npm - @classytic/arc - Versions diffs - 2.10.3 → 2.10.8 - Mend

@classytic/arc 2.10.3 → 2.10.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

package/README.md +1 -1
package/dist/{BaseController-CbKKIflT.mjs → BaseController-DVNKvoX4.mjs} +151 -131
package/dist/actionPermissions-TUVR3uiZ.mjs +22 -0
package/dist/adapters/index.d.mts +2 -2
package/dist/audit/index.d.mts +2 -2
package/dist/audit/index.mjs +15 -17
package/dist/auth/index.d.mts +4 -4
package/dist/auth/index.mjs +5 -5
package/dist/auth/redis-session.d.mts +1 -1
package/dist/cache/index.d.mts +2 -2
package/dist/cache/index.mjs +3 -3
package/dist/cli/commands/docs.mjs +2 -2
package/dist/cli/commands/generate.mjs +1 -1
package/dist/cli/commands/init.mjs +1 -1
package/dist/cli/commands/introspect.mjs +1 -1
package/dist/context/index.d.mts +58 -0
package/dist/context/index.mjs +2 -0
package/dist/core/index.d.mts +2 -2
package/dist/core/index.mjs +2 -2
package/dist/{core-CcR01lup.mjs → core-3MWJosCH.mjs} +139 -91
package/dist/{createApp-BuvPma24.mjs → createApp-BwnEAO2h.mjs} +54 -20
package/dist/docs/index.d.mts +2 -2
package/dist/docs/index.mjs +2 -2
package/dist/{elevation-C7hgL_aI.mjs → elevation-Dci0AYLT.mjs} +2 -2
package/dist/errorHandler-2ii4RIYr.d.mts +114 -0
package/dist/{errorHandler-Bb49BvPD.mjs → errorHandler-CSxe7KIM.mjs} +1 -1
package/dist/{eventPlugin-DCUjuiQT.mjs → eventPlugin-ByU4Cv0e.mjs} +1 -1
package/dist/{eventPlugin-CxWgpd6K.d.mts → eventPlugin-D1ThQ1Pp.d.mts} +1 -1
package/dist/events/index.d.mts +4 -4
package/dist/events/index.mjs +69 -51
package/dist/events/transports/redis-stream-entry.d.mts +1 -1
package/dist/events/transports/redis.d.mts +1 -1
package/dist/factory/index.d.mts +1 -1
package/dist/factory/index.mjs +2 -2
package/dist/{fields-Lo1VUDpt.d.mts → fields-C8Y0XLAu.d.mts} +1 -1
package/dist/hooks/index.d.mts +1 -1
package/dist/hooks/index.mjs +1 -1
package/dist/idempotency/index.d.mts +3 -3
package/dist/idempotency/index.mjs +38 -27
package/dist/idempotency/redis.d.mts +1 -1
package/dist/{index-Cl0uoKd5.d.mts → index-BGbpGVyM.d.mts} +2362 -2155
package/dist/{index-DStwgFUK.d.mts → index-BziRPS4H.d.mts} +1 -1
package/dist/{index-ChIw3776.d.mts → index-C_Noptz-.d.mts} +3 -3
package/dist/{index-8qw4y6ff.d.mts → index-EqQN6p0W.d.mts} +3 -3
package/dist/index.d.mts +7 -219
package/dist/index.mjs +8 -128
package/dist/integrations/event-gateway.d.mts +1 -1
package/dist/integrations/event-gateway.mjs +1 -1
package/dist/integrations/index.d.mts +1 -1
package/dist/integrations/mcp/index.d.mts +2 -2
package/dist/integrations/mcp/index.mjs +1 -1
package/dist/integrations/mcp/testing.d.mts +1 -1
package/dist/integrations/mcp/testing.mjs +1 -1
package/dist/logger/index.d.mts +81 -0
package/dist/{logger-DLg8-Ueg.mjs → logger/index.mjs} +1 -6
package/dist/middleware/index.d.mts +109 -0
package/dist/middleware/index.mjs +70 -0
package/dist/multipartBody-CUQGVlM_.mjs +123 -0
package/dist/{openapi-B5F8AddX.mjs → openapi-DpNpqBmo.mjs} +9 -7
package/dist/org/index.d.mts +2 -2
package/dist/permissions/index.d.mts +2 -2
package/dist/permissions/index.mjs +3 -3
package/dist/{permissions-Dk6mshja.mjs → permissions-wkqRwicB.mjs} +2 -2
package/dist/pipe-CGJxqDGx.mjs +62 -0
package/dist/pipeline/index.d.mts +62 -0
package/dist/pipeline/index.mjs +53 -0
package/dist/plugins/index.d.mts +25 -5
package/dist/plugins/index.mjs +9 -9
package/dist/plugins/tracing-entry.d.mts +1 -1
package/dist/plugins/tracing-entry.mjs +1 -1
package/dist/presets/filesUpload.d.mts +4 -4
package/dist/presets/filesUpload.mjs +255 -1
package/dist/presets/index.d.mts +1 -1
package/dist/presets/index.mjs +2 -2
package/dist/presets/multiTenant.d.mts +1 -1
