@classytic/arc 2.1.3 → 2.2.0

package/README.md

@@ -326,11 +326,12 @@ import { tracingPlugin } from '@classytic/arc/plugins/tracing';
 ## CLI
 
 ```bash
-arc init my-api --mongokit --better-auth --ts   # Scaffold project
-arc generate resource product                    # Generate resource files
-arc docs ./openapi.json --entry ./dist/index.js  # Export OpenAPI
-arc introspect --entry ./dist/index.js           # Show resources
-arc doctor                                        # Health check
+npx @classytic/arc init my-api --mongokit --better-auth --ts   # Scaffold project
+npx @classytic/arc generate resource product                    # Generate resource files
+npx @classytic/arc describe ./dist/index.js                     # Resource metadata (JSON)
+npx @classytic/arc docs ./openapi.json --entry ./dist/index.js  # Export OpenAPI
+npx @classytic/arc introspect --entry ./dist/index.js           # Show resources
+npx @classytic/arc doctor                                        # Health check
 ```
 
 ## Subpath Imports

package/bin/arc.js

@@ -221,6 +221,7 @@ function parseInitOptions(rawArgs) {
   const opts = {
     name: undefined,
     adapter: undefined,
+    auth: undefined,
     tenant: undefined,
     typescript: undefined,
     edge: undefined,

package/dist/adapters/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-e9XfSsUV.mjs";
+import { a as RepositoryLike, i as RelationMetadata, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, t as AdapterFactory } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-C3iornoK.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter } from "../prisma-Bi9nxirN.mjs";
 export { type AdapterFactory, type DataAdapter, type FieldMetadata, MongooseAdapter, type MongooseAdapterOptions, PrismaAdapter, type PrismaAdapterOptions, type PrismaQueryOptions, PrismaQueryParser, type PrismaQueryParserOptions, type RelationMetadata, type RepositoryLike, type SchemaMetadata, type ValidationResult, createMongooseAdapter, createPrismaAdapter };

package/dist/audit/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { a as AuditContext, c as AuditStore, i as AuditAction, l as AuditStoreOptions, n as MongoAuditStoreOptions, o as AuditEntry, r as MongoConnection, s as AuditQueryOptions, u as createAuditEntry } from "../mongodb-ClykrfGo.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/audit/mongodb.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { n as MongoAuditStoreOptions, t as MongoAuditStore } from "../mongodb-ClykrfGo.mjs";
 export { MongoAuditStore, type MongoAuditStoreOptions };

package/dist/auth/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import { t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { AuthHelpers, AuthPluginOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/cli/commands/generate.d.mts

@@ -8,6 +8,11 @@
  * - src/resources/product/product.resource.ts
  * - src/resources/product/product.controller.ts
  * - src/resources/product/product.schemas.ts
+ *
+ * Handles kebab-case names: `arc g r org-profile` generates:
+ * - Class names: OrgProfile, OrgProfileRepository
+ * - Variable names: orgProfileSchema, orgProfileRepository
+ * - File names: org-profile.model.ts, org-profile.repository.ts
  */
 /**
  * Generate command handler

package/dist/cli/commands/generate.mjs

@@ -12,6 +12,11 @@ import { join } from "node:path";
 * - src/resources/product/product.resource.ts
 * - src/resources/product/product.controller.ts
 * - src/resources/product/product.schemas.ts
+*
+* Handles kebab-case names: `arc g r org-profile` generates:
+* - Class names: OrgProfile, OrgProfileRepository
+* - Variable names: orgProfileSchema, orgProfileRepository
+* - File names: org-profile.model.ts, org-profile.repository.ts
 */
 function readProjectConfig() {
 	try {
@@ -24,10 +29,25 @@ function readProjectConfig() {
 function isTypeScriptProject() {
 	return existsSync(join(process.cwd(), "tsconfig.json"));
 }
+/** Convert kebab-case to PascalCase: org-profile → OrgProfile */
+function toPascalCase(name) {
+	return name.split("-").map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join("");
+}
+/** Convert PascalCase to camelCase: OrgProfile → orgProfile */
+function toCamelCase(pascalName) {
+	return pascalName.charAt(0).toLowerCase() + pascalName.slice(1);
+}
+/**
+* Template functions accept:
+* - name: PascalCase class name (e.g., OrgProfile)
+* - fileName: kebab-case for file paths (e.g., org-profile)
+*/
 function getTemplates(ts, config = {}) {
 	const isMultiTenant = config.tenant === "multi";
 	return {
-		model: (name) => `/**
+		model: (name, fileName) => {
+			const camel = toCamelCase(name);
+			return `/**
  * ${name} Model
  * Generated by Arc CLI
  */
@@ -44,7 +64,7 @@ export interface I${name} {
 
 export type ${name}Document = HydratedDocument<I${name}>;
 ` : ""}
-const ${name.toLowerCase()}Schema = new Schema${ts ? `<I${name}>` : ""}(
+const ${camel}Schema = new Schema${ts ? `<I${name}>` : ""}(
   {
     name: { type: String, required: true, trim: true },
     description: { type: String, trim: true },
@@ -54,13 +74,16 @@ const ${name.toLowerCase()}Schema = new Schema${ts ? `<I${name}>` : ""}(
 );
 
 // Indexes
-${name.toLowerCase()}Schema.index({ name: 1 });
-${name.toLowerCase()}Schema.index({ isActive: 1 });
+${camel}Schema.index({ name: 1 });
+${camel}Schema.index({ isActive: 1 });
 
-const ${name} = mongoose.models.${name} || mongoose.model('${name}', ${name.toLowerCase()}Schema);
+const ${name} = mongoose.models.${name} || mongoose.model('${name}', ${camel}Schema);
 export default ${name};
-`,
-		repository: (name) => `/**
+`;
+		},
+		repository: (name, fileName) => {
+			const camel = toCamelCase(name);
+			return `/**
  * ${name} Repository
  * Generated by Arc CLI
  */
@@ -71,7 +94,7 @@ import {
   softDeletePlugin,
   mongoOperationsPlugin,
 } from '@classytic/mongokit';
-import ${name} from './${name.toLowerCase()}.model.js';
+import ${name} from './${fileName}.model.js';
 
 class ${name}Repository extends Repository {
   constructor() {
@@ -90,11 +113,14 @@ class ${name}Repository extends Repository {
   }
 }
 
