diff --git a/apps/blog-next/.env.example b/apps/blog-next/.env.example
index d382e1b..023507f 100644
--- a/apps/blog-next/.env.example
+++ b/apps/blog-next/.env.example
@@ -48,9 +48,9 @@ WORKOS_REDIRECT_URI=
 WORKOS_SESSION_COOKIE=
 CLERK_PUBLISHABLE_KEY=
 CLERK_SECRET_KEY=
-CLERK_JWT_KEY=
 CLERK_API_URL=
 CLERK_FRONTEND_API=
+CLERK_REDIRECT_URI=
 CLERK_SESSION_COOKIE=
 
 BROADCAST_CONNECTION=holo
diff --git a/apps/blog-next/app/api/auth/clerk/callback/route.ts b/apps/blog-next/app/api/auth/clerk/callback/route.ts
new file mode 100644
index 0000000..edc32ac
--- /dev/null
+++ b/apps/blog-next/app/api/auth/clerk/callback/route.ts
@@ -0,0 +1,10 @@
+import { completeClerkAuth } from '@holo-js/auth-clerk'
+
+export async function GET(request: Request) {
+  const result = await completeClerkAuth(request)
+  if (!result.ok) {
+    return Response.redirect(new URL(`/login?error=${encodeURIComponent(result.code)}`, request.url))
+  }
+
+  return Response.redirect(new URL('/admin', request.url))
+}
diff --git a/apps/blog-next/app/api/auth/clerk/login/route.ts b/apps/blog-next/app/api/auth/clerk/login/route.ts
new file mode 100644
index 0000000..c130bdd
--- /dev/null
+++ b/apps/blog-next/app/api/auth/clerk/login/route.ts
@@ -0,0 +1,5 @@
+import { loginWithClerk } from '@holo-js/auth-clerk'
+
+export async function GET(request: Request) {
+  return await loginWithClerk(request)
+}
diff --git a/apps/blog-next/app/api/auth/clerk/logout/route.ts b/apps/blog-next/app/api/auth/clerk/logout/route.ts
new file mode 100644
index 0000000..68a0d19
--- /dev/null
+++ b/apps/blog-next/app/api/auth/clerk/logout/route.ts
@@ -0,0 +1,10 @@
+import { logoutWithClerk } from '@holo-js/auth-clerk'
+
+export async function POST(request: Request) {
+  const result = await logoutWithClerk(request)
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
+
+  return Response.redirect(result.url, 303)
+}
diff --git a/apps/blog-next/app/api/auth/clerk/register/route.ts b/apps/blog-next/app/api/auth/clerk/register/route.ts
new file mode 100644
index 0000000..92861da
--- /dev/null
+++ b/apps/blog-next/app/api/auth/clerk/register/route.ts
@@ -0,0 +1,5 @@
+import { registerWithClerk } from '@holo-js/auth-clerk'
+
+export async function GET(request: Request) {
+  return await registerWithClerk(request)
+}
diff --git a/apps/blog-next/app/auth-nav.tsx b/apps/blog-next/app/auth-nav.tsx
index 61dcd30..82a76be 100644
--- a/apps/blog-next/app/auth-nav.tsx
+++ b/apps/blog-next/app/auth-nav.tsx
@@ -64,6 +64,9 @@ export function AuthNav() {
       <form action="/api/auth/workos/logout" method="post" style={logoutFormStyle}>
         <button type="submit" style={logoutButtonStyle}>Logout from WorkOS</button>
       </form>
+      <form action="/api/auth/clerk/logout" method="post" style={logoutFormStyle}>
+        <button type="submit" style={logoutButtonStyle}>Logout from Clerk</button>
+      </form>
     </>
   )
 }
diff --git a/apps/blog-next/app/login/page.tsx b/apps/blog-next/app/login/page.tsx
index 5b5c7f2..ca3826a 100644
--- a/apps/blog-next/app/login/page.tsx
+++ b/apps/blog-next/app/login/page.tsx
@@ -48,6 +48,7 @@ export default function LoginPage() {
         <a href="/auth/google" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with Google</a>
         <a href="/auth/github" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with GitHub</a>
         <a href="/api/auth/workos/login" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with WorkOS</a>
+        <a href="/api/auth/clerk/login" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with Clerk</a>
       </div>
 
       <form onSubmit={(event) => { event.preventDefault(); form.submit() }} style={{ display: 'grid', gap: '0.9rem' }}>
diff --git a/apps/blog-next/app/register/page.tsx b/apps/blog-next/app/register/page.tsx
index 168396d..4ce55e3 100644
--- a/apps/blog-next/app/register/page.tsx
+++ b/apps/blog-next/app/register/page.tsx
@@ -101,6 +101,7 @@ export default function RegisterPage() {
 
       <Link href="/login" style={{ color: '#7dd3fc' }}>Already have an account?</Link>
       <a href="/api/auth/workos/register" style={{ color: '#7dd3fc' }}>Register with WorkOS</a>
+      <a href="/api/auth/clerk/register" style={{ color: '#7dd3fc' }}>Register with Clerk</a>
     </section>
   )
 }
diff --git a/apps/blog-next/config/auth.ts b/apps/blog-next/config/auth.ts
index b54d336..c1ec02f 100644
--- a/apps/blog-next/config/auth.ts
+++ b/apps/blog-next/config/auth.ts
@@ -65,13 +65,14 @@ export default defineAuthConfig({
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
   clerk: {
+    provider: env('AUTH_CLERK_PROVIDER', 'app'),
     app: {
       publishableKey: env('CLERK_PUBLISHABLE_KEY'),
       secretKey: env('CLERK_SECRET_KEY'),
-      jwtKey: env('CLERK_JWT_KEY'),
       apiUrl: env('CLERK_API_URL'),
       frontendApi: env('CLERK_FRONTEND_API'),
-      sessionCookie: env('CLERK_SESSION_COOKIE', "__session"),
+      redirectUri: env('CLERK_REDIRECT_URI'),
+      sessionCookie: env('CLERK_SESSION_COOKIE', '__session'),
     },
   },
   // Add a dedicated guard and provider if Clerk users should resolve through a different model.
diff --git a/apps/blog-nuxt/.env.example b/apps/blog-nuxt/.env.example
index d382e1b..dd33c98 100644
--- a/apps/blog-nuxt/.env.example
+++ b/apps/blog-nuxt/.env.example
@@ -46,11 +46,11 @@ WORKOS_API_KEY=
 WORKOS_COOKIE_PASSWORD=
 WORKOS_REDIRECT_URI=
 WORKOS_SESSION_COOKIE=
-CLERK_PUBLISHABLE_KEY=
-CLERK_SECRET_KEY=
-CLERK_JWT_KEY=
 CLERK_API_URL=
 CLERK_FRONTEND_API=
+CLERK_PUBLISHABLE_KEY=
+CLERK_REDIRECT_URI=
+CLERK_SECRET_KEY=
 CLERK_SESSION_COOKIE=
 
 BROADCAST_CONNECTION=holo
diff --git a/apps/blog-nuxt/app/app.vue b/apps/blog-nuxt/app/app.vue
index 3f5562c..7fe6da3 100644
--- a/apps/blog-nuxt/app/app.vue
+++ b/apps/blog-nuxt/app/app.vue
@@ -24,6 +24,9 @@ async function logout() {
           <form action="/api/auth/workos/logout" method="post" class="logout-form">
             <button type="submit" class="logout-button">Logout from WorkOS</button>
           </form>
+          <form action="/api/auth/clerk/logout" method="post" class="logout-form">
+            <button type="submit" class="logout-button">Logout from Clerk</button>
+          </form>
         </template>
         <template v-else>
           <NuxtLink to="/login">Login</NuxtLink>
diff --git a/apps/blog-nuxt/app/pages/login/index.vue b/apps/blog-nuxt/app/pages/login/index.vue
index 3b6cc2d..4a12680 100644
--- a/apps/blog-nuxt/app/pages/login/index.vue
+++ b/apps/blog-nuxt/app/pages/login/index.vue
@@ -36,6 +36,7 @@ const form = useForm(loginForm, {
       <a href="/auth/google">Continue with Google</a>
       <a href="/auth/github">Continue with GitHub</a>
       <a href="/api/auth/workos/login">Continue with WorkOS</a>
+      <a href="/api/auth/clerk/login">Continue with Clerk</a>
     </div>
 
     <form class="stack" @submit.prevent="form.submit()">
diff --git a/apps/blog-nuxt/app/pages/register/index.vue b/apps/blog-nuxt/app/pages/register/index.vue
index 90fdebe..ad8a90a 100644
--- a/apps/blog-nuxt/app/pages/register/index.vue
+++ b/apps/blog-nuxt/app/pages/register/index.vue
@@ -70,6 +70,7 @@ const form = useForm(registerForm, {
 
     <NuxtLink to="/login">Already have an account?</NuxtLink>
     <a href="/api/auth/workos/register">Register with WorkOS</a>
+    <a href="/api/auth/clerk/register">Register with Clerk</a>
   </section>
 </template>
 
diff --git a/apps/blog-nuxt/config/auth.ts b/apps/blog-nuxt/config/auth.ts
index b54d336..c1ec02f 100644
--- a/apps/blog-nuxt/config/auth.ts
+++ b/apps/blog-nuxt/config/auth.ts
@@ -65,13 +65,14 @@ export default defineAuthConfig({
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
   clerk: {
+    provider: env('AUTH_CLERK_PROVIDER', 'app'),
     app: {
       publishableKey: env('CLERK_PUBLISHABLE_KEY'),
       secretKey: env('CLERK_SECRET_KEY'),
-      jwtKey: env('CLERK_JWT_KEY'),
       apiUrl: env('CLERK_API_URL'),
       frontendApi: env('CLERK_FRONTEND_API'),
-      sessionCookie: env('CLERK_SESSION_COOKIE', "__session"),
+      redirectUri: env('CLERK_REDIRECT_URI'),
+      sessionCookie: env('CLERK_SESSION_COOKIE', '__session'),
     },
   },
   // Add a dedicated guard and provider if Clerk users should resolve through a different model.
diff --git a/apps/blog-nuxt/server/api/auth/clerk/callback.get.ts b/apps/blog-nuxt/server/api/auth/clerk/callback.get.ts
new file mode 100644
index 0000000..c33a61a
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/clerk/callback.get.ts
@@ -0,0 +1,12 @@
+import { completeClerkAuth } from '@holo-js/auth-clerk'
+import { sendRedirect } from 'h3'
+
+export default defineEventHandler(async (event) => {
+  const result = await completeClerkAuth(event)
+  if (!result.ok) {
+    const errCode = result.code ?? 'unknown_error'
+    return await sendRedirect(event, `/login?error=${encodeURIComponent(errCode)}`, 303)
+  }
+
+  return await sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-nuxt/server/api/auth/clerk/login.get.ts b/apps/blog-nuxt/server/api/auth/clerk/login.get.ts
new file mode 100644
index 0000000..0d860cf
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/clerk/login.get.ts
@@ -0,0 +1,5 @@
+import { loginWithClerk } from '@holo-js/auth-clerk'
+
+export default defineEventHandler(async (event) => {
+  return await loginWithClerk(event)
+})
diff --git a/apps/blog-nuxt/server/api/auth/clerk/logout.post.ts b/apps/blog-nuxt/server/api/auth/clerk/logout.post.ts
new file mode 100644
index 0000000..ce54e6a
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/clerk/logout.post.ts
@@ -0,0 +1,14 @@
+import { logoutWithClerk } from '@holo-js/auth-clerk'
+import { createError, sendRedirect } from 'h3'
+
+export default defineEventHandler(async (event) => {
+  const result = await logoutWithClerk(event)
+  if (!result.ok) {
+    throw createError({
+      statusCode: 422,
+      statusMessage: result.message,
+    })
+  }
+
+  return await sendRedirect(event, result.url, 303)
+})
diff --git a/apps/blog-nuxt/server/api/auth/clerk/register.get.ts b/apps/blog-nuxt/server/api/auth/clerk/register.get.ts
new file mode 100644
index 0000000..6c792c3
--- /dev/null
+++ b/apps/blog-nuxt/server/api/auth/clerk/register.get.ts
@@ -0,0 +1,5 @@
+import { registerWithClerk } from '@holo-js/auth-clerk'
+
+export default defineEventHandler(async (event) => {
+  return await registerWithClerk(event)
+})
diff --git a/apps/blog-sveltekit/.env.example b/apps/blog-sveltekit/.env.example
index d382e1b..023507f 100644
--- a/apps/blog-sveltekit/.env.example
+++ b/apps/blog-sveltekit/.env.example
@@ -48,9 +48,9 @@ WORKOS_REDIRECT_URI=
 WORKOS_SESSION_COOKIE=
 CLERK_PUBLISHABLE_KEY=
 CLERK_SECRET_KEY=
-CLERK_JWT_KEY=
 CLERK_API_URL=
 CLERK_FRONTEND_API=
+CLERK_REDIRECT_URI=
 CLERK_SESSION_COOKIE=
 
 BROADCAST_CONNECTION=holo
diff --git a/apps/blog-sveltekit/config/auth.ts b/apps/blog-sveltekit/config/auth.ts
index b54d336..c1ec02f 100644
--- a/apps/blog-sveltekit/config/auth.ts
+++ b/apps/blog-sveltekit/config/auth.ts
@@ -65,13 +65,14 @@ export default defineAuthConfig({
   },
   // Add a dedicated guard and provider if WorkOS users should resolve through a different model.
   clerk: {
+    provider: env('AUTH_CLERK_PROVIDER', 'app'),
     app: {
       publishableKey: env('CLERK_PUBLISHABLE_KEY'),
       secretKey: env('CLERK_SECRET_KEY'),
-      jwtKey: env('CLERK_JWT_KEY'),
       apiUrl: env('CLERK_API_URL'),
       frontendApi: env('CLERK_FRONTEND_API'),
-      sessionCookie: env('CLERK_SESSION_COOKIE', "__session"),
+      redirectUri: env('CLERK_REDIRECT_URI'),
+      sessionCookie: env('CLERK_SESSION_COOKIE', '__session'),
     },
   },
   // Add a dedicated guard and provider if Clerk users should resolve through a different model.
diff --git a/apps/blog-sveltekit/src/routes/+layout.svelte b/apps/blog-sveltekit/src/routes/+layout.svelte
index 87a94ab..da96cef 100644
--- a/apps/blog-sveltekit/src/routes/+layout.svelte
+++ b/apps/blog-sveltekit/src/routes/+layout.svelte
@@ -45,6 +45,9 @@
         <form action="/api/auth/workos/logout" method="post" class="logout-form">
           <button type="submit" class="logout-button">Logout from WorkOS</button>
         </form>
+        <form action="/api/auth/clerk/logout" method="post" class="logout-form">
+          <button type="submit" class="logout-button">Logout from Clerk</button>
+        </form>
       {:else}
         <a href="/login">Login</a>
         <a href="/register">Register</a>
diff --git a/apps/blog-sveltekit/src/routes/api/auth/clerk/callback/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/clerk/callback/+server.ts
new file mode 100644
index 0000000..1d3e054
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/clerk/callback/+server.ts
@@ -0,0 +1,11 @@
+import { redirect, type RequestHandler } from '@sveltejs/kit'
+import { completeClerkAuth } from '@holo-js/auth-clerk'
+
+export const GET = (async (event) => {
+  const result = await completeClerkAuth(event)
+  if (!result.ok) {
+    throw redirect(303, `/login?error=${encodeURIComponent(result.code)}`)
+  }
+
+  throw redirect(303, '/admin')
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/clerk/login/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/clerk/login/+server.ts
new file mode 100644
index 0000000..1953979
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/clerk/login/+server.ts
@@ -0,0 +1,6 @@
+import { loginWithClerk } from '@holo-js/auth-clerk'
+import type { RequestHandler } from './$types'
+
+export const GET = (async (event) => {
+  return await loginWithClerk(event)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/clerk/logout/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/clerk/logout/+server.ts
new file mode 100644
index 0000000..6bc08f9
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/clerk/logout/+server.ts
@@ -0,0 +1,11 @@
+import { redirect, type RequestHandler } from '@sveltejs/kit'
+import { logoutWithClerk } from '@holo-js/auth-clerk'
+
+export const POST = (async (event) => {
+  const result = await logoutWithClerk(event)
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
+
+  throw redirect(303, result.url)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/api/auth/clerk/register/+server.ts b/apps/blog-sveltekit/src/routes/api/auth/clerk/register/+server.ts
new file mode 100644
index 0000000..341fe7c
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/api/auth/clerk/register/+server.ts
@@ -0,0 +1,6 @@
+import { registerWithClerk } from '@holo-js/auth-clerk'
+import type { RequestHandler } from './$types'
+
+export const GET = (async (event) => {
+  return await registerWithClerk(event)
+}) satisfies RequestHandler
diff --git a/apps/blog-sveltekit/src/routes/login/+page.svelte b/apps/blog-sveltekit/src/routes/login/+page.svelte
index 4a47248..0d10494 100644
--- a/apps/blog-sveltekit/src/routes/login/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/login/+page.svelte
@@ -31,6 +31,7 @@
     <a href="/auth/google">Continue with Google</a>
     <a href="/auth/github">Continue with GitHub</a>
     <a href="/api/auth/workos/login">Continue with WorkOS</a>
+    <a href="/api/auth/clerk/login">Continue with Clerk</a>
   </div>
 
   <form class="stack" on:submit={(event) => { event.preventDefault(); form.submit() }}>
diff --git a/apps/blog-sveltekit/src/routes/register/+page.svelte b/apps/blog-sveltekit/src/routes/register/+page.svelte
index 2701da8..34d9321 100644
--- a/apps/blog-sveltekit/src/routes/register/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/register/+page.svelte
@@ -97,6 +97,7 @@
 
   <a href="/login" class="link">Already have an account?</a>
   <a href="/api/auth/workos/register" class="link">Register with WorkOS</a>
+  <a href="/api/auth/clerk/register" class="link">Register with Clerk</a>
 </section>
 
 <style>
diff --git a/apps/docs/docs/auth/clerk.md b/apps/docs/docs/auth/clerk.md
index 4030a97..86c0b10 100644
--- a/apps/docs/docs/auth/clerk.md
+++ b/apps/docs/docs/auth/clerk.md
@@ -1,176 +1,136 @@
 # Clerk
 
-Clerk authentication keeps Clerk as the hosted identity provider while resolving into a local Holo user model.
+`@holo-js/auth-clerk` uses Clerk Account Portal as the hosted authentication UI, then syncs the authenticated Clerk user into your local Holo user model and logs that local user into the normal Holo session.
 
-## What This Package Does
-
-`@holo-js/auth-clerk` is useful when:
-
-- the sign-in UX is handled by Clerk
-- your application still owns a local `User` or `Admin` model
-- the local model needs to stay in sync with the hosted identity
-
-Think of the split like this:
-
-- Clerk proves who the user is
-- Holo finds or creates your local user record
-- Holo signs that local user into your configured guard
+## Configuration
 
-If you want the shortest answer to "how do I use this?":
+Install Clerk auth and enable the Clerk Account Portal in the Clerk Dashboard.
 
-- easy Holo way: call `authenticate(request, 'app')`
-- manual way: call `verifyRequest()`, then `syncIdentity()`, then `loginUsing()`
+```bash
+holo install auth --clerk
+```
 
-## Configuration
+The command wires the hosted-auth route scaffolding. Keep Account Portal enabled in Clerk so those routes can redirect to Clerk's hosted forms.
 
 ```ts
-import { defineAuthConfig } from '@holo-js/config'
+import { defineAuthConfig, env } from '@holo-js/config'
 
 export default defineAuthConfig({
   clerk: {
+    provider: env('AUTH_CLERK_PROVIDER', 'app'),
     app: {
-      publishableKey: process.env.CLERK_PUBLISHABLE_KEY,
-      secretKey: process.env.CLERK_SECRET_KEY,
-      jwtKey: process.env.CLERK_JWT_KEY,
-      sessionCookie: '__session',
-      guard: 'web',
+      publishableKey: env('CLERK_PUBLISHABLE_KEY'),
+      secretKey: env('CLERK_SECRET_KEY'),
+      apiUrl: env('CLERK_API_URL'),
+      frontendApi: env('CLERK_FRONTEND_API'),
+      redirectUri: env('CLERK_REDIRECT_URI'),
     },
   },
 })
 ```
 
-## Easy Holo Way
+Use these environment variables:
 
-This is the normal Holo flow. One call does everything:
+| Variable | Required | Value |
+| --- | --- | --- |
+| `AUTH_CLERK_PROVIDER` | No | Clerk provider key from `defineAuthConfig({ clerk })`. Defaults to `app`; valid values are the configured provider keys such as `app` or `org`. |
+| `CLERK_PUBLISHABLE_KEY` | Yes | Clerk publishable key, usually `pk_test_...` or `pk_live_...`. |
+| `CLERK_SECRET_KEY` | Yes | Clerk secret key, usually `sk_test_...` or `sk_live_...`. |
+| `CLERK_FRONTEND_API` | Yes | Clerk Frontend API URL, for example `https://steady-newt-5.clerk.accounts.dev` in development or `https://clerk.example.com` in production. |
+| `CLERK_REDIRECT_URI` | Yes | Your Holo callback URL, for example `http://localhost:3000/api/auth/clerk/callback`. |
+| `CLERK_API_URL` | No | Clerk API base URL. Leave empty unless you are using a custom Clerk API base. |
+| `CLERK_SESSION_COOKIE` | No | Clerk session cookie name. Defaults to `__session`. |
 
-- read the Clerk session from the request
-- verify it
-- find or create the local user
-- link the hosted identity
-- create the local Holo session
+`CLERK_FRONTEND_API` is not the Account Portal sign-in URL. Holo derives the matching Account Portal URL from it, appends `/sign-in` or `/sign-up`, and sends `CLERK_REDIRECT_URI` as Clerk's `redirect_url` query parameter. You do not configure a separate `CLERK_ACCOUNT_PORTAL_URL`.
 
-```ts
-import { authenticate } from '@holo-js/auth-clerk'
+`CLERK_SESSION_COOKIE` is optional and defaults to `__session`; you only need to set it if your Clerk instance uses a different session cookie name.
 
-export async function GET(request: Request) {
-  const result = await authenticate(request, 'app')
+In the Clerk Dashboard:
 
-  if (!result) {
-    return Response.json({ message: 'Unauthenticated.' }, { status: 401 })
-  }
+1. Copy the publishable and secret keys from the API keys page.
+2. Copy the Frontend API URL from the Clerk-provided domain settings.
+3. Enable Account Portal.
+4. Set Account Portal fallback redirects to your app pages, such as `/dashboard` after sign-in and `/onboarding` after sign-up.
 
-  return Response.json({
-    authenticated: true,
-    user: result.user,
-  })
-}
-```
+The Account Portal fallback redirects are only used when users visit Clerk pages directly. Holo login and registration routes always pass `redirect_url`, so normal Holo sign-in returns to `CLERK_REDIRECT_URI`.
 
-### What `authenticate()` Returns
+If your Holo app requires email verification, Clerk users must have a verified email address. Phone-only Clerk sign-up works only when your Holo auth config does not require email verification, or when you map the Clerk profile to a local user shape that your app can persist without a real email address.
 
-```ts
-import { authenticate } from '@holo-js/auth-clerk'
-```
+## Routes
 
-`authenticate()` returns:
+Login redirects the browser to the hosted Clerk sign-in form:
 
-- `result.user`
-  Your local Holo user model after serialization.
-- `result.status`
-  What happened during sync: `created`, `updated`, `linked`, or `relinked`.
-- `result.identity`
-  The stored hosted identity link row.
-- `result.session`
-  The verified Clerk session data, including the hosted session token as `result.session.accessToken`.
-- `result.authSession`
-  The local Holo session that was established for the selected guard.
+```ts
+import { loginWithClerk } from '@holo-js/auth-clerk'
 
-In practice:
+export async function GET(request: Request) {
+  return await loginWithClerk(request)
+}
+```
 
-- if you just want the signed-in local user, use `result.user`
-- if you care whether the local user was just created or reused, check `result.status`
-- if you need hosted Clerk details, inspect `result.session`
+Register redirects the browser to the hosted Clerk sign-up form:
 
-`result.session.accessToken` is the verified Clerk session token. It is hosted-session state, not a Holo personal
-access token and not a social-provider OAuth token.
+```ts
+import { registerWithClerk } from '@holo-js/auth-clerk'
 
-## Manual Way
+export async function GET(request: Request) {
+  return await registerWithClerk(request)
+}
+```
 
-Use the manual flow when your route needs full control over each step.
+The callback verifies the Clerk session on the request, syncs or creates the local user, links the Clerk identity, and logs the user into Holo:
 
 ```ts
-import { loginUsing } from '@holo-js/auth'
-import { syncIdentity, verifyRequest } from '@holo-js/auth-clerk'
+import { completeClerkAuth } from '@holo-js/auth-clerk'
 
 export async function GET(request: Request) {
-  const hosted = await verifyRequest(request, 'app')
-
-  if (!hosted) {
-    return Response.json({ message: 'Unauthenticated.' }, { status: 401 })
-  }
+  const result = await completeClerkAuth(request)
 
-  const linked = await syncIdentity(hosted, 'app')
-
-  if (linked.user.email !== 'allowed@app.test') {
-    return Response.json({ message: 'Forbidden.' }, { status: 403 })
+  if (!result.ok) {
+    return Response.redirect(new URL(`/login?error=${result.code}`, request.url))
   }
 
-  const authSession = await loginUsing(linked.user)
-
-  return Response.json({
-    authenticated: true,
-    user: linked.user,
-    status: linked.status,
-  })
+  return Response.redirect(new URL('/', request.url))
 }
 ```
 
-### What Each Manual Step Returns
-
-- `verifyRequest(request, 'app')`
-  Returns the verified Clerk session from the incoming request, or `null` if the request is not authenticated with Clerk.
-- `syncIdentity(hosted, 'app')`
-  Returns the local-user sync result. This includes `linked.user`, `linked.status`, `linked.identity`, and `linked.session`.
-- `loginUsing(linked.user)`
-  Returns the local Holo session result for your configured guard.
-
-Use the manual flow when you need to:
+Logout clears the local Holo session, revokes the Clerk session through the Clerk Backend API, and returns the final redirect URL:
 
-- inspect the verified Clerk session before creating local auth state
-- enforce your own checks after identity sync
-- allow Clerk authentication but delay local login
-- shape the response differently depending on `linked.status`
-
-## Verifying A Token Instead Of A Request
+```ts
+import { logoutWithClerk } from '@holo-js/auth-clerk'
 
-If your route already has the Clerk session token, use `verifySession(token, provider)` instead of `verifyRequest(request, provider)`.
+export async function POST(request: Request) {
+  const result = await logoutWithClerk(request, {
+    returnTo: '/login',
+  })
 
-```ts
-import { verifySession } from '@holo-js/auth-clerk'
+  if (!result.ok) {
+    return Response.json(result, { status: 422 })
+  }
 
-const hosted = await verifySession(token, 'app')
+  return Response.redirect(result.url, 303)
+}
 ```
 
-This returns the same kind of hosted Clerk session object as `verifyRequest()`, but starts from a token string instead of an incoming `Request`.
-
-## Logging Out
+## Mapping Local Fields
 
-Keep using the shared auth API:
+`completeClerkAuth()` passes a fully typed Clerk user to the optional mapper. Return any local user attributes you want Holo to save on create, update, or link.
 
