@classytic/arc 1.0.0 → 1.0.8

package/dist/cli/index.js

@@ -1,520 +1,3269 @@
-import * as fs from 'fs/promises';
+import fp from 'fastify-plugin';
+import { existsSync, mkdirSync, writeFileSync } from 'fs';
 import * as path from 'path';
+import { join } from 'path';
+import * as fs from 'fs/promises';
+import * as readline from 'readline';
+import { execSync, spawn } from 'child_process';
+
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/registry/ResourceRegistry.ts
+var ResourceRegistry, registryKey, globalScope, resourceRegistry;
+var init_ResourceRegistry = __esm({
+  "src/registry/ResourceRegistry.ts"() {
+    ResourceRegistry = class {
+      _resources;
+      _frozen;
+      constructor() {
+        this._resources = /* @__PURE__ */ new Map();
+        this._frozen = false;
+      }
+      /**
+       * Register a resource
+       */
+      register(resource, options = {}) {
+        if (this._frozen) {
+          throw new Error(
+            `Registry frozen. Cannot register '${resource.name}' after startup.`
+          );
+        }
+        if (this._resources.has(resource.name)) {
+          throw new Error(`Resource '${resource.name}' already registered.`);
+        }
+        const entry = {
+          name: resource.name,
+          displayName: resource.displayName,
+          tag: resource.tag,
+          prefix: resource.prefix,
+          module: options.module ?? void 0,
+          adapter: resource.adapter ? {
+            type: resource.adapter.type,
+            name: resource.adapter.name
+          } : null,
+          permissions: resource.permissions,
+          presets: resource._appliedPresets ?? [],
+          routes: [],
+          // Populated later by getIntrospection()
+          additionalRoutes: resource.additionalRoutes.map((r) => ({
+            method: r.method,
+            path: r.path,
+            handler: typeof r.handler === "string" ? r.handler : r.handler.name || "anonymous",
+            summary: r.summary,
+            description: r.description,
+            permissions: r.permissions,
+            wrapHandler: r.wrapHandler,
+            schema: r.schema
+            // Include schema for OpenAPI docs
+          })),
+          events: Object.keys(resource.events ?? {}),
+          registeredAt: (/* @__PURE__ */ new Date()).toISOString(),
+          disableDefaultRoutes: resource.disableDefaultRoutes,
+          openApiSchemas: options.openApiSchemas,
+          plugin: resource.toPlugin()
+          // Store plugin factory
+        };
+        this._resources.set(resource.name, entry);
+        return this;
+      }
+      /**
+       * Get resource by name
+       */
+      get(name) {
+        return this._resources.get(name);
+      }
+      /**
+       * Get all resources
+       */
+      getAll() {
+        return Array.from(this._resources.values());
+      }
+      /**
+       * Get resources by module
+       */
+      getByModule(moduleName) {
+        return this.getAll().filter((r) => r.module === moduleName);
+      }
+      /**
+       * Get resources by preset
+       */
+      getByPreset(presetName) {
+        return this.getAll().filter((r) => r.presets.includes(presetName));
+      }
+      /**
+       * Check if resource exists
+       */
+      has(name) {
+        return this._resources.has(name);
+      }
+      /**
+       * Get registry statistics
+       */
+      getStats() {
+        const resources = this.getAll();
+        const presetCounts = {};
+        for (const r of resources) {
+          for (const preset of r.presets) {
+            presetCounts[preset] = (presetCounts[preset] ?? 0) + 1;
+          }
+        }
+        return {
+          totalResources: resources.length,
+          byModule: this._groupBy(resources, "module"),
+          presetUsage: presetCounts,
+          totalRoutes: resources.reduce((sum, r) => {
+            const defaultRouteCount = r.disableDefaultRoutes ? 0 : 5;
+            return sum + (r.additionalRoutes?.length ?? 0) + defaultRouteCount;
+          }, 0),
+          totalEvents: resources.reduce((sum, r) => sum + (r.events?.length ?? 0), 0)
+        };
+      }
+      /**
+       * Get full introspection data
+       */
+      getIntrospection() {
+        return {
+          resources: this.getAll().map((r) => {
+            const defaultRoutes = r.disableDefaultRoutes ? [] : [
+              { method: "GET", path: r.prefix, operation: "list" },
+              { method: "GET", path: `${r.prefix}/:id`, operation: "get" },
+              { method: "POST", path: r.prefix, operation: "create" },
+              { method: "PATCH", path: `${r.prefix}/:id`, operation: "update" },
+              { method: "DELETE", path: `${r.prefix}/:id`, operation: "delete" }
+            ];
+            return {
+              name: r.name,
+              displayName: r.displayName,
+              prefix: r.prefix,
+              module: r.module,
+              presets: r.presets,
+              permissions: r.permissions,
+              routes: [
+                ...defaultRoutes,
+                ...r.additionalRoutes?.map((ar) => ({
+                  method: ar.method,
+                  path: `${r.prefix}${ar.path}`,
+                  operation: typeof ar.handler === "string" ? ar.handler : "custom",
+                  handler: typeof ar.handler === "string" ? ar.handler : void 0,
+                  summary: ar.summary
+                })) ?? []
+              ],
+              events: r.events
+            };
+          }),
+          stats: this.getStats(),
+          generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+      /**
+       * Freeze registry (prevent further registrations)
+       */
+      freeze() {
+        this._frozen = true;
+      }
+      /**
+       * Check if frozen
+       */
+      isFrozen() {
+        return this._frozen;
+      }
+      /**
+       * Unfreeze registry (for testing)
+       */
+      _unfreeze() {
+        this._frozen = false;
+      }
+      /**
+       * Clear all resources (for testing)
+       */
+      _clear() {
+        this._resources.clear();
+        this._frozen = false;
+      }
+      /**
+       * Group by key
+       */
+      _groupBy(arr, key) {
+        const result = {};
+        for (const item of arr) {
+          const k = String(item[key] ?? "uncategorized");
+          result[k] = (result[k] ?? 0) + 1;
+        }
+        return result;
+      }
+    };
+    registryKey = /* @__PURE__ */ Symbol.for("arc.resourceRegistry");
+    globalScope = globalThis;
+    resourceRegistry = globalScope[registryKey] ?? new ResourceRegistry();
+    if (!globalScope[registryKey]) {
+      globalScope[registryKey] = resourceRegistry;
+    }
+  }
+});
+var introspectionPlugin, introspectionPlugin_default;
+var init_introspectionPlugin = __esm({
+  "src/registry/introspectionPlugin.ts"() {
+    init_ResourceRegistry();
+    introspectionPlugin = async (fastify, opts = {}) => {
+      const {
+        prefix = "/_resources",
+        authRoles = ["superadmin"],
+        enabled = process.env.NODE_ENV !== "production" || process.env.ENABLE_INTROSPECTION === "true"
+      } = opts;
+      if (!enabled) {
+        fastify.log?.info?.("Introspection plugin disabled");
+        return;
+      }
+      const typedFastify = fastify;
+      const authMiddleware = authRoles.length > 0 && typedFastify.authenticate ? [
+        typedFastify.authenticate,
+        typedFastify.authorize?.(...authRoles)
+      ].filter(Boolean) : [];
+      await fastify.register(async (instance) => {
+        instance.get(
+          "/",
+          {
+            preHandler: authMiddleware
+          },
+          async (_req, _reply) => {
+            return resourceRegistry.getIntrospection();
+          }
+        );
+        instance.get(
+          "/stats",
+          {
+            preHandler: authMiddleware
+          },
+          async (_req, _reply) => {
+            return resourceRegistry.getStats();
+          }
+        );
+        instance.get(
+          "/:name",
+          {
+            schema: {
+              params: {
+                type: "object",
+                properties: {
+                  name: { type: "string" }
+                },
+                required: ["name"]
+              }
+            },
+            preHandler: authMiddleware
+          },
+          async (req, reply) => {
+            const resource = resourceRegistry.get(req.params.name);
+            if (!resource) {
+              return reply.code(404).send({
+                error: `Resource '${req.params.name}' not found`
+              });
+            }
+            return resource;
+          }
+        );
+      }, { prefix });
+      fastify.log?.info?.(`Introspection API at ${prefix}`);
+    };
+    introspectionPlugin_default = fp(introspectionPlugin, { name: "arc-introspection" });
+  }
+});
+
+// src/registry/index.ts
+var registry_exports = {};
+__export(registry_exports, {
+  ResourceRegistry: () => ResourceRegistry,
+  introspectionPlugin: () => introspectionPlugin_default,
+  introspectionPluginFn: () => introspectionPlugin,
+  resourceRegistry: () => resourceRegistry
+});
+var init_registry = __esm({
+  "src/registry/index.ts"() {
+    init_ResourceRegistry();
+    init_introspectionPlugin();
+  }
+});
+function isTypeScriptProject() {
+  return existsSync(join(process.cwd(), "tsconfig.json"));
+}
+function getTemplates(ts) {
+  return {
+    model: (name) => `/**
+ * ${name} Model
+ * Generated by Arc CLI
+ */
+
+import mongoose${ts ? ", { type HydratedDocument }" : ""} from 'mongoose';
+
+const { Schema } = mongoose;
+${ts ? `
+type ${name} = {
+  name: string;
+  description?: string;
+  isActive: boolean;
+};
+
+export type ${name}Document = HydratedDocument<${name}>;
+` : ""}
+const ${name.toLowerCase()}Schema = new Schema${ts ? `<${name}>` : ""}(
+  {
+    name: { type: String, required: true, trim: true },
+    description: { type: String, trim: true },
+    isActive: { type: Boolean, default: true },
+  },
+  { timestamps: true }
+);
+
+// Indexes
+${name.toLowerCase()}Schema.index({ name: 1 });
+${name.toLowerCase()}Schema.index({ isActive: 1 });
+
+const ${name} = mongoose.models.${name}${ts ? ` as mongoose.Model<${name}>` : ""} || mongoose.model${ts ? `<${name}>` : ""}('${name}', ${name.toLowerCase()}Schema);
+export default ${name};
+`,
+    repository: (name) => `/**
+ * ${name} Repository
+ * Generated by Arc CLI
+ */
+
+import {
+  Repository,
+  methodRegistryPlugin,
+  softDeletePlugin,
+  mongoOperationsPlugin,
+} from '@classytic/mongokit';
+${ts ? `import type { ${name}Document } from './${name.toLowerCase()}.model.js';` : ""}
+import ${name} from './${name.toLowerCase()}.model.js';
+
+class ${name}Repository extends Repository${ts ? `<${name}Document>` : ""} {
+  constructor() {
+    super(${name}${ts ? " as any" : ""}, [
+      methodRegistryPlugin(),
+      softDeletePlugin(),
+      mongoOperationsPlugin(),
+    ]);
+  }
+
+  /**
+   * Find all active records
+   */
+  async findActive() {
+    return this.Model.find({ isActive: true, deletedAt: null }).lean();
+  }
+
+  // Add custom repository methods here
+}
+
+const ${name.toLowerCase()}Repository = new ${name}Repository();
+export default ${name.toLowerCase()}Repository;
+export { ${name}Repository };
+`,
+    controller: (name) => `/**
+ * ${name} Controller
+ * Generated by Arc CLI
+ */
+
+import { BaseController } from '@classytic/arc';
+import ${name.toLowerCase()}Repository from './${name.toLowerCase()}.repository.js';
+import { ${name.toLowerCase()}SchemaOptions } from './${name.toLowerCase()}.schemas.js';
+
+class ${name}Controller extends BaseController {
+  constructor() {
+    super(${name.toLowerCase()}Repository${ts ? " as any" : ""}, { schemaOptions: ${name.toLowerCase()}SchemaOptions });
+  }
+
+  // Add custom controller methods here
+}
+
+const ${name.toLowerCase()}Controller = new ${name}Controller();
+export default ${name.toLowerCase()}Controller;
+`,
+    schemas: (name) => `/**
+ * ${name} Schemas
+ * Generated by Arc CLI
+ */
+
+import ${name} from './${name.toLowerCase()}.model.js';
+import { buildCrudSchemasFromModel } from '@classytic/mongokit/utils';
+
+/**
+ * CRUD Schemas with Field Rules
+ */
+const crudSchemas = buildCrudSchemasFromModel(${name}, {
+  strictAdditionalProperties: true,
+  fieldRules: {
+    // Mark fields as system-managed (excluded from create/update)
+    // deletedAt: { systemManaged: true },
+  },
+  query: {
+    filterableFields: {
+      isActive: 'boolean',
+      createdAt: 'date',
+    },
+  },
+});
+
+// Schema options for controller
+export const ${name.toLowerCase()}SchemaOptions${ts ? ": any" : ""} = {
+  query: {
+    filterableFields: {
+      isActive: 'boolean',
+      createdAt: 'date',
+    },
+  },
+};
+
+export default crudSchemas;
+`,
+    resource: (name) => `/**
+ * ${name} Resource
+ * Generated by Arc CLI
+ */
+
+import { defineResource } from '@classytic/arc';
+import { createAdapter } from '#shared/adapter.js';
+import { publicReadPermissions } from '#shared/permissions.js';
+import ${name} from './${name.toLowerCase()}.model.js';
+import ${name.toLowerCase()}Repository from './${name.toLowerCase()}.repository.js';
+import ${name.toLowerCase()}Controller from './${name.toLowerCase()}.controller.js';
+
+const ${name.toLowerCase()}Resource = defineResource({
+  name: '${name.toLowerCase()}',
+  displayName: '${name}s',
+  prefix: '/${name.toLowerCase()}s',
+
+  adapter: createAdapter(${name}, ${name.toLowerCase()}Repository),
+  controller: ${name.toLowerCase()}Controller,
+
+  presets: ['softDelete'],
+
+  permissions: publicReadPermissions,
+
+  // Add custom routes here:
+  // additionalRoutes: [
+  //   {
+  //     method: 'GET',
+  //     path: '/custom',
+  //     summary: 'Custom endpoint',
+  //     handler: async (request, reply) => { ... },
+  //   },
+  // ],
+});
+
+export default ${name.toLowerCase()}Resource;
+`,
+    test: (name) => `/**
+ * ${name} Tests
+ * Generated by Arc CLI
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import mongoose from 'mongoose';
+import { createAppInstance } from '../src/app.js';
+${ts ? "import type { FastifyInstance } from 'fastify';\n" : ""}
+describe('${name} Resource', () => {
+  let app${ts ? ": FastifyInstance" : ""};
+
+  beforeAll(async () => {
+    const testDbUri = process.env.MONGODB_URI || 'mongodb://localhost:27017/test-${name.toLowerCase()}';
+    await mongoose.connect(testDbUri);
+    app = await createAppInstance();
+    await app.ready();
+  });
+
+  afterAll(async () => {
+    await app.close();
+    await mongoose.connection.close();
+  });
+
+  describe('GET /${name.toLowerCase()}s', () => {
+    it('should return a list', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: '/${name.toLowerCase()}s',
+      });
+
+      expect(response.statusCode).toBe(200);
+      const body = JSON.parse(response.body);
+      expect(body).toHaveProperty('docs');
+    });
+  });
+});
+`
+  };
+}
+async function generate(type, args) {
+  if (!type) {
+    console.error("Error: Missing type argument");
+    console.log("Usage: arc generate <resource|controller|model|repository|schemas> <name>");
+    process.exit(1);
+  }
+  const [name] = args;
+  if (!name) {
+    console.error("Error: Missing name argument");
+    console.log("Usage: arc generate <type> <name>");
+    console.log("Example: arc generate resource product");
+    process.exit(1);
+  }
+  const capitalizedName = name.charAt(0).toUpperCase() + name.slice(1);
+  const lowerName = name.toLowerCase();
+  const ts = isTypeScriptProject();
+  const ext = ts ? "ts" : "js";
+  const templates = getTemplates(ts);
+  const resourcePath = join(process.cwd(), "src", "resources", lowerName);
+  switch (type) {
+    case "resource":
+    case "r":
+      await generateResource(capitalizedName, lowerName, resourcePath, templates, ext);
+      break;
+    case "controller":
+    case "c":
+      await generateFile(capitalizedName, lowerName, resourcePath, "controller", templates.controller, ext);
+      break;
+    case "model":
+    case "m":
+      await generateFile(capitalizedName, lowerName, resourcePath, "model", templates.model, ext);
+      break;
+    case "repository":
+    case "repo":
+      await generateFile(capitalizedName, lowerName, resourcePath, "repository", templates.repository, ext);
+      break;
+    case "schemas":
+    case "s":
+      await generateFile(capitalizedName, lowerName, resourcePath, "schemas", templates.schemas, ext);
+      break;
+    default:
+      console.error(`Unknown type: ${type}`);
+      console.log("Available types: resource, controller, model, repository, schemas");
+      process.exit(1);
+  }
+}
+async function generateResource(name, lowerName, resourcePath, templates, ext) {
+  console.log(`
+📦 Generating resource: ${name}...
+`);
+  if (!existsSync(resourcePath)) {
+    mkdirSync(resourcePath, { recursive: true });
+    console.log(`  📁 Created: src/resources/${lowerName}/`);
+  }
+  const files = {
+    [`${lowerName}.model.${ext}`]: templates.model(name),
+    [`${lowerName}.repository.${ext}`]: templates.repository(name),
+    [`${lowerName}.controller.${ext}`]: templates.controller(name),
+    [`${lowerName}.schemas.${ext}`]: templates.schemas(name),
+    [`${lowerName}.resource.${ext}`]: templates.resource(name)
+  };
+  for (const [filename, content] of Object.entries(files)) {
+    const filepath = join(resourcePath, filename);
+    if (existsSync(filepath)) {
+      console.warn(`  ⚠  Skipped: ${filename} (already exists)`);
+    } else {
+      writeFileSync(filepath, content);
+      console.log(`  ✅ Created: ${filename}`);
+    }
+  }
+  const testsDir = join(process.cwd(), "tests");
+  if (!existsSync(testsDir)) {
+    mkdirSync(testsDir, { recursive: true });
+  }
+  const testPath = join(testsDir, `${lowerName}.test.${ext}`);
+  if (!existsSync(testPath)) {
+    writeFileSync(testPath, templates.test(name));
+    console.log(`  ✅ Created: tests/${lowerName}.test.${ext}`);
+  }
+  console.log(`
+╔═══════════════════════════════════════════════════════════════╗
+║                    ✅ Resource Generated!                     ║
+╚═══════════════════════════════════════════════════════════════╝
+
+Next steps:
+
+1. Register in src/resources/index.${ext}:
+   import ${lowerName}Resource from './${lowerName}/${lowerName}.resource.js';
+
+   export const resources = [
+     // ... existing resources
+     ${lowerName}Resource,
+   ];
+
+2. Customize the model schema in:
+   src/resources/${lowerName}/${lowerName}.model.${ext}
+
+3. Run tests:
+   npm test
+`);
+}
+async function generateFile(name, lowerName, resourcePath, fileType, template, ext) {
+  console.log(`
+📦 Generating ${fileType}: ${name}...
+`);
+  if (!existsSync(resourcePath)) {
+    mkdirSync(resourcePath, { recursive: true });
+    console.log(`  📁 Created: src/resources/${lowerName}/`);
+  }
+  const filename = `${lowerName}.${fileType}.${ext}`;
+  const filepath = join(resourcePath, filename);
+  if (existsSync(filepath)) {
+    console.error(`  ❌ Error: ${filename} already exists`);
+    process.exit(1);
+  }
+  writeFileSync(filepath, template(name));
+  console.log(`  ✅ Created: ${filename}`);
+}
+async function init(options = {}) {
+  console.log(`
+╔═══════════════════════════════════════════════════════════════╗
+║                    🔥 Arc Project Setup                       ║
+║         Resource-Oriented Backend Framework                   ║
+╚═══════════════════════════════════════════════════════════════╝
+`);
+  const config = await gatherConfig(options);
+  console.log(`
+📦 Creating project: ${config.name}`);
+  console.log(`   Adapter: ${config.adapter === "mongokit" ? "MongoKit (MongoDB)" : "Custom"}`);
+  console.log(`   Tenant: ${config.tenant === "multi" ? "Multi-tenant" : "Single-tenant"}`);
+  console.log(`   Language: ${config.typescript ? "TypeScript" : "JavaScript"}
+`);
+  const projectPath = path.join(process.cwd(), config.name);
+  try {
+    await fs.access(projectPath);
+    if (!options.force) {
+      console.error(`❌ Directory "${config.name}" already exists. Use --force to overwrite.`);
+      process.exit(1);
+    }
+  } catch {
+  }
+  const packageManager = detectPackageManager();
+  console.log(`📦 Using package manager: ${packageManager}
+`);
+  await createProjectStructure(projectPath, config);
+  if (!options.skipInstall) {
+    console.log("\n📥 Installing dependencies...\n");
+    await installDependencies(projectPath, config, packageManager);
+  }
+  printSuccessMessage(config, options.skipInstall);
+}
+function detectPackageManager() {
+  try {
+    const cwd = process.cwd();
+    if (existsSync2(path.join(cwd, "pnpm-lock.yaml"))) return "pnpm";