-const ${name.toLowerCase()}Repository = new ${name}Repository();
-export default ${name.toLowerCase()}Repository;
+const ${camel}Repository = new ${name}Repository();
+export default ${camel}Repository;
 export { ${name}Repository };
-`,
-		controller: (name) => `/**
+`;
+		},
+		controller: (name, fileName) => {
+			const camel = toCamelCase(name);
+			return `/**
  * ${name} Controller
  * Generated by Arc CLI
  *
@@ -103,27 +129,28 @@ export { ${name}Repository };
  */
 
 import { BaseController } from '@classytic/arc';
-import ${name.toLowerCase()}Repository from './${name.toLowerCase()}.repository.js';
+import ${camel}Repository from './${fileName}.repository.js';
 
 class ${name}Controller extends BaseController {
   constructor() {
-    super(${name.toLowerCase()}Repository, {
-      resourceName: '${name.toLowerCase()}',
+    super(${camel}Repository, {
+      resourceName: '${fileName}',
     });
   }
 
   // Add custom controller methods here
 }
 
-const ${name.toLowerCase()}Controller = new ${name}Controller();
-export default ${name.toLowerCase()}Controller;
-`,
-		schemas: (name) => `/**
+const ${camel}Controller = new ${name}Controller();
+export default ${camel}Controller;
+`;
+		},
+		schemas: (name, fileName) => `/**
  * ${name} Schemas
  * Generated by Arc CLI
  */
 
-import ${name} from './${name.toLowerCase()}.model.js';
+import ${name} from './${fileName}.model.js';
 import { buildCrudSchemasFromModel } from '@classytic/mongokit/utils';
 
 /**
@@ -145,7 +172,8 @@ const crudSchemas = buildCrudSchemasFromModel(${name}, {
 
 export default crudSchemas;
 `,
-		resource: (name) => {
+		resource: (name, fileName) => {
+			const camel = toCamelCase(name);
 			const useMongoKit = config.adapter === "mongokit" || !config.adapter;
 			const queryParserImport = useMongoKit ? `\nimport { QueryParser } from '@classytic/mongokit';\n\nconst queryParser = new QueryParser();\n` : "";
 			const queryParserConfig = useMongoKit ? `\n  queryParser,` : "";
@@ -155,24 +183,24 @@ export default crudSchemas;
  */
 
 import { defineResource, createMongooseAdapter } from '@classytic/arc';
-import { requireOrgMembership, requireOrgRole } from '@classytic/arc/permissions';
-import ${name}${ts ? `, { type I${name} }` : ""} from './${name.toLowerCase()}.model.js';
-import ${name.toLowerCase()}Repository from './${name.toLowerCase()}.repository.js';${queryParserImport}
+import { requireAuth, requireRoles } from '@classytic/arc/permissions';
+import ${name}${ts ? `, { type I${name} }` : ""} from './${fileName}.model.js';
+import ${camel}Repository from './${fileName}.repository.js';${queryParserImport}
 
-const ${name.toLowerCase()}Resource = defineResource${ts ? `<I${name}>` : ""}({
-  name: '${name.toLowerCase()}',
-  adapter: createMongooseAdapter(${name}, ${name.toLowerCase()}Repository),${queryParserConfig}
+const ${camel}Resource = defineResource${ts ? `<I${name}>` : ""}({
+  name: '${fileName}',
+  adapter: createMongooseAdapter(${name}, ${camel}Repository),${queryParserConfig}
   presets: ['softDelete'],
   permissions: {
-    list: requireOrgMembership(),
-    get: requireOrgMembership(),
-    create: requireOrgRole('admin'),
-    update: requireOrgRole('admin'),
-    delete: requireOrgRole('admin'),
+    list: requireAuth(),
+    get: requireAuth(),
+    create: requireRoles(['admin']),
+    update: requireRoles(['admin']),
+    delete: requireRoles(['admin']),
   },
 });
 
-export default ${name.toLowerCase()}Resource;
+export default ${camel}Resource;
 ` : `/**
  * ${name} Resource
  * Generated by Arc CLI
@@ -180,12 +208,12 @@ export default ${name.toLowerCase()}Resource;
 
 import { defineResource, createMongooseAdapter } from '@classytic/arc';
 import { requireAuth, requireRoles } from '@classytic/arc/permissions';
-import ${name}${ts ? `, { type I${name} }` : ""} from './${name.toLowerCase()}.model.js';
-import ${name.toLowerCase()}Repository from './${name.toLowerCase()}.repository.js';${queryParserImport}
+import ${name}${ts ? `, { type I${name} }` : ""} from './${fileName}.model.js';
+import ${camel}Repository from './${fileName}.repository.js';${queryParserImport}
 
-const ${name.toLowerCase()}Resource = defineResource${ts ? `<I${name}>` : ""}({
-  name: '${name.toLowerCase()}',
-  adapter: createMongooseAdapter(${name}, ${name.toLowerCase()}Repository),${queryParserConfig}
+const ${camel}Resource = defineResource${ts ? `<I${name}>` : ""}({
+  name: '${fileName}',
+  adapter: createMongooseAdapter(${name}, ${camel}Repository),${queryParserConfig}
   presets: ['softDelete'],
   permissions: {
     list: requireAuth(),
@@ -196,10 +224,12 @@ const ${name.toLowerCase()}Resource = defineResource${ts ? `<I${name}>` : ""}({
   },
 });
 
-export default ${name.toLowerCase()}Resource;
+export default ${camel}Resource;
 `;
 		},
-		test: (name) => `/**
+		test: (name, fileName) => {
+			const camel = toCamelCase(name);
+			return `/**
  * ${name} Tests
  * Generated by Arc CLI
  */
@@ -207,7 +237,7 @@ export default ${name.toLowerCase()}Resource;
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import mongoose from 'mongoose';
 import { createMinimalTestApp } from '@classytic/arc/testing';
-${ts ? "import type { FastifyInstance } from 'fastify';\n" : ""}import ${name.toLowerCase()}Resource from '../src/resources/${name.toLowerCase()}/${name.toLowerCase()}.resource.js';
+${ts ? "import type { FastifyInstance } from 'fastify';\n" : ""}import ${camel}Resource from '../src/resources/${fileName}/${fileName}.resource.js';
 
 describe('${name} Resource', () => {
   let app${ts ? ": FastifyInstance" : ""};
@@ -217,7 +247,7 @@ describe('${name} Resource', () => {
     await mongoose.connect(testDbUri);
 
     app = createMinimalTestApp();
-    await app.register(${name.toLowerCase()}Resource.toPlugin());
+    await app.register(${camel}Resource.toPlugin());
     await app.ready();
   });
 
