@classytic/arc 2.10.3 → 2.11.0

package/dist/{resourceToTools-BElv3xPT.mjs → resourceToTools--okX6QBr.mjs}

@@ -1,6 +1,10 @@
-import { t as BaseController } from "./BaseController-CbKKIflT.mjs";
-import { n as normalizePermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
-import { t as pluralize } from "./pluralize-A0tWEl1K.mjs";
+import { t as BaseController } from "./BaseController-JNV08qOT.mjs";
+import { A as normalizePermissionResult } from "./permissions-B4vU9L0Q.mjs";
+import { u as resolvePipelineSteps } from "./routerShared-DeESFp4a.mjs";
+import { t as executePipeline } from "./pipe-DVoIheVC.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-C8YYU92K.mjs";
+import { i as shouldRejectAdditionalProperties, r as schemaIRToZodShape, t as normalizeSchemaIR } from "./schemaIR-BlG9bY7v.mjs";
+import { t as pluralize } from "./pluralize-BneOJkpi.mjs";
 import { z } from "zod";
 //#region src/integrations/mcp/createMcpServer.ts
 /**
@@ -373,6 +377,246 @@ function buildScope(auth) {
 	};
 }
 //#endregion
+//#region src/integrations/mcp/tool-helpers.ts
+/**
+* Evaluate a resource's permission check in MCP context.
+*
+* Returns the full normalized `PermissionResult` so the caller can honor
+* ALL side-effects (filters + scope) consistently with CRUD/action routes.
+* Returns `null` when no permission is defined (= allow, no side effects).
+*
+* Promoting booleans to `PermissionResult` via the shared
+* `normalizePermissionResult` helper keeps the contract aligned with the
+* rest of arc — one normalization path for every call site.
+*/
+async function evaluatePermission(check, session, resource, action, input) {
+	if (!check) return null;
+	const user = session ? {
+		id: session.userId,
+		_id: session.userId,
+		...session
+	} : null;
+	return normalizePermissionResult(await check({
+		user,
+		request: {
+			user,
+			headers: {},
+			params: {},
+			query: {},
+			body: input
+		},
+		resource,
+		action,
+		resourceId: typeof input.id === "string" ? input.id : void 0,
+		params: {},
+		data: input
+	}));
+}
+/**
+* Convert a controller response envelope into an MCP `CallToolResult`.
+* Carries `meta` into the serialized payload so consumers see pagination
+* totals, stripped-field arrays, etc.
+*/
+function toCallToolResult(result) {
+	if (!result.success) return {
+		content: [{
+			type: "text",
+			text: result.error ?? "Operation failed"
+		}],
+		isError: true
+	};
+	const output = result.meta ? {
+		data: result.data,
+		...result.meta
+	} : result.data;
+	return { content: [{
+		type: "text",
+		text: JSON.stringify(output, null, 2)
+	}] };
+}
+/**
+* Auto-create a BaseController from the resource's adapter for MCP use.
+* Called when the resource has an adapter but no controller
+* (e.g. `disableDefaultRoutes: true` skips controller creation in
+* `defineResource`).
+*/
+function createMcpController(resource) {
+	const repository = resource.adapter?.repository;
+	if (!repository) return void 0;
+	return new BaseController(repository, {
+		resourceName: resource.name,
+		schemaOptions: resource.schemaOptions,
+		tenantField: resource.tenantField,
+		idField: resource.idField,
+		matchesFilter: resource.adapter?.matchesFilter
+	});
+}
+//#endregion
+//#region src/integrations/mcp/action-tools.ts
+/**
+* Convert an action's `schema` field into a Zod shape for MCP input.
+*
+* Delegates to the shared schema IR ([../../core/schemaIR.ts]). Same
+* normalization path AJV sees on the HTTP side via `buildActionBodySchema`,
+* so authors get one schema declaration for both surfaces. If the author
+* declares `additionalProperties: false`, the flag is preserved on the IR;
+* the MCP tool handler enforces it at request time (MCP's flat-shape input
+* format can't express strict mode natively — see [./types.ts]).
+*/
+function convertActionSchemaToZod(raw) {
+	return schemaIRToZodShape(normalizeSchemaIR(raw));
+}
+/**
+* Build an MCP tool handler for a declarative action.
+*
+* Uses the SAME `evaluatePermission()` + `buildRequestContext()` as CRUD
+* tools — single code path for permission side effects, scope construction,
+* and request-context assembly. This eliminates the DRY/drift risk flagged
+* in the 2.10.8 review: REST and MCP action tools share identical
+* context-building machinery.
