@classytic/arc 1.1.0 → 2.1.2

package/dist/audit/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/audit/stores/interface.ts","../../src/audit/stores/memory.ts","../../src/audit/auditPlugin.ts"],"sourcesContent":["/**\n * Audit Store Interface\n *\n * Pluggable storage backend for audit logs.\n * Implementations: memory (dev), mongodb, event (emit only)\n */\n\nimport type { UserBase } from '../../types/index.js';\n\nexport type AuditAction = 'create' | 'update' | 'delete' | 'restore' | 'custom';\n\nexport interface AuditEntry {\n  /** Unique audit log ID */\n  id: string;\n  /** Resource name (e.g., 'product', 'user') */\n  resource: string;\n  /** Document/entity ID */\n  documentId: string;\n  /** Action performed */\n  action: AuditAction;\n  /** User who performed the action */\n  userId?: string;\n  /** Organization context */\n  organizationId?: string;\n  /** Previous state (for updates) */\n  before?: Record<string, unknown>;\n  /** New state (for creates/updates) */\n  after?: Record<string, unknown>;\n  /** Changed fields (for updates) */\n  changes?: string[];\n  /** Request ID for tracing */\n  requestId?: string;\n  /** IP address */\n  ipAddress?: string;\n  /** User agent */\n  userAgent?: string;\n  /** Custom metadata */\n  metadata?: Record<string, unknown>;\n  /** When the action occurred */\n  timestamp: Date;\n}\n\nexport interface AuditContext {\n  user?: UserBase;\n  organizationId?: string;\n  requestId?: string;\n  ipAddress?: string;\n  userAgent?: string;\n  /** HTTP method + route pattern (e.g., 'PATCH /api/products/:id') */\n  endpoint?: string;\n  /** Request duration in milliseconds */\n  duration?: number;\n}\n\nexport interface AuditStoreOptions {\n  /** Store name for logging */\n  name: string;\n}\n\n/**\n * Abstract audit store interface\n */\nexport interface AuditStore {\n  /** Store name */\n  readonly name: string;\n\n  /** Log an audit entry */\n  log(entry: AuditEntry): Promise<void>;\n\n  /** Query audit logs (optional - not all stores support querying) */\n  query?(options: AuditQueryOptions): Promise<AuditEntry[]>;\n\n  /** Close/cleanup (optional) */\n  close?(): Promise<void>;\n}\n\nexport interface AuditQueryOptions {\n  resource?: string;\n  documentId?: string;\n  userId?: string;\n  organizationId?: string;\n  action?: AuditAction | AuditAction[];\n  from?: Date;\n  to?: Date;\n  limit?: number;\n  offset?: number;\n}\n\n/**\n * Create audit entry from context\n */\nexport function createAuditEntry(\n  resource: string,\n  documentId: string,\n  action: AuditAction,\n  context: AuditContext,\n  data?: {\n    before?: Record<string, unknown>;\n    after?: Record<string, unknown>;\n    metadata?: Record<string, unknown>;\n  }\n): AuditEntry {\n  const changes = data?.before && data?.after\n    ? detectChanges(data.before, data.after)\n    : undefined;\n\n  return {\n    id: generateAuditId(),\n    resource,\n    documentId,\n    action,\n    userId: context.user?._id?.toString() ?? context.user?.id,\n    organizationId: context.organizationId,\n    before: data?.before,\n    after: data?.after,\n    changes,\n    requestId: context.requestId,\n    ipAddress: context.ipAddress,\n    userAgent: context.userAgent,\n    metadata: data?.metadata,\n    timestamp: new Date(),\n  };\n}\n\n/**\n * Detect changed fields between two objects\n */\nfunction detectChanges(\n  before: Record<string, unknown>,\n  after: Record<string, unknown>\n): string[] {\n  const changes: string[] = [];\n  const allKeys = new Set([...Object.keys(before), ...Object.keys(after)]);\n\n  for (const key of allKeys) {\n    // Skip internal fields\n    if (key.startsWith('_') || key === 'updatedAt') continue;\n\n    const oldVal = JSON.stringify(before[key]);\n    const newVal = JSON.stringify(after[key]);\n\n    if (oldVal !== newVal) {\n      changes.push(key);\n    }\n  }\n\n  return changes;\n}\n\n/**\n * Generate unique audit ID\n */\nfunction generateAuditId(): string {\n  const timestamp = Date.now().toString(36);\n  const random = Math.random().toString(36).substring(2, 10);\n  return `aud_${timestamp}${random}`;\n}\n","/**\n * In-Memory Audit Store\n *\n * For development and testing. Not suitable for production.\n * Logs are lost on restart.\n */\n\nimport type { AuditEntry, AuditQueryOptions, AuditStore } from './interface.js';\n\nexport interface MemoryAuditStoreOptions {\n  /** Maximum entries to keep (default: 1000) */\n  maxEntries?: number;\n}\n\nexport class MemoryAuditStore implements AuditStore {\n  readonly name = 'memory';\n  private entries: AuditEntry[] = [];\n  private maxEntries: number;\n\n  constructor(options: MemoryAuditStoreOptions = {}) {\n    this.maxEntries = options.maxEntries ?? 1000;\n  }\n\n  async log(entry: AuditEntry): Promise<void> {\n    this.entries.unshift(entry);\n\n    // Trim to max size\n    if (this.entries.length > this.maxEntries) {\n      this.entries = this.entries.slice(0, this.maxEntries);\n    }\n  }\n\n  async query(options: AuditQueryOptions = {}): Promise<AuditEntry[]> {\n    let results = [...this.entries];\n\n    if (options.resource) {\n      results = results.filter((e) => e.resource === options.resource);\n    }\n\n    if (options.documentId) {\n      results = results.filter((e) => e.documentId === options.documentId);\n    }\n\n    if (options.userId) {\n      results = results.filter((e) => e.userId === options.userId);\n    }\n\n    if (options.organizationId) {\n      results = results.filter((e) => e.organizationId === options.organizationId);\n    }\n\n    if (options.action) {\n      const actions = Array.isArray(options.action) ? options.action : [options.action];\n      results = results.filter((e) => actions.includes(e.action));\n    }\n\n    if (options.from) {\n      results = results.filter((e) => e.timestamp >= options.from!);\n    }\n\n    if (options.to) {\n      results = results.filter((e) => e.timestamp <= options.to!);\n    }\n\n    // Pagination\n    const offset = options.offset ?? 0;\n    const limit = options.limit ?? 