Release 0.16 (#196)

* initial refactor * fixes * test secrets extraction * updated lock * fix secret schema * updated schemas, fixed tests, skipping flow tests for now * added validator for rjsf, hook form via standard schema * removed @sinclair/typebox * remove unneeded vite dep * fix jsonv literal on Field.tsx * fix schema import path * fix schema modals * fix schema modals * fix json field form, replaced auth form * initial waku * finalize waku example * fix jsonv-ts version * fix schema updates with falsy values * fix media api to respect options' init, improve types * checking media controller test * checking media controller test * checking media controller test * clean up mediacontroller test * added cookie option `partitioned`, as well as cors `origin` to be array, option to enable `credentials` (#214) * added cookie option `partitioned`, as well as cors `origin` to be array, option to enable `credentials` * fix server test * fix data api (updated jsonv-ts) * enhance cloudflare image optimization plugin with new options and explain endpoint (#215) * feat: add ability to serve static by using dynamic imports (#197) * feat: add ability to serve static by using dynamic imports * serveStaticViaImport: make manifest optional * serveStaticViaImport: add error log * refactor/imports (#217) * refactored core and core/utils imports * refactored core and core/utils imports * refactored media imports * refactored auth imports * refactored data imports * updated package json exports, fixed mm config * fix tests * feat/deno (#219) * update bun version * fix module manager's em reference * add basic deno example * finalize * docs: fumadocs migration (#185) * feat(docs): initialize documentation structure with Fumadocs * feat(docs): remove home route and move /docs route to /route * feat(docs): add redirect to /start page * feat(docs): migrate Getting Started chapters * feat(docs): migrate Usage and Extending chapters * feat(callout): add CalloutCaution, CalloutDanger, CalloutInfo, and CalloutPositive * feat(layout): add Discord and GitHub links to documentation layout * feat(docs): add integration chapters draft * feat(docs): add modules chapters draft * refactor(mdx-components): remove unused Icon import * refactor(StackBlitz): enhance type safety by using unknown instead of any * refactor(layout): update navigation mode to 'top' in layout configuration * feat(docs): add @iconify/react package * docs(mdx-components): add Icon component to MDX components list * feat(docs): update Next.js integration guide * feat(docs): update React Router integration guide * feat(docs): update Astro integration guide * feat(docs): update Vite integration guide * fix(docs): update package manager initialization commands * feat(docs): migrate Modules chapters * chore(docs): update package.json with new devDependencies * feat(docs): migrate Integration Runtimes chapters * feat(docs): update Database usage chapter * feat(docs): restructure documentation paths * chore(docs): clean up unused imports and files in documentation * style(layout): revert navigation mode to previous state * fix(docs): routing for documentation structure * feat(openapi): add API documentation generation from OpenAPI schema * feat(docs): add icons to documentation pages * chore(dependencies): remove unused content-collections packages * fix(types): fix type error for attachFile in source.ts * feat(redirects): update root redirect destination to '/start' * feat(search): add static search functionality * chore(dependencies): update fumadocs-core and fumadocs-ui to latest versions * feat(search): add Powered by Orama link * feat(generate-openapi): add error handling for missing OpenAPI schema * feat(scripts): add OpenAPI generation to build process * feat(config): enable dynamic redirects and rewrites in development mode * feat(layout): add GitHub token support for improved API rate limits * feat(redirects): add 301 redirects for cloudflare pages * feat(docs): add Vercel redirects configuration * feat(config): enable standalone output for development environment * chore(layout): adjust layout settings * refactor(package): clean up ajv dependency versions * feat(docs): add twoslash support * refactor(layout): update DocsLayout import and navigation configuration * chore(layout): clean up layout.tsx by commenting out GithubInfo * fix(Search): add locale to search initialization * chore(package): update fumadocs and orama to latest versions * docs: add menu items descriptions * feat(layout): add GitHub URL to the layout component * feat(docs): add AutoTypeTable component to MDX components * feat(app): implement AutoTypeTable rendering for AppEvents type * docs(layout): switch callouts back to default components * fix(config): use __filename and __dirname for module paths * docs: add note about node.js 22 requirement * feat(styles): add custom color variables for light and dark themes * docs: add S3 setup instructions for media module * docs: fix typos and indentation in media module docs * docs: add local media adapter example for Node.js * docs(media): add S3/R2 URL format examples and fix typo * docs: add cross-links to initial config and seeding sections * indent numbered lists content, clarified media serve locations * fix mediacontroller tests * feat(layout): add AnimatedGridPattern component for dynamic background * style(layout): configure fancy ToC style ('clerk') * fix(AnimatedGridPattern): correct strokeDasharray type * docs: actualize docs * feat: add favicon * style(cloudflare): format code examples * feat(layout): add Github and Discord footer icons * feat(footer): add SVG social media icons for GitHub and Discord * docs: adjusted auto type table, added llm functions * added static deployment to cloudflare workers * docs: change cf redirects to proxy *.mdx instead of redirecting --------- Co-authored-by: dswbx <dennis.senn@gmx.ch> Co-authored-by: cameronapak <cameronandrewpak@gmail.com> * build: improve build script * add missing exports, fix EntityTypescript imports * media: Dropzone: add programmatic upload, additional events, loading state * schema object: disable extended defaults to allow empty config values * Feat/new docs deploy (#224) * test * try fixing pm * try fixing pm * fix docs on imports, export events correctly --------- Co-authored-by: Tim Seriakov <59409712+timseriakov@users.noreply.github.com> Co-authored-by: cameronapak <cameronandrewpak@gmail.com>
2026-03-16 04:27:21 +00:00 · 2025-08-01 15:55:59 +02:00
parent daaaae82b6
commit a298b65abf
430 changed files with 15041 additions and 12375 deletions
--- a/app/src/auth/AppAuth.ts
+++ b/app/src/auth/AppAuth.ts
@@ -1,8 +1,9 @@
-import { Authenticator, AuthPermissions, Role, type Strategy } from "auth";
-import type { PasswordStrategy } from "auth/authenticate/strategies";
-import type { DB } from "core";
+import type { DB } from "bknd";
+import * as AuthPermissions from "auth/auth-permissions";
+import type { AuthStrategy } from "auth/authenticate/strategies/Strategy";
+import type { PasswordStrategy } from "auth/authenticate/strategies/PasswordStrategy";
 import { $console, secureRandomString, transformObject } from "core/utils";
-import type { Entity, EntityManager } from "data";
+import type { Entity, EntityManager } from "data/entities";
 import { em, entity, enumm, type FieldSchema } from "data/prototype";
 import { Module } from "modules/Module";
 import { AuthController } from "./api/AuthController";
@@ -10,9 +11,11 @@ import { type AppAuthSchema, authConfigSchema, STRATEGIES } from "./auth-schema"
 import { AppUserPool } from "auth/AppUserPool";
 import type { AppEntity } from "core/config";
 import { usersFields } from "./auth-entities";
+import { Authenticator } from "./authenticate/Authenticator";
+import { Role } from "./authorize/Role";

