@classytic/arc 1.1.0 → 2.1.2

package/dist/core/index.js

@@ -1,2786 +0,0 @@
-// src/types/index.ts
-function getUserId(user) {
-  if (!user) return void 0;
-  const id = user.id ?? user._id;
-  return id ? String(id) : void 0;
-}
-
-// src/hooks/HookSystem.ts
-var HookSystem = class {
-  hooks;
-  logger;
-  constructor(options) {
-    this.hooks = /* @__PURE__ */ new Map();
-    this.logger = options?.logger ?? { error: (...args) => console.error(...args) };
-  }
-  /**
-   * Generate hook key
-   */
-  getKey(resource, operation, phase) {
-    return `${resource}:${operation}:${phase}`;
-  }
-  /**
-   * Register a hook
-   * Supports both object parameter and positional arguments
-   */
-  register(resourceOrOptions, operation, phase, handler, priority = 10) {
-    let resource;
-    let finalOperation;
-    let finalPhase;
-    let finalHandler;
-    let finalPriority;
-    if (typeof resourceOrOptions === "object") {
-      resource = resourceOrOptions.resource;
-      finalOperation = resourceOrOptions.operation;
-      finalPhase = resourceOrOptions.phase;
-      finalHandler = resourceOrOptions.handler;
-      finalPriority = resourceOrOptions.priority ?? 10;
-    } else {
-      resource = resourceOrOptions;
-      finalOperation = operation;
-      finalPhase = phase;
-      finalHandler = handler;
-      finalPriority = priority;
-    }
-    const key = this.getKey(resource, finalOperation, finalPhase);
-    if (!this.hooks.has(key)) {
-      this.hooks.set(key, []);
-    }
-    const registration = {
-      resource,
-      operation: finalOperation,
-      phase: finalPhase,
-      handler: finalHandler,
-      priority: finalPriority
-    };
-    const hooks = this.hooks.get(key);
-    hooks.push(registration);
-    hooks.sort((a, b) => a.priority - b.priority);
-    return () => {
-      const idx = hooks.indexOf(registration);
-      if (idx !== -1) {
-        hooks.splice(idx, 1);
-      }
-    };
-  }
-  /**
-   * Register before hook
-   */
-  before(resource, operation, handler, priority = 10) {
-    return this.register(resource, operation, "before", handler, priority);
-  }
-  /**
-   * Register after hook
-   */
-  after(resource, operation, handler, priority = 10) {
-    return this.register(resource, operation, "after", handler, priority);
-  }
-  /**
-   * Execute hooks for a given context
-   */
-  async execute(ctx) {
-    const key = this.getKey(ctx.resource, ctx.operation, ctx.phase);
-    const hooks = this.hooks.get(key) ?? [];
-    const wildcardKey = this.getKey("*", ctx.operation, ctx.phase);
-    const wildcardHooks = this.hooks.get(wildcardKey) ?? [];
-    const allHooks = [...wildcardHooks, ...hooks];
-    allHooks.sort((a, b) => a.priority - b.priority);
-    let result = ctx.data;
-    for (const hook of allHooks) {
-      const handlerContext = {
-        resource: ctx.resource,
-        operation: ctx.operation,
-        phase: ctx.phase,
-        data: result,
-        result: ctx.result,
-        user: ctx.user,
-        context: ctx.context,
-        meta: ctx.meta
-      };
-      const hookResult = await hook.handler(handlerContext);
-      if (hookResult !== void 0 && hookResult !== null) {
-        result = hookResult;
-      }
-    }
-    return result;
-  }
-  /**
-   * Execute before hooks
-   */
-  async executeBefore(resource, operation, data, options) {
-    const result = await this.execute({
-      resource,
-      operation,
-      phase: "before",
-      data,
-      user: options?.user,
-      context: options?.context,
-      meta: options?.meta
-    });
-    return result ?? data;
-  }
-  /**
-   * Execute after hooks
-   * Errors in after hooks are logged but don't fail the request
-   */
-  async executeAfter(resource, operation, result, options) {
-    try {
-      await this.execute({
-        resource,
-        operation,
-        phase: "after",
-        result,
-        user: options?.user,
-        context: options?.context,
-        meta: options?.meta
-      });
-    } catch (error) {
-      this.logger.error(
-        `[HookSystem] Error in after hook for ${resource}:${operation}:`,
-        error
-      );
-    }
-  }
-  /**
-   * Get all registered hooks
-   */
-  getAll() {
-    const all = [];
-    for (const hooks of this.hooks.values()) {
-      all.push(...hooks);
-    }
-    return all;
-  }
-  /**
-   * Get hooks for a specific resource
-   */
-  getForResource(resource) {
-    const all = [];
-    for (const [key, hooks] of this.hooks.entries()) {
-      if (key.startsWith(`${resource}:`)) {
-        all.push(...hooks);
-      }
-    }
-    return all;
-  }
-  /**
-   * Clear all hooks
-   */
-  clear() {
-    this.hooks.clear();
-  }
-  /**
-   * Clear hooks for a specific resource
-   */
-  clearResource(resource) {
-    for (const key of this.hooks.keys()) {
-      if (key.startsWith(`${resource}:`)) {
-        this.hooks.delete(key);
-      }
-    }
-  }
-};
-var hookSystem = new HookSystem();
-
-// src/utils/queryParser.ts
-var DANGEROUS_REGEX_PATTERNS = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\(.+\))\+|\(\?\:|\\[0-9]|(\[.+\]).+(\[.+\]))/;
-var MAX_REGEX_LENGTH = 500;
-var MAX_SEARCH_LENGTH = 200;
-var MAX_FILTER_DEPTH = 10;
-var MAX_LIMIT = 1e3;
-var DEFAULT_LIMIT = 20;
-var ArcQueryParser = class {
-  maxLimit;
-  defaultLimit;
-  maxRegexLength;
-  maxSearchLength;
-  maxFilterDepth;
-  /** Supported filter operators */
-  operators = {
-    eq: "$eq",
-    ne: "$ne",
-    gt: "$gt",
-    gte: "$gte",
-    lt: "$lt",
-    lte: "$lte",
-    in: "$in",
-    nin: "$nin",
-    like: "$regex",
-    contains: "$regex",
-    regex: "$regex",
-    exists: "$exists"
-  };
-  constructor(options = {}) {
-    this.maxLimit = options.maxLimit ?? MAX_LIMIT;
-    this.defaultLimit = options.defaultLimit ?? DEFAULT_LIMIT;
-    this.maxRegexLength = options.maxRegexLength ?? MAX_REGEX_LENGTH;
-    this.maxSearchLength = options.maxSearchLength ?? MAX_SEARCH_LENGTH;
-    this.maxFilterDepth = options.maxFilterDepth ?? MAX_FILTER_DEPTH;
-  }
-  /**
-   * Parse URL query parameters into structured query options
-   */
-  parse(query) {
-    const q = query ?? {};
-    const page = this.parseNumber(q.page, 1);
-    const limit = Math.min(this.parseNumber(q.limit, this.defaultLimit), this.maxLimit);
-    const after = this.parseString(q.after ?? q.cursor);
-    const sort = this.parseSort(q.sort);
-    const populate = this.parseString(q.populate);
-    const search = this.parseSearch(q.search);
-    const select = this.parseSelect(q.select);
-    const filters = this.parseFilters(q);
-    return {
-      filters,
-      limit,
-      sort,
-      populate,
-      search,
-      page: after ? void 0 : page,
-      after,
-      select
-    };
-  }
-  // ============================================================================
-  // Parse Helpers
-  // ============================================================================
-  parseNumber(value, defaultValue) {
-    if (value === void 0 || value === null) return defaultValue;
-    const num = parseInt(String(value), 10);
-    return Number.isNaN(num) ? defaultValue : Math.max(1, num);
-  }
-  parseString(value) {
-    if (value === void 0 || value === null) return void 0;
-    const str = String(value).trim();
-    return str.length > 0 ? str : void 0;
-  }
-  parseSort(value) {
-    if (!value) return void 0;
-    const sortStr = String(value);
-    const result = {};
-    for (const field of sortStr.split(",")) {
-      const trimmed = field.trim();
-      if (!trimmed) continue;
-      if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
-      if (trimmed.startsWith("-")) {
-        result[trimmed.slice(1)] = -1;
-      } else {
-        result[trimmed] = 1;
-      }
-    }
-    return Object.keys(result).length > 0 ? result : void 0;
-  }
-  parseSearch(value) {
-    if (!value) return void 0;
-    const search = String(value).trim();
-    if (search.length === 0) return void 0;
-    if (search.length > this.maxSearchLength) {
-      return search.slice(0, this.maxSearchLength);
-    }
-    return search;
-  }
-  parseSelect(value) {
-    if (!value) return void 0;
-    const selectStr = String(value);
-    const result = {};
-    for (const field of selectStr.split(",")) {
-      const trimmed = field.trim();
-      if (!trimmed) continue;
-      if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
-      if (trimmed.startsWith("-")) {
-        result[trimmed.slice(1)] = 0;
-      } else {
-        result[trimmed] = 1;
-      }
-    }
-    return Object.keys(result).length > 0 ? result : void 0;
-  }
-  parseFilters(query) {
-    const reservedKeys = /* @__PURE__ */ new Set([
-      "page",
-      "limit",
-      "sort",
-      "populate",
-      "search",
-      "select",
-      "after",
-      "cursor",
-      "lean",
-      "_policyFilters"
-    ]);
-    const filters = {};
-    for (const [key, value] of Object.entries(query)) {
-      if (reservedKeys.has(key)) continue;
-      if (value === void 0 || value === null) continue;
-      if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(key)) continue;
-      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
-        const operatorObj = value;
-        const operatorKeys = Object.keys(operatorObj);
-        const allOperators = operatorKeys.every((op) => this.operators[op]);
-        if (allOperators && operatorKeys.length > 0) {
-          const mongoFilters = {};
-          for (const [op, opValue] of Object.entries(operatorObj)) {
-            const mongoOp = this.operators[op];
-            if (mongoOp) {
-              mongoFilters[mongoOp] = this.parseFilterValue(opValue, op);
-            }
-          }
-          filters[key] = mongoFilters;
-          continue;
-        }
-      }
-      const match = key.match(/^([a-zA-Z_][a-zA-Z0-9_.]*)(?:\[([a-z]+)\])?$/);
-      if (!match) continue;
-      const [, fieldName, operator] = match;
-      if (!fieldName) continue;
-      if (operator && this.operators[operator]) {
-        const mongoOp = this.operators[operator];
-        const parsedValue = this.parseFilterValue(value, operator);
-        if (!filters[fieldName]) {
-          filters[fieldName] = {};
-        }
-        filters[fieldName][mongoOp] = parsedValue;
-      } else if (!operator) {
-        filters[fieldName] = this.parseFilterValue(value);
-      }
-    }
-    return filters;
-  }
-  parseFilterValue(value, operator) {
-    if (operator === "in" || operator === "nin") {
-      if (Array.isArray(value)) {
-        return value.map((v) => this.coerceValue(v));
-      }
-      if (typeof value === "string" && value.includes(",")) {
-        return value.split(",").map((v) => this.coerceValue(v.trim()));
-      }
-      return [this.coerceValue(value)];
-    }
-    if (operator === "like" || operator === "contains" || operator === "regex") {
-      return this.sanitizeRegex(String(value));
-    }
-    if (operator === "exists") {
