@classytic/arc 1.1.0 → 2.1.3

package/dist/events/transports/redis.d.mts

@@ -0,0 +1,76 @@
+import { i as EventTransport, n as EventHandler, r as EventLogger, t as DomainEvent } from "../../EventTransport-BkUDYZEb.mjs";
+
+//#region src/events/transports/redis.d.ts
+interface RedisLike {
+  publish(channel: string, message: string): Promise<number>;
+  subscribe(...channels: string[]): Promise<unknown>;
+  psubscribe(...patterns: string[]): Promise<unknown>;
+  on(event: string, handler: (...args: unknown[]) => void): unknown;
+  duplicate(): RedisLike;
+  quit(): Promise<unknown>;
+}
+interface RedisEventTransportOptions {
+  /**
+   * Redis channel prefix for all events.
+   * Events are published to `<channel>:<event.type>`.
+   * @default 'arc-events'
+   */
+  channel?: string;
+  /**
+   * If `true`, the transport will NOT call `quit()` on the Redis clients when
+   * `close()` is called. Useful when you manage the Redis lifecycle externally.
+   * @default false
+   */
+  externalLifecycle?: boolean;
+  /**
+   * Logger for error messages (default: console).
+   * Pass `fastify.log` to integrate with your application logger.
+   */
+  logger?: EventLogger;
+}
+declare class RedisEventTransport implements EventTransport {
+  readonly name = "redis";
+  /** Publish-side client (the original client or a duplicate). */
+  private pub;
+  /** Subscribe-side client (always a duplicate — ioredis requires a dedicated connection for subscriptions). */
+  private sub;
+  /** Channel prefix. */
+  private channel;
+  /** Whether we own the Redis client lifecycle. */
+  private externalLifecycle;
+  /** Logger for error messages. */
+  private logger;
+  /** Registered handlers keyed by their *Redis* pattern (with channel prefix). */
+  private handlers;
+  /** Tracks whether the pmessage listener has been attached. */
+  private listenerAttached;
+  constructor(redis: RedisLike, options?: RedisEventTransportOptions);
+  publish(event: DomainEvent): Promise<void>;
+  subscribe(pattern: string, handler: EventHandler): Promise<() => void>;
+  close(): Promise<void>;
+  /**
+   * Attach the Redis message listeners exactly once.
+   */
+  private ensureListener;
+  /**
+   * Dispatch an incoming Redis message to all registered handlers.
+   */
+  private dispatch;
+  /**
+   * Convert an Arc event pattern to a Redis channel/pattern string.
+   *
+   * Arc patterns use `*` as a single-segment wildcard (e.g., `product.*`).
+   * Redis PSUBSCRIBE uses the same glob syntax, so we just prepend the
+   * channel prefix.
+   *
+   * Special case: bare `*` means "all events", which maps to
+   * `<channel>:*` in Redis.
+   */
+  private toRedisPattern;
+  /**
+   * Returns true if the pattern contains glob characters.
+   */
+  private isGlob;
+}
+//#endregion
+export { RedisEventTransport, RedisEventTransport as default, RedisEventTransportOptions, RedisLike };