100;\n    results = results.slice(offset, offset + limit);\n\n    return results;\n  }\n\n  async close(): Promise<void> {\n    this.entries = [];\n  }\n\n  /** Get all entries (for testing) */\n  getAll(): AuditEntry[] {\n    return [...this.entries];\n  }\n\n  /** Clear all entries (for testing) */\n  clear(): void {\n    this.entries = [];\n  }\n}\n\nexport default MemoryAuditStore;\n","/**\n * Audit Plugin\n *\n * Optional audit trail with flexible storage options.\n * Disabled by default - enable explicitly for enterprise use cases.\n *\n * @example\n * import { auditPlugin } from '@classytic/arc/audit';\n *\n * // Development: in-memory\n * await fastify.register(auditPlugin, {\n *   enabled: true,\n *   stores: ['memory'],\n * });\n *\n * // Production: MongoDB with TTL\n * await fastify.register(auditPlugin, {\n *   enabled: true,\n *   stores: ['mongodb'],\n *   mongoConnection: mongoose.connection,\n *   ttlDays: 90,\n * });\n */\n\nimport fp from 'fastify-plugin';\nimport type { FastifyInstance, FastifyPluginAsync, FastifyRequest } from 'fastify';\nimport type { AuditContext, AuditEntry, AuditStore } from './stores/interface.js';\nimport { createAuditEntry } from './stores/interface.js';\nimport { MemoryAuditStore } from './stores/memory.js';\nimport { MongoAuditStore, type MongoConnection } from './stores/mongodb.js';\nimport type { UserBase, RequestContext } from '../types/index.js';\n\nexport interface AuditPluginOptions {\n  /** Enable audit logging (default: false) */\n  enabled?: boolean;\n  /** Storage backends to use */\n  stores?: ('memory' | 'mongodb')[];\n  /** MongoDB connection (required if using mongodb store) */\n  mongoConnection?: MongoConnection;\n  /** MongoDB collection name (default: 'audit_logs') */\n  mongoCollection?: string;\n  /** TTL in days for MongoDB (default: 90) */\n  ttlDays?: number;\n  /** Custom stores (advanced) */\n  customStores?: AuditStore[];\n  /**\n   * Automatically audit CRUD operations via the hook system (default: true when enabled).\n   * When enabled, create/update/delete operations are auto-logged without manual calls.\n   *\n   * - `true`: Auto-audit all CRUD operations on all resources\n   * - `{ operations: ['create', 'delete'] }`: Only auto-audit specific operations\n   * - `{ exclude: ['health', 'metrics'] }`: Skip specific resources\n   * - `false`: Disable auto-audit (manual calls only)\n   */\n  autoAudit?: boolean | {\n    operations?: ('create' | 'update' | 'delete')[];\n    exclude?: string[];\n  };\n}\n\ndeclare module 'fastify' {\n  interface FastifyInstance {\n    /** Log an audit entry */\n    audit: AuditLogger;\n  }\n\n  interface FastifyRequest {\n    /** Audit context for current request */\n    auditContext?: AuditContext;\n  }\n}\n\nexport interface AuditLogger {\n  /** Log a create action */\n  create: (\n    resource: string,\n    documentId: string,\n    data: Record<string, unknown>,\n    context?: AuditContext\n  ) => Promise<void>;\n\n  /** Log an update action */\n  update: (\n    resource: string,\n    documentId: string,\n    before: Record<string, unknown>,\n    after: Record<string, unknown>,\n    context?: AuditContext\n  ) => Promise<void>;\n\n  /** Log a delete action */\n  delete: (\n    resource: string,\n    documentId: string,\n    data: Record<string, unknown>,\n    context?: AuditContext\n  ) => Promise<void>;\n\n  /** Log a restore action (soft delete undo) */\n  restore: (\n    resource: string,\n    documentId: string,\n    data: Record<string, unknown>,\n    context?: AuditContext\n  ) => Promise<void>;\n\n  /** Log a custom action */\n  custom: (\n    resource: string,\n    documentId: string,\n    action: string,\n    data?: Record<string, unknown>,\n    context?: AuditContext\n  ) => Promise<void>;\n\n  /** Query audit logs (if stores support it) */\n  query: (options: import('./stores/interface.js').AuditQueryOptions) => Promise<AuditEntry[]>;\n}\n\nconst auditPlugin: FastifyPluginAsync<AuditPluginOptions> = async (\n  fastify: FastifyInstance,\n  opts: AuditPluginOptions = {}\n) => {\n  const {\n    enabled = false,\n    stores: storeTypes = ['memory'],\n    mongoConnection,\n    mongoCollection = 'audit_logs',\n    ttlDays = 90,\n    customStores = [],\n  } = opts;\n\n  // Skip if not enabled\n  if (!enabled) {\n    // Provide no-op audit methods\n    fastify.decorate('audit', createNoopLogger());\n    fastify.decorateRequest('auditContext', undefined);\n    fastify.log?.debug?.('Audit plugin disabled');\n    return;\n  }\n\n  // Initialize stores\n  const stores: AuditStore[] = [...customStores];\n\n  for (const type of storeTypes) {\n    switch (type) {\n      case 'memory':\n        stores.push(new MemoryAuditStore());\n        break;\n      case 'mongodb':\n        if (!mongoConnection) {\n          throw new Error('Audit: mongoConnection required for mongodb store');\n        }\n        stores.push(new MongoAuditStore({\n          connection: mongoConnection,\n          collection: mongoCollection,\n          ttlDays,\n        }));\n        break;\n    }\n  }\n\n  if (stores.length === 0) {\n    throw new Error('Audit: at least one store must be configured');\n  }\n\n  // Log to all stores\n  async function logToStores(entry: AuditEntry): Promise<void> {\n    await Promise.all(stores.map((store) => store.log(entry)));\n  }\n\n  // Create audit logger\n  const audit: AuditLogger = {\n    async create(resource, documentId, data, context) {\n      const entry = createAuditEntry(resource, documentId, 'create', context ?? {}, {\n        after: data,\n      });\n      await logToStores(entry);\n    },\n\n    async update(resource, documentId, before, after, context) {\n      const entry = createAuditEntry(resource, documentId, 'update', context ?? {}, {\n        before,\n        after,\n      });\n      await logToStores(entry);\n    },\n\n    async delete(resource, documentId, data, context) {\n      const entry = createAuditEntry(resource, documentId, 'delete', context ?? {}, {\n        before: data,\n      });\n      await logToStores(entry);\n    },\n\n    async restore(resource, documentId, data, context) {\n      const entry = createAuditEntry(resource, documentId, 'restore', context ?? {}, {\n        after: data,\n      });\n      await logToStores(entry);\n    },\n\n    async custom(resource, documentId, action, data, context) {\n      const entry = createAuditEntry(resource, documentId, 'custom', context ?? {}, {\n        metadata: { customAction: action, ...data },\n      });\n      await logToStores(entry);\n    },\n\n    async query(options) {\n      // Use first store that supports querying\n      for (const store of stores) {\n        if (store.query) {\n          return store.query(options);\n        }\n      }\n      return [];\n    },\n  };\n\n  fastify.decorate('audit', audit);\n\n  // Extract audit context from request\n  fastify.decorateRequest('auditContext', undefined);\n\n  fastify.addHook('onRequest', async (request) => {\n    const user = (request as FastifyRequest & { user?: UserBase }).user;\n    const context = (request as FastifyRequest & { context?: RequestContext }).context;\n\n    // Derive org ID from request.scope (set by auth adapters)\n    const scope = request.scope;\n    const auditOrgId = scope?.kind === 'member' ? scope.organizationId\n      : scope?.kind === 'elevated' ? scope.organizationId\n      : undefined;\n\n    request.auditContext = {\n      user,\n      organizationId: auditOrgId,\n      requestId: request.id,\n      ipAddress: request.ip,\n      userAgent: request.headers['user-agent'],\n      endpoint: undefined,\n      duration: undefined,\n    };\n  });\n\n  // Populate endpoint and duration after response is sent\n  fastify.addHook('onResponse', async (request, reply) => {\n    if (request.auditContext) {\n      request.auditContext.endpoint = `${request.method} ${request.routeOptions?.url ?? request.url}`;\n      request.auditContext.duration = Math.round(reply.elapsedTime);\n    }\n  });\n\n  // Cleanup on close\n  fastify.addHook('onClose', async () => {\n    await Promise.all(stores.map((store) => store.close?.()));\n  });\n\n  // Auto-audit CRUD operations via hook system\n  const autoAuditConfig = opts.autoAudit ?? true;\n  if (autoAuditConfig !== false) {\n    const defaultOps = ['create', 'update', 'delete'] as const;\n    const ops = typeof autoAuditConfig === 'object'\n      ? autoAuditConfig.operations ?? defaultOps\n      : defaultOps;\n    const excludeResources = new Set(\n      typeof autoAuditConfig === 'object' ? autoAuditConfig.exclude ?? [] : [],\n    );\n\n    // Wire hooks after all plugins are registered (onReady) so arc-core is available\n    fastify.addHook('onReady', async () => {\n      // fastify.arc is declared via module augmentation in arcCorePlugin.ts\n      const arc = 'arc' in fastify ? fastify.arc : undefined;\n      if (!arc?.hooks) {\n        fastify.log?.debug?.('Auto-audit skipped: arc-core plugin not registered');\n        return;\n      }\n\n      for (const op of ops) {\n        arc.hooks.after('*', op, async (ctx) => {\n          if (excludeResources.has(ctx.resource)) return;\n\n          const docId = autoAuditExtractId(ctx.result);\n          const scope = (ctx.context as Record<string, unknown> | undefined)?._scope;\n          const auditCtx: AuditContext = {\n            user: ctx.user,\n            organizationId: scope ? autoAuditGetOrgId(scope) : undefined,\n          };\n\n          try {\n            if (op === 'create') {\n              await audit.create(ctx.resource, docId, autoAuditToPlain(ctx.result), auditCtx);\n            } else if (op === 'update') {\n              await audit.update(\n                ctx.resource,\n                docId,\n                autoAuditToPlain(ctx.meta?.existing),\n                autoAuditToPlain(ctx.result),\n                auditCtx,\n              );\n            } else if (op === 'delete') {\n              await audit.delete(ctx.resource, docId, autoAuditToPlain(ctx.result), auditCtx);\n            }\n          } catch (err) {\n            fastify.log?.warn?.(\n              { resource: ctx.resource, op, err },\n              'Auto-audit failed',\n            );\n          }\n        }, 90); // Priority 90 — after user hooks, before event hooks at 100\n      }\n\n      fastify.log?.debug?.({ ops, exclude: [...excludeResources] }, 'Auto-audit hooks registered');\n    });\n  }\n\n  fastify.log?.debug?.({ stores: storeTypes }, 'Audit plugin enabled');\n};\n\n/** Extract document ID from a result */\nfunction autoAuditExtractId(doc: unknown): string {\n  if (!doc || typeof doc !== 'object') return '';\n  const d = doc as Record<string, unknown>;\n  const rawId = d._id ?? d.id;\n  return rawId != null ? String(rawId) : '';\n}\n\n/** Convert Mongoose doc or plain object to plain object */\nfunction autoAuditToPlain(doc: unknown): Record<string, unknown> {\n  if (!doc || typeof doc !== 'object') return {};\n  if (typeof (doc as Record<string, unknown>).toObject === 'function') {\n    return (doc as { toObject: () => Record<string, unknown> }).toObject();\n  }\n  return doc as Record<string, unknown>;\n}\n\n/** Extract org ID from scope (avoids importing scope module to prevent circular deps) */\nfunction autoAuditGetOrgId(scope: unknown): string | undefined {\n  if (!scope || typeof scope !== 'object') return undefined;\n  const s = scope as Record<string, unknown>;\n  if (s.kind === 'member' || s.kind === 'elevated') {\n    return s.organizationId as string | undefined;\n  }\n  return undefined;\n}\n\n/**\n * Create no-op logger for when audit is disabled\n */\nfunction createNoopLogger(): AuditLogger {\n  const noop = async () => {};\n  return {\n    create: noop,\n    update: noop,\n    delete: noop,\n    restore: noop,\n    custom: noop,\n    query: async () => [],\n  };\n}\n\nexport default fp(auditPlugin, {\n  name: 'arc-audit',\n  fastify: '5.x',\n  dependencies: ['arc-core'],\n});\n\nexport { auditPlugin };\n"],"mappings":";;;;;;;AA2FA,SAAgB,iBACd,UACA,YACA,QACA,SACA,MAKY;CACZ,MAAM,UAAU,MAAM,UAAU,MAAM,QAClC,cAAc,KAAK,QAAQ,KAAK,MAAM,GACtC;AAEJ,QAAO;EACL,IAAI,iBAAiB;EACrB;EACA;EACA;EACA,QAAQ,QAAQ,MAAM,KAAK,UAAU,IAAI,QAAQ,MAAM;EACvD,gBAAgB,QAAQ;EACxB,QAAQ,MAAM;EACd,OAAO,MAAM;EACb;EACA,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,UAAU,MAAM;EAChB,2BAAW,IAAI,MAAM;EACtB;;;;;AAMH,SAAS,cACP,QACA,OACU;CACV,MAAM,UAAoB,EAAE;CAC5B,MAAM,UAAU,IAAI,IAAI,CAAC,GAAG,OAAO,KAAK,OAAO,EAAE,GAAG,OAAO,KAAK,MAAM,CAAC,CAAC;AAExE,MAAK,MAAM,OAAO,SAAS;AAEzB,MAAI,IAAI,WAAW,IAAI,IAAI,QAAQ,YAAa;AAKhD,MAHe,KAAK,UAAU,OAAO,KAAK,KAC3B,KAAK,UAAU,MAAM,KAAK,CAGvC,SAAQ,KAAK,IAAI;;AAIrB,QAAO;;;;;AAMT,SAAS,kBAA0B;AAGjC,QAAO,OAFW,KAAK,KAAK,CAAC,SAAS,GAAG,GAC1B,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;AC5I5D,IAAa,mBAAb,MAAoD;CAClD,AAAS,OAAO;CAChB,AAAQ,UAAwB,EAAE;CAClC,AAAQ;CAER,YAAY,UAAmC,EAAE,EAAE;AACjD,OAAK,aAAa,QAAQ,cAAc;;CAG1C,MAAM,IAAI,OAAkC;AAC1C,OAAK,QAAQ,QAAQ,MAAM;AAG3B,MAAI,KAAK,QAAQ,SAAS,KAAK,WAC7B,MAAK,UAAU,KAAK,QAAQ,MAAM,GAAG,KAAK,WAAW;;CAIzD,MAAM,MAAM,UAA6B,EAAE,EAAyB;EAClE,IAAI,UAAU,CAAC,GAAG,KAAK,QAAQ;AAE/B,MAAI,QAAQ,SACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,aAAa,QAAQ,SAAS;AAGlE,MAAI,QAAQ,WACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,eAAe,QAAQ,WAAW;AAGtE,MAAI,QAAQ,OACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,WAAW,QAAQ,OAAO;AAG9D,MAAI,QAAQ,eACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,mBAAmB,QAAQ,eAAe;AAG9E,MAAI,QAAQ,QAAQ;GAClB,MAAM,UAAU,MAAM,QAAQ,QAAQ,OAAO,GAAG,QAAQ,SAAS,CAAC,QAAQ,OAAO;AACjF,aAAU,QAAQ,QAAQ,MAAM,QAAQ,SAAS,EAAE,OAAO,CAAC;;AAG7D,MAAI,QAAQ,KACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,aAAa,QAAQ,KAAM;AAG/D,MAAI,QAAQ,GACV,WAAU,QAAQ,QAAQ,MAAM,EAAE,aAAa,QAAQ,GAAI;EAI7D,MAAM,SAAS,QAAQ,UAAU;EACjC,MAAM,QAAQ,QAAQ,SAAS;AAC/B,YAAU,QAAQ,MAAM,QAAQ,SAAS,MAAM;AAE/C,SAAO;;CAGT,MAAM,QAAuB;AAC3B,OAAK,UAAU,EAAE;;;CAInB,SAAuB;AACrB,SAAO,CAAC,GAAG,KAAK,QAAQ;;;CAI1B,QAAc;AACZ,OAAK,UAAU,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACoCrB,MAAM,cAAsD,OAC1D,SACA,OAA2B,EAAE,KAC1B;CACH,MAAM,EACJ,UAAU,OACV,QAAQ,aAAa,CAAC,SAAS,EAC/B,iBACA,kBAAkB,cAClB,UAAU,IACV,eAAe,EAAE,KACf;AAGJ,KAAI,CAAC,SAAS;AAEZ,UAAQ,SAAS,SAAS,kBAAkB,CAAC;AAC7C,UAAQ,gBAAgB,gBAAgB,OAAU;AAClD,UAAQ,KAAK,QAAQ,wBAAwB;AAC7C;;CAIF,MAAM,SAAuB,CAAC,GAAG,aAAa;AAE9C,MAAK,MAAM,QAAQ,WACjB,SAAQ,MAAR;EACE,KAAK;AACH,UAAO,KAAK,IAAI,kBAAkB,CAAC;AACnC;EACF,KAAK;AACH,OAAI,CAAC,gBACH,OAAM,IAAI,MAAM,oDAAoD;AAEtE,UAAO,KAAK,IAAI,gBAAgB;IAC9B,YAAY;IACZ,YAAY;IACZ;IACD,CAAC,CAAC;AACH;;AAIN,KAAI,OAAO,WAAW,EACpB,OAAM,IAAI,MAAM,+CAA+C;CAIjE,eAAe,YAAY,OAAkC;AAC3D,QAAM,QAAQ,IAAI,OAAO,KAAK,UAAU,MAAM,IAAI,MAAM,CAAC,CAAC;;CAI5D,MAAM,QAAqB;EACzB,MAAM,OAAO,UAAU,YAAY,MAAM,SAAS;AAIhD,SAAM,YAHQ,iBAAiB,UAAU,YAAY,UAAU,WAAW,EAAE,EAAE,EAC5E,OAAO,MACR,CAAC,CACsB;;EAG1B,MAAM,OAAO,UAAU,YAAY,QAAQ,OAAO,SAAS;AAKzD,SAAM,YAJQ,iBAAiB,UAAU,YAAY,UAAU,WAAW,EAAE,EAAE;IAC5E;IACA;IACD,CAAC,CACsB;;EAG1B,MAAM,OAAO,UAAU,YAAY,MAAM,SAAS;AAIhD,SAAM,YAHQ,iBAAiB,UAAU,YAAY,UAAU,WAAW,EAAE,EAAE,EAC5E,QAAQ,MACT,CAAC,CACsB;;EAG1B,MAAM,QAAQ,UAAU,YAAY,MAAM,SAAS;AAIjD,SAAM,YAHQ,iBAAiB,UAAU,YAAY,WAAW,WAAW,EAAE,EAAE,EAC7E,OAAO,MACR,CAAC,CACsB;;EAG1B,MAAM,OAAO,UAAU,YAAY,QAAQ,MAAM,SAAS;AAIxD,SAAM,YAHQ,iBAAiB,UAAU,YAAY,UAAU,WAAW,EAAE,EAAE,EAC5E,UAAU;IAAE,cAAc;IAAQ,GAAG;IAAM,EAC5C,CAAC,CACsB;;EAG1B,MAAM,MAAM,SAAS;AAEnB,QAAK,MAAM,SAAS,OAClB,KAAI,MAAM,MACR,QAAO,MAAM,MAAM,QAAQ;AAG/B,UAAO,EAAE;;EAEZ;AAED,SAAQ,SAAS,SAAS,MAAM;AAGhC,SAAQ,gBAAgB,gBAAgB,OAAU;AAElD,SAAQ,QAAQ,aAAa,OAAO,YAAY;EAC9C,MAAM,OAAQ,QAAiD;AAC/C,EAAC,QAA0D;EAG3E,MAAM,QAAQ,QAAQ;AAKtB,UAAQ,eAAe;GACrB;GACA,gBANiB,OAAO,SAAS,WAAW,MAAM,iBAChD,OAAO,SAAS,aAAa,MAAM,iBACnC;GAKF,WAAW,QAAQ;GACnB,WAAW,QAAQ;GACnB,WAAW,QAAQ,QAAQ;GAC3B,UAAU;GACV,UAAU;GACX;GACD;AAGF,SAAQ,QAAQ,cAAc,OAAO,SAAS,UAAU;AACtD,MAAI,QAAQ,cAAc;AACxB,WAAQ,aAAa,WAAW,GAAG,QAAQ,OAAO,GAAG,QAAQ,cAAc,OAAO,QAAQ;AAC1F,WAAQ,aAAa,WAAW,KAAK,MAAM,MAAM,YAAY;;GAE/D;AAGF,SAAQ,QAAQ,WAAW,YAAY;AACrC,QAAM,QAAQ,IAAI,OAAO,KAAK,UAAU,MAAM,SAAS,CAAC,CAAC;GACzD;CAGF,MAAM,kBAAkB,KAAK,aAAa;AAC1C,KAAI,oBAAoB,OAAO;EAC7B,MAAM,aAAa;GAAC;GAAU;GAAU;GAAS;EACjD,MAAM,MAAM,OAAO,oBAAoB,WACnC,gBAAgB,cAAc,aAC9B;EACJ,MAAM,mBAAmB,IAAI,IAC3B,OAAO,oBAAoB,WAAW,gBAAgB,WAAW,EAAE,GAAG,EAAE,CACzE;AAGD,UAAQ,QAAQ,WAAW,YAAY;GAErC,MAAM,MAAM,SAAS,UAAU,QAAQ,MAAM;AAC7C,OAAI,CAAC,KAAK,OAAO;AACf,YAAQ,KAAK,QAAQ,qDAAqD;AAC1E;;AAGF,QAAK,MAAM,MAAM,IACf,KAAI,MAAM,MAAM,KAAK,IAAI,OAAO,QAAQ;AACtC,QAAI,iBAAiB,IAAI,IAAI,SAAS,CAAE;IAExC,MAAM,QAAQ,mBAAmB,IAAI,OAAO;IAC5C,MAAM,QAAS,IAAI,SAAiD;IACpE,MAAM,WAAyB;KAC7B,MAAM,IAAI;KACV,gBAAgB,QAAQ,kBAAkB,MAAM,GAAG;KACpD;AAED,QAAI;AACF,SAAI,OAAO,SACT,OAAM,MAAM,OAAO,IAAI,UAAU,OAAO,iBAAiB,IAAI,OAAO,EAAE,SAAS;cACtE,OAAO,SAChB,OAAM,MAAM,OACV,IAAI,UACJ,OACA,iBAAiB,IAAI,MAAM,SAAS,EACpC,iBAAiB,IAAI,OAAO,EAC5B,SACD;cACQ,OAAO,SAChB,OAAM,MAAM,OAAO,IAAI,UAAU,OAAO,iBAAiB,IAAI,OAAO,EAAE,SAAS;aAE1E,KAAK;AACZ,aAAQ,KAAK,OACX;MAAE,UAAU,IAAI;MAAU;MAAI;MAAK,EACnC,oBACD;;MAEF,GAAG;AAGR,WAAQ,KAAK,QAAQ;IAAE;IAAK,SAAS,CAAC,GAAG,iBAAiB;IAAE,EAAE,8BAA8B;IAC5F;;AAGJ,SAAQ,KAAK,QAAQ,EAAE,QAAQ,YAAY,EAAE,uBAAuB;;;AAItE,SAAS,mBAAmB,KAAsB;AAChD,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;CAC5C,MAAM,IAAI;CACV,MAAM,QAAQ,EAAE,OAAO,EAAE;AACzB,QAAO,SAAS,OAAO,OAAO,MAAM,GAAG;;;AAIzC,SAAS,iBAAiB,KAAuC;AAC/D,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO,EAAE;AAC9C,KAAI,OAAQ,IAAgC,aAAa,WACvD,QAAQ,IAAoD,UAAU;AAExE,QAAO;;;AAIT,SAAS,kBAAkB,OAAoC;AAC7D,KAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;CAChD,MAAM,IAAI;AACV,KAAI,EAAE,SAAS,YAAY,EAAE,SAAS,WACpC,QAAO,EAAE;;;;;AAQb,SAAS,mBAAgC;CACvC,MAAM,OAAO,YAAY;AACzB,QAAO;EACL,QAAQ;EACR,QAAQ;EACR,QAAQ;EACR,SAAS;EACT,QAAQ;EACR,OAAO,YAAY,EAAE;EACtB;;AAGH,0BAAe,GAAG,aAAa;CAC7B,MAAM;CACN,SAAS;CACT,cAAc,CAAC,WAAW;CAC3B,CAAC"}

package/dist/audit/mongodb.d.mts

@@ -0,0 +1,5 @@
+import "../elevation-B_2dRLVP.mjs";
+import "../interface-Ch8HU9uM.mjs";
+import "../types-aYB4V7uN.mjs";
+import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-CGzRbfAK.mjs";
+export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/audit/mongodb.mjs

@@ -0,0 +1,3 @@
+import { t as MongoAuditStore } from "../mongodb-BfJVlUJH.mjs";
+
+export { MongoAuditStore };

package/dist/audited-C3T5DTUx.mjs

@@ -0,0 +1,141 @@
+import { c as isElevated, n as PUBLIC_SCOPE } from "./types-Beqn1Un7.mjs";
+import { allowPublic, requireRoles } from "./permissions/index.mjs";
+
+//#region src/presets/softDelete.ts
+function softDeletePreset() {
+	return {
+		name: "softDelete",
+		additionalRoutes: (permissions) => [{