-      const str = String(value).toLowerCase();
-      return str === "true" || str === "1";
-    }
-    return this.coerceValue(value);
-  }
-  coerceValue(value) {
-    if (value === "true") return true;
-    if (value === "false") return false;
-    if (value === "null") return null;
-    if (typeof value === "string") {
-      const num = Number(value);
-      if (!Number.isNaN(num) && value.trim() !== "") {
-        return num;
-      }
-    }
-    return value;
-  }
-  sanitizeRegex(pattern) {
-    let sanitized = pattern.slice(0, this.maxRegexLength);
-    if (DANGEROUS_REGEX_PATTERNS.test(sanitized)) {
-      sanitized = sanitized.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    }
-    return sanitized;
-  }
-};
-
-// src/core/BaseController.ts
-var defaultParser = new ArcQueryParser();
-function getDefaultQueryParser() {
-  return defaultParser;
-}
-var BaseController = class _BaseController {
-  repository;
-  schemaOptions;
-  queryParser;
-  maxLimit;
-  defaultLimit;
-  defaultSort;
-  resourceName;
-  disableEvents;
-  /** Preset field names for dynamic param reading */
-  _presetFields = {};
-  constructor(repository, options = {}) {
-    this.repository = repository;
-    this.schemaOptions = options.schemaOptions ?? {};
-    this.queryParser = options.queryParser ?? getDefaultQueryParser();
-    this.maxLimit = options.maxLimit ?? 100;
-    this.defaultLimit = options.defaultLimit ?? 20;
-    this.defaultSort = options.defaultSort ?? "-createdAt";
-    this.resourceName = options.resourceName;
-    this.disableEvents = options.disableEvents ?? false;
-    this.list = this.list.bind(this);
-    this.get = this.get.bind(this);
-    this.create = this.create.bind(this);
-    this.update = this.update.bind(this);
-    this.delete = this.delete.bind(this);
-  }
-  /**
-   * Inject resource options from defineResource
-   */
-  _setResourceOptions(options) {
-    if (options.schemaOptions) {
-      this.schemaOptions = { ...this.schemaOptions, ...options.schemaOptions };
-    }
-    if (options.presetFields) {
-      this._presetFields = { ...this._presetFields, ...options.presetFields };
-    }
-    if (options.resourceName) {
-      this.resourceName = options.resourceName;
-    }
-    if (options.queryParser) {
-      this.queryParser = options.queryParser;
-    }
-  }
-  // ============================================================================
-  // Context & Query Parsing
-  // ============================================================================
-  /**
-   * Build service context from IRequestContext
-   */
-  _buildContext(req) {
-    const parsed = this.queryParser.parse(req.query);
-    const arcContext = req.metadata;
-    const selectString = this._selectToString(parsed.select) ?? req.query?.select;
-    const sanitizedSelect = this._sanitizeSelect(selectString, this.schemaOptions);
-    return {
-      user: req.user,
-      organizationId: arcContext?.organizationId ?? req.organizationId ?? void 0,
-      select: sanitizedSelect ? sanitizedSelect.split(/\s+/) : void 0,
-      populate: this._sanitizePopulate(parsed.populate, this.schemaOptions),
-      lean: this._parseLean(req.query?.lean)
-    };
-  }
-  /**
-   * Parse query into QueryOptions using queryParser
-   */
-  _parseQueryOptions(req) {
-    const parsed = this.queryParser.parse(req.query);
-    const arcContext = req.metadata;
-    delete parsed.filters._policyFilters;
-    const limit = Math.min(Math.max(1, parsed.limit || this.defaultLimit), this.maxLimit);
-    const page = parsed.after ? void 0 : parsed.page ? Math.max(1, parsed.page) : 1;
-    const sortString = parsed.sort ? Object.entries(parsed.sort).map(([k, v]) => v === -1 ? `-${k}` : k).join(",") : this.defaultSort;
-    const selectString = this._selectToString(parsed.select) ?? req.query?.select;
-    return {
-      page,
-      limit,
-      sort: sortString,
-      select: this._sanitizeSelect(selectString, this.schemaOptions),
-      populate: this._sanitizePopulate(parsed.populate, this.schemaOptions),
-      // Advanced populate options from MongoKit QueryParser (takes precedence over simple populate)
-      populateOptions: parsed.populateOptions,
-      filters: parsed.filters,
-      // MongoKit features
-      search: parsed.search,
-      after: parsed.after,
-      user: req.user,
-      organizationId: arcContext?.organizationId ?? req.organizationId,
-      context: arcContext
-    };
-  }
-  /**
-   * Apply org and policy filters
-   */
-  _applyFilters(options, req) {
-    const filters = { ...options.filters };
-    const arcContext = req.metadata;
-    const policyFilters = arcContext?._policyFilters;
-    if (policyFilters) {
-      Object.assign(filters, policyFilters);
-    }
-    const orgId = arcContext?.organizationId ?? req.organizationId;
-    if (orgId) {
-      filters.organizationId = orgId;
-    }
-    return { ...options, filters };
-  }
-  /**
-   * Build filter for single-item operations (get/update/delete)
-   * Combines ID filter with policy/org filters for proper security enforcement
-   */
-  _buildIdFilter(id, req) {
-    const filter = { _id: id };
-    const arcContext = req.metadata;
-    const policyFilters = arcContext?._policyFilters;
-    if (policyFilters) {
-      Object.assign(filter, policyFilters);
-    }
-    const orgId = arcContext?.organizationId ?? req.organizationId;
-    if (orgId) {
-      filter.organizationId = orgId;
-    }
-    return filter;
-  }
-  /**
-   * Check if a value matches a MongoDB query operator
-   */
-  _matchesOperator(itemValue, operator, filterValue) {
-    switch (operator) {
-      case "$eq":
-        return itemValue === filterValue;
-      case "$ne":
-        return itemValue !== filterValue;
-      case "$gt":
-        return typeof itemValue === "number" && typeof filterValue === "number" && itemValue > filterValue;
-      case "$gte":
-        return typeof itemValue === "number" && typeof filterValue === "number" && itemValue >= filterValue;
-      case "$lt":
-        return typeof itemValue === "number" && typeof filterValue === "number" && itemValue < filterValue;
-      case "$lte":
-        return typeof itemValue === "number" && typeof filterValue === "number" && itemValue <= filterValue;
-      case "$in":
-        return Array.isArray(filterValue) && filterValue.includes(itemValue);
-      case "$nin":
-        return Array.isArray(filterValue) && !filterValue.includes(itemValue);
-      case "$exists":
-        return filterValue ? itemValue !== void 0 : itemValue === void 0;
-      case "$regex":
-        if (typeof itemValue === "string" && (typeof filterValue === "string" || filterValue instanceof RegExp)) {
-          const regex = typeof filterValue === "string" ? new RegExp(filterValue) : filterValue;
-          return regex.test(itemValue);
-        }
-        return false;
-      default:
-        return false;
-    }
-  }
-  /**
-   * Forbidden paths that could lead to prototype pollution
-   */
-  static FORBIDDEN_PATHS = ["__proto__", "constructor", "prototype"];
-  /**
-   * Get nested value from object using dot notation (e.g., "owner.id")
-   * Security: Validates path against forbidden patterns to prevent prototype pollution
-   */
-  _getNestedValue(obj, path) {
-    if (_BaseController.FORBIDDEN_PATHS.some((p) => path.toLowerCase().includes(p))) {
-      return void 0;
-    }
-    const keys = path.split(".");
-    let value = obj;
-    for (const key of keys) {
-      if (value == null) return void 0;
-      if (_BaseController.FORBIDDEN_PATHS.includes(key.toLowerCase())) {
-        return void 0;
-      }
-      value = value[key];
-    }
-    return value;
-  }
-  /**
-   * Check if item matches a single filter condition
-   * Supports nested paths (e.g., "owner.id", "metadata.status")
-   */
-  _matchesFilter(item, key, filterValue) {
-    const itemValue = key.includes(".") ? this._getNestedValue(item, key) : item[key];
-    if (filterValue && typeof filterValue === "object" && !Array.isArray(filterValue)) {
-      const operators = Object.keys(filterValue);
-      if (operators.some((op) => op.startsWith("$"))) {
-        for (const [operator, opValue] of Object.entries(filterValue)) {
-          if (!this._matchesOperator(itemValue, operator, opValue)) {
-            return false;
-          }
-        }
-        return true;
-      }
-    }
-    return String(itemValue) === String(filterValue);
-  }
-  /**
-   * Check if item matches policy filters (for get/update/delete operations)
-   * Validates that fetched item satisfies all policy constraints
-   * Supports MongoDB query operators: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
-   */
-  _checkPolicyFilters(item, req) {
-    const arcContext = req.metadata;
-    const policyFilters = arcContext?._policyFilters;
-    if (!policyFilters) return true;
-    if (policyFilters.$and && Array.isArray(policyFilters.$and)) {
-      return policyFilters.$and.every((condition) => {
-        return Object.entries(condition).every(([key, value]) => {
-          return this._matchesFilter(item, key, value);
-        });
-      });
-    }
-    if (policyFilters.$or && Array.isArray(policyFilters.$or)) {
-      return policyFilters.$or.some((condition) => {
-        return Object.entries(condition).every(([key, value]) => {
-          return this._matchesFilter(item, key, value);
-        });
-      });
-    }
-    for (const [key, value] of Object.entries(policyFilters)) {
-      if (key.startsWith("$")) continue;
-      if (!this._matchesFilter(item, key, value)) {
-        return false;
-      }
-    }
-    return true;
-  }
-  // ============================================================================
-  // Sanitization Helpers
-  // ============================================================================
-  /** Parse lean option (default: true for performance) */
-  _parseLean(leanValue) {
-    if (typeof leanValue === "boolean") return leanValue;
-    if (typeof leanValue === "string") return leanValue.toLowerCase() !== "false";
-    return true;
-  }
-  /** Get blocked fields from schema options */
-  _getBlockedFields(schemaOptions) {
-    const fieldRules = schemaOptions.fieldRules ?? {};
-    return Object.entries(fieldRules).filter(([, rules]) => rules.systemManaged || rules.hidden).map(([field]) => field);
-  }
-  /**
-   * Convert parsed select object to string format
-   * Converts { name: 1, email: 1, password: 0 } → 'name email -password'
-   */
-  _selectToString(select) {
-    if (!select) return void 0;
-    if (typeof select === "string") return select;
-    if (Array.isArray(select)) return select.join(" ");
-    if (Object.keys(select).length === 0) return void 0;
-    return Object.entries(select).map(([field, include]) => include === 0 ? `-${field}` : field).join(" ");
-  }
-  /** Sanitize select fields */
-  _sanitizeSelect(select, schemaOptions) {
-    if (!select) return void 0;
-    const blockedFields = this._getBlockedFields(schemaOptions);