 export type UserFieldSchema = FieldSchema<typeof AppAuth.usersFields>;
-declare module "core" {
+declare module "bknd" {
   interface Users extends AppEntity, UserFieldSchema {}
   interface DB {
      users: Users;
@@ -21,7 +24,7 @@ declare module "core" {

 export type CreateUserPayload = { email: string; password: string; [key: string]: any };

-export class AppAuth extends Module<typeof authConfigSchema> {
+export class AppAuth extends Module<AppAuthSchema> {
   private _authenticator?: Authenticator;
   cache: Record<string, any> = {};
   _controller!: AuthController;
@@ -88,7 +91,7 @@ export class AppAuth extends Module<typeof authConfigSchema> {
      this.ctx.guard.registerPermissions(AuthPermissions);
   }

-   isStrategyEnabled(strategy: Strategy | string) {
+   isStrategyEnabled(strategy: AuthStrategy | string) {
      const name = typeof strategy === "string" ? strategy : strategy.getName();
      // for now, password is always active
      if (name === "password") return true;
@@ -187,6 +190,6 @@ export class AppAuth extends Module<typeof authConfigSchema> {
            enabled: this.isStrategyEnabled(strategy),
            ...strategy.toJSON(secrets),
         })),
-      };
+      } as AppAuthSchema;
   }
 }
--- a/app/src/auth/api/AuthApi.ts
+++ b/app/src/auth/api/AuthApi.ts
@@ -1,6 +1,6 @@
 import type { AuthActionResponse } from "auth/api/AuthController";
 import type { AppAuthSchema } from "auth/auth-schema";
-import type { AuthResponse, SafeUser, Strategy } from "auth/authenticate/Authenticator";
+import type { AuthResponse, SafeUser, AuthStrategy } from "bknd";
 import { type BaseModuleApiOptions, ModuleApi } from "modules/ModuleApi";

 export type AuthApiOptions = BaseModuleApiOptions & {
@@ -39,7 +39,7 @@ export class AuthApi extends ModuleApi<AuthApiOptions> {
   }

