@classytic/arc 2.10.3 → 2.10.8

package/README.md

@@ -602,7 +602,7 @@ await app.register(eventGatewayPlugin, {
 Functional composition for cross-cutting concerns:
 
 ```typescript
-import { pipe, guard, transform, intercept } from '@classytic/arc';
+import { pipe, guard, transform, intercept } from '@classytic/arc/pipeline';
 
 const isActive = guard('isActive', (ctx) => ctx.query?.filters?.isActive !== false);
 const slugify = transform('slugify', (ctx) => ({ ...ctx, body: { ...ctx.body, slug: toSlug(ctx.body.name) } }));

package/dist/{BaseController-CbKKIflT.mjs → BaseController-DVNKvoX4.mjs}

@@ -1,25 +1,26 @@
 import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-BhY1OHoH.mjs";
+import { arcLog } from "./logger/index.mjs";
 import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as buildQueryKey } from "./keys-qcD-TVJl.mjs";
-import { n as getUserId } from "./types-Csi3FLfq.mjs";
-import { i as resolveEffectiveRoles, n as applyFieldWritePermissions } from "./fields-bxkeltzz.mjs";
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { r as ForbiddenError } from "./errors-D5c-5BJL.mjs";
-import { t as ArcQueryParser } from "./queryParser-DBqBB6AC.mjs";
+import { r as simpleEqualityMatcher, t as ArcQueryParser } from "./queryParser-NR__Qiju.mjs";
+import { t as buildQueryKey } from "./keys-nWQGUTu1.mjs";
+import { n as getUserId } from "./types-CDnTEpga.mjs";
+import { i as resolveEffectiveRoles, n as applyFieldWritePermissions } from "./fields-CTMWOUDt.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
+import { r as ForbiddenError } from "./errors-BqdUDja_.mjs";
 //#region src/core/AccessControl.ts
-var AccessControl = class AccessControl {
+const log = arcLog("access-control");
+var AccessControl = class {
 	tenantField;
 	idField;
 	_adapterMatchesFilter;
-	/** Patterns that indicate dangerous regex (nested quantifiers, excessive backtracking).
-	*  Uses [^...] character classes instead of .+ to avoid backtracking in the detector itself. */
-	static DANGEROUS_REGEX = /(\{[0-9]+,\}[^{]*\{[0-9]+,\})|(\+[^+]*\+)|(\*[^*]*\*)|(\.\*){3,}|\\1/;
-	/** Forbidden paths that could lead to prototype pollution */
-	static FORBIDDEN_PATHS = [
-		"__proto__",
-		"constructor",
-		"prototype"
-	];
+	/**
+	* One-shot latch for the "adapter didn't supply matchesFilter, in-memory
+	* policy-filter re-check is skipped" warning. The primary fetch path
+	* (`getOne(compoundFilter)`) already applied filters at the DB layer;
+	* this warn only fires when `validateItemAccess` runs and the adapter
+	* hasn't provided a native matcher for the post-hoc re-check.
+	*/
+	_warnedNoMatcher = false;
 	constructor(config) {
 		this.tenantField = config.tenantField;
 		this.idField = config.idField;
@@ -40,17 +41,54 @@ var AccessControl = class AccessControl {
 		return filter;
 	}
 	/**
-	* Check if item matches policy filters (for get/update/delete operations)
-	* Validates that fetched item satisfies all policy constraints
+	* Check if a post-fetch item matches the request's `_policyFilters`.
+	*
+	* **When this runs:** only on paths where the primary fetch path did NOT
+	* apply policy filters at the DB layer — notably `validateItemAccess`
+	* (used by `getBySlug` and cache revalidation). The main `fetchDetailed`
+	* path builds a compound filter (`buildIdFilter`) and passes it to
+	* `repository.getOne(compoundFilter)`, so the DB has already enforced
+	* the filter and an in-memory re-check would be redundant.
+	*
+	* **Evaluation order (fail-closed):**
+	* 1. No `_policyFilters` set → `true` (nothing to enforce).