 ```ts
-import { logout } from '@holo-js/auth'
-
-const signedOut = await logout()
+const result = await completeClerkAuth(request, {
+  user: (clerkUser) => ({
+    email: clerkUser.email,
+    name: clerkUser.name,
+    avatarUrl: clerkUser.imageUrl,
+    clerkUserId: clerkUser.id,
+  }),
+})
 ```
 
-When the guard is mapped to Clerk, `logout()` clears:
-
-- the local Holo auth session
-- the configured Clerk session cookie for that guard
+The normalized `clerkUser` includes `email` and `name`, derived from Clerk identity data with stable fallbacks. If no mapper is provided, Holo saves `email` and `name` by default. If your mapper omits either field, Holo still fills the missing `email` or `name` before writing the local user.
 
-This keeps logout behavior consistent with local auth while avoiding immediate re-authentication from the hosted cookie.
+## Lower-Level APIs
 
-## Session Cookie
+Use `authenticate(request, provider)` when you already have a Clerk-authenticated request and want one call to verify the session, sync the identity, and create the Holo session.
 
-By default Clerk uses `__session`. This can be customized through the auth config when the application needs a
-different session cookie name.
+Use `verifyRequest()`, `verifySession()`, and `syncIdentity()` when your route needs lower-level control before creating local auth state.
diff --git a/bun.lock b/bun.lock
index 1c6d191..932e9b2 100644
--- a/bun.lock
+++ b/bun.lock
@@ -4,6 +4,14 @@
   "workspaces": {
     "": {
       "name": "strata-monorepo",
+      "dependencies": {
+        "@types/react": "^19.2.14",
+        "@types/react-dom": "^19.2.3",
+        "@types/react-test-renderer": "^19.1.0",
+        "react": "^19.2.6",
+        "react-dom": "^19.2.6",
+        "react-test-renderer": "^19.2.6",
+      },
       "devDependencies": {
         "@changesets/cli": "^2.30.0",
         "@eslint/js": "catalog:",
@@ -283,20 +291,20 @@
       "name": "@holo-js/adapter-next",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/core": "^0.1.4",
+        "@holo-js/config": "catalog:",
+        "@holo-js/core": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
+        "@types/node": "catalog:",
         "next": "catalog:",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/forms": "^0.1.4",
-        "next": "^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0",
-        "react": "^18.3.1 || ^19.0.0",
+        "@holo-js/forms": "catalog:",
+        "next": "catalog:",
+        "react": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/forms",
@@ -306,23 +314,24 @@
       "name": "@holo-js/adapter-nuxt",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/core": "^0.1.4",
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/config": "catalog:",
+        "@holo-js/core": "catalog:",
+        "@holo-js/db": "catalog:",
         "@nuxt/kit": "catalog:",
+        "h3": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/storage-s3": "workspace:*",
-        "@nuxt/module-builder": "^1.0.2",
-        "@types/node": "^22.10.2",
+        "@holo-js/storage-s3": "catalog:",
+        "@nuxt/module-builder": "catalog:",
+        "@types/node": "catalog:",
         "nuxt": "catalog:",
-        "typescript": "^5.7.2",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/forms": "^0.1.4",
-        "@holo-js/storage": "^0.1.4",
-        "@holo-js/storage-s3": "^0.1.4",
+        "@holo-js/forms": "catalog:",
+        "@holo-js/storage": "catalog:",
+        "@holo-js/storage-s3": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/forms",
@@ -334,18 +343,20 @@
       "name": "@holo-js/adapter-sveltekit",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/core": "^0.1.4",
+        "@holo-js/config": "catalog:",
+        "@holo-js/core": "catalog:",
         "svelte": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@sveltejs/kit": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/forms": "^0.1.4",
+        "@holo-js/forms": "catalog:",
+        "@sveltejs/kit": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/forms",
@@ -355,7 +366,7 @@
       "name": "@holo-js/auth",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
         "@types/node": "catalog:",
@@ -368,9 +379,9 @@
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/security": "^0.1.4",
+        "@holo-js/security": "catalog:",
         "nuxt": "catalog:",
-        "react": "^18.3.1 || ^19.0.0",
+        "react": "catalog:",
         "svelte": "catalog:",
       },
       "optionalPeers": [
@@ -384,14 +395,15 @@
       "name": "@holo-js/auth-clerk",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth": "workspace:*",
-        "@holo-js/config": "workspace:*",
-        "@holo-js/session": "workspace:*",
+        "@clerk/backend": "catalog:",
+        "@holo-js/auth": "catalog:",
+        "@holo-js/config": "catalog:",
+        "@holo-js/session": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -399,13 +411,13 @@
       "name": "@holo-js/auth-social",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth": "^0.1.4",
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/auth": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -413,13 +425,13 @@
       "name": "@holo-js/auth-social-apple",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -427,13 +439,13 @@
       "name": "@holo-js/auth-social-discord",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -441,13 +453,13 @@
       "name": "@holo-js/auth-social-facebook",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -455,13 +467,13 @@
       "name": "@holo-js/auth-social-github",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -469,13 +481,13 @@
       "name": "@holo-js/auth-social-google",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -483,13 +495,13 @@
       "name": "@holo-js/auth-social-linkedin",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth-social": "workspace:*",
-        "@holo-js/config": "workspace:*",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -497,14 +509,14 @@
       "name": "@holo-js/auth-workos",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/auth": "workspace:*",
-        "@holo-js/config": "workspace:*",
-        "@holo-js/session": "workspace:*",
+        "@holo-js/auth": "catalog:",
+        "@holo-js/config": "catalog:",
+        "@holo-js/session": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -512,9 +524,9 @@
       "name": "@holo-js/authorization",
       "version": "0.1.4",
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -522,16 +534,16 @@
       "name": "@holo-js/broadcast",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/validation": "^0.1.4",
-        "ws": "^8.18.3",
+        "@holo-js/config": "catalog:",
+        "@holo-js/validation": "catalog:",
+        "ws": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "@types/ws": "^8.18.1",
+        "@types/node": "catalog:",
+        "@types/ws": "catalog:",
         "ioredis": "catalog:",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
@@ -545,12 +557,12 @@
       "name": "@holo-js/cache",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -558,19 +570,19 @@
       "name": "@holo-js/cache-db",
       "version": "0.1.4",
       "dependencies": {
-        "tslib": "^2.8.1",
+        "tslib": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/cache": "workspace:*",
-        "@holo-js/db": "workspace:*",
+        "@holo-js/cache": "catalog:",
+        "@holo-js/db": "catalog:",
         "@types/node": "catalog:",
         "tsup": "catalog:",
         "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/cache": "^0.1.4",
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/cache": "catalog:",
+        "@holo-js/db": "catalog:",
       },
     },
     "packages/cache-redis": {
@@ -578,17 +590,17 @@
       "version": "0.1.4",
       "dependencies": {
         "ioredis": "catalog:",
-        "tslib": "^2.8.1",
+        "tslib": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/cache": "workspace:*",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/cache": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/cache": "^0.1.4",
+        "@holo-js/cache": "catalog:",
       },
     },
     "packages/cli": {
@@ -599,19 +611,19 @@
         "holo-js": "./dist/bin/holo.mjs",
       },
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/core": "^0.1.4",
-        "@holo-js/db": "^0.1.4",
-        "esbuild": "^0.27.4",
+        "@holo-js/config": "catalog:",
+        "@holo-js/core": "catalog:",
+        "@holo-js/db": "catalog:",
+        "esbuild": "catalog:",
         "inflection": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/events": "^0.1.4",
-        "@holo-js/queue": "^0.1.4",
-        "@holo-js/queue-db": "^0.1.4",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/events": "catalog:",
+        "@holo-js/queue": "catalog:",
+        "@holo-js/queue-db": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -619,11 +631,11 @@
       "name": "@holo-js/config",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/db": "catalog:",
       },
       "devDependencies": {
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -631,36 +643,36 @@
       "name": "@holo-js/core",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "@holo-js/db": "^0.1.4",
-        "esbuild": "^0.27.4",
+        "@holo-js/config": "catalog:",
+        "@holo-js/db": "catalog:",
+        "esbuild": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/auth": "^0.1.4",
-        "@holo-js/authorization": "^0.1.4",
-        "@holo-js/events": "^0.1.4",
-        "@holo-js/mail": "^0.1.4",
-        "@holo-js/notifications": "^0.1.4",
-        "@holo-js/queue-db": "^0.1.4",
-        "@holo-js/session": "^0.1.4",
-        "@holo-js/storage": "^0.1.4",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/auth": "catalog:",
+        "@holo-js/authorization": "catalog:",
+        "@holo-js/events": "catalog:",
+        "@holo-js/mail": "catalog:",
+        "@holo-js/notifications": "catalog:",
+        "@holo-js/queue-db": "catalog:",
+        "@holo-js/session": "catalog:",
+        "@holo-js/storage": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/auth": "^0.1.4",
-        "@holo-js/auth-clerk": "^0.1.4",
-        "@holo-js/auth-social": "^0.1.4",
-        "@holo-js/auth-workos": "^0.1.4",
-        "@holo-js/authorization": "^0.1.4",
-        "@holo-js/mail": "^0.1.4",
-        "@holo-js/notifications": "^0.1.4",
-        "@holo-js/queue": "^0.1.4",
-        "@holo-js/security": "^0.1.4",
-        "@holo-js/session": "^0.1.4",
-        "@holo-js/storage": "^0.1.4",
+        "@holo-js/auth": "catalog:",
+        "@holo-js/auth-clerk": "catalog:",
+        "@holo-js/auth-social": "catalog:",
+        "@holo-js/auth-workos": "catalog:",
+        "@holo-js/authorization": "catalog:",
+        "@holo-js/mail": "catalog:",
+        "@holo-js/notifications": "catalog:",
+        "@holo-js/queue": "catalog:",
+        "@holo-js/security": "catalog:",
+        "@holo-js/session": "catalog:",
+        "@holo-js/storage": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/auth",
@@ -680,15 +692,15 @@
       "name": "create-holo-js",
       "version": "0.1.4",
       "bin": {
-        "create-holo-js": "./dist/bin/create-holo-js.mjs",
+        "create-holo-js": "dist/bin/create-holo-js.mjs",
       },
       "dependencies": {
-        "@holo-js/cli": "^0.1.0",
+        "@holo-js/cli": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
       },
     },
     "packages/db": {
@@ -700,18 +712,18 @@
         "uuid": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/db-mysql": "workspace:*",
-        "@holo-js/db-postgres": "workspace:*",
-        "@holo-js/db-sqlite": "workspace:*",
-        "@types/better-sqlite3": "^7.6.12",
-        "@types/pg": "^8.11.0",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/db-mysql": "catalog:",
+        "@holo-js/db-postgres": "catalog:",
+        "@holo-js/db-sqlite": "catalog:",
+        "@types/better-sqlite3": "catalog:",
+        "@types/pg": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/db-mysql": "^0.1.4",
-        "@holo-js/db-postgres": "^0.1.4",
-        "@holo-js/db-sqlite": "^0.1.4",
+        "@holo-js/db-mysql": "catalog:",
+        "@holo-js/db-postgres": "catalog:",
+        "@holo-js/db-sqlite": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/db-mysql",
@@ -723,66 +735,66 @@
       "name": "@holo-js/db-mysql",
       "version": "0.1.4",
       "dependencies": {
-        "mysql2": "^3.17.1",
+        "mysql2": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/db": "workspace:*",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/db": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/db": "catalog:",
       },
     },
     "packages/db-postgres": {
       "name": "@holo-js/db-postgres",
       "version": "0.1.4",
       "dependencies": {
-        "pg": "^8.13.0",
+        "pg": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/db": "workspace:*",
-        "@types/pg": "^8.11.0",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/db": "catalog:",
+        "@types/pg": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/db": "catalog:",
       },
     },
     "packages/db-sqlite": {
       "name": "@holo-js/db-sqlite",
       "version": "0.1.4",
       "dependencies": {
-        "better-sqlite3": "^11.7.0",
+        "better-sqlite3": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/db": "workspace:*",
-        "@types/better-sqlite3": "^7.6.12",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/db": "catalog:",
+        "@types/better-sqlite3": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/db": "catalog:",
       },
     },
     "packages/events": {
       "name": "@holo-js/events",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/db": "^0.1.4",
+        "@holo-js/db": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/queue": "^0.1.4",
+        "@holo-js/queue": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/queue",
@@ -792,12 +804,12 @@
       "name": "@holo-js/flux",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/broadcast": "^0.1.4",
+        "@holo-js/broadcast": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -805,73 +817,73 @@
       "name": "@holo-js/flux-react",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/broadcast": "^0.1.4",
-        "@holo-js/flux": "^0.1.4",
+        "@holo-js/broadcast": "catalog:",
+        "@holo-js/flux": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "@types/react": "^18.3.12",
-        "@types/react-test-renderer": "^18.3.1",
-        "react": "^18.3.1",
-        "react-test-renderer": "^18.3.1",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "@types/react": "catalog:",
+        "@types/react-test-renderer": "catalog:",
+        "react": "catalog:",
+        "react-test-renderer": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "react": "^18.3.1 || ^19.0.0",
+        "react": "catalog:",
       },
     },
     "packages/flux-svelte": {
       "name": "@holo-js/flux-svelte",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/broadcast": "^0.1.4",
-        "@holo-js/flux": "^0.1.4",
+        "@holo-js/broadcast": "catalog:",
+        "@holo-js/flux": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "svelte": "^5.16.0",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "svelte": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "svelte": "^5.16.0",
+        "svelte": "catalog:",
       },
     },
     "packages/flux-vue": {
       "name": "@holo-js/flux-vue",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/broadcast": "^0.1.4",
-        "@holo-js/flux": "^0.1.4",
+        "@holo-js/broadcast": "catalog:",
+        "@holo-js/flux": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
-        "vue": "^3.5.13",
+        "vue": "catalog:",
       },
       "peerDependencies": {
-        "vue": "^3.5.13",
+        "vue": "catalog:",
       },
     },
     "packages/forms": {
       "name": "@holo-js/forms",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/validation": "^0.1.4",
+        "@holo-js/validation": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/security": "^0.1.4",
+        "@holo-js/security": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/security",
@@ -881,18 +893,18 @@
       "name": "@holo-js/mail",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
-        "nodemailer": "^6.10.1",
+        "@holo-js/config": "catalog:",
+        "nodemailer": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/queue": "^0.1.4",
-        "@holo-js/storage": "^0.1.4",
+        "@holo-js/queue": "catalog:",
+        "@holo-js/storage": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/queue",
@@ -903,14 +915,14 @@
       "name": "@holo-js/media",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/db": "^0.1.4",
-        "@holo-js/queue": "^0.1.4",
-        "@holo-js/storage": "^0.1.4",
-        "sharp": "^0.34.4",
+        "@holo-js/db": "catalog:",
+        "@holo-js/queue": "catalog:",
+        "@holo-js/storage": "catalog:",
+        "sharp": "catalog:",
       },
       "devDependencies": {
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -918,16 +930,16 @@
       "name": "@holo-js/notifications",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/queue": "^0.1.4",
+        "@holo-js/queue": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/queue",
@@ -937,14 +949,14 @@
       "name": "@holo-js/queue",
       "version": "0.1.4",
       "devDependencies": {
-        "@holo-js/queue-redis": "workspace:*",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/queue-redis": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/queue-redis": "^0.1.4",
+        "@holo-js/queue-redis": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/queue-redis",
@@ -954,13 +966,13 @@
       "name": "@holo-js/queue-db",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/db": "^0.1.4",
-        "@holo-js/queue": "^0.1.4",
+        "@holo-js/db": "catalog:",
+        "@holo-js/queue": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -968,32 +980,32 @@
       "name": "@holo-js/queue-redis",
       "version": "0.1.4",
       "dependencies": {
-        "bullmq": "^5.71.0",
+        "bullmq": "catalog:",
         "ioredis": "catalog:",
-        "tslib": "^2.8.1",
+        "tslib": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/queue": "workspace:*",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/queue": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/queue": "^0.1.4",
+        "@holo-js/queue": "catalog:",
       },
     },
     "packages/security": {
       "name": "@holo-js/security",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
+        "@types/node": "catalog:",
         "ioredis": "catalog:",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
@@ -1007,13 +1019,13 @@
       "name": "@holo-js/session",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
+        "@types/node": "catalog:",
         "ioredis": "catalog:",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
@@ -1027,17 +1039,17 @@
       "name": "@holo-js/storage",
       "version": "0.1.4",
       "dependencies": {
-        "@holo-js/config": "^0.1.4",
+        "@holo-js/config": "catalog:",
       },
       "devDependencies": {
-        "@holo-js/storage-s3": "workspace:*",
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@holo-js/storage-s3": "catalog:",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
       "peerDependencies": {
-        "@holo-js/storage-s3": "^0.1.4",
+        "@holo-js/storage-s3": "catalog:",
       },
       "optionalPeers": [
         "@holo-js/storage-s3",
@@ -1047,9 +1059,9 @@
       "name": "@holo-js/storage-s3",
       "version": "0.1.4",
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -1057,12 +1069,12 @@
       "name": "@holo-js/validation",
       "version": "0.1.4",
       "dependencies": {
-        "valibot": "^1.1.0",
+        "valibot": "catalog:",
       },
       "devDependencies": {
-        "@types/node": "^22.10.2",
-        "tsup": "^8.3.5",
-        "typescript": "^5.7.2",
+        "@types/node": "catalog:",
+        "tsup": "catalog:",
+        "typescript": "catalog:",
         "vitest": "catalog:",
       },
     },
@@ -1081,7 +1093,50 @@
     "sharp",
   ],
   "catalog": {
+    "@clerk/backend": "^3.4.7",
     "@eslint/js": "^9.17.0",
+    "@holo-js/adapter-next": "^0.1.4",
+    "@holo-js/adapter-nuxt": "^0.1.4",
+    "@holo-js/adapter-sveltekit": "^0.1.4",
+    "@holo-js/auth": "^0.1.4",
+    "@holo-js/auth-clerk": "^0.1.4",
+    "@holo-js/auth-social": "^0.1.4",
+    "@holo-js/auth-social-apple": "^0.1.4",
+    "@holo-js/auth-social-discord": "^0.1.4",
+    "@holo-js/auth-social-facebook": "^0.1.4",
+    "@holo-js/auth-social-github": "^0.1.4",
+    "@holo-js/auth-social-google": "^0.1.4",
+    "@holo-js/auth-social-linkedin": "^0.1.4",
+    "@holo-js/auth-workos": "^0.1.4",
+    "@holo-js/authorization": "^0.1.4",
+    "@holo-js/broadcast": "^0.1.4",
+    "@holo-js/cache": "^0.1.4",
+    "@holo-js/cache-db": "^0.1.4",
+    "@holo-js/cache-redis": "^0.1.4",
+    "@holo-js/cli": "^0.1.4",
+    "@holo-js/config": "^0.1.4",
+    "@holo-js/core": "^0.1.4",
+    "@holo-js/db": "^0.1.4",
+    "@holo-js/db-mysql": "^0.1.4",
+    "@holo-js/db-postgres": "^0.1.4",
+    "@holo-js/db-sqlite": "^0.1.4",
+    "@holo-js/events": "^0.1.4",
+    "@holo-js/flux": "^0.1.4",
+    "@holo-js/flux-react": "^0.1.4",
+    "@holo-js/flux-svelte": "^0.1.4",
+    "@holo-js/flux-vue": "^0.1.4",
+    "@holo-js/forms": "^0.1.4",
+    "@holo-js/mail": "^0.1.4",
+    "@holo-js/media": "^0.1.4",
+    "@holo-js/notifications": "^0.1.4",
+    "@holo-js/queue": "^0.1.4",
+    "@holo-js/queue-db": "^0.1.4",
+    "@holo-js/queue-redis": "^0.1.4",
+    "@holo-js/security": "^0.1.4",
+    "@holo-js/session": "^0.1.4",
+    "@holo-js/storage": "^0.1.4",
+    "@holo-js/storage-s3": "^0.1.4",
+    "@holo-js/validation": "^0.1.4",
     "@nuxt/kit": "^4.4.4",
     "@nuxt/module-builder": "^1.0.2",
     "@sveltejs/adapter-node": "^5.5.4",
@@ -1092,21 +1147,29 @@
     "@types/pg": "^8.11.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
+    "@types/react-test-renderer": "^19.0.0",
+    "@types/ws": "^8.18.1",
     "@vitest/coverage-istanbul": "^4.1.5",
     "@vitest/coverage-v8": "^4.1.5",
     "better-sqlite3": "^11.7.0",
+    "bullmq": "^5.71.0",
+    "create-holo-js": "^0.1.4",
     "esbuild": "^0.27.4",
     "eslint": "^9.17.0",
     "fast-check": "^4.5.3",
     "globals": "^15.14.0",
+    "h3": "^1.15.11",
     "inflection": "^3.0.2",
     "ioredis": "^5.4.2",
     "mysql2": "^3.17.1",
     "next": "^16.2.4",
+    "nodemailer": "^6.10.1",
     "nuxt": "^4.4.4",
     "pg": "^8.13.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
+    "react-test-renderer": "^19.0.0",
+    "sharp": "^0.34.4",
     "svelte": "^5.55.5",
     "tslib": "^2.8.1",
     "tsup": "^8.3.5",
@@ -1114,12 +1177,14 @@
     "typescript-eslint": "^8.30.1",
     "ulid": "^3.0.1",
     "uuid": "^12.0.0",
+    "valibot": "^1.1.0",
     "vite": "^8.0.10",
     "vitepress": "^1.6.3",
     "vitest": "^4.1.5",
     "vue": "^3.5.13",
     "vue-router": "^5.0.4",
     "vue-tsc": "^2.2.0",
+    "ws": "^8.18.3",
   },
   "packages": {
     "@algolia/abtesting": ["@algolia/abtesting@1.16.0", "", { "dependencies": { "@algolia/client-common": "5.50.0", "@algolia/requester-browser-xhr": "5.50.0", "@algolia/requester-fetch": "5.50.0", "@algolia/requester-node-http": "5.50.0" } }, "sha512-alHFZ68/i9qLC/muEB07VQ9r7cB8AvCcGX6dVQi2PNHhc/ZQRmmFAv8KK1ay4UiseGSFr7f0nXBKsZ/jRg7e4g=="],
@@ -1254,6 +1319,10 @@
 
     "@clack/prompts": ["@clack/prompts@1.1.0", "", { "dependencies": { "@clack/core": "1.1.0", "sisteransi": "^1.0.5" } }, "sha512-pkqbPGtohJAvm4Dphs2M8xE29ggupihHdy1x84HNojZuMtFsHiUlRvqD24tM2+XmI+61LlfNceM3Wr7U5QES5g=="],
 
+    "@clerk/backend": ["@clerk/backend@3.4.7", "", { "dependencies": { "@clerk/shared": "^4.10.2", "standardwebhooks": "^1.0.0", "tslib": "2.8.1" } }, "sha512-zAELfaYtrlxlxxB6PT3EHPsHck6IPuyTQSKm7hWQqXp9GoFOM6wKOflFZgI0Q2M1C5SgrkDcrMNchkWXRwbsQw=="],
+
+    "@clerk/shared": ["@clerk/shared@4.10.2", "", { "dependencies": { "@tanstack/query-core": "^5.100.6", "dequal": "2.0.3", "glob-to-regexp": "0.4.1", "js-cookie": "3.0.5", "std-env": "^3.9.0" }, "peerDependencies": { "react": "^18.0.0 || ~19.0.3 || ~19.1.4 || ~19.2.3 || ~19.3.0-0", "react-dom": "^18.0.0 || ~19.0.3 || ~19.1.4 || ~19.2.3 || ~19.3.0-0" }, "optionalPeers": ["react", "react-dom"] }, "sha512-2RXGaCV94U2wYWaMQZA/AhVkqjcSx8f+oVjh6wgr4yXDmZ24BQRjPJ+K4L6IHiB/agoaXtKWJ0GI8InRZjo9/g=="],
+
     "@cloudflare/kv-asset-handler": ["@cloudflare/kv-asset-handler@0.4.2", "", {}, "sha512-SIOD2DxrRRwQ+jgzlXCqoEFiKOFqaPjhnNTGKXSRLvp1HiOvapLaFG2kEr9dYQTYe8rKrd9uvDUzmAITeNyaHQ=="],
 
     "@colordx/core": ["@colordx/core@5.4.3", "", {}, "sha512-kIxYSfA5T8HXjav55UaaH/o/cKivF6jCCGIb8eqtcsfI46wsvlSiT8jMDyrl779qLec3c2c2oHBZo4oAhvbjrQ=="],
@@ -1864,6 +1933,8 @@
 
     "@speed-highlight/core": ["@speed-highlight/core@1.2.15", "", {}, "sha512-BMq1K3DsElxDWawkX6eLg9+CKJrTVGCBAWVuHXVUV2u0s2711qiChLSId6ikYPfxhdYocLNt3wWwSvDiTvFabw=="],
 
+    "@stablelib/base64": ["@stablelib/base64@1.0.1", "", {}, "sha512-1bnPQqSxSuc3Ii6MhBysoWCg58j97aUjuCSZrGSmDxNqtytIi0k8utUenAwTZN4V5mXXYGsVUI9zeBqy+jBOSQ=="],
+
     "@standard-schema/spec": ["@standard-schema/spec@1.1.0", "", {}, "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w=="],
 
     "@sveltejs/acorn-typescript": ["@sveltejs/acorn-typescript@1.0.9", "", { "peerDependencies": { "acorn": "^8.9.0" } }, "sha512-lVJX6qEgs/4DOcRTpo56tmKzVPtoWAaVbL4hfO7t7NVwl9AAXzQR6cihesW1BmNMPl+bK6dreu2sOKBP2Q9CIA=="],
@@ -1876,6 +1947,8 @@
 
     "@swc/helpers": ["@swc/helpers@0.5.15", "", { "dependencies": { "tslib": "^2.8.0" } }, "sha512-JQ5TuMi45Owi4/BIMAJBoSQoOJu12oOk/gADqlcUL9JEdHB8vyjUSsxqeNXnmXHjYKMi2WcYtezGEEhqUI/E2g=="],
 
+    "@tanstack/query-core": ["@tanstack/query-core@5.100.10", "", {}, "sha512-8UR0yJR+GiQ40m3lPhUr0xbfAupe6GSQiksSBSa9SM2NjezFyxXCIA69/lz8cSoNKZLrw1/PktIyQBJcVeMi3w=="],
+
     "@tybys/wasm-util": ["@tybys/wasm-util@0.10.1", "", { "dependencies": { "tslib": "^2.4.0" } }, "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg=="],
 
     "@types/better-sqlite3": ["@types/better-sqlite3@7.6.13", "", { "dependencies": { "@types/node": "*" } }, "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA=="],
@@ -1904,13 +1977,11 @@
 
     "@types/pg": ["@types/pg@8.20.0", "", { "dependencies": { "@types/node": "*", "pg-protocol": "*", "pg-types": "^2.2.0" } }, "sha512-bEPFOaMAHTEP1EzpvHTbmwR8UsFyHSKsRisLIHVMXnpNefSbGA1bD6CVy+qKjGSqmZqNqBDV2azOBo8TgkcVow=="],
 
-    "@types/prop-types": ["@types/prop-types@15.7.15", "", {}, "sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw=="],
-
     "@types/react": ["@types/react@19.2.14", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w=="],
 
     "@types/react-dom": ["@types/react-dom@19.2.3", "", { "peerDependencies": { "@types/react": "^19.2.0" } }, "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ=="],
 
-    "@types/react-test-renderer": ["@types/react-test-renderer@18.3.1", "", { "dependencies": { "@types/react": "^18" } }, "sha512-vAhnk0tG2eGa37lkU9+s5SoroCsRI08xnsWFiAXOuPH2jqzMbcXvKExXViPi1P5fIklDeCvXqyrdmipFaSkZrA=="],
+    "@types/react-test-renderer": ["@types/react-test-renderer@19.1.0", "", { "dependencies": { "@types/react": "*" } }, "sha512-XD0WZrHqjNrxA/MaR9O22w/RNidWR9YZmBdRGI7wcnWGrv/3dA8wKCJ8m63Sn+tLJhcjmuhOi629N66W6kgWzQ=="],
 
     "@types/resolve": ["@types/resolve@1.20.2", "", {}, "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q=="],
 
@@ -2388,6 +2459,8 @@
 
     "fast-npm-meta": ["fast-npm-meta@1.4.2", "", { "bin": { "fast-npm-meta": "dist/cli.mjs" } }, "sha512-XXyd9d3ie/JeIIjm6WeKalvapGGFI4ShAjPJM78vgUFYzoEsuNSjvvVTuht0XZcwbVdOnEEGzhxwguRbxkIcDg=="],
 
+    "fast-sha256": ["fast-sha256@1.3.0", "", {}, "sha512-n11RGP/lrWEFI/bWdygLxhI+pVeo1ZYIVwvvPkW7azl/rOy+F3HYRZ2K5zeE9mmkhQppyv9sQFx0JM9UabnpPQ=="],
+
     "fast-string-truncated-width": ["fast-string-truncated-width@3.0.3", "", {}, "sha512-0jjjIEL6+0jag3l2XWWizO64/aZVtpiGE3t0Zgqxv0DPuxiMjvB3M24fCyhZUO4KomJQPj3LTSUnDP3GpdwC0g=="],
 
     "fast-string-width": ["fast-string-width@3.0.2", "", { "dependencies": { "fast-string-truncated-width": "^3.0.2" } }, "sha512-gX8LrtNEI5hq8DVUfRQMbr5lpaS4nMIWV+7XEbXk2b8kiQIizgnlr12B4dA3ZEx3308ze0O4Q1R+cHts8kyUJg=="],
@@ -2452,6 +2525,8 @@
 
     "glob-parent": ["glob-parent@6.0.2", "", { "dependencies": { "is-glob": "^4.0.3" } }, "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A=="],
 
+    "glob-to-regexp": ["glob-to-regexp@0.4.1", "", {}, "sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw=="],
+
     "global-directory": ["global-directory@4.0.1", "", { "dependencies": { "ini": "4.1.1" } }, "sha512-wHTUcDUoZ1H5/0iVqEudYW4/kAlN5cZ3j/bXn0Dpbizl9iaUVeWSHqiOjsgk6OW2bkLclbBjzewBz6weQ1zA2Q=="],
 
     "globals": ["globals@15.15.0", "", {}, "sha512-7ACyT3wmyp3I61S4fG682L0VA2RGD9otkqGJIwNUMF1SWUombIIk+af1unuDYgMm082aHYwD+mzJvv9Iu8dsgg=="],
@@ -2570,6 +2645,8 @@
 
     "joycon": ["joycon@3.1.1", "", {}, "sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw=="],
 
+    "js-cookie": ["js-cookie@3.0.5", "", {}, "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw=="],
+
     "js-tokens": ["js-tokens@10.0.0", "", {}, "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q=="],
 
     "js-yaml": ["js-yaml@4.1.1", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA=="],
@@ -2654,8 +2731,6 @@
 
     "long": ["long@5.3.2", "", {}, "sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA=="],
 
-    "loose-envify": ["loose-envify@1.4.0", "", { "dependencies": { "js-tokens": "^3.0.0 || ^4.0.0" }, "bin": { "loose-envify": "cli.js" } }, "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q=="],
-
     "lru-cache": ["lru-cache@5.1.1", "", { "dependencies": { "yallist": "^3.0.2" } }, "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w=="],
 
     "lru.min": ["lru.min@1.1.4", "", {}, "sha512-DqC6n3QQ77zdFpCMASA1a3Jlb64Hv2N2DciFGkO/4L9+q/IpIAuRlKOvCXabtRW6cQf8usbmM6BE/TOPysCdIA=="],
@@ -2996,15 +3071,13 @@
 
     "rc9": ["rc9@3.0.1", "", { "dependencies": { "defu": "^6.1.6", "destr": "^2.0.5" } }, "sha512-gMDyleLWVE+i6Sgtc0QbbY6pEKqYs97NGi6isHQPqYlLemPoO8dxQ3uGi0f4NiP98c+jMW6cG1Kx9dDwfvqARQ=="],
 
-    "react": ["react@19.2.4", "", {}, "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ=="],
+    "react": ["react@19.2.6", "", {}, "sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q=="],
 
-    "react-dom": ["react-dom@19.2.4", "", { "dependencies": { "scheduler": "^0.27.0" }, "peerDependencies": { "react": "^19.2.4" } }, "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ=="],
+    "react-dom": ["react-dom@19.2.6", "", { "dependencies": { "scheduler": "^0.27.0" }, "peerDependencies": { "react": "^19.2.6" } }, "sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g=="],
 
-    "react-is": ["react-is@18.3.1", "", {}, "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg=="],
+    "react-is": ["react-is@19.2.6", "", {}, "sha512-XjBR15BhXuylgWGuslhDKqlSayuqvqBX91BP8pauG8kd1zY8kotkNWbXksTCNRarse4kuGbe2kIY05ARtwNIvw=="],
 
