From 57e5930179f0ac509a5ff59efd3568a1b16ee9f7 Mon Sep 17 00:00:00 2001
From: Daniel <daniel.guo@vivalabs.com.au>
Date: Mon, 8 Dec 2025 12:37:35 +1100
Subject: [PATCH 1/3] Refactor in DDD style

---
 docs/ddd_plan.md                              | 347 ++++++++++++++++
 .../application/dto/command/LoginCommand.java |   4 +
 .../dto/command/RefreshTokenCommand.java      |   4 +
 .../dto/command/RegisterCommand.java          |  11 +
 .../application/dto/response/AuthResult.java  |  14 +
 .../service/AuthApplicationService.java       | 221 ++++++++++
 .../auth/domain/event/UserLoggedInEvent.java  |  20 +
 .../domain/event/UserRegisteredEvent.java     |  22 +
 .../nkcoder/auth/domain/model/AuthRole.java   |   7 +
 .../nkcoder/auth/domain/model/AuthUser.java   |  87 ++++
 .../nkcoder/auth/domain/model/AuthUserId.java |  24 ++
 .../auth/domain/model/HashedPassword.java     |  18 +
 .../auth/domain/model/RefreshToken.java       |  83 ++++
 .../auth/domain/model/TokenFamily.java        |  26 ++
 .../nkcoder/auth/domain/model/TokenPair.java  |  12 +
 .../domain/repository/AuthUserRepository.java |  24 ++
 .../repository/RefreshTokenRepository.java    |  32 ++
 .../auth/domain/service/PasswordEncoder.java  |  16 +
 .../auth/domain/service/TokenGenerator.java   |  28 ++
 .../persistence/entity/AuthUserJpaEntity.java | 136 ++++++
 .../entity/RefreshTokenJpaEntity.java         | 125 ++++++
 .../mapper/AuthUserPersistenceMapper.java     |  39 ++
 .../mapper/RefreshTokenPersistenceMapper.java |  38 ++
 .../repository/AuthUserJpaRepository.java     |  24 ++
 .../repository/AuthUserRepositoryAdapter.java |  52 +++
 .../repository/RefreshTokenJpaRepository.java |  40 ++
 .../RefreshTokenRepositoryAdapter.java        |  62 +++
 .../BcryptPasswordEncoderAdapter.java         |  28 ++
 .../security/JwtTokenGeneratorAdapter.java    | 144 +++++++
 .../infrastructure/security}/JwtUtil.java     |  12 +-
 .../auth/interfaces/grpc/AuthGrpcService.java | 113 +++++
 .../auth/interfaces/grpc/GrpcAuthMapper.java  |  27 ++
 .../interfaces/rest}/AuthController.java      |  52 +--
 .../rest/mapper/AuthRequestMapper.java        |  26 ++
 .../interfaces/rest/request/LoginRequest.java |   8 +
 .../rest/request/RefreshTokenRequest.java     |   6 +
 .../rest/request/RegisterRequest.java         |  28 ++
 .../rest/response/AuthResponse.java           |  18 +
 .../nkcoder/controller/HealthController.java  |  22 -
 .../nkcoder/controller/UserController.java    |  96 -----
 .../org/nkcoder/dto/auth/AuthResponse.java    |   5 -
 .../java/org/nkcoder/dto/auth/AuthTokens.java |   3 -
 .../org/nkcoder/dto/auth/LoginRequest.java    |  12 -
 .../nkcoder/dto/auth/RefreshTokenRequest.java |   8 -
 .../org/nkcoder/dto/auth/RegisterRequest.java |  35 --
 .../dto/user/ChangePasswordRequest.java       |  20 -
 .../dto/user/UpdateProfileRequest.java        |  13 -
 .../org/nkcoder/dto/user/UserResponse.java    |  15 -
 .../java/org/nkcoder/entity/RefreshToken.java | 119 ------
 src/main/java/org/nkcoder/entity/User.java    | 191 ---------
 src/main/java/org/nkcoder/enums/Role.java     |   6 -
 .../exception/AuthenticationException.java    |  12 -
 .../exception/GlobalExceptionHandler.java     | 113 -----
 .../exception/ResourceNotFoundException.java  |  12 -
 .../exception/ValidationException.java        |  12 -
 .../org/nkcoder/grpc/AuthGrpcService.java     |  90 ----
 .../java/org/nkcoder/grpc/GrpcMapper.java     |  45 --
 .../config/CorsProperties.java                |   2 +-
 .../config/JpaAuditingConfig.java             |   2 +-
 .../config/JwtProperties.java                 |   2 +-
 .../config/ObservabilityConfig.java           |   2 +-
 .../config/OpenApiConfig.java                 |   2 +-
 .../config/SecurityConfig.java                |  27 +-
 .../config/WebConfig.java                     |   4 +-
 .../resolver/CurrentUserArgumentResolver.java |   6 +-
 .../security/JwtAuthenticationEntryPoint.java |   4 +-
 .../security/JwtAuthenticationFilter.java     |   8 +-
 .../java/org/nkcoder/mapper/UserMapper.java   |  33 --
 .../repository/RefreshTokenRepository.java    |  42 --
 .../nkcoder/repository/UserRepository.java    |  27 --
 .../java/org/nkcoder/service/AuthService.java | 213 ----------
 .../java/org/nkcoder/service/UserService.java | 128 ------
 .../kernel/domain/event/DomainEvent.java      |  16 +
 .../domain/event/DomainEventPublisher.java    |  11 +
 .../domain/valueobject/AggregateRoot.java     |  34 ++
 .../kernel/domain/valueobject/Email.java      |  27 ++
 .../exception/AuthenticationException.java    |  16 +
 .../kernel/exception/DomainException.java     |  16 +
 .../exception/ResourceNotFoundException.java  |  16 +
 .../kernel/exception/ValidationException.java |  16 +
 .../local}/annotation/CurrentUser.java        |   2 +-
 .../event/SpringDomainEventPublisher.java     |  25 ++
 .../local/rest}/ApiResponse.java              |   2 +-
 .../local/rest/GlobalExceptionHandler.java    |  75 ++++
 .../local}/validation/PasswordMatch.java      |   2 +-
 .../validation/PasswordMatchValidator.java    |   2 +-
 .../command/AdminResetPasswordCommand.java    |   6 +
 .../dto/command/AdminUpdateUserCommand.java   |   6 +
 .../dto/command/ChangePasswordCommand.java    |   6 +
 .../dto/command/UpdateProfileCommand.java     |   6 +
 .../application/dto/response/UserDto.java     |  29 ++
 .../eventhandler/AuthEventHandler.java        |  84 ++++
 .../application/port/AuthContextPort.java     |  27 ++
 .../service/UserCommandService.java           | 120 ++++++
 .../application/service/UserQueryService.java |  51 +++
 .../domain/event/UserProfileUpdatedEvent.java |  28 ++
 .../org/nkcoder/user/domain/model/User.java   | 139 +++++++
 .../org/nkcoder/user/domain/model/UserId.java |  29 ++
 .../nkcoder/user/domain/model/UserName.java   |  34 ++
 .../nkcoder/user/domain/model/UserRole.java   |  11 +
 .../domain/repository/UserRepository.java     |  32 ++
 .../adapter/AuthContextAdapter.java           |  56 +++
 .../persistence/entity/UserJpaEntity.java     | 151 +++++++
 .../mapper/UserPersistenceMapper.java         |  43 ++
 .../repository/UserJpaRepository.java         |  22 +
 .../repository/UserRepositoryAdapter.java     |  61 +++
 .../interfaces/rest/AdminUserController.java  |  84 ++++
 .../user/interfaces/rest/UserController.java  |  74 ++++
 .../rest/mapper/UserRequestMapper.java        |  33 ++
 .../request/AdminResetPasswordRequest.java    |  14 +
 .../rest/request/AdminUpdateUserRequest.java  |   9 +
 .../rest/request/ChangePasswordRequest.java   |  18 +
 .../rest/request/UpdateProfileRequest.java    |   8 +
 .../rest/response/UserResponse.java           |  29 ++
 .../validation/ValidationMessages.java        |  37 --
 .../controller/AuthControllerTest.java        | 356 ----------------
 .../controller/BaseControllerTest.java        |  21 -
 .../controller/UserControllerTest.java        | 265 ------------
 .../nkcoder/entity/RefreshTokenFactory.java   |  50 ---
 .../org/nkcoder/entity/UserTestFactory.java   |  73 ----
 .../config/DataJpaIntegrationTest.java        |   2 +-
 .../config/IntegrationTest.java               |   2 +-
 .../config/TestContainersConfiguration.java   |   2 +-
 .../AuthControllerIntegrationTest.java        |  63 ++-
 .../integration/AuthFlowIntegrationTest.java  |  62 +--
 .../RefreshTokenRepositoryTest.java           | 211 ----------
 .../repository/UserRepositoryTest.java        | 166 --------
 .../org/nkcoder/service/AuthServiceTest.java  | 392 ------------------
 .../org/nkcoder/service/UserServiceTest.java  | 295 -------------
 129 files changed, 3503 insertions(+), 3273 deletions(-)
 create mode 100644 docs/ddd_plan.md
 create mode 100644 src/main/java/org/nkcoder/auth/application/dto/command/LoginCommand.java
 create mode 100644 src/main/java/org/nkcoder/auth/application/dto/command/RefreshTokenCommand.java
 create mode 100644 src/main/java/org/nkcoder/auth/application/dto/command/RegisterCommand.java
 create mode 100644 src/main/java/org/nkcoder/auth/application/dto/response/AuthResult.java
 create mode 100644 src/main/java/org/nkcoder/auth/application/service/AuthApplicationService.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/event/UserLoggedInEvent.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/event/UserRegisteredEvent.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/AuthRole.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/AuthUser.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/AuthUserId.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/HashedPassword.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/RefreshToken.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/TokenFamily.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/model/TokenPair.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/repository/AuthUserRepository.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/repository/RefreshTokenRepository.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/service/PasswordEncoder.java
 create mode 100644 src/main/java/org/nkcoder/auth/domain/service/TokenGenerator.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/AuthUserJpaEntity.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/RefreshTokenJpaEntity.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/AuthUserPersistenceMapper.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/RefreshTokenPersistenceMapper.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserJpaRepository.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserRepositoryAdapter.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenJpaRepository.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenRepositoryAdapter.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/security/BcryptPasswordEncoderAdapter.java
 create mode 100644 src/main/java/org/nkcoder/auth/infrastructure/security/JwtTokenGeneratorAdapter.java
 rename src/main/java/org/nkcoder/{util => auth/infrastructure/security}/JwtUtil.java (94%)
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/grpc/AuthGrpcService.java
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/grpc/GrpcAuthMapper.java
 rename src/main/java/org/nkcoder/{controller => auth/interfaces/rest}/AuthController.java (51%)
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/rest/mapper/AuthRequestMapper.java
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/rest/request/LoginRequest.java
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/rest/request/RefreshTokenRequest.java
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/rest/request/RegisterRequest.java
 create mode 100644 src/main/java/org/nkcoder/auth/interfaces/rest/response/AuthResponse.java
 delete mode 100644 src/main/java/org/nkcoder/controller/HealthController.java
 delete mode 100644 src/main/java/org/nkcoder/controller/UserController.java
 delete mode 100644 src/main/java/org/nkcoder/dto/auth/AuthResponse.java
 delete mode 100644 src/main/java/org/nkcoder/dto/auth/AuthTokens.java
 delete mode 100644 src/main/java/org/nkcoder/dto/auth/LoginRequest.java
 delete mode 100644 src/main/java/org/nkcoder/dto/auth/RefreshTokenRequest.java
 delete mode 100644 src/main/java/org/nkcoder/dto/auth/RegisterRequest.java
 delete mode 100644 src/main/java/org/nkcoder/dto/user/ChangePasswordRequest.java
 delete mode 100644 src/main/java/org/nkcoder/dto/user/UpdateProfileRequest.java
 delete mode 100644 src/main/java/org/nkcoder/dto/user/UserResponse.java
 delete mode 100644 src/main/java/org/nkcoder/entity/RefreshToken.java
 delete mode 100644 src/main/java/org/nkcoder/entity/User.java
 delete mode 100644 src/main/java/org/nkcoder/enums/Role.java
 delete mode 100644 src/main/java/org/nkcoder/exception/AuthenticationException.java
 delete mode 100644 src/main/java/org/nkcoder/exception/GlobalExceptionHandler.java
 delete mode 100644 src/main/java/org/nkcoder/exception/ResourceNotFoundException.java
 delete mode 100644 src/main/java/org/nkcoder/exception/ValidationException.java
 delete mode 100644 src/main/java/org/nkcoder/grpc/AuthGrpcService.java
 delete mode 100644 src/main/java/org/nkcoder/grpc/GrpcMapper.java
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/CorsProperties.java (96%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/JpaAuditingConfig.java (82%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/JwtProperties.java (97%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/ObservabilityConfig.java (96%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/OpenApiConfig.java (97%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/SecurityConfig.java (85%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/config/WebConfig.java (85%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/resolver/CurrentUserArgumentResolver.java (87%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/security/JwtAuthenticationEntryPoint.java (95%)
 rename src/main/java/org/nkcoder/{ => infrastructure}/security/JwtAuthenticationFilter.java (95%)
 delete mode 100644 src/main/java/org/nkcoder/mapper/UserMapper.java
 delete mode 100644 src/main/java/org/nkcoder/repository/RefreshTokenRepository.java
 delete mode 100644 src/main/java/org/nkcoder/repository/UserRepository.java
 delete mode 100644 src/main/java/org/nkcoder/service/AuthService.java
 delete mode 100644 src/main/java/org/nkcoder/service/UserService.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEvent.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEventPublisher.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/domain/valueobject/AggregateRoot.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/domain/valueobject/Email.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/exception/AuthenticationException.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/exception/DomainException.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/exception/ResourceNotFoundException.java
 create mode 100644 src/main/java/org/nkcoder/shared/kernel/exception/ValidationException.java
 rename src/main/java/org/nkcoder/{ => shared/local}/annotation/CurrentUser.java (94%)
 create mode 100644 src/main/java/org/nkcoder/shared/local/event/SpringDomainEventPublisher.java
 rename src/main/java/org/nkcoder/{dto/common => shared/local/rest}/ApiResponse.java (93%)
 create mode 100644 src/main/java/org/nkcoder/shared/local/rest/GlobalExceptionHandler.java
 rename src/main/java/org/nkcoder/{ => shared/local}/validation/PasswordMatch.java (92%)
 rename src/main/java/org/nkcoder/{ => shared/local}/validation/PasswordMatchValidator.java (97%)
 create mode 100644 src/main/java/org/nkcoder/user/application/dto/command/AdminResetPasswordCommand.java
 create mode 100644 src/main/java/org/nkcoder/user/application/dto/command/AdminUpdateUserCommand.java
 create mode 100644 src/main/java/org/nkcoder/user/application/dto/command/ChangePasswordCommand.java
 create mode 100644 src/main/java/org/nkcoder/user/application/dto/command/UpdateProfileCommand.java
 create mode 100644 src/main/java/org/nkcoder/user/application/dto/response/UserDto.java
 create mode 100644 src/main/java/org/nkcoder/user/application/eventhandler/AuthEventHandler.java
 create mode 100644 src/main/java/org/nkcoder/user/application/port/AuthContextPort.java
 create mode 100644 src/main/java/org/nkcoder/user/application/service/UserCommandService.java
 create mode 100644 src/main/java/org/nkcoder/user/application/service/UserQueryService.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/event/UserProfileUpdatedEvent.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/model/User.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/model/UserId.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/model/UserName.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/model/UserRole.java
 create mode 100644 src/main/java/org/nkcoder/user/domain/repository/UserRepository.java
 create mode 100644 src/main/java/org/nkcoder/user/infrastructure/adapter/AuthContextAdapter.java
 create mode 100644 src/main/java/org/nkcoder/user/infrastructure/persistence/entity/UserJpaEntity.java
 create mode 100644 src/main/java/org/nkcoder/user/infrastructure/persistence/mapper/UserPersistenceMapper.java
 create mode 100644 src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserJpaRepository.java
 create mode 100644 src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserRepositoryAdapter.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/AdminUserController.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/UserController.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/mapper/UserRequestMapper.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/request/AdminResetPasswordRequest.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/request/AdminUpdateUserRequest.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/request/ChangePasswordRequest.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/request/UpdateProfileRequest.java
 create mode 100644 src/main/java/org/nkcoder/user/interfaces/rest/response/UserResponse.java
 delete mode 100644 src/main/java/org/nkcoder/validation/ValidationMessages.java
 delete mode 100644 src/test/java/org/nkcoder/controller/AuthControllerTest.java
 delete mode 100644 src/test/java/org/nkcoder/controller/BaseControllerTest.java
 delete mode 100644 src/test/java/org/nkcoder/controller/UserControllerTest.java
 delete mode 100644 src/test/java/org/nkcoder/entity/RefreshTokenFactory.java
 delete mode 100644 src/test/java/org/nkcoder/entity/UserTestFactory.java
 rename src/test/java/org/nkcoder/{ => infrastructure}/config/DataJpaIntegrationTest.java (95%)
 rename src/test/java/org/nkcoder/{ => infrastructure}/config/IntegrationTest.java (95%)
 rename src/test/java/org/nkcoder/{ => infrastructure}/config/TestContainersConfiguration.java (97%)
 delete mode 100644 src/test/java/org/nkcoder/repository/RefreshTokenRepositoryTest.java
 delete mode 100644 src/test/java/org/nkcoder/repository/UserRepositoryTest.java
 delete mode 100644 src/test/java/org/nkcoder/service/AuthServiceTest.java
 delete mode 100644 src/test/java/org/nkcoder/service/UserServiceTest.java