package/dist/presets/multiTenant.mjs +42 -8
package/dist/presets/search.d.mts +2 -2
package/dist/presets/search.mjs +1 -1
package/dist/{presets-fLJVXdVn.mjs → presets-CrwOvuXI.mjs} +1 -1
package/dist/{queryCachePlugin-DQCEfJis.mjs → queryCachePlugin-ChLNZvFT.mjs} +2 -2
package/dist/{queryCachePlugin-BKbWjgDG.d.mts → queryCachePlugin-Dumka73q.d.mts} +1 -1
package/dist/{queryParser-DBqBB6AC.mjs → queryParser-NR__Qiju.mjs} +68 -1
package/dist/{redis-DqyeggCa.d.mts → redis-MXLp1oOf.d.mts} +1 -1
package/dist/{redis-stream-CakIQmwR.d.mts → redis-stream-bkO88VHx.d.mts} +1 -1
package/dist/registry/index.d.mts +1 -1
package/dist/registry/index.mjs +2 -2
package/dist/{requestContext-xHIKedG6.mjs → requestContext-C38GskNt.mjs} +1 -1
package/dist/{resourceToTools-BElv3xPT.mjs → resourceToTools-BhF3JV5p.mjs} +8 -3
package/dist/scope/index.d.mts +2 -2
package/dist/scope/index.mjs +2 -2
package/dist/{sse-yBCgOLGu.mjs → sse-D8UeDwis.mjs} +1 -1
package/dist/{store-helpers-ZCSMJJAX.mjs → store-helpers-DYYUQbQN.mjs} +4 -0
package/dist/testing/index.d.mts +2 -2
package/dist/testing/index.mjs +11 -2
package/dist/testing/storageContract.d.mts +1 -1
package/dist/types/index.d.mts +4 -4
package/dist/types/index.mjs +1 -1
package/dist/types/storage.d.mts +1 -1
package/dist/{types-Btdda02s.d.mts → types-CVKBssX5.d.mts} +1 -1
package/dist/{types-Co8k3NyS.d.mts → types-CVdgPXBW.d.mts} +22 -9
package/dist/utils/index.d.mts +73 -3
package/dist/utils/index.mjs +4 -4
package/dist/{utils-B2fNOD_i.mjs → utils-LMwVidKy.mjs} +20 -2
package/dist/versioning-CeUXHfjw.d.mts +117 -0
package/package.json +22 -6
package/skills/arc/SKILL.md +1 -1
package/dist/errorHandler-DRQ3EqfL.d.mts +0 -218
package/dist/filesUpload-t21LS-py.mjs +0 -377
/package/dist/{EventTransport-CUw5NNWe.d.mts → EventTransport-CfVEGaEl.d.mts} +0 -0
/package/dist/{HookSystem-BNYKnrXF.mjs → HookSystem-BjFu7zf1.mjs} +0 -0
/package/dist/{ResourceRegistry-BPd6NQDm.mjs → ResourceRegistry-CcN2LVrc.mjs} +0 -0
/package/dist/{betterAuthOpenApi-BBRVhjQN.mjs → betterAuthOpenApi--rdY15Ld.mjs} +0 -0
/package/dist/{caching-CBpK_SCM.mjs → caching-3h93rkJM.mjs} +0 -0
/package/dist/{createActionRouter-Bp_5c_2b.mjs → createActionRouter-C8UUB3Px.mjs} +0 -0
/package/dist/{elevation-C5SwtkAn.d.mts → elevation-s5ykdNHr.d.mts} +0 -0
/package/dist/{errors-CCSsMpXE.d.mts → errors-BI8kEKsO.d.mts} +0 -0
/package/dist/{errors-D5c-5BJL.mjs → errors-BqdUDja_.mjs} +0 -0
/package/dist/{externalPaths-BQ8QijNH.d.mts → externalPaths-Bapitwvd.d.mts} +0 -0
/package/dist/{fields-bxkeltzz.mjs → fields-CTMWOUDt.mjs} +0 -0
/package/dist/{interface-CSbZdv_3.d.mts → interface-B-pe8fhj.d.mts} +0 -0
/package/dist/{interface-D218ikEo.d.mts → interface-yhyb_pLY.d.mts} +0 -0
/package/dist/{keys-qcD-TVJl.mjs → keys-nWQGUTu1.mjs} +0 -0
/package/dist/{loadResources-BAzJItAJ.mjs → loadResources-Bksk8ydA.mjs} +0 -0
/package/dist/{memory-B5Amv9A1.mjs → memory-DqI-449b.mjs} +0 -0
/package/dist/{metrics-DuhiSEZI.mjs → metrics-TuOmguhi.mjs} +0 -0
/package/dist/{pluralize-A0tWEl1K.mjs → pluralize-CWP6MB39.mjs} +0 -0
/package/dist/{registry-B3lRFBWo.mjs → registry-B0Wl7uVV.mjs} +0 -0
/package/dist/{replyHelpers-CXtJDAZ0.mjs → replyHelpers-BLojtuvR.mjs} +0 -0
/package/dist/{sessionManager-BkzVU8h2.d.mts → sessionManager-D-oNWHz3.d.mts} +0 -0
/package/dist/{storage-CVk_SEn2.d.mts → storage-BwGQXUpd.d.mts} +0 -0
/package/dist/{tracing-65B51Dw3.d.mts → tracing-xqXzWeaf.d.mts} +0 -0
/package/dist/{types-Csi3FLfq.mjs → types-CDnTEpga.mjs} +0 -0
/package/dist/{types-DV9WDfeg.mjs → types-D57iXYb8.mjs} +0 -0
/package/dist/{types-BD85MlEK.d.mts → types-tgR4Pt8F.d.mts} +0 -0
/package/dist/{versioning-C2U_bLY0.mjs → versioning-B6mimogM.mjs} +0 -0

