@classytic/arc 2.10.3 → 2.10.8

package/dist/context/index.d.mts

@@ -0,0 +1,58 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+
+//#region src/context/requestContext.d.ts
+/**
+ * Shape of the request-scoped context store.
+ * Populated by Arc's onRequest hook in arcCorePlugin.
+ */
+interface RequestStore {
+  /** Unique request identifier */
+  requestId?: string;
+  /** Authenticated user (if any) */
+  user?: {
+    id?: string;
+    _id?: string;
+    roles?: string[];
+    [key: string]: unknown;
+  } | null;
+  /** Active organization ID (multi-tenant) */
+  organizationId?: string;
+  /** Active team ID (team-scoped resources) */
+  teamId?: string;
+  /** Current resource name (set by arcDecorator in CRUD routes) */
+  resourceName?: string;
+  /** Request start time (for timing) */
+  startTime: number;
+  /** Additional context — extensible by app */
+  [key: string]: unknown;
+}
+/**
+ * Request context API.
+ *
+ * - `get()` — returns current store or undefined if outside request scope
+ * - `run(store, fn)` — run a function with a specific store (used by Arc internals)
+ * - `getStore()` — alias for get() (matches Node.js API naming)
+ */
+declare const requestContext: {
+  /**
+   * Get the current request context.
+   * Returns undefined if called outside a request lifecycle.
+   */
+  get(): RequestStore | undefined;
+  /**
+   * Alias for get() — matches Node.js AsyncLocalStorage API naming.
+   */
+  getStore(): RequestStore | undefined;
+  /**
+   * Run a function within a specific request context.
+   * Used internally by Arc's onRequest hook.
+   */
+  run<T>(store: RequestStore, fn: () => T): T;
+  /**
+   * The underlying AsyncLocalStorage instance.
+   * Exposed for advanced use cases (testing, custom integrations).
+   */
+  storage: AsyncLocalStorage<RequestStore>;
+};
+//#endregion
+export { type RequestStore, requestContext };

package/dist/context/index.mjs

@@ -0,0 +1,2 @@
+import { t as requestContext } from "../requestContext-C38GskNt.mjs";
+export { requestContext };

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { G as ResourceDefinition, K as defineResource, a as QueryResolverConfig, c as AccessControl, i as QueryResolver, l as AccessControlConfig, n as BaseController, o as BodySanitizer, r as BaseControllerOptions, s as BodySanitizerConfig } from "../index-Cl0uoKd5.mjs";
-import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-8qw4y6ff.mjs";
+import { B as ResourceDefinition, V as defineResource, an as BaseControllerOptions, cn as BodySanitizer, dn as AccessControlConfig, in as BaseController, ln as BodySanitizerConfig, on as QueryResolver, sn as QueryResolverConfig, un as AccessControl } from "../index-BGbpGVyM.mjs";
+import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-EqQN6p0W.mjs";
 export { AccessControl, AccessControlConfig, BaseController, BaseControllerOptions, BodySanitizer, BodySanitizerConfig, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,4 +1,4 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-BhY1OHoH.mjs";
-import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-CbKKIflT.mjs";
-import { c as createPermissionMiddleware, d as createRequestContext, f as getControllerContext, l as createCrudHandlers, m as sendControllerResponse, n as ResourceDefinition, p as getControllerScope, r as defineResource, s as createCrudRouter, t as defineResourceVariants, u as createFastifyHandler } from "../core-CcR01lup.mjs";
+import { i as AccessControl, n as QueryResolver, r as BodySanitizer, t as BaseController } from "../BaseController-DVNKvoX4.mjs";
+import { c as createPermissionMiddleware, d as createRequestContext, f as getControllerContext, l as createCrudHandlers, m as sendControllerResponse, n as ResourceDefinition, p as getControllerScope, r as defineResource, s as createCrudRouter, t as defineResourceVariants, u as createFastifyHandler } from "../core-3MWJosCH.mjs";
 export { AccessControl, BaseController, BodySanitizer, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{core-CcR01lup.mjs → core-3MWJosCH.mjs}