-    if (blockedFields.length === 0) return select;
-    const fields = select.split(/[\s,]+/).filter(Boolean);
-    const sanitized = fields.filter((f) => {
-      const fieldName = f.replace(/^-/, "");
-      return !blockedFields.includes(fieldName);
-    });
-    return sanitized.length > 0 ? sanitized.join(" ") : void 0;
-  }
-  /** Sanitize populate fields */
-  _sanitizePopulate(populate, schemaOptions) {
-    if (!populate) return void 0;
-    const allowedPopulate = schemaOptions.query?.allowedPopulate;
-    const requested = typeof populate === "string" ? populate.split(",").map((p) => p.trim()) : Array.isArray(populate) ? populate.map(String) : [];
-    if (requested.length === 0) return void 0;
-    if (!allowedPopulate) return requested;
-    const sanitized = requested.filter((p) => allowedPopulate.includes(p));
-    return sanitized.length > 0 ? sanitized : void 0;
-  }
-  // ============================================================================
-  // Access Control Helpers
-  // ============================================================================
-  /** Check org scope for a document */
-  _checkOrgScope(item, arcContext) {
-    if (!item || !arcContext?.organizationId) return true;
-    const itemOrgId = item.organizationId;
-    if (!itemOrgId) return true;
-    return String(itemOrgId) === String(arcContext.organizationId);
-  }
-  /** Check ownership for update/delete (ownedByUser preset) */
-  _checkOwnership(item, req) {
-    const ownershipCheck = req.metadata?._ownershipCheck;
-    if (!item || !ownershipCheck) return true;
-    const { field, userId } = ownershipCheck;
-    const itemOwnerId = item[field];
-    if (!itemOwnerId) return true;
-    return String(itemOwnerId) === String(userId);
-  }
-  /**
-   * Get hook system from context (instance-scoped) or fall back to global singleton
-   * This allows proper isolation when running multiple app instances (e.g., in tests)
-   */
-  _getHooks(req) {
-    const arcMeta = req.metadata?.arc;
-    return arcMeta?.hooks ?? hookSystem;
-  }
-  // ============================================================================
-  // IController Implementation - CRUD Operations
-  // ============================================================================
-  /**
-   * List resources with filtering, pagination, sorting
-   * Implements IController.list()
-   */
-  async list(req) {
-    const options = this._parseQueryOptions(req);
-    const filteredOptions = this._applyFilters(options, req);
-    const result = await this.repository.getAll(filteredOptions);
-    if (Array.isArray(result)) {
-      return {
-        success: true,
-        data: {
-          docs: result,
-          page: 1,
-          limit: result.length,
-          total: result.length,
-          pages: 1,
-          hasNext: false,
-          hasPrev: false
-        },
-        status: 200
-      };
-    }
-    return {
-      success: true,
-      data: result,
-      status: 200
-    };
-  }
-  /**
-   * Get single resource by ID
-   * Implements IController.get()
-   */
-  async get(req) {
-    const id = req.params.id;
-    if (!id) {
-      return {
-        success: false,
-        error: "ID parameter is required",
-        status: 400
-      };
-    }
-    const options = this._parseQueryOptions(req);
-    const arcContext = req.metadata;
-    try {
-      const item = await this.repository.getById(id, options);
-      const hasItem = !!item;
-      const orgScopeOk = this._checkOrgScope(item, arcContext);
-      const policyFiltersOk = this._checkPolicyFilters(item, req);
-      if (!hasItem || !orgScopeOk || !policyFiltersOk) {
-        return {
-          success: false,
-          error: "Resource not found",
-          status: 404
-        };
-      }
-      return {
-        success: true,
-        data: item,
-        status: 200
-      };
-    } catch (error) {
-      if (error instanceof Error && error.message?.includes("not found")) {
-        return {
-          success: false,
-          error: "Resource not found",
-          status: 404
-        };
-      }
-      throw error;
-    }
-  }
-  /**
-   * Create new resource
-   * Implements IController.create()
-   */
-  async create(req) {
-    const data = { ...req.body };
-    const arcContext = req.metadata;
-    if (arcContext?.organizationId) {
-      data.organizationId = arcContext.organizationId;
-    }
-    const userId = getUserId(req.user);
-    if (userId) {
-      data.createdBy = userId;
-    }
-    const hooks = this._getHooks(req);
-    const user = req.user;
-    let processedData = data;
-    if (this.resourceName) {
-      processedData = await hooks.executeBefore(this.resourceName, "create", data, {
-        user,
-        context: arcContext
-      });
-    }
-    const item = await this.repository.create(processedData, {
-      user,
-      context: arcContext
-    });
-    if (this.resourceName) {
-      await hooks.executeAfter(this.resourceName, "create", item, {
-        user,
-        context: arcContext
-      });
-    }
-    return {
-      success: true,
-      data: item,
-      status: 201,
-      meta: { message: "Created successfully" }
-    };
-  }
-  /**
-   * Update existing resource
-   * Implements IController.update()
-   */
-  async update(req) {
-    const id = req.params.id;
-    if (!id) {
-      return {
-        success: false,
-        error: "ID parameter is required",
-        status: 400
-      };
-    }
-    const data = { ...req.body };
-    const arcContext = req.metadata;
-    const user = req.user;
-    const userId = getUserId(user);
-    if (userId) {
-      data.updatedBy = userId;
-    }
-    const existing = await this.repository.getById(id);
-    if (!existing) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (!this._checkOrgScope(existing, arcContext) || !this._checkPolicyFilters(existing, req)) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (!this._checkOwnership(existing, req)) {
-      return {
-        success: false,
-        error: "You do not have permission to modify this resource",
-        details: { code: "OWNERSHIP_DENIED" },
-        status: 403
-      };
-    }
-    const hooks = this._getHooks(req);
-    let processedData = data;
-    if (this.resourceName) {
-      processedData = await hooks.executeBefore(this.resourceName, "update", data, {
-        user,
-        context: arcContext,
-        meta: { id, existing }
-      });
-    }
-    const item = await this.repository.update(id, processedData, {
-      user,
-      context: arcContext
-    });
-    if (!item) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (this.resourceName) {
-      await hooks.executeAfter(this.resourceName, "update", item, {
-        user,
-        context: arcContext,
-        meta: { id, existing }
-      });
-    }
-    return {
-      success: true,
-      data: item,
-      status: 200,
-      meta: { message: "Updated successfully" }
-    };
-  }
-  /**
-   * Delete resource
-   * Implements IController.delete()
-   */
-  async delete(req) {
-    const id = req.params.id;
-    if (!id) {
-      return {
-        success: false,
-        error: "ID parameter is required",
-        status: 400
-      };
-    }
-    const arcContext = req.metadata;
-    const user = req.user;
-    const existing = await this.repository.getById(id);
-    if (!existing) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (!this._checkOrgScope(existing, arcContext) || !this._checkPolicyFilters(existing, req)) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (!this._checkOwnership(existing, req)) {
-      return {
-        success: false,
-        error: "You do not have permission to delete this resource",
-        details: { code: "OWNERSHIP_DENIED" },
-        status: 403
-      };
-    }
-    const hooks = this._getHooks(req);
-    if (this.resourceName) {
-      await hooks.executeBefore(this.resourceName, "delete", existing, {
-        user,
-        context: arcContext,
-        meta: { id }
-      });
-    }
-    const result = await this.repository.delete(id, {
-      user,
-      context: arcContext
-    });
-    const deleteSuccess = typeof result === "object" ? result?.success : result;
-    if (!deleteSuccess) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    if (this.resourceName) {
-      await hooks.executeAfter(this.resourceName, "delete", existing, {
-        user,
-        context: arcContext,
-        meta: { id }
-      });
-    }
-    return {
-      success: true,
-      data: { message: "Deleted successfully" },
-      status: 200
-    };
-  }
-  // ============================================================================
-  // Preset Methods (framework-agnostic versions)
-  // ============================================================================
-  /** Get resource by slug (slugLookup preset) */
-  async getBySlug(req) {
-    const repo = this.repository;
-    if (!repo.getBySlug) {
-      return {
-        success: false,
-        error: "Slug lookup not implemented",
-        status: 501
-      };
-    }
-    const slugField = this._presetFields.slugField ?? "slug";
-    const slug = req.params[slugField] ?? req.params.slug;
-    const options = this._parseQueryOptions(req);
-    const arcContext = req.metadata;
-    const item = await repo.getBySlug(slug, options);
-    if (!item || !this._checkOrgScope(item, arcContext)) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    return {
-      success: true,
-      data: item,
-      status: 200
-    };
-  }
-  /** Get soft-deleted resources (softDelete preset) */
-  async getDeleted(req) {
-    const repo = this.repository;
-    if (!repo.getDeleted) {
-      return {
-        success: false,
-        error: "Soft delete not implemented",
-        status: 501
-      };
-    }
-    const options = this._parseQueryOptions(req);
-    const filteredOptions = this._applyFilters(options, req);
-    const result = await repo.getDeleted(filteredOptions);
-    if (Array.isArray(result)) {
-      return {
-        success: true,
-        data: {
-          docs: result,
-          page: 1,
-          limit: result.length,
-          total: result.length,
-          pages: 1,
-          hasNext: false,
-          hasPrev: false
-        },
-        status: 200
-      };
-    }
-    return {
-      success: true,
-      data: result,
-      status: 200
-    };
-  }
-  /** Restore soft-deleted resource (softDelete preset) */
-  async restore(req) {
-    const repo = this.repository;
-    if (!repo.restore) {
-      return {
-        success: false,
-        error: "Restore not implemented",
-        status: 501
-      };
-    }
-    const id = req.params.id;
-    if (!id) {
-      return {
-        success: false,
-        error: "ID parameter is required",
-        status: 400
-      };
-    }
-    const item = await repo.restore(id);
-    if (!item) {
-      return {
-        success: false,