@@ -226,11 +256,11 @@ describe('${name} Resource', () => {
     await mongoose.connection.close();
   });
 
-  describe('GET /${pluralize(name.toLowerCase())}', () => {
+  describe('GET /${pluralize(fileName)}', () => {
     it('should return a list', async () => {
       const response = await app.inject({
         method: 'GET',
-        url: '/${pluralize(name.toLowerCase())}',
+        url: '/${pluralize(fileName)}',
       });
 
       expect(response.statusCode).toBe(200);
@@ -239,7 +269,8 @@ describe('${name} Resource', () => {
     });
   });
 });
-`
+`;
+		}
 	};
 }
 /**
@@ -249,7 +280,7 @@ async function generate(type, args) {
 	if (!type) throw new Error("Missing type argument\nUsage: arc generate <resource|controller|model|repository|schemas> <name>");
 	const [name] = args;
 	if (!name) throw new Error("Missing name argument\nUsage: arc generate <type> <name>\nExample: arc generate resource product");
-	const capitalizedName = name.charAt(0).toUpperCase() + name.slice(1);
+	const capitalizedName = toPascalCase(name);
 	const lowerName = name.toLowerCase();
 	const projectConfig = readProjectConfig();
 	const ts = projectConfig.typescript ?? isTypeScriptProject();
@@ -290,9 +321,9 @@ async function generateResource(name, lowerName, resourcePath, templates, ext) {
 		console.log(`  + Created: src/resources/${lowerName}/`);
 	}
 	const files = {
-		[`${lowerName}.model.${ext}`]: templates.model(name),
-		[`${lowerName}.repository.${ext}`]: templates.repository(name),
-		[`${lowerName}.resource.${ext}`]: templates.resource(name)
+		[`${lowerName}.model.${ext}`]: templates.model(name, lowerName),
+		[`${lowerName}.repository.${ext}`]: templates.repository(name, lowerName),
+		[`${lowerName}.resource.${ext}`]: templates.resource(name, lowerName)
 	};
 	for (const [filename, content] of Object.entries(files)) {
 		const filepath = join(resourcePath, filename);
@@ -306,9 +337,10 @@ async function generateResource(name, lowerName, resourcePath, templates, ext) {
 	if (!existsSync(testsDir)) mkdirSync(testsDir, { recursive: true });
 	const testPath = join(testsDir, `${lowerName}.test.${ext}`);
 	if (!existsSync(testPath)) {
-		writeFileSync(testPath, templates.test(name));
+		writeFileSync(testPath, templates.test(name, lowerName));
 		console.log(`  + Created: tests/${lowerName}.test.${ext}`);
 	}
+	const camel = toCamelCase(name);
 	const isMultiTenant = readProjectConfig().tenant === "multi";
 	console.log(`
 ╔═══════════════════════════════════════════════════════════════╗
@@ -318,19 +350,19 @@ async function generateResource(name, lowerName, resourcePath, templates, ext) {
 Next steps:
 
 1. Register in src/resources/index.${ext}:
-   import ${lowerName}Resource from './${lowerName}/${lowerName}.resource.js';
+   import ${camel}Resource from './${lowerName}/${lowerName}.resource.js';
 
    export const resources = [
      // ... existing resources
-     ${lowerName}Resource,
+     ${camel}Resource,
    ];
 
 2. Customize the model schema in:
    src/resources/${lowerName}/${lowerName}.model.${ext}
 
 3. Adjust permissions in ${lowerName}.resource.${ext}:
-${isMultiTenant ? `   - requireOrgMembership()  → any org member
-   - requireOrgRole('admin') → specific org roles` : `   - requireAuth()          → any authenticated user
+${isMultiTenant ? `   - requireAuth()          → any authenticated user
+   - requireRoles(['admin']) → specific platform roles` : `   - requireAuth()          → any authenticated user
    - requireRoles(['admin']) → specific platform roles`}
 
 4. Run tests:
@@ -349,7 +381,7 @@ async function generateFile(name, lowerName, resourcePath, fileType, template, e
 	const filename = `${lowerName}.${fileType}.${ext}`;
 	const filepath = join(resourcePath, filename);
 	if (existsSync(filepath)) throw new Error(`${filename} already exists. Remove it first or use a different name.`);
-	writeFileSync(filepath, template(name));
+	writeFileSync(filepath, template(name, lowerName));
 	console.log(`  + Created: ${filename}`);
 }
 

package/dist/cli/commands/init.mjs

@@ -260,23 +260,20 @@ function packageJsonTemplate(config) {
 		test: "vitest run",
 		"test:watch": "vitest"
 	};
-	const imports = config.typescript ? {
-		"#config/*": "./dist/config/*",
-		"#shared/*": "./dist/shared/*",
-		"#resources/*": "./dist/resources/*",
-		"#plugins/*": "./dist/plugins/*"
-	} : {
-		"#config/*": "./src/config/*",
-		"#shared/*": "./src/shared/*",
-		"#resources/*": "./src/resources/*",
-		"#plugins/*": "./src/plugins/*"
-	};
 	return JSON.stringify({
 		name: config.name,
 		version: "1.0.0",
 		type: "module",
 		main: config.typescript ? "dist/index.js" : "src/index.js",
-		imports,
+		imports: {
+			"#config/*": "./src/config/*",
+			"#shared/*": "./src/shared/*",
+			"#resources/*": "./src/resources/*",
+			"#plugins/*": "./src/plugins/*",
+			"#services/*": "./src/services/*",
+			"#lib/*": "./src/lib/*",
+			"#utils/*": "./src/utils/*"
+		},
 		scripts,
 		engines: { node: ">=20" }
 	}, null, 2);
@@ -2177,7 +2174,17 @@ ${orgPluginUsage}
         enabled: process.env.NODE_ENV === 'production',
       },
     });
-  }
+${config.adapter === "mongokit" ? `
+    // Register stub Mongoose models for Better Auth collections.
+    // BA uses the raw MongoDB driver, so no Mongoose models exist by default.
+    // These stubs (strict: false) enable populate() on refs like 'user', 'organization', etc.
+    const baCollections = ['user', 'organization', 'member', 'invitation', 'session', 'account'];
+    for (const name of baCollections) {
+      if (!mongoose.models[name]) {
+        mongoose.model(name, new mongoose.Schema({}, { strict: false, collection: name }));
+      }
+    }
+` : ""}  }
 