package/dist/presets/filesUpload.mjs CHANGED Viewed

@@ -1,2 +1,256 @@
-import { t as filesUploadPreset } from "../filesUpload-t21LS-py.mjs";
+import { o as getOrgId, p as getUserId } from "../types-AOD8fxIw.mjs";
+import { i as NotFoundError, u as ValidationError } from "../errors-BqdUDja_.mjs";
+import { C as requireAuth, y as allowPublic } from "../permissions-wkqRwicB.mjs";
+import { t as multipartBody } from "../multipartBody-CUQGVlM_.mjs";
+//#region src/presets/filesUpload.ts
+const DEFAULT_FIELD_NAME = "file";
+const DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+function defaultContextFrom(scope) {
+	if (!scope) return {};
+	const userId = getUserId(scope);
+	const organizationId = getOrgId(scope);
+	const ctx = {};
+	if (userId !== void 0) ctx.userId = userId;
+	if (organizationId !== void 0) ctx.organizationId = organizationId;
+	return ctx;
+}
+function buildStorageContext(request, contextFrom) {
+	const scope = request.scope;
+	return {
+		scope: contextFrom(scope),
+		requestId: request.id
+	};
+}
+/**
+* Parse a single-range `Range: bytes=start-end` header.
+*
+* Returns `undefined` when the header is missing or unparseable. Only
+* satisfiable single ranges are supported — multi-range requests fall through
+* to the full-object response (per RFC 7233 §4.1 a server MAY ignore ranges).
+*/
+function parseRangeHeader(header, totalSize) {
+	if (!header || !header.startsWith("bytes=")) return void 0;
+	const spec = header.slice(6).split(",")[0]?.trim();
+	if (!spec) return void 0;
+	const dashIndex = spec.indexOf("-");
+	if (dashIndex === -1) return void 0;
+	const startRaw = spec.slice(0, dashIndex);
+	const endRaw = spec.slice(dashIndex + 1);
+	if (startRaw === "") {
+		if (totalSize === void 0) return void 0;
+		const suffix = Number(endRaw);
+		if (!Number.isFinite(suffix) || suffix <= 0) return void 0;
+		return {
+			start: Math.max(0, totalSize - suffix),
+			end: totalSize - 1
+		};
+	}
+	const start = Number(startRaw);
+	if (!Number.isFinite(start) || start < 0) return void 0;
+	if (endRaw === "") {
+		if (totalSize === void 0) return void 0;
+		return {
+			start,
+			end: totalSize - 1
+		};
+	}
+	const end = Number(endRaw);
+	if (!Number.isFinite(end) || end < start) return void 0;
+	if (totalSize !== void 0 && end >= totalSize) return {
+		start,
+		end: totalSize - 1
+	};
+	return {
+		start,
+		end
+	};
+}
+/**
+* Strict policy — rejects filenames that could escape a storage root or
+* confuse a filesystem. Safe default for disk/S3 adapters that compose
+* `${prefix}/${filename}` or `path.join(root, filename)`.
+*/
+function strictFilenamePolicy(filename) {
+	if (filename.length === 0) throw new ValidationError("Upload filename is empty");
+	if (filename.length > 255) throw new ValidationError("Upload filename exceeds 255 characters");
+	if (filename.includes("\0")) throw new ValidationError("Upload filename contains a NUL byte");
+	if (filename.includes("/") || filename.includes("\\")) throw new ValidationError("Upload filename contains a path separator");
+	if (filename === "." || filename === "..") throw new ValidationError("Upload filename is a path traversal component");
+	return filename;
+}
+/** Resolve the user-supplied policy option into a concrete validator. */
+function resolveFilenamePolicy(policy) {
+	if (policy === void 0 || policy === true) return strictFilenamePolicy;
+	if (policy === false || policy === "*") return (f) => f;
+	if (typeof policy === "function") return (filename) => {
+		const result = policy(filename);
+		if (result === false) throw new ValidationError(`Upload filename rejected: ${filename}`);
+		if (typeof result === "string") return result;
+		return filename;
+	};
+	return strictFilenamePolicy;
+}
+function makeUploadHandler(deps) {
+	return async function uploadHandler(request, reply) {
+		const file = (request.body?._files)?.[deps.fieldName];
+		if (!file) throw new ValidationError(`Missing file field '${deps.fieldName}' in multipart body`);
+		const filename = deps.applyFilenamePolicy(file.filename);
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		const result = await deps.storage.upload({
+			buffer: file.buffer,
+			filename,
+			mimeType: file.mimetype,
+			size: file.size
+		}, ctx);
+		return reply.code(201).send({
+			success: true,
+			data: toResponseFile(result)
+		});
+	};
+}
+function toResponseFile(file) {
+	const payload = {
+		id: file.id,
+		url: file.url,
+		pathname: file.pathname,
+		contentType: file.contentType,
+		bytes: file.bytes
+	};
+	if (file.metadata !== void 0) payload.metadata = file.metadata;
+	return payload;
+}
+function makeReadHandler(deps) {
+	return async function readHandler(request, reply) {
+		const { id } = request.params;
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		reply.header("Accept-Ranges", "bytes");
+		const rangeHeader = request.headers.range;
+		let result;
+		try {