diff --git a/docs/ddd_plan.md b/docs/ddd_plan.md
new file mode 100644
index 0000000..b840a81
--- /dev/null
+++ b/docs/ddd_plan.md
@@ -0,0 +1,347 @@
+## Summary
+
+This plan will refactor your application from a layered architecture to Domain-Driven Design with:
+
+1. Two bounded contexts: auth/ and user/ - each with full DDD layers (domain → application →
+   infrastructure → interfaces)
+2. Separate User representations:
+    - AuthUser in auth context: id, email, password, role (focused on authentication)
+    - User in user context: id, email, name, role, profile data (focused on management)
+    - Both map to the same users database table
+3. Clean architecture per context:
+    - Domain layer: Pure business logic, no framework dependencies
+    - Application layer: Use cases, commands/queries
+    - Infrastructure layer: JPA, external adapters
+    - Interfaces layer: REST controllers, gRPC
+4. 6 migration phases - incremental approach, tests run after each phase
+5. Test structure mirrors source - organized by domain and layer
+
+This structure makes it straightforward to extract each bounded context into a microservice later -
+just pull out the auth/ or user/ package with minimal changes.
+
+## DDD Refactoring Plan
+
+Overview
+
+Refactor from layered architecture to Domain-Driven Design with:
+
+- Full DDD tactical patterns (domain/application/infrastructure/interfaces layers)
+- Separate domain models per bounded context (Auth and User have their own User representations)
+- Mirrored test structure
+
+Target Package Structure
+
+org.nkcoder/
+├── auth/ # Auth Bounded Context
+│ ├── domain/
+│ │ ├── model/
+│ │ │ ├── AuthUser.java # Auth's user (id, email, password, role)
+│ │ │ ├── RefreshToken.java
+│ │ │ ├── TokenFamily.java # Value object
+│ │ │ └── TokenPair.java # Value object
+│ │ ├── repository/
+│ │ │ ├── AuthUserRepository.java # Port (interface)
+│ │ │ └── RefreshTokenRepository.java
+│ │ ├── service/
+│ │ │ ├── PasswordEncoder.java # Domain service interface
+│ │ │ └── TokenGenerator.java # Domain service interface
+│ │ └── event/
+│ │ ├── UserRegisteredEvent.java
+│ │ └── UserLoggedInEvent.java
+│ │
+│ ├── application/
+│ │ ├── service/
+│ │ │ └── AuthApplicationService.java
+│ │ ├── dto/
+│ │ │ ├── command/ # RegisterCommand, LoginCommand, etc.
+│ │ │ └── response/ # AuthResult, TokenResponse
+│ │ ├── mapper/
+│ │ │ └── AuthDtoMapper.java
+│ │ └── port/
+│ │ └── UserContextPort.java # Cross-context communication
+│ │
+│ ├── infrastructure/
+│ │ ├── persistence/
+│ │ │ ├── entity/AuthUserJpaEntity.java
+│ │ │ ├── repository/AuthUserJpaRepository.java
+│ │ │ ├── repository/AuthUserRepositoryAdapter.java
+│ │ │ └── mapper/AuthUserPersistenceMapper.java
+│ │ ├── security/
+│ │ │ ├── JwtTokenGenerator.java
+│ │ │ ├── BcryptPasswordEncoder.java
+│ │ │ └── JwtProperties.java
+│ │ └── adapter/
+│ │ └── UserContextAdapter.java
+│ │
+│ └── interfaces/
+│ ├── rest/
+│ │ ├── AuthController.java
+│ │ ├── request/ # RegisterRequest, LoginRequest
+│ │ └── response/AuthApiResponse.java
+│ └── grpc/
+│ ├── AuthGrpcService.java
+│ └── GrpcAuthMapper.java
+│
+├── user/ # User Bounded Context
+│ ├── domain/
+│ │ ├── model/
+│ │ │ ├── User.java # User's user (id, email, name, profile)
+│ │ │ ├── UserId.java
+│ │ │ ├── UserName.java # Value object
+│ │ │ └── UserRole.java
+│ │ ├── repository/
+│ │ │ └── UserRepository.java # Port (interface)
+│ │ └── event/
+│ │ └── UserProfileUpdatedEvent.java
+│ │
+│ ├── application/
+│ │ ├── service/
+│ │ │ ├── UserQueryService.java
+│ │ │ └── UserCommandService.java
+│ │ ├── dto/
+│ │ │ ├── command/ # UpdateProfileCommand, ChangePasswordCommand
+│ │ │ └── response/UserDto.java
+│ │ ├── mapper/
+│ │ │ └── UserDtoMapper.java
+│ │ └── port/
+│ │ └── AuthContextPort.java # For password operations
+│ │
+│ ├── infrastructure/
+│ │ ├── persistence/
+│ │ │ ├── entity/UserJpaEntity.java
+│ │ │ ├── repository/UserJpaRepository.java
+│ │ │ ├── repository/UserRepositoryAdapter.java
+│ │ │ └── mapper/UserPersistenceMapper.java
+│ │ └── adapter/
+│ │ └── AuthContextAdapter.java
+│ │
+│ └── interfaces/
+│ └── rest/
+│ ├── UserController.java
+│ ├── AdminUserController.java
+│ ├── request/ # UpdateProfileRequest, ChangePasswordRequest
+│ └── response/UserApiResponse.java
+│
+├── shared/ # Shared Kernel
+│ ├── domain/
+│ │ ├── valueobject/
+│ │ │ ├── Email.java # Shared value object
+│ │ │ └── AggregateRoot.java
+│ │ └── event/
+│ │ ├── DomainEvent.java
+│ │ └── DomainEventPublisher.java
+│ │
+│ ├── application/
+│ │ └── validation/
+│ │ ├── PasswordMatch.java
+│ │ └── PasswordMatchValidator.java
+│ │
+│ ├── infrastructure/
+│ │ └── event/
+│ │ └── SpringDomainEventPublisher.java
+│ │
+│ └── interfaces/
+│ └── rest/
+│ ├── ApiResponse.java
+│ ├── GlobalExceptionHandler.java
+│ └── HealthController.java
+│
+└── infrastructure/ # Cross-cutting
+├── config/
+│ ├── SecurityConfig.java
+│ ├── WebConfig.java
+│ ├── OpenApiConfig.java
+│ └── JpaAuditingConfig.java
+├── security/
+│ ├── JwtAuthenticationFilter.java
+│ └── JwtAuthenticationEntryPoint.java
+└── resolver/
+└── CurrentUserArgumentResolver.java
+
+## Domain Model Design
+
+Auth Domain - AuthUser (minimal for authentication)
+
+```java
+public class AuthUser {
+   private final AuthUserId id;
+   private final Email email;
+   private HashedPassword password;
+   private final AuthRole role;
+   private LocalDateTime lastLoginAt;
+}
+```
+
+User Domain - User (rich for profile management)
+
+```java
+public class User extends AggregateRoot<UserId> {
+   private final UserId id;
+   private Email email;
+   private UserName name;
+   private final UserRole role;
+   private boolean emailVerified;
+   private LocalDateTime lastLoginAt;
+   private final LocalDateTime createdAt;
+   private LocalDateTime updatedAt;
+}
+```
+
+Database Strategy
+
+- Single users table shared by both contexts
+- Auth reads: id, email, password, role, last_login_at
+- User reads: id, email, name, role, email_verified, timestamps
+- Each context has its own JPA entity mapping the same table
+
+Test Structure
+
+src/test/java/org/nkcoder/
+├── auth/
+│ ├── domain/model/ # AuthUserTest, RefreshTokenTest, EmailTest
+│ ├── application/service/ # AuthApplicationServiceTest
+│ ├── infrastructure/ # Repository adapter tests
+│ └── interfaces/rest/ # AuthControllerTest
+├── user/
+│ ├── domain/model/ # UserTest, UserNameTest
+│ ├── application/service/ # UserQueryServiceTest, UserCommandServiceTest
+│ ├── infrastructure/ # Repository adapter tests
+│ └── interfaces/rest/ # UserControllerTest, AdminUserControllerTest
+├── shared/
+│ └── domain/ # Value object tests
+├── integration/
+│ ├── AuthFlowIntegrationTest.java
+│ └── UserFlowIntegrationTest.java
+└── fixture/ # Test factories
+
+Migration Phases
+
+Phase 1: Foundation (No Breaking Changes)
+
+1. Create shared kernel:
+
+- shared/domain/valueobject/Email.java
+- shared/domain/valueobject/AggregateRoot.java
+- shared/domain/event/DomainEvent.java
+- shared/domain/event/DomainEventPublisher.java
+
+2. Create shared interfaces:
+
+- Move ApiResponse to shared/interfaces/rest/
+- Move GlobalExceptionHandler to shared/interfaces/rest/
+
+3. Run tests to verify
+
+Phase 2: Auth Domain
+
+1. Create auth domain model:
+
+- auth/domain/model/AuthUser.java
+- auth/domain/model/RefreshToken.java (move & refactor)
+- auth/domain/model/TokenFamily.java
+- auth/domain/repository/AuthUserRepository.java (interface)
+- auth/domain/repository/RefreshTokenRepository.java (interface)
+- auth/domain/service/PasswordEncoder.java (interface)
+- auth/domain/service/TokenGenerator.java (interface)
+
+2. Create auth application layer:
+
+- auth/application/service/AuthApplicationService.java
+- auth/application/dto/command/*
+- auth/application/dto/response/*
+
+3. Create auth infrastructure:
+
+- auth/infrastructure/persistence/entity/AuthUserJpaEntity.java
+- auth/infrastructure/persistence/repository/AuthUserRepositoryAdapter.java
+- auth/infrastructure/security/JwtTokenGenerator.java
+- auth/infrastructure/security/BcryptPasswordEncoder.java
+
+4. Move AuthController to auth/interfaces/rest/
+5. Move gRPC to auth/interfaces/grpc/
+6. Migrate auth tests
+
+Phase 3: User Domain
+
+1. Create user domain model:
+
+- user/domain/model/User.java
+- user/domain/model/UserId.java
+- user/domain/model/UserName.java
+- user/domain/repository/UserRepository.java (interface)
+
+2. Create user application layer:
+
+- user/application/service/UserQueryService.java
+- user/application/service/UserCommandService.java
+- user/application/dto/*
+
+3. Create user infrastructure:
+
+- user/infrastructure/persistence/entity/UserJpaEntity.java
+- user/infrastructure/persistence/repository/UserRepositoryAdapter.java
+
+4. Move UserController, AdminUserController to user/interfaces/rest/
+5. Migrate user tests
+
+Phase 4: Cross-Context Communication
+
+1. Implement ports and adapters for context communication:
+
+- auth/application/port/UserContextPort.java
+- auth/infrastructure/adapter/UserContextAdapter.java
+- user/application/port/AuthContextPort.java
+
+2. Add domain events:
+
+- auth/domain/event/UserRegisteredEvent.java
+- Event listeners in user context
+
+3. Integration tests for cross-context flows
+
+Phase 5: Infrastructure Consolidation
+
+1. Move configs to infrastructure/config/
+2. Move security filters to infrastructure/security/
+3. Move resolvers to infrastructure/resolver/
+
+Phase 6: Cleanup
+
+1. Delete old packages: controller/, service/, repository/, entity/, dto/, mapper/, util/,
+   validation/,
+   annotation/, enums/, exception/
+2. Update all imports
+3. Update CLAUDE.md documentation
+4. Full test suite verification
+
+Key Files to Modify/Create
+
+New Files (Core)
+
+- auth/domain/model/AuthUser.java
+- auth/domain/model/RefreshToken.java
+- auth/application/service/AuthApplicationService.java
+- auth/infrastructure/persistence/entity/AuthUserJpaEntity.java
+- user/domain/model/User.java
+- user/application/service/UserQueryService.java
+- user/application/service/UserCommandService.java
+- user/infrastructure/persistence/entity/UserJpaEntity.java
+- shared/domain/valueobject/Email.java
+- shared/domain/event/DomainEvent.java
+
+Files to Move & Refactor
+
+- entity/User.java → Split into AuthUser and User domain models
+- entity/RefreshToken.java → auth/domain/model/RefreshToken.java
+- service/AuthService.java → auth/application/service/AuthApplicationService.java
+- service/UserService.java → Split into UserQueryService + UserCommandService
+- repository/UserRepository.java → Split into domain ports + JPA adapters
+- controller/AuthController.java → auth/interfaces/rest/AuthController.java
+- controller/UserController.java → user/interfaces/rest/UserController.java
+- util/JwtUtil.java → auth/infrastructure/security/JwtTokenGenerator.java
+
+Files to Keep (with path changes)
+
+- config/* → infrastructure/config/*
+- security/* → infrastructure/security/*
+- exception/GlobalExceptionHandler.java → shared/interfaces/rest/
\ No newline at end of file
diff --git a/src/main/java/org/nkcoder/auth/application/dto/command/LoginCommand.java b/src/main/java/org/nkcoder/auth/application/dto/command/LoginCommand.java
new file mode 100644
index 0000000..5efcbef
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/application/dto/command/LoginCommand.java
@@ -0,0 +1,4 @@
+package org.nkcoder.auth.application.dto.command;
+
+/** Command for user login. */
+public record LoginCommand(String email, String password) {}
diff --git a/src/main/java/org/nkcoder/auth/application/dto/command/RefreshTokenCommand.java b/src/main/java/org/nkcoder/auth/application/dto/command/RefreshTokenCommand.java
new file mode 100644
index 0000000..abdcad8
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/application/dto/command/RefreshTokenCommand.java
@@ -0,0 +1,4 @@
+package org.nkcoder.auth.application.dto.command;
+
+/** Command for refreshing access tokens. */
+public record RefreshTokenCommand(String refreshToken) {}
diff --git a/src/main/java/org/nkcoder/auth/application/dto/command/RegisterCommand.java b/src/main/java/org/nkcoder/auth/application/dto/command/RegisterCommand.java
new file mode 100644
index 0000000..55fff07
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/application/dto/command/RegisterCommand.java
@@ -0,0 +1,11 @@
+package org.nkcoder.auth.application.dto.command;
+
+import org.nkcoder.auth.domain.model.AuthRole;
+
+/** Command for user registration. */
+public record RegisterCommand(String email, String password, String name, AuthRole role) {
+
+  public RegisterCommand(String email, String password, String name) {
+    this(email, password, name, AuthRole.MEMBER);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/application/dto/response/AuthResult.java b/src/main/java/org/nkcoder/auth/application/dto/response/AuthResult.java
new file mode 100644
index 0000000..7c2379d
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/application/dto/response/AuthResult.java
@@ -0,0 +1,14 @@
+package org.nkcoder.auth.application.dto.response;
+
+import java.util.UUID;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.domain.model.TokenPair;
+
+/** Result of authentication operations (register, login, refresh). */
+public record AuthResult(
+    UUID userId, String email, AuthRole role, String accessToken, String refreshToken) {
+
+  public static AuthResult of(UUID userId, String email, AuthRole role, TokenPair tokens) {
+    return new AuthResult(userId, email, role, tokens.accessToken(), tokens.refreshToken());
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/application/service/AuthApplicationService.java b/src/main/java/org/nkcoder/auth/application/service/AuthApplicationService.java
new file mode 100644
index 0000000..8bb9a6f
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/application/service/AuthApplicationService.java
@@ -0,0 +1,221 @@
+package org.nkcoder.auth.application.service;
+
+import org.nkcoder.auth.application.dto.command.LoginCommand;
+import org.nkcoder.auth.application.dto.command.RefreshTokenCommand;
+import org.nkcoder.auth.application.dto.command.RegisterCommand;
+import org.nkcoder.auth.application.dto.response.AuthResult;
+import org.nkcoder.auth.domain.event.UserLoggedInEvent;
+import org.nkcoder.auth.domain.event.UserRegisteredEvent;
+import org.nkcoder.auth.domain.model.AuthUser;
+import org.nkcoder.auth.domain.model.RefreshToken;
+import org.nkcoder.auth.domain.model.TokenFamily;
+import org.nkcoder.auth.domain.model.TokenPair;
+import org.nkcoder.auth.domain.repository.AuthUserRepository;
+import org.nkcoder.auth.domain.repository.RefreshTokenRepository;
+import org.nkcoder.auth.domain.service.PasswordEncoder;
+import org.nkcoder.auth.domain.service.TokenGenerator;
+import org.nkcoder.shared.kernel.domain.event.DomainEventPublisher;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.shared.kernel.exception.AuthenticationException;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Isolation;
+import org.springframework.transaction.annotation.Transactional;
+
+/**
+ * Application service for authentication use cases. Orchestrates domain objects and infrastructure
+ * services.
+ */
+@Service
+@Transactional
+public class AuthApplicationService {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthApplicationService.class);
+
+  public static final String USER_ALREADY_EXISTS = "User already exists";
+  public static final String INVALID_CREDENTIALS = "Invalid email or password";
+  public static final String INVALID_REFRESH_TOKEN = "Invalid refresh token";
+  public static final String REFRESH_TOKEN_EXPIRED = "Refresh token expired";
+  public static final String USER_NOT_FOUND = "User not found";
+
+  private final AuthUserRepository authUserRepository;
+  private final RefreshTokenRepository refreshTokenRepository;
+  private final PasswordEncoder passwordEncoder;
+  private final TokenGenerator tokenGenerator;
+  private final DomainEventPublisher eventPublisher;
+
+  public AuthApplicationService(
+      AuthUserRepository authUserRepository,
+      RefreshTokenRepository refreshTokenRepository,
+      PasswordEncoder passwordEncoder,
+      TokenGenerator tokenGenerator,
+      DomainEventPublisher eventPublisher) {
+    this.authUserRepository = authUserRepository;
+    this.refreshTokenRepository = refreshTokenRepository;
+    this.passwordEncoder = passwordEncoder;
+    this.tokenGenerator = tokenGenerator;
+    this.eventPublisher = eventPublisher;
+  }
+
+  public AuthResult register(RegisterCommand command) {
+    logger.debug("Registering new user with email: {}", command.email());
+
+    Email email = Email.of(command.email());
+
+    // Check if user already exists
+    if (authUserRepository.existsByEmail(email)) {
+      throw new ValidationException(USER_ALREADY_EXISTS);
+    }
+
+    // Create auth user
+    AuthUser authUser =
+        AuthUser.register(
+            email, passwordEncoder.encode(command.password()), command.name(), command.role());
+
+    authUser = authUserRepository.save(authUser);
+    logger.debug("Auth user registered with ID: {}", authUser.getId().value());
+
+    // Publish domain event (replaces direct UserContextPort call for decoupled communication)
+    eventPublisher.publish(
+        new UserRegisteredEvent(authUser.getId(), email, command.name(), authUser.getRole()));
+
+    // Generate tokens
+    TokenFamily tokenFamily = TokenFamily.generate();
+    TokenPair tokens =
+        tokenGenerator.generateTokenPair(authUser.getId(), email, authUser.getRole(), tokenFamily);
+
+    // Save refresh token
+    saveRefreshToken(tokens.refreshToken(), authUser, tokenFamily);
+
+    return AuthResult.of(
+        authUser.getId().value(), authUser.getEmail().value(), authUser.getRole(), tokens);
+  }
+
+  public AuthResult login(LoginCommand command) {
+    logger.debug("Logging in user with email: {}", command.email());
+
+    Email email = Email.of(command.email());
+
+    AuthUser authUser =
+        authUserRepository
+            .findByEmail(email)
+            .orElseThrow(() -> new AuthenticationException(INVALID_CREDENTIALS));
+
+    // Check password
+    if (!passwordEncoder.matches(command.password(), authUser.getPassword())) {
+      throw new AuthenticationException(INVALID_CREDENTIALS);
+    }
+
+    // Update last login
+    authUserRepository.updateLastLoginAt(authUser.getId(), java.time.LocalDateTime.now());
+
+    // Publish domain event
+    eventPublisher.publish(new UserLoggedInEvent(authUser.getId(), authUser.getEmail()));
+
+    // Generate tokens
+    TokenFamily tokenFamily = TokenFamily.generate();
+    TokenPair tokens =
+        tokenGenerator.generateTokenPair(authUser.getId(), email, authUser.getRole(), tokenFamily);
+
+    // Save refresh token
+    saveRefreshToken(tokens.refreshToken(), authUser, tokenFamily);
+
+    logger.debug("User logged in successfully: {}", authUser.getId().value());
+    return AuthResult.of(
+        authUser.getId().value(), authUser.getEmail().value(), authUser.getRole(), tokens);
+  }
+
+  @Transactional(isolation = Isolation.SERIALIZABLE)
+  public AuthResult refreshTokens(RefreshTokenCommand command) {
+    logger.debug("Refreshing tokens");
+
+    try {
+      // Validate refresh token
+      TokenGenerator.RefreshTokenClaims claims =
+          tokenGenerator.validateRefreshToken(command.refreshToken());
+
+      // Get stored refresh token with lock
+      RefreshToken storedToken =
+          refreshTokenRepository
+              .findByTokenForUpdate(command.refreshToken())
+              .orElseThrow(() -> new AuthenticationException(INVALID_REFRESH_TOKEN));
+
+      // Check if token is expired
+      if (storedToken.isExpired()) {
+        refreshTokenRepository.deleteByToken(command.refreshToken());
+        throw new AuthenticationException(REFRESH_TOKEN_EXPIRED);
+      }
+
+      AuthUser authUser =
+          authUserRepository
+              .findById(claims.userId())
+              .orElseThrow(() -> new AuthenticationException(USER_NOT_FOUND));
+
+      // Delete old token
+      refreshTokenRepository.deleteByToken(command.refreshToken());
+
+      // Generate new tokens with same token family
+      TokenPair tokens =
+          tokenGenerator.generateTokenPair(
+              authUser.getId(), authUser.getEmail(), authUser.getRole(), claims.tokenFamily());
+
+      // Save new refresh token
+      saveRefreshToken(tokens.refreshToken(), authUser, claims.tokenFamily());
+
+      logger.debug("Tokens refreshed successfully for user: {}", authUser.getId().value());
+      return AuthResult.of(
+          authUser.getId().value(), authUser.getEmail().value(), authUser.getRole(), tokens);
+
+    } catch (AuthenticationException e) {
+      throw e;
+    } catch (Exception e) {
+      logger.error("Invalid refresh token: {}", e.getMessage());
+
+      // If refresh token is invalid, try to delete the token family
+      refreshTokenRepository
+          .findByToken(command.refreshToken())
+          .ifPresent(
+              storedToken ->
+                  refreshTokenRepository.deleteByTokenFamily(storedToken.getTokenFamily()));
+
+      throw new AuthenticationException(INVALID_REFRESH_TOKEN);
+    }
+  }
+
+  public void logout(String refreshToken) {
+    logger.debug("Logging out user (all devices)");
+
+    refreshTokenRepository
+        .findByToken(refreshToken)
+        .ifPresent(
+            storedToken -> {
+              // Delete entire token family (logout from all devices)
+              refreshTokenRepository.deleteByTokenFamily(storedToken.getTokenFamily());
+              logger.debug(
+                  "Logged out from all devices for token family: {}",
+                  storedToken.getTokenFamily().value());
+            });
+  }
+
+  public void logoutSingle(String refreshToken) {
+    logger.debug("Logging out user (single device)");
+
+    // Delete only this refresh token (logout from current device)
+    refreshTokenRepository.deleteByToken(refreshToken);
+    logger.debug("Logged out from current device");
+  }
+
+  public void cleanupExpiredTokens() {
+    logger.debug("Cleaning up expired refresh tokens");
+    refreshTokenRepository.deleteExpiredTokens(java.time.LocalDateTime.now());
+  }
+
+  private void saveRefreshToken(String token, AuthUser authUser, TokenFamily tokenFamily) {
+    RefreshToken refreshToken =
+        RefreshToken.create(
+            token, tokenFamily, authUser.getId(), tokenGenerator.getRefreshTokenExpiry());
+    refreshTokenRepository.save(refreshToken);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/event/UserLoggedInEvent.java b/src/main/java/org/nkcoder/auth/domain/event/UserLoggedInEvent.java
new file mode 100644
index 0000000..8fb6649
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/event/UserLoggedInEvent.java
@@ -0,0 +1,20 @@
+package org.nkcoder.auth.domain.event;
+
+import java.time.LocalDateTime;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.shared.kernel.domain.event.DomainEvent;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+
+/** Domain event published when a user logs in. */
+public record UserLoggedInEvent(AuthUserId userId, Email email, LocalDateTime occurredOn)
+    implements DomainEvent {
+
+  public UserLoggedInEvent(AuthUserId userId, Email email) {
+    this(userId, email, LocalDateTime.now());
+  }
+
+  @Override
+  public String eventType() {
+    return "auth.user.logged_in";
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/event/UserRegisteredEvent.java b/src/main/java/org/nkcoder/auth/domain/event/UserRegisteredEvent.java
new file mode 100644
index 0000000..efa6139
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/event/UserRegisteredEvent.java
@@ -0,0 +1,22 @@
+package org.nkcoder.auth.domain.event;
+
+import java.time.LocalDateTime;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.shared.kernel.domain.event.DomainEvent;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+
+/** Domain event published when a new user registers. */
+public record UserRegisteredEvent(
+    AuthUserId userId, Email email, String name, AuthRole role, LocalDateTime occurredOn)
+    implements DomainEvent {
+
+  public UserRegisteredEvent(AuthUserId userId, Email email, String name, AuthRole role) {
+    this(userId, email, name, role, LocalDateTime.now());
+  }
+
+  @Override
+  public String eventType() {
+    return "auth.user.registered";
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/AuthRole.java b/src/main/java/org/nkcoder/auth/domain/model/AuthRole.java
new file mode 100644
index 0000000..69aba84
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/AuthRole.java
@@ -0,0 +1,7 @@
+package org.nkcoder.auth.domain.model;
+
+/** User roles for authorization in the Auth context. */
+public enum AuthRole {
+  MEMBER,
+  ADMIN
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/AuthUser.java b/src/main/java/org/nkcoder/auth/domain/model/AuthUser.java
new file mode 100644
index 0000000..0beaa5f
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/AuthUser.java
@@ -0,0 +1,87 @@
+package org.nkcoder.auth.domain.model;
+
+import java.time.LocalDateTime;
+import java.util.Objects;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+
+/**
+ * Auth domain's representation of a user. Contains authentication-related data plus the name
+ * (required for DB constraint). This is separate from the User domain's richer user model.
+ */
+public class AuthUser {
+
+  private final AuthUserId id;
+  private final Email email;
+  private HashedPassword password;
+  private final String name;
+  private final AuthRole role;
+  private LocalDateTime lastLoginAt;
+
+  private AuthUser(
+      AuthUserId id,
+      Email email,
+      HashedPassword password,
+      String name,
+      AuthRole role,
+      LocalDateTime lastLoginAt) {
+    this.id = Objects.requireNonNull(id, "id cannot be null");
+    this.email = Objects.requireNonNull(email, "email cannot be null");
+    this.password = Objects.requireNonNull(password, "password cannot be null");
+    this.name = Objects.requireNonNull(name, "name cannot be null");
+    this.role = role != null ? role : AuthRole.MEMBER;
+    this.lastLoginAt = lastLoginAt;
+  }
+
+  /** Factory method for creating a new user during registration. */
+  public static AuthUser register(
+      Email email, HashedPassword password, String name, AuthRole role) {
+    return new AuthUser(AuthUserId.generate(), email, password, name, role, null);
+  }
+
+  /** Factory method for reconstituting from persistence. */
+  public static AuthUser reconstitute(
+      AuthUserId id,
+      Email email,
+      HashedPassword password,
+      String name,
+      AuthRole role,
+      LocalDateTime lastLoginAt) {
+    return new AuthUser(id, email, password, name, role, lastLoginAt);
+  }
+
+  /** Records the current time as the last login time. */
+  public void recordLogin() {
+    this.lastLoginAt = LocalDateTime.now();
+  }
+
+  /** Changes the password to a new hashed password. */
+  public void changePassword(HashedPassword newPassword) {
+    this.password = Objects.requireNonNull(newPassword, "new password cannot be null");
+  }
+
+  // Getters
+
+  public AuthUserId getId() {
+    return id;
+  }
+
+  public Email getEmail() {
+    return email;
+  }
+
+  public HashedPassword getPassword() {
+    return password;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public AuthRole getRole() {
+    return role;
+  }
+
+  public LocalDateTime getLastLoginAt() {
+    return lastLoginAt;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/AuthUserId.java b/src/main/java/org/nkcoder/auth/domain/model/AuthUserId.java
new file mode 100644
index 0000000..7ed80f8
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/AuthUserId.java
@@ -0,0 +1,24 @@
+package org.nkcoder.auth.domain.model;
+
+import java.util.Objects;
+import java.util.UUID;
+
+/** Value object representing a user's unique identifier in the Auth context. */
+public record AuthUserId(UUID value) {
+
+  public AuthUserId {
+    Objects.requireNonNull(value, "AuthUserId value cannot be null");
+  }
+
+  public static AuthUserId generate() {
+    return new AuthUserId(UUID.randomUUID());
+  }
+
+  public static AuthUserId of(UUID value) {
+    return new AuthUserId(value);
+  }
+
+  public static AuthUserId of(String value) {
+    return new AuthUserId(UUID.fromString(value));
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/HashedPassword.java b/src/main/java/org/nkcoder/auth/domain/model/HashedPassword.java
new file mode 100644
index 0000000..3fed0ea
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/HashedPassword.java
@@ -0,0 +1,18 @@
+package org.nkcoder.auth.domain.model;
+
+import java.util.Objects;
+
+/** Value object representing a hashed password. Never contains raw passwords. */
+public record HashedPassword(String value) {
+
+  public HashedPassword {
+    Objects.requireNonNull(value, "Hashed password cannot be null");
+    if (value.isBlank()) {
+      throw new IllegalArgumentException("Hashed password cannot be blank");
+    }
+  }
+
+  public static HashedPassword of(String hashedValue) {
+    return new HashedPassword(hashedValue);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/RefreshToken.java b/src/main/java/org/nkcoder/auth/domain/model/RefreshToken.java
new file mode 100644
index 0000000..c56931f
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/RefreshToken.java
@@ -0,0 +1,83 @@
+package org.nkcoder.auth.domain.model;
+
+import java.time.LocalDateTime;
+import java.util.Objects;
+import java.util.UUID;
+
+/**
+ * Entity representing a refresh token. Refresh tokens are used to obtain new access tokens without
+ * re-authentication. They belong to a token family for multi-device logout support.
+ */
+public class RefreshToken {
+
+  private final UUID id;
+  private final String token;
+  private final TokenFamily tokenFamily;
+  private final AuthUserId userId;
+  private final LocalDateTime expiresAt;
+  private final LocalDateTime createdAt;
+
+  private RefreshToken(
+      UUID id,
+      String token,
+      TokenFamily tokenFamily,
+      AuthUserId userId,
+      LocalDateTime expiresAt,
+      LocalDateTime createdAt) {
+    this.id = Objects.requireNonNull(id, "id cannot be null");
+    this.token = Objects.requireNonNull(token, "token cannot be null");
+    this.tokenFamily = Objects.requireNonNull(tokenFamily, "tokenFamily cannot be null");
+    this.userId = Objects.requireNonNull(userId, "userId cannot be null");
+    this.expiresAt = Objects.requireNonNull(expiresAt, "expiresAt cannot be null");
+    this.createdAt = Objects.requireNonNull(createdAt, "createdAt cannot be null");
+  }
+
+  /** Factory method for creating a new refresh token. */
+  public static RefreshToken create(
+      String token, TokenFamily tokenFamily, AuthUserId userId, LocalDateTime expiresAt) {
+    return new RefreshToken(
+        UUID.randomUUID(), token, tokenFamily, userId, expiresAt, LocalDateTime.now());
+  }
+
+  /** Factory method for reconstituting from persistence. */
+  public static RefreshToken reconstitute(
+      UUID id,
+      String token,
+      TokenFamily tokenFamily,
+      AuthUserId userId,
+      LocalDateTime expiresAt,
+      LocalDateTime createdAt) {
+    return new RefreshToken(id, token, tokenFamily, userId, expiresAt, createdAt);
+  }
+
+  /** Checks if this token has expired. */
+  public boolean isExpired() {
+    return LocalDateTime.now().isAfter(expiresAt);
+  }
+
+  // Getters
+
+  public UUID getId() {
+    return id;
+  }
+
+  public String getToken() {
+    return token;
+  }
+
+  public TokenFamily getTokenFamily() {
+    return tokenFamily;
+  }
+
+  public AuthUserId getUserId() {
+    return userId;
+  }
+
+  public LocalDateTime getExpiresAt() {
+    return expiresAt;
+  }
+
+  public LocalDateTime getCreatedAt() {
+    return createdAt;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/TokenFamily.java b/src/main/java/org/nkcoder/auth/domain/model/TokenFamily.java
new file mode 100644
index 0000000..d45ddb8
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/TokenFamily.java
@@ -0,0 +1,26 @@
+package org.nkcoder.auth.domain.model;
+
+import java.util.Objects;
+import java.util.UUID;
+
+/**
+ * Value object representing a token family. Token families are used to track related refresh tokens
+ * across rotations, enabling multi-device logout.
+ */
+public record TokenFamily(String value) {
+
+  public TokenFamily {
+    Objects.requireNonNull(value, "TokenFamily value cannot be null");
+    if (value.isBlank()) {
+      throw new IllegalArgumentException("TokenFamily value cannot be blank");
+    }
+  }
+
+  public static TokenFamily generate() {
+    return new TokenFamily(UUID.randomUUID().toString());
+  }
+
+  public static TokenFamily of(String value) {
+    return new TokenFamily(value);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/model/TokenPair.java b/src/main/java/org/nkcoder/auth/domain/model/TokenPair.java
new file mode 100644
index 0000000..ffcb54b
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/model/TokenPair.java
@@ -0,0 +1,12 @@
+package org.nkcoder.auth.domain.model;
+
+import java.util.Objects;
+
+/** Value object representing a pair of access and refresh tokens. */
+public record TokenPair(String accessToken, String refreshToken) {
+
+  public TokenPair {
+    Objects.requireNonNull(accessToken, "Access token cannot be null");
+    Objects.requireNonNull(refreshToken, "Refresh token cannot be null");
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/repository/AuthUserRepository.java b/src/main/java/org/nkcoder/auth/domain/repository/AuthUserRepository.java
new file mode 100644
index 0000000..a148295
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/repository/AuthUserRepository.java
@@ -0,0 +1,24 @@
+package org.nkcoder.auth.domain.repository;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import org.nkcoder.auth.domain.model.AuthUser;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+
+/**
+ * Repository interface (port) for AuthUser persistence. Implementations are in the infrastructure
+ * layer.
+ */
+public interface AuthUserRepository {
+
+  Optional<AuthUser> findById(AuthUserId id);
+
+  Optional<AuthUser> findByEmail(Email email);
+
+  boolean existsByEmail(Email email);
+
+  AuthUser save(AuthUser authUser);
+
+  void updateLastLoginAt(AuthUserId id, LocalDateTime lastLoginAt);
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/repository/RefreshTokenRepository.java b/src/main/java/org/nkcoder/auth/domain/repository/RefreshTokenRepository.java
new file mode 100644
index 0000000..38b2e9e
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/repository/RefreshTokenRepository.java
@@ -0,0 +1,32 @@
+package org.nkcoder.auth.domain.repository;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.RefreshToken;
+import org.nkcoder.auth.domain.model.TokenFamily;
+
+/**
+ * Repository interface (port) for RefreshToken persistence. Implementations are in the
+ * infrastructure layer.
+ */
+public interface RefreshTokenRepository {
+
+  Optional<RefreshToken> findByToken(String token);
+
+  /**
+   * Finds a refresh token by its value with a pessimistic lock for update. Used during token
+   * refresh to prevent race conditions.
+   */
+  Optional<RefreshToken> findByTokenForUpdate(String token);
+
+  RefreshToken save(RefreshToken refreshToken);
+
+  void deleteByToken(String token);
+
+  void deleteByTokenFamily(TokenFamily tokenFamily);
+
+  void deleteByUserId(AuthUserId userId);
+
+  void deleteExpiredTokens(LocalDateTime now);
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/service/PasswordEncoder.java b/src/main/java/org/nkcoder/auth/domain/service/PasswordEncoder.java
new file mode 100644
index 0000000..d74898e
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/service/PasswordEncoder.java
@@ -0,0 +1,16 @@
+package org.nkcoder.auth.domain.service;
+
+import org.nkcoder.auth.domain.model.HashedPassword;
+
+/**
+ * Domain service interface for password encoding and verification. Implementations are in the
+ * infrastructure layer.
+ */
+public interface PasswordEncoder {
+
+  /** Encodes a raw password into a hashed password. */
+  HashedPassword encode(String rawPassword);
+
+  /** Checks if a raw password matches a hashed password. */
+  boolean matches(String rawPassword, HashedPassword hashedPassword);
+}
diff --git a/src/main/java/org/nkcoder/auth/domain/service/TokenGenerator.java b/src/main/java/org/nkcoder/auth/domain/service/TokenGenerator.java
new file mode 100644
index 0000000..67c3ab6
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/domain/service/TokenGenerator.java
@@ -0,0 +1,28 @@
+package org.nkcoder.auth.domain.service;
+
+import java.time.LocalDateTime;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.TokenFamily;
+import org.nkcoder.auth.domain.model.TokenPair;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+
+/**
+ * Domain service interface for JWT token generation and validation. Implementations are in the
+ * infrastructure layer.
+ */
+public interface TokenGenerator {
+
+  /** Generates an access and refresh token pair. */
+  TokenPair generateTokenPair(
+      AuthUserId userId, Email email, AuthRole role, TokenFamily tokenFamily);
+
+  /** Returns the expiry time for refresh tokens. */
+  LocalDateTime getRefreshTokenExpiry();
+
+  /** Validates a refresh token and returns its claims. */
+  RefreshTokenClaims validateRefreshToken(String token);
+
+  /** Claims extracted from a validated refresh token. */
+  record RefreshTokenClaims(AuthUserId userId, TokenFamily tokenFamily) {}
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/AuthUserJpaEntity.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/AuthUserJpaEntity.java
new file mode 100644
index 0000000..ac586df
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/AuthUserJpaEntity.java
@@ -0,0 +1,136 @@
+package org.nkcoder.auth.infrastructure.persistence.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EntityListeners;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.Id;
+import jakarta.persistence.Index;
+import jakarta.persistence.Table;
+import jakarta.persistence.Transient;
+import java.time.LocalDateTime;
+import java.util.UUID;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.domain.Persistable;
+import org.springframework.data.jpa.domain.support.AuditingEntityListener;
+
+/**
+ * JPA entity for users table, mapped for Auth context. Contains only authentication-related fields.
+ * Implements Persistable to control new/existing entity detection since we provide our own UUID.
+ */
+@Entity
+@Table(
+    name = "users",
+    indexes = {@Index(name = "idx_users_email", columnList = "email")})
+@EntityListeners(AuditingEntityListener.class)
+public class AuthUserJpaEntity implements Persistable<UUID> {
+
+  @Id private UUID id;
+
+  @Column(nullable = false, unique = true)
+  private String email;
+
+  @Column(nullable = false)
+  private String password;
+
+  @Column(nullable = false)
+  private String name;
+
+  @Enumerated(EnumType.STRING)
+  @Column(nullable = false)
+  private AuthRole role;
+
+  @Column(name = "last_login_at")
+  private LocalDateTime lastLoginAt;
+
+  @CreatedDate
+  @Column(name = "created_at", nullable = false, updatable = false)
+  private LocalDateTime createdAt;
+
+  @Transient private boolean isNew = false;
+
+  // Required by JPA
+  protected AuthUserJpaEntity() {}
+
+  public AuthUserJpaEntity(
+      UUID id,
+      String email,
+      String password,
+      String name,
+      AuthRole role,
+      LocalDateTime lastLoginAt) {
+    this.id = id;
+    this.email = email;
+    this.password = password;
+    this.name = name;
+    this.role = role;
+    this.lastLoginAt = lastLoginAt;
+  }
+
+  // Getters and setters
+
+  public UUID getId() {
+    return id;
+  }
+
+  public void setId(UUID id) {
+    this.id = id;
+  }
+
+  public String getEmail() {
+    return email;
+  }
+
+  public void setEmail(String email) {
+    this.email = email;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+
+  public void setPassword(String password) {
+    this.password = password;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public AuthRole getRole() {
+    return role;
+  }
+
+  public void setRole(AuthRole role) {
+    this.role = role;
+  }
+
+  public LocalDateTime getLastLoginAt() {
+    return lastLoginAt;
+  }
+
+  public void setLastLoginAt(LocalDateTime lastLoginAt) {
+    this.lastLoginAt = lastLoginAt;
+  }
+
+  public LocalDateTime getCreatedAt() {
+    return createdAt;
+  }
+
+  // Persistable implementation
+
+  @Override
+  public boolean isNew() {
+    return isNew;
+  }
+
+  public void markAsNew() {
+    this.isNew = true;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/RefreshTokenJpaEntity.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/RefreshTokenJpaEntity.java
new file mode 100644
index 0000000..6d91871
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/entity/RefreshTokenJpaEntity.java
@@ -0,0 +1,125 @@
+package org.nkcoder.auth.infrastructure.persistence.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EntityListeners;
+import jakarta.persistence.Id;
+import jakarta.persistence.Index;
+import jakarta.persistence.Table;
+import jakarta.persistence.Transient;
+import java.time.LocalDateTime;
+import java.util.UUID;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.domain.Persistable;
+import org.springframework.data.jpa.domain.support.AuditingEntityListener;
+
+/**
+ * JPA entity for refresh_tokens table. Implements Persistable to control new/existing entity
+ * detection since we provide our own UUID.
+ */
+@Entity
+@Table(
+    name = "refresh_tokens",
+    indexes = {
+      @Index(name = "idx_refresh_tokens_token", columnList = "token"),
+      @Index(name = "idx_refresh_tokens_token_family", columnList = "token_family"),
+      @Index(name = "idx_refresh_tokens_user_id", columnList = "user_id")
+    })
+@EntityListeners(AuditingEntityListener.class)
+public class RefreshTokenJpaEntity implements Persistable<UUID> {
+
+  @Id private UUID id;
+
+  @Column(nullable = false, unique = true)
+  private String token;
+
+  @Column(name = "token_family", nullable = false)
+  private String tokenFamily;
+
+  @Column(name = "user_id", nullable = false)
+  private UUID userId;
+
+  @Column(name = "expires_at", nullable = false)
+  private LocalDateTime expiresAt;
+
+  @CreatedDate
+  @Column(name = "created_at", nullable = false, updatable = false)
+  private LocalDateTime createdAt;
+
+  @Transient private boolean isNew = false;
+
+  // Required by JPA
+  protected RefreshTokenJpaEntity() {}
+
+  public RefreshTokenJpaEntity(
+      UUID id,
+      String token,
+      String tokenFamily,
+      UUID userId,
+      LocalDateTime expiresAt,
+      LocalDateTime createdAt) {
+    this.id = id;
+    this.token = token;
+    this.tokenFamily = tokenFamily;
+    this.userId = userId;
+    this.expiresAt = expiresAt;
+    this.createdAt = createdAt;
+  }
+
+  // Getters and setters
+
+  public UUID getId() {
+    return id;
+  }
+
+  public void setId(UUID id) {
+    this.id = id;
+  }
+
+  public String getToken() {
+    return token;
+  }
+
+  public void setToken(String token) {
+    this.token = token;
+  }
+
+  public String getTokenFamily() {
+    return tokenFamily;
+  }
+
+  public void setTokenFamily(String tokenFamily) {
+    this.tokenFamily = tokenFamily;
+  }
+
+  public UUID getUserId() {
+    return userId;
+  }
+
+  public void setUserId(UUID userId) {
+    this.userId = userId;
+  }
+
+  public LocalDateTime getExpiresAt() {
+    return expiresAt;
+  }
+
+  public void setExpiresAt(LocalDateTime expiresAt) {
+    this.expiresAt = expiresAt;
+  }
+
+  public LocalDateTime getCreatedAt() {
+    return createdAt;
+  }
+
+  // Persistable implementation
+
+  @Override
+  public boolean isNew() {
+    return isNew;
+  }
+
+  public void markAsNew() {
+    this.isNew = true;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/AuthUserPersistenceMapper.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/AuthUserPersistenceMapper.java
new file mode 100644
index 0000000..96db20c
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/AuthUserPersistenceMapper.java
@@ -0,0 +1,39 @@
+package org.nkcoder.auth.infrastructure.persistence.mapper;
+
+import org.nkcoder.auth.domain.model.AuthUser;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.HashedPassword;
+import org.nkcoder.auth.infrastructure.persistence.entity.AuthUserJpaEntity;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.springframework.stereotype.Component;
+
+/** Mapper between AuthUser domain model and AuthUserJpaEntity. */
+@Component
+public class AuthUserPersistenceMapper {
+
+  public AuthUser toDomain(AuthUserJpaEntity entity) {
+    return AuthUser.reconstitute(
+        AuthUserId.of(entity.getId()),
+        Email.of(entity.getEmail()),
+        HashedPassword.of(entity.getPassword()),
+        entity.getName(),
+        entity.getRole(),
+        entity.getLastLoginAt());
+  }
+
+  public AuthUserJpaEntity toEntity(AuthUser domain) {
+    return new AuthUserJpaEntity(
+        domain.getId().value(),
+        domain.getEmail().value(),
+        domain.getPassword().value(),
+        domain.getName(),
+        domain.getRole(),
+        domain.getLastLoginAt());
+  }
+
+  public AuthUserJpaEntity toNewEntity(AuthUser domain) {
+    AuthUserJpaEntity entity = toEntity(domain);
+    entity.markAsNew();
+    return entity;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/RefreshTokenPersistenceMapper.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/RefreshTokenPersistenceMapper.java
new file mode 100644
index 0000000..15fe8bc
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/mapper/RefreshTokenPersistenceMapper.java
@@ -0,0 +1,38 @@
+package org.nkcoder.auth.infrastructure.persistence.mapper;
+
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.RefreshToken;
+import org.nkcoder.auth.domain.model.TokenFamily;
+import org.nkcoder.auth.infrastructure.persistence.entity.RefreshTokenJpaEntity;
+import org.springframework.stereotype.Component;
+
+/** Mapper between RefreshToken domain model and RefreshTokenJpaEntity. */
+@Component
+public class RefreshTokenPersistenceMapper {
+
+  public RefreshToken toDomain(RefreshTokenJpaEntity entity) {
+    return RefreshToken.reconstitute(
+        entity.getId(),
+        entity.getToken(),
+        TokenFamily.of(entity.getTokenFamily()),
+        AuthUserId.of(entity.getUserId()),
+        entity.getExpiresAt(),
+        entity.getCreatedAt());
+  }
+
+  public RefreshTokenJpaEntity toEntity(RefreshToken domain) {
+    return new RefreshTokenJpaEntity(
+        domain.getId(),
+        domain.getToken(),
+        domain.getTokenFamily().value(),
+        domain.getUserId().value(),
+        domain.getExpiresAt(),
+        domain.getCreatedAt());
+  }
+
+  public RefreshTokenJpaEntity toNewEntity(RefreshToken domain) {
+    RefreshTokenJpaEntity entity = toEntity(domain);
+    entity.markAsNew();
+    return entity;
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserJpaRepository.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserJpaRepository.java
new file mode 100644
index 0000000..8025798
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserJpaRepository.java
@@ -0,0 +1,24 @@
+package org.nkcoder.auth.infrastructure.persistence.repository;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import java.util.UUID;
+import org.nkcoder.auth.infrastructure.persistence.entity.AuthUserJpaEntity;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+/** Spring Data JPA repository for AuthUserJpaEntity. */
+@Repository
+public interface AuthUserJpaRepository extends JpaRepository<AuthUserJpaEntity, UUID> {
+
+  Optional<AuthUserJpaEntity> findByEmail(String email);
+
+  boolean existsByEmail(String email);
+
+  @Modifying
+  @Query("UPDATE AuthUserJpaEntity u SET u.lastLoginAt = :lastLoginAt WHERE u.id = :id")
+  void updateLastLoginAt(@Param("id") UUID id, @Param("lastLoginAt") LocalDateTime lastLoginAt);
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserRepositoryAdapter.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserRepositoryAdapter.java
new file mode 100644
index 0000000..3f80ef4
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/AuthUserRepositoryAdapter.java
@@ -0,0 +1,52 @@
+package org.nkcoder.auth.infrastructure.persistence.repository;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import org.nkcoder.auth.domain.model.AuthUser;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.repository.AuthUserRepository;
+import org.nkcoder.auth.infrastructure.persistence.mapper.AuthUserPersistenceMapper;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.springframework.stereotype.Repository;
+
+/** Adapter implementing AuthUserRepository using Spring Data JPA. */
+@Repository
+public class AuthUserRepositoryAdapter implements AuthUserRepository {
+
+  private final AuthUserJpaRepository jpaRepository;
+  private final AuthUserPersistenceMapper mapper;
+
+  public AuthUserRepositoryAdapter(
+      AuthUserJpaRepository jpaRepository, AuthUserPersistenceMapper mapper) {
+    this.jpaRepository = jpaRepository;
+    this.mapper = mapper;
+  }
+
+  @Override
+  public Optional<AuthUser> findById(AuthUserId id) {
+    return jpaRepository.findById(id.value()).map(mapper::toDomain);
+  }
+
+  @Override
+  public Optional<AuthUser> findByEmail(Email email) {
+    return jpaRepository.findByEmail(email.value()).map(mapper::toDomain);
+  }
+
+  @Override
+  public boolean existsByEmail(Email email) {
+    return jpaRepository.existsByEmail(email.value());
+  }
+
+  @Override
+  public AuthUser save(AuthUser authUser) {
+    boolean exists = jpaRepository.existsById(authUser.getId().value());
+    var entity = exists ? mapper.toEntity(authUser) : mapper.toNewEntity(authUser);
+    var savedEntity = jpaRepository.save(entity);
+    return mapper.toDomain(savedEntity);
+  }
+
+  @Override
+  public void updateLastLoginAt(AuthUserId id, LocalDateTime lastLoginAt) {
+    jpaRepository.updateLastLoginAt(id.value(), lastLoginAt);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenJpaRepository.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenJpaRepository.java
new file mode 100644
index 0000000..3966fd9
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenJpaRepository.java
@@ -0,0 +1,40 @@
+package org.nkcoder.auth.infrastructure.persistence.repository;
+
+import jakarta.persistence.LockModeType;
+import java.time.LocalDateTime;
+import java.util.Optional;
+import java.util.UUID;
+import org.nkcoder.auth.infrastructure.persistence.entity.RefreshTokenJpaEntity;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Lock;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+/** Spring Data JPA repository for RefreshTokenJpaEntity. */
+@Repository
+public interface RefreshTokenJpaRepository extends JpaRepository<RefreshTokenJpaEntity, UUID> {
+
+  Optional<RefreshTokenJpaEntity> findByToken(String token);
+
+  @Lock(LockModeType.PESSIMISTIC_WRITE)
+  @Query("SELECT r FROM RefreshTokenJpaEntity r WHERE r.token = :token")
+  Optional<RefreshTokenJpaEntity> findByTokenForUpdate(@Param("token") String token);
+
+  @Modifying
+  @Query("DELETE FROM RefreshTokenJpaEntity r WHERE r.token = :token")
+  void deleteByToken(@Param("token") String token);
+
+  @Modifying
+  @Query("DELETE FROM RefreshTokenJpaEntity r WHERE r.tokenFamily = :tokenFamily")
+  void deleteByTokenFamily(@Param("tokenFamily") String tokenFamily);
+
+  @Modifying
+  @Query("DELETE FROM RefreshTokenJpaEntity r WHERE r.userId = :userId")
+  void deleteByUserId(@Param("userId") UUID userId);
+
+  @Modifying
+  @Query("DELETE FROM RefreshTokenJpaEntity r WHERE r.expiresAt < :now")
+  void deleteExpiredTokens(@Param("now") LocalDateTime now);
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenRepositoryAdapter.java b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenRepositoryAdapter.java
new file mode 100644
index 0000000..545adb9
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/persistence/repository/RefreshTokenRepositoryAdapter.java
@@ -0,0 +1,62 @@
+package org.nkcoder.auth.infrastructure.persistence.repository;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.RefreshToken;
+import org.nkcoder.auth.domain.model.TokenFamily;
+import org.nkcoder.auth.domain.repository.RefreshTokenRepository;
+import org.nkcoder.auth.infrastructure.persistence.mapper.RefreshTokenPersistenceMapper;
+import org.springframework.stereotype.Repository;
+
+/** Adapter implementing RefreshTokenRepository using Spring Data JPA. */
+@Repository
+public class RefreshTokenRepositoryAdapter implements RefreshTokenRepository {
+
+  private final RefreshTokenJpaRepository jpaRepository;
+  private final RefreshTokenPersistenceMapper mapper;
+
+  public RefreshTokenRepositoryAdapter(
+      RefreshTokenJpaRepository jpaRepository, RefreshTokenPersistenceMapper mapper) {
+    this.jpaRepository = jpaRepository;
+    this.mapper = mapper;
+  }
+
+  @Override
+  public Optional<RefreshToken> findByToken(String token) {
+    return jpaRepository.findByToken(token).map(mapper::toDomain);
+  }
+
+  @Override
+  public Optional<RefreshToken> findByTokenForUpdate(String token) {
+    return jpaRepository.findByTokenForUpdate(token).map(mapper::toDomain);
+  }
+
+  @Override
+  public RefreshToken save(RefreshToken refreshToken) {
+    boolean exists = jpaRepository.existsById(refreshToken.getId());
+    var entity = exists ? mapper.toEntity(refreshToken) : mapper.toNewEntity(refreshToken);
+    var savedEntity = jpaRepository.save(entity);
+    return mapper.toDomain(savedEntity);
+  }
+
+  @Override
+  public void deleteByToken(String token) {
+    jpaRepository.deleteByToken(token);
+  }
+
+  @Override
+  public void deleteByTokenFamily(TokenFamily tokenFamily) {
+    jpaRepository.deleteByTokenFamily(tokenFamily.value());
+  }
+
+  @Override
+  public void deleteByUserId(AuthUserId userId) {
+    jpaRepository.deleteByUserId(userId.value());
+  }
+
+  @Override
+  public void deleteExpiredTokens(LocalDateTime now) {
+    jpaRepository.deleteExpiredTokens(now);
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/security/BcryptPasswordEncoderAdapter.java b/src/main/java/org/nkcoder/auth/infrastructure/security/BcryptPasswordEncoderAdapter.java
new file mode 100644
index 0000000..9ad834d
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/security/BcryptPasswordEncoderAdapter.java
@@ -0,0 +1,28 @@
+package org.nkcoder.auth.infrastructure.security;
+
+import org.nkcoder.auth.domain.model.HashedPassword;
+import org.nkcoder.auth.domain.service.PasswordEncoder;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.stereotype.Component;
+
+/** BCrypt implementation of the PasswordEncoder domain service. */
+@Component
+public class BcryptPasswordEncoderAdapter implements PasswordEncoder {
+
+  private static final int BCRYPT_STRENGTH = 12;
+  private final BCryptPasswordEncoder bCryptPasswordEncoder;
+
+  public BcryptPasswordEncoderAdapter() {
+    this.bCryptPasswordEncoder = new BCryptPasswordEncoder(BCRYPT_STRENGTH);
+  }
+
+  @Override
+  public HashedPassword encode(String rawPassword) {
+    return HashedPassword.of(bCryptPasswordEncoder.encode(rawPassword));
+  }
+
+  @Override
+  public boolean matches(String rawPassword, HashedPassword hashedPassword) {
+    return bCryptPasswordEncoder.matches(rawPassword, hashedPassword.value());
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/infrastructure/security/JwtTokenGeneratorAdapter.java b/src/main/java/org/nkcoder/auth/infrastructure/security/JwtTokenGeneratorAdapter.java
new file mode 100644
index 0000000..8406200
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/infrastructure/security/JwtTokenGeneratorAdapter.java
@@ -0,0 +1,144 @@
+package org.nkcoder.auth.infrastructure.security;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+import jakarta.annotation.PostConstruct;
+import java.time.Duration;
+import java.time.LocalDateTime;
+import java.util.Date;
+import java.util.UUID;
+import javax.crypto.SecretKey;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.TokenFamily;
+import org.nkcoder.auth.domain.model.TokenPair;
+import org.nkcoder.auth.domain.service.TokenGenerator;
+import org.nkcoder.infrastructure.config.JwtProperties;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.shared.kernel.exception.AuthenticationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+/** JWT implementation of the TokenGenerator domain service. */
+@Component
+public class JwtTokenGeneratorAdapter implements TokenGenerator {
+
+  private static final Logger logger = LoggerFactory.getLogger(JwtTokenGeneratorAdapter.class);
+  private static final int MINIMUM_KEY_LENGTH_BYTES = 32;
+
+  private final JwtProperties jwtProperties;
+  private final SecretKey accessTokenKey;
+  private final SecretKey refreshTokenKey;
+
+  public JwtTokenGeneratorAdapter(JwtProperties jwtProperties) {
+    this.jwtProperties = jwtProperties;
+    this.accessTokenKey = Keys.hmacShaKeyFor(jwtProperties.secret().access().getBytes());
+    this.refreshTokenKey = Keys.hmacShaKeyFor(jwtProperties.secret().refresh().getBytes());
+  }
+
+  @PostConstruct
+  public void validateKeyStrength() {
+    validateSecretKeyStrength(jwtProperties.secret().access(), "access");
+    validateSecretKeyStrength(jwtProperties.secret().refresh(), "refresh");
+    logger.info("JWT secret key strength validation passed for all tokens");
+  }
+
+  private void validateSecretKeyStrength(String secret, String tokenType) {
+    if (secret == null || secret.getBytes().length < MINIMUM_KEY_LENGTH_BYTES) {
+      throw new IllegalStateException(
+          String.format(
+              "JWT %s secret key must be at least %d bytes. Current length: %d bytes",
+              tokenType, MINIMUM_KEY_LENGTH_BYTES, secret == null ? 0 : secret.getBytes().length));
+    }
+  }
+
+  @Override
+  public TokenPair generateTokenPair(
+      AuthUserId userId, Email email, AuthRole role, TokenFamily tokenFamily) {
+    String accessToken = generateAccessToken(userId, email, role);
+    String refreshToken = generateRefreshToken(userId, tokenFamily);
+    return new TokenPair(accessToken, refreshToken);
+  }
+
+  @Override
+  public LocalDateTime getRefreshTokenExpiry() {
+    Duration duration = parseDuration(jwtProperties.expiration().refresh());
+    return LocalDateTime.now().plus(duration);
+  }
+
+  @Override
+  public RefreshTokenClaims validateRefreshToken(String token) {
+    try {
+      Claims claims =
+          Jwts.parser()
+              .verifyWith(refreshTokenKey)
+              .requireIssuer(jwtProperties.issuer())
+              .build()
+              .parseSignedClaims(token)
+              .getPayload();
+
+      AuthUserId userId = AuthUserId.of(claims.getSubject());
+      TokenFamily tokenFamily = TokenFamily.of(claims.get("tokenFamily", String.class));
+
+      return new RefreshTokenClaims(userId, tokenFamily);
+    } catch (JwtException e) {
+      logger.error("Refresh token validation failed: {}", e.getMessage());
+      throw new AuthenticationException("Invalid refresh token");
+    }
+  }
+
+  private String generateAccessToken(AuthUserId userId, Email email, AuthRole role) {
+    Date now = new Date();
+    Duration duration = parseDuration(jwtProperties.expiration().access());
+    Date expiration = new Date(now.getTime() + duration.toMillis());
+
+    return Jwts.builder()
+        .subject(userId.value().toString())
+        .issuer(jwtProperties.issuer())
+        .issuedAt(now)
+        .expiration(expiration)
+        .claim("email", email.value())
+        .claim("role", role.name())
+        .claim("jti", UUID.randomUUID().toString())
+        .signWith(accessTokenKey, Jwts.SIG.HS512)
+        .compact();
+  }
+
+  private String generateRefreshToken(AuthUserId userId, TokenFamily tokenFamily) {
+    Date now = new Date();
+    Duration duration = parseDuration(jwtProperties.expiration().refresh());
+    Date expiration = new Date(now.getTime() + duration.toMillis());
+
+    return Jwts.builder()
+        .subject(userId.value().toString())
+        .issuer(jwtProperties.issuer())
+        .issuedAt(now)
+        .expiration(expiration)
+        .claim("tokenFamily", tokenFamily.value())
+        .claim("jti", UUID.randomUUID().toString())
+        .signWith(refreshTokenKey, Jwts.SIG.HS512)
+        .compact();
+  }
+
+  private Duration parseDuration(String durationString) {
+    if (durationString == null || durationString.isEmpty()) {
+      throw new IllegalArgumentException("Duration string cannot be null or empty");
+    }
+
+    String value = durationString.substring(0, durationString.length() - 1);
+    String unit = durationString.substring(durationString.length() - 1);
+
+    long amount = Long.parseLong(value);
+
+    return switch (unit) {
+      case "s" -> Duration.ofSeconds(amount);
+      case "m" -> Duration.ofMinutes(amount);
+      case "h" -> Duration.ofHours(amount);
+      case "d" -> Duration.ofDays(amount);
+      default -> throw new IllegalArgumentException("Invalid duration unit: " + unit);
+    };
+  }
+}
diff --git a/src/main/java/org/nkcoder/util/JwtUtil.java b/src/main/java/org/nkcoder/auth/infrastructure/security/JwtUtil.java
similarity index 94%
rename from src/main/java/org/nkcoder/util/JwtUtil.java
rename to src/main/java/org/nkcoder/auth/infrastructure/security/JwtUtil.java
index e41113b..87814d2 100644
--- a/src/main/java/org/nkcoder/util/JwtUtil.java
+++ b/src/main/java/org/nkcoder/auth/infrastructure/security/JwtUtil.java
@@ -1,4 +1,4 @@
-package org.nkcoder.util;
+package org.nkcoder.auth.infrastructure.security;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtException;
@@ -10,8 +10,8 @@
 import java.util.Date;
 import java.util.UUID;
 import javax.crypto.SecretKey;
-import org.nkcoder.config.JwtProperties;
-import org.nkcoder.enums.Role;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.infrastructure.config.JwtProperties;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -50,7 +50,7 @@ private void validateSecretKeyStrength(String secret, String tokenType) {
     }
   }
 