   async actionSchema(strategy: string, action: string) {
-      return this.get<Strategy>([strategy, "actions", action, "schema.json"]);
+      return this.get<AuthStrategy>([strategy, "actions", action, "schema.json"]);
   }

   async action(strategy: string, action: string, input: any) {
--- a/app/src/auth/api/AuthController.ts
+++ b/app/src/auth/api/AuthController.ts
@@ -1,9 +1,11 @@
-import { type AppAuth, AuthPermissions, type SafeUser, type Strategy } from "auth";
-import { TypeInvalidError, parse, transformObject } from "core/utils";
-import { DataPermissions } from "data";
+import type { SafeUser } from "bknd";
+import type { AuthStrategy } from "auth/authenticate/strategies/Strategy";
+import type { AppAuth } from "auth/AppAuth";
+import * as AuthPermissions from "auth/auth-permissions";
+import * as DataPermissions from "data/permissions";
 import type { Hono } from "hono";
 import { Controller, type ServerEnv } from "modules/Controller";
-import { describeRoute, jsc, s } from "core/object/schema";
+import { describeRoute, jsc, s, parse, InvalidSchemaError, transformObject } from "bknd/utils";

 export type AuthActionResponse = {
   success: boolean;
@@ -30,7 +32,7 @@ export class AuthController extends Controller {
      return this.em.repo(entity_name as "users");
   }

-   private registerStrategyActions(strategy: Strategy, mainHono: Hono<ServerEnv>) {
+   private registerStrategyActions(strategy: AuthStrategy, mainHono: Hono<ServerEnv>) {
      if (!this.auth.isStrategyEnabled(strategy)) {
         return;
      }
@@ -58,7 +60,7 @@ export class AuthController extends Controller {
               try {
                  const body = await this.auth.authenticator.getBody(c);
                  const valid = parse(create.schema, body, {
-                     skipMark: true,
+                     //skipMark: true,
                  });
                  const processed = (await create.preprocess?.(valid)) ?? valid;

@@ -78,7 +80,7 @@ export class AuthController extends Controller {
                     data: created as unknown as SafeUser,
                  } as AuthActionResponse);
               } catch (e) {
-                  if (e instanceof TypeInvalidError) {
+                  if (e instanceof InvalidSchemaError) {
                     return c.json(
                        {
                           success: false,
--- a/app/src/auth/auth-permissions.ts
+++ b/app/src/auth/auth-permissions.ts
@@ -1,4 +1,4 @@
-import { Permission } from "core";
+import { Permission } from "core/security/Permission";

 export const createUser = new Permission("auth.user.create");
 //export const updateUser = new Permission("auth.user.update");
--- a/app/src/auth/auth-schema.ts
+++ b/app/src/auth/auth-schema.ts
@@ -1,8 +1,6 @@
 import { cookieConfig, jwtConfig } from "auth/authenticate/Authenticator";
 import { CustomOAuthStrategy, OAuthStrategy, PasswordStrategy } from "auth/authenticate/strategies";
-import { type Static, StringRecord, objectTransform } from "core/utils";
-import * as tbbox from "@sinclair/typebox";
-const { Type } = tbbox;
+import { objectTransform, s } from "bknd/utils";

 export const Strategies = {
   password: {
@@ -21,64 +19,58 @@ export const Strategies = {

 export const STRATEGIES = Strategies;
 const strategiesSchemaObject = objectTransform(STRATEGIES, (strategy, name) => {
-   return Type.Object(
+   return s.strictObject(
      {
-         enabled: Type.Optional(Type.Boolean({ default: true })),
-         type: Type.Const(name, { default: name, readOnly: true }),
+         enabled: s.boolean({ default: true }).optional(),
+         type: s.literal(name),
         config: strategy.schema,
      },
      {
         title: name,
-         additionalProperties: false,
      },
   );
 });
-const strategiesSchema = Type.Union(Object.values(strategiesSchemaObject));
-export type AppAuthStrategies = Static<typeof strategiesSchema>;
-export type AppAuthOAuthStrategy = Static<typeof STRATEGIES.oauth.schema>;
-export type AppAuthCustomOAuthStrategy = Static<typeof STRATEGIES.custom_oauth.schema>;

