@classytic/arc 1.1.0 → 2.1.3

package/dist/presets/index.mjs

@@ -0,0 +1,143 @@
+import { a as softDeletePreset, i as slugLookupPreset, n as treePreset, r as ownedByUserPreset, t as auditedPreset } from "../audited-CGdLiSlE.mjs";
+import multiTenantPreset from "./multiTenant.mjs";
+
+//#region src/presets/index.ts
+/**
+* Convenience alias for multiTenantPreset with public list/get routes
+* Equivalent to: multiTenantPreset({ allowPublic: ['list', 'get'] })
+*/
+const flexibleMultiTenantPreset = (options = {}) => multiTenantPreset({
+	...options,
+	allowPublic: ["list", "get"]
+});
+const presetRegistry = {
+	softDelete: softDeletePreset,
+	slugLookup: slugLookupPreset,
+	ownedByUser: ownedByUserPreset,
+	multiTenant: multiTenantPreset,
+	tree: treePreset,
+	audited: auditedPreset
+};
+/**
+* Get preset by name with options
+*/
+function getPreset(nameOrConfig) {
+	if (typeof nameOrConfig === "object" && nameOrConfig.name) {
+		const { name, ...options } = nameOrConfig;
+		return resolvePreset(name, options);
+	}
+	return resolvePreset(nameOrConfig);
+}
+/**
+* Resolve preset by name
+*/
+function resolvePreset(name, options = {}) {
+	const factory = presetRegistry[name];
+	if (!factory) {
+		const available = Object.keys(presetRegistry).join(", ");
+		throw new Error(`Unknown preset: '${name}'\nAvailable presets: ${available}\nDocs: https://github.com/classytic/arc#presets`);
+	}
+	return factory(options);
+}
+/**
+* Register a custom preset
+*/
+function registerPreset(name, factory, options) {
+	if (presetRegistry[name] && !options?.override) throw new Error(`Preset '${name}' already exists. Pass { override: true } to replace.`);
+	presetRegistry[name] = factory;
+}
+/**
+* Get all available preset names
+*/
+function getAvailablePresets() {
+	return Object.keys(presetRegistry);
+}
+/**
+* Validate that preset combinations don't conflict.
+* Detects route collisions (same method + path from different presets).
+*/
+function validatePresetCombination(presets) {
+	const conflicts = [];
+	const routeMap = /* @__PURE__ */ new Map();
+	for (const preset of presets) {
+		const name = preset.name ?? "unknown";
+		const routes = typeof preset.additionalRoutes === "function" ? preset.additionalRoutes({}) : preset.additionalRoutes ?? [];
+		for (const route of routes) {
+			const key = `${route.method} ${route.path}`;
+			const existing = routeMap.get(key);
+			if (existing) conflicts.push({
+				presets: [existing, name],
+				message: `Both '${existing}' and '${name}' define route ${key}`,
+				severity: "error"
+			});
+			routeMap.set(key, name);
+		}
+	}
+	return conflicts;
+}
+/**
+* Apply presets to resource config.
+* Validates preset combinations for conflicts before merging.
+*/
+function applyPresets(config, presets = []) {
+	let result = { ...config };
+	const resolved = presets.map(resolvePresetInput);
+	const errors = validatePresetCombination(resolved).filter((c) => c.severity === "error");