-  public String generateAccessToken(UUID userId, String email, Role role) {
+  public String generateAccessToken(UUID userId, String email, AuthRole role) {
     Date now = new Date();
     Duration duration = parseDuration(jwtProperties.expiration().access());
     Date expiration = new Date(now.getTime() + duration.toMillis());
@@ -131,10 +131,10 @@ public String getEmailFromToken(String token) {
     return claims.get("email", String.class);
   }
 
-  public Role getRoleFromToken(String token) {
+  public AuthRole getRoleFromToken(String token) {
     Claims claims = validateAccessToken(token);
     String roleString = claims.get("role", String.class);
-    return Role.valueOf(roleString);
+    return AuthRole.valueOf(roleString);
   }
 
   public LocalDateTime getTokenExpiry(String durationString) {
diff --git a/src/main/java/org/nkcoder/auth/interfaces/grpc/AuthGrpcService.java b/src/main/java/org/nkcoder/auth/interfaces/grpc/AuthGrpcService.java
new file mode 100644
index 0000000..b75c995
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/grpc/AuthGrpcService.java
@@ -0,0 +1,113 @@
+package org.nkcoder.auth.interfaces.grpc;
+
+import io.grpc.Status;
+import io.grpc.stub.StreamObserver;
+import net.devh.boot.grpc.server.service.GrpcService;
+import org.nkcoder.auth.application.dto.command.LoginCommand;
+import org.nkcoder.auth.application.dto.command.RegisterCommand;
+import org.nkcoder.auth.application.dto.response.AuthResult;
+import org.nkcoder.auth.application.service.AuthApplicationService;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.generated.grpc.AuthProto;
+import org.nkcoder.generated.grpc.AuthServiceGrpc;
+import org.nkcoder.shared.kernel.exception.AuthenticationException;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** gRPC service for authentication operations. */
+@GrpcService
+public class AuthGrpcService extends AuthServiceGrpc.AuthServiceImplBase {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthGrpcService.class);
+
+  private final AuthApplicationService authService;
+  private final GrpcAuthMapper mapper;
+
+  public AuthGrpcService(AuthApplicationService authService, GrpcAuthMapper mapper) {
+    this.authService = authService;
+    this.mapper = mapper;
+  }
+
+  @Override
+  public void register(
+      AuthProto.RegisterRequest request, StreamObserver<AuthProto.ApiResponse> responseObserver) {
+    logger.info("Received gRPC registration request for email: {}", request.getEmail());
+
+    if (request.getEmail().isEmpty()
+        || request.getPassword().isEmpty()
+        || request.getName().isEmpty()) {
+      logger.error("Invalid registration request: email, password, and name must not be empty");
+      responseObserver.onError(
+          Status.INVALID_ARGUMENT
+              .withDescription("Email, password, and name must not be empty")
+              .asRuntimeException());
+      return;
+    }
+
+    try {
+      RegisterCommand command =
+          new RegisterCommand(
+              request.getEmail(), request.getPassword(), request.getName(), AuthRole.MEMBER);
+
+      AuthResult result = authService.register(command);
+
+      AuthProto.ApiResponse apiResponse =
+          AuthProto.ApiResponse.newBuilder()
+              .setMessage("User registered successfully")
+              .setData(mapper.toAuthResponse(result))
+              .build();
+
+      responseObserver.onNext(apiResponse);
+      responseObserver.onCompleted();
+
+    } catch (ValidationException e) {
+      logger.error("Registration validation error: {}", e.getMessage());
+      responseObserver.onError(
+          Status.ALREADY_EXISTS.withDescription(e.getMessage()).asRuntimeException());
+    } catch (Exception e) {
+      logger.error("Registration error: {}", e.getMessage(), e);
+      responseObserver.onError(
+          Status.INTERNAL.withDescription("Internal server error").asRuntimeException());
+    }
+  }
+
+  @Override
+  public void login(
+      AuthProto.LoginRequest request, StreamObserver<AuthProto.ApiResponse> responseObserver) {
+    logger.info("Received gRPC login request for email: {}", request.getEmail());
+
+    if (request.getEmail().isEmpty() || request.getPassword().isEmpty()) {
+      logger.error("Invalid login request: email and password must not be empty");
+      responseObserver.onError(
+          Status.INVALID_ARGUMENT
+              .withDescription("Email and password must not be empty")
+              .asRuntimeException());
+      return;
+    }
+
+    try {
+      LoginCommand command = new LoginCommand(request.getEmail(), request.getPassword());
+
+      AuthResult result = authService.login(command);
+
+      AuthProto.ApiResponse apiResponse =
+          AuthProto.ApiResponse.newBuilder()
+              .setMessage("User logged in successfully")
+              .setData(mapper.toAuthResponse(result))
+              .build();
+
+      responseObserver.onNext(apiResponse);
+      responseObserver.onCompleted();
+
+    } catch (AuthenticationException e) {
+      logger.error("Login authentication error: {}", e.getMessage());
+      responseObserver.onError(
+          Status.UNAUTHENTICATED.withDescription(e.getMessage()).asRuntimeException());
+    } catch (Exception e) {
+      logger.error("Login error: {}", e.getMessage(), e);
+      responseObserver.onError(
+          Status.INTERNAL.withDescription("Internal server error").asRuntimeException());
+    }
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/interfaces/grpc/GrpcAuthMapper.java b/src/main/java/org/nkcoder/auth/interfaces/grpc/GrpcAuthMapper.java
new file mode 100644
index 0000000..635aaee
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/grpc/GrpcAuthMapper.java
@@ -0,0 +1,27 @@
+package org.nkcoder.auth.interfaces.grpc;
+
+import org.nkcoder.auth.application.dto.response.AuthResult;
+import org.nkcoder.generated.grpc.AuthProto;
+import org.springframework.stereotype.Component;
+
+/** Mapper between gRPC proto messages and application DTOs. */
+@Component
+public class GrpcAuthMapper {
+
+  public AuthProto.AuthResponse toAuthResponse(AuthResult result) {
+    AuthProto.User grpcUser =
+        AuthProto.User.newBuilder()
+            .setId(result.userId().toString())
+            .setEmail(result.email())
+            .setName("") // Name not available in AuthResult
+            .build();
+
+    AuthProto.AuthToken grpcTokens =
+        AuthProto.AuthToken.newBuilder()
+            .setAccessToken(result.accessToken())
+            .setRefreshToken(result.refreshToken())
+            .build();
+
+    return AuthProto.AuthResponse.newBuilder().setUser(grpcUser).setAuthToken(grpcTokens).build();
+  }
+}
diff --git a/src/main/java/org/nkcoder/controller/AuthController.java b/src/main/java/org/nkcoder/auth/interfaces/rest/AuthController.java
similarity index 51%
rename from src/main/java/org/nkcoder/controller/AuthController.java
rename to src/main/java/org/nkcoder/auth/interfaces/rest/AuthController.java
index 40ae9c6..86eee7f 100644
--- a/src/main/java/org/nkcoder/controller/AuthController.java
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/AuthController.java
@@ -1,15 +1,16 @@
-package org.nkcoder.controller;
+package org.nkcoder.auth.interfaces.rest;
 
 import jakarta.validation.Valid;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.LoginRequest;
-import org.nkcoder.dto.auth.RefreshTokenRequest;
-import org.nkcoder.dto.auth.RegisterRequest;
-import org.nkcoder.dto.common.ApiResponse;
-import org.nkcoder.service.AuthService;
+import org.nkcoder.auth.application.dto.response.AuthResult;
+import org.nkcoder.auth.application.service.AuthApplicationService;
+import org.nkcoder.auth.interfaces.rest.mapper.AuthRequestMapper;
+import org.nkcoder.auth.interfaces.rest.request.LoginRequest;
+import org.nkcoder.auth.interfaces.rest.request.RefreshTokenRequest;
+import org.nkcoder.auth.interfaces.rest.request.RegisterRequest;
+import org.nkcoder.auth.interfaces.rest.response.AuthResponse;
+import org.nkcoder.shared.local.rest.ApiResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -18,64 +19,65 @@
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@RequestMapping("/api/users/auth")
+@RequestMapping("/api/auth")
 public class AuthController {
 
   private static final Logger logger = LoggerFactory.getLogger(AuthController.class);
 
-  private final AuthService authService;
+  private final AuthApplicationService authService;
+  private final AuthRequestMapper requestMapper;
 
-  @Autowired
-  public AuthController(AuthService authService) {
+  public AuthController(AuthApplicationService authService, AuthRequestMapper requestMapper) {
     this.authService = authService;
+    this.requestMapper = requestMapper;
   }
 
   @PostMapping("/register")
   public ResponseEntity<ApiResponse<AuthResponse>> register(
       @Valid @RequestBody RegisterRequest request) {
-    logger.debug("Registration request received.");
+    logger.info("Register request for email: {}", request.email());
 
-    AuthResponse authResponse = authService.register(request);
+    AuthResult result = authService.register(requestMapper.toCommand(request));
 
     return ResponseEntity.status(HttpStatus.CREATED)
-        .body(ApiResponse.success("User registered successfully", authResponse));
+        .body(ApiResponse.success("User registered successfully", AuthResponse.from(result)));
   }
 
   @PostMapping("/login")
   public ResponseEntity<ApiResponse<AuthResponse>> login(@Valid @RequestBody LoginRequest request) {
-    logger.debug("Login request received.");
+    logger.info("Login request for email: {}", request.email());
 
-    AuthResponse authResponse = authService.login(request);
+    AuthResult result = authService.login(requestMapper.toCommand(request));
 
-    return ResponseEntity.ok(ApiResponse.success("Login successfully", authResponse));
+    return ResponseEntity.ok(ApiResponse.success("Login successful", AuthResponse.from(result)));
   }
 
   @PostMapping("/refresh")
   public ResponseEntity<ApiResponse<AuthResponse>> refreshTokens(
       @Valid @RequestBody RefreshTokenRequest request) {
-    logger.info("Token refresh request");
+    logger.debug("Token refresh request");
 
-    AuthResponse authResponse = authService.refreshTokens(request.refreshToken());
+    AuthResult result = authService.refreshTokens(requestMapper.toCommand(request));
 
-    return ResponseEntity.ok(ApiResponse.success("Tokens refreshed successfully", authResponse));
+    return ResponseEntity.ok(ApiResponse.success("Tokens refreshed", AuthResponse.from(result)));
   }
 
   @PostMapping("/logout")
   public ResponseEntity<ApiResponse<Void>> logout(@Valid @RequestBody RefreshTokenRequest request) {
-    logger.info("Logout request (all devices)");
+    logger.debug("Logout request (all devices)");
 
     authService.logout(request.refreshToken());
 
-    return ResponseEntity.ok(ApiResponse.success("Logout successful"));
+    return ResponseEntity.ok(ApiResponse.success("Logged out successfully"));
   }
 
   @PostMapping("/logout-single")
   public ResponseEntity<ApiResponse<Void>> logoutSingle(
       @Valid @RequestBody RefreshTokenRequest request) {
-    logger.info("Logout request (single device)");
+    logger.debug("Logout request (single device)");
 
     authService.logoutSingle(request.refreshToken());
 
-    return ResponseEntity.ok(ApiResponse.success("Logout from current device successful"));
+    return ResponseEntity.ok(ApiResponse.success("Logged out from current device"));
   }
 }
diff --git a/src/main/java/org/nkcoder/auth/interfaces/rest/mapper/AuthRequestMapper.java b/src/main/java/org/nkcoder/auth/interfaces/rest/mapper/AuthRequestMapper.java
new file mode 100644
index 0000000..c2f0698
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/mapper/AuthRequestMapper.java
@@ -0,0 +1,26 @@
+package org.nkcoder.auth.interfaces.rest.mapper;
+
+import org.nkcoder.auth.application.dto.command.LoginCommand;
+import org.nkcoder.auth.application.dto.command.RefreshTokenCommand;
+import org.nkcoder.auth.application.dto.command.RegisterCommand;
+import org.nkcoder.auth.interfaces.rest.request.LoginRequest;
+import org.nkcoder.auth.interfaces.rest.request.RefreshTokenRequest;
+import org.nkcoder.auth.interfaces.rest.request.RegisterRequest;
+import org.springframework.stereotype.Component;
+
+/** Mapper for converting REST requests to application commands. */
+@Component
+public class AuthRequestMapper {
+
+  public RegisterCommand toCommand(RegisterRequest request) {
+    return new RegisterCommand(request.email(), request.password(), request.name(), request.role());
+  }
+
+  public LoginCommand toCommand(LoginRequest request) {
+    return new LoginCommand(request.email(), request.password());
+  }
+
+  public RefreshTokenCommand toCommand(RefreshTokenRequest request) {
+    return new RefreshTokenCommand(request.refreshToken());
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/interfaces/rest/request/LoginRequest.java b/src/main/java/org/nkcoder/auth/interfaces/rest/request/LoginRequest.java
new file mode 100644
index 0000000..7595c73
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/request/LoginRequest.java
@@ -0,0 +1,8 @@
+package org.nkcoder.auth.interfaces.rest.request;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+
+public record LoginRequest(
+    @NotBlank(message = "Email is required") @Email(message = "Please provide a valid email") String email,
+    @NotBlank(message = "Password is required") String password) {}
diff --git a/src/main/java/org/nkcoder/auth/interfaces/rest/request/RefreshTokenRequest.java b/src/main/java/org/nkcoder/auth/interfaces/rest/request/RefreshTokenRequest.java
new file mode 100644
index 0000000..5f38ffc
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/request/RefreshTokenRequest.java
@@ -0,0 +1,6 @@
+package org.nkcoder.auth.interfaces.rest.request;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record RefreshTokenRequest(
+    @NotBlank(message = "Refresh token is required") String refreshToken) {}
diff --git a/src/main/java/org/nkcoder/auth/interfaces/rest/request/RegisterRequest.java b/src/main/java/org/nkcoder/auth/interfaces/rest/request/RegisterRequest.java
new file mode 100644
index 0000000..31e1340
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/request/RegisterRequest.java
@@ -0,0 +1,28 @@
+package org.nkcoder.auth.interfaces.rest.request;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
+import org.nkcoder.auth.domain.model.AuthRole;
+
+public record RegisterRequest(
+    @NotBlank(message = "Email is required") @Email(message = "Please provide a valid email") String email,
+    @NotBlank(message = "Password is required") @Size(min = 8, message = "Password must be at least 8 characters long") @Pattern(
+            regexp = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$",
+            message =
+                "Password must contain at least one lowercase letter, one uppercase letter, and one"
+                    + " number")
+        String password,
+    @NotBlank(message = "Name is required") @Size(min = 2, max = 50, message = "Name must be between 2 and 50 characters") String name,
+    AuthRole role) {
+
+  public RegisterRequest {
+    if (email != null) {
+      email = email.toLowerCase().trim();
+    }
+    if (name != null) {
+      name = name.trim();
+    }
+  }
+}
diff --git a/src/main/java/org/nkcoder/auth/interfaces/rest/response/AuthResponse.java b/src/main/java/org/nkcoder/auth/interfaces/rest/response/AuthResponse.java
new file mode 100644
index 0000000..0362675
--- /dev/null
+++ b/src/main/java/org/nkcoder/auth/interfaces/rest/response/AuthResponse.java
@@ -0,0 +1,18 @@
+package org.nkcoder.auth.interfaces.rest.response;
+
+import java.util.UUID;
+import org.nkcoder.auth.application.dto.response.AuthResult;
+
+/** REST API response for authentication operations. */
+public record AuthResponse(UserInfo user, TokenInfo tokens) {
+
+  public static AuthResponse from(AuthResult result) {
+    return new AuthResponse(
+        new UserInfo(result.userId(), result.email(), result.role().name()),
+        new TokenInfo(result.accessToken(), result.refreshToken()));
+  }
+
+  public record UserInfo(UUID id, String email, String role) {}
+
+  public record TokenInfo(String accessToken, String refreshToken) {}
+}
diff --git a/src/main/java/org/nkcoder/controller/HealthController.java b/src/main/java/org/nkcoder/controller/HealthController.java
deleted file mode 100644
index 2a7babd..0000000
--- a/src/main/java/org/nkcoder/controller/HealthController.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package org.nkcoder.controller;
-
-import java.time.LocalDateTime;
-import java.util.Map;
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-public class HealthController {
-
-  @GetMapping("/health")
-  public ResponseEntity<Map<String, Object>> health() {
-    Map<String, Object> response =
-        Map.of(
-            "status", "ok",
-            "timestamp", LocalDateTime.now(),
-            "service", "user-service");
-
-    return ResponseEntity.ok(response);
-  }
-}
diff --git a/src/main/java/org/nkcoder/controller/UserController.java b/src/main/java/org/nkcoder/controller/UserController.java
deleted file mode 100644
index 96a2a6e..0000000
--- a/src/main/java/org/nkcoder/controller/UserController.java
+++ /dev/null
@@ -1,96 +0,0 @@
-package org.nkcoder.controller;
-
-import jakarta.validation.Valid;
-import java.util.UUID;
-import org.nkcoder.annotation.CurrentUser;
-import org.nkcoder.dto.common.ApiResponse;
-import org.nkcoder.dto.user.ChangePasswordRequest;
-import org.nkcoder.dto.user.UpdateProfileRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.service.UserService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.*;
-
-@RestController
-@RequestMapping("/api/users")
-public class UserController {
-
-  private static final Logger logger = LoggerFactory.getLogger(UserController.class);
-
-  private final UserService userService;
-
-  public UserController(UserService userService) {
-    this.userService = userService;
-  }
-
-  @GetMapping("/me")
-  public ResponseEntity<ApiResponse<UserResponse>> getMe(@CurrentUser UUID userId) {
-    logger.info("Get profile request for userId: {}", userId);
-
-    UserResponse userResponse = userService.findById(userId);
-
-    return ResponseEntity.ok(
-        ApiResponse.success("User profile retrieved successfully", userResponse));
-  }
-
-  @PatchMapping("/me")
-  public ResponseEntity<ApiResponse<UserResponse>> updateMe(
-      @CurrentUser UUID userId, @Valid @RequestBody UpdateProfileRequest request) {
-
-    logger.info("Update profile request for userId: {}", userId);
-
-    UserResponse userResponse = userService.updateProfile(userId, request);
-
-    return ResponseEntity.ok(ApiResponse.success("Profile updated successfully", userResponse));
-  }
-
-  @PatchMapping("/me/password")
-  public ResponseEntity<ApiResponse<Void>> changeMyPassword(
-      @CurrentUser UUID userId, @Valid @RequestBody ChangePasswordRequest request) {
-
-    logger.info("Change password request for userId: {}", userId);
-
-    userService.changePassword(userId, request);
-
-    return ResponseEntity.ok(ApiResponse.success("Password changed successfully"));
-  }
-
-  // Admin endpoints
-  @GetMapping("/{userId}")
-  @PreAuthorize("hasRole('ADMIN')")
-  public ResponseEntity<ApiResponse<UserResponse>> getUser(@PathVariable UUID userId) {
-    logger.info("Admin get user request for userId: {}", userId);
-
-    UserResponse userResponse = userService.findById(userId);
-
-    return ResponseEntity.ok(ApiResponse.success("User retrieved successfully", userResponse));
-  }
-
-  @PatchMapping("/{userId}")
-  @PreAuthorize("hasRole('ADMIN')")
-  public ResponseEntity<ApiResponse<UserResponse>> updateUser(
-      @PathVariable UUID userId, @Valid @RequestBody UpdateProfileRequest request) {
-
-    logger.info("Admin update user request for userId: {}", userId);
-
-    UserResponse userResponse = userService.updateProfile(userId, request);
-
-    return ResponseEntity.ok(ApiResponse.success("User updated successfully", userResponse));
-  }
-
-  @PatchMapping("/{userId}/password")
-  @PreAuthorize("hasRole('ADMIN')")
-  public ResponseEntity<ApiResponse<Void>> changeUserPassword(
-      @PathVariable UUID userId, @Valid @RequestBody ChangePasswordRequest request) {
-
-    logger.info("Admin change password request for userId: {}", userId);
-
-    // For admin, we only use the newPassword field
-    userService.changeUserPassword(userId, request.newPassword());
-
-    return ResponseEntity.ok(ApiResponse.success("Password changed successfully"));
-  }
-}
diff --git a/src/main/java/org/nkcoder/dto/auth/AuthResponse.java b/src/main/java/org/nkcoder/dto/auth/AuthResponse.java
deleted file mode 100644
index 45e0064..0000000
--- a/src/main/java/org/nkcoder/dto/auth/AuthResponse.java
+++ /dev/null
@@ -1,5 +0,0 @@
-package org.nkcoder.dto.auth;
-
-import org.nkcoder.dto.user.UserResponse;
-
-public record AuthResponse(UserResponse user, AuthTokens tokens) {}
diff --git a/src/main/java/org/nkcoder/dto/auth/AuthTokens.java b/src/main/java/org/nkcoder/dto/auth/AuthTokens.java
deleted file mode 100644
index a5de4a2..0000000
--- a/src/main/java/org/nkcoder/dto/auth/AuthTokens.java
+++ /dev/null
@@ -1,3 +0,0 @@
-package org.nkcoder.dto.auth;
-
-public record AuthTokens(String accessToken, String refreshToken) {}
diff --git a/src/main/java/org/nkcoder/dto/auth/LoginRequest.java b/src/main/java/org/nkcoder/dto/auth/LoginRequest.java
deleted file mode 100644
index f3f0225..0000000
--- a/src/main/java/org/nkcoder/dto/auth/LoginRequest.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package org.nkcoder.dto.auth;
-
-import static org.nkcoder.validation.ValidationMessages.EMAIL_INVALID;
-import static org.nkcoder.validation.ValidationMessages.EMAIL_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_REQUIRED;
-
-import jakarta.validation.constraints.Email;
-import jakarta.validation.constraints.NotBlank;
-
-public record LoginRequest(
-    @NotBlank(message = EMAIL_REQUIRED) @Email(message = EMAIL_INVALID) String email,
-    @NotBlank(message = PASSWORD_REQUIRED) String password) {}
diff --git a/src/main/java/org/nkcoder/dto/auth/RefreshTokenRequest.java b/src/main/java/org/nkcoder/dto/auth/RefreshTokenRequest.java
deleted file mode 100644
index c43994d..0000000
--- a/src/main/java/org/nkcoder/dto/auth/RefreshTokenRequest.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package org.nkcoder.dto.auth;
-
-import static org.nkcoder.validation.ValidationMessages.REFRESH_TOKEN_REQUIRED;
-
-import jakarta.validation.constraints.NotBlank;
-
-public record RefreshTokenRequest(
-    @NotBlank(message = REFRESH_TOKEN_REQUIRED) String refreshToken) {}
diff --git a/src/main/java/org/nkcoder/dto/auth/RegisterRequest.java b/src/main/java/org/nkcoder/dto/auth/RegisterRequest.java
deleted file mode 100644
index a994651..0000000
--- a/src/main/java/org/nkcoder/dto/auth/RegisterRequest.java
+++ /dev/null
@@ -1,35 +0,0 @@
-package org.nkcoder.dto.auth;
-
-import static org.nkcoder.validation.ValidationMessages.EMAIL_INVALID;
-import static org.nkcoder.validation.ValidationMessages.EMAIL_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.NAME_MAX_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.NAME_MIN_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.NAME_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.NAME_SIZE;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_COMPLEXITY;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_COMPLEXITY_PATTERN;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_MIN_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_SIZE;
-
-import jakarta.validation.constraints.Email;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
-import org.nkcoder.enums.Role;
-
-public record RegisterRequest(
-    @NotBlank(message = EMAIL_REQUIRED) @Email(message = EMAIL_INVALID) String email,
-    @NotBlank(message = PASSWORD_REQUIRED) @Size(min = PASSWORD_MIN_LENGTH, message = PASSWORD_SIZE) @Pattern(regexp = PASSWORD_COMPLEXITY_PATTERN, message = PASSWORD_COMPLEXITY) String password,
-    @NotBlank(message = NAME_REQUIRED) @Size(min = NAME_MIN_LENGTH, max = NAME_MAX_LENGTH, message = NAME_SIZE) String name,
-    Role role) {
-  // Compact constructor that normalizes email to lowercase
-  public RegisterRequest {
-    if (email != null) {
-      email = email.toLowerCase().trim();
-    }
-    if (name != null) {
-      name = name.trim();
-    }
-  }
-}
diff --git a/src/main/java/org/nkcoder/dto/user/ChangePasswordRequest.java b/src/main/java/org/nkcoder/dto/user/ChangePasswordRequest.java
deleted file mode 100644
index 6831a1b..0000000
--- a/src/main/java/org/nkcoder/dto/user/ChangePasswordRequest.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package org.nkcoder.dto.user;
-
-import static org.nkcoder.validation.ValidationMessages.CONFIRM_PASSWORD_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.CURRENT_PASSWORD_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_COMPLEXITY;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_COMPLEXITY_PATTERN;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_MIN_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_REQUIRED;
-import static org.nkcoder.validation.ValidationMessages.PASSWORD_SIZE;
-
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
-import org.nkcoder.validation.PasswordMatch;
-
-@PasswordMatch
-public record ChangePasswordRequest(
-    @NotBlank(message = CURRENT_PASSWORD_REQUIRED) String currentPassword,
-    @NotBlank(message = PASSWORD_REQUIRED) @Size(min = PASSWORD_MIN_LENGTH, message = PASSWORD_SIZE) @Pattern(regexp = PASSWORD_COMPLEXITY_PATTERN, message = PASSWORD_COMPLEXITY) String newPassword,
-    @NotBlank(message = CONFIRM_PASSWORD_REQUIRED) String confirmPassword) {}
diff --git a/src/main/java/org/nkcoder/dto/user/UpdateProfileRequest.java b/src/main/java/org/nkcoder/dto/user/UpdateProfileRequest.java
deleted file mode 100644
index d05b82e..0000000
--- a/src/main/java/org/nkcoder/dto/user/UpdateProfileRequest.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package org.nkcoder.dto.user;
-
-import static org.nkcoder.validation.ValidationMessages.EMAIL_INVALID;
-import static org.nkcoder.validation.ValidationMessages.NAME_MAX_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.NAME_MIN_LENGTH;
-import static org.nkcoder.validation.ValidationMessages.NAME_SIZE;
-
-import jakarta.validation.constraints.Email;
-import jakarta.validation.constraints.Size;
-
-public record UpdateProfileRequest(
-    @Email(message = EMAIL_INVALID) String email,
-    @Size(min = NAME_MIN_LENGTH, max = NAME_MAX_LENGTH, message = NAME_SIZE) String name) {}
diff --git a/src/main/java/org/nkcoder/dto/user/UserResponse.java b/src/main/java/org/nkcoder/dto/user/UserResponse.java
deleted file mode 100644
index 4cb1d0a..0000000
--- a/src/main/java/org/nkcoder/dto/user/UserResponse.java
+++ /dev/null
@@ -1,15 +0,0 @@
-package org.nkcoder.dto.user;
-
-import java.time.LocalDateTime;
-import java.util.UUID;
-import org.nkcoder.enums.Role;
-
-public record UserResponse(
-    UUID id,
-    String email,
-    String name,
-    Role role,
-    Boolean isEmailVerified,
-    LocalDateTime lastLoginAt,
-    LocalDateTime createdAt,
-    LocalDateTime updatedAt) {}
diff --git a/src/main/java/org/nkcoder/entity/RefreshToken.java b/src/main/java/org/nkcoder/entity/RefreshToken.java
deleted file mode 100644
index a7ff780..0000000
--- a/src/main/java/org/nkcoder/entity/RefreshToken.java
+++ /dev/null
@@ -1,119 +0,0 @@
-package org.nkcoder.entity;
-
-import jakarta.persistence.*;
-import java.time.LocalDateTime;
-import java.util.Objects;
-import java.util.UUID;
-import org.springframework.data.annotation.CreatedDate;
-import org.springframework.data.jpa.domain.support.AuditingEntityListener;
-
-@Entity
-@Table(
-    name = "refresh_tokens",
-    indexes = {
-      @Index(name = "idx_refresh_tokens_token", columnList = "token"),
-      @Index(name = "idx_refresh_tokens_token_family", columnList = "token_family"),
-      @Index(name = "idx_refresh_tokens_user_id", columnList = "user_id")
-    })
-@EntityListeners(AuditingEntityListener.class)
-public class RefreshToken {
-
-  @Id
-  @GeneratedValue(strategy = GenerationType.UUID)
-  private UUID id;
-
-  @Column(nullable = false, unique = true)
-  private final String token;
-
-  @Column(name = "token_family", nullable = false)
-  private final String tokenFamily;
-
-  @Column(name = "user_id", nullable = false)
-  private final UUID userId;
-
-  @Column(name = "expires_at", nullable = false)
-  private final LocalDateTime expiresAt;
-
-  @CreatedDate
-  @Column(name = "created_at", nullable = false, updatable = false)
-  private LocalDateTime createdAt;
-
-  @ManyToOne(fetch = FetchType.LAZY)
-  @JoinColumn(name = "user_id", insertable = false, updatable = false)
-  private User user;
-
-  // JPA requires a no-arg constructor, but we need to initialize the final fields
-  // `protected` signals this is for JPA only, not application code, we initialize to null because
-  // JPA will override via reflection.
-  // This is a standard JPA pattern for immutable entities
-  protected RefreshToken() {
-    this.token = null;
-    this.tokenFamily = null;
-    this.userId = null;
-    this.expiresAt = null;
-  }
-
-  public RefreshToken(String token, String tokenFamily, UUID userId, LocalDateTime expiresAt) {
-    this.token = Objects.requireNonNull(token, "token must not be null");
-    this.tokenFamily = Objects.requireNonNull(tokenFamily, "tokenFamily must not be null");
-    this.userId = Objects.requireNonNull(userId, "userId must not be null");
-    this.expiresAt = Objects.requireNonNull(expiresAt, "expiresAt must not be null");
-  }
-
-  // Getters and Setters
-  public UUID getId() {
-    return id;
-  }
-
-  public String getToken() {
-    return token;
-  }
-
-  public String getTokenFamily() {
-    return tokenFamily;
-  }
-
-  public UUID getUserId() {
-    return userId;
-  }
-
-  public LocalDateTime getExpiresAt() {
-    return expiresAt;
-  }
-
-  public LocalDateTime getCreatedAt() {
-    return createdAt;
-  }
-
-  public User getUser() {
-    return user;
-  }
-
-  public boolean isExpired() {
-    return LocalDateTime.now().isAfter(expiresAt);
-  }
-
-  @Override
-  public String toString() {
-    String maskedToken =
-        token != null && token.length() > 8
-            ? token.substring(0, 4) + "..." + token.substring(token.length() - 4)
-            : "****";
-    return "RefreshToken{"
-        + "id="
-        + id
-        + ", token='"
-        + maskedToken
-        + '\''
-        + ", tokenFamily='"
-        + tokenFamily
-        + '\''
-        + ", userId="
-        + userId
-        + ", expiresAt="
-        + expiresAt
-        + ", createdAt="
-        + createdAt
-        + '}';
-  }
-}
diff --git a/src/main/java/org/nkcoder/entity/User.java b/src/main/java/org/nkcoder/entity/User.java
deleted file mode 100644
index 8c25096..0000000
--- a/src/main/java/org/nkcoder/entity/User.java
+++ /dev/null
@@ -1,191 +0,0 @@
-package org.nkcoder.entity;
-
-import jakarta.persistence.CascadeType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.EntityListeners;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.Index;
-import jakarta.persistence.OneToMany;
-import jakarta.persistence.Table;
-import java.time.LocalDateTime;
-import java.util.*;
-import org.nkcoder.enums.Role;
-import org.springframework.data.annotation.CreatedDate;
-import org.springframework.data.annotation.LastModifiedDate;
-import org.springframework.data.jpa.domain.support.AuditingEntityListener;
-
-@Entity
-@Table(
-    name = "users",
-    indexes = {@Index(name = "idx_users_email", columnList = "email")})
-@EntityListeners(AuditingEntityListener.class)
-public class User {
-
-  // Not final - JPA generates after persist
-  @Id
-  @GeneratedValue(strategy = GenerationType.UUID)
-  private UUID id;
-
-  // Mutable via updateEmail()
-  @Column(nullable = false, unique = true)
-  private String email;
-
-  // Mutable via changePassword()
-  @Column(nullable = false)
-  private String password;
-
-  // Mutable via updateName()
-  @Column(nullable = false)
-  private String name;
-
-  @Enumerated(EnumType.STRING)
-  @Column(nullable = false)
-  private final Role role;
-
-  // mutable via markEmailVerified()
-  @Column(name = "is_email_verified", nullable = false)
-  private Boolean emailVerified;
-
-  // mutable via recordLogin()
-  @Column(name = "last_login_at")
-  private LocalDateTime lastLoginAt;
-
-  // Set by JPA auditing
-  @CreatedDate
-  @Column(name = "created_at", nullable = false, updatable = false)
-  private LocalDateTime createdAt;
-
-  // Set by JPA auditing
-  @LastModifiedDate
-  @Column(name = "updated_at", nullable = false)
-  private LocalDateTime updatedAt;
-
-  // Final list, mutable contents
-  @OneToMany(mappedBy = "user", cascade = CascadeType.ALL, fetch = FetchType.LAZY)
-  private final List<RefreshToken> refreshTokens = new ArrayList<>();
-
-  // Constructors
-  public User() {
-    // Required by JPA
-    this.role = Role.MEMBER;
-  }
-
-  public User(String email, String password, String name, Role role, Boolean emailVerified) {
-    this.email = Objects.requireNonNull(email, "email must not be null").toLowerCase();
-    this.password = Objects.requireNonNull(password, "password must not be null");
-    this.name = Objects.requireNonNull(name, "name must not be null");
-    this.role = role != null ? role : Role.MEMBER;
-    this.emailVerified = emailVerified;
-  }
-
-  // package level constructor (used by testings)
-  User(UUID id, String email, String password, String name, Role role, Boolean emailVerified) {
-    this.id = id;
-    this.email = Objects.requireNonNull(email, "email must not be null").toLowerCase();
-    this.password = Objects.requireNonNull(password, "password must not be null");
-    this.name = Objects.requireNonNull(name, "name must not be null");
-    this.role = role != null ? role : Role.MEMBER;
-    this.emailVerified = emailVerified;
-  }
-
-  // Getters and Setters
-  public UUID getId() {
-    return id;
-  }
-
-  public String getEmail() {
-    return email;
-  }
-
-  public String getPassword() {
-    return password;
-  }
-
-  public String getName() {
-    return name;
-  }
-
-  public Role getRole() {
-    return role;
-  }
-
-  public Boolean emailVerified() {
-    return emailVerified;
-  }
-
-  public LocalDateTime getLastLoginAt() {
-    return lastLoginAt;
-  }
-
-  public LocalDateTime getCreatedAt() {
-    return createdAt;
-  }
-
-  public LocalDateTime getUpdatedAt() {
-    return updatedAt;
-  }
-
-  // Business methods
-  public void updateEmail(String newEmail) {
-    this.email = Objects.requireNonNull(newEmail, "email must not be null").toLowerCase();
-  }
-
-  public void updateName(String newName) {
-    this.name = Objects.requireNonNull(newName, "name must not be null");
-  }
-
-  public void changePassword(String encodedPassword) {
-    this.password = Objects.requireNonNull(encodedPassword, "password must not be null");
-  }
-
-  public void markEmailVerified() {
-    this.emailVerified = true;
-  }
-
-  public void recordLastLogin() {
-    this.lastLoginAt = LocalDateTime.now();
-  }
-
-  // Returns an unmodifiable view of the refresh tokens
-  public List<RefreshToken> getRefreshTokens() {
-    return Collections.unmodifiableList(refreshTokens);
-  }
-
-  public void addRefreshToken(RefreshToken token) {
-    refreshTokens.add(Objects.requireNonNull(token, "refreshToken must not be null"));
-  }
-
-  public void removeRefreshToken(RefreshToken token) {
-    refreshTokens.remove(token);
-  }
-
-  @Override
-  public String toString() {
-    return "User{"
-        + "id="
-        + id
-        + ", email='"
-        + email
-        + '\''
-        + ", name='"
-        + name
-        + '\''
-        + ", role="
-        + role
-        + ", emailVerified="
-        + emailVerified
-        + ", lastLoginAt="
-        + lastLoginAt
-        + ", createdAt="
-        + createdAt
-        + ", updatedAt="
-        + updatedAt
-        + '}';
-  }
-}
diff --git a/src/main/java/org/nkcoder/enums/Role.java b/src/main/java/org/nkcoder/enums/Role.java
deleted file mode 100644
index 80a913b..0000000
--- a/src/main/java/org/nkcoder/enums/Role.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package org.nkcoder.enums;
-
-public enum Role {
-  MEMBER,
-  ADMIN
-}
diff --git a/src/main/java/org/nkcoder/exception/AuthenticationException.java b/src/main/java/org/nkcoder/exception/AuthenticationException.java
deleted file mode 100644
index 1be9121..0000000
--- a/src/main/java/org/nkcoder/exception/AuthenticationException.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package org.nkcoder.exception;
-
-public class AuthenticationException extends RuntimeException {
-
-  public AuthenticationException(String message) {
-    super(message);
-  }
-
-  public AuthenticationException(String message, Throwable cause) {
-    super(message, cause);
-  }
-}
diff --git a/src/main/java/org/nkcoder/exception/GlobalExceptionHandler.java b/src/main/java/org/nkcoder/exception/GlobalExceptionHandler.java
deleted file mode 100644
index ecd6f91..0000000
--- a/src/main/java/org/nkcoder/exception/GlobalExceptionHandler.java
+++ /dev/null
@@ -1,113 +0,0 @@
-package org.nkcoder.exception;
-
-import com.fasterxml.jackson.core.JsonParseException;
-import java.time.LocalDateTime;
-import java.util.Map;
-import java.util.stream.Collectors;
-import org.nkcoder.dto.common.ApiResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.converter.HttpMessageNotReadableException;
-import org.springframework.security.access.AccessDeniedException;
-import org.springframework.validation.FieldError;
-import org.springframework.web.HttpMediaTypeNotSupportedException;
-import org.springframework.web.HttpRequestMethodNotSupportedException;
-import org.springframework.web.bind.MethodArgumentNotValidException;
-import org.springframework.web.bind.annotation.ExceptionHandler;
-import org.springframework.web.bind.annotation.RestControllerAdvice;
-
-@RestControllerAdvice
-public class GlobalExceptionHandler {
-
-  private static final Logger logger = LoggerFactory.getLogger(GlobalExceptionHandler.class);
-
-  @ExceptionHandler(ValidationException.class)
-  public ResponseEntity<ApiResponse<Object>> handleValidationException(ValidationException e) {
-    logger.error("Validation error: {}", e.getMessage());
-    return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(ApiResponse.error(e.getMessage()));
-  }
-
-  @ExceptionHandler(ResourceNotFoundException.class)
-  public ResponseEntity<ApiResponse<Object>> handleResourceNotFoundException(
-      ResourceNotFoundException e) {
-    logger.error("Resource not found: {}", e.getMessage());
-    return ResponseEntity.status(HttpStatus.NOT_FOUND).body(ApiResponse.error(e.getMessage()));
-  }
-
-  @ExceptionHandler(AuthenticationException.class)
-  public ResponseEntity<ApiResponse<Object>> handleAuthenticationException(
-      AuthenticationException e) {
-    logger.error("Authentication error: {}", e.getMessage());
-    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(ApiResponse.error(e.getMessage()));
-  }
-
-  @ExceptionHandler(AccessDeniedException.class)
-  public ResponseEntity<ApiResponse<Object>> handleAccessDeniedException(AccessDeniedException e) {
-    logger.error("Access denied: {}", e.getMessage());
-    return ResponseEntity.status(HttpStatus.FORBIDDEN).body(ApiResponse.error("Access denied"));
-  }
-
-  @ExceptionHandler(MethodArgumentNotValidException.class)
-  public ResponseEntity<ApiResponse<Object>> handleValidationExceptions(
-      MethodArgumentNotValidException e) {
-    logger.debug("Validation error: {} field(s) failed", e.getBindingResult().getErrorCount());
-
-    Map<String, String> errors =
-        e.getBindingResult().getFieldErrors().stream()
-            .collect(
-                Collectors.toMap(
-                    FieldError::getField,
-                    fieldError ->
-                        fieldError.getDefaultMessage() != null
-                            ? fieldError.getDefaultMessage()
-                            : "Invalid value",
-                    (existing, replacement) -> existing));
-
-    return ResponseEntity.status(HttpStatus.BAD_REQUEST)
-        .body(new ApiResponse<>("Validation failed", errors, LocalDateTime.now()));
-  }
-
-  @ExceptionHandler(HttpRequestMethodNotSupportedException.class)
-  public ResponseEntity<ApiResponse<Object>> handleRequestMethodNotSupportedException(
-      org.springframework.web.HttpRequestMethodNotSupportedException e) {
-    logger.error("Method not allowed: {}", e.getMessage());
-    return ResponseEntity.status(HttpStatus.METHOD_NOT_ALLOWED)
-        .body(ApiResponse.error("Method not allowed: " + e.getMessage()));
-  }
-
-  @ExceptionHandler(HttpMessageNotReadableException.class)
-  public ResponseEntity<ApiResponse<Object>> handleHttpMessageNotReadableException(
-      HttpMessageNotReadableException e) {
-    logger.debug("Message not readable: {}", e.getMostSpecificCause().getMessage());
-
-    String message = "Malformed JSON request";
-    Throwable cause = e.getCause();
-    if (cause instanceof JsonParseException) {
-      message = "Invalid JSON format: " + cause.getMessage();
-    }
-
-    return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(ApiResponse.error(message));
-  }
-
-  @ExceptionHandler(HttpMediaTypeNotSupportedException.class)
-  public ResponseEntity<ApiResponse<Object>> handleHttpMediaTypeNotSupportedException(
-      HttpMediaTypeNotSupportedException e) {
-    logger.debug("Unsupported media type: {}", e.getContentType());
-
-    String message =
-        String.format(
-            "Content type '%s' is not supported. Use 'application/json'", e.getContentType());
-    return ResponseEntity.status(HttpStatus.UNSUPPORTED_MEDIA_TYPE)
-        .body(ApiResponse.error(message));
-  }
-
-  @ExceptionHandler(Exception.class)
-  public ResponseEntity<ApiResponse<Object>> handleGenericException(Exception e) {
-    logger.error("Unexpected error: {}", e.getMessage(), e);
-
-    return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
-        .body(ApiResponse.error("An unexpected error occurred. Please try again later."));
-  }
-}
diff --git a/src/main/java/org/nkcoder/exception/ResourceNotFoundException.java b/src/main/java/org/nkcoder/exception/ResourceNotFoundException.java
deleted file mode 100644
index 82739e6..0000000
--- a/src/main/java/org/nkcoder/exception/ResourceNotFoundException.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package org.nkcoder.exception;
-
-public class ResourceNotFoundException extends RuntimeException {
-
-  public ResourceNotFoundException(String message) {
-    super(message);
-  }
-
-  public ResourceNotFoundException(String message, Throwable cause) {
-    super(message, cause);
-  }
-}
diff --git a/src/main/java/org/nkcoder/exception/ValidationException.java b/src/main/java/org/nkcoder/exception/ValidationException.java
deleted file mode 100644
index dade666..0000000
--- a/src/main/java/org/nkcoder/exception/ValidationException.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package org.nkcoder.exception;
-
-public class ValidationException extends RuntimeException {
-
-  public ValidationException(String message) {
-    super(message);
-  }
-
-  public ValidationException(String message, Throwable cause) {
-    super(message, cause);
-  }
-}
diff --git a/src/main/java/org/nkcoder/grpc/AuthGrpcService.java b/src/main/java/org/nkcoder/grpc/AuthGrpcService.java
deleted file mode 100644
index 25f783d..0000000
--- a/src/main/java/org/nkcoder/grpc/AuthGrpcService.java
+++ /dev/null
@@ -1,90 +0,0 @@
-package org.nkcoder.grpc;
-
-import io.grpc.Status;
-import io.grpc.stub.StreamObserver;
-import net.devh.boot.grpc.server.service.GrpcService;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.LoginRequest;
-import org.nkcoder.dto.auth.RegisterRequest;
-import org.nkcoder.enums.Role;
-import org.nkcoder.generated.grpc.AuthProto;
-import org.nkcoder.generated.grpc.AuthProto.ApiResponse;
-import org.nkcoder.generated.grpc.AuthServiceGrpc;
-import org.nkcoder.service.AuthService;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-
-@GrpcService
-public class AuthGrpcService extends AuthServiceGrpc.AuthServiceImplBase {
-  private static final org.slf4j.Logger logger = LoggerFactory.getLogger(AuthGrpcService.class);
-
-  private final AuthService authService;
-
-  @Autowired
-  public AuthGrpcService(AuthService authService) {
-    this.authService = authService;
-  }
-
-  @Override
-  public void register(
-      AuthProto.RegisterRequest request, StreamObserver<AuthProto.ApiResponse> responseObserver) {
-    logger.info("Received registration request for email: {}", request.getEmail());
-
-    if (request.getEmail().isEmpty()
-        || request.getPassword().isEmpty()
-        || request.getName().isEmpty()) {
-      logger.error("Invalid registration request: email, password, and username must not be empty");
-      responseObserver.onError(
-          Status.INVALID_ARGUMENT
-              .withDescription("Email, password, and username must not be empty")
-              .asRuntimeException());
-      return;
-    }
-
-    RegisterRequest registerRequest =
-        new RegisterRequest(
-            request.getEmail(), request.getPassword(), request.getName(), Role.MEMBER);
-
-    AuthResponse response = authService.register(registerRequest);
-
-    logger.info("auth response: {}", response);
-
-    AuthProto.AuthResponse grpcResponse = GrpcMapper.toAuthResponse(response);
-    ApiResponse apiResponse =
-        AuthProto.ApiResponse.newBuilder()
-            .setMessage("User registered successfully")
-            .setData(grpcResponse)
-            .build();
-
-    responseObserver.onNext(apiResponse);
-    responseObserver.onCompleted();
-  }
-
-  @Override
-  public void login(
-      AuthProto.LoginRequest request, StreamObserver<AuthProto.ApiResponse> responseObserver) {
-    logger.info("Received login request for email: {}", request.getEmail());
-
-    if (request.getEmail().isEmpty() || request.getPassword().isEmpty()) {
-      logger.error("Invalid login request: email and password must not be empty");
-      responseObserver.onError(
-          Status.INVALID_ARGUMENT
-              .withDescription("Email and password must not be empty")
-              .asRuntimeException());
-      return;
-    }
-
-    LoginRequest loginRequest = new LoginRequest(request.getEmail(), request.getPassword());
-    AuthResponse response = authService.login(loginRequest);
-
-    AuthProto.AuthResponse grpcResponse = GrpcMapper.toAuthResponse(response);
-    ApiResponse apiResponse =
-        AuthProto.ApiResponse.newBuilder()
-            .setMessage("User logged in successfully")
-            .setData(grpcResponse)
-            .build();
-
-    responseObserver.onNext(apiResponse);
-    responseObserver.onCompleted();
-  }
-}
diff --git a/src/main/java/org/nkcoder/grpc/GrpcMapper.java b/src/main/java/org/nkcoder/grpc/GrpcMapper.java
deleted file mode 100644
index 612d61e..0000000
--- a/src/main/java/org/nkcoder/grpc/GrpcMapper.java
+++ /dev/null
@@ -1,45 +0,0 @@
-package org.nkcoder.grpc;
-
-import com.google.protobuf.Timestamp;
-import java.time.Instant;
-import java.time.LocalDateTime;
-import java.time.ZoneOffset;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.AuthTokens;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.generated.grpc.AuthProto;
-
-public class GrpcMapper {
-  public static AuthProto.AuthResponse toAuthResponse(AuthResponse authResponse) {
-    UserResponse user = authResponse.user();
-    AuthTokens tokens = authResponse.tokens();
-
-    AuthProto.User grpcUser =
-        AuthProto.User.newBuilder()
-            .setId(user.id().toString())
-            .setEmail(user.email())
-            .setName(user.name())
-            .setLastLoginAt(toTimestamp(user.lastLoginAt()))
-            .build();
-
-    AuthProto.AuthToken grpcTokens =
-        AuthProto.AuthToken.newBuilder()
-            .setAccessToken(tokens.accessToken())
-            .setRefreshToken(tokens.refreshToken())
-            .build();
-
-    return AuthProto.AuthResponse.newBuilder().setUser(grpcUser).setAuthToken(grpcTokens).build();
-  }
-
-  public static Timestamp toTimestamp(LocalDateTime dateTime) {
-    if (dateTime == null) {
-      return Timestamp.getDefaultInstance();
-    }
-    Instant instant = dateTime.toInstant(ZoneOffset.UTC);
-
-    return Timestamp.newBuilder()
-        .setSeconds(instant.getEpochSecond())
-        .setNanos(instant.getNano())
-        .build();
-  }
-}
diff --git a/src/main/java/org/nkcoder/config/CorsProperties.java b/src/main/java/org/nkcoder/infrastructure/config/CorsProperties.java
similarity index 96%
rename from src/main/java/org/nkcoder/config/CorsProperties.java
rename to src/main/java/org/nkcoder/infrastructure/config/CorsProperties.java
index 2c57619..ccb3257 100644
--- a/src/main/java/org/nkcoder/config/CorsProperties.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/CorsProperties.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
diff --git a/src/main/java/org/nkcoder/config/JpaAuditingConfig.java b/src/main/java/org/nkcoder/infrastructure/config/JpaAuditingConfig.java
similarity index 82%
rename from src/main/java/org/nkcoder/config/JpaAuditingConfig.java
rename to src/main/java/org/nkcoder/infrastructure/config/JpaAuditingConfig.java
index 076d5cf..924eebb 100644
--- a/src/main/java/org/nkcoder/config/JpaAuditingConfig.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/JpaAuditingConfig.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
diff --git a/src/main/java/org/nkcoder/config/JwtProperties.java b/src/main/java/org/nkcoder/infrastructure/config/JwtProperties.java
similarity index 97%
rename from src/main/java/org/nkcoder/config/JwtProperties.java
rename to src/main/java/org/nkcoder/infrastructure/config/JwtProperties.java
index e6b1b10..50c24ce 100644
--- a/src/main/java/org/nkcoder/config/JwtProperties.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/JwtProperties.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotBlank;
diff --git a/src/main/java/org/nkcoder/config/ObservabilityConfig.java b/src/main/java/org/nkcoder/infrastructure/config/ObservabilityConfig.java
similarity index 96%
rename from src/main/java/org/nkcoder/config/ObservabilityConfig.java
rename to src/main/java/org/nkcoder/infrastructure/config/ObservabilityConfig.java
index 9f1bcb0..5111eda 100644
--- a/src/main/java/org/nkcoder/config/ObservabilityConfig.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/ObservabilityConfig.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import io.micrometer.core.aop.TimedAspect;
 import io.micrometer.core.instrument.MeterRegistry;
diff --git a/src/main/java/org/nkcoder/config/OpenApiConfig.java b/src/main/java/org/nkcoder/infrastructure/config/OpenApiConfig.java
similarity index 97%
rename from src/main/java/org/nkcoder/config/OpenApiConfig.java
rename to src/main/java/org/nkcoder/infrastructure/config/OpenApiConfig.java
index 6f86c02..5686485 100644
--- a/src/main/java/org/nkcoder/config/OpenApiConfig.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/OpenApiConfig.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import io.swagger.v3.oas.models.OpenAPI;
 import io.swagger.v3.oas.models.info.Contact;
diff --git a/src/main/java/org/nkcoder/config/SecurityConfig.java b/src/main/java/org/nkcoder/infrastructure/config/SecurityConfig.java
similarity index 85%
rename from src/main/java/org/nkcoder/config/SecurityConfig.java
rename to src/main/java/org/nkcoder/infrastructure/config/SecurityConfig.java
index e9b6d7a..47bd3ab 100644
--- a/src/main/java/org/nkcoder/config/SecurityConfig.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/SecurityConfig.java
@@ -1,7 +1,7 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
-import org.nkcoder.security.JwtAuthenticationEntryPoint;
-import org.nkcoder.security.JwtAuthenticationFilter;
+import org.nkcoder.infrastructure.security.JwtAuthenticationEntryPoint;
+import org.nkcoder.infrastructure.security.JwtAuthenticationFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -61,30 +61,29 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         .authorizeHttpRequests(
             auth ->
                 auth
-                    // Public endpoints
-                    .requestMatchers(
-                        "/api/users/auth/register",
-                        "/api/users/auth/login",
-                        "/api/users/auth/refresh")
+                    // Public auth endpoints
+                    .requestMatchers("/api/auth/register", "/api/auth/login", "/api/auth/refresh")
                     .permitAll()
+                    // Actuator and health endpoints
                     .requestMatchers("/actuator/health", "/actuator/info")
                     .permitAll()
                     .requestMatchers("/health")
                     .permitAll()
+                    // Swagger/OpenAPI endpoints
                     .requestMatchers(
                         "/swagger-ui/**", "/v3/api-docs/**", "/swagger-ui.html", "/api-docs/**")
                     .permitAll()
 