+*/
+function createActionToolHandler(actionName, handler, permissions, resourceName, _resourcePermissions, rawSchema) {
+	const ir = rawSchema ? normalizeSchemaIR(rawSchema) : void 0;
+	const allowedKeys = (ir ? shouldRejectAdditionalProperties(ir) : false) && ir ? new Set(["id", ...Object.keys(ir.properties)]) : void 0;
+	return async (input, ctx) => {
+		const session = ctx.session;
+		if (allowedKeys) {
+			const extras = Object.keys(input).filter((k) => !allowedKeys.has(k));
+			if (extras.length > 0) return {
+				content: [{
+					type: "text",
+					text: JSON.stringify({
+						success: false,
+						error: `Unknown properties not allowed: ${extras.join(", ")}`,
+						details: {
+							action: actionName,
+							unexpected: extras
+						}
+					})
+				}],
+				isError: true
+			};
+		}
+		const permResult = await evaluatePermission(permissions, session, resourceName, actionName, input);
+		if (permResult && !permResult.granted) return {
+			content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: false,
+					error: permResult.reason ?? `Permission denied for action '${actionName}'`
+				})
+			}],
+			isError: true
+		};
+		const reqCtx = buildRequestContext({
+			...input,
+			action: actionName
+		}, session, "action", permResult?.filters, permResult?.scope);
+		const id = typeof input.id === "string" ? input.id : "";
+		const { id: _discardId, ...data } = input;
+		try {
+			const result = await handler(id, data, reqCtx);
+			return { content: [{
+				type: "text",
+				text: JSON.stringify({
+					success: true,
+					data: result
+				})
+			}] };
+		} catch (err) {
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${err instanceof Error ? err.message : String(err)}`
+				}],
+				isError: true
+			};
+		}
+	};
+}
+//#endregion
+//#region src/integrations/mcp/crud-tools.ts
+const ALL_CRUD_OPS = [
+	"list",
+	"get",
+	"create",
+	"update",
+	"delete"
+];
+const CRUD_ANNOTATIONS = {
+	list: { readOnlyHint: true },
+	get: { readOnlyHint: true },
+	create: { destructiveHint: false },
+	update: {
+		destructiveHint: true,
+		idempotentHint: true
+	},
+	delete: {
+		destructiveHint: true,
+		idempotentHint: true
+	}
+};
+/**
+* Build a handler that dispatches to the controller method for `op`,
+* passing through arc's MCP → IRequestContext adapter. Permission check
+* runs first and short-circuits with a structured tool error on denial.
+*/
+function createCrudHandler(op, controller, resourceName, permissions) {
+	const ctrl = controller;
+	return async (input, ctx) => {
+		try {
+			const method = ctrl[op];
+			if (typeof method !== "function") return {
+				content: [{
+					type: "text",
+					text: `Operation "${op}" not available on ${resourceName}`
+				}],
+				isError: true
+			};
+			const permResult = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
+			if (permResult && !permResult.granted) return {
+				content: [{
+					type: "text",
+					text: `Permission denied: ${op} on ${resourceName}${permResult.reason ? ` — ${permResult.reason}` : ""}`
+				}],
+				isError: true
+			};
+			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, permResult?.filters, permResult?.scope)));
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			ctx.log("error", `${resourceName}.${op}: ${msg}`).catch(() => {});
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${msg}`
+				}],
+				isError: true
+			};
+		}
+	};
+}
+/**
+* Default description for a CRUD tool. Enriches list descriptions with the
+* configured filter/sort metadata so MCP clients can see what's queryable
+* without reading the resource source.
+*/
+function defaultCrudDescription(op, displayName, softDelete, queryMeta) {
+	const name = displayName.toLowerCase();
+	switch (op) {
+		case "list": {
+			const parts = [`List ${pluralize(name)} with optional filters and pagination.`];
+			if (queryMeta?.filterableFields?.length) parts.push(`Filterable fields: ${queryMeta.filterableFields.join(", ")}.`);
+			if (queryMeta?.allowedOperators?.length) parts.push(`Filter operators: ${queryMeta.allowedOperators.join(", ")} (use field[op]=value syntax).`);
+			if (queryMeta?.sortableFields?.length) parts.push(`Sortable fields: ${queryMeta.sortableFields.join(", ")}.`);
+			return parts.join(" ");
+		}
+		case "get": return `Get a single ${name} by ID`;
+		case "create": return `Create a new ${name}`;
+		case "update": return `Update an existing ${name} by ID`;
+		case "delete": return softDelete ? `Delete a ${name} by ID (soft delete — marks as deleted, not permanently removed)` : `Delete a ${name} by ID`;
+	}
+}
+//#endregion
 //#region src/integrations/mcp/jsonSchemaToZod.ts
 /**
 * @classytic/arc — JSON Schema → Zod shape converter
@@ -513,195 +757,61 @@ function applyDescription(zodType, prop) {
 	return zodType;
 }
 //#endregion
-//#region src/integrations/mcp/resourceToTools.ts
+//#region src/integrations/mcp/input-schema.ts
 /**
-* @classytic/arc — Resource → MCP Tools Generator
+* MCP tool input schema generation.