-    "react-shallow-renderer": ["react-shallow-renderer@16.15.0", "", { "dependencies": { "object-assign": "^4.1.1", "react-is": "^16.12.0 || ^17.0.0 || ^18.0.0" }, "peerDependencies": { "react": "^16.0.0 || ^17.0.0 || ^18.0.0" } }, "sha512-oScf2FqQ9LFVQgA73vr86xl2NaOIX73rh+YFqcOp68CWj56tSfgtGKrEbyhCj0rSijyG9M1CYprTh39fBi5hzA=="],
-
-    "react-test-renderer": ["react-test-renderer@18.3.1", "", { "dependencies": { "react-is": "^18.3.1", "react-shallow-renderer": "^16.15.0", "scheduler": "^0.23.2" }, "peerDependencies": { "react": "^18.3.1" } }, "sha512-KkAgygexHUkQqtvvx/otwxtuFu5cVjfzTCtjXLH9boS19/Nbtg84zS7wIQn39G8IlrhThBpQsMKkq5ZHZIYFXA=="],
+    "react-test-renderer": ["react-test-renderer@19.2.6", "", { "dependencies": { "react-is": "^19.2.6", "scheduler": "^0.27.0" }, "peerDependencies": { "react": "^19.2.6" } }, "sha512-GbS6V23YduFTPiWJ5xICbKEjRcqx1Z90js/V5miqhz7qp/d6xSe9Dd6NjSQODFRdzdsqRMPW82E/sFpPRbY5Mw=="],
 
     "read-yaml-file": ["read-yaml-file@1.1.0", "", { "dependencies": { "graceful-fs": "^4.1.5", "js-yaml": "^3.6.1", "pify": "^4.0.1", "strip-bom": "^3.0.0" } }, "sha512-VIMnQi/Z4HT2Fxuwg5KrY174U1VdUIASQVWXXyqtNRtxSr9IYkn1rsI6Tb6HsrHCmB7gVpNwX6JxPTHcH6IoTA=="],
 
@@ -3056,7 +3129,7 @@
 
     "sax": ["sax@1.6.0", "", {}, "sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA=="],
 
-    "scheduler": ["scheduler@0.23.2", "", { "dependencies": { "loose-envify": "^1.1.0" } }, "sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ=="],
+    "scheduler": ["scheduler@0.27.0", "", {}, "sha512-eNv+WrVbKu1f3vbYJT/xtiF5syA5HPIMtf9IgY/nKg0sWqzAUEvqY/xm7OcZc/qafLx/iO9FgOmeSAp4v5ti/Q=="],
 
     "scule": ["scule@1.3.0", "", {}, "sha512-6FtHJEvt+pVMIB9IBY+IcCJ6Z5f1iQnytgyfKMhDKgmzYG+TeH/wx1y3l27rshSbLiSanrR9ffZDrEsmjlQF2g=="],
 
@@ -3130,6 +3203,8 @@
 
     "standard-as-callback": ["standard-as-callback@2.1.0", "", {}, "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A=="],
 
+    "standardwebhooks": ["standardwebhooks@1.0.0", "", { "dependencies": { "@stablelib/base64": "^1.0.0", "fast-sha256": "^1.3.0" } }, "sha512-BbHGOQK9olHPMvQNHWul6MYlrRTAOKn03rOe4A8O3CLWhNf4YHBqq2HJKKC+sfqpxiBY52pNeesD6jIiLDz8jg=="],
+
     "statuses": ["statuses@2.0.2", "", {}, "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="],
 
     "std-env": ["std-env@4.1.0", "", {}, "sha512-Rq7ybcX2RuC55r9oaPVEW7/xu3tj8u4GeBYHBWCychFtzMIr86A7e3PPEBPT37sHStKX3+TiX/Fr/ACmJLVlLQ=="],
@@ -3398,9 +3473,7 @@
 
     "@babel/helper-create-class-features-plugin/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="],
 
-    "@docsearch/react/@types/react": ["@types/react@18.3.28", "", { "dependencies": { "@types/prop-types": "*", "csstype": "^3.2.2" } }, "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw=="],
-
-    "@docsearch/react/react": ["react@18.3.1", "", { "dependencies": { "loose-envify": "^1.1.0" } }, "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ=="],
+    "@clerk/shared/std-env": ["std-env@3.10.0", "", {}, "sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg=="],
 
     "@dxup/nuxt/chokidar": ["chokidar@5.0.0", "", { "dependencies": { "readdirp": "^5.0.0" } }, "sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw=="],
 
@@ -3408,10 +3481,6 @@
 
     "@eslint/eslintrc/globals": ["globals@14.0.0", "", {}, "sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ=="],
 
-    "@holo-js/flux-react/@types/react": ["@types/react@18.3.28", "", { "dependencies": { "@types/prop-types": "*", "csstype": "^3.2.2" } }, "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw=="],
-
-    "@holo-js/flux-react/react": ["react@18.3.1", "", { "dependencies": { "loose-envify": "^1.1.0" } }, "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ=="],
-
     "@isaacs/cliui/string-width": ["string-width@5.1.2", "", { "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", "strip-ansi": "^7.0.1" } }, "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA=="],
 
     "@isaacs/cliui/strip-ansi": ["strip-ansi@7.2.0", "", { "dependencies": { "ansi-regex": "^6.2.2" } }, "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w=="],
@@ -3506,8 +3575,6 @@
 
     "@rollup/pluginutils/estree-walker": ["estree-walker@2.0.2", "", {}, "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w=="],
 
-    "@types/react-test-renderer/@types/react": ["@types/react@18.3.28", "", { "dependencies": { "@types/prop-types": "*", "csstype": "^3.2.2" } }, "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw=="],
-
     "@typescript-eslint/eslint-plugin/ignore": ["ignore@7.0.5", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
 
     "@typescript-eslint/typescript-estree/minimatch": ["minimatch@10.2.4", "", { "dependencies": { "brace-expansion": "^5.0.2" } }, "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg=="],
@@ -3624,8 +3691,6 @@
 
     "listhen/ufo": ["ufo@1.6.3", "", {}, "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q=="],
 
-    "loose-envify/js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
-
     "magic-regexp/ufo": ["ufo@1.6.3", "", {}, "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q=="],
 
     "magic-regexp/unplugin": ["unplugin@2.3.11", "", { "dependencies": { "@jridgewell/remapping": "^2.3.5", "acorn": "^8.15.0", "picomatch": "^4.0.3", "webpack-virtual-modules": "^0.6.2" } }, "sha512-5uKD0nqiYVzlmCRs01Fhs2BdkEgBS3SAVP6ndrBsuK42iC2+JHyxM05Rm9G8+5mkmRtzMZGY8Ct5+mliZxU/Ww=="],
@@ -3748,12 +3813,6 @@
 
     "rc9/defu": ["defu@6.1.7", "", {}, "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ=="],
 
-    "react-dom/scheduler": ["scheduler@0.27.0", "", {}, "sha512-eNv+WrVbKu1f3vbYJT/xtiF5syA5HPIMtf9IgY/nKg0sWqzAUEvqY/xm7OcZc/qafLx/iO9FgOmeSAp4v5ti/Q=="],
-
-    "react-shallow-renderer/react": ["react@18.3.1", "", { "dependencies": { "loose-envify": "^1.1.0" } }, "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ=="],
-
-    "react-test-renderer/react": ["react@18.3.1", "", { "dependencies": { "loose-envify": "^1.1.0" } }, "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ=="],
-
     "read-yaml-file/js-yaml": ["js-yaml@3.14.2", "", { "dependencies": { "argparse": "^1.0.7", "esprima": "^4.0.0" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg=="],
 
     "readdir-glob/minimatch": ["minimatch@5.1.9", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw=="],
diff --git a/package.json b/package.json
index 5ab4783..f53afea 100644
--- a/package.json
+++ b/package.json
@@ -10,46 +10,99 @@
       "apps/*",
       "playground"
     ],
-"catalog": {
-      "better-sqlite3": "^11.7.0",
-      "@types/better-sqlite3": "^7.6.12",
-      "nuxt": "^4.4.4",
-      "vue": "^3.5.13",
-      "vue-router": "^5.0.4",
-      "vite": "^8.0.10",
-      "svelte": "^5.55.5",
-      "next": "^16.2.4",
-      "react": "^19.0.0",
-      "react-dom": "^19.0.0",
-      "@types/react": "^19.0.0",
-      "@types/react-dom": "^19.0.0",
-      "@sveltejs/kit": "^2.59.1",
-      "@sveltejs/vite-plugin-svelte": "^7.1.0",
-      "@sveltejs/adapter-node": "^5.5.4",
+    "catalog": {
+      "@clerk/backend": "^3.4.7",
+      "@eslint/js": "^9.17.0",
+      "@holo-js/adapter-next": "^0.1.4",
+      "@holo-js/adapter-nuxt": "^0.1.4",
+      "@holo-js/adapter-sveltekit": "^0.1.4",
+      "@holo-js/auth": "^0.1.4",
+      "@holo-js/auth-clerk": "^0.1.4",
+      "@holo-js/auth-social": "^0.1.4",
+      "@holo-js/auth-social-apple": "^0.1.4",
+      "@holo-js/auth-social-discord": "^0.1.4",
+      "@holo-js/auth-social-facebook": "^0.1.4",
+      "@holo-js/auth-social-github": "^0.1.4",
+      "@holo-js/auth-social-google": "^0.1.4",
+      "@holo-js/auth-social-linkedin": "^0.1.4",
+      "@holo-js/auth-workos": "^0.1.4",
+      "@holo-js/authorization": "^0.1.4",
+      "@holo-js/broadcast": "^0.1.4",
+      "@holo-js/cache": "^0.1.4",
+      "@holo-js/cache-db": "^0.1.4",
+      "@holo-js/cache-redis": "^0.1.4",
+      "@holo-js/cli": "^0.1.4",
+      "@holo-js/config": "^0.1.4",
+      "@holo-js/core": "^0.1.4",
+      "@holo-js/db": "^0.1.4",
+      "@holo-js/db-mysql": "^0.1.4",
+      "@holo-js/db-postgres": "^0.1.4",
+      "@holo-js/db-sqlite": "^0.1.4",
+      "@holo-js/events": "^0.1.4",
+      "@holo-js/flux": "^0.1.4",
+      "@holo-js/flux-react": "^0.1.4",
+      "@holo-js/flux-svelte": "^0.1.4",
+      "@holo-js/flux-vue": "^0.1.4",
+      "@holo-js/forms": "^0.1.4",
+      "@holo-js/mail": "^0.1.4",
+      "@holo-js/media": "^0.1.4",
+      "@holo-js/notifications": "^0.1.4",
+      "@holo-js/queue": "^0.1.4",
+      "@holo-js/queue-db": "^0.1.4",
+      "@holo-js/queue-redis": "^0.1.4",
+      "@holo-js/security": "^0.1.4",
+      "@holo-js/session": "^0.1.4",
+      "@holo-js/storage": "^0.1.4",
+      "@holo-js/storage-s3": "^0.1.4",
+      "@holo-js/validation": "^0.1.4",
       "@nuxt/kit": "^4.4.4",
       "@nuxt/module-builder": "^1.0.2",
-      "@eslint/js": "^9.17.0",
+      "@sveltejs/adapter-node": "^5.5.4",
+      "@sveltejs/kit": "^2.59.1",
+      "@sveltejs/vite-plugin-svelte": "^7.1.0",
+      "@types/better-sqlite3": "^7.6.12",
       "@types/node": "^22.10.2",
+      "@types/pg": "^8.11.0",
+      "@types/react": "^19.0.0",
+      "@types/react-dom": "^19.0.0",
+      "@types/react-test-renderer": "^19.0.0",
+      "@types/ws": "^8.18.1",
+      "@vitest/coverage-istanbul": "^4.1.5",
+      "@vitest/coverage-v8": "^4.1.5",
+      "better-sqlite3": "^11.7.0",
+      "bullmq": "^5.71.0",
+      "create-holo-js": "^0.1.4",
       "esbuild": "^0.27.4",
+      "eslint": "^9.17.0",
+      "fast-check": "^4.5.3",
       "globals": "^15.14.0",
-      "@types/pg": "^8.11.0",
+      "h3": "^1.15.11",
       "inflection": "^3.0.2",
+      "ioredis": "^5.4.2",
       "mysql2": "^3.17.1",
+      "next": "^16.2.4",
+      "nodemailer": "^6.10.1",
+      "nuxt": "^4.4.4",
       "pg": "^8.13.0",
-      "ioredis": "^5.4.2",
+      "react": "^19.0.0",
+      "react-dom": "^19.0.0",
+      "react-test-renderer": "^19.0.0",
+      "sharp": "^0.34.4",
+      "svelte": "^5.55.5",
       "tslib": "^2.8.1",
-      "typescript-eslint": "^8.30.1",
+      "tsup": "^8.3.5",
       "typescript": "^5.7.2",
-      "vue-tsc": "^2.2.0",
+      "typescript-eslint": "^8.30.1",
+      "ulid": "^3.0.1",
+      "uuid": "^12.0.0",
+      "valibot": "^1.1.0",
+      "vite": "^8.0.10",
       "vitepress": "^1.6.3",
       "vitest": "^4.1.5",
-      "@vitest/coverage-istanbul": "^4.1.5",
-      "@vitest/coverage-v8": "^4.1.5",
-      "tsup": "^8.3.5",
-      "eslint": "^9.17.0",
-      "fast-check": "^4.5.3",
-      "ulid": "^3.0.1",
-      "uuid": "^12.0.0"
+      "vue": "^3.5.13",
+      "vue-router": "^5.0.4",
+      "vue-tsc": "^2.2.0",
+      "ws": "^8.18.3"
     }
   },
   "scripts": {
@@ -77,7 +130,7 @@
     "test:example:blog-next": "bun run --cwd apps/blog-next test",
     "test:example:blog-sveltekit": "bun run --cwd apps/blog-sveltekit test",
     "test:examples": "bun run test:example:blog-nuxt && bun run test:example:blog-next && bun run test:example:blog-sveltekit",
-    "test:dependency-policy": "node --test scripts/validate-dependency-version-policy.test.mjs && node scripts/validate-dependency-version-policy.mjs",
+    "test:dependency-policy": "node --test scripts/validate-dependency-version-policy.test.mjs scripts/publish-with-resolved-catalogs.test.mjs && node scripts/validate-dependency-version-policy.mjs",
     "test:config:coverage": "rm -rf coverage/config && bun run --cwd packages/config test -- --coverage --coverage.clean=false --coverage.reportsDirectory='../../coverage/config' --coverage.include='src/**/*.ts' --coverage.exclude='src/**/types.ts'",
     "test:core:coverage": "rm -rf coverage/core && bun run --cwd packages/core test -- --coverage --coverage.clean=false --coverage.reportsDirectory='../../coverage/core' --coverage.include='src/**/*.ts' --coverage.exclude='src/**/types.ts' --coverage.exclude='src/runtime/**/*.d.ts'",
     "test:db:coverage": "rm -rf coverage/db && bun run --cwd packages/db test -- --coverage --coverage.clean=false --coverage.reportsDirectory='../../coverage/db' --coverage.include='src/**/*.ts' --coverage.exclude='src/**/types.ts' --coverage.exclude='src/migrations/templates/**' --coverage.exclude='src/drivers/index.ts' --coverage.exclude='src/drivers/SQLiteAdapter.ts' --coverage.exclude='src/drivers/PostgresAdapter.ts' --coverage.exclude='src/drivers/MySQLAdapter.ts'",
@@ -113,7 +166,7 @@
     "make:migration": "holo make:migration",
     "changeset": "changeset",
     "version-packages": "changeset version",
-    "release": "bun run build && changeset publish",
+    "release": "bun run build && node scripts/publish-with-resolved-catalogs.mjs",
     "clean": "rm -rf node_modules packages/*/node_modules apps/*/node_modules playground/node_modules packages/*/dist apps/*/dist playground/.output .nuxt apps/*/.nuxt playground/.nuxt"
   },
   "devDependencies": {
@@ -142,5 +195,13 @@
   "trustedDependencies": [
     "better-sqlite3",
     "sharp"
-  ]
+  ],
+  "dependencies": {
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "@types/react-test-renderer": "^19.1.0",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
+    "react-test-renderer": "^19.2.6"
+  }
 }
diff --git a/packages/adapter-next/package.json b/packages/adapter-next/package.json
index 2d1f977..309e6a8 100644
--- a/packages/adapter-next/package.json
+++ b/packages/adapter-next/package.json
@@ -38,13 +38,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/core": "^0.1.4"
+    "@holo-js/config": "catalog:",
+    "@holo-js/core": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/forms": "^0.1.4",
-    "next": "^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0",
-    "react": "^18.3.1 || ^19.0.0"
+    "@holo-js/forms": "catalog:",
+    "next": "catalog:",
+    "react": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/forms": {
@@ -52,10 +52,10 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
+    "@types/node": "catalog:",
     "next": "catalog:",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/adapter-next/src/config.ts b/packages/adapter-next/src/config.ts
index 12c50a9..d2643dc 100644
--- a/packages/adapter-next/src/config.ts
+++ b/packages/adapter-next/src/config.ts
@@ -1,5 +1,5 @@
-import { existsSync, readFileSync } from 'node:fs'
-import { resolve } from 'node:path'
+import { readFileSync } from 'node:fs'
+import { join } from 'node:path'
 
 const HOLO_SERVER_EXTERNAL_PACKAGES = [
   '@holo-js/core',
@@ -39,12 +39,16 @@ const HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES = [
   '@holo-js/validation',
 ] as const
 
-interface PackageJson {
-  readonly dependencies?: Readonly<Record<string, string>>
-  readonly devDependencies?: Readonly<Record<string, string>>
-  readonly peerDependencies?: Readonly<Record<string, string>>
-  readonly optionalDependencies?: Readonly<Record<string, string>>
-}
+type PackageDependencyField = 'dependencies' | 'devDependencies' | 'optionalDependencies' | 'peerDependencies'
+type PackageDependencyMap = Readonly<Record<string, string>>
+type PackageManifest = Partial<Record<PackageDependencyField, PackageDependencyMap>>
+
+const PACKAGE_DEPENDENCY_FIELDS = [
+  'dependencies',
+  'devDependencies',
+  'optionalDependencies',
+  'peerDependencies',
+] as const satisfies readonly PackageDependencyField[]
 
 interface TurbopackIgnoreIssueRule {
   readonly path: string | RegExp
@@ -64,60 +68,45 @@ interface NextConfig {
   readonly [key: string]: unknown
 }
 
-function isStringRecord(value: unknown): value is Readonly<Record<string, string>> {
-  if (!value || typeof value !== 'object' || Array.isArray(value)) {
-    return false
-  }
-
-  return Object.values(value).every(entry => typeof entry === 'string')
+function isPackageDependencyMap(value: unknown): value is PackageDependencyMap {
+  return value !== null
+    && typeof value === 'object'
+    && Object.values(value).every(dependency => typeof dependency === 'string')
 }
 
-function readPackageJson(projectRoot: string): PackageJson | undefined {
-  const packageJsonPath = resolve(projectRoot, 'package.json')
-  if (!existsSync(packageJsonPath)) {
-    return undefined
-  }
-
-  let parsed: unknown
+function readProjectPackageManifest(): PackageManifest | null {
   try {
-    parsed = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as unknown
-  } catch {
-    return undefined
-  }
-
-  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
-    return undefined
-  }
+    const parsed = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8')) as unknown
+    if (!parsed || typeof parsed !== 'object') {
+      return null
+    }
+
+    const manifest: PackageManifest = {}
+    for (const field of PACKAGE_DEPENDENCY_FIELDS) {
+      const dependencies = (parsed as Partial<Record<PackageDependencyField, unknown>>)[field]
+      if (isPackageDependencyMap(dependencies)) {
+        manifest[field] = dependencies
+      }
+    }
 
-  return {
-    ...('dependencies' in parsed && isStringRecord(parsed.dependencies) ? { dependencies: parsed.dependencies } : {}),
-    ...('devDependencies' in parsed && isStringRecord(parsed.devDependencies) ? { devDependencies: parsed.devDependencies } : {}),
-    ...('peerDependencies' in parsed && isStringRecord(parsed.peerDependencies) ? { peerDependencies: parsed.peerDependencies } : {}),
-    ...('optionalDependencies' in parsed && isStringRecord(parsed.optionalDependencies) ? { optionalDependencies: parsed.optionalDependencies } : {}),
+    return manifest
+  } catch {
+    return null
   }
 }
 
-function hasPackage(packageJson: PackageJson, packageName: string): boolean {
-  return packageJson.dependencies?.[packageName] !== undefined
-    || packageJson.devDependencies?.[packageName] !== undefined
-    || packageJson.peerDependencies?.[packageName] !== undefined
-    || packageJson.optionalDependencies?.[packageName] !== undefined
-}
-
-function resolveInstalledOptionalServerExternalPackages(projectRoot: string): readonly string[] {
-  const packageJson = readPackageJson(projectRoot)
-  if (!packageJson) {
-    return []
-  }
-
-  return HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES.filter(packageName => hasPackage(packageJson, packageName))
+function isOptionalServerExternalPackageInstalled(packageName: string, manifest: PackageManifest | null): boolean {
+  return PACKAGE_DEPENDENCY_FIELDS.some(field => Boolean(manifest?.[field]?.[packageName]))
 }
 
 export function withHolo<TConfig extends NextConfig>(nextConfig: TConfig = {} as TConfig): TConfig {
   const existingExternal = nextConfig.serverExternalPackages ?? []
-  const optionalExternal = resolveInstalledOptionalServerExternalPackages(process.cwd())
+  const packageManifest = readProjectPackageManifest()
+  const installedOptionalExternal = HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES.filter(packageName => (
+    isOptionalServerExternalPackageInstalled(packageName, packageManifest)
+  ))
   const mergedExternal = [
-    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...optionalExternal, ...existingExternal]),
+    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...installedOptionalExternal, ...existingExternal]),
   ]
 
   const existingExcludes = nextConfig.outputFileTracingExcludes ?? {}
diff --git a/packages/adapter-next/src/runtime.ts b/packages/adapter-next/src/runtime.ts
index 1c27f26..7d8b403 100644
--- a/packages/adapter-next/src/runtime.ts
+++ b/packages/adapter-next/src/runtime.ts
@@ -29,6 +29,10 @@ type MutableNextCookieStore = {
   set(name: string, value: string, options?: ResponseCookieOptions): void
 }
 
+type NextNavigationModule = {
+  readonly redirect: (url: string) => never
+}
+
 function safeDecodeCookieSegment(value: string): string {
   try {
     return decodeURIComponent(value)
@@ -129,6 +133,10 @@ function resolveNextAuthRequestAccessors(): NonNullable<CreateHoloOptions['authR
       const store = await cookies() as unknown as MutableNextCookieStore
       store.set(parsed.name, parsed.value, parsed.options)
     },
+    async redirectResponse(url: string) {
+      const { redirect } = await import('next/navigation') as NextNavigationModule
+      redirect(url)
+    },
   }
 }
 
diff --git a/packages/adapter-next/tests/adapter.test.ts b/packages/adapter-next/tests/adapter.test.ts
index fe6e916..bf6a115 100644
--- a/packages/adapter-next/tests/adapter.test.ts
+++ b/packages/adapter-next/tests/adapter.test.ts
@@ -173,14 +173,16 @@ export default defineConfig({
     expect(resolved.runtime.renderView).toBe(renderView)
   })
 
-  it('externalizes installed optional Holo server packages', async () => {
+  it('externalizes only installed optional Holo server packages', async () => {
     const root = await createProject()
     await writeFile(join(root, 'package.json'), JSON.stringify({
       dependencies: {
         '@holo-js/auth': 'workspace:*',
-        '@holo-js/auth-social': 'workspace:*',
         '@holo-js/auth-social-google': 'workspace:*',
       },
+      peerDependencies: {
+        '@holo-js/auth-social': 'workspace:*',
+      },
     }), 'utf8')
 
     const previousCwd = process.cwd()
@@ -205,7 +207,7 @@ export default defineConfig({
     }
   })
 
-  it('ignores optional externals when package.json cannot be parsed', async () => {
+  it('skips optional Holo packages when package.json cannot be parsed', async () => {
     const root = await createProject()
     await writeFile(join(root, 'package.json'), '{', 'utf8')
 
diff --git a/packages/adapter-nuxt/package.json b/packages/adapter-nuxt/package.json
index aa1dadd..4201237 100644
--- a/packages/adapter-nuxt/package.json
+++ b/packages/adapter-nuxt/package.json
@@ -35,14 +35,15 @@
   },
   "dependencies": {
     "@nuxt/kit": "catalog:",
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/core": "^0.1.4",
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/config": "catalog:",
+    "@holo-js/core": "catalog:",
+    "@holo-js/db": "catalog:",
+    "h3": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/forms": "^0.1.4",
-    "@holo-js/storage": "^0.1.4",
-    "@holo-js/storage-s3": "^0.1.4"
+    "@holo-js/forms": "catalog:",
+    "@holo-js/storage": "catalog:",
+    "@holo-js/storage-s3": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/forms": {
@@ -56,11 +57,11 @@
     }
   },
   "devDependencies": {
-    "@holo-js/storage-s3": "workspace:*",
-    "@nuxt/module-builder": "^1.0.2",
-    "@types/node": "^22.10.2",
+    "@holo-js/storage-s3": "catalog:",
+    "@nuxt/module-builder": "catalog:",
+    "@types/node": "catalog:",
     "nuxt": "catalog:",
-    "typescript": "^5.7.2",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/adapter-nuxt/src/runtime/composables/index.ts b/packages/adapter-nuxt/src/runtime/composables/index.ts
index 6fc3c06..ef7bb2a 100644
--- a/packages/adapter-nuxt/src/runtime/composables/index.ts
+++ b/packages/adapter-nuxt/src/runtime/composables/index.ts
@@ -40,6 +40,14 @@ type NitroContextModule = {
   readonly useEvent: () => NuxtAuthRequestEvent | undefined
 }
 
+type H3RedirectModule = {
+  readonly sendRedirect: (
+    event: NuxtAuthRequestEvent,
+    location: string,
+    code?: 301 | 302 | 303 | 307 | 308,
+  ) => Promise<void>
+}
+
 export function configureHoloRuntimeConfig(config: RuntimeConfigShape): void {
   const runtimeGlobals = globalThis as RuntimeGlobals
   runtimeGlobals.__holoRuntimeConfig = config
@@ -178,10 +186,22 @@ export function createNuxtAuthRequestAccessors() {
     await appendCookie(cookie)
   }
 
+  const redirectResponse: NonNullable<CreateHoloOptions['authRequest']>['redirectResponse'] = async (url, status) => {
+    const nitroContext = await loadNitroContextModule()
+    const event = nitroContext.useEvent()
+    if (!event) {
+      throw new TypeError('Holo Nuxt auth redirect requires an active Nitro event.')
+    }
+
+    const { sendRedirect } = await import('h3') as unknown as H3RedirectModule
+    await sendRedirect(event, url, status)
+  }
+
   return {
     getCookie: getCookieValue,
     getHeader: getHeaderValue,
     appendResponseCookie,
+    redirectResponse,
   } satisfies NonNullable<CreateHoloOptions['authRequest']>
 }
 
diff --git a/packages/adapter-sveltekit/package.json b/packages/adapter-sveltekit/package.json
index 32284a0..a597b4b 100644
--- a/packages/adapter-sveltekit/package.json
+++ b/packages/adapter-sveltekit/package.json
@@ -33,12 +33,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/core": "^0.1.4",
+    "@holo-js/config": "catalog:",
+    "@holo-js/core": "catalog:",
     "svelte": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/forms": "^0.1.4"
+    "@holo-js/forms": "catalog:",
+    "@sveltejs/kit": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/forms": {
@@ -46,9 +47,10 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@sveltejs/kit": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/adapter-sveltekit/src/index.ts b/packages/adapter-sveltekit/src/index.ts
index 7eead71..f1f1665 100644
--- a/packages/adapter-sveltekit/src/index.ts
+++ b/packages/adapter-sveltekit/src/index.ts
@@ -45,6 +45,12 @@ type SvelteKitRuntimeGlobal = typeof globalThis & {
   __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitRequestEvent>
 }
 
+type SvelteKitModule = {
+  readonly redirect: (status: SvelteKitRedirectStatus, location: string) => never
+}
+
+type SvelteKitRedirectStatus = 301 | 302 | 303 | 307 | 308
+
 // Shared AsyncLocalStorage contract with packages/auth/src/sveltekit/server.ts:
 // keep this exact global key and compatible AsyncLocalStorage<SvelteKitRequestEvent>
 // / AsyncLocalStorage<SvelteKitStoredRequestEvent> value types in sync.
@@ -150,6 +156,10 @@ function resolveSvelteKitAuthRequestAccessors(): NonNullable<SvelteKitHoloOption
 
       event.cookies.set(parsed.name, parsed.value, parsed.options)
     },
+    async redirectResponse(url: string, status: SvelteKitRedirectStatus = 307) {
+      const { redirect } = await import('@sveltejs/kit') as SvelteKitModule
+      redirect(status, url)
+    },
   }
 }
 
diff --git a/packages/auth-clerk/package.json b/packages/auth-clerk/package.json
index 5c89fb0..890749f 100644
--- a/packages/auth-clerk/package.json
+++ b/packages/auth-clerk/package.json
@@ -23,14 +23,15 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth": "workspace:*",
-    "@holo-js/config": "workspace:*",
-    "@holo-js/session": "workspace:*"
+    "@clerk/backend": "catalog:",
+    "@holo-js/auth": "catalog:",
+    "@holo-js/config": "catalog:",
+    "@holo-js/session": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-clerk/src/contracts.ts b/packages/auth-clerk/src/contracts.ts
index fec7248..50f3461 100644
--- a/packages/auth-clerk/src/contracts.ts
+++ b/packages/auth-clerk/src/contracts.ts
@@ -1,4 +1,4 @@
-import type { AuthEstablishedSession, AuthUserLike } from '@holo-js/auth'
+import type { AuthEstablishedSession, AuthLogoutResult, AuthUserLike } from '@holo-js/auth'
 import type { AuthClerkProviderConfig } from '@holo-js/config'
 
 export interface ClerkEmailAddress {
@@ -9,17 +9,29 @@ export interface ClerkEmailAddress {
 
 export interface ClerkUserProfile {
   readonly id: string
-  readonly email?: string
-  readonly emailVerified?: boolean
+  readonly email: string
+  readonly emailVerified: boolean
   readonly firstName?: string
   readonly lastName?: string
-  readonly name?: string
+  readonly name: string
   readonly imageUrl?: string
   readonly primaryEmailAddressId?: string
   readonly emailAddresses?: readonly ClerkEmailAddress[]
   readonly raw?: unknown
 }
 
+export type ClerkUserAttributeValue =
+  | string
+  | number
+  | boolean
+  | Date
+  | null
+  | undefined
+  | readonly ClerkUserAttributeValue[]
+  | { readonly [key: string]: ClerkUserAttributeValue }
+
+export type ClerkUserAttributes = Readonly<Record<string, ClerkUserAttributeValue>>
+
 export interface ClerkVerifiedSession {
   readonly sessionId: string
   readonly user: ClerkUserProfile
@@ -31,6 +43,77 @@ export interface ClerkVerifiedSession {
   readonly raw?: unknown
 }
 
+export interface ClerkLogoutSession {
+  readonly provider: string
+  readonly sessionId: string
+}
+
+export type ClerkCompleteAuthResult<TUser extends Readonly<Record<string, unknown>> = Readonly<Record<string, unknown>>> =
+  | Readonly<{
+    readonly ok: true
+    readonly provider: string
+    readonly guard: string
+    readonly authProvider: string
+    readonly status: ClerkSyncStatus
+    readonly user: AuthUserLike & TUser
+    readonly identity: HostedIdentityRecord
+    readonly session: ClerkVerifiedSession
+    readonly authSession?: AuthEstablishedSession
+  }>
+  | Readonly<{
+    readonly ok: false
+    readonly code: string
+    readonly message: string
+  }>
+
+export type ClerkRequestHeaders =
+  | Headers
+  | ReadonlyArray<readonly [string, string]>
+  | Record<string, string | readonly string[] | undefined>
+  | {
+    readonly get?: (name: string) => string | null | undefined
+    readonly forEach?: (callback: (value: string, key: string) => void) => void
+    readonly entries?: () => Iterable<readonly [string, string]>
+  }
+
+export type ClerkRequestLike = {
+  readonly method?: string
+  readonly path?: string
+  readonly url?: string | URL
+  readonly headers?: ClerkRequestHeaders
+  readonly request?: Request
+  readonly req?: Request | {
+    readonly method?: string
+    readonly url?: string
+    readonly headers?: ClerkRequestHeaders
+  }
+  readonly node?: {
+    readonly req?: {
+      readonly method?: string
+      readonly url?: string
+      readonly headers?: ClerkRequestHeaders
+    }
+  }
+  readonly web?: {
+    readonly request?: Request
+  }
+}
+
+export type ClerkRequestInput = Request | ClerkRequestLike
+
+export type ClerkLogoutResult =
+  | Readonly<{
+    readonly ok: true
+    readonly url: string
+    readonly local: AuthLogoutResult
+  }>
+  | Readonly<{
+    readonly ok: false
+    readonly code: 'clerk_logout_failed' | 'clerk_session_missing'
+    readonly message: string
+    readonly local?: AuthLogoutResult
+  }>
+
 export interface ClerkVerifyRequestContext {
   readonly provider: string
   readonly request: Request
@@ -69,12 +152,12 @@ export interface HostedIdentityStore {
 
 export type ClerkSyncStatus = 'created' | 'updated' | 'linked' | 'relinked'
 
-export interface ClerkAuthenticationResult {
+export interface ClerkAuthenticationResult<TUser extends Readonly<Record<string, unknown>> = Readonly<Record<string, unknown>>> {
   readonly provider: string
   readonly guard: string
   readonly authProvider: string
   readonly status: ClerkSyncStatus
-  readonly user: AuthUserLike
+  readonly user: AuthUserLike & TUser
   readonly identity: HostedIdentityRecord
   readonly session: ClerkVerifiedSession
   readonly authSession?: AuthEstablishedSession
@@ -91,7 +174,17 @@ export interface ConfigureClerkAuthRuntimeOptions {
 }
 
 export interface ClerkAuthFacade {
-  verifyRequest(request: Request, provider?: string): Promise<ClerkVerifiedSession | null>
+  loginWithClerk(request: ClerkRequestInput, options?: { readonly provider?: string }): Promise<Response>
