@atscript/moost-db 0.1.54 → 0.1.56

package/dist/index.cjs

@@ -4,70 +4,7 @@ let _moostjs_event_http = require("@moostjs/event-http");
 let moost = require("moost");
 let _uniqu_url = require("@uniqu/url");
 let _atscript_db = require("@atscript/db");
-//#region src/decorators.ts
-/**
-* DI token under which the {@link AtscriptDbReadable} instance
-* is exposed to the readable controller's constructor via `@Inject`.
-*/
-const READABLE_DEF = "__atscript_db_readable_def";
-/**
-* DI token under which the {@link AtscriptDbTable} instance
-* is exposed to the controller's constructor via `@Inject`.
-* Points to the same token as READABLE_DEF for backward compatibility.
-*/
-const TABLE_DEF = READABLE_DEF;
-/**
-* Combines the boilerplate needed to turn an {@link AsDbController}
-* subclass into a fully wired HTTP controller for a given `@db.table` model.
-*
-* Internally applies three decorators:
-* 1. **Provide** — registers the table instance under {@link TABLE_DEF}.
-* 2. **Controller** — registers the class as a Moost HTTP controller
-*    with an optional route prefix. Defaults to `table.tableName`.
-* 3. **Inherit** — copies metadata (routes, guards, etc.) from the
-*    parent class so they stay active in the derived controller.
-*
-* @param table  The {@link AtscriptDbTable} instance for this controller.
-* @param prefix Optional route prefix. Defaults to `table.tableName`.
-*
-* @example
-* ```ts
-* ‎@TableController(usersTable)
-* export class UsersController extends AsDbController<typeof UserModel> {}
-* ```
-*/
-const TableController = (table, prefix) => {
-	const resolvedPath = prefix || table.type.metadata.get("db.http.path");
-	return (0, moost.ApplyDecorators)((0, moost.Provide)(TABLE_DEF, () => table), (0, moost.Controller)(resolvedPath || table.tableName), (0, moost.Inherit)());
-};
-/**
-* Combines the boilerplate needed to turn an {@link AsDbReadableController}
-* subclass into a fully wired HTTP controller for a given `@db.view` or `@db.table` model.
-*
-* @param readable  The {@link AtscriptDbReadable} instance (table or view).
-* @param prefix    Optional route prefix. Defaults to `readable.tableName`.
-*
-* @example
-* ```ts
-* ‎@ReadableController(activeTasksView)
-* export class ActiveTasksController extends AsDbReadableController<typeof ActiveTasks> {}
-* ```
-*/
-const ReadableController = (readable, prefix) => {
-	const resolvedPath = prefix || readable.type.metadata.get("db.http.path");
-	return (0, moost.ApplyDecorators)((0, moost.Provide)(READABLE_DEF, () => readable), (0, moost.Controller)(resolvedPath || readable.tableName), (0, moost.Inherit)());
-};
-/**
-* Alias for {@link ReadableController} — use with view-backed controllers.
-*
-* @example
-* ```ts
-* ‎@ViewController(activeTasksView)
-* export class ActiveTasksController extends AsDbReadableController<typeof ActiveTasks> {}
-* ```
-*/
-const ViewController = ReadableController;
-//#endregion
+let _wooksjs_http_body = require("@wooksjs/http-body");
 //#region src/validation-interceptor.ts
 const dbErrorCodeToStatus = { CONFLICT: 409 };
 function transformValidationError(error, reply) {
@@ -178,16 +115,265 @@ var SelectControlDto = class {
 (0, _atscript_typescript_utils.defineAnnotatedType)("object", SortControlDto).propPattern(/./, (0, _atscript_typescript_utils.defineAnnotatedType)("union").item((0, _atscript_typescript_utils.defineAnnotatedType)().designType("number").value(1).$type).item((0, _atscript_typescript_utils.defineAnnotatedType)().designType("number").value(-1).$type).$type);
 (0, _atscript_typescript_utils.defineAnnotatedType)("object", SelectControlDto).propPattern(/./, (0, _atscript_typescript_utils.defineAnnotatedType)("union").item((0, _atscript_typescript_utils.defineAnnotatedType)().designType("number").value(1).$type).item((0, _atscript_typescript_utils.defineAnnotatedType)().designType("number").value(0).$type).$type);
 //#endregion
-//#region \0@oxc-project+runtime@0.120.0/helpers/decorateMetadata.js
-function __decorateMetadata(k, v) {
-	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+//#region src/gate-utils.ts
+/**
+* Walks a Uniquery filter expression and returns the first field name that
+* fails the `isAllowed` predicate, or `undefined` if every leaf field is
+* allowed. Logical combinators (`$and`, `$or`, `$nor`, `$not`) are traversed;
+* other `$`-prefixed keys are skipped.
+*
+* Shared by the DB readable's `@db.column.filterable` gate and the value-help
+* controller's `@ui.dict.filterable` gate — only the predicate differs.
+*/
+function findFilterOffender(filter, isAllowed) {
+	if (!filter || typeof filter !== "object") return;
+	for (const [key, value] of Object.entries(filter)) {
+		if (key === "$and" || key === "$or" || key === "$nor") {
+			if (Array.isArray(value)) for (const sub of value) {
+				const inner = findFilterOffender(sub, isAllowed);
+				if (inner) return inner;
+			}
+			continue;
+		}
+		if (key === "$not") {
+			const inner = findFilterOffender(value, isAllowed);
+			if (inner) return inner;
+			continue;
+		}
+		if (key.startsWith("$")) continue;
+		if (!isAllowed(key)) return key;
+	}
+}
+/**
+* Walks a Uniquery `$sort` control (accepts string, string[], object, or
+* array-of-{field: dir}) and returns the first field name that fails the
+* `isAllowed` predicate, or `undefined` if every sort key is allowed.
+*
+* Shared by the DB readable's `@db.column.sortable` gate and the value-help
+* controller's `@ui.dict.sortable` gate.
+*/
+function findSortOffender(sort, isAllowed) {
+	if (!sort) return void 0;
+	const check = (name) => isAllowed(name) ? void 0 : name;
+	if (typeof sort === "string") {
+		for (const part of sort.split(",")) {
+			const name = part.trim().replace(/^[-+]/, "").split(":")[0];
+			if (name) {
+				const bad = check(name);
+				if (bad) return bad;
+			}
+		}
+		return;
+	}
+	if (Array.isArray(sort)) {
+		for (const entry of sort) if (typeof entry === "string") {
+			const bad = check(entry.replace(/^[-+]/, ""));
+			if (bad) return bad;
+		} else if (entry && typeof entry === "object") for (const name of Object.keys(entry)) {
+			const bad = check(name);
+			if (bad) return bad;
+		}
+		return;
+	}
+	if (typeof sort === "object") for (const name of Object.keys(sort)) {
+		const bad = check(name);
+		if (bad) return bad;
+	}
 }
 //#endregion
-//#region \0@oxc-project+runtime@0.120.0/helpers/decorateParam.js
-function __decorateParam(paramIndex, decorator) {
-	return function(target, key) {
-		decorator(target, key, paramIndex);
+//#region src/actions/keys.ts
+/** Method-level metadata key — written by `@DbAction(name, opts)`. */
+const MOOST_DB_ACTION = "atscript_db_action";
+/** Class-level metadata key — written by `@DbActions` and the level-pinned shortcuts. Stored as an array; decorators accumulate. */
+const MOOST_DB_ACTIONS = "atscript_db_actions";
+/** Param-level metadata key — written by `@DbActionPK()` / `@DbActionPKs()`. Drives level inference. */
+const MOOST_DB_ACTION_PARAM = "atscript_db_action_param";
+/**
+* Shared method-decorator update used by `@DbAction` and `@DbActionDefault`:
+* read the existing `MOOST_DB_ACTION` slot, merge the patch (later-applied
+* fields win), and write it back. `name` is empty until `@DbAction` provides
+* one — `discoverActions` warns and drops actions with no name.