+    if (existsSync2(path.join(cwd, "yarn.lock"))) return "yarn";
+    if (existsSync2(path.join(cwd, "bun.lockb"))) return "bun";
+    if (existsSync2(path.join(cwd, "package-lock.json"))) return "npm";
+  } catch {
+  }
+  if (isCommandAvailable("pnpm")) return "pnpm";
+  if (isCommandAvailable("yarn")) return "yarn";
+  if (isCommandAvailable("bun")) return "bun";
+  return "npm";
+}
+function isCommandAvailable(command) {
+  try {
+    execSync(`${command} --version`, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function existsSync2(filePath) {
+  try {
+    __require("fs").accessSync(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function installDependencies(projectPath, config, pm) {
+  const deps = [
+    "@classytic/arc@latest",
+    "fastify@latest",
+    "@fastify/cors@latest",
+    "@fastify/helmet@latest",
+    "@fastify/jwt@latest",
+    "@fastify/rate-limit@latest",
+    "@fastify/sensible@latest",
+    "@fastify/under-pressure@latest",
+    "bcryptjs@latest",
+    "dotenv@latest",
+    "jsonwebtoken@latest"
+  ];
+  if (config.adapter === "mongokit") {
+    deps.push("@classytic/mongokit@latest", "mongoose@latest");
+  }
+  const devDeps = [
+    "vitest@latest",
+    "pino-pretty@latest"
+  ];
+  if (config.typescript) {
+    devDeps.push(
+      "typescript@latest",
+      "@types/node@latest",
+      "@types/jsonwebtoken@latest",
+      "tsx@latest"
+    );
+  }
+  const installCmd = getInstallCommand(pm, deps, false);
+  const installDevCmd = getInstallCommand(pm, devDeps, true);
+  console.log(`  Installing dependencies...`);
+  await runCommand(installCmd, projectPath);
+  console.log(`  Installing dev dependencies...`);
+  await runCommand(installDevCmd, projectPath);
+  console.log(`
+✅ Dependencies installed successfully!`);
+}
+function getInstallCommand(pm, packages, isDev) {
+  const pkgList = packages.join(" ");
+  switch (pm) {
+    case "pnpm":
+      return `pnpm add ${isDev ? "-D" : ""} ${pkgList}`;
+    case "yarn":
+      return `yarn add ${isDev ? "-D" : ""} ${pkgList}`;
+    case "bun":
+      return `bun add ${isDev ? "-d" : ""} ${pkgList}`;
+    case "npm":
+    default:
+      return `npm install ${isDev ? "--save-dev" : ""} ${pkgList}`;
+  }
+}
+function runCommand(command, cwd) {
+  return new Promise((resolve, reject) => {
+    const isWindows = process.platform === "win32";
+    const shell = isWindows ? "cmd" : "/bin/sh";
+    const shellFlag = isWindows ? "/c" : "-c";
+    const child = spawn(shell, [shellFlag, command], {
+      cwd,
+      stdio: "inherit",
+      env: { ...process.env, FORCE_COLOR: "1" }
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(new Error(`Command failed with exit code ${code}`));
+      }
+    });
+    child.on("error", reject);
+  });
+}
+async function gatherConfig(options) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  const question = (prompt) => new Promise((resolve) => rl.question(prompt, resolve));
+  try {
+    const name = options.name || await question("📁 Project name: ") || "my-arc-app";
+    let adapter = options.adapter || "mongokit";
+    if (!options.adapter) {
+      const adapterChoice = await question("🗄️  Database adapter [1=MongoKit (recommended), 2=Custom]: ");
+      adapter = adapterChoice === "2" ? "custom" : "mongokit";
+    }
+    let tenant = options.tenant || "single";
+    if (!options.tenant) {
+      const tenantChoice = await question("🏢 Tenant mode [1=Single-tenant, 2=Multi-tenant]: ");
+      tenant = tenantChoice === "2" ? "multi" : "single";
+    }
+    let typescript = options.typescript ?? true;
+    if (options.typescript === void 0) {
+      const tsChoice = await question("�� Language [1=TypeScript (recommended), 2=JavaScript]: ");
+      typescript = tsChoice !== "2";
+    }
+    return { name, adapter, tenant, typescript };
+  } finally {
+    rl.close();
+  }
+}
+async function createProjectStructure(projectPath, config) {
+  const ext = config.typescript ? "ts" : "js";
+  const dirs = [
+    "",
+    "src",
+    "src/config",
+    // Config & env loading (import first!)
+    "src/shared",
+    // Shared utilities (adapters, presets, permissions)
+    "src/shared/presets",
+    // Preset definitions
+    "src/plugins",
+    // App-specific plugins
+    "src/resources",
+    // Resource definitions
+    "src/resources/user",
+    // User resource (user.model, user.repository, etc.)
+    "src/resources/auth",
+    // Auth resource (auth.resource, auth.handlers, etc.)
+    "src/resources/example",
+    // Example resource
+    "tests"
+  ];
+  for (const dir of dirs) {
+    await fs.mkdir(path.join(projectPath, dir), { recursive: true });
+    console.log(`  📁 Created: ${dir || "/"}`);
+  }
+  const files = {
+    "package.json": packageJsonTemplate(config),
+    ".gitignore": gitignoreTemplate(),
+    ".env.example": envExampleTemplate(config),
+    ".env.dev": envDevTemplate(config),
+    "README.md": readmeTemplate(config)
+  };
+  if (config.typescript) {
+    files["tsconfig.json"] = tsconfigTemplate();
+  }
+  files["vitest.config.ts"] = vitestConfigTemplate(config);
+  files[`src/config/env.${ext}`] = envLoaderTemplate(config);
+  files[`src/config/index.${ext}`] = configTemplate(config);
+  files[`src/app.${ext}`] = appTemplate(config);
+  files[`src/index.${ext}`] = indexTemplate(config);
+  files[`src/shared/index.${ext}`] = sharedIndexTemplate(config);
+  files[`src/shared/adapter.${ext}`] = config.adapter === "mongokit" ? createAdapterTemplate(config) : customAdapterTemplate(config);
+  files[`src/shared/permissions.${ext}`] = permissionsTemplate(config);
+  if (config.tenant === "multi") {
+    files[`src/shared/presets/index.${ext}`] = presetsMultiTenantTemplate(config);
+    files[`src/shared/presets/flexible-multi-tenant.${ext}`] = flexibleMultiTenantPresetTemplate(config);
+  } else {
+    files[`src/shared/presets/index.${ext}`] = presetsSingleTenantTemplate(config);
+  }
+  files[`src/plugins/index.${ext}`] = pluginsIndexTemplate(config);
+  files[`src/resources/index.${ext}`] = resourcesIndexTemplate(config);
+  files[`src/resources/user/user.model.${ext}`] = userModelTemplate(config);
+  files[`src/resources/user/user.repository.${ext}`] = userRepositoryTemplate(config);
+  files[`src/resources/user/user.controller.${ext}`] = userControllerTemplate(config);
+  files[`src/resources/auth/auth.resource.${ext}`] = authResourceTemplate(config);
+  files[`src/resources/auth/auth.handlers.${ext}`] = authHandlersTemplate(config);
+  files[`src/resources/auth/auth.schemas.${ext}`] = authSchemasTemplate();
+  files[`src/resources/example/example.model.${ext}`] = exampleModelTemplate(config);
+  files[`src/resources/example/example.repository.${ext}`] = exampleRepositoryTemplate(config);
+  files[`src/resources/example/example.resource.${ext}`] = exampleResourceTemplate(config);
+  files[`src/resources/example/example.controller.${ext}`] = exampleControllerTemplate(config);
+  files[`src/resources/example/example.schemas.${ext}`] = exampleSchemasTemplate(config);
+  files[`tests/example.test.${ext}`] = exampleTestTemplate(config);
+  files[`tests/auth.test.${ext}`] = authTestTemplate(config);
+  for (const [filePath, content] of Object.entries(files)) {
+    const fullPath = path.join(projectPath, filePath);
+    await fs.mkdir(path.dirname(fullPath), { recursive: true });
+    await fs.writeFile(fullPath, content);
+    console.log(`  ✅ Created: ${filePath}`);
+  }
+}
+function packageJsonTemplate(config) {
+  const scripts = config.typescript ? {
+    dev: "tsx watch src/index.ts",
+    build: "tsc",
+    start: "node dist/index.js",
+    test: "vitest run",
+    "test:watch": "vitest"
+  } : {
+    dev: "node --watch src/index.js",
+    start: "node src/index.js",
+    test: "vitest run",
+    "test:watch": "vitest"
+  };
+  const imports = config.typescript ? {
+    "#config/*": "./dist/config/*",
+    "#shared/*": "./dist/shared/*",
+    "#resources/*": "./dist/resources/*",
+    "#plugins/*": "./dist/plugins/*"
+  } : {
+    "#config/*": "./src/config/*",
+    "#shared/*": "./src/shared/*",
+    "#resources/*": "./src/resources/*",
+    "#plugins/*": "./src/plugins/*"
+  };
+  return JSON.stringify(
+    {
+      name: config.name,
+      version: "1.0.0",
+      type: "module",
+      main: config.typescript ? "dist/index.js" : "src/index.js",
+      imports,
+      scripts,
+      engines: {
+        node: ">=20"
+      }
+    },
+    null,
+    2
+  );
+}
+function tsconfigTemplate() {
+  return JSON.stringify(
+    {
+      compilerOptions: {
+        target: "ES2022",
+        module: "NodeNext",
+        moduleResolution: "NodeNext",
+        lib: ["ES2022"],
+        outDir: "./dist",
+        rootDir: "./src",
+        strict: true,
+        esModuleInterop: true,
+        skipLibCheck: true,
+        forceConsistentCasingInFileNames: true,
+        declaration: true,
+        declarationMap: true,
+        sourceMap: true,
+        resolveJsonModule: true,
+        paths: {
+          "#shared/*": ["./src/shared/*"],
+          "#resources/*": ["./src/resources/*"],
+          "#config/*": ["./src/config/*"],
+          "#plugins/*": ["./src/plugins/*"]
+        }
+      },
+      include: ["src/**/*"],
+      exclude: ["node_modules", "dist"]
+    },
+    null,
+    2
+  );
+}
+function vitestConfigTemplate(config) {
+  const srcDir = config.typescript ? "./src" : "./src";
+  return `import { defineConfig } from 'vitest/config';
+import { resolve } from 'path';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+  },
+  resolve: {
+    alias: {
+      '#config': resolve(__dirname, '${srcDir}/config'),
+      '#shared': resolve(__dirname, '${srcDir}/shared'),
+      '#resources': resolve(__dirname, '${srcDir}/resources'),
+      '#plugins': resolve(__dirname, '${srcDir}/plugins'),
+    },
+  },
+});
+`;
+}
+function gitignoreTemplate() {
+  return `# Dependencies
+node_modules/
+
+# Build
+dist/
+*.js.map
+
+# Environment
+.env
+.env.local
+.env.*.local
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+npm-debug.log*
+
+# Test coverage
+coverage/
+`;
+}
+function envExampleTemplate(config) {
+  let content = `# Server
+PORT=8040
+HOST=0.0.0.0
+NODE_ENV=development
+
+# JWT
+JWT_SECRET=your-32-character-minimum-secret-here
+`;
+  if (config.adapter === "mongokit") {
+    content += `
+# MongoDB
+MONGODB_URI=mongodb://localhost:27017/${config.name}
+`;
+  }
+  if (config.tenant === "multi") {
+    content += `
+# Multi-tenant
+DEFAULT_ORG_ID=
+`;
+  }
+  return content;
+}
+function readmeTemplate(config) {
+  const ext = config.typescript ? "ts" : "js";
+  return `# ${config.name}
+
+Built with [Arc](https://github.com/classytic/arc) - Resource-Oriented Backend Framework
+
+## Quick Start
+
+\`\`\`bash
+# Install dependencies
+npm install
+
+# Start development server (uses .env.dev)
+npm run dev
+
+# Run tests
+npm test
+\`\`\`
+
+## Project Structure
+
+\`\`\`
+src/
+├── config/                  # Configuration (loaded first)
+│   ├── env.${ext}              # Env loader (import first!)
+│   └── index.${ext}            # App config
+├── shared/                  # Shared utilities
+│   ├── adapter.${ext}          # ${config.adapter === "mongokit" ? "MongoKit adapter factory" : "Custom adapter"}
+│   ├── permissions.${ext}      # Permission helpers
+│   └── presets/             # ${config.tenant === "multi" ? "Multi-tenant presets" : "Standard presets"}
+├── plugins/                 # App-specific plugins
+│   └── index.${ext}            # Plugin registry
+├── resources/               # API Resources
+│   ├── index.${ext}            # Resource registry
+│   └── example/             # Example resource
+│       ├── index.${ext}        # Resource definition
+│       ├── model.${ext}        # Mongoose schema
+│       └── repository.${ext}   # MongoKit repository
+├── app.${ext}                  # App factory (reusable)
+└── index.${ext}                # Server entry point
+tests/
+└── example.test.${ext}         # Example tests
+\`\`\`
+
+## Architecture
+
+### Entry Points
+
+- **\`src/index.${ext}\`** - HTTP server entry point
+- **\`src/app.${ext}\`** - App factory (import for workers/tests)
+
+\`\`\`${config.typescript ? "typescript" : "javascript"}
+// For workers or custom entry points:
+import { createAppInstance } from './app.js';
+
+const app = await createAppInstance();
+// Use app for your worker logic
+\`\`\`
+
+### Adding Resources
+
+1. Create a new folder in \`src/resources/\`:
+
+\`\`\`
+src/resources/product/
+├── index.${ext}      # Resource definition
+├── model.${ext}      # Mongoose schema
+└── repository.${ext} # MongoKit repository
+\`\`\`
+
+2. Register in \`src/resources/index.${ext}\`:
+
+\`\`\`${config.typescript ? "typescript" : "javascript"}
+import productResource from './product/index.js';
+
+export const resources = [
+  exampleResource,
+  productResource,  // Add here
+];
+\`\`\`
+
+### Adding Plugins
+
+Add custom plugins in \`src/plugins/index.${ext}\`:
+
+\`\`\`${config.typescript ? "typescript" : "javascript"}
+export async function registerPlugins(app, deps) {
+  const { config } = deps;  // Explicit dependency injection
+
+  await app.register(myCustomPlugin, { ...options });
+}
+\`\`\`
+
+## CLI Commands
+
+\`\`\`bash
+# Generate a new resource
+arc generate resource product
+
+# Introspect existing schema
+arc introspect
+
+# Generate API docs
+arc docs
+\`\`\`
+
+## Environment Files
+
+- \`.env.dev\` - Development (default)
+- \`.env.test\` - Testing
+- \`.env.prod\` - Production
+- \`.env\` - Fallback
+
+## API Documentation
+
+API documentation is available via Scalar UI:
+
+- **Interactive UI**: [http://localhost:8040/docs](http://localhost:8040/docs)
+- **OpenAPI Spec**: [http://localhost:8040/_docs/openapi.json](http://localhost:8040/_docs/openapi.json)
+
+## API Endpoints
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| GET | /docs | API documentation (Scalar UI) |
+| GET | /_docs/openapi.json | OpenAPI 3.0 spec |
+| GET | /examples | List all |
+| GET | /examples/:id | Get by ID |
+| POST | /examples | Create |
+| PATCH | /examples/:id | Update |
+| DELETE | /examples/:id | Delete |
+`;
+}
+function indexTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * ${config.name} - Server Entry Point
+ * Generated by Arc CLI
+ *
+ * This file starts the HTTP server.
+ * For workers or other entry points, import createAppInstance from './app.js'
+ */
+
+// Load environment FIRST (before any other imports)
+import '#config/env.js';
+
+import config from '#config/index.js';
+${config.adapter === "mongokit" ? "import mongoose from 'mongoose';" : ""}
+import { createAppInstance } from './app.js';
+
+async function main()${ts ? ": Promise<void>" : ""} {
+  console.log(\`🔧 Environment: \${config.env}\`);
+${config.adapter === "mongokit" ? `
+  // Connect to MongoDB
+  await mongoose.connect(config.database.uri);
+  console.log('📦 Connected to MongoDB');
+` : ""}
+  // Create and configure app
+  const app = await createAppInstance();
+
+  // Start server
+  await app.listen({ port: config.server.port, host: config.server.host });
+  console.log(\`🚀 Server running at http://\${config.server.host}:\${config.server.port}\`);
+}
+
+main().catch((err) => {
+  console.error('❌ Failed to start server:', err);
+  process.exit(1);
+});
+`;
+}
+function appTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? "import type { FastifyInstance } from 'fastify';\n" : "";
+  return `/**
+ * ${config.name} - App Factory
+ * Generated by Arc CLI
+ *
+ * Creates and configures the Fastify app instance.
+ * Can be imported by:
+ * - index.ts (HTTP server)
+ * - worker.ts (background workers)
+ * - tests (integration tests)
+ */
+
+${typeImport}import config from '#config/index.js';
+import { createApp } from '@classytic/arc/factory';
+
+// App-specific plugins
+import { registerPlugins } from '#plugins/index.js';
+
+// Resource registry
+import { registerResources } from '#resources/index.js';
+
+/**
+ * Create a fully configured app instance
+ *
+ * @returns Configured Fastify instance ready to use
+ */
+export async function createAppInstance()${ts ? ": Promise<FastifyInstance>" : ""} {
+  // Create Arc app with base configuration
+  const app = await createApp({
+    preset: config.env === 'production' ? 'production' : 'development',
+    auth: {
+      jwt: { secret: config.jwt.secret },
+    },
+    cors: {
+      origin: config.cors.origins,
+      methods: config.cors.methods,
+      allowedHeaders: config.cors.allowedHeaders,
+      credentials: config.cors.credentials,
+    },
+  });
+
+  // Register app-specific plugins (explicit dependency injection)
+  await registerPlugins(app, { config });
+
+  // Register all resources
+  await registerResources(app);
+
+  return app;
+}
+
+export default createAppInstance;
+`;
+}
+function envLoaderTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Environment Loader
+ *
+ * MUST be imported FIRST before any other imports.
+ * Loads .env files based on NODE_ENV.
+ *
+ * Usage:
+ *   import './config/env.js';  // First line of entry point
+ */
+
+import dotenv from 'dotenv';
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+/**
+ * Normalize environment string to short form
+ */
+function normalizeEnv(env${ts ? ": string | undefined" : ""})${ts ? ": string" : ""} {
+  const normalized = (env || '').toLowerCase();
+  if (normalized === 'production' || normalized === 'prod') return 'prod';
+  if (normalized === 'test' || normalized === 'qa') return 'test';
+  return 'dev';
+}
+
+// Determine environment
+const env = normalizeEnv(process.env.NODE_ENV);
+
+// Load environment-specific .env file
+const envFile = resolve(process.cwd(), \`.env.\${env}\`);
+const defaultEnvFile = resolve(process.cwd(), '.env');
+
+if (existsSync(envFile)) {
+  dotenv.config({ path: envFile });
+  console.log(\`📄 Loaded: .env.\${env}\`);
+} else if (existsSync(defaultEnvFile)) {
+  dotenv.config({ path: defaultEnvFile });
+  console.log('📄 Loaded: .env');
+} else {
+  console.warn('⚠️  No .env file found');
+}
+
+// Export for reference
+export const ENV = env;
+`;
+}
+function envDevTemplate(config) {
+  let content = `# Development Environment
+NODE_ENV=development
+
+# Server
+PORT=8040
+HOST=0.0.0.0
+
+# JWT
+JWT_SECRET=dev-secret-change-in-production-min-32-chars
+JWT_EXPIRES_IN=7d
+
+# CORS - Allowed origins
+# Options:
+#   * = allow all origins (not recommended for production)
+#   Comma-separated list = specific origins only
+CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+`;
+  if (config.adapter === "mongokit") {
+    content += `
+# MongoDB
+MONGODB_URI=mongodb://localhost:27017/${config.name}
+`;
+  }
+  if (config.tenant === "multi") {
+    content += `
+# Multi-tenant
+ORG_HEADER=x-organization-id
+`;
+  }
+  return content;
+}
+function pluginsIndexTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? "import type { FastifyInstance } from 'fastify';\n" : "";
+  const configType = ts ? ": { config: AppConfig }" : "";
+  const appType = ts ? ": FastifyInstance" : "";
+  let content = `/**
+ * App Plugins Registry
+ *
+ * Register your app-specific plugins here.
+ * Dependencies are passed explicitly (no shims, no magic).
+ */
+
+${typeImport}${ts ? "import type { AppConfig } from '../config/index.js';\n" : ""}import { openApiPlugin, scalarPlugin } from '@classytic/arc/docs';
+`;
+  if (config.tenant === "multi") {
+    content += `import { orgScopePlugin } from '@classytic/arc/org';
+`;
+  }
+  content += `
+/**
+ * Register all app-specific plugins
+ *
+ * @param app - Fastify instance
+ * @param deps - Explicit dependencies (config, services, etc.)
+ */
+export async function registerPlugins(
+  app${appType},
+  deps${configType}
+)${ts ? ": Promise<void>" : ""} {
+  const { config } = deps;
+
+  // API Documentation (Scalar UI)
+  // OpenAPI spec: /_docs/openapi.json
+  // Scalar UI: /docs
+  await app.register(openApiPlugin, {
+    title: '${config.name} API',
+    version: '1.0.0',
+    description: 'API documentation for ${config.name}',
+  });
+  await app.register(scalarPlugin, {
+    routePrefix: '/docs',
+    theme: 'default',
+  });
+`;
+  if (config.tenant === "multi") {
+    content += `
+  // Multi-tenant org scope
+  await app.register(orgScopePlugin, {
+    header: config.org?.header || 'x-organization-id',
+    bypassRoles: ['superadmin', 'admin'],
+  });
+`;
+  }
+  content += `
+  // Add your custom plugins here:
+  // await app.register(myCustomPlugin, { ...options });
+}
+`;
+  return content;
+}
+function resourcesIndexTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? "import type { FastifyInstance } from 'fastify';\n" : "";
+  const appType = ts ? ": FastifyInstance" : "";
+  return `/**
+ * Resources Registry
+ *