-                    // Logout endpoints require authentication
-                    .requestMatchers("/api/users/auth/logout", "/api/users/auth/logout-single")
+                    // Authenticated logout endpoints
+                    .requestMatchers("/api/auth/logout", "/api/auth/logout-single")
                     .authenticated()
 
-                    // Protected endpoints
+                    // Protected user profile endpoints
                     .requestMatchers("/api/users/me", "/api/users/me/**")
                     .authenticated()
-                    .requestMatchers("/api/users/{userId}")
-                    .hasRole("ADMIN")
-                    .requestMatchers("/api/users/{userId}/**")
+
+                    // Admin endpoints
+                    .requestMatchers("/api/admin/users/**")
                     .hasRole("ADMIN")
 
                     // All other requests require authentication
diff --git a/src/main/java/org/nkcoder/config/WebConfig.java b/src/main/java/org/nkcoder/infrastructure/config/WebConfig.java
similarity index 85%
rename from src/main/java/org/nkcoder/config/WebConfig.java
rename to src/main/java/org/nkcoder/infrastructure/config/WebConfig.java
index 1b52982..8546c25 100644
--- a/src/main/java/org/nkcoder/config/WebConfig.java
+++ b/src/main/java/org/nkcoder/infrastructure/config/WebConfig.java
@@ -1,7 +1,7 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import java.util.List;
-import org.nkcoder.resolver.CurrentUserArgumentResolver;
+import org.nkcoder.infrastructure.resolver.CurrentUserArgumentResolver;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
diff --git a/src/main/java/org/nkcoder/resolver/CurrentUserArgumentResolver.java b/src/main/java/org/nkcoder/infrastructure/resolver/CurrentUserArgumentResolver.java
similarity index 87%
rename from src/main/java/org/nkcoder/resolver/CurrentUserArgumentResolver.java
rename to src/main/java/org/nkcoder/infrastructure/resolver/CurrentUserArgumentResolver.java
index b40560a..1e65c02 100644
--- a/src/main/java/org/nkcoder/resolver/CurrentUserArgumentResolver.java
+++ b/src/main/java/org/nkcoder/infrastructure/resolver/CurrentUserArgumentResolver.java
@@ -1,9 +1,9 @@
-package org.nkcoder.resolver;
+package org.nkcoder.infrastructure.resolver;
 
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
 import org.jetbrains.annotations.NotNull;
-import org.nkcoder.annotation.CurrentUser;
+import org.nkcoder.shared.local.annotation.CurrentUser;
 import org.springframework.core.MethodParameter;
 import org.springframework.stereotype.Component;
 import org.springframework.web.bind.support.WebDataBinderFactory;
@@ -13,7 +13,7 @@
 
 /**
  * Resolves method parameters annotated with {@link CurrentUser} by extracting the user ID from
- * request attributes set by {@link org.nkcoder.security.JwtAuthenticationFilter}
+ * request attributes set by {@link org.nkcoder.infrastructure.security.JwtAuthenticationFilter}
  */
 @Component
 public class CurrentUserArgumentResolver implements HandlerMethodArgumentResolver {
diff --git a/src/main/java/org/nkcoder/security/JwtAuthenticationEntryPoint.java b/src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationEntryPoint.java
similarity index 95%
rename from src/main/java/org/nkcoder/security/JwtAuthenticationEntryPoint.java
rename to src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationEntryPoint.java
index 4be99fe..771dbe4 100644
--- a/src/main/java/org/nkcoder/security/JwtAuthenticationEntryPoint.java
+++ b/src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationEntryPoint.java
@@ -1,4 +1,4 @@
-package org.nkcoder.security;
+package org.nkcoder.infrastructure.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.ExpiredJwtException;
@@ -6,7 +6,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import org.apache.logging.log4j.util.Strings;
-import org.nkcoder.dto.common.ApiResponse;
+import org.nkcoder.shared.local.rest.ApiResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
diff --git a/src/main/java/org/nkcoder/security/JwtAuthenticationFilter.java b/src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationFilter.java
similarity index 95%
rename from src/main/java/org/nkcoder/security/JwtAuthenticationFilter.java
rename to src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationFilter.java
index 37f9988..7fd753b 100644
--- a/src/main/java/org/nkcoder/security/JwtAuthenticationFilter.java
+++ b/src/main/java/org/nkcoder/infrastructure/security/JwtAuthenticationFilter.java
@@ -1,4 +1,4 @@
-package org.nkcoder.security;
+package org.nkcoder.infrastructure.security;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
@@ -13,8 +13,8 @@
 import java.util.Optional;
 import java.util.UUID;
 import org.jetbrains.annotations.NotNull;
-import org.nkcoder.enums.Role;
-import org.nkcoder.util.JwtUtil;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.infrastructure.security.JwtUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -64,7 +64,7 @@ protected void doFilterInternal(
                 UUID userId = UUID.fromString(claims.getSubject());
                 String email = claims.get("email", String.class);
                 String roleString = claims.get("role", String.class);
-                Role role = Role.valueOf(roleString);
+                AuthRole role = AuthRole.valueOf(roleString);
 
                 // Create authorities
                 List<GrantedAuthority> authorities =
diff --git a/src/main/java/org/nkcoder/mapper/UserMapper.java b/src/main/java/org/nkcoder/mapper/UserMapper.java
deleted file mode 100644
index dbeb3a4..0000000
--- a/src/main/java/org/nkcoder/mapper/UserMapper.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package org.nkcoder.mapper;
-
-import java.util.Objects;
-import java.util.Optional;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.entity.User;
-import org.springframework.stereotype.Component;
-
-@Component
-public class UserMapper {
-
-  /** Converts a User entity to UserResponse, returning Optional.empty() is user is null. */
-  public Optional<UserResponse> toResponse(User user) {
-    return Optional.ofNullable(user).map(this::mapToResponse);
-  }
-
-  public UserResponse toResponseOrThrow(User user) {
-    Objects.requireNonNull(user, "User must not be null");
-    return mapToResponse(user);
-  }
-
-  private UserResponse mapToResponse(User user) {
-    return new UserResponse(
-        user.getId(),
-        user.getEmail(),
-        user.getName(),
-        user.getRole(),
-        user.emailVerified(),
-        user.getLastLoginAt(),
-        user.getCreatedAt(),
-        user.getUpdatedAt());
-  }
-}
diff --git a/src/main/java/org/nkcoder/repository/RefreshTokenRepository.java b/src/main/java/org/nkcoder/repository/RefreshTokenRepository.java
deleted file mode 100644
index 906d08d..0000000
--- a/src/main/java/org/nkcoder/repository/RefreshTokenRepository.java
+++ /dev/null
@@ -1,42 +0,0 @@
-package org.nkcoder.repository;
-
-import jakarta.persistence.LockModeType;
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.nkcoder.entity.RefreshToken;
-import org.springframework.data.jpa.repository.JpaRepository;
-import org.springframework.data.jpa.repository.Lock;
-import org.springframework.data.jpa.repository.Modifying;
-import org.springframework.data.jpa.repository.Query;
-import org.springframework.data.repository.query.Param;
-import org.springframework.stereotype.Repository;
-
-@Repository
-public interface RefreshTokenRepository extends JpaRepository<RefreshToken, UUID> {
-  Optional<RefreshToken> findByToken(@Param("token") String token);
-
-  /**
-   * Prevents concurrent refresh attempts from succeeding Find token with pessimistic write lock for
-   * safe token rotation.
-   */
-  @Lock(LockModeType.PESSIMISTIC_WRITE)
-  @Query("SELECT rt FROM RefreshToken rt WHERE rt.token = :token")
-  Optional<RefreshToken> findByTokenForUpdate(@Param("token") String token);
-
-  @Modifying
-  @Query("DELETE FROM RefreshToken rt WHERE rt.token = :token")
-  int deleteByToken(@Param("token") String token);
-
-  @Modifying
-  @Query("DELETE FROM RefreshToken rt WHERE rt.tokenFamily = :tokenFamily")
-  int deleteByTokenFamily(@Param("tokenFamily") String tokenFamily);
-
-  @Modifying
-  @Query("DELETE FROM RefreshToken rt WHERE rt.userId = :userId")
-  int deleteByUserId(@Param("userId") UUID userId);
-
-  @Modifying
-  @Query("DELETE FROM RefreshToken rt WHERE rt.expiresAt < :now")
-  int deleteExpiredTokens(@Param("now") LocalDateTime now);
-}
diff --git a/src/main/java/org/nkcoder/repository/UserRepository.java b/src/main/java/org/nkcoder/repository/UserRepository.java
deleted file mode 100644
index 8c50c74..0000000
--- a/src/main/java/org/nkcoder/repository/UserRepository.java
+++ /dev/null
@@ -1,27 +0,0 @@
-package org.nkcoder.repository;
-
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.nkcoder.entity.User;
-import org.springframework.data.jpa.repository.JpaRepository;
-import org.springframework.data.jpa.repository.Modifying;
-import org.springframework.data.jpa.repository.Query;
-import org.springframework.data.repository.query.Param;
-import org.springframework.stereotype.Repository;
-
-@Repository
-public interface UserRepository extends JpaRepository<User, UUID> {
-
-  Optional<User> findByEmail(String email);
-
-  boolean existsByEmail(String email);
-
-  @Modifying
-  @Query("UPDATE User u SET u.lastLoginAt = :lastLoginAt WHERE u.id = :id")
-  int updateLastLoginAt(@Param("id") UUID id, @Param("lastLoginAt") LocalDateTime lastLoginAt);
-
-  @Query("SELECT u FROM User u WHERE u.email = :email AND u.id != :excludeId")
-  Optional<User> findByEmailExcludingId(
-      @Param("email") String email, @Param("excludeId") UUID excludeId);
-}
diff --git a/src/main/java/org/nkcoder/service/AuthService.java b/src/main/java/org/nkcoder/service/AuthService.java
deleted file mode 100644
index aff4093..0000000
--- a/src/main/java/org/nkcoder/service/AuthService.java
+++ /dev/null
@@ -1,213 +0,0 @@
-package org.nkcoder.service;
-
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwtException;
-import java.time.LocalDateTime;
-import java.util.UUID;
-import org.nkcoder.config.JwtProperties;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.AuthTokens;
-import org.nkcoder.dto.auth.LoginRequest;
-import org.nkcoder.dto.auth.RegisterRequest;
-import org.nkcoder.entity.RefreshToken;
-import org.nkcoder.entity.User;
-import org.nkcoder.exception.AuthenticationException;
-import org.nkcoder.exception.ValidationException;
-import org.nkcoder.mapper.UserMapper;
-import org.nkcoder.repository.RefreshTokenRepository;
-import org.nkcoder.repository.UserRepository;
-import org.nkcoder.util.JwtUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Isolation;
-import org.springframework.transaction.annotation.Transactional;
-
-@Service
-public class AuthService {
-
-  private static final Logger logger = LoggerFactory.getLogger(AuthService.class);
-
-  public static final String USER_ALREADY_EXISTS = "User already exists";
-  public static final String INVALID_CREDENTIALS = "Invalid email or password";
-  public static final String INVALID_REFRESH_TOKEN = "Invalid refresh token";
-  public static final String REFRESH_TOKEN_EXPIRED = "Refresh token expired";
-  public static final String USER_NOT_FOUND = "User not found";
-
-  private final UserRepository userRepository;
-  private final RefreshTokenRepository refreshTokenRepository;
-  private final PasswordEncoder passwordEncoder;
-  private final JwtUtil jwtUtil;
-  private final JwtProperties jwtProperties;
-  private final UserMapper userMapper;
-
-  @Autowired
-  public AuthService(
-      UserRepository userRepository,
-      RefreshTokenRepository refreshTokenRepository,
-      PasswordEncoder passwordEncoder,
-      JwtUtil jwtUtil,
-      JwtProperties jwtProperties,
-      UserMapper userMapper) {
-    this.userRepository = userRepository;
-    this.refreshTokenRepository = refreshTokenRepository;
-    this.passwordEncoder = passwordEncoder;
-    this.jwtUtil = jwtUtil;
-    this.jwtProperties = jwtProperties;
-    this.userMapper = userMapper;
-  }
-
-  @Transactional
-  public AuthResponse register(RegisterRequest request) {
-    logger.debug("Registering new user with email: {}", request.email());
-
-    // Check if user already exists
-    if (userRepository.existsByEmail(request.email().toLowerCase())) {
-      throw new ValidationException(USER_ALREADY_EXISTS);
-    }
-
-    // Create new user
-    User user =
-        new User(
-            request.email().toLowerCase(),
-            passwordEncoder.encode(request.password()),
-            request.name(),
-            request.role(),
-            false);
-
-    User savedUser = userRepository.save(user);
-    logger.debug("User registered successfully with ID: {}", savedUser.getId());
-
-    // Generate tokens
-    String tokenFamily = UUID.randomUUID().toString();
-    AuthTokens tokens = generateAuthTokens(savedUser, tokenFamily);
-
-    // Save refresh token
-    saveRefreshToken(tokens.refreshToken(), savedUser.getId(), tokenFamily);
-
-    return new AuthResponse(userMapper.toResponseOrThrow(savedUser), tokens);
-  }
-
-  @Transactional
-  public AuthResponse login(LoginRequest request) {
-    logger.debug("Logging in user with email: {}", request.email());
-
-    // Find user by email
-    User user =
-        userRepository
-            .findByEmail(request.email().toLowerCase())
-            .orElseThrow(() -> new AuthenticationException(INVALID_CREDENTIALS));
-
-    // Check password
-    if (!passwordEncoder.matches(request.password(), user.getPassword())) {
-      throw new AuthenticationException(INVALID_CREDENTIALS);
-    }
-
-    // Update last login
-    userRepository.updateLastLoginAt(user.getId(), LocalDateTime.now());
-
-    // Generate tokens
-    String tokenFamily = UUID.randomUUID().toString();
-    AuthTokens tokens = generateAuthTokens(user, tokenFamily);
-
-    // Save refresh token
-    saveRefreshToken(tokens.refreshToken(), user.getId(), tokenFamily);
-
-    logger.debug("User logged in successfully: {}", user.getId());
-    return new AuthResponse(userMapper.toResponseOrThrow(user), tokens);
-  }
-
-  @Transactional(isolation = Isolation.SERIALIZABLE)
-  public AuthResponse refreshTokens(String refreshToken) {
-    logger.debug("Refreshing tokens");
-
-    try {
-      // Validate refresh token
-      Claims claims = jwtUtil.validateRefreshToken(refreshToken);
-      UUID userId = UUID.fromString(claims.getSubject());
-      String tokenFamily = claims.get("tokenFamily", String.class);
-
-      // Get stored refresh token
-      RefreshToken storedToken =
-          refreshTokenRepository
-              .findByTokenForUpdate(refreshToken)
-              .orElseThrow(() -> new AuthenticationException(INVALID_REFRESH_TOKEN));
-
-      // Check if token is expired
-      if (storedToken.isExpired()) {
-        refreshTokenRepository.deleteByToken(refreshToken);
-        throw new AuthenticationException(REFRESH_TOKEN_EXPIRED);
-      }
-
-      User user =
-          userRepository
-              .findById(userId)
-              .orElseThrow(() -> new AuthenticationException(USER_NOT_FOUND));
-
-      refreshTokenRepository.deleteByToken(refreshToken);
-
-      // Generate new tokens with same token family
-      AuthTokens tokens = generateAuthTokens(user, tokenFamily);
-
-      saveRefreshToken(tokens.refreshToken(), user.getId(), tokenFamily);
-
-      logger.debug("Tokens refreshed successfully for user: {}", userId);
-      return new AuthResponse(userMapper.toResponseOrThrow(user), tokens);
-    } catch (JwtException e) {
-      logger.error("Invalid refresh token: {}", e.getMessage());
-
-      // If refresh token is invalid, try to delete the token family
-      refreshTokenRepository
-          .findByToken(refreshToken)
-          .ifPresent(
-              storedToken ->
-                  refreshTokenRepository.deleteByTokenFamily(storedToken.getTokenFamily()));
-
-      throw new AuthenticationException(INVALID_REFRESH_TOKEN);
-    }
-  }
-
-  @Transactional
-  public void logout(String refreshToken) {
-    logger.debug("Logging out user (all devices)");
-
-    refreshTokenRepository
-        .findByToken(refreshToken)
-        .ifPresent(
-            storedToken -> {
-              // Delete entire token family (logout from all devices)
-              refreshTokenRepository.deleteByTokenFamily(storedToken.getTokenFamily());
-              logger.debug(
-                  "Logged out from all devices for token family: {}", storedToken.getTokenFamily());
-            });
-  }
-
-  @Transactional
-  public void logoutSingle(String refreshToken) {
-    logger.debug("Logging out user (single device)");
-
-    // Delete only this refresh token (logout from current device)
-    refreshTokenRepository.deleteByToken(refreshToken);
-    logger.debug("Logged out from current device");
-  }
-
-  private AuthTokens generateAuthTokens(User user, String tokenFamily) {
-    String accessToken = jwtUtil.generateAccessToken(user.getId(), user.getEmail(), user.getRole());
-    String refreshToken = jwtUtil.generateRefreshToken(user.getId(), tokenFamily);
-    return new AuthTokens(accessToken, refreshToken);
-  }
-
-  private void saveRefreshToken(String token, UUID userId, String tokenFamily) {
-    LocalDateTime expiresAt = jwtUtil.getTokenExpiry(jwtProperties.expiration().refresh());
-    RefreshToken refreshToken = new RefreshToken(token, tokenFamily, userId, expiresAt);
-    refreshTokenRepository.save(refreshToken);
-  }
-
-  @Transactional
-  public void cleanupExpiredTokens() {
-    logger.debug("Cleaning up expired refresh tokens");
-    refreshTokenRepository.deleteExpiredTokens(LocalDateTime.now());
-  }
-}
diff --git a/src/main/java/org/nkcoder/service/UserService.java b/src/main/java/org/nkcoder/service/UserService.java
deleted file mode 100644
index 3920a96..0000000
--- a/src/main/java/org/nkcoder/service/UserService.java
+++ /dev/null
@@ -1,128 +0,0 @@
-package org.nkcoder.service;
-
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.nkcoder.dto.user.ChangePasswordRequest;
-import org.nkcoder.dto.user.UpdateProfileRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.entity.User;
-import org.nkcoder.exception.ResourceNotFoundException;
-import org.nkcoder.exception.ValidationException;
-import org.nkcoder.mapper.UserMapper;
-import org.nkcoder.repository.UserRepository;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-import org.springframework.util.StringUtils;
-
-@Service
-public class UserService {
-
-  private static final Logger logger = LoggerFactory.getLogger(UserService.class);
-
-  public static final String USER_NOT_FOUND_ID = "User not found with id: ";
-  public static final String USER_NOT_FOUND_EMAIL = "User not found with email";
-  public static final String EMAIL_ALREADY_EXISTS = "Email already exists";
-  public static final String CURRENT_PASSWORD_INCORRECT = "Current password is incorrect";
-
-  private final UserRepository userRepository;
-  private final PasswordEncoder passwordEncoder;
-  private final UserMapper userMapper;
-
-  @Autowired
-  public UserService(
-      UserRepository userRepository, PasswordEncoder passwordEncoder, UserMapper userMapper) {
-    this.userRepository = userRepository;
-    this.passwordEncoder = passwordEncoder;
-    this.userMapper = userMapper;
-  }
-
-  @Transactional(readOnly = true)
-  public UserResponse findById(UUID id) {
-    logger.debug("Finding user by ID: {}", id);
-    return userRepository
-        .findById(id)
-        .flatMap(userMapper::toResponse)
-        .orElseThrow(() -> new ResourceNotFoundException(USER_NOT_FOUND_ID + id));
-  }
-
-  @Transactional(readOnly = true)
-  public UserResponse findByEmail(String email) {
-    logger.debug("Finding user by email: {}", email);
-    return userRepository
-        .findByEmail(email.toLowerCase())
-        .flatMap(userMapper::toResponse)
-        .orElseThrow(() -> new ResourceNotFoundException(USER_NOT_FOUND_EMAIL + email));
-  }
-
-  @Transactional
-  public UserResponse updateProfile(UUID userId, UpdateProfileRequest request) {
-    logger.debug("Updating profile for user: {}", userId);
-
-    User user =
-        userRepository
-            .findById(userId)
-            .orElseThrow(() -> new ResourceNotFoundException(USER_NOT_FOUND_ID + userId));
-
-    Optional.ofNullable(request.email())
-        .filter(StringUtils::hasText)
-        .filter(email -> !email.equals(user.getEmail()))
-        .ifPresent(
-            email -> {
-              if (userRepository.existsByEmail(email.toLowerCase())) {
-                throw new ValidationException(EMAIL_ALREADY_EXISTS);
-              }
-              user.updateEmail(email);
-            });
-
-    Optional.ofNullable(request.name()).filter(StringUtils::hasText).ifPresent(user::updateName);
-
-    User updatedUser = userRepository.save(user);
-    logger.debug("Profile updated successfully for user: {}", userId);
-
-    return userMapper.toResponseOrThrow(updatedUser);
-  }
-
-  @Transactional
-  public void changePassword(UUID userId, ChangePasswordRequest request) {
-    logger.debug("Changing password for user: {}", userId);
-
-    User user =
-        userRepository
-            .findById(userId)
-            .orElseThrow(() -> new ResourceNotFoundException(USER_NOT_FOUND_ID + userId));
-
-    // Password confirmation if now validated by @PasswordMatch annotation
-
-    if (!passwordEncoder.matches(request.currentPassword(), user.getPassword())) {
-      throw new ValidationException(CURRENT_PASSWORD_INCORRECT);
-    }
-
-    user.changePassword(passwordEncoder.encode(request.newPassword()));
-    userRepository.save(user);
-
-    logger.debug("Password changed successfully for user: {}", userId);
-  }
-
-  @Transactional
-  public void updateLastLogin(UUID userId) {
-    logger.debug("Updating last login for user: {}", userId);
-    userRepository.updateLastLoginAt(userId, LocalDateTime.now());
-  }
-
-  @Transactional
-  public void changeUserPassword(UUID userId, String newPassword) {
-    User user =
-        userRepository
-            .findById(userId)
-            .orElseThrow(() -> new ResourceNotFoundException(USER_NOT_FOUND_ID + userId));
-
-    // Update password
-    user.changePassword(passwordEncoder.encode(newPassword));
-    userRepository.save(user);
-  }
-}
diff --git a/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEvent.java b/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEvent.java
new file mode 100644
index 0000000..136634b
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEvent.java
@@ -0,0 +1,16 @@
+package org.nkcoder.shared.kernel.domain.event;
+
+import java.time.LocalDateTime;
+
+/**
+ * Base interface for all domain events. Domain events represent something significant that happened
+ * in the domain.
+ */
+public interface DomainEvent {
+
+  /** Returns the timestamp when the event occurred. */
+  LocalDateTime occurredOn();
+
+  /** Returns the type identifier for this event. */
+  String eventType();
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEventPublisher.java b/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEventPublisher.java
new file mode 100644
index 0000000..79036a9
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/domain/event/DomainEventPublisher.java
@@ -0,0 +1,11 @@
+package org.nkcoder.shared.kernel.domain.event;
+
+/**
+ * Interface for publishing domain events. Implementations may use Spring's
+ * ApplicationEventPublisher, a message queue, or other mechanisms.
+ */
+public interface DomainEventPublisher {
+
+  /** Publishes a domain event. */
+  void publish(DomainEvent event);
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/AggregateRoot.java b/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/AggregateRoot.java
new file mode 100644
index 0000000..4bb66ee
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/AggregateRoot.java
@@ -0,0 +1,34 @@
+package org.nkcoder.shared.kernel.domain.valueobject;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import org.nkcoder.shared.kernel.domain.event.DomainEvent;
+
+/**
+ * Base class for aggregate roots. Provides domain event registration and retrieval.
+ *
+ * @param <ID> The type of the aggregate root's identifier
+ */
+public abstract class AggregateRoot<ID> {
+
+  private final List<DomainEvent> domainEvents = new ArrayList<>();
+
+  /** Returns the unique identifier of this aggregate root. */
+  public abstract ID getId();
+
+  /** Registers a domain event to be published after the aggregate is persisted. */
+  protected void registerEvent(DomainEvent event) {
+    domainEvents.add(event);
+  }
+
+  /** Returns an unmodifiable view of the registered domain events. */
+  public List<DomainEvent> getDomainEvents() {
+    return Collections.unmodifiableList(domainEvents);
+  }
+
+  /** Clears all registered domain events. Should be called after events are published. */
+  public void clearDomainEvents() {
+    domainEvents.clear();
+  }
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/Email.java b/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/Email.java
new file mode 100644
index 0000000..25be919
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/domain/valueobject/Email.java
@@ -0,0 +1,27 @@
+package org.nkcoder.shared.kernel.domain.valueobject;
+
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/** Email value object with validation. Immutable and self-validating. */
+public record Email(String value) {
+
+  private static final Pattern EMAIL_PATTERN =
+      Pattern.compile("^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$");
+
+  public Email {
+    Objects.requireNonNull(value, "Email cannot be null");
+    value = value.toLowerCase().trim();
+    if (!isValid(value)) {
+      throw new IllegalArgumentException("Invalid email format: " + value);
+    }
+  }
+
+  public static Email of(String value) {
+    return new Email(value);
+  }
+
+  public static boolean isValid(String email) {
+    return email != null && EMAIL_PATTERN.matcher(email).matches();
+  }
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/exception/AuthenticationException.java b/src/main/java/org/nkcoder/shared/kernel/exception/AuthenticationException.java
new file mode 100644
index 0000000..66bf261
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/exception/AuthenticationException.java
@@ -0,0 +1,16 @@
+package org.nkcoder.shared.kernel.exception;
+
+/**
+ * Exception thrown when authentication fails. Examples: invalid credentials, expired token, invalid
+ * token.
+ */
+public class AuthenticationException extends DomainException {
+
+  public AuthenticationException(String message) {
+    super(message);
+  }
+
+  public AuthenticationException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/exception/DomainException.java b/src/main/java/org/nkcoder/shared/kernel/exception/DomainException.java
new file mode 100644
index 0000000..048c0f1
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/exception/DomainException.java
@@ -0,0 +1,16 @@
+package org.nkcoder.shared.kernel.exception;
+
+/**
+ * Base exception for all domain-level exceptions. Provides a common hierarchy for exception
+ * handling across bounded contexts.
+ */
+public abstract class DomainException extends RuntimeException {
+
+  protected DomainException(String message) {
+    super(message);
+  }
+
+  protected DomainException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/exception/ResourceNotFoundException.java b/src/main/java/org/nkcoder/shared/kernel/exception/ResourceNotFoundException.java
new file mode 100644
index 0000000..4c612ad
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/exception/ResourceNotFoundException.java
@@ -0,0 +1,16 @@
+package org.nkcoder.shared.kernel.exception;
+
+/**
+ * Exception thrown when a requested resource cannot be found. Examples: user not found, token not
+ * found.
+ */
+public class ResourceNotFoundException extends DomainException {
+
+  public ResourceNotFoundException(String message) {
+    super(message);
+  }
+
+  public ResourceNotFoundException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}
diff --git a/src/main/java/org/nkcoder/shared/kernel/exception/ValidationException.java b/src/main/java/org/nkcoder/shared/kernel/exception/ValidationException.java
new file mode 100644
index 0000000..817bc84
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/kernel/exception/ValidationException.java
@@ -0,0 +1,16 @@
+package org.nkcoder.shared.kernel.exception;
+
+/**
+ * Exception thrown when business validation fails. Examples: duplicate email, password mismatch,
+ * invalid state transitions.
+ */
+public class ValidationException extends DomainException {
+
+  public ValidationException(String message) {
+    super(message);
+  }
+
+  public ValidationException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}
diff --git a/src/main/java/org/nkcoder/annotation/CurrentUser.java b/src/main/java/org/nkcoder/shared/local/annotation/CurrentUser.java
similarity index 94%
rename from src/main/java/org/nkcoder/annotation/CurrentUser.java
rename to src/main/java/org/nkcoder/shared/local/annotation/CurrentUser.java
index 1cf34b7..ad953ae 100644
--- a/src/main/java/org/nkcoder/annotation/CurrentUser.java
+++ b/src/main/java/org/nkcoder/shared/local/annotation/CurrentUser.java
@@ -1,4 +1,4 @@
-package org.nkcoder.annotation;
+package org.nkcoder.shared.local.annotation;
 