+	* 2. Adapter supplied `matchesFilter` → delegate to it verbatim. Adapters
+	*    are expected to handle every filter shape the host emits
+	*    (mongokit/sqlitekit evaluate at the DB layer; Prisma/custom engines
+	*    can wrap their own predicate engine).
+	* 3. No adapter matcher → fall back to `simpleEqualityMatcher` — arc's
+	*    built-in flat-key equality helper. This is defense-in-depth for the
+	*    common case: arc's own permission helpers emit flat filters
+	*    (`{userId: …}`, `{organizationId: …}`), which this matcher evaluates
+	*    correctly. Operator-shaped filters (`$in`, `$ne`, `$regex`, `$and`,
+	*    `$or`) are **rejected** (the matcher returns `false`) — fail-closed
+	*    rather than fail-open. A one-shot warn flags the gap so adapter
+	*    authors can wire a richer matcher.
 	*
-	* Delegates to adapter-provided matchesFilter if available (for SQL, etc.),
-	* otherwise falls back to built-in MongoDB-style matching.
+	* Arc deliberately does NOT ship a full MongoDB-syntax matcher:
+	* re-implementing Mongo in JS was dead code for mongokit users (the DB
+	* did it) and silently wrong for non-Mongo adapters. The flat-equality
+	* fallback is small (~20 LOC), correct in both dialects, and closes the
+	* previous `getBySlug`-style policy-bypass path.
 	*/
 	checkPolicyFilters(item, req) {
 		const policyFilters = this._meta(req)?._policyFilters;
-		if (!policyFilters) return true;
+		if (!policyFilters || Object.keys(policyFilters).length === 0) return true;
 		if (this._adapterMatchesFilter) return this._adapterMatchesFilter(item, policyFilters);
-		return this.defaultMatchesPolicyFilters(item, policyFilters);
+		if (Object.values(policyFilters).some((v) => v !== null && typeof v === "object" && !Array.isArray(v) && Object.getPrototypeOf(v) === Object.prototype && Object.keys(v).some((k) => k.startsWith("$")))) this._warnNoMatcher(policyFilters);
+		return simpleEqualityMatcher(item, policyFilters);
+	}
+	/**
+	* Emit a one-shot warn when policy filters contain operators (`$in`,
+	* `$ne`, `$regex`, etc.) and no `DataAdapter.matchesFilter` is wired —
+	* arc's flat-equality fallback fail-closes on operators, so the host
+	* sees 404s on docs that should match. Latched on `_warnedNoMatcher`
+	* so subsequent requests stay quiet.
+	*/
+	_warnNoMatcher(policyFilters) {
+		if (this._warnedNoMatcher) return;
+		this._warnedNoMatcher = true;
+		log.warn("`_policyFilters` contains operator-shaped entries (e.g. `$in`, `$ne`, `$regex`) but `DataAdapter.matchesFilter` is not set. Arc's flat-equality fallback cannot evaluate operators and will reject these items on non-compound fetches (`validateItemAccess`, `getBySlug`, cache revalidation). Wire up `matchesFilter` on your adapter — use `matchFilter` from `@classytic/repo-core/filter` for IR-based adapters, or your DB's native predicate engine.", { policyFilterKeys: Object.keys(policyFilters) });
 	}
 	/**
 	* Check org/tenant scope for a document — uses configurable tenantField.