-        error: "Resource not found",
-        status: 404
-      };
-    }
-    return {
-      success: true,
-      data: item,
-      status: 200,
-      meta: { message: "Restored successfully" }
-    };
-  }
-  /** Get hierarchical tree (tree preset) */
-  async getTree(req) {
-    const repo = this.repository;
-    if (!repo.getTree) {
-      return {
-        success: false,
-        error: "Tree structure not implemented",
-        status: 501
-      };
-    }
-    const options = this._parseQueryOptions(req);
-    const filteredOptions = this._applyFilters(options, req);
-    const tree = await repo.getTree(filteredOptions);
-    return {
-      success: true,
-      data: tree,
-      status: 200
-    };
-  }
-  /** Get children of parent (tree preset) */
-  async getChildren(req) {
-    const repo = this.repository;
-    if (!repo.getChildren) {
-      return {
-        success: false,
-        error: "Tree structure not implemented",
-        status: 501
-      };
-    }
-    const parentField = this._presetFields.parentField ?? "parent";
-    const parentId = req.params[parentField] ?? req.params.parent ?? req.params.id;
-    const options = this._parseQueryOptions(req);
-    const filteredOptions = this._applyFilters(options, req);
-    const children = await repo.getChildren(parentId, filteredOptions);
-    return {
-      success: true,
-      data: children,
-      status: 200
-    };
-  }
-};
-
-// src/core/fastifyAdapter.ts
-function applyFieldMaskToObject(obj, fieldMask) {
-  if (!obj || typeof obj !== "object") return obj;
-  const { include, exclude } = fieldMask;
-  if (include && include.length > 0) {
-    const filtered = {};
-    for (const field of include) {
-      if (field in obj) {
-        filtered[field] = obj[field];
-      }
-    }
-    return filtered;
-  }
-  if (exclude && exclude.length > 0) {
-    const filtered = { ...obj };
-    for (const field of exclude) {
-      delete filtered[field];
-    }
-    return filtered;
-  }
-  return obj;
-}
-function applyFieldMask(data, fieldMask) {
-  if (!fieldMask) return data;
-  if (Array.isArray(data)) {
-    return data.map((item) => applyFieldMaskToObject(item, fieldMask));
-  }
-  if (data && typeof data === "object") {
-    return applyFieldMaskToObject(data, fieldMask);
-  }
-  return data;
-}
-function createRequestContext(req) {
-  const reqWithExtras = req;
-  return {
-    query: reqWithExtras.query ?? {},
-    body: reqWithExtras.body ?? {},
-    params: reqWithExtras.params ?? {},
-    headers: reqWithExtras.headers,
-    user: reqWithExtras.user ? (() => {
-      const user = reqWithExtras.user;
-      return {
-        ...user,
-        // Normalize ID for MongoDB compatibility
-        id: String(user._id ?? user.id),
-        _id: user._id ?? user.id
-        // Preserve original role/roles/permissions as-is
-        // Devs can define their own authorization structure
-      };
-    })() : void 0,
-    organizationId: reqWithExtras.organizationId,
-    metadata: {
-      ...reqWithExtras.context,
-      // Include Arc metadata for hook execution
-      arc: reqWithExtras.arc,
-      // Include ownership check for access control
-      _ownershipCheck: reqWithExtras._ownershipCheck,
-      // Merge policy filters - TRUSTED sources override user input
-      // Order matters: query (can be user-injected) FIRST, then trusted middleware LAST
-      _policyFilters: {
-        ...reqWithExtras.query?._policyFilters ?? {},
-        ...reqWithExtras._policyFilters ?? {}
-      },
-      // Include logger for logging
-      log: reqWithExtras.log
-    }
-  };
-}
-function sendControllerResponse(reply, response, request) {
-  const reqWithExtras = request;
-  const fieldMask = reqWithExtras?.fieldMask;
-  const fieldMaskConfig = fieldMask ? { include: fieldMask } : void 0;
-  if (response.success && response.data && typeof response.data === "object" && "docs" in response.data) {
-    const paginatedData = response.data;
-    const filteredDocs = fieldMaskConfig ? applyFieldMask(paginatedData.docs, fieldMaskConfig) : paginatedData.docs;
-    reply.code(response.status ?? 200).send({
-      success: true,
-      docs: filteredDocs,
-      page: paginatedData.page,
-      limit: paginatedData.limit,
-      total: paginatedData.total,
-      pages: paginatedData.pages,
-      hasNext: paginatedData.hasNext,
-      hasPrev: paginatedData.hasPrev,
-      ...response.meta ?? {}
-    });
-    return;
-  }
-  const filteredData = fieldMaskConfig ? applyFieldMask(response.data, fieldMaskConfig) : response.data;
-  reply.code(response.status ?? (response.success ? 200 : 400)).send({
-    success: response.success,
-    data: filteredData,
-    error: response.error,
-    details: response.details,
-    ...response.meta ?? {}
-  });
-}
-function createFastifyHandler(controllerMethod) {
-  return async (req, reply) => {
-    const requestContext = createRequestContext(req);
-    const response = await controllerMethod(requestContext);
-    sendControllerResponse(reply, response, req);
-  };
-}
-function createCrudHandlers(controller) {
-  return {
-    list: createFastifyHandler(controller.list.bind(controller)),
-    get: createFastifyHandler(controller.get.bind(controller)),
-    create: createFastifyHandler(controller.create.bind(controller)),
-    update: createFastifyHandler(controller.update.bind(controller)),
-    delete: createFastifyHandler(controller.delete.bind(controller))
-  };
-}
-
-// src/core/createCrudRouter.ts
-function requiresAuthentication(permission) {
-  if (!permission) return false;
-  return !permission._isPublic;
-}
-function buildAuthMiddleware(fastify, permission) {
-  if (!requiresAuthentication(permission)) return null;
-  if (!fastify.authenticate) return null;
-  return fastify.authenticate;
-}
-function buildPermissionMiddleware(permissionCheck, resourceName, action) {
-  if (!permissionCheck) return null;
-  return async (request, reply) => {
-    const reqWithExtras = request;
-    const context = {
-      user: reqWithExtras.user ?? null,
-      request,
-      resource: resourceName,
-      action,
-      resourceId: request.params?.id,
-      organizationId: reqWithExtras.organizationId,
-      data: request.body
-    };
-    const result = await permissionCheck(context);
-    if (typeof result === "boolean") {
-      if (!result) {
-        reply.code(context.user ? 403 : 401).send({
-          success: false,
-          error: context.user ? "Permission denied" : "Authentication required"
-        });
-        return;
-      }
-      return;
-    }
-    const permResult = result;
-    if (!permResult.granted) {
-      reply.code(context.user ? 403 : 401).send({
-        success: false,
-        error: permResult.reason ?? (context.user ? "Permission denied" : "Authentication required")
-      });
-      return;
-    }
-    if (permResult.filters) {
-      reqWithExtras._policyFilters = {
-        ...reqWithExtras._policyFilters ?? {},
-        ...permResult.filters
-      };
-    }
-  };
-}
-function buildOrgScopedMiddleware(fastify, orgScoped, globalOrgScoped) {
-  const shouldApplyOrgScoped = orgScoped ?? globalOrgScoped;
-  if (!shouldApplyOrgScoped) return [];
-  if (!fastify.organizationScoped) {
-    throw new Error(
-      "Organization scoping is enabled but fastify.organizationScoped decorator is not registered.\nRegister the org scope plugin before mounting resources:\nawait app.register(orgScopePlugin);\nDocs: https://github.com/classytic/arc#multi-tenant"
-    );
-  }
-  return [fastify.organizationScoped()];
-}
-function createAdditionalRoutes(fastify, routes, controller, options) {
-  const { tag, resourceName, orgMw, arcDecorator } = options;
-  for (const route of routes) {
-    let handler;
-    if (typeof route.handler === "string") {
-      if (!controller) {
-        throw new Error(
-          `Route ${route.method} ${route.path}: string handler '${route.handler}' requires a controller. Either provide a controller or use a function handler instead.`
-        );
-      }
-      const ctrl = controller;
-      const method = ctrl[route.handler];
-      if (typeof method !== "function") {
-        throw new Error(`Handler '${route.handler}' not found on controller`);
-      }
-      const boundMethod = method.bind(controller);
-      handler = route.wrapHandler ? createFastifyHandler(boundMethod) : boundMethod;
-    } else {
-      handler = route.wrapHandler ? createFastifyHandler(route.handler) : route.handler;
-    }
-    const routeTags = route.tags ?? (tag ? [tag] : void 0);
-    const schema = {
-      ...routeTags ? { tags: routeTags } : {},
-      ...route.summary ? { summary: route.summary } : {},
-      ...route.description ? { description: route.description } : {},
-      ...route.schema ?? {}
-    };
-    const authMw = buildAuthMiddleware(fastify, route.permissions);
-    const permissionMw = buildPermissionMiddleware(route.permissions, resourceName, route.method.toLowerCase());
-    const customPreHandlers = typeof route.preHandler === "function" ? route.preHandler(fastify) : route.preHandler ?? [];
-    const preHandler = [
-      arcDecorator,
-      authMw,
-      // Authenticate first (populates request.user)
-      permissionMw,
-      // Then check permissions
-      ...orgMw(),
-      ...customPreHandlers
-    ].filter(Boolean);
-    fastify.route({
-      method: route.method,
-      url: route.path,
-      schema,
-      // Fastify schema is flexible - allow any valid JSON schema
-      preHandler: preHandler.length > 0 ? preHandler : void 0,
-      handler
-    });
-  }
-}
-function createCrudRouter(fastify, controller, options = {}) {
-  const {
-    tag = "Resource",
-    schemas = {},
-    permissions = {},
-    middlewares = {},
-    additionalRoutes = [],
-    disableDefaultRoutes = false,
-    disabledRoutes = [],
-    organizationScoped = false,
-    resourceName = "unknown",
-    schemaOptions
-  } = options;
-  const orgMw = (orgScoped) => {
-    return buildOrgScopedMiddleware(fastify, orgScoped, organizationScoped);
-  };
-  const arcDecorator = async (req, _reply) => {
-    req.arc = {
-      resourceName,
-      schemaOptions,
-      permissions,
-      // Include instance-scoped hooks if available (for proper isolation)
-      hooks: fastify.arc?.hooks,
-      // Include events emitter if available
-      events: fastify.events
-    };
-  };
-  const mw = {
-    list: middlewares.list ?? [],
-    get: middlewares.get ?? [],
-    create: middlewares.create ?? [],
-    update: middlewares.update ?? [],
-    delete: middlewares.delete ?? []
-  };
-  const idParamsSchema = {
-    type: "object",
-    properties: { id: { type: "string" } },
-    required: ["id"]
-  };
-  let handlers;
-  if (!disableDefaultRoutes) {
-    if (!controller) {
-      throw new Error(
-        "Controller is required when disableDefaultRoutes is not true. Provide a controller or use defineResource which auto-creates BaseController."