+			method: "GET",
+			path: "/deleted",
+			handler: "getDeleted",
+			summary: "Get soft-deleted items",
+			permissions: permissions.list ?? requireRoles(["admin"]),
+			wrapHandler: true,
+			operation: "listDeleted"
+		}, {
+			method: "POST",
+			path: "/:id/restore",
+			handler: "restore",
+			summary: "Restore soft-deleted item",
+			permissions: permissions.update ?? requireRoles(["admin"]),
+			wrapHandler: true,
+			operation: "restore"
+		}]
+	};
+}
+
+//#endregion
+//#region src/presets/slugLookup.ts
+function slugLookupPreset(options = {}) {
+	const { slugField = "slug" } = options;
+	return {
+		name: "slugLookup",
+		additionalRoutes: (permissions) => [{
+			method: "GET",
+			path: `/slug/:${slugField}`,
+			handler: "getBySlug",
+			summary: "Get by slug",
+			permissions: permissions.get ?? allowPublic(),
+			wrapHandler: true,
+			operation: "getBySlug"
+		}],
+		controllerOptions: { slugField }
+	};
+}
+
+//#endregion
+//#region src/presets/ownedByUser.ts
+/**
+* Create ownership check middleware.
+* Elevated scope (platform admin) bypasses ownership checks.
+*/
+function createOwnershipCheck(ownerField) {
+	return async (request, _reply) => {
+		const user = request.user;
+		if (!user) return;
+		if (isElevated(request.scope ?? PUBLIC_SCOPE)) return;
+		const userWithId = user;
+		const userId = userWithId._id ?? userWithId.id;
+		if (userId) request._ownershipCheck = {
+			field: ownerField,
+			userId
+		};
+	};
+}
+function ownedByUserPreset(options = {}) {
+	const { ownerField = "userId" } = options;
+	const ownershipMiddleware = createOwnershipCheck(ownerField);
+	return {
+		name: "ownedByUser",
+		middlewares: {
+			update: [ownershipMiddleware],
+			delete: [ownershipMiddleware]
+		}
+	};
+}
+
+//#endregion
+//#region src/presets/tree.ts
+function treePreset(options = {}) {
+	const { parentField = "parent" } = options;
+	return {
+		name: "tree",
+		additionalRoutes: (permissions) => [{
+			method: "GET",
+			path: "/tree",
+			handler: "getTree",
+			summary: "Get hierarchical tree",
+			permissions: permissions.list ?? allowPublic(),
+			wrapHandler: true,
+			operation: "getTree"
+		}, {
+			method: "GET",
+			path: `/:${parentField}/children`,
+			handler: "getChildren",
+			summary: "Get children of parent",
+			permissions: permissions.list ?? allowPublic(),
+			wrapHandler: true,
+			operation: "getChildren"
+		}],
+		controllerOptions: { parentField }
+	};
+}
+
+//#endregion
+//#region src/presets/audited.ts
+/**
+* Audited preset - adds createdBy/updatedBy tracking
+*/
+function auditedPreset(options = {}) {
+	const { createdByField = "createdBy", updatedByField = "updatedBy" } = options;
+	const injectCreatedBy = async (request, _reply) => {
+		const userWithId = request.user;
+		if (userWithId?._id || userWithId?.id) {
+			const userId = userWithId._id ?? userWithId.id;
+			request.body[createdByField] = userId;
+			request.body[updatedByField] = userId;
+		}
+	};
+	const injectUpdatedBy = async (request, _reply) => {
+		const userWithId = request.user;
+		if (userWithId?._id || userWithId?.id) request.body[updatedByField] = userWithId._id ?? userWithId.id;
+	};
+	return {
+		name: "audited",
+		schemaOptions: { fieldRules: {
+			[createdByField]: { systemManaged: true },
+			[updatedByField]: { systemManaged: true },
+			createdAt: { systemManaged: true },
+			updatedAt: { systemManaged: true }
+		} },
+		middlewares: {
+			create: [injectCreatedBy],
+			update: [injectUpdatedBy]
+		}
+	};
+}
+
+//#endregion
+export { softDeletePreset as a, slugLookupPreset as i, treePreset as n, ownedByUserPreset as r, auditedPreset as t };
+//# sourceMappingURL=audited-C3T5DTUx.mjs.map

package/dist/audited-C3T5DTUx.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"audited-C3T5DTUx.mjs","names":[],"sources":["../src/presets/softDelete.ts","../src/presets/slugLookup.ts","../src/presets/ownedByUser.ts","../src/presets/tree.ts","../src/presets/audited.ts"],"sourcesContent":["/**\n * Soft Delete Preset\n *\n * Adds routes for listing deleted items and restoring them.\n * The actual soft-delete behavior (deletedAt field, query filtering)\n * is handled by the repository/adapter layer (e.g., MongoKit's softDelete plugin).\n */\n\nimport type { AdditionalRoute, PresetResult, ResourcePermissions } from '../types/index.js';\nimport { requireRoles } from '../permissions/index.js';\n\nexport function softDeletePreset(): PresetResult {\n  return {\n    name: 'softDelete',\n    additionalRoutes: (permissions: ResourcePermissions): AdditionalRoute[] => [\n      {\n        method: 'GET',\n        path: '/deleted',\n        handler: 'getDeleted',\n        summary: 'Get soft-deleted items',\n        permissions: permissions.list ?? requireRoles(['admin']),\n        wrapHandler: true,\n        operation: 'listDeleted',\n      },\n      {\n        method: 'POST',\n        path: '/:id/restore',\n        handler: 'restore',\n        summary: 'Restore soft-deleted item',\n        permissions: permissions.update ?? requireRoles(['admin']),\n        wrapHandler: true,\n        operation: 'restore',\n      },\n    ],\n  };\n}\n\nexport default softDeletePreset;\n","/**\n * Slug Lookup Preset\n *\n * Adds a route to get resource by slug.\n */\n\nimport type { AdditionalRoute, ResourcePermissions, PresetResult } from '../types/index.js';\nimport { allowPublic } from '../permissions/index.js';\n\nexport interface SlugLookupOptions {\n  slugField?: string;\n}\n\nexport function slugLookupPreset(options: SlugLookupOptions = {}): PresetResult {\n  const { slugField = 'slug' } = options;\n\n  return {\n    name: 'slugLookup',\n    additionalRoutes: (permissions: ResourcePermissions): AdditionalRoute[] => [\n      {\n        method: 'GET',\n        path: `/slug/:${slugField}`,\n        handler: 'getBySlug',\n        summary: 'Get by slug',\n        permissions: permissions.get ?? allowPublic(),\n        wrapHandler: true,\n        operation: 'getBySlug',\n      },\n    ],\n    // Pass to controller so it knows which param to read\n    controllerOptions: {\n      slugField,\n    },\n  };\n}\n\nexport default slugLookupPreset;\n","/**\n * Owned By User Preset\n *\n * Adds ownership validation for update/delete operations.