@@ -1,73 +1,29 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
-import { _ as isElevated, n as PUBLIC_SCOPE, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as BaseController } from "./BaseController-CbKKIflT.mjs";
-import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-bxkeltzz.mjs";
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { r as ForbiddenError } from "./errors-D5c-5BJL.mjs";
-import { t as requestContext } from "./requestContext-xHIKedG6.mjs";
+import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, v as isMember } from "./types-AOD8fxIw.mjs";
+import { t as BaseController } from "./BaseController-DVNKvoX4.mjs";
+import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-CTMWOUDt.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
+import { t as requestContext } from "./requestContext-C38GskNt.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-B2fNOD_i.mjs";
+import { i as getDefaultCrudSchemas } from "./utils-LMwVidKy.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-BxFDdtXu.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-fLJVXdVn.mjs";
-//#region src/pipeline/pipe.ts
+import { t as executePipeline } from "./pipe-CGJxqDGx.mjs";
+import { r as getAvailablePresets, t as applyPresets } from "./presets-CrwOvuXI.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-TUVR3uiZ.mjs";
+//#region src/scope/projection.ts
 /**
-* Compose pipeline steps into an ordered array.
-* Accepts guards, transforms, and interceptors in any order.
+* Compute the request-scope projection. Returns `undefined` when no
+* scope is attached (public / unscoped routes) so hosts can idiomatically
+* write `ctx.scope?.organizationId` without a double-null check.
 */
-function pipe(...steps) {
-	return steps;
-}
-/**
-* Check if a step applies to the given operation.
-*/
-function appliesTo(step, operation) {
-	if (!step.operations || step.operations.length === 0) return true;
-	return step.operations.includes(operation);
-}
-/**
-* Execute a pipeline against a request context.
-*
-* This is the core runtime that createCrudRouter uses to execute pipelines.
-* External usage is not needed — this is wired automatically when `pipe` is set.
-*
-* @param steps - Pipeline steps to execute
-* @param ctx - The pipeline context (extends IRequestContext)
-* @param handler - The actual controller method to call
-* @param operation - The CRUD operation name
-* @returns The controller response (possibly modified by interceptors)
-*/
-async function executePipeline(steps, ctx, handler, operation) {
-	const guards = [];
-	const transforms = [];
-	const interceptors = [];
-	for (const step of steps) {
-		if (!appliesTo(step, operation)) continue;
-		switch (step._type) {
-			case "guard":
-				guards.push(step);
-				break;
-			case "transform":
-				transforms.push(step);
-				break;
-			case "interceptor":
-				interceptors.push(step);
-				break;
-		}
-	}
-	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
-	let currentCtx = ctx;
-	for (const t of transforms) {
-		const result = await t.handler(currentCtx);
-		if (result) currentCtx = result;
-	}
-	let chain = () => handler(currentCtx);
-	for (let i = interceptors.length - 1; i >= 0; i--) {
-		const interceptor = interceptors[i];
-		const next = chain;
-		chain = () => interceptor.handler(currentCtx, next);
-	}
-	return chain();
+function buildRequestScopeProjection(scope) {
+	if (!scope) return void 0;
+	return {
+		organizationId: getOrgId(scope),
+		userId: getUserId(scope),
+		orgRoles: isMember(scope) ? scope.orgRoles : void 0
+	};
 }
 //#endregion
 //#region src/core/fastifyAdapter.ts
@@ -119,6 +75,8 @@ function createRequestContext(req) {
 		queryCache: srv && "queryCache" in srv ? srv.queryCache : void 0,