+ * Central registry for all API resources.
+ * Flat structure - no barrels, direct imports.
+ */
+
+${typeImport}
+// Auth resources (register, login, /users/me)
+import { authResource, userProfileResource } from './auth/auth.resource.js';
+
+// App resources
+import exampleResource from './example/example.resource.js';
+
+// Add more resources here:
+// import productResource from './product/product.resource.js';
+
+/**
+ * All registered resources
+ */
+export const resources = [
+  authResource,
+  userProfileResource,
+  exampleResource,
+]${ts ? " as const" : ""};
+
+/**
+ * Register all resources with the app
+ */
+export async function registerResources(app${appType})${ts ? ": Promise<void>" : ""} {
+  for (const resource of resources) {
+    await app.register(resource.toPlugin());
+  }
+}
+`;
+}
+function sharedIndexTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Shared Utilities
+ *
+ * Central exports for resource definitions.
+ * Import from here for clean, consistent code.
+ */
+
+// Adapter factory
+export { createAdapter } from './adapter.js';
+
+// Core Arc exports
+export { createMongooseAdapter, defineResource } from '@classytic/arc';
+
+// Permission helpers
+export {
+  allowPublic,
+  requireAuth,
+  requireRoles,
+  requireOwnership,
+  allOf,
+  anyOf,
+  denyAll,
+  when,${ts ? "\n  type PermissionCheck," : ""}
+} from '@classytic/arc/permissions';
+
+// Application permissions
+export * from './permissions.js';
+
+// Presets
+export * from './presets/index.js';
+`;
+}
+function createAdapterTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * MongoKit Adapter Factory
+ *
+ * Creates Arc adapters using MongoKit repositories.
+ * The repository handles query parsing via MongoKit's built-in QueryParser.
+ */
+
+import { createMongooseAdapter } from '@classytic/arc';
+${ts ? "import type { Model } from 'mongoose';\nimport type { Repository } from '@classytic/mongokit';" : ""}
+
+/**
+ * Create a MongoKit-powered adapter for a resource
+ *
+ * Note: Query parsing is handled by MongoKit's Repository class.
+ * Just pass the model and repository - Arc handles the rest.
+ */
+export function createAdapter${ts ? "<TDoc, TRepo extends Repository<TDoc>>" : ""}(
+  model${ts ? ": Model<TDoc>" : ""},
+  repository${ts ? ": TRepo" : ""}
+)${ts ? ": ReturnType<typeof createMongooseAdapter>" : ""} {
+  return createMongooseAdapter({
+    model,
+    repository,
+  });
+}
+`;
+}
+function customAdapterTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Custom Adapter Factory
+ *
+ * Implement your own database adapter here.
+ */
+
+import { createMongooseAdapter } from '@classytic/arc';
+${ts ? "import type { Model } from 'mongoose';" : ""}
+
+/**
+ * Create a custom adapter for a resource
+ *
+ * Implement this based on your database choice:
+ * - Prisma: Use @classytic/prismakit (coming soon)
+ * - Drizzle: Create custom adapter
+ * - Raw SQL: Create custom adapter
+ */
+export function createAdapter${ts ? "<TDoc>" : ""}(
+  model${ts ? ": Model<TDoc>" : ""},
+  repository${ts ? ": any" : ""}
+)${ts ? ": ReturnType<typeof createMongooseAdapter>" : ""} {
+  // TODO: Implement your custom adapter
+  return createMongooseAdapter({
+    model,
+    repository,
+  });
+}
+`;
+}
+function presetsMultiTenantTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Arc Presets - Multi-Tenant Configuration
+ *
+ * Pre-configured presets for multi-tenant applications.
+ * Includes both strict and flexible tenant isolation options.
+ */
+
+import {
+  multiTenantPreset,
+  ownedByUserPreset,
+  softDeletePreset,
+  slugLookupPreset,
+} from '@classytic/arc/presets';
+
+// Flexible preset for mixed public/private routes
+export { flexibleMultiTenantPreset } from './flexible-multi-tenant.js';
+
+/**
+ * Organization-scoped preset (STRICT)
+ * Always requires auth, always filters by organizationId.
+ * Use for admin-only resources.
+ */
+export const orgScoped = multiTenantPreset({
+  tenantField: 'organizationId',
+  bypassRoles: ['superadmin', 'admin'],
+});
+
+/**
+ * Owned by creator preset
+ * Filters queries by createdBy field.
+ */
+export const ownedByCreator = ownedByUserPreset({
+  ownerField: 'createdBy',
+});
+
+/**
+ * Owned by user preset
+ * For resources where userId references the owner.
+ */
+export const ownedByUser = ownedByUserPreset({
+  ownerField: 'userId',
+});
+
+/**
+ * Soft delete preset
+ * Adds deletedAt filtering and restore endpoint.
+ */
+export const softDelete = softDeletePreset();
+
+/**
+ * Slug lookup preset
+ * Enables GET by slug in addition to ID.
+ */
+export const slugLookup = slugLookupPreset();
+
+// Export all presets
+export const presets = {
+  orgScoped,
+  ownedByCreator,
+  ownedByUser,
+  softDelete,
+  slugLookup,
+}${ts ? " as const" : ""};
+
+export default presets;
+`;
+}
+function presetsSingleTenantTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Arc Presets - Single-Tenant Configuration
+ *
+ * Pre-configured presets for single-tenant applications.
+ */
+
+import {
+  ownedByUserPreset,
+  softDeletePreset,
+  slugLookupPreset,
+} from '@classytic/arc/presets';
+
+/**
+ * Owned by creator preset
+ * Filters queries by createdBy field.
+ */
+export const ownedByCreator = ownedByUserPreset({
+  ownerField: 'createdBy',
+});
+
+/**
+ * Owned by user preset
+ * For resources where userId references the owner.
+ */
+export const ownedByUser = ownedByUserPreset({
+  ownerField: 'userId',
+});
+
+/**
+ * Soft delete preset
+ * Adds deletedAt filtering and restore endpoint.
+ */
+export const softDelete = softDeletePreset();
+
+/**
+ * Slug lookup preset
+ * Enables GET by slug in addition to ID.
+ */
+export const slugLookup = slugLookupPreset();
+
+// Export all presets
+export const presets = {
+  ownedByCreator,
+  ownedByUser,
+  softDelete,
+  slugLookup,
+}${ts ? " as const" : ""};
+
+export default presets;
+`;
+}
+function flexibleMultiTenantPresetTemplate(config) {
+  const ts = config.typescript;
+  const typeAnnotations = ts ? `
+interface FlexibleMultiTenantOptions {
+  tenantField?: string;
+  bypassRoles?: string[];
+  extractOrganizationId?: (request: any) => string | null;
+}
+
+interface PresetMiddlewares {
+  list: ((request: any, reply: any) => Promise<void>)[];
+  get: ((request: any, reply: any) => Promise<void>)[];
+  create: ((request: any, reply: any) => Promise<void>)[];
+  update: ((request: any, reply: any) => Promise<void>)[];
+  delete: ((request: any, reply: any) => Promise<void>)[];
+}
+
+interface Preset {
+  [key: string]: unknown;
+  name: string;
+  middlewares: PresetMiddlewares;
+}
+` : "";
+  return `/**
+ * Flexible Multi-Tenant Preset
+ *
+ * Smarter tenant filtering that works with public + authenticated routes.
+ *
+ * Philosophy:
+ * - No org header → No filtering (public data, all orgs)
+ * - Org header present → Require auth, filter by org
+ *
+ * This differs from Arc's strict multiTenant which always requires auth.
+ */
+${typeAnnotations}
+/**
+ * Default organization ID extractor
+ * Tries multiple sources in order of priority
+ */
+function defaultExtractOrganizationId(request${ts ? ": any" : ""})${ts ? ": string | null" : ""} {
+  // Priority 1: Explicit context (set by org-scope plugin)
+  if (request.context?.organizationId) {
+    return String(request.context.organizationId);
+  }
+
+  // Priority 2: User's organizationId field
+  if (request.user?.organizationId) {
+    return String(request.user.organizationId);
+  }
+
+  // Priority 3: User's organization object (nested)
+  if (request.user?.organization) {
+    const org = request.user.organization;
+    return String(org._id || org.id || org);
+  }
+
+  return null;
+}
+
+/**
+ * Create flexible tenant filter middleware
+ * Only filters when org context is present
+ */
+function createFlexibleTenantFilter(
+  tenantField${ts ? ": string" : ""},
+  bypassRoles${ts ? ": string[]" : ""},
+  extractOrganizationId${ts ? ": (request: any) => string | null" : ""}
+) {
+  return async (request${ts ? ": any" : ""}, reply${ts ? ": any" : ""}) => {
+    const user = request.user;
+    const orgId = extractOrganizationId(request);
+
+    // No org context - allow through (public data, no filtering)
+    if (!orgId) {
+      request.log?.debug?.({ msg: 'No org context - showing all data' });
+      return;
+    }
+
+    // Org context present - auth should already be handled by org-scope plugin
+    // But double-check for safety
+    if (!user) {
+      request.log?.warn?.({ msg: 'Org context present but no user - should not happen' });
+      return reply.code(401).send({
+        success: false,
+        error: 'Unauthorized',
+        message: 'Authentication required for organization-scoped data',
+      });
+    }
+
+    // Bypass roles skip filter (superadmin sees all)
+    const userRoles = Array.isArray(user.roles) ? user.roles : [];
+    if (bypassRoles.some((r${ts ? ": string" : ""}) => userRoles.includes(r))) {
+      request.log?.debug?.({ msg: 'Bypass role - no tenant filter' });
+      return;
+    }
+
+    // Apply tenant filter to query
+    request.query = request.query ?? {};
+    request.query._policyFilters = {
+      ...(request.query._policyFilters ?? {}),
+      [tenantField]: orgId,
+    };
+
+    request.log?.debug?.({ msg: 'Tenant filter applied', orgId, tenantField });
+  };
+}
+
+/**
+ * Create tenant injection middleware
+ * Injects tenant ID into request body on create
+ */
+function createTenantInjection(
+  tenantField${ts ? ": string" : ""},
+  extractOrganizationId${ts ? ": (request: any) => string | null" : ""}
+) {
+  return async (request${ts ? ": any" : ""}, reply${ts ? ": any" : ""}) => {
+    const orgId = extractOrganizationId(request);
+
+    // Fail-closed: Require orgId for create operations
+    if (!orgId) {
+      return reply.code(403).send({
+        success: false,
+        error: 'Forbidden',
+        message: 'Organization context required to create resources',
+      });
+    }
+
+    if (request.body) {
+      request.body[tenantField] = orgId;
+    }
+  };
+}
+
+/**
+ * Flexible Multi-Tenant Preset
+ *
+ * @param options.tenantField - Field name in database (default: 'organizationId')
+ * @param options.bypassRoles - Roles that bypass tenant isolation (default: ['superadmin'])
+ * @param options.extractOrganizationId - Custom org ID extractor function
+ */
+export function flexibleMultiTenantPreset(options${ts ? ": FlexibleMultiTenantOptions = {}" : " = {}"})${ts ? ": Preset" : ""} {
+  const {
+    tenantField = 'organizationId',
+    bypassRoles = ['superadmin'],
+    extractOrganizationId = defaultExtractOrganizationId,
+  } = options;
+
+  const tenantFilter = createFlexibleTenantFilter(tenantField, bypassRoles, extractOrganizationId);
+  const tenantInjection = createTenantInjection(tenantField, extractOrganizationId);
+
+  return {
+    name: 'flexibleMultiTenant',
+    middlewares: {
+      list: [tenantFilter],
+      get: [tenantFilter],
+      create: [tenantInjection],
+      update: [tenantFilter],
+      delete: [tenantFilter],
+    },
+  };
+}
+
+export default flexibleMultiTenantPreset;
+`;
+}
+function permissionsTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? ",\n  type PermissionCheck," : "";
+  const returnType = ts ? ": PermissionCheck" : "";
+  let content = `/**
+ * Permission Helpers
+ *
+ * Clean, type-safe permission definitions for resources.
+ */
+
+import {
+  requireAuth,
+  requireRoles,
+  requireOwnership,
+  allowPublic,
+  anyOf,
+  allOf,
+  denyAll,
+  when${typeImport}
+} from '@classytic/arc/permissions';
+
+// Re-export core helpers
+export {
+  allowPublic,
+  requireAuth,
+  requireRoles,
+  requireOwnership,
+  allOf,
+  anyOf,
+  denyAll,
+  when,
+};
+
+// ============================================================================
+// Permission Helpers
+// ============================================================================
+
+/**
+ * Require any authenticated user
+ */
+export const requireAuthenticated = ()${returnType} =>
+  requireRoles(['user', 'admin', 'superadmin']);
+
+/**
+ * Require admin or superadmin
+ */
+export const requireAdmin = ()${returnType} =>
+  requireRoles(['admin', 'superadmin']);
+
+/**
+ * Require superadmin only
+ */
+export const requireSuperadmin = ()${returnType} =>
+  requireRoles(['superadmin']);
+`;
+  if (config.tenant === "multi") {
+    content += `
+/**
+ * Require organization owner
+ */
+export const requireOrgOwner = ()${returnType} =>
+  requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] });
+
+/**
+ * Require organization manager or higher
+ */
+export const requireOrgManager = ()${returnType} =>
+  requireRoles(['owner', 'manager'], { bypassRoles: ['admin', 'superadmin'] });
+
+/**
+ * Require organization staff (any org member)
+ */
+export const requireOrgStaff = ()${returnType} =>
+  requireRoles(['owner', 'manager', 'staff'], { bypassRoles: ['admin', 'superadmin'] });
+`;
+  }
+  content += `
+// ============================================================================
+// Standard Permission Sets
+// ============================================================================
+
+/**
+ * Public read, authenticated write (default for most resources)
+ */
+export const publicReadPermissions = {
+  list: allowPublic(),
+  get: allowPublic(),
+  create: requireAuthenticated(),
+  update: requireAuthenticated(),
+  delete: requireAuthenticated(),
+};
+
+/**
+ * All operations require authentication
+ */
+export const authenticatedPermissions = {
+  list: requireAuth(),
+  get: requireAuth(),
+  create: requireAuth(),
+  update: requireAuth(),
+  delete: requireAuth(),
+};
+
+/**
+ * Admin only permissions
+ */
+export const adminPermissions = {
+  list: requireAdmin(),
+  get: requireAdmin(),
+  create: requireSuperadmin(),
+  update: requireSuperadmin(),
+  delete: requireSuperadmin(),
+};
+`;
+  if (config.tenant === "multi") {
+    content += `
+/**
+ * Organization staff permissions
+ */
+export const orgStaffPermissions = {
+  list: requireOrgStaff(),
+  get: requireOrgStaff(),
+  create: requireOrgManager(),
+  update: requireOrgManager(),
+  delete: requireOrgOwner(),
+};
+`;
+  }
+  return content;
+}
+function configTemplate(config) {
+  const ts = config.typescript;
+  let typeDefinition = "";
+  if (ts) {
+    typeDefinition = `
+export interface AppConfig {
+  env: string;
+  server: {
+    port: number;
+    host: string;
+  };
+  jwt: {
+    secret: string;
+    expiresIn: string;
+  };
+  cors: {
+    origins: string[] | boolean;  // true = allow all ('*')
+    methods: string[];
+    allowedHeaders: string[];
+    credentials: boolean;
+  };${config.adapter === "mongokit" ? `
+  database: {
+    uri: string;
+  };` : ""}${config.tenant === "multi" ? `
+  org?: {
+    header: string;
+  };` : ""}
+}
+`;
+  }
+  return `/**
+ * Application Configuration
+ *
+ * All config is loaded from environment variables.
+ * ENV file is loaded by config/env.ts (imported first in entry points).
+ */
+${typeDefinition}
+const config${ts ? ": AppConfig" : ""} = {
+  env: process.env.NODE_ENV || 'development',
+
+  server: {
+    port: parseInt(process.env.PORT || '8040', 10),
+    host: process.env.HOST || '0.0.0.0',
+  },
+
+  jwt: {
+    secret: process.env.JWT_SECRET || 'dev-secret-change-in-production-min-32',
+    expiresIn: process.env.JWT_EXPIRES_IN || '7d',
+  },
+
+  cors: {
+    // '*' = allow all origins (true), otherwise comma-separated list
+    origins:
+      process.env.CORS_ORIGINS === '*'
+        ? true
+        : (process.env.CORS_ORIGINS || 'http://localhost:3000').split(','),
+    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'x-organization-id', 'x-request-id'],
+    credentials: true,
+  },
+${config.adapter === "mongokit" ? `
+  database: {
+    uri: process.env.MONGODB_URI || 'mongodb://localhost:27017/${config.name}',
+  },
+` : ""}${config.tenant === "multi" ? `
+  org: {
+    header: process.env.ORG_HEADER || 'x-organization-id',
+  },
+` : ""}};
+
+export default config;
+`;
+}
+function exampleModelTemplate(config) {
+  const ts = config.typescript;
+  const typeExport = ts ? `
+export type ExampleDocument = mongoose.InferSchemaType<typeof exampleSchema>;
+export type ExampleModel = mongoose.Model<ExampleDocument>;
+` : "";
+  return `/**
+ * Example Model
+ * Generated by Arc CLI
+ */
+
+import mongoose from 'mongoose';
+
+const exampleSchema = new mongoose.Schema(
+  {
+    name: { type: String, required: true, trim: true },
+    description: { type: String, trim: true },
+    isActive: { type: Boolean, default: true, index: true },
+${config.tenant === "multi" ? "    organizationId: { type: mongoose.Schema.Types.ObjectId, ref: 'Organization', required: true, index: true },\n" : ""}    createdBy: { type: mongoose.Schema.Types.ObjectId, ref: 'User', index: true },
+    deletedAt: { type: Date, default: null, index: true },
+  },
+  {
+    timestamps: true,
+    toJSON: { virtuals: true },
+    toObject: { virtuals: true },
+  }
+);
+
+// Indexes for common queries
+exampleSchema.index({ name: 1 });
+exampleSchema.index({ deletedAt: 1, isActive: 1 });
+${config.tenant === "multi" ? "exampleSchema.index({ organizationId: 1, deletedAt: 1 });\n" : ""}${typeExport}
+const Example = mongoose.model${ts ? "<ExampleDocument>" : ""}('Example', exampleSchema);
+
+export default Example;
+`;
+}
+function exampleRepositoryTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? "import type { ExampleDocument } from './example.model.js';\n" : "";
+  const generic = ts ? "<ExampleDocument>" : "";
+  return `/**
+ * Example Repository
+ * Generated by Arc CLI
+ *
+ * MongoKit repository with plugins for:
+ * - Soft delete (deletedAt filtering)
+ * - Custom business logic methods
+ */
+
+import {
+  Repository,
+  softDeletePlugin,
+  methodRegistryPlugin,
+} from '@classytic/mongokit';
+${typeImport}import Example from './example.model.js';
+
+class ExampleRepository extends Repository${generic} {
+  constructor() {
+    super(Example, [
+      methodRegistryPlugin(),  // Required for plugin method registration
+      softDeletePlugin(),      // Soft delete support
+    ]);
+  }
+
+  /**
+   * Find all active (non-deleted) records
+   */
+  async findActive() {
+    return this.Model.find({ isActive: true, deletedAt: null }).lean();
+  }
+${config.tenant === "multi" ? `
+  /**
+   * Find active records for an organization
+   */
+  async findActiveByOrg(organizationId${ts ? ": string" : ""}) {
+    return this.Model.find({
+      organizationId,
+      isActive: true,
+      deletedAt: null,
+    }).lean();
+  }
+` : ""}
+  // Note: softDeletePlugin provides restore() and getDeleted() methods automatically
+}
+
+const exampleRepository = new ExampleRepository();
+
+export default exampleRepository;
+export { ExampleRepository };
+`;
+}
+function exampleResourceTemplate(config) {
+  config.typescript;
+  config.tenant === "multi" ? "['softDelete', 'flexibleMultiTenant']" : "['softDelete']";
+  return `/**
+ * Example Resource
+ * Generated by Arc CLI
+ *
+ * A complete resource with:
+ * - Model (Mongoose schema)
+ * - Repository (MongoKit with plugins)
+ * - Permissions (role-based access)
+ * - Presets (soft delete${config.tenant === "multi" ? ", multi-tenant" : ""})
+ */
+
+import { defineResource } from '@classytic/arc';
+import { createAdapter } from '#shared/adapter.js';
+import { publicReadPermissions } from '#shared/permissions.js';
+${config.tenant === "multi" ? "import { flexibleMultiTenantPreset } from '#shared/presets/flexible-multi-tenant.js';\n" : ""}import Example from './example.model.js';
+import exampleRepository from './example.repository.js';
+import exampleController from './example.controller.js';
+
+const exampleResource = defineResource({
+  name: 'example',
+  displayName: 'Examples',
+  prefix: '/examples',
+
+  adapter: createAdapter(Example, exampleRepository),
+  controller: exampleController,
+
+  presets: [
+    'softDelete',${config.tenant === "multi" ? `
+    flexibleMultiTenantPreset({ tenantField: 'organizationId' }),` : ""}
+  ],
+
+  permissions: publicReadPermissions,
+
+  // Add custom routes here:
+  // additionalRoutes: [
+  //   {
+  //     method: 'GET',
+  //     path: '/custom',
+  //     summary: 'Custom endpoint',
+  //     handler: async (request, reply) => { ... },
+  //   },
+  // ],
+});
+
+export default exampleResource;
+`;
+}
+function exampleControllerTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Example Controller
+ * Generated by Arc CLI
+ *
+ * BaseController provides CRUD operations with:
+ * - Automatic pagination
+ * - Query parsing
+ * - Validation
+ */
+
+import { BaseController } from '@classytic/arc';
+import exampleRepository from './example.repository.js';
+import { exampleSchemaOptions } from './example.schemas.js';
 