\n *\n * BEHAVIOR:\n * - On update/remove, sets _ownershipCheck on request\n * - BaseController enforces ownership before mutation\n * - Users can only modify resources where ownerField matches their ID\n *\n * BYPASS:\n * - Users with bypassRoles (default: ['admin', 'superadmin']) skip check\n * - Resources without the ownerField are not checked\n *\n * @example\n * defineResource({\n *   name: 'post',\n *   presets: [{ name: 'ownedByUser', ownerField: 'authorId' }],\n * });\n *\n * // User A cannot update/delete User B's posts\n * // Admins can modify any post\n */\n\nimport type { FastifyReply } from 'fastify';\nimport type {\n  MiddlewareConfig,\n  PresetResult,\n  RequestWithExtras,\n  RouteHandler,\n} from '../types/index.js';\nimport { isElevated, PUBLIC_SCOPE } from '../scope/types.js';\nimport type { RequestScope } from '../scope/types.js';\n\nexport interface OwnedByUserOptions {\n  ownerField?: string;\n}\n\n/**\n * Create ownership check middleware.\n * Elevated scope (platform admin) bypasses ownership checks.\n */\nfunction createOwnershipCheck(ownerField: string): RouteHandler {\n  return async (request: RequestWithExtras, _reply: FastifyReply): Promise<void> => {\n    const user = request.user;\n    if (!user) return;\n\n    // Elevated scope bypasses ownership check\n    const scope = request.scope ?? PUBLIC_SCOPE;\n    if (isElevated(scope)) return;\n\n    // Set ownership check for controller to validate\n    const userWithId = user as { _id?: string; id?: string };\n    const userId = userWithId._id ?? userWithId.id;\n    if (userId) {\n      request._ownershipCheck = {\n        field: ownerField,\n        userId,\n      };\n    }\n  };\n}\n\nexport function ownedByUserPreset(options: OwnedByUserOptions = {}): PresetResult {\n  const { ownerField = 'userId' } = options;\n\n  const ownershipMiddleware = createOwnershipCheck(ownerField);\n\n  return {\n    name: 'ownedByUser',\n    middlewares: {\n      update: [ownershipMiddleware],\n      delete: [ownershipMiddleware],\n    } as MiddlewareConfig,\n  };\n}\n\nexport default ownedByUserPreset;\n","/**\n * Tree Preset\n *\n * Adds routes for hierarchical tree structures.\n */\n\nimport type { AdditionalRoute, ResourcePermissions, PresetResult } from '../types/index.js';\nimport { allowPublic } from '../permissions/index.js';\n\nexport interface TreeOptions {\n  parentField?: string;\n}\n\nexport function treePreset(options: TreeOptions = {}): PresetResult {\n  const { parentField = 'parent' } = options;\n\n  return {\n    name: 'tree',\n    additionalRoutes: (permissions: ResourcePermissions): AdditionalRoute[] => [\n      {\n        method: 'GET',\n        path: '/tree',\n        handler: 'getTree',\n        summary: 'Get hierarchical tree',\n        permissions: permissions.list ?? allowPublic(),\n        wrapHandler: true,\n        operation: 'getTree',\n      },\n      {\n        method: 'GET',\n        path: `/:${parentField}/children`,\n        handler: 'getChildren',\n        summary: 'Get children of parent',\n        permissions: permissions.list ?? allowPublic(),\n        wrapHandler: true,\n        operation: 'getChildren',\n      },\n    ],\n    // Pass to controller so it knows which param to read\n    controllerOptions: {\n      parentField,\n    },\n  };\n}\n\nexport default treePreset;\n","/**\n * Audited Preset\n *\n * Adds createdBy/updatedBy tracking to resources.\n * Works with the audit plugin for full change tracking.\n *\n * @example\n * defineResource({\n *   name: 'product',\n *   presets: ['audited'],\n *   // Fields createdBy, updatedBy auto-populated from user context\n * });\n */\n\nimport type { FastifyReply } from 'fastify';\nimport type { PresetResult, RequestWithExtras, MiddlewareHandler } from '../types/index.js';\n\nexport interface AuditedPresetOptions {\n  /** Field name for creator (default: 'createdBy') */\n  createdByField?: string;\n  /** Field name for updater (default: 'updatedBy') */\n  updatedByField?: string;\n}\n\n/**\n * Audited preset - adds createdBy/updatedBy tracking\n */\nexport function auditedPreset(options: AuditedPresetOptions = {}): PresetResult {\n  const { createdByField = 'createdBy', updatedByField = 'updatedBy' } = options;\n\n  const injectCreatedBy: MiddlewareHandler = async (\n    request: RequestWithExtras,\n    _reply: FastifyReply\n  ): Promise<unknown> => {\n    const userWithId = request.user as { _id?: string; id?: string };\n    if (userWithId?._id || userWithId?.id) {\n      const userId = userWithId._id ?? userWithId.id;\n      (request.body as Record<string, unknown>)[createdByField] = userId;\n      (request.body as Record<string, unknown>)[updatedByField] = userId;\n    }\n    return undefined;\n  };\n\n  const injectUpdatedBy: MiddlewareHandler = async (\n    request: RequestWithExtras,\n    _reply: FastifyReply\n  ): Promise<unknown> => {\n    const userWithId = request.user as { _id?: string; id?: string };\n    if (userWithId?._id || userWithId?.id) {\n      (request.body as Record<string, unknown>)[updatedByField] = userWithId._id ?? userWithId.id;\n    }\n    return undefined;\n  };\n\n  return {\n    name: 'audited',\n    schemaOptions: {\n      fieldRules: {\n        [createdByField]: { systemManaged: true },\n        [updatedByField]: { systemManaged: true },\n        createdAt: { systemManaged: true },\n        updatedAt: { systemManaged: true },\n      },\n    },\n    middlewares: {\n      create: [injectCreatedBy],\n      update: [injectUpdatedBy],\n    },\n  };\n}\n\nexport default