@classytic/arc 1.0.5 → 1.1.0

package/dist/{createApp-9q_I1la4.d.ts → createApp-Ce9wl8W9.d.ts}

@@ -1,5 +1,5 @@
 import { FastifyInstance } from 'fastify';
-import { C as CreateAppOptions } from './types-EBZBXrg-.js';
+import { C as CreateAppOptions } from './types-BvckRbs2.js';
 
 /**
  * ArcFactory - Production-ready Fastify application factory

package/dist/factory/index.d.ts

@@ -1,11 +1,11 @@
-export { A as ArcFactory, c as createApp } from '../createApp-9q_I1la4.js';
-import { C as CreateAppOptions } from '../types-EBZBXrg-.js';
-export { M as MultipartOptions, R as RawBodyOptions, U as UnderPressureOptions } from '../types-EBZBXrg-.js';
+export { A as ArcFactory, c as createApp } from '../createApp-Ce9wl8W9.js';
+import { C as CreateAppOptions } from '../types-BvckRbs2.js';
+export { M as MultipartOptions, R as RawBodyOptions, U as UnderPressureOptions } from '../types-BvckRbs2.js';
 import 'fastify';
 import '@fastify/cors';
 import '@fastify/helmet';
 import '@fastify/rate-limit';
-import '../index-WBEvhmWM.js';
+import '../index-B4t03KQ0.js';
 import 'mongoose';
 import '../types-B99TBmFV.js';
 

package/dist/factory/index.js

@@ -2,6 +2,7 @@ import fp from 'fastify-plugin';
 import { randomUUID } from 'crypto';
 import { createRequire } from 'module';
 import Fastify from 'fastify';
+import qs from 'qs';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -1507,6 +1508,10 @@ async function createApp(options) {
   const fastify = Fastify({
     logger: config.logger ?? true,
     trustProxy: config.trustProxy ?? false,
+    // Use qs parser to support nested bracket notation in query strings
+    // e.g., ?populate[author][select]=name,email → { populate: { author: { select: 'name,email' } } }
+    // This is required for MongoKit's advanced populate options to work
+    querystringParser: (str) => qs.parse(str),
     ajv: {
       customOptions: {
         coerceTypes: true,

package/dist/hooks/index.d.ts

@@ -1,4 +1,4 @@
-export { ac as HookContext, ad as HookHandler, aH as HookOperation, aG as HookPhase, aI as HookRegistration, H as HookSystem, aJ as HookSystemOptions, aB as afterCreate, aF as afterDelete, aD as afterUpdate, aA as beforeCreate, aE as beforeDelete, aC as beforeUpdate, az as createHookSystem, ab as hookSystem } from '../index-WBEvhmWM.js';
+export { ac as HookContext, ad as HookHandler, aI as HookOperation, aH as HookPhase, aJ as HookRegistration, H as HookSystem, aK as HookSystemOptions, aC as afterCreate, aG as afterDelete, aE as afterUpdate, aB as beforeCreate, aF as beforeDelete, aD as beforeUpdate, aA as createHookSystem, ab as hookSystem } from '../index-B4t03KQ0.js';
 import 'mongoose';
 import 'fastify';
 import '../types-B99TBmFV.js';

package/dist/{index-WBEvhmWM.d.ts → index-B4t03KQ0.d.ts}

@@ -553,7 +553,13 @@ interface ControllerQueryOptions {
     page?: number;
     limit?: number;
     sort?: string | Record<string, 1 | -1>;
+    /** Simple populate (comma-separated string or array) */
     populate?: string | string[] | Record<string, unknown>;
+    /**
+     * Advanced populate options (Mongoose-compatible)
+     * When set, takes precedence over simple `populate`
+     */
+    populateOptions?: PopulateOption[];
     select?: string | string[] | Record<string, 0 | 1>;
     filters?: Record<string, unknown>;
     search?: string;
@@ -565,19 +571,57 @@ interface ControllerQueryOptions {
     /** Allow additional options */
     [key: string]: unknown;
 }
+/**
+ * Mongoose-compatible populate option for advanced field selection
+ * Used when you need to select specific fields from populated documents
+ *
+ * @example
+ * ```typescript
+ * // URL: ?populate[author][select]=name,email
+ * // Generates: { path: 'author', select: 'name email' }
+ * ```
+ */
+interface PopulateOption {
+    /** Field path to populate */
+    path: string;
+    /** Fields to select (space-separated) */
+    select?: string;
+    /** Filter conditions for populated documents */
+    match?: Record<string, unknown>;
+    /** Query options (limit, sort, skip) */
+    options?: {
+        limit?: number;
+        sort?: Record<string, 1 | -1>;
+        skip?: number;
+    };
+    /** Nested populate configuration */
+    populate?: PopulateOption;
+}
 /**
  * Parsed query result from QueryParser
  * Includes pagination, sorting, filtering, etc.
+ *
+ * The index signature allows custom query parsers (like MongoKit's QueryParser)
+ * to add additional fields without breaking Arc's type system.
  */
 interface ParsedQuery {
     filters?: Record<string, unknown>;
     limit?: number;
     sort?: string | Record<string, 1 | -1>;
+    /** Simple populate (comma-separated string or array) */
     populate?: string | string[] | Record<string, unknown>;
+    /**
+     * Advanced populate options (Mongoose-compatible)
+     * When set, takes precedence over simple `populate`
+     * @example [{ path: 'author', select: 'name email' }]
+     */
+    populateOptions?: PopulateOption[];
     search?: string;
     page?: number;
     after?: string;
     select?: string | string[] | Record<string, 0 | 1>;
+    /** Allow additional fields from custom query parsers */
+    [key: string]: unknown;
 }
 /**
  * Query Parser Interface
@@ -1319,4 +1363,4 @@ interface ValidationResult {
 }
 type AdapterFactory<TDoc> = (config: unknown) => DataAdapter<TDoc>;
 