-// src/cli/index.ts
-async function generate(type, name, options = {}) {
-  const validTypes = ["resource", "controller", "model"];
-  if (!validTypes.includes(type)) {
-    throw new Error(`Unknown generation type: ${type}. Valid types: ${validTypes.join(", ")}`);
-  }
-  const {
-    module: moduleName,
-    presets = [],
-    parentField = "parent",
-    withTests = true,
-    dryRun = false,
-    force = false,
-    outputDir = process.cwd(),
-    typescript = true
-  } = options;
-  const SAFE_NAME_PATTERN = /^[a-zA-Z][a-zA-Z0-9-]*$/;
-  if (!SAFE_NAME_PATTERN.test(name)) {
-    throw new Error(`Invalid resource name: "${name}". Use only letters, numbers, and hyphens (must start with letter).`);
-  }
-  if (moduleName && !SAFE_NAME_PATTERN.test(moduleName)) {
-    throw new Error(`Invalid module name: "${moduleName}". Use only letters, numbers, and hyphens (must start with letter).`);
-  }
-  const ext = typescript ? "ts" : "js";
-  const kebab = kebabCase(name);
-  const dirPath = moduleName ? path.join(outputDir, "modules", moduleName, kebab) : path.join(outputDir, "modules", kebab);
-  let files;
-  switch (type) {
-    case "resource":
-      files = generateResourceFiles(name, { presets, parentField, module: moduleName, withTests, typescript });
-      break;
-    case "controller":
-      files = [{ name: `${kebab}.controller.${ext}`, content: controllerTemplate(name, { presets, typescript }) }];
-      break;
-    case "model":
-      files = [{ name: `${kebab}.model.${ext}`, content: modelTemplate(name, { presets, parentField, typescript }) }];
-      break;
-    default:
-      throw new Error(`Unknown type: ${type}`);
+class ExampleController extends BaseController {
+  constructor() {
+    super(exampleRepository${ts ? " as any" : ""}, { schemaOptions: exampleSchemaOptions });
   }
-  console.log(`
-📦 Generating ${type}: ${pascalCase(name)}`);
-  console.log(`📁 Directory: ${dirPath}`);
-  console.log(`🔧 Presets: ${presets.length ? presets.join(", ") : "none"}`);
-  console.log(`📝 Language: ${typescript ? "TypeScript" : "JavaScript"}`);
-  if (dryRun) {
-    console.log("\n🏃 DRY RUN - No files created\n");
-    for (const file of files) {
-      console.log(`  Would create: ${file.name}`);
-    }
-    return { files, dirPath };
-  }
-  await fs.mkdir(dirPath, { recursive: true });
-  let created = 0;
-  let skipped = 0;
-  for (const file of files) {
-    const filePath = path.join(dirPath, file.name);
-    try {
-      await fs.access(filePath);
-      if (!force) {
-        console.log(`  ⏭️  Skipped: ${file.name} (exists)`);
-        skipped++;
-        continue;
-      }
-    } catch {
-    }
-    await fs.writeFile(filePath, file.content);
-    console.log(`  ✅ Created: ${file.name}`);
-    created++;
+
+  // Add custom controller methods here:
+  // async customAction(request, reply) {
+  //   // Custom logic
+  // }
+}
+
+const exampleController = new ExampleController();
+export default exampleController;
+`;
+}
+function exampleSchemasTemplate(config) {
+  const ts = config.typescript;
+  const multiTenantFields = config.tenant === "multi";
+  return `/**
+ * Example Schemas
+ * Generated by Arc CLI
+ *
+ * Schema options for controller validation and query parsing
+ */
+
+import Example from './example.model.js';
+import { buildCrudSchemasFromModel } from '@classytic/mongokit/utils';
+
+/**
+ * CRUD Schemas with Field Rules
+ * Auto-generated from Mongoose model
+ */
+const crudSchemas = buildCrudSchemasFromModel(Example, {
+  strictAdditionalProperties: true,
+  fieldRules: {
+    // Mark fields as system-managed (excluded from create/update)
+    // deletedAt: { systemManaged: true },
+  },
+  query: {
+    filterableFields: {
+      isActive: 'boolean',${multiTenantFields ? `
+      organizationId: 'ObjectId',` : ""}
+      createdAt: 'date',
+    },
+  },
+});
+
+// Schema options for controller
+export const exampleSchemaOptions${ts ? ": any" : ""} = {
+  query: {${multiTenantFields ? `
+    allowedPopulate: ['organizationId'],` : ""}
+    filterableFields: {
+      isActive: 'boolean',${multiTenantFields ? `
+      organizationId: 'ObjectId',` : ""}
+      createdAt: 'date',
+    },
+  },
+};
+
+export default crudSchemas;
+`;
+}
+function exampleTestTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Example Resource Tests
+ * Generated by Arc CLI
+ *
+ * Run tests: npm test
+ * Watch mode: npm run test:watch
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+${config.adapter === "mongokit" ? "import mongoose from 'mongoose';\n" : ""}import { createAppInstance } from '../src/app.js';
+${ts ? "import type { FastifyInstance } from 'fastify';\n" : ""}
+describe('Example Resource', () => {
+  let app${ts ? ": FastifyInstance" : ""};
+
+  beforeAll(async () => {
+${config.adapter === "mongokit" ? `    // Connect to test database
+    const testDbUri = process.env.MONGODB_URI || 'mongodb://localhost:27017/${config.name}-test';
+    await mongoose.connect(testDbUri);
+` : ""}
+    // Create app instance
+    app = await createAppInstance();
+    await app.ready();
+  });
+
+  afterAll(async () => {
+    await app.close();
+${config.adapter === "mongokit" ? "    await mongoose.connection.close();" : ""}
+  });
+
+  describe('GET /examples', () => {
+    it('should return a list of examples', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: '/examples',
+      });
+
+      expect(response.statusCode).toBe(200);
+      const body = JSON.parse(response.body);
+      expect(body).toHaveProperty('docs');
+      expect(Array.isArray(body.docs)).toBe(true);
+    });
+  });
+
+  describe('POST /examples', () => {
+    it('should require authentication', async () => {
+      const response = await app.inject({
+        method: 'POST',
+        url: '/examples',
+        payload: { name: 'Test Example' },
+      });
+
+      // Should fail without auth token
+      expect(response.statusCode).toBe(401);
+    });
+  });
+
+  // Add more tests as needed:
+  // - GET /examples/:id
+  // - PATCH /examples/:id
+  // - DELETE /examples/:id
+  // - Custom endpoints
+});
+`;
+}
+function userModelTemplate(config) {
+  const ts = config.typescript;
+  const orgRoles = config.tenant === "multi" ? `
+// Organization roles (for multi-tenant)
+const ORG_ROLES = ['owner', 'manager', 'hr', 'staff', 'contractor'] as const;
+type OrgRole = typeof ORG_ROLES[number];
+` : "";
+  const orgInterface = config.tenant === "multi" ? `
+type UserOrganization = {
+  organizationId: Types.ObjectId;
+  organizationName: string;
+  roles: OrgRole[];
+  joinedAt: Date;
+};
+` : "";
+  const orgSchema = config.tenant === "multi" ? `
+    // Multi-org support
+    organizations: [{
+      organizationId: { type: Schema.Types.ObjectId, ref: 'Organization', required: true },
+      organizationName: { type: String, required: true },
+      roles: { type: [String], enum: ORG_ROLES, default: [] },
+      joinedAt: { type: Date, default: () => new Date() },
+    }],
+` : "";
+  const orgMethods = config.tenant === "multi" ? `
+// Organization methods
+userSchema.methods.getOrgRoles = function(orgId${ts ? ": Types.ObjectId | string" : ""}) {
+  const org = this.organizations.find(o => o.organizationId.toString() === orgId.toString());
+  return org?.roles || [];
+};
+
+userSchema.methods.hasOrgAccess = function(orgId${ts ? ": Types.ObjectId | string" : ""}) {
+  return this.organizations.some(o => o.organizationId.toString() === orgId.toString());
+};
+
+userSchema.methods.addOrganization = function(
+  organizationId${ts ? ": Types.ObjectId" : ""},
+  organizationName${ts ? ": string" : ""},
+  roles${ts ? ": OrgRole[]" : ""} = []
+) {
+  const existing = this.organizations.find(o => o.organizationId.toString() === organizationId.toString());
+  if (existing) {
+    existing.organizationName = organizationName;
+    existing.roles = [...new Set([...existing.roles, ...roles])];
+  } else {
+    this.organizations.push({ organizationId, organizationName, roles, joinedAt: new Date() });
   }
-  console.log(`
-🎉 Done! Created ${created} file(s), skipped ${skipped}
-`);
-  if (type === "resource") {
-    printNextSteps(name, moduleName);
-  }
-  return { files, dirPath };
-}
-function generateResourceFiles(name, options) {
-  const { presets, parentField, module: moduleName, withTests, typescript } = options;
-  const kebab = kebabCase(name);
-  const ext = typescript ? "ts" : "js";
-  const files = [
-    { name: `${kebab}.model.${ext}`, content: modelTemplate(name, { presets, parentField, typescript }) },
-    { name: `${kebab}.repository.${ext}`, content: repositoryTemplate(name, { presets, parentField, typescript }) },
-    { name: `${kebab}.controller.${ext}`, content: controllerTemplate(name, { presets, typescript }) },
-    { name: `${kebab}.resource.${ext}`, content: resourceTemplate(name, { presets, parentField, module: moduleName}) },
-    { name: `routes.${ext}`, content: routesTemplate(name) }
-  ];
-  if (withTests) {
-    files.push({ name: `${kebab}.test.${ext}`, content: testTemplate(name, { presets, typescript }) });
-  }
-  return files;
-}
-function modelTemplate(name, opts) {
-  const pascal = pascalCase(name);
-  const camel = camelCase(name);
-  const { presets = [], parentField = "parent", typescript = true } = opts;
-  const hasSlug = presets.includes("slugLookup");
-  const hasSoftDelete = presets.includes("softDelete");
-  const hasTree = presets.includes("tree");
-  const hasMultiTenant = presets.includes("multiTenant");
-  const hasOwned = presets.includes("ownedByUser");
-  const hasAudited = presets.includes("audited");
+  return this;
+};
+
+userSchema.methods.removeOrganization = function(organizationId${ts ? ": Types.ObjectId" : ""}) {
+  this.organizations = this.organizations.filter(o => o.organizationId.toString() !== organizationId.toString());
+  return this;
+};
+
+// Index for org queries
+userSchema.index({ 'organizations.organizationId': 1 });
+` : "";
+  const userType = ts ? `
+type PlatformRole = 'user' | 'admin' | 'superadmin';
+
+type User = {
+  name: string;
+  email: string;
+  password: string;
+  roles: PlatformRole[];${config.tenant === "multi" ? `
+  organizations: UserOrganization[];` : ""}
+  resetPasswordToken?: string;
+  resetPasswordExpires?: Date;
+};
+
+type UserMethods = {
+  matchPassword: (enteredPassword: string) => Promise<boolean>;${config.tenant === "multi" ? `
+  getOrgRoles: (orgId: Types.ObjectId | string) => OrgRole[];
+  hasOrgAccess: (orgId: Types.ObjectId | string) => boolean;
+  addOrganization: (orgId: Types.ObjectId, name: string, roles?: OrgRole[]) => UserDocument;
+  removeOrganization: (orgId: Types.ObjectId) => UserDocument;` : ""}
+};
+
+export type UserDocument = HydratedDocument<User, UserMethods>;
+export type UserModel = Model<User, {}, UserMethods>;
+` : "";
   return `/**
- * ${pascal} Model
- * @generated by Arc CLI
+ * User Model
+ * Generated by Arc CLI
  */
 