auditedPreset;\n"],"mappings":";;;;AAWA,SAAgB,mBAAiC;AAC/C,QAAO;EACL,MAAM;EACN,mBAAmB,gBAAwD,CACzE;GACE,QAAQ;GACR,MAAM;GACN,SAAS;GACT,SAAS;GACT,aAAa,YAAY,QAAQ,aAAa,CAAC,QAAQ,CAAC;GACxD,aAAa;GACb,WAAW;GACZ,EACD;GACE,QAAQ;GACR,MAAM;GACN,SAAS;GACT,SAAS;GACT,aAAa,YAAY,UAAU,aAAa,CAAC,QAAQ,CAAC;GAC1D,aAAa;GACb,WAAW;GACZ,CACF;EACF;;;;;ACrBH,SAAgB,iBAAiB,UAA6B,EAAE,EAAgB;CAC9E,MAAM,EAAE,YAAY,WAAW;AAE/B,QAAO;EACL,MAAM;EACN,mBAAmB,gBAAwD,CACzE;GACE,QAAQ;GACR,MAAM,UAAU;GAChB,SAAS;GACT,SAAS;GACT,aAAa,YAAY,OAAO,aAAa;GAC7C,aAAa;GACb,WAAW;GACZ,CACF;EAED,mBAAmB,EACjB,WACD;EACF;;;;;;;;;ACSH,SAAS,qBAAqB,YAAkC;AAC9D,QAAO,OAAO,SAA4B,WAAwC;EAChF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KAAM;AAIX,MAAI,WADU,QAAQ,SAAS,aACV,CAAE;EAGvB,MAAM,aAAa;EACnB,MAAM,SAAS,WAAW,OAAO,WAAW;AAC5C,MAAI,OACF,SAAQ,kBAAkB;GACxB,OAAO;GACP;GACD;;;AAKP,SAAgB,kBAAkB,UAA8B,EAAE,EAAgB;CAChF,MAAM,EAAE,aAAa,aAAa;CAElC,MAAM,sBAAsB,qBAAqB,WAAW;AAE5D,QAAO;EACL,MAAM;EACN,aAAa;GACX,QAAQ,CAAC,oBAAoB;GAC7B,QAAQ,CAAC,oBAAoB;GAC9B;EACF;;;;;AC7DH,SAAgB,WAAW,UAAuB,EAAE,EAAgB;CAClE,MAAM,EAAE,cAAc,aAAa;AAEnC,QAAO;EACL,MAAM;EACN,mBAAmB,gBAAwD,CACzE;GACE,QAAQ;GACR,MAAM;GACN,SAAS;GACT,SAAS;GACT,aAAa,YAAY,QAAQ,aAAa;GAC9C,aAAa;GACb,WAAW;GACZ,EACD;GACE,QAAQ;GACR,MAAM,KAAK,YAAY;GACvB,SAAS;GACT,SAAS;GACT,aAAa,YAAY,QAAQ,aAAa;GAC9C,aAAa;GACb,WAAW;GACZ,CACF;EAED,mBAAmB,EACjB,aACD;EACF;;;;;;;;ACfH,SAAgB,cAAc,UAAgC,EAAE,EAAgB;CAC9E,MAAM,EAAE,iBAAiB,aAAa,iBAAiB,gBAAgB;CAEvE,MAAM,kBAAqC,OACzC,SACA,WACqB;EACrB,MAAM,aAAa,QAAQ;AAC3B,MAAI,YAAY,OAAO,YAAY,IAAI;GACrC,MAAM,SAAS,WAAW,OAAO,WAAW;AAC5C,GAAC,QAAQ,KAAiC,kBAAkB;AAC5D,GAAC,QAAQ,KAAiC,kBAAkB;;;CAKhE,MAAM,kBAAqC,OACzC,SACA,WACqB;EACrB,MAAM,aAAa,QAAQ;AAC3B,MAAI,YAAY,OAAO,YAAY,GACjC,CAAC,QAAQ,KAAiC,kBAAkB,WAAW,OAAO,WAAW;;AAK7F,QAAO;EACL,MAAM;EACN,eAAe,EACb,YAAY;IACT,iBAAiB,EAAE,eAAe,MAAM;IACxC,iBAAiB,EAAE,eAAe,MAAM;GACzC,WAAW,EAAE,eAAe,MAAM;GAClC,WAAW,EAAE,eAAe,MAAM;GACnC,EACF;EACD,aAAa;GACX,QAAQ,CAAC,gBAAgB;GACzB,QAAQ,CAAC,gBAAgB;GAC1B;EACF"}

package/dist/auth/index.d.mts

@@ -0,0 +1,189 @@
+import "../elevation-B_2dRLVP.mjs";
+import "../interface-Ch8HU9uM.mjs";
+import { t as PermissionCheck } from "../types-aYB4V7uN.mjs";
+import { AuthHelpers, AuthPluginOptions } from "../types/index.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-DlINfKbP.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-jPKLbHE0.mjs";
+import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest as FastifyRequest$1 } from "fastify";
+
+//#region src/auth/authPlugin.d.ts
+declare module 'fastify' {
+  interface FastifyInstance {
+    /** Authenticate middleware - use in preHandler for protected routes */
+    authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    /** Optional authenticate - parses JWT if present, doesn't fail if absent */
+    optionalAuthenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    /** Authorize middleware factory - checks if user has required roles */
+    authorize: (...roles: string[]) => (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    /** Auth helpers - issueTokens, jwt utilities */
+    auth: AuthHelpers;
+  }
+}
+declare const authPlugin: FastifyPluginAsync<AuthPluginOptions>;
+declare const _default: FastifyPluginAsync<AuthPluginOptions>;
+//#endregion
+//#region src/auth/betterAuth.d.ts
+declare module 'fastify' {
+  interface FastifyRequest {
+    /** Raw request body (from @fastify/raw-body plugin, if registered) */
+    rawBody?: Buffer | string;
+  }
+}
+/**
+ * Minimal interface for a Better Auth instance.
+ * We only require the `handler` method -- the full Better Auth type
+ * comes from the user's `better-auth` installation.
+ */
+interface BetterAuthHandler {
+  handler: (request: Request) => Promise<Response>;
+  /** The API endpoint map — each value has .path and .options. Used for OpenAPI docs extraction. */
+  api?: Record<string, unknown>;
+}
+interface BetterAuthAdapterOptions {
+  /** Better Auth instance (from betterAuth() in user's app) */
+  auth: BetterAuthHandler;
+  /** Base path for auth routes (default: '/api/auth') */
+  basePath?: string;
+  /**
+   * Enable org context extraction from Better Auth's organization plugin.
+   * When enabled, the adapter will look up the user's active organization
+   * membership and populate `request.scope` with org roles.
+   *
+   * @default false
+   */
+  orgContext?: boolean;
+  /**
+   * OpenAPI documentation for auth endpoints.
+   * - `true` (default): auto-extract from auth.api if available
+   * - `false`: disable (auth routes won't appear in OpenAPI docs)
+   * - `ExternalOpenApiPaths`: manual spec override
+   */
+  openapi?: boolean | ExternalOpenApiPaths;
+  /**
+   * Additional user fields from Better Auth config.
+   * These get merged into signUpEmail/updateUser request body schemas
+   * and the User component schema in OpenAPI docs.
+   *
+   * Fields with `input: false` are excluded from request bodies
+   * but still appear in the User component schema (output-only).
+   *
+   * @example
+   * ```typescript
+   * userFields: {
+   *   department: { type: 'string', description: 'Department', required: true },
+   *   roles: { type: 'array', description: 'User roles', input: false },
+   * }
+   * ```
+   */
+  userFields?: Record<string, {
+    type: string;
+    description?: string;
+    required?: boolean;
+    input?: boolean;
+  }>;
+  /**
+   * Expose detailed auth error messages in 401 responses.
+   * When false (default), returns generic "Authentication required".
+   * When true, includes the actual error message for debugging.
+   */
+  exposeAuthErrors?: boolean;
+}
+interface BetterAuthAdapterResult {
+  /** Fastify plugin that registers catch-all auth routes */
+  plugin: FastifyPluginAsync;
+  /** Authenticate preHandler -- validates session via Better Auth */
+  authenticate: (request: FastifyRequest$1, reply: FastifyReply$1) => Promise<void>;
+  /** Optional authenticate -- resolves session silently, continues as unauthenticated on failure */
+  optionalAuthenticate: (request: FastifyRequest$1, reply: FastifyReply$1) => Promise<void>;
+  /** Permission helpers bound to this auth adapter (available when orgContext is enabled) */
+  permissions: {
+    requireOrgRole: (...roles: string[]) => PermissionCheck;
+    requireOrgMembership: () => PermissionCheck;
+    requireTeamMembership: () => PermissionCheck;
+  };
+  /** OpenAPI paths extracted from Better Auth endpoints (undefined if openapi: false) */
+  openapi?: ExternalOpenApiPaths;
+}
+declare module 'fastify' {
+  interface FastifyInstance {
+    /**
+     * Authenticate middleware (Better Auth variant).