-      );
-    }
-    handlers = createCrudHandlers(controller);
-  }
-  if (!disableDefaultRoutes && handlers) {
-    if (!disabledRoutes.includes("list")) {
-      const authMw = buildAuthMiddleware(fastify, permissions.list);
-      const permMw = buildPermissionMiddleware(permissions.list, resourceName, "list");
-      const listPreHandler = [arcDecorator, authMw, permMw, ...orgMw(), ...mw.list].filter(Boolean);
-      fastify.route({
-        method: "GET",
-        url: "/",
-        schema: {
-          tags: [tag],
-          summary: `List ${tag}`,
-          ...schemas.list ?? {}
-        },
-        preHandler: listPreHandler.length > 0 ? listPreHandler : void 0,
-        handler: handlers.list
-      });
-    }
-    if (!disabledRoutes.includes("get")) {
-      const authMw = buildAuthMiddleware(fastify, permissions.get);
-      const permMw = buildPermissionMiddleware(permissions.get, resourceName, "get");
-      const getPreHandler = [arcDecorator, authMw, permMw, ...orgMw(), ...mw.get].filter(Boolean);
-      fastify.route({
-        method: "GET",
-        url: "/:id",
-        schema: {
-          tags: [tag],
-          summary: `Get ${tag} by ID`,
-          params: idParamsSchema,
-          ...schemas.get ?? {}
-        },
-        preHandler: getPreHandler.length > 0 ? getPreHandler : void 0,
-        handler: handlers.get
-      });
-    }
-    if (!disabledRoutes.includes("create")) {
-      const authMw = buildAuthMiddleware(fastify, permissions.create);
-      const permMw = buildPermissionMiddleware(permissions.create, resourceName, "create");
-      const createPreHandler = [arcDecorator, authMw, permMw, ...orgMw(), ...mw.create].filter(Boolean);
-      fastify.route({
-        method: "POST",
-        url: "/",
-        schema: {
-          tags: [tag],
-          summary: `Create ${tag}`,
-          ...schemas.create ?? {}
-        },
-        preHandler: createPreHandler.length > 0 ? createPreHandler : void 0,
-        handler: handlers.create
-      });
-    }
-    if (!disabledRoutes.includes("update")) {
-      const authMw = buildAuthMiddleware(fastify, permissions.update);
-      const permMw = buildPermissionMiddleware(permissions.update, resourceName, "update");
-      const updatePreHandler = [arcDecorator, authMw, permMw, ...orgMw(), ...mw.update].filter(Boolean);
-      fastify.route({
-        method: "PATCH",
-        url: "/:id",
-        schema: {
-          tags: [tag],
-          summary: `Update ${tag}`,
-          params: idParamsSchema,
-          ...schemas.update ?? {}
-        },
-        preHandler: updatePreHandler.length > 0 ? updatePreHandler : void 0,
-        handler: handlers.update
-      });
-    }
-    if (!disabledRoutes.includes("delete")) {
-      const authMw = buildAuthMiddleware(fastify, permissions.delete);
-      const permMw = buildPermissionMiddleware(permissions.delete, resourceName, "delete");
-      const deletePreHandler = [arcDecorator, authMw, permMw, ...orgMw(), ...mw.delete].filter(Boolean);
-      fastify.route({
-        method: "DELETE",
-        url: "/:id",
-        schema: {
-          tags: [tag],
-          summary: `Delete ${tag}`,
-          params: idParamsSchema,
-          ...schemas.delete ?? {}
-        },
-        preHandler: deletePreHandler.length > 0 ? deletePreHandler : void 0,
-        handler: handlers.delete
-      });
-    }
-  }
-  if (additionalRoutes.length > 0) {
-    createAdditionalRoutes(fastify, additionalRoutes, controller, { tag, resourceName, orgMw, arcDecorator });
-  }
-}
-function createOrgScopedMiddleware(instance) {
-  return instance.organizationScoped ? [instance.organizationScoped()] : [];
-}
-function createPermissionMiddleware(permission, resourceName, action) {
-  return buildPermissionMiddleware(permission, resourceName, action);
-}
-
-// src/core/createActionRouter.ts
-function createActionRouter(fastify, config) {
-  const {
-    tag,
-    actions,
-    actionPermissions = {},
-    actionSchemas = {},
-    globalAuth,
-    idempotencyService,
-    onError
-  } = config;
-  const actionEnum = Object.keys(actions);
-  if (actionEnum.length === 0) {
-    fastify.log.warn("[createActionRouter] No actions defined, skipping route creation");
-    return;
-  }
-  const bodyProperties = {
-    action: {
-      type: "string",
-      enum: actionEnum,
-      description: `Action to perform: ${actionEnum.join(" | ")}`
-    }
-  };
-  Object.entries(actionSchemas).forEach(([actionName, schema]) => {
-    if (schema && typeof schema === "object") {
-      Object.entries(schema).forEach(([propName, propSchema]) => {
-        bodyProperties[propName] = {
-          ...propSchema,
-          description: `${propSchema.description || ""} (for ${actionName} action)`.trim()
-        };
-      });
-    }
-  });
-  const routeSchema = {
-    tags: tag ? [tag] : void 0,
-    summary: `Perform action (${actionEnum.join("/")})`,
-    description: buildActionDescription(actions, actionPermissions),
-    params: {
-      type: "object",
-      properties: {
-        id: { type: "string", description: "Resource ID" }
-      },
-      required: ["id"]
-    },
-    body: {
-      type: "object",
-      properties: bodyProperties,
-      required: ["action"]
-    },
-    response: {
-      200: {
-        type: "object",
-        properties: {
-          success: { type: "boolean" },
-          data: { type: "object" }
-        }
-      },
-      400: {
-        type: "object",
-        properties: {
-          success: { type: "boolean" },
-          error: { type: "string" }
-        }
-      },
-      403: {
-        type: "object",
-        properties: {
-          success: { type: "boolean" },
-          error: { type: "string" }
-        }
-      }
-    }
-  };
-  const preHandler = [];
-  const allPermissions = Object.values(actionPermissions);
-  const needsAuth = allPermissions.some(
-    (p) => !p?._isPublic
-  ) || globalAuth && !globalAuth?._isPublic;
-  if (needsAuth && fastify.authenticate) {
-    preHandler.push(fastify.authenticate);
-  }
-  fastify.post(
-    "/:id/action",
-    {
-      schema: routeSchema,
-      preHandler: preHandler.length ? preHandler : void 0
-    },
-    async (req, reply) => {
-      const { action, ...data } = req.body;
-      const { id } = req.params;
-      const rawIdempotencyKey = req.headers["idempotency-key"];
-      const idempotencyKey = Array.isArray(rawIdempotencyKey) ? rawIdempotencyKey[0] : rawIdempotencyKey;
-      const handler = actions[action];
-      if (!handler) {
-        return reply.code(400).send({
-          success: false,
-          error: `Invalid action '${action}'. Valid actions: ${actionEnum.join(", ")}`,
-          validActions: actionEnum
-        });
-      }
-      const permissionCheck = actionPermissions[action] ?? globalAuth;
-      if (permissionCheck) {
-        const reqWithExtras = req;
-        const context = {
-          user: reqWithExtras.user ?? null,
-          request: req,
-          resource: tag ?? "action",
-          action,
-          resourceId: id,
-          data
-        };
-        const result = await permissionCheck(context);
-        if (typeof result === "boolean") {
-          if (!result) {
-            return reply.code(context.user ? 403 : 401).send({
-              success: false,
-              error: context.user ? `Permission denied for '${action}'` : "Authentication required"
-            });
-          }
-        } else {
-          const permResult = result;
-          if (!permResult.granted) {
-            return reply.code(context.user ? 403 : 401).send({
-              success: false,
-              error: permResult.reason ?? (context.user ? `Permission denied for '${action}'` : "Authentication required")
-            });
-          }
-        }
-      }
-      try {
-        if (idempotencyKey && idempotencyService) {
-          const user = req.user;
-          const payloadForHash = {
-            action,
-            id,
-            data,
-            userId: user?._id?.toString?.() || user?.id || null
-          };
-          const { isNew, existingResult } = await idempotencyService.check(
-            idempotencyKey,
-            payloadForHash
-          );
-          if (!isNew && existingResult) {
-            return reply.send({
-              success: true,
-              data: existingResult,
-              cached: true
-            });
-          }
-        }
-        const result = await handler(id, data, req);
-        if (idempotencyService) {
-          await idempotencyService.complete(idempotencyKey, result);
-        }
-        return reply.send({
-          success: true,
-          data: result
-        });
-      } catch (error) {
-        if (idempotencyService) {
-          await idempotencyService.fail(idempotencyKey, error);
-        }
-        if (onError) {
-          const { statusCode: statusCode2, error: errorMsg, code } = onError(error, action, id);
-          return reply.code(statusCode2).send({
-            success: false,
-            error: errorMsg,
-            code
-          });
-        }
-        const err = error;
-        const statusCode = err.statusCode || err.status || 500;
-        const errorCode = err.code || "ACTION_FAILED";
-        if (statusCode >= 500) {
-          req.log.error({ err: error, action, id }, "Action handler error");
-        }
-        return reply.code(statusCode).send({
-          success: false,
-          error: err.message || `Failed to execute '${action}' action`,
-          code: errorCode
-        });
-      }
-    }
-  );
-  fastify.log.info(
-    { actions: actionEnum, tag },
-    "[createActionRouter] Registered action endpoint: POST /:id/action"
-  );
-}
-function buildActionDescription(actions, actionPermissions) {
-  const lines = ["Unified action endpoint for state transitions.\n\n**Available actions:**"];
-  Object.keys(actions).forEach((action) => {
-    const perm = actionPermissions[action];
-    const roles = perm?._roles;
-    const roleStr = roles?.length ? ` (requires: ${roles.join(" or ")})` : "";
-    lines.push(`- \`${action}\`${roleStr}`);
-  });
-  return lines.join("\n");
-}
-
-// src/permissions/index.ts
-function allowPublic() {
-  const check = () => true;
-  check._isPublic = true;
-  return check;
-}
-function requireRoles(roles, options) {
-  const check = (ctx) => {
-    if (!ctx.user) {
-      return { granted: false, reason: "Authentication required" };
-    }
-    const userRoles = ctx.user.roles ?? [];
-    if (roles.some((r) => userRoles.includes(r))) {
-      return true;
-    }
-    return {
-      granted: false,
-      reason: `Required roles: ${roles.join(", ")}`
-    };
-  };
-  check._roles = roles;
-  return check;
-}
-
-// src/presets/softDelete.ts
-function softDeletePreset(options = {}) {
-  const { deletedField: _deletedField = "deletedAt" } = options;
-  return {
-    name: "softDelete",
-    additionalRoutes: (permissions) => [
-      {
-        method: "GET",
-        path: "/deleted",
-        handler: "getDeleted",
-        summary: "Get soft-deleted items",
-        permissions: permissions.list ?? requireRoles(["admin"]),
-        wrapHandler: true
-      },
-      {
-        method: "POST",
-        path: "/:id/restore",
-        handler: "restore",
-        summary: "Restore soft-deleted item",
-        permissions: permissions.update ?? requireRoles(["admin"]),
-        wrapHandler: true
-      }
-    ]
-  };
-}
-
-// src/presets/slugLookup.ts
-function slugLookupPreset(options = {}) {
-  const { slugField = "slug" } = options;
-  return {
-    name: "slugLookup",
-    additionalRoutes: (permissions) => [
-      {
-        method: "GET",
-        path: `/slug/:${slugField}`,
-        handler: "getBySlug",
-        summary: "Get by slug",
-        permissions: permissions.get ?? allowPublic(),
-        wrapHandler: true
-        // Handler is a ControllerHandler
-      }
-    ],
-    // Pass to controller so it knows which param to read