@@ -64,7 +102,6 @@ var AccessControl = class AccessControl {
 		const scope = arcContext?._scope;
 		const orgId = scope ? getOrgId(scope) : void 0;
 		if (!item || !orgId) return true;
-		if (scope && isElevated(scope) && !orgId) return true;
 		const itemOrgId = item[this.tenantField];
 		if (!itemOrgId) return false;
 		return String(itemOrgId) === String(orgId);
@@ -122,7 +159,25 @@ var AccessControl = class AccessControl {
 				};
 				if (hasCompoundFilters) {
 					const idOnly = { [this.idField]: id };
-					const rawDoc = await repository.getOne(idOnly);
+					const rawGetOne = repository.getOne.bind(repository);
+					let rawDoc = null;
+					try {
+						rawDoc = await rawGetOne(idOnly);
+					} catch (unscopedErr) {
+						if (translateStatus404(unscopedErr)) return {
+							doc: null,
+							reason: "NOT_FOUND"
+						};
+						try {
+							rawDoc = await rawGetOne(idOnly, queryOptions);
+						} catch (scopedErr) {
+							if (translateStatus404(scopedErr)) return {
+								doc: null,
+								reason: "NOT_FOUND"
+							};
+							throw scopedErr;
+						}
+					}
 					if (rawDoc) {
 						const arcContext = this._meta(req);
 						if (!this.checkOrgScope(rawDoc, arcContext)) return {
@@ -183,101 +238,6 @@ var AccessControl = class AccessControl {
 	_meta(req) {
 		return req.metadata;
 	}
-	/**
-	* Check if a value matches a MongoDB query operator
-	*/
-	matchesOperator(itemValue, operator, filterValue) {
-		const equalsByValue = (a, b) => String(a) === String(b);
-		switch (operator) {
-			case "$eq": return equalsByValue(itemValue, filterValue);
-			case "$ne": return !equalsByValue(itemValue, filterValue);
-			case "$gt": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue > filterValue;
-			case "$gte": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue >= filterValue;
-			case "$lt": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue < filterValue;
-			case "$lte": return typeof itemValue === "number" && typeof filterValue === "number" && itemValue <= filterValue;
-			case "$in":
-				if (!Array.isArray(filterValue)) return false;
-				if (Array.isArray(itemValue)) return itemValue.some((v) => filterValue.some((fv) => equalsByValue(v, fv)));
-				return filterValue.some((fv) => equalsByValue(itemValue, fv));
-			case "$nin":
-				if (!Array.isArray(filterValue)) return false;
-				if (Array.isArray(itemValue)) return itemValue.every((v) => filterValue.every((fv) => !equalsByValue(v, fv)));
-				return filterValue.every((fv) => !equalsByValue(itemValue, fv));
-			case "$exists": return filterValue ? itemValue !== void 0 : itemValue === void 0;
-			case "$regex":
-				if (typeof itemValue === "string" && (typeof filterValue === "string" || filterValue instanceof RegExp)) return (typeof filterValue === "string" ? AccessControl.safeRegex(filterValue) : filterValue)?.test(itemValue) ?? false;
-				return false;
-			default: return false;
-		}
-	}
-	/**
-	* Check if item matches a single filter condition
-	* Supports nested paths (e.g., "owner.id", "metadata.status")
-	*/
-	matchesFilter(item, key, filterValue) {
-		const itemValue = key.includes(".") ? this.getNestedValue(item, key) : item[key];
-		if (filterValue && typeof filterValue === "object" && !Array.isArray(filterValue)) {
-			if (Object.keys(filterValue).some((op) => op.startsWith("$"))) {
-				for (const [operator, opValue] of Object.entries(filterValue)) if (!this.matchesOperator(itemValue, operator, opValue)) return false;
-				return true;
-			}
-		}
-		if (Array.isArray(itemValue)) return itemValue.some((v) => String(v) === String(filterValue));
-		return String(itemValue) === String(filterValue);
-	}
-	/**
-	* Built-in MongoDB-style policy filter matching.
-	* Supports: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $regex, $and, $or
-	*/
-	defaultMatchesPolicyFilters(item, policyFilters) {
-		if (policyFilters.$and && Array.isArray(policyFilters.$and)) {
-			if (!policyFilters.$and.every((condition) => {
-				return Object.entries(condition).every(([key, value]) => {
-					return this.matchesFilter(item, key, value);
-				});
-			})) return false;
-		}
-		if (policyFilters.$or && Array.isArray(policyFilters.$or)) {
-			if (!policyFilters.$or.some((condition) => {
-				return Object.entries(condition).every(([key, value]) => {
-					return this.matchesFilter(item, key, value);
-				});
-			})) return false;
-		}
-		for (const [key, value] of Object.entries(policyFilters)) {
-			if (key.startsWith("$")) continue;
-			if (!this.matchesFilter(item, key, value)) return false;
-		}
-		return true;
-	}
-	/**
-	* Get nested value from object using dot notation (e.g., "owner.id")
-	* Security: Validates path against forbidden patterns to prevent prototype pollution
-	*/
-	getNestedValue(obj, path) {
-		if (AccessControl.FORBIDDEN_PATHS.some((p) => path.toLowerCase().includes(p))) return;
-		const keys = path.split(".");
-		let value = obj;
-		for (const key of keys) {
-			if (value == null) return void 0;
-			if (AccessControl.FORBIDDEN_PATHS.includes(key.toLowerCase())) return;
-			value = value[key];
-		}
-		return value;
-	}
-	/**
-	* Create a safe RegExp from a string, guarding against ReDoS.