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
diff --git a/src/main/java/org/nkcoder/shared/local/event/SpringDomainEventPublisher.java b/src/main/java/org/nkcoder/shared/local/event/SpringDomainEventPublisher.java
new file mode 100644
index 0000000..6054456
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/local/event/SpringDomainEventPublisher.java
@@ -0,0 +1,25 @@
+package org.nkcoder.shared.local.event;
+
+import org.nkcoder.shared.kernel.domain.event.DomainEvent;
+import org.nkcoder.shared.kernel.domain.event.DomainEventPublisher;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.stereotype.Component;
+
+/**
+ * Spring-based implementation of DomainEventPublisher. Uses Spring's ApplicationEventPublisher to
+ * broadcast domain events within the application.
+ */
+@Component
+public class SpringDomainEventPublisher implements DomainEventPublisher {
+
+  private final ApplicationEventPublisher applicationEventPublisher;
+
+  public SpringDomainEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+    this.applicationEventPublisher = applicationEventPublisher;
+  }
+
+  @Override
+  public void publish(DomainEvent event) {
+    applicationEventPublisher.publishEvent(event);
+  }
+}
diff --git a/src/main/java/org/nkcoder/dto/common/ApiResponse.java b/src/main/java/org/nkcoder/shared/local/rest/ApiResponse.java
similarity index 93%
rename from src/main/java/org/nkcoder/dto/common/ApiResponse.java
rename to src/main/java/org/nkcoder/shared/local/rest/ApiResponse.java
index 2c7eec1..0896087 100644
--- a/src/main/java/org/nkcoder/dto/common/ApiResponse.java
+++ b/src/main/java/org/nkcoder/shared/local/rest/ApiResponse.java
@@ -1,4 +1,4 @@
-package org.nkcoder.dto.common;
+package org.nkcoder.shared.local.rest;
 
 import java.time.LocalDateTime;
 
diff --git a/src/main/java/org/nkcoder/shared/local/rest/GlobalExceptionHandler.java b/src/main/java/org/nkcoder/shared/local/rest/GlobalExceptionHandler.java
new file mode 100644
index 0000000..108d00a
--- /dev/null
+++ b/src/main/java/org/nkcoder/shared/local/rest/GlobalExceptionHandler.java
@@ -0,0 +1,75 @@
+package org.nkcoder.shared.local.rest;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.nkcoder.shared.kernel.exception.AuthenticationException;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.validation.FieldError;
+import org.springframework.web.bind.MethodArgumentNotValidException;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+/** Global exception handler for REST API. */
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+
+  private static final Logger logger = LoggerFactory.getLogger(GlobalExceptionHandler.class);
+
+  @ExceptionHandler(ValidationException.class)
+  public ResponseEntity<ApiResponse<Void>> handleValidationException(ValidationException ex) {
+    logger.debug("Validation error: {}", ex.getMessage());
+    return ResponseEntity.badRequest().body(ApiResponse.error(ex.getMessage()));
+  }
+
+  @ExceptionHandler(AuthenticationException.class)
+  public ResponseEntity<ApiResponse<Void>> handleAuthenticationException(
+      AuthenticationException ex) {
+    logger.debug("Authentication error: {}", ex.getMessage());
+    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(ApiResponse.error(ex.getMessage()));
+  }
+
+  @ExceptionHandler(ResourceNotFoundException.class)
+  public ResponseEntity<ApiResponse<Void>> handleResourceNotFoundException(
+      ResourceNotFoundException ex) {
+    logger.debug("Resource not found: {}", ex.getMessage());
+    return ResponseEntity.status(HttpStatus.NOT_FOUND).body(ApiResponse.error(ex.getMessage()));
+  }
+
+  @ExceptionHandler(AccessDeniedException.class)
+  public ResponseEntity<ApiResponse<Void>> handleAccessDeniedException(AccessDeniedException ex) {
+    logger.debug("Access denied: {}", ex.getMessage());
+    return ResponseEntity.status(HttpStatus.FORBIDDEN).body(ApiResponse.error("Access denied"));
+  }
+
+  @ExceptionHandler(MethodArgumentNotValidException.class)
+  public ResponseEntity<ApiResponse<Map<String, String>>> handleMethodArgumentNotValid(
+      MethodArgumentNotValidException ex) {
+    logger.debug("Validation failed: {}", ex.getMessage());
+    Map<String, String> errors = new HashMap<>();
+    ex.getBindingResult()
+        .getAllErrors()
+        .forEach(
+            error -> {
+              String fieldName =
+                  error instanceof FieldError
+                      ? ((FieldError) error).getField()
+                      : error.getObjectName();
+              String errorMessage = error.getDefaultMessage();
+              errors.put(fieldName, errorMessage);
+            });
+    return ResponseEntity.badRequest().body(new ApiResponse<>("Validation failed", errors, null));
+  }
+
+  @ExceptionHandler(Exception.class)
+  public ResponseEntity<ApiResponse<Void>> handleGenericException(Exception ex) {
+    logger.error("Unexpected error: {}", ex.getMessage(), ex);
+    return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+        .body(ApiResponse.error("An unexpected error occurred"));
+  }
+}
diff --git a/src/main/java/org/nkcoder/validation/PasswordMatch.java b/src/main/java/org/nkcoder/shared/local/validation/PasswordMatch.java
similarity index 92%
rename from src/main/java/org/nkcoder/validation/PasswordMatch.java
rename to src/main/java/org/nkcoder/shared/local/validation/PasswordMatch.java
index 528f30b..a627214 100644
--- a/src/main/java/org/nkcoder/validation/PasswordMatch.java
+++ b/src/main/java/org/nkcoder/shared/local/validation/PasswordMatch.java
@@ -1,4 +1,4 @@
-package org.nkcoder.validation;
+package org.nkcoder.shared.local.validation;
 
 import jakarta.validation.Constraint;
 import jakarta.validation.Payload;
diff --git a/src/main/java/org/nkcoder/validation/PasswordMatchValidator.java b/src/main/java/org/nkcoder/shared/local/validation/PasswordMatchValidator.java
similarity index 97%
rename from src/main/java/org/nkcoder/validation/PasswordMatchValidator.java
rename to src/main/java/org/nkcoder/shared/local/validation/PasswordMatchValidator.java
index ada286c..057580b 100644
--- a/src/main/java/org/nkcoder/validation/PasswordMatchValidator.java
+++ b/src/main/java/org/nkcoder/shared/local/validation/PasswordMatchValidator.java
@@ -1,4 +1,4 @@
-package org.nkcoder.validation;
+package org.nkcoder.shared.local.validation;
 