+*/
+function mergeActionMeta(current, patch) {
+	const existing = current[MOOST_DB_ACTION];
+	return {
+		name: patch.name ?? existing?.name ?? "",
+		opts: {
+			...existing?.opts,
+			...patch.opts
+		}
+	};
+}
+//#endregion
+//#region src/actions/discover.ts
+/** Optional fields shared between method opts and class-level entries. */
+const OPTIONAL_FIELDS = [
+	"icon",
+	"intent",
+	"description",
+	"order",
+	"default",
+	"promptText"
+];
+const WARN_PREFIX = "[moost-db actions]";
+const actionsCache = /* @__PURE__ */ new WeakMap();
+/**
+* Discover all actions declared on a controller and produce the `/meta` array.
+* Reads class + method metadata via `getMoostMate()` and resolves bound POST
+* paths through the Moost controller overview.
+*
+* Result is memoized per controller constructor — discovery walks every
+* handler entry and reads decorator metadata, which is wasted work to repeat
+* across instances.
+*/
+function discoverActions(controllerCtor, app, logger) {
+	const cached = actionsCache.get(controllerCtor);
+	if (cached) return cached;
+	const overview = app.getControllersOverview?.()?.find((o) => o.type === controllerCtor);
+	const out = [];
+	collectMethodActions(controllerCtor, overview, logger, out);
+	collectClassActions(controllerCtor, logger, out);
+	applyDefaultPerLevel(out, logger);
+	actionsCache.set(controllerCtor, out);
+	return out;
+}
+function collectMethodActions(ctor, overview, logger, out) {
+	if (!overview) return;
+	const byMethod = /* @__PURE__ */ new Map();
+	for (const h of overview.handlers) {
+		const list = byMethod.get(h.method);
+		if (list) list.push(h);
+		else byMethod.set(h.method, [h]);
+	}
+	for (const [methodName, handlers] of byMethod) {
+		const methodMeta = handlers[0].meta;
+		const action = methodMeta[MOOST_DB_ACTION];
+		if (!action) continue;
+		if (!action.name) {
+			logger.warn(`${WARN_PREFIX} method "${methodName}" has @DbActionDefault() but no @DbAction(name) — dropping`);
+			continue;
+		}
+		const levelInfer = inferMethodLevel(methodMeta.params ?? [], action.name, logger);
+		if (!levelInfer) continue;
+		if (levelInfer.bodyConflict) {
+			logger.warn(`${WARN_PREFIX} action "${action.name}" cannot mix @DbActionPK*/@DbActionPKs with @Body() — dropping`);
+			continue;
+		}
+		const postEntry = handlers.find((h) => h.handler.type === "HTTP" && h.handler.method === "POST");
+		if (!postEntry) {
+			logger.warn(`${WARN_PREFIX} action "${action.name}" requires @Post(...); no POST handler bound to ${methodName} — dropping`);
+			continue;
+		}
+		const path = postEntry.registeredAs[0]?.path;
+		if (!path) {
+			logger.warn(`${WARN_PREFIX} action "${action.name}" — POST handler ${methodName} has no registered path — dropping`);
+			continue;
+		}
+		const label = action.opts.label ?? methodMeta.label;
+		if (!label) {
+			logger.warn(`${WARN_PREFIX} action "${action.name}" requires a label (opts.label or @Label) — dropping`);
+			continue;
+		}
+		const info = {
+			name: action.name,
+			label,
+			level: levelInfer.level,
+			processor: "backend",
+			value: path
+		};
+		copyOptionalFields(info, action.opts);
+		out.push(info);
+	}
+}
+function inferMethodLevel(params, actionName, logger) {
+	let hasPk = false;
+	let hasPks = false;
+	let hasBody = false;
+	for (const p of params) {
+		const kind = p[MOOST_DB_ACTION_PARAM];
+		if (kind === "pk") hasPk = true;
+		else if (kind === "pks") hasPks = true;
+		if (p.paramSource === "BODY") hasBody = true;
+	}
+	if (hasPk && hasPks) {
+		logger.warn(`${WARN_PREFIX} action "${actionName}" has both @DbActionPK and @DbActionPKs — dropping`);
+		return null;
+	}
+	const level = hasPk ? "row" : hasPks ? "rows" : "table";
+	return {
+		level,
+		bodyConflict: hasBody && level !== "table"
+	};
+}
+function collectClassActions(ctor, logger, out) {
+	const list = (0, moost.getMoostMate)().read(ctor)?.[MOOST_DB_ACTIONS];
+	if (!list) return;
+	for (const { name, entry, forcedLevel } of list) {
+		const built = buildClassEntry(name, entry, forcedLevel, logger);
+		if (built) out.push(built);
+	}
+}
+function buildClassEntry(name, entry, forcedLevel, logger) {
+	const level = forcedLevel ?? entry.level;
+	if (!level) {
+		logger.warn(`${WARN_PREFIX} class-level action "${name}" requires a level — dropping. Use @DbTableActions/@DbRowActions/@DbRowsActions or set "level" explicitly.`);
+		return null;
+	}
+	if (!entry.label) {
+		logger.warn(`${WARN_PREFIX} class-level action "${name}" requires a label — dropping`);
+		return null;
+	}
+	const processor = entry.processor;
+	let value;
+	if (processor === "navigate" || processor === "backend") {
+		const v = entry.value;
+		if (typeof v !== "string" || v === "") {
+			logger.warn(`${WARN_PREFIX} class-level action "${name}" with processor "${processor}" requires a non-empty "value" — dropping`);
+			return null;
+		}
+		value = v;
+	} else if (processor === "custom") {
+		const v = entry.value;
+		if (v !== void 0 && v !== null) {
+			logger.warn(`${WARN_PREFIX} class-level action "${name}" with processor "custom" forbids "value" (always derived from the dict key) — dropping`);
+			return null;
+		}
+		value = name;
+	} else {
+		logger.warn(`${WARN_PREFIX} class-level action "${name}" has unknown processor "${String(processor)}" — dropping`);
+		return null;
+	}
+	const info = {
+		name,
+		label: entry.label,
+		level,
+		processor,
+		value
 	};
+	copyOptionalFields(info, entry);
+	return info;
+}
+function applyDefaultPerLevel(actions, logger) {
+	const winners = /* @__PURE__ */ new Map();
+	for (const a of actions) {
+		if (!a.default) continue;
+		const existing = winners.get(a.level);
+		if (existing) {
+			a.default = false;
+			logger.warn(`${WARN_PREFIX} duplicate default action at level "${a.level}": "${existing}" wins, "${a.name}" demoted`);
+		} else winners.set(a.level, a.name);
+	}
+}
+function copyOptionalFields(info, source) {
+	for (const key of OPTIONAL_FIELDS) {
+		const value = source[key];
+		if (value !== void 0) info[key] = value;
+	}
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.120.0/helpers/decorateMetadata.js
+function __decorateMetadata(k, v) {
+	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
 //#endregion
 //#region \0@oxc-project+runtime@0.120.0/helpers/decorate.js