+  registerWithClerk(request: ClerkRequestInput, options?: { readonly provider?: string }): Promise<Response>
+  logoutWithClerk(request: ClerkRequestInput, options?: { readonly provider?: string, readonly returnTo?: string }): Promise<ClerkLogoutResult>
+  completeClerkAuth<TUserAttributes extends ClerkUserAttributes = ClerkUserAttributes>(
+    request: ClerkRequestInput,
+    options?: {
+      readonly provider?: string
+      readonly user?: (clerkUser: ClerkUserProfile) => TUserAttributes
+    },
+  ): Promise<ClerkCompleteAuthResult<TUserAttributes>>
+  verifyRequest(request: ClerkRequestInput, provider?: string): Promise<ClerkVerifiedSession | null>
   verifySession(token: string, provider?: string): Promise<ClerkVerifiedSession | null>
   syncIdentity(session: ClerkVerifiedSession, provider?: string): Promise<ClerkAuthenticationResult>
   authenticate(request: Request, provider?: string): Promise<ClerkAuthenticationResult | null>
diff --git a/packages/auth-clerk/src/index.ts b/packages/auth-clerk/src/index.ts
index 1a5d953..52431bf 100644
--- a/packages/auth-clerk/src/index.ts
+++ b/packages/auth-clerk/src/index.ts
@@ -1,7 +1,7 @@
-import { authRuntimeInternals } from '@holo-js/auth'
+import { authRuntimeInternals, getAuthRuntime } from '@holo-js/auth'
 import type { AuthEstablishedSession, AuthUserLike } from '@holo-js/auth'
 import { parseCookieHeader } from '@holo-js/session'
-import type { AuthClerkProviderConfig } from '@holo-js/config'
+import type { AuthClerkProviderConfig, NormalizedAuthClerkProviderConfig } from '@holo-js/config'
 export {
   ClerkAuthConflictError,
 } from './contracts'
@@ -9,9 +9,17 @@ export type {
   ClerkAuthBindings,
   ClerkAuthFacade,
   ClerkAuthenticationResult,
+  ClerkCompleteAuthResult,
   ClerkEmailAddress,
+  ClerkLogoutResult,
+  ClerkLogoutSession,
   ClerkProviderRuntime,
+  ClerkRequestHeaders,
+  ClerkRequestInput,
+  ClerkRequestLike,
   ClerkSyncStatus,
+  ClerkUserAttributes,
+  ClerkUserAttributeValue,
   ClerkUserProfile,
   ClerkVerifiedSession,
   ClerkVerifyRequestContext,
@@ -24,8 +32,15 @@ import {
   ClerkAuthConflictError,
   type ClerkAuthBindings,
   type ClerkAuthenticationResult,
+  type ClerkCompleteAuthResult,
   type ClerkEmailAddress,
+  type ClerkLogoutResult,
+  type ClerkLogoutSession,
   type ClerkProviderRuntime,
+  type ClerkRequestHeaders,
+  type ClerkRequestInput,
+  type ClerkRequestLike,
+  type ClerkUserAttributes,
   type ClerkUserProfile,
   type ClerkVerifiedSession,
   type ClerkVerifySessionContext,
@@ -39,20 +54,192 @@ import {
   resolveClerkJwksUrl,
   type JwkKey,
   verifyJwtSignatureWithJwk,
-  verifyJwtSignatureWithPem,
 } from './jwt'
 
 type RuntimeAuthProviderAdapter = ReturnType<typeof authRuntimeInternals.getRuntimeBindings>['providers'][string]
 
-let clerkBindings: ConfigureClerkAuthRuntimeOptions | undefined
+type ClerkDefaultUserAttributes = {
+  readonly email: string
+  readonly name: string
+}
+
+type CompleteClerkAuthOptions<TUserAttributes extends ClerkUserAttributes = ClerkDefaultUserAttributes> = {
+  readonly provider?: string
+  readonly user?: (clerkUser: ClerkUserProfile) => TUserAttributes
+}
+
+type SerializedClerkAuthUser = AuthUserLike & {
+  readonly id: string | number
+}
+
+type ClerkSessionPayload = {
+  readonly guard: string
+  readonly provider: string
+  readonly userId: string | number
+  readonly user: SerializedClerkAuthUser
+  readonly clerk: ClerkLogoutSession
+}
+
+interface ClerkRuntimeState {
+  bindings?: ConfigureClerkAuthRuntimeOptions
+}
+
+const CLERK_RUNTIME_STATE_KEY = '__holoJsAuthClerkRuntime'
+
+type ClerkRuntimeStateHost = {
+  [CLERK_RUNTIME_STATE_KEY]?: ClerkRuntimeState
+}
+
 const clerkDefaultProviderRuntimeCache = new Map<string, ClerkProviderRuntime>()
 const AUTH_PROVIDER_MARKER = Symbol.for('holo-js.auth.provider')
 
+function getRuntimeState(): ClerkRuntimeState {
+  const runtimeGlobal = globalThis as typeof globalThis & {
+    readonly process?: ClerkRuntimeStateHost
+  } & ClerkRuntimeStateHost
+  const runtimeHost: ClerkRuntimeStateHost = runtimeGlobal.process ?? runtimeGlobal
+
+  if (!runtimeHost[CLERK_RUNTIME_STATE_KEY]) {
+    Object.defineProperty(runtimeHost, CLERK_RUNTIME_STATE_KEY, {
+      value: {},
+      enumerable: false,
+      configurable: true,
+      writable: true,
+    })
+  }
+
+  return runtimeHost[CLERK_RUNTIME_STATE_KEY]!
+}
+
 function throwUnconfigured(): never {
   throw new Error('[@holo-js/auth-clerk] Clerk auth runtime is not configured yet.')
 }
 
+function isPlainHeaderRecord(value: unknown): value is Record<string, string | readonly string[] | undefined> {
+  return Boolean(value) && typeof value === 'object' && Object.getPrototypeOf(value) === Object.prototype
+}
+
+function appendKnownHeaders(headers: Headers, input: { readonly get?: (name: string) => string | null | undefined }): void {
+  for (const name of ['authorization', 'cookie', 'host', 'x-forwarded-host', 'x-forwarded-proto']) {
+    const value = input.get?.(name)
+    if (typeof value === 'string' && value) {
+      headers.set(name, value)
+    }
+  }
+}
+
+function hasHeaderForEach(input: ClerkRequestHeaders): input is { readonly forEach: (callback: (value: string, key: string) => void) => void } {
+  return !Array.isArray(input) && 'forEach' in input && typeof input.forEach === 'function'
+}
+
+function hasHeaderEntries(input: ClerkRequestHeaders): input is { readonly entries: () => Iterable<readonly [string, string]> } {
+  return !Array.isArray(input) && 'entries' in input && typeof input.entries === 'function'
+}
+
+function hasHeaderGet(input: ClerkRequestHeaders): input is { readonly get: (name: string) => string | null | undefined } {
+  return !Array.isArray(input) && 'get' in input && typeof input.get === 'function'
+}
+
+function normalizeRequestHeaders(input: ClerkRequestHeaders | undefined): Headers {
+  const headers = new Headers()
+  if (!input) {
+    return headers
+  }
+
+  if (input instanceof Headers || Array.isArray(input)) {
+    new Headers(input).forEach((value, name) => headers.append(name, value))
+    return headers
+  }
+
+  if (hasHeaderForEach(input)) {
+    input.forEach((value, name) => headers.append(name, value))
+    return headers
+  }
+
+  if (hasHeaderEntries(input)) {
+    for (const [name, value] of input.entries()) {
+      headers.append(name, value)
+    }
+    return headers
+  }
+
+  if (hasHeaderGet(input)) {
+    appendKnownHeaders(headers, input)
+    return headers
+  }
+
+  if (isPlainHeaderRecord(input)) {
+    for (const [name, value] of Object.entries(input)) {
+      if (typeof value === 'string') {
+        headers.append(name, value)
+        continue
+      }
+
+      if (Array.isArray(value)) {
+        const separator = name.toLowerCase() === 'cookie' ? '; ' : ','
+        const joined = value.filter((entry): entry is string => typeof entry === 'string').join(separator)
+        if (joined) {
+          headers.append(name, joined)
+        }
+      }
+    }
+  }
+
+  return headers
+}
+
+function getRequestFromLikeInput(input: ClerkRequestLike): Request | undefined {
+  return input.request ?? input.web?.request ?? (input.req instanceof Request ? input.req : undefined)
+}
+
+function getRequestLikeHeaders(input: ClerkRequestLike) {
+  return input.headers
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.headers : undefined)
+    ?? input.node?.req?.headers
+}
+
+function getRequestLikeMethod(input: ClerkRequestLike): string {
+  return input.method
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.method : undefined)
+    ?? input.node?.req?.method
+    ?? 'GET'
+}
+
+function getRequestLikeUrl(input: ClerkRequestLike, headers: Headers): string {
+  const url = (typeof input.url === 'string' ? input.url : input.url?.toString())
+    ?? (typeof input.req === 'object' && !(input.req instanceof Request) ? input.req.url : undefined)
+    ?? input.node?.req?.url
+    ?? input.path
+    ?? '/'
+
+  try {
+    return new URL(url).toString()
+  } catch {
+    const protocol = headers.get('x-forwarded-proto') ?? 'http'
+    const host = headers.get('x-forwarded-host') ?? headers.get('host') ?? 'localhost'
+    return new URL(url, `${protocol}://${host}`).toString()
+  }
+}
+
+function normalizeClerkRequest(input: ClerkRequestInput): Request {
+  if (input instanceof Request) {
+    return input
+  }
+
+  const request = getRequestFromLikeInput(input)
+  if (request) {
+    return request
+  }
+
+  const headers = normalizeRequestHeaders(getRequestLikeHeaders(input))
+  return new Request(getRequestLikeUrl(input, headers), {
+    method: getRequestLikeMethod(input),
+    headers,
+  })
+}
+
 function getBindings(): ClerkAuthBindings {
+  const clerkBindings = getRuntimeState().bindings
   if (!clerkBindings?.identityStore) {
     throwUnconfigured()
   }
@@ -69,36 +256,21 @@ async function verifyClerkSessionToken(
   authorizedParties: readonly string[] = [],
 ): Promise<Readonly<Record<string, unknown>>> {
   const parsed = parseJwt(token)
-  const verified = (() => {
-    const pem = config.jwtKey?.trim()
-    if (pem) {
-      return verifyJwtSignatureWithPem(parsed, pem)
-    }
-
-    return undefined
-  })()
-
-  if (verified === false) {
-    throw new Error('[@holo-js/auth-clerk] Clerk token signature verification failed.')
+  const headerKid = typeof parsed.header.kid === 'string' ? parsed.header.kid : undefined
+  const jwksUrl = resolveClerkJwksUrl(config)
+  const resolveKey = async (refresh = false): Promise<JwkKey | undefined> => {
+    const keys = await fetchClerkJwks(jwksUrl, { refresh })
+    return headerKid
+      ? keys.find(candidate => candidate.kid === headerKid)
+      : keys[0]
   }
 
-  if (typeof verified === 'undefined') {
-    const headerKid = typeof parsed.header.kid === 'string' ? parsed.header.kid : undefined
-    const jwksUrl = resolveClerkJwksUrl(config)
-    const resolveKey = async (refresh = false): Promise<JwkKey | undefined> => {
-      const keys = await fetchClerkJwks(jwksUrl, { refresh })
-      return headerKid
-        ? keys.find(candidate => candidate.kid === headerKid)
-        : keys[0]
-    }
-
-    let key = await resolveKey()
-    if (!key || !verifyJwtSignatureWithJwk(parsed, key)) {
-      key = await resolveKey(true)
-    }
-    if (!key || !verifyJwtSignatureWithJwk(parsed, key)) {
-      throw new Error('[@holo-js/auth-clerk] Clerk token signature verification failed.')
-    }
+  let key = await resolveKey()
+  if (!key || !verifyJwtSignatureWithJwk(parsed, key)) {
+    key = await resolveKey(true)
+  }
+  if (!key || !verifyJwtSignatureWithJwk(parsed, key)) {
+    throw new Error('[@holo-js/auth-clerk] Clerk token signature verification failed.')
   }
 
   const exp = typeof parsed.payload.exp === 'number' ? parsed.payload.exp : undefined
@@ -145,36 +317,56 @@ function normalizeClerkEmailAddress(value: Readonly<Record<string, unknown>>): C
 }
 
 function normalizeClerkUserProfile(user: Readonly<Record<string, unknown>>): ClerkUserProfile {
+  const emailAddresses = Array.isArray(user.emailAddresses)
+    ? user.emailAddresses.map(entry => normalizeClerkEmailAddress(entry as Readonly<Record<string, unknown>>))
+    : Array.isArray(user.email_addresses)
+      ? user.email_addresses.map(entry => normalizeClerkEmailAddress(entry as Readonly<Record<string, unknown>>))
+      : undefined
+  const primaryEmailAddressId = typeof user.primaryEmailAddressId === 'string'
+    ? user.primaryEmailAddressId
+    : typeof user.primary_email_address_id === 'string'
+      ? user.primary_email_address_id
+      : undefined
+  const email = typeof user.email === 'string' && user.email.trim()
+    ? user.email.trim()
+    : (
+        emailAddresses?.find((entry) => entry.id === primaryEmailAddressId)
+        ?? emailAddresses?.[0]
+      )?.emailAddress.trim()
+      ?? ''
+  const emailVerified = user.emailVerified === true
+    || user.email_verified === true
+    || (
+      emailAddresses?.find((entry) => entry.id === primaryEmailAddressId)
+      ?? emailAddresses?.[0]
+    )?.verificationStatus === 'verified'
+  const firstName = typeof user.firstName === 'string'
+    ? user.firstName
+    : typeof user.first_name === 'string'
+      ? user.first_name
+      : undefined
+  const lastName = typeof user.lastName === 'string'
+    ? user.lastName
+    : typeof user.last_name === 'string'
+      ? user.last_name
+      : undefined
+  const explicitName = typeof user.name === 'string' ? user.name.trim() : ''
+  const name = explicitName || [firstName?.trim(), lastName?.trim()].filter(Boolean).join(' ').trim()
+
   return Object.freeze({
     id: String(user.id ?? ''),
-    email: typeof user.email === 'string' ? user.email : undefined,
-    emailVerified: user.emailVerified === true || user.email_verified === true,
-    firstName: typeof user.firstName === 'string'
-      ? user.firstName
-      : typeof user.first_name === 'string'
-        ? user.first_name
-        : undefined,
-    lastName: typeof user.lastName === 'string'
-      ? user.lastName
-      : typeof user.last_name === 'string'
-        ? user.last_name
-        : undefined,
-    name: typeof user.name === 'string' ? user.name : undefined,
+    email,
+    emailVerified,
+    firstName,
+    lastName,
+    name: name || email || String(user.id ?? ''),
     imageUrl: typeof user.imageUrl === 'string'
       ? user.imageUrl
       : typeof user.image_url === 'string'
         ? user.image_url
         : undefined,
-    primaryEmailAddressId: typeof user.primaryEmailAddressId === 'string'
-      ? user.primaryEmailAddressId
-      : typeof user.primary_email_address_id === 'string'
-        ? user.primary_email_address_id
-        : undefined,
-    emailAddresses: Array.isArray(user.emailAddresses)
-      ? user.emailAddresses.map(entry => normalizeClerkEmailAddress(entry as Readonly<Record<string, unknown>>))
-      : Array.isArray(user.email_addresses)
-        ? user.email_addresses.map(entry => normalizeClerkEmailAddress(entry as Readonly<Record<string, unknown>>))
-        : undefined,
+    primaryEmailAddressId,
+    emailAddresses,
     raw: user,
   })
 }
@@ -207,7 +399,6 @@ function createDefaultProviderRuntime(providerName: string, config: AuthClerkPro
     providerName,
     config.apiUrl ?? '',
     config.frontendApi ?? '',
-    config.jwtKey ?? '',
     config.secretKey ?? '',
     [...(config.authorizedParties ?? [])].sort(),
   ])
@@ -254,7 +445,18 @@ function resolveConfiguredProviderName(provider?: string): string {
     return provider.trim()
   }
 
-  const configuredProviders = Object.keys(bindings.config.clerk)
+  const configuredDefaultProvider = typeof bindings.config.clerk.provider === 'string'
+    ? bindings.config.clerk.provider.trim()
+    : ''
+  if (configuredDefaultProvider) {
+    return configuredDefaultProvider
+  }
+
+  const configuredProviders = Object.entries(bindings.config.clerk).flatMap(([name, value]) => (
+    name !== 'provider' && typeof value === 'object' && value !== null
+      ? [name]
+      : []
+  ))
   if (configuredProviders.length === 0) {
     return 'default'
   }
@@ -272,20 +474,11 @@ function resolveConfiguredProviderName(provider?: string): string {
 
 function getConfiguredProviderConfig(provider?: string): {
   readonly name: string
-  readonly publishableKey?: string
-  readonly secretKey?: string
-  readonly jwtKey?: string
-  readonly apiUrl?: string
-  readonly frontendApi?: string
-  readonly sessionCookie: string
-  readonly authorizedParties: readonly string[]
-  readonly guard?: string
-  readonly mapToProvider?: string
-} {
+} & NormalizedAuthClerkProviderConfig {
   const providerName = resolveConfiguredProviderName(provider)
   const authBindings = authRuntimeInternals.getRuntimeBindings()
   const configured = authBindings.config.clerk[providerName]
-  if (!configured) {
+  if (!configured || typeof configured !== 'object') {
     throw new Error(`[@holo-js/auth-clerk] Clerk provider "${providerName}" is not configured in auth.clerk.`)
   }
 
@@ -293,9 +486,9 @@ function getConfiguredProviderConfig(provider?: string): {
     name: providerName,
     publishableKey: configured.publishableKey,
     secretKey: configured.secretKey,
-    jwtKey: configured.jwtKey,
     apiUrl: configured.apiUrl,
     frontendApi: configured.frontendApi,
+    redirectUri: configured.redirectUri,
     sessionCookie: configured.sessionCookie,
     authorizedParties: configured.authorizedParties ?? [],
     guard: configured.guard,
@@ -309,6 +502,88 @@ function getProviderRuntime(provider?: string): ClerkProviderRuntime {
     ?? createDefaultProviderRuntime(providerName, getConfiguredProviderConfig(providerName))
 }
 
+function requireClerkHostedConfig(config: NormalizedAuthClerkProviderConfig): {
+  readonly frontendApi: string
+  readonly redirectUri: string
+} {
+  const frontendApi = config.frontendApi?.trim()
+  const redirectUri = config.redirectUri?.trim()
+  if (!frontendApi) {
+    throw new Error('[@holo-js/auth-clerk] Clerk hosted auth requires frontendApi to be configured.')
+  }
+  if (!redirectUri) {
+    throw new Error('[@holo-js/auth-clerk] Clerk hosted auth requires redirectUri to be configured.')
+  }
+
+  return { frontendApi, redirectUri }
+}
+
+function resolveClerkAccountPortalUrl(frontendApi: string): string {
+  const url = new URL(frontendApi)
+  if (url.hostname.endsWith('.clerk.accounts.dev')) {
+    url.hostname = `${url.hostname.slice(0, -'.clerk.accounts.dev'.length)}.accounts.dev`
+  } else if (url.hostname.startsWith('clerk.')) {
+    url.hostname = `accounts.${url.hostname.slice('clerk.'.length)}`
+  }
+  url.pathname = '/'
+  url.search = ''
+  url.hash = ''
+
+  return url.toString()
+}
+
+function createAuthorizationUrl(config: NormalizedAuthClerkProviderConfig, page: 'sign-in' | 'sign-up'): string {
+  const { frontendApi, redirectUri } = requireClerkHostedConfig(config)
+  const portalBaseUrl = resolveClerkAccountPortalUrl(frontendApi)
+  const url = new URL(page, portalBaseUrl)
+  url.searchParams.set('redirect_url', redirectUri)
+
+  return url.toString()
+}
+
+function createClerkReturnUrl(request: Request, returnTo?: string): string {
+  const requestUrl = new URL(request.url)
+  const safeDefault = new URL('/', requestUrl).toString()
+  const trimmed = returnTo?.trim()
+  if (!trimmed || hasControlCharacter(trimmed)) {
+    return safeDefault
+  }
+
+  try {
+    const parsed = new URL(trimmed, requestUrl)
+    const isRelativePath = trimmed.startsWith('/') && !trimmed.startsWith('//')
+    const isAbsoluteUrl = /^[a-z][a-z\d+.-]*:/iu.test(trimmed)
+    if (parsed.origin !== requestUrl.origin || !parsed.pathname.startsWith('/') || (!isRelativePath && !isAbsoluteUrl)) {
+      return safeDefault
+    }
+
+    return parsed.toString()
+  } catch {
+    return safeDefault
+  }
+}
+
+function hasControlCharacter(value: string): boolean {
+  for (const character of value) {
+    const codePoint = character.codePointAt(0)
+    if (typeof codePoint === 'number' && (codePoint < 32 || codePoint === 127)) {
+      return true
+    }
+  }
+
+  return false
+}
+
+function createClerkErrorResponse(error: unknown, code: string): Response {
+  return Response.json({
+    ok: false,
+    code,
+    message: getErrorMessage(error),
+  } as const, {
+    status: error instanceof ClerkAuthConflictError ? 409 : 422,
+  })
+}
+
 function resolveGuardAndProvider(provider?: string): {
   readonly guard: string
   readonly authProvider: string
@@ -363,11 +638,62 @@ function requireUserRecord(user: unknown, message: string): Record<string, unkno
   return user as Record<string, unknown>
 }
 
-function serializeLocalUser(
+function requireSerializedUser(user: AuthUserLike, message: string): SerializedClerkAuthUser {
+  if (typeof user.id === 'string' || typeof user.id === 'number') {
+    return user as SerializedClerkAuthUser
+  }
+
+  throw new Error(message)
+}
+
+function createClerkSessionPayload(
+  authenticated: Pick<ClerkAuthenticationResult, 'guard' | 'authProvider' | 'provider' | 'user'>,
+  session: ClerkVerifiedSession,
+): ClerkSessionPayload {
+  const user = requireSerializedUser(
+    authenticated.user,
+    '[@holo-js/auth-clerk] Clerk-authenticated local users must expose a serializable id.',
+  )
+
+  return Object.freeze({
+    guard: authenticated.guard,
+    provider: authenticated.authProvider,
+    userId: user.id,
+    user,
+    clerk: Object.freeze({
+      provider: authenticated.provider,
+      sessionId: session.sessionId,
+    }),
+  })
+}
+
+function getClerkLogoutSession(payload: unknown, providerName: string): ClerkLogoutSession | null {
+  if (!payload || typeof payload !== 'object' || !('clerk' in payload)) {
+    return null
+  }
+
+  const clerk = (payload as { readonly clerk?: unknown }).clerk
+  if (!clerk || typeof clerk !== 'object') {
+    return null
+  }
+
+  const provider = (clerk as { readonly provider?: unknown }).provider
+  const sessionId = (clerk as { readonly sessionId?: unknown }).sessionId
+  if (provider !== providerName || typeof sessionId !== 'string' || !sessionId.trim()) {
+    return null
+  }
+
+  return Object.freeze({
+    provider,
+    sessionId,
+  })
+}
+
+function serializeLocalUser<TUserAttributes extends ClerkUserAttributes = ClerkDefaultUserAttributes>(
   adapter: RuntimeAuthProviderAdapter,
   user: Record<string, unknown>,
   providerName: string,
-): AuthUserLike {
+): AuthUserLike & TUserAttributes {
   const id = adapter.getId(user)
   const serialized = adapter.serialize
     ? adapter.serialize(user)
@@ -383,7 +709,7 @@ function serializeLocalUser(
     configurable: true,
   })
 
-  return Object.freeze(result)
+  return Object.freeze(result) as AuthUserLike & TUserAttributes
 }
 
 function resolvePrimaryEmail(profile: ClerkUserProfile): { email?: string, emailVerified: boolean } {
@@ -410,13 +736,13 @@ function resolvePrimaryEmail(profile: ClerkUserProfile): { email?: string, email
   }
 }
 
-function resolveDisplayName(profile: ClerkUserProfile): string | undefined {
+function resolveDisplayName(profile: ClerkUserProfile): string {
   if (profile.name?.trim()) {
     return profile.name.trim()
   }
 
   const fullName = [profile.firstName?.trim(), profile.lastName?.trim()].filter(Boolean).join(' ').trim()
-  return fullName || undefined
+  return fullName || profile.email || profile.id
 }
 
 function resolveEmailForCreation(profile: ClerkUserProfile): string {
@@ -428,6 +754,44 @@ function resolveEmailForCreation(profile: ClerkUserProfile): string {
   return `${profile.id}@clerk.hosted.local`
 }
 
+function toAdapterInput(input: ClerkUserAttributes): Readonly<Record<string, unknown>> {
+  return Object.freeze(Object.fromEntries(
+    Object.entries(input).filter((entry) => typeof entry[1] !== 'undefined'),
+  ))
+}
+
+function withRequiredUserFields(input: ClerkUserAttributes, profile: ClerkUserProfile): ClerkUserAttributes {
+  return Object.freeze({
+    ...input,
+    email: typeof input.email === 'undefined' ? resolveEmailForCreation(profile) : input.email,
+    name: typeof input.name === 'undefined' ? resolveDisplayName(profile) : input.name,
+  })
+}
+
+function resolveCreateUserInput<TUserAttributes extends ClerkUserAttributes>(
+  profile: ClerkUserProfile,
+  mapper?: (clerkUser: ClerkUserProfile) => TUserAttributes,
+): Readonly<Record<string, unknown>> {
+  return toAdapterInput(withRequiredUserFields({
+    password: null,
+    avatar: profile.imageUrl ?? null,
+    email_verified_at: profile.emailVerified ? new Date() : null,
+    ...(mapper?.(profile) ?? {}),
+  }, profile))
+}
+
+function resolveUpdateUserInput<TUserAttributes extends ClerkUserAttributes>(
+  profile: ClerkUserProfile,
+  mapper?: (clerkUser: ClerkUserProfile) => TUserAttributes,
+): Readonly<Record<string, unknown>> {
+  return toAdapterInput(withRequiredUserFields({
+    email: profile.email.trim() || undefined,
+    avatar: profile.imageUrl,
+    email_verified_at: profile.emailVerified ? new Date() : undefined,
+    ...(mapper?.(profile) ?? {}),
+  }, profile))
+}
+
 function normalizeHostedProfile(profile: ClerkUserProfile): Readonly<Record<string, unknown>> {
   const resolvedEmail = resolvePrimaryEmail(profile)
 
@@ -462,23 +826,11 @@ async function findUserByEmail(
 async function updateLocalUser(
   adapter: RuntimeAuthProviderAdapter,
   user: Record<string, unknown>,
-  input: {
-    readonly name?: string
-    readonly email?: string
-    readonly avatar?: string
-    readonly emailVerified?: boolean
-  },
+  input: Readonly<Record<string, unknown>>,
 ): Promise<{
   readonly user: Record<string, unknown>
   readonly changed: boolean
 }> {
-  const nextInput = {
-    name: input.name,
-    email: input.email,
-    avatar: typeof input.avatar === 'undefined' ? undefined : input.avatar,
-    email_verified_at: input.emailVerified === true ? new Date() : undefined,
-  }
-
   const current = user as {
     name?: string
     email?: string
@@ -486,12 +838,13 @@ async function updateLocalUser(
     email_verified_at?: Date | string | null
   }
 
-  const changed = (
-    (typeof nextInput.name !== 'undefined' && nextInput.name !== current.name)
-    || (typeof nextInput.email !== 'undefined' && nextInput.email !== current.email)
-    || (typeof nextInput.avatar !== 'undefined' && nextInput.avatar !== (current.avatar ?? undefined))
-    || (input.emailVerified === true && !current.email_verified_at)
-  )
+  const changed = Object.entries(input).some(([key, value]) => {
+    if (key === 'email_verified_at') {
+      return value instanceof Date && !current.email_verified_at
+    }
+
+    return !Object.is(value, user[key])
+  })
 
   if (!changed) {
     return { user, changed: false }
@@ -500,7 +853,7 @@ async function updateLocalUser(
   if (adapter.update) {
     return {
       user: requireUserRecord(
-        await adapter.update(user, nextInput),
+        await adapter.update(user, input),
         '[@holo-js/auth-clerk] Auth provider updates must return object users.',
       ),
       changed: true,
@@ -608,6 +961,75 @@ function getSessionTokenFromRequest(request: Request, sessionCookie: string): st
   return cookies[sessionCookie] ?? null
 }
 
+function hasClerkCallbackState(request: Request): boolean {
+  const url = new URL(request.url)
+  return [...url.searchParams.keys()].some(key => key.startsWith('__clerk'))
+}
+
+function hasClerkHandshakeAttempt(request: Request): boolean {
+  const url = new URL(request.url)
+  if (
+    url.searchParams.has('__clerk_handshake')
+    || url.searchParams.has('__clerk_handshake_nonce')
+    || url.searchParams.has('__clerk_synced')
+  ) {
+    return true
+  }
+
+  const cookies = parseCookieHeader(request.headers.get('cookie'))
+  const redirectCount = cookies.__clerk_redirect_count
+  return typeof redirectCount === 'string' && redirectCount !== '' && redirectCount !== '0'
+}
+
+function isConfiguredClerkRedirectRequest(
+  request: Request,
+  config: NormalizedAuthClerkProviderConfig,
+): boolean {
+  const redirectUri = config.redirectUri?.trim()
+  if (!redirectUri) {
+    return hasClerkCallbackState(request)
+  }
+
+  try {
+    const requestUrl = new URL(request.url)
+    const configuredUrl = new URL(redirectUri, requestUrl.origin)
+    return requestUrl.origin === configuredUrl.origin && requestUrl.pathname === configuredUrl.pathname
+  } catch {
+    return false
+  }
+}
+
+function splitSetCookieHeader(value: string): readonly string[] {
+  return value
+    .split(/,(?=\s*[^;,=\s]+=)/g)
+    .map(cookie => cookie.trim())
+    .filter(Boolean)
+}
+
+function getSetCookieHeaders(headers: Headers): readonly string[] {
+  const withGetSetCookie = headers as Headers & {
+    readonly getSetCookie?: () => string[]
+  }
+  const explicit = withGetSetCookie.getSetCookie?.()
+  if (explicit?.length) {
+    return explicit
+  }
+
+  const combined = headers.get('set-cookie')
+  return combined ? splitSetCookieHeader(combined) : []
+}
+
+async function appendClerkResponseCookies(headers: Headers): Promise<void> {
+  const append = authRuntimeInternals.getRuntimeBindings().context.appendResponseCookie
+  if (!append) {
+    return
+  }
+
+  for (const cookie of getSetCookieHeaders(headers)) {
+    await append(cookie)
+  }
+}
+
 function getHoloSessionIdFromRequest(request: Request): string | null {
   const cookieHeader = authRuntimeInternals.getRuntimeBindings().session.sessionCookie('')
   const separator = cookieHeader.indexOf('=')
@@ -667,7 +1089,89 @@ export async function verifySession(token: string, provider?: string): Promise<C
   })
 }
 
-export async function verifyRequest(request: Request, provider?: string): Promise<ClerkVerifiedSession | null> {
+function resolveRequestAuthorizedParties(
+  config: NormalizedAuthClerkProviderConfig,
+  request: Request,
+): readonly string[] {
+  return Object.freeze([
+    ...new Set([
+      ...(config.authorizedParties ?? []),
+      new URL(request.url).origin,
+    ]),
+  ])
+}
+
+async function verifyDefaultSessionToken(
+  token: string,
+  providerConfig: { readonly name: string } & NormalizedAuthClerkProviderConfig,
+  authorizedParties: readonly string[],
+): Promise<ClerkVerifiedSession | null> {
+  const config = {
+    ...providerConfig,
+    authorizedParties,
+  }
+  const defaultRuntime = createDefaultProviderRuntime(providerConfig.name, config)
+  if (!defaultRuntime.verifySession) {
+    throw new Error(`[@holo-js/auth-clerk] Clerk provider runtime "${providerConfig.name}" does not implement verifySession().`)
+  }
+
+  return defaultRuntime.verifySession({
+    provider: providerConfig.name,
+    token,
+    config,
+  })
+}
+
+async function verifyRequestWithClerkBackendSdk(
+  request: Request,
+  providerConfig: { readonly name: string } & NormalizedAuthClerkProviderConfig,
+): Promise<ClerkVerifiedSession | null> {
+  const publishableKey = providerConfig.publishableKey?.trim()
+  const secretKey = providerConfig.secretKey?.trim()
+  if (!publishableKey || !secretKey) {
+    return null
+  }
+
+  const { createClerkClient } = await import('@clerk/backend')
+  const client = createClerkClient({
+    apiUrl: providerConfig.apiUrl,
+    publishableKey,
+    secretKey,
+  })
+  const authenticateOptions = {
+    apiUrl: providerConfig.apiUrl,
+    authorizedParties: [...resolveRequestAuthorizedParties(providerConfig, request)],
+    publishableKey,
+    secretKey,
+  }
+  const requestState = await client.authenticateRequest(request, authenticateOptions)
+
+  await appendClerkResponseCookies(requestState.headers)
+  if (requestState.status === 'handshake') {
+    const redirectUrl = requestState.headers.get('location')
+    if (redirectUrl && !hasClerkHandshakeAttempt(request)) {
+      await authRuntimeInternals.redirectResponse(
+        authRuntimeInternals.getRuntimeBindings(),
+        new URL(redirectUrl, request.url).toString(),
+        307,
+      )
+    }
+    return null
+  }
+
+  if (requestState.status !== 'signed-in') {
+    return null
+  }
+
+  return verifyDefaultSessionToken(
+    requestState.token,
+    providerConfig,