-const guardConfigSchema = Type.Object({
-   enabled: Type.Optional(Type.Boolean({ default: false })),
+const strategiesSchema = s.anyOf(Object.values(strategiesSchemaObject));
+export type AppAuthStrategies = s.Static<typeof strategiesSchema>;
+export type AppAuthOAuthStrategy = s.Static<typeof STRATEGIES.oauth.schema>;
+export type AppAuthCustomOAuthStrategy = s.Static<typeof STRATEGIES.custom_oauth.schema>;
+
+const guardConfigSchema = s.object({
+   enabled: s.boolean({ default: false }).optional(),
+});
+export const guardRoleSchema = s.strictObject({
+   permissions: s.array(s.string()).optional(),
+   is_default: s.boolean().optional(),
+   implicit_allow: s.boolean().optional(),
 });
-export const guardRoleSchema = Type.Object(
-   {
-      permissions: Type.Optional(Type.Array(Type.String())),
-      is_default: Type.Optional(Type.Boolean()),
-      implicit_allow: Type.Optional(Type.Boolean()),
-   },
-   { additionalProperties: false },
-);

-export const authConfigSchema = Type.Object(
+export const authConfigSchema = s.strictObject(
   {
-      enabled: Type.Boolean({ default: false }),
-      basepath: Type.String({ default: "/api/auth" }),
-      entity_name: Type.String({ default: "users" }),
-      allow_register: Type.Optional(Type.Boolean({ default: true })),
+      enabled: s.boolean({ default: false }),
+      basepath: s.string({ default: "/api/auth" }),
+      entity_name: s.string({ default: "users" }),
+      allow_register: s.boolean({ default: true }).optional(),
      jwt: jwtConfig,
      cookie: cookieConfig,
-      strategies: Type.Optional(
-         StringRecord(strategiesSchema, {
-            title: "Strategies",
-            default: {
-               password: {
-                  type: "password",
-                  enabled: true,
-                  config: {
-                     hashing: "sha256",
-                  },
+      strategies: s.record(strategiesSchema, {
+         title: "Strategies",
+         default: {
+            password: {
+               type: "password",
+               enabled: true,
+               config: {
+                  hashing: "sha256",
               },
            },
-         }),
-      ),
-      guard: Type.Optional(guardConfigSchema),
-      roles: Type.Optional(StringRecord(guardRoleSchema, { default: {} })),
-   },
-   {
-      title: "Authentication",
-      additionalProperties: false,
+         },
+      }),
+      guard: guardConfigSchema.optional(),
+      roles: s.record(guardRoleSchema, { default: {} }).optional(),
   },
+   { title: "Authentication" },
 );

-export type AppAuthSchema = Static<typeof authConfigSchema>;
+export type AppAuthJWTConfig = s.Static<typeof jwtConfig>;
+
+export type AppAuthSchema = s.Static<typeof authConfigSchema>;
--- a/app/src/auth/authenticate/Authenticator.ts
+++ b/app/src/auth/authenticate/Authenticator.ts
@@ -1,46 +1,27 @@
-import { type DB, Exception } from "core";
+import type { DB } from "bknd";
+import { Exception } from "core/errors";
 import { addFlashMessage } from "core/server/flash";
-import {
-   $console,
-   type Static,
-   StringEnum,
-   type TObject,
-   parse,
-   runtimeSupports,
-   truncate,
-} from "core/utils";
-import type { Context, Hono } from "hono";
+import type { Context } from "hono";
 import { deleteCookie, getSignedCookie, setSignedCookie } from "hono/cookie";
 import { sign, verify } from "hono/jwt";
-import type { CookieOptions } from "hono/utils/cookie";
+import { type CookieOptions, serializeSigned } from "hono/utils/cookie";
 import type { ServerEnv } from "modules/Controller";
 import { pick } from "lodash-es";
-import * as tbbox from "@sinclair/typebox";
 import { InvalidConditionsException } from "auth/errors";
-const { Type } = tbbox;
+import { s, parse, secret, runtimeSupports, truncate, $console } from "bknd/utils";
+import type { AuthStrategy } from "./strategies/Strategy";

 type Input = any; // workaround
 export type JWTPayload = Parameters<typeof sign>[0];

 export const strategyActions = ["create", "change"] as const;
 export type StrategyActionName = (typeof strategyActions)[number];
-export type StrategyAction<S extends TObject = TObject> = {
+export type StrategyAction<S extends s.ObjectSchema = s.ObjectSchema> = {
   schema: S;
-   preprocess: (input: Static<S>) => Promise<Omit<DB["users"], "id" | "strategy">>;
+   preprocess: (input: s.Static<S>) => Promise<Omit<DB["users"], "id" | "strategy">>;
 };
 export type StrategyActions = Partial<Record<StrategyActionName, StrategyAction>>;

