },
+  permissions: {
+    schema: createPermissionDto,
+    by: ["name"],
+    onConflict: "replace",
+    // Permissions are code-defined, always sync
+    rows: config.permissions ?? [
+      { action: "read", resource: "users", name: "read:users", description: "View user information" },
+      { action: "create", resource: "users", name: "create:users", description: "Create new users" },
+      { action: "update", resource: "users", name: "update:users", description: "Update user information" },
+      { action: "delete", resource: "users", name: "delete:users", description: "Delete users" },
+      { action: "manage", resource: "roles", name: "manage:roles", description: "Manage roles and permissions" }
+    ]
+  },
+  rolePermissions: {
+    by: ["roleId", "permissionId"],
+    rows: /* @__PURE__ */ __name((seeded) => {
+      const admin = seeded.roles.find((r) => r.name === "admin");
+      return seeded.permissions.map((p) => ({
+        roleId: admin.id,
+        permissionId: p.id
+      }));
+    }, "rows")
+  },
+  // No schema on entry — validation + hashing handled inside resolver
+  users: {
+    by: ["email"],
+    rows: /* @__PURE__ */ __name(async (seeded) => {
+      createUserDto.pick({ email: true, password: true }).parse({
+        email: config.adminEmail,
+        password: config.adminPass
+      });
+      const adminRole = seeded.roles.find((r) => r.name === "admin");
+      const users = [
+        {
+          email: config.adminEmail,
+          password: await hash(config.adminPass, 10),
+          roleId: adminRole.id,
+          emailVerified: true,
+          status: "active",
+          image: void 0,
+          username: void 0
+        }
+      ];
+      if (config.additionalUsers) {
+        for (const user of config.additionalUsers) {
+          createUserDto.pick({ email: true, password: true }).parse({
+            email: user.email,
+            password: user.password
+          });
+          const role = seeded.roles.find((r) => r.name === user.roleName);
+          if (!role) {
+            throw new Error(`Role '${user.roleName}' not found for user ${user.email}`);
+          }
+          users.push({
+            email: user.email,
+            password: await hash(user.password, 10),
+            roleId: role.id,
+            emailVerified: user.emailVerified ?? true,
+            status: user.status ?? "active",
+            image: user.image,
+            username: user.username
+          });
+        }
+      }
+      return users;
+    }, "rows")
+  }
+}), "authSeed");
+
+// src/seedAuthData.ts
+import { Server } from "najm-core";
+import { database, SeedService } from "najm-database";
+async function seedAuthData(config) {
+  let server = null;
+  try {
+    server = new Server({ isolated: true }).use(database({ default: config.db }));
+    await server.init();
+    const seeder = server.container.get(SeedService);
+    const report = await seeder.run(authSeed({
+      adminEmail: config.adminEmail,
+      adminPass: config.adminPassword,
+      roles: config.roles,
+      permissions: config.permissions,
+      additionalUsers: config.users
+    }), {
+      verbose: config.verbose ?? false,
+      onConflict: config.onConflict ?? "skip",
+      transaction: false
+      // Disable transaction for now to test
+    });
+    return {
+      inserted: report.inserted,
+      skipped: report.skipped,
+      failed: report.failed,
+      users: [],
+      // Users can query db directly if needed
+      roles: []
+      // Users can query db directly if needed
+    };
+  } finally {
+    if (server) {
+      await server.stop();
+    }
+  }
+}
+__name(seedAuthData, "seedAuthData");
+export {
+  AUTH_CONFIG,
+  en_default as AUTH_EN,
+  AUTH_LOCALES,
+  AUTH_MODULE,
+  AUTH_PERMISSIONS,
+  AUTH_ROLE,
+  AUTH_SCHEMA,
+  AUTH_SUPPORTED_LANGUAGES,
+  AUTH_USER,
+  AuthController,
+  AuthGuard,
+  AuthQueries,
+  AuthService,
+  Can,
+  CookieManager,
+  EncryptionService,
+  PermissionController,
+  PermissionGuard,
+  PermissionRepository,
+  PermissionService,
+  PermissionValidator,
+  ROLES,
+  ROLE_GROUPS,
+  Role,
+  RoleController,
+  RoleGuard,
+  RoleRepository,
+  RoleService,
+  RoleValidator,
+  TOKEN_STATUS,
+  TOKEN_TYPE,
+  TokenRepository,
+  TokenService,
+  USER_STATUS,
+  UserController,
+  UserRepository,
+  UserService,
+  UserValidator,
+  assignPermissionDto,
+  assignRoleDto,
+  assignRoleParams,
+  auth,
+  authSchema,
+  authSeed,
+  avatarsPath,
+  baseFields,
+  calculateAge,
+  calculateYearsOfExperience,
+  canCreate,
+  canDelete,
+  canManage,
+  canRead,
+  canUpdate,
+  changePasswordDto,
+  checkPermissionDto,
+  clean,
+  confirmResetPasswordDto,
+  createPermissionDto,
+  createRoleDto,
+  createTokenDto,
+  createUserDto,
+  emailParam,
+  formatDate,
+  getAuthLocale,
+  getAvatarFile,
+  isAdmin,
+  isAdministrator,
+  isAuth,
+  isEmpty,
+  isFile,
+  isPath,
+  languageParam,
+  loginDto,
+  parseSchema,
+  permissionIdParam,
+  permissionsTable,
+  pickProps,
+  refreshTokenDto,
+  resetPasswordDto,
+  revokeTokenDto,
+  roleIdParam,
+  rolePermissionsTable,
+  rolesTable,
+  seedAuthData,
+  tokenIdParam,
+  tokensTable,
+  updatePermissionDto,
+  updateRoleDto,
+  updateTokenDto,
+  updateUserDto,
+  userIdInParam,
+  userIdParam,
+  usersTable,
+  verifyTokenDto
+};