+    resolveRequestAuthorizedParties(providerConfig, request),
+  )
+}
+
+export async function verifyRequest(input: ClerkRequestInput, provider?: string): Promise<ClerkVerifiedSession | null> {
+  const request = normalizeClerkRequest(input)
   const providerConfig = getConfiguredProviderConfig(provider)
   const configuredRuntime = getBindings().providers[providerConfig.name]
   const runtime = configuredRuntime ?? getProviderRuntime(providerConfig.name)
@@ -681,6 +1185,13 @@ export async function verifyRequest(request: Request, provider?: string): Promis
   }
 
   const token = getSessionTokenFromRequest(request, providerConfig.sessionCookie)
+  if (!configuredRuntime && (hasClerkCallbackState(request) || isConfiguredClerkRedirectRequest(request, providerConfig))) {
+    const clerkSession = await verifyRequestWithClerkBackendSdk(request, providerConfig)
+    if (clerkSession) {
+      return clerkSession
+    }
+  }
+
   if (!token) {
     return null
   }
@@ -697,39 +1208,16 @@ export async function verifyRequest(request: Request, provider?: string): Promis
     })
   }
 
-  const requestOrigin = new URL(request.url).origin
-  const defaultRuntime = createDefaultProviderRuntime(providerConfig.name, {
-    ...providerConfig,
-    authorizedParties: Object.freeze([
-      ...new Set([
-        ...(providerConfig.authorizedParties ?? []),
-        requestOrigin,
-      ]),
-    ]),
-  })
-  if (!defaultRuntime.verifySession) {
-    throw new Error(`[@holo-js/auth-clerk] Clerk provider runtime "${providerConfig.name}" does not implement verifySession().`)
-  }
-
-  return defaultRuntime.verifySession({
-    provider: providerConfig.name,
-    token,
-    config: {
-      ...providerConfig,
-      authorizedParties: Object.freeze([
-        ...new Set([
-          ...(providerConfig.authorizedParties ?? []),
-          requestOrigin,
-        ]),
-      ]),
-    },
-  })
+  return verifyDefaultSessionToken(token, providerConfig, resolveRequestAuthorizedParties(providerConfig, request))
 }
 
-export async function syncIdentity(
+export async function syncIdentity<TUserAttributes extends ClerkUserAttributes = ClerkDefaultUserAttributes>(
   session: ClerkVerifiedSession,
   provider?: string,
-): Promise<ClerkAuthenticationResult> {
+  options: {
+    readonly user?: (clerkUser: ClerkUserProfile) => TUserAttributes
+  } = {},
+): Promise<ClerkAuthenticationResult<TUserAttributes>> {
   const providerConfig = getConfiguredProviderConfig(provider)
   const providerName = providerConfig.name
   const profile = session.user
@@ -761,21 +1249,13 @@ export async function syncIdentity(
       }
 
       if (!linkedUser) {
-        linkedUser = requireUserRecord(await adapter.create({
-          name: resolveDisplayName(profile),
-          email: resolveEmailForCreation(profile),
-          password: null,
-          avatar: profile.imageUrl ?? null,
-          email_verified_at: resolvedEmail.emailVerified ? new Date() : null,
-        }), '[@holo-js/auth-clerk] Auth provider create() must return an object user.')
+        linkedUser = requireUserRecord(
+          await adapter.create(resolveCreateUserInput(profile, options.user)),
+          '[@holo-js/auth-clerk] Auth provider create() must return an object user.',
+        )
       }
 
-      const relinked = await updateLocalUser(adapter, linkedUser, {
-        name: resolveDisplayName(profile),
-        email: resolvedEmail.email,
-        avatar: profile.imageUrl,
-        emailVerified: resolvedEmail.emailVerified,
-      })
+      const relinked = await updateLocalUser(adapter, linkedUser, resolveUpdateUserInput(profile, options.user))
       const relinkedUser = relinked.user
       const identity = createIdentityRecord({
         provider: providerName,
@@ -796,7 +1276,7 @@ export async function syncIdentity(
         guard,
         authProvider,
         status: 'relinked',
-        user: serializeLocalUser(adapter, relinkedUser, authProvider),
+        user: serializeLocalUser<TUserAttributes>(adapter, relinkedUser, authProvider),
         identity,
         session,
       })
@@ -812,12 +1292,7 @@ export async function syncIdentity(
         '[@holo-js/auth-clerk] Linked local users must expose a serializable id.',
       ),
     )
-    const updated = await updateLocalUser(adapter, linkedUser, {
-      name: resolveDisplayName(profile),
-      email: resolvedEmail.email,
-      avatar: profile.imageUrl,
-      emailVerified: resolvedEmail.emailVerified,
-    })
+    const updated = await updateLocalUser(adapter, linkedUser, resolveUpdateUserInput(profile, options.user))
     const identity = createIdentityRecord({
       provider: providerName,
       guard,
@@ -837,7 +1312,7 @@ export async function syncIdentity(
       guard,
       authProvider,
       status: updated.changed ? 'updated' : 'linked',
-      user: serializeLocalUser(adapter, updated.user, authProvider),
+      user: serializeLocalUser<TUserAttributes>(adapter, updated.user, authProvider),
       identity,
       session,
     })
@@ -849,12 +1324,7 @@ export async function syncIdentity(
 
   if (localUser) {
     await assertUserLinkAvailable(providerName, authProvider, adapter, localUser, profile.id)
-    const linked = await updateLocalUser(adapter, localUser, {
-      name: resolveDisplayName(profile),
-      email: resolvedEmail.email,
-      avatar: profile.imageUrl,
-      emailVerified: resolvedEmail.emailVerified,
-    })
+    const linked = await updateLocalUser(adapter, localUser, resolveUpdateUserInput(profile, options.user))
     const identity = createIdentityRecord({
       provider: providerName,
       guard,
@@ -873,19 +1343,16 @@ export async function syncIdentity(
       guard,
       authProvider,
       status: 'linked',
-      user: serializeLocalUser(adapter, linked.user, authProvider),
+      user: serializeLocalUser<TUserAttributes>(adapter, linked.user, authProvider),
       identity,
       session,
     })
   }
 
-  localUser = requireUserRecord(await adapter.create({
-    name: resolveDisplayName(profile),
-    email: resolveEmailForCreation(profile),
-    password: null,
-    avatar: profile.imageUrl ?? null,
-    email_verified_at: resolvedEmail.emailVerified ? new Date() : null,
-  }), '[@holo-js/auth-clerk] Auth provider create() must return an object user.')
+  localUser = requireUserRecord(
+    await adapter.create(resolveCreateUserInput(profile, options.user)),
+    '[@holo-js/auth-clerk] Auth provider create() must return an object user.',
+  )
   const identity = createIdentityRecord({
     provider: providerName,
     guard,
@@ -904,13 +1371,14 @@ export async function syncIdentity(
     guard,
     authProvider,
     status: 'created',
-    user: serializeLocalUser(adapter, localUser, authProvider),
+    user: serializeLocalUser<TUserAttributes>(adapter, localUser, authProvider),
     identity,
     session,
   })
 }
 
-export async function authenticate(request: Request, provider?: string): Promise<ClerkAuthenticationResult | null> {
+export async function authenticate(input: ClerkRequestInput, provider?: string): Promise<ClerkAuthenticationResult | null> {
+  const request = normalizeClerkRequest(input)
   const session = await verifyRequest(request, provider)
   if (!session) {
     return null
@@ -921,6 +1389,7 @@ export async function authenticate(request: Request, provider?: string): Promise
     ?? await authRuntimeInternals.establishSessionForUser(authenticated.user, {
       guard: authenticated.guard,
       provider: authenticated.authProvider,
+      payload: createClerkSessionPayload(authenticated, session),
     })
   return Object.freeze({
     ...authenticated,
@@ -928,24 +1397,192 @@ export async function authenticate(request: Request, provider?: string): Promise
   })
 }
 
+function getErrorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : 'Clerk authentication failed.'
+}
+
+export async function loginWithClerk(
+  _input: ClerkRequestInput,
+  options: {
+    readonly provider?: string
+  } = {},
+): Promise<Response> {
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    return Response.redirect(createAuthorizationUrl(providerConfig, 'sign-in'), 302)
+  } catch (error) {
+    return createClerkErrorResponse(error, 'clerk_login_failed')
+  }
+}
+
+export async function registerWithClerk(
+  _input: ClerkRequestInput,
+  options: {
+    readonly provider?: string
+  } = {},
+): Promise<Response> {
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    return Response.redirect(createAuthorizationUrl(providerConfig, 'sign-up'), 302)
+  } catch (error) {
+    return createClerkErrorResponse(error, 'clerk_register_failed')
+  }
+}
+
+async function readCurrentClerkLogoutSession(guard: string, providerName: string): Promise<ClerkLogoutSession | null> {
+  const bindings = authRuntimeInternals.getRuntimeBindings()
+  const sessionId = bindings.context.getSessionId(guard)
+  if (!sessionId) {
+    return null
+  }
+
+  const record = await bindings.session.read(sessionId)
+  return getClerkLogoutSession(authRuntimeInternals.readSessionPayload(record, guard), providerName)
+}
+
+async function revokeClerkSession(config: NormalizedAuthClerkProviderConfig, sessionId: string): Promise<void> {
+  const secretKey = config.secretKey?.trim()
+  if (!secretKey) {
+    throw new Error('[@holo-js/auth-clerk] Clerk logout requires secretKey to be configured.')
+  }
+
+  const apiBase = config.apiUrl?.trim() || CLERK_API_BASE_URL
+  const response = await fetch(`${apiBase.replace(/\/$/, '')}/v1/sessions/${encodeURIComponent(sessionId)}/revoke`, {
+    method: 'POST',
+    headers: {
+      accept: 'application/json',
+      authorization: `Bearer ${secretKey}`,
+    },
+  })
+  if (!response.ok) {
+    throw new Error(`[@holo-js/auth-clerk] Failed to revoke Clerk session "${sessionId}".`)
+  }
+}
+
+export async function logoutWithClerk(
+  input: ClerkRequestInput,
+  options: {
+    readonly provider?: string
+    readonly returnTo?: string
+  } = {},
+): Promise<ClerkLogoutResult> {
+  const request = normalizeClerkRequest(input)
+  try {
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    const providerName = providerConfig.name
+    const { guard } = resolveGuardAndProvider(providerName)
+    const requestSessionId = getHoloSessionIdFromRequest(request)
+    if (requestSessionId) {
+      authRuntimeInternals.getRuntimeBindings().context.setSessionId(guard, requestSessionId)
+    }
+    const clerkSession = await readCurrentClerkLogoutSession(guard, providerName)
+    if (!clerkSession) {
+      return Object.freeze({
+        ok: false,
+        code: 'clerk_session_missing',
+        message: 'The current Holo session was not created by Clerk.',
+      } as const)
+    }
+
+    await revokeClerkSession(providerConfig, clerkSession.sessionId)
+    const local = await getAuthRuntime().guard(guard).logout()
+    return Object.freeze({
+      ok: true,
+      url: createClerkReturnUrl(request, options.returnTo),
+      local,
+    } as const)
+  } catch (error) {
+    return Object.freeze({
+      ok: false,
+      code: 'clerk_logout_failed',
+      message: getErrorMessage(error),
+    } as const)
+  }
+}
+
+export async function completeClerkAuth<TUserAttributes extends ClerkUserAttributes = ClerkDefaultUserAttributes>(
+  input: ClerkRequestInput,
+  options: CompleteClerkAuthOptions<TUserAttributes> = {},
+): Promise<ClerkCompleteAuthResult<TUserAttributes>> {
+  try {
+    const request = normalizeClerkRequest(input)
+    const url = new URL(request.url)
+    const callbackError = url.searchParams.get('error')?.trim()
+    if (callbackError) {
+      return Object.freeze({
+        ok: false,
+        code: callbackError,
+        message: url.searchParams.get('error_description')?.trim() || 'Clerk authentication failed.',
+      } as const)
+    }
+
+    const providerConfig = getConfiguredProviderConfig(options.provider)
+    const session = await verifyRequest(request, providerConfig.name)
+    if (!session) {
+      return Object.freeze({
+        ok: false,
+        code: 'clerk_session_required',
+        message: 'Clerk callback did not include an active session.',
+      } as const)
+    }
+
+    const authenticated = await syncIdentity(session, providerConfig.name, {
+      user: options.user,
+    })
+    const authSession = await authRuntimeInternals.establishSessionForUser(authenticated.user, {
+      guard: authenticated.guard,
+      provider: authenticated.authProvider,
+      payload: createClerkSessionPayload(authenticated, session),
+    })
+
+    return Object.freeze({
+      ok: true,
+      provider: authenticated.provider,
+      guard: authenticated.guard,
+      authProvider: authenticated.authProvider,
+      status: authenticated.status,
+      user: authenticated.user,
+      identity: authenticated.identity,
+      session,
+      authSession,
+    } as const)
+  } catch (error) {
+    if (authRuntimeInternals.isResponseInterrupt(error)) {
+      throw error
+    }
+
+    return Object.freeze({
+      ok: false,
+      code: error instanceof ClerkAuthConflictError ? error.code : 'clerk_auth_failed',
+      message: getErrorMessage(error),
+    } as const)
+  }
+}
+
 export function configureClerkAuthRuntime(bindings?: ConfigureClerkAuthRuntimeOptions): void {
+  const runtimeState = getRuntimeState()
   if (!bindings) {
-    clerkBindings = undefined
+    runtimeState.bindings = undefined
     return
   }
 
-  clerkBindings = Object.freeze({
-    providers: bindings.providers ?? clerkBindings?.providers,
-    identityStore: bindings.identityStore ?? clerkBindings?.identityStore,
+  runtimeState.bindings = Object.freeze({
+    providers: bindings.providers ?? runtimeState.bindings?.providers,
+    identityStore: bindings.identityStore ?? runtimeState.bindings?.identityStore,
   })
 }
 
 export function resetClerkAuthRuntime(): void {
-  clerkBindings = undefined
+  getRuntimeState().bindings = undefined
+  clerkDefaultProviderRuntimeCache.clear()
 }
 
 export const clerkAuth = Object.freeze({
   authenticate,
+  completeClerkAuth,
+  loginWithClerk,
+  logoutWithClerk,
+  registerWithClerk,
   syncIdentity,
   verifyRequest,
   verifySession,
@@ -955,6 +1592,7 @@ export const clerkAuthInternals = {
   getBindings,
   getConfiguredProviderConfig,
   getSessionTokenFromRequest,
+  normalizeClerkUserProfile,
   normalizeHostedProfile,
   resolveConfiguredProviderName,
   resolveDisplayName,
diff --git a/packages/auth-clerk/src/jwt.ts b/packages/auth-clerk/src/jwt.ts
index ff95ce9..2047f3d 100644
--- a/packages/auth-clerk/src/jwt.ts
+++ b/packages/auth-clerk/src/jwt.ts
@@ -54,25 +54,6 @@ export function verifyJwtSignatureWithJwk(
   }
 }
 
-export function verifyJwtSignatureWithPem(
-  token: ReturnType<typeof parseJwt>,
-  pem: string,
-): boolean {
-  const algorithm = typeof token.header.alg === 'string' ? token.header.alg : ''
-  const key = createPublicKey(pem.replace(/\\n/g, '\n'))
-
-  switch (algorithm) {
-    case 'RS256':
-      return verifySignature('RSA-SHA256', token.signingInput, key, token.signature)
-    case 'RS384':
-      return verifySignature('RSA-SHA384', token.signingInput, key, token.signature)
-    case 'RS512':
-      return verifySignature('RSA-SHA512', token.signingInput, key, token.signature)
-    default:
-      throw new Error(`[@holo-js/auth-clerk] Unsupported Clerk JWT algorithm "${algorithm || 'unknown'}".`)
-  }
-}
-
 export function resolveClerkJwksUrl(config: AuthClerkProviderConfig): string {
   const frontendApi = config.frontendApi?.trim()
   if (frontendApi) {
diff --git a/packages/auth-clerk/tests/package.test.ts b/packages/auth-clerk/tests/package.test.ts
index 2c3fc31..d492ba9 100644
--- a/packages/auth-clerk/tests/package.test.ts
+++ b/packages/auth-clerk/tests/package.test.ts
@@ -8,8 +8,12 @@ import {
   authenticate,
   clerkAuth,
   clerkAuthInternals,
+  completeClerkAuth,
   configureClerkAuthRuntime,
+  loginWithClerk,
+  logoutWithClerk,
   resetClerkAuthRuntime,
+  registerWithClerk,
   syncIdentity,
   verifyRequest,
   verifySession,
@@ -35,10 +39,13 @@ type SessionStore = {
 
 type UserRecord = {
   id: number
-  name?: string
+  name: string
   email: string
+  role: 'admin' | 'member'
+  avatarUrl?: string | null
   password?: string | null
   avatar?: string | null
+  clerkUserId?: string
   email_verified_at?: Date | null
 }
 
@@ -62,6 +69,20 @@ type ClerkSessionFixture = {
   readonly raw?: unknown
 }
 
+type FetchMockInput = string | URL | Request
+
+function resolveFetchMockUrl(input: FetchMockInput): string {
+  if (input instanceof Request) {
+    return input.url
+  }
+
+  if (input instanceof URL) {
+    return input.href
+  }
+
+  return input
+}
+
 class InMemorySessionStore implements SessionStore {
   readonly records = new Map<string, SessionRecord>()
   async read(sessionId: string): Promise<SessionRecord | null> {
@@ -96,14 +117,18 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     readonly email: string
     readonly password?: string | null
     readonly avatar?: string | null
+    readonly clerkUserId?: string
     readonly email_verified_at?: Date | null
   }): Promise<UserRecord> {
     const created: UserRecord = {
       id: this.nextId,
-      name: input.name,
+      name: input.name ?? input.email,
       email: input.email,
+      role: 'member',
+      avatarUrl: input.avatar ?? null,
       password: input.password,
       avatar: input.avatar,
+      clerkUserId: input.clerkUserId,
       email_verified_at: input.email_verified_at,
     }
     this.nextId += 1
@@ -116,6 +141,7 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     readonly name?: string
     readonly email?: string
     readonly avatar?: string | null
+    readonly clerkUserId?: string
     readonly email_verified_at?: Date | null
     readonly password?: string | null
   }): Promise<UserRecord> {
@@ -128,6 +154,10 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
     }
     if (typeof input.avatar !== 'undefined') {
       user.avatar = input.avatar
+      user.avatarUrl = input.avatar
+    }
+    if (typeof input.clerkUserId !== 'undefined') {
+      user.clerkUserId = input.clerkUserId
     }
     if (typeof input.email_verified_at !== 'undefined') {
       user.email_verified_at = input.email_verified_at
@@ -152,7 +182,10 @@ class InMemoryProviderAdapter implements AuthProviderAdapter<UserRecord> {
       id: user.id,
       name: user.name,
       email: user.email,
+      role: user.role,
       avatar: user.avatar ?? null,
+      avatarUrl: user.avatarUrl ?? user.avatar ?? null,
+      clerkUserId: user.clerkUserId,
       email_verified_at: user.email_verified_at ?? null,
     }
   }
@@ -185,8 +218,10 @@ class SnapshotProviderAdapter implements AuthProviderAdapter<UserRecord> {
   }): Promise<UserRecord> {
     const created: UserRecord = {
       id: this.nextId,
-      name: input.name,
+      name: input.name ?? input.email,
       email: input.email,
+      role: 'member',
+      avatarUrl: input.avatar ?? null,
       password: input.password,
       avatar: input.avatar,
       email_verified_at: input.email_verified_at,
@@ -206,7 +241,9 @@ class SnapshotProviderAdapter implements AuthProviderAdapter<UserRecord> {
       id: user.id,
       name: user.name,
       email: user.email,
+      role: user.role,
       avatar: user.avatar ?? null,
+      avatarUrl: user.avatarUrl ?? user.avatar ?? null,
       email_verified_at: user.email_verified_at ?? null,
     }
   }
@@ -261,6 +298,13 @@ function configureRuntime(options: {
   clerkGuard?: 'web' | 'admin' | 'api'
   includeClerkConfig?: boolean
   configureClerkRuntime?: boolean
+  frontendApi?: string
+  publishableKey?: string
+  responseCookies?: string[]
+  redirectResponses?: {
+    url: string
+    status?: 301 | 302 | 303 | 307 | 308
+  }[]
 } = {}) {
   const sessionStore = new InMemorySessionStore()
   configureSessionRuntime({
@@ -294,6 +338,19 @@ function configureRuntime(options: {
 
   const usersProvider = new InMemoryProviderAdapter()
   const adminsProvider = new InMemoryProviderAdapter()
+  const context = authRuntimeInternals.createMemoryAuthContext()
+  const authContext = options.responseCookies || options.redirectResponses
+    ? {
+        ...context,
+        appendResponseCookie(cookie: string) {
+          options.responseCookies?.push(cookie)
+        },
+        redirectResponse(url: string, status?: 301 | 302 | 303 | 307 | 308) {
+          options.redirectResponses?.push({ url, status })
+        },
+      }
+    : context
+
   configureAuthRuntime({
     config: defineAuthConfig({
       defaults: {
@@ -315,10 +372,12 @@ function configureRuntime(options: {
       clerk: options.includeClerkConfig === false
         ? undefined
         : {
+            provider: 'app',
             app: {
-              publishableKey: 'pk_test',
+              publishableKey: options.publishableKey ?? 'pk_test',
               secretKey: 'sk_test',
-              jwtKey: 'jwt-key',
+              frontendApi: options.frontendApi ?? 'https://accounts.app.test',
+              redirectUri: 'https://app.test/api/auth/clerk/callback',
               sessionCookie: '__session',
               guard: options.clerkGuard,
               mapToProvider: options.clerkGuard === 'admin' ? 'admins' : undefined,
@@ -330,7 +389,7 @@ function configureRuntime(options: {
       users: usersProvider,
       admins: adminsProvider,
     },
-    context: authRuntimeInternals.createMemoryAuthContext(),
+    context: authContext,
   })
 
   const identityStore = new InMemoryIdentityStore()
@@ -348,6 +407,7 @@ function configureRuntime(options: {
 
             return {
               ...session,
+              user: clerkAuthInternals.normalizeClerkUserProfile(session.user),
               accessToken: token,
             }
           },
@@ -370,6 +430,7 @@ afterEach(() => {
   resetClerkAuthRuntime()
   resetAuthRuntime()
   resetSessionRuntime()
+  vi.doUnmock('@clerk/backend')
   vi.restoreAllMocks()
   vi.unstubAllGlobals()
 })
@@ -394,14 +455,40 @@ function createSignedJwt(
   return `${signingInput}.${signature}`
 }
 
+function createJwksResponse(publicKey: ReturnType<typeof generateKeyPairSync>['publicKey']): Response {
+  return new Response(JSON.stringify({
+    keys: [
+      {
+        ...(publicKey.export({ format: 'jwk' }) as Record<string, unknown>),
+        kid: 'clerk-test-key',
+        use: 'sig',
+        alg: 'RS256',
+      },
+    ],
+  }), {
+    status: 200,
+    headers: { 'content-type': 'application/json' },
+  })
+}
+
 describe('@holo-js/auth-clerk', () => {
   it('exports the Clerk auth facade and helpers', () => {
     expect(clerkAuth.authenticate).toBe(authenticate)
+    expect(clerkAuth.completeClerkAuth).toBe(completeClerkAuth)
+    expect(clerkAuth.loginWithClerk).toBe(loginWithClerk)
+    expect(clerkAuth.logoutWithClerk).toBe(logoutWithClerk)
+    expect(clerkAuth.registerWithClerk).toBe(registerWithClerk)
     expect(clerkAuth.verifyRequest).toBe(verifyRequest)
     expect(clerkAuth.verifySession).toBe(verifySession)
     expect(typeof clerkAuthInternals.resolveEmailForCreation).toBe('function')
   })
 
+  it('normalizes fetch mock request inputs to URL strings', () => {
+    expect(resolveFetchMockUrl('https://api.clerk.test/v1/jwks')).toBe('https://api.clerk.test/v1/jwks')
+    expect(resolveFetchMockUrl(new URL('https://api.clerk.test/v1/users/user_1'))).toBe('https://api.clerk.test/v1/users/user_1')
+    expect(resolveFetchMockUrl(new Request('https://api.clerk.test/v1/sessions/session_1/revoke'))).toBe('https://api.clerk.test/v1/sessions/session_1/revoke')
+  })
+
   it('merges partial runtime configuration updates', () => {
     const identityStore = new InMemoryIdentityStore()
     const providers = Object.freeze({
@@ -446,8 +533,12 @@ describe('@holo-js/auth-clerk', () => {
       sid: 'sess_clerk_1',
       exp: Math.floor(Date.now() / 1000) + 3600,
     }, privateKey)
-    const fetchMock = vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    const fetchMock = vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
+      if (url === 'https://api.clerk.com/v1/jwks') {
+        return createJwksResponse(publicKey)
+      }
+
       if (url === 'https://api.clerk.com/v1/users/user_clerk_1') {
         return new Response(JSON.stringify({
           id: 'user_clerk_1',
@@ -482,7 +573,6 @@ describe('@holo-js/auth-clerk', () => {
           app: {
             publishableKey: 'pk_test',
             secretKey: 'sk_test',
-            jwtKey: publicKey.export({ format: 'pem', type: 'spki' }).toString(),
             sessionCookie: '__session',
           },
         },
@@ -527,8 +617,12 @@ describe('@holo-js/auth-clerk', () => {
       azp: 'https://app.test',
       exp: Math.floor(Date.now() / 1000) + 3600,
     }, privateKey)
-    const fetchMock = vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    const fetchMock = vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
+      if (url === 'https://api.clerk.com/v1/jwks') {
+        return createJwksResponse(publicKey)
+      }
+
       if (url === 'https://api.clerk.com/v1/users/user_clerk_azp_match') {
         return new Response(JSON.stringify({
           id: 'user_clerk_azp_match',
@@ -562,7 +656,6 @@ describe('@holo-js/auth-clerk', () => {
           app: {
             publishableKey: 'pk_test',
             secretKey: 'sk_test',
-            jwtKey: publicKey.export({ format: 'pem', type: 'spki' }).toString(),
             sessionCookie: '__session',
             authorizedParties: ['https://app.test'],
           },
@@ -588,7 +681,7 @@ describe('@holo-js/auth-clerk', () => {
     })
   })
 
-  it('uses frontendApi JWKS when jwtKey and apiUrl are not configured', async () => {
+  it('uses frontendApi JWKS when apiUrl is not configured', async () => {
     const runtime = configureRuntime({
       configureClerkRuntime: false,
     })
@@ -604,8 +697,8 @@ describe('@holo-js/auth-clerk', () => {
       sid: 'sess_clerk_frontend',
       exp: Math.floor(Date.now() / 1000) + 3600,
     }, privateKey)
-    const fetchMock = vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    const fetchMock = vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
       if (url === 'https://clerk.example.test/.well-known/jwks.json') {
         return new Response(JSON.stringify({
           keys: [
@@ -719,8 +812,8 @@ describe('@holo-js/auth-clerk', () => {
     })
 
     let jwksRequestCount = 0
-    const fetchMock = vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    const fetchMock = vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
       if (url === 'https://rotate.clerk.test/.well-known/jwks.json') {
         jwksRequestCount += 1
         const publicKey = (jwksRequestCount === 1 ? firstKeyPair.publicKey : secondKeyPair.publicKey)
@@ -833,8 +926,8 @@ describe('@holo-js/auth-clerk', () => {
       sid: 'sess_clerk_frontend_second',
       exp: Math.floor(Date.now() / 1000) + 3600,
     }, secondKeyPair.privateKey)
-    const fetchMock = vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    const fetchMock = vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
       if (url === 'https://first.clerk.test/.well-known/jwks.json') {
         return new Response(JSON.stringify({
           keys: [
@@ -983,8 +1076,12 @@ describe('@holo-js/auth-clerk', () => {
       nbf: Math.floor(Date.now() / 1000) + 3600,
       exp: Math.floor(Date.now() / 1000) + 7200,
     }, privateKey)
-    vi.stubGlobal('fetch', vi.fn(async (input: RequestInfo | URL) => {
-      const url = String(input)
+    vi.stubGlobal('fetch', vi.fn(async (input: FetchMockInput) => {
+      const url = resolveFetchMockUrl(input)
+      if (url === 'https://api.clerk.com/v1/jwks') {
+        return createJwksResponse(publicKey)
+      }
+
       if (url === 'https://api.clerk.com/v1/users/user_clerk_future') {
         return new Response(JSON.stringify({
           id: 'user_clerk_future',
@@ -1007,7 +1104,6 @@ describe('@holo-js/auth-clerk', () => {
           app: {
             publishableKey: 'pk_test',
             secretKey: 'sk_test',
-            jwtKey: publicKey.export({ format: 'pem', type: 'spki' }).toString(),
             sessionCookie: '__session',
           },
         },
@@ -1127,6 +1223,383 @@ describe('@holo-js/auth-clerk', () => {
     expect(sessionId).toBeTypeOf('string')
   })
 
+  it('returns hosted Account Portal redirects for login and register', async () => {
+    configureRuntime()
+
+    const login = await loginWithClerk(new Request('https://app.test/login'))
+    expect(login.status).toBe(302)
+    expect(login.headers.get('location')).toBe('https://accounts.app.test/sign-in?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback')
+
+    const register = await registerWithClerk({
+      node: {
+        req: {
+          method: 'GET',
+          url: '/register',
+          headers: {
+            host: 'app.test',
+          },
+        },
+      },
+    })
+    expect(register.status).toBe(302)
+    expect(register.headers.get('location')).toBe('https://accounts.app.test/sign-up?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback')
+  })
+
+  it('derives Account Portal redirects from Clerk frontend API hosts', async () => {
+    configureRuntime({
+      frontendApi: 'https://steady-newt-5.clerk.accounts.dev',
+    })
+
+    const developmentLogin = await loginWithClerk(new Request('https://app.test/login'))
+    expect(developmentLogin.headers.get('location')).toBe('https://steady-newt-5.accounts.dev/sign-in?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback')
+
+    configureRuntime({
+      frontendApi: 'https://clerk.example.com',
+    })
+
+    const productionLogin = await loginWithClerk(new Request('https://app.test/login'))
+    expect(productionLogin.headers.get('location')).toBe('https://accounts.example.com/sign-in?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback')
+  })
+
+  it('completes the hosted Clerk callback with typed user mapping', async () => {
+    const runtime = configureRuntime()
+    runtime.sessions.set('callback-token', {
+      sessionId: 'sess_callback',
+      user: {
+        id: 'user_callback',
+        email: 'callback@app.test',
+        emailVerified: true,
+        firstName: 'Callback',
+        lastName: 'User',
+        imageUrl: 'https://cdn.test/callback.png',
+      },
+    })
+
+    const result = await completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback', {
+      headers: {
+        cookie: '__session=callback-token',
+      },
+    }), {
+      user: clerkUser => ({
+        email: clerkUser.email,
+        name: clerkUser.name,
+        avatar: clerkUser.imageUrl,
+        clerkUserId: clerkUser.id,
+      }),
+    })
+
+    expect(result).toMatchObject({
+      ok: true,
+      provider: 'app',
+      guard: 'web',
+      authProvider: 'users',
+      status: 'created',
+      user: {
+        email: 'callback@app.test',
+        name: 'Callback User',
+        avatar: 'https://cdn.test/callback.png',