 *
-* Converts a ResourceDefinition into an array of ToolDefinitions.
-* Core auto-generation logic that powers Level 1 (mcpPlugin).
+* One of four internal units extracted from `resourceToTools.ts` in
+* v2.11.0. Owns the translation from arc's fieldRules / adapter-generated
+* body schemas into the Zod shapes MCP tools expect.
 *
-* All tool handlers call BaseController methods — same pipeline as REST.
+* Exports:
+* - `buildInputSchema` — the switch on CRUD op that picks between the
+*   fieldRules path and the high-fidelity adapter-body path.
+* - `getAdapterBodies` — pulls `createBody` / `updateBody` from the
+*   adapter once so callers can reuse them for both paths.
+* - `deriveFieldRulesFromAdapter` — fallback FieldRules derivation for
+*   the list/filter path when the host didn't supply explicit rules.
 */
-const ALL_CRUD_OPS = [
-	"list",
-	"get",
-	"create",
-	"update",
-	"delete"
-];
-const ANNOTATIONS = {
-	list: { readOnlyHint: true },
-	get: { readOnlyHint: true },
-	create: { destructiveHint: false },
-	update: {
-		destructiveHint: true,
-		idempotentHint: true
-	},
-	delete: {
-		destructiveHint: true,
-		idempotentHint: true
+function buildInputSchema(op, fieldRules, opts) {
+	switch (op) {
+		case "list": return fieldRulesToZod(fieldRules, {
+			mode: "list",
+			...opts
+		});
+		case "get": return getIdShape();
+		case "create":
+			if (!fieldRules && opts.adapterBodies?.createBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.createBody, "create");
+				if (shape) return shape;
+			}
+			return fieldRulesToZod(fieldRules, {
+				mode: "create",
+				...opts
+			});
+		case "update": {
+			const idShape = getIdShape();
+			if (!fieldRules && opts.adapterBodies?.updateBody) {
+				const shape = jsonSchemaToZodShape(opts.adapterBodies.updateBody, "update");
+				if (shape) return {
+					...idShape,
+					...shape
+				};
+			}
+			return {
+				...idShape,
+				...fieldRulesToZod(fieldRules, {
+					mode: "update",
+					...opts
+				})
+			};
+		}
+		case "delete": return getIdShape();
 	}
-};
-/**
-* Convert a ResourceDefinition into MCP ToolDefinitions.
-*
-* MCP tools call BaseController directly — they bypass HTTP routes entirely.
-* Therefore `disableDefaultRoutes` does NOT affect MCP tool generation;
-* only `disabledRoutes` (the per-operation array) controls which ops are skipped.
-*
-* If the resource has an adapter but no controller (e.g. `disableDefaultRoutes: true`),
-* a lightweight BaseController is auto-created from the adapter for MCP use.
-*
-* @param resource - Arc resource definition
-* @param config - Optional overrides (operations, descriptions, hideFields, prefix, names)
-*/
-function resourceToTools(resource, config = {}) {
-	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
-	const explicitFieldRules = resource.schemaOptions?.fieldRules;
-	const hiddenFields = resource.schemaOptions?.hiddenFields;
-	const readonlyFields = resource.schemaOptions?.readonlyFields;
-	const adapterBodies = explicitFieldRules ? void 0 : getAdapterBodies(resource);
-	const fieldRules = explicitFieldRules ?? deriveFieldRulesFromAdapter(resource);
-	const filterableFields = resource.schemaOptions?.filterableFields ?? resource.queryParser?.allowedFilterFields;
-	const sortableFields = resource.queryParser?.allowedSortFields;
-	const allowedOperators = resource.queryParser?.allowedOperators;
-	const hasSoftDelete = resource._appliedPresets?.includes("softDelete") ?? false;
-	const tools = [];
-	const prefix = config.toolNamePrefix;
-	if (controller) {
-		let ops = ALL_CRUD_OPS.filter((op) => {
-			if (resource.disabledRoutes?.includes(op)) return false;
-			return true;
-		});
-		if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
-		for (const op of ops) {
-			const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
-			tools.push({
-				name,
-				description: config.descriptions?.[op] ?? defaultDescription(op, resource.displayName, hasSoftDelete, {
-					filterableFields,
-					allowedOperators,
-					sortableFields
-				}),
-				annotations: ANNOTATIONS[op],
-				inputSchema: buildInputSchema(op, fieldRules, {
-					hiddenFields,
-					readonlyFields,
-					extraHideFields: config.hideFields,
-					filterableFields,
-					allowedOperators,
-					adapterBodies
-				}),