   return _auth;
 }

package/dist/core/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-e9XfSsUV.mjs";
+import { E as defineResource, T as ResourceDefinition, c as BaseController, d as QueryResolverConfig, f as BodySanitizer, h as AccessControlConfig, l as BaseControllerOptions, m as AccessControl, p as BodySanitizerConfig, u as QueryResolver } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
-import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-C8DlE0YH.mjs";
+import { A as createCrudRouter, C as MutationOperation, D as ActionRouterConfig, E as ActionHandler, O as IdempotencyService, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, i as getControllerContext, j as createPermissionMiddleware, k as createActionRouter, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_TENANT_FIELD, r as createRequestContext, s as CRUD_OPERATIONS, t as createCrudHandlers, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "../fastifyAdapter-DTOLNtjw.mjs";
 export { AccessControl, type AccessControlConfig, type ActionHandler, type ActionRouterConfig, BaseController, type BaseControllerOptions, BodySanitizer, type BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, type IdempotencyService, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, type QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,4 +1,4 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-DdXFXQtN.mjs";
-import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-PXzSJ15_.mjs";
+import { _ as QueryResolver, c as createPermissionMiddleware, d as createFastifyHandler, f as createRequestContext, g as BaseController, h as sendControllerResponse, m as getControllerScope, n as defineResource, o as createActionRouter, p as getControllerContext, s as createCrudRouter, t as ResourceDefinition, u as createCrudHandlers, v as BodySanitizer, y as AccessControl } from "../defineResource-Bq_fXZtm.mjs";
 
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createActionRouter, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{createApp-D2D5XXaV.mjs → createApp-BTHYuHNU.mjs}

@@ -50,7 +50,9 @@ const productionPreset = {
 		allowedHeaders: [
 			"Content-Type",
 			"Authorization",
-			"Accept"
+			"Accept",
+			"x-organization-id",
+			"x-request-id"
 		]
 	},
 	rateLimit: {
@@ -95,7 +97,9 @@ const developmentPreset = {
 		allowedHeaders: [
 			"Content-Type",
 			"Authorization",
-			"Accept"
+			"Accept",
+			"x-organization-id",
+			"x-request-id"
 		]
 	},
 	rateLimit: {
@@ -337,8 +341,9 @@ async function createApp(options) {
 	} else fastify.log.warn("Helmet disabled - security headers not applied");
 	if (config.cors !== false) {
 		const cors = await loadPlugin("cors");
-		const corsOptions = config.cors ?? {};
+		const corsOptions = { ...config.cors ?? {} };
 		if (config.preset === "production" && (!corsOptions || !("origin" in corsOptions))) throw new Error("CORS origin must be explicitly configured in production.\nSet cors.origin to allowed domains or set cors: false to disable.\nExample: cors: { origin: ['https://yourdomain.com'] }\nDocs: https://github.com/classytic/arc#security");
+		if (corsOptions.credentials && corsOptions.origin === "*") corsOptions.origin = true;
 		await fastify.register(cors, corsOptions);
 		fastify.log.debug("CORS enabled");
 	} else fastify.log.warn("CORS disabled");

package/dist/{defineResource-PXzSJ15_.mjs → defineResource-Bq_fXZtm.mjs}

@@ -41,7 +41,7 @@ var AccessControl = class AccessControl {
 		if (policyFilters) Object.assign(filter, policyFilters);
 		const scope = arcContext?._scope;
 		const orgId = scope ? getOrgId(scope) : void 0;
-		if (orgId && !policyFilters?.[this.tenantField]) filter[this.tenantField] = orgId;
+		if (this.tenantField && orgId && !policyFilters?.[this.tenantField]) filter[this.tenantField] = orgId;
 		return filter;
 	}
 	/**
@@ -65,6 +65,7 @@ var AccessControl = class AccessControl {
 	* unscoped records from leaking across tenants.
 	*/
 	checkOrgScope(item, arcContext) {
+		if (!this.tenantField) return true;
 		const scope = arcContext?._scope;
 		const orgId = scope ? getOrgId(scope) : void 0;
 		if (!item || !orgId) return true;
@@ -259,7 +260,7 @@ var QueryResolver = class {
 		this.defaultLimit = config.defaultLimit ?? DEFAULT_LIMIT;
 		this.defaultSort = config.defaultSort ?? DEFAULT_SORT;
 		this.schemaOptions = config.schemaOptions ?? {};
-		this.tenantField = config.tenantField ?? DEFAULT_TENANT_FIELD;
+		this.tenantField = config.tenantField !== void 0 ? config.tenantField : DEFAULT_TENANT_FIELD;
 	}
 	/**
 	* Resolve a request into parsed query options -- ONE parse per request.
@@ -278,7 +279,7 @@ var QueryResolver = class {
 		if (policyFilters) Object.assign(filters, policyFilters);
 		const scope = arcContext?._scope;
 		const orgId = scope ? getOrgId(scope) : void 0;
-		if (orgId && !policyFilters?.[this.tenantField]) filters[this.tenantField] = orgId;
+		if (this.tenantField && orgId && !policyFilters?.[this.tenantField]) filters[this.tenantField] = orgId;
 		return {
 			page,
 			limit,
@@ -371,7 +372,7 @@ var BaseController = class {
 		this.defaultLimit = options.defaultLimit ?? DEFAULT_LIMIT;
 		this.defaultSort = options.defaultSort ?? DEFAULT_SORT;
 		this.resourceName = options.resourceName;
-		this.tenantField = options.tenantField ?? DEFAULT_TENANT_FIELD;
+		this.tenantField = options.tenantField !== void 0 ? options.tenantField : DEFAULT_TENANT_FIELD;
 		this.idField = options.idField ?? DEFAULT_ID_FIELD;
 		this._matchesFilter = options.matchesFilter;
 		if (options.cache) this._cacheConfig = options.cache;
@@ -396,6 +397,16 @@ var BaseController = class {
 		this.update = this.update.bind(this);
 		this.delete = this.delete.bind(this);
 	}
+	/**
+	* Get the tenant field name if multi-tenant scoping is enabled.
+	* Returns `undefined` when `tenantField` is `false` (platform-universal mode).
+	*
+	* Use this in subclass overrides instead of accessing `this.tenantField` directly
+	* to avoid TypeScript indexing errors with `string | false`.
+	*/
+	getTenantField() {
+		return this.tenantField || void 0;
+	}
 	/** Extract typed Arc internal metadata from request */
 	meta(req) {
 		return req.metadata;
@@ -570,7 +581,7 @@ var BaseController = class {
 		const data = this.bodySanitizer.sanitize(req.body ?? {}, "create", req, arcContext);
 		const scope = arcContext?._scope;
 		const createOrgId = scope ? getOrgId(scope) : void 0;
-		if (createOrgId) data[this.tenantField] = createOrgId;
+		if (this.tenantField && createOrgId) data[this.tenantField] = createOrgId;
 		const userId = getUserId(req.user);
 		if (userId) data.createdBy = userId;
 		const hooks = this.getHooks(req);
@@ -1571,29 +1582,6 @@ function createActionRouter(fastify, config) {
 			type: "object",
 			properties: bodyProperties,
 			required: ["action"]
-		},
-		response: {
-			200: {
-				type: "object",
-				properties: {
-					success: { type: "boolean" },
-					data: { type: "object" }
-				}
-			},
-			400: {
-				type: "object",
-				properties: {
-					success: { type: "boolean" },
-					error: { type: "string" }
-				}
-			},
-			403: {
-				type: "object",
-				properties: {
-					success: { type: "boolean" },
-					error: { type: "string" }
-				}
-			}
 		}
 	};
 	const preHandler = [];