+			const parsed = rangeHeader ? parseRangeHeader(rangeHeader, void 0) : void 0;
+			result = await deps.storage.read(id, ctx, parsed);
+		} catch (err) {
+			throw toNotFound(err, "File", id);
+		}
+		if (result.kind === "buffer") return sendBuffer(reply, result, rangeHeader);
+		return sendStream(reply, result, rangeHeader);
+	};
+}
+function sendBuffer(reply, result, rangeHeader) {
+	reply.type(result.contentType);
+	const total = result.totalBytes ?? result.buffer.length;
+	if (result.range) {
+		const { start, end } = result.range;
+		reply.code(206);
+		reply.header("Content-Range", `bytes ${start}-${end}/${total}`);
+		reply.header("Content-Length", String(result.buffer.length));
+		return reply.send(result.buffer);
+	}
+	if (rangeHeader) {
+		const parsed = parseRangeHeader(rangeHeader, total);
+		if (parsed) {
+			const slice = result.buffer.subarray(parsed.start, parsed.end + 1);
+			reply.code(206);
+			reply.header("Content-Range", `bytes ${parsed.start}-${parsed.end}/${total}`);
+			reply.header("Content-Length", String(slice.length));
+			return reply.send(slice);
+		}
+	}
+	reply.header("Content-Length", String(result.buffer.length));
+	return reply.send(result.buffer);
+}
+function sendStream(reply, result, rangeHeader) {
+	reply.type(result.contentType);
+	if (result.range && result.bytes !== void 0) {
+		const { start, end } = result.range;
+		reply.code(206);
+		reply.header("Content-Range", `bytes ${start}-${end}/${result.bytes}`);
+		reply.header("Content-Length", String(end - start + 1));
+	} else if (result.bytes !== void 0) {
+		reply.header("Content-Length", String(result.bytes));
+		if (rangeHeader) reply.request.log.debug({ url: reply.request.url }, "filesUploadPreset: adapter returned unsliced stream for a range request — sending full object");
+	}
+	return reply.send(result.stream);
+}
+function makeDeleteHandler(deps) {
+	return async function deleteHandler(request, reply) {
+		const { id } = request.params;
+		const ctx = buildStorageContext(request, deps.contextFrom);
+		if (!await deps.storage.delete(id, ctx)) throw new NotFoundError("File", id);
+		return reply.code(204).send();
+	};
+}
+function toNotFound(err, resource, id) {
+	if (err instanceof NotFoundError) return err;
+	const maybe = err;
+	if (maybe?.statusCode === 404 || maybe?.code === "NOT_FOUND") return new NotFoundError(resource, id);
+	if (typeof maybe?.message === "string" && /not\s*found/i.test(maybe.message)) return new NotFoundError(resource, id);
+	return err;
+}
+/**
+* Create a files-upload preset bound to a `Storage` adapter.
+*
+* The preset uses `raw: true` routes so binary responses bypass arc's JSON
+* envelope. Upload still returns the standard `{ success: true, data }`
+* envelope manually because the response is structured metadata, not bytes.
+*/
+function filesUploadPreset(options) {
+	if (!options?.storage) throw new Error("filesUploadPreset: `storage` is required");
+	const deps = {
+		storage: options.storage,
+		fieldName: options.fieldName ?? DEFAULT_FIELD_NAME,
+		contextFrom: options.contextFrom ?? defaultContextFrom,
+		applyFilenamePolicy: resolveFilenamePolicy(options.sanitizeFilename)
+	};
+	const maxFileSize = options.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+	const allowedMimeTypes = options.allowedMimeTypes;
+	const includeRoutes = {
+		upload: options.includeRoutes?.upload ?? true,
+		read: options.includeRoutes?.read ?? true,
+		delete: options.includeRoutes?.delete ?? true
+	};
+	return {
+		name: "filesUpload",
+		routes: (permissions) => {
+			const routes = [];
+			if (includeRoutes.upload) routes.push({
+				method: "POST",
+				path: "/upload",
+				operation: "filesUpload.upload",
+				summary: "Upload a file",
+				description: "Accepts a multipart/form-data request and persists the bytes via the configured Storage adapter.",
+				permissions: options.permissions?.upload ?? permissions.create ?? requireAuth(),
+				preHandler: [multipartBody({
+					maxFileSize,
+					allowedMimeTypes,
+					requiredFields: [deps.fieldName]
+				})],
+				raw: true,
+				handler: makeUploadHandler(deps)
+			});
+			if (includeRoutes.read) routes.push({
+				method: "GET",
+				path: "/:id",
+				operation: "filesUpload.read",
+				summary: "Download a file",
+				description: "Streams the stored bytes. Supports single-range `Range: bytes=start-end`.",
+				permissions: options.permissions?.read ?? permissions.get ?? allowPublic(),
+				raw: true,
+				handler: makeReadHandler(deps),
+				mcp: false
+			});
+			if (includeRoutes.delete) routes.push({
+				method: "DELETE",
+				path: "/:id",
+				operation: "filesUpload.delete",
+				summary: "Delete a file",
+				permissions: options.permissions?.delete ?? permissions.delete ?? requireAuth(),
+				raw: true,
+				handler: makeDeleteHandler(deps)
+			});
+			return routes;
+		}
+	};
+}
+//#endregion
 export { filesUploadPreset };