-	* Returns null if the pattern is invalid or dangerous.
-	*/
-	static safeRegex(pattern) {
-		if (pattern.length > 200) return null;
-		if (AccessControl.DANGEROUS_REGEX.test(pattern)) return null;
-		try {
-			return new RegExp(pattern);
-		} catch {
-			return null;
-		}
-	}
 };
 var BodySanitizer = class {
 	schemaOptions;
@@ -296,10 +256,13 @@ var BodySanitizer = class {
 	sanitize(body, _operation, req, meta) {
 		let sanitized = { ...body };
 		for (const field of SYSTEM_FIELDS) delete sanitized[field];
+		const scopeForRules = req ? (meta ?? req.metadata)?._scope ?? PUBLIC_SCOPE : void 0;
+		const scopeIsElevated = scopeForRules ? isElevated(scopeForRules) : false;
 		const fieldRules = this.schemaOptions.fieldRules ?? {};
 		for (const [field, rules] of Object.entries(fieldRules)) {
-			if (rules.systemManaged || rules.readonly) delete sanitized[field];
-			if (_operation === "update" && (rules.immutable || rules.immutableAfterCreate)) delete sanitized[field];
+			const bypass = Boolean(rules.preserveForElevated) && scopeIsElevated;
+			if ((rules.systemManaged || rules.readonly) && !bypass) delete sanitized[field];
+			if (_operation === "update" && (rules.immutable || rules.immutableAfterCreate) && !bypass) delete sanitized[field];
 		}
 		if (req) {
 			const arcContext = meta ?? req.metadata;
@@ -336,6 +299,7 @@ var QueryResolver = class {
 	queryParser;
 	maxLimit;
 	defaultLimit;
+	/** `undefined` means "no default sort" (caller passed `false`). */
 	defaultSort;
 	schemaOptions;
 	tenantField;
@@ -343,7 +307,7 @@ var QueryResolver = class {
 		this.queryParser = config.queryParser ?? getDefaultQueryParser();
 		this.maxLimit = config.maxLimit ?? 100;
 		this.defaultLimit = config.defaultLimit ?? 20;
-		this.defaultSort = config.defaultSort ?? "-createdAt";
+		this.defaultSort = config.defaultSort === false ? void 0 : config.defaultSort ?? "-createdAt";
 		this.schemaOptions = config.schemaOptions ?? {};
 		this.tenantField = config.tenantField !== void 0 ? config.tenantField : DEFAULT_TENANT_FIELD;
 	}
@@ -474,6 +438,7 @@ var BaseController = class {
 	queryParser;
 	maxLimit;
 	defaultLimit;
+	/** `undefined` means "no default sort" (caller passed `false`). */
 	defaultSort;
 	resourceName;
 	tenantField;
@@ -493,7 +458,7 @@ var BaseController = class {
 		this.queryParser = options.queryParser ?? getDefaultQueryParser();
 		this.maxLimit = options.maxLimit ?? 100;
 		this.defaultLimit = options.defaultLimit ?? 20;
-		this.defaultSort = options.defaultSort ?? "-createdAt";
+		this.defaultSort = options.defaultSort === false ? void 0 : options.defaultSort ?? "-createdAt";
 		this.resourceName = options.resourceName;
 		this.tenantField = options.tenantField !== void 0 ? options.tenantField : DEFAULT_TENANT_FIELD;
 		this.idField = options.idField ?? repository?.idField ?? "_id";
@@ -513,7 +478,7 @@ var BaseController = class {
 			queryParser: this.queryParser,
 			maxLimit: this.maxLimit,
 			defaultLimit: this.defaultLimit,
-			defaultSort: this.defaultSort,
+			defaultSort: options.defaultSort,
 			schemaOptions: this.schemaOptions,
 			tenantField: this.tenantField
 		});
@@ -533,6 +498,48 @@ var BaseController = class {
 	getTenantField() {
 		return this.tenantField || void 0;
 	}
+	/**
+	* Build top-level tenant options to thread into the repository call.