-    controllerOptions: {
-      slugField
-    }
-  };
-}
-
-// src/presets/ownedByUser.ts
-function createOwnershipCheck(ownerField, bypassRoles) {
-  return async (request, _reply) => {
-    const user = request.user;
-    if (!user) return;
-    const userWithRoles = user;
-    if (userWithRoles.roles && bypassRoles.some((r) => userWithRoles.roles.includes(r))) return;
-    const userWithId = user;
-    const userId = userWithId._id ?? userWithId.id;
-    if (userId) {
-      request._ownershipCheck = {
-        field: ownerField,
-        userId
-      };
-    }
-  };
-}
-function ownedByUserPreset(options = {}) {
-  const {
-    ownerField = "userId",
-    bypassRoles = ["admin", "superadmin"]
-  } = options;
-  const ownershipMiddleware = createOwnershipCheck(ownerField, bypassRoles);
-  return {
-    name: "ownedByUser",
-    middlewares: {
-      update: [ownershipMiddleware],
-      delete: [ownershipMiddleware]
-    }
-  };
-}
-
-// src/presets/multiTenant.ts
-function defaultExtractOrganizationId(request) {
-  const context = request.context;
-  if (context?.organizationId) {
-    return context.organizationId;
-  }
-  const user = request.user;
-  if (user?.organizationId) {
-    return user.organizationId;
-  }
-  if (user?.organization) {
-    const org = user.organization;
-    return org._id || org.id || org;
-  }
-  return null;
-}
-function createTenantFilter(tenantField, bypassRoles, extractOrganizationId) {
-  return async (request, reply) => {
-    const user = request.user;
-    if (!user) {
-      reply.code(401).send({
-        success: false,
-        error: "Unauthorized",
-        message: "Authentication required for multi-tenant resources"
-      });
-      return;
-    }
-    const userWithRoles = user;
-    if (userWithRoles.roles && bypassRoles.some((r) => userWithRoles.roles.includes(r))) return;
-    const orgId = extractOrganizationId(request);
-    if (!orgId) {
-      reply.code(403).send({
-        success: false,
-        error: "Forbidden",
-        message: "Organization context required for this operation"
-      });
-      return;
-    }
-    request.query = request.query ?? {};
-    request.query._policyFilters = {
-      ...request.query._policyFilters ?? {},
-      [tenantField]: orgId
-    };
-  };
-}
-function createFlexibleTenantFilter(tenantField, bypassRoles, extractOrganizationId) {
-  return async (request, reply) => {
-    const user = request.user;
-    const orgId = extractOrganizationId(request);
-    if (!orgId) {
-      return;
-    }
-    if (!user) {
-      reply.code(401).send({
-        success: false,
-        error: "Unauthorized",
-        message: "Authentication required for organization-scoped data"
-      });
-      return;
-    }
-    const userWithRoles = user;
-    if (userWithRoles.roles && bypassRoles.some((r) => userWithRoles.roles.includes(r))) {
-      return;
-    }
-    request.query = request.query ?? {};
-    request.query._policyFilters = {
-      ...request.query._policyFilters ?? {},
-      [tenantField]: orgId
-    };
-  };
-}
-function createTenantInjection(tenantField, extractOrganizationId) {
-  return async (request, reply) => {
-    const orgId = extractOrganizationId(request);
-    if (!orgId) {
-      reply.code(403).send({
-        success: false,
-        error: "Forbidden",
-        message: "Organization context required to create resources"
-      });
-      return;
-    }
-    if (request.body) {
-      request.body[tenantField] = orgId;
-    }
-  };
-}
-function multiTenantPreset(options = {}) {
-  const {
-    tenantField = "organizationId",
-    bypassRoles = ["superadmin"],
-    extractOrganizationId = defaultExtractOrganizationId,
-    allowPublic: allowPublic2 = []
-  } = options;
-  const strictTenantFilter = createTenantFilter(tenantField, bypassRoles, extractOrganizationId);
-  const flexibleTenantFilter = createFlexibleTenantFilter(tenantField, bypassRoles, extractOrganizationId);
-  const tenantInjection = createTenantInjection(tenantField, extractOrganizationId);
-  const getFilter = (route) => allowPublic2.includes(route) ? flexibleTenantFilter : strictTenantFilter;
-  return {
-    name: "multiTenant",
-    middlewares: {
-      list: [getFilter("list")],
-      get: [getFilter("get")],
-      create: [tenantInjection],
-      update: [getFilter("update")],
-      delete: [getFilter("delete")]
-    }
-  };
-}
-
-// src/presets/tree.ts
-function treePreset(options = {}) {
-  const { parentField = "parent" } = options;
-  return {
-    name: "tree",
-    additionalRoutes: (permissions) => [
-      {
-        method: "GET",
-        path: "/tree",
-        handler: "getTree",
-        summary: "Get hierarchical tree",
-        permissions: permissions.list ?? allowPublic(),
-        wrapHandler: true
-      },
-      {
-        method: "GET",
-        path: `/:${parentField}/children`,
-        handler: "getChildren",
-        summary: "Get children of parent",
-        permissions: permissions.list ?? allowPublic(),
-        wrapHandler: true
-      }
-    ],
-    // Pass to controller so it knows which param to read
-    controllerOptions: {
-      parentField
-    }
-  };
-}
-
-// src/presets/audited.ts
-function auditedPreset(options = {}) {
-  const { createdByField = "createdBy", updatedByField = "updatedBy" } = options;
-  const injectCreatedBy = async (request, _reply) => {
-    const userWithId = request.user;
-    if (userWithId?._id || userWithId?.id) {
-      const userId = userWithId._id ?? userWithId.id;
-      request.body[createdByField] = userId;
-      request.body[updatedByField] = userId;
-    }
-    return void 0;
-  };
-  const injectUpdatedBy = async (request, _reply) => {
-    const userWithId = request.user;
-    if (userWithId?._id || userWithId?.id) {
-      request.body[updatedByField] = userWithId._id ?? userWithId.id;
-    }
-    return void 0;
-  };
-  return {
-    name: "audited",
-    schemaOptions: {
-      fieldRules: {
-        [createdByField]: { systemManaged: true },
-        [updatedByField]: { systemManaged: true },
-        createdAt: { systemManaged: true },
-        updatedAt: { systemManaged: true }
-      }
-    },
-    middlewares: {
-      create: [injectCreatedBy],
-      update: [injectUpdatedBy]
-    }
-  };
-}
-
-// src/presets/index.ts
-var presetRegistry = {
-  softDelete: softDeletePreset,
-  slugLookup: slugLookupPreset,
-  ownedByUser: ownedByUserPreset,
-  multiTenant: multiTenantPreset,
-  tree: treePreset,
-  audited: auditedPreset
-};
-function resolvePreset(name, options = {}) {
-  const factory = presetRegistry[name];
-  if (!factory) {
-    const available = Object.keys(presetRegistry).join(", ");
-    throw new Error(
-      `Unknown preset: '${name}'
-Available presets: ${available}
-Docs: https://github.com/classytic/arc#presets`
-    );
-  }
-  return factory(options);
-}
-function getAvailablePresets() {
-  return Object.keys(presetRegistry);
-}
-function applyPresets(config, presets = []) {
-  let result = { ...config };
-  for (const preset of presets) {
-    const resolved = resolvePresetInput(preset);
-    result = mergePreset(result, resolved);
-  }
-  return result;
-}
-function resolvePresetInput(preset) {
-  if (typeof preset === "object" && ("middlewares" in preset || "additionalRoutes" in preset)) {
-    return preset;
-  }
-  if (typeof preset === "object" && "name" in preset) {
-    const { name, ...options } = preset;
-    return resolvePreset(name, options);
-  }
-  return resolvePreset(preset);
-}
-function mergePreset(config, preset) {
-  const result = { ...config };
-  if (preset.additionalRoutes) {
-    const routes = typeof preset.additionalRoutes === "function" ? preset.additionalRoutes(config.permissions ?? {}) : preset.additionalRoutes;
-    result.additionalRoutes = [
-      ...result.additionalRoutes ?? [],
-      ...routes
-    ];
-  }
-  if (preset.middlewares) {
-    result.middlewares = result.middlewares ?? {};
-    for (const [op, mws] of Object.entries(preset.middlewares)) {
-      const key = op;
-      result.middlewares[key] = [
-        ...result.middlewares[key] ?? [],
-        ...mws ?? []
-      ];
-    }
-  }
-  if (preset.schemaOptions) {
-    result.schemaOptions = {
-      ...result.schemaOptions,
-      ...preset.schemaOptions
-    };
-  }
-  if (preset.controllerOptions) {
-    result._controllerOptions = {
-      ...result._controllerOptions,
-      ...preset.controllerOptions
-    };
-  }
-  if (preset.hooks && preset.hooks.length > 0) {
-    result._hooks = result._hooks ?? [];
-    for (const hook of preset.hooks) {
-      result._hooks.push({
-        presetName: preset.name,
-        operation: hook.operation,
-        phase: hook.phase,
-        handler: hook.handler,
-        priority: hook.priority
-      });
-    }
-  }
-  return result;
-}
-
-// src/registry/ResourceRegistry.ts
-var ResourceRegistry = class {
-  _resources;
-  _frozen;
-  constructor() {
-    this._resources = /* @__PURE__ */ new Map();
-    this._frozen = false;
-  }
-  /**
-   * Register a resource
-   */
-  register(resource, options = {}) {
-    if (this._frozen) {
-      throw new Error(
-        `Registry frozen. Cannot register '${resource.name}' after startup.`
-      );
-    }
-    if (this._resources.has(resource.name)) {
-      throw new Error(`Resource '${resource.name}' already registered.`);
-    }
-    const entry = {
-      name: resource.name,
-      displayName: resource.displayName,
-      tag: resource.tag,
-      prefix: resource.prefix,
-      module: options.module ?? void 0,
-      adapter: resource.adapter ? {
-        type: resource.adapter.type,
-        name: resource.adapter.name
-      } : null,
-      permissions: resource.permissions,
-      presets: resource._appliedPresets ?? [],
-      routes: [],
-      // Populated later by getIntrospection()
-      additionalRoutes: resource.additionalRoutes.map((r) => ({
-        method: r.method,
-        path: r.path,
-        handler: typeof r.handler === "string" ? r.handler : r.handler.name || "anonymous",
-        summary: r.summary,
-        description: r.description,
-        permissions: r.permissions,
-        wrapHandler: r.wrapHandler,
-        schema: r.schema
-        // Include schema for OpenAPI docs
-      })),
-      events: Object.keys(resource.events ?? {}),
-      registeredAt: (/* @__PURE__ */ new Date()).toISOString(),
-      disableDefaultRoutes: resource.disableDefaultRoutes,
-      openApiSchemas: options.openApiSchemas,
-      plugin: resource.toPlugin()
-      // Store plugin factory
-    };
-    this._resources.set(resource.name, entry);
-    return this;
-  }
-  /**
-   * Get resource by name
-   */
-  get(name) {
-    return this._resources.get(name);
-  }
-  /**
-   * Get all resources
-   */
-  getAll() {
-    return Array.from(this._resources.values());
-  }
-  /**
-   * Get resources by module
-   */
-  getByModule(moduleName) {
-    return this.getAll().filter((r) => r.module === moduleName);
-  }
-  /**
-   * Get resources by preset
-   */
-  getByPreset(presetName) {
-    return this.getAll().filter((r) => r.presets.includes(presetName));
-  }
-  /**
-   * Check if resource exists
-   */
-  has(name) {
-    return this._resources.has(name);
-  }
-  /**
-   * Get registry statistics
-   */
-  getStats() {
-    const resources = this.getAll();
-    const presetCounts = {};
-    for (const r of resources) {
-      for (const preset of r.presets) {
-        presetCounts[preset] = (presetCounts[preset] ?? 0) + 1;
-      }
-    }
-    return {
-      totalResources: resources.length,
-      byModule: this._groupBy(resources, "module"),
-      presetUsage: presetCounts,
-      totalRoutes: resources.reduce((sum, r) => {
-        const defaultRouteCount = r.disableDefaultRoutes ? 0 : 5;
-        return sum + (r.additionalRoutes?.length ?? 0) + defaultRouteCount;
-      }, 0),
-      totalEvents: resources.reduce((sum, r) => sum + (r.events?.length ?? 0), 0)
-    };
-  }
-  /**