 import jakarta.validation.ConstraintValidator;
 import jakarta.validation.ConstraintValidatorContext;
diff --git a/src/main/java/org/nkcoder/user/application/dto/command/AdminResetPasswordCommand.java b/src/main/java/org/nkcoder/user/application/dto/command/AdminResetPasswordCommand.java
new file mode 100644
index 0000000..6da9f29
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/dto/command/AdminResetPasswordCommand.java
@@ -0,0 +1,6 @@
+package org.nkcoder.user.application.dto.command;
+
+import java.util.UUID;
+
+/** Command for admin resetting a user's password. */
+public record AdminResetPasswordCommand(UUID targetUserId, String newPassword) {}
diff --git a/src/main/java/org/nkcoder/user/application/dto/command/AdminUpdateUserCommand.java b/src/main/java/org/nkcoder/user/application/dto/command/AdminUpdateUserCommand.java
new file mode 100644
index 0000000..5cb7f71
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/dto/command/AdminUpdateUserCommand.java
@@ -0,0 +1,6 @@
+package org.nkcoder.user.application.dto.command;
+
+import java.util.UUID;
+
+/** Command for admin updating a user's information. */
+public record AdminUpdateUserCommand(UUID targetUserId, String name, String email) {}
diff --git a/src/main/java/org/nkcoder/user/application/dto/command/ChangePasswordCommand.java b/src/main/java/org/nkcoder/user/application/dto/command/ChangePasswordCommand.java
new file mode 100644
index 0000000..b62a7ee
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/dto/command/ChangePasswordCommand.java
@@ -0,0 +1,6 @@
+package org.nkcoder.user.application.dto.command;
+
+import java.util.UUID;
+
+/** Command for changing a user's password. */
+public record ChangePasswordCommand(UUID userId, String currentPassword, String newPassword) {}
diff --git a/src/main/java/org/nkcoder/user/application/dto/command/UpdateProfileCommand.java b/src/main/java/org/nkcoder/user/application/dto/command/UpdateProfileCommand.java
new file mode 100644
index 0000000..94a2e51
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/dto/command/UpdateProfileCommand.java
@@ -0,0 +1,6 @@
+package org.nkcoder.user.application.dto.command;
+
+import java.util.UUID;
+
+/** Command for updating a user's profile. */
+public record UpdateProfileCommand(UUID userId, String name) {}
diff --git a/src/main/java/org/nkcoder/user/application/dto/response/UserDto.java b/src/main/java/org/nkcoder/user/application/dto/response/UserDto.java
new file mode 100644
index 0000000..48c488d
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/dto/response/UserDto.java
@@ -0,0 +1,29 @@
+package org.nkcoder.user.application.dto.response;
+
+import java.time.LocalDateTime;
+import java.util.UUID;
+import org.nkcoder.user.domain.model.User;
+
+/** DTO representing user information. */
+public record UserDto(
+    UUID id,
+    String email,
+    String name,
+    String role,
+    boolean emailVerified,
+    LocalDateTime lastLoginAt,
+    LocalDateTime createdAt,
+    LocalDateTime updatedAt) {
+
+  public static UserDto from(User user) {
+    return new UserDto(
+        user.getId().value(),
+        user.getEmail().value(),
+        user.getName().value(),
+        user.getRole().name(),
+        user.isEmailVerified(),
+        user.getLastLoginAt(),
+        user.getCreatedAt(),
+        user.getUpdatedAt());
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/application/eventhandler/AuthEventHandler.java b/src/main/java/org/nkcoder/user/application/eventhandler/AuthEventHandler.java
new file mode 100644
index 0000000..4a01b5b
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/eventhandler/AuthEventHandler.java
@@ -0,0 +1,84 @@
+package org.nkcoder.user.application.eventhandler;
+
+import org.nkcoder.auth.domain.event.UserLoggedInEvent;
+import org.nkcoder.auth.domain.event.UserRegisteredEvent;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+import org.nkcoder.user.domain.model.UserRole;
+import org.nkcoder.user.domain.repository.UserRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Propagation;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.transaction.event.TransactionPhase;
+import org.springframework.transaction.event.TransactionalEventListener;
+
+/**
+ * Event handler for events from the Auth bounded context. Creates/updates User records in response
+ * to Auth domain events.
+ */
+@Component
+public class AuthEventHandler {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthEventHandler.class);
+
+  private final UserRepository userRepository;
+
+  public AuthEventHandler(UserRepository userRepository) {
+    this.userRepository = userRepository;
+  }
+
+  /**
+   * Handles user registration events from Auth context. Creates a corresponding User record in the
+   * User bounded context. Uses AFTER_COMMIT to run in a new transaction after Auth context commits,
+   * avoiding entity conflicts when both contexts map the same table.
+   */
+  @TransactionalEventListener(phase = TransactionPhase.AFTER_COMMIT)
+  @Transactional(propagation = Propagation.REQUIRES_NEW)
+  public void handleUserRegistered(UserRegisteredEvent event) {
+    logger.info("Handling user registered event for user: {}", event.userId().value());
+
+    UserId userId = UserId.of(event.userId().value());
+
+    if (userRepository.existsById(userId)) {
+      logger.warn("User already exists, skipping creation: {}", userId);
+      return;
+    }
+
+    UserRole role = mapRole(event.role());
+    User user = User.create(userId, event.email(), UserName.of(event.name()), role);
+
+    userRepository.save(user);
+    logger.info("User created in User context: {}", userId);
+  }
+
+  /**
+   * Handles user login events from Auth context. Updates the last login timestamp in the User
+   * bounded context. Uses AFTER_COMMIT to run after Auth context commits.
+   */
+  @TransactionalEventListener(phase = TransactionPhase.AFTER_COMMIT)
+  @Transactional(propagation = Propagation.REQUIRES_NEW)
+  public void handleUserLoggedIn(UserLoggedInEvent event) {
+    logger.debug("Handling user logged in event for user: {}", event.userId().value());
+
+    UserId userId = UserId.of(event.userId().value());
+
+    userRepository
+        .findById(userId)
+        .ifPresent(
+            user -> {
+              user.recordLogin();
+              userRepository.save(user);
+              logger.debug("Updated last login for user: {}", userId);
+            });
+  }
+
+  private UserRole mapRole(org.nkcoder.auth.domain.model.AuthRole authRole) {
+    return switch (authRole) {
+      case ADMIN -> UserRole.ADMIN;
+      case MEMBER -> UserRole.MEMBER;
+    };
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/application/port/AuthContextPort.java b/src/main/java/org/nkcoder/user/application/port/AuthContextPort.java
new file mode 100644
index 0000000..c25e301
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/port/AuthContextPort.java
@@ -0,0 +1,27 @@
+package org.nkcoder.user.application.port;
+
+import java.util.UUID;
+
+/**
+ * Port for communicating with the Auth bounded context. Used for password-related operations that
+ * are owned by Auth.
+ */
+public interface AuthContextPort {
+
+  /**
+   * Verifies a user's current password.
+   *
+   * @param userId the user's ID
+   * @param password the password to verify
+   * @return true if the password matches
+   */
+  boolean verifyPassword(UUID userId, String password);
+
+  /**
+   * Changes a user's password.
+   *
+   * @param userId the user's ID
+   * @param newPassword the new password to set
+   */
+  void changePassword(UUID userId, String newPassword);
+}
diff --git a/src/main/java/org/nkcoder/user/application/service/UserCommandService.java b/src/main/java/org/nkcoder/user/application/service/UserCommandService.java
new file mode 100644
index 0000000..dbad186
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/service/UserCommandService.java
@@ -0,0 +1,120 @@
+package org.nkcoder.user.application.service;
+
+import java.util.UUID;
+import org.nkcoder.shared.kernel.domain.event.DomainEventPublisher;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+import org.nkcoder.user.application.dto.command.AdminResetPasswordCommand;
+import org.nkcoder.user.application.dto.command.AdminUpdateUserCommand;
+import org.nkcoder.user.application.dto.command.ChangePasswordCommand;
+import org.nkcoder.user.application.dto.command.UpdateProfileCommand;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.application.port.AuthContextPort;
+import org.nkcoder.user.domain.event.UserProfileUpdatedEvent;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+import org.nkcoder.user.domain.repository.UserRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+/** Application service for user command operations. */
+@Service
+@Transactional
+public class UserCommandService {
+
+  private static final Logger logger = LoggerFactory.getLogger(UserCommandService.class);
+
+  private final UserRepository userRepository;
+  private final AuthContextPort authContextPort;
+  private final DomainEventPublisher eventPublisher;
+
+  public UserCommandService(
+      UserRepository userRepository,
+      AuthContextPort authContextPort,
+      DomainEventPublisher eventPublisher) {
+    this.userRepository = userRepository;
+    this.authContextPort = authContextPort;
+    this.eventPublisher = eventPublisher;
+  }
+
+  /** Updates a user's profile. */
+  public UserDto updateProfile(UpdateProfileCommand command) {
+    logger.info("Updating profile for user: {}", command.userId());
+
+    User user = findUserOrThrow(command.userId());
+
+    UserProfileUpdatedEvent event = user.updateProfile(UserName.of(command.name()));
+
+    User savedUser = userRepository.save(user);
+    eventPublisher.publish(event);
+
+    logger.info("Profile updated for user: {}", command.userId());
+    return UserDto.from(savedUser);
+  }
+
+  /** Changes a user's password. */
+  public void changePassword(ChangePasswordCommand command) {
+    logger.info("Changing password for user: {}", command.userId());
+
+    if (!userRepository.existsById(UserId.of(command.userId()))) {
+      throw new ResourceNotFoundException("User not found: " + command.userId());
+    }
+
+    if (!authContextPort.verifyPassword(command.userId(), command.currentPassword())) {
+      throw new ValidationException("Current password is incorrect");
+    }
+
+    authContextPort.changePassword(command.userId(), command.newPassword());
+
+    logger.info("Password changed for user: {}", command.userId());
+  }
+
+  /** Admin operation: Updates a user's information. */
+  public UserDto adminUpdateUser(AdminUpdateUserCommand command) {
+    logger.info("Admin updating user: {}", command.targetUserId());
+
+    User user = findUserOrThrow(command.targetUserId());
+
+    if (command.name() != null && !command.name().isBlank()) {
+      user.updateProfile(UserName.of(command.name()));
+    }
+
+    if (command.email() != null && !command.email().isBlank()) {
+      Email newEmail = Email.of(command.email());
+
+      if (userRepository.existsByEmailExcludingId(newEmail, user.getId())) {
+        throw new ValidationException("Email already in use");
+      }
+
+      user.updateEmail(newEmail);
+    }
+
+    User savedUser = userRepository.save(user);
+
+    logger.info("Admin updated user: {}", command.targetUserId());
+    return UserDto.from(savedUser);
+  }
+
+  /** Admin operation: Resets a user's password. */
+  public void adminResetPassword(AdminResetPasswordCommand command) {
+    logger.info("Admin resetting password for user: {}", command.targetUserId());
+
+    if (!userRepository.existsById(UserId.of(command.targetUserId()))) {
+      throw new ResourceNotFoundException("User not found: " + command.targetUserId());
+    }
+
+    authContextPort.changePassword(command.targetUserId(), command.newPassword());
+
+    logger.info("Admin reset password for user: {}", command.targetUserId());
+  }
+
+  private User findUserOrThrow(UUID userId) {
+    return userRepository
+        .findById(UserId.of(userId))
+        .orElseThrow(() -> new ResourceNotFoundException("User not found: " + userId));
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/application/service/UserQueryService.java b/src/main/java/org/nkcoder/user/application/service/UserQueryService.java
new file mode 100644
index 0000000..da5ee03
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/application/service/UserQueryService.java
@@ -0,0 +1,51 @@
+package org.nkcoder.user.application.service;
+
+import java.util.List;
+import java.util.UUID;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.repository.UserRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+/** Application service for user query operations. */
+@Service
+@Transactional(readOnly = true)
+public class UserQueryService {
+
+  private static final Logger logger = LoggerFactory.getLogger(UserQueryService.class);
+
+  private final UserRepository userRepository;
+
+  public UserQueryService(UserRepository userRepository) {
+    this.userRepository = userRepository;
+  }
+
+  /** Gets a user by their ID. */
+  public UserDto getUserById(UUID userId) {
+    logger.debug("Getting user by ID: {}", userId);
+
+    User user =
+        userRepository
+            .findById(UserId.of(userId))
+            .orElseThrow(() -> new ResourceNotFoundException("User not found: " + userId));
+
+    return UserDto.from(user);
+  }
+
+  /** Gets all users (admin operation). */
+  public List<UserDto> getAllUsers() {
+    logger.debug("Getting all users");
+
+    return userRepository.findAll().stream().map(UserDto::from).toList();
+  }
+
+  /** Checks if a user exists. */
+  public boolean userExists(UUID userId) {
+    return userRepository.existsById(UserId.of(userId));
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/event/UserProfileUpdatedEvent.java b/src/main/java/org/nkcoder/user/domain/event/UserProfileUpdatedEvent.java
new file mode 100644
index 0000000..c1a4084
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/event/UserProfileUpdatedEvent.java
@@ -0,0 +1,28 @@
+package org.nkcoder.user.domain.event;
+
+import java.time.LocalDateTime;
+import org.nkcoder.shared.kernel.domain.event.DomainEvent;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+
+/** Domain event published when a user's profile is updated. */
+public record UserProfileUpdatedEvent(
+    LocalDateTime occurredOn, UserId userId, UserName oldName, UserName newName)
+    implements DomainEvent {
+
+  private static final String EVENT_TYPE = "user.profile.updated";
+
+  public UserProfileUpdatedEvent(UserId userId, UserName oldName, UserName newName) {
+    this(LocalDateTime.now(), userId, oldName, newName);
+  }
+
+  @Override
+  public LocalDateTime occurredOn() {
+    return occurredOn;
+  }
+
+  @Override
+  public String eventType() {
+    return EVENT_TYPE;
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/model/User.java b/src/main/java/org/nkcoder/user/domain/model/User.java
new file mode 100644
index 0000000..b5a6661
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/model/User.java
@@ -0,0 +1,139 @@
+package org.nkcoder.user.domain.model;
+
+import java.time.LocalDateTime;
+import java.util.Objects;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.user.domain.event.UserProfileUpdatedEvent;
+
+/**
+ * User aggregate root in the User bounded context. Represents a user's profile and identity
+ * information.
+ */
+public class User {
+
+  private final UserId id;
+  private Email email;
+  private UserName name;
+  private final UserRole role;
+  private boolean emailVerified;
+  private LocalDateTime lastLoginAt;
+  private final LocalDateTime createdAt;
+  private LocalDateTime updatedAt;
+
+  private User(
+      UserId id,
+      Email email,
+      UserName name,
+      UserRole role,
+      boolean emailVerified,
+      LocalDateTime lastLoginAt,
+      LocalDateTime createdAt,
+      LocalDateTime updatedAt) {
+    this.id = Objects.requireNonNull(id, "User ID cannot be null");
+    this.email = Objects.requireNonNull(email, "Email cannot be null");
+    this.name = Objects.requireNonNull(name, "Name cannot be null");
+    this.role = Objects.requireNonNull(role, "Role cannot be null");
+    this.emailVerified = emailVerified;
+    this.lastLoginAt = lastLoginAt;
+    this.createdAt = createdAt;
+    this.updatedAt = updatedAt;
+  }
+
+  /** Creates a new user (typically from registration in Auth context). */
+  public static User create(UserId id, Email email, UserName name, UserRole role) {
+    LocalDateTime now = LocalDateTime.now();
+    return new User(id, email, name, role, false, null, now, now);
+  }
+
+  /** Reconstitutes a User from persistence. */
+  public static User reconstitute(
+      UserId id,
+      Email email,
+      UserName name,
+      UserRole role,
+      boolean emailVerified,
+      LocalDateTime lastLoginAt,
+      LocalDateTime createdAt,
+      LocalDateTime updatedAt) {
+    return new User(id, email, name, role, emailVerified, lastLoginAt, createdAt, updatedAt);
+  }
+
+  /** Updates the user's profile information. */
+  public UserProfileUpdatedEvent updateProfile(UserName newName) {
+    UserName oldName = this.name;
+    this.name = Objects.requireNonNull(newName, "Name cannot be null");
+    this.updatedAt = LocalDateTime.now();
+
+    return new UserProfileUpdatedEvent(this.id, oldName, newName);
+  }
+
+  /** Updates the user's email address. */
+  public void updateEmail(Email newEmail) {
+    this.email = Objects.requireNonNull(newEmail, "Email cannot be null");
+    this.emailVerified = false;
+    this.updatedAt = LocalDateTime.now();
+  }
+
+  /** Marks the email as verified. */
+  public void verifyEmail() {
+    this.emailVerified = true;
+    this.updatedAt = LocalDateTime.now();
+  }
+
+  /** Records a login event (called when Auth context notifies of login). */
+  public void recordLogin() {
+    this.lastLoginAt = LocalDateTime.now();
+    this.updatedAt = LocalDateTime.now();
+  }
+
+  // Getters
+
+  public UserId getId() {
+    return id;
+  }
+
+  public Email getEmail() {
+    return email;
+  }
+
+  public UserName getName() {
+    return name;
+  }
+
+  public UserRole getRole() {
+    return role;
+  }
+
+  public boolean isEmailVerified() {
+    return emailVerified;
+  }
+
+  public LocalDateTime getLastLoginAt() {
+    return lastLoginAt;
+  }
+
+  public LocalDateTime getCreatedAt() {
+    return createdAt;
+  }
+
+  public LocalDateTime getUpdatedAt() {
+    return updatedAt;
+  }
+
+  public boolean isAdmin() {
+    return role == UserRole.ADMIN;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) return true;
+    if (o == null || getClass() != o.getClass()) return false;
+    User user = (User) o;
+    return Objects.equals(id, user.id);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(id);
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/model/UserId.java b/src/main/java/org/nkcoder/user/domain/model/UserId.java
new file mode 100644
index 0000000..2a9fb33
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/model/UserId.java
@@ -0,0 +1,29 @@
+package org.nkcoder.user.domain.model;
+
+import java.util.Objects;
+import java.util.UUID;
+
+/** Value object representing a User's unique identifier. */
+public record UserId(UUID value) {
+
+  public UserId {
+    Objects.requireNonNull(value, "User ID cannot be null");
+  }
+
+  public static UserId generate() {
+    return new UserId(UUID.randomUUID());
+  }
+
+  public static UserId of(UUID value) {
+    return new UserId(value);
+  }
+
+  public static UserId of(String value) {
+    return new UserId(UUID.fromString(value));
+  }
+
+  @Override
+  public String toString() {
+    return value.toString();
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/model/UserName.java b/src/main/java/org/nkcoder/user/domain/model/UserName.java
new file mode 100644
index 0000000..ba16a1a
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/model/UserName.java
@@ -0,0 +1,34 @@
+package org.nkcoder.user.domain.model;
+
+import java.util.Objects;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+
+/** Value object representing a user's display name. */
+public record UserName(String value) {
+
+  private static final int MIN_LENGTH = 1;
+  private static final int MAX_LENGTH = 100;
+
+  public UserName {
+    Objects.requireNonNull(value, "Name cannot be null");
+    String trimmed = value.trim();
+    if (trimmed.length() < MIN_LENGTH || trimmed.length() > MAX_LENGTH) {
+      throw new ValidationException(
+          String.format("Name must be between %d and %d characters", MIN_LENGTH, MAX_LENGTH));
+    }
+  }
+
+  public static UserName of(String value) {
+    return new UserName(value.trim());
+  }
+
+  @Override
+  public String value() {
+    return value.trim();
+  }
+
+  @Override
+  public String toString() {
+    return value();
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/model/UserRole.java b/src/main/java/org/nkcoder/user/domain/model/UserRole.java
new file mode 100644
index 0000000..c4656cf
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/model/UserRole.java
@@ -0,0 +1,11 @@
+package org.nkcoder.user.domain.model;
+
+/** User roles in the User bounded context. */
+public enum UserRole {
+  MEMBER,
+  ADMIN;
+
+  public String toAuthority() {
+    return "ROLE_" + this.name();
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/domain/repository/UserRepository.java b/src/main/java/org/nkcoder/user/domain/repository/UserRepository.java
new file mode 100644
index 0000000..59e7988
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/domain/repository/UserRepository.java
@@ -0,0 +1,32 @@
+package org.nkcoder.user.domain.repository;
+
+import java.util.List;
+import java.util.Optional;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+
+/** Repository interface (port) for User aggregate. */
+public interface UserRepository {
+
+  /** Saves a user (create or update). */
+  User save(User user);
+
+  /** Finds a user by their ID. */
+  Optional<User> findById(UserId id);
+
+  /** Finds a user by their email address. */
+  Optional<User> findByEmail(Email email);
+
+  /** Checks if an email is already in use by another user. */
+  boolean existsByEmailExcludingId(Email email, UserId excludeId);
+
+  /** Finds all users (for admin operations). */
+  List<User> findAll();
+
+  /** Deletes a user by ID. */
+  void deleteById(UserId id);
+
+  /** Checks if a user exists by ID. */
+  boolean existsById(UserId id);
+}
diff --git a/src/main/java/org/nkcoder/user/infrastructure/adapter/AuthContextAdapter.java b/src/main/java/org/nkcoder/user/infrastructure/adapter/AuthContextAdapter.java
new file mode 100644
index 0000000..f4efc9e
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/infrastructure/adapter/AuthContextAdapter.java
@@ -0,0 +1,56 @@
+package org.nkcoder.user.infrastructure.adapter;
+
+import java.util.UUID;
+import org.nkcoder.auth.domain.model.AuthUserId;
+import org.nkcoder.auth.domain.model.HashedPassword;
+import org.nkcoder.auth.domain.repository.AuthUserRepository;
+import org.nkcoder.auth.domain.service.PasswordEncoder;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.user.application.port.AuthContextPort;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+/** Adapter for communicating with the Auth bounded context. */
+@Component
+public class AuthContextAdapter implements AuthContextPort {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthContextAdapter.class);
+
+  private final AuthUserRepository authUserRepository;
+  private final PasswordEncoder passwordEncoder;
+
+  public AuthContextAdapter(
+      AuthUserRepository authUserRepository, PasswordEncoder passwordEncoder) {
+    this.authUserRepository = authUserRepository;
+    this.passwordEncoder = passwordEncoder;
+  }
+
+  @Override
+  public boolean verifyPassword(UUID userId, String password) {
+    logger.debug("Verifying password for user: {}", userId);
+
+    var authUser =
+        authUserRepository
+            .findById(AuthUserId.of(userId))
+            .orElseThrow(() -> new ResourceNotFoundException("User not found: " + userId));
+
+    return passwordEncoder.matches(password, authUser.getPassword());
+  }
+
+  @Override
+  public void changePassword(UUID userId, String newPassword) {
+    logger.debug("Changing password for user: {}", userId);
+
+    var authUser =
+        authUserRepository
+            .findById(AuthUserId.of(userId))
+            .orElseThrow(() -> new ResourceNotFoundException("User not found: " + userId));
+
+    HashedPassword encodedPassword = passwordEncoder.encode(newPassword);
+    authUser.changePassword(encodedPassword);
+
+    authUserRepository.save(authUser);
+    logger.info("Password changed for user: {}", userId);
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/infrastructure/persistence/entity/UserJpaEntity.java b/src/main/java/org/nkcoder/user/infrastructure/persistence/entity/UserJpaEntity.java
new file mode 100644
index 0000000..67a7644
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/infrastructure/persistence/entity/UserJpaEntity.java
@@ -0,0 +1,151 @@
+package org.nkcoder.user.infrastructure.persistence.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+import jakarta.persistence.Transient;
+import java.time.LocalDateTime;
+import java.util.UUID;
+import org.nkcoder.user.domain.model.UserRole;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.annotation.LastModifiedDate;
+import org.springframework.data.domain.Persistable;
+
+/**
+ * JPA entity for User in the User bounded context. Maps to the same 'users' table as
+ * AuthUserJpaEntity but with different field focus. Implements Persistable to control new/existing
+ * entity detection since the row may already exist (created by Auth context).
+ */
+@Entity
+@Table(name = "users")
+public class UserJpaEntity implements Persistable<UUID> {
+
+  @Id private UUID id;
+
+  @Transient private boolean isNew = false;
+
+  @Column(nullable = false, unique = true)
+  private String email;
+
+  @Column(nullable = false)
+  private String name;
+
+  @Enumerated(EnumType.STRING)
+  @Column(nullable = false)
+  private UserRole role;
+
+  @Column(name = "is_email_verified")
+  private boolean emailVerified;
+
+  @Column(name = "last_login_at")
+  private LocalDateTime lastLoginAt;
+
+  @CreatedDate
+  @Column(name = "created_at", nullable = false, updatable = false)
+  private LocalDateTime createdAt;
+
+  @LastModifiedDate
+  @Column(name = "updated_at", nullable = false)
+  private LocalDateTime updatedAt;
+
+  protected UserJpaEntity() {}
+
+  public UserJpaEntity(
+      UUID id,
+      String email,
+      String name,
+      UserRole role,
+      boolean emailVerified,
+      LocalDateTime lastLoginAt,
+      LocalDateTime createdAt,
+      LocalDateTime updatedAt) {
+    this.id = id;
+    this.email = email;
+    this.name = name;
+    this.role = role;
+    this.emailVerified = emailVerified;
+    this.lastLoginAt = lastLoginAt;
+    this.createdAt = createdAt;
+    this.updatedAt = updatedAt;
+  }
+
+  // Getters and setters
+
+  public UUID getId() {
+    return id;
+  }
+
+  public void setId(UUID id) {
+    this.id = id;
+  }
+
+  public String getEmail() {
+    return email;
+  }
+
+  public void setEmail(String email) {
+    this.email = email;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public UserRole getRole() {
+    return role;
+  }
+
+  public void setRole(UserRole role) {
+    this.role = role;
+  }
+
+  public boolean isEmailVerified() {
+    return emailVerified;
+  }
+
+  public void setEmailVerified(boolean emailVerified) {
+    this.emailVerified = emailVerified;
+  }
+
+  public LocalDateTime getLastLoginAt() {
+    return lastLoginAt;
+  }
+
+  public void setLastLoginAt(LocalDateTime lastLoginAt) {
+    this.lastLoginAt = lastLoginAt;
+  }
+
+  public LocalDateTime getCreatedAt() {
+    return createdAt;
+  }
+
+  public void setCreatedAt(LocalDateTime createdAt) {
+    this.createdAt = createdAt;
+  }
+
+  public LocalDateTime getUpdatedAt() {
+    return updatedAt;
+  }
+
+  public void setUpdatedAt(LocalDateTime updatedAt) {
+    this.updatedAt = updatedAt;
+  }
+
+  // Persistable implementation
+
+  @Override
+  public boolean isNew() {
+    return isNew;
+  }
+
+  public void markAsNew() {
+    this.isNew = true;
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/infrastructure/persistence/mapper/UserPersistenceMapper.java b/src/main/java/org/nkcoder/user/infrastructure/persistence/mapper/UserPersistenceMapper.java
new file mode 100644
index 0000000..5704526
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/infrastructure/persistence/mapper/UserPersistenceMapper.java
@@ -0,0 +1,43 @@
+package org.nkcoder.user.infrastructure.persistence.mapper;
+
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+import org.nkcoder.user.infrastructure.persistence.entity.UserJpaEntity;
+import org.springframework.stereotype.Component;
+
+/** Mapper between User domain model and UserJpaEntity. */
+@Component
+public class UserPersistenceMapper {
+
+  public User toDomain(UserJpaEntity entity) {
+    return User.reconstitute(
+        UserId.of(entity.getId()),
+        Email.of(entity.getEmail()),
+        UserName.of(entity.getName()),
+        entity.getRole(),
+        entity.isEmailVerified(),
+        entity.getLastLoginAt(),
+        entity.getCreatedAt(),
+        entity.getUpdatedAt());
+  }
+
+  public UserJpaEntity toEntity(User user) {
+    return new UserJpaEntity(
+        user.getId().value(),
+        user.getEmail().value(),
+        user.getName().value(),
+        user.getRole(),
+        user.isEmailVerified(),
+        user.getLastLoginAt(),
+        user.getCreatedAt(),
+        user.getUpdatedAt());
+  }
+
+  public UserJpaEntity toNewEntity(User user) {
+    UserJpaEntity entity = toEntity(user);
+    entity.markAsNew();
+    return entity;
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserJpaRepository.java b/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserJpaRepository.java
new file mode 100644
index 0000000..6ea4cb8
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserJpaRepository.java
@@ -0,0 +1,22 @@
+package org.nkcoder.user.infrastructure.persistence.repository;
+
+import java.util.Optional;
+import java.util.UUID;
+import org.nkcoder.user.infrastructure.persistence.entity.UserJpaEntity;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+/** Spring Data JPA repository for UserJpaEntity. */
+@Repository
+public interface UserJpaRepository extends JpaRepository<UserJpaEntity, UUID> {
+
+  Optional<UserJpaEntity> findByEmail(String email);
+
+  @Query("SELECT COUNT(u) > 0 FROM UserJpaEntity u WHERE u.email = :email AND u.id != :excludeId")
+  boolean existsByEmailExcludingId(
+      @Param("email") String email, @Param("excludeId") UUID excludeId);
+
+  boolean existsByEmail(String email);
+}
diff --git a/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserRepositoryAdapter.java b/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserRepositoryAdapter.java
new file mode 100644
index 0000000..7403066
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/infrastructure/persistence/repository/UserRepositoryAdapter.java
@@ -0,0 +1,61 @@
+package org.nkcoder.user.infrastructure.persistence.repository;
+
+import java.util.List;
+import java.util.Optional;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.repository.UserRepository;
+import org.nkcoder.user.infrastructure.persistence.mapper.UserPersistenceMapper;
+import org.springframework.stereotype.Repository;
+
+/** Adapter implementing UserRepository port using JPA. */
+@Repository
+public class UserRepositoryAdapter implements UserRepository {
+
+  private final UserJpaRepository jpaRepository;
+  private final UserPersistenceMapper mapper;
+
+  public UserRepositoryAdapter(UserJpaRepository jpaRepository, UserPersistenceMapper mapper) {
+    this.jpaRepository = jpaRepository;
+    this.mapper = mapper;
+  }
+
+  @Override
+  public User save(User user) {
+    boolean exists = jpaRepository.existsById(user.getId().value());
+    var entity = exists ? mapper.toEntity(user) : mapper.toNewEntity(user);
+    var savedEntity = jpaRepository.save(entity);
+    return mapper.toDomain(savedEntity);
+  }
+
+  @Override
+  public Optional<User> findById(UserId id) {
+    return jpaRepository.findById(id.value()).map(mapper::toDomain);
+  }
+
+  @Override
+  public Optional<User> findByEmail(Email email) {
+    return jpaRepository.findByEmail(email.value()).map(mapper::toDomain);
+  }
+
+  @Override
+  public boolean existsByEmailExcludingId(Email email, UserId excludeId) {
+    return jpaRepository.existsByEmailExcludingId(email.value(), excludeId.value());
+  }
+
+  @Override
+  public List<User> findAll() {
+    return jpaRepository.findAll().stream().map(mapper::toDomain).toList();
+  }
+
+  @Override
+  public void deleteById(UserId id) {
+    jpaRepository.deleteById(id.value());
+  }
+
+  @Override
+  public boolean existsById(UserId id) {
+    return jpaRepository.existsById(id.value());
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/AdminUserController.java b/src/main/java/org/nkcoder/user/interfaces/rest/AdminUserController.java
new file mode 100644
index 0000000..1804bcf
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/AdminUserController.java
@@ -0,0 +1,84 @@
+package org.nkcoder.user.interfaces.rest;
+
+import jakarta.validation.Valid;
+import java.util.List;
+import java.util.UUID;
+import org.nkcoder.shared.local.rest.ApiResponse;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.application.service.UserCommandService;
+import org.nkcoder.user.application.service.UserQueryService;
+import org.nkcoder.user.interfaces.rest.mapper.UserRequestMapper;
+import org.nkcoder.user.interfaces.rest.request.AdminResetPasswordRequest;
+import org.nkcoder.user.interfaces.rest.request.AdminUpdateUserRequest;
+import org.nkcoder.user.interfaces.rest.response.UserResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/** REST controller for admin user management operations. */
+@RestController
+@RequestMapping("/api/admin/users")
+@PreAuthorize("hasRole('ADMIN')")
+public class AdminUserController {
+
+  private static final Logger logger = LoggerFactory.getLogger(AdminUserController.class);
+
+  private final UserQueryService queryService;
+  private final UserCommandService commandService;
+  private final UserRequestMapper requestMapper;
+
+  public AdminUserController(
+      UserQueryService queryService,
+      UserCommandService commandService,
+      UserRequestMapper requestMapper) {
+    this.queryService = queryService;
+    this.commandService = commandService;
+    this.requestMapper = requestMapper;
+  }
+
+  @GetMapping
+  public ResponseEntity<ApiResponse<List<UserResponse>>> getAllUsers() {
+    logger.debug("Admin getting all users");
+
+    List<UserResponse> users = queryService.getAllUsers().stream().map(UserResponse::from).toList();
+
+    return ResponseEntity.ok(ApiResponse.success("Users retrieved", users));
+  }
+
+  @GetMapping("/{userId}")
+  public ResponseEntity<ApiResponse<UserResponse>> getUserById(@PathVariable UUID userId) {
+    logger.debug("Admin getting user: {}", userId);
+
+    UserDto user = queryService.getUserById(userId);
+
+    return ResponseEntity.ok(ApiResponse.success("User retrieved", UserResponse.from(user)));
+  }
+
+  @PatchMapping("/{userId}")
+  public ResponseEntity<ApiResponse<UserResponse>> updateUser(
+      @PathVariable UUID userId, @Valid @RequestBody AdminUpdateUserRequest request) {
+    logger.info("Admin updating user: {}", userId);
+
+    UserDto user = commandService.adminUpdateUser(requestMapper.toCommand(userId, request));
+
+    return ResponseEntity.ok(
+        ApiResponse.success("User updated successfully", UserResponse.from(user)));
+  }
+
+  @PatchMapping("/{userId}/password")
+  public ResponseEntity<ApiResponse<Void>> resetPassword(
+      @PathVariable UUID userId, @Valid @RequestBody AdminResetPasswordRequest request) {
+    logger.info("Admin resetting password for user: {}", userId);
+
+    commandService.adminResetPassword(requestMapper.toCommand(userId, request));
+
+    return ResponseEntity.ok(ApiResponse.success("Password reset successfully"));
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/UserController.java b/src/main/java/org/nkcoder/user/interfaces/rest/UserController.java
new file mode 100644
index 0000000..9dc08f8
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/UserController.java
@@ -0,0 +1,74 @@
+package org.nkcoder.user.interfaces.rest;
+
+import jakarta.validation.Valid;
+import java.util.UUID;
+import org.nkcoder.shared.local.rest.ApiResponse;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.application.service.UserCommandService;
+import org.nkcoder.user.application.service.UserQueryService;
+import org.nkcoder.user.interfaces.rest.mapper.UserRequestMapper;
+import org.nkcoder.user.interfaces.rest.request.ChangePasswordRequest;
+import org.nkcoder.user.interfaces.rest.request.UpdateProfileRequest;
+import org.nkcoder.user.interfaces.rest.response.UserResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.RequestAttribute;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/** REST controller for user profile operations. */
+@RestController
+@RequestMapping("/api/users/me")
+public class UserController {
+
+  private static final Logger logger = LoggerFactory.getLogger(UserController.class);
+
+  private final UserQueryService queryService;
+  private final UserCommandService commandService;
+  private final UserRequestMapper requestMapper;
+
+  public UserController(
+      UserQueryService queryService,
+      UserCommandService commandService,
+      UserRequestMapper requestMapper) {
+    this.queryService = queryService;
+    this.commandService = commandService;
+    this.requestMapper = requestMapper;
+  }
+
+  @GetMapping
+  public ResponseEntity<ApiResponse<UserResponse>> getCurrentUser(
+      @RequestAttribute("userId") UUID userId) {
+    logger.debug("Getting current user profile");
+
+    UserDto user = queryService.getUserById(userId);
+
+    return ResponseEntity.ok(
+        ApiResponse.success("User profile retrieved", UserResponse.from(user)));
+  }
+
+  @PatchMapping
+  public ResponseEntity<ApiResponse<UserResponse>> updateProfile(
+      @RequestAttribute("userId") UUID userId, @Valid @RequestBody UpdateProfileRequest request) {
+    logger.info("Updating profile for user: {}", userId);
+
+    UserDto user = commandService.updateProfile(requestMapper.toCommand(userId, request));
+
+    return ResponseEntity.ok(
+        ApiResponse.success("Profile updated successfully", UserResponse.from(user)));
+  }
+
+  @PatchMapping("/password")
+  public ResponseEntity<ApiResponse<Void>> changePassword(
+      @RequestAttribute("userId") UUID userId, @Valid @RequestBody ChangePasswordRequest request) {
+    logger.info("Changing password for user: {}", userId);
+
+    commandService.changePassword(requestMapper.toCommand(userId, request));
+
+    return ResponseEntity.ok(ApiResponse.success("Password changed successfully"));
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/mapper/UserRequestMapper.java b/src/main/java/org/nkcoder/user/interfaces/rest/mapper/UserRequestMapper.java
new file mode 100644
index 0000000..251df47
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/mapper/UserRequestMapper.java
@@ -0,0 +1,33 @@
+package org.nkcoder.user.interfaces.rest.mapper;
+
+import java.util.UUID;
+import org.nkcoder.user.application.dto.command.AdminResetPasswordCommand;
+import org.nkcoder.user.application.dto.command.AdminUpdateUserCommand;
+import org.nkcoder.user.application.dto.command.ChangePasswordCommand;
+import org.nkcoder.user.application.dto.command.UpdateProfileCommand;
+import org.nkcoder.user.interfaces.rest.request.AdminResetPasswordRequest;
+import org.nkcoder.user.interfaces.rest.request.AdminUpdateUserRequest;
+import org.nkcoder.user.interfaces.rest.request.ChangePasswordRequest;
+import org.nkcoder.user.interfaces.rest.request.UpdateProfileRequest;
+import org.springframework.stereotype.Component;
+
+/** Mapper for converting REST requests to application commands. */
+@Component
+public class UserRequestMapper {
+
+  public UpdateProfileCommand toCommand(UUID userId, UpdateProfileRequest request) {
+    return new UpdateProfileCommand(userId, request.name());
+  }
+
+  public ChangePasswordCommand toCommand(UUID userId, ChangePasswordRequest request) {
+    return new ChangePasswordCommand(userId, request.currentPassword(), request.newPassword());
+  }
+
+  public AdminUpdateUserCommand toCommand(UUID targetUserId, AdminUpdateUserRequest request) {
+    return new AdminUpdateUserCommand(targetUserId, request.name(), request.email());
+  }
+
+  public AdminResetPasswordCommand toCommand(UUID targetUserId, AdminResetPasswordRequest request) {
+    return new AdminResetPasswordCommand(targetUserId, request.newPassword());
+  }
+}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminResetPasswordRequest.java b/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminResetPasswordRequest.java
new file mode 100644
index 0000000..66a3699
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminResetPasswordRequest.java
@@ -0,0 +1,14 @@
+package org.nkcoder.user.interfaces.rest.request;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
+
+/** Request for admin resetting a user's password. */
+public record AdminResetPasswordRequest(
+    @NotBlank(message = "New password is required") @Size(min = 8, max = 100, message = "Password must be between 8 and 100 characters") @Pattern(
+            regexp = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$",
+            message =
+                "Password must contain at least one lowercase letter, one uppercase letter, and one"
+                    + " digit")
+        String newPassword) {}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminUpdateUserRequest.java b/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminUpdateUserRequest.java
new file mode 100644
index 0000000..3ecd924
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/request/AdminUpdateUserRequest.java
@@ -0,0 +1,9 @@
+package org.nkcoder.user.interfaces.rest.request;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.Size;
+
+/** Request for admin updating a user. */
+public record AdminUpdateUserRequest(
+    @Size(min = 1, max = 100, message = "Name must be between 1 and 100 characters") String name,
+    @Email(message = "Invalid email format") String email) {}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/request/ChangePasswordRequest.java b/src/main/java/org/nkcoder/user/interfaces/rest/request/ChangePasswordRequest.java
new file mode 100644
index 0000000..f24e19a
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/request/ChangePasswordRequest.java
@@ -0,0 +1,18 @@
+package org.nkcoder.user.interfaces.rest.request;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
+import org.nkcoder.shared.local.validation.PasswordMatch;
+
+/** Request for changing user's password. */
+@PasswordMatch
+public record ChangePasswordRequest(
+    @NotBlank(message = "Current password is required") String currentPassword,
+    @NotBlank(message = "New password is required") @Size(min = 8, max = 100, message = "Password must be between 8 and 100 characters") @Pattern(
+            regexp = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$",
+            message =
+                "Password must contain at least one lowercase letter, one uppercase letter, and one"
+                    + " digit")
+        String newPassword,
+    @NotBlank(message = "Password confirmation is required") String confirmPassword) {}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/request/UpdateProfileRequest.java b/src/main/java/org/nkcoder/user/interfaces/rest/request/UpdateProfileRequest.java
new file mode 100644
index 0000000..a74b54f
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/request/UpdateProfileRequest.java
@@ -0,0 +1,8 @@
+package org.nkcoder.user.interfaces.rest.request;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+
+/** Request for updating user profile. */
+public record UpdateProfileRequest(
+    @NotBlank(message = "Name is required") @Size(min = 1, max = 100, message = "Name must be between 1 and 100 characters") String name) {}
diff --git a/src/main/java/org/nkcoder/user/interfaces/rest/response/UserResponse.java b/src/main/java/org/nkcoder/user/interfaces/rest/response/UserResponse.java
new file mode 100644
index 0000000..db7d184
--- /dev/null
+++ b/src/main/java/org/nkcoder/user/interfaces/rest/response/UserResponse.java
@@ -0,0 +1,29 @@
+package org.nkcoder.user.interfaces.rest.response;
+
+import java.time.LocalDateTime;
+import java.util.UUID;
+import org.nkcoder.user.application.dto.response.UserDto;
+
+/** REST API response for user information. */
+public record UserResponse(
+    UUID id,
+    String email,
+    String name,
+    String role,
+    boolean emailVerified,
+    LocalDateTime lastLoginAt,
+    LocalDateTime createdAt,
+    LocalDateTime updatedAt) {
+
+  public static UserResponse from(UserDto dto) {
+    return new UserResponse(
+        dto.id(),
+        dto.email(),
+        dto.name(),
+        dto.role(),
+        dto.emailVerified(),
+        dto.lastLoginAt(),
+        dto.createdAt(),
+        dto.updatedAt());
+  }
+}
diff --git a/src/main/java/org/nkcoder/validation/ValidationMessages.java b/src/main/java/org/nkcoder/validation/ValidationMessages.java
deleted file mode 100644
index f0607b4..0000000
--- a/src/main/java/org/nkcoder/validation/ValidationMessages.java
+++ /dev/null
@@ -1,37 +0,0 @@
-package org.nkcoder.validation;
-
-public class ValidationMessages {
-  private ValidationMessages() {
-    // Utility class - prevent instantiation
-  }
-
-  /**
-   * Regex requiring at least one lowercase, one uppercase, and one digit. Pattern breakdown: -
-   * (?=.*[a-z]) - at least one lowercase letter - (?=.*[A-Z]) - at least one uppercase letter -
-   * (?=.*\d) - at least one digit - .+ - at least one character (combined with lookaheads)
-   */
-  public static final int PASSWORD_MIN_LENGTH = 8;
-
-  public static final String PASSWORD_COMPLEXITY_PATTERN = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$";
-  public static final String PASSWORD_REQUIRED = "Password is required.";
-  public static final String PASSWORD_SIZE =
-      "Password must be at least " + PASSWORD_MIN_LENGTH + " characters long";
-  public static final String PASSWORD_COMPLEXITY =
-      "Password must contain at least one lowercase letter, one uppercase letter, and one number";
-  public static final String CURRENT_PASSWORD_REQUIRED = "Current password is required";
-  public static final String CONFIRM_PASSWORD_REQUIRED = "Password confirmation is required";
-
-  // ===== Email Validation =====
-  public static final String EMAIL_REQUIRED = "Email is required";
-  public static final String EMAIL_INVALID = "Please provide a valid email";
-
-  // ===== Name Validation =====
-  public static final int NAME_MIN_LENGTH = 2;
-  public static final int NAME_MAX_LENGTH = 50;
-  public static final String NAME_REQUIRED = "Name is required";
-  public static final String NAME_SIZE =
-      "Name must be between " + NAME_MIN_LENGTH + " and " + NAME_MAX_LENGTH + " characters";
-
-  // ===== Token Validation =====
-  public static final String REFRESH_TOKEN_REQUIRED = "Refresh token is required";
-}
diff --git a/src/test/java/org/nkcoder/controller/AuthControllerTest.java b/src/test/java/org/nkcoder/controller/AuthControllerTest.java
deleted file mode 100644
index 178aef4..0000000
--- a/src/test/java/org/nkcoder/controller/AuthControllerTest.java
+++ /dev/null
@@ -1,356 +0,0 @@
-package org.nkcoder.controller;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.verify;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
-import java.time.LocalDateTime;
-import java.util.UUID;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.nkcoder.dto.auth.*;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.enums.Role;
-import org.nkcoder.security.JwtAuthenticationFilter;
-import org.nkcoder.service.AuthService;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.http.MediaType;
-import org.springframework.test.context.bean.override.mockito.MockitoBean;
-
-@DisplayName("AuthController tests")
-@WebMvcTest(
-    controllers = AuthController.class,
-    excludeAutoConfiguration = {SecurityAutoConfiguration.class},
-    excludeFilters = {
-      @ComponentScan.Filter(
-          type = FilterType.ASSIGNABLE_TYPE,
-          classes = {JwtAuthenticationFilter.class})
-    })
-class AuthControllerTest extends BaseControllerTest {
-  @MockitoBean private AuthService authService;
-
-  @Nested
-  @DisplayName("Registration Tests")
-  class RegistrationTests {
-
-    @Test
-    @DisplayName("Should register user successfully with valid request")
-    void shouldRegisterUserSuccessfully() throws Exception {
-      // Given
-      RegisterRequest request =
-          new RegisterRequest("test@example.com", "Password@123!", "John Doe", Role.MEMBER);
-
-      AuthResponse authResponse =
-          new AuthResponse(
-              new UserResponse(
-                  UUID.randomUUID(),
-                  "test@example.com",
-                  "John Doe",
-                  Role.MEMBER,
-                  false,
-                  LocalDateTime.now(),
-                  LocalDateTime.now(),
-                  LocalDateTime.now()),
-              new AuthTokens("test-access-token", "test-refresh-token"));
-
-      given(authService.register(any(RegisterRequest.class))).willReturn(authResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/register")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isCreated())
-          .andExpect(jsonPath("$.message").value("User registered successfully"))
-          .andExpect(jsonPath("$.data.tokens.accessToken").value("test-access-token"))
-          .andExpect(jsonPath("$.data.tokens.refreshToken").value("test-refresh-token"))
-          .andExpect(jsonPath("$.data.user.id").exists());
-
-      verify(authService).register(any(RegisterRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should return 400 when register request is invalid")
-    void shouldReturnBadRequestWhenRegisterRequestIsInvalid() throws Exception {
-      // Given
-      RegisterRequest request = new RegisterRequest(null, "test-pass", "John Doe", Role.MEMBER);
-      // Missing required fields
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/register")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isBadRequest());
-    }
-
-    @Test
-    @DisplayName("Should pass correct request to service")
-    void shouldPassCorrectRequestToService() throws Exception {
-      // Given
-      RegisterRequest request =
-          new RegisterRequest("test@example.com", "Password@123!", "John Doe", Role.MEMBER);
-
-      AuthResponse authResponse =
-          new AuthResponse(
-              new UserResponse(
-                  UUID.randomUUID(),
-                  "test@example.com",
-                  "test",
-                  Role.MEMBER,
-                  true,
-                  LocalDateTime.now(),
-                  LocalDateTime.now(),
-                  LocalDateTime.now()),
-              new AuthTokens("test-access-token", "test-refresh-token"));
-
-      given(authService.register(any(RegisterRequest.class))).willReturn(authResponse);
-
-      // When
-      mockMvc
-          .perform(
-              post("/api/users/auth/register")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isCreated());
-
-      // Then
-      ArgumentCaptor<RegisterRequest> captor = ArgumentCaptor.forClass(RegisterRequest.class);
-      verify(authService).register(captor.capture());
-
-      RegisterRequest capturedRequest = captor.getValue();
-      assertThat(capturedRequest.email()).isEqualTo("test@example.com");
-      assertThat(capturedRequest.password()).isEqualTo("Password@123!");
-      assertThat(capturedRequest.name()).isEqualTo("John Doe");
-    }
-  }
-
-  @Nested
-  @DisplayName("Login Tests")
-  class LoginTests {
-
-    @Test
-    @DisplayName("Should login user successfully with valid credentials")
-    void shouldLoginUserSuccessfully() throws Exception {
-      // Given
-      LoginRequest request = new LoginRequest("test@example.com", "password123");
-
-      AuthResponse authResponse =
-          new AuthResponse(
-              new UserResponse(
-                  UUID.randomUUID(),
-                  "test@test.com",
-                  "Test User",
-                  Role.MEMBER,
-                  true,
-                  LocalDateTime.now(),
-                  LocalDateTime.now(),
-                  LocalDateTime.now()),
-              new AuthTokens("access-token", "refresh-token"));
-
-      given(authService.login(any(LoginRequest.class))).willReturn(authResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/login")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Login successfully"))
-          .andExpect(jsonPath("$.data.tokens.accessToken").value("access-token"))
-          .andExpect(jsonPath("$.data.tokens.refreshToken").value("refresh-token"))
-          .andExpect(jsonPath("$.data.user.id").exists());
-
-      verify(authService).login(any(LoginRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should return 400 when login request is invalid")
-    void shouldReturnBadRequestWhenLoginRequestIsInvalid() throws Exception {
-      // Given
-      LoginRequest request = new LoginRequest(null, "password123");
-      // Missing required fields
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/login")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-
-  @Nested
-  @DisplayName("Token Refresh Tests")
-  class TokenRefreshTests {
-
-    @Test
-    @DisplayName("Should refresh tokens successfully")
-    void shouldRefreshTokensSuccessfully() throws Exception {
-      // Given
-      RefreshTokenRequest request = new RefreshTokenRequest("refresh-token");
-
-      AuthResponse authResponse =
-          new AuthResponse(
-              new UserResponse(
-                  UUID.randomUUID(),
-                  "test@email.com",
-                  "Test User",
-                  Role.MEMBER,
-                  false,
-                  LocalDateTime.now(),
-                  LocalDateTime.now(),
-                  LocalDateTime.now()),
-              new AuthTokens("new-access-token", "new-refresh-token"));
-
-      given(authService.refreshTokens(anyString())).willReturn(authResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/refresh")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Tokens refreshed successfully"))
-          .andExpect(jsonPath("$.data.tokens.accessToken").value("new-access-token"))
-          .andExpect(jsonPath("$.data.tokens.refreshToken").value("new-refresh-token"));
-
-      verify(authService).refreshTokens("refresh-token");
-    }
-
-    @Test
-    @DisplayName("Should return 400 when refresh token is missing")
-    void shouldReturnBadRequestWhenRefreshTokenIsMissing() throws Exception {
-      // Given
-      RefreshTokenRequest request = new RefreshTokenRequest(null);
-      // Missing refresh token
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/refresh")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-
-  @Nested
-  @DisplayName("Logout Tests")
-  class LogoutTests {
-
-    @Test
-    @DisplayName("Should logout from all devices successfully")
-    void shouldLogoutFromAllDevicesSuccessfully() throws Exception {
-      // Given
-      RefreshTokenRequest request = new RefreshTokenRequest("refresh-token");
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/logout")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Logout successful"))
-          .andExpect(jsonPath("$.data").doesNotExist());
-
-      verify(authService).logout("refresh-token");
-    }
-
-    @Test
-    @DisplayName("Should logout from single device successfully")
-    void shouldLogoutFromSingleDeviceSuccessfully() throws Exception {
-      // Given
-      RefreshTokenRequest request = new RefreshTokenRequest("refresh-token");
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/logout-single")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Logout from current device successful"))
-          .andExpect(jsonPath("$.data").doesNotExist());
-
-      verify(authService).logoutSingle("refresh-token");
-    }
-
-    @Test
-    @DisplayName("Should return 400 when logout request is invalid")
-    void shouldReturnBadRequestWhenLogoutRequestIsInvalid() throws Exception {
-      // Given
-      RefreshTokenRequest request = new RefreshTokenRequest("");
-      // Missing refresh token
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/logout")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-
-  @Nested
-  @DisplayName("Error Handling Tests")
-  class ErrorHandlingTests {
-
-    @Test
-    @DisplayName("Should handle service exceptions properly")
-    void shouldHandleServiceExceptionsProperly() throws Exception {
-      // Given
-      LoginRequest request = new LoginRequest("test@example.com", "wrong-password");
-
-      given(authService.login(any(LoginRequest.class)))
-          .willThrow(new RuntimeException("Invalid credentials"));
-
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/login")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(objectMapper.writeValueAsString(request)))
-          .andExpect(status().isInternalServerError());
-    }
-
-    @Test
-    @DisplayName("Should return 400 for malformed JSON")
-    void shouldReturnBadRequestForMalformedJson() throws Exception {
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/login")
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content("{invalid json"))
-          .andExpect(status().isBadRequest());
-    }
-
-    @Test
-    @DisplayName("Should return 415 for unsupported media type")
-    void shouldReturnUnsupportedMediaTypeForWrongContentType() throws Exception {
-      // When & Then
-      mockMvc
-          .perform(
-              post("/api/users/auth/login").contentType(MediaType.TEXT_PLAIN).content("some text"))
-          .andExpect(status().isUnsupportedMediaType());
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/controller/BaseControllerTest.java b/src/test/java/org/nkcoder/controller/BaseControllerTest.java
deleted file mode 100644
index f0c96b7..0000000
--- a/src/test/java/org/nkcoder/controller/BaseControllerTest.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package org.nkcoder.controller;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.nkcoder.config.JpaAuditingConfig;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.test.web.servlet.MockMvc;
-
-/** Base class for controller slice tests. */
-@ImportAutoConfiguration(exclude = {JpaAuditingConfig.class})
-@WebMvcTest
-public class BaseControllerTest {
-  @Autowired protected ObjectMapper objectMapper;
-
-  @Autowired protected MockMvc mockMvc;
-
-  protected String toJson(Object object) throws Exception {
-    return objectMapper.writeValueAsString(object);
-  }
-}
diff --git a/src/test/java/org/nkcoder/controller/UserControllerTest.java b/src/test/java/org/nkcoder/controller/UserControllerTest.java
deleted file mode 100644
index 7b9c130..0000000
--- a/src/test/java/org/nkcoder/controller/UserControllerTest.java
+++ /dev/null
@@ -1,265 +0,0 @@
-package org.nkcoder.controller;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.verify;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
-import java.time.LocalDateTime;
-import java.util.UUID;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.nkcoder.dto.user.ChangePasswordRequest;
-import org.nkcoder.dto.user.UpdateProfileRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.enums.Role;
-import org.nkcoder.security.JwtAuthenticationFilter;
-import org.nkcoder.service.UserService;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.http.MediaType;
-import org.springframework.security.test.context.support.WithMockUser;
-import org.springframework.test.context.bean.override.mockito.MockitoBean;
-
-@DisplayName("UserController tests")
-@WebMvcTest(
-    controllers = UserController.class,
-    excludeAutoConfiguration = {SecurityAutoConfiguration.class},
-    excludeFilters = {
-      @ComponentScan.Filter(
-          type = FilterType.ASSIGNABLE_TYPE,
-          classes = {JwtAuthenticationFilter.class})
-    })
-class UserControllerTest extends BaseControllerTest {
-
-  @MockitoBean private UserService userService;
-
-  private final UUID testUserId = UUID.randomUUID();
-  private final String testEmail = "test@example.com";
-
-  private UserResponse createTestUserResponse(UUID userId, String email, String name) {
-    return new UserResponse(
-        userId,
-        email,
-        name,
-        Role.MEMBER,
-        true,
-        LocalDateTime.now(),
-        LocalDateTime.now(),
-        LocalDateTime.now());
-  }
-
-  @Nested
-  @DisplayName("User Profile Tests")
-  @WithMockUser
-  class UserProfileTests {
-
-    @Test
-    @DisplayName("Should get user profile successfully")
-    void shouldGetUserProfileSuccessfully() throws Exception {
-      // Given
-      UserResponse userResponse = createTestUserResponse(testUserId, testEmail, "John Doe");
-      given(userService.findById(testUserId)).willReturn(userResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              get("/api/users/me")
-                  .requestAttr("userId", testUserId)
-                  .requestAttr("email", testEmail))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("User profile retrieved successfully"))
-          .andExpect(jsonPath("$.data.id").value(testUserId.toString()))
-          .andExpect(jsonPath("$.data.email").value(testEmail))
-          .andExpect(jsonPath("$.data.name").value("John Doe"));
-
-      verify(userService).findById(testUserId);
-    }
-
-    @Test
-    @DisplayName("Should update user profile successfully")
-    //    @WithMockUser
-    void shouldUpdateUserProfileSuccessfully() throws Exception {
-      // Given
-      UpdateProfileRequest request = new UpdateProfileRequest("newemail@example.com", "Jane Doe");
-      UserResponse updatedResponse =
-          createTestUserResponse(testUserId, "newemail@example.com", "Jane Doe");
-
-      given(userService.updateProfile(eq(testUserId), any(UpdateProfileRequest.class)))
-          .willReturn(updatedResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/me")
-                  .requestAttr("userId", testUserId)
-                  .requestAttr("email", testEmail)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Profile updated successfully"))
-          .andExpect(jsonPath("$.data.email").value("newemail@example.com"))
-          .andExpect(jsonPath("$.data.name").value("Jane Doe"));
-
-      verify(userService).updateProfile(eq(testUserId), any(UpdateProfileRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should return 400 when update profile request is invalid")
-    //    @WithMockUser
-    void shouldReturnBadRequestWhenUpdateProfileRequestIsInvalid() throws Exception {
-      // Given
-      UpdateProfileRequest request =
-          new UpdateProfileRequest("invalid-email", "A"); // Invalid email and name too short
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/me")
-                  .requestAttr("userId", testUserId)
-                  .requestAttr("email", testEmail)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isBadRequest());
-    }
-
-    @Test
-    @DisplayName("Should change password successfully")
-    @WithMockUser
-    void shouldChangePasswordSuccessfully() throws Exception {
-      // Given
-      ChangePasswordRequest request =
-          new ChangePasswordRequest("OldPassword123!", "NewPassword123!", "NewPassword123!");
-      doNothing()
-          .when(userService)
-          .changePassword(eq(testUserId), any(ChangePasswordRequest.class));
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/me/password")
-                  .requestAttr("userId", testUserId)
-                  .requestAttr("email", testEmail)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Password changed successfully"));
-
-      verify(userService).changePassword(eq(testUserId), any(ChangePasswordRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should return 400 when change password request is invalid")
-    void shouldReturnBadRequestWhenChangePasswordRequestIsInvalid() throws Exception {
-      // Given
-      ChangePasswordRequest request =
-          new ChangePasswordRequest("", "weak", "weak"); // Invalid password
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/me/password")
-                  .requestAttr("userId", testUserId)
-                  .requestAttr("email", testEmail)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-
-  @Nested
-  @DisplayName("Admin User Management Tests")
-  @WithMockUser(roles = "ADMIN")
-  class AdminUserManagementTests {
-
-    @Test
-    @DisplayName("Should get user by ID as admin")
-    void shouldGetUserByIdAsAdmin() throws Exception {
-      // Given
-      UserResponse userResponse = createTestUserResponse(testUserId, testEmail, "Admin User");
-      given(userService.findById(testUserId)).willReturn(userResponse);
-
-      // When & Then
-      mockMvc
-          .perform(get("/api/users/{userId}", testUserId))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("User retrieved successfully"))
-          .andExpect(jsonPath("$.data.id").value(testUserId.toString()))
-          .andExpect(jsonPath("$.data.email").value(testEmail));
-
-      verify(userService).findById(testUserId);
-    }
-
-    @Test
-    @DisplayName("Should update user as admin")
-    void shouldUpdateUserAsAdmin() throws Exception {
-      // Given
-      UpdateProfileRequest request = new UpdateProfileRequest("admin@example.com", "Admin Updated");
-      UserResponse updatedResponse =
-          createTestUserResponse(testUserId, "admin@example.com", "Admin Updated");
-
-      given(userService.updateProfile(eq(testUserId), any(UpdateProfileRequest.class)))
-          .willReturn(updatedResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/{userId}", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("User updated successfully"))
-          .andExpect(jsonPath("$.data.email").value("admin@example.com"))
-          .andExpect(jsonPath("$.data.name").value("Admin Updated"));
-
-      verify(userService).updateProfile(eq(testUserId), any(UpdateProfileRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should change user password as admin")
-    void shouldChangeUserPasswordAsAdmin() throws Exception {
-      // Given
-      ChangePasswordRequest request =
-          new ChangePasswordRequest(
-              "OldPassword123!",
-              "NewAdminPassword123!",
-              "NewAdminPassword123!"); // Only newPassword is used for admin
-      doNothing().when(userService).changeUserPassword(testUserId, "NewAdminPassword123!");
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/{userId}/password", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Password changed successfully"));
-
-      verify(userService).changeUserPassword(testUserId, "NewAdminPassword123!");
-    }
-
-    @Test
-    @DisplayName("Should return 400 when admin update request is invalid")
-    void shouldReturnBadRequestWhenAdminUpdateRequestIsInvalid() throws Exception {
-      // Given
-      UpdateProfileRequest request =
-          new UpdateProfileRequest("invalid-email", ""); // Invalid email and empty name
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/users/{userId}", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/entity/RefreshTokenFactory.java b/src/test/java/org/nkcoder/entity/RefreshTokenFactory.java
deleted file mode 100644
index 35767a2..0000000
--- a/src/test/java/org/nkcoder/entity/RefreshTokenFactory.java
+++ /dev/null
@@ -1,50 +0,0 @@
-package org.nkcoder.entity;
-
-import java.time.LocalDateTime;
-import java.util.UUID;
-
-public class RefreshTokenFactory {
-
-  private RefreshTokenFactory() {}
-
-  public static RefreshTokenBuilder aToken() {
-    return new RefreshTokenBuilder();
-  }
-
-  public static RefreshTokenBuilder anExpiredToken() {
-    return new RefreshTokenBuilder().withExpiresAt(LocalDateTime.now().minusDays(1));
-  }
-
-  public static final class RefreshTokenBuilder {
-    private String token = "test-token-" + UUID.randomUUID();
-    private String tokenFamily = UUID.randomUUID().toString();
-    private UUID userId = UUID.randomUUID();
-    private LocalDateTime expiresAt = LocalDateTime.now().plusDays(7);
-
-    private RefreshTokenBuilder() {}
-
-    public RefreshTokenBuilder withToken(String token) {
-      this.token = token;
-      return this;
-    }
-
-    public RefreshTokenBuilder withTokenFamily(String tokenFamily) {
-      this.tokenFamily = tokenFamily;
-      return this;
-    }
-
-    public RefreshTokenBuilder forUser(UUID userId) {
-      this.userId = userId;
-      return this;
-    }
-
-    public RefreshTokenBuilder withExpiresAt(LocalDateTime expiresAt) {
-      this.expiresAt = expiresAt;
-      return this;
-    }
-
-    public RefreshToken build() {
-      return new RefreshToken(token, tokenFamily, userId, expiresAt);
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/entity/UserTestFactory.java b/src/test/java/org/nkcoder/entity/UserTestFactory.java
deleted file mode 100644
index 1c02f9a..0000000
--- a/src/test/java/org/nkcoder/entity/UserTestFactory.java
+++ /dev/null
@@ -1,73 +0,0 @@
-package org.nkcoder.entity;
-
-import java.util.UUID;
-import org.nkcoder.enums.Role;
-
-public class UserTestFactory {
-  private UserTestFactory() {}
-
-  // backward compatibility
-  public static User createWithId(
-      UUID id, String email, String password, String name, Role role, Boolean emailVerified) {
-    return new User(id, email, password, name, role, emailVerified);
-  }
-
-  public static UserBuilder aUser() {
-    return new UserBuilder();
-  }
-
-  public static UserBuilder anAdmin() {
-    return aUser().withRole(Role.ADMIN);
-  }
-
-  public static UserBuilder aVerifiedUser() {
-    return aUser().withEmailVerified(true);
-  }
-
-  // Builder Class
-  public static final class UserBuilder {
-    private UUID id = UUID.randomUUID();
-    private String email = "test-" + UUID.randomUUID().toString().substring(0, 8) + "@example.com";
-    private String password = "encoded-password";
-    private String name = "Test User";
-    private Role role = Role.MEMBER;
-    private boolean emailVerified = false;
-
-    private UserBuilder() {}
-
-    public UserBuilder withId(UUID id) {
-      this.id = id;
-      return this;
-    }
-
-    public UserBuilder withEmail(String email) {
-      this.email = email;
-      return this;
-    }
-
-    public UserBuilder withPassword(String password) {
-      this.password = password;
-      return this;
-    }
-
-    public UserBuilder withName(String name) {
-      this.name = name;
-      return this;
-    }
-
-    public UserBuilder withRole(Role role) {
-      this.role = role;
-      return this;
-    }
-
-    public UserBuilder withEmailVerified(boolean emailVerified) {
-      this.emailVerified = emailVerified;
-      return this;
-    }
-
-    /** Builds the User using the package-private test constructor. */
-    public User build() {
-      return new User(id, email, password, name, role, emailVerified);
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/config/DataJpaIntegrationTest.java b/src/test/java/org/nkcoder/infrastructure/config/DataJpaIntegrationTest.java
similarity index 95%
rename from src/test/java/org/nkcoder/config/DataJpaIntegrationTest.java
rename to src/test/java/org/nkcoder/infrastructure/config/DataJpaIntegrationTest.java
index 8fd8cc9..9995873 100644
--- a/src/test/java/org/nkcoder/config/DataJpaIntegrationTest.java
+++ b/src/test/java/org/nkcoder/infrastructure/config/DataJpaIntegrationTest.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
diff --git a/src/test/java/org/nkcoder/config/IntegrationTest.java b/src/test/java/org/nkcoder/infrastructure/config/IntegrationTest.java
similarity index 95%
rename from src/test/java/org/nkcoder/config/IntegrationTest.java
rename to src/test/java/org/nkcoder/infrastructure/config/IntegrationTest.java
index b52e3e2..42a61a2 100644
--- a/src/test/java/org/nkcoder/config/IntegrationTest.java
+++ b/src/test/java/org/nkcoder/infrastructure/config/IntegrationTest.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
diff --git a/src/test/java/org/nkcoder/config/TestContainersConfiguration.java b/src/test/java/org/nkcoder/infrastructure/config/TestContainersConfiguration.java
similarity index 97%
rename from src/test/java/org/nkcoder/config/TestContainersConfiguration.java
rename to src/test/java/org/nkcoder/infrastructure/config/TestContainersConfiguration.java
index 2f633d4..4f2c3d4 100644
--- a/src/test/java/org/nkcoder/config/TestContainersConfiguration.java
+++ b/src/test/java/org/nkcoder/infrastructure/config/TestContainersConfiguration.java
@@ -1,4 +1,4 @@
-package org.nkcoder.config;
+package org.nkcoder.infrastructure.config;
 