-				handler: createHandler(op, controller, resource.name, resource.permissions)
-			});
-		}
-	}
-	for (const route of resource.routes ?? []) {
-		if (route.mcp === false) continue;
-		const mcpHandler = route.mcpHandler;
-		if (!!route.raw && !mcpHandler) continue;
-		if (!mcpHandler && ![
-			"POST",
-			"PUT",
-			"PATCH",
-			"DELETE"
-		].includes(route.method)) continue;
-		if (!mcpHandler && typeof route.handler === "string" && !controller) continue;
-		const opName = route.operation ?? slugifyRoute(route.method, route.path);
-		const hasId = route.path.includes(":id");
-		const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
-		const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
-		const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
-		const inputShape = {};
-		if (hasId) inputShape.id = z.string().describe("Resource ID");
-		if (mcpHandler) tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: toolDescription,
-			annotations: toolAnnotations,
-			inputSchema: inputShape,
-			handler: async (input, _ctx) => {
-				try {
-					return await mcpHandler(input);
-				} catch (err) {
-					return {
-						content: [{
-							type: "text",
-							text: `Error: ${err instanceof Error ? err.message : String(err)}`
-						}],
-						isError: true
-					};
-				}
-			}
-		});
-		else tools.push({
-			name: prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`,
-			description: toolDescription,
-			annotations: toolAnnotations,
-			inputSchema: inputShape,
-			handler: createCustomRouteHandler(route, controller, hasId)
-		});
-	}
-	if (resource.actions) for (const [actionName, entry] of Object.entries(resource.actions)) {
-		const def = typeof entry === "function" ? { handler: entry } : entry;
-		if (typeof def !== "function" && "mcp" in def && def.mcp === false) continue;
-		const mcpCfg = typeof def !== "function" && typeof def.mcp === "object" ? def.mcp : void 0;
-		const description = mcpCfg?.description ?? (typeof def !== "function" ? def.description : void 0) ?? `${actionName} action on ${resource.displayName}`;
-		const annotations = mcpCfg?.annotations ? { ...mcpCfg.annotations } : { destructiveHint: true };
-		const inputShape = { id: z.string().describe("Resource ID") };
-		const rawSchema = typeof def !== "function" ? def.schema : void 0;
-		if (rawSchema && typeof rawSchema === "object") {
-			const converted = convertActionSchemaToZod(rawSchema);
-			for (const [key, val] of Object.entries(converted)) inputShape[key] = val;
-		}
-		const toolName = prefix ? `${prefix}_${actionName}_${resource.name}` : `${actionName}_${resource.name}`;
-		const handler = typeof entry === "function" ? entry : def.handler;
-		const actionPerms = (typeof def !== "function" ? def.permissions : void 0) ?? resource.actionPermissions;
-		tools.push({
-			name: toolName,
-			description: String(description),
-			annotations,
-			inputSchema: inputShape,
-			handler: createActionToolHandler(actionName, handler, actionPerms, resource.name, resource.permissions)
-		});
-	}
-	return tools;
-}
-function buildInputSchema(op, fieldRules, opts) {
-	switch (op) {
-		case "list": return fieldRulesToZod(fieldRules, {
-			mode: "list",
-			...opts
-		});
-		case "get": return { id: z.string().describe("Resource ID") };
-		case "create":
-			if (!fieldRules && opts.adapterBodies?.createBody) {
-				const shape = jsonSchemaToZodShape(opts.adapterBodies.createBody, "create");
-				if (shape) return shape;
-			}
-			return fieldRulesToZod(fieldRules, {
-				mode: "create",
-				...opts
-			});
-		case "update": {
-			const idShape = { id: z.string().describe("Resource ID") };
-			if (!fieldRules && opts.adapterBodies?.updateBody) {
-				const shape = jsonSchemaToZodShape(opts.adapterBodies.updateBody, "update");
-				if (shape) return {
-					...idShape,
-					...shape
-				};
-			}
-			return {
-				...idShape,
-				...fieldRulesToZod(fieldRules, {
-					mode: "update",
-					...opts
-				})
-			};
-		}
-		case "delete": return { id: z.string().describe("Resource ID") };
-	}
-}
+}
+function getIdShape() {
+	return { id: z.string().describe("Resource ID") };
+}
 /**
 * Pull the adapter's `createBody` / `updateBody` schemas, if any.
 * Returns `undefined` when the adapter doesn't generate schemas or throws.
