@classytic/arc 1.1.0 → 2.1.2

package/dist/presets/index.mjs

@@ -0,0 +1,144 @@
+import { a as softDeletePreset, i as slugLookupPreset, n as treePreset, r as ownedByUserPreset, t as auditedPreset } from "../audited-C3T5DTUx.mjs";
+import multiTenantPreset from "./multiTenant.mjs";
+
+//#region src/presets/index.ts
+/**
+* Convenience alias for multiTenantPreset with public list/get routes
+* Equivalent to: multiTenantPreset({ allowPublic: ['list', 'get'] })
+*/
+const flexibleMultiTenantPreset = (options = {}) => multiTenantPreset({
+	...options,
+	allowPublic: ["list", "get"]
+});
+const presetRegistry = {
+	softDelete: softDeletePreset,
+	slugLookup: slugLookupPreset,
+	ownedByUser: ownedByUserPreset,
+	multiTenant: multiTenantPreset,
+	tree: treePreset,
+	audited: auditedPreset
+};
+/**
+* Get preset by name with options
+*/
+function getPreset(nameOrConfig) {
+	if (typeof nameOrConfig === "object" && nameOrConfig.name) {
+		const { name, ...options } = nameOrConfig;
+		return resolvePreset(name, options);
+	}
+	return resolvePreset(nameOrConfig);
+}
+/**
+* Resolve preset by name
+*/
+function resolvePreset(name, options = {}) {
+	const factory = presetRegistry[name];
+	if (!factory) {
+		const available = Object.keys(presetRegistry).join(", ");
+		throw new Error(`Unknown preset: '${name}'\nAvailable presets: ${available}\nDocs: https://github.com/classytic/arc#presets`);
+	}
+	return factory(options);
+}
+/**
+* Register a custom preset
+*/
+function registerPreset(name, factory, options) {
+	if (presetRegistry[name] && !options?.override) throw new Error(`Preset '${name}' already exists. Pass { override: true } to replace.`);
+	presetRegistry[name] = factory;
+}
+/**
+* Get all available preset names
+*/
+function getAvailablePresets() {
+	return Object.keys(presetRegistry);
+}
+/**
+* Validate that preset combinations don't conflict.
+* Detects route collisions (same method + path from different presets).
+*/
+function validatePresetCombination(presets) {
+	const conflicts = [];
+	const routeMap = /* @__PURE__ */ new Map();
+	for (const preset of presets) {
+		const name = preset.name ?? "unknown";
+		const routes = typeof preset.additionalRoutes === "function" ? preset.additionalRoutes({}) : preset.additionalRoutes ?? [];
+		for (const route of routes) {
+			const key = `${route.method} ${route.path}`;
+			const existing = routeMap.get(key);
+			if (existing) conflicts.push({
+				presets: [existing, name],
+				message: `Both '${existing}' and '${name}' define route ${key}`,
+				severity: "error"
+			});
+			routeMap.set(key, name);
+		}
+	}
+	return conflicts;
+}
+/**
+* Apply presets to resource config.
+* Validates preset combinations for conflicts before merging.
+*/
+function applyPresets(config, presets = []) {
+	let result = { ...config };
+	const resolved = presets.map(resolvePresetInput);
+	const errors = validatePresetCombination(resolved).filter((c) => c.severity === "error");
+	if (errors.length > 0) throw new Error(`[Arc] Resource '${config.name}' preset conflicts:\n` + errors.map((c) => `  - ${c.message}`).join("\n"));
+	for (const preset of resolved) result = mergePreset(result, preset);
+	return result;
+}
+/**
+* Resolve preset input to PresetResult
+*/
+function resolvePresetInput(preset) {
+	if (typeof preset === "object" && ("middlewares" in preset || "additionalRoutes" in preset)) return preset;
+	if (typeof preset === "object" && "name" in preset) {
+		const { name, ...options } = preset;
+		return resolvePreset(name, options);
+	}
+	return resolvePreset(preset);
+}
+/**
+* Merge preset into config
+*/
+function mergePreset(config, preset) {
+	const result = { ...config };
+	if (preset.additionalRoutes) {
+		const routes = typeof preset.additionalRoutes === "function" ? preset.additionalRoutes(config.permissions ?? {}) : preset.additionalRoutes;
+		result.additionalRoutes = [...result.additionalRoutes ?? [], ...routes];
+	}
+	if (preset.middlewares) {
+		result.middlewares = result.middlewares ?? {};
+		for (const [op, mws] of Object.entries(preset.middlewares)) {
+			const key = op;
+			result.middlewares[key] = [...result.middlewares[key] ?? [], ...mws ?? []];
+		}
+	}
+	if (preset.schemaOptions) result.schemaOptions = {
+		...result.schemaOptions,
+		...preset.schemaOptions,
+		fieldRules: {
+			...result.schemaOptions?.fieldRules,
+			...preset.schemaOptions?.fieldRules
+		}
+	};
+	if (preset.controllerOptions) result._controllerOptions = {
+		...result._controllerOptions,
+		...preset.controllerOptions
+	};
+	if (preset.hooks && preset.hooks.length > 0) {
+		result._hooks = result._hooks ?? [];
+		for (const hook of preset.hooks) result._hooks.push({
+			presetName: preset.name,
+			operation: hook.operation,
+			phase: hook.phase,
+			handler: hook.handler,
+			priority: hook.priority
+		});
+	}
+	return result;
+}
+
+//#endregion
+export { applyPresets, auditedPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, slugLookupPreset, softDeletePreset, treePreset };
+//# sourceMappingURL=index.mjs.map