-export { type InferDocType as $, type AuthHelpers as A, type CrudController as B, type CrudRouteKey as C, type DataAdapter as D, type FieldRule as E, type FieldMetadata as F, type CrudSchemas as G, HookSystem as H, type IntrospectionPluginOptions as I, type JWTPayload as J, type AdditionalRoute as K, type PresetFunction as L, type MiddlewareConfig as M, type EventDefinition as N, type OwnershipCheck as O, type PresetResult as P, type QueryParserInterface as Q, type RequestWithExtras as R, type ServiceContext as S, type ResourceMetadata as T, type UserOrganization as U, type ValidationResult as V, type RegistryEntry as W, type RegistryStats as X, type IntrospectionData as Y, type OrgScopeOptions as Z, type CrudRouterOptions as _, type AuthPluginOptions as a, type InferResourceDoc as a0, type TypedResourceConfig as a1, type TypedController as a2, type TypedRepository as a3, type ConfigError as a4, type ValidationResult$1 as a5, type ValidateOptions as a6, type HealthCheck as a7, type HealthOptions as a8, type GracefulShutdownOptions as a9, beforeCreate as aA, afterCreate as aB, beforeUpdate as aC, afterUpdate as aD, beforeDelete as aE, afterDelete as aF, type HookPhase as aG, type HookOperation as aH, type HookRegistration as aI, type HookSystemOptions as aJ, type RequestIdOptions as aa, hookSystem as ab, type HookContext as ac, type HookHandler as ad, type ParsedQuery as ae, type OpenApiSchemas as af, type AdapterFactory as ag, type ObjectId as ah, type UserLike as ai, getUserId as aj, type ArcDecorator as ak, type EventsDecorator as al, type ResourcePermissions as am, type ResourceHooks as an, type MiddlewareHandler as ao, type JwtContext as ap, type AuthenticatorContext as aq, type Authenticator as ar, type TokenPair as as, type PresetHook as at, type BaseControllerOptions as au, type PaginationParams as av, type InferDoc as aw, type ControllerHandler as ax, type FastifyHandler as ay, createHookSystem as az, ResourceRegistry as b, type RegisterOptions as c, type AnyRecord as d, type IController as e, type RouteSchemaOptions as f, type IRequestContext as g, type ControllerQueryOptions as h, type RequestContext as i, type IControllerResponse as j, type PaginatedResult as k, type ResourceConfig as l, type SchemaMetadata as m, type RelationMetadata as n, type RepositoryLike as o, defineResource as p, ResourceDefinition as q, resourceRegistry as r, type ApiResponse as s, type ControllerLike as t, type FastifyRequestExtras as u, type FastifyWithAuth as v, type FastifyWithDecorators as w, type QueryOptions as x, type CrudRepository as y, type RouteHandler as z };
+export { type InferDocType as $, type AnyRecord as A, type CrudController as B, type ControllerQueryOptions as C, type DataAdapter as D, type FieldRule as E, type FieldMetadata as F, type CrudSchemas as G, HookSystem as H, type IController as I, type JWTPayload as J, type AdditionalRoute as K, type PresetFunction as L, type MiddlewareConfig as M, type EventDefinition as N, type OwnershipCheck as O, type PaginatedResult as P, type QueryParserInterface as Q, type RouteSchemaOptions as R, type ServiceContext as S, type ResourceMetadata as T, type UserOrganization as U, type ValidationResult as V, type RegistryEntry as W, type RegistryStats as X, type IntrospectionData as Y, type OrgScopeOptions as Z, type CrudRouterOptions as _, type IRequestContext as a, type InferResourceDoc as a0, type TypedResourceConfig as a1, type TypedController as a2, type TypedRepository as a3, type ConfigError as a4, type ValidationResult$1 as a5, type ValidateOptions as a6, type HealthCheck as a7, type HealthOptions as a8, type GracefulShutdownOptions as a9, createHookSystem as aA, beforeCreate as aB, afterCreate as aC, beforeUpdate as aD, afterUpdate as aE, beforeDelete as aF, afterDelete as aG, type HookPhase as aH, type HookOperation as aI, type HookRegistration as aJ, type HookSystemOptions as aK, type RequestIdOptions as aa, hookSystem as ab, type HookContext as ac, type HookHandler as ad, type ParsedQuery as ae, type OpenApiSchemas as af, type AdapterFactory as ag, type ObjectId as ah, type UserLike as ai, getUserId as aj, type PopulateOption as ak, type ArcDecorator as al, type EventsDecorator as am, type ResourcePermissions as an, type ResourceHooks as ao, type MiddlewareHandler as ap, type JwtContext as aq, type AuthenticatorContext as ar, type Authenticator as as, type TokenPair as at, type PresetHook as au, type BaseControllerOptions as av, type PaginationParams as aw, type InferDoc as ax, type ControllerHandler as ay, type FastifyHandler as az, type RequestContext as b, type IControllerResponse as c, type RequestWithExtras as d, type CrudRouteKey as e, type PresetResult as f, type AuthHelpers as g, type AuthPluginOptions as h, type IntrospectionPluginOptions as i, ResourceRegistry as j, type RegisterOptions as k, type ResourceConfig as l, type SchemaMetadata as m, type RelationMetadata as n, type RepositoryLike as o, defineResource as p, ResourceDefinition as q, resourceRegistry as r, type ApiResponse as s, type ControllerLike as t, type FastifyRequestExtras as u, type FastifyWithAuth as v, type FastifyWithDecorators as w, type QueryOptions as x, type CrudRepository as y, type RouteHandler as z };