@@ -724,115 +834,6 @@ function getAdapterBodies(resource) {
 		return;
 	}
 }
-function createHandler(op, controller, resourceName, permissions) {
-	const ctrl = controller;
-	return async (input, ctx) => {
-		try {
-			const method = ctrl[op];
-			if (typeof method !== "function") return {
-				content: [{
-					type: "text",
-					text: `Operation "${op}" not available on ${resourceName}`
-				}],
-				isError: true
-			};
-			const permResult = await evaluatePermission(permissions?.[op], ctx.session, resourceName, op, input);
-			if (permResult && !permResult.granted) return {
-				content: [{
-					type: "text",
-					text: `Permission denied: ${op} on ${resourceName}${permResult.reason ? ` — ${permResult.reason}` : ""}`
-				}],
-				isError: true
-			};
-			return toCallToolResult(await method(buildRequestContext(input, ctx.session, op, permResult?.filters, permResult?.scope)));
-		} catch (err) {
-			const msg = err instanceof Error ? err.message : String(err);
-			ctx.log("error", `${resourceName}.${op}: ${msg}`).catch(() => {});
-			return {
-				content: [{
-					type: "text",
-					text: `Error: ${msg}`
-				}],
-				isError: true
-			};
-		}
-	};
-}
-function createCustomRouteHandler(route, controller, hasId) {
-	const ctrl = controller;
-	const handlerName = typeof route.handler === "string" ? route.handler : route.operation ?? slugifyRoute(route.method, route.path);
-	return async (input, ctx) => {
-		try {
-			if (typeof route.handler === "function") {
-				const reqCtx = buildRequestContext(input, ctx.session, hasId ? "update" : "create");
-				const fn = route.handler;
-				const out = await fn(reqCtx);
-				return toCallToolResult(out !== null && typeof out === "object" && "success" in out ? out : {
-					success: true,
-					data: out
-				});
-			}
-			if (!ctrl) return {
-				content: [{
-					type: "text",
-					text: `Handler "${handlerName}" has no controller available`
-				}],
-				isError: true
-			};
-			const method = ctrl[handlerName];
-			if (typeof method !== "function") return {
-				content: [{
-					type: "text",
-					text: `Handler "${handlerName}" not found on controller`
-				}],
-				isError: true
-			};
-			return toCallToolResult(await method(buildRequestContext(input, ctx.session, hasId ? "update" : "create")));
-		} catch (err) {
-			return {
-				content: [{
-					type: "text",
-					text: `Error: ${err instanceof Error ? err.message : String(err)}`
-				}],
-				isError: true
-			};
-		}
-	};
-}
-/**
-* Evaluate a resource's permission check in MCP context.
-*
-* Returns the full normalized `PermissionResult` so the caller can honor
-* ALL side-effects (filters + scope) consistently with CRUD/action routes.
-* Returns `null` when no permission is defined (= allow, no side effects).
-*
-* Promoting booleans to `PermissionResult` via the shared `normalizePermissionResult`
-* helper keeps the contract aligned with the rest of Arc — there is a single
-* normalization path for every call site.
-*/
-async function evaluatePermission(check, session, resource, action, input) {
-	if (!check) return null;
-	const user = session ? {
-		id: session.userId,
-		_id: session.userId,
-		...session
-	} : null;
-	return normalizePermissionResult(await check({
-		user,
-		request: {
-			user,
-			headers: {},
-			params: {},
-			query: {},
-			body: input
-		},
-		resource,
-		action,
-		resourceId: typeof input.id === "string" ? input.id : void 0,
-		params: {},
-		data: input
-	}));
-}
 /**
 * Derive a fieldRules-shaped object from the adapter's auto-generated body
 * schemas. Used as a fallback when the resource doesn't supply explicit
@@ -890,141 +891,90 @@ function mapJsonSchemaTypeToArcType(jsonType) {
 		default: return "string";
 	}
 }
-function toCallToolResult(result) {
-	if (!result.success) return {
-		content: [{
-			type: "text",
-			text: result.error ?? "Operation failed"
-		}],
-		isError: true
-	};
-	const output = result.meta ? {
-		data: result.data,
-		...result.meta
-	} : result.data;
-	return { content: [{
-		type: "text",
-		text: JSON.stringify(output, null, 2)
-	}] };
-}
-function defaultDescription(op, displayName, softDelete, queryMeta) {
-	const name = displayName.toLowerCase();
-	switch (op) {
-		case "list": {
-			const parts = [`List ${pluralize(name)} with optional filters and pagination.`];
-			if (queryMeta?.filterableFields?.length) parts.push(`Filterable fields: ${queryMeta.filterableFields.join(", ")}.`);
-			if (queryMeta?.allowedOperators?.length) parts.push(`Filter operators: ${queryMeta.allowedOperators.join(", ")} (use field[op]=value syntax).`);
-			if (queryMeta?.sortableFields?.length) parts.push(`Sortable fields: ${queryMeta.sortableFields.join(", ")}.`);
-			return parts.join(" ");
-		}
-		case "get": return `Get a single ${name} by ID`;
-		case "create": return `Create a new ${name}`;
-		case "update": return `Update an existing ${name} by ID`;
-		case "delete": return softDelete ? `Delete a ${name} by ID (soft delete — marks as deleted, not permanently removed)` : `Delete a ${name} by ID`;
-	}
-}
-function slugifyRoute(method, path) {
-	const clean = path.replace(/:[^/]+/g, "").replace(/^\/+|\/+$/g, "").replace(/\//g, "_");
-	return clean ? `${method.toLowerCase()}_${clean}` : method.toLowerCase();
-}
-/**
-* Auto-create a BaseController from the resource's adapter for MCP use.