 		log: req.log
 	};
+	const rawScope = reqWithExtras.scope;
+	const scopeProjection = buildRequestScopeProjection(rawScope);
 	return {
 		query: reqWithExtras.query ?? {},
 		body: reqWithExtras.body ?? {},
@@ -135,10 +93,11 @@ function createRequestContext(req) {
 			};
 		})() : null,
 		context: requestContext,
+		scope: scopeProjection,
 		metadata: {
 			...reqWithExtras.context,
 			arc: reqWithExtras.arc,
-			_scope: reqWithExtras.scope,
+			_scope: rawScope,
 			_ownershipCheck: reqWithExtras._ownershipCheck,
 			_policyFilters: reqWithExtras._policyFilters ?? {},
 			log: reqWithExtras.log
@@ -667,6 +626,52 @@ function createPermissionMiddleware(permission, resourceName, action) {
 	return buildPermissionMiddleware(permission, resourceName, action);
 }
 //#endregion
+//#region src/core/schemaOptions.ts
+/**
+* Inject the tenant-scoping field rule into `schemaOptions.fieldRules`:
+*
+*   { [tenantField]: { systemManaged: true, preserveForElevated: true } }
+*
+* Why both flags: `systemManaged` tells `BodySanitizer` to strip the
+* field from inbound bodies (so member clients can't forge a target
+* tenant). `preserveForElevated` exempts elevated-admin scopes from the
+* strip, so platform admins without a pinned org can still pick a target
+* org via the request body (the only channel they have —
+* `BaseController.create` can't re-stamp from scope when scope has no
+* orgId).
+*
+* **Returns a new `RouteSchemaOptions`** — the input is never mutated.
+* Callers should assign the return value to whatever config slot they
+* read from downstream (always the `resolvedConfig`, never raw `config`).
+*
+* **No-op when:**
+* - `tenantField` is `false` (platform-universal resource)
+* - `tenantField` is undefined
+* - The caller already declared `fieldRules[tenantField].systemManaged`
+*   (even as `false`) — explicit opt-outs are respected
+*
+* `preserveForElevated` defaults to `true` but is preserved verbatim
+* when the caller set it explicitly.
+*/
+function autoInjectTenantFieldRules(schemaOptions, tenantField) {
+	if (tenantField === false || tenantField === void 0) return schemaOptions;
+	const fieldName = tenantField || "organizationId";
+	const existing = schemaOptions?.fieldRules ?? {};
+	const existingRule = existing[fieldName];
+	if (existingRule && existingRule.systemManaged !== void 0) return schemaOptions;
+	return {
+		...schemaOptions ?? {},
+		fieldRules: {
+			...existing,
+			[fieldName]: {
+				...existingRule ?? {},
+				systemManaged: true,
+				preserveForElevated: existingRule?.preserveForElevated ?? true
+			}
+		}
+	};
+}
+//#endregion
 //#region src/core/validateResourceConfig.ts
 /**
 * Resource Configuration Validator
@@ -926,6 +931,7 @@ function defineResource(config) {
 	const originalPresets = (config.presets ?? []).map((p) => typeof p === "string" ? p : p.name);
 	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
 	resolvedConfig._appliedPresets = originalPresets;
+	resolvedConfig.schemaOptions = autoInjectTenantFieldRules(resolvedConfig.schemaOptions, resolvedConfig.tenantField);
 	let controller = resolvedConfig.controller;
 	if (!controller && hasCrudRoutes && repository) {
 		const qp = resolvedConfig.queryParser;
@@ -941,6 +947,7 @@ function defineResource(config) {
 			maxLimit: maxLimitFromParser,
 			tenantField: resolvedConfig.tenantField,
 			idField: resolvedConfig.idField,
+			...resolvedConfig.defaultSort !== void 0 ? { defaultSort: resolvedConfig.defaultSort } : {},
 			matchesFilter: config.adapter?.matchesFilter,
 			cache: resolvedConfig.cache,
 			onFieldWriteDenied: resolvedConfig.onFieldWriteDenied,
@@ -965,11 +972,17 @@ function defineResource(config) {
 	if (config.hooks) {
 		const h = config.hooks;