package/dist/docs/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { RegistryEntry } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/factory/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
 import "../eventPlugin-H6wDDjGO.mjs";

package/dist/factory/index.mjs

@@ -1,3 +1,3 @@
-import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-D2D5XXaV.mjs";
+import { a as getPreset, i as developmentPreset, n as createApp, o as productionPreset, s as testingPreset, t as ArcFactory } from "../createApp-BTHYuHNU.mjs";
 
 export { ArcFactory, createApp, developmentPreset, getPreset, productionPreset, testingPreset };

package/dist/{fastifyAdapter-C8DlE0YH.d.mts → fastifyAdapter-DTOLNtjw.d.mts}

@@ -1,5 +1,5 @@
 import { s as RequestScope } from "./elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-e9XfSsUV.mjs";
+import { b as IControllerResponse, x as IRequestContext, y as IController } from "./interface-Dm4-jnia.mjs";
 import { t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { CrudController, CrudRouterOptions, FastifyWithDecorators, RequestContext, RequestWithExtras } from "./types/index.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/hooks/index.d.mts

@@ -1,4 +1,4 @@
 import "../elevation-DGo5shaX.mjs";
-import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-e9XfSsUV.mjs";
+import { $ as beforeUpdate, B as DefineHookOptions, G as HookRegistration, H as HookHandler, J as afterCreate, K as HookSystem, Q as beforeDelete, U as HookOperation, V as HookContext, W as HookPhase, X as afterUpdate, Y as afterDelete, Z as beforeCreate, et as createHookSystem, q as HookSystemOptions, tt as defineHook } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/index.d.mts

@@ -1,11 +1,11 @@
 import "./elevation-DGo5shaX.mjs";
-import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-e9XfSsUV.mjs";
+import { D as CrudRepository, E as defineResource, F as OperationFilter, I as PipelineConfig, L as PipelineContext, M as Guard, N as Interceptor, P as NextFunction, R as PipelineStep, S as RouteHandler, T as ResourceDefinition, _ as ControllerLike, a as RepositoryLike, b as IControllerResponse, c as BaseController, i as RelationMetadata, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, o as SchemaMetadata, r as FieldMetadata, s as ValidationResult, x as IRequestContext, y as IController, z as Transform } from "./interface-Dm4-jnia.mjs";
 import { a as applyFieldWritePermissions, i as applyFieldReadPermissions, n as FieldPermissionMap, o as fields, t as FieldPermission } from "./fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "./types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, ApiResponse, ArcInternalMetadata, AuthPluginOptions, ConfigError, CrudController, CrudRouteKey, CrudRouterOptions, CrudSchemas, EventDefinition, FastifyRequestExtras, FastifyWithAuth, FastifyWithDecorators, FieldRule, GracefulShutdownOptions, HealthCheck, HealthOptions, InferAdapterDoc, InferDocType, InferResourceDoc, IntrospectionData, IntrospectionPluginOptions, JWTPayload, MiddlewareConfig, MiddlewareHandler, OwnershipCheck, PresetFunction, PresetResult, RateLimitConfig, RegistryEntry, RegistryStats, RequestContext, RequestIdOptions, RequestWithExtras, ResourceConfig, ResourceMetadata, RouteHandlerMethod, RouteSchemaOptions, ServiceContext, TypedController, TypedRepository, TypedResourceConfig, UserOrganization, ValidateOptions, ValidationResult as ValidationResult$1 } from "./types/index.mjs";
-import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-C3iornoK.mjs";
+import { c as MongooseAdapterOptions, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./prisma-Bi9nxirN.mjs";
 import "./adapters/index.mjs";
-import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-C8DlE0YH.mjs";
+import { C as MutationOperation, S as MUTATION_OPERATIONS, T as SYSTEM_FIELDS, _ as HookOperation, a as getControllerScope, b as MAX_REGEX_LENGTH, c as CrudOperation, d as DEFAULT_MAX_LIMIT, f as DEFAULT_SORT, g as HOOK_PHASES, h as HOOK_OPERATIONS, l as DEFAULT_ID_FIELD, m as DEFAULT_UPDATE_METHOD, p as DEFAULT_TENANT_FIELD, s as CRUD_OPERATIONS, u as DEFAULT_LIMIT, v as HookPhase, w as RESERVED_QUERY_PARAMS, x as MAX_SEARCH_LENGTH, y as MAX_FILTER_DEPTH } from "./fastifyAdapter-DTOLNtjw.mjs";
 import "./core/index.mjs";
 import { a as NotFoundError, d as ValidationError, i as ForbiddenError, t as ArcError, u as UnauthorizedError } from "./errors-DAWRdiYP.mjs";
 import { a as presets_d_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "./presets-BTeYbw7h.mjs";