+	*
+	* **Why this exists:** repo plugins (e.g. `@classytic/mongokit`'s
+	* `multiTenantPlugin`) read tenant scope from the TOP of the repository
+	* operation context — `context.organizationId`, not `context.data.organizationId`
+	* or `context.context.organizationId`. Without this stamping, a tenant-scoped
+	* repository throws `Missing 'organizationId' in context for '<op>'` even
+	* though arc already injected the tenant into the request body.
+	*
+	* **What this returns:**
+	* - `{ [tenantField]: orgId }` when the resource is tenant-scoped and the
+	*   caller's scope carries an org ID (member, service key bound to an org,
+	*   elevated admin impersonating an org).
+	* - `{}` otherwise — platform-universal resources (`tenantField: false`),
+	*   public/anonymous reads, elevated admins without an org target.
+	*
+	* **Call sites:** every `this.repository.*` CRUD entry — `create`, `update`,
+	* `delete`, `getAll` (via list), plus merged into `QueryOptions` for the
+	* access-controlled read path (`accessControl.fetchDetailed` → `getById`/`getOne`).
+	*
+	* **Name of the field:** uses the instance's own `tenantField` configuration
+	* (default `organizationId`). Matches mongokit's `multiTenantPlugin` default
+	* `contextKey` so host apps don't need to override either side.
+	*
+	* Multi-field tenancy (via `multiTenantPreset({ tenantFields: [...] })`)
+	* resolves additional fields at middleware time and stashes them on
+	* `_tenantFields` — {@link tenantRepoOptions} merges those in too.
+	*/
+	tenantRepoOptions(req) {
+		const out = {};
+		if (this.tenantField) {
+			const scope = this.meta(req)?._scope;
+			const orgId = scope ? getOrgId(scope) : void 0;
+			if (orgId) out[this.tenantField] = orgId;
+		}
+		const presetFields = req._tenantFields;
+		if (presetFields && typeof presetFields === "object") {
+			for (const [key, value] of Object.entries(presetFields)) if (value != null && out[key] == null) out[key] = value;
+		}
+		return out;
+	}
 	/** Extract typed Arc internal metadata from request */
 	meta(req) {
 		return req.metadata;
@@ -655,7 +662,11 @@ var BaseController = class {
 	/** Execute list query through hooks (extracted for cache revalidation) */
 	async executeListQuery(options, req) {
 		const hooks = this.getHooks(req);
-		const repoGetAll = async () => this.repository.getAll(options);
+		const getAllParams = {
+			...options,
+			...this.tenantRepoOptions(req)
+		};
+		const repoGetAll = async () => this.repository.getAll(getAllParams);
 		return hooks && this.resourceName ? await hooks.executeAround(this.resourceName, "list", options, repoGetAll, {
 			user: req.user,
 			context: this.meta(req)
@@ -668,7 +679,10 @@ var BaseController = class {
 			error: "ID parameter is required",
 			status: 400
 		};
-		const options = this.queryResolver.resolve(req, this.meta(req));
+		const options = {
+			...this.queryResolver.resolve(req, this.meta(req)),
+			...this.tenantRepoOptions(req)
+		};
 		const cacheConfig = this.resolveCacheConfig("byId");