-* Called when the resource has an adapter but no controller
-* (e.g. `disableDefaultRoutes: true` skips controller creation in defineResource).
-*/
-function createMcpController(resource) {
-	const repository = resource.adapter?.repository;
-	if (!repository) return void 0;
-	return new BaseController(repository, {
-		resourceName: resource.name,
-		schemaOptions: resource.schemaOptions,
-		tenantField: resource.tenantField,
-		idField: resource.idField,
-		matchesFilter: resource.adapter?.matchesFilter
-	});
-}
+//#endregion
+//#region src/integrations/mcp/route-tools.ts
 /**
-* Convert an action schema (JSON Schema, Zod, or legacy field map) to a Zod
-* shape for MCP tool input. This mirrors `normalizeActionSchema` in
-* `createActionRouter.ts` but produces Zod types for the MCP SDK.
+* Custom-route → MCP tool generation.
+*
+* Converts arc's `routes[]` entries (declared via `defineResource({
+* routes: [...] })`) into MCP tools. Three handler shapes are supported:
+*
+* 1. `mcpHandler` (full bypass) — caller-supplied function owns the whole
+*    tool result; pipeline is not invoked.
+* 2. Function handler with `raw: false/undefined` — arc's pipeline wrapper
+*    runs normally, and the envelope is serialized into the tool result.
+* 3. String handler — looks up a method on the controller by name.
 */
-function convertActionSchemaToZod(raw) {
-	if ("_zod" in raw && typeof raw.shape === "object") return { ...raw.shape };
-	if ((raw.type === "object" || "properties" in raw) && typeof raw.properties === "object" && raw.properties !== null) {
-		const props = raw.properties;
-		return jsonSchemaPropsToZod(props, new Set(Array.isArray(raw.required) ? raw.required : []));
-	}
-	const result = {};
-	for (const [fieldName, fieldSchema] of Object.entries(raw)) {
-		if (fieldName === "type" || fieldName === "properties" || fieldName === "required") continue;
-		if (!fieldSchema || typeof fieldSchema !== "object") continue;
-		const fs = fieldSchema;
-		const desc = typeof fs.description === "string" ? fs.description : `${fieldName} field`;
-		const isOptional = fs.required === false;
-		const base = jsonSchemaTypeToZod(fs);
-		result[fieldName] = isOptional ? base.optional().describe(desc) : base.describe(desc);
-	}
-	return result;
-}
-function jsonSchemaPropsToZod(props, requiredSet) {
-	const result = {};
-	for (const [name, schema] of Object.entries(props)) {
-		const desc = typeof schema.description === "string" ? schema.description : name;
-		const base = jsonSchemaTypeToZod(schema);
-		result[name] = requiredSet.has(name) ? base.describe(desc) : base.optional().describe(desc);
-	}
-	return result;
-}
-function jsonSchemaTypeToZod(schema) {
-	const type = typeof schema.type === "string" ? schema.type : "string";
-	if (Array.isArray(schema.enum) && schema.enum.length > 0) return z.enum(schema.enum);
-	switch (type) {
-		case "number":
-		case "integer": return z.number();
-		case "boolean": return z.boolean();
-		case "array": return z.array(z.unknown());
-		case "object": return z.record(z.string(), z.unknown());
-		default: return z.string();
-	}
-}
 /**
-* Create an MCP tool handler for a declarative action.
+* Build an MCP tool handler for a custom route.
+*
+* Enforces the same contract as the REST route:
+*   1. **Permission evaluation** via the shared `evaluatePermission` — the
+*      exact path CRUD and action MCP tools use. Filters and scope from a
+*      `PermissionResult` thread through `buildRequestContext`.
+*   2. **Pipeline integration** — function handlers run inside
+*      `executePipeline` with the same steps the HTTP path resolves.
+*   3. **Controller dispatch** for string handlers.
 *
-* Uses the SAME `evaluatePermission()` and `buildRequestContext()` as
-* CRUD tools — single code path for permission side effects, scope
-* construction, and request context assembly. This eliminates the
-* DRY/drift risk flagged in the review: REST and MCP action tools now
-* share identical context-building machinery.
+* `hasId` signals whether the route path uses `:id`, which determines
+* whether we treat the call as an update-shaped or create-shaped request
+* when hydrating the request context.