-   * Get full introspection data
-   */
-  getIntrospection() {
-    return {
-      resources: this.getAll().map((r) => {
-        const defaultRoutes = r.disableDefaultRoutes ? [] : [
-          { method: "GET", path: r.prefix, operation: "list" },
-          { method: "GET", path: `${r.prefix}/:id`, operation: "get" },
-          { method: "POST", path: r.prefix, operation: "create" },
-          { method: "PATCH", path: `${r.prefix}/:id`, operation: "update" },
-          { method: "DELETE", path: `${r.prefix}/:id`, operation: "delete" }
-        ];
-        return {
-          name: r.name,
-          displayName: r.displayName,
-          prefix: r.prefix,
-          module: r.module,
-          presets: r.presets,
-          permissions: r.permissions,
-          routes: [
-            ...defaultRoutes,
-            ...r.additionalRoutes?.map((ar) => ({
-              method: ar.method,
-              path: `${r.prefix}${ar.path}`,
-              operation: typeof ar.handler === "string" ? ar.handler : "custom",
-              handler: typeof ar.handler === "string" ? ar.handler : void 0,
-              summary: ar.summary
-            })) ?? []
-          ],
-          events: r.events
-        };
-      }),
-      stats: this.getStats(),
-      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-  }
-  /**
-   * Freeze registry (prevent further registrations)
-   */
-  freeze() {
-    this._frozen = true;
-  }
-  /**
-   * Check if frozen
-   */
-  isFrozen() {
-    return this._frozen;
-  }
-  /**
-   * Unfreeze registry (for testing)
-   */
-  _unfreeze() {
-    this._frozen = false;
-  }
-  /**
-   * Clear all resources (for testing)
-   */
-  _clear() {
-    this._resources.clear();
-    this._frozen = false;
-  }
-  /**
-   * Group by key
-   */
-  _groupBy(arr, key) {
-    const result = {};
-    for (const item of arr) {
-      const k = String(item[key] ?? "uncategorized");
-      result[k] = (result[k] ?? 0) + 1;
-    }
-    return result;
-  }
-};
-var registryKey = /* @__PURE__ */ Symbol.for("arc.resourceRegistry");
-var globalScope = globalThis;
-var resourceRegistry = globalScope[registryKey] ?? new ResourceRegistry();
-if (!globalScope[registryKey]) {
-  globalScope[registryKey] = resourceRegistry;
-}
-
-// src/core/validateResourceConfig.ts
-function validateResourceConfig(config, options = {}) {
-  const errors = [];
-  const warnings = [];
-  if (!config.name) {
-    errors.push({
-      field: "name",
-      message: "Resource name is required",
-      suggestion: 'Add a unique resource name (e.g., "product", "user")'
-    });
-  } else if (!/^[a-z][a-z0-9-]*$/i.test(config.name)) {
-    errors.push({
-      field: "name",
-      message: `Invalid resource name "${config.name}"`,
-      suggestion: "Use alphanumeric characters and hyphens, starting with a letter"
-    });
-  }
-  const crudRoutes = ["list", "get", "create", "update", "delete"];
-  const disabledRoutes = new Set(config.disabledRoutes ?? []);
-  const enabledCrudRoutes = crudRoutes.filter((route) => !disabledRoutes.has(route));
-  const hasCrudRoutes = !config.disableDefaultRoutes && enabledCrudRoutes.length > 0;
-  if (hasCrudRoutes) {
-    if (!config.adapter) {
-      errors.push({
-        field: "adapter",
-        message: "Data adapter is required when CRUD routes are enabled",
-        suggestion: "Provide an adapter: createMongooseAdapter({ model, repository })"
-      });
-    } else if (!config.adapter.repository) {
-      errors.push({
-        field: "adapter.repository",
-        message: "Adapter must provide a repository",
-        suggestion: "Ensure your adapter returns a valid CrudRepository"
-      });
-    }
-    if (!config.controller) {
-      warnings.push({
-        field: "controller",
-        message: "No controller provided, will auto-create BaseController"
-      });
-    }
-  } else {
-    if (!config.adapter && !config.additionalRoutes?.length) {
-      warnings.push({
-        field: "config",
-        message: "Resource has no adapter and no additionalRoutes",
-        suggestion: "Provide either adapter for CRUD or additionalRoutes for custom logic"
-      });
-    }
-  }
-  if (config.controller && !options.skipControllerCheck && !config.disableDefaultRoutes) {
-    const ctrl = config.controller;
-    const requiredMethods = ["list", "get", "create", "update", "delete"];
-    for (const method of requiredMethods) {
-      if (typeof ctrl[method] !== "function") {
-        errors.push({
-          field: `controller.${method}`,
-          message: `Missing required CRUD method "${method}"`,
-          suggestion: "Extend BaseController which implements IController interface"
-        });
-      }
-    }
-  }
-  if (config.controller && config.additionalRoutes) {
-    validateAdditionalRouteHandlers(config.controller, config.additionalRoutes, errors);
-  }
-  if (config.permissions) {
-    validatePermissionKeys(config, options, errors, warnings);
-  }
-  if (config.presets && !options.allowUnknownPresets) {
-    validatePresets(config.presets, errors, warnings);
-  }
-  if (config.prefix) {
-    if (!config.prefix.startsWith("/")) {
-      errors.push({
-        field: "prefix",
-        message: `Prefix must start with "/" (got "${config.prefix}")`,
-        suggestion: `Change to "/${config.prefix}"`
-      });
-    }
-    if (config.prefix.endsWith("/") && config.prefix !== "/") {
-      warnings.push({
-        field: "prefix",
-        message: `Prefix should not end with "/" (got "${config.prefix}")`,
-        suggestion: `Change to "${config.prefix.slice(0, -1)}"`
-      });
-    }
-  }
-  if (config.additionalRoutes) {
-    validateAdditionalRoutes(config.additionalRoutes, errors);
-  }
-  return {
-    valid: errors.length === 0,
-    errors,
-    warnings
-  };
-}
-function validateAdditionalRouteHandlers(controller, routes, errors) {
-  const ctrl = controller;
-  for (const route of routes) {
-    if (typeof route.handler === "string") {
-      if (typeof ctrl[route.handler] !== "function") {
-        errors.push({
-          field: `additionalRoutes[${route.method} ${route.path}]`,
-          message: `Handler "${route.handler}" not found on controller`,
-          suggestion: `Add method "${route.handler}" to controller or use a function handler`
-        });
-      }
-    }
-  }
-}
-function validatePermissionKeys(config, options, errors, warnings) {
-  const validKeys = /* @__PURE__ */ new Set([
-    "list",
-    "get",
-    "create",
-    "update",
-    "delete",
-    ...options.additionalPermissionKeys ?? []
-  ]);
-  for (const route of config.additionalRoutes ?? []) {
-    if (typeof route.handler === "string") {
-      validKeys.add(route.handler);
-    }
-  }
-  for (const preset of config.presets ?? []) {
-    const presetName = typeof preset === "string" ? preset : preset.name;
-    if (presetName === "softDelete") {
-      validKeys.add("deleted");
-      validKeys.add("restore");
-    }
-    if (presetName === "slugLookup") {
-      validKeys.add("getBySlug");
-    }
-    if (presetName === "tree") {
-      validKeys.add("tree");
-      validKeys.add("children");
-      validKeys.add("getTree");
-      validKeys.add("getChildren");
-    }
-  }
-  for (const key of Object.keys(config.permissions ?? {})) {
-    if (!validKeys.has(key)) {
-      warnings.push({
-        field: `permissions.${key}`,
-        message: `Unknown permission key "${key}"`,
-        suggestion: `Valid keys: ${Array.from(validKeys).join(", ")}`
-      });
-    }
-  }
-}
-function validatePresets(presets, errors, warnings) {
-  const availablePresets = getAvailablePresets();
-  for (const preset of presets) {
-    if (typeof preset === "object" && ("middlewares" in preset || "additionalRoutes" in preset)) {
-      continue;
-    }
-    const presetName = typeof preset === "string" ? preset : preset.name;
-    if (!availablePresets.includes(presetName)) {
-      errors.push({
-        field: "presets",
-        message: `Unknown preset "${presetName}"`,
-        suggestion: `Available presets: ${availablePresets.join(", ")}`
-      });
-    }
-    if (typeof preset === "object") {
-      validatePresetOptions(preset, warnings);
-    }
-  }
-}
-function validatePresetOptions(preset, warnings) {
-  const knownOptions = {
-    slugLookup: ["slugField"],
-    tree: ["parentField"],
-    softDelete: ["deletedField"],
-    ownedByUser: ["ownerField", "bypassRoles"],
-    multiTenant: ["tenantField", "bypassRoles"]
-  };
-  const validOptions = knownOptions[preset.name] ?? [];
-  const providedOptions = Object.keys(preset).filter((k) => k !== "name");
-  for (const opt of providedOptions) {
-    if (!validOptions.includes(opt)) {
-      warnings.push({
-        field: `presets[${preset.name}].${opt}`,
-        message: `Unknown option "${opt}" for preset "${preset.name}"`,
-        suggestion: validOptions.length > 0 ? `Valid options: ${validOptions.join(", ")}` : `Preset "${preset.name}" has no configurable options`
-      });
-    }
-  }
-}
-function validateAdditionalRoutes(routes, errors) {
-  const validMethods = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"];
-  const seenRoutes = /* @__PURE__ */ new Set();
-  for (const [i, route] of routes.entries()) {
-    if (!validMethods.includes(route.method)) {
-      errors.push({
-        field: `additionalRoutes[${i}].method`,
-        message: `Invalid HTTP method "${route.method}"`,
-        suggestion: `Valid methods: ${validMethods.join(", ")}`
-      });
-    }
-    if (!route.path) {
-      errors.push({
-        field: `additionalRoutes[${i}].path`,
-        message: "Route path is required"
-      });
-    } else if (!route.path.startsWith("/")) {
-      errors.push({
-        field: `additionalRoutes[${i}].path`,
-        message: `Route path must start with "/" (got "${route.path}")`,
-        suggestion: `Change to "/${route.path}"`
-      });
-    }
-    if (!route.handler) {
-      errors.push({
-        field: `additionalRoutes[${i}].handler`,
-        message: "Route handler is required"
-      });
-    }
-    const routeKey = `${route.method} ${route.path}`;
-    if (seenRoutes.has(routeKey)) {
-      errors.push({
-        field: `additionalRoutes[${i}]`,
-        message: `Duplicate route "${routeKey}"`
-      });
-    }
-    seenRoutes.add(routeKey);
-  }
-}
-function formatValidationErrors(resourceName, result) {
-  const lines = [];
-  if (result.errors.length > 0) {
-    lines.push(`Resource "${resourceName}" validation failed:`);
-    lines.push("");
-    lines.push("ERRORS:");
-    for (const err of result.errors) {
-      lines.push(`  ✗ ${err.field}: ${err.message}`);
-      if (err.suggestion) {
-        lines.push(`    → ${err.suggestion}`);
-      }
-    }
-  }
-  if (result.warnings.length > 0) {
-    if (lines.length > 0) lines.push("");
-    lines.push("WARNINGS:");
-    for (const warn of result.warnings) {
-      lines.push(`  ⚠ ${warn.field}: ${warn.message}`);
-      if (warn.suggestion) {
-        lines.push(`    → ${warn.suggestion}`);
-      }
-    }
-  }
-  return lines.join("\n");
-}
-function assertValidConfig(config, options) {
-  const result = validateResourceConfig(config, options);
-  if (!result.valid) {
-    const errorMsg = formatValidationErrors(config.name ?? "unknown", result);
-    throw new Error(errorMsg);
-  }
-  if (result.warnings.length > 0 && process.env.NODE_ENV !== "production") {
-    console.warn(formatValidationErrors(config.name ?? "unknown", {
-      errors: [],
-      warnings: result.warnings
-    }));
-  }
-}
-
-// src/core/defineResource.ts
-function defineResource(config) {
-  if (!config.skipValidation) {
-    assertValidConfig(config, { skipControllerCheck: true });
-    if (config.permissions) {
-      for (const [key, value] of Object.entries(config.permissions)) {
-        if (value !== void 0 && typeof value !== "function") {
-          throw new Error(
-            `[Arc] Resource '${config.name}': permissions.${key} must be a PermissionCheck function.