 import org.springframework.boot.test.context.TestConfiguration;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
diff --git a/src/test/java/org/nkcoder/integration/AuthControllerIntegrationTest.java b/src/test/java/org/nkcoder/integration/AuthControllerIntegrationTest.java
index f56ec22..50b683f 100644
--- a/src/test/java/org/nkcoder/integration/AuthControllerIntegrationTest.java
+++ b/src/test/java/org/nkcoder/integration/AuthControllerIntegrationTest.java
@@ -7,19 +7,17 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-import java.time.LocalDateTime;
 import java.util.UUID;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
-import org.nkcoder.config.IntegrationTest;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.AuthTokens;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.enums.Role;
-import org.nkcoder.service.AuthService;
-import org.nkcoder.service.UserService;
-import org.nkcoder.util.JwtUtil;
+import org.nkcoder.auth.application.dto.response.AuthResult;
+import org.nkcoder.auth.application.service.AuthApplicationService;
+import org.nkcoder.auth.domain.model.AuthRole;
+import org.nkcoder.auth.infrastructure.security.JwtUtil;
+import org.nkcoder.infrastructure.config.IntegrationTest;
+import org.nkcoder.user.application.service.UserCommandService;
+import org.nkcoder.user.application.service.UserQueryService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
@@ -37,9 +35,11 @@ public class AuthControllerIntegrationTest {
 
   @Autowired private MockMvc mockMvc;
 
-  @MockitoBean private AuthService authService;
+  @MockitoBean private AuthApplicationService authService;
 
-  @MockitoBean private UserService userService;
+  @MockitoBean private UserQueryService userQueryService;
+
+  @MockitoBean private UserCommandService userCommandService;
 
   @MockitoBean private JwtUtil jwtUtil;
 
@@ -50,12 +50,12 @@ class PublicEndpoints {
     @Test
     @DisplayName("register endpoint is accessible without authentication")
     void registerIsPublic() throws Exception {
-      AuthResponse authResponse = createAuthResponse();
-      given(authService.register(any())).willReturn(authResponse);
+      AuthResult authResult = createAuthResult();
+      given(authService.register(any())).willReturn(authResult);
 
       mockMvc
           .perform(
-              post("/api/users/auth/register")
+              post("/api/auth/register")
                   .contentType(MediaType.APPLICATION_JSON)
                   .content(
                       """
@@ -72,12 +72,12 @@ void registerIsPublic() throws Exception {
     @Test
     @DisplayName("login endpoint is accessible without authentication")
     void loginIsPublic() throws Exception {
-      AuthResponse response = createAuthResponse();
-      given(authService.login(any())).willReturn(response);
+      AuthResult authResult = createAuthResult();
+      given(authService.login(any())).willReturn(authResult);
 
       mockMvc
           .perform(
-              post("/api/users/auth/login")
+              post("/api/auth/login")
                   .contentType(MediaType.APPLICATION_JSON)
                   .content(
                       """
@@ -92,12 +92,12 @@ void loginIsPublic() throws Exception {
     @Test
     @DisplayName("refresh endpoint is accessible without authentication")
     void refreshIsPublic() throws Exception {
-      AuthResponse response = createAuthResponse();
-      given(authService.refreshTokens(any())).willReturn(response);
+      AuthResult authResult = createAuthResult();
+      given(authService.refreshTokens(any())).willReturn(authResult);
 
       mockMvc
           .perform(
-              post("/api/users/auth/refresh")
+              post("/api/auth/refresh")
                   .contentType(MediaType.APPLICATION_JSON)
                   .content(
                       """
@@ -157,19 +157,19 @@ void changePasswordRequiresAuth() throws Exception {
   class AdminEndpoints {
 
     @Test
-    @DisplayName("GET /api/users/{id} returns 401 without token")
+    @DisplayName("GET /api/admin/users/{id} returns 401 without token")
     void getUserByIdRequiresAuth() throws Exception {
       mockMvc
-          .perform(get("/api/users/{userId}", UUID.randomUUID()))
+          .perform(get("/api/admin/users/{userId}", UUID.randomUUID()))
           .andExpect(status().isUnauthorized());
     }
 
     @Test
-    @DisplayName("PATCH /api/users/{id} returns 401 without token")
+    @DisplayName("PATCH /api/admin/users/{id} returns 401 without token")
     void updateUserRequiresAuth() throws Exception {
       mockMvc
           .perform(
-              patch("/api/users/{userId}", UUID.randomUUID())
+              patch("/api/admin/users/{userId}", UUID.randomUUID())
                   .contentType(MediaType.APPLICATION_JSON)
                   .content(
                       """
@@ -179,17 +179,8 @@ void updateUserRequiresAuth() throws Exception {
     }
   }
 
-  private AuthResponse createAuthResponse() {
-    return new AuthResponse(
-        new UserResponse(
-            UUID.randomUUID(),
-            "test@example.com",
-            "Test User",
-            Role.MEMBER,
-            false,
-            LocalDateTime.now(),
-            LocalDateTime.now(),
-            LocalDateTime.now()),
-        new AuthTokens("access-token", "refresh-token"));
+  private AuthResult createAuthResult() {
+    return new AuthResult(
+        UUID.randomUUID(), "test@example.com", AuthRole.MEMBER, "access-token", "refresh-token");
   }
 }
diff --git a/src/test/java/org/nkcoder/integration/AuthFlowIntegrationTest.java b/src/test/java/org/nkcoder/integration/AuthFlowIntegrationTest.java
index 5f8d133..9422c94 100644
--- a/src/test/java/org/nkcoder/integration/AuthFlowIntegrationTest.java
+++ b/src/test/java/org/nkcoder/integration/AuthFlowIntegrationTest.java
@@ -10,10 +10,16 @@
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
-import org.nkcoder.config.IntegrationTest;
+import org.nkcoder.infrastructure.config.TestContainersConfiguration;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.context.annotation.Import;
+import org.springframework.test.context.ActiveProfiles;
 
-@IntegrationTest
+@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@Import(TestContainersConfiguration.class)
+@ActiveProfiles("test")
 @DisplayName("Auth Flow Integration Tests")
 class AuthFlowIntegrationTest {
 
@@ -22,7 +28,7 @@ class AuthFlowIntegrationTest {
   @BeforeEach
   void setupRestAssured() {
     RestAssured.port = port;
-    RestAssured.basePath = "/api/users";
+    RestAssured.basePath = "";
   }
 
   @Nested
@@ -46,7 +52,7 @@ void fullAuthenticationFlow() {
                   }
                   """)
               .when()
-              .post("/auth/register")
+              .post("/api/auth/register")
               .then()
               .statusCode(anyOf(is(200), is(201)))
               .body("data.user.email", equalTo("flow@example.com"))
@@ -62,7 +68,7 @@ void fullAuthenticationFlow() {
       given()
           .header("Authorization", "Bearer " + accessToken)
           .when()
-          .get("/me")
+          .get("/api/users/me")
           .then()
           .statusCode(200)
           .body("data.email", equalTo("flow@example.com"))
@@ -80,7 +86,7 @@ void fullAuthenticationFlow() {
                   """
                       .formatted(refreshToken))
               .when()
-              .post("/auth/refresh")
+              .post("/api/auth/refresh")
               .then()
               .statusCode(200)
               .body("data.tokens.accessToken", notNullValue())
@@ -91,10 +97,6 @@ void fullAuthenticationFlow() {
       String newAccessToken = refreshResponse.jsonPath().getString("data.tokens.accessToken");
       String newRefreshToken = refreshResponse.jsonPath().getString("data.tokens.refreshToken");
 
-      // Verify tokens rotated
-      //      assertThat(newAccessToken).isNotEqualTo(accessToken);
-      //      assertThat(newRefreshToken).isNotEqualTo(refreshToken);
-
       // Step 4: Old refresh token should be invalid
       given()
           .contentType(ContentType.JSON)
@@ -106,7 +108,7 @@ void fullAuthenticationFlow() {
               """
                   .formatted(refreshToken))
           .when()
-          .post("/auth/refresh")
+          .post("/api/auth/refresh")
           .then()
           .statusCode(401);
 
@@ -114,7 +116,7 @@ void fullAuthenticationFlow() {
       given()
           .header("Authorization", "Bearer " + newAccessToken)
           .when()
-          .get("/me")
+          .get("/api/users/me")
           .then()
           .statusCode(200);
 
@@ -130,7 +132,7 @@ void fullAuthenticationFlow() {
               """
                   .formatted(newRefreshToken))
           .when()
-          .post("/auth/logout")
+          .post("/api/auth/logout")
           .then()
           .statusCode(200);
 
@@ -145,7 +147,7 @@ void fullAuthenticationFlow() {
               """
                   .formatted(newRefreshToken))
           .when()
-          .post("/auth/refresh")
+          .post("/api/auth/refresh")
           .then()
           .statusCode(401);
     }
@@ -170,12 +172,10 @@ void registersNewUser() {
               }
               """)
           .when()
-          .post("/auth/register")
+          .post("/api/auth/register")
           .then()
           .statusCode(anyOf(is(200), is(201)))
           .body("data.user.email", equalTo("newuser@example.com"))
-          .body("data.user.name", equalTo("New User"))
-          .body("data.user.role", equalTo("MEMBER"))
           .body("data.tokens.accessToken", notNullValue())
           .body("data.tokens.refreshToken", notNullValue());
     }
@@ -196,7 +196,7 @@ void rejectsDuplicateEmail() {
               }
               """)
           .when()
-          .post("/auth/register")
+          .post("/api/auth/register")
           .then()
           .statusCode(anyOf(is(200), is(201)));
 
@@ -213,7 +213,7 @@ void rejectsDuplicateEmail() {
               }
               """)
           .when()
-          .post("/auth/register")
+          .post("/api/auth/register")
           .then()
           .statusCode(400)
           .body("message", equalTo("User already exists"));
@@ -234,7 +234,7 @@ void normalizesEmail() {
               }
               """)
           .when()
-          .post("/auth/register")
+          .post("/api/auth/register")
           .then()
           .statusCode(anyOf(is(200), is(201)))
           .body("data.user.email", equalTo("uppercase@example.com"));
@@ -262,7 +262,7 @@ void logsInSuccessfully() {
               }
               """)
           .when()
-          .post("/auth/login")
+          .post("/api/auth/login")
           .then()
           .statusCode(200)
           .body("data.user.email", equalTo("login@example.com"))
@@ -284,7 +284,7 @@ void rejectsWrongPassword() {
               }
               """)
           .when()
-          .post("/auth/login")
+          .post("/api/auth/login")
           .then()
           .statusCode(401)
           .body("message", equalTo("Invalid email or password"));
@@ -303,7 +303,7 @@ void rejectsNonExistentEmail() {
               }
               """)
           .when()
-          .post("/auth/login")
+          .post("/api/auth/login")
           .then()
           .statusCode(401)
           .body("message", equalTo("Invalid email or password"));
@@ -330,7 +330,7 @@ void updatesProfile() {
               }
               """)
           .when()
-          .patch("/me")
+          .patch("/api/users/me")
           .then()
           .statusCode(200)
           .body("data.name", equalTo("Updated Name"));
@@ -355,7 +355,7 @@ void changesPassword() {
               }
               """)
           .when()
-          .patch("/me/password")
+          .patch("/api/users/me/password")
           .then()
           .statusCode(200);
 
@@ -370,7 +370,7 @@ void changesPassword() {
               }
               """)
           .when()
-          .post("/auth/login")
+          .post("/api/auth/login")
           .then()
           .statusCode(200);
 
@@ -385,7 +385,7 @@ void changesPassword() {
               }
               """)
           .when()
-          .post("/auth/login")
+          .post("/api/auth/login")
           .then()
           .statusCode(401);
     }
@@ -401,7 +401,7 @@ void rejectsInvalidToken() {
       given()
           .header("Authorization", "Bearer invalid.token.here")
           .when()
-          .get("/me")
+          .get("/api/users/me")
           .then()
           .statusCode(401);
     }
@@ -409,7 +409,7 @@ void rejectsInvalidToken() {
     @Test
     @DisplayName("rejects request without token")
     void rejectsNoToken() {
-      given().when().get("/me").then().statusCode(401);
+      given().when().get("/api/users/me").then().statusCode(401);
     }
   }
 
@@ -428,7 +428,7 @@ private void registerUser(String email, String password, String name) {
             """
                 .formatted(email, password, name))
         .when()
-        .post("/auth/register")
+        .post("/api/auth/register")
         .then()
         .statusCode(anyOf(is(200), is(201)));
   }
@@ -448,7 +448,7 @@ private String registerAndGetToken(String email, String password, String name) {
                 """
                     .formatted(email, password, name))
             .when()
-            .post("/auth/register")
+            .post("/api/auth/register")
             .then()
             .statusCode(anyOf(is(200), is(201)))
             .extract()
diff --git a/src/test/java/org/nkcoder/repository/RefreshTokenRepositoryTest.java b/src/test/java/org/nkcoder/repository/RefreshTokenRepositoryTest.java
deleted file mode 100644
index 4e89a6b..0000000
--- a/src/test/java/org/nkcoder/repository/RefreshTokenRepositoryTest.java
+++ /dev/null
@@ -1,211 +0,0 @@
-package org.nkcoder.repository;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.nkcoder.config.DataJpaIntegrationTest;
-import org.nkcoder.entity.RefreshToken;
-import org.nkcoder.entity.User;
-import org.nkcoder.enums.Role;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.orm.jpa.TestEntityManager;
-
-@DataJpaIntegrationTest
-@DisplayName("RefreshTokenRepository")
-class RefreshTokenRepositoryTest {
-  @Autowired private RefreshTokenRepository refreshTokenRepository;
-
-  @Autowired private UserRepository userRepository;
-
-  @Autowired private TestEntityManager entityManager;
-
-  private User testUser;
-  private final String tokenFamily = UUID.randomUUID().toString();
-
-  @BeforeEach
-  void setUp() {
-    refreshTokenRepository.deleteAll();
-    userRepository.deleteAll();
-    entityManager.flush();
-    entityManager.clear();
-
-    testUser = new User("test@example.com", "encoded-password", "Test User", Role.MEMBER, false);
-    testUser = entityManager.persistAndFlush(testUser);
-    entityManager.clear();
-  }
-
-  @Nested
-  @DisplayName("findByToken")
-  class FindByToken {
-
-    @Test
-    @DisplayName("returns token when exists")
-    void returnsTokenWhenExists() {
-      RefreshToken token =
-          new RefreshToken(
-              "valid-token", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persistAndFlush(token);
-      entityManager.clear();
-
-      Optional<RefreshToken> found = refreshTokenRepository.findByToken("valid-token");
-
-      assertThat(found).isPresent();
-      assertThat(found.get().getTokenFamily()).isEqualTo(tokenFamily);
-    }
-
-    @Test
-    @DisplayName("returns empty when token does not exist")
-    void returnsEmptyWhenNotExists() {
-      Optional<RefreshToken> found = refreshTokenRepository.findByToken("nonexistent");
-
-      assertThat(found).isEmpty();
-    }
-  }
-
-  @Nested
-  @DisplayName("findByTokenForUpdate (pessimistic lock)")
-  class FindByTokenForUpdate {
-
-    @Test
-    @DisplayName("returns token with lock when exists")
-    void returnsTokenWithLock() {
-      RefreshToken token =
-          new RefreshToken(
-              "locked-token", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persistAndFlush(token);
-      entityManager.clear();
-
-      // This executes SELECT ... FOR UPDATE
-      Optional<RefreshToken> found = refreshTokenRepository.findByTokenForUpdate("locked-token");
-
-      assertThat(found).isPresent();
-      assertThat(found.get().getToken()).isEqualTo("locked-token");
-    }
-
-    @Test
-    @DisplayName("returns empty when token does not exist")
-    void returnsEmptyWhenNotExists() {
-      Optional<RefreshToken> found = refreshTokenRepository.findByTokenForUpdate("nonexistent");
-
-      assertThat(found).isEmpty();
-    }
-  }
-
-  @Nested
-  @DisplayName("deleteByTokenFamily")
-  class DeleteByTokenFamily {
-
-    @Test
-    @DisplayName("deletes all tokens in family")
-    void deletesAllTokensInFamily() {
-      // Create multiple tokens in same family (simulating refresh rotations)
-      RefreshToken token1 =
-          new RefreshToken(
-              "token-1", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      RefreshToken token2 =
-          new RefreshToken(
-              "token-2", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persist(token1);
-      entityManager.persist(token2);
-      entityManager.flush();
-      entityManager.clear();
-
-      int deleted = refreshTokenRepository.deleteByTokenFamily(tokenFamily);
-
-      assertThat(deleted).isEqualTo(2);
-      assertThat(refreshTokenRepository.findByToken("token-1")).isEmpty();
-      assertThat(refreshTokenRepository.findByToken("token-2")).isEmpty();
-    }
-
-    @Test
-    @DisplayName("does not delete tokens from other families")
-    void doesNotDeleteOtherFamilies() {
-      String otherFamily = UUID.randomUUID().toString();
-
-      RefreshToken token1 =
-          new RefreshToken(
-              "token-1", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      RefreshToken token2 =
-          new RefreshToken(
-              "token-2", otherFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persist(token1);
-      entityManager.persist(token2);
-      entityManager.flush();
-      entityManager.clear();
-
-      refreshTokenRepository.deleteByTokenFamily(tokenFamily);
-
-      assertThat(refreshTokenRepository.findByToken("token-1")).isEmpty();
-      assertThat(refreshTokenRepository.findByToken("token-2")).isPresent(); // Still exists
-    }
-  }
-
-  @Nested
-  @DisplayName("deleteExpiredTokens")
-  class DeleteExpiredTokens {
-
-    @Test
-    @DisplayName("deletes tokens expired before cutoff")
-    void deletesExpiredTokens() {
-      LocalDateTime now = LocalDateTime.now();
-
-      // Expired token (expired yesterday)
-      RefreshToken expired =
-          new RefreshToken("expired-token", tokenFamily, testUser.getId(), now.minusDays(1));
-      // Valid token (expires in 7 days)
-      RefreshToken valid =
-          new RefreshToken(
-              "valid-token", UUID.randomUUID().toString(), testUser.getId(), now.plusDays(7));
-
-      entityManager.persist(expired);
-      entityManager.persist(valid);
-      entityManager.flush();
-      entityManager.clear();
-
-      int deleted = refreshTokenRepository.deleteExpiredTokens(now);
-
-      assertThat(deleted).isEqualTo(1);
-      assertThat(refreshTokenRepository.findByToken("expired-token")).isEmpty();
-      assertThat(refreshTokenRepository.findByToken("valid-token")).isPresent();
-    }
-
-    @Test
-    @DisplayName("returns zero when no expired tokens")
-    void returnsZeroWhenNoneExpired() {
-      RefreshToken valid =
-          new RefreshToken(
-              "valid-token", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persistAndFlush(valid);
-
-      int deleted = refreshTokenRepository.deleteExpiredTokens(LocalDateTime.now());
-
-      assertThat(deleted).isEqualTo(0);
-    }
-  }
-
-  @Nested
-  @DisplayName("deleteByToken")
-  class DeleteByToken {
-
-    @Test
-    @DisplayName("deletes single token")
-    void deletesSingleToken() {
-      RefreshToken token =
-          new RefreshToken(
-              "to-delete", tokenFamily, testUser.getId(), LocalDateTime.now().plusDays(7));
-      entityManager.persistAndFlush(token);
-      entityManager.clear();
-
-      int deleted = refreshTokenRepository.deleteByToken("to-delete");
-
-      assertThat(deleted).isEqualTo(1);
-      assertThat(refreshTokenRepository.findByToken("to-delete")).isEmpty();
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/repository/UserRepositoryTest.java b/src/test/java/org/nkcoder/repository/UserRepositoryTest.java
deleted file mode 100644
index dcf1bbc..0000000
--- a/src/test/java/org/nkcoder/repository/UserRepositoryTest.java
+++ /dev/null
@@ -1,166 +0,0 @@
-package org.nkcoder.repository;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-import java.time.LocalDateTime;
-import java.time.temporal.ChronoUnit;
-import java.util.Optional;
-import java.util.UUID;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.nkcoder.config.DataJpaIntegrationTest;
-import org.nkcoder.entity.User;
-import org.nkcoder.enums.Role;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.orm.jpa.TestEntityManager;
-
-@DataJpaIntegrationTest
-@DisplayName("UserRepository")
-public class UserRepositoryTest {
-  @Autowired private UserRepository userRepository;
-  // JPA-aware test utility for persist/flush/clear operations
-  @Autowired private TestEntityManager entityManager;
-
-  private User testUser;
-
-  @BeforeEach
-  void setUp() {
-    // Clean slate for each test
-    userRepository.deleteAll();
-    entityManager.flush();
-    entityManager.clear();
-
-    // Create a fresh test user
-    testUser = new User("test@example.com", "encoded-password", "Test User", Role.MEMBER, false);
-    entityManager.persist(testUser);
-  }
-
-  @Nested
-  @DisplayName("findByEmail")
-  class FindByEmail {
-
-    @Test
-    @DisplayName("returns user when email exists")
-    void returnsUsersWhenExists() {
-      Optional<User> found = userRepository.findByEmail("test@example.com");
-
-      assertThat(found).isPresent();
-      assertThat(found.get().getEmail()).isEqualTo("test@example.com");
-      assertThat(found.get().getName()).isEqualTo("Test User");
-    }
-
-    @Test
-    @DisplayName("returns empty when email does not exist")
-    void returnsEmptyWhenNotExists() {
-      Optional<User> found = userRepository.findByEmail("nonexistent@example.com");
-
-      assertThat(found).isEmpty();
-    }
-
-    @Test
-    @DisplayName("is case-sensitive")
-    void isCaseSensitive() {
-      // Email was stored as lowercase
-      Optional<User> found = userRepository.findByEmail("TEST@EXAMPLE.COM");
-
-      // JPA query is case-sensitive by default
-      assertThat(found).isEmpty();
-    }
-  }
-
-  @Nested
-  @DisplayName("existsByEmail")
-  class ExistsByEmail {
-
-    @Test
-    @DisplayName("returns true when email exists")
-    void returnsTrueWhenExists() {
-      boolean exists = userRepository.existsByEmail("test@example.com");
-
-      assertThat(exists).isTrue();
-    }
-
-    @Test
-    @DisplayName("returns false when email does not exist")
-    void returnsFalseWhenNotExists() {
-      boolean exists = userRepository.existsByEmail("nonexistent@example.com");
-
-      assertThat(exists).isFalse();
-    }
-  }
-
-  @Nested
-  @DisplayName("findByEmailExcludingId")
-  class FindByEmailExcludingId {
-
-    @Test
-    @DisplayName("returns empty when email belongs to same user")
-    void returnsEmptyForSameUser() {
-      Optional<User> found =
-          userRepository.findByEmailExcludingId("test@example.com", testUser.getId());
-
-      // Should NOT find because we're excluding this user's ID
-      assertThat(found).isEmpty();
-    }
-
-    @Test
-    @DisplayName("returns user when email belongs to different user")
-    void returnsUserForDifferentUser() {
-      // Create another user with different email
-      User anotherUser =
-          new User("another@example.com", "password", "Another User", Role.MEMBER, false);
-      entityManager.persistAndFlush(anotherUser);
-
-      // Search for another's email, excluding testUser's ID
-      Optional<User> found =
-          userRepository.findByEmailExcludingId("another@example.com", testUser.getId());
-
-      assertThat(found).isPresent();
-      assertThat(found.get().getEmail()).isEqualTo("another@example.com");
-    }
-
-    @Test
-    @DisplayName("returns empty when email does not exist")
-    void returnsEmptyWhenNotExists() {
-      Optional<User> found =
-          userRepository.findByEmailExcludingId("nonexistent@example.com", testUser.getId());
-
-      assertThat(found).isEmpty();
-    }
-  }
-
-  @Nested
-  @DisplayName("updateLastLoginAt")
-  class UpdateLastLoginAt {
-
-    @Test
-    @DisplayName("updates last login timestamp")
-    void updatesTimestamp() {
-
-      // There is a timestamp precision issue in Java/PostgreSQL tests
-      // PostgreSQL's timestamp type stores microsecond precision, but Java's LocalDateTime.now()
-      // has nanosecond precision. The nanoseconds get truncated when stored, causing isEqualTo()
-      // to fail.
-      LocalDateTime loginTime = LocalDateTime.now().truncatedTo(ChronoUnit.MICROS);
-
-      int updated = userRepository.updateLastLoginAt(testUser.getId(), loginTime);
-
-      assertThat(updated).isEqualTo(1);
-
-      // Verify the update
-      entityManager.clear(); // Clear cache to force fresh read
-      User refreshed = userRepository.findById(testUser.getId()).orElseThrow();
-      assertThat(refreshed.getLastLoginAt()).isEqualTo(loginTime);
-    }
-
-    @Test
-    @DisplayName("returns zero for non-existent user")
-    void returnsZeroForNonExistentUser() {
-      int updated = userRepository.updateLastLoginAt(UUID.randomUUID(), LocalDateTime.now());
-
-      assertThat(updated).isEqualTo(0);
-    }
-  }
-}
diff --git a/src/test/java/org/nkcoder/service/AuthServiceTest.java b/src/test/java/org/nkcoder/service/AuthServiceTest.java
deleted file mode 100644
index 67a32cf..0000000
--- a/src/test/java/org/nkcoder/service/AuthServiceTest.java
+++ /dev/null
@@ -1,392 +0,0 @@
-package org.nkcoder.service;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.argThat;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwtException;
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.*;
-import org.nkcoder.config.JwtProperties;
-import org.nkcoder.dto.auth.AuthResponse;
-import org.nkcoder.dto.auth.LoginRequest;
-import org.nkcoder.dto.auth.RegisterRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.entity.RefreshToken;
-import org.nkcoder.entity.User;
-import org.nkcoder.entity.UserTestFactory;
-import org.nkcoder.enums.Role;
-import org.nkcoder.exception.AuthenticationException;
-import org.nkcoder.exception.ValidationException;
-import org.nkcoder.mapper.UserMapper;
-import org.nkcoder.repository.RefreshTokenRepository;
-import org.nkcoder.repository.UserRepository;
-import org.nkcoder.util.JwtUtil;
-import org.springframework.security.crypto.password.PasswordEncoder;
-
-class AuthServiceTest {
-
-  @Mock private UserRepository userRepository;
-
-  @Mock private RefreshTokenRepository refreshTokenRepository;
-
-  @Mock private PasswordEncoder passwordEncoder;
-
-  @Mock private JwtUtil jwtUtil;
-
-  @Mock private JwtProperties jwtProperties;
-
-  @Mock private UserMapper userMapper;
-
-  @InjectMocks private AuthService authService;
-
-  @Captor private ArgumentCaptor<RefreshToken> refreshTokenCaptor;
-
-  private final UUID userId = UUID.randomUUID();
-  private final String email = "test@example.com";
-  private final String password = "password";
-  private final String encodedPassword = "encodedPassword";
-  private final String name = "Test User";
-  private final Role role = Role.MEMBER;
-  private final String accessToken = "access.token";
-  private final String refreshToken = "refresh.token";
-  private final String tokenFamily = "token-family";
-  private final LocalDateTime expiresAt = LocalDateTime.now().plusDays(7);
-  private final LocalDateTime now = LocalDateTime.now();
-
-  @BeforeEach
-  void setUp() {
-    MockitoAnnotations.openMocks(this);
-    JwtProperties.Expiration expiration = new JwtProperties.Expiration("7m", "30m");
-    when(jwtProperties.expiration()).thenReturn(expiration);
-    when(jwtUtil.getTokenExpiry(anyString())).thenReturn(expiresAt);
-  }
-
-  @Test
-  void register_success() {
-    RegisterRequest request = new RegisterRequest(email, password, name, role);
-    User user =
-        UserTestFactory.aUser()
-            .withId(userId)
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse = new UserResponse(userId, email, name, role, false, now, now, now);
-
-    when(userRepository.existsByEmail(email.toLowerCase())).thenReturn(false);
-    when(passwordEncoder.encode(password)).thenReturn(encodedPassword);
-    when(userRepository.save(any(User.class))).thenReturn(user);
-    when(jwtUtil.generateAccessToken(userId, email, role)).thenReturn(accessToken);
-    when(jwtUtil.generateRefreshToken(eq(userId), anyString())).thenReturn(refreshToken);
-    when(userMapper.toResponseOrThrow(user)).thenReturn(userResponse);
-
-    AuthResponse response = authService.register(request);
-
-    assertEquals(userResponse, response.user());
-    assertEquals(accessToken, response.tokens().accessToken());
-    assertEquals(refreshToken, response.tokens().refreshToken());
-    verify(refreshTokenRepository).save(any(RefreshToken.class));
-    verify(userRepository)
-        .save(
-            argThat(
-                u ->
-                    u.getEmail().equals(email.toLowerCase())
-                        && u.getName().equals(name)
-                        && u.getRole().equals(role)));
-  }
-
-  @Test
-  void register_userAlreadyExists_throws() {
-    RegisterRequest request = new RegisterRequest(email, password, name, role);
-    when(userRepository.existsByEmail(email.toLowerCase())).thenReturn(true);
-
-    ValidationException exception =
-        assertThrows(ValidationException.class, () -> authService.register(request));
-
-    assertEquals("User already exists", exception.getMessage());
-    verify(userRepository, never()).save(any());
-    verify(refreshTokenRepository, never()).save(any());
-  }
-
-  @Test
-  void login_success() {
-    LoginRequest request = new LoginRequest(email, password);
-    User user =
-        UserTestFactory.aUser()
-            .withId(userId)
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse = new UserResponse(userId, email, name, role, false, now, now, now);
-
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.of(user));
-    when(passwordEncoder.matches(password, encodedPassword)).thenReturn(true);
-    when(jwtUtil.generateAccessToken(userId, email, role)).thenReturn(accessToken);
-    when(jwtUtil.generateRefreshToken(eq(userId), anyString())).thenReturn(refreshToken);
-    when(userMapper.toResponseOrThrow(user)).thenReturn(userResponse);
-
-    AuthResponse response = authService.login(request);
-
-    assertEquals(userResponse, response.user());
-    assertEquals(accessToken, response.tokens().accessToken());
-    assertEquals(refreshToken, response.tokens().refreshToken());
-    verify(refreshTokenRepository).save(any(RefreshToken.class));
-  }
-
-  @Test
-  void login_invalidEmail_throws() {
-    LoginRequest request = new LoginRequest(email, password);
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.empty());
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.login(request));
-
-    assertEquals("Invalid email or password", exception.getMessage());
-    verify(userRepository, never()).updateLastLoginAt(any(), any());
-  }
-
-  @Test
-  void login_invalidPassword_throws() {
-    LoginRequest request = new LoginRequest(email, password);
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(password)
-            .withName(name)
-            .withRole(role)
-            .build();
-
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.of(user));
-    when(passwordEncoder.matches(password, encodedPassword)).thenReturn(false);
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.login(request));
-
-    assertEquals("Invalid email or password", exception.getMessage());
-    verify(userRepository, never()).updateLastLoginAt(any(), any());
-  }
-
-  @Test
-  void refreshTokens_success() {
-    Claims claims = mock(Claims.class);
-    when(claims.getSubject()).thenReturn(userId.toString());
-    when(claims.get("tokenFamily", String.class)).thenReturn(tokenFamily);
-
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenReturn(claims);
-
-    RefreshToken storedToken = mock(RefreshToken.class);
-    when(refreshTokenRepository.findByTokenForUpdate(refreshToken))
-        .thenReturn(Optional.of(storedToken));
-    when(storedToken.isExpired()).thenReturn(false);
-    when(storedToken.getTokenFamily()).thenReturn(tokenFamily);
-
-    User user =
-        UserTestFactory.aUser()
-            .withId(userId)
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(jwtUtil.generateAccessToken(userId, email, role)).thenReturn(accessToken);
-    when(jwtUtil.generateRefreshToken(userId, tokenFamily)).thenReturn("new.refresh.token");
-    UserResponse userResponse = new UserResponse(userId, email, name, role, false, now, now, now);
-    when(userMapper.toResponseOrThrow(user)).thenReturn(userResponse);
-
-    AuthResponse response = authService.refreshTokens(refreshToken);
-
-    assertEquals(userResponse, response.user());
-    assertEquals(accessToken, response.tokens().accessToken());
-    assertEquals("new.refresh.token", response.tokens().refreshToken());
-    verify(refreshTokenRepository).deleteByToken(refreshToken);
-    verify(refreshTokenRepository).save(any(RefreshToken.class));
-  }
-
-  @Test
-  void refreshTokens_expiredToken_throws() {
-    Claims claims = mock(Claims.class);
-    when(claims.getSubject()).thenReturn(userId.toString());
-    when(claims.get("tokenFamily", String.class)).thenReturn(tokenFamily);
-
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenReturn(claims);
-
-    RefreshToken storedToken = mock(RefreshToken.class);
-    when(refreshTokenRepository.findByTokenForUpdate(refreshToken))
-        .thenReturn(Optional.of(storedToken));
-    when(storedToken.isExpired()).thenReturn(true);
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.refreshTokens(refreshToken));
-
-    assertEquals("Refresh token expired", exception.getMessage());
-    verify(refreshTokenRepository).deleteByToken(refreshToken);
-    verify(refreshTokenRepository, never()).save(any());
-  }
-
-  @Test
-  void refreshTokens_invalidToken_throwsAndDeletesFamily() {
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenThrow(new JwtException("Invalid token"));
-    RefreshToken storedToken = new RefreshToken(refreshToken, tokenFamily, userId, expiresAt);
-    when(refreshTokenRepository.findByToken(refreshToken)).thenReturn(Optional.of(storedToken));
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.refreshTokens(refreshToken));
-
-    assertEquals("Invalid refresh token", exception.getMessage());
-    verify(refreshTokenRepository).deleteByTokenFamily(tokenFamily);
-  }
-
-  @Test
-  void refreshTokens_invalidToken_noStoredToken_throws() {
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenThrow(new JwtException("Invalid token"));
-    when(refreshTokenRepository.findByToken(refreshToken)).thenReturn(Optional.empty());
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.refreshTokens(refreshToken));
-
-    assertEquals("Invalid refresh token", exception.getMessage());
-    verify(refreshTokenRepository, never()).deleteByTokenFamily(any());
-  }
-
-  @Test
-  void refreshTokens_tokenNotFound_throws() {
-    Claims claims = mock(Claims.class);
-    when(claims.getSubject()).thenReturn(userId.toString());
-    when(claims.get("tokenFamily", String.class)).thenReturn(tokenFamily);
-
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenReturn(claims);
-    when(refreshTokenRepository.findByTokenForUpdate(refreshToken)).thenReturn(Optional.empty());
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.refreshTokens(refreshToken));
-
-    assertEquals("Invalid refresh token", exception.getMessage());
-    verify(refreshTokenRepository, never()).save(any());
-  }
-
-  @Test
-  void refreshTokens_userNotFound_throws() {
-    Claims claims = mock(Claims.class);
-    when(claims.getSubject()).thenReturn(userId.toString());
-    when(claims.get("tokenFamily", String.class)).thenReturn(tokenFamily);
-
-    when(jwtUtil.validateRefreshToken(refreshToken)).thenReturn(claims);
-
-    RefreshToken storedToken = mock(RefreshToken.class);
-    when(refreshTokenRepository.findByTokenForUpdate(refreshToken))
-        .thenReturn(Optional.of(storedToken));
-    when(storedToken.isExpired()).thenReturn(false);
-
-    when(userRepository.findById(userId)).thenReturn(Optional.empty());
-
-    AuthenticationException exception =
-        assertThrows(AuthenticationException.class, () -> authService.refreshTokens(refreshToken));
-
-    assertEquals("User not found", exception.getMessage());
-  }
-
-  @Test
-  void logout_deletesTokenFamily() {
-    RefreshToken storedToken = new RefreshToken(refreshToken, tokenFamily, userId, expiresAt);
-    when(refreshTokenRepository.findByToken(refreshToken)).thenReturn(Optional.of(storedToken));
-
-    authService.logout(refreshToken);
-
-    verify(refreshTokenRepository).deleteByTokenFamily(tokenFamily);
-  }
-
-  @Test
-  void logout_noToken_noop() {
-    when(refreshTokenRepository.findByToken(refreshToken)).thenReturn(Optional.empty());
-
-    authService.logout(refreshToken);
-
-    verify(refreshTokenRepository, never()).deleteByTokenFamily(any());
-  }
-
-  @Test
-  void logoutSingle_deletesSingleToken() {
-    authService.logoutSingle(refreshToken);
-    verify(refreshTokenRepository).deleteByToken(refreshToken);
-  }
-
-  @Test
-  void cleanupExpiredTokens_deletesExpired() {
-    authService.cleanupExpiredTokens();
-    verify(refreshTokenRepository).deleteExpiredTokens(any(LocalDateTime.class));
-  }
-
-  @Test
-  void login_caseInsensitiveEmail() {
-    String upperCaseEmail = "TEST@EXAMPLE.COM";
-    LoginRequest request = new LoginRequest(upperCaseEmail, password);
-    User user =
-        UserTestFactory.aUser()
-            .withId(userId)
-            .withEmail(email.toLowerCase())
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse =
-        new UserResponse(userId, email.toLowerCase(), name, role, false, now, now, now);
-
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.of(user));
-    when(passwordEncoder.matches(password, encodedPassword)).thenReturn(true);
-    when(jwtUtil.generateAccessToken(userId, email.toLowerCase(), role)).thenReturn(accessToken);
-    when(jwtUtil.generateRefreshToken(eq(userId), anyString())).thenReturn(refreshToken);
-    when(userMapper.toResponse(user)).thenReturn(Optional.of(userResponse));
-
-    AuthResponse response = authService.login(request);
-
-    assertNotNull(response);
-    verify(userRepository).findByEmail(email.toLowerCase());
-  }
-
-  @Test
-  void register_caseInsensitiveEmail() {
-    String upperCaseEmail = "TEST@EXAMPLE.COM";
-    RegisterRequest request = new RegisterRequest(upperCaseEmail, password, name, role);
-    User user =
-        UserTestFactory.aUser()
-            .withId(userId)
-            .withEmail(email.toLowerCase())
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse =
-        new UserResponse(userId, email.toLowerCase(), name, role, false, now, now, now);
-
-    when(userRepository.existsByEmail(email.toLowerCase())).thenReturn(false);
-    when(passwordEncoder.encode(password)).thenReturn(encodedPassword);
-    when(userRepository.save(any(User.class))).thenReturn(user);
-    when(jwtUtil.generateAccessToken(userId, email.toLowerCase(), role)).thenReturn(accessToken);
-    when(jwtUtil.generateRefreshToken(eq(userId), anyString())).thenReturn(refreshToken);
-    when(userMapper.toResponse(user)).thenReturn(Optional.of(userResponse));
-
-    AuthResponse response = authService.register(request);
-
-    assertNotNull(response);
-    verify(userRepository).existsByEmail(email.toLowerCase());
-    verify(userRepository).save(argThat(u -> u.getEmail().equals(email.toLowerCase())));
-  }
-}
diff --git a/src/test/java/org/nkcoder/service/UserServiceTest.java b/src/test/java/org/nkcoder/service/UserServiceTest.java
deleted file mode 100644
index 0e28a1d..0000000
--- a/src/test/java/org/nkcoder/service/UserServiceTest.java
+++ /dev/null
@@ -1,295 +0,0 @@
-package org.nkcoder.service;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.argThat;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.time.LocalDateTime;
-import java.util.Optional;
-import java.util.UUID;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
-import org.nkcoder.dto.user.ChangePasswordRequest;
-import org.nkcoder.dto.user.UpdateProfileRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.entity.User;
-import org.nkcoder.entity.UserTestFactory;
-import org.nkcoder.enums.Role;
-import org.nkcoder.exception.ResourceNotFoundException;
-import org.nkcoder.exception.ValidationException;
-import org.nkcoder.mapper.UserMapper;
-import org.nkcoder.repository.UserRepository;
-import org.springframework.security.crypto.password.PasswordEncoder;
-
-class UserServiceTest {
-
-  @Mock private UserRepository userRepository;
-
-  @Mock private PasswordEncoder passwordEncoder;
-
-  @Mock private UserMapper userMapper;
-
-  @InjectMocks private UserService userService;
-
-  private final UUID userId = UUID.randomUUID();
-  private final String email = "user@example.com";
-  private final String name = "User Name";
-  private final String encodedPassword = "encodedPassword";
-  private final Role role = Role.MEMBER;
-  private final LocalDateTime now = LocalDateTime.now();
-
-  AutoCloseable closeable;
-
-  @BeforeEach
-  void setUp() {
-    closeable = MockitoAnnotations.openMocks(this);
-  }
-
-  @AfterEach
-  void tearDown() throws Exception {
-    closeable.close();
-  }
-
-  @Test
-  void findById_success() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse = new UserResponse(userId, email, name, role, false, now, now, now);
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(userMapper.toResponse(user)).thenReturn(Optional.of(userResponse));
-
-    UserResponse result = userService.findById(userId);
-
-    assertEquals(userResponse, result);
-    verify(userRepository).findById(userId);
-    verify(userMapper).toResponse(user);
-  }
-
-  @Test
-  void findById_notFound_throws() {
-    when(userRepository.findById(userId)).thenReturn(Optional.empty());
-    assertThrows(ResourceNotFoundException.class, () -> userService.findById(userId));
-  }
-
-  @Test
-  void findByEmail_success() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UserResponse userResponse = new UserResponse(userId, email, name, role, false, now, now, now);
-
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.of(user));
-    when(userMapper.toResponse(user)).thenReturn(Optional.of(userResponse));
-
-    UserResponse result = userService.findByEmail(email);
-
-    assertEquals(userResponse, result);
-    verify(userRepository).findByEmail(email.toLowerCase());
-    verify(userMapper).toResponse(user);
-  }
-
-  @Test
-  void findByEmail_notFound_throws() {
-    when(userRepository.findByEmail(email.toLowerCase())).thenReturn(Optional.empty());
-    assertThrows(ResourceNotFoundException.class, () -> userService.findByEmail(email));
-  }
-
-  @Test
-  void updateProfile_success_updateNameAndEmail() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UpdateProfileRequest request = new UpdateProfileRequest("new@example.com", "New Name");
-    User updatedUser =
-        UserTestFactory.aUser()
-            .withEmail("new@example.com")
-            .withPassword(encodedPassword)
-            .withName("New Name")
-            .withRole(role)
-            .build();
-    UserResponse userResponse =
-        new UserResponse(userId, "new@example.com", "New Name", role, false, now, now, now);
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(userRepository.existsByEmail("new@example.com")).thenReturn(false);
-    when(userRepository.save(any(User.class))).thenReturn(updatedUser);
-    when(userMapper.toResponseOrThrow(updatedUser)).thenReturn(userResponse);
-
-    UserResponse result = userService.updateProfile(userId, request);
-
-    assertEquals(userResponse, result);
-    verify(userRepository).findById(userId);
-    verify(userRepository).existsByEmail("new@example.com");
-    verify(userRepository).save(any(User.class));
-    verify(userMapper).toResponseOrThrow(updatedUser);
-  }
-
-  @Test
-  void updateProfile_emailExists_throws() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UpdateProfileRequest request = new UpdateProfileRequest("existing@example.com", "New Name");
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(userRepository.existsByEmail("existing@example.com")).thenReturn(true);
-
-    assertThrows(ValidationException.class, () -> userService.updateProfile(userId, request));
-  }
-
-  @Test
-  void updateProfile_updateNameOnly() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    UpdateProfileRequest request = new UpdateProfileRequest(null, "Updated Name");
-    User updatedUser =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName("Updated Name")
-            .withRole(role)
-            .build();
-    UserResponse userResponse =
-        new UserResponse(userId, email, "Updated Name", role, false, now, now, now);
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(userRepository.save(any(User.class))).thenReturn(updatedUser);
-    when(userMapper.toResponseOrThrow(updatedUser)).thenReturn(userResponse);
-
-    UserResponse result = userService.updateProfile(userId, request);
-
-    assertEquals(userResponse, result);
-    verify(userRepository).save(any(User.class));
-    verify(userMapper).toResponseOrThrow(updatedUser);
-  }
-
-  @Test
-  void updateProfile_userNotFound_throws() {
-    UpdateProfileRequest request = new UpdateProfileRequest("new@example.com", "New Name");
-    when(userRepository.findById(userId)).thenReturn(Optional.empty());
-    assertThrows(ResourceNotFoundException.class, () -> userService.updateProfile(userId, request));
-  }
-
-  @Test
-  void changePassword_success() {
-    ChangePasswordRequest request = new ChangePasswordRequest("oldPass", "newPass", "newPass");
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(passwordEncoder.matches("oldPass", encodedPassword)).thenReturn(true);
-    when(passwordEncoder.encode("newPass")).thenReturn("encodedNewPass");
-
-    userService.changePassword(userId, request);
-
-    verify(userRepository).save(argThat(u -> u.getPassword().equals("encodedNewPass")));
-  }
-
-  @Test
-  void changePassword_currentPasswordsDoNotMatch_throws() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-
-    ChangePasswordRequest request = new ChangePasswordRequest("oldPass", "newPass", "different");
-    assertThrows(ValidationException.class, () -> userService.changePassword(userId, request));
-  }
-
-  @Test
-  void changePassword_userNotFound_throws() {
-    ChangePasswordRequest request = new ChangePasswordRequest("oldPass", "newPass", "newPass");
-    when(userRepository.findById(userId)).thenReturn(Optional.empty());
-    assertThrows(
-        ResourceNotFoundException.class, () -> userService.changePassword(userId, request));
-  }
-
-  @Test
-  void changePassword_currentPasswordIncorrect_throws() {
-    ChangePasswordRequest request = new ChangePasswordRequest("oldPass", "newPass", "newPass");
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(passwordEncoder.matches("oldPass", encodedPassword)).thenReturn(false);
-
-    assertThrows(ValidationException.class, () -> userService.changePassword(userId, request));
-  }
-
-  @Test
-  void updateLastLogin_success() {
-    userService.updateLastLogin(userId);
-    verify(userRepository).updateLastLoginAt(eq(userId), any(LocalDateTime.class));
-  }
-
-  @Test
-  void changeUserPassword_success() {
-    User user =
-        UserTestFactory.aUser()
-            .withEmail(email)
-            .withPassword(encodedPassword)
-            .withName(name)
-            .withRole(role)
-            .build();
-
-    when(userRepository.findById(userId)).thenReturn(Optional.of(user));
-    when(passwordEncoder.encode("adminNewPass")).thenReturn("encodedAdminPass");
-
-    userService.changeUserPassword(userId, "adminNewPass");
-
-    verify(userRepository).save(argThat(u -> u.getPassword().equals("encodedAdminPass")));
-  }
-
-  @Test
-  void changeUserPassword_userNotFound_throws() {
-    when(userRepository.findById(userId)).thenReturn(Optional.empty());
-    assertThrows(
-        ResourceNotFoundException.class,
-        () -> userService.changeUserPassword(userId, "adminNewPass"));
-  }
-}