 */
-function createActionToolHandler(actionName, handler, permissions, resourceName, _resourcePermissions) {
-	return async (input, ctx) => {
-		const session = ctx.session;
-		const permResult = await evaluatePermission(permissions, session, resourceName, actionName, input);
+function createCustomRouteHandler(route, controller, hasId, options) {
+	const ctrl = controller;
+	const handlerName = typeof route.handler === "string" ? route.handler : route.operation ?? slugifyRoute(route.method, route.path);
+	const { resourceName, operationName, permissions, pipeline } = options;
+	const pipelineSteps = resolvePipelineSteps(pipeline, operationName);
+	return async (input, _ctx) => {
+		const session = _ctx.session;
+		const permResult = await evaluatePermission(permissions, session, resourceName, operationName, input);
 		if (permResult && !permResult.granted) return {
 			content: [{
 				type: "text",
 				text: JSON.stringify({
 					success: false,
-					error: permResult.reason ?? `Permission denied for action '${actionName}'`
+					error: permResult.reason ?? (session ? `Permission denied for '${operationName}'` : "Authentication required")
 				})
 			}],
 			isError: true
 		};
-		const reqCtx = buildRequestContext({
-			...input,
-			action: actionName
-		}, session, "action", permResult?.filters, permResult?.scope);
-		const id = typeof input.id === "string" ? input.id : "";
-		const { id: _discardId, ...data } = input;
 		try {
-			const result = await handler(id, data, reqCtx);
-			return { content: [{
-				type: "text",
-				text: JSON.stringify({
+			const reqCtx = buildRequestContext(input, session, hasId ? "update" : "create", permResult?.filters, permResult?.scope);
+			if (typeof route.handler === "function") {
+				const fn = route.handler;
+				if (pipelineSteps.length > 0) return toCallToolResult(await executePipeline(pipelineSteps, {
+					...reqCtx,
+					resource: resourceName,
+					operation: operationName
+				}, async (ctx) => {
+					const raw = await fn(ctx);
+					return raw !== null && typeof raw === "object" && "success" in raw ? raw : {
+						success: true,
+						data: raw
+					};
+				}, operationName));
+				const out = await fn(reqCtx);
+				return toCallToolResult(out !== null && typeof out === "object" && "success" in out ? out : {
 					success: true,
-					data: result
-				})
-			}] };
+					data: out
+				});
+			}
+			if (!ctrl) return {
+				content: [{
+					type: "text",
+					text: `Handler "${handlerName}" has no controller available`
+				}],
+				isError: true
+			};
+			const method = ctrl[handlerName];
+			if (typeof method !== "function") return {
+				content: [{
+					type: "text",
+					text: `Handler "${handlerName}" not found on controller`
+				}],
+				isError: true
+			};
+			return toCallToolResult(await method(reqCtx));
 		} catch (err) {
 			return {
 				content: [{
@@ -1036,5 +986,174 @@ function createActionToolHandler(actionName, handler, permissions, resourceName,
 		}
 	};
 }
+/**
+* Build an MCP tool handler around a caller-supplied `mcpHandler` — no
+* pipeline, no envelope translation, the function owns the whole
+* `CallToolResult`. Only surfaces errors as tool-error results.
+*/
+function createMcpHandlerPassthrough(mcpHandler) {
+	return async (input) => {
+		try {
+			return await mcpHandler(input);
+		} catch (err) {
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${err instanceof Error ? err.message : String(err)}`
+				}],
+				isError: true
+			};
+		}
+	};
+}
+/**
+* Slugify `{method, path}` into a readable tool-operation name when the
+* route definition doesn't supply an explicit `operation`.
+*/
+function slugifyRoute(method, path) {
+	const clean = path.replace(/:[^/]+/g, "").replace(/^\/+|\/+$/g, "").replace(/\//g, "_");
+	return clean ? `${method.toLowerCase()}_${clean}` : method.toLowerCase();
+}
+//#endregion
+//#region src/integrations/mcp/resourceToTools.ts
+/**
+* @classytic/arc — Resource → MCP Tools orchestrator.
+*
+* Top-level entry point for generating `ToolDefinition[]` from a
+* `ResourceDefinition`. Delegates the heavy lifting to four focused
+* internal units (v2.11.0 split):
+*
+* - [input-schema.ts](./input-schema.ts)   — CRUD input-shape generation
+* - [crud-tools.ts](./crud-tools.ts)       — CRUD handler + annotations + descriptions
+* - [route-tools.ts](./route-tools.ts)     — custom-route → tool translation
+* - [action-tools.ts](./action-tools.ts)   — declarative-action → tool translation
+*
+* This file's job is purely orchestration: pick the controller, gather
+* field rules once, and loop over CRUD / routes / actions delegating
+* each tool's construction to the matching unit.
+*
+* All tool handlers call BaseController methods — same pipeline as REST.
+*/
+/**
+* Convert a ResourceDefinition into MCP ToolDefinitions.
+*
+* MCP tools call BaseController directly — they bypass HTTP routes entirely.
+* Therefore `disableDefaultRoutes` does NOT affect MCP tool generation;
+* only `disabledRoutes` (the per-operation array) controls which ops are skipped.
+*
+* If the resource has an adapter but no controller (e.g. `disableDefaultRoutes: true`),
+* a lightweight BaseController is auto-created from the adapter for MCP use.