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-DdXFXQtN.mjs";
 import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./prisma-DJbMt3yf.mjs";
-import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-PXzSJ15_.mjs";
+import { a as validateResourceConfig, g as BaseController, i as formatValidationErrors, l as pipe, m as getControllerScope, n as defineResource, r as assertValidConfig, t as ResourceDefinition } from "./defineResource-Bq_fXZtm.mjs";
 import { n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "./fields-CTd_CrKr.mjs";
 import { i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-DBANPbGr.mjs";
 import { t as requestContext } from "./requestContext-xi6OKBL-.mjs";

package/dist/{interface-e9XfSsUV.d.mts → interface-Dm4-jnia.d.mts}

@@ -759,8 +759,8 @@ interface ControllerLike {
 //#endregion
 //#region src/core/AccessControl.d.ts
 interface AccessControlConfig {
-  /** Field name used for multi-tenant scoping (default: 'organizationId') */
-  tenantField: string;
+  /** Field name used for multi-tenant scoping (default: 'organizationId'). Set to `false` to disable org filtering. */
+  tenantField: string | false;
   /** Primary key field name (default: '_id') */
   idField: string;
   /**
@@ -876,8 +876,8 @@ interface QueryResolverConfig {
   defaultSort?: string;
   /** Schema options for field sanitization */
   schemaOptions?: RouteSchemaOptions;
-  /** Field name used for multi-tenant scoping (default: 'organizationId') */
-  tenantField?: string;
+  /** Field name used for multi-tenant scoping (default: 'organizationId'). Set to `false` to disable. */
+  tenantField?: string | false;
 }
 declare class QueryResolver {
   private queryParser;
@@ -926,8 +926,9 @@ interface BaseControllerOptions {
   /**
    * Field name used for multi-tenant scoping (default: 'organizationId').
    * Override to match your schema: 'workspaceId', 'tenantId', 'teamId', etc.
+   * Set to `false` to disable org filtering for platform-universal resources.
    */
-  tenantField?: string;
+  tenantField?: string | false;
   /**
    * Primary key field name (default: '_id').
    * Override for non-MongoDB adapters (e.g., 'id' for SQL databases).
@@ -965,7 +966,7 @@ declare class BaseController<TDoc = AnyRecord, TRepository extends RepositoryLik
   protected defaultLimit: number;
   protected defaultSort: string;
   protected resourceName?: string;
-  protected tenantField: string;
+  protected tenantField: string | false;
   protected idField: string;
   /** Composable access control (ID filtering, policy checks, org scope, ownership) */
   readonly accessControl: AccessControl;
@@ -977,6 +978,14 @@ declare class BaseController<TDoc = AnyRecord, TRepository extends RepositoryLik
   private _presetFields;
   private _cacheConfig?;
   constructor(repository: TRepository, options?: BaseControllerOptions);
+  /**
+   * Get the tenant field name if multi-tenant scoping is enabled.
+   * Returns `undefined` when `tenantField` is `false` (platform-universal mode).
+   *
+   * Use this in subclass overrides instead of accessing `this.tenantField` directly
+   * to avoid TypeScript indexing errors with `string | false`.
+   */
+  protected getTenantField(): string | undefined;
   /** Extract typed Arc internal metadata from request */
   private meta;
   /** Get hook system from request context (instance-scoped) */

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { S as RouteHandler } from "../interface-e9XfSsUV.mjs";
+import { S as RouteHandler } from "../interface-Dm4-jnia.mjs";
 import { i as UserBase } from "../types-RLkFVgaw.mjs";
 import "../types/index.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";

package/dist/plugins/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { K as HookSystem, w as ResourceRegistry } from "../interface-e9XfSsUV.mjs";
+import { K as HookSystem, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AdditionalRoute, AnyRecord, MiddlewareConfig, PresetHook, RouteSchemaOptions } from "../types/index.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-SyPF2tgK.mjs";

package/dist/presets/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-e9XfSsUV.mjs";
+import { b as IControllerResponse, k as PaginatedResult, x as IRequestContext } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, PresetResult, ResourceConfig } from "../types/index.mjs";
 import multiTenantPreset, { MultiTenantOptions } from "./multiTenant.mjs";

package/dist/presets/multiTenant.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { CrudRouteKey, PresetResult } from "../types/index.mjs";
 

package/dist/{prisma-C3iornoK.d.mts → prisma-Bi9nxirN.d.mts}

@@ -1,4 +1,4 @@
-import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-e9XfSsUV.mjs";
+import { D as CrudRepository, a as RepositoryLike, n as DataAdapter, o as SchemaMetadata, s as ValidationResult } from "./interface-Dm4-jnia.mjs";
 import { OpenApiSchemas, ParsedQuery, QueryParserInterface, RouteSchemaOptions } from "./types/index.mjs";
 import { Model } from "mongoose";
 

package/dist/registry/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { C as RegisterOptions, w as ResourceRegistry } from "../interface-e9XfSsUV.mjs";
+import { C as RegisterOptions, w as ResourceRegistry } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { IntrospectionPluginOptions } from "../types/index.mjs";
 import { FastifyPluginAsync } from "fastify";