package/dist/events/transports/redis.mjs

@@ -0,0 +1,124 @@
+//#region src/events/transports/redis.ts
+/**
+* DomainEvent contains a `Date` in `meta.timestamp`.  We serialize it as an
+* ISO string and revive it on the other end so subscribers always receive a
+* proper Date object.
+*/
+function serialize(event) {
+	return JSON.stringify(event, (_key, value) => {
+		if (value instanceof Date) return value.toISOString();
+		return value;
+	});
+}
+function deserialize(raw) {
+	return JSON.parse(raw, (key, value) => {
+		if (key === "timestamp" && typeof value === "string") return new Date(value);
+		return value;
+	});
+}
+var RedisEventTransport = class {
+	name = "redis";
+	/** Publish-side client (the original client or a duplicate). */
+	pub;
+	/** Subscribe-side client (always a duplicate — ioredis requires a dedicated connection for subscriptions). */
+	sub;
+	/** Channel prefix. */
+	channel;
+	/** Whether we own the Redis client lifecycle. */
+	externalLifecycle;
+	/** Logger for error messages. */
+	logger;
+	/** Registered handlers keyed by their *Redis* pattern (with channel prefix). */
+	handlers = /* @__PURE__ */ new Map();
+	/** Tracks whether the pmessage listener has been attached. */
+	listenerAttached = false;
+	constructor(redis, options = {}) {
+		const { channel = "arc-events", externalLifecycle = false, logger = console } = options;
+		this.channel = channel;
+		this.externalLifecycle = externalLifecycle;
+		this.logger = logger;
+		this.pub = redis;
+		this.sub = redis.duplicate();
+	}
+	async publish(event) {
+		const redisChannel = `${this.channel}:${event.type}`;
+		await this.pub.publish(redisChannel, serialize(event));
+	}
+	async subscribe(pattern, handler) {
+		this.ensureListener();
+		const redisPattern = this.toRedisPattern(pattern);
+		if (!this.handlers.has(redisPattern)) {
+			this.handlers.set(redisPattern, /* @__PURE__ */ new Set());
+			if (this.isGlob(redisPattern)) await this.sub.psubscribe(redisPattern);
+			else await this.sub.subscribe(redisPattern);
+		}
+		this.handlers.get(redisPattern).add(handler);
+		return () => {
+			const set = this.handlers.get(redisPattern);
+			if (set) set.delete(handler);
+		};
+	}
+	async close() {
+		this.handlers.clear();
+		if (!this.externalLifecycle) await Promise.all([this.sub.quit(), this.pub.quit()]);
+		else await this.sub.quit();
+	}
+	/**
+	* Attach the Redis message listeners exactly once.
+	*/
+	ensureListener() {
+		if (this.listenerAttached) return;
+		this.listenerAttached = true;
+		this.sub.on("pmessage", (...args) => {
+			const [redisPattern, , message] = args;
+			this.dispatch(redisPattern, message);
+		});
+		this.sub.on("message", (...args) => {
+			const [channel, message] = args;
+			this.dispatch(channel, message);
+		});
+	}
+	/**
+	* Dispatch an incoming Redis message to all registered handlers.
+	*/
+	dispatch(redisPatternOrChannel, raw) {
+		const handlers = this.handlers.get(redisPatternOrChannel);
+		if (!handlers || handlers.size === 0) return;
+		let event;
+		try {
+			event = deserialize(raw);
+		} catch {
+			return;
+		}
+		for (const handler of handlers) try {
+			const result = handler(event);
+			if (result && typeof result.catch === "function") result.catch((err) => {
+				this.logger.error(`[RedisEventTransport] Handler error for ${event.type}:`, err);
+			});
+		} catch (err) {
+			this.logger.error(`[RedisEventTransport] Handler error for ${event.type}:`, err);
+		}
+	}
+	/**
+	* Convert an Arc event pattern to a Redis channel/pattern string.
+	*
+	* Arc patterns use `*` as a single-segment wildcard (e.g., `product.*`).
+	* Redis PSUBSCRIBE uses the same glob syntax, so we just prepend the
+	* channel prefix.
+	*
+	* Special case: bare `*` means "all events", which maps to
+	* `<channel>:*` in Redis.
+	*/
+	toRedisPattern(pattern) {
+		return `${this.channel}:${pattern}`;
+	}
+	/**
+	* Returns true if the pattern contains glob characters.
+	*/
+	isGlob(pattern) {
+		return pattern.includes("*") || pattern.includes("?") || pattern.includes("[");
+	}
+};
+
+//#endregion
+export { RedisEventTransport, RedisEventTransport as default };