package/dist/presets/index.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { St as IRequestContext, dn as AnyRecord, lt as ResourceConfig, ot as PresetResult, u as PaginationResult, xt as IControllerResponse } from "../index-Cl0uoKd5.mjs";
+import { Mt as IControllerResponse, Nt as IRequestContext, Yt as AnyRecord, _t as PresetResult, bt as ResourceConfig, d as PaginationResult } from "../index-BGbpGVyM.mjs";
 import { FilesUploadPresetOptions, FilesUploadPresetPermissions, FilesUploadPresetRoutes, filesUploadPreset } from "./filesUpload.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 import { SearchHandler, SearchPresetOptions, SearchRouteConfig, searchPreset } from "./search.mjs";

package/dist/presets/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { multiTenantPreset } from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-fLJVXdVn.mjs";
-import { t as filesUploadPreset } from "../filesUpload-t21LS-py.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-CrwOvuXI.mjs";
+import { filesUploadPreset } from "./filesUpload.mjs";
 import { searchPreset } from "./search.mjs";
 export { applyPresets, auditedPreset, bulkPreset, filesUploadPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, searchPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { Q as CrudRouteKey, ot as PresetResult } from "../index-Cl0uoKd5.mjs";
+import { _t as PresetResult, lt as CrudRouteKey } from "../index-BGbpGVyM.mjs";
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/presets/multiTenant.mjs CHANGED Viewed

@@ -10,6 +10,20 @@ function resolveSpec(scope, spec) {
 	if (spec.type === "org") return getOrgId(scope);
 	if (spec.type === "team") return getTeamId(scope);
 }
+/**
+* Stash the resolved tenant field map on the request so `BaseController`
+* can forward it to the repository layer as top-level options. Needed by
+* plugin-scoped repos (mongokit's `multiTenantPlugin`) that read tenant
+* from `context.<field>` rather than from filter/query/data stamping.
+*/
+function stashTenantFields(request, resolved) {
+	if (Object.keys(resolved).length === 0) return;
+	const target = request;
+	target._tenantFields = {
+		...target._tenantFields ?? {},
+		...resolved
+	};
+}
 /** Resolve every spec — returns the partial map of fields that have a value. */
 function resolveAll(scope, specs) {
 	const resolved = {};
@@ -34,10 +48,13 @@ function createTenantFilter(specs) {
 		const scope = getRequestScope(request);
 		if (isElevated(scope)) {
 			const { resolved } = resolveAll(scope, specs);
-			if (Object.keys(resolved).length > 0) request._policyFilters = {
-				...request._policyFilters ?? {},
-				...resolved
-			};
+			if (Object.keys(resolved).length > 0) {
+				request._policyFilters = {
+					...request._policyFilters ?? {},
+					...resolved
+				};
+				stashTenantFields(request, resolved);
+			}
 			return;
 		}
 		if (hasOrgAccess(scope)) {
@@ -47,6 +64,7 @@ function createTenantFilter(specs) {
 					...request._policyFilters ?? {},
 					...resolved
 				};
+				stashTenantFields(request, resolved);
 				return;
 			}
 			reply.code(403).send({
@@ -81,10 +99,13 @@ function createFlexibleTenantFilter(specs) {
 		const scope = getRequestScope(request);
 		if (isElevated(scope)) {
 			const { resolved } = resolveAll(scope, specs);
-			if (Object.keys(resolved).length > 0) request._policyFilters = {
-				...request._policyFilters ?? {},
-				...resolved
-			};
+			if (Object.keys(resolved).length > 0) {
+				request._policyFilters = {
+					...request._policyFilters ?? {},
+					...resolved
+				};
+				stashTenantFields(request, resolved);
+			}
 			return;
 		}
 		if (hasOrgAccess(scope)) {
@@ -94,6 +115,7 @@ function createFlexibleTenantFilter(specs) {
 					...request._policyFilters ?? {},
 					...resolved
 				};
+				stashTenantFields(request, resolved);
 				return;
 			}
 			reply.code(403).send({
@@ -109,6 +131,14 @@ function createFlexibleTenantFilter(specs) {
 * Create tenant injection middleware.
 * Walks the configured tenant fields and writes each into the request body.
 * Fails closed if any required dimension is missing for non-elevated callers.
+*
+* Also stashes the resolved fields on `request._tenantFields` so
+* `BaseController.tenantRepoOptions()` can forward them to the repo layer
+* as top-level options — needed by plugin-scoped repos like mongokit's
+* `multiTenantPlugin`, which reads tenant from `context.<field>` rather
+* than from `data.<field>`. Without this forwarding, multi-field preset
+* writes (update/delete) work only when the plugin's `allowDataInjection`
+* fallback covers the operation's policy key, which is write-only.
 */
 function createTenantInjection(specs) {
 	return async (request, reply) => {
@@ -124,6 +154,10 @@ function createTenantInjection(specs) {
 			return;
 		}
 		if (request.body) Object.assign(request.body, resolved);
+		request._tenantFields = {
+			...request._tenantFields ?? {},
+			...resolved
+		};
 	};
 }
 function multiTenantPreset(options = {}) {