@@ -198,24 +384,27 @@ function __decorate(decorators, target, key, desc) {
 	return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
 //#endregion
-//#region src/as-db-readable.controller.ts
-var _ref$1, _ref2$1;
-let AsDbReadableController = class AsDbReadableController {
-	/** Reference to the underlying readable (table or view). */
-	readable;
+//#region src/as-readable.controller.ts
+var _ref$4;
+let AsReadableController = class AsReadableController {
+	/** The Atscript interface this controller serves. */
+	boundType;
+	/** Short human-readable name for logging (usually the table/source name). */
+	controllerName;
 	/** Application-scoped logger. */
 	logger;
-	/** Cached serialized type definition (lazy, computed on first access). */
-	_serializedType;
 	/** Moost application instance. */
 	app;
+	/** Cached serialized type definition (lazy, computed on first access). */
+	_serializedType;
 	/** Cached full meta response (computed lazily on first meta() call). */
 	_metaResponse;
-	constructor(readable, app) {
-		this.readable = readable;
+	constructor(boundType, controllerName, app, kindTag = "readable") {
+		this.boundType = boundType;
+		this.controllerName = controllerName;
 		this.app = app;
-		this.logger = app.getLogger(`db [${readable.tableName}]`);
-		this.logger.info(`Initializing ${readable.isView ? "view" : "table"} controller`);
+		this.logger = app.getLogger(`db [${controllerName}]`);
+		this.logger.info(`Initializing ${kindTag} controller`);
 		this._resolveHttpPath();
 		try {
 			const p = this.init();
@@ -236,12 +425,12 @@ let AsDbReadableController = class AsDbReadableController {
 		if (!prefix) prefix = (this.app.getControllersOverview?.()?.find((o) => o.type === this.constructor))?.computedPrefix;
 		if (prefix) {
 			if (!prefix.startsWith("/")) prefix = `/${prefix}`;
-			this.readable.type.metadata.set("db.http.path", prefix);
+			this.boundType.metadata.set("db.http.path", prefix);
 		}
 	}
-	/** Lazily serializes the type (after all controllers have set their @db.http.path). */
+	/** Lazily serializes the bound type (after all controllers have set @db.http.path). */
 	getSerializedType() {
-		if (!this._serializedType) this._serializedType = (0, _atscript_typescript_utils.serializeAnnotatedType)(this.readable.type, this.getSerializeOptions());
+		if (!this._serializedType) this._serializedType = (0, _atscript_typescript_utils.serializeAnnotatedType)(this.boundType, this.getSerializeOptions());
 		return this._serializedType;
 	}
 	/**
@@ -250,13 +439,23 @@ let AsDbReadableController = class AsDbReadableController {
 	init() {}
 	/**
 	* Returns serialization options for the `/meta` endpoint's type field.
-	* Default: whitelist — keeps `meta.*`, `expect.*`, and `db.rel.*` annotations,
-	* strips all other `db.*` annotations (table, column, index, default, etc.).
-	* Override in subclass to customise what annotations are exposed to clients.
+	*
+	* `refDepth: 0.5` is intentionally static — independent of `@db.depth.limit`
+	* (which is a security guard on nested writes, not a serialization policy).
+	* The shallow shape emits `{ field, type: { id, metadata } }` for every FK,
+	* which carries the target's `db.http.path` so clients can resolve value-help
+	* URLs and lazy-fetch target `/meta` when deeper structure is needed. Nav
+	* props (`@db.rel.from` / `@db.rel.to` / `@db.rel.via`) are not `.ref` nodes
+	* and always expand fully regardless of `refDepth` — the write-payload shape
+	* clients need is unaffected.
+	*
+	* Annotation whitelist: keeps `meta.*`, `expect.*`, and `db.rel.*`; strips
+	* other `db.*` (table, column, index, default, etc.). Override in subclass
+	* to customise.
 	*/
 	getSerializeOptions() {
 		return {
-			refDepth: 1,
+			refDepth: .5,
 			processAnnotation: ({ key, value }) => {
 				if (key.startsWith("meta.") || key.startsWith("expect.") || key.startsWith("db.rel.")) return {
 					key,
@@ -276,7 +475,7 @@ let AsDbReadableController = class AsDbReadableController {
 	}
 	/**
 	* Whether this controller is read-only (no write endpoints).
-	* Returns `true` for readable/view controllers, overridden to `false` in AsDbController.
+	* Returns `true` by default; {@link AsDbController} overrides to `false`.
 	*/
 	_isReadOnly() {
 		return true;
@@ -303,7 +502,7 @@ let AsDbReadableController = class AsDbReadableController {
 	validateInsights(insights) {
 		for (const [key] of insights) {
 			if (key === "*") continue;
-			if (!this.readable.flatMap.has(key)) return `Unknown field "${key}"`;
+			if (!this.hasField(key)) return `Unknown field "${key}"`;
 		}
 	}
 	validateParsed(parsed, type) {
@@ -313,6 +512,201 @@ let AsDbReadableController = class AsDbReadableController {
 			const insightsError = this.validateInsights(parsed.insights);
 			if (insightsError) return new _moostjs_event_http.HttpError(400, insightsError);
 		}
+	}
+	/**
+	* Shared filter/sort/search gate check. Subclasses assemble a {@link ReadableGates}
+	* config per request (or once in the constructor when static) and call this to
+	* get a uniform HTTP 400 response for any offending field/control.
+	*/
+	checkGates(filter, controls, gates) {
+		if (gates.filter) {
+			const bad = findFilterOffender(filter, gates.filter.predicate);
+			if (bad) return new _moostjs_event_http.HttpError(400, `Filtering on field "${bad}" is not permitted — add ${gates.filter.annotation} to enable.`);
+		}
+		if (gates.sort) {
+			const bad = findSortOffender(controls.$sort, gates.sort.predicate);
+			if (bad) return new _moostjs_event_http.HttpError(400, `Sorting on field "${bad}" is not permitted — add ${gates.sort.annotation} to enable.`);
+		}
+		if (gates.search && controls.$search && !gates.search.allowed) return new _moostjs_event_http.HttpError(400, gates.search.rejectionMessage);
+	}
+	parseQueryString(url) {
+		const idx = url.indexOf("?");
+		return (0, _uniqu_url.parseUrl)(idx >= 0 ? url.slice(idx + 1) : "");
+	}
+	async returnOne(result) {
+		const item = await result;
+		if (!item) return new _moostjs_event_http.HttpError(404);
+		return item;
+	}
+	/**
+	* **GET /meta** — returns the bound interface's metadata envelope.
+	*
+	* Base implementation delegates to {@link buildMetaResponse}, which subclasses
+	* override to add source-specific fields (relations, searchable flags, etc.).