package/dist/presets/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/presets/index.ts"],"sourcesContent":["/**\n * Presets Module\n *\n * Reusable resource configurations that add routes, middlewares, and schema options.\n *\n * @example\n * import { defineResource } from '@classytic/arc';\n *\n * // Using preset strings (resolved internally)\n * defineResource({\n *   presets: ['softDelete', 'slugLookup'],\n * });\n *\n * // Using preset functions with options\n * import { softDeletePreset, treePreset } from '@classytic/arc/presets';\n *\n * defineResource({\n *   presets: [\n *     softDeletePreset(),\n *     treePreset({ parentField: 'parentSlug' }),\n *   ],\n * });\n */\n\nimport type {\n  AdditionalRoute,\n  AnyRecord,\n  MiddlewareConfig,\n  PresetResult,\n  ResourceConfig,\n  RouteSchemaOptions,\n} from '../types/index.js';\n\n// Export preset functions\nexport { softDeletePreset } from './softDelete.js';\n\n\nexport { slugLookupPreset } from './slugLookup.js';\nexport type { SlugLookupOptions } from './slugLookup.js';\n\nexport { ownedByUserPreset } from './ownedByUser.js';\nexport type { OwnedByUserOptions } from './ownedByUser.js';\n\nexport { multiTenantPreset } from './multiTenant.js';\nexport type { MultiTenantOptions } from './multiTenant.js';\n\n/**\n * Convenience alias for multiTenantPreset with public list/get routes\n * Equivalent to: multiTenantPreset({ allowPublic: ['list', 'get'] })\n */\nexport const flexibleMultiTenantPreset = (\n  options: Omit<import('./multiTenant.js').MultiTenantOptions, 'allowPublic'> = {}\n) => multiTenantPreset({ ...options, allowPublic: ['list', 'get'] });\n\nexport { treePreset } from './tree.js';\nexport type { TreeOptions } from './tree.js';\n\nexport { auditedPreset } from './audited.js';\nexport type { AuditedPresetOptions } from './audited.js';\n\n// Export preset type interfaces for type safety\nexport type {\n  ISoftDeleteController,\n  ISlugLookupController,\n  ITreeController,\n  IOwnedByUserPreset,\n  IMultiTenantPreset,\n  IAuditedPreset,\n  IPresetController,\n} from './types.js';\n\n// Import preset implementations for sync resolution\nimport { softDeletePreset } from './softDelete.js';\nimport { slugLookupPreset } from './slugLookup.js';\nimport { ownedByUserPreset } from './ownedByUser.js';\nimport { multiTenantPreset } from './multiTenant.js';\nimport { treePreset } from './tree.js';\nimport { auditedPreset } from './audited.js';\n\n// ============================================================================\n// Preset Registry\n// ============================================================================\n\ntype PresetFactory = (options?: AnyRecord) => PresetResult;\n\nconst presetRegistry: Record<string, PresetFactory> = {\n  softDelete: softDeletePreset,\n  slugLookup: slugLookupPreset,\n  ownedByUser: ownedByUserPreset,\n  multiTenant: multiTenantPreset,\n  tree: treePreset,\n  audited: auditedPreset,\n};\n\n/**\n * Get preset by name with options\n */\nexport function getPreset(nameOrConfig: string | { name: string; [key: string]: unknown }): PresetResult {\n  if (typeof nameOrConfig === 'object' && nameOrConfig.name) {\n    const { name, ...options } = nameOrConfig;\n    return resolvePreset(name, options);\n  }\n\n  return resolvePreset(nameOrConfig as string);\n}\n\n/**\n * Resolve preset by name\n */\nfunction resolvePreset(name: string, options: AnyRecord = {}): PresetResult {\n  const factory = presetRegistry[name];\n\n  if (!factory) {\n    const available = Object.keys(presetRegistry).join(', ');\n    throw new Error(\n      `Unknown preset: '${name}'\\n` +\n      `Available presets: ${available}\\n` +\n      `Docs: https://github.com/classytic/arc#presets`\n    );\n  }\n\n  return factory(options);\n}\n\n/**\n * Register a custom preset\n */\nexport function registerPreset(\n  name: string,\n  factory: PresetFactory,\n  options?: { override?: boolean },\n): void {\n  if (presetRegistry[name] && !options?.override) {\n    throw new Error(\n      `Preset '${name}' already exists. Pass { override: true } to replace.`,\n    );\n  }\n  presetRegistry[name] = factory;\n}\n\n/**\n * Get all available preset names\n */\nexport function getAvailablePresets(): string[] {\n  return Object.keys(presetRegistry);\n}\n\n// ============================================================================\n// Apply Presets\n// ============================================================================\n\ntype PresetInput = string | PresetResult | { name: string; [key: string]: unknown };\n\n// ============================================================================\n// Preset Conflict Detection\n// ============================================================================\n\ninterface PresetConflict {\n  presets: [string, string];\n  message: string;\n  severity: 'error' | 'warning';\n}\n\n/**\n * Validate that preset combinations don't conflict.\n * Detects route collisions (same method + path from different presets).\n */\nfunction validatePresetCombination(presets: PresetResult[]): PresetConflict[] {\n  const conflicts: PresetConflict[] = [];\n  const routeMap = new Map<string, string>(); // \"METHOD /path\" -> preset name\n\n  for (const preset of presets) {\n    const name = preset.name ?? 'unknown';\n    const routes: AdditionalRoute[] = typeof preset.additionalRoutes === 'function'\n      ? preset.additionalRoutes({})\n      : (preset.additionalRoutes ?? []);\n\n    for (const route of routes) {\n      const key = `${route.method} ${route.path}`;\n      const existing = routeMap.get(key);\n      if (existing) {\n        conflicts.push({\n          presets: [existing, name],\n          message: `Both '${existing}' and '${name}' define route ${key}`,\n          severity: 'error',\n        });\n      }\n      routeMap.set(key, name);\n    }\n  }\n\n  return conflicts;\n}\n\n/**\n * Apply presets to resource config.\n * Validates preset combinations for conflicts before merging.