-import mongoose from 'mongoose';
-${hasSlug ? "import slugPlugin from '@classytic/mongoose-slug-plugin';\n" : ""}
-const ${camel}Schema = new mongoose.Schema(
+import bcrypt from 'bcryptjs';
+import mongoose${ts ? ", { type HydratedDocument, type Model, type Types }" : ""} from 'mongoose';
+${orgRoles}
+const { Schema } = mongoose;
+${orgInterface}${userType}
+const userSchema = new Schema${ts ? "<User, UserModel, UserMethods>" : ""}(
   {
     name: { type: String, required: true, trim: true },
-${hasSlug ? "    slug: { type: String, unique: true, sparse: true, index: true },\n" : ""}${hasTree ? `    ${parentField}: { type: mongoose.Schema.Types.ObjectId, ref: '${pascal}', default: null, index: true },
-    displayOrder: { type: Number, default: 0 },
-` : ""}${hasMultiTenant ? "    organizationId: { type: mongoose.Schema.Types.ObjectId, ref: 'Organization', required: true, index: true },\n" : ""}${hasOwned ? "    createdBy: { type: mongoose.Schema.Types.ObjectId, ref: 'User', index: true },\n" : ""}    description: { type: String, trim: true },
-    isActive: { type: Boolean, default: true, index: true },
-${hasSoftDelete ? "    deletedAt: { type: Date, default: null, index: true },\n" : ""}${hasAudited ? `    lastModifiedBy: { type: mongoose.Schema.Types.ObjectId, ref: 'User' },
-` : ""}  },
-  {
-    timestamps: true,
-    toJSON: { virtuals: true },
-    toObject: { virtuals: true },
-  }
+    email: {
+      type: String,
+      required: true,
+      unique: true,
+      lowercase: true,
+      trim: true,
+    },
+    password: { type: String, required: true },
+
+    // Platform roles
+    roles: {
+      type: [String],
+      enum: ['user', 'admin', 'superadmin'],
+      default: ['user'],
+    },
+${orgSchema}
+    // Password reset
+    resetPasswordToken: String,
+    resetPasswordExpires: Date,
+  },
+  { timestamps: true }
 );
 