 		const qc = req.server?.queryCache;
 		if (cacheConfig && qc) {
@@ -764,7 +778,8 @@ var BaseController = class {
 		}
 		const repoCreate = async () => this.repository.create(processedData, {
 			user,
-			context: arcContext
+			context: arcContext,
+			...this.tenantRepoOptions(req)
 		});
 		let item;
 		if (hooks && this.resourceName) {
@@ -796,7 +811,7 @@ var BaseController = class {
 		const user = req.user;
 		const userId = getUserId(user);
 		if (userId) data.updatedBy = userId;
-		const { doc: existing, reason: updateReason } = await this.accessControl.fetchDetailed(id, req, this.repository);
+		const { doc: existing, reason: updateReason } = await this.accessControl.fetchDetailed(id, req, this.repository, this.tenantRepoOptions(req));
 		if (!existing) return this.notFoundResponse(updateReason);
 		if (!this.accessControl.checkOwnership(existing, req)) return {
 			success: false,
@@ -829,7 +844,8 @@ var BaseController = class {
 		}
 		const repoUpdate = async () => this.repository.update(repoId, processedData, {
 			user,
-			context: arcContext
+			context: arcContext,
+			...this.tenantRepoOptions(req)
 		});
 		let item;
 		if (hooks && this.resourceName) {
@@ -867,7 +883,7 @@ var BaseController = class {
 		};
 		const arcContext = this.meta(req);
 		const user = req.user;
-		const { doc: existing, reason: deleteReason } = await this.accessControl.fetchDetailed(id, req, this.repository);
+		const { doc: existing, reason: deleteReason } = await this.accessControl.fetchDetailed(id, req, this.repository, this.tenantRepoOptions(req));
 		if (!existing) return this.notFoundResponse(deleteReason);
 		if (!this.accessControl.checkOwnership(existing, req)) return {
 			success: false,
@@ -898,6 +914,7 @@ var BaseController = class {
 		const repoDelete = async () => this.repository.delete(repoId, {
 			user,
 			context: arcContext,
+			...this.tenantRepoOptions(req),
 			...deleteMode ? { mode: deleteMode } : {}
 		});
 		let result;
@@ -933,7 +950,10 @@ var BaseController = class {
 	async getBySlug(req) {
 		const slugField = this._presetFields.slugField ?? "slug";
 		const slug = req.params[slugField] ?? req.params.slug;
-		const options = this.queryResolver.resolve(req, this.meta(req));
+		const options = {
+			...this.queryResolver.resolve(req, this.meta(req)),
+			...this.tenantRepoOptions(req)
+		};
 		const repo = this.repository;
 		let item = null;
 		if (repo.getBySlug) item = await repo.getBySlug(slug, options);

package/dist/actionPermissions-TUVR3uiZ.mjs

@@ -0,0 +1,22 @@
+//#region src/core/actionPermissions.ts
+/**
+* Return the effective `PermissionCheck` for a single action, or `undefined`
+* when the resource declares no gate at any level.
+*
+* Callers decide what "no gate" means:
+*   - HTTP: boot-time throw in `normalizeActionsToRouterConfig`.
+*   - MCP: treated as allow (legacy) — but the HTTP fallback now fills the
+*     gap when `permissions.update` is set, so the MCP hole closes too.
+*   - OpenAPI: docs advertise the endpoint as unauthenticated.