package/dist/presets/search.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { c as PermissionCheck } from "../fields-Lo1VUDpt.mjs";
-import { _t as ControllerHandler, mt as RouteMcpConfig, ot as PresetResult, pt as RouteDefinition } from "../index-Cl0uoKd5.mjs";
+import { Ot as ControllerHandler, Tt as RouteMcpConfig, _t as PresetResult, wt as RouteDefinition } from "../index-BGbpGVyM.mjs";
+import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
 //#region src/presets/search.d.ts
 /**

package/dist/presets/search.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { C as requireAuth, y as allowPublic } from "../permissions-Dk6mshja.mjs";
+import { C as requireAuth, y as allowPublic } from "../permissions-wkqRwicB.mjs";
 //#region src/presets/search.ts
 const BUILTINS = [
 	{

package/dist/{presets-fLJVXdVn.mjs → presets-CrwOvuXI.mjs} RENAMED Viewed

@@ -1,6 +1,6 @@
 import { _ as isElevated, n as PUBLIC_SCOPE } from "./types-AOD8fxIw.mjs";
 import { multiTenantPreset } from "./presets/multiTenant.mjs";
-import { C as requireAuth, T as requireRoles, y as allowPublic } from "./permissions-Dk6mshja.mjs";
+import { C as requireAuth, T as requireRoles, y as allowPublic } from "./permissions-wkqRwicB.mjs";
 //#region src/presets/ownedByUser.ts
 /**
 * Create ownership check middleware.

package/dist/{queryCachePlugin-DQCEfJis.mjs → queryCachePlugin-ChLNZvFT.mjs} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { i as versionKey, r as tagVersionKey } from "./keys-qcD-TVJl.mjs";
+import { i as versionKey, r as tagVersionKey } from "./keys-nWQGUTu1.mjs";
 import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { t as MemoryCacheStore } from "./memory-B5Amv9A1.mjs";
+import { t as MemoryCacheStore } from "./memory-DqI-449b.mjs";
 import fp from "fastify-plugin";
 //#region src/cache/QueryCache.ts
 var QueryCache = class {

package/dist/{queryCachePlugin-BKbWjgDG.d.mts → queryCachePlugin-Dumka73q.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { r as CacheStore } from "./interface-D218ikEo.mjs";
+import { r as CacheStore } from "./interface-yhyb_pLY.mjs";
 import { FastifyPluginAsync } from "fastify";
 //#region src/cache/QueryCache.d.ts

package/dist/{queryParser-DBqBB6AC.mjs → queryParser-NR__Qiju.mjs} RENAMED Viewed