+	* The response is cached on the instance; async overrides must cache any
+	* extra enrichment themselves.
+	*/
+	async meta() {
+		if (this._metaResponse) return this._metaResponse;
+		const response = await this.buildMetaResponse();
+		this._metaResponse = response;
+		return response;
+	}
+	/**
+	* Builds the `/meta` payload. Override in subclasses to populate source-specific
+	* fields. Defaults return a minimal envelope with the serialized type and the
+	* read-only flag; value-help dicts populate their capability hints here.
+	* Subclasses that fully replace the envelope must call {@link buildActions}
+	* directly so `@DbAction*` decorators still surface.
+	*/
+	async buildMetaResponse() {
+		return {
+			searchable: false,
+			vectorSearchable: false,
+			searchIndexes: [],
+			primaryKeys: [],
+			readOnly: this._isReadOnly(),
+			relations: [],
+			fields: {},
+			type: this.getSerializedType(),
+			actions: this.buildActions()
+		};
+	}
+	/**
+	* Discovers `@DbAction*` and `@DbActions`-style class metadata on this
+	* controller and produces the `actions` array. Returns `[]` for value-help
+	* controllers — see {@link AsValueHelpController#buildMetaResponse}.
+	*/
+	buildActions() {
+		return discoverActions(this.constructor, this.app, this.logger);
+	}
+};
+__decorate([
+	(0, _moostjs_event_http.Get)("meta"),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", Promise)
+], AsReadableController.prototype, "meta", null);
+AsReadableController = __decorate([UseValidationErrorTransform(), __decorateMetadata("design:paramtypes", [
+	Object,
+	String,
+	typeof (_ref$4 = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref$4 : Object,
+	Object
+])], AsReadableController);
+//#endregion
+//#region src/decorators.ts
+/**
+* DI token under which the {@link AtscriptDbReadable} instance
+* is exposed to the readable controller's constructor via `@Inject`.
+*/
+const READABLE_DEF = "__atscript_db_readable_def";
+/**
+* DI token under which the {@link AtscriptDbTable} instance
+* is exposed to the controller's constructor via `@Inject`.
+* Points to the same token as READABLE_DEF for backward compatibility.
+*/
+const TABLE_DEF = READABLE_DEF;
+/**
+* Combines the boilerplate needed to turn an {@link AsDbController}
+* subclass into a fully wired HTTP controller for a given `@db.table` model.
+*
+* Internally applies three decorators:
+* 1. **Provide** — registers the table instance under {@link TABLE_DEF}.
+* 2. **Controller** — registers the class as a Moost HTTP controller
+*    with an optional route prefix. Defaults to `table.tableName`.
+* 3. **Inherit** — copies metadata (routes, guards, etc.) from the
+*    parent class so they stay active in the derived controller.
+*
+* @param table  The {@link AtscriptDbTable} instance for this controller.
+* @param prefix Optional route prefix. Defaults to `table.tableName`.
+*
+* @example
+* ```ts
+* ‎@TableController(usersTable)
+* export class UsersController extends AsDbController<typeof UserModel> {}
+* ```
+*/
+const TableController = (table, prefix) => {
+	const resolvedPath = prefix || table.type.metadata.get("db.http.path");
+	return (0, moost.ApplyDecorators)((0, moost.Provide)(TABLE_DEF, () => table), (0, moost.Controller)(resolvedPath || table.tableName), (0, moost.Inherit)());
+};
+/**
+* Combines the boilerplate needed to turn an {@link AsDbReadableController}
+* subclass into a fully wired HTTP controller for a given `@db.view` or `@db.table` model.
+*
+* @param readable  The {@link AtscriptDbReadable} instance (table or view).
+* @param prefix    Optional route prefix. Defaults to `readable.tableName`.
+*
+* @example
+* ```ts
+* ‎@ReadableController(activeTasksView)
+* export class ActiveTasksController extends AsDbReadableController<typeof ActiveTasks> {}
+* ```
+*/
+const ReadableController = (readable, prefix) => {
+	const resolvedPath = prefix || readable.type.metadata.get("db.http.path");
+	return (0, moost.ApplyDecorators)((0, moost.Provide)(READABLE_DEF, () => readable), (0, moost.Controller)(resolvedPath || readable.tableName), (0, moost.Inherit)());
+};
+/**
+* Alias for {@link ReadableController} — use with view-backed controllers.
+*
+* @example
+* ```ts
+* ‎@ViewController(activeTasksView)
+* export class ActiveTasksController extends AsDbReadableController<typeof ActiveTasks> {}
+* ```
+*/
+const ViewController = ReadableController;
+//#endregion
+//#region \0@oxc-project+runtime@0.120.0/helpers/decorateParam.js
+function __decorateParam(paramIndex, decorator) {
+	return function(target, key) {
+		decorator(target, key, paramIndex);
+	};
+}
+//#endregion
+//#region src/as-db-readable.controller.ts
+var _ref$3, _ref2$2;
+let AsDbReadableController = class AsDbReadableController extends AsReadableController {
+	/** Reference to the underlying readable (table or view). */
+	readable;
+	_gates;
+	constructor(readable, app) {
+		super(readable.type, readable.tableName, app, readable.isView ? "view" : "table");
+		this.readable = readable;
+		this._gates = this._buildGates();
+	}
+	_buildGates() {
+		const meta = this.readable.type.metadata;
+		const gates = {};
+		if (meta.get("db.table.filterable") === "manual") {
+			const allowed = this._collectAnnotated("db.column.filterable");
+			gates.filter = {
+				predicate: (f) => allowed.has(f),
+				annotation: "@db.column.filterable"
+			};
+		}
+		if (meta.get("db.table.sortable") === "manual") {
+			const allowed = this._collectAnnotated("db.column.sortable");
+			gates.sort = {
+				predicate: (f) => allowed.has(f),
+				annotation: "@db.column.sortable"
+			};
+		}
+		return gates;
+	}
+	_collectAnnotated(annotation) {
+		const out = /* @__PURE__ */ new Set();
+		for (const [path, entry] of this.readable.flatMap) if (entry.metadata.has(annotation)) out.add(path);
+		return out;
+	}
+	hasField(path) {
+		return this.readable.flatMap.has(path);
+	}
+	/** Validates $with relations against the readable. */
+	validateParsed(parsed, type) {
+		const baseError = super.validateParsed(parsed, type);
+		if (baseError) return baseError;
 		const withRelations = parsed.controls.$with;
 		if (withRelations?.length) {
 			const relations = this.readable.relations;
@@ -348,15 +742,6 @@ let AsDbReadableController = class AsDbReadableController {
 	transformProjection(projection) {
 		return projection;
 	}
-	parseQueryString(url) {
-		const idx = url.indexOf("?");
-		return (0, _uniqu_url.parseUrl)(idx >= 0 ? url.slice(idx + 1) : "");
-	}
-	async returnOne(result) {
-		const item = await result;
-		if (!item) return new _moostjs_event_http.HttpError(404);
-		return item;
-	}
 	/**
 	* Extracts a composite identifier object from query params.
 	* Tries composite primary key first, then compound unique indexes.