package/dist/index.d.ts

@@ -1,249 +1,20 @@
-import { d as AnyRecord, e as IController, f as RouteSchemaOptions, Q as QueryParserInterface, g as IRequestContext, S as ServiceContext, h as ControllerQueryOptions, i as RequestContext, H as HookSystem, j as IControllerResponse, k as PaginatedResult, l as ResourceConfig } from './index-WBEvhmWM.js';
-export { V as AdapterValidationResult, K as AdditionalRoute, s as ApiResponse, a as AuthPluginOptions, a4 as ConfigError, t as ControllerLike, B as CrudController, y as CrudRepository, C as CrudRouteKey, _ as CrudRouterOptions, G as CrudSchemas, D as DataAdapter, N as EventDefinition, u as FastifyRequestExtras, v as FastifyWithAuth, w as FastifyWithDecorators, F as FieldMetadata, E as FieldRule, a9 as GracefulShutdownOptions, a7 as HealthCheck, a8 as HealthOptions, ac as HookContext, ad as HookHandler, $ as InferDocType, a0 as InferResourceDoc, Y as IntrospectionData, I as IntrospectionPluginOptions, J as JWTPayload, M as MiddlewareConfig, Z as OrgScopeOptions, O as OwnershipCheck, L as PresetFunction, P as PresetResult, x as QueryOptions, W as RegistryEntry, X as RegistryStats, n as RelationMetadata, o as RepositoryLike, aa as RequestIdOptions, R as RequestWithExtras, q as ResourceDefinition, T as ResourceMetadata, z as RouteHandler, m as SchemaMetadata, a2 as TypedController, a3 as TypedRepository, a1 as TypedResourceConfig, U as UserOrganization, a6 as ValidateOptions, a5 as ValidationResult, p as defineResource, ab as hookSystem, r as resourceRegistry } from './index-WBEvhmWM.js';
+import { l as ResourceConfig } from './index-B4t03KQ0.js';
+export { V as AdapterValidationResult, K as AdditionalRoute, A as AnyRecord, s as ApiResponse, h as AuthPluginOptions, a4 as ConfigError, t as ControllerLike, B as CrudController, y as CrudRepository, e as CrudRouteKey, _ as CrudRouterOptions, G as CrudSchemas, D as DataAdapter, N as EventDefinition, u as FastifyRequestExtras, v as FastifyWithAuth, w as FastifyWithDecorators, F as FieldMetadata, E as FieldRule, a9 as GracefulShutdownOptions, a7 as HealthCheck, a8 as HealthOptions, ac as HookContext, ad as HookHandler, H as HookSystem, I as IController, c as IControllerResponse, a as IRequestContext, $ as InferDocType, a0 as InferResourceDoc, Y as IntrospectionData, i as IntrospectionPluginOptions, J as JWTPayload, M as MiddlewareConfig, Z as OrgScopeOptions, O as OwnershipCheck, P as PaginatedResult, L as PresetFunction, f as PresetResult, x as QueryOptions, W as RegistryEntry, X as RegistryStats, n as RelationMetadata, o as RepositoryLike, b as RequestContext, aa as RequestIdOptions, d as RequestWithExtras, q as ResourceDefinition, T as ResourceMetadata, z as RouteHandler, R as RouteSchemaOptions, m as SchemaMetadata, S as ServiceContext, a2 as TypedController, a3 as TypedRepository, a1 as TypedResourceConfig, U as UserOrganization, a6 as ValidateOptions, a5 as ValidationResult, p as defineResource, ab as hookSystem, r as resourceRegistry } from './index-B4t03KQ0.js';
 export { MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, createMongooseAdapter, createPrismaAdapter } from './adapters/index.js';
+export { B as BaseController, a as BaseControllerOptions } from './BaseController-DVAiHxEQ.js';
 export { RouteHandlerMethod } from 'fastify';
 export { P as PermissionCheck, a as PermissionContext, b as PermissionResult, U as UserBase } from './types-B99TBmFV.js';
 export { A as ArcError, F as ForbiddenError, N as NotFoundError, U as UnauthorizedError, V as ValidationError } from './errors-8WIxGS_6.js';
-export { e as gracefulShutdownPlugin, a as healthPlugin, _ as requestIdPlugin } from './arcCorePlugin-Cqi7j5-_.js';
+export { e as gracefulShutdownPlugin, a as healthPlugin, _ as requestIdPlugin } from './arcCorePlugin-CsShQdyP.js';
 export { DomainEvent, EventHandler, eventPlugin } from './events/index.js';
 export { allOf, allowPublic, anyOf, denyAll, requireAuth, requireOwnership, requireRoles, when } from './permissions/index.js';
-export { A as ArcFactory, c as createApp } from './createApp-9q_I1la4.js';
-export { C as CreateAppOptions } from './types-EBZBXrg-.js';
+export { A as ArcFactory, c as createApp } from './createApp-Ce9wl8W9.js';
+export { C as CreateAppOptions } from './types-BvckRbs2.js';
 import 'mongoose';
 import '@fastify/cors';
 import '@fastify/helmet';
 import '@fastify/rate-limit';
 