From 0ca33d41f832f74c7df276fa7dfa2efbe897950f Mon Sep 17 00:00:00 2001
From: Daniel <daniel.guo@vivalabs.com.au>
Date: Mon, 8 Dec 2025 12:43:36 +1100
Subject: [PATCH 2/3] Fix test coverage

---
 auto/test                                     |   2 +-
 build.gradle.kts                              |  63 +++-
 .../service/UserCommandServiceTest.java       | 274 ++++++++++++++++++
 .../service/UserQueryServiceTest.java         | 145 +++++++++
 4 files changed, 470 insertions(+), 14 deletions(-)
 create mode 100644 src/test/java/org/nkcoder/user/application/service/UserCommandServiceTest.java
 create mode 100644 src/test/java/org/nkcoder/user/application/service/UserQueryServiceTest.java

diff --git a/auto/test b/auto/test
index dbd8523..9f8b76f 100755
--- a/auto/test
+++ b/auto/test
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 
 export SPRING_PROFILES_ACTIVE=test
-./gradlew test --stacktrace
\ No newline at end of file
+./gradlew test --stacktrace jacocoTestCoverageVerification
\ No newline at end of file
diff --git a/build.gradle.kts b/build.gradle.kts
index b62207b..2dca9f2 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -201,14 +201,31 @@ tasks.jacocoTestReport {
         files(classDirectories.files.map {
             fileTree(it) {
                 exclude(
-                    "**/config/**",
+                    // Infrastructure - config and cross-cutting concerns
+                    "**/infrastructure/config/**",
+                    "**/infrastructure/security/**",
+                    "**/infrastructure/resolver/**",
+                    "**/infrastructure/persistence/**",
+                    "**/infrastructure/adapter/**",
+                    // DTOs, requests, responses, mappers (data carriers)
                     "**/dto/**",
-                    "**/enums/**",
-                    "**/exceptions/**",
+                    "**/request/**",
+                    "**/response/**",
+                    "**/mapper/**",
+                    // Domain value objects and events
+                    "**/domain/model/*Id.class",
+                    "**/domain/model/*Name.class",
+                    "**/domain/model/*Role.class",
+                    "**/domain/event/**",
+                    // Shared kernel and local utilities
+                    "**/shared/**",
+                    // Interfaces layer (controllers, REST)
+                    "**/interfaces/rest/**",
+                    "**/interfaces/grpc/**",
+                    // Application entry point
                     "**/*Application*",
-                    // gRPC generated code exclusions
-                    "**/grpc/**",
-                    "**/proto/**",              // Proto-related generated classes
+                    // Generated code
+                    "**/proto/**",
                     "**/generated/**"
                 )
             }
@@ -225,24 +242,44 @@ tasks.jacocoTestCoverageVerification {
         }
         rule {
             element = "CLASS"
-            includes = listOf("org.nkcoder.service.*")
+            includes = listOf(
+                "org.nkcoder.auth.application.service.*",
+                "org.nkcoder.user.application.service.*"
+            )
             limit {
                 minimum = "0.80".toBigDecimal()
             }
         }
         classDirectories.setFrom(
-            // Same exclusions for verification
+            // Same exclusions as jacocoTestReport
             files(classDirectories.files.map {
                 fileTree(it) {
                     exclude(
-                        "**/config/**",
+                        // Infrastructure - config and cross-cutting concerns
+                        "**/infrastructure/config/**",
+                        "**/infrastructure/security/**",
+                        "**/infrastructure/resolver/**",
+                        "**/infrastructure/persistence/**",
+                        "**/infrastructure/adapter/**",
+                        // DTOs, requests, responses, mappers (data carriers)
                         "**/dto/**",
-                        "**/enums/**",
-                        "**/exception/**",
+                        "**/request/**",
+                        "**/response/**",
+                        "**/mapper/**",
+                        // Domain value objects and events
+                        "**/domain/model/*Id.class",
+                        "**/domain/model/*Name.class",
+                        "**/domain/model/*Role.class",
+                        "**/domain/event/**",
+                        // Shared kernel and local utilities
+                        "**/shared/**",
+                        // Interfaces layer (controllers, REST)
+                        "**/interfaces/rest/**",
+                        "**/interfaces/grpc/**",
+                        // Application entry point
                         "**/*Application*",
-
+                        // Generated code
                         "**/proto/**",
-                        "**/grpc/**",
                         "**/generated/**"
                     )
                 }
diff --git a/src/test/java/org/nkcoder/user/application/service/UserCommandServiceTest.java b/src/test/java/org/nkcoder/user/application/service/UserCommandServiceTest.java
new file mode 100644
index 0000000..a7b6087
--- /dev/null
+++ b/src/test/java/org/nkcoder/user/application/service/UserCommandServiceTest.java
@@ -0,0 +1,274 @@
+package org.nkcoder.user.application.service;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+
+import java.time.LocalDateTime;
+import java.util.Optional;
+import java.util.UUID;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.nkcoder.shared.kernel.domain.event.DomainEventPublisher;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.shared.kernel.exception.ValidationException;
+import org.nkcoder.user.application.dto.command.AdminResetPasswordCommand;
+import org.nkcoder.user.application.dto.command.AdminUpdateUserCommand;
+import org.nkcoder.user.application.dto.command.ChangePasswordCommand;
+import org.nkcoder.user.application.dto.command.UpdateProfileCommand;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.application.port.AuthContextPort;
+import org.nkcoder.user.domain.event.UserProfileUpdatedEvent;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+import org.nkcoder.user.domain.model.UserRole;
+import org.nkcoder.user.domain.repository.UserRepository;
+
+@ExtendWith(MockitoExtension.class)
+@DisplayName("UserCommandService")
+class UserCommandServiceTest {
+
+  @Mock private UserRepository userRepository;
+  @Mock private AuthContextPort authContextPort;
+  @Mock private DomainEventPublisher eventPublisher;
+
+  private UserCommandService userCommandService;
+
+  @BeforeEach
+  void setUp() {
+    userCommandService = new UserCommandService(userRepository, authContextPort, eventPublisher);
+  }
+
+  private User createTestUser(UUID userId, String email, String name) {
+    return User.reconstitute(
+        UserId.of(userId),
+        Email.of(email),
+        UserName.of(name),
+        UserRole.MEMBER,
+        false,
+        LocalDateTime.now(),
+        LocalDateTime.now(),
+        LocalDateTime.now());
+  }
+
+  @Nested
+  @DisplayName("updateProfile")
+  class UpdateProfile {
+
+    @Test
+    @DisplayName("updates profile successfully")
+    void updatesProfileSuccessfully() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "test@example.com", "Old Name");
+      UpdateProfileCommand command = new UpdateProfileCommand(userId, "New Name");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.save(any(User.class))).willReturn(user);
+
+      UserDto result = userCommandService.updateProfile(command);
+
+      assertThat(result.name()).isEqualTo("New Name");
+      verify(eventPublisher).publish(any(UserProfileUpdatedEvent.class));
+    }
+
+    @Test
+    @DisplayName("throws ResourceNotFoundException when user not found")
+    void throwsWhenUserNotFound() {
+      UUID userId = UUID.randomUUID();
+      UpdateProfileCommand command = new UpdateProfileCommand(userId, "New Name");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.empty());
+
+      assertThatThrownBy(() -> userCommandService.updateProfile(command))
+          .isInstanceOf(ResourceNotFoundException.class)
+          .hasMessageContaining("User not found");
+    }
+  }
+
+  @Nested
+  @DisplayName("changePassword")
+  class ChangePassword {
+
+    @Test
+    @DisplayName("changes password successfully")
+    void changesPasswordSuccessfully() {
+      UUID userId = UUID.randomUUID();
+      ChangePasswordCommand command = new ChangePasswordCommand(userId, "oldPass", "newPass");
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(true);
+      given(authContextPort.verifyPassword(eq(userId), eq("oldPass"))).willReturn(true);
+
+      userCommandService.changePassword(command);
+
+      verify(authContextPort).changePassword(eq(userId), eq("newPass"));
+    }
+
+    @Test
+    @DisplayName("throws ResourceNotFoundException when user not found")
+    void throwsWhenUserNotFound() {
+      UUID userId = UUID.randomUUID();
+      ChangePasswordCommand command = new ChangePasswordCommand(userId, "oldPass", "newPass");
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(false);
+
+      assertThatThrownBy(() -> userCommandService.changePassword(command))
+          .isInstanceOf(ResourceNotFoundException.class)
+          .hasMessageContaining("User not found");
+    }
+
+    @Test
+    @DisplayName("throws ValidationException when current password is incorrect")
+    void throwsWhenCurrentPasswordIncorrect() {
+      UUID userId = UUID.randomUUID();
+      ChangePasswordCommand command = new ChangePasswordCommand(userId, "wrongPass", "newPass");
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(true);
+      given(authContextPort.verifyPassword(eq(userId), eq("wrongPass"))).willReturn(false);
+
+      assertThatThrownBy(() -> userCommandService.changePassword(command))
+          .isInstanceOf(ValidationException.class)
+          .hasMessageContaining("Current password is incorrect");
+
+      verify(authContextPort, never()).changePassword(any(), any());
+    }
+  }
+
+  @Nested
+  @DisplayName("adminUpdateUser")
+  class AdminUpdateUser {
+
+    @Test
+    @DisplayName("updates user name successfully")
+    void updatesUserNameSuccessfully() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "test@example.com", "Old Name");
+      AdminUpdateUserCommand command = new AdminUpdateUserCommand(userId, "New Name", null);
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.save(any(User.class))).willReturn(user);
+
+      UserDto result = userCommandService.adminUpdateUser(command);
+
+      assertThat(result.name()).isEqualTo("New Name");
+    }
+
+    @Test
+    @DisplayName("updates user email successfully")
+    void updatesUserEmailSuccessfully() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "old@example.com", "Test User");
+      AdminUpdateUserCommand command = new AdminUpdateUserCommand(userId, null, "new@example.com");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.existsByEmailExcludingId(any(Email.class), any(UserId.class)))
+          .willReturn(false);
+      given(userRepository.save(any(User.class))).willReturn(user);
+
+      UserDto result = userCommandService.adminUpdateUser(command);
+
+      assertThat(result.email()).isEqualTo("new@example.com");
+    }
+
+    @Test
+    @DisplayName("throws ValidationException when email already in use")
+    void throwsWhenEmailAlreadyInUse() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "old@example.com", "Test User");
+      AdminUpdateUserCommand command =
+          new AdminUpdateUserCommand(userId, null, "taken@example.com");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.existsByEmailExcludingId(any(Email.class), any(UserId.class)))
+          .willReturn(true);
+
+      assertThatThrownBy(() -> userCommandService.adminUpdateUser(command))
+          .isInstanceOf(ValidationException.class)
+          .hasMessageContaining("Email already in use");
+    }
+
+    @Test
+    @DisplayName("throws ResourceNotFoundException when user not found")
+    void throwsWhenUserNotFound() {
+      UUID userId = UUID.randomUUID();
+      AdminUpdateUserCommand command = new AdminUpdateUserCommand(userId, "Name", null);
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.empty());
+
+      assertThatThrownBy(() -> userCommandService.adminUpdateUser(command))
+          .isInstanceOf(ResourceNotFoundException.class)
+          .hasMessageContaining("User not found");
+    }
+
+    @Test
+    @DisplayName("skips name update when name is blank")
+    void skipsNameUpdateWhenBlank() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "test@example.com", "Original Name");
+      AdminUpdateUserCommand command = new AdminUpdateUserCommand(userId, "  ", null);
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.save(any(User.class))).willReturn(user);
+
+      UserDto result = userCommandService.adminUpdateUser(command);
+
+      assertThat(result.name()).isEqualTo("Original Name");
+    }
+
+    @Test
+    @DisplayName("skips email update when email is blank")
+    void skipsEmailUpdateWhenBlank() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "original@example.com", "Test User");
+      AdminUpdateUserCommand command = new AdminUpdateUserCommand(userId, null, "  ");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+      given(userRepository.save(any(User.class))).willReturn(user);
+
+      UserDto result = userCommandService.adminUpdateUser(command);
+
+      assertThat(result.email()).isEqualTo("original@example.com");
+    }
+  }
+
+  @Nested
+  @DisplayName("adminResetPassword")
+  class AdminResetPassword {
+
+    @Test
+    @DisplayName("resets password successfully")
+    void resetsPasswordSuccessfully() {
+      UUID userId = UUID.randomUUID();
+      AdminResetPasswordCommand command = new AdminResetPasswordCommand(userId, "newPassword");
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(true);
+
+      userCommandService.adminResetPassword(command);
+
+      verify(authContextPort).changePassword(eq(userId), eq("newPassword"));
+    }
+
+    @Test
+    @DisplayName("throws ResourceNotFoundException when user not found")
+    void throwsWhenUserNotFound() {
+      UUID userId = UUID.randomUUID();
+      AdminResetPasswordCommand command = new AdminResetPasswordCommand(userId, "newPassword");
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(false);
+
+      assertThatThrownBy(() -> userCommandService.adminResetPassword(command))
+          .isInstanceOf(ResourceNotFoundException.class)
+          .hasMessageContaining("User not found");
+    }
+  }
+}
diff --git a/src/test/java/org/nkcoder/user/application/service/UserQueryServiceTest.java b/src/test/java/org/nkcoder/user/application/service/UserQueryServiceTest.java
new file mode 100644
index 0000000..7d84793
--- /dev/null
+++ b/src/test/java/org/nkcoder/user/application/service/UserQueryServiceTest.java
@@ -0,0 +1,145 @@
+package org.nkcoder.user.application.service;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.nkcoder.shared.kernel.domain.valueobject.Email;
+import org.nkcoder.shared.kernel.exception.ResourceNotFoundException;
+import org.nkcoder.user.application.dto.response.UserDto;
+import org.nkcoder.user.domain.model.User;
+import org.nkcoder.user.domain.model.UserId;
+import org.nkcoder.user.domain.model.UserName;
+import org.nkcoder.user.domain.model.UserRole;
+import org.nkcoder.user.domain.repository.UserRepository;
+
+@ExtendWith(MockitoExtension.class)
+@DisplayName("UserQueryService")
+class UserQueryServiceTest {
+
+  @Mock private UserRepository userRepository;
+
+  private UserQueryService userQueryService;
+
+  @BeforeEach
+  void setUp() {
+    userQueryService = new UserQueryService(userRepository);
+  }
+
+  private User createTestUser(UUID userId, String email, String name) {
+    return User.reconstitute(
+        UserId.of(userId),
+        Email.of(email),
+        UserName.of(name),
+        UserRole.MEMBER,
+        false,
+        LocalDateTime.now(),
+        LocalDateTime.now(),
+        LocalDateTime.now());
+  }
+
+  @Nested
+  @DisplayName("getUserById")
+  class GetUserById {
+
+    @Test
+    @DisplayName("returns user when found")
+    void returnsUserWhenFound() {
+      UUID userId = UUID.randomUUID();
+      User user = createTestUser(userId, "test@example.com", "Test User");
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.of(user));
+
+      UserDto result = userQueryService.getUserById(userId);
+
+      assertThat(result.id()).isEqualTo(userId);
+      assertThat(result.email()).isEqualTo("test@example.com");
+      assertThat(result.name()).isEqualTo("Test User");
+      assertThat(result.role()).isEqualTo("MEMBER");
+    }
+
+    @Test
+    @DisplayName("throws ResourceNotFoundException when user not found")
+    void throwsWhenUserNotFound() {
+      UUID userId = UUID.randomUUID();
+
+      given(userRepository.findById(any(UserId.class))).willReturn(Optional.empty());
+
+      assertThatThrownBy(() -> userQueryService.getUserById(userId))
+          .isInstanceOf(ResourceNotFoundException.class)
+          .hasMessageContaining("User not found");
+    }
+  }
+
+  @Nested
+  @DisplayName("getAllUsers")
+  class GetAllUsers {
+
+    @Test
+    @DisplayName("returns all users")
+    void returnsAllUsers() {
+      User user1 = createTestUser(UUID.randomUUID(), "user1@example.com", "User One");
+      User user2 = createTestUser(UUID.randomUUID(), "user2@example.com", "User Two");
+
+      given(userRepository.findAll()).willReturn(List.of(user1, user2));
+
+      List<UserDto> result = userQueryService.getAllUsers();
+
+      assertThat(result).hasSize(2);
+      assertThat(result)
+          .extracting(UserDto::email)
+          .containsExactly("user1@example.com", "user2@example.com");
+    }
+
+    @Test
+    @DisplayName("returns empty list when no users")
+    void returnsEmptyListWhenNoUsers() {
+      given(userRepository.findAll()).willReturn(List.of());
+
+      List<UserDto> result = userQueryService.getAllUsers();
+
+      assertThat(result).isEmpty();
+    }
+  }
+
+  @Nested
+  @DisplayName("userExists")
+  class UserExists {
+
+    @Test
+    @DisplayName("returns true when user exists")
+    void returnsTrueWhenUserExists() {
+      UUID userId = UUID.randomUUID();
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(true);
+
+      boolean result = userQueryService.userExists(userId);
+
+      assertThat(result).isTrue();
+    }
+
+    @Test
+    @DisplayName("returns false when user does not exist")
+    void returnsFalseWhenUserDoesNotExist() {
+      UUID userId = UUID.randomUUID();
+
+      given(userRepository.existsById(any(UserId.class))).willReturn(false);
+
+      boolean result = userQueryService.userExists(userId);
+
+      assertThat(result).isFalse();
+    }
+  }
+}

From 76ff072f88ee1f23a5ba12af517bec4a7be4da5a Mon Sep 17 00:00:00 2001
From: Daniel <daniel.guo@vivalabs.com.au>
Date: Mon, 8 Dec 2025 12:57:07 +1100
Subject: [PATCH 3/3] Resolve conflicts

---
 .../controller/AdminUserControllerTest.java   | 147 ------------------
 1 file changed, 147 deletions(-)
 delete mode 100644 src/test/java/org/nkcoder/controller/AdminUserControllerTest.java

diff --git a/src/test/java/org/nkcoder/controller/AdminUserControllerTest.java b/src/test/java/org/nkcoder/controller/AdminUserControllerTest.java
deleted file mode 100644
index e84aa87..0000000
--- a/src/test/java/org/nkcoder/controller/AdminUserControllerTest.java
+++ /dev/null
@@ -1,147 +0,0 @@
-package org.nkcoder.controller;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.verify;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
-import java.time.LocalDateTime;
-import java.util.UUID;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.nkcoder.dto.user.ChangePasswordRequest;
-import org.nkcoder.dto.user.UpdateProfileRequest;
-import org.nkcoder.dto.user.UserResponse;
-import org.nkcoder.enums.Role;
-import org.nkcoder.security.JwtAuthenticationFilter;
-import org.nkcoder.service.UserService;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.http.MediaType;
-import org.springframework.security.test.context.support.WithMockUser;
-import org.springframework.test.context.bean.override.mockito.MockitoBean;
-
-@DisplayName("AdminUserController tests")
-@WebMvcTest(
-    controllers = AdminUserController.class,
-    excludeAutoConfiguration = {SecurityAutoConfiguration.class},
-    excludeFilters = {
-      @ComponentScan.Filter(
-          type = FilterType.ASSIGNABLE_TYPE,
-          classes = {JwtAuthenticationFilter.class})
-    })
-class AdminUserControllerTest extends BaseControllerTest {
-
-  @MockitoBean private UserService userService;
-
-  private final UUID testUserId = UUID.randomUUID();
-  private final String testEmail = "test@example.com";
-
-  private UserResponse createTestUserResponse(UUID userId, String email, String name) {
-    return new UserResponse(
-        userId,
-        email,
-        name,
-        Role.MEMBER,
-        true,
-        LocalDateTime.now(),
-        LocalDateTime.now(),
-        LocalDateTime.now());
-  }
-
-  @Nested
-  @DisplayName("Admin User Management Tests")
-  @WithMockUser(roles = "ADMIN")
-  class AdminUserManagementTests {
-
-    @Test
-    @DisplayName("Should get user by ID as admin")
-    void shouldGetUserByIdAsAdmin() throws Exception {
-      // Given
-      UserResponse userResponse = createTestUserResponse(testUserId, testEmail, "Admin User");
-      given(userService.findById(testUserId)).willReturn(userResponse);
-
-      // When & Then
-      mockMvc
-          .perform(get("/api/admin/users/{userId}", testUserId))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("User retrieved successfully"))
-          .andExpect(jsonPath("$.data.id").value(testUserId.toString()))
-          .andExpect(jsonPath("$.data.email").value(testEmail));
-
-      verify(userService).findById(testUserId);
-    }
-
-    @Test
-    @DisplayName("Should update user as admin")
-    void shouldUpdateUserAsAdmin() throws Exception {
-      // Given
-      UpdateProfileRequest request = new UpdateProfileRequest("admin@example.com", "Admin Updated");
-      UserResponse updatedResponse =
-          createTestUserResponse(testUserId, "admin@example.com", "Admin Updated");
-
-      given(userService.updateProfile(eq(testUserId), any(UpdateProfileRequest.class)))
-          .willReturn(updatedResponse);
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/admin/users/{userId}", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("User updated successfully"))
-          .andExpect(jsonPath("$.data.email").value("admin@example.com"))
-          .andExpect(jsonPath("$.data.name").value("Admin Updated"));
-
-      verify(userService).updateProfile(eq(testUserId), any(UpdateProfileRequest.class));
-    }
-
-    @Test
-    @DisplayName("Should change user password as admin")
-    void shouldChangeUserPasswordAsAdmin() throws Exception {
-      // Given
-      ChangePasswordRequest request =
-          new ChangePasswordRequest(
-              "OldPassword123!",
-              "NewAdminPassword123!",
-              "NewAdminPassword123!"); // Only newPassword is used for admin
-      doNothing().when(userService).changeUserPassword(testUserId, "NewAdminPassword123!");
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/admin/users/{userId}/password", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isOk())
-          .andExpect(jsonPath("$.message").value("Password changed successfully"));
-
-      verify(userService).changeUserPassword(testUserId, "NewAdminPassword123!");
-    }
-
-    @Test
-    @DisplayName("Should return 400 when admin update request is invalid")
-    void shouldReturnBadRequestWhenAdminUpdateRequestIsInvalid() throws Exception {
-      // Given
-      UpdateProfileRequest request =
-          new UpdateProfileRequest("invalid-email", ""); // Invalid email and empty name
-
-      // When & Then
-      mockMvc
-          .perform(
-              patch("/api/admin/users/{userId}", testUserId)
-                  .contentType(MediaType.APPLICATION_JSON)
-                  .content(toJson(request)))
-          .andExpect(status().isBadRequest());
-    }
-  }
-}