@@ -1,4 +1,71 @@
 import { m as RESERVED_QUERY_PARAMS } from "./constants-BhY1OHoH.mjs";
+//#region src/utils/simpleEqualityMatcher.ts
+/**
+* `simpleEqualityMatcher` — a minimal, dialect-agnostic flat-key equality
+* matcher for `DataAdapter.matchesFilter` / `BaseController({ matchesFilter })`.
+*
+* **What it does:** for each `[key, expected]` in the filter, compares
+* `item[key]` to `expected` via string coercion (so Mongo `ObjectId` values
+* match their string representation) and returns `true` only if every
+* filter entry matches. Array item values are matched implicitly (contains).
+*
+* **What it does NOT do:**
+* - No `$eq` / `$ne` / `$in` / `$nin` / `$gt` / `$lt` / `$regex` / `$exists`
+* - No `$and` / `$or`
+* - No dot-path traversal (`"owner.id"`)
+* - No schema-specific coercion
+*
+* **Why it exists:** 95%+ of arc's `_policyFilters` are produced by built-in
+* permission helpers and are shaped like `{ ownerId: "u1" }` or
+* `{ organizationId: "org_x" }` — flat equality. For that common shape,
+* this helper is a safe, tested, 15-line defense-in-depth matcher that
+* hosts using minimal repos (no `getOne(compoundFilter)` DB path) can opt
+* into without arc shipping a full Mongo-syntax engine.
+*
+* **When to use:**
+* - Your adapter/repo doesn't natively filter on `getOne(compoundFilter)`
+* - Your `_policyFilters` are flat equality (from arc's built-in permission helpers)
+* - You want defense-in-depth on `validateItemAccess` / `fetchDetailed`'s `getById` fallback
+*
+* **When NOT to use:**
+* - Your `_policyFilters` use operators (`$in`, `$ne`, etc.) — supply a
+*   native matcher (mongokit's repo does the filter at the DB layer; for
+*   custom repos, wrap the kit's own predicate engine).
+* - You're a mongokit / sqlitekit / Prisma user — the DB-level filter
+*   applied by `getOne(compoundFilter)` already covers this.
+*
+* @example
+* ```ts
+* import { simpleEqualityMatcher } from '@classytic/arc/utils';
+*
+* // On a custom adapter
+* const adapter: DataAdapter = {
+*   repository,
+*   type: 'custom',
+*   name: 'in-memory',
+*   matchesFilter: simpleEqualityMatcher,
+* };
+*
+* // Or directly on BaseController for ad-hoc controllers
+* new BaseController(repo, { matchesFilter: simpleEqualityMatcher });
+* ```
+*/
+function simpleEqualityMatcher(item, filters) {
+	if (!item || typeof item !== "object") return false;
+	const obj = item;
+	for (const [key, expected] of Object.entries(filters)) {
+		if (expected && typeof expected === "object" && !Array.isArray(expected) && Object.getPrototypeOf(expected) === Object.prototype && Object.keys(expected).some((k) => k.startsWith("$"))) return false;
+		const actual = obj[key];
+		if (Array.isArray(actual)) {
+			const expectedStr = String(expected);
+			if (!actual.some((v) => String(v) === expectedStr)) return false;
+			continue;
+		}
+		if (String(actual) !== String(expected)) return false;
+	}
+	return true;
+}
+//#endregion
 //#region src/utils/queryParser.ts
 /**
 * Arc Query Parser - Default URL-to-Query Parser
@@ -349,4 +416,4 @@ function createQueryParser(options) {
 	return new ArcQueryParser(options);
 }
 //#endregion
-export { createQueryParser as n, ArcQueryParser as t };
+export { createQueryParser as n, simpleEqualityMatcher as r, ArcQueryParser as t };

package/dist/{redis-DqyeggCa.d.mts → redis-MXLp1oOf.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-CSbZdv_3.mjs";
+import { n as IdempotencyResult, r as IdempotencyStore } from "./interface-B-pe8fhj.mjs";
 //#region src/idempotency/stores/redis.d.ts
 interface RedisClient {

package/dist/{redis-stream-CakIQmwR.d.mts → redis-stream-bkO88VHx.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { i as EventLogger, n as DomainEvent, o as EventTransport, r as EventHandler } from "./EventTransport-CUw5NNWe.mjs";
+import { i as EventLogger, n as DomainEvent, o as EventTransport, r as EventHandler } from "./EventTransport-CfVEGaEl.mjs";
 //#region src/events/transports/redis-stream.d.ts
 interface RedisStreamLike {

package/dist/registry/index.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { O as IntrospectionPluginOptions, U as RegisterOptions, W as ResourceRegistry } from "../index-Cl0uoKd5.mjs";
+import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-BGbpGVyM.mjs";
 import { FastifyPluginAsync } from "fastify";
 //#region src/registry/introspectionPlugin.d.ts

package/dist/registry/index.mjs CHANGED Viewed

@@ -1,3 +1,3 @@
-import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B3lRFBWo.mjs";
-import { t as ResourceRegistry } from "../ResourceRegistry-BPd6NQDm.mjs";
+import { n as introspectionPlugin_default, t as introspectionPlugin } from "../registry-B0Wl7uVV.mjs";
+import { t as ResourceRegistry } from "../ResourceRegistry-CcN2LVrc.mjs";
 export { ResourceRegistry, introspectionPlugin_default as introspectionPlugin, introspectionPlugin as introspectionPluginFn };

package/dist/{requestContext-xHIKedG6.mjs → requestContext-C38GskNt.mjs} RENAMED Viewed