-// @todo: add schema to interface to ensure proper inference
-// @todo: add tests (e.g. invalid strategy_value)
-export interface Strategy {
-   getController: (auth: Authenticator) => Hono<any>;
-   getType: () => string;
-   getMode: () => "form" | "external";
-   getName: () => string;
-   toJSON: (secrets?: boolean) => any;
-   getActions?: () => StrategyActions;
-}
-
 export type User = DB["users"];

 export type ProfileExchange = {
@@ -60,43 +41,45 @@ export interface UserPool {
 }

 const defaultCookieExpires = 60 * 60 * 24 * 7; // 1 week in seconds
-export const cookieConfig = Type.Partial(
-   Type.Object({
-      path: Type.String({ default: "/" }),
-      sameSite: StringEnum(["strict", "lax", "none"], { default: "lax" }),
-      secure: Type.Boolean({ default: true }),
-      httpOnly: Type.Boolean({ default: true }),
-      expires: Type.Number({ default: defaultCookieExpires }), // seconds
-      renew: Type.Boolean({ default: true }),
-      pathSuccess: Type.String({ default: "/" }),
-      pathLoggedOut: Type.String({ default: "/" }),
-   }),
-   { default: {}, additionalProperties: false },
-);
+export const cookieConfig = s
+   .object({
+      path: s.string({ default: "/" }),
+      sameSite: s.string({ enum: ["strict", "lax", "none"], default: "lax" }),
+      secure: s.boolean({ default: true }),
+      httpOnly: s.boolean({ default: true }),
+      expires: s.number({ default: defaultCookieExpires }), // seconds
+      partitioned: s.boolean({ default: false }),
+      renew: s.boolean({ default: true }),
+      pathSuccess: s.string({ default: "/" }),
+      pathLoggedOut: s.string({ default: "/" }),
+   })
+   .partial()
+   .strict();

 // @todo: maybe add a config to not allow cookie/api tokens to be used interchangably?
 // see auth.integration test for further details

-export const jwtConfig = Type.Object(
-   {
-      // @todo: autogenerate a secret if not present. But it must be persisted from AppAuth
-      secret: Type.String({ default: "" }),
-      alg: Type.Optional(StringEnum(["HS256", "HS384", "HS512"], { default: "HS256" })),
-      expires: Type.Optional(Type.Number()), // seconds
-      issuer: Type.Optional(Type.String()),
-      fields: Type.Array(Type.String(), { default: ["id", "email", "role"] }),
-   },
-   {
-      default: {},
-      additionalProperties: false,
-   },
-);
-export const authenticatorConfig = Type.Object({
+export const jwtConfig = s
+   .object(
+      {
+         // @todo: autogenerate a secret if not present. But it must be persisted from AppAuth
+         secret: secret({ default: "" }),
+         alg: s.string({ enum: ["HS256", "HS384", "HS512"], default: "HS256" }).optional(),
+         expires: s.number().optional(), // seconds
+         issuer: s.string().optional(),
+         fields: s.array(s.string(), { default: ["id", "email", "role"] }),
+      },
+      {
+         default: {},
+      },
+   )
+   .strict();
+export const authenticatorConfig = s.object({
   jwt: jwtConfig,
   cookie: cookieConfig,
 });

-type AuthConfig = Static<typeof authenticatorConfig>;
+type AuthConfig = s.Static<typeof authenticatorConfig>;
 export type AuthAction = "login" | "register";
 export type AuthResolveOptions = {
   identifier?: "email" | string;
@@ -105,7 +88,7 @@ export type AuthResolveOptions = {
 };
 export type AuthUserResolver = (
   action: AuthAction,
-   strategy: Strategy,
+   strategy: AuthStrategy,
   profile: ProfileExchange,
   opts?: AuthResolveOptions,
 ) => Promise<ProfileExchange | undefined>;
@@ -115,7 +98,9 @@ type AuthClaims = SafeUser & {
   exp?: number;
 };

-export class Authenticator<Strategies extends Record<string, Strategy> = Record<string, Strategy>> {
+export class Authenticator<
+   Strategies extends Record<string, AuthStrategy> = Record<string, AuthStrategy>,
+> {
   private readonly config: AuthConfig;

   constructor(
@@ -128,7 +113,7 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<

   async resolveLogin(
      c: Context,
-      strategy: Strategy,
+      strategy: AuthStrategy,
      profile: Partial<SafeUser>,
      verify: (user: User) => Promise<void>,
      opts?: AuthResolveOptions,
@@ -166,7 +151,7 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<

   async resolveRegister(
      c: Context,
-      strategy: Strategy,
+      strategy: AuthStrategy,
      profile: CreateUser,
      verify: (user: User) => Promise<void>,
      opts?: AuthResolveOptions,
@@ -235,7 +220,7 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<

   strategy<
      StrategyName extends keyof Strategies,
-      Strat extends Strategy = Strategies[StrategyName],
+      Strat extends AuthStrategy = Strategies[StrategyName],
   >(strategy: StrategyName): Strat {
      try {
         return this.strategies[strategy] as unknown as Strat;
@@ -342,6 +327,11 @@ export class Authenticator<Strategies extends Record<string, Strategy> = Record<
      await setSignedCookie(c, "auth", token, secret, this.cookieOptions);
   }