-/**
- * Base Controller - Framework-Agnostic CRUD Operations
- *
- * Implements IController interface for framework portability.
- * Works with Fastify, Express, Next.js, or any framework via adapter pattern.
- *
- * @example
- * import { BaseController } from '@classytic/arc';
- *
- * // Use Arc's default query parser (works out of the box)
- * class ProductController extends BaseController {
- *   constructor(repository: CrudRepository) {
- *     super(repository);
- *   }
- * }
- *
- * // Or use MongoKit's parser for advanced MongoDB features ($lookup, aggregations)
- * import { QueryParser } from '@classytic/mongokit';
- * defineResource({
- *   name: 'product',
- *   queryParser: new QueryParser(),
- *   // ...
- * });
- *
- * // Or use a custom parser for SQL databases
- * defineResource({
- *   name: 'user',
- *   queryParser: new PgQueryParser(),
- *   // ...
- * });
- */
-
-/**
- * Flexible repository interface that accepts any repository shape
- * Core CRUD methods use flexible signatures to work with any implementation
- * Custom methods can be added via the index signature
- *
- * @example
- * // MongoKit repository with custom methods
- * interface MyRepository extends FlexibleRepository {
- *   findByEmail(email: string): Promise<User>;
- *   customMethod(): Promise<void>;
- * }
- */
-interface FlexibleRepository {
-    getAll(...args: any[]): Promise<any>;
-    getById(...args: any[]): Promise<any>;
-    create(...args: any[]): Promise<any>;
-    update(...args: any[]): Promise<any>;
-    delete(...args: any[]): Promise<any>;
-    [key: string]: any;
-}
-interface BaseControllerOptions {
-    /** Schema options for field sanitization */
-    schemaOptions?: RouteSchemaOptions;
-    /**
-     * Query parser instance
-     * Default: Arc built-in query parser (adapter-agnostic).
-     * You can swap in MongoKit QueryParser, pgkit parser, etc.
-     */
-    queryParser?: QueryParserInterface;
-    /** Maximum limit for pagination (default: 100) */
-    maxLimit?: number;
-    /** Default limit for pagination (default: 20) */
-    defaultLimit?: number;
-    /** Default sort field (default: '-createdAt') */
-    defaultSort?: string;
-    /** Resource name for hook execution (e.g., 'product' → 'product.created') */
-    resourceName?: string;
-    /** Disable automatic event emission (default: false) */
-    disableEvents?: boolean;
-}
-/**
- * Framework-agnostic base controller implementing MongoKit's IController
- *
- * @template TDoc - The document type
- * @template TRepository - The repository type (defaults to CrudRepository<TDoc>, preserves custom methods when specified)
- *
- * Use with Fastify adapter for Fastify integration (see createFastifyAdapter in createCrudRouter)
- *
- * @example
- * // Without custom repository type (backward compatible)
- * class SimpleController extends BaseController<Product> {
- *   constructor(repository: CrudRepository<Product>) {
- *     super(repository);
- *   }
- * }
- *
- * @example
- * // With custom repository type (type-safe access to custom methods)
- * class ProductController extends BaseController<Product, ProductRepository> {
- *   constructor(repository: ProductRepository) {
- *     super(repository);
- *   }
- *
- *   async customMethod(context: IRequestContext) {
- *     // TypeScript knows about ProductRepository's custom methods
- *     return await this.repository.findByCategory(...);
- *   }
- * }
- */
-declare class BaseController<TDoc = AnyRecord, TRepository extends FlexibleRepository = FlexibleRepository> implements IController<TDoc> {
-    protected repository: TRepository;
-    protected schemaOptions: RouteSchemaOptions;
-    protected queryParser: QueryParserInterface;
-    protected maxLimit: number;
-    protected defaultLimit: number;
-    protected defaultSort: string;
-    protected resourceName?: string;
-    protected disableEvents: boolean;
-    /** Preset field names for dynamic param reading */
-    protected _presetFields: {
-        slugField?: string;
-        parentField?: string;
-    };
-    constructor(repository: TRepository, options?: BaseControllerOptions);
-    /**
-     * Inject resource options from defineResource
-     */
-    _setResourceOptions(options: {
-        schemaOptions?: RouteSchemaOptions;
-        presetFields?: {
-            slugField?: string;
-            parentField?: string;
-        };
-        resourceName?: string;
-        queryParser?: QueryParserInterface;
-    }): void;
-    /**
-     * Build service context from IRequestContext
-     */
-    protected _buildContext(req: IRequestContext): ServiceContext;
-    /**
-     * Parse query into QueryOptions using queryParser