\n */\nexport function applyPresets<TDoc = AnyRecord>(\n  config: ResourceConfig<TDoc>,\n  presets: PresetInput[] = []\n): ResourceConfig<TDoc> {\n  let result = { ...config };\n\n  // Resolve all presets first for validation\n  const resolved = presets.map(resolvePresetInput);\n\n  // Validate combinations — fail-fast on route collisions\n  const conflicts = validatePresetCombination(resolved);\n  const errors = conflicts.filter((c) => c.severity === 'error');\n  if (errors.length > 0) {\n    throw new Error(\n      `[Arc] Resource '${config.name}' preset conflicts:\\n` +\n      errors.map((c) => `  - ${c.message}`).join('\\n'),\n    );\n  }\n\n  for (const preset of resolved) {\n    result = mergePreset(result, preset) as ResourceConfig<TDoc>;\n  }\n\n  return result;\n}\n\n/**\n * Resolve preset input to PresetResult\n */\nfunction resolvePresetInput(preset: PresetInput): PresetResult {\n  // Check if already a fully-resolved PresetResult (has middlewares or additionalRoutes)\n  // This allows custom presets to be passed directly without registry lookup\n  if (typeof preset === 'object' && ('middlewares' in preset || 'additionalRoutes' in preset)) {\n    return preset as PresetResult;\n  }\n\n  // Object with name and options (for registry lookup)\n  if (typeof preset === 'object' && 'name' in preset) {\n    const { name, ...options } = preset as { name: string; [key: string]: unknown };\n    return resolvePreset(name, options);\n  }\n\n  // String preset name\n  return resolvePreset(preset);\n}\n\n/** Extended config with internal fields */\ninterface ExtendedResourceConfig<TDoc = AnyRecord> extends ResourceConfig<TDoc> {\n  _controllerOptions?: {\n    slugField?: string;\n    parentField?: string;\n    [key: string]: unknown;\n  };\n  _hooks?: Array<{\n    presetName: string;\n    operation: 'create' | 'update' | 'delete' | 'read' | 'list';\n    phase: 'before' | 'after';\n    handler: (ctx: {\n      resource: string;\n      operation: string;\n      phase: string;\n      data?: AnyRecord;\n      result?: AnyRecord | AnyRecord[];\n      user?: { id: string; email: string; [key: string]: unknown };\n      context?: { organizationId?: string | null; [key: string]: unknown };\n      meta?: AnyRecord;\n    }) => void | Promise<void> | AnyRecord | Promise<AnyRecord>;\n    priority?: number;\n  }>;\n}\n\n/**\n * Merge preset into config\n */\nfunction mergePreset<TDoc = AnyRecord>(\n  config: ResourceConfig<TDoc>,\n  preset: PresetResult\n): ResourceConfig<TDoc> {\n  const result = { ...config } as ExtendedResourceConfig<TDoc>;\n\n  // Merge additional routes\n  if (preset.additionalRoutes) {\n    const routes: AdditionalRoute[] = typeof preset.additionalRoutes === 'function'\n      ? preset.additionalRoutes(config.permissions ?? {})\n      : preset.additionalRoutes;\n\n    result.additionalRoutes = [\n      ...(result.additionalRoutes ?? []),\n      ...routes,\n    ];\n  }\n\n  // Merge middlewares\n  if (preset.middlewares) {\n    result.middlewares = result.middlewares ?? {};\n    for (const [op, mws] of Object.entries(preset.middlewares)) {\n      const key = op as keyof MiddlewareConfig;\n      result.middlewares[key] = [\n        ...(result.middlewares[key] ?? []),\n        ...(mws ?? []),\n      ];\n    }\n  }\n\n  // Merge schema options (deep-merge fieldRules so presets accumulate rules)\n  if (preset.schemaOptions) {\n    result.schemaOptions = {\n      ...result.schemaOptions,\n      ...preset.schemaOptions,\n      fieldRules: {\n        ...result.schemaOptions?.fieldRules,\n        ...preset.schemaOptions?.fieldRules,\n      },\n    } as RouteSchemaOptions;\n  }\n\n  // Merge controller options (slugField, parentField, etc.)\n  if (preset.controllerOptions) {\n    result._controllerOptions = {\n      ...result._controllerOptions,\n      ...preset.controllerOptions,\n    };\n  }\n\n  // Collect hooks from preset\n  if (preset.hooks && preset.hooks.length > 0) {\n    result._hooks = result._hooks ?? [];\n    for (const hook of preset.hooks) {\n      result._hooks.push({\n        presetName: preset.name,\n        operation: hook.operation,\n        phase: hook.phase,\n        handler: hook.handler,\n        priority: hook.priority,\n      });\n    }\n  }\n\n  return result;\n}\n"],"mappings":";;;;;;;;AAkDA,MAAa,6BACX,UAA8E,EAAE,KAC7E,kBAAkB;CAAE,GAAG;CAAS,aAAa,CAAC,QAAQ,MAAM;CAAE,CAAC;AAiCpE,MAAM,iBAAgD;CACpD,YAAY;CACZ,YAAY;CACZ,aAAa;CACb,aAAa;CACb,MAAM;CACN,SAAS;CACV;;;;AAKD,SAAgB,UAAU,cAA+E;AACvG,KAAI,OAAO,iBAAiB,YAAY,aAAa,MAAM;EACzD,MAAM,EAAE,MAAM,GAAG,YAAY;AAC7B,SAAO,cAAc,MAAM,QAAQ;;AAGrC,QAAO,cAAc,aAAuB;;;;;AAM9C,SAAS,cAAc,MAAc,UAAqB,EAAE,EAAgB;CAC1E,MAAM,UAAU,eAAe;AAE/B,KAAI,CAAC,SAAS;EACZ,MAAM,YAAY,OAAO,KAAK,eAAe,CAAC,KAAK,KAAK;AACxD,QAAM,IAAI,MACR,oBAAoB,KAAK,wBACH,UAAU,kDAEjC;;AAGH,QAAO,QAAQ,QAAQ;;;;;AAMzB,SAAgB,eACd,MACA,SACA,SACM;AACN,KAAI,eAAe,SAAS,CAAC,SAAS,SACpC,OAAM,IAAI,MACR,WAAW,KAAK,uDACjB;AAEH,gBAAe,QAAQ;;;;;AAMzB,SAAgB,sBAAgC;AAC9C,QAAO,OAAO,KAAK,eAAe;;;;;;AAuBpC,SAAS,0BAA0B,SAA2C;CAC5E,MAAM,YAA8B,EAAE;CACtC,MAAM,2BAAW,IAAI,KAAqB;AAE1C,MAAK,MAAM,UAAU,SAAS;EAC5B,MAAM,OAAO,OAAO,QAAQ;EAC5B,MAAM,SAA4B,OAAO,OAAO,qBAAqB,aACjE,OAAO,iBAAiB,EAAE,CAAC,GAC1B,OAAO,oBAAoB,EAAE;AAElC,OAAK,MAAM,SAAS,QAAQ;GAC1B,MAAM,MAAM,GAAG,MAAM,OAAO,GAAG,MAAM;GACrC,MAAM,WAAW,SAAS,IAAI,IAAI;AAClC,OAAI,SACF,WAAU,KAAK;IACb,SAAS,CAAC,UAAU,KAAK;IACzB,SAAS,SAAS,SAAS,SAAS,KAAK,iBAAiB;IAC1D,UAAU;IACX,CAAC;AAEJ,YAAS,IAAI,KAAK,KAAK;;;AAI3B,QAAO;;;;;;AAOT,SAAgB,aACd,QACA,UAAyB,EAAE,EACL;CACtB,IAAI,SAAS,EAAE,GAAG,QAAQ;CAG1B,MAAM,WAAW,QAAQ,IAAI,mBAAmB;CAIhD,MAAM,SADY,0BAA0B,SAAS,CAC5B,QAAQ,MAAM,EAAE,aAAa,QAAQ;AAC9D,KAAI,OAAO,SAAS,EAClB,OAAM,IAAI,MACR,mBAAmB,OAAO,KAAK,yBAC/B,OAAO,KAAK,MAAM,OAAO,EAAE,UAAU,CAAC,KAAK,KAAK,CACjD;AAGH,MAAK,MAAM,UAAU,SACnB,UAAS,YAAY,QAAQ,OAAO;AAGtC,QAAO;;;;;AAMT,SAAS,mBAAmB,QAAmC;AAG7D,KAAI,OAAO,WAAW,aAAa,iBAAiB,UAAU,sBAAsB,QAClF,QAAO;AAIT,KAAI,OAAO,WAAW,YAAY,UAAU,QAAQ;EAClD,MAAM,EAAE,MAAM,GAAG,YAAY;AAC7B,SAAO,cAAc,MAAM,QAAQ;;AAIrC,QAAO,cAAc,OAAO;;;;;AA+B9B,SAAS,YACP,QACA,QACsB;CACtB,MAAM,SAAS,EAAE,GAAG,QAAQ;AAG5B,KAAI,OAAO,kBAAkB;EAC3B,MAAM,SAA4B,OAAO,OAAO,qBAAqB,aACjE,OAAO,iBAAiB,OAAO,eAAe,EAAE,CAAC,GACjD,OAAO;AAEX,SAAO,mBAAmB,CACxB,GAAI,OAAO,oBAAoB,EAAE,EACjC,GAAG,OACJ;;AAIH,KAAI,OAAO,aAAa;AACtB,SAAO,cAAc,OAAO,eAAe,EAAE;AAC7C,OAAK,MAAM,CAAC,IAAI,QAAQ,OAAO,QAAQ,OAAO,YAAY,EAAE;GAC1D,MAAM,MAAM;AACZ,UAAO,YAAY,OAAO,CACxB,GAAI,OAAO,YAAY,QAAQ,EAAE,EACjC,GAAI,OAAO,EAAE,CACd;;;AAKL,KAAI,OAAO,cACT,QAAO,gBAAgB;EACrB,GAAG,OAAO;EACV,GAAG,OAAO;EACV,YAAY;GACV,GAAG,OAAO,eAAe;GACzB,GAAG,OAAO,eAAe;GAC1B;EACF;AAIH,KAAI,OAAO,kBACT,QAAO,qBAAqB;EAC1B,GAAG,OAAO;EACV,GAAG,OAAO;EACX;AAIH,KAAI,OAAO,SAAS,OAAO,MAAM,SAAS,GAAG;AAC3C,SAAO,SAAS,OAAO,UAAU,EAAE;AACnC,OAAK,MAAM,QAAQ,OAAO,MACxB,QAAO,OAAO,KAAK;GACjB,YAAY,OAAO;GACnB,WAAW,KAAK;GAChB,OAAO,KAAK;GACZ,SAAS,KAAK;GACd,UAAU,KAAK;GAChB,CAAC;;AAIN,QAAO"}