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import { D as CrudRepository, T as ResourceDefinition } from "../interface-e9XfSsUV.mjs";
+import { D as CrudRepository, T as ResourceDefinition } from "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord } from "../types/index.mjs";
 import "../queryCachePlugin-Q6SYuHZ6.mjs";
@@ -649,7 +649,7 @@ interface HttpTestHarnessOptions<T = unknown> {
   };
   /** Auth provider for generating request headers */
   auth: AuthProvider;
-  /** API path prefix (default: '/api') */
+  /** API path prefix (default: '/api' for eager, '' for deferred) */
   apiPrefix?: string;
 }
 /** Options can be passed directly or as a getter for deferred resolution */
@@ -666,12 +666,21 @@ type OptionsOrGetter<T> = HttpTestHarnessOptions<T> | (() => HttpTestHarnessOpti
 declare class HttpTestHarness<T = unknown> {
   private resource;
   private optionsOrGetter;
-  private baseUrl;
+  private eagerBaseUrl;
   private enabledRoutes;
   private updateMethod;
   constructor(resource: ResourceDefinition<unknown>, optionsOrGetter: OptionsOrGetter<T>);
   /** Resolve options (supports both direct and deferred) */
   private getOptions;
+  /**
+   * Resolve the base URL for requests.
+   *
+   * - Eager mode: uses pre-computed baseUrl from constructor
+   * - Deferred mode: reads apiPrefix from the getter options at runtime
+   *
+   * Must only be called inside it()/afterAll() callbacks (after beforeAll has run).
+   */
+  private getBaseUrl;
   /**
    * Run all test suites: CRUD + permissions + validation
    */
@@ -715,6 +724,7 @@ declare class HttpTestHarness<T = unknown> {
  *
  * createHttpTestHarness(jobResource, () => ({
  *   app: ctx.app,
+ *   apiPrefix: '',
  *   fixtures: { valid: { title: 'Test' } },
  *   auth: createBetterAuthProvider({ ... }),
  * })).runAll();

package/dist/testing/index.mjs

@@ -1000,7 +1000,7 @@ var DatabaseSnapshot = class {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-D2D5XXaV.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BTHYuHNU.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",
@@ -1606,6 +1606,7 @@ async function setupBetterAuthOrg(options) {
 *
 * const harness = createHttpTestHarness(jobResource, () => ({
 *   app: ctx.app,
+*   apiPrefix: '',
 *   fixtures: { valid: { title: 'Test' } },
 *   auth: createBetterAuthProvider({ tokens: { admin: ctx.users.admin.token }, orgId: ctx.orgId, adminRole: 'admin' }),
 * }));
@@ -1687,13 +1688,14 @@ function createBetterAuthProvider(options) {
 var HttpTestHarness = class {
 	resource;
 	optionsOrGetter;
-	baseUrl;
+	eagerBaseUrl;
 	enabledRoutes;
 	updateMethod;
 	constructor(resource, optionsOrGetter) {
 		this.resource = resource;
 		this.optionsOrGetter = optionsOrGetter;
-		this.baseUrl = `${typeof optionsOrGetter === "function" ? "/api" : optionsOrGetter.apiPrefix ?? "/api"}${resource.prefix}`;
+		if (typeof optionsOrGetter === "function") this.eagerBaseUrl = null;
+		else this.eagerBaseUrl = `${optionsOrGetter.apiPrefix ?? "/api"}${resource.prefix}`;
 		const disabled = new Set(resource.disabledRoutes ?? []);
 		this.enabledRoutes = new Set(resource.disableDefaultRoutes ? [] : CRUD_OPERATIONS.filter((op) => !disabled.has(op)));
 		this.updateMethod = resource.updateMethod === "PUT" ? "PUT" : "PATCH";
@@ -1703,6 +1705,18 @@ var HttpTestHarness = class {
 		return typeof this.optionsOrGetter === "function" ? this.optionsOrGetter() : this.optionsOrGetter;
 	}
 	/**
+	* Resolve the base URL for requests.
+	*
+	* - Eager mode: uses pre-computed baseUrl from constructor
+	* - Deferred mode: reads apiPrefix from the getter options at runtime
+	*
+	* Must only be called inside it()/afterAll() callbacks (after beforeAll has run).
+	*/
+	getBaseUrl() {
+		if (this.eagerBaseUrl !== null) return this.eagerBaseUrl;
+		return `${this.getOptions().apiPrefix ?? ""}${this.resource.prefix}`;
+	}
+	/**
 	* Run all test suites: CRUD + permissions + validation
 	*/
 	runAll() {
@@ -1722,12 +1736,13 @@ var HttpTestHarness = class {
 	* - GET /:id with non-existent ID → 404
 	*/
 	runCrud() {
-		const { resource, baseUrl, enabledRoutes, updateMethod } = this;
+		const { resource, enabledRoutes, updateMethod } = this;
 		let createdId = null;
 		describe(`${resource.displayName} HTTP CRUD`, () => {
 			afterAll(async () => {
 				if (createdId && enabledRoutes.has("delete")) {
 					const { app, auth } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					await app.inject({
 						method: "DELETE",
 						url: `${baseUrl}/${createdId}`,
@@ -1737,6 +1752,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("create")) it("POST should create a resource", async () => {
 				const { app, auth, fixtures } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				const adminHeaders = auth.getHeaders(auth.adminRole);
 				const res = await app.inject({
 					method: "POST",
@@ -1753,6 +1769,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("list")) it("GET should list resources", async () => {
 				const { app, auth } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				const res = await app.inject({
 					method: "GET",
 					url: baseUrl,
@@ -1769,6 +1786,7 @@ var HttpTestHarness = class {
 				it("GET /:id should return the resource", async () => {
 					if (!createdId) return;
 					const { app, auth } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					const res = await app.inject({
 						method: "GET",
 						url: `${baseUrl}/${createdId}`,
@@ -1782,6 +1800,7 @@ var HttpTestHarness = class {
 				});
 				it("GET /:id with non-existent ID should return 404", async () => {
 					const { app, auth } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					const res = await app.inject({
 						method: "GET",
 						url: `${baseUrl}/000000000000000000000000`,
@@ -1795,6 +1814,7 @@ var HttpTestHarness = class {
 				it(`${updateMethod} /:id should update the resource`, async () => {
 					if (!createdId) return;
 					const { app, auth, fixtures } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					const updatePayload = fixtures.update || fixtures.valid;
 					const res = await app.inject({
 						method: updateMethod,
@@ -1809,6 +1829,7 @@ var HttpTestHarness = class {
 				});
 				it(`${updateMethod} /:id with non-existent ID should return 404`, async () => {
 					const { app, auth, fixtures } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					expect((await app.inject({
 						method: updateMethod,
 						url: `${baseUrl}/000000000000000000000000`,
@@ -1820,6 +1841,7 @@ var HttpTestHarness = class {
 			if (enabledRoutes.has("delete")) {
 				it("DELETE /:id should delete the resource", async () => {
 					const { app, auth, fixtures } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					const adminHeaders = auth.getHeaders(auth.adminRole);
 					let deleteId;
 					if (enabledRoutes.has("create")) {
@@ -1845,6 +1867,7 @@ var HttpTestHarness = class {
 				});
 				it("DELETE /:id with non-existent ID should return 404", async () => {
 					const { app, auth } = this.getOptions();
+					const baseUrl = this.getBaseUrl();
 					expect((await app.inject({
 						method: "DELETE",
 						url: `${baseUrl}/000000000000000000000000`,
@@ -1862,10 +1885,11 @@ var HttpTestHarness = class {
 	* - Admin role gets 2xx for all operations
 	*/
 	runPermissions() {
-		const { resource, baseUrl, enabledRoutes, updateMethod } = this;
+		const { resource, enabledRoutes, updateMethod } = this;
 		describe(`${resource.displayName} HTTP Permissions`, () => {
 			if (enabledRoutes.has("list")) it("GET list without auth should return 401", async () => {
 				const { app } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "GET",
 					url: baseUrl
@@ -1873,6 +1897,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("get")) it("GET get without auth should return 401", async () => {
 				const { app } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "GET",
 					url: `${baseUrl}/000000000000000000000000`
@@ -1880,6 +1905,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("create")) it("POST create without auth should return 401", async () => {
 				const { app, fixtures } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "POST",
 					url: baseUrl,
@@ -1888,6 +1914,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("update")) it(`${updateMethod} update without auth should return 401`, async () => {
 				const { app, fixtures } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: updateMethod,
 					url: `${baseUrl}/000000000000000000000000`,
@@ -1896,6 +1923,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("delete")) it("DELETE delete without auth should return 401", async () => {
 				const { app } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "DELETE",
 					url: `${baseUrl}/000000000000000000000000`
@@ -1903,6 +1931,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("list")) it("admin should access list endpoint", async () => {
 				const { app, auth } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "GET",
 					url: baseUrl,
@@ -1911,6 +1940,7 @@ var HttpTestHarness = class {
 			});
 			if (enabledRoutes.has("create")) it("admin should access create endpoint", async () => {
 				const { app, auth, fixtures } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				const res = await app.inject({
 					method: "POST",
 					url: baseUrl,
@@ -1933,11 +1963,12 @@ var HttpTestHarness = class {
 	* Tests that invalid payloads return 400.
 	*/
 	runValidation() {
-		const { resource, baseUrl, enabledRoutes } = this;
+		const { resource, enabledRoutes } = this;
 		if (!enabledRoutes.has("create")) return;
 		describe(`${resource.displayName} HTTP Validation`, () => {
 			it("POST with invalid payload should not return 2xx", async () => {
 				const { app, auth, fixtures } = this.getOptions();
+				const baseUrl = this.getBaseUrl();
 				if (!fixtures.invalid) return;
 				const res = await app.inject({
 					method: "POST",
@@ -1963,6 +1994,7 @@ var HttpTestHarness = class {
 *
 * createHttpTestHarness(jobResource, () => ({
 *   app: ctx.app,
+*   apiPrefix: '',
 *   fixtures: { valid: { title: 'Test' } },
 *   auth: createBetterAuthProvider({ ... }),
 * })).runAll();