+	if (errors.length > 0) throw new Error(`[Arc] Resource '${config.name}' preset conflicts:\n` + errors.map((c) => `  - ${c.message}`).join("\n"));
+	for (const preset of resolved) result = mergePreset(result, preset);
+	return result;
+}
+/**
+* Resolve preset input to PresetResult
+*/
+function resolvePresetInput(preset) {
+	if (typeof preset === "object" && ("middlewares" in preset || "additionalRoutes" in preset)) return preset;
+	if (typeof preset === "object" && "name" in preset) {
+		const { name, ...options } = preset;
+		return resolvePreset(name, options);
+	}
+	return resolvePreset(preset);
+}
+/**
+* Merge preset into config
+*/
+function mergePreset(config, preset) {
+	const result = { ...config };
+	if (preset.additionalRoutes) {
+		const routes = typeof preset.additionalRoutes === "function" ? preset.additionalRoutes(config.permissions ?? {}) : preset.additionalRoutes;
+		result.additionalRoutes = [...result.additionalRoutes ?? [], ...routes];
+	}
+	if (preset.middlewares) {
+		result.middlewares = result.middlewares ?? {};
+		for (const [op, mws] of Object.entries(preset.middlewares)) {
+			const key = op;
+			result.middlewares[key] = [...result.middlewares[key] ?? [], ...mws ?? []];
+		}
+	}
+	if (preset.schemaOptions) result.schemaOptions = {
+		...result.schemaOptions,
+		...preset.schemaOptions,
+		fieldRules: {
+			...result.schemaOptions?.fieldRules,
+			...preset.schemaOptions?.fieldRules
+		}
+	};
+	if (preset.controllerOptions) result._controllerOptions = {
+		...result._controllerOptions,
+		...preset.controllerOptions
+	};
+	if (preset.hooks && preset.hooks.length > 0) {
+		result._hooks = result._hooks ?? [];
+		for (const hook of preset.hooks) result._hooks.push({
+			presetName: preset.name,
+			operation: hook.operation,
+			phase: hook.phase,
+			handler: hook.handler,
+			priority: hook.priority
+		});
+	}
+	return result;
+}
+
+//#endregion
+export { applyPresets, auditedPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -0,0 +1,24 @@
+import "../elevation-DGo5shaX.mjs";
+import "../interface-e9XfSsUV.mjs";
+import "../types-RLkFVgaw.mjs";
+import { CrudRouteKey, PresetResult } from "../types/index.mjs";
+
+//#region src/presets/multiTenant.d.ts
+interface MultiTenantOptions {
+  /** Field name in database (default: 'organizationId') */
+  tenantField?: string;
+  /**
+   * Routes that allow public access (no auth required)
+   * When a route is in this array:
+   * - If no org context: allow through without filtering (public data)
+   * - If org context present: require auth and apply filter
+   *
+   * @default [] (strict mode - all routes require auth)
+   * @example
+   * multiTenantPreset({ allowPublic: ['list', 'get'] })
+   */
+  allowPublic?: CrudRouteKey[];
+}
+declare function multiTenantPreset(options?: MultiTenantOptions): PresetResult;
+//#endregion
+export { MultiTenantOptions, multiTenantPreset as default, multiTenantPreset };