+     * Validates session by calling Better Auth's session endpoint internally.
+     * Set by the Better Auth adapter plugin.
+     */
+    authenticate: (request: FastifyRequest$1, reply: FastifyReply$1) => Promise<void>;
+    /**
+     * Optional authenticate middleware (Better Auth variant).
+     * Tries to resolve session silently — populates request.user if valid,
+     * continues as unauthenticated if no session or invalid session.
+     * Used on allowPublic() routes so downstream middleware can apply
+     * org-scoped queries when a user IS authenticated.
+     */
+    optionalAuthenticate: (request: FastifyRequest$1, reply: FastifyReply$1) => Promise<void>;
+  }
+}
+/**
+ * Create a Better Auth adapter for Arc/Fastify.
+ *
+ * Returns a Fastify plugin (registers catch-all auth routes) and an
+ * `authenticate` preHandler that validates sessions via Better Auth.
+ *
+ * @example
+ * ```typescript
+ * import { betterAuth } from 'better-auth';
+ * import { createBetterAuthAdapter } from '@classytic/arc/auth';
+ *
+ * const auth = betterAuth({
+ *   database: ...,
+ *   emailAndPassword: { enabled: true },
+ * });
+ *
+ * const { plugin, authenticate } = createBetterAuthAdapter({ auth });
+ *
+ * // Register the plugin (catch-all auth routes)
+ * await fastify.register(plugin);
+ *
+ * // Use authenticate as a preHandler on protected routes
+ * fastify.get('/me', { preHandler: [authenticate] }, handler);
+ * ```
+ */
+declare function createBetterAuthAdapter(options: BetterAuthAdapterOptions): BetterAuthAdapterResult;
+//#endregion
+//#region src/auth/betterAuthOpenApi.d.ts
+interface BetterAuthOpenApiOptions {
+  /** Base path prefix for auth routes (default: '/api/auth') */
+  basePath?: string;
+  /** Tag name for auth routes in OpenAPI (default: 'Authentication') */
+  tagName?: string;
+  /** Tag description */
+  tagDescription?: string;
+  /** Exclude specific paths from the spec (e.g. ['/ok', '/error']) */
+  excludePaths?: string[];
+  /** Exclude SERVER_ONLY endpoints (default: true) */
+  excludeServerOnly?: boolean;
+  /**
+   * Additional user fields from Better Auth config.
+   * These get merged into signUpEmail/updateUser request body schemas
+   * and the User component schema for $ref resolution.
+   *
+   * Fields with `input: false` are excluded from request bodies
+   * but still appear in the User component schema (output-only).
+   */
+  userFields?: Record<string, {
+    type: string;
+    description?: string; /** Whether this field is required in sign-up (default: false) */
+    required?: boolean; /** Whether this field is accepted in request body (default: true). Set false for output-only fields. */
+    input?: boolean;
+  }>;
+}
+/**
+ * Extract OpenAPI paths from a Better Auth instance's API object.
+ *
+ * Walks `authApi` (the `auth.api` object from Better Auth), discovers
+ * endpoints, converts their Zod schemas to JSON Schema via `z.toJSONSchema()`,
+ * and returns a complete `ExternalOpenApiPaths` object ready for Arc's spec builder.
+ */
+declare function extractBetterAuthOpenApi(authApi: Record<string, unknown>, options?: BetterAuthOpenApiOptions): ExternalOpenApiPaths;
+//#endregion
+export { type AuthPluginOptions, type BetterAuthAdapterOptions, type BetterAuthAdapterResult, type BetterAuthHandler, type BetterAuthOpenApiOptions, MemorySessionStore, type MemorySessionStoreOptions, type SessionCookieOptions, type SessionData, type SessionManagerOptions, type SessionManagerResult, type SessionStore, _default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi };
+//# sourceMappingURL=index.d.mts.map

package/dist/auth/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/auth/authPlugin.ts","../../src/auth/betterAuth.ts","../../src/auth/betterAuthOpenApi.ts"],"mappings":";;;;;;;;;;YA6CY,eAAA;IAIR;IAFA,YAAA,GAAe,OAAA,EAAS,cAAA,EAAgB,KAAA,EAAO,YAAA,KAAiB,OAAA;IAEzC;IAAvB,oBAAA,GAAuB,OAAA,EAAS,cAAA,EAAgB,KAAA,EAAO,YAAA,KAAiB,OAAA;IAAxB;IAEhD,SAAA,MAAe,KAAA,gBAAqB,OAAA,EAAS,cAAA,EAAgB,KAAA,EAAO,YAAA,KAAiB,OAAA;IAArF;IAEA,IAAA,EAAM,WAAA;EAAA;AAAA;AAAA,cAsCJ,UAAA,EAAY,kBAAA,CAAmB,iBAAA;AAAA,cAAiB,QAAA;;;;YChE1C,cAAA;IDwB6E;ICtBrF,OAAA,GAAU,MAAA;EAAA;AAAA;;;;;;UAaG,iBAAA;EACf,OAAA,GAAU,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,QAAA;EDMrC;ECJF,GAAA,GAAM,MAAA;AAAA;AAAA,UAGS,wBAAA;EDCmC;ECClD,IAAA,EAAM,iBAAA;EDCJ;ECCF,QAAA;EDD+C;;;;;;;ECS/C,UAAA;EDPmB;;AAAA;;;;ECcnB,OAAA,aAAoB,oBAAA;EDwBgC;;;;;;;;ACvEe;;;;;;;;EAgEnE,UAAA,GAAa,MAAA;IACX,IAAA;IACA,WAAA;IACA,QAAA;IACA,KAAA;EAAA;EA7CqC;;;;;EAoDvC,gBAAA;AAAA;AAAA,UAGe,uBAAA;EAvDgB;EAyD/B,MAAA,EAAQ,kBAAA;EAvDR;EAyDA,YAAA,GAAe,OAAA,EAAS,gBAAA,EAAgB,KAAA,EAAO,cAAA,KAAiB,OAAA;EAzDpD;EA2DZ,oBAAA,GAAuB,OAAA,EAAS,gBAAA,EAAgB,KAAA,EAAO,cAAA,KAAiB,OAAA;EAxDzD;EA0Df,WAAA;IACE,cAAA,MAAoB,KAAA,eAHyD,eAAA;IAI7E,oBAAA,QADyF,eAAA;IAEzF,qBAAA,QAD6E,eAAA;EAAA;EAxB5D;EA4BnB,OAAA,GAAU,oBAAA;AAAA;AAAA;EAAA,UAQA,eAAA;IA5DV;;;;;IAkEE,YAAA,GAAe,OAAA,EAAS,gBAAA,EAAgB,KAAA,EAAO,cAAA,KAAiB,OAAA;IAxChE;;;;;;AAYJ;IAoCI,oBAAA,GAAuB,OAAA,EAAS,gBAAA,EAAgB,KAAA,EAAO,cAAA,KAAiB,OAAA;EAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;iBAuX5D,uBAAA,CACd,OAAA,EAAS,wBAAA,GACR,uBAAA;;;UCrec,wBAAA;EFyBwE;EEvBvF,QAAA;EFyBmB;EEvBnB,OAAA;EFeU;EEbV,cAAA;EFe0B;EEb1B,YAAA;EFaiD;EEXjD,iBAAA;EFWkE;;;;;;;;EEFlE,UAAA,GAAa,MAAA;IACX,IAAA;IACA,WAAA,WFIoE;IEFpE,QAAA,YFEqF;IEArF,KAAA;EAAA;AAAA;;;AFEiB;;;;;iBE8EL,wBAAA,CACd,OAAA,EAAS,MAAA,mBACT,OAAA,GAAS,wBAAA,GACR,oBAAA"}