package/dist/presets/multiTenant.d.mts

@@ -0,0 +1,25 @@
+import "../elevation-B_2dRLVP.mjs";
+import "../interface-Ch8HU9uM.mjs";
+import "../types-aYB4V7uN.mjs";
+import { CrudRouteKey, PresetResult } from "../types/index.mjs";
+
+//#region src/presets/multiTenant.d.ts
+interface MultiTenantOptions {
+  /** Field name in database (default: 'organizationId') */
+  tenantField?: string;
+  /**
+   * Routes that allow public access (no auth required)
+   * When a route is in this array:
+   * - If no org context: allow through without filtering (public data)
+   * - If org context present: require auth and apply filter
+   *
+   * @default [] (strict mode - all routes require auth)
+   * @example
+   * multiTenantPreset({ allowPublic: ['list', 'get'] })
+   */
+  allowPublic?: CrudRouteKey[];
+}
+declare function multiTenantPreset(options?: MultiTenantOptions): PresetResult;
+//#endregion
+export { MultiTenantOptions, multiTenantPreset as default, multiTenantPreset };
+//# sourceMappingURL=multiTenant.d.mts.map

package/dist/presets/multiTenant.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"multiTenant.d.mts","names":[],"sources":["../../src/presets/multiTenant.ts"],"mappings":";;;;;;UAmBiB,kBAAA;EAAkB;EAEjC,WAAA;EAY0B;;;;;;AA6H5B;;;;EA7HE,WAAA,GAAc,YAAA;AAAA;AAAA,iBA6HA,iBAAA,CAAkB,OAAA,GAAS,kBAAA,GAA0B,YAAA"}