@@ -11,7 +11,7 @@ import { AsyncLocalStorage } from "node:async_hooks";
 *
 * @example
 * ```typescript
-* import { requestContext } from '@classytic/arc';
+* import { requestContext } from '@classytic/arc/context';
 *
 * // Anywhere in the call stack — no parameter passing needed
 * async function auditAction(action: string) {

package/dist/{resourceToTools-BElv3xPT.mjs → resourceToTools-BhF3JV5p.mjs} RENAMED Viewed

@@ -1,6 +1,7 @@
-import { t as BaseController } from "./BaseController-CbKKIflT.mjs";
+import { t as BaseController } from "./BaseController-DVNKvoX4.mjs";
 import { n as normalizePermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
-import { t as pluralize } from "./pluralize-A0tWEl1K.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-TUVR3uiZ.mjs";
+import { t as pluralize } from "./pluralize-CWP6MB39.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -655,7 +656,11 @@ function resourceToTools(resource, config = {}) {
 		}
 		const toolName = prefix ? `${prefix}_${actionName}_${resource.name}` : `${actionName}_${resource.name}`;
 		const handler = typeof entry === "function" ? entry : def.handler;
-		const actionPerms = (typeof def !== "function" ? def.permissions : void 0) ?? resource.actionPermissions;
+		const actionPerms = resolveActionPermission({
+			action: entry,
+			resourcePermissions: resource.permissions,
+			resourceActionPermissions: resource.actionPermissions
+		});
 		tools.push({
 			name: toolName,
 			description: String(description),

package/dist/scope/index.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-C5SwtkAn.mjs";
-import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-BD85MlEK.mjs";
+import { _ as isAuthenticated, a as getClientId, b as isOrgInScope, c as getOrgRoles, d as getScopeContextMap, f as getServiceScopes, g as hasOrgAccess, h as getUserRoles, i as getAncestorOrgIds, l as getRequestScope, m as getUserId, n as PUBLIC_SCOPE, o as getOrgContext, p as getTeamId, r as RequestScope, s as getOrgId, t as AUTHENTICATED_SCOPE, u as getScopeContext, v as isElevated, x as isService, y as isMember } from "../types-tgR4Pt8F.mjs";
+import { i as elevationPlugin, n as ElevationOptions, r as _default, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 //#region src/scope/rateLimitKey.d.ts

package/dist/scope/index.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { _ as isElevated, a as getOrgContext, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, g as isAuthenticated, h as hasOrgAccess, i as getClientId, l as getScopeContext, m as getUserRoles, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, r as getAncestorOrgIds, s as getOrgRoles, t as AUTHENTICATED_SCOPE, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "../types-AOD8fxIw.mjs";
-import { n as normalizeRoles } from "../types-DV9WDfeg.mjs";
-import { n as elevation_default, t as elevationPlugin } from "../elevation-C7hgL_aI.mjs";
+import { n as normalizeRoles } from "../types-D57iXYb8.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-Dci0AYLT.mjs";
 //#region src/scope/rateLimitKey.ts
 function createTenantKeyGenerator(opts) {
 	if (opts?.strategy) return opts.strategy;

package/dist/{sse-yBCgOLGu.mjs → sse-D8UeDwis.mjs} RENAMED Viewed

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
+import { arcLog } from "./logger/index.mjs";
 import { n as PUBLIC_SCOPE, o as getOrgId } from "./types-AOD8fxIw.mjs";
-import { t as arcLog } from "./logger-DLg8-Ueg.mjs";
 import fp from "fastify-plugin";
 //#region src/plugins/sse.ts
 var sse_exports = /* @__PURE__ */ __exportAll({

package/dist/{store-helpers-ZCSMJJAX.mjs → store-helpers-DYYUQbQN.mjs} RENAMED Viewed

@@ -18,6 +18,10 @@ function isNotFoundError(err) {
 * Build a `safeGetOne(filter)` that papers over the throw-vs-null split
 * in kit implementations. Real errors propagate; miss returns `null`.
 * Throws if the repository lacks `getOne` — callers must check.
+*
+* Accepts `FilterInput` (the repo-core union) so callers can compose
+* portable Filter IR (`and(eq(...), gt(...))`) OR pass a flat kit-native
+* record. Both forms reach the kit's `getOne` unchanged — kits dispatch.
 */
 function createSafeGetOne(repository) {
 	if (typeof repository.getOne !== "function") throw new Error("createSafeGetOne: repository.getOne is required");

package/dist/testing/index.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { G as ResourceDefinition, dn as AnyRecord } from "../index-Cl0uoKd5.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-Co8k3NyS.mjs";
+import { B as ResourceDefinition, Yt as AnyRecord } from "../index-BGbpGVyM.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-CVdgPXBW.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
 import Fastify, { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Connection } from "mongoose";

package/dist/testing/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { t as CRUD_OPERATIONS } from "../constants-BhY1OHoH.mjs";
-import { n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "../fields-bxkeltzz.mjs";
+import { n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "../fields-CTMWOUDt.mjs";
 import { runStorageContract } from "./storageContract.mjs";
 import Fastify from "fastify";
 import mongoose from "mongoose";
@@ -915,6 +915,15 @@ function createMockRepository(overrides = {}) {
 			success: true,
 			message: "Deleted"
 		}),
+		updateMany: vi.fn().mockResolvedValue({
+			acknowledged: true,
+			matchedCount: 0,
+			modifiedCount: 0
+		}),
+		deleteMany: vi.fn().mockResolvedValue({
+			acknowledged: true,
+			deletedCount: 0
+		}),
 		getBySlug: vi.fn().mockResolvedValue(null),
 		getDeleted: vi.fn().mockResolvedValue([]),
 		restore: vi.fn().mockResolvedValue(null),
@@ -1741,7 +1750,7 @@ function runEventTests(resourceName, displayName, events) {
 * ```
 */
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-BuvPma24.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BwnEAO2h.mjs").then((n) => n.r);
 	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
 	const defaultAuth = {
 		type: "jwt",

package/dist/testing/storageContract.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as Storage } from "../storage-CVk_SEn2.mjs";
+import { t as Storage } from "../storage-BwGQXUpd.mjs";
 //#region src/testing/storageContract.d.ts
 interface StorageContractSetupResult {