+        clerkUserId: 'user_callback',
+      },
+      identity: {
+        provider: 'app',
+        providerUserId: 'user_callback',
+        email: 'callback@app.test',
+      },
+      session: {
+        sessionId: 'sess_callback',
+        accessToken: 'callback-token',
+      },
+    })
+    expect(runtime.usersProvider.users.get(1)).toMatchObject({
+      email: 'callback@app.test',
+      name: 'Callback User',
+      avatar: 'https://cdn.test/callback.png',
+      clerkUserId: 'user_callback',
+    })
+  })
+
+  it('redirects Clerk SDK callback handshakes through the auth runtime', async () => {
+    const redirectResponses: { url: string, status?: 301 | 302 | 303 | 307 | 308 }[] = []
+    configureRuntime({
+      configureClerkRuntime: false,
+      publishableKey: 'pk_test_mocked',
+      redirectResponses,
+    })
+    configureClerkAuthRuntime({
+      identityStore: new InMemoryIdentityStore(),
+    })
+
+    const authenticateRequest = vi.fn().mockResolvedValueOnce({
+      status: 'handshake',
+      headers: new Headers({
+        location: 'https://steady-newt-5.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback',
+      }),
+    })
+    const createClerkClient = vi.fn(() => ({
+      authenticateRequest,
+    }))
+    vi.doMock('@clerk/backend', () => ({
+      createClerkClient,
+    }))
+
+    await expect(
+      completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback')),
+    ).rejects.toThrow('Holo auth response was already handled.')
+
+    expect(authenticateRequest).toHaveBeenCalledTimes(1)
+    expect(redirectResponses).toEqual([
+      {
+        url: 'https://steady-newt-5.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fapp.test%2Fapi%2Fauth%2Fclerk%2Fcallback',
+        status: 307,
+      },
+    ])
+  })
+
+  it('creates the local user after Clerk SDK resolves the callback handshake', async () => {
+    const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+    const token = createSignedJwt({
+      sub: 'user_sdk_callback',
+      sid: 'sess_sdk_callback',
+      exp: Math.floor(Date.now() / 1000) + 300,
+      azp: 'https://app.test',
+    }, privateKey)
+    const responseCookies: string[] = []
+    const runtime = configureRuntime({
+      configureClerkRuntime: false,
+      publishableKey: 'pk_test_mocked',
+      responseCookies,
+    })
+    configureClerkAuthRuntime({
+      identityStore: runtime.identityStore,
+    })
+
+    const authenticateRequest = vi.fn()
+    authenticateRequest.mockImplementationOnce(async () => {
+      const headers = new Headers()
+      headers.append('Set-Cookie', '__session=sdk-callback-token; Path=/; SameSite=Lax')
+
+      return {
+        status: 'signed-in',
+        token,
+        headers,
+      }
+    })
+    const createClerkClient = vi.fn(() => ({
+      authenticateRequest,
+    }))
+    vi.doMock('@clerk/backend', () => ({
+      createClerkClient,
+    }))
+    vi.stubGlobal('fetch', async (url: string | URL | Request, init?: RequestInit) => {
+      const requestUrl = String(url)
+      if (requestUrl === 'https://accounts.app.test/.well-known/jwks.json') {
+        return createJwksResponse(publicKey)
+      }
+
+      expect(requestUrl).toBe('https://api.clerk.com/v1/users/user_sdk_callback')
+      expect(init?.headers).toMatchObject({
+        authorization: 'Bearer sk_test',
+      })
+
+      return new Response(JSON.stringify({
+        id: 'user_sdk_callback',
+        first_name: 'SDK',
+        last_name: 'Callback',
+        primary_email_address_id: 'email_sdk_callback',
+        email_addresses: [
+          {
+            id: 'email_sdk_callback',
+            email_address: 'sdk-callback@app.test',
+            verification: {
+              status: 'verified',
+            },
+          },
+        ],
+      }), {
+        status: 200,
+        headers: {
+          'content-type': 'application/json',
+        },
+      })
+    })
+
+    const result = await completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback?__clerk_handshake_nonce=nonce'))
+
+    expect(createClerkClient).toHaveBeenCalledWith({
+      apiUrl: undefined,
+      publishableKey: 'pk_test_mocked',
+      secretKey: 'sk_test',
+    })
+    expect(authenticateRequest).toHaveBeenCalledTimes(1)
+    expect(authenticateRequest).toHaveBeenCalledWith(expect.any(Request), {
+      apiUrl: undefined,
+      authorizedParties: ['https://app.test'],
+      publishableKey: 'pk_test_mocked',
+      secretKey: 'sk_test',
+    })
+    const authenticatedRequest = authenticateRequest.mock.calls[0]?.[0]
+    expect(authenticatedRequest).toBeInstanceOf(Request)
+    if (!(authenticatedRequest instanceof Request)) {
+      throw new Error('Expected Clerk SDK to receive a Request after handshake resolution.')
+    }
+    expect(authenticatedRequest.url).toBe('https://app.test/api/auth/clerk/callback?__clerk_handshake_nonce=nonce')
+    expect(result).toMatchObject({
+      ok: true,
+      status: 'created',
+      user: {
+        email: 'sdk-callback@app.test',
+        name: 'SDK Callback',
+      },
+      identity: {
+        providerUserId: 'user_sdk_callback',
+        email: 'sdk-callback@app.test',
+      },
+      session: {
+        sessionId: 'sess_sdk_callback',
+        accessToken: token,
+      },
+    })
+    expect(runtime.usersProvider.users.get(1)).toMatchObject({
+      email: 'sdk-callback@app.test',
+      name: 'SDK Callback',
+    })
+    expect(responseCookies).toContain('__session=sdk-callback-token; Path=/; SameSite=Lax')
+    expect(responseCookies).toContainEqual(expect.stringContaining('holo_session='))
+  })
+
+  it('logs out locally, revokes the Clerk session, and returns a redirect URL', async () => {
+    vi.stubGlobal('fetch', async (url: string | URL | Request, init?: RequestInit) => {
+      expect(String(url)).toBe('https://api.clerk.com/v1/sessions/sess_logout_callback/revoke')
+      expect(init?.method).toBe('POST')
+      expect(init?.headers).toMatchObject({
+        authorization: 'Bearer sk_test',
+      })
+
+      return new Response(JSON.stringify({ id: 'sess_logout_callback', status: 'revoked' }), {
+        status: 200,
+        headers: {
+          'content-type': 'application/json',
+        },
+      })
+    })
+
+    const runtime = configureRuntime()
+    runtime.sessions.set('logout-callback-token', {
+      sessionId: 'sess_logout_callback',
+      user: {
+        id: 'user_logout_callback',
+        email: 'logout-callback@app.test',
+        emailVerified: true,
+      },
+    })
+
+    const callback = await completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback', {
+      headers: {
+        cookie: '__session=logout-callback-token',
+      },
+    }))
+    expect(callback.ok).toBe(true)
+    if (!callback.ok || !callback.authSession) {
+      throw new Error('Expected Clerk callback to establish an auth session.')
+    }
+    const sessionCookie = callback.authSession.cookies[0]?.split(';', 1)[0]
+
+    authRuntimeInternals.getRuntimeBindings().context.setSessionId('web')
+    authRuntimeInternals.getRuntimeBindings().context.setCachedUser('web', null)
+
+    const result = await logoutWithClerk(new Request('https://app.test/api/auth/clerk/logout', {
+      method: 'POST',
+      headers: sessionCookie ? { cookie: sessionCookie } : undefined,
+    }), {
+      returnTo: '/login',
+    })
+
+    expect(result).toMatchObject({
+      ok: true,
+      url: 'https://app.test/login',
+      local: {
+        guard: 'web',
+      },
+    })
+    expect(result.ok ? result.local.cookies : []).toContainEqual(expect.stringContaining('holo_session=;'))
+  })
+
+  it('normalizes Clerk logout return URLs to relative or same-origin destinations', async () => {
+    vi.stubGlobal('fetch', async () => new Response(JSON.stringify({ id: 'sess_logout_callback', status: 'revoked' }), {
+      status: 200,
+      headers: {
+        'content-type': 'application/json',
+      },
+    }))
+
+    const runtime = configureRuntime()
+
+    async function completeAndLogout(returnTo: string) {
+      runtime.sessions.set('logout-callback-token', {
+        sessionId: 'sess_logout_callback',
+        user: {
+          id: 'user_logout_callback',
+          email: 'logout-callback@app.test',
+          emailVerified: true,
+        },
+      })
+
+      const callback = await completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback', {
+        headers: {
+          cookie: '__session=logout-callback-token',
+        },
+      }))
+      expect(callback.ok).toBe(true)
+      if (!callback.ok || !callback.authSession) {
+        throw new Error('Expected Clerk callback to establish an auth session.')
+      }
+      const sessionCookie = callback.authSession.cookies[0]?.split(';', 1)[0]
+
+      authRuntimeInternals.getRuntimeBindings().context.setSessionId('web')
+      authRuntimeInternals.getRuntimeBindings().context.setCachedUser('web', null)
+
+      return logoutWithClerk(new Request('https://app.test/api/auth/clerk/logout', {
+        method: 'POST',
+        headers: sessionCookie ? { cookie: sessionCookie } : undefined,
+      }), {
+        returnTo,
+      })
+    }
+
+    await expect(completeAndLogout('/login')).resolves.toMatchObject({
+      ok: true,
+      url: 'https://app.test/login',
+    })
+    await expect(completeAndLogout('https://app.test/settings')).resolves.toMatchObject({
+      ok: true,
+      url: 'https://app.test/settings',
+    })
+    await expect(completeAndLogout('https://evil.test/phish')).resolves.toMatchObject({
+      ok: true,
+      url: 'https://app.test/',
+    })
+    await expect(completeAndLogout('//evil.test/phish')).resolves.toMatchObject({
+      ok: true,
+      url: 'https://app.test/',
+    })
+  })
+
+  it('returns typed callback failures without combining response behavior', async () => {
+    configureRuntime()
+
+    await expect(completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback'))).resolves.toEqual({
+      ok: false,
+      code: 'clerk_session_required',
+      message: 'Clerk callback did not include an active session.',
+    })
+
+    await expect(completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback?error=access_denied&error_description=Denied'))).resolves.toEqual({
+      ok: false,
+      code: 'access_denied',
+      message: 'Denied',
+    })
+  })
+
   it('reuses an existing Holo session when the request already carries the session cookie', async () => {
     const runtime = configureRuntime()
     runtime.sessions.set('repeat-token', {
@@ -1200,6 +1673,7 @@ describe('@holo-js/auth-clerk', () => {
         email: 'sync@app.test',
         emailVerified: true,
         name: 'First Name',
+        imageUrl: 'https://cdn.test/first.png',
       },
     })
 
@@ -1232,6 +1706,7 @@ describe('@holo-js/auth-clerk', () => {
         id: 1,
         name: 'Updated Name',
         avatar: 'https://cdn.test/updated.png',
+        avatarUrl: 'https://cdn.test/updated.png',
       },
     })
 
@@ -1321,7 +1796,6 @@ describe('@holo-js/auth-clerk', () => {
           app: {
             publishableKey: 'pk_test',
             secretKey: 'sk_test',
-            jwtKey: 'jwt-key',
             sessionCookie: '__session',
           },
         },
diff --git a/packages/auth-clerk/tests/package.type.test.ts b/packages/auth-clerk/tests/package.type.test.ts
new file mode 100644
index 0000000..536d12e
--- /dev/null
+++ b/packages/auth-clerk/tests/package.type.test.ts
@@ -0,0 +1,41 @@
+import { describe, expectTypeOf, it } from 'vitest'
+import { completeClerkAuth } from '../src'
+import type { ClerkAuthFacade, ClerkCompleteAuthResult } from '../src'
+
+describe('@holo-js/auth-clerk typing', () => {
+  it('accepts hosted route request-like inputs and preserves mapped callback users', () => {
+    type NuxtEventLike = {
+      readonly node: {
+        readonly req: {
+          readonly method: 'GET'
+          readonly url: '/api/auth/clerk/login'
+          readonly headers: {
+            readonly host: 'app.test'
+          }
+        }
+      }
+    }
+    type MappedUser = Readonly<{
+      email: string
+      name: string
+      avatar: string | null
+      clerkUserId: string
+    }>
+
+    expectTypeOf<NuxtEventLike>().toMatchTypeOf<Parameters<ClerkAuthFacade['loginWithClerk']>[0]>()
+    expectTypeOf<NuxtEventLike>().toMatchTypeOf<Parameters<ClerkAuthFacade['registerWithClerk']>[0]>()
+    expectTypeOf<NuxtEventLike>().toMatchTypeOf<Parameters<ClerkAuthFacade['logoutWithClerk']>[0]>()
+    expectTypeOf<NuxtEventLike>().toMatchTypeOf<Parameters<ClerkAuthFacade['completeClerkAuth']>[0]>()
+
+    const result = completeClerkAuth(new Request('https://app.test/api/auth/clerk/callback'), {
+      user: (clerkUser): MappedUser => ({
+        email: clerkUser.email,
+        name: clerkUser.name,
+        avatar: clerkUser.imageUrl ?? null,
+        clerkUserId: clerkUser.id,
+      }),
+    })
+
+    expectTypeOf(result).toEqualTypeOf<Promise<ClerkCompleteAuthResult<MappedUser>>>()
+  })
+})
diff --git a/packages/auth-social-apple/package.json b/packages/auth-social-apple/package.json
index 125afe2..508a535 100644
--- a/packages/auth-social-apple/package.json
+++ b/packages/auth-social-apple/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social-discord/package.json b/packages/auth-social-discord/package.json
index 4326dd1..62198eb 100644
--- a/packages/auth-social-discord/package.json
+++ b/packages/auth-social-discord/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social-facebook/package.json b/packages/auth-social-facebook/package.json
index 92b85ff..e3f20e5 100644
--- a/packages/auth-social-facebook/package.json
+++ b/packages/auth-social-facebook/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social-github/package.json b/packages/auth-social-github/package.json
index 251a189..176234e 100644
--- a/packages/auth-social-github/package.json
+++ b/packages/auth-social-github/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social-google/package.json b/packages/auth-social-google/package.json
index 1f4c5fd..dc37311 100644
--- a/packages/auth-social-google/package.json
+++ b/packages/auth-social-google/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social-linkedin/package.json b/packages/auth-social-linkedin/package.json
index c039d4f..8b6fe50 100644
--- a/packages/auth-social-linkedin/package.json
+++ b/packages/auth-social-linkedin/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth-social": "workspace:*",
-    "@holo-js/config": "workspace:*"
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-social/package.json b/packages/auth-social/package.json
index 3e1c5fb..dc57cf2 100644
--- a/packages/auth-social/package.json
+++ b/packages/auth-social/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth": "^0.1.4",
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/auth": "catalog:",
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth-workos/package.json b/packages/auth-workos/package.json
index abaa97f..0401ab5 100644
--- a/packages/auth-workos/package.json
+++ b/packages/auth-workos/package.json
@@ -23,14 +23,14 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth": "workspace:*",
-    "@holo-js/config": "workspace:*",
-    "@holo-js/session": "workspace:*"
+    "@holo-js/auth": "catalog:",
+    "@holo-js/config": "catalog:",
+    "@holo-js/session": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/auth/package.json b/packages/auth/package.json
index 54db114..15237d9 100644
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@@ -58,12 +58,12 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/security": "^0.1.4",
+    "@holo-js/security": "catalog:",
     "nuxt": "catalog:",
-    "react": "^18.3.1 || ^19.0.0",
+    "react": "catalog:",
     "svelte": "catalog:"
   },
   "peerDependenciesMeta": {
diff --git a/packages/auth/src/contracts.ts b/packages/auth/src/contracts.ts
index 402eb69..1ac7be7 100644
--- a/packages/auth/src/contracts.ts
+++ b/packages/auth/src/contracts.ts
@@ -482,6 +482,7 @@ export interface AuthRuntimeContext {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
   appendResponseCookie?(cookie: string): void | Promise<void>
+  redirectResponse?(url: string, status?: 301 | 302 | 303 | 307 | 308): void | Promise<void>
   getAccessToken?(guardName: string): string | undefined
   setAccessToken?(guardName: string, token?: string): void
   getRememberToken?(guardName: string): string | undefined
diff --git a/packages/auth/src/runtime.ts b/packages/auth/src/runtime.ts
index db46889..9bd6c9b 100644
--- a/packages/auth/src/runtime.ts
+++ b/packages/auth/src/runtime.ts
@@ -71,7 +71,9 @@ import {
 } from './runtime/optionalSecurity'
 import {
   appendResponseCookies,
+  isAuthResponseInterrupt,
   parseBearerToken,
+  redirectResponse,
   resolveRequestCookie,
   resolveRequestHeader,
 } from './runtime/requestAccess'
@@ -2465,9 +2467,11 @@ export const authRuntimeInternals = {
   getProviderIdentifiers,
   getRuntimeBindings: getExposedRuntimeBindings,
   hashTokenSecret,
+  isResponseInterrupt: isAuthResponseInterrupt,
   parsePlainTextToken,
   parseSetCookieDefinition,
   readSessionPayload,
+  redirectResponse,
   serializeCookie,
   toLookupCredentials,
   toPlainTextTokenResult,
diff --git a/packages/auth/src/runtime/requestAccess.ts b/packages/auth/src/runtime/requestAccess.ts
index 5860a72..cf532a9 100644
--- a/packages/auth/src/runtime/requestAccess.ts
+++ b/packages/auth/src/runtime/requestAccess.ts
@@ -3,9 +3,52 @@ type RequestAccessBindings = {
     getRequestCookie?(name: string): Promise<string | undefined> | string | undefined
     getRequestHeader?(name: string): Promise<string | undefined> | string | undefined
     appendResponseCookie?(cookie: string): Promise<void> | void
+    redirectResponse?(url: string, status?: 301 | 302 | 303 | 307 | 308): Promise<void> | void
   }
 }
 
+const AUTH_RESPONSE_INTERRUPT = Symbol.for('holo-js.auth.response-interrupt')
+
+type AuthResponseInterruptShape = {
+  readonly [AUTH_RESPONSE_INTERRUPT]?: true
+}
+
+type FrameworkRedirectShape = {
+  readonly digest?: unknown
+  readonly status?: unknown
+  readonly location?: unknown
+}
+
+export class AuthResponseInterrupt extends Error {
+  readonly [AUTH_RESPONSE_INTERRUPT] = true
+
+  constructor() {
+    super('Holo auth response was already handled.')
+    this.name = 'AuthResponseInterrupt'
+  }
+}
+
+export function isAuthResponseInterrupt(error: unknown): boolean {
+  if (!error || typeof error !== 'object') {
+    return false
+  }
+
+  const interrupt = error as AuthResponseInterruptShape
+  if (interrupt[AUTH_RESPONSE_INTERRUPT] === true) {
+    return true
+  }
+
+  const frameworkRedirect = error as FrameworkRedirectShape
+  if (typeof frameworkRedirect.digest === 'string' && frameworkRedirect.digest.startsWith('NEXT_REDIRECT')) {
+    return true
+  }
+
+  return typeof frameworkRedirect.status === 'number'
+    && frameworkRedirect.status >= 300
+    && frameworkRedirect.status < 400
+    && typeof frameworkRedirect.location === 'string'
+}
+
 export async function resolveRequestCookie(
   bindings: RequestAccessBindings,
   name: string,
@@ -34,6 +77,19 @@ export async function appendResponseCookies(
   }
 }
 
+export async function redirectResponse(
+  bindings: RequestAccessBindings,
+  url: string,
+  status: 301 | 302 | 303 | 307 | 308 = 307,
+): Promise<never> {
+  if (!bindings.context.redirectResponse) {
+    throw new Error('Holo auth runtime cannot redirect the current framework response.')
+  }
+
+  await bindings.context.redirectResponse(url, status)
+  throw new AuthResponseInterrupt()
+}
+
 export function parseBearerToken(header: string | undefined): string | undefined {
   if (typeof header !== 'string') {
     return undefined
diff --git a/packages/auth/src/runtime/responseCookies.ts b/packages/auth/src/runtime/responseCookies.ts
index b3c885b..6f8f852 100644
--- a/packages/auth/src/runtime/responseCookies.ts
+++ b/packages/auth/src/runtime/responseCookies.ts
@@ -14,7 +14,7 @@ type AuthCookieBindings = {
   readonly config: {
     readonly defaults: { readonly guard: string }
     readonly workos: Readonly<Record<string, HostedProviderConfig | string | undefined>>
-    readonly clerk: Readonly<Record<string, HostedProviderConfig>>
+    readonly clerk: Readonly<Record<string, HostedProviderConfig | string | undefined>>
   }
   readonly session: {
     cookie?(name: string, value: string, options: CookieSerializationOptions): string
@@ -51,7 +51,7 @@ function getHostedSessionCookieNamesForGuard(
       names.add(provider.sessionCookie)
     }
   }
-  for (const provider of Object.values(config.clerk)) {
+  for (const provider of Object.values(config.clerk).filter(isHostedProviderConfig)) {
     if ((provider.guard ?? config.defaults.guard) === guardName) {
       names.add(provider.sessionCookie)
     }
diff --git a/packages/auth/tests/package.test.ts b/packages/auth/tests/package.test.ts
index 04e9ee8..da680e3 100644
--- a/packages/auth/tests/package.test.ts
+++ b/packages/auth/tests/package.test.ts
@@ -654,7 +654,7 @@ describe('@holo-js/auth package runtime', () => {
       readonly peerDependenciesMeta?: Record<string, { readonly optional?: boolean }>
     }
 
-    expect(packageJson.peerDependencies?.['@holo-js/security']).toBe('^0.1.4')
+    expect(packageJson.peerDependencies?.['@holo-js/security']).toBe('catalog:')
     expect(packageJson.peerDependenciesMeta?.['@holo-js/security']?.optional).toBe(true)
     expect(packageJson.peerDependencies?.react).toBeDefined()
     expect(packageJson.peerDependencies?.svelte).toBeDefined()
diff --git a/packages/authorization/package.json b/packages/authorization/package.json
index 51d698d..d99d946 100644
--- a/packages/authorization/package.json
+++ b/packages/authorization/package.json
@@ -34,9 +34,9 @@
     "test": "vitest --run"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/broadcast/package.json b/packages/broadcast/package.json
index 7ece2e0..9737b84 100644
--- a/packages/broadcast/package.json
+++ b/packages/broadcast/package.json
@@ -38,9 +38,9 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/validation": "^0.1.4",
-    "ws": "^8.18.3"
+    "@holo-js/config": "catalog:",
+    "@holo-js/validation": "catalog:",
+    "ws": "catalog:"
   },
   "peerDependencies": {
     "ioredis": "catalog:"
@@ -51,11 +51,11 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "@types/ws": "^8.18.1",
+    "@types/node": "catalog:",
+    "@types/ws": "catalog:",
     "ioredis": "catalog:",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/cache-db/package.json b/packages/cache-db/package.json
index a86141c..d869c3a 100644
--- a/packages/cache-db/package.json
+++ b/packages/cache-db/package.json
@@ -23,15 +23,15 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/cache": "^0.1.4",
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/cache": "catalog:",
+    "@holo-js/db": "catalog:"
   },
   "dependencies": {
-    "tslib": "^2.8.1"
+    "tslib": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/cache": "workspace:*",
-    "@holo-js/db": "workspace:*",
+    "@holo-js/cache": "catalog:",
+    "@holo-js/db": "catalog:",
     "@types/node": "catalog:",
     "tsup": "catalog:",
     "typescript": "catalog:",
diff --git a/packages/cache-redis/package.json b/packages/cache-redis/package.json
index bf62b1e..ff6e613 100644
--- a/packages/cache-redis/package.json
+++ b/packages/cache-redis/package.json
@@ -23,17 +23,17 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/cache": "^0.1.4"
+    "@holo-js/cache": "catalog:"
   },
   "dependencies": {
     "ioredis": "catalog:",
-    "tslib": "^2.8.1"
+    "tslib": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/cache": "workspace:*",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/cache": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/cache/package.json b/packages/cache/package.json
index 711bc7f..8174d42 100644
--- a/packages/cache/package.json
+++ b/packages/cache/package.json
@@ -28,12 +28,12 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 46895ff..6177136 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -27,19 +27,19 @@
     "test:integration": "HOLO_CLI_INCLUDE_INTEGRATION=1 vitest --run tests/cli.test.ts"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/core": "^0.1.4",
-    "@holo-js/db": "^0.1.4",
-    "esbuild": "^0.27.4",
+    "@holo-js/config": "catalog:",
+    "@holo-js/core": "catalog:",
+    "@holo-js/db": "catalog:",
+    "esbuild": "catalog:",
     "inflection": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/events": "^0.1.4",
-    "@holo-js/queue": "^0.1.4",
-    "@holo-js/queue-db": "^0.1.4",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/events": "catalog:",
+    "@holo-js/queue": "catalog:",
+    "@holo-js/queue-db": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   },
   "engines": {
diff --git a/packages/cli/src/generated/workspaceCatalog.ts b/packages/cli/src/generated/workspaceCatalog.ts
index 31b50b6..929a654 100644
--- a/packages/cli/src/generated/workspaceCatalog.ts
+++ b/packages/cli/src/generated/workspaceCatalog.ts
@@ -1,43 +1,96 @@
 // Generated by scripts/generate-cli-workspace-catalog.mjs. Do not edit by hand.
 
 export const WORKSPACE_CATALOG = Object.freeze({
-  "better-sqlite3": "^11.7.0",
-  "@types/better-sqlite3": "^7.6.12",
-  "nuxt": "^4.4.4",
-  "vue": "^3.5.13",
-  "vue-router": "^5.0.4",
-  "vite": "^8.0.10",
-  "svelte": "^5.55.5",
-  "next": "^16.2.4",
-  "react": "^19.0.0",
-  "react-dom": "^19.0.0",
-  "@types/react": "^19.0.0",
-  "@types/react-dom": "^19.0.0",
-  "@sveltejs/kit": "^2.59.1",
-  "@sveltejs/vite-plugin-svelte": "^7.1.0",
-  "@sveltejs/adapter-node": "^5.5.4",
+  "@clerk/backend": "^3.4.7",
+  "@eslint/js": "^9.17.0",
+  "@holo-js/adapter-next": "^0.1.4",
+  "@holo-js/adapter-nuxt": "^0.1.4",
+  "@holo-js/adapter-sveltekit": "^0.1.4",
+  "@holo-js/auth": "^0.1.4",
+  "@holo-js/auth-clerk": "^0.1.4",
+  "@holo-js/auth-social": "^0.1.4",
+  "@holo-js/auth-social-apple": "^0.1.4",
+  "@holo-js/auth-social-discord": "^0.1.4",
+  "@holo-js/auth-social-facebook": "^0.1.4",
+  "@holo-js/auth-social-github": "^0.1.4",
+  "@holo-js/auth-social-google": "^0.1.4",
+  "@holo-js/auth-social-linkedin": "^0.1.4",
+  "@holo-js/auth-workos": "^0.1.4",
+  "@holo-js/authorization": "^0.1.4",
+  "@holo-js/broadcast": "^0.1.4",
+  "@holo-js/cache": "^0.1.4",
+  "@holo-js/cache-db": "^0.1.4",
+  "@holo-js/cache-redis": "^0.1.4",
+  "@holo-js/cli": "^0.1.4",
+  "@holo-js/config": "^0.1.4",
+  "@holo-js/core": "^0.1.4",
+  "@holo-js/db": "^0.1.4",
+  "@holo-js/db-mysql": "^0.1.4",
+  "@holo-js/db-postgres": "^0.1.4",
+  "@holo-js/db-sqlite": "^0.1.4",
+  "@holo-js/events": "^0.1.4",
+  "@holo-js/flux": "^0.1.4",
+  "@holo-js/flux-react": "^0.1.4",
+  "@holo-js/flux-svelte": "^0.1.4",
+  "@holo-js/flux-vue": "^0.1.4",
+  "@holo-js/forms": "^0.1.4",
+  "@holo-js/mail": "^0.1.4",
+  "@holo-js/media": "^0.1.4",
+  "@holo-js/notifications": "^0.1.4",
+  "@holo-js/queue": "^0.1.4",
+  "@holo-js/queue-db": "^0.1.4",
+  "@holo-js/queue-redis": "^0.1.4",
+  "@holo-js/security": "^0.1.4",
+  "@holo-js/session": "^0.1.4",
+  "@holo-js/storage": "^0.1.4",
+  "@holo-js/storage-s3": "^0.1.4",
+  "@holo-js/validation": "^0.1.4",
   "@nuxt/kit": "^4.4.4",
   "@nuxt/module-builder": "^1.0.2",
-  "@eslint/js": "^9.17.0",
+  "@sveltejs/adapter-node": "^5.5.4",
+  "@sveltejs/kit": "^2.59.1",
+  "@sveltejs/vite-plugin-svelte": "^7.1.0",
+  "@types/better-sqlite3": "^7.6.12",
   "@types/node": "^22.10.2",
+  "@types/pg": "^8.11.0",
+  "@types/react": "^19.0.0",
+  "@types/react-dom": "^19.0.0",
+  "@types/react-test-renderer": "^19.0.0",
+  "@types/ws": "^8.18.1",
+  "@vitest/coverage-istanbul": "^4.1.5",
+  "@vitest/coverage-v8": "^4.1.5",
+  "better-sqlite3": "^11.7.0",
+  "bullmq": "^5.71.0",
+  "create-holo-js": "^0.1.4",
   "esbuild": "^0.27.4",
+  "eslint": "^9.17.0",
+  "fast-check": "^4.5.3",
   "globals": "^15.14.0",
-  "@types/pg": "^8.11.0",
+  "h3": "^1.15.11",
   "inflection": "^3.0.2",
+  "ioredis": "^5.4.2",
   "mysql2": "^3.17.1",
+  "next": "^16.2.4",
+  "nodemailer": "^6.10.1",
+  "nuxt": "^4.4.4",
   "pg": "^8.13.0",
-  "ioredis": "^5.4.2",
+  "react": "^19.0.0",
+  "react-dom": "^19.0.0",
+  "react-test-renderer": "^19.0.0",
+  "sharp": "^0.34.4",
+  "svelte": "^5.55.5",
   "tslib": "^2.8.1",
-  "typescript-eslint": "^8.30.1",
+  "tsup": "^8.3.5",
   "typescript": "^5.7.2",
-  "vue-tsc": "^2.2.0",
+  "typescript-eslint": "^8.30.1",
+  "ulid": "^3.0.1",
+  "uuid": "^12.0.0",
+  "valibot": "^1.1.0",
+  "vite": "^8.0.10",
   "vitepress": "^1.6.3",
   "vitest": "^4.1.5",
-  "@vitest/coverage-istanbul": "^4.1.5",
-  "@vitest/coverage-v8": "^4.1.5",
-  "tsup": "^8.3.5",
-  "eslint": "^9.17.0",
-  "fast-check": "^4.5.3",
-  "ulid": "^3.0.1",
-  "uuid": "^12.0.0"
+  "vue": "^3.5.13",
+  "vue-router": "^5.0.4",
+  "vue-tsc": "^2.2.0",
+  "ws": "^8.18.3"
 } as const)
diff --git a/packages/cli/src/project.ts b/packages/cli/src/project.ts
index fdc4187..e259197 100644
--- a/packages/cli/src/project.ts
+++ b/packages/cli/src/project.ts
@@ -98,6 +98,7 @@ import {
   renderAuthConfig,
   renderAuthMigration,
   renderAuthEnvFiles,
+  renderAuthProviderRouteFiles,
   renderAuthUserModel,
   renderMediaConfig,
   renderMailConfig,
@@ -221,6 +222,7 @@ export const projectInternals = {
   renderAuthConfig,
   renderAuthMigration,
   renderAuthEnvFiles,
+  renderAuthProviderRouteFiles,
   renderAuthUserModel,
   renderScaffoldAppConfig,
   renderScaffoldDatabaseConfig,
diff --git a/packages/cli/src/project/scaffold.ts b/packages/cli/src/project/scaffold.ts
index 918e047..f4c7402 100644
--- a/packages/cli/src/project/scaffold.ts
+++ b/packages/cli/src/project/scaffold.ts
@@ -1,5 +1,5 @@
 import { mkdir, readdir } from 'node:fs/promises'
-import { extname, resolve } from 'node:path'
+import { dirname, extname, resolve } from 'node:path'
 import { loadConfigDirectory } from '@holo-js/config'
 import {
   loadProjectConfig,
@@ -79,6 +79,7 @@ import {
   upsertSecurityPackageDependency,
 } from './scaffold/dependencies'
 import {
+  renderAuthProviderRouteFiles,
   renderFrameworkFiles,
   renderFrameworkRunner,
   renderNextHoloHelper,
@@ -209,6 +210,28 @@ async function writeAuthNotificationFiles(projectRoot: string): Promise<{
   }
 }
 
+async function syncHostedAuthRouteFiles(projectRoot: string, features: AuthInstallFeatures): Promise<void> {
+  if (!features.workos && !features.clerk) {
+    return
+  }
+
+  const { dependencies, devDependencies } = await readPackageJsonDependencyState(projectRoot)
+  const framework = detectProjectFrameworkFromPackageJson(dependencies, devDependencies)
+  if (!framework) {
+    return
+  }
+
+  for (const file of renderAuthProviderRouteFiles(framework, features)) {
+    const targetPath = resolve(projectRoot, file.path)
+    if (await pathExists(targetPath)) {
+      continue
+    }
+
+    await mkdir(dirname(targetPath), { recursive: true })
+    await writeTextFile(targetPath, file.contents)
+  }
+}
+