package/dist/presets/multiTenant.mjs

@@ -0,0 +1,114 @@
+import { o as DEFAULT_TENANT_FIELD } from "../constants-DdXFXQtN.mjs";
+import { c as isElevated, l as isMember, n as PUBLIC_SCOPE, r as getOrgId } from "../types-Beqn1Un7.mjs";
+
+//#region src/presets/multiTenant.ts
+/** Read request.scope safely */
+function getScope(request) {
+	return request.scope ?? PUBLIC_SCOPE;
+}
+/**
+* Create tenant filter middleware
+* Adds tenant filter to query for list/get operations.
+* Reads `request.scope` for org context and elevation bypass.
+*/
+function createTenantFilter(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		if (isElevated(scope)) {
+			const orgId = getOrgId(scope);
+			if (orgId) request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: orgId
+			};
+			return;
+		}
+		if (isMember(scope)) {
+			request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: scope.organizationId
+			};
+			return;
+		}
+		if (scope.kind === "public") {
+			reply.code(401).send({
+				success: false,
+				error: "Unauthorized",
+				message: "Authentication required for multi-tenant resources"
+			});
+			return;
+		}
+		reply.code(403).send({
+			success: false,
+			error: "Forbidden",
+			message: "Organization context required for this operation"
+		});
+	};
+}
+/**
+* Create flexible tenant filter middleware
+* For routes in allowPublic: only filter when org context is present
+* No org context = allow through (public data)
+* Org context present = require auth and apply filter
+*/
+function createFlexibleTenantFilter(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		if (isElevated(scope)) {
+			const orgId = getOrgId(scope);
+			if (orgId) request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: orgId
+			};
+			return;
+		}
+		if (isMember(scope)) {
+			request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: scope.organizationId
+			};
+			return;
+		}
+	};
+}
+/**
+* Create tenant injection middleware
+* Injects tenant ID into request body on create.
+* Reads `request.scope` for org context.
+*/
+function createTenantInjection(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		const orgId = getOrgId(scope);
+		if (isElevated(scope) && !orgId) return;
+		if (!orgId) {
+			reply.code(403).send({
+				success: false,
+				error: "Forbidden",
+				message: "Organization context required to create resources"
+			});
+			return;
+		}
+		if (request.body) request.body[tenantField] = orgId;
+	};
+}
+function multiTenantPreset(options = {}) {
+	const { tenantField = DEFAULT_TENANT_FIELD, allowPublic = [] } = options;
+	const strictTenantFilter = createTenantFilter(tenantField);
+	const flexibleTenantFilter = createFlexibleTenantFilter(tenantField);
+	const tenantInjection = createTenantInjection(tenantField);
+	const getFilter = (route) => allowPublic.includes(route) ? flexibleTenantFilter : strictTenantFilter;
+	return {
+		name: "multiTenant",
+		middlewares: {
+			list: [getFilter("list")],
+			get: [getFilter("get")],
+			create: [tenantInjection],
+			update: [getFilter("update")],
+			delete: [getFilter("delete")]
+		}
+	};
+}
+
+//#endregion
+export { multiTenantPreset as default, multiTenantPreset };
+//# sourceMappingURL=multiTenant.mjs.map