package/dist/presets/multiTenant.mjs

@@ -0,0 +1,113 @@
+import { o as DEFAULT_TENANT_FIELD } from "../constants-DdXFXQtN.mjs";
+import { c as isElevated, l as isMember, n as PUBLIC_SCOPE, r as getOrgId } from "../types-Beqn1Un7.mjs";
+
+//#region src/presets/multiTenant.ts
+/** Read request.scope safely */
+function getScope(request) {
+	return request.scope ?? PUBLIC_SCOPE;
+}
+/**
+* Create tenant filter middleware
+* Adds tenant filter to query for list/get operations.
+* Reads `request.scope` for org context and elevation bypass.
+*/
+function createTenantFilter(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		if (isElevated(scope)) {
+			const orgId = getOrgId(scope);
+			if (orgId) request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: orgId
+			};
+			return;
+		}
+		if (isMember(scope)) {
+			request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: scope.organizationId
+			};
+			return;
+		}
+		if (scope.kind === "public") {
+			reply.code(401).send({
+				success: false,
+				error: "Unauthorized",
+				message: "Authentication required for multi-tenant resources"
+			});
+			return;
+		}
+		reply.code(403).send({
+			success: false,
+			error: "Forbidden",
+			message: "Organization context required for this operation"
+		});
+	};
+}
+/**
+* Create flexible tenant filter middleware
+* For routes in allowPublic: only filter when org context is present
+* No org context = allow through (public data)
+* Org context present = require auth and apply filter
+*/
+function createFlexibleTenantFilter(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		if (isElevated(scope)) {
+			const orgId = getOrgId(scope);
+			if (orgId) request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: orgId
+			};
+			return;
+		}
+		if (isMember(scope)) {
+			request._policyFilters = {
+				...request._policyFilters ?? {},
+				[tenantField]: scope.organizationId
+			};
+			return;
+		}
+	};
+}
+/**
+* Create tenant injection middleware
+* Injects tenant ID into request body on create.
+* Reads `request.scope` for org context.
+*/
+function createTenantInjection(tenantField) {
+	return async (request, reply) => {
+		const scope = getScope(request);
+		const orgId = getOrgId(scope);
+		if (isElevated(scope) && !orgId) return;
+		if (!orgId) {
+			reply.code(403).send({
+				success: false,
+				error: "Forbidden",
+				message: "Organization context required to create resources"
+			});
+			return;
+		}
+		if (request.body) request.body[tenantField] = orgId;
+	};
+}
+function multiTenantPreset(options = {}) {
+	const { tenantField = DEFAULT_TENANT_FIELD, allowPublic = [] } = options;
+	const strictTenantFilter = createTenantFilter(tenantField);
+	const flexibleTenantFilter = createFlexibleTenantFilter(tenantField);
+	const tenantInjection = createTenantInjection(tenantField);
+	const getFilter = (route) => allowPublic.includes(route) ? flexibleTenantFilter : strictTenantFilter;
+	return {
+		name: "multiTenant",
+		middlewares: {
+			list: [getFilter("list")],
+			get: [getFilter("get")],
+			create: [tenantInjection],
+			update: [getFilter("update")],
+			delete: [getFilter("delete")]
+		}
+	};
+}
+
+//#endregion
+export { multiTenantPreset as default, multiTenantPreset };

package/dist/presets-BTeYbw7h.d.mts

@@ -0,0 +1,57 @@
+import { t as PermissionCheck } from "./types-RLkFVgaw.mjs";
+
+//#region src/permissions/presets.d.ts
+declare namespace presets_d_exports {
+  export { adminOnly, authenticated, fullPublic, ownerWithAdminBypass, publicRead, publicReadAdminWrite, readOnly };
+}
+/**
+ * ResourcePermissions shape — matches the type in types/index.ts
+ */
+interface ResourcePermissions<TDoc = any> {
+  list?: PermissionCheck<TDoc>;
+  get?: PermissionCheck<TDoc>;
+  create?: PermissionCheck<TDoc>;
+  update?: PermissionCheck<TDoc>;
+  delete?: PermissionCheck<TDoc>;
+}
+type PermissionOverrides<TDoc = any> = Partial<ResourcePermissions<TDoc>>;
+/**
+ * Public read, authenticated write.
+ * list + get = allowPublic(), create + update + delete = requireAuth()
+ */
+declare function publicRead<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Public read, admin write.
+ * list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+ */
+declare function publicReadAdminWrite<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require authentication.
+ */
+declare function authenticated<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * All operations require specific roles.
+ * @param roles - Required roles (user needs at least one). Default: ['admin']
+ */
+declare function adminOnly<TDoc = any>(roles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Owner-scoped with admin bypass.
+ * list = auth (scoped to owner), get = auth, create = auth,
+ * update + delete = ownership check with admin bypass.
+ *
+ * @param ownerField - Field containing owner ID (default: 'userId')
+ * @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+ */
+declare function ownerWithAdminBypass<TDoc = any>(ownerField?: Extract<keyof TDoc, string> | string, bypassRoles?: readonly string[], overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Full public access — no auth required for any operation.
+ * Use sparingly (dev/testing, truly public APIs).
+ */
+declare function fullPublic<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+/**
+ * Read-only: list + get authenticated, write operations denied.
+ * Useful for computed/derived resources.
+ */
+declare function readOnly<TDoc = any>(overrides?: PermissionOverrides<TDoc>): ResourcePermissions<TDoc>;
+//#endregion
+export { presets_d_exports as a, readOnly as c, ownerWithAdminBypass as i, authenticated as n, publicRead as o, fullPublic as r, publicReadAdminWrite as s, adminOnly as t };