package/dist/externalPaths-SyPF2tgK.d.mts

@@ -0,0 +1,50 @@
+//#region src/docs/externalPaths.d.ts
+/**
+ * External OpenAPI Path Provider
+ *
+ * Generic interface for injecting non-resource paths into the OpenAPI spec.
+ * Used by auth adapters (Better Auth, custom auth), third-party integrations,
+ * or any system that registers routes outside Arc's resource registry.
+ *
+ * @example
+ * ```typescript
+ * import type { ExternalOpenApiPaths } from '@classytic/arc/docs';
+ *
+ * const authPaths: ExternalOpenApiPaths = {
+ *   paths: {
+ *     '/api/auth/sign-in': {
+ *       post: { summary: 'Sign in', requestBody: { ... } },
+ *     },
+ *   },
+ *   securitySchemes: {
+ *     cookieAuth: { type: 'apiKey', in: 'cookie', name: 'session_token' },
+ *   },
+ *   tags: [{ name: 'Authentication' }],
+ * };
+ * ```
+ */
+/** Pre-built OpenAPI path fragments ready to merge into a spec */
+interface ExternalOpenApiPaths {
+  /** OpenAPI path items keyed by path (e.g. '/api/auth/sign-in') */
+  paths: Record<string, Record<string, unknown>>;
+  /** Additional component schemas to merge into components.schemas */
+  schemas?: Record<string, Record<string, unknown>>;
+  /** Additional security scheme definitions to merge into components.securitySchemes */
+  securitySchemes?: Record<string, Record<string, unknown>>;
+  /** Additional tags for grouping operations */
+  tags?: Array<{
+    name: string;
+    description?: string;
+  }>;
+  /**
+   * Additional security alternatives for Arc resource paths.
+   * Each item is OR'd with bearerAuth. Keys within the same object are AND'd.
+   *
+   * @example
+   * // "bearer OR (api-key AND org-header)"
+   * resourceSecurity: [{ apiKeyAuth: [], orgHeader: [] }]
+   */
+  resourceSecurity?: Array<Record<string, string[]>>;
+}
+//#endregion
+export { ExternalOpenApiPaths as t };

package/dist/factory/index.d.mts

@@ -0,0 +1,63 @@
+import "../elevation-DGo5shaX.mjs";
+import "../interface-e9XfSsUV.mjs";
+import "../types-RLkFVgaw.mjs";
+import "../queryCachePlugin-Q6SYuHZ6.mjs";
+import "../eventPlugin-H6wDDjGO.mjs";
+import "../errorHandler-CW3OOeYq.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, r as CreateAppOptions, s as MultipartOptions, t as AuthOption } from "../types-B0dhNrnd.mjs";
+import { FastifyInstance } from "fastify";
+
+//#region src/factory/createApp.d.ts
+/**
+ * Create a production-ready Fastify application with Arc framework
+ *
+ * Security plugins are enabled by default (opt-out):
+ * - helmet (security headers)
+ * - cors (cross-origin requests)
+ * - rateLimit (DDoS protection)
+ * - underPressure (health monitoring)
+ *
+ * Note: Compression is not included due to known Fastify 5 issues.
+ * Use a reverse proxy (Nginx, Caddy) or CDN for compression.
+ *
+ * @param options - Application configuration
+ * @returns Configured Fastify instance
+ */
+declare function createApp(options: CreateAppOptions): Promise<FastifyInstance>;
+/**
+ * Quick factory for common scenarios
+ */
+declare const ArcFactory: {
+  /**
+   * Create production app with strict security
+   */
+  production(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
+  /**
+   * Create development app with relaxed security
+   */
+  development(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
+  /**
+   * Create testing app with minimal setup
+   */
+  testing(options: Omit<CreateAppOptions, "preset">): Promise<FastifyInstance>;
+};
+//#endregion
+//#region src/factory/presets.d.ts
+/**
+ * Production preset - strict security, performance optimized
+ */
+declare const productionPreset: Partial<CreateAppOptions>;
+/**
+ * Development preset - relaxed security, verbose logging
+ */
+declare const developmentPreset: Partial<CreateAppOptions>;
+/**
+ * Testing preset - minimal setup, fast startup
+ */
+declare const testingPreset: Partial<CreateAppOptions>;
+/**
+ * Get preset by name
+ */
+declare function getPreset(name: 'production' | 'development' | 'testing' | 'edge'): Partial<CreateAppOptions>;
+//#endregion
+export { ArcFactory, type AuthOption, type BetterAuthOption, type CreateAppOptions, type CustomAuthenticatorOption, type CustomPluginAuthOption, type JwtAuthOption, type MultipartOptions, type RawBodyOptions, type UnderPressureOptions, createApp, developmentPreset, getPreset, productionPreset, testingPreset };

package/dist/factory/index.mjs

@@ -0,0 +1,3 @@
+import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-D2D5XXaV.mjs";
+
+export { ArcFactory, createApp, developmentPreset, getPreset, productionPreset, testingPreset };