+   async unsafeGetAuthCookie(token: string): Promise<string | undefined> {
+      // this works for as long as cookieOptions.prefix is not set
+      return serializeSigned("auth", token, this.config.jwt.secret, this.cookieOptions);
+   }
+
   private deleteAuthCookie(c: Context) {
      $console.debug("deleting auth cookie");
      deleteCookie(c, "auth", this.cookieOptions);
--- a/app/src/auth/authenticate/strategies/PasswordStrategy.ts
+++ b/app/src/auth/authenticate/strategies/PasswordStrategy.ts
@@ -1,21 +1,22 @@
-import { type Authenticator, InvalidCredentialsException, type User } from "auth";
-import { tbValidator as tb } from "core";
-import { $console, hash, parse, type Static, StrictObject, StringEnum } from "core/utils";
+import type { User } from "bknd";
+import type { Authenticator } from "auth/authenticate/Authenticator";
+import { InvalidCredentialsException } from "auth/errors";
+import { hash, $console } from "core/utils";
 import { Hono } from "hono";
 import { compare as bcryptCompare, genSalt as bcryptGenSalt, hash as bcryptHash } from "bcryptjs";
-import * as tbbox from "@sinclair/typebox";
-import { Strategy } from "./Strategy";
+import { AuthStrategy } from "./Strategy";
+import { s, parse, jsc } from "bknd/utils";

-const { Type } = tbbox;
+const schema = s
+   .object({
+      hashing: s.string({ enum: ["plain", "sha256", "bcrypt"], default: "sha256" }),
+      rounds: s.number({ minimum: 1, maximum: 10 }).optional(),
+   })
+   .strict();

-const schema = StrictObject({
-   hashing: StringEnum(["plain", "sha256", "bcrypt"], { default: "sha256" }),
-   rounds: Type.Optional(Type.Number({ minimum: 1, maximum: 10 })),
-});
+export type PasswordStrategyOptions = s.Static<typeof schema>;

-export type PasswordStrategyOptions = Static<typeof schema>;
-
-export class PasswordStrategy extends Strategy<typeof schema> {
+export class PasswordStrategy extends AuthStrategy<typeof schema> {
   constructor(config: Partial<PasswordStrategyOptions> = {}) {
      super(config as any, "password", "password", "form");

@@ -32,11 +33,11 @@ export class PasswordStrategy extends Strategy<typeof schema> {
   }

   private getPayloadSchema() {
-      return Type.Object({
-         email: Type.String({
-            pattern: "^[\\w-\\.\\+_]+@([\\w-]+\\.)+[\\w-]{2,4}$",
+      return s.object({
+         email: s.string({
+            format: "email",
         }),
-         password: Type.String({
+         password: s.string({
            minLength: 8, // @todo: this should be configurable
         }),
      });
@@ -79,12 +80,12 @@ export class PasswordStrategy extends Strategy<typeof schema> {

   getController(authenticator: Authenticator): Hono<any> {
      const hono = new Hono();
-      const redirectQuerySchema = Type.Object({
-         redirect: Type.Optional(Type.String()),
+      const redirectQuerySchema = s.object({
+         redirect: s.string().optional(),
      });
      const payloadSchema = this.getPayloadSchema();

-      hono.post("/login", tb("query", redirectQuerySchema), async (c) => {
+      hono.post("/login", jsc("query", redirectQuerySchema), async (c) => {
         try {
            const body = parse(payloadSchema, await authenticator.getBody(c), {
               onError: (errors) => {
@@ -102,7 +103,7 @@ export class PasswordStrategy extends Strategy<typeof schema> {
         }
      });

-      hono.post("/register", tb("query", redirectQuerySchema), async (c) => {
+      hono.post("/register", jsc("query", redirectQuerySchema), async (c) => {
         try {
            const { redirect } = c.req.valid("query");
            const { password, email, ...body } = parse(
--- a/app/src/auth/authenticate/strategies/Strategy.ts
+++ b/app/src/auth/authenticate/strategies/Strategy.ts
@@ -5,31 +5,31 @@ import type {
   StrategyActions,
 } from "../Authenticator";
 import type { Hono } from "hono";
-import type { Static, TSchema } from "@sinclair/typebox";
-import { parse, type TObject } from "core/utils";
+import { type s, parse } from "bknd/utils";

 export type StrategyMode = "form" | "external";