+*/
+function resolveActionPermission(input) {
+	const { action, resourcePermissions, resourceActionPermissions, globalAuth } = input;
+	const explicit = typeof action !== "function" && action.permissions ? action.permissions : void 0;
+	if (explicit) return explicit;
+	if (resourceActionPermissions) return resourceActionPermissions;
+	if (globalAuth) return globalAuth;
+	const updateFallback = resourcePermissions?.update;
+	if (updateFallback) return updateFallback;
+}
+//#endregion
+export { resolveActionPermission as t };

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { At as SchemaMetadata, Dt as FieldMetadata, Et as DataAdapter, Ot as RelationMetadata, jt as ValidationResult, kt as RepositoryLike, wt as AdapterFactory } from "../index-Cl0uoKd5.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, d as DrizzleAdapterOptions, f as createDrizzleAdapter, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter, u as DrizzleAdapter } from "../index-DStwgFUK.mjs";
+import { _n as RepositoryLike, fn as AdapterFactory, gn as RelationMetadata, hn as FieldMetadata, mn as DataAdapter, vn as SchemaMetadata, yn as ValidationResult } from "../index-BGbpGVyM.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, d as DrizzleAdapterOptions, f as createDrizzleAdapter, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter, u as DrizzleAdapter } from "../index-BziRPS4H.mjs";
 export { AdapterFactory, DataAdapter, DrizzleAdapter, DrizzleAdapterOptions, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createDrizzleAdapter, createMongooseAdapter, createPrismaAdapter };

package/dist/audit/index.d.mts

@@ -1,5 +1,5 @@
-import { d as UserBase } from "../fields-Lo1VUDpt.mjs";
-import { kt as RepositoryLike } from "../index-Cl0uoKd5.mjs";
+import { _n as RepositoryLike } from "../index-BGbpGVyM.mjs";
+import { d as UserBase } from "../fields-C8Y0XLAu.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/stores/interface.d.ts

package/dist/audit/index.mjs

@@ -1,12 +1,13 @@
 import fp from "fastify-plugin";
+import { and, anyOf, eq, gte, lt, lte } from "@classytic/repo-core/filter";
 //#region src/audit/repository-audit-adapter.ts
 function repositoryAsAuditStore(repository) {
+	const idField = repository.idField ?? "_id";
 	return {
 		name: "repository",
 		async log(entry) {
 			const doc = {
-				_id: entry.id,
-				id: entry.id,
+				[idField]: entry.id,
 				resource: entry.resource,
 				documentId: entry.documentId,
 				action: entry.action,
@@ -25,35 +26,32 @@ function repositoryAsAuditStore(repository) {
 		},
 		async purgeOlderThan(cutoff) {
 			if (!repository.deleteMany) return 0;
-			return (await repository.deleteMany({ timestamp: { $lt: cutoff } })).deletedCount ?? 0;
+			return (await repository.deleteMany(lt("timestamp", cutoff))).deletedCount ?? 0;
 		},
 		async query(opts = {}) {
 			if (!repository.getAll) throw new Error("auditPlugin: repository.getAll is required for query(). It's on repo-core's MinimalRepo floor — every kit (mongokit, sqlitekit, custom) implements it.");
-			const filter = {};
-			if (opts.resource) filter.resource = opts.resource;
-			if (opts.documentId) filter.documentId = opts.documentId;
-			if (opts.userId) filter.userId = opts.userId;
-			if (opts.organizationId) filter.organizationId = opts.organizationId;
+			const clauses = [];
+			if (opts.resource) clauses.push(eq("resource", opts.resource));
+			if (opts.documentId) clauses.push(eq("documentId", opts.documentId));
+			if (opts.userId) clauses.push(eq("userId", opts.userId));
+			if (opts.organizationId) clauses.push(eq("organizationId", opts.organizationId));
 			if (opts.action) {
 				const actions = Array.isArray(opts.action) ? opts.action : [opts.action];
-				filter.action = actions.length === 1 ? actions[0] : { $in: actions };
-			}
-			if (opts.from || opts.to) {
-				const range = {};
-				if (opts.from) range.$gte = opts.from;
-				if (opts.to) range.$lte = opts.to;
-				filter.timestamp = range;
+				clauses.push(actions.length === 1 ? eq("action", actions[0]) : anyOf("action", actions));
 			}
+			if (opts.from) clauses.push(gte("timestamp", opts.from));
+			if (opts.to) clauses.push(lte("timestamp", opts.to));
+			const filters = clauses.length > 0 ? and(...clauses) : void 0;
 			const limit = opts.limit ?? 100;
 			const page = Math.floor((opts.offset ?? 0) / limit) + 1;
 			const result = await repository.getAll({
-				filters: filter,
+				...filters ? { filters } : {},
 				sort: { timestamp: -1 },
 				page,
 				limit
 			});