-Use allowPublic(), requireAuth(), or requireRoles(['role']) from @classytic/arc/permissions.`
-          );
-        }
-      }
-    }
-    for (const route of config.additionalRoutes ?? []) {
-      if (typeof route.permissions !== "function") {
-        throw new Error(
-          `[Arc] Resource '${config.name}' route ${route.method} ${route.path}: permissions is required and must be a PermissionCheck function.
-Use allowPublic() or requireAuth() from @classytic/arc/permissions.`
-        );
-      }
-      if (typeof route.wrapHandler !== "boolean") {
-        throw new Error(
-          `[Arc] Resource '${config.name}' route ${route.method} ${route.path}: wrapHandler is required.
-Set true for ControllerHandler (context object) or false for FastifyHandler (req, reply).`
-        );
-      }
-    }
-  }
-  const repository = config.adapter?.repository;
-  const crudRoutes = ["list", "get", "create", "update", "delete"];
-  const disabledRoutes = new Set(config.disabledRoutes ?? []);
-  const hasCrudRoutes = !config.disableDefaultRoutes && crudRoutes.some((route) => !disabledRoutes.has(route));
-  let controller = config.controller;
-  if (!controller && hasCrudRoutes && repository) {
-    controller = new BaseController(repository, {
-      resourceName: config.name,
-      schemaOptions: config.schemaOptions,
-      queryParser: config.queryParser
-    });
-  }
-  const originalPresets = (config.presets ?? []).map(
-    (p) => typeof p === "string" ? p : p.name
-  );
-  const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
-  resolvedConfig._appliedPresets = originalPresets;
-  if (controller) {
-    const ctrl = controller;
-    if (typeof ctrl._setResourceOptions === "function") {
-      ctrl._setResourceOptions({
-        schemaOptions: resolvedConfig.schemaOptions,
-        presetFields: resolvedConfig._controllerOptions ? {
-          slugField: resolvedConfig._controllerOptions.slugField,
-          parentField: resolvedConfig._controllerOptions.parentField
-        } : void 0,
-        resourceName: resolvedConfig.name,
-        queryParser: resolvedConfig.queryParser
-      });
-    }
-  }
-  const resource = new ResourceDefinition({
-    ...resolvedConfig,
-    adapter: config.adapter,
-    controller
-  });
-  if (!config.skipValidation && controller) {
-    resource._validateControllerMethods();
-  }
-  if (resolvedConfig._hooks?.length) {
-    for (const hook of resolvedConfig._hooks) {
-      hookSystem.register({
-        resource: resolvedConfig.name,
-        operation: hook.operation,
-        phase: hook.phase,
-        handler: hook.handler,
-        priority: hook.priority ?? 10
-      });
-    }
-  }
-  if (!config.skipRegistry) {
-    try {
-      let openApiSchemas = config.openApiSchemas;
-      if (!openApiSchemas && config.adapter?.generateSchemas) {
-        const generated = config.adapter.generateSchemas(config.schemaOptions);
-        if (generated) {
-          openApiSchemas = generated;
-        }
-      }
-      const queryParser = config.queryParser;
-      if (!openApiSchemas?.listQuery && queryParser?.getQuerySchema) {
-        const querySchema = queryParser.getQuerySchema();
-        if (querySchema) {
-          openApiSchemas = {
-            ...openApiSchemas,
-            listQuery: querySchema
-          };
-        }
-      }
-      resourceRegistry.register(resource, {
-        module: config.module,
-        openApiSchemas
-      });
-    } catch {
-    }
-  }
-  return resource;
-}
-var ResourceDefinition = class {
-  // Identity
-  name;
-  displayName;
-  tag;
-  prefix;
-  // Adapter (database abstraction) - optional for service resources
-  adapter;
-  // Controller
-  controller;
-  // Schema & Validation
-  schemaOptions;
-  customSchemas;
-  // Security
-  permissions;
-  // Customization
-  additionalRoutes;
-  middlewares;
-  disableDefaultRoutes;
-  disabledRoutes;
-  organizationScoped;
-  // Events
-  events;
-  // Presets tracking
-  _appliedPresets;
-  constructor(config) {
-    this.name = config.name;
-    this.displayName = config.displayName ?? capitalize(config.name) + "s";
-    this.tag = config.tag ?? this.displayName;
-    this.prefix = config.prefix ?? `/${config.name}s`;
-    this.adapter = config.adapter;
-    this.controller = config.controller;
-    this.schemaOptions = config.schemaOptions ?? {};
-    this.customSchemas = config.customSchemas ?? {};
-    this.permissions = config.permissions ?? {};
-    this.additionalRoutes = config.additionalRoutes ?? [];
-    this.middlewares = config.middlewares ?? {};
-    this.disableDefaultRoutes = config.disableDefaultRoutes ?? false;
-    this.disabledRoutes = config.disabledRoutes ?? [];
-    this.organizationScoped = config.organizationScoped ?? false;
-    this.events = config.events ?? {};
-    this._appliedPresets = config._appliedPresets ?? [];
-  }
-  /** Get repository from adapter (if available) */
-  get repository() {
-    return this.adapter?.repository;
-  }
-  /** Get model from adapter (if available) */
-  get model() {
-    if (!this.adapter) return void 0;
-    return this.adapter.getSchemaMetadata?.() ? this.adapter.model : void 0;
-  }
-  _validateControllerMethods() {
-    const errors = [];
-    const crudRoutes = ["list", "get", "create", "update", "delete"];
-    const disabledRoutes = new Set(this.disabledRoutes ?? []);
-    const enabledCrudRoutes = crudRoutes.filter((route) => !disabledRoutes.has(route));
-    const hasCrudRoutes = !this.disableDefaultRoutes && enabledCrudRoutes.length > 0;
-    if (hasCrudRoutes) {
-      if (!this.controller) {
-        errors.push("Controller is required when CRUD routes are enabled");
-      } else {
-        const ctrl = this.controller;
-        for (const method of enabledCrudRoutes) {
-          if (typeof ctrl[method] !== "function") {
-            errors.push(`CRUD method '${method}' not found on controller`);
-          }
-        }
-      }
-    }
-    for (const route of this.additionalRoutes) {
-      if (typeof route.handler === "string") {
-        if (!this.controller) {
-          errors.push(
-            `Route ${route.method} ${route.path}: string handler '${route.handler}' requires a controller`
-          );
-        } else {
-          const ctrl = this.controller;
-          if (typeof ctrl[route.handler] !== "function") {
-            errors.push(
-              `Route ${route.method} ${route.path}: handler '${route.handler}' not found`
-            );
-          }
-        }
-      }
-    }
-    if (errors.length > 0) {
-      const errorMsg = [
-        `Resource '${this.name}' validation failed:`,
-        ...errors.map((e) => `  - ${e}`),
-        "",
-        "Ensure controller implements IController<TDoc> interface.",
-        "For preset routes (softDelete, tree), add corresponding methods to controller."
-      ].join("\n");
-      throw new Error(errorMsg);
-    }
-  }
-  toPlugin() {
-    const self = this;
-    return async function resourcePlugin(fastify, _opts) {
-      await fastify.register(async (instance) => {
-        const typedInstance = instance;
-        let schemas = null;
-        if (self.adapter) {
-          const metadata = self.adapter.getSchemaMetadata?.();
-          if (metadata && typedInstance.generateSchemas) {
-            const model = self.adapter.model;
-            if (model && typeof typedInstance.generateSchemas === "function") {
-              schemas = typedInstance.generateSchemas(model, self.schemaOptions);
-            }
-          }
-        }
-        if (self.customSchemas && Object.keys(self.customSchemas).length > 0) {
-          schemas = schemas ?? {};
-          for (const [op, customSchema] of Object.entries(self.customSchemas)) {
-            const key = op;
-            schemas[key] = schemas[key] ? deepMergeSchemas(schemas[key], customSchema) : customSchema;
-          }
-        }
-        const resolvedRoutes = self.additionalRoutes;
-        createCrudRouter(typedInstance, self.controller, {
-          tag: self.tag,
-          schemas: schemas ?? void 0,
-          permissions: self.permissions,
-          middlewares: self.middlewares,
-          additionalRoutes: resolvedRoutes,
-          disableDefaultRoutes: self.disableDefaultRoutes,
-          disabledRoutes: self.disabledRoutes,
-          organizationScoped: self.organizationScoped,
-          resourceName: self.name,
-          schemaOptions: self.schemaOptions
-        });
-        if (self.events && Object.keys(self.events).length > 0) {
-          typedInstance.log?.info?.(
-            `Resource '${self.name}' defined ${Object.keys(self.events).length} events`
-          );
-        }
-      }, { prefix: self.prefix });
-    };
-  }
-  /**
-   * Get event definitions for registry
-   */
-  getEvents() {
-    return Object.entries(this.events).map(([action, meta]) => ({
-      name: `${this.name}:${action}`,
-      module: this.name,
-      schema: meta.schema,
-      description: meta.description
-    }));
-  }
-  /**
-   * Get resource metadata
-   */
-  getMetadata() {
-    return {
-      name: this.name,
-      displayName: this.displayName,
-      tag: this.tag,
-      prefix: this.prefix,
-      presets: this._appliedPresets,
-      permissions: this.permissions,
-      additionalRoutes: this.additionalRoutes,
-      routes: [],
-      // Populated at runtime during registration
-      events: Object.keys(this.events)
-    };
-  }
-};
-function deepMergeSchemas(base, override) {
-  if (!override) return base;
-  if (!base) return override;
-  const result = { ...base };
-  for (const [key, value] of Object.entries(override)) {
-    if (value && typeof value === "object" && !Array.isArray(value)) {
-      result[key] = deepMergeSchemas(result[key], value);
-    } else {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-function capitalize(str) {
-  if (!str) return "";
-  return str.charAt(0).toUpperCase() + str.slice(1);
-}
-
-export { BaseController, ResourceDefinition, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createOrgScopedMiddleware, createPermissionMiddleware, createRequestContext, defineResource, sendControllerResponse };