-     */
-    protected _parseQueryOptions(req: IRequestContext): ControllerQueryOptions;
-    /**
-     * Apply org and policy filters
-     */
-    protected _applyFilters(options: ControllerQueryOptions, req: IRequestContext): ControllerQueryOptions;
-    /**
-     * Build filter for single-item operations (get/update/delete)
-     * Combines ID filter with policy/org filters for proper security enforcement
-     */
-    protected _buildIdFilter(id: string, req: IRequestContext): AnyRecord;
-    /**
-     * Check if a value matches a MongoDB query operator
-     */
-    protected _matchesOperator(itemValue: unknown, operator: string, filterValue: unknown): boolean;
-    /**
-     * Forbidden paths that could lead to prototype pollution
-     */
-    private static readonly FORBIDDEN_PATHS;
-    /**
-     * Get nested value from object using dot notation (e.g., "owner.id")
-     * Security: Validates path against forbidden patterns to prevent prototype pollution
-     */
-    protected _getNestedValue(obj: AnyRecord, path: string): unknown;
-    /**
-     * Check if item matches a single filter condition
-     * Supports nested paths (e.g., "owner.id", "metadata.status")
-     */
-    protected _matchesFilter(item: AnyRecord, key: string, filterValue: unknown): boolean;
-    /**
-     * Check if item matches policy filters (for get/update/delete operations)
-     * Validates that fetched item satisfies all policy constraints
-     * Supports MongoDB query operators: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
-     */
-    protected _checkPolicyFilters(item: AnyRecord, req: IRequestContext): boolean;
-    /** Parse lean option (default: true for performance) */
-    protected _parseLean(leanValue: unknown): boolean;
-    /** Get blocked fields from schema options */
-    protected _getBlockedFields(schemaOptions: RouteSchemaOptions): string[];
-    /**
-     * Convert parsed select object to string format
-     * Converts { name: 1, email: 1, password: 0 } → 'name email -password'
-     */
-    protected _selectToString(select: string | string[] | Record<string, 0 | 1> | undefined): string | undefined;
-    /** Sanitize select fields */
-    protected _sanitizeSelect(select: string | undefined, schemaOptions: RouteSchemaOptions): string | undefined;
-    /** Sanitize populate fields */
-    protected _sanitizePopulate(populate: unknown, schemaOptions: RouteSchemaOptions): string[] | undefined;
-    /** Check org scope for a document */
-    protected _checkOrgScope(item: AnyRecord | null, arcContext: RequestContext | undefined): boolean;
-    /** Check ownership for update/delete (ownedByUser preset) */
-    protected _checkOwnership(item: AnyRecord | null, req: IRequestContext): boolean;
-    /**
-     * Get hook system from context (instance-scoped) or fall back to global singleton
-     * This allows proper isolation when running multiple app instances (e.g., in tests)
-     */
-    protected _getHooks(req: IRequestContext): HookSystem;
-    /**
-     * List resources with filtering, pagination, sorting
-     * Implements IController.list()
-     */
-    list(req: IRequestContext): Promise<IControllerResponse<PaginatedResult<TDoc>>>;
-    /**
-     * Get single resource by ID
-     * Implements IController.get()
-     */
-    get(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
-    /**
-     * Create new resource
-     * Implements IController.create()
-     */
-    create(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
-    /**
-     * Update existing resource
-     * Implements IController.update()
-     */
-    update(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
-    /**
-     * Delete resource
-     * Implements IController.delete()
-     */
-    delete(req: IRequestContext): Promise<IControllerResponse<{
-        message: string;
-    }>>;
-    /** Get resource by slug (slugLookup preset) */
-    getBySlug(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
-    /** Get soft-deleted resources (softDelete preset) */
-    getDeleted(req: IRequestContext): Promise<IControllerResponse<PaginatedResult<TDoc>>>;
-    /** Restore soft-deleted resource (softDelete preset) */
-    restore(req: IRequestContext): Promise<IControllerResponse<TDoc>>;
-    /** Get hierarchical tree (tree preset) */
-    getTree(req: IRequestContext): Promise<IControllerResponse<TDoc[]>>;
-    /** Get children of parent (tree preset) */
-    getChildren(req: IRequestContext): Promise<IControllerResponse<TDoc[]>>;
-}
-
 /**
  * Resource Configuration Validator
  *
@@ -361,4 +132,4 @@ declare function assertValidConfig(config: ResourceConfig, options?: ValidateOpt
 