@@ -411,6 +796,8 @@ let AsDbReadableController = class AsDbReadableController {
 		}
 		const error = this.validateParsed(parsed, "query");
 		if (error) return error;
+		const gateError = this.checkGates(parsed.filter, controls, this._gates);
+		if (gateError) return gateError;
 		const [filter, select] = await Promise.all([this.transformFilter(parsed.filter), this.transformProjection(controls.$select)]);
 		if (controls.$count) return this.readable.count({
 			filter,
@@ -448,6 +835,8 @@ let AsDbReadableController = class AsDbReadableController {
 		const error = this.validateParsed(parsed, "pages");
 		if (error) return error;
 		const controls = parsed.controls;
+		const gateError = this.checkGates(parsed.filter, controls, this._gates);
+		if (gateError) return gateError;
 		const page = Math.max(Number(controls.$page || 1), 1);
 		const size = Math.max(Number(controls.$size || 10), 1);
 		const skip = (page - 1) * size;
@@ -514,28 +903,31 @@ let AsDbReadableController = class AsDbReadableController {
 	/**
 	* **GET /meta** — returns table/view metadata for UI.
 	*
-	* The return type includes `Promise<...>` so subclasses can override with an
-	* async implementation (e.g. to enrich the payload from an external source).
-	* The base cache only covers the base payload — async overrides must cache
-	* their own enrichment if needed.
+	* Overrides the base's minimal envelope to add relations, searchable flags,
+	* vector-searchable flags, field-descriptor-derived filter/sort hints, and
+	* the configured primary keys.
 	*/
-	meta() {
-		if (this._metaResponse) return this._metaResponse;
+	async buildMetaResponse() {
 		const relations = [];
 		for (const [name, rel] of this.readable.relations) relations.push({
 			name,
 			direction: rel.direction,
 			isArray: rel.isArray
 		});
+		const filterableMode = this.readable.type.metadata.get("db.table.filterable") === "manual";
+		const sortableMode = this.readable.type.metadata.get("db.table.sortable") === "manual";
 		const fields = {};
 		for (const fd of this.readable.fieldDescriptors) {
 			if (fd.ignored) continue;
+			const annotations = fd.type?.metadata;
+			const annotatedFilterable = annotations?.has("db.column.filterable") ?? false;
+			const annotatedSortable = annotations?.has("db.column.sortable") ?? false;
 			fields[fd.path] = {
-				sortable: !!fd.isIndexed,
-				filterable: true
+				sortable: sortableMode ? annotatedSortable : !!fd.isIndexed,
+				filterable: filterableMode ? annotatedFilterable : true
 			};
 		}
-		const response = {
+		return {
 			searchable: this.readable.isSearchable(),
 			vectorSearchable: this.readable.isVectorSearchable(),
 			searchIndexes: this.readable.getSearchIndexes(),
@@ -543,10 +935,9 @@ let AsDbReadableController = class AsDbReadableController {
 			readOnly: this._isReadOnly(),
 			relations,
 			fields,
-			type: this.getSerializedType()
+			type: this.getSerializedType(),
+			actions: this.buildActions()
 		};
-		this._metaResponse = response;
-		return response;
 	}
 };
 __decorate([
@@ -576,23 +967,17 @@ __decorate([
 	__decorateParam(0, (0, _moostjs_event_http.Query)()),
 	__decorateParam(1, (0, _moostjs_event_http.Url)()),
 	__decorateMetadata("design:type", Function),
-	__decorateMetadata("design:paramtypes", [typeof (_ref2$1 = typeof Record !== "undefined" && Record) === "function" ? _ref2$1 : Object, String]),
+	__decorateMetadata("design:paramtypes", [typeof (_ref2$2 = typeof Record !== "undefined" && Record) === "function" ? _ref2$2 : Object, String]),
 	__decorateMetadata("design:returntype", Promise)
 ], AsDbReadableController.prototype, "getOneComposite", null);
-__decorate([
-	(0, _moostjs_event_http.Get)("meta"),
-	__decorateMetadata("design:type", Function),
-	__decorateMetadata("design:paramtypes", []),
-	__decorateMetadata("design:returntype", Object)
-], AsDbReadableController.prototype, "meta", null);
 AsDbReadableController = __decorate([
-	UseValidationErrorTransform(),
+	(0, moost.Inherit)(),
 	__decorateParam(0, (0, moost.Inject)(READABLE_DEF)),
-	__decorateMetadata("design:paramtypes", [Object, typeof (_ref$1 = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref$1 : Object])
+	__decorateMetadata("design:paramtypes", [Object, typeof (_ref$3 = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref$3 : Object])
 ], AsDbReadableController);
 //#endregion
 //#region src/as-db.controller.ts
-var _ref, _ref2;
+var _ref$2, _ref2$1;
 let AsDbController = class AsDbController extends AsDbReadableController {
 	/** Reference to the underlying table (typed for write access). */
 	get table() {
@@ -713,15 +1098,575 @@ __decorate([
 	(0, _moostjs_event_http.Delete)(""),
 	__decorateParam(0, (0, _moostjs_event_http.Query)()),
 	__decorateMetadata("design:type", Function),
-	__decorateMetadata("design:paramtypes", [typeof (_ref2 = typeof Record !== "undefined" && Record) === "function" ? _ref2 : Object]),
+	__decorateMetadata("design:paramtypes", [typeof (_ref2$1 = typeof Record !== "undefined" && Record) === "function" ? _ref2$1 : Object]),
 	__decorateMetadata("design:returntype", Promise)
 ], AsDbController.prototype, "removeComposite", null);
 AsDbController = __decorate([
 	(0, moost.Inherit)(),
 	__decorateParam(0, (0, moost.Inject)(TABLE_DEF)),
-	__decorateMetadata("design:paramtypes", [Object, typeof (_ref = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref : Object])
+	__decorateMetadata("design:paramtypes", [Object, typeof (_ref$2 = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref$2 : Object])
 ], AsDbController);
 //#endregion
+//#region src/as-value-help.controller.ts
+var _ref$1, _ref2;
+let AsValueHelpController = class AsValueHelpController extends AsReadableController {
+	/** Per-prop metadata map of the bound interface; eagerly built once. */
+	fieldMeta;
+	/**
+	* Fields that participate in `$search` by default. Populated from
+	* `@ui.dict.searchable`:
+	* - If any prop carries `@ui.dict.searchable`, only those props are here.
+	* - Else if the interface carries `@ui.dict.searchable`, every `string`-typed prop is here.
+	* - Else every `string`-typed prop is here (hint is absent — default to all strings).
+	*/
+	searchableFields;
+	/** The `@meta.id` field name on the bound interface, if any. */
+	primaryKey;
+	constructor(boundType, controllerName, app) {
+		super(boundType, controllerName, app, "value-help");
+		const fieldMeta = /* @__PURE__ */ new Map();
+		const explicitlySearchable = [];
+		const stringProps = [];
+		let primaryKey;
+		const interfaceSearchable = boundType.metadata.has("ui.dict.searchable");
+		const asObj = boundType.type;
+		if (asObj?.props) for (const [name, prop] of asObj.props) {
+			const meta = prop.metadata;
+			fieldMeta.set(name, meta);
+			if (!primaryKey && meta.has("meta.id")) primaryKey = name;
+			if (prop.type.designType === "string") stringProps.push(name);
+			if (meta.has("ui.dict.searchable")) explicitlySearchable.push(name);
+		}
+		this.fieldMeta = fieldMeta;
+		this.primaryKey = primaryKey;
+		this.searchableFields = explicitlySearchable.length > 0 ? explicitlySearchable : interfaceSearchable ? stringProps : stringProps;
+	}
+	hasField(path) {
+		return this.fieldMeta.has(path);
+	}
+	/**
+	* **GET /query** — returns an array of matched rows (up to `$limit`).