package/dist/presets/multiTenant.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"multiTenant.mjs","names":[],"sources":["../../src/presets/multiTenant.ts"],"sourcesContent":["/**\n * Multi-Tenant Preset\n *\n * Adds tenant (organization) filtering and injection middlewares.\n */\n\nimport type { FastifyReply, FastifyRequest } from 'fastify';\nimport type {\n  AnyRecord,\n  CrudRouteKey,\n  MiddlewareConfig,\n  PresetResult,\n  RequestWithExtras,\n  RouteHandler,\n} from '../types/index.js';\nimport { DEFAULT_TENANT_FIELD } from '../constants.js';\nimport type { RequestScope } from '../scope/types.js';\nimport { isMember, isElevated, getOrgId, PUBLIC_SCOPE } from '../scope/types.js';\n\nexport interface MultiTenantOptions {\n  /** Field name in database (default: 'organizationId') */\n  tenantField?: string;\n\n  /**\n   * Routes that allow public access (no auth required)\n   * When a route is in this array:\n   * - If no org context: allow through without filtering (public data)\n   * - If org context present: require auth and apply filter\n   *\n   * @default [] (strict mode - all routes require auth)\n   * @example\n   * multiTenantPreset({ allowPublic: ['list', 'get'] })\n   */\n  allowPublic?: CrudRouteKey[];\n}\n\n/** Read request.scope safely */\nfunction getScope(request: FastifyRequest): RequestScope {\n  return request.scope ?? PUBLIC_SCOPE;\n}\n\n/**\n * Create tenant filter middleware\n * Adds tenant filter to query for list/get operations.\n * Reads `request.scope` for org context and elevation bypass.\n */\nfunction createTenantFilter(tenantField: string): RouteHandler {\n  return async (request: RequestWithExtras, reply: FastifyReply): Promise<void> => {\n    const scope = getScope(request);\n\n    // Elevated without org → no filter (admin viewing all)\n    // Elevated with org → filter by that org\n    if (isElevated(scope)) {\n      const orgId = getOrgId(scope);\n      if (orgId) {\n        request._policyFilters = {\n          ...(request._policyFilters ?? {}),\n          [tenantField]: orgId,\n        };\n      }\n      return;\n    }\n\n    // Member → filter by scope.organizationId\n    if (isMember(scope)) {\n      request._policyFilters = {\n        ...(request._policyFilters ?? {}),\n        [tenantField]: scope.organizationId,\n      };\n      return;\n    }\n\n    // authenticated / public → 403 (multi-tenant requires org context)\n    if (scope.kind === 'public') {\n      reply.code(401).send({\n        success: false,\n        error: 'Unauthorized',\n        message: 'Authentication required for multi-tenant resources',\n      });\n      return;\n    }\n\n    // authenticated but no org → 403\n    reply.code(403).send({\n      success: false,\n      error: 'Forbidden',\n      message: 'Organization context required for this operation',\n    });\n  };\n}\n\n/**\n * Create flexible tenant filter middleware\n * For routes in allowPublic: only filter when org context is present\n * No org context = allow through (public data)\n * Org context present = require auth and apply filter\n */\nfunction createFlexibleTenantFilter(tenantField: string): RouteHandler {\n  return async (request: RequestWithExtras, reply: FastifyReply): Promise<void> => {\n    const scope = getScope(request);\n\n    // Elevated without org → no filter (admin viewing all)\n    if (isElevated(scope)) {\n      const orgId = getOrgId(scope);\n      if (orgId) {\n        request._policyFilters = {\n          ...(request._policyFilters ?? {}),\n          [tenantField]: orgId,\n        };\n      }\n      return;\n    }\n\n    // Member → filter by scope.organizationId\n    if (isMember(scope)) {\n      request._policyFilters = {\n        ...(request._policyFilters ?? {}),\n        [tenantField]: scope.organizationId,\n      };\n      return;\n    }\n\n    // authenticated / public with no org context → allow through (public data)\n    return;\n  };\n}\n\n/**\n * Create tenant injection middleware\n * Injects tenant ID into request body on create.\n * Reads `request.scope` for org context.\n */\nfunction createTenantInjection(tenantField: string): RouteHandler {\n  return async (request: RequestWithExtras, reply: FastifyReply): Promise<void> => {\n    const scope = getScope(request);\n    const orgId = getOrgId(scope);\n\n    // Elevated without org → skip injection (admin cross-org operation)\n    if (isElevated(scope) && !orgId) {\n      return;\n    }\n\n    // Fail-closed: Require orgId to prevent orphaned data\n    if (!orgId) {\n      reply.code(403).send({\n        success: false,\n        error: 'Forbidden',\n        message: 'Organization context required to create resources',\n      });\n      return;\n    }\n\n    if (request.body) {\n      (request.body as AnyRecord)[tenantField] = orgId;\n    }\n  };\n}\n\nexport function multiTenantPreset(options: MultiTenantOptions = {}): PresetResult {\n  const {\n    tenantField = DEFAULT_TENANT_FIELD,\n    allowPublic = [],\n  } = options;\n\n  // Create middleware variants\n  const strictTenantFilter = createTenantFilter(tenantField);\n  const flexibleTenantFilter = createFlexibleTenantFilter(tenantField);\n  const tenantInjection = createTenantInjection(tenantField);\n\n  // Helper to select appropriate filter based on allowPublic\n  const getFilter = (route: CrudRouteKey): RouteHandler =>\n    allowPublic.includes(route) ? flexibleTenantFilter : strictTenantFilter;\n\n  return {\n    name: 'multiTenant',\n    middlewares: {\n      list: [getFilter('list')],\n      get: [getFilter('get')],\n      create: [tenantInjection],\n      update: [getFilter('update')],\n      delete: [getFilter('delete')],\n    } as MiddlewareConfig,\n  };\n}\n\nexport default multiTenantPreset;\n"],"mappings":";;;;;AAqCA,SAAS,SAAS,SAAuC;AACvD,QAAO,QAAQ,SAAS;;;;;;;AAQ1B,SAAS,mBAAmB,aAAmC;AAC7D,QAAO,OAAO,SAA4B,UAAuC;EAC/E,MAAM,QAAQ,SAAS,QAAQ;AAI/B,MAAI,WAAW,MAAM,EAAE;GACrB,MAAM,QAAQ,SAAS,MAAM;AAC7B,OAAI,MACF,SAAQ,iBAAiB;IACvB,GAAI,QAAQ,kBAAkB,EAAE;KAC/B,cAAc;IAChB;AAEH;;AAIF,MAAI,SAAS,MAAM,EAAE;AACnB,WAAQ,iBAAiB;IACvB,GAAI,QAAQ,kBAAkB,EAAE;KAC/B,cAAc,MAAM;IACtB;AACD;;AAIF,MAAI,MAAM,SAAS,UAAU;AAC3B,SAAM,KAAK,IAAI,CAAC,KAAK;IACnB,SAAS;IACT,OAAO;IACP,SAAS;IACV,CAAC;AACF;;AAIF,QAAM,KAAK,IAAI,CAAC,KAAK;GACnB,SAAS;GACT,OAAO;GACP,SAAS;GACV,CAAC;;;;;;;;;AAUN,SAAS,2BAA2B,aAAmC;AACrE,QAAO,OAAO,SAA4B,UAAuC;EAC/E,MAAM,QAAQ,SAAS,QAAQ;AAG/B,MAAI,WAAW,MAAM,EAAE;GACrB,MAAM,QAAQ,SAAS,MAAM;AAC7B,OAAI,MACF,SAAQ,iBAAiB;IACvB,GAAI,QAAQ,kBAAkB,EAAE;KAC/B,cAAc;IAChB;AAEH;;AAIF,MAAI,SAAS,MAAM,EAAE;AACnB,WAAQ,iBAAiB;IACvB,GAAI,QAAQ,kBAAkB,EAAE;KAC/B,cAAc,MAAM;IACtB;AACD;;;;;;;;;AAaN,SAAS,sBAAsB,aAAmC;AAChE,QAAO,OAAO,SAA4B,UAAuC;EAC/E,MAAM,QAAQ,SAAS,QAAQ;EAC/B,MAAM,QAAQ,SAAS,MAAM;AAG7B,MAAI,WAAW,MAAM,IAAI,CAAC,MACxB;AAIF,MAAI,CAAC,OAAO;AACV,SAAM,KAAK,IAAI,CAAC,KAAK;IACnB,SAAS;IACT,OAAO;IACP,SAAS;IACV,CAAC;AACF;;AAGF,MAAI,QAAQ,KACV,CAAC,QAAQ,KAAmB,eAAe;;;AAKjD,SAAgB,kBAAkB,UAA8B,EAAE,EAAgB;CAChF,MAAM,EACJ,cAAc,sBACd,cAAc,EAAE,KACd;CAGJ,MAAM,qBAAqB,mBAAmB,YAAY;CAC1D,MAAM,uBAAuB,2BAA2B,YAAY;CACpE,MAAM,kBAAkB,sBAAsB,YAAY;CAG1D,MAAM,aAAa,UACjB,YAAY,SAAS,MAAM,GAAG,uBAAuB;AAEvD,QAAO;EACL,MAAM;EACN,aAAa;GACX,MAAM,CAAC,UAAU,OAAO,CAAC;GACzB,KAAK,CAAC,UAAU,MAAM,CAAC;GACvB,QAAQ,CAAC,gBAAgB;GACzB,QAAQ,CAAC,UAAU,SAAS,CAAC;GAC7B,QAAQ,CAAC,UAAU,SAAS,CAAC;GAC9B;EACF"}