 export async function installAuthIntoProject(
   projectRoot: string,
   features: AuthInstallFeatures = {},
@@ -260,6 +283,7 @@ export async function installAuthIntoProject(
     }
 
     await syncBroadcastAuthSupportAfterAuthInstall(projectRoot)
+    await syncHostedAuthRouteFiles(projectRoot, nextAuthFeatures)
 
     return {
       updatedPackageJson: await upsertAuthPackageDependencies(projectRoot, nextAuthFeatures),
@@ -329,6 +353,7 @@ export async function installAuthIntoProject(
   }
 
   await syncBroadcastAuthSupportAfterAuthInstall(projectRoot)
+  await syncHostedAuthRouteFiles(projectRoot, features)
 
   return {
     updatedPackageJson: await upsertAuthPackageDependencies(projectRoot, features),
@@ -731,6 +756,7 @@ export {
   renderAuthConfig,
   renderAuthEnvFiles,
   renderAuthMigration,
+  renderAuthProviderRouteFiles,
   renderAuthUserModel,
   renderCacheConfig,
   renderCacheEnvFiles,
diff --git a/packages/cli/src/project/scaffold/config-renderers.ts b/packages/cli/src/project/scaffold/config-renderers.ts
index b0f9bbd..9664ceb 100644
--- a/packages/cli/src/project/scaffold/config-renderers.ts
+++ b/packages/cli/src/project/scaffold/config-renderers.ts
@@ -792,12 +792,13 @@ export function renderAuthConfig(
   if (features.clerk) {
     lines.push(
       '  clerk: {',
+      `    provider: ${envValue('AUTH_CLERK_PROVIDER', 'app')},`,
       '    app: {',
       `      publishableKey: ${envValue('CLERK_PUBLISHABLE_KEY')},`,
       `      secretKey: ${envValue('CLERK_SECRET_KEY')},`,
-      `      jwtKey: ${envValue('CLERK_JWT_KEY')},`,
       `      apiUrl: ${envValue('CLERK_API_URL')},`,
       `      frontendApi: ${envValue('CLERK_FRONTEND_API')},`,
+      `      redirectUri: ${envValue('CLERK_REDIRECT_URI')},`,
       `      sessionCookie: ${envValue('CLERK_SESSION_COOKIE', '__session')},`,
       '    },',
       '  },',
diff --git a/packages/cli/src/project/scaffold/framework-renderers.ts b/packages/cli/src/project/scaffold/framework-renderers.ts
index dcc352b..7d3e888 100644
--- a/packages/cli/src/project/scaffold/framework-renderers.ts
+++ b/packages/cli/src/project/scaffold/framework-renderers.ts
@@ -2,7 +2,41 @@ import {
   normalizeScaffoldOptionalPackages,
   type ProjectScaffoldOptions,
 } from '../shared'
-import type { ScaffoldedFile } from './types'
+import type { AuthInstallFeatures, ScaffoldedFile } from './types'
+
+type HostedAuthProvider = 'clerk' | 'workos'
+
+type HostedAuthProviderSpec = {
+  readonly packageName: string
+  readonly loginFunction: string
+  readonly registerFunction: string
+  readonly callbackFunction: string
+  readonly logoutFunction: string
+}
+
+const HOSTED_AUTH_PROVIDERS = {
+  workos: {
+    packageName: '@holo-js/auth-workos',
+    loginFunction: 'loginWithWorkos',
+    registerFunction: 'registerWithWorkos',
+    callbackFunction: 'completeWorkosAuth',
+    logoutFunction: 'logoutWithWorkos',
+  },
+  clerk: {
+    packageName: '@holo-js/auth-clerk',
+    loginFunction: 'loginWithClerk',
+    registerFunction: 'registerWithClerk',
+    callbackFunction: 'completeClerkAuth',
+    logoutFunction: 'logoutWithClerk',
+  },
+} as const satisfies Record<HostedAuthProvider, HostedAuthProviderSpec>
+
+function getRequestedHostedAuthProviders(features: AuthInstallFeatures): readonly HostedAuthProvider[] {
+  return [
+    ...(features.workos ? ['workos'] as const : []),
+    ...(features.clerk ? ['clerk'] as const : []),
+  ]
+}
 
 function renderNuxtAppVue(projectName: string): string {
   return [
@@ -101,6 +135,76 @@ function renderNuxtCurrentAuthRoute(): string {
   ].join('\n')
 }
 
+function renderNuxtHostedAuthLoginRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.loginFunction} } from '${spec.packageName}'`,
+    '',
+    'export default defineEventHandler(async (event) => {',
+    `  return await ${spec.loginFunction}(event)`,
+    '})',
+    '',
+  ].join('\n')
+}
+
+function renderNuxtHostedAuthRegisterRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.registerFunction} } from '${spec.packageName}'`,
+    '',
+    'export default defineEventHandler(async (event) => {',
+    `  return await ${spec.registerFunction}(event)`,
+    '})',
+    '',
+  ].join('\n')
+}
+
+function renderNuxtHostedAuthCallbackRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.callbackFunction} } from '${spec.packageName}'`,
+    'import { sendRedirect } from \'h3\'',
+    '',
+    'export default defineEventHandler(async (event) => {',
+    `  const result = await ${spec.callbackFunction}(event)`,
+    '  if (!result.ok) {',
+    '    const errCode = result.code ?? \'unknown_error\'',
+    '    return await sendRedirect(event, `/login?error=${encodeURIComponent(errCode)}`, 303)',
+    '  }',
+    '',
+    '  return await sendRedirect(event, \'/\', 303)',
+    '})',
+    '',
+  ].join('\n')
+}
+
+function renderNuxtHostedAuthLogoutRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.logoutFunction} } from '${spec.packageName}'`,
+    'import { createError, sendRedirect } from \'h3\'',
+    '',
+    'export default defineEventHandler(async (event) => {',
+    `  const result = await ${spec.logoutFunction}(event)`,
+    '  if (!result.ok) {',
+    '    throw createError({',
+    '      statusCode: 422,',
+    '      statusMessage: result.message,',
+    '    })',
+    '  }',
+    '',
+    '  return await sendRedirect(event, result.url, 303)',
+    '})',
+    '',
+  ].join('\n')
+}
+
+function renderNuxtHostedAuthRouteFiles(provider: HostedAuthProvider): readonly ScaffoldedFile[] {
+  const spec = HOSTED_AUTH_PROVIDERS[provider]
+  return [
+    { path: `server/api/auth/${provider}/login.get.ts`, contents: renderNuxtHostedAuthLoginRoute(spec) },
+    { path: `server/api/auth/${provider}/register.get.ts`, contents: renderNuxtHostedAuthRegisterRoute(spec) },
+    { path: `server/api/auth/${provider}/callback.get.ts`, contents: renderNuxtHostedAuthCallbackRoute(spec) },
+    { path: `server/api/auth/${provider}/logout.post.ts`, contents: renderNuxtHostedAuthLogoutRoute(spec) },
+  ]
+}
+
 function renderNextConfig(): string {
   return [
     'import type { NextConfig } from \'next\'',
@@ -227,6 +331,70 @@ function renderNextCurrentAuthRoute(): string {
   ].join('\n')
 }
 
+function renderNextHostedAuthLoginRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.loginFunction} } from '${spec.packageName}'`,
+    '',
+    'export async function GET(request: Request) {',
+    `  return await ${spec.loginFunction}(request)`,
+    '}',
+    '',
+  ].join('\n')
+}
+
+function renderNextHostedAuthRegisterRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.registerFunction} } from '${spec.packageName}'`,
+    '',
+    'export async function GET(request: Request) {',
+    `  return await ${spec.registerFunction}(request)`,
+    '}',
+    '',
+  ].join('\n')
+}
+
+function renderNextHostedAuthCallbackRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.callbackFunction} } from '${spec.packageName}'`,
+    '',
+    'export async function GET(request: Request) {',
+    `  const result = await ${spec.callbackFunction}(request)`,
+    '  if (!result.ok) {',
+    '    return Response.redirect(new URL(`/login?error=${encodeURIComponent(result.code)}`, request.url))',
+    '  }',
+    '',
+    '  return Response.redirect(new URL(\'/\', request.url))',
+    '}',
+    '',
+  ].join('\n')
+}
+
+function renderNextHostedAuthLogoutRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.logoutFunction} } from '${spec.packageName}'`,
+    '',
+    'export async function POST(request: Request) {',
+    `  const result = await ${spec.logoutFunction}(request)`,
+    '  if (!result.ok) {',
+    '    return Response.json(result, { status: 422 })',
+    '  }',
+    '',
+    '  return Response.redirect(result.url, 303)',
+    '}',
+    '',
+  ].join('\n')
+}
+
+function renderNextHostedAuthRouteFiles(provider: HostedAuthProvider): readonly ScaffoldedFile[] {
+  const spec = HOSTED_AUTH_PROVIDERS[provider]
+  return [
+    { path: `app/api/auth/${provider}/login/route.ts`, contents: renderNextHostedAuthLoginRoute(spec) },
+    { path: `app/api/auth/${provider}/register/route.ts`, contents: renderNextHostedAuthRegisterRoute(spec) },
+    { path: `app/api/auth/${provider}/callback/route.ts`, contents: renderNextHostedAuthCallbackRoute(spec) },
+    { path: `app/api/auth/${provider}/logout/route.ts`, contents: renderNextHostedAuthLogoutRoute(spec) },
+  ]
+}
+
 function renderNextStorageRoute(): string {
   return [
     'import { holo } from \'@/server/holo\'',
@@ -439,6 +607,91 @@ function renderSvelteCurrentAuthRoute(): string {
   ].join('\n')
 }
 
+function renderSvelteHostedAuthLoginRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.loginFunction} } from '${spec.packageName}'`,
+    'import type { RequestHandler } from \'./$types\'',
+    '',
+    'export const GET = (async (event) => {',
+    `  return await ${spec.loginFunction}(event)`,
+    '}) satisfies RequestHandler',
+    '',
+  ].join('\n')
+}
+
+function renderSvelteHostedAuthRegisterRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    `import { ${spec.registerFunction} } from '${spec.packageName}'`,
+    'import type { RequestHandler } from \'./$types\'',
+    '',
+    'export const GET = (async (event) => {',
+    `  return await ${spec.registerFunction}(event)`,
+    '}) satisfies RequestHandler',
+    '',
+  ].join('\n')
+}
+
+function renderSvelteHostedAuthCallbackRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    'import { redirect, type RequestHandler } from \'@sveltejs/kit\'',
+    `import { ${spec.callbackFunction} } from '${spec.packageName}'`,
+    '',
+    'export const GET = (async (event) => {',
+    `  const result = await ${spec.callbackFunction}(event)`,
+    '  if (!result.ok) {',
+    '    throw redirect(303, `/login?error=${encodeURIComponent(result.code)}`)',
+    '  }',
+    '',
+    '  throw redirect(303, \'/\')',
+    '}) satisfies RequestHandler',
+    '',
+  ].join('\n')
+}
+
+function renderSvelteHostedAuthLogoutRoute(spec: HostedAuthProviderSpec): string {
+  return [
+    'import { redirect, type RequestHandler } from \'@sveltejs/kit\'',
+    `import { ${spec.logoutFunction} } from '${spec.packageName}'`,
+    '',
+    'export const POST = (async (event) => {',
+    `  const result = await ${spec.logoutFunction}(event)`,
+    '  if (!result.ok) {',
+    '    return Response.json(result, { status: 422 })',
+    '  }',
+    '',
+    '  throw redirect(303, result.url)',
+    '}) satisfies RequestHandler',
+    '',
+  ].join('\n')
+}
+
+function renderSvelteHostedAuthRouteFiles(provider: HostedAuthProvider): readonly ScaffoldedFile[] {
+  const spec = HOSTED_AUTH_PROVIDERS[provider]
+  return [
+    { path: `src/routes/api/auth/${provider}/login/+server.ts`, contents: renderSvelteHostedAuthLoginRoute(spec) },
+    { path: `src/routes/api/auth/${provider}/register/+server.ts`, contents: renderSvelteHostedAuthRegisterRoute(spec) },
+    { path: `src/routes/api/auth/${provider}/callback/+server.ts`, contents: renderSvelteHostedAuthCallbackRoute(spec) },
+    { path: `src/routes/api/auth/${provider}/logout/+server.ts`, contents: renderSvelteHostedAuthLogoutRoute(spec) },
+  ]
+}
+
+export function renderAuthProviderRouteFiles(
+  framework: ProjectScaffoldOptions['framework'],
+  features: AuthInstallFeatures,
+): readonly ScaffoldedFile[] {
+  return getRequestedHostedAuthProviders(features).flatMap((provider) => {
+    if (framework === 'nuxt') {
+      return renderNuxtHostedAuthRouteFiles(provider)
+    }
+
+    if (framework === 'next') {
+      return renderNextHostedAuthRouteFiles(provider)
+    }
+
+    return renderSvelteHostedAuthRouteFiles(provider)
+  })
+}
+
 function renderSvelteStorageRoute(): string {
   return [
     'import { holo } from \'$lib/server/holo\'',
diff --git a/packages/cli/src/project/scaffold/framework.ts b/packages/cli/src/project/scaffold/framework.ts
index 55ad465..64082e5 100644
--- a/packages/cli/src/project/scaffold/framework.ts
+++ b/packages/cli/src/project/scaffold/framework.ts
@@ -73,6 +73,7 @@ export {
   renderNextHoloHelper,
   renderSvelteHoloHelper,
 } from './framework-renderers'
+export { renderAuthProviderRouteFiles } from './framework-renderers'
 
 export function resolvePackageManagerVersion(value: SupportedScaffoldPackageManager): string {
   return SCAFFOLD_PACKAGE_MANAGER_VERSIONS[value]
diff --git a/packages/cli/src/project/scaffold/project-renderers.ts b/packages/cli/src/project/scaffold/project-renderers.ts
index 37ddeca..f987b0d 100644
--- a/packages/cli/src/project/scaffold/project-renderers.ts
+++ b/packages/cli/src/project/scaffold/project-renderers.ts
@@ -64,9 +64,9 @@ export function renderAuthEnvFiles(
     env.push(
       'CLERK_PUBLISHABLE_KEY=',
       'CLERK_SECRET_KEY=',
-      'CLERK_JWT_KEY=',
       'CLERK_API_URL=',
       'CLERK_FRONTEND_API=',
+      'CLERK_REDIRECT_URI=',
       'CLERK_SESSION_COOKIE=__session',
     )
   }
diff --git a/packages/cli/tests/cli.test.ts b/packages/cli/tests/cli.test.ts
index 621f042..ac2f6c0 100644
--- a/packages/cli/tests/cli.test.ts
+++ b/packages/cli/tests/cli.test.ts
@@ -977,6 +977,11 @@ export default {
     await expect(stat(join(authRoot, 'app/api/logout/route.ts'))).rejects.toThrow()
     await expect(stat(join(authRoot, 'proxy.ts'))).rejects.toThrow()
     await expect(stat(join(authRoot, 'server/notifications/auth/email-verification.ts'))).rejects.toThrow()
+    await expect(projectInternals.installAuthIntoProject(authRoot, { workos: true, clerk: true })).resolves.toMatchObject({
+      updatedPackageJson: true,
+    })
+    expect(await readFile(join(authRoot, 'app/api/auth/workos/callback/route.ts'), 'utf8')).toContain('completeWorkosAuth')
+    expect(await readFile(join(authRoot, 'app/api/auth/clerk/callback/route.ts'), 'utf8')).toContain('completeClerkAuth')
     expect((await readdir(join(authRoot, 'server/db/migrations'))).filter(entry => entry.endsWith('.ts'))).toHaveLength(6)
 
     const authNotificationsRoot = join(baseRoot, 'auth-notifications-runtime-app')
@@ -1269,6 +1274,19 @@ export default {
     expect(projectInternals.renderAuthMigration('create_auth_identities')).toContain('table.string(\'user_id\')')
     expect(projectInternals.renderAuthConfig({ workos: true })).toContain('WORKOS_CLIENT_ID')
     expect(projectInternals.renderAuthConfig({ clerk: true })).toContain('CLERK_PUBLISHABLE_KEY')
+    expect(projectInternals.renderAuthEnvFiles({ clerk: true }).env).toContain('CLERK_REDIRECT_URI=')
+    const hostedAuthRoutes = [
+      ...projectInternals.renderAuthProviderRouteFiles('next', { clerk: true }),
+      ...projectInternals.renderAuthProviderRouteFiles('nuxt', { clerk: true }),
+      ...projectInternals.renderAuthProviderRouteFiles('sveltekit', { clerk: true }),
+    ].filter(file => file.path.includes('/callback'))
+    expect(hostedAuthRoutes).toHaveLength(3)
+    for (const route of hostedAuthRoutes) {
+      expect(route.contents).not.toContain('/admin')
+    }
+    expect(hostedAuthRoutes.find(route => route.path.startsWith('app/'))?.contents).toContain('new URL(\'/\', request.url)')
+    expect(hostedAuthRoutes.find(route => route.path.startsWith('server/'))?.contents).toContain('sendRedirect(event, \'/\', 303)')
+    expect(hostedAuthRoutes.find(route => route.path.startsWith('src/'))?.contents).toContain('redirect(303, \'/\')')
     expect(projectInternals.authFeaturesRequireConfigUpdate({ socialProviders: ['google'] })).toBe(true)
     expect(projectInternals.detectAuthInstallFeaturesFromConfig(projectInternals.renderAuthConfig({
       workos: true,
@@ -2108,6 +2126,9 @@ export default defineSessionConfig({
     expect(rerunEnv).toContain('AUTH_GOOGLE_CLIENT_ID=')
     expect(rerunEnv).toContain('WORKOS_CLIENT_ID=')
     expect(rerunEnv).toContain('CLERK_PUBLISHABLE_KEY=')
+    expect(rerunEnv).toContain('CLERK_REDIRECT_URI=')
+    const rerunEnvExample = await readFile(join(projectRoot, '.env.example'), 'utf8')
+    expect(rerunEnvExample).toContain('CLERK_REDIRECT_URI=')
 
     const packageJson = JSON.parse(await readFile(join(projectRoot, 'package.json'), 'utf8')) as {
       dependencies?: Record<string, string>
@@ -2121,7 +2142,7 @@ export default defineSessionConfig({
     tempDirs.push(collisionRoot)
     await writeProjectFile(collisionRoot, 'server/models/User.ts', 'export default null\n')
     await expect(projectInternals.installAuthIntoProject(collisionRoot)).rejects.toThrow('Auth support is partially installed.')
-  })
+  }, 30000)
 
   it('treats an existing session config as part of partial auth collisions once auth artifacts already exist', async () => {
     const projectRoot = await createTempProject()
diff --git a/packages/config/package.json b/packages/config/package.json
index 13e099a..b8817c0 100644
--- a/packages/config/package.json
+++ b/packages/config/package.json
@@ -22,11 +22,11 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/db": "catalog:"
   },
   "devDependencies": {
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/config/src/defaults.ts b/packages/config/src/defaults.ts
index c9dde81..cda6f19 100644
--- a/packages/config/src/defaults.ts
+++ b/packages/config/src/defaults.ts
@@ -8,6 +8,7 @@ import type {
   AuthPasswordBrokerConfig,
   AuthProviderConfig,
   AuthSocialProviderConfig,
+  HoloAuthClerkConfig,
   HoloAuthWorkosConfig,
   AuthWorkosProviderConfig,
   BaseBroadcastConnectionConfig,
@@ -35,6 +36,7 @@ import type {
   NormalizedAuthPasswordBrokerConfig,
   NormalizedAuthProviderConfig,
   NormalizedAuthSocialProviderConfig,
+  NormalizedHoloAuthClerkConfig,
   NormalizedHoloAuthWorkosConfig,
   NormalizedAuthWorkosProviderConfig,
   NormalizedBroadcastConnectionOptionsConfig,
@@ -1552,14 +1554,22 @@ function normalizeClerkProvider(
   if (mapToProvider && !(mapToProvider in providers)) {
     throw new Error(`[Holo Auth] Clerk provider "${name}" references unknown provider "${mapToProvider}".`)
   }
+  const redirectUri = config.redirectUri?.trim()
+  if (redirectUri) {
+    try {
+      new URL(redirectUri)
+    } catch {
+      throw new Error(`Invalid redirectUri in Clerk provider "${name}": ${redirectUri}`)
+    }
+  }
 
   return Object.freeze({
     name,
     publishableKey: config.publishableKey?.trim() || undefined,
     secretKey: config.secretKey?.trim() || undefined,
-    jwtKey: config.jwtKey?.trim() || undefined,
     apiUrl: config.apiUrl?.trim() || undefined,
     frontendApi: config.frontendApi?.trim() || undefined,
+    redirectUri: redirectUri || undefined,
     sessionCookie: config.sessionCookie?.trim() || DEFAULT_CLERK_SESSION_COOKIE,
     authorizedParties: Object.freeze((config.authorizedParties ?? [])
       .map(value => value.trim())
@@ -1569,6 +1579,77 @@ function normalizeClerkProvider(
   })
 }
 
+function isClerkProviderConfig(value: unknown): value is AuthClerkProviderConfig {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+
+  const candidate = value as Record<string, unknown>
+  for (const key of ['publishableKey', 'secretKey', 'apiUrl', 'frontendApi', 'redirectUri', 'sessionCookie', 'guard', 'mapToProvider']) {
+    const field = candidate[key]
+    if (typeof field !== 'undefined' && typeof field !== 'string') {
+      return false
+    }
+  }
+
+  return typeof candidate.authorizedParties === 'undefined'
+    || (Array.isArray(candidate.authorizedParties) && candidate.authorizedParties.every(value => typeof value === 'string'))
+}
+
+function getClerkProviderEntries(config: HoloAuthClerkConfig | undefined): readonly [string, AuthClerkProviderConfig][] {
+  if (!config) {
+    return Object.freeze([])
+  }
+
+  const entries: [string, AuthClerkProviderConfig][] = []
+  for (const [name, value] of Object.entries(config)) {
+    if (name === 'provider') {
+      if (typeof value !== 'undefined' && typeof value !== 'string') {
+        throw new Error('[Holo Auth] Clerk provider key "provider" is reserved for the default provider name.')
+      }
+      continue
+    }
+    if (!isClerkProviderConfig(value)) {
+      throw new Error(`[Holo Auth] Clerk provider "${name}" must be a Clerk provider config object.`)
+    }
+    entries.push([name, value])
+  }
+
+  return Object.freeze(entries)
+}
+
+function normalizeClerkConfig(
+  config: HoloAuthClerkConfig | undefined,
+  guards: Readonly<Record<string, NormalizedAuthGuardConfig>>,
+  providers: Readonly<Record<string, NormalizedAuthProviderConfig>>,
+): NormalizedHoloAuthClerkConfig {
+  const providerEntries = getClerkProviderEntries(config)
+  const provider = typeof config?.provider === 'string' ? config.provider.trim() || undefined : undefined
+  if (providerEntries.length === 0) {
+    if (provider) {
+      throw new Error(`[Holo Auth] Clerk provider "${provider}" is not configured.`)
+    }
+
+    return holoAuthDefaults.clerk
+  }
+
+  const normalizedEntries = providerEntries.map(([name, providerConfig]) => {
+    const normalizedName = normalizeConnectionName(name, 'Auth Clerk provider name')
+    return [normalizedName, providerConfig] as const
+  })
+  if (provider && !normalizedEntries.some(([name]) => name === provider)) {
+    throw new Error(`[Holo Auth] Clerk provider "${provider}" is not configured.`)
+  }
+
+  return Object.freeze({
+    ...(typeof provider === 'undefined' ? {} : { provider }),
+    ...Object.fromEntries(normalizedEntries.map(([name, providerConfig]) => [
+      name,
+      normalizeClerkProvider(name, providerConfig, guards, providers),
+    ])),
+  })
+}
+
 export function normalizeAuthConfig(
   config: HoloAuthConfig = {},
   _options: {
@@ -1627,12 +1708,7 @@ export function normalizeAuthConfig(
 
   const workos = normalizeWorkosConfig(config.workos, guards, providers)
 
-  const clerk = !config.clerk || Object.keys(config.clerk).length === 0
-    ? holoAuthDefaults.clerk
-    : Object.freeze(Object.fromEntries(Object.entries(config.clerk).map(([name, provider]) => {
-      const normalizedName = normalizeConnectionName(name, 'Auth Clerk provider name')
-      return [normalizedName, normalizeClerkProvider(normalizedName, provider, guards, providers)]
-    })))
+  const clerk = normalizeClerkConfig(config.clerk, guards, providers)
 
   return Object.freeze({
     defaults: Object.freeze({
diff --git a/packages/config/src/index.ts b/packages/config/src/index.ts
index 3d68023..4ac7524 100644
--- a/packages/config/src/index.ts
+++ b/packages/config/src/index.ts
@@ -135,6 +135,8 @@ export type {
   HoloSessionConfig,
   HoloSessionCookieConfig,
   HoloAuthConfig,
+  HoloAuthClerkConfig,
+  HoloAuthWorkosConfig,
   AuthGuardConfig,
   AuthProviderConfig,
   AuthPasswordBrokerConfig,
@@ -152,6 +154,8 @@ export type {
   NormalizedSessionDatabaseStoreConfig,
   NormalizedSessionRedisStoreConfig,
   NormalizedHoloAuthConfig,
+  NormalizedHoloAuthClerkConfig,
+  NormalizedHoloAuthWorkosConfig,
   NormalizedAuthGuardConfig,
   NormalizedAuthProviderConfig,
   NormalizedAuthPasswordBrokerConfig,
diff --git a/packages/config/src/types.ts b/packages/config/src/types.ts
index f682366..41c6427 100644
--- a/packages/config/src/types.ts
+++ b/packages/config/src/types.ts
@@ -633,15 +633,20 @@ export interface HoloAuthWorkosConfig {
 export interface AuthClerkProviderConfig {
   readonly publishableKey?: string
   readonly secretKey?: string
-  readonly jwtKey?: string
   readonly apiUrl?: string
   readonly frontendApi?: string
+  readonly redirectUri?: string
   readonly sessionCookie?: string
   readonly authorizedParties?: readonly string[]
   readonly guard?: string
   readonly mapToProvider?: string
 }
 
+export interface HoloAuthClerkConfig {
+  readonly provider?: string
+  readonly [provider: string]: AuthClerkProviderConfig | string | undefined
+}
+
 export interface HoloAuthConfig {
   readonly defaults?: {
     readonly guard?: string
@@ -655,7 +660,7 @@ export interface HoloAuthConfig {
   readonly socialEncryptionKey?: string
   readonly social?: Readonly<Record<string, AuthSocialProviderConfig>>
   readonly workos?: HoloAuthWorkosConfig
-  readonly clerk?: Readonly<Record<string, AuthClerkProviderConfig>>
+  readonly clerk?: HoloAuthClerkConfig
 }
 
 export interface NormalizedAuthGuardConfig {
@@ -710,15 +715,20 @@ export interface NormalizedAuthClerkProviderConfig {
   readonly name: string
   readonly publishableKey?: string
   readonly secretKey?: string
-  readonly jwtKey?: string
   readonly apiUrl?: string
   readonly frontendApi?: string
+  readonly redirectUri?: string
   readonly sessionCookie: string
   readonly authorizedParties: readonly string[]
   readonly guard?: string
   readonly mapToProvider?: string
 }
 
+export interface NormalizedHoloAuthClerkConfig {
+  readonly provider?: string
+  readonly [provider: string]: NormalizedAuthClerkProviderConfig | string | undefined
+}
+
 export interface NormalizedHoloAuthConfig {
   readonly defaults: {
     readonly guard: string
@@ -737,7 +747,7 @@ export interface NormalizedHoloAuthConfig {
   readonly socialEncryptionKey?: string
   readonly social: Readonly<Record<string, NormalizedAuthSocialProviderConfig>>
   readonly workos: NormalizedHoloAuthWorkosConfig
-  readonly clerk: Readonly<Record<string, NormalizedAuthClerkProviderConfig>>
+  readonly clerk: NormalizedHoloAuthClerkConfig
 }
 
 export interface QueueRedisConnectionConfig {
diff --git a/packages/config/tests/config.test.ts b/packages/config/tests/config.test.ts
index 94c7b90..596ab56 100644
--- a/packages/config/tests/config.test.ts
+++ b/packages/config/tests/config.test.ts
@@ -2585,12 +2585,13 @@ export default defineConfig({
         },
       },
       clerk: {
+        provider: ' admin ',
         admin: {
           publishableKey: ' pk_test ',
           secretKey: ' sk_test ',
-          jwtKey: ' jwt-key ',
           apiUrl: ' https://api.clerk.test ',
           frontendApi: ' https://clerk.test ',
+          redirectUri: ' https://app.test/auth/clerk/callback ',
           sessionCookie: ' __clerk_session ',
           authorizedParties: [' https://app.test ', 'https://admin.test'],
           guard: 'admin',
@@ -2663,13 +2664,14 @@ export default defineConfig({
         },
       },
       clerk: {
+        provider: 'admin',
         admin: {
           name: 'admin',
           publishableKey: 'pk_test',
           secretKey: 'sk_test',
-          jwtKey: 'jwt-key',
           apiUrl: 'https://api.clerk.test',
           frontendApi: 'https://clerk.test',
+          redirectUri: 'https://app.test/auth/clerk/callback',
           sessionCookie: '__clerk_session',
           authorizedParties: ['https://app.test', 'https://admin.test'],
           guard: 'admin',
@@ -2682,6 +2684,20 @@ export default defineConfig({
         guard: 'missing',
       },
     })).toThrow('default auth guard "missing" is not configured')
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        app: {
+          redirectUri: 'not a url',
+        },
+      },
+    })).toThrow('Invalid redirectUri in Clerk provider "app": not a url')
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        app: {
+          secretKey: 123 as never,
+        },
+      },
+    })).toThrow('Clerk provider "app" must be a Clerk provider config object.')
     expect(() => normalizeAuthConfig({
       defaults: {
         passwords: 'admins',
@@ -2805,6 +2821,34 @@ export default defineConfig({
         },
       },
     })).toThrow('references unknown provider "admins"')
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        provider: 'missing',
+        app: {},
+      },
+    })).toThrow('Clerk provider "missing" is not configured')
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        provider: 'app',
+      },
+    })).toThrow('Clerk provider "app" is not configured')
+    expect(normalizeAuthConfig({
+      clerk: {
+        provider: '   ',
+      },
+    }).clerk).toEqual(normalizeAuthConfig().clerk)
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        provider: {
+          secretKey: 'sk_test',
+        },
+      } as never,
+    })).toThrow('Clerk provider key "provider" is reserved for the default provider name')
+    expect(() => normalizeAuthConfig({
+      clerk: {
+        app: 'invalid' as never,
+      },
+    })).toThrow('Clerk provider "app" must be a Clerk provider config object.')
     expect(() => normalizeAuthConfig({
       clerk: {
         admin: {
@@ -3000,9 +3044,9 @@ export default defineConfig({
         app: {
           publishableKey: ' pk ',
           secretKey: ' sk ',
-          jwtKey: ' jwt ',
           apiUrl: ' https://api.example.com ',
           frontendApi: ' https://clerk.example.com ',
+          redirectUri: ' https://example.com/clerk ',
           sessionCookie: ' custom-clerk ',
         },
       },
@@ -3046,9 +3090,9 @@ export default defineConfig({
         app: {
           publishableKey: 'pk',
           secretKey: 'sk',
-          jwtKey: 'jwt',
           apiUrl: 'https://api.example.com',
           frontendApi: 'https://clerk.example.com',
+          redirectUri: 'https://example.com/clerk',
           sessionCookie: 'custom-clerk',
         },
       },
@@ -3086,7 +3130,6 @@ export default defineConfig({
         app: {
           publishableKey: undefined,
           secretKey: undefined,
-          jwtKey: undefined,
           apiUrl: undefined,
           frontendApi: undefined,
           sessionCookie: '__session',
diff --git a/packages/core/package.json b/packages/core/package.json
index ae292ce..f99cf9f 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -28,22 +28,22 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/db": "^0.1.4",
-    "esbuild": "^0.27.4"
+    "@holo-js/config": "catalog:",
+    "@holo-js/db": "catalog:",
+    "esbuild": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/auth": "^0.1.4",
-    "@holo-js/auth-clerk": "^0.1.4",
-    "@holo-js/auth-social": "^0.1.4",
-    "@holo-js/auth-workos": "^0.1.4",
-    "@holo-js/authorization": "^0.1.4",
-    "@holo-js/mail": "^0.1.4",
-    "@holo-js/notifications": "^0.1.4",
-    "@holo-js/queue": "^0.1.4",
-    "@holo-js/security": "^0.1.4",
-    "@holo-js/session": "^0.1.4",
-    "@holo-js/storage": "^0.1.4"
+    "@holo-js/auth": "catalog:",
+    "@holo-js/auth-clerk": "catalog:",
+    "@holo-js/auth-social": "catalog:",
+    "@holo-js/auth-workos": "catalog:",
+    "@holo-js/authorization": "catalog:",
+    "@holo-js/mail": "catalog:",
+    "@holo-js/notifications": "catalog:",
+    "@holo-js/queue": "catalog:",
+    "@holo-js/security": "catalog:",
+    "@holo-js/session": "catalog:",
+    "@holo-js/storage": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/auth": {
@@ -81,17 +81,17 @@
     }
   },
   "devDependencies": {
-    "@holo-js/auth": "^0.1.4",
-    "@holo-js/authorization": "^0.1.4",
-    "@holo-js/events": "^0.1.4",
-    "@holo-js/mail": "^0.1.4",
-    "@holo-js/notifications": "^0.1.4",
-    "@holo-js/queue-db": "^0.1.4",
-    "@holo-js/session": "^0.1.4",
-    "@holo-js/storage": "^0.1.4",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/auth": "catalog:",