 		const inlineHooks = [];
-		const toCtx = (ctx) => ({
-			data: ctx.data ?? ctx.result ?? {},
-			user: ctx.user,
-			meta: ctx.meta
-		});
+		const toCtx = (ctx) => {
+			const context = ctx.context;
+			const rawScope = context?._scope;
+			return {
+				data: ctx.data ?? ctx.result ?? {},
+				user: ctx.user,
+				context,
+				scope: buildRequestScopeProjection(rawScope),
+				meta: ctx.meta
+			};
+		};
 		if (h.beforeCreate) {
 			const fn = h.beforeCreate;
 			inlineHooks.push({
@@ -1028,15 +1041,15 @@ function defineResource(config) {
 	}
 	if (!config.skipRegistry) try {
 		let openApiSchemas;
-		if (config.adapter?.generateSchemas) {
+		if (resolvedConfig.adapter?.generateSchemas) {
 			const adapterContext = {
-				idField: config.idField,
-				resourceName: config.name
+				idField: resolvedConfig.idField,
+				resourceName: resolvedConfig.name
 			};
-			const generated = config.adapter.generateSchemas(config.schemaOptions, adapterContext);
+			const generated = resolvedConfig.adapter.generateSchemas(resolvedConfig.schemaOptions, adapterContext);
 			if (generated) openApiSchemas = generated;
 		}
-		if (config.idField && config.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
+		if (resolvedConfig.idField && resolvedConfig.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
 			const params = openApiSchemas.params;
 			const properties = params.properties;
 			const idProp = properties?.id;
@@ -1047,7 +1060,7 @@ function defineResource(config) {
 					delete cleanedId.pattern;
 					delete cleanedId.minLength;
 					delete cleanedId.maxLength;
-					if (!cleanedId.description) cleanedId.description = `${config.idField} (custom ID field)`;
+					if (!cleanedId.description) cleanedId.description = `${resolvedConfig.idField} (custom ID field)`;
 					openApiSchemas = {
 						...openApiSchemas,
 						params: {
@@ -1061,7 +1074,7 @@ function defineResource(config) {
 				}
 			}
 		}
-		const queryParser = config.queryParser;
+		const queryParser = resolvedConfig.queryParser;
 		if (queryParser?.getQuerySchema) {
 			const querySchema = queryParser.getQuerySchema();
 			if (querySchema) openApiSchemas = {
@@ -1069,13 +1082,13 @@ function defineResource(config) {
 				listQuery: querySchema
 			};
 		}
-		if (config.openApiSchemas) openApiSchemas = {
+		if (resolvedConfig.openApiSchemas) openApiSchemas = {
 			...openApiSchemas,
-			...config.openApiSchemas
+			...resolvedConfig.openApiSchemas
 		};
 		if (openApiSchemas) openApiSchemas = convertOpenApiSchemas(openApiSchemas);
 		resource._registryMeta = {
-			module: config.module,
+			module: resolvedConfig.module,
 			openApiSchemas
 		};
 	} catch {}
@@ -1287,8 +1300,8 @@ var ResourceDefinition = class {
 					fields: self.fields
 				});
 				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-Bp_5c_2b.mjs").then((n) => n.n);
-					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag));
+					const { createActionRouter } = await import("./createActionRouter-C8UUB3Px.mjs").then((n) => n.n);
+					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag, self.permissions, self.name, typedInstance.log));
 				}
 				if (self.events && Object.keys(self.events).length > 0) typedInstance.log?.debug?.(`Resource '${self.name}' defined ${Object.keys(self.events).length} events`);
 			}, { prefix: self.prefix });
@@ -1354,18 +1367,53 @@ function capitalize(str) {
 	return str.charAt(0).toUpperCase() + str.slice(1);
 }
 /**
-* Normalize ActionsMap into the ActionRouterConfig shape that createActionRouter expects.
+* Normalize `ActionsMap` into the `ActionRouterConfig` shape that
+* `createActionRouter` expects.
+*
+* **Permission fallback chain (fail-closed, v2.10.5):**