package/dist/fastifyAdapter-C8DlE0YH.d.mts

@@ -0,0 +1,216 @@
+import { s as RequestScope } from "./elevation-DGo5shaX.mjs";
+import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-e9XfSsUV.mjs";
+import { t as PermissionCheck } from "./types-RLkFVgaw.mjs";
+import { CrudController, CrudRouterOptions, FastifyWithDecorators, RequestContext, RequestWithExtras } from "./types/index.mjs";
+import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
+
+//#region src/core/createCrudRouter.d.ts
+/**
+ * Create CRUD routes for a controller
+ *
+ * @param fastify - Fastify instance with Arc decorators
+ * @param controller - CRUD controller with handler methods
+ * @param options - Router configuration
+ */
+declare function createCrudRouter<TDoc = unknown>(fastify: FastifyWithDecorators, controller: CrudController<TDoc> | undefined, options?: CrudRouterOptions): void;
+/**
+ * Create permission middleware from PermissionCheck
+ * Useful for custom route registration
+ */
+declare function createPermissionMiddleware(permission: PermissionCheck, resourceName: string, action: string): RouteHandlerMethod | null;
+//#endregion
+//#region src/core/createActionRouter.d.ts
+/**
+ * Action handler function
+ * @param id - Resource ID
+ * @param data - Action-specific data from request body
+ * @param req - Full Fastify request object
+ * @returns Action result (will be wrapped in success response)
+ */
+type ActionHandler<TData = any, TResult = any> = (id: string, data: TData, req: RequestWithExtras) => Promise<TResult>;
+/**
+ * Action router configuration
+ */
+interface ActionRouterConfig {
+  /**
+   * OpenAPI tag for grouping routes
+   */
+  tag?: string;
+  /**
+   * Action handlers map
+   * @example { approve: (id, data, req) => service.approve(id), ... }
+   */
+  actions: Record<string, ActionHandler>;
+  /**
+   * Per-action permission checks (PermissionCheck functions)
+   * @example { approve: requireRoles(['admin', 'manager']), cancel: requireRoles(['admin']) }
+   */
+  actionPermissions?: Record<string, PermissionCheck>;
+  /**
+   * Per-action JSON schema for body validation
+   * @example { dispatch: { transport: { type: 'object' } } }
+   */
+  actionSchemas?: Record<string, Record<string, any>>;
+  /**
+   * Global permission check applied to all actions (if action-specific not defined)
+   */
+  globalAuth?: PermissionCheck;
+  /**
+   * Optional idempotency service
+   * If provided, will handle idempotency-key header
+   */
+  idempotencyService?: IdempotencyService;
+  /**
+   * Custom error handler for action execution failures
+   * @param error - The error thrown by action handler
+   * @param action - The action that failed
+   * @param id - The resource ID
+   * @returns Status code and error response
+   */
+  onError?: (error: Error, action: string, id: string) => {
+    statusCode: number;
+    error: string;
+    code?: string;
+  };
+}
+/**
+ * Idempotency service interface
+ * Apps can provide their own implementation
+ */
+interface IdempotencyService {
+  check(key: string, payload: any): Promise<{
+    isNew: boolean;
+    existingResult?: any;
+  }>;
+  complete(key: string | undefined, result: any): Promise<void>;
+  fail(key: string | undefined, error: Error): Promise<void>;
+}
+/**
+ * Create action-based state transition endpoint
+ *
+ * Registers: POST /:id/action
+ * Body: { action: string, ...actionData }
+ *
+ * @param fastify - Fastify instance
+ * @param config - Action router configuration
+ */
+declare function createActionRouter(fastify: FastifyInstance, config: ActionRouterConfig): void;
+//#endregion
+//#region src/constants.d.ts
+/**
+ * Arc Framework Constants — Single Source of Truth
+ *
+ * Every default value, magic string, and framework constant lives here.
+ * Import from this module instead of hard-coding values inline.
+ *
+ * All exported values are deeply frozen (Object.freeze) to prevent
+ * accidental mutation at runtime — inspired by Go's const blocks
+ * and Rust's immutable-by-default philosophy.
+ */
+/** Standard CRUD operation names */
+declare const CRUD_OPERATIONS: readonly ["list", "get", "create", "update", "delete"];
+type CrudOperation = (typeof CRUD_OPERATIONS)[number];
+/** Mutation operations that emit events */
+declare const MUTATION_OPERATIONS: readonly ["create", "update", "delete"];
+type MutationOperation = (typeof MUTATION_OPERATIONS)[number];
+/** Lifecycle hook phases */
+declare const HOOK_PHASES: readonly ["before", "around", "after"];
+type HookPhase = (typeof HOOK_PHASES)[number];
+/** Hook operations (superset of CRUD — includes 'read' alias for 'get') */