-export abstract class Strategy<Schema extends TSchema = TSchema> {
+export abstract class AuthStrategy<Schema extends s.Schema = s.Schema> {
   protected actions: StrategyActions = {};

   constructor(
-      protected config: Static<Schema>,
+      protected config: s.Static<Schema>,
      public type: string,
      public name: string,
      public mode: StrategyMode,
   ) {
      // don't worry about typing, it'll throw if invalid
-      this.config = parse(this.getSchema(), (config ?? {}) as any) as Static<Schema>;
+      this.config = parse(this.getSchema(), (config ?? {}) as any) as s.Static<Schema>;
   }

-   protected registerAction<S extends TObject = TObject>(
+   protected registerAction<S extends s.ObjectSchema = s.ObjectSchema>(
      name: StrategyActionName,
      schema: S,
      preprocess: StrategyAction<S>["preprocess"],
   ): void {
      this.actions[name] = {
         schema,
+         // @ts-expect-error - @todo: fix this
         preprocess,
      } as const;
   }
@@ -50,7 +50,7 @@ export abstract class Strategy<Schema extends TSchema = TSchema> {
      return this.name;
   }

-   toJSON(secrets?: boolean): { type: string; config: Static<Schema> | {} | undefined } {
+   toJSON(secrets?: boolean): { type: string; config: s.Static<Schema> | {} | undefined } {
      return {
         type: this.getType(),
         config: secrets ? this.config : undefined,
--- a/app/src/auth/authenticate/strategies/oauth/CustomOAuthStrategy.ts
+++ b/app/src/auth/authenticate/strategies/oauth/CustomOAuthStrategy.ts
@@ -1,38 +1,36 @@
-import { type Static, StrictObject, StringEnum } from "core/utils";
-import * as tbbox from "@sinclair/typebox";
 import type * as oauth from "oauth4webapi";
 import { OAuthStrategy } from "./OAuthStrategy";
-const { Type } = tbbox;
+import { s } from "bknd/utils";

 type SupportedTypes = "oauth2" | "oidc";

 type RequireKeys<T extends object, K extends keyof T> = Required<Pick<T, K>> & Omit<T, K>;

-const UrlString = Type.String({ pattern: "^(https?|wss?)://[^\\s/$.?#].[^\\s]*$" });
-const oauthSchemaCustom = StrictObject(
+const UrlString = s.string({ pattern: "^(https?|wss?)://[^\\s/$.?#].[^\\s]*$" });
+const oauthSchemaCustom = s.strictObject(
   {
-      type: StringEnum(["oidc", "oauth2"] as const, { default: "oidc" }),
-      name: Type.String(),
-      client: StrictObject({
-         client_id: Type.String(),
-         client_secret: Type.String(),
-         token_endpoint_auth_method: StringEnum(["client_secret_basic"]),
+      type: s.string({ enum: ["oidc", "oauth2"] as const, default: "oidc" }),
+      name: s.string(),
+      client: s.object({
+         client_id: s.string(),
+         client_secret: s.string(),
+         token_endpoint_auth_method: s.string({ enum: ["client_secret_basic"] }),
      }),
-      as: StrictObject({
-         issuer: Type.String(),
-         code_challenge_methods_supported: Type.Optional(StringEnum(["S256"])),
-         scopes_supported: Type.Optional(Type.Array(Type.String())),
-         scope_separator: Type.Optional(Type.String({ default: " " })),
-         authorization_endpoint: Type.Optional(UrlString),
-         token_endpoint: Type.Optional(UrlString),
-         userinfo_endpoint: Type.Optional(UrlString),
+      as: s.strictObject({
+         issuer: s.string(),
+         code_challenge_methods_supported: s.string({ enum: ["S256"] }).optional(),
+         scopes_supported: s.array(s.string()).optional(),
+         scope_separator: s.string({ default: " " }).optional(),
+         authorization_endpoint: UrlString.optional(),
+         token_endpoint: UrlString.optional(),
+         userinfo_endpoint: UrlString.optional(),
      }),
      // @todo: profile mapping
   },
   { title: "Custom OAuth" },
 );