+* Actions mutate state, so "no permission declared" historically meant
+* "authenticated users can call it" — a silent authz hole for apps using
+* the function shorthand `actions: { send: async (id, data, req) => ... }`.
+*
+* The chain is now:
+*   1. `ActionDefinition.permissions` — explicit per-action check.
+*   2. Resource-level `actionPermissions` — explicit global-for-actions.
+*   3. Resource-level `permissions.update` — sensible default (actions mutate).
+*   4. Boot-time error — forces the author to pick an explicit gate.
+*
+* When step 3 fires, we log a warning (not a throw) so upgrading apps
+* aren't bricked by the behavior change, but the gap is visible. Apps
+* that genuinely want public actions must declare `allowPublic()`
+* explicitly — auth-by-accident is no longer a supported state.
 */
-function normalizeActionsToRouterConfig(actions, globalAuth, tag) {
+function normalizeActionsToRouterConfig(actions, globalAuth, tag, resourcePermissions, resourceName, log) {
 	const handlers = {};
 	const permissions = {};
 	const schemas = {};
-	for (const [name, entry] of Object.entries(actions)) if (typeof entry === "function") handlers[name] = entry;
-	else {
-		const def = entry;
-		handlers[name] = def.handler;
-		if (def.permissions) permissions[name] = def.permissions;
-		if (def.schema) schemas[name] = def.schema;
+	for (const [name, entry] of Object.entries(actions)) {
+		const explicit = typeof entry !== "function" && entry.permissions ? entry.permissions : void 0;
+		if (typeof entry === "function") handlers[name] = entry;
+		else {
+			const def = entry;
+			handlers[name] = def.handler;
+			if (def.permissions) permissions[name] = def.permissions;
+			if (def.schema) schemas[name] = def.schema;
+		}
+		const effective = resolveActionPermission({
+			action: entry,
+			resourcePermissions,
+			resourceActionPermissions: void 0,
+			globalAuth
+		});
+		if (!explicit && !globalAuth && effective && effective === resourcePermissions?.update) {
+			permissions[name] = effective;
+			log?.warn?.({
+				resource: resourceName,
+				action: name,
+				fallback: "permissions.update"
+			}, `[Arc] Action '${resourceName}.${name}' has no explicit permission — falling back to the resource's \`permissions.update\` gate. Declare \`actions.${name}.permissions\` (or resource \`actionPermissions\`) to silence this.`);
+		}
+		if (!effective) throw new Error(`[Arc] Resource '${resourceName}': action '${name}' has no permission gate and the resource defines no \`permissions.update\` fallback. Declare one of:\n  - \`actions.${name}.permissions: <PermissionCheck>\` (per-action)\n  - \`actionPermissions: <PermissionCheck>\` (resource-wide)\n  - \`permissions.update: <PermissionCheck>\` (inherited by actions)\nUse \`allowPublic()\` if you genuinely want the action unauthenticated.`);
 	}
 	return {
 		tag,
@@ -1408,4 +1456,4 @@ function defineResourceVariants(base, variants) {
 	return out;
 }
 //#endregion
-export { formatValidationErrors as a, createPermissionMiddleware as c, createRequestContext as d, getControllerContext as f, pipe as h, assertValidConfig as i, createCrudHandlers as l, sendControllerResponse as m, ResourceDefinition as n, validateResourceConfig as o, getControllerScope as p, defineResource as r, createCrudRouter as s, defineResourceVariants as t, createFastifyHandler as u };
+export { formatValidationErrors as a, createPermissionMiddleware as c, createRequestContext as d, getControllerContext as f, assertValidConfig as i, createCrudHandlers as l, sendControllerResponse as m, ResourceDefinition as n, validateResourceConfig as o, getControllerScope as p, defineResource as r, createCrudRouter as s, defineResourceVariants as t, createFastifyHandler as u };

package/dist/{createApp-BuvPma24.mjs → createApp-BwnEAO2h.mjs}

@@ -116,10 +116,7 @@ const developmentPreset = {
 			"x-request-id"
 		]
 	},
-	rateLimit: {
-		max: 1e3,
-		timeWindow: "1 minute"
-	},
+	rateLimit: false,
 	underPressure: {
 		exposeStatusRoute: true,
 		maxEventLoopDelay: 5e3
@@ -207,7 +204,7 @@ async function registerArcCore(fastify, config, trackPlugin) {
 	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
 	trackPlugin("arc-core");
 	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin-DCUjuiQT.mjs").then((n) => n.n);
+		const { default: eventPlugin } = await import("./eventPlugin-ByU4Cv0e.mjs").then((n) => n.n);
 		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
 		await fastify.register(eventPlugin, {
 			...eventOpts,
@@ -243,15 +240,15 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 		trackPlugin("arc-graceful-shutdown");
 	}
 	if (config.arcPlugins?.caching) {
-		const { default: cachingPlugin } = await import("./caching-CBpK_SCM.mjs").then((n) => n.r);
+		const { default: cachingPlugin } = await import("./caching-3h93rkJM.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.caching === true ? {} : config.arcPlugins.caching;
 		await fastify.register(cachingPlugin, opts);
 		trackPlugin("arc-caching", opts);
 	}
 	if (config.arcPlugins?.queryCache) {
-		const { queryCachePlugin } = await import("./queryCachePlugin-DQCEfJis.mjs").then((n) => n.n);
+		const { queryCachePlugin } = await import("./queryCachePlugin-ChLNZvFT.mjs").then((n) => n.n);
 		const opts = config.arcPlugins.queryCache === true ? {} : config.arcPlugins.queryCache;
-		const store = config.stores?.queryCache ?? new (await (import("./memory-B5Amv9A1.mjs").then((n) => n.n))).MemoryCacheStore();
+		const store = config.stores?.queryCache ?? new (await (import("./memory-DqI-449b.mjs").then((n) => n.n))).MemoryCacheStore();
 		await fastify.register(queryCachePlugin, {
 			store,
 			...opts
@@ -260,19 +257,19 @@ async function registerArcPlugins(fastify, config, trackPlugin, modules) {
 	}
 	if (config.arcPlugins?.sse) if (config.arcPlugins?.events === false) fastify.log.warn("SSE plugin requires events plugin (arcPlugins.events). SSE disabled.");
 	else {
-		const { default: ssePlugin } = await import("./sse-yBCgOLGu.mjs").then((n) => n.r);
+		const { default: ssePlugin } = await import("./sse-D8UeDwis.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.sse === true ? {} : config.arcPlugins.sse;
 		await fastify.register(ssePlugin, opts);
 		trackPlugin("arc-sse", opts);
 	}
 	if (config.arcPlugins?.metrics) {
-		const { default: metricsPlugin } = await import("./metrics-DuhiSEZI.mjs").then((n) => n.r);
+		const { default: metricsPlugin } = await import("./metrics-TuOmguhi.mjs").then((n) => n.r);
 		const opts = config.arcPlugins.metrics === true ? {} : config.arcPlugins.metrics;
 		await fastify.register(metricsPlugin, opts);
 		trackPlugin("arc-metrics", opts);
 	}
 	if (config.arcPlugins?.versioning) {
-		const { default: versioningPlugin } = await import("./versioning-C2U_bLY0.mjs").then((n) => n.r);
+		const { default: versioningPlugin } = await import("./versioning-B6mimogM.mjs").then((n) => n.r);
 		await fastify.register(versioningPlugin, config.arcPlugins.versioning);
 		trackPlugin("arc-versioning", config.arcPlugins.versioning);
 	}
@@ -303,7 +300,8 @@ async function registerAuth(fastify, config, trackPlugin) {
 			const { plugin, openapi } = authConfig.betterAuth;
 			await fastify.register(plugin);
 			trackPlugin("auth-better-auth");
-			if (openapi && !fastify.arc.externalOpenApiPaths.includes(openapi)) fastify.arc.externalOpenApiPaths.push(openapi);
+			const arc = fastify.arc;
+			if (arc && openapi && !arc.externalOpenApiPaths.includes(openapi)) arc.externalOpenApiPaths.push(openapi);
 			fastify.log.debug("Better Auth authentication enabled");
 			break;
 		}
@@ -340,7 +338,7 @@ async function registerAuth(fastify, config, trackPlugin) {
 */
 async function registerElevation(fastify, config, trackPlugin) {
 	if (!config.elevation) return;
-	const { elevationPlugin } = await import("./elevation-C7hgL_aI.mjs").then((n) => n.r);
+	const { elevationPlugin } = await import("./elevation-Dci0AYLT.mjs").then((n) => n.r);
 	await fastify.register(elevationPlugin, config.elevation);
 	trackPlugin("arc-elevation", config.elevation);
 	fastify.log.debug("Elevation plugin enabled");
@@ -350,7 +348,7 @@ async function registerElevation(fastify, config, trackPlugin) {
 */
 async function registerErrorHandler(fastify, config, trackPlugin) {
 	if (config.errorHandler === false) return;
-	const { errorHandlerPlugin } = await import("./errorHandler-Bb49BvPD.mjs").then((n) => n.r);
+	const { errorHandlerPlugin } = await import("./errorHandler-CSxe7KIM.mjs").then((n) => n.r);
 	const errorOpts = typeof config.errorHandler === "object" ? config.errorHandler : { includeStack: config.preset !== "production" };
 	await fastify.register(errorHandlerPlugin, errorOpts);
 	trackPlugin("arc-error-handler", errorOpts);
@@ -417,7 +415,7 @@ async function registerResources(fastify, config) {
 		fastify.log.debug(`${config.bootstrap.length} bootstrap function(s) executed`);
 	}
 	if (!config.resources?.length && config.resourceDir) {
-		const { loadResources } = await import("./loadResources-BAzJItAJ.mjs").then((n) => n.n);
+		const { loadResources } = await import("./loadResources-Bksk8ydA.mjs").then((n) => n.n);
 		const { resolve } = await import("node:path");
 		const dir = resolve(config.resourceDir);
 		config = {
@@ -463,6 +461,40 @@ async function registerResources(fastify, config) {
 }
 //#endregion
 //#region src/factory/registerSecurity.ts
+/**
+* Translate `skipPaths` sugar into a `@fastify/rate-limit` `allowList`
+* function. A user-supplied `allowList` (array of IPs or function) is
+* preserved and OR-ed with the path match.
+*/
+function buildRateLimitOpts(input) {
+	const { skipPaths, allowList, ...rest } = input;
+	if (!skipPaths || skipPaths.length === 0) return allowList === void 0 ? rest : {
+		...rest,
+		allowList
+	};
+	const matchesPath = compilePathMatcher(skipPaths);
+	const combined = async (req, key) => {
+		if (matchesPath((req.url ?? "").split("?", 1)[0] ?? "")) return true;
+		if (typeof allowList === "function") return await allowList(req, key);
+		if (Array.isArray(allowList)) return allowList.includes(key);
+		return false;
+	};
+	return {
+		...rest,
+		allowList: combined
+	};
+}
+function compilePathMatcher(patterns) {
+	const prefixes = [];
+	const exact = /* @__PURE__ */ new Set();
+	for (const p of patterns) if (p.endsWith("*")) prefixes.push(p.slice(0, -1));
+	else exact.add(p);
+	return (path) => {
+		if (exact.has(path)) return true;
+		for (const pre of prefixes) if (path.startsWith(pre)) return true;
+		return false;
+	};
+}
 const PLUGIN_REGISTRY = {
 	cors: {
 		package: "@fastify/cors",
@@ -532,10 +564,10 @@ async function registerSecurityPlugins(fastify, config) {
 	} else fastify.log.warn("CORS disabled");
 	if (config.rateLimit !== false) {
 		const rateLimit = await loadPlugin("rateLimit");
-		const rateLimitOpts = config.rateLimit ?? {
+		const rateLimitOpts = buildRateLimitOpts(config.rateLimit ?? {
 			max: 100,
 			timeWindow: "1 minute"
-		};
+		});
 		await fastify.register(rateLimit, rateLimitOpts);
 		if (!(typeof rateLimitOpts === "object" && "store" in rateLimitOpts)) {
 			if (config.runtime === "distributed") throw new Error("[Arc] runtime: 'distributed' with rate limiting requires a shared store.\nProvide rateLimit: { store: new RedisStore({ ... }) } or disable rate limiting: rateLimit: false");
@@ -676,7 +708,7 @@ function validateDistributedRuntime(options) {
 */
 async function createApp(options) {
 	if (options.debug !== void 0 && options.debug !== false) {
-		const { configureArcLogger } = await import("./logger-DLg8-Ueg.mjs").then((n) => n.r);
+		const { configureArcLogger } = await import("./logger/index.mjs");
 		configureArcLogger({ debug: options.debug });
 	}
 	validateAuthOptions(options);
@@ -717,7 +749,9 @@ async function createApp(options) {
 	await registerSecurityPlugins(fastify, config);
 	await registerUtilityPlugins(fastify, config);
 	const trackPlugin = (name, opts) => {
-		fastify.arc.plugins.set(name, {
+		const arc = fastify.arc;
+		if (!arc) return;
+		arc.plugins.set(name, {
 			name,
 			options: opts,
 			registeredAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -730,7 +764,7 @@ async function createApp(options) {
 	await registerErrorHandler(fastify, config, trackPlugin);
 	await registerResources(fastify, config);
 	if (config.replyHelpers) {
-		const { replyHelpersPlugin } = await import("./replyHelpers-CXtJDAZ0.mjs").then((n) => n.n);
+		const { replyHelpersPlugin } = await import("./replyHelpers-BLojtuvR.mjs").then((n) => n.n);
 		await fastify.register(replyHelpersPlugin);
 	}
 	if (config.serializeBigInt) fastify.addHook("preSerialization", async (_request, _reply, payload) => {

package/dist/docs/index.d.mts

@@ -1,5 +1,5 @@
-import { x as RegistryEntry } from "../index-Cl0uoKd5.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
+import { p as RegistryEntry } from "../index-BGbpGVyM.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/docs/openapi.d.ts

package/dist/docs/index.mjs

@@ -1,5 +1,5 @@
-import { t as getUserRoles } from "../types-DV9WDfeg.mjs";
-import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-B5F8AddX.mjs";
+import { t as getUserRoles } from "../types-D57iXYb8.mjs";
+import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-DpNpqBmo.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/scalar.ts
 const scalarPlugin = async (fastify, opts = {}) => {

package/dist/{elevation-C7hgL_aI.mjs → elevation-Dci0AYLT.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
+import { arcLog } from "./logger/index.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
 import fp from "fastify-plugin";
 //#region src/scope/elevation.ts
 var elevation_exports = /* @__PURE__ */ __exportAll({