+declare const HOOK_OPERATIONS: readonly ["create", "update", "delete", "read", "list"];
+type HookOperation = (typeof HOOK_OPERATIONS)[number];
+/** Default items per page */
+declare const DEFAULT_LIMIT: 20;
+/** Maximum items per page (framework-wide ceiling) */
+declare const DEFAULT_MAX_LIMIT: 1000;
+/** Default sort field (descending creation date) */
+declare const DEFAULT_SORT: "-createdAt";
+/** Default primary key field name */
+declare const DEFAULT_ID_FIELD: "_id";
+/** Default multi-tenant scoping field */
+declare const DEFAULT_TENANT_FIELD: "organizationId";
+/** Default HTTP method for update routes */
+declare const DEFAULT_UPDATE_METHOD: "PATCH";
+/** System-managed fields that cannot be set via request body */
+declare const SYSTEM_FIELDS: readonly ["_id", "__v", "createdAt", "updatedAt", "deletedAt"];
+/** Maximum regex pattern length (ReDoS mitigation) */
+declare const MAX_REGEX_LENGTH: 200;
+/** Maximum search query length */
+declare const MAX_SEARCH_LENGTH: 200;
+/** Maximum filter nesting depth (prevents filter bombs) */
+declare const MAX_FILTER_DEPTH: 10;
+/**
+ * Query parameters consumed by the framework — never treated as filters.
+ * Shared by all query parsers (Arc built-in, Prisma, custom).
+ */
+declare const RESERVED_QUERY_PARAMS: Readonly<Set<string>>;
+//#endregion
+//#region src/core/fastifyAdapter.d.ts
+/**
+ * Create IRequestContext from Fastify request
+ *
+ * Extracts framework-agnostic context from Fastify-specific request object
+ */
+declare function createRequestContext(req: FastifyRequest): IRequestContext;
+/**
+ * Get typed auth context from an IRequestContext.
+ * Use this in controller overrides to access request context.
+ *
+ * For org scope, use `getControllerScope(req)` instead.
+ */
+declare function getControllerContext(req: IRequestContext): RequestContext;
+/**
+ * Get request scope from an IRequestContext.
+ * Returns the RequestScope set by auth adapters.
+ */
+declare function getControllerScope(req: IRequestContext): RequestScope;
+/**
+ * Send IControllerResponse via Fastify reply
+ *
+ * Converts framework-agnostic response to Fastify response
+ * Applies field masking if specified in request
+ */
+declare function sendControllerResponse<T>(reply: FastifyReply, response: IControllerResponse<T>, request?: FastifyRequest): void;
+/**
+ * Create Fastify route handler from IController method
+ *
+ * Wraps framework-agnostic controller method in Fastify-specific handler
+ *
+ * @example
+ * ```typescript
+ * const controller = new BaseController(repository);
+ *
+ * // Create Fastify handler
+ * const listHandler = createFastifyHandler(controller.list.bind(controller));
+ *
+ * // Register route
+ * fastify.get('/products', listHandler);
+ * ```
+ */
+declare function createFastifyHandler<T>(controllerMethod: (req: IRequestContext) => Promise<IControllerResponse<T>>): (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Create Fastify adapters for all CRUD methods of an IController
+ *
+ * Returns Fastify-compatible handlers for each CRUD operation
+ *
+ * @example
+ * ```typescript
+ * const controller = new BaseController(repository);
+ * const handlers = createCrudHandlers(controller);
+ *
+ * fastify.get('/', handlers.list);
+ * fastify.get('/:id', handlers.get);
+ * fastify.post('/', handlers.create);
+ * fastify.patch('/:id', handlers.update);
+ * fastify.delete('/:id', handlers.delete);
+ * ```
+ */
+declare function createCrudHandlers<TDoc>(controller: IController<TDoc>): {
+  list: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  get: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  create: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  update: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  delete: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+};
+//#endregion
+export { createCrudRouter as A, MutationOperation as C, ActionRouterConfig as D, ActionHandler as E, IdempotencyService as O, MUTATION_OPERATIONS as S, SYSTEM_FIELDS as T, HookOperation as _, getControllerScope as a, MAX_REGEX_LENGTH as b, CrudOperation as c, DEFAULT_MAX_LIMIT as d, DEFAULT_SORT as f, HOOK_PHASES as g, HOOK_OPERATIONS as h, getControllerContext as i, createPermissionMiddleware as j, createActionRouter as k, DEFAULT_ID_FIELD as l, DEFAULT_UPDATE_METHOD as m, createFastifyHandler as n, sendControllerResponse as o, DEFAULT_TENANT_FIELD as p, createRequestContext as r, CRUD_OPERATIONS as s, createCrudHandlers as t, DEFAULT_LIMIT as u, HookPhase as v, RESERVED_QUERY_PARAMS as w, MAX_SEARCH_LENGTH as x, MAX_FILTER_DEPTH as y };