package/dist/presets-BITljm96.mjs

@@ -0,0 +1,120 @@
+import { t as __exportAll } from "./chunk-C7Uep-_p.mjs";
+import { allowPublic, anyOf, requireAuth, requireOwnership, requireRoles } from "./permissions/index.mjs";
+
+//#region src/permissions/presets.ts
+var presets_exports = /* @__PURE__ */ __exportAll({
+	adminOnly: () => adminOnly,
+	authenticated: () => authenticated,
+	fullPublic: () => fullPublic,
+	ownerWithAdminBypass: () => ownerWithAdminBypass,
+	publicRead: () => publicRead,
+	publicReadAdminWrite: () => publicReadAdminWrite,
+	readOnly: () => readOnly
+});
+/**
+* Merge a base preset with user overrides.
+* Overrides replace individual operations — undefined values don't clear them.
+*/
+function withOverrides(base, overrides) {
+	if (!overrides) return base;
+	const filtered = Object.fromEntries(Object.entries(overrides).filter(([, v]) => v !== void 0));
+	return {
+		...base,
+		...filtered
+	};
+}
+/**
+* Public read, authenticated write.
+* list + get = allowPublic(), create + update + delete = requireAuth()
+*/
+function publicRead(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* Public read, admin write.
+* list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+*/
+function publicReadAdminWrite(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* All operations require authentication.
+*/
+function authenticated(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* All operations require specific roles.
+* @param roles - Required roles (user needs at least one). Default: ['admin']
+*/
+function adminOnly(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireRoles(roles),
+		get: requireRoles(roles),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* Owner-scoped with admin bypass.
+* list = auth (scoped to owner), get = auth, create = auth,
+* update + delete = ownership check with admin bypass.
+*
+* @param ownerField - Field containing owner ID (default: 'userId')
+* @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+*/
+function ownerWithAdminBypass(ownerField = "userId", bypassRoles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),
+		delete: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField))
+	}, overrides);
+}
+/**
+* Full public access — no auth required for any operation.
+* Use sparingly (dev/testing, truly public APIs).
+*/
+function fullPublic(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: allowPublic(),
+		update: allowPublic(),
+		delete: allowPublic()
+	}, overrides);
+}
+/**
+* Read-only: list + get authenticated, write operations denied.
+* Useful for computed/derived resources.
+*/
+function readOnly(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth()
+	}, overrides);
+}
+
+//#endregion
+export { presets_exports as a, readOnly as c, ownerWithAdminBypass as i, authenticated as n, publicRead as o, fullPublic as r, publicReadAdminWrite as s, adminOnly as t };
+//# sourceMappingURL=presets-BITljm96.mjs.map

package/dist/presets-BITljm96.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"presets-BITljm96.mjs","names":[],"sources":["../src/permissions/presets.ts"],"sourcesContent":["/**\n * Permission Presets — Common permission patterns in one call.\n *\n * Reduces 5 lines of permission declarations to 1.\n * Each preset returns a ResourcePermissions object that can be\n * spread or overridden per-operation.\n *\n * @example\n * ```typescript\n * import { permissions } from '@classytic/arc';\n *\n * // Public read, authenticated write\n * defineResource({ name: 'product', permissions: permissions.publicRead() });\n *\n * // Override specific operations\n * defineResource({\n *   name: 'product',\n *   permissions: permissions.publicRead({ delete: requireRoles(['superadmin']) }),\n * });\n * ```\n */\n\nimport type { PermissionCheck } from \"./types.js\";\nimport {\n  allowPublic,\n  requireAuth,\n  requireRoles,\n  requireOwnership,\n  anyOf,\n} from \"./index.js\";\n\n/**\n * ResourcePermissions shape — matches the type in types/index.ts\n */\ninterface ResourcePermissions<TDoc = any> {\n  list?: PermissionCheck<TDoc>;\n  get?: PermissionCheck<TDoc>;\n  create?: PermissionCheck<TDoc>;\n  update?: PermissionCheck<TDoc>;\n  delete?: PermissionCheck<TDoc>;\n}\n\ntype PermissionOverrides<TDoc = any> = Partial<ResourcePermissions<TDoc>>;\n\n/**\n * Merge a base preset with user overrides.\n * Overrides replace individual operations — undefined values don't clear them.\n */\nfunction withOverrides<TDoc = any>(\n  base: ResourcePermissions<TDoc>,\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  if (!overrides) return base;\n  const filtered = Object.fromEntries(\n    Object.entries(overrides).filter(([, v]) => v !== undefined),\n  );\n  return { ...base, ...filtered };\n}\n\n/**\n * Public read, authenticated write.\n * list + get = allowPublic(), create + update + delete = requireAuth()\n */\nexport function publicRead<TDoc = any>(\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: allowPublic(),\n      get: allowPublic(),\n      create: requireAuth(),\n      update: requireAuth(),\n      delete: requireAuth(),\n    },\n    overrides,\n  );\n}\n\n/**\n * Public read, admin write.\n * list + get = allowPublic(), create + update + delete = requireRoles(['admin'])\n */\nexport function publicReadAdminWrite<TDoc = any>(\n  roles: readonly string[] = [\"admin\"],\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: allowPublic(),\n      get: allowPublic(),\n      create: requireRoles(roles),\n      update: requireRoles(roles),\n      delete: requireRoles(roles),\n    },\n    overrides,\n  );\n}\n\n/**\n * All operations require authentication.\n */\nexport function authenticated<TDoc = any>(\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: requireAuth(),\n      get: requireAuth(),\n      create: requireAuth(),\n      update: requireAuth(),\n      delete: requireAuth(),\n    },\n    overrides,\n  );\n}\n\n/**\n * All operations require specific roles.\n * @param roles - Required roles (user needs at least one). Default: ['admin']\n */\nexport function adminOnly<TDoc = any>(\n  roles: readonly string[] = [\"admin\"],\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: requireRoles(roles),\n      get: requireRoles(roles),\n      create: requireRoles(roles),\n      update: requireRoles(roles),\n      delete: requireRoles(roles),\n    },\n    overrides,\n  );\n}\n\n/**\n * Owner-scoped with admin bypass.\n * list = auth (scoped to owner), get = auth, create = auth,\n * update + delete = ownership check with admin bypass.\n *\n * @param ownerField - Field containing owner ID (default: 'userId')\n * @param bypassRoles - Roles that bypass ownership check (default: ['admin'])\n */\nexport function ownerWithAdminBypass<TDoc = any>(\n  ownerField: Extract<keyof TDoc, string> | string = \"userId\",\n  bypassRoles: readonly string[] = [\"admin\"],\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: requireAuth(),\n      get: requireAuth(),\n      create: requireAuth(),\n      update: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),\n      delete: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),\n    },\n    overrides,\n  );\n}\n\n/**\n * Full public access — no auth required for any operation.\n * Use sparingly (dev/testing, truly public APIs).\n */\nexport function fullPublic<TDoc = any>(\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: allowPublic(),\n      get: allowPublic(),\n      create: allowPublic(),\n      update: allowPublic(),\n      delete: allowPublic(),\n    },\n    overrides,\n  );\n}\n\n/**\n * Read-only: list + get authenticated, write operations denied.\n * Useful for computed/derived resources.\n */\nexport function readOnly<TDoc = any>(\n  overrides?: PermissionOverrides<TDoc>,\n): ResourcePermissions<TDoc> {\n  return withOverrides(\n    {\n      list: requireAuth(),\n      get: requireAuth(),\n    },\n    overrides,\n  );\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAgDA,SAAS,cACP,MACA,WAC2B;AAC3B,KAAI,CAAC,UAAW,QAAO;CACvB,MAAM,WAAW,OAAO,YACtB,OAAO,QAAQ,UAAU,CAAC,QAAQ,GAAG,OAAO,MAAM,OAAU,CAC7D;AACD,QAAO;EAAE,GAAG;EAAM,GAAG;EAAU;;;;;;AAOjC,SAAgB,WACd,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EAClB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACtB,EACD,UACD;;;;;;AAOH,SAAgB,qBACd,QAA2B,CAAC,QAAQ,EACpC,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EAClB,QAAQ,aAAa,MAAM;EAC3B,QAAQ,aAAa,MAAM;EAC3B,QAAQ,aAAa,MAAM;EAC5B,EACD,UACD;;;;;AAMH,SAAgB,cACd,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EAClB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACtB,EACD,UACD;;;;;;AAOH,SAAgB,UACd,QAA2B,CAAC,QAAQ,EACpC,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa,MAAM;EACzB,KAAK,aAAa,MAAM;EACxB,QAAQ,aAAa,MAAM;EAC3B,QAAQ,aAAa,MAAM;EAC3B,QAAQ,aAAa,MAAM;EAC5B,EACD,UACD;;;;;;;;;;AAWH,SAAgB,qBACd,aAAmD,UACnD,cAAiC,CAAC,QAAQ,EAC1C,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EAClB,QAAQ,aAAa;EACrB,QAAQ,MAAM,aAAa,YAAY,EAAE,iBAAiB,WAAW,CAAC;EACtE,QAAQ,MAAM,aAAa,YAAY,EAAE,iBAAiB,WAAW,CAAC;EACvE,EACD,UACD;;;;;;AAOH,SAAgB,WACd,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EAClB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACrB,QAAQ,aAAa;EACtB,EACD,UACD;;;;;;AAOH,SAAgB,SACd,WAC2B;AAC3B,QAAO,cACL;EACE,MAAM,aAAa;EACnB,KAAK,aAAa;EACnB,EACD,UACD"}