 declare const version = "1.0.0";
 
-export { AnyRecord, BaseController, type BaseControllerOptions, HookSystem, IController, IControllerResponse, IRequestContext, PaginatedResult, RequestContext, ResourceConfig, RouteSchemaOptions, ServiceContext, assertValidConfig, formatValidationErrors, validateResourceConfig, version };
+export { ResourceConfig, assertValidConfig, formatValidationErrors, validateResourceConfig, version };

package/dist/index.js

@@ -2,6 +2,7 @@ import fp from 'fastify-plugin';
 import { randomUUID } from 'crypto';
 import { createRequire } from 'module';
 import Fastify from 'fastify';
+import qs from 'qs';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -2175,6 +2176,23 @@ var ArcQueryParser = class {
     for (const [key, value] of Object.entries(query)) {
       if (reservedKeys.has(key)) continue;
       if (value === void 0 || value === null) continue;
+      if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(key)) continue;
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        const operatorObj = value;
+        const operatorKeys = Object.keys(operatorObj);
+        const allOperators = operatorKeys.every((op) => this.operators[op]);
+        if (allOperators && operatorKeys.length > 0) {
+          const mongoFilters = {};
+          for (const [op, opValue] of Object.entries(operatorObj)) {
+            const mongoOp = this.operators[op];
+            if (mongoOp) {
+              mongoFilters[mongoOp] = this.parseFilterValue(opValue, op);
+            }
+          }
+          filters[key] = mongoFilters;
+          continue;
+        }
+      }
       const match = key.match(/^([a-zA-Z_][a-zA-Z0-9_.]*)(?:\[([a-z]+)\])?$/);
       if (!match) continue;
       const [, fieldName, operator] = match;
@@ -2316,6 +2334,8 @@ var BaseController = class _BaseController {
       sort: sortString,
       select: this._sanitizeSelect(selectString, this.schemaOptions),
       populate: this._sanitizePopulate(parsed.populate, this.schemaOptions),
+      // Advanced populate options from MongoKit QueryParser (takes precedence over simple populate)
+      populateOptions: parsed.populateOptions,
       filters: parsed.filters,
       // MongoKit features
       search: parsed.search,
@@ -2431,7 +2451,7 @@ var BaseController = class _BaseController {
         return true;
       }
     }
-    return itemValue === filterValue;
+    return String(itemValue) === String(filterValue);
   }
   /**
    * Check if item matches policy filters (for get/update/delete operations)
@@ -2587,7 +2607,10 @@ var BaseController = class _BaseController {
     const arcContext = req.metadata;
     try {
       const item = await this.repository.getById(id, options);
-      if (!item || !this._checkOrgScope(item, arcContext) || !this._checkPolicyFilters(item, req)) {
+      const hasItem = !!item;
+      const orgScopeOk = this._checkOrgScope(item, arcContext);
+      const policyFiltersOk = this._checkPolicyFilters(item, req);
+      if (!hasItem || !orgScopeOk || !policyFiltersOk) {
         return {
           success: false,
           error: "Resource not found",
@@ -3306,15 +3329,16 @@ function allowPublic() {
   return check;
 }
 function requireAuth() {
-  return (ctx) => {
+  const check = (ctx) => {
     if (!ctx.user) {
       return { granted: false, reason: "Authentication required" };
     }
     return true;
   };
+  return check;
 }
 function requireRoles(roles, options) {
-  return (ctx) => {
+  const check = (ctx) => {
     if (!ctx.user) {
       return { granted: false, reason: "Authentication required" };
     }
@@ -3330,6 +3354,8 @@ function requireRoles(roles, options) {
       reason: `Required roles: ${roles.join(", ")}`
     };
   };
+  check._roles = roles;
+  return check;
 }
 function requireOwnership(ownerField = "userId", options) {
   return (ctx) => {
@@ -4583,6 +4609,10 @@ async function createApp(options) {
   const fastify = Fastify({
     logger: config.logger ?? true,
     trustProxy: config.trustProxy ?? false,
+    // Use qs parser to support nested bracket notation in query strings
+    // e.g., ?populate[author][select]=name,email → { populate: { author: { select: 'name,email' } } }
+    // This is required for MongoKit's advanced populate options to work
+    querystringParser: (str) => qs.parse(str),
     ajv: {
       customOptions: {
         coerceTypes: true,

package/dist/org/index.d.ts

@@ -1,5 +1,5 @@
 import { RouteHandlerMethod, FastifyPluginAsync } from 'fastify';
-import { i as RequestContext, Z as OrgScopeOptions, z as RouteHandler } from '../index-WBEvhmWM.js';
+import { b as RequestContext, Z as OrgScopeOptions, z as RouteHandler } from '../index-B4t03KQ0.js';
 import { U as UserBase } from '../types-B99TBmFV.js';
 import 'mongoose';
 

package/dist/permissions/index.js

@@ -5,15 +5,16 @@ function allowPublic() {
   return check;
 }
 function requireAuth() {
-  return (ctx) => {
+  const check = (ctx) => {
     if (!ctx.user) {
       return { granted: false, reason: "Authentication required" };
     }
     return true;
   };
+  return check;
 }
 function requireRoles(roles, options) {
-  return (ctx) => {
+  const check = (ctx) => {
     if (!ctx.user) {
       return { granted: false, reason: "Authentication required" };
     }
@@ -29,6 +30,8 @@ function requireRoles(roles, options) {
       reason: `Required roles: ${roles.join(", ")}`
     };
   };
+  check._roles = roles;
+  return check;
 }
 function requireOwnership(ownerField = "userId", options) {
   return (ctx) => {