package/dist/fields-Bi_AVKSo.d.mts

@@ -0,0 +1,109 @@
+//#region src/permissions/fields.d.ts
+/**
+ * Field-Level Permissions
+ *
+ * Control field visibility and writability per role.
+ * Integrated into the response path (read) and sanitization path (write).
+ *
+ * @example
+ * ```typescript
+ * import { fields, defineResource } from '@classytic/arc';
+ *
+ * const userResource = defineResource({
+ *   name: 'user',
+ *   adapter: userAdapter,
+ *   fields: {
+ *     salary: fields.visibleTo(['admin', 'hr']),
+ *     internalNotes: fields.writableBy(['admin']),
+ *     email: fields.redactFor(['viewer']),
+ *     password: fields.hidden(),
+ *   },
+ * });
+ * ```
+ */
+type FieldPermissionType = 'hidden' | 'visibleTo' | 'writableBy' | 'redactFor';
+interface FieldPermission {
+  readonly _type: FieldPermissionType;
+  readonly roles?: readonly string[];
+  readonly redactValue?: unknown;
+}
+type FieldPermissionMap = Record<string, FieldPermission>;
+declare const fields: {
+  /**
+   * Field is never included in responses. Not writable via API.
+   *
+   * @example
+   * ```typescript
+   * fields: { password: fields.hidden() }
+   * ```
+   */
+  hidden(): FieldPermission;
+  /**
+   * Field is only visible to users with specified roles.
+   * Other users don't see the field at all.
+   *
+   * @example
+   * ```typescript
+   * fields: { salary: fields.visibleTo(['admin', 'hr']) }
+   * ```
+   */
+  visibleTo(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is only writable by users with specified roles.
+   * All users can still read the field. Users without the role
+   * have the field silently stripped from write operations.
+   *
+   * @example
+   * ```typescript
+   * fields: { role: fields.writableBy(['admin']) }
+   * ```
+   */
+  writableBy(roles: readonly string[]): FieldPermission;
+  /**
+   * Field is redacted (replaced with a placeholder) for specified roles.
+   * Other users see the real value.
+   *
+   * @param roles - Roles that see the redacted value
+   * @param redactValue - Replacement value (default: '***')
+   *
+   * @example
+   * ```typescript
+   * fields: {
+   *   email: fields.redactFor(['viewer']),
+   *   ssn: fields.redactFor(['basic'], '***-**-****'),
+   * }
+   * ```
+   */
+  redactFor(roles: readonly string[], redactValue?: unknown): FieldPermission;
+};
+/**
+ * Apply field-level READ permissions to a response object.
+ * Strips hidden fields, enforces visibility, and applies redaction.
+ *
+ * @param data - The response object (mutated in place for performance)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles (empty array for unauthenticated)
+ * @returns The filtered object
+ */
+declare function applyFieldReadPermissions<T extends Record<string, unknown>>(data: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+/**
+ * Apply field-level WRITE permissions to request body.
+ * Strips fields that the user doesn't have permission to write.
+ *
+ * @param body - The request body (returns a new filtered copy)
+ * @param fieldPermissions - Field permission map from resource config
+ * @param userRoles - Current user's roles
+ * @returns Filtered body
+ */
+declare function applyFieldWritePermissions<T extends Record<string, unknown>>(body: T, fieldPermissions: FieldPermissionMap, userRoles: readonly string[]): T;
+/**
+ * Resolve effective roles by merging global user roles with org-level roles.
+ *
+ * Global roles come from `req.user.role` (normalized via getUserRoles()).
+ * Org roles come from `req.context.orgRoles` (set by BA adapter's org bridge).
+ *
+ * When no org context exists, returns global roles only — backward compatible.
+ */
+declare function resolveEffectiveRoles(userRoles: readonly string[], orgRoles: readonly string[]): string[];
+//#endregion
+export { applyFieldWritePermissions as a, applyFieldReadPermissions as i, FieldPermissionMap as n, fields as o, FieldPermissionType as r, resolveEffectiveRoles as s, FieldPermission as t };