package/dist/presets-CeFtfDR8.mjs

@@ -0,0 +1,119 @@
+import { t as __exportAll } from "./chunk-C7Uep-_p.mjs";
+import { allowPublic, anyOf, requireAuth, requireOwnership, requireRoles } from "./permissions/index.mjs";
+
+//#region src/permissions/presets.ts
+var presets_exports = /* @__PURE__ */ __exportAll({
+	adminOnly: () => adminOnly,
+	authenticated: () => authenticated,
+	fullPublic: () => fullPublic,
+	ownerWithAdminBypass: () => ownerWithAdminBypass,
+	publicRead: () => publicRead,
+	publicReadAdminWrite: () => publicReadAdminWrite,
+	readOnly: () => readOnly
+});
+/**
+* Merge a base preset with user overrides.
+* Overrides replace individual operations — undefined values don't clear them.
+*/
+function withOverrides(base, overrides) {
+	if (!overrides) return base;
+	const filtered = Object.fromEntries(Object.entries(overrides).filter(([, v]) => v !== void 0));
+	return {
+		...base,
+		...filtered
+	};
+}
+/**
+* Public read, authenticated write.
+* list + get = allowPublic(), create + update + delete = requireAuth()
+*/
+function publicRead(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* Public read, admin write.
+* list + get = allowPublic(), create + update + delete = requireRoles(['admin'])
+*/
+function publicReadAdminWrite(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* All operations require authentication.
+*/
+function authenticated(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: requireAuth(),
+		delete: requireAuth()
+	}, overrides);
+}
+/**
+* All operations require specific roles.
+* @param roles - Required roles (user needs at least one). Default: ['admin']
+*/
+function adminOnly(roles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireRoles(roles),
+		get: requireRoles(roles),
+		create: requireRoles(roles),
+		update: requireRoles(roles),
+		delete: requireRoles(roles)
+	}, overrides);
+}
+/**
+* Owner-scoped with admin bypass.
+* list = auth (scoped to owner), get = auth, create = auth,
+* update + delete = ownership check with admin bypass.
+*
+* @param ownerField - Field containing owner ID (default: 'userId')
+* @param bypassRoles - Roles that bypass ownership check (default: ['admin'])
+*/
+function ownerWithAdminBypass(ownerField = "userId", bypassRoles = ["admin"], overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth(),
+		create: requireAuth(),
+		update: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField)),
+		delete: anyOf(requireRoles(bypassRoles), requireOwnership(ownerField))
+	}, overrides);
+}
+/**
+* Full public access — no auth required for any operation.
+* Use sparingly (dev/testing, truly public APIs).
+*/
+function fullPublic(overrides) {
+	return withOverrides({
+		list: allowPublic(),
+		get: allowPublic(),
+		create: allowPublic(),
+		update: allowPublic(),
+		delete: allowPublic()
+	}, overrides);
+}
+/**
+* Read-only: list + get authenticated, write operations denied.
+* Useful for computed/derived resources.
+*/
+function readOnly(overrides) {
+	return withOverrides({
+		list: requireAuth(),
+		get: requireAuth()
+	}, overrides);
+}
+
+//#endregion
+export { presets_exports as a, readOnly as c, ownerWithAdminBypass as i, authenticated as n, publicRead as o, fullPublic as r, publicReadAdminWrite as s, adminOnly as t };