 			return (Array.isArray(result) ? result : result.docs ?? []).map((d) => ({
-				id: String(d._id ?? d.id ?? ""),
+				id: String(d[idField] ?? ""),
 				resource: d.resource ?? "",
 				documentId: d.documentId ?? "",
 				action: d.action ?? "create",

package/dist/auth/index.d.mts

@@ -1,7 +1,7 @@
-import { c as PermissionCheck } from "../fields-Lo1VUDpt.mjs";
-import { A as AuthHelpers, j as AuthPluginOptions } from "../index-Cl0uoKd5.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-BkzVU8h2.mjs";
+import { Ut as AuthHelpers, Wt as AuthPluginOptions } from "../index-BGbpGVyM.mjs";
+import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-D-oNWHz3.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest } from "fastify";
 
 //#region src/auth/authPlugin.d.ts

package/dist/auth/index.mjs

@@ -1,7 +1,7 @@
-import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
-import { t as ArcError } from "../errors-D5c-5BJL.mjs";
-import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-Dk6mshja.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-BBRVhjQN.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-D57iXYb8.mjs";
+import { t as ArcError } from "../errors-BqdUDja_.mjs";
+import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-wkqRwicB.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi--rdY15Ld.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -684,7 +684,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-BBRVhjQN.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi--rdY15Ld.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-BkzVU8h2.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-D-oNWHz3.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/cache/index.d.mts

@@ -1,5 +1,5 @@
-import { n as CacheStats, r as CacheStore, t as CacheLogger } from "../interface-D218ikEo.mjs";
-import { a as CacheEnvelope, c as QueryCache, i as queryCachePlugin, l as QueryCacheConfig, n as QueryCacheDefaults, o as CacheResult, r as QueryCachePluginOptions, s as CacheStatus, t as CrossResourceRule } from "../queryCachePlugin-BKbWjgDG.mjs";
+import { n as CacheStats, r as CacheStore, t as CacheLogger } from "../interface-yhyb_pLY.mjs";
+import { a as CacheEnvelope, c as QueryCache, i as queryCachePlugin, l as QueryCacheConfig, n as QueryCacheDefaults, o as CacheResult, r as QueryCachePluginOptions, s as CacheStatus, t as CrossResourceRule } from "../queryCachePlugin-Dumka73q.mjs";
 
 //#region src/cache/keys.d.ts
 /**

package/dist/cache/index.mjs

@@ -1,6 +1,6 @@
-import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-qcD-TVJl.mjs";
-import { t as MemoryCacheStore } from "../memory-B5Amv9A1.mjs";
-import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-DQCEfJis.mjs";
+import { i as versionKey, n as hashParams, r as tagVersionKey, t as buildQueryKey } from "../keys-nWQGUTu1.mjs";
+import { t as MemoryCacheStore } from "../memory-DqI-449b.mjs";
+import { r as QueryCache, t as queryCachePlugin } from "../queryCachePlugin-ChLNZvFT.mjs";
 //#region src/cache/redis.ts
 /**
 * Redis-backed cache store.

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-BPd6NQDm.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-B5F8AddX.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-CcN2LVrc.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-DpNpqBmo.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/cli/commands/generate.mjs

@@ -1,4 +1,4 @@
-import { t as pluralize } from "../../pluralize-A0tWEl1K.mjs";
+import { t as pluralize } from "../../pluralize-CWP6MB39.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 //#region src/cli/commands/generate.ts

package/dist/cli/commands/init.mjs

@@ -102,7 +102,7 @@ async function installDependencies(projectPath, config, pm) {
 	];
 	if (config.auth === "better-auth") deps.push("better-auth@^1.6.0", "mongodb@latest");
 	else deps.push("@fastify/jwt@latest", "bcryptjs@latest");
-	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.10.2", "@classytic/repo-core@^0.1.0", "mongoose@^9.4.1");
+	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.11.0", "@classytic/repo-core@^0.2.0", "mongoose@^9.4.1");
 	const devDeps = ["vitest@latest", "pino-pretty@latest"];
 	if (config.typescript) devDeps.push("typescript@latest", "@types/node@latest", "tsx@latest");
 	const installCmd = getInstallCommand(pm, deps, false);

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-BPd6NQDm.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-CcN2LVrc.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts