@classytic/arc 2.10.3 → 2.10.8

package/dist/middleware/index.d.mts

@@ -0,0 +1,109 @@
+import { I as MiddlewareHandler, L as RequestWithExtras, pt as MiddlewareConfig } from "../index-BGbpGVyM.mjs";
+import { RouteHandlerMethod } from "fastify";
+
+//#region src/middleware/middleware.d.ts
+interface NamedMiddleware {
+  /** Unique name for debugging/introspection */
+  readonly name: string;
+  /** Operations this middleware applies to (default: all) */
+  readonly operations?: Array<"list" | "get" | "create" | "update" | "delete" | string>;
+  /** Priority — lower numbers run first (default: 10) */
+  readonly priority: number;
+  /** Conditional execution — return true to run, false to skip */
+  readonly when?: (request: RequestWithExtras) => boolean | Promise<boolean>;
+  /** The middleware handler */
+  readonly handler: MiddlewareHandler;
+}
+interface MiddlewareOptions {
+  operations?: NamedMiddleware["operations"];
+  priority?: number;
+  when?: NamedMiddleware["when"];
+  handler: MiddlewareHandler;
+}
+/**
+ * Create a named middleware with priority and conditions.
+ */
+declare function middleware(name: string, options: MiddlewareOptions): NamedMiddleware;
+/**
+ * Sort named middlewares by priority (ascending — lower runs first).
+ * Returns a MiddlewareConfig map keyed by operation, ready to pass to `defineResource()`.
+ */
+declare function sortMiddlewares(middlewares: NamedMiddleware[]): MiddlewareConfig;
+//#endregion
+//#region src/middleware/multipartBody.d.ts
+/** Parsed file from multipart form-data */
+interface ParsedFile {
+  /** Original filename */
+  filename: string;
+  /** MIME type */
+  mimetype: string;
+  /** File contents as Buffer */
+  buffer: Buffer;
+  /** File size in bytes */
+  size: number;
+  /** Form field name */
+  fieldname: string;
+}
+interface MultipartBodyOptions {
+  /**
+   * Maximum file size in bytes (default: 10MB).
+   * Files exceeding this are rejected with 413.
+   */
+  maxFileSize?: number;
+  /**
+   * Maximum number of files (default: 5).
+   * Extra files are silently ignored.
+   */
+  maxFiles?: number;
+  /**
+   * Allowed MIME types (default: all).
+   * Files with disallowed types are rejected with 415.
+   *
+   * Supports three forms in a single list:
+   *   - Exact: `image/png`
+   *   - Subtype wildcard: `image/\*` — any `image/…`
+   *   - Any:   `\*` or `\*\/\*` — equivalent to omitting the option
+   *
+   * @example ['image/jpeg', 'image/png', 'application/pdf']
+   * @example ['image/*', 'application/pdf']
+   * @example ['*']   // accept any type explicitly
+   */
+  allowedMimeTypes?: string[];
+  /**
+   * Key on `req.body` where parsed files are attached (default: '_files').
+   * Set to a custom key if '_files' conflicts with your schema.
+   *
+   * Note: this is the **destination** key — it controls where parsed files
+   * land on `req.body`, not which form fields are required. To enforce that
+   * a specific file field must be present in the request, use `requiredFields`.
+   */
+  filesKey?: string;
+  /**
+   * Multipart form field names that MUST be present in the request.
+   * Returns 400 with `{ success: false, error, code: 'MISSING_FILE_FIELDS' }`
+   * when any listed field is absent from the uploaded files.
+   *
+   * Only enforced when the request IS multipart — JSON requests still pass
+   * through as no-ops so the same middleware stays safe to add to shared
+   * create/update routes that accept both content types.
+   *
+   * @example ['file']                  // single-field upload (OCR, classify)
+   * @example ['avatar', 'cover']       // multi-field upload (profile editor)
+   */
+  requiredFields?: string[];
+}
+/**
+ * Create a multipart body parsing middleware.
+ *
+ * When a request has `content-type: multipart/form-data`, this middleware:
+ * 1. Reads all parts (fields + files)
+ * 2. Sets text fields on `req.body` as a plain object
+ * 3. Attaches file buffers to `req.body[filesKey]` (default: `req.body._files`)
+ *
+ * For non-multipart requests (regular JSON), this is a no-op — the request
+ * passes through unchanged. This makes it safe to add to create/update
+ * middlewares without breaking JSON clients.
+ */
+declare function multipartBody(options?: MultipartBodyOptions): RouteHandlerMethod;
+//#endregion
+export { type MultipartBodyOptions, type NamedMiddleware, type ParsedFile, middleware, multipartBody, sortMiddlewares };

package/dist/middleware/index.mjs

@@ -0,0 +1,70 @@
+import { t as CRUD_OPERATIONS } from "../constants-BhY1OHoH.mjs";
+import { t as multipartBody } from "../multipartBody-CUQGVlM_.mjs";
+//#region src/middleware/middleware.ts
+/**
+* Named Middleware — Priority-based, conditional middleware execution.
+*
+* Named middleware replaces flat arrays with structured, inspectable middleware
+* that runs in priority order and supports conditional execution.
+*
+* @example
+* ```typescript
+* import { middleware } from '@classytic/arc/middleware';
+*
+* const verifyEmail = middleware('verifyEmail', {
+*   operations: ['create', 'update'],
+*   priority: 5,
+*   when: (req) => !req.user?.emailVerified,
+*   handler: async (req, reply) => {
+*     reply.code(403).send({ error: 'Email verification required' });
+*   },
+* });
+*
+* const rateLimit = middleware('rateLimit', {
+*   priority: 1,
+*   handler: async (req, reply) => {
+*     // rate limit logic
+*   },
+* });
+*
+* const productResource = defineResource({
+*   name: 'product',
+*   adapter,
+*   middlewares: sortMiddlewares([verifyEmail, rateLimit]),
+* });
+* ```
+*/
+/**
+* Create a named middleware with priority and conditions.
+*/
+function middleware(name, options) {
+	return {
+		name,
+		operations: options.operations,
+		priority: options.priority ?? 10,
+		when: options.when,
+		handler: options.handler
+	};
+}
+/**
+* Sort named middlewares by priority (ascending — lower runs first).
+* Returns a MiddlewareConfig map keyed by operation, ready to pass to `defineResource()`.
+*/
+function sortMiddlewares(middlewares) {
+	const sorted = [...middlewares].sort((a, b) => a.priority - b.priority);
+	const operations = CRUD_OPERATIONS;
+	const result = {};
+	for (const op of operations) {
+		const applicable = sorted.filter((m) => !m.operations || m.operations.length === 0 || m.operations.includes(op));
+		if (applicable.length > 0) result[op] = applicable.map((m) => {
+			if (!m.when) return m.handler;
+			const wrapped = async (request, reply) => {
+				if (await m.when?.(request)) return m.handler(request, reply);
+			};
+			return wrapped;
+		});
+	}
+	return result;
+}
+//#endregion
+export { middleware, multipartBody, sortMiddlewares };

package/dist/multipartBody-CUQGVlM_.mjs

@@ -0,0 +1,123 @@
+//#region src/middleware/multipartBody.ts
+const DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+const DEFAULT_MAX_FILES = 5;
+const DEFAULT_FILES_KEY = "_files";
+/**
+* Build a matcher for MIME allow-lists that supports exact (e.g. `image/png`),
+* subtype wildcards (e.g. `image/\*`), and total wildcards (`\*` or `\*\/\*`).
+*
+* Returns `undefined` when no filter is needed — either because the option
+* was omitted or because a total wildcard was present.
+*/
+function buildMimeMatcher(allowed) {
+	if (!allowed || allowed.length === 0) return void 0;
+	const exact = /* @__PURE__ */ new Set();
+	const prefixes = [];
+	for (const entry of allowed) {
+		const value = entry.trim().toLowerCase();
+		if (!value) continue;
+		if (value === "*" || value === "*/*") return void 0;
+		if (value.endsWith("/*")) prefixes.push(value.slice(0, -1));
+		else exact.add(value);
+	}
+	if (exact.size === 0 && prefixes.length === 0) return void 0;
+	return {
+		matches(mime) {
+			const m = mime.toLowerCase();
+			if (exact.has(m)) return true;
+			for (const p of prefixes) if (m.startsWith(p)) return true;
+			return false;
+		},
+		describe() {
+			return [...exact, ...prefixes.map((p) => `${p}*`)].join(", ");
+		}
+	};
+}
+/**
+* Create a multipart body parsing middleware.
+*
+* When a request has `content-type: multipart/form-data`, this middleware:
+* 1. Reads all parts (fields + files)
+* 2. Sets text fields on `req.body` as a plain object
+* 3. Attaches file buffers to `req.body[filesKey]` (default: `req.body._files`)
+*
+* For non-multipart requests (regular JSON), this is a no-op — the request
+* passes through unchanged. This makes it safe to add to create/update
+* middlewares without breaking JSON clients.
+*/
+function multipartBody(options = {}) {
+	const maxFileSize = options.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+	const maxFiles = options.maxFiles ?? DEFAULT_MAX_FILES;
+	const mimeMatcher = buildMimeMatcher(options.allowedMimeTypes);
+	const filesKey = options.filesKey ?? DEFAULT_FILES_KEY;
+	const requiredFields = options.requiredFields && options.requiredFields.length > 0 ? options.requiredFields : void 0;
+	return async function parseMultipartBody(request, reply) {
+		if (!(request.headers["content-type"] ?? "").includes("multipart/form-data")) return;
+		if (typeof request.parts !== "function") {
+			request.log.warn("multipartBody middleware: @fastify/multipart not registered. Ensure createApp() has multipart enabled (default) or install @fastify/multipart.");
+			return;
+		}
+		const body = {};
+		const files = {};
+		let fileCount = 0;
+		try {
+			const parts = request.parts();
+			for await (const part of parts) if (part.type === "file") {
+				if (fileCount >= maxFiles) continue;
+				if (mimeMatcher && !mimeMatcher.matches(part.mimetype)) return reply.code(415).send({
+					success: false,
+					error: `File type '${part.mimetype}' not allowed. Accepted: ${mimeMatcher.describe()}`
+				});
+				const buffer = await part.toBuffer();
+				if (buffer.length > maxFileSize) return reply.code(413).send({
+					success: false,
+					error: `File '${part.filename}' exceeds maximum size of ${Math.round(maxFileSize / 1024 / 1024)}MB`
+				});
+				files[part.fieldname] = {
+					filename: part.filename,
+					mimetype: part.mimetype,
+					buffer,
+					size: buffer.length,
+					fieldname: part.fieldname
+				};
+				fileCount++;
+			} else body[part.fieldname] = tryParseValue(part.value);
+		} catch (err) {
+			request.log.error({ err }, "multipartBody: failed to parse multipart form");
+			return reply.code(400).send({
+				success: false,
+				error: "Failed to parse multipart form data"
+			});
+		}
+		if (requiredFields) {
+			const missing = requiredFields.filter((name) => !(name in files));
+			if (missing.length > 0) return reply.code(400).send({
+				success: false,
+				error: `Missing required file field${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`,
+				code: "MISSING_FILE_FIELDS",
+				details: { missing }
+			});
+		}
+		if (fileCount > 0) body[filesKey] = files;
+		request.body = body;
+	};
+}
+/**
+* Try to parse a form field value as JSON, number, or boolean.
+* Falls back to the raw string if parsing fails.
+*/
+function tryParseValue(value) {
+	if (value === "true") return true;
+	if (value === "false") return false;
+	if (value === "null") return null;
+	if (/^-?\d+(\.\d+)?$/.test(value) && value.length < 16) {
+		const num = Number(value);
+		if (Number.isFinite(num)) return num;
+	}
+	if (value.startsWith("{") && value.endsWith("}") || value.startsWith("[") && value.endsWith("]")) try {
+		return JSON.parse(value);
+	} catch {}
+	return value;
+}
+//#endregion
+export { multipartBody as t };

package/dist/{openapi-B5F8AddX.mjs → openapi-DpNpqBmo.mjs}

@@ -1,6 +1,7 @@
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
 import { n as convertRouteSchema } from "./schemaConverter-BxFDdtXu.mjs";
-import { t as buildActionBodySchema } from "./createActionRouter-Bp_5c_2b.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-TUVR3uiZ.mjs";
+import { t as buildActionBodySchema } from "./createActionRouter-C8UUB3Px.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/openapi.ts
 const openApiPlugin = async (fastify, opts = {}) => {
@@ -327,12 +328,13 @@ function generateResourcePaths(resource, apiPrefix = "", additionalSecurity = []
 			const descStr = a.description ? ` — ${a.description}` : "";
 			descLines.push(`- \`${a.name}\`${roleStr}${descStr}`);
 		}
-		const fallbackPerm = resource.actionPermissions;
-		const fallbackRequiresAuth = typeof fallbackPerm === "function" && !fallbackPerm._isPublic;
 		const anyAuthRequired = resource.actions.some((a) => {
-			const p = a.permissions;
-			if (typeof p === "function") return !p._isPublic;
-			return fallbackRequiresAuth;
+			const effective = resolveActionPermission({
+				action: { permissions: a.permissions },
+				resourcePermissions: resource.permissions,
+				resourceActionPermissions: resource.actionPermissions
+			});
+			return typeof effective === "function" && !effective._isPublic;
 		});
 		if (!paths[actionPath]) paths[actionPath] = {};
 		paths[actionPath].post = createOperation(resource, "action", `Perform action (${actionEnum.join(" / ")})`, {

package/dist/org/index.d.mts

@@ -1,5 +1,5 @@
-import { d as UserBase } from "../fields-Lo1VUDpt.mjs";
-import { Ct as RouteHandler } from "../index-Cl0uoKd5.mjs";
+import { Pt as RouteHandler } from "../index-BGbpGVyM.mjs";
+import { d as UserBase } from "../fields-C8Y0XLAu.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";
 

package/dist/permissions/index.d.mts

@@ -1,3 +1,3 @@
-import { a as applyFieldWritePermissions, c as PermissionCheck, d as UserBase, f as getUserRoles, i as applyFieldReadPermissions, l as PermissionContext, n as FieldPermissionMap, o as fields, p as normalizeRoles, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission, u as PermissionResult } from "../fields-Lo1VUDpt.mjs";
-import { A as requireRoles, C as allOf, D as not, E as denyAll, M as when, N as applyPermissionResult, O as requireAuth, P as normalizePermissionResult, S as createOrgPermissions, T as anyOf, _ as ConnectEventsOptions, a as presets_d_exports, b as PermissionEventBus, c as readOnly, d as requireOrgRole, f as requireScopeContext, g as createRoleHierarchy, h as RoleHierarchy, i as ownerWithAdminBypass, j as roles, k as requireOwnership, l as requireOrgInScope, m as requireTeamMembership, n as authenticated, o as publicRead, p as requireServiceScope, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as requireOrgMembership, v as DynamicPermissionMatrix, w as allowPublic, x as createDynamicPermissionMatrix, y as DynamicPermissionMatrixConfig } from "../index-ChIw3776.mjs";
+import { a as applyFieldWritePermissions, c as PermissionCheck, d as UserBase, f as getUserRoles, i as applyFieldReadPermissions, l as PermissionContext, n as FieldPermissionMap, o as fields, p as normalizeRoles, r as FieldPermissionType, s as resolveEffectiveRoles, t as FieldPermission, u as PermissionResult } from "../fields-C8Y0XLAu.mjs";
+import { A as requireRoles, C as allOf, D as not, E as denyAll, M as when, N as applyPermissionResult, O as requireAuth, P as normalizePermissionResult, S as createOrgPermissions, T as anyOf, _ as ConnectEventsOptions, a as presets_d_exports, b as PermissionEventBus, c as readOnly, d as requireOrgRole, f as requireScopeContext, g as createRoleHierarchy, h as RoleHierarchy, i as ownerWithAdminBypass, j as roles, k as requireOwnership, l as requireOrgInScope, m as requireTeamMembership, n as authenticated, o as publicRead, p as requireServiceScope, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as requireOrgMembership, v as DynamicPermissionMatrix, w as allowPublic, x as createDynamicPermissionMatrix, y as DynamicPermissionMatrixConfig } from "../index-C_Noptz-.mjs";
 export { ConnectEventsOptions, DynamicPermissionMatrix, DynamicPermissionMatrixConfig, FieldPermission, FieldPermissionMap, FieldPermissionType, PermissionCheck, PermissionContext, PermissionEventBus, PermissionResult, RoleHierarchy, UserBase, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, not, ownerWithAdminBypass, presets_d_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/permissions/index.mjs

@@ -1,5 +1,5 @@
-import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-bxkeltzz.mjs";
-import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
+import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-CTMWOUDt.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-D57iXYb8.mjs";
 import { n as normalizePermissionResult, t as applyPermissionResult } from "../applyPermissionResult-QhV1Pa-g.mjs";
-import { C as requireAuth, D as when, E as roles, S as not, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, l as createRoleHierarchy, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "../permissions-Dk6mshja.mjs";
+import { C as requireAuth, D as when, E as roles, S as not, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, l as createRoleHierarchy, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "../permissions-wkqRwicB.mjs";
 export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, not, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/{permissions-Dk6mshja.mjs → permissions-wkqRwicB.mjs}

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
 import { _ as isElevated, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, h as hasOrgAccess, l as getScopeContext, p as getUserId, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "./types-AOD8fxIw.mjs";
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { t as MemoryCacheStore } from "./memory-B5Amv9A1.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
+import { t as MemoryCacheStore } from "./memory-DqI-449b.mjs";
 import { randomUUID } from "node:crypto";
 //#region src/permissions/core.ts
 /**

package/dist/pipe-CGJxqDGx.mjs

@@ -0,0 +1,62 @@
+import { r as ForbiddenError } from "./errors-BqdUDja_.mjs";
+//#region src/pipeline/pipe.ts
+/**
+* Compose pipeline steps into an ordered array.
+* Accepts guards, transforms, and interceptors in any order.
+*/
+function pipe(...steps) {
+	return steps;
+}
+/**
+* Check if a step applies to the given operation.
+*/
+function appliesTo(step, operation) {
+	if (!step.operations || step.operations.length === 0) return true;
+	return step.operations.includes(operation);
+}
+/**
+* Execute a pipeline against a request context.
+*
+* This is the core runtime that createCrudRouter uses to execute pipelines.
+* External usage is not needed — this is wired automatically when `pipe` is set.
+*
+* @param steps - Pipeline steps to execute
+* @param ctx - The pipeline context (extends IRequestContext)
+* @param handler - The actual controller method to call
+* @param operation - The CRUD operation name
+* @returns The controller response (possibly modified by interceptors)
+*/
+async function executePipeline(steps, ctx, handler, operation) {
+	const guards = [];
+	const transforms = [];
+	const interceptors = [];
+	for (const step of steps) {
+		if (!appliesTo(step, operation)) continue;
+		switch (step._type) {
+			case "guard":
+				guards.push(step);
+				break;
+			case "transform":
+				transforms.push(step);
+				break;
+			case "interceptor":
+				interceptors.push(step);
+				break;
+		}
+	}
+	for (const g of guards) if (!await g.handler(ctx)) throw new ForbiddenError(`Guard '${g.name}' denied access`);
+	let currentCtx = ctx;
+	for (const t of transforms) {
+		const result = await t.handler(currentCtx);
+		if (result) currentCtx = result;
+	}
+	let chain = () => handler(currentCtx);
+	for (let i = interceptors.length - 1; i >= 0; i--) {
+		const interceptor = interceptors[i];
+		const next = chain;
+		chain = () => interceptor.handler(currentCtx, next);
+	}
+	return chain();
+}
+//#endregion
+export { pipe as n, executePipeline as t };

package/dist/pipeline/index.d.mts

@@ -0,0 +1,62 @@
+import { Bt as PipelineContext, Ft as Guard, Ht as Transform, It as Interceptor, Lt as NextFunction, Mt as IControllerResponse, Rt as OperationFilter, Vt as PipelineStep, zt as PipelineConfig } from "../index-BGbpGVyM.mjs";
+
+//#region src/pipeline/guard.d.ts
+interface GuardOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext) => boolean | Promise<boolean>;
+}
+/**
+ * Create a named guard.
+ *
+ * @param name - Guard name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function guard(name: string, handlerOrOptions: ((ctx: PipelineContext) => boolean | Promise<boolean>) | GuardOptions): Guard;
+//#endregion
+//#region src/pipeline/intercept.d.ts
+interface InterceptOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext, next: NextFunction) => Promise<IControllerResponse<unknown>>;
+}
+/**
+ * Create a named interceptor.
+ *
+ * @param name - Interceptor name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function intercept(name: string, handlerOrOptions: ((ctx: PipelineContext, next: NextFunction) => Promise<IControllerResponse<unknown>>) | InterceptOptions): Interceptor;
+//#endregion
+//#region src/pipeline/pipe.d.ts
+/**
+ * Compose pipeline steps into an ordered array.
+ * Accepts guards, transforms, and interceptors in any order.
+ */
+declare function pipe(...steps: PipelineStep[]): PipelineStep[];
+/**
+ * Execute a pipeline against a request context.
+ *
+ * This is the core runtime that createCrudRouter uses to execute pipelines.
+ * External usage is not needed — this is wired automatically when `pipe` is set.
+ *
+ * @param steps - Pipeline steps to execute
+ * @param ctx - The pipeline context (extends IRequestContext)
+ * @param handler - The actual controller method to call
+ * @param operation - The CRUD operation name
+ * @returns The controller response (possibly modified by interceptors)
+ */
+declare function executePipeline(steps: PipelineStep[], ctx: PipelineContext, handler: (ctx: PipelineContext) => Promise<IControllerResponse<unknown>>, operation: string): Promise<IControllerResponse<unknown>>;
+//#endregion
+//#region src/pipeline/transform.d.ts
+interface TransformOptions {
+  operations?: OperationFilter;
+  handler: (ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>;
+}
+/**
+ * Create a named transform.
+ *
+ * @param name - Transform name (for debugging/introspection)
+ * @param handlerOrOptions - Handler function or options object
+ */
+declare function transform(name: string, handlerOrOptions: ((ctx: PipelineContext) => PipelineContext | undefined | Promise<PipelineContext | undefined>) | TransformOptions): Transform;
+//#endregion
+export { type Guard, type Interceptor, type NextFunction, type OperationFilter, type PipelineConfig, type PipelineContext, type PipelineStep, type Transform, executePipeline, guard, intercept, pipe, transform };

package/dist/pipeline/index.mjs

@@ -0,0 +1,53 @@
+import { n as pipe, t as executePipeline } from "../pipe-CGJxqDGx.mjs";
+//#region src/pipeline/guard.ts
+/**
+* Create a named guard.
+*
+* @param name - Guard name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function guard(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "guard",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+//#region src/pipeline/intercept.ts
+/**
+* Create a named interceptor.
+*
+* @param name - Interceptor name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function intercept(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "interceptor",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+//#region src/pipeline/transform.ts
+/**
+* Create a named transform.
+*
+* @param name - Transform name (for debugging/introspection)
+* @param handlerOrOptions - Handler function or options object
+*/
+function transform(name, handlerOrOptions) {
+	const opts = typeof handlerOrOptions === "function" ? { handler: handlerOrOptions } : handlerOrOptions;
+	return {
+		_type: "transform",
+		name,
+		operations: opts.operations,
+		handler: opts.handler
+	};
+}
+//#endregion
+export { executePipeline, guard, intercept, pipe, transform };

package/dist/plugins/index.d.mts

@@ -1,7 +1,8 @@
-import { W as ResourceRegistry, at as PresetHook, dn as AnyRecord, gt as RouteSchemaOptions, nt as MiddlewareConfig, pt as RouteDefinition, tn as HookSystem } from "../index-Cl0uoKd5.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-BQ8QijNH.mjs";
-import { _ as CachingRule, a as VersioningOptions, c as MetricEntry, d as _default$4, f as metricsPlugin, g as CachingOptions, h as ssePlugin, i as errorHandlerPlugin, l as MetricsCollector, m as _default$6, n as ErrorMapper, o as _default$7, p as SSEOptions, r as defaultIsDuplicateKeyError, s as versioningPlugin, t as ErrorHandlerOptions, u as MetricsOptions, v as _default$1, y as cachingPlugin } from "../errorHandler-DRQ3EqfL.mjs";
-import { t as TracingOptions } from "../tracing-65B51Dw3.mjs";
+import { Dt as RouteSchemaOptions, J as HookSystem, Yt as AnyRecord, gt as PresetHook, pt as MiddlewareConfig, wt as RouteDefinition, z as ResourceRegistry } from "../index-BGbpGVyM.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
+import { a as MetricsCollector, c as metricsPlugin, d as ssePlugin, f as CachingOptions, h as cachingPlugin, i as MetricEntry, l as SSEOptions, m as _default$1, n as _default$7, o as MetricsOptions, p as CachingRule, r as versioningPlugin, s as _default$4, t as VersioningOptions, u as _default$6 } from "../versioning-CeUXHfjw.mjs";
+import { i as errorHandlerPlugin, n as ErrorMapper, r as defaultIsDuplicateKeyError, t as ErrorHandlerOptions } from "../errorHandler-2ii4RIYr.mjs";
+import { t as TracingOptions } from "../tracing-xqXzWeaf.mjs";
 import { FastifyInstance, FastifyPluginAsync } from "fastify";
 import * as _$node_stream0 from "node:stream";
 
@@ -34,7 +35,26 @@ interface ArcCore {
 }
 declare module "fastify" {
   interface FastifyInstance {
-    arc: ArcCore;
+    /**
+     * Arc core decorator. Optional because:
+     *
+     * 1. Consumers who import any `@classytic/arc/*` subpath get this module
+     *    augmentation merged into every `FastifyInstance` they see — even
+     *    instances on apps that never register {@link arcCorePlugin}. Making
+     *    it required would force those apps to assert or guard every
+     *    property access.
+     * 2. Hosts that extend `FastifyInstance` to narrow `arc` to their own
+     *    type (`interface X extends FastifyInstance { arc?: MyArc }`) were
+     *    previously blocked because non-optional `arc: ArcCore` conflicts
+     *    with the re-declaration. An optional field lets hosts re-declare
+     *    with a compatible subtype without fighting TS.
+     *
+     * Inside Arc's own code, any call site that runs *after* `arcCorePlugin`
+     * has registered treats this as non-null — see the call sites in
+     * `factory/registerAuth.ts` and `factory/createApp.ts` which assert
+     * with `fastify.arc!` or narrow explicitly.
+     */
+    arc?: ArcCore;
   }
 }
 declare const arcCorePlugin: FastifyPluginAsync<ArcCorePluginOptions>;

package/dist/plugins/index.mjs

@@ -1,15 +1,15 @@
 import { p as MUTATION_OPERATIONS } from "../constants-BhY1OHoH.mjs";
 import { o as getOrgId } from "../types-AOD8fxIw.mjs";
-import { t as requestContext } from "../requestContext-xHIKedG6.mjs";
+import { t as requestContext } from "../requestContext-C38GskNt.mjs";
 import { t as hasEvents } from "../typeGuards-Cj5Rgvlg.mjs";
-import { t as HookSystem } from "../HookSystem-BNYKnrXF.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-BPd6NQDm.mjs";
-import { n as caching_default, t as cachingPlugin } from "../caching-CBpK_SCM.mjs";
-import { n as errorHandlerPlugin, t as defaultIsDuplicateKeyError } from "../errorHandler-Bb49BvPD.mjs";
-import { n as metrics_default, t as metricsPlugin } from "../metrics-DuhiSEZI.mjs";
-import { t as replyHelpersPlugin } from "../replyHelpers-CXtJDAZ0.mjs";
-import { n as sse_default, t as ssePlugin } from "../sse-yBCgOLGu.mjs";
-import { n as versioning_default, t as versioningPlugin } from "../versioning-C2U_bLY0.mjs";
+import { t as HookSystem } from "../HookSystem-BjFu7zf1.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-CcN2LVrc.mjs";
+import { n as caching_default, t as cachingPlugin } from "../caching-3h93rkJM.mjs";
+import { n as errorHandlerPlugin, t as defaultIsDuplicateKeyError } from "../errorHandler-CSxe7KIM.mjs";
+import { n as metrics_default, t as metricsPlugin } from "../metrics-TuOmguhi.mjs";
+import { t as replyHelpersPlugin } from "../replyHelpers-BLojtuvR.mjs";
+import { n as sse_default, t as ssePlugin } from "../sse-D8UeDwis.mjs";
+import { n as versioning_default, t as versioningPlugin } from "../versioning-B6mimogM.mjs";
 import { randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/core/arcCorePlugin.ts

package/dist/plugins/tracing-entry.d.mts

@@ -1,2 +1,2 @@
-import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-65B51Dw3.mjs";
+import { a as traced, i as isTracingAvailable, n as _default, r as createSpan, t as TracingOptions } from "../tracing-xqXzWeaf.mjs";
 export { type TracingOptions, createSpan, isTracingAvailable, traced, _default as tracingPlugin };

package/dist/plugins/tracing-entry.mjs

@@ -44,7 +44,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.10.3";
+	const resolvedVersion = serviceVersion ?? "2.10.8";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/filesUpload.d.mts

@@ -1,7 +1,7 @@
-import { r as RequestScope } from "../types-BD85MlEK.mjs";
-import { c as PermissionCheck } from "../fields-Lo1VUDpt.mjs";
-import { ot as PresetResult } from "../index-Cl0uoKd5.mjs";
-import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-CVk_SEn2.mjs";
+import { _t as PresetResult } from "../index-BGbpGVyM.mjs";
+import { r as RequestScope } from "../types-tgR4Pt8F.mjs";
+import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
+import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-BwGQXUpd.mjs";
 
 //#region src/presets/filesUpload.d.ts
 interface FilesUploadPresetRoutes {