-// Indexes
-${camel}Schema.index({ name: 1 });
-${hasSoftDelete ? `${camel}Schema.index({ deletedAt: 1, isActive: 1 });
-` : ""}${hasSlug ? `
-${camel}Schema.plugin(slugPlugin, { sourceField: 'name' });
-` : ""}
-${typescript ? `export type ${pascal}Document = mongoose.InferSchemaType<typeof ${camel}Schema>;
-` : ""}
-export const ${pascal} = mongoose.model${typescript ? `<${pascal}Document>` : ""}('${pascal}', ${camel}Schema);
-export default ${pascal};
-`;
-}
-function repositoryTemplate(name, opts) {
-  const pascal = pascalCase(name);
-  const camel = camelCase(name);
-  const kebab = kebabCase(name);
-  const { presets = [], parentField = "parent", typescript = true } = opts;
-  const hasSoftDelete = presets.includes("softDelete");
-  const hasSlug = presets.includes("slugLookup");
-  const hasTree = presets.includes("tree");
-  const typeImport = typescript ? `
-import type { ${pascal}Document } from './${kebab}.model.js';` : "";
-  const repoGeneric = typescript ? `<${pascal}Document>` : "";
-  const returnType = (t) => typescript ? `: Promise<${t}>` : "";
+// Password hashing
+userSchema.pre('save', async function() {
+  if (!this.isModified('password')) return;
+  const salt = await bcrypt.genSalt(10);
+  this.password = await bcrypt.hash(this.password, salt);
+});
+
+// Password comparison
+userSchema.methods.matchPassword = async function(enteredPassword${ts ? ": string" : ""}) {
+  return bcrypt.compare(enteredPassword, this.password);
+};
+${orgMethods}
+// Exclude password in JSON
+userSchema.set('toJSON', {
+  transform: (_doc, ret${ts ? ": any" : ""}) => {
+    delete ret.password;
+    delete ret.resetPasswordToken;
+    delete ret.resetPasswordExpires;
+    return ret;
+  },
+});
+
+const User = mongoose.models.User${ts ? " as UserModel" : ""} || mongoose.model${ts ? "<User, UserModel>" : ""}('User', userSchema);
+export default User;
+`;
+}
+function userRepositoryTemplate(config) {
+  const ts = config.typescript;
+  const typeImport = ts ? "import type { UserDocument } from './user.model.js';\nimport type { ClientSession, Types } from 'mongoose';\n" : "";
   return `/**
- * ${pascal} Repository
- * @generated by Arc CLI
+ * User Repository
+ * Generated by Arc CLI
+ *
+ * MongoKit repository with plugins for common operations
  */
 
-import { Repository${hasSoftDelete ? ", softDeletePlugin" : ""} } from '@classytic/mongokit';
-import { ${pascal} } from './${kebab}.model.js';${typeImport}
+import {
+  Repository,
+  methodRegistryPlugin,
+  mongoOperationsPlugin,
+} from '@classytic/mongokit';
+${typeImport}import User from './user.model.js';
 
-class ${pascal}Repository extends Repository${repoGeneric} {
+${ts ? "type ID = string | Types.ObjectId;\n" : ""}
+class UserRepository extends Repository${ts ? "<UserDocument>" : ""} {
   constructor() {
-    super(${pascal}${hasSoftDelete ? ", [softDeletePlugin()]" : ""});
+    super(User${ts ? " as any" : ""}, [
+      methodRegistryPlugin(),
+      mongoOperationsPlugin(),
+    ]);
   }
 
-  /** Find all active records */
-  async findActive()${returnType(`${pascal}Document[]`)} {
-    return this.Model.find({ isActive: true${hasSoftDelete ? ", deletedAt: null" : ""} }).lean();
-  }
-${hasSlug ? `
-  /** Find by slug */
-  async getBySlug(slug${typescript ? ": string" : ""})${returnType(`${pascal}Document | null`)} {
-    return this.Model.findOne({ slug: slug.toLowerCase()${hasSoftDelete ? ", deletedAt: null" : ""} }).lean();
-  }
-` : ""}${hasSoftDelete ? `
-  /** Get soft-deleted records */
-  async getDeleted()${returnType(`${pascal}Document[]`)} {
-    return this.Model.find({ deletedAt: { $ne: null } }).sort({ deletedAt: -1 }).lean();
+  /**
+   * Find user by email
+   */
+  async findByEmail(email${ts ? ": string" : ""}) {
+    return this.Model.findOne({ email: email.toLowerCase().trim() });
   }
 
-  /** Restore a soft-deleted record */
-  async restore(id${typescript ? ": string" : ""})${returnType(`${pascal}Document | null`)} {
-    return this.Model.findByIdAndUpdate(id, { deletedAt: null }, { new: true }).lean();
+  /**
+   * Find user by reset token
+   */
+  async findByResetToken(token${ts ? ": string" : ""}) {
+    return this.Model.findOne({
+      resetPasswordToken: token,
+      resetPasswordExpires: { $gt: Date.now() },
+    });
   }
-` : ""}${hasTree ? `
-  /** Get hierarchical tree structure */
-  async getTree()${returnType(`${pascal}Document[]`)} {
-    const all = await this.Model.find({ isActive: true${hasSoftDelete ? ", deletedAt: null" : ""} })
-      .sort({ displayOrder: 1 })
-      .lean();
 
-    const map = new Map${typescript ? `<string, ${pascal}Document & { children: ${pascal}Document[] }>` : ""}();
-    const roots${typescript ? `: (${pascal}Document & { children: ${pascal}Document[] })[]` : ""} = [];
-
-    for (const item of all) {
-      map.set(item._id.toString(), { ...item, children: [] });
-    }
+  /**
+   * Check if email exists
+   */
+  async emailExists(email${ts ? ": string" : ""})${ts ? ": Promise<boolean>" : ""} {
+    const result = await this.Model.exists({ email: email.toLowerCase().trim() });
+    return !!result;
+  }
 
-    for (const item of all) {
-      const node = map.get(item._id.toString())!;
-      const parentId = (item${typescript ? " as any" : ""}).${parentField};
-      if (parentId && map.has(parentId.toString())) {
-        map.get(parentId.toString())!.children.push(node);
-      } else {
-        roots.push(node);
-      }
-    }
+  /**
+   * Update user password (triggers hash middleware)
+   */
+  async updatePassword(userId${ts ? ": ID" : ""}, newPassword${ts ? ": string" : ""}, options${ts ? ": { session?: ClientSession }" : ""} = {}) {
+    const user = await this.Model.findById(userId).session(options.session ?? null);
+    if (!user) throw new Error('User not found');
 
-    return roots;
+    user.password = newPassword;
+    user.resetPasswordToken = undefined;
+    user.resetPasswordExpires = undefined;
+    await user.save({ session: options.session ?? undefined });
+    return user;
   }
 
-  /** Get direct children of a parent */
-  async getChildren(parentId${typescript ? ": string" : ""})${returnType(`${pascal}Document[]`)} {
-    return this.Model.find({
-      ${parentField}: parentId,
-      isActive: true${hasSoftDelete ? ",\n      deletedAt: null" : ""},
-    }).sort({ displayOrder: 1 }).lean();
+  /**
+   * Set reset token
+   */
+  async setResetToken(userId${ts ? ": ID" : ""}, token${ts ? ": string" : ""}, expiresAt${ts ? ": Date" : ""}) {
+    return this.Model.findByIdAndUpdate(
+      userId,
+      { resetPasswordToken: token, resetPasswordExpires: expiresAt },
+      { new: true }
+    );
+  }
+${config.tenant === "multi" ? `
+  /**
+   * Find users by organization
+   */
+  async findByOrganization(organizationId${ts ? ": ID" : ""}) {
+    return this.Model.find({ 'organizations.organizationId': organizationId })
+      .select('-password -resetPasswordToken -resetPasswordExpires')
+      .lean();
   }
-` : ""}}
+` : ""}
+}
 
-export const ${camel}Repository = new ${pascal}Repository();
-export default ${camel}Repository;
+const userRepository = new UserRepository();
+export default userRepository;
+export { UserRepository };
 `;
 }
-function controllerTemplate(name, opts) {
-  const pascal = pascalCase(name);
-  const camel = camelCase(name);
-  const kebab = kebabCase(name);
-  const { presets = [], typescript = true } = opts;
-  const hasSoftDelete = presets.includes("softDelete");
-  const hasSlug = presets.includes("slugLookup");
-  const hasTree = presets.includes("tree");
+function userControllerTemplate(config) {
+  const ts = config.typescript;
   return `/**
- * ${pascal} Controller
- * @generated by Arc CLI
+ * User Controller
+ * Generated by Arc CLI
  *
- * Extends BaseController for built-in security:
- * - Organization scoping (multi-tenant isolation)
- * - Ownership checks (user data protection)
- * - Policy-based filtering
+ * BaseController for user management operations.
+ * Used by auth resource for /users/me endpoints.
  */
 
 import { BaseController } from '@classytic/arc';
-${typescript ? "import type { IRequestContext, IControllerResponse } from '@classytic/arc';\n" : ""}import { ${camel}Repository } from './${kebab}.repository.js';
+import userRepository from './user.repository.js';
 
-class ${pascal}Controller extends BaseController {
+class UserController extends BaseController {
   constructor() {
-    super(${camel}Repository);
-
-    // Bind methods (required for route handler context)
-${hasSlug ? "    this.getBySlug = this.getBySlug.bind(this);\n" : ""}${hasSoftDelete ? `    this.getDeleted = this.getDeleted.bind(this);
-    this.restore = this.restore.bind(this);
-` : ""}${hasTree ? `    this.getTree = this.getTree.bind(this);
-    this.getChildren = this.getChildren.bind(this);
-` : ""}  }
-
-  // ========================================
-  // Custom Methods (add your own below)
-  // ========================================
-
-  // Example: Custom search endpoint
-  // async search(ctx${typescript ? ": IRequestContext" : ""})${typescript ? ": Promise<IControllerResponse>" : ""} {
-  //   const { query } = ctx.query${typescript ? " as { query: string }" : ""};
-  //   const results = await this.repository.Model.find({
-  //     name: { $regex: query, $options: 'i' },
-  //   }).lean();
-  //   return { success: true, data: results, status: 200 };
-  // }
+    super(userRepository${ts ? " as any" : ""});
+  }
+
+  // Custom user operations can be added here
 }
 
-export const ${camel}Controller = new ${pascal}Controller();
-export default ${camel}Controller;
+const userController = new UserController();
+export default userController;
 `;
 }
-function resourceTemplate(name, opts) {
-  const pascal = pascalCase(name);
-  const camel = camelCase(name);
-  const kebab = kebabCase(name);
-  const { presets = [], parentField = "parent", module: moduleName} = opts;
-  const presetsStr = presets.length > 0 ? presets.map((p) => {
-    if (p === "tree" && parentField !== "parent") {
-      return `{ name: 'tree', parentField: '${parentField}' }`;
-    }
-    return `'${p}'`;
-  }).join(",\n      ") : "";
+function authResourceTemplate(config) {
+  const ts = config.typescript;
   return `/**
- * ${pascal} Resource Definition
- * @generated by Arc CLI
+ * Auth Resource
+ * Generated by Arc CLI
+ *
+ * Combined auth + user profile endpoints:
+ * - POST /auth/register
+ * - POST /auth/login
+ * - POST /auth/refresh
+ * - POST /auth/forgot-password
+ * - POST /auth/reset-password
+ * - GET /users/me
+ * - PATCH /users/me
  */
 
-import { defineResource, createMongooseAdapter } from '@classytic/arc';
-import { ${pascal} } from './${kebab}.model.js';
-import { ${camel}Repository } from './${kebab}.repository.js';
+import { defineResource } from '@classytic/arc';
+import { allowPublic, requireAuth } from '@classytic/arc/permissions';
+import { createAdapter } from '#shared/adapter.js';
+import User from '../user/user.model.js';
+import userRepository from '../user/user.repository.js';
+import * as handlers from './auth.handlers.js';
+import * as schemas from './auth.schemas.js';
 
-export default defineResource({
-  name: '${kebab}',
-  displayName: '${pascal}s',
-${moduleName ? `  module: '${moduleName}',
-` : ""}
-  adapter: createMongooseAdapter({
-    model: ${pascal},
-    repository: ${camel}Repository,
-  }),
-${presetsStr ? `
-  presets: [
-      ${presetsStr},
-    ],
-` : ""}
-  permissions: {
-    list: [],
-    get: [],
-    create: ['admin'],
-    update: ['admin'],
-    delete: ['admin'],
-  },
+/**
+ * Auth Resource - handles authentication
+ */
+export const authResource = defineResource({
+  name: 'auth',
+  displayName: 'Authentication',
+  tag: 'Authentication',
+  prefix: '/auth',
 
-  additionalRoutes: [],
+  adapter: createAdapter(User${ts ? " as any" : ""}, userRepository${ts ? " as any" : ""}),
+  disableDefaultRoutes: true,
 
-  events: {
-    created: { description: '${pascal} created' },
-    updated: { description: '${pascal} updated' },
-    deleted: { description: '${pascal} deleted' },
-  },
+  additionalRoutes: [
+    {
+      method: 'POST',
+      path: '/register',
+      summary: 'Register new user',
+      permissions: allowPublic(),
+      handler: handlers.register,
+      wrapHandler: false,
+      schema: { body: schemas.registerBody },
+    },
+    {
+      method: 'POST',
+      path: '/login',
+      summary: 'User login',
+      permissions: allowPublic(),
+      handler: handlers.login,
+      wrapHandler: false,
+      schema: { body: schemas.loginBody },
+    },
+    {
+      method: 'POST',
+      path: '/refresh',
+      summary: 'Refresh access token',
+      permissions: allowPublic(),
+      handler: handlers.refreshToken,
+      wrapHandler: false,
+      schema: { body: schemas.refreshBody },
+    },
+    {
+      method: 'POST',
+      path: '/forgot-password',
+      summary: 'Request password reset',
+      permissions: allowPublic(),
+      handler: handlers.forgotPassword,
+      wrapHandler: false,
+      schema: { body: schemas.forgotBody },
+    },
+    {
+      method: 'POST',
+      path: '/reset-password',
+      summary: 'Reset password with token',
+      permissions: allowPublic(),
+      handler: handlers.resetPassword,
+      wrapHandler: false,
+      schema: { body: schemas.resetBody },
+    },
+  ],
+});
+
+/**
+ * User Profile Resource - handles /users/me
+ */
+export const userProfileResource = defineResource({
+  name: 'user-profile',
+  displayName: 'User Profile',
+  tag: 'User Profile',
+  prefix: '/users',
+
+  adapter: createAdapter(User${ts ? " as any" : ""}, userRepository${ts ? " as any" : ""}),
+  disableDefaultRoutes: true,
+
+  additionalRoutes: [
+    {
+      method: 'GET',
+      path: '/me',
+      summary: 'Get current user profile',
+      permissions: requireAuth(),
+      handler: handlers.getUserProfile,
+      wrapHandler: false,
+    },
+    {
+      method: 'PATCH',
+      path: '/me',
+      summary: 'Update current user profile',
+      permissions: requireAuth(),
+      handler: handlers.updateUserProfile,
+      wrapHandler: false,
+      schema: { body: schemas.updateUserBody },
+    },
+  ],
 });
+
+export default authResource;
 `;
 }
-function routesTemplate(name, opts) {
-  const camel = camelCase(name);
-  const kebab = kebabCase(name);
+function authHandlersTemplate(config) {
+  const ts = config.typescript;
+  const typeAnnotations = ts ? `
+import type { FastifyRequest, FastifyReply } from 'fastify';
+` : "";
   return `/**
- * ${pascalCase(name)} Routes
- * @generated by Arc CLI
- *
- * Register this plugin in your app:
- *   await fastify.register(${camel}Routes);
+ * Auth Handlers
+ * Generated by Arc CLI
+ */
+
+import jwt from 'jsonwebtoken';
+import config from '#config/index.js';
+import userRepository from '../user/user.repository.js';
+${typeAnnotations}
+// Token helpers
+function generateTokens(userId${ts ? ": string" : ""}) {
+  const accessToken = jwt.sign({ id: userId }, config.jwt.secret, { expiresIn: '15m' });
+  const refreshToken = jwt.sign({ id: userId }, config.jwt.secret, { expiresIn: '7d' });
+  return { accessToken, refreshToken };
+}
+
+/**
+ * Register new user
+ */
+export async function register(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const { name, email, password } = request.body${ts ? " as any" : ""};
+
+    // Check if email exists
+    if (await userRepository.emailExists(email)) {
+      return reply.code(400).send({ success: false, message: 'Email already registered' });
+    }
+
+    // Create user
+    await userRepository.create({ name, email, password, roles: ['user'] });
+
+    return reply.code(201).send({ success: true, message: 'User registered successfully' });
+  } catch (error) {
+    request.log.error({ err: error }, 'Register error');
+    return reply.code(500).send({ success: false, message: 'Registration failed' });
+  }
+}
+
+/**
+ * Login user
+ */
+export async function login(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const { email, password } = request.body${ts ? " as any" : ""};
+
+    const user = await userRepository.findByEmail(email);
+    if (!user || !(await user.matchPassword(password))) {
+      return reply.code(401).send({ success: false, message: 'Invalid credentials' });
+    }
+
+    const tokens = generateTokens(user._id.toString());
+
+    return reply.send({
+      success: true,
+      user: { id: user._id, name: user.name, email: user.email, roles: user.roles },
+      ...tokens,
+    });
+  } catch (error) {
+    request.log.error({ err: error }, 'Login error');
+    return reply.code(500).send({ success: false, message: 'Login failed' });
+  }
+}
+
+/**
+ * Refresh access token
+ */
+export async function refreshToken(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const { token } = request.body${ts ? " as any" : ""};
+    if (!token) {
+      return reply.code(401).send({ success: false, message: 'Refresh token required' });
+    }
+
+    const decoded = jwt.verify(token, config.jwt.secret)${ts ? " as { id: string }" : ""};
+    const tokens = generateTokens(decoded.id);
+
+    return reply.send({ success: true, ...tokens });
+  } catch {
+    return reply.code(401).send({ success: false, message: 'Invalid refresh token' });
+  }
+}
+
+/**
+ * Forgot password
+ */
+export async function forgotPassword(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const { email } = request.body${ts ? " as any" : ""};
+    const user = await userRepository.findByEmail(email);
+
+    if (user) {
+      const token = Math.random().toString(36).slice(2) + Date.now().toString(36);
+      const expires = new Date(Date.now() + 3600000); // 1 hour
+      await userRepository.setResetToken(user._id, token, expires);
+      // TODO: Send email with reset link
+      request.log.info(\`Password reset token for \${email}: \${token}\`);
+    }
+
+    // Always return success to prevent email enumeration
+    return reply.send({ success: true, message: 'If email exists, reset link sent' });
+  } catch (error) {
+    request.log.error({ err: error }, 'Forgot password error');
+    return reply.code(500).send({ success: false, message: 'Failed to process request' });
+  }
+}
+
+/**
+ * Reset password
+ */
+export async function resetPassword(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const { token, newPassword } = request.body${ts ? " as any" : ""};
+    const user = await userRepository.findByResetToken(token);
+
+    if (!user) {
+      return reply.code(400).send({ success: false, message: 'Invalid or expired token' });
+    }
+
+    await userRepository.updatePassword(user._id, newPassword);
+    return reply.send({ success: true, message: 'Password has been reset' });
+  } catch (error) {
+    request.log.error({ err: error }, 'Reset password error');
+    return reply.code(500).send({ success: false, message: 'Failed to reset password' });
+  }
+}
+
+/**
+ * Get current user profile
+ */
+export async function getUserProfile(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const userId = (request${ts ? " as any" : ""}).user?._id || (request${ts ? " as any" : ""}).user?.id;
+    const user = await userRepository.getById(userId);
+
+    if (!user) {
+      return reply.code(404).send({ success: false, message: 'User not found' });
+    }
+
+    return reply.send({ success: true, data: user });
+  } catch (error) {
+    request.log.error({ err: error }, 'Get profile error');
+    return reply.code(500).send({ success: false, message: 'Failed to get profile' });
+  }
+}
+
+/**
+ * Update current user profile
  */
+export async function updateUserProfile(request${ts ? ": FastifyRequest" : ""}, reply${ts ? ": FastifyReply" : ""}) {
+  try {
+    const userId = (request${ts ? " as any" : ""}).user?._id || (request${ts ? " as any" : ""}).user?.id;
+    const updates = { ...request.body${ts ? " as any" : ""} };
 
-import ${camel}Resource from './${kebab}.resource.js';
+    // Prevent updating protected fields
+    if ('password' in updates) delete updates.password;
+    if ('roles' in updates) delete updates.roles;
+    if ('organizations' in updates) delete updates.organizations;
 
-export default ${camel}Resource.toPlugin();
+    const user = await userRepository.Model.findByIdAndUpdate(userId, updates, { new: true });
+    return reply.send({ success: true, data: user });
+  } catch (error) {
+    request.log.error({ err: error }, 'Update profile error');
+    return reply.code(500).send({ success: false, message: 'Failed to update profile' });
+  }
+}
 `;
 }
-function testTemplate(name, opts) {
-  const pascal = pascalCase(name);
-  const kebab = kebabCase(name);
-  const { presets = [], typescript = true } = opts;
-  const hasSoftDelete = presets.includes("softDelete");
-  const hasSlug = presets.includes("slugLookup");
+function authSchemasTemplate(config) {
   return `/**
- * ${pascal} Tests
- * @generated by Arc CLI
+ * Auth Schemas
+ * Generated by Arc CLI
  */
 
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
-${typescript ? "import type { FastifyInstance } from 'fastify';\n" : ""}import { createTestApp } from '@classytic/arc/testing';
+export const registerBody = {
+  type: 'object',
+  required: ['name', 'email', 'password'],
+  properties: {
+    name: { type: 'string', minLength: 2 },
+    email: { type: 'string', format: 'email' },
+    password: { type: 'string', minLength: 6 },
+  },
+};
+
+export const loginBody = {
+  type: 'object',
+  required: ['email', 'password'],
+  properties: {
+    email: { type: 'string', format: 'email' },
+    password: { type: 'string' },
+  },
+};
+
+export const refreshBody = {
+  type: 'object',
+  required: ['token'],
+  properties: {
+    token: { type: 'string' },
+  },
+};
+
+export const forgotBody = {
+  type: 'object',
+  required: ['email'],
+  properties: {
+    email: { type: 'string', format: 'email' },
+  },
+};
 
-describe('${pascal} API', () => {
-  let app${typescript ? ": FastifyInstance" : ""};
+export const resetBody = {
+  type: 'object',
+  required: ['token', 'newPassword'],
+  properties: {
+    token: { type: 'string' },
+    newPassword: { type: 'string', minLength: 6 },
+  },
+};
+
+export const updateUserBody = {
+  type: 'object',
+  properties: {
+    name: { type: 'string', minLength: 2 },
+    email: { type: 'string', format: 'email' },
+  },
+};
+`;
+}
+function authTestTemplate(config) {
+  const ts = config.typescript;
+  return `/**
+ * Auth Tests
+ * Generated by Arc CLI
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+${config.adapter === "mongokit" ? "import mongoose from 'mongoose';\n" : ""}import { createAppInstance } from '../src/app.js';
+${ts ? "import type { FastifyInstance } from 'fastify';\n" : ""}
+describe('Auth', () => {
+  let app${ts ? ": FastifyInstance" : ""};
+  const testUser = {
+    name: 'Test User',
+    email: 'test@example.com',
+    password: 'password123',
+  };
 
   beforeAll(async () => {
-    app = await createTestApp({
-      auth: { jwt: { secret: 'test-secret-32-chars-minimum-len' } },
-    });
+${config.adapter === "mongokit" ? `    const testDbUri = process.env.MONGODB_URI || 'mongodb://localhost:27017/${config.name}-test';
+    await mongoose.connect(testDbUri);
+    // Clean up test data
+    await mongoose.connection.collection('users').deleteMany({ email: testUser.email });
+` : ""}
+    app = await createAppInstance();
+    await app.ready();
   });
 
   afterAll(async () => {
-    await app?.close();
+${config.adapter === "mongokit" ? `    await mongoose.connection.collection('users').deleteMany({ email: testUser.email });
+    await mongoose.connection.close();
+` : ""}    await app.close();
   });
 