package/dist/plugins/index.d.ts

@@ -1,6 +1,6 @@
-export { k as ArcCore, A as ArcCorePluginOptions, G as GracefulShutdownOptions, b as HealthCheck, H as HealthOptions, R as RequestIdOptions, T as TracingOptions, f as arcCorePlugin, j as arcCorePluginFn, d as createSpan, e as gracefulShutdownPlugin, g as gracefulShutdownPluginFn, a as healthPlugin, h as healthPluginFn, i as isTracingAvailable, _ as requestIdPlugin, r as requestIdPluginFn, t as traced, c as tracingPlugin } from '../arcCorePlugin-Cqi7j5-_.js';
+export { k as ArcCore, A as ArcCorePluginOptions, G as GracefulShutdownOptions, b as HealthCheck, H as HealthOptions, R as RequestIdOptions, T as TracingOptions, f as arcCorePlugin, j as arcCorePluginFn, d as createSpan, e as gracefulShutdownPlugin, g as gracefulShutdownPluginFn, a as healthPlugin, h as healthPluginFn, i as isTracingAvailable, _ as requestIdPlugin, r as requestIdPluginFn, t as traced, c as tracingPlugin } from '../arcCorePlugin-CsShQdyP.js';
 import { FastifyInstance, FastifyRequest } from 'fastify';
-import '../index-WBEvhmWM.js';
+import '../index-B4t03KQ0.js';
 import 'mongoose';
 import '../types-B99TBmFV.js';
 

package/dist/presets/index.d.ts

@@ -1,6 +1,6 @@
 import { MultiTenantOptions } from './multiTenant.js';
 export { default as multiTenantPreset } from './multiTenant.js';
-import { P as PresetResult, g as IRequestContext, j as IControllerResponse, k as PaginatedResult, d as AnyRecord, l as ResourceConfig } from '../index-WBEvhmWM.js';
+import { f as PresetResult, a as IRequestContext, c as IControllerResponse, P as PaginatedResult, A as AnyRecord, l as ResourceConfig } from '../index-B4t03KQ0.js';
 import 'mongoose';
 import 'fastify';
 import '../types-B99TBmFV.js';

package/dist/presets/index.js

@@ -5,7 +5,7 @@ function allowPublic() {
   return check;
 }
 function requireRoles(roles, options) {
-  return (ctx) => {
+  const check = (ctx) => {
     if (!ctx.user) {
       return { granted: false, reason: "Authentication required" };
     }
@@ -18,6 +18,8 @@ function requireRoles(roles, options) {
       reason: `Required roles: ${roles.join(", ")}`
     };
   };
+  check._roles = roles;
+  return check;
 }
 
 // src/presets/softDelete.ts

package/dist/presets/multiTenant.d.ts

@@ -1,4 +1,4 @@
-import { R as RequestWithExtras, C as CrudRouteKey, P as PresetResult } from '../index-WBEvhmWM.js';
+import { d as RequestWithExtras, e as CrudRouteKey, f as PresetResult } from '../index-B4t03KQ0.js';
 import 'mongoose';
 import 'fastify';
 import '../types-B99TBmFV.js';

package/dist/registry/index.d.ts

@@ -1,5 +1,5 @@
-import { I as IntrospectionPluginOptions } from '../index-WBEvhmWM.js';
-export { c as RegisterOptions, b as ResourceRegistry, r as resourceRegistry } from '../index-WBEvhmWM.js';
+import { i as IntrospectionPluginOptions } from '../index-B4t03KQ0.js';
+export { k as RegisterOptions, j as ResourceRegistry, r as resourceRegistry } from '../index-B4t03KQ0.js';
 import { FastifyPluginAsync } from 'fastify';
 import 'mongoose';
 import '../types-B99TBmFV.js';

package/dist/testing/index.d.ts

@@ -1,6 +1,6 @@
-import { q as ResourceDefinition, d as AnyRecord, y as CrudRepository } from '../index-WBEvhmWM.js';
+import { q as ResourceDefinition, A as AnyRecord, y as CrudRepository } from '../index-B4t03KQ0.js';
 import Fastify, { FastifyInstance } from 'fastify';
-import { C as CreateAppOptions } from '../types-EBZBXrg-.js';
+import { C as CreateAppOptions } from '../types-BvckRbs2.js';
 import { Mock } from 'vitest';
 import { Connection } from 'mongoose';
 import '../types-B99TBmFV.js';

package/dist/testing/index.js

@@ -2,6 +2,7 @@ import fp from 'fastify-plugin';
 import { randomUUID } from 'crypto';
 import { createRequire } from 'module';
 import Fastify from 'fastify';
+import qs from 'qs';
 import { describe, beforeAll, afterAll, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import mongoose from 'mongoose';
 