package/dist/types/index.d.mts

@@ -1,5 +1,5 @@
 import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as hasOrgAccess, f as isAuthenticated, l as getOrgRoles, m as isMember, n as ElevationOptions, o as PUBLIC_SCOPE, p as isElevated, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-DGo5shaX.mjs";
-import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-e9XfSsUV.mjs";
+import { A as PaginationParams, D as CrudRepository, I as PipelineConfig, K as HookSystem, O as InferDoc, S as RouteHandler, _ as ControllerLike, b as IControllerResponse, g as ControllerHandler, j as QueryOptions, k as PaginatedResult, l as BaseControllerOptions, n as DataAdapter, v as FastifyHandler, w as ResourceRegistry, x as IRequestContext, y as IController } from "../interface-Dm4-jnia.mjs";
 import { n as FieldPermissionMap } from "../fields-Bi_AVKSo.mjs";
 import { i as UserBase, n as PermissionContext, r as PermissionResult, t as PermissionCheck } from "../types-RLkFVgaw.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod, RouteHandlerMethod as RouteHandlerMethod$1 } from "fastify";
@@ -363,7 +363,7 @@ interface ResourceConfig<TDoc = AnyRecord> {
    * Override to match your schema: 'workspaceId', 'tenantId', 'teamId', etc.
    * Takes effect when org context is present (via multiTenant preset).
    */
-  tenantField?: string;
+  tenantField?: string | false;
   /**
    * Primary key field name (default: '_id').
    * Override for non-MongoDB adapters (e.g., 'id' for SQL databases).

package/dist/utils/index.d.mts

@@ -1,5 +1,5 @@
 import "../elevation-DGo5shaX.mjs";
-import "../interface-e9XfSsUV.mjs";
+import "../interface-Dm4-jnia.mjs";
 import "../types-RLkFVgaw.mjs";
 import { AnyRecord, OpenApiSchemas, ParsedQuery, QueryParserInterface } from "../types/index.mjs";
 import { a as NotFoundError, c as RateLimitError, d as ValidationError, f as createError, i as ForbiddenError, l as ServiceUnavailableError, n as ConflictError, o as OrgAccessDeniedError, p as isArcError, r as ErrorDetails, s as OrgRequiredError, t as ArcError, u as UnauthorizedError } from "../errors-DAWRdiYP.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.1.3",
+  "version": "2.2.0",
   "description": "Resource-oriented backend framework for Fastify — clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {
@@ -191,7 +191,7 @@
     "node": ">=22"
   },
   "peerDependencies": {
-    "@classytic/mongokit": "^3.2.3",
+    "@classytic/mongokit": "^3.2.4",
     "@classytic/streamline": ">=1.0.0",
     "@fastify/cors": "^11.0.0",
     "@fastify/helmet": "^13.0.0",