-  describe('CRUD Operations', () => {
-    let createdId${typescript ? ": string" : ""};
-
-    it('should create a ${kebab}', async () => {
+  describe('POST /auth/register', () => {
+    it('should register a new user', async () => {
       const response = await app.inject({
         method: 'POST',
-        url: '/${kebab}s',
-        payload: { name: 'Test ${pascal}' },
+        url: '/auth/register',
+        payload: testUser,
       });
 
       expect(response.statusCode).toBe(201);
-      const body = response.json();
-      expect(body.success).toBe(true);
-      expect(body.data.name).toBe('Test ${pascal}');
-      createdId = body.data._id;
-    });
-
-    it('should list ${kebab}s', async () => {
-      const response = await app.inject({
-        method: 'GET',
-        url: '/${kebab}s',
-      });
-
-      expect(response.statusCode).toBe(200);
-      const body = response.json();
+      const body = JSON.parse(response.body);
       expect(body.success).toBe(true);
-      expect(Array.isArray(body.docs || body.data)).toBe(true);
     });
 
-    it('should get ${kebab} by id', async () => {
+    it('should reject duplicate email', async () => {
       const response = await app.inject({
-        method: 'GET',
-        url: \`/${kebab}s/\${createdId}\`,
+        method: 'POST',
+        url: '/auth/register',
+        payload: testUser,
       });
 
-      expect(response.statusCode).toBe(200);
-      expect(response.json().data._id).toBe(createdId);
+      expect(response.statusCode).toBe(400);
     });
+  });
 
-    it('should update ${kebab}', async () => {
+  describe('POST /auth/login', () => {
+    it('should login with valid credentials', async () => {
       const response = await app.inject({
-        method: 'PATCH',
-        url: \`/${kebab}s/\${createdId}\`,
-        payload: { name: 'Updated ${pascal}' },
+        method: 'POST',
+        url: '/auth/login',
+        payload: { email: testUser.email, password: testUser.password },
       });
 
       expect(response.statusCode).toBe(200);
-      expect(response.json().data.name).toBe('Updated ${pascal}');
+      const body = JSON.parse(response.body);
+      expect(body.success).toBe(true);
+      expect(body.accessToken).toBeDefined();
+      expect(body.refreshToken).toBeDefined();
     });
 
-    it('should delete ${kebab}', async () => {
+    it('should reject invalid credentials', async () => {
       const response = await app.inject({
-        method: 'DELETE',
-        url: \`/${kebab}s/\${createdId}\`,
+        method: 'POST',
+        url: '/auth/login',
+        payload: { email: testUser.email, password: 'wrongpassword' },
       });
 
-      expect(response.statusCode).toBe(200);
-      expect(response.json().success).toBe(true);
+      expect(response.statusCode).toBe(401);
     });
   });
-${hasSlug ? `
-  describe('Slug Lookup', () => {
-    it('should get by slug', async () => {
-      // Create with auto-generated slug
-      const createRes = await app.inject({
-        method: 'POST',
-        url: '/${kebab}s',
-        payload: { name: 'Slug Test Item' },
-      });
-      const slug = createRes.json().data.slug;
 
+  describe('GET /users/me', () => {
+    it('should require authentication', async () => {
       const response = await app.inject({
         method: 'GET',
-        url: \`/${kebab}s/slug/\${slug}\`,
+        url: '/users/me',
       });
 
-      expect(response.statusCode).toBe(200);
-      expect(response.json().data.slug).toBe(slug);
+      expect(response.statusCode).toBe(401);
     });
   });
-` : ""}${hasSoftDelete ? `
-  describe('Soft Delete', () => {
-    it('should soft delete and restore', async () => {
-      // Create
-      const createRes = await app.inject({
-        method: 'POST',
-        url: '/${kebab}s',
-        payload: { name: 'Soft Delete Test' },
-      });
-      const id = createRes.json().data._id;
+});
+`;
+}
+function printSuccessMessage(config, skipInstall) {
+  const installStep = skipInstall ? `  npm install
+` : "";
+  console.log(`
+╔═══════════════════════════════════════════════════════════════╗
+║                    ✅ Project Created!                        ║
+╚═══════════════════════════════════════════════════════════════╝
 
-      // Delete (soft)
-      await app.inject({
-        method: 'DELETE',
-        url: \`/${kebab}s/\${id}\`,
-      });
+Next steps:
 
-      // Verify in deleted list
-      const deletedRes = await app.inject({
-        method: 'GET',
-        url: '/${kebab}s/deleted',
-      });
-      expect(deletedRes.json().data.some((d${typescript ? ": any" : ""}) => d._id === id)).toBe(true);
+  cd ${config.name}
+${installStep}  npm run dev         # Uses .env.dev automatically
 
-      // Restore
-      const restoreRes = await app.inject({
-        method: 'POST',
-        url: \`/${kebab}s/\${id}/restore\`,
-      });
-      expect(restoreRes.statusCode).toBe(200);
-    });
-  });
-` : ""}});
-`;
-}
-function printNextSteps(name, moduleName) {
-  const kebab = kebabCase(name);
-  const camel = camelCase(name);
-  const modulePath = moduleName ? `${moduleName}/${kebab}` : kebab;
-  console.log(`📋 Next Steps:
+API Documentation:
+
+  http://localhost:8040/docs           # Scalar UI
+  http://localhost:8040/_docs/openapi.json  # OpenAPI spec
+
+Run tests:
 
-1. Register the route in your app:
-   ${`import ${camel}Routes from '#modules/${modulePath}/routes.js';
-   await fastify.register(${camel}Routes);`}
+  npm test            # Run once
+  npm run test:watch  # Watch mode
 
-2. Run tests:
-   npm test -- ${kebab}
+Add resources:
 
-3. Access your API:
-   GET    /${kebab}s          List all
-   GET    /${kebab}s/:id      Get by ID
-   POST   /${kebab}s          Create
-   PATCH  /${kebab}s/:id      Update
-   DELETE /${kebab}s/:id      Delete
+  1. Create folder: src/resources/product/
+  2. Add: index.${config.typescript ? "ts" : "js"}, model.${config.typescript ? "ts" : "js"}, repository.${config.typescript ? "ts" : "js"}
+  3. Register in src/resources/index.${config.typescript ? "ts" : "js"}
+
+Project structure:
+
+  src/
+  ├── app.${config.typescript ? "ts" : "js"}        # App factory (for workers/tests)
+  ├── index.${config.typescript ? "ts" : "js"}      # Server entry
+  ├── config/       # Configuration
+  ├── shared/       # Adapters, presets, permissions
+  ├── plugins/      # App plugins (DI pattern)
+  └── resources/    # API resources
+
+Documentation:
+  https://github.com/classytic/arc
 `);
 }
-function pascalCase(str) {
-  return str.split(/[-_\s]+/).map((s) => s.charAt(0).toUpperCase() + s.slice(1).toLowerCase()).join("");
-}
-function camelCase(str) {
-  const pascal = pascalCase(str);
-  return pascal.charAt(0).toLowerCase() + pascal.slice(1);
+
+// src/cli/commands/introspect.ts
+async function introspect(args) {
+  console.log("Introspecting Arc resources...\n");
+  try {
+    const { resourceRegistry: resourceRegistry2 } = await Promise.resolve().then(() => (init_registry(), registry_exports));
+    const resources = resourceRegistry2.getAll();
+    if (resources.length === 0) {
+      console.log("⚠️  No resources registered.");
+      console.log("\nTo introspect resources, you need to load them first:");
+      console.log("  arc introspect --entry ./index.js");
+      console.log("\nWhere index.js imports all your resource definitions.");
+      return;
+    }
+    console.log(`Found ${resources.length} resource(s):
+`);
+    resources.forEach((resource, index) => {
+      console.log(`${index + 1}. ${resource.name}`);
+      console.log(`   Display Name: ${resource.displayName}`);
+      console.log(`   Prefix: ${resource.prefix}`);
+      console.log(`   Module: ${resource.module || "none"}`);
+      if (resource.permissions) {
+        console.log(`   Permissions:`);
+        Object.entries(resource.permissions).forEach(([op, roles]) => {
+          console.log(`     ${op}: [${roles.join(", ")}]`);
+        });
+      }
+      if (resource.presets && resource.presets.length > 0) {
+        console.log(`   Presets: ${resource.presets.join(", ")}`);
+      }
+      if (resource.additionalRoutes && resource.additionalRoutes.length > 0) {
+        console.log(`   Additional Routes: ${resource.additionalRoutes.length}`);
+      }
+      console.log("");
+    });
+    const stats = resourceRegistry2.getStats();
+    console.log("Summary:");
+    console.log(`  Total Resources: ${stats.totalResources}`);
+    console.log(`  With Presets: ${resources.filter((r) => r.presets?.length > 0).length}`);
+    console.log(
+      `  With Custom Routes: ${resources.filter((r) => r.additionalRoutes && r.additionalRoutes.length > 0).length}`
+    );
+  } catch (error) {
+    console.error("Error:", error.message);
+    console.log("\nTip: Run this command after starting your application.");
+    process.exit(1);
+  }
 }
-function kebabCase(str) {
-  return str.replace(/([a-z])([A-Z])/g, "$1-$2").replace(/[\s_]+/g, "-").toLowerCase();
+async function exportDocs(args) {
+  const [outputPath = "./openapi.json"] = args;
+  console.log("Exporting OpenAPI specification...\n");
+  try {
+    const { resourceRegistry: resourceRegistry2 } = await Promise.resolve().then(() => (init_registry(), registry_exports));
+    const resources = resourceRegistry2.getAll();
+    if (resources.length === 0) {
+      console.warn("⚠️  No resources registered.");
+      console.log("\nTo export docs, you need to load your resources first:");
+      console.log("  arc docs ./openapi.json --entry ./index.js");
+      console.log("\nWhere index.js imports all your resource definitions.");
+      process.exit(1);
+    }
+    const spec = {
+      openapi: "3.0.0",
+      info: {
+        title: "Arc API",
+        version: "1.0.0",
+        description: "Auto-generated from Arc resources"
+      },
+      servers: [
+        {
+          url: "http://localhost:8040/api/v1",
+          description: "Development server"
+        }
+      ],
+      paths: {},
+      components: {
+        schemas: {},
+        securitySchemes: {
+          bearerAuth: {
+            type: "http",
+            scheme: "bearer",
+            bearerFormat: "JWT"
+          }
+        }
+      }
+    };
+    resources.forEach((resource) => {
+      const basePath = resource.prefix || `/${resource.name}s`;
+      spec.paths[basePath] = {
+        get: {
+          tags: [resource.name],
+          summary: `List ${resource.name}s`,
+          security: resource.permissions?.list ? [{ bearerAuth: [] }] : [],
+          parameters: [
+            {
+              name: "page",
+              in: "query",
+              schema: { type: "integer", default: 1 }
+            },
+            {
+              name: "limit",
+              in: "query",
+              schema: { type: "integer", default: 20 }
+            }
+          ],
+          responses: {
+            200: {
+              description: "Successful response",
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object",
+                    properties: {
+                      success: { type: "boolean" },
+                      data: {
+                        type: "array",
+                        items: { $ref: `#/components/schemas/${resource.name}` }
+                      },
+                      total: { type: "integer" },
+                      page: { type: "integer" }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        post: {
+          tags: [resource.name],
+          summary: `Create ${resource.name}`,
+          security: resource.permissions?.create ? [{ bearerAuth: [] }] : [],
+          requestBody: {
+            required: true,
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${resource.name}` }
+              }
+            }
+          },
+          responses: {
+            201: {
+              description: "Created successfully"
+            }
+          }
+        }
+      };
+      spec.paths[`${basePath}/{id}`] = {
+        get: {
+          tags: [resource.name],
+          summary: `Get ${resource.name} by ID`,
+          security: resource.permissions?.get ? [{ bearerAuth: [] }] : [],
+          parameters: [
+            {
+              name: "id",
+              in: "path",
+              required: true,
+              schema: { type: "string" }
+            }
+          ],
+          responses: {
+            200: {
+              description: "Successful response"
+            }
+          }
+        },
+        patch: {
+          tags: [resource.name],
+          summary: `Update ${resource.name}`,
+          security: resource.permissions?.update ? [{ bearerAuth: [] }] : [],
+          parameters: [
+            {
+              name: "id",
+              in: "path",
+              required: true,
+              schema: { type: "string" }
+            }
+          ],
+          requestBody: {
+            required: true,
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${resource.name}` }
+              }
+            }
+          },
+          responses: {
+            200: {
+              description: "Updated successfully"
+            }
+          }
+        },
+        delete: {
+          tags: [resource.name],
+          summary: `Delete ${resource.name}`,
+          security: resource.permissions?.delete ? [{ bearerAuth: [] }] : [],
+          parameters: [
+            {
+              name: "id",
+              in: "path",
+              required: true,
+              schema: { type: "string" }
+            }
+          ],
+          responses: {
+            200: {
+              description: "Deleted successfully"
+            }
+          }
+        }
+      };
+      spec.components.schemas[resource.name] = {
+        type: "object",
+        properties: {
+          _id: { type: "string" },
+          createdAt: { type: "string", format: "date-time" },
+          updatedAt: { type: "string", format: "date-time" }
+        }
+      };
+    });
+    const fullPath = join(process.cwd(), outputPath);
+    writeFileSync(fullPath, JSON.stringify(spec, null, 2));
+    console.log(`✅ OpenAPI spec exported to: ${fullPath}`);
+    console.log(`
+Resources included: ${resources.length}`);
+    console.log(`Total endpoints: ${Object.keys(spec.paths).length}`);
+  } catch (error) {
+    console.error("Error:", error.message);
+    process.exit(1);
+  }
 }
-var cli_default = { generate };
 
-export { cli_default as default, generate };
+export { exportDocs, generate, init, introspect };