@@ -46964,6 +46965,10 @@ async function createApp(options2) {
   const fastify = Fastify({
     logger: config.logger ?? true,
     trustProxy: config.trustProxy ?? false,
+    // Use qs parser to support nested bracket notation in query strings
+    // e.g., ?populate[author][select]=name,email → { populate: { author: { select: 'name,email' } } }
+    // This is required for MongoKit's advanced populate options to work
+    querystringParser: (str) => qs.parse(str),
     ajv: {
       customOptions: {
         coerceTypes: true,

package/dist/types/index.d.ts

@@ -1,4 +1,4 @@
-export { K as AdditionalRoute, d as AnyRecord, s as ApiResponse, ak as ArcDecorator, A as AuthHelpers, a as AuthPluginOptions, ar as Authenticator, aq as AuthenticatorContext, au as BaseControllerOptions, a4 as ConfigError, ax as ControllerHandler, t as ControllerLike, h as ControllerQueryOptions, B as CrudController, y as CrudRepository, C as CrudRouteKey, _ as CrudRouterOptions, G as CrudSchemas, N as EventDefinition, al as EventsDecorator, ay as FastifyHandler, u as FastifyRequestExtras, v as FastifyWithAuth, w as FastifyWithDecorators, E as FieldRule, a9 as GracefulShutdownOptions, a7 as HealthCheck, a8 as HealthOptions, e as IController, j as IControllerResponse, g as IRequestContext, aw as InferDoc, $ as InferDocType, a0 as InferResourceDoc, Y as IntrospectionData, I as IntrospectionPluginOptions, J as JWTPayload, ap as JwtContext, M as MiddlewareConfig, ao as MiddlewareHandler, ah as ObjectId, af as OpenApiSchemas, Z as OrgScopeOptions, O as OwnershipCheck, k as PaginatedResult, av as PaginationParams, ae as ParsedQuery, L as PresetFunction, at as PresetHook, P as PresetResult, x as QueryOptions, Q as QueryParserInterface, W as RegistryEntry, X as RegistryStats, i as RequestContext, aa as RequestIdOptions, R as RequestWithExtras, l as ResourceConfig, an as ResourceHooks, T as ResourceMetadata, am as ResourcePermissions, z as RouteHandler, f as RouteSchemaOptions, S as ServiceContext, as as TokenPair, a2 as TypedController, a3 as TypedRepository, a1 as TypedResourceConfig, ai as UserLike, U as UserOrganization, a6 as ValidateOptions, a5 as ValidationResult, aj as getUserId } from '../index-WBEvhmWM.js';
+export { K as AdditionalRoute, A as AnyRecord, s as ApiResponse, al as ArcDecorator, g as AuthHelpers, h as AuthPluginOptions, as as Authenticator, ar as AuthenticatorContext, av as BaseControllerOptions, a4 as ConfigError, ay as ControllerHandler, t as ControllerLike, C as ControllerQueryOptions, B as CrudController, y as CrudRepository, e as CrudRouteKey, _ as CrudRouterOptions, G as CrudSchemas, N as EventDefinition, am as EventsDecorator, az as FastifyHandler, u as FastifyRequestExtras, v as FastifyWithAuth, w as FastifyWithDecorators, E as FieldRule, a9 as GracefulShutdownOptions, a7 as HealthCheck, a8 as HealthOptions, I as IController, c as IControllerResponse, a as IRequestContext, ax as InferDoc, $ as InferDocType, a0 as InferResourceDoc, Y as IntrospectionData, i as IntrospectionPluginOptions, J as JWTPayload, aq as JwtContext, M as MiddlewareConfig, ap as MiddlewareHandler, ah as ObjectId, af as OpenApiSchemas, Z as OrgScopeOptions, O as OwnershipCheck, P as PaginatedResult, aw as PaginationParams, ae as ParsedQuery, ak as PopulateOption, L as PresetFunction, au as PresetHook, f as PresetResult, x as QueryOptions, Q as QueryParserInterface, W as RegistryEntry, X as RegistryStats, b as RequestContext, aa as RequestIdOptions, d as RequestWithExtras, l as ResourceConfig, ao as ResourceHooks, T as ResourceMetadata, an as ResourcePermissions, z as RouteHandler, R as RouteSchemaOptions, S as ServiceContext, at as TokenPair, a2 as TypedController, a3 as TypedRepository, a1 as TypedResourceConfig, ai as UserLike, U as UserOrganization, a6 as ValidateOptions, a5 as ValidationResult, aj as getUserId } from '../index-B4t03KQ0.js';
 export { RouteHandlerMethod } from 'fastify';
 export { Document, Model } from 'mongoose';
 export { P as PermissionCheck, a as PermissionContext, b as PermissionResult, U as UserBase } from '../types-B99TBmFV.js';

package/dist/{types-EBZBXrg-.d.ts → types-BvckRbs2.d.ts}

@@ -2,7 +2,7 @@ import { FastifyServerOptions } from 'fastify';
 import { FastifyCorsOptions } from '@fastify/cors';
 import { FastifyHelmetOptions } from '@fastify/helmet';
 import { RateLimitOptions } from '@fastify/rate-limit';
-import { a as AuthPluginOptions } from './index-WBEvhmWM.js';
+import { h as AuthPluginOptions } from './index-B4t03KQ0.js';
 
 /**
  * Types for createApp factory