-type OAuthConfigCustom = Static<typeof oauthSchemaCustom>;
+type OAuthConfigCustom = s.Static<typeof oauthSchemaCustom>;

 export type UserProfile = {
   sub: string;
--- a/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts
+++ b/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts
@@ -1,31 +1,32 @@
-import type { AuthAction, Authenticator } from "auth";
-import { Exception, isDebug } from "core";
-import { type Static, StringEnum, filterKeys, StrictObject } from "core/utils";
+import type { Authenticator, AuthAction } from "auth/authenticate/Authenticator";
 import { type Context, Hono } from "hono";
 import { getSignedCookie, setSignedCookie } from "hono/cookie";
 import * as oauth from "oauth4webapi";
 import * as issuers from "./issuers";
-import * as tbbox from "@sinclair/typebox";
-import { Strategy } from "auth/authenticate/strategies/Strategy";
-const { Type } = tbbox;
+import { s, filterKeys } from "bknd/utils";
+import { Exception } from "core/errors";
+import { isDebug } from "core/env";
+import { AuthStrategy } from "../Strategy";

 type ConfiguredIssuers = keyof typeof issuers;
 type SupportedTypes = "oauth2" | "oidc";

 type RequireKeys<T extends object, K extends keyof T> = Required<Pick<T, K>> & Omit<T, K>;

-const schemaProvided = Type.Object(
+const schemaProvided = s.object(
   {
-      name: StringEnum(Object.keys(issuers) as ConfiguredIssuers[]),
-      type: StringEnum(["oidc", "oauth2"] as const, { default: "oauth2" }),
-      client: StrictObject({
-         client_id: Type.String(),
-         client_secret: Type.String(),
-      }),
+      name: s.string({ enum: Object.keys(issuers) as ConfiguredIssuers[] }),
+      type: s.string({ enum: ["oidc", "oauth2"] as const, default: "oauth2" }),
+      client: s
+         .object({
+            client_id: s.string(),
+            client_secret: s.string(),
+         })
+         .strict(),
   },
   { title: "OAuth" },
 );
-type ProvidedOAuthConfig = Static<typeof schemaProvided>;
+type ProvidedOAuthConfig = s.Static<typeof schemaProvided>;

 export type CustomOAuthConfig = {
   type: SupportedTypes;
@@ -69,7 +70,7 @@ export class OAuthCallbackException extends Exception {
   }
 }

-export class OAuthStrategy extends Strategy<typeof schemaProvided> {
+export class OAuthStrategy extends AuthStrategy<typeof schemaProvided> {
   constructor(config: ProvidedOAuthConfig) {
      super(config, "oauth", config.name, "external");
   }
--- a/app/src/auth/authorize/Guard.ts
+++ b/app/src/auth/authorize/Guard.ts
@@ -1,5 +1,6 @@
-import { Exception, Permission } from "core";
+import { Exception } from "core/errors";
 import { $console, objectTransform } from "core/utils";
+import { Permission } from "core/security/Permission";
 import type { Context } from "hono";
 import type { ServerEnv } from "modules/Controller";
 import { Role } from "./Role";
--- a/app/src/auth/authorize/Role.ts
+++ b/app/src/auth/authorize/Role.ts
@@ -1,4 +1,4 @@
-import { Permission } from "core";
+import { Permission } from "core/security/Permission";

 export class RolePermission {
   constructor(
--- a/app/src/auth/errors.ts
+++ b/app/src/auth/errors.ts
@@ -1,5 +1,6 @@
-import { Exception, isDebug } from "core";
-import { HttpStatus } from "core/utils";
+import { Exception } from "core/errors";
+import { isDebug } from "core/env";
+import { HttpStatus } from "bknd/utils";

 export class AuthException extends Exception {
   getSafeErrorAndCode() {
--- a/app/src/auth/index.ts
+++ b/app/src/auth/index.ts
@@ -1,22 +0,0 @@
-export { UserExistsException, UserNotFoundException, InvalidCredentialsException } from "./errors";
-export {
-   type ProfileExchange,
-   type Strategy,
-   type User,
-   type SafeUser,
-   type CreateUser,
-   type AuthResponse,
-   type UserPool,
-   type AuthAction,
-   type AuthUserResolver,
-   Authenticator,
-   authenticatorConfig,
-   jwtConfig,
-} from "./authenticate/Authenticator";
-
-export { AppAuth, type UserFieldSchema } from "./AppAuth";
-
-export { Guard, type GuardUserContext, type GuardConfig } from "./authorize/Guard";
-export { Role } from "./authorize/Role";
-
-export * as AuthPermissions from "./auth-permissions";
--- a/app/src/auth/middlewares.ts
+++ b/app/src/auth/middlewares.ts
@@ -1,5 +1,5 @@
-import type { Permission } from "core";
-import { $console, patternMatch } from "core/utils";
+import type { Permission } from "core/security/Permission";
+import { $console, patternMatch } from "bknd/utils";
 import type { Context } from "hono";
 import { createMiddleware } from "hono/factory";
 import type { ServerEnv } from "modules/Controller";