+	*/
+	async runQuery(url) {
+		const parsed = this.parseQueryString(url);
+		const validateError = this.validateParsed(parsed, "query");
+		if (validateError) return validateError;
+		return (await this.query({
+			filter: parsed.filter,
+			controls: parsed.controls
+		})).data;
+	}
+	/**
+	* **GET /pages** — paginated row window plus total count.
+	*/
+	async runPages(url) {
+		const parsed = this.parseQueryString(url);
+		const validateError = this.validateParsed(parsed, "pages");
+		if (validateError) return validateError;
+		const controls = parsed.controls;
+		const page = Math.max(Number(controls.$page || 1), 1);
+		const size = Math.max(Number(controls.$size || 10), 1);
+		const skip = (page - 1) * size;
+		const result = await this.query({
+			filter: parsed.filter,
+			controls: {
+				...controls,
+				$skip: skip,
+				$limit: size
+			}
+		});
+		return {
+			data: result.data,
+			page,
+			itemsPerPage: size,
+			pages: Math.ceil(result.count / size),
+			count: result.count
+		};
+	}
+	/**
+	* **GET /one/:id** — retrieves a single row by primary key.
+	*/
+	async runGetOne(id) {
+		return this.returnOne(this.getOne(id));
+	}
+	/**
+	* **GET /one?<pk>=<val>** — retrieves a single row by PK query param (fallback).
+	*/
+	async runGetOneComposite(query) {
+		const pk = this.primaryKey;
+		if (!pk) return new _moostjs_event_http.HttpError(400, "No primary key (@meta.id) on value-help interface");
+		const id = query[pk];
+		if (id === void 0) return new _moostjs_event_http.HttpError(400, `Missing PK field "${pk}"`);
+		return this.returnOne(this.getOne(id));
+	}
+	/**
+	* Meta response surfaces `@ui.dict.*` annotations as **hints** for the
+	* client picker UI (which controls to render); the server does not enforce
+	* these flags at request time.
+	*/
+	async buildMetaResponse() {
+		const fields = {};
+		for (const [path, meta] of this.fieldMeta) fields[path] = {
+			sortable: meta.has("ui.dict.sortable"),
+			filterable: meta.has("ui.dict.filterable")
+		};
+		return {
+			searchable: this.searchableFields.length > 0,
+			vectorSearchable: false,
+			searchIndexes: [],
+			primaryKeys: this.primaryKey ? [this.primaryKey] : [],
+			readOnly: this._isReadOnly(),
+			relations: [],
+			fields,
+			type: this.getSerializedType(),
+			actions: []
+		};
+	}
+	buildActions() {
+		return [];
+	}
+};
+__decorate([
+	(0, _moostjs_event_http.Get)("query"),
+	__decorateParam(0, (0, _moostjs_event_http.Url)()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [String]),
+	__decorateMetadata("design:returntype", Promise)
+], AsValueHelpController.prototype, "runQuery", null);
+__decorate([
+	(0, _moostjs_event_http.Get)("pages"),
+	__decorateParam(0, (0, _moostjs_event_http.Url)()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [String]),
+	__decorateMetadata("design:returntype", Promise)
+], AsValueHelpController.prototype, "runPages", null);
+__decorate([
+	(0, _moostjs_event_http.Get)("one/:id"),
+	__decorateParam(0, (0, moost.Param)("id")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [String]),
+	__decorateMetadata("design:returntype", Promise)
+], AsValueHelpController.prototype, "runGetOne", null);
+__decorate([
+	(0, _moostjs_event_http.Get)("one"),
+	__decorateParam(0, (0, _moostjs_event_http.Query)()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [typeof (_ref2 = typeof Record !== "undefined" && Record) === "function" ? _ref2 : Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AsValueHelpController.prototype, "runGetOneComposite", null);
+AsValueHelpController = __decorate([(0, moost.Inherit)(), __decorateMetadata("design:paramtypes", [
+	Object,
+	String,
+	typeof (_ref$1 = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref$1 : Object
+])], AsValueHelpController);
+//#endregion
+//#region src/as-json-value-help.controller.ts
+var _ref;
+let AsJsonValueHelpController = class AsJsonValueHelpController extends AsValueHelpController {
+	rows;
+	_pkIndex;
+	constructor(boundType, rows, app, controllerName) {
+		const name = controllerName || boundType.metadata.get("db.table") || "value-help";
+		super(boundType, name, app);
+		this.rows = rows;
+		if (this.primaryKey) {
+			const pk = this.primaryKey;
+			const index = /* @__PURE__ */ new Map();
+			for (const row of rows) index.set(String(row[pk]), row);
+			this._pkIndex = index;
+		}
+	}
+	async query(controls) {
+		let rows = this.rows;
+		if (controls.filter && Object.keys(controls.filter).length > 0) rows = rows.filter((row) => matchFilter(row, controls.filter));
+		const search = controls.controls.$search;
+		if (search) {
+			const needle = search.toLowerCase();
+			const fields = this.searchableFields;
+			rows = rows.filter((row) => {
+				for (const field of fields) {
+					const v = row[field];
+					if (typeof v === "string" && v.toLowerCase().includes(needle)) return true;
+				}
+				return false;
+			});
+		}
+		if (controls.controls.$sort) rows = sortRows(rows, controls.controls.$sort);
+		const total = rows.length;
+		const skip = Math.max(0, Number(controls.controls.$skip ?? 0));
+		const limit = Math.max(0, Number(controls.controls.$limit ?? total - skip));
+		return {
+			data: applySelect(rows.slice(skip, skip + limit), controls.controls.$select),
+			count: total
+		};
+	}
+	async getOne(id) {
+		return this._pkIndex?.get(String(id)) ?? null;
+	}
+};
+AsJsonValueHelpController = __decorate([(0, moost.Inherit)(), __decorateMetadata("design:paramtypes", [
+	Object,
+	Array,
+	typeof (_ref = typeof moost.Moost !== "undefined" && moost.Moost) === "function" ? _ref : Object,
+	String
+])], AsJsonValueHelpController);
+function matchFilter(row, filter) {
+	if (!filter || typeof filter !== "object") return true;
+	for (const [key, value] of Object.entries(filter)) {
+		if (key === "$and") {
+			if (!Array.isArray(value)) continue;
+			if (!value.every((clause) => matchFilter(row, clause))) return false;
+			continue;
+		}
+		if (key === "$or") {
+			if (!Array.isArray(value)) continue;
+			if (!value.some((clause) => matchFilter(row, clause))) return false;
+			continue;
+		}
+		if (key === "$nor") {
+			if (!Array.isArray(value)) continue;
+			if (value.some((clause) => matchFilter(row, clause))) return false;
+			continue;
+		}
+		if (key === "$not") {
+			if (matchFilter(row, value)) return false;
+			continue;
+		}
+		if (key.startsWith("$")) continue;
+		const fieldValue = row[key];
+		if (!matchFieldPredicate(fieldValue, value)) return false;
+	}
+	return true;
+}