package/dist/presets-DzSMwlKj.d.mts

@@ -0,0 +1,58 @@
+import { t as PermissionCheck } from "./types-aYB4V7uN.mjs";
+
+//#region src/permissions/presets.d.ts
+declare namespace presets_d_exports {
+  export { adminOnly, authenticated, fullPublic, ownerWithAdminBypass, publicRead, publicReadAdminWrite, readOnly };
+}
+/**
+ * ResourcePermissions shape — matches the type in types/index.ts
+ */
+interface ResourcePermissions<TDoc = any> {
+  list?: PermissionCheck<TDoc>;
+  get?: PermissionCheck<TDoc>;
+  create?: PermissionCheck<TDoc>;
+  update?: PermissionCheck<TDoc>;
+  delete?: PermissionCheck<TDoc>;
+}
+type PermissionOverrides<TDoc = any> = Partial<ResourcePermissions<TDoc>>;
+/**
+ * Public read, authenticated write.
+ * list + get = allowPublic(), create + update + delete = requireAuth()
+ */
+declare function publicRead<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Public read, admin write.
+ * list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+ */
+declare function publicReadAdminWrite<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require authentication.
+ */
+declare function authenticated<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require specific roles.
+ * @param roles - Required roles (user needs at least one). Default: ['admin']
+ */
+declare function adminOnly<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Owner-scoped with admin bypass.
+ * list = auth (scoped to owner), get = auth, create = auth,
+ * update + delete = ownership check with admin bypass.
+ *
+ * @param ownerField - Field containing owner ID (default: 'userId')
+ * @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+ */
+declare function ownerWithAdminBypass<TDoc = any>(ownerField?: Extract<keyof TDoc, string> | string, bypassRoles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Full public access — no auth required for any operation.
+ * Use sparingly (dev/testing, truly public APIs).
+ */
+declare function fullPublic<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Read-only: list + get authenticated, write operations denied.
+ * Useful for computed/derived resources.
+ */
+declare function readOnly<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+//#endregion
+export { presets_d_exports as a, readOnly as c, ownerWithAdminBypass as i, authenticated as n, publicRead as o, fullPublic as r, publicReadAdminWrite as s, adminOnly as t };
+//# sourceMappingURL=presets-DzSMwlKj.d.mts.map

package/dist/presets-DzSMwlKj.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"presets-DzSMwlKj.d.mts","names":[],"sources":["../src/permissions/presets.ts"],"mappings":";;;;;;;;;UAkCU,mBAAA;EACR,IAAA,GAAO,eAAA,CAAgB,IAAA;EACvB,GAAA,GAAM,eAAA,CAAgB,IAAA;EACtB,MAAA,GAAS,eAAA,CAAgB,IAAA;EACzB,MAAA,GAAS,eAAA,CAAgB,IAAA;EACzB,MAAA,GAAS,eAAA,CAAgB,IAAA;AAAA;AAAA,KAGtB,mBAAA,eAAkC,OAAA,CAAQ,mBAAA,CAAoB,IAAA;;;;;iBAqBnD,UAAA,YAAA,CACd,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;;iBAiBP,oBAAA,YAAA,CACd,KAAA,sBACA,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;iBAgBP,aAAA,YAAA,CACd,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;;iBAiBP,SAAA,YAAA,CACd,KAAA,sBACA,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;;;;;;iBAqBP,oBAAA,YAAA,CACd,UAAA,GAAY,OAAA,OAAc,IAAA,oBAC1B,WAAA,sBACA,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;;iBAiBP,UAAA,YAAA,CACd,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA;;;;;iBAiBP,QAAA,YAAA,CACd,SAAA,GAAY,mBAAA,CAAoB,IAAA,IAC/B,mBAAA,CAAoB,IAAA"}