+    "@holo-js/authorization": "catalog:",
+    "@holo-js/events": "catalog:",
+    "@holo-js/mail": "catalog:",
+    "@holo-js/notifications": "catalog:",
+    "@holo-js/queue-db": "catalog:",
+    "@holo-js/session": "catalog:",
+    "@holo-js/storage": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/core/src/portable/holo.ts b/packages/core/src/portable/holo.ts
index f1da252..f322c80 100644
--- a/packages/core/src/portable/holo.ts
+++ b/packages/core/src/portable/holo.ts
@@ -850,6 +850,7 @@ export interface CreateHoloOptions {
     readonly getCookie?: (name: string) => string | undefined | Promise<string | undefined>
     readonly getHeader?: (name: string) => string | undefined | Promise<string | undefined>
     readonly appendResponseCookie?: (cookie: string) => void | Promise<void>
+    readonly redirectResponse?: (url: string, status?: 301 | 302 | 303 | 307 | 308) => void | Promise<void>
   }
 }
 
@@ -1167,12 +1168,14 @@ function attachAuthRequestAccessors<TContext extends {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
   appendResponseCookie?(cookie: string): void | Promise<void>
+  redirectResponse?(url: string, status?: 301 | 302 | 303 | 307 | 308): void | Promise<void>
 } {
   return Object.freeze({
     ...context,
     getRequestCookie: accessors.getCookie,
     getRequestHeader: accessors.getHeader,
     appendResponseCookie: accessors.appendResponseCookie,
+    redirectResponse: accessors.redirectResponse,
   })
 }
 
@@ -1193,6 +1196,7 @@ function createRequestAwareAuthContext<TContext extends {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
   appendResponseCookie?(cookie: string): void | Promise<void>
+  redirectResponse?(url: string, status?: 301 | 302 | 303 | 307 | 308): void | Promise<void>
   setRequestAccessors(accessors?: CreateHoloOptions['authRequest']): void
 } {
   const requestAccessorStorage = new AsyncLocalStorage<{
@@ -1202,6 +1206,7 @@ function createRequestAwareAuthContext<TContext extends {
     getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
     getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
     appendResponseCookie?(cookie: string): void | Promise<void>
+    redirectResponse?(url: string, status?: 301 | 302 | 303 | 307 | 308): void | Promise<void>
   }
 
   const resolveRequestContext = (): RequestAccessContext => {
@@ -1224,6 +1229,9 @@ function createRequestAwareAuthContext<TContext extends {
     appendResponseCookie(cookie) {
       return resolveRequestContext().appendResponseCookie?.(cookie)
     },
+    redirectResponse(url, status) {
+      return resolveRequestContext().redirectResponse?.(url, status)
+    },
     setRequestAccessors(nextAccessors) {
       requestAccessorStorage.enterWith({
         accessors: nextAccessors,
diff --git a/packages/create-holo-js/package.json b/packages/create-holo-js/package.json
index 9db0c20..01cedf0 100644
--- a/packages/create-holo-js/package.json
+++ b/packages/create-holo-js/package.json
@@ -16,12 +16,12 @@
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "dependencies": {
-    "@holo-js/cli": "^0.1.4"
+    "@holo-js/cli": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2"
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:"
   },
   "engines": {
     "node": ">=20.11.0"
diff --git a/packages/db-mysql/package.json b/packages/db-mysql/package.json
index 0b696c5..7606f1e 100644
--- a/packages/db-mysql/package.json
+++ b/packages/db-mysql/package.json
@@ -23,15 +23,15 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/db": "catalog:"
   },
   "dependencies": {
-    "mysql2": "^3.17.1"
+    "mysql2": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/db": "workspace:*",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/db": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/db-postgres/package.json b/packages/db-postgres/package.json
index 6c94e64..aabb341 100644
--- a/packages/db-postgres/package.json
+++ b/packages/db-postgres/package.json
@@ -23,16 +23,16 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/db": "catalog:"
   },
   "dependencies": {
-    "pg": "^8.13.0"
+    "pg": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/db": "workspace:*",
-    "@types/pg": "^8.11.0",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/db": "catalog:",
+    "@types/pg": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/db-sqlite/package.json b/packages/db-sqlite/package.json
index a580a78..2f93dc9 100644
--- a/packages/db-sqlite/package.json
+++ b/packages/db-sqlite/package.json
@@ -23,16 +23,16 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/db": "catalog:"
   },
   "dependencies": {
-    "better-sqlite3": "^11.7.0"
+    "better-sqlite3": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/db": "workspace:*",
-    "@types/better-sqlite3": "^7.6.12",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/db": "catalog:",
+    "@types/better-sqlite3": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/db/package.json b/packages/db/package.json
index d57cbc7..e46e3e9 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -28,9 +28,9 @@
     "uuid": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/db-mysql": "^0.1.4",
-    "@holo-js/db-postgres": "^0.1.4",
-    "@holo-js/db-sqlite": "^0.1.4"
+    "@holo-js/db-mysql": "catalog:",
+    "@holo-js/db-postgres": "catalog:",
+    "@holo-js/db-sqlite": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/db-mysql": {
@@ -44,12 +44,12 @@
     }
   },
   "devDependencies": {
-    "@holo-js/db-mysql": "workspace:*",
-    "@holo-js/db-postgres": "workspace:*",
-    "@holo-js/db-sqlite": "workspace:*",
-    "@types/better-sqlite3": "^7.6.12",
-    "@types/pg": "^8.11.0",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2"
+    "@holo-js/db-mysql": "catalog:",
+    "@holo-js/db-postgres": "catalog:",
+    "@holo-js/db-sqlite": "catalog:",
+    "@types/better-sqlite3": "catalog:",
+    "@types/pg": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:"
   }
 }
diff --git a/packages/events/package.json b/packages/events/package.json
index 7464cfe..d824ecd 100644
--- a/packages/events/package.json
+++ b/packages/events/package.json
@@ -23,10 +23,10 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/db": "^0.1.4"
+    "@holo-js/db": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/queue": "^0.1.4"
+    "@holo-js/queue": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/queue": {
@@ -34,9 +34,9 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/flux-react/package.json b/packages/flux-react/package.json
index ba513e3..c252425 100644
--- a/packages/flux-react/package.json
+++ b/packages/flux-react/package.json
@@ -23,20 +23,20 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/broadcast": "^0.1.4",
-    "@holo-js/flux": "^0.1.4"
+    "@holo-js/broadcast": "catalog:",
+    "@holo-js/flux": "catalog:"
   },
   "peerDependencies": {
-    "react": "^18.3.1 || ^19.0.0"
+    "react": "catalog:"
   },
   "devDependencies": {
-    "@types/react": "^18.3.12",
-    "@types/react-test-renderer": "^18.3.1",
-    "@types/node": "^22.10.2",
-    "react": "^18.3.1",
-    "react-test-renderer": "^18.3.1",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/react": "catalog:",
+    "@types/react-test-renderer": "catalog:",
+    "@types/node": "catalog:",
+    "react": "catalog:",
+    "react-test-renderer": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/flux-react/tests/package.test.ts b/packages/flux-react/tests/package.test.ts
index b65e467..8f74fd9 100644
--- a/packages/flux-react/tests/package.test.ts
+++ b/packages/flux-react/tests/package.test.ts
@@ -234,11 +234,14 @@ describe('@holo-js/flux-react package surface', () => {
 
     await act(async () => {
       await client.connect()
+    })
+    expect(statusSnapshots).toContain('connected')
+
+    await act(async () => {
       await client.disconnect()
     })
     expect(statusChanges).toEqual(['connecting', 'connected', 'disconnected'])
     expect(statusHandler).toHaveBeenCalledTimes(3)
-    expect(statusSnapshots).toContain('connected')
     expect(statusSnapshots.at(-1)).toBe('disconnected')
     presenceControls!.leave()
     presenceControls!.leaveChannel()
diff --git a/packages/flux-svelte/package.json b/packages/flux-svelte/package.json
index 83aa2cf..bb05770 100644
--- a/packages/flux-svelte/package.json
+++ b/packages/flux-svelte/package.json
@@ -23,17 +23,17 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/broadcast": "^0.1.4",
-    "@holo-js/flux": "^0.1.4"
+    "@holo-js/broadcast": "catalog:",
+    "@holo-js/flux": "catalog:"
   },
   "peerDependencies": {
-    "svelte": "^5.16.0"
+    "svelte": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "svelte": "^5.16.0",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "svelte": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/flux-vue/package.json b/packages/flux-vue/package.json
index 10fce27..e69b3c8 100644
--- a/packages/flux-vue/package.json
+++ b/packages/flux-vue/package.json
@@ -23,17 +23,17 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/broadcast": "^0.1.4",
-    "@holo-js/flux": "^0.1.4"
+    "@holo-js/broadcast": "catalog:",
+    "@holo-js/flux": "catalog:"
   },
   "peerDependencies": {
-    "vue": "^3.5.13"
+    "vue": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
-    "vue": "^3.5.13",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
+    "vue": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/flux/package.json b/packages/flux/package.json
index 1d567c5..bbec464 100644
--- a/packages/flux/package.json
+++ b/packages/flux/package.json
@@ -23,12 +23,12 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/broadcast": "^0.1.4"
+    "@holo-js/broadcast": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/forms/package.json b/packages/forms/package.json
index daac752..d58fc94 100644
--- a/packages/forms/package.json
+++ b/packages/forms/package.json
@@ -33,10 +33,10 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/validation": "^0.1.4"
+    "@holo-js/validation": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/security": "^0.1.4"
+    "@holo-js/security": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/security": {
@@ -44,9 +44,9 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/forms/tests/contracts.test.ts b/packages/forms/tests/contracts.test.ts
index c8e2ba4..5fa5986 100644
--- a/packages/forms/tests/contracts.test.ts
+++ b/packages/forms/tests/contracts.test.ts
@@ -1126,7 +1126,7 @@ describe('@holo-js/forms contracts', () => {
     expect(packageJson.exports).toHaveProperty('./internal/client')
     expect(Object.keys(packageJson.devDependencies ?? {})).not.toContain('next')
     expect(Object.keys(packageJson.devDependencies ?? {})).not.toContain('nuxt')
-    expect(packageJson.peerDependencies?.['@holo-js/security']).toBe(`^${packageJson.version}`)
+    expect(packageJson.peerDependencies?.['@holo-js/security']).toBe('catalog:')
     expect(packageJson.peerDependenciesMeta?.['@holo-js/security']?.optional).toBe(true)
   })
 })
diff --git a/packages/mail/package.json b/packages/mail/package.json
index 4802f49..49cb672 100644
--- a/packages/mail/package.json
+++ b/packages/mail/package.json
@@ -28,12 +28,12 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "nodemailer": "^6.10.1"
+    "@holo-js/config": "catalog:",
+    "nodemailer": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/queue": "^0.1.4",
-    "@holo-js/storage": "^0.1.4"
+    "@holo-js/queue": "catalog:",
+    "@holo-js/storage": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/queue": {
@@ -44,9 +44,9 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/media/package.json b/packages/media/package.json
index 6c15fce..fd7bb10 100644
--- a/packages/media/package.json
+++ b/packages/media/package.json
@@ -22,14 +22,14 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/db": "^0.1.4",
-    "@holo-js/queue": "^0.1.4",
-    "@holo-js/storage": "^0.1.4",
-    "sharp": "^0.34.4"
+    "@holo-js/db": "catalog:",
+    "@holo-js/queue": "catalog:",
+    "@holo-js/storage": "catalog:",
+    "sharp": "catalog:"
   },
   "devDependencies": {
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/notifications/package.json b/packages/notifications/package.json
index 39b6fd0..d8edb15 100644
--- a/packages/notifications/package.json
+++ b/packages/notifications/package.json
@@ -28,10 +28,10 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/queue": "^0.1.4"
+    "@holo-js/queue": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/queue": {
@@ -39,9 +39,9 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/queue-db/package.json b/packages/queue-db/package.json
index c622ad7..573489f 100644
--- a/packages/queue-db/package.json
+++ b/packages/queue-db/package.json
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/db": "^0.1.4",
-    "@holo-js/queue": "^0.1.4"
+    "@holo-js/db": "catalog:",
+    "@holo-js/queue": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/queue-redis/package.json b/packages/queue-redis/package.json
index 1ace02b..a161b0b 100644
--- a/packages/queue-redis/package.json
+++ b/packages/queue-redis/package.json
@@ -23,18 +23,18 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/queue": "^0.1.4"
+    "@holo-js/queue": "catalog:"
   },
   "dependencies": {
-    "bullmq": "^5.71.0",
+    "bullmq": "catalog:",
     "ioredis": "catalog:",
-    "tslib": "^2.8.1"
+    "tslib": "catalog:"
   },
   "devDependencies": {
-    "@holo-js/queue": "workspace:*",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/queue": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/queue/package.json b/packages/queue/package.json
index 7e29254..7d0f7fc 100644
--- a/packages/queue/package.json
+++ b/packages/queue/package.json
@@ -23,7 +23,7 @@
     "test": "vitest --run"
   },
   "peerDependencies": {
-    "@holo-js/queue-redis": "^0.1.4"
+    "@holo-js/queue-redis": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/queue-redis": {
@@ -31,10 +31,10 @@
     }
   },
   "devDependencies": {
-    "@holo-js/queue-redis": "workspace:*",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/queue-redis": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/security/package.json b/packages/security/package.json
index 11c6665..bb4cdcc 100644
--- a/packages/security/package.json
+++ b/packages/security/package.json
@@ -38,7 +38,7 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "peerDependencies": {
     "ioredis": "catalog:"
@@ -49,10 +49,10 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
+    "@types/node": "catalog:",
     "ioredis": "catalog:",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/session/package.json b/packages/session/package.json
index fa2fbee..b56a534 100644
--- a/packages/session/package.json
+++ b/packages/session/package.json
@@ -28,7 +28,7 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "peerDependencies": {
     "ioredis": "catalog:"
@@ -39,10 +39,10 @@
     }
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
+    "@types/node": "catalog:",
     "ioredis": "catalog:",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/storage-s3/package.json b/packages/storage-s3/package.json
index a552b25..01b2151 100644
--- a/packages/storage-s3/package.json
+++ b/packages/storage-s3/package.json
@@ -23,9 +23,9 @@
     "test": "vitest --run"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/storage/package.json b/packages/storage/package.json
index ee26b88..b3cfde0 100644
--- a/packages/storage/package.json
+++ b/packages/storage/package.json
@@ -33,10 +33,10 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4"
+    "@holo-js/config": "catalog:"
   },
   "peerDependencies": {
-    "@holo-js/storage-s3": "^0.1.4"
+    "@holo-js/storage-s3": "catalog:"
   },
   "peerDependenciesMeta": {
     "@holo-js/storage-s3": {
@@ -44,10 +44,10 @@
     }
   },
   "devDependencies": {
-    "@holo-js/storage-s3": "workspace:*",
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@holo-js/storage-s3": "catalog:",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/packages/validation/package.json b/packages/validation/package.json
index f88b4fe..86b5374 100644
--- a/packages/validation/package.json
+++ b/packages/validation/package.json
@@ -23,12 +23,12 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "valibot": "^1.1.0"
+    "valibot": "catalog:"
   },
   "devDependencies": {
-    "@types/node": "^22.10.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.7.2",
+    "@types/node": "catalog:",
+    "tsup": "catalog:",
+    "typescript": "catalog:",
     "vitest": "catalog:"
   }
 }
diff --git a/scripts/publish-with-resolved-catalogs.mjs b/scripts/publish-with-resolved-catalogs.mjs
new file mode 100644
index 0000000..b550fc2
--- /dev/null
+++ b/scripts/publish-with-resolved-catalogs.mjs
@@ -0,0 +1,133 @@
+import { spawnSync } from 'node:child_process'
+import { access, readdir, readFile, writeFile } from 'node:fs/promises'
+import { dirname, join, resolve } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), '..')
+const dependencySections = [
+  'dependencies',
+  'devDependencies',
+  'peerDependencies',
+  'optionalDependencies',
+]
+
+function isObject(value) {
+  return value !== null && typeof value === 'object' && !Array.isArray(value)
+}
+
+async function readJson(filePath) {
+  return JSON.parse(await readFile(filePath, 'utf8'))
+}
+
+async function listPackageManifestPaths(root = repoRoot) {
+  const packageDirectory = join(root, 'packages')
+  const entries = await readdir(packageDirectory, { withFileTypes: true })
+  const manifestPaths = await Promise.all(entries
+    .filter(entry => entry.isDirectory())
+    .map(async (entry) => {
+      const manifestPath = join(packageDirectory, entry.name, 'package.json')
+      try {
+        await access(manifestPath)
+        return manifestPath
+      } catch {
+        return null
+      }
+    }))
+
+  return manifestPaths.filter(manifestPath => typeof manifestPath === 'string')
+}
+
+export function resolveCatalogRangesInManifest(manifest, catalog) {
+  const resolvedManifest = structuredClone(manifest)
+
+  for (const sectionName of dependencySections) {
+    const section = resolvedManifest[sectionName]
+    if (!isObject(section)) {
+      continue
+    }
+
+    for (const [packageName, version] of Object.entries(section)) {
+      if (version !== 'catalog:') {
+        continue
+      }
+
+      const resolvedVersion = catalog[packageName]
+      if (typeof resolvedVersion !== 'string') {
+        throw new Error(`Cannot resolve catalog range for ${sectionName}.${packageName}.`)
+      }
+
+      section[packageName] = resolvedVersion
+    }
+  }
+
+  return resolvedManifest
+}
+
+export async function withResolvedCatalogManifests(callback, root = repoRoot) {
+  const rootManifest = await readJson(join(root, 'package.json'))
+  const catalog = rootManifest.workspaces?.catalog
+  if (!isObject(catalog)) {
+    throw new Error('Root package.json is missing workspaces.catalog.')
+  }
+
+  const packageManifestPaths = await listPackageManifestPaths(root)
+  const originalManifests = new Map()
+  let callbackError
+
+  try {
+    for (const manifestPath of packageManifestPaths) {
+      const original = await readFile(manifestPath, 'utf8')
+      originalManifests.set(manifestPath, original)
+      const resolved = resolveCatalogRangesInManifest(JSON.parse(original), catalog)
+      await writeFile(manifestPath, `${JSON.stringify(resolved, null, 2)}\n`)
+    }
+
+    await callback()
+  } catch (error) {
+    callbackError = error
+  }
+
+  const manifestEntries = [...originalManifests]
+  const restoreResults = await Promise.allSettled(manifestEntries.map(([manifestPath, contents]) => (
+    writeFile(manifestPath, contents)
+  )))
+  const restoreFailures = restoreResults.flatMap((result, index) => {
+    if (result.status === 'fulfilled') {
+      return []
+    }
+
+    const manifestPath = manifestEntries[index]?.[0] ?? '<unknown>'
+    const reason = result.reason instanceof Error ? result.reason.message : String(result.reason)
+    return [`${manifestPath}: ${reason}`]
+  })
+  if (restoreFailures.length > 0) {
+    throw new Error(`Failed to restore ${restoreFailures.length} package manifest(s): ${restoreFailures.join('; ')}`)
+  }
+  if (callbackError) {
+    throw callbackError
+  }
+}
+
+async function publishWithResolvedCatalogs() {
+  let publishStatus = 0
+
+  await withResolvedCatalogManifests(async () => {
+    const changesetBinary = join(repoRoot, 'node_modules', '.bin', process.platform === 'win32' ? 'changeset.cmd' : 'changeset')
+    const result = spawnSync(changesetBinary, ['publish'], {
+      cwd: repoRoot,
+      stdio: 'inherit',
+    })
+
+    if (result.error) {
+      throw result.error
+    }
+
+    publishStatus = result.status ?? 1
+  })
+
+  return publishStatus
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  process.exit(await publishWithResolvedCatalogs())
+}
diff --git a/scripts/publish-with-resolved-catalogs.test.mjs b/scripts/publish-with-resolved-catalogs.test.mjs
new file mode 100644
index 0000000..1015785
--- /dev/null
+++ b/scripts/publish-with-resolved-catalogs.test.mjs
@@ -0,0 +1,138 @@
+import assert from 'node:assert/strict'
+import { mkdir, mkdtemp, readFile, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { dirname, join } from 'node:path'
+import { afterEach, test } from 'node:test'
+import {
+  resolveCatalogRangesInManifest,
+  withResolvedCatalogManifests,
+} from './publish-with-resolved-catalogs.mjs'
+
+const tempRoots = []
+
+afterEach(async () => {
+  await Promise.all(tempRoots.splice(0).map(repoRoot => rm(repoRoot, {
+    recursive: true,
+    force: true,
+  })))
+})
+
+async function createTempRepo(files) {
+  const repoRoot = await mkdtemp(join(tmpdir(), 'holo-publish-catalogs-'))
+  tempRoots.push(repoRoot)
+
+  for (const [filePath, contents] of Object.entries(files)) {
+    const targetPath = join(repoRoot, filePath)
+    await mkdir(dirname(targetPath), { recursive: true })
+    await writeFile(targetPath, contents.join('\n'), 'utf8')
+  }
+
+  return repoRoot
+}
+
+test('catalog resolver replaces package dependency ranges from the root catalog', () => {
+  const resolved = resolveCatalogRangesInManifest({
+    dependencies: {
+      '@holo-js/core': 'catalog:',
+    },
+    peerDependencies: {
+      react: 'catalog:',
+    },
+  }, {
+    '@holo-js/core': '^0.1.4',
+    react: '^19.0.0',
+  })
+
+  assert.deepEqual(resolved.dependencies, {
+    '@holo-js/core': '^0.1.4',
+  })
+  assert.deepEqual(resolved.peerDependencies, {
+    react: '^19.0.0',
+  })
+})
+
+test('catalog resolver rejects catalog dependencies missing from the root catalog', () => {
+  assert.throws(
+    () => resolveCatalogRangesInManifest({
+      dependencies: {
+        '@holo-js/newpkg': 'catalog:',
+      },
+    }, {
+      '@holo-js/core': '^0.1.4',
+    }),
+    /Cannot resolve catalog range for dependencies\.@holo-js\/newpkg\./,
+  )
+})
+
+test('catalog resolver restores package manifests after publishing fails', async () => {
+  const originalManifest = [
+    '{',
+    '  "name": "@holo-js/example",',
+    '  "version": "0.1.4",',
+    '  "dependencies": {',
+    '    "@holo-js/core": "catalog:"',
+    '  }',
+    '}',
+    '',
+  ].join('\n')
+
+  const repoRoot = await createTempRepo({
+    'package.json': [
+      '{',
+      '  "workspaces": {',
+      '    "catalog": {',
+      '      "@holo-js/core": "^0.1.4"',
+      '    }',
+      '  }',
+      '}',
+      '',
+    ],
+    'packages/example/package.json': originalManifest.split('\n'),
+  })
+
+  await assert.rejects(
+    withResolvedCatalogManifests(async () => {
+      const resolvedManifest = JSON.parse(await readFile(join(repoRoot, 'packages/example/package.json'), 'utf8'))
+      assert.equal(resolvedManifest.dependencies['@holo-js/core'], '^0.1.4')
+      throw new Error('publish failed')
+    }, repoRoot),
+    /publish failed/,
+  )
+
+  assert.equal(await readFile(join(repoRoot, 'packages/example/package.json'), 'utf8'), originalManifest)
+})
+
+test('catalog manifest publishing skips package directories without package manifests', async () => {
+  const originalManifest = [
+    '{',
+    '  "name": "@holo-js/example",',
+    '  "version": "0.1.4",',
+    '  "dependencies": {',
+    '    "@holo-js/core": "catalog:"',
+    '  }',
+    '}',
+    '',
+  ].join('\n')
+
+  const repoRoot = await createTempRepo({
+    'package.json': [
+      '{',
+      '  "workspaces": {',
+      '    "catalog": {',
+      '      "@holo-js/core": "^0.1.4"',
+      '    }',
+      '  }',
+      '}',
+      '',
+    ],
+    'packages/example/package.json': originalManifest.split('\n'),
+    'packages/not-a-package/.keep': [''],
+  })
+
+  await withResolvedCatalogManifests(async () => {
+    const resolvedManifest = JSON.parse(await readFile(join(repoRoot, 'packages/example/package.json'), 'utf8'))
+    assert.equal(resolvedManifest.dependencies['@holo-js/core'], '^0.1.4')
+  }, repoRoot)
+
+  assert.equal(await readFile(join(repoRoot, 'packages/example/package.json'), 'utf8'), originalManifest)
+})
diff --git a/scripts/validate-dependency-version-policy.mjs b/scripts/validate-dependency-version-policy.mjs
index e06c54f..89a2325 100644
--- a/scripts/validate-dependency-version-policy.mjs
+++ b/scripts/validate-dependency-version-policy.mjs
@@ -1,5 +1,5 @@
 import { execFile } from 'node:child_process'
-import { readFile } from 'node:fs/promises'
+import { access, readdir, readFile } from 'node:fs/promises'
 import { dirname, join, resolve } from 'node:path'
 import { promisify } from 'node:util'
 import { fileURLToPath, pathToFileURL } from 'node:url'
@@ -37,6 +37,38 @@ export async function listTrackedAppManifests(root = repoRoot) {
     .map(filePath => join(root, filePath))
 }
 
+export async function listTrackedPackageManifests(root = repoRoot) {
+  try {
+    const { stdout } = await execFileAsync('git', ['ls-files', 'packages/*/package.json'], {
+      cwd: root,
+    })
+
+    return stdout
+      .split('\n')
+      .filter(Boolean)
+      .map(filePath => join(root, filePath))
+  } catch {
+    const packageDirectory = join(root, 'packages')
+    const entries = await readdir(packageDirectory, { withFileTypes: true })
+
+    const manifests = entries
+      .filter(entry => entry.isDirectory())
+      .map(entry => join(packageDirectory, entry.name, 'package.json'))
+
+    const existingManifests = []
+    for (const manifestPath of manifests) {
+      try {
+        await access(manifestPath)
+        existingManifests.push(manifestPath)
+      } catch {
+        continue
+      }
+    }
+
+    return existingManifests
+  }
+}
+
 export async function collectAppManifestFailures(root = repoRoot) {
   const catalogPackages = await readWorkspaceCatalog(root)
   const manifestPaths = await listTrackedAppManifests(root)
@@ -67,6 +99,45 @@ export async function collectAppManifestFailures(root = repoRoot) {
   return failures
 }
 
+export async function collectPackageManifestFailures(root = repoRoot) {
+  const manifestPaths = await listTrackedPackageManifests(root)
+  const failures = []
+
+  for (const manifestPath of manifestPaths) {
+    const manifest = JSON.parse(await readFile(manifestPath, 'utf8'))
+
+    for (const sectionName of dependencySections) {
+      const section = manifest[sectionName]
+      if (!isObject(section)) {
+        continue
+      }
+
+      for (const [packageName, version] of Object.entries(section)) {
+        if (version !== 'catalog:') {
+          failures.push(`${manifestPath}: ${sectionName}.${packageName} must use "catalog:" in package manifests, found "${version}".`)
+        }
+      }
+    }
+  }
+
+  return failures
+}
+
+export async function collectCatalogPackageCoverageFailures(root = repoRoot) {
+  const catalogPackages = await readWorkspaceCatalog(root)
+  const manifestPaths = await listTrackedPackageManifests(root)
+  const failures = []
+
+  for (const manifestPath of manifestPaths) {
+    const manifest = JSON.parse(await readFile(manifestPath, 'utf8'))
+    if (typeof manifest.name === 'string' && !catalogPackages.has(manifest.name)) {
+      failures.push(`${manifestPath}: root workspace catalog must include package "${manifest.name}".`)
+    }
+  }
+
+  return failures
+}
+
 function collectImportBindings(source) {
   const bindings = new Map()
   const importPattern = /import\s+([\s\S]*?)\s+from\s*['"]([^'"]+)['"]/g
@@ -335,6 +406,8 @@ export async function collectScaffoldSourceFailures(root = repoRoot) {
 export async function runDependencyVersionPolicyValidation(root = repoRoot) {
   const failures = [
     ...(await collectAppManifestFailures(root)),
+    ...(await collectPackageManifestFailures(root)),
+    ...(await collectCatalogPackageCoverageFailures(root)),
     ...(await collectScaffoldSourceFailures(root)),
   ]
 
diff --git a/scripts/validate-dependency-version-policy.test.mjs b/scripts/validate-dependency-version-policy.test.mjs
index a2a3296..2907283 100644
--- a/scripts/validate-dependency-version-policy.test.mjs
+++ b/scripts/validate-dependency-version-policy.test.mjs
@@ -3,7 +3,11 @@ import { mkdir, mkdtemp, rm, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { dirname, join } from 'node:path'
 import { afterEach, test } from 'node:test'
-import { collectScaffoldSourceFailures } from './validate-dependency-version-policy.mjs'
+import {
+  collectCatalogPackageCoverageFailures,
+  collectPackageManifestFailures,
+  collectScaffoldSourceFailures,
+} from './validate-dependency-version-policy.mjs'
 
 const tempRoots = []
 
@@ -134,3 +138,55 @@ test('dependency policy validator allows valid semver ranges', async () => {
 
   assert.equal(failures.length, 0)
 })
+
+test('dependency policy validator requires package manifests to use catalog ranges', async () => {
+  const repoRoot = await createTestScaffold({
+    'packages/example/package.json': [
+      '{',
+      '  "name": "@holo-js/example",',
+      '  "version": "0.1.4",',
+      '  "dependencies": {',
+      '    "@holo-js/core": "^0.1.4",',
+      '    "typescript": "catalog:"',
+      '  }',
+      '}',
+      '',
+    ],
+  })
+
+  const failures = await collectPackageManifestFailures(repoRoot)
+
+  assert.equal(failures.length, 1)
+  assert.match(failures[0], /@holo-js\/core/)
+  assert.match(failures[0], /catalog:/)
+})
+
+test('dependency policy validator requires the catalog to include every package', async () => {
+  const repoRoot = await createTestScaffold({
+    'package.json': [
+      '{',
+      '  "workspaces": {',
+      '    "catalog": {',
+      '      "@holo-js/core": "^0.1.4"',
+      '    }',
+      '  }',
+      '}',
+      '',
+    ],
+    'packages/example/package.json': [
+      '{',
+      '  "name": "@holo-js/example",',
+      '  "version": "0.1.4",',
+      '  "dependencies": {',
+      '    "@holo-js/core": "catalog:"',
+      '  }',
+      '}',
+      '',
+    ],
+  })
+
+  const failures = await collectCatalogPackageCoverageFailures(repoRoot)
+
+  assert.equal(failures.length, 1)
+  assert.match(failures[0], /@holo-js\/example/)
+})