+function matchFieldPredicate(fieldValue, predicate) {
+	if (predicate === null || typeof predicate !== "object" || Array.isArray(predicate)) return fieldValue === predicate;
+	for (const [op, operand] of Object.entries(predicate)) switch (op) {
+		case "$eq":
+			if (fieldValue !== operand) return false;
+			break;
+		case "$ne":
+			if (fieldValue === operand) return false;
+			break;
+		case "$in":
+			if (!Array.isArray(operand) || !operand.includes(fieldValue)) return false;
+			break;
+		case "$nin":
+			if (!Array.isArray(operand) || operand.includes(fieldValue)) return false;
+			break;
+		case "$gt":
+			if (!(fieldValue > operand)) return false;
+			break;
+		case "$gte":
+			if (!(fieldValue >= operand)) return false;
+			break;
+		case "$lt":
+			if (!(fieldValue < operand)) return false;
+			break;
+		case "$lte":
+			if (!(fieldValue <= operand)) return false;
+			break;
+		case "$regex": {
+			const re = operand instanceof RegExp ? operand : new RegExp(String(operand));
+			if (typeof fieldValue !== "string" || !re.test(fieldValue)) return false;
+			break;
+		}
+		default: if (fieldValue !== operand) return false;
+	}
+	return true;
+}
+function sortRows(rows, sort) {
+	const keys = [];
+	const push = (name, explicit) => {
+		const clean = name.replace(/^[-+]/, "");
+		const dir = explicit ?? (name.startsWith("-") ? -1 : 1);
+		if (clean) keys.push({
+			name: clean,
+			dir
+		});
+	};
+	if (typeof sort === "string") for (const part of sort.split(",")) {
+		const trimmed = part.trim();
+		if (!trimmed) continue;
+		const [name, dir] = trimmed.split(":");
+		push(name, dir === "desc" ? -1 : dir === "asc" ? 1 : void 0);
+	}
+	else if (Array.isArray(sort)) {
+		for (const entry of sort) if (typeof entry === "string") push(entry);
+		else if (entry && typeof entry === "object") for (const [name, d] of Object.entries(entry)) push(name, d === "desc" || d === -1 ? -1 : 1);
+	} else if (sort && typeof sort === "object") for (const [name, d] of Object.entries(sort)) push(name, d === "desc" || d === -1 ? -1 : 1);
+	if (keys.length === 0) return rows;
+	const out = rows.slice();
+	out.sort((a, b) => {
+		for (const { name, dir } of keys) {
+			const av = a[name];
+			const bv = b[name];
+			if (av === bv) continue;
+			if (av === void 0 || av === null) return -1 * dir;
+			if (bv === void 0 || bv === null) return 1 * dir;
+			if (av < bv) return -1 * dir;
+			if (av > bv) return 1 * dir;
+		}
+		return 0;
+	});
+	return out;
+}
+function applySelect(rows, select) {
+	if (!select?.length) return rows;
+	return rows.map((row) => {
+		const out = {};
+		for (const key of select) out[key] = row[key];
+		return out;
+	});
+}
+//#endregion
+//#region src/actions/db-action.decorator.ts
+/**
+* Mark a controller method as a database action surfaced via `/meta`.
+*
+* Metadata-only — pair with `@Post(...)` for Moost to bind the route. The
+* meta builder reads this metadata plus the bound POST path lazily and
+* emits the action with `processor: 'backend'`. Order vs.
+* `@DbActionDefault()` does not matter — both merge into the same slot.
+*
+* @example
+* ```ts
+* @Post('actions/block')
+* @DbAction('block', { label: 'Block', icon: 'i-as-block', intent: 'negative' })
+* async blockUser(@DbActionPK() id: string) { ... }
+* ```
+*/
+function DbAction(name, opts = {}) {
+	return (0, moost.getMoostMate)().decorate((current) => {
+		const meta = current;
+		return {
+			...current,
+			[MOOST_DB_ACTION]: mergeActionMeta(meta, {
+				name,
+				opts
+			})
+		};
+	});
+}
+//#endregion
+//#region src/actions/db-action-default.decorator.ts
+/**
+* Sugar that flips `default: true` on the same method's `@DbAction` metadata.
+* Equivalent to passing `opts.default = true`. Decorator order does not matter.
+*/
+function DbActionDefault() {
+	return (0, moost.getMoostMate)().decorate((current) => {
+		const meta = current;
+		return {
+			...current,
+			[MOOST_DB_ACTION]: mergeActionMeta(meta, { opts: { default: true } })
+		};
+	});
+}
+//#endregion
+//#region src/actions/pk-source.ts
+/**
+* Extract the PK validation source from a controller instance. Looks for
+* `readable` (set by {@link AsDbReadableController}) or `table` (set by
+* {@link AsDbController}).
+*
+* If the controller has no typed table attached (e.g. a value-help
+* controller, or a plain Moost controller without `@TableController`),
+* throws an HTTP 500 — this is a **server misconfiguration**, not a client
+* error. The body parser has nothing to validate against, so the request
+* cannot proceed. Use `@Body()` and parse the PK manually if you need to
+* accept PK-shaped bodies on a controller without an attached table.
+*/
+function resolvePkSource(controller) {
+	const c = controller;
+	const candidate = c.readable ?? c.table;
+	if (!isPkValidationSource(candidate)) throw new _moostjs_event_http.HttpError(500, "@DbActionPK/@DbActionPKs requires a controller with an attached table (via @TableController / @ReadableController). Use @Body() instead if your controller has no typed table.");
+	return candidate;
+}
+function isPkValidationSource(value) {
+	if (!value || typeof value !== "object") return false;
+	const v = value;
+	return Array.isArray(v.primaryKeys) && Array.isArray(v.fieldDescriptors);
+}
+/**
+* Build a parameter decorator that parses the JSON request body, validates
+* it against the bound table's PK schema with `validate`, and tags the param
+* so {@link discoverActions} can infer the action's `level`.
+*/
+function createPkParamDecorator(kind, validate, resolverName) {
+	return (0, moost.ApplyDecorators)((0, moost.getMoostMate)().decorate(MOOST_DB_ACTION_PARAM, kind), (0, moost.Resolve)(async () => {
+		const body = await (0, _wooksjs_http_body.useBody)().parseBody();
+		validate(body, resolvePkSource((0, moost.useControllerContext)().getController()));
+		return body;
+	}, resolverName));
+}
+//#endregion
+//#region src/actions/pk-validation.ts
+/**
+* Validate a JSON-decoded body against a single-row PK shape (scalar or
+* composite). Throws {@link ValidatorError} with structured `errors` so the
+* existing validation interceptor returns HTTP 400.
+*/
+function validateSinglePk(body, source, path = "") {
+	const errors = collectPkErrors(body, source, path);
+	if (errors.length > 0) throw new _atscript_typescript_utils.ValidatorError(errors);
+}
+/**
+* Validate a JSON-decoded body against an array of PK shapes (`@DbActionPKs`).
+* The body MUST be an array; each element is validated against the PK schema.
+*/
+function validateMultiPk(body, source) {
+	if (!Array.isArray(body)) throw new _atscript_typescript_utils.ValidatorError([{
+		path: "",
+		message: "Expected JSON array of primary keys",
+		details: []
+	}]);
+	const errors = [];
+	for (let i = 0; i < body.length; i++) errors.push(...collectPkErrors(body[i], source, `[${i}]`));
+	if (errors.length > 0) throw new _atscript_typescript_utils.ValidatorError(errors);
+}
+function collectPkErrors(value, source, pathPrefix) {
+	const pkFields = source.primaryKeys;
+	if (pkFields.length === 0) return [{
+		path: pathPrefix,
+		message: "Table has no primary key configured",
+		details: []
+	}];
+	const errors = [];
+	if (pkFields.length === 1) {
+		const err = checkScalar(value, findFieldDescriptor(source, pkFields[0]), pathPrefix);
+		if (err) errors.push(err);
+		return errors;
+	}
+	if (!isPlainObject(value)) {
+		errors.push({
+			path: pathPrefix,
+			message: "Expected JSON object for composite primary key",
+			details: []
+		});
+		return errors;
+	}
+	for (const fieldName of pkFields) {
+		const sub = pathPrefix ? `${pathPrefix}.${fieldName}` : fieldName;
+		if (!(fieldName in value)) {
+			errors.push({
+				path: sub,
+				message: `Missing primary-key field "${fieldName}"`,
+				details: []
+			});
+			continue;
+		}
+		const fd = findFieldDescriptor(source, fieldName);
+		const err = checkScalar(value[fieldName], fd, sub);
+		if (err) errors.push(err);
+	}
+	return errors;
+}
+function findFieldDescriptor(source, name) {
+	for (const fd of source.fieldDescriptors) if (fd.path === name) return fd;
+}
+function checkScalar(value, fd, path) {
+	const expected = fd?.designType ?? "string";
+	if (expected === "string" && typeof value !== "string") return scalarMismatch(path, expected, value);
+	if (expected === "number" && typeof value !== "number") return scalarMismatch(path, expected, value);
+	if (expected === "boolean" && typeof value !== "boolean") return scalarMismatch(path, expected, value);
+}
+function scalarMismatch(path, expected, value) {
+	return {
+		path,
+		message: `Expected primary-key value to be ${expected}, got ${describe(value)}`,
+		details: []
+	};
+}
+function describe(value) {
+	if (value === null) return "null";
+	if (Array.isArray(value)) return "array";
+	return typeof value;
+}
+function isPlainObject(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+//#endregion
+//#region src/actions/db-action-pk.decorator.ts
+/**
+* Parameter resolver that reads the primary key from the JSON request body
+* and validates it against the bound table's PK schema.
+*
+* - Single-field PK → JSON-encoded scalar (`"abc"`, `42`, `true`).
+* - Composite PK → JSON object with all PK fields.
+*
+* Validation is strict — no type coercion. Mismatches throw a
+* `ValidatorError` which the existing validation interceptor surfaces as
+* HTTP 400 with the same envelope as DTO failures.
+*
+* Marks the param so {@link discoverActions} can infer the action's `level`
+* as `'row'`.
+*/
+function DbActionPK() {
+	return createPkParamDecorator("pk", validateSinglePk, "dbActionPk");
+}
+//#endregion
+//#region src/actions/db-action-pks.decorator.ts
+/**
+* Parameter resolver that reads a JSON array of primary keys from the request
+* body and validates each entry against the bound table's PK schema.
+*
+* - Scalar PK → JSON array of scalars (`["a","b","c"]`).
+* - Composite PK → JSON array of objects.
+*
+* Validation is strict — no type coercion. Marks the param so
+* {@link discoverActions} can infer the action's `level` as `'rows'`.
+*/
+function DbActionPKs() {
+	return createPkParamDecorator("pks", validateMultiPk, "dbActionPks");
+}
+//#endregion
+//#region src/actions/db-actions.decorator.ts
+/**
+* Declare class-level actions on a controller. Entries are flat dicts with
+* `processor: 'navigate' | 'custom' | 'backend'` matching the `/meta` wire
+* shape (see {@link TDbActionsEntry}). Each entry MUST specify `level`. Use
+* the level-pinned shortcuts (`@DbTableActions`, `@DbRowActions`,
+* `@DbRowsActions`) to avoid repeating `level`.
+*
+* The dictionary key serves as the action `name`. Entries do NOT bind any
+* HTTP route — the meta builder surfaces them in `/meta` only. For
+* `processor: 'backend'`, the dev-supplied `value` MUST point to a real
+* `@Post`-bound endpoint accepting the level-determined body shape.
+*
+* Multiple `@DbActions` (and shortcut) decorators on the same class
+* accumulate.
+*/
+function DbActions(dict) {
+	return classLevelActions(dict);
+}
+/** Sugar for `@DbActions` with `level: 'table'` injected into each entry. */
+function DbTableActions(dict) {
+	return classLevelActions(dict, "table");
+}
+/** Sugar for `@DbActions` with `level: 'row'` injected into each entry. */
+function DbRowActions(dict) {
+	return classLevelActions(dict, "row");
+}
+/** Sugar for `@DbActions` with `level: 'rows'` injected into each entry. */
+function DbRowsActions(dict) {
+	return classLevelActions(dict, "rows");
+}
+function classLevelActions(dict, forcedLevel) {
+	const entries = [];
+	for (const [name, entry] of Object.entries(dict)) entries.push({
+		name,
+		entry,
+		forcedLevel
+	});
+	return (0, moost.getMoostMate)().decorate((current) => {
+		const existing = current["atscript_db_actions"] ?? [];
+		return {
+			...current,
+			[MOOST_DB_ACTIONS]: [...existing, ...entries]
+		};
+	});
+}
+//#endregion
 Object.defineProperty(exports, "AsDbController", {
 	enumerable: true,
 	get: function() {
@@ -734,10 +1679,37 @@ Object.defineProperty(exports, "AsDbReadableController", {
 		return AsDbReadableController;
 	}
 });
+Object.defineProperty(exports, "AsJsonValueHelpController", {
+	enumerable: true,
+	get: function() {
+		return AsJsonValueHelpController;
+	}
+});
+Object.defineProperty(exports, "AsReadableController", {
+	enumerable: true,
+	get: function() {
+		return AsReadableController;
+	}
+});
+Object.defineProperty(exports, "AsValueHelpController", {
+	enumerable: true,
+	get: function() {
+		return AsValueHelpController;
+	}
+});
+exports.DbAction = DbAction;
+exports.DbActionDefault = DbActionDefault;
+exports.DbActionPK = DbActionPK;
+exports.DbActionPKs = DbActionPKs;
+exports.DbActions = DbActions;
+exports.DbRowActions = DbRowActions;
+exports.DbRowsActions = DbRowsActions;
+exports.DbTableActions = DbTableActions;
 exports.READABLE_DEF = READABLE_DEF;
 exports.ReadableController = ReadableController;
 exports.TABLE_DEF = TABLE_DEF;
 exports.TableController = TableController;
 exports.UseValidationErrorTransform = UseValidationErrorTransform;
 exports.ViewController = ViewController;
+exports.discoverActions = discoverActions;
 exports.validationErrorTransform = validationErrorTransform;