+*
+* @param resource - Arc resource definition
+* @param config - Optional overrides (operations, descriptions, hideFields, prefix, names)
+*/
+function resourceToTools(resource, config = {}) {
+	const controller = resource.controller ?? (resource.adapter ? createMcpController(resource) : void 0);
+	const explicitFieldRules = resource.schemaOptions?.fieldRules;
+	const hiddenFields = resource.schemaOptions?.hiddenFields;
+	const readonlyFields = resource.schemaOptions?.readonlyFields;
+	const adapterBodies = explicitFieldRules ? void 0 : getAdapterBodies(resource);
+	const fieldRules = explicitFieldRules ?? deriveFieldRulesFromAdapter(resource);
+	const filterableFields = resource.schemaOptions?.filterableFields ?? resource.queryParser?.allowedFilterFields;
+	const sortableFields = resource.queryParser?.allowedSortFields;
+	const allowedOperators = resource.queryParser?.allowedOperators;
+	const hasSoftDelete = resource._appliedPresets?.includes("softDelete") ?? false;
+	const tools = [];
+	const prefix = config.toolNamePrefix;
+	if (controller) {
+		let ops = ALL_CRUD_OPS.filter((op) => !resource.disabledRoutes?.includes(op));
+		if (config.operations) ops = ops.filter((op) => config.operations?.includes(op));
+		for (const op of ops) {
+			const name = config.names?.[op] ?? (op === "list" ? `${prefix ? `${prefix}_` : ""}list_${pluralize(resource.name)}` : `${prefix ? `${prefix}_` : ""}${op}_${resource.name}`);
+			tools.push({
+				name,
+				description: config.descriptions?.[op] ?? defaultCrudDescription(op, resource.displayName, hasSoftDelete, {
+					filterableFields,
+					allowedOperators,
+					sortableFields
+				}),
+				annotations: CRUD_ANNOTATIONS[op],
+				inputSchema: buildInputSchema(op, fieldRules, {
+					hiddenFields,
+					readonlyFields,
+					extraHideFields: config.hideFields,
+					filterableFields,
+					allowedOperators,
+					adapterBodies
+				}),
+				handler: createCrudHandler(op, controller, resource.name, resource.permissions)
+			});
+		}
+	}
+	for (const route of resource.routes ?? []) {
+		if (route.mcp === false) continue;
+		const mcpHandler = route.mcpHandler;
+		if (!!route.raw && !mcpHandler) continue;
+		if (!mcpHandler && ![
+			"POST",
+			"PUT",
+			"PATCH",
+			"DELETE"
+		].includes(route.method)) continue;
+		if (!mcpHandler && typeof route.handler === "string" && !controller) continue;
+		const opName = route.operation ?? slugifyRoute(route.method, route.path);
+		const hasId = route.path.includes(":id");
+		const mcpConfig = typeof route.mcp === "object" && route.mcp !== null ? route.mcp : void 0;
+		const toolDescription = mcpConfig?.description ?? route.summary ?? route.description ?? `${opName} on ${resource.displayName}`;
+		const toolAnnotations = mcpConfig?.annotations ? { ...mcpConfig.annotations } : { openWorldHint: true };
+		const inputShape = {};
+		if (hasId) inputShape.id = z.string().describe("Resource ID");
+		const routeSchema = route.schema;
+		if (routeSchema?.body) {
+			const ir = normalizeSchemaIR(routeSchema.body);
+			for (const [key, val] of Object.entries(schemaIRToZodShape(ir))) inputShape[key] = val;
+		}
+		if (routeSchema?.querystring) {
+			const ir = normalizeSchemaIR(routeSchema.querystring);
+			for (const [key, val] of Object.entries(schemaIRToZodShape(ir))) if (!(key in inputShape)) inputShape[key] = val;
+		}
+		const toolName = prefix ? `${prefix}_${opName}_${resource.name}` : `${opName}_${resource.name}`;
+		tools.push({
+			name: toolName,
+			description: toolDescription,
+			annotations: toolAnnotations,
+			inputSchema: inputShape,
+			handler: mcpHandler ? createMcpHandlerPassthrough(mcpHandler) : createCustomRouteHandler(route, controller, hasId, {
+				resourceName: resource.name,
+				operationName: opName,
+				permissions: route.permissions,
+				pipeline: resource.pipe
+			})
+		});
+	}
+	if (resource.actions) for (const [actionName, entry] of Object.entries(resource.actions)) {
+		const def = typeof entry === "function" ? { handler: entry } : entry;
+		if (typeof def !== "function" && "mcp" in def && def.mcp === false) continue;
+		const mcpCfg = typeof def !== "function" && typeof def.mcp === "object" ? def.mcp : void 0;
+		const description = mcpCfg?.description ?? (typeof def !== "function" ? def.description : void 0) ?? `${actionName} action on ${resource.displayName}`;
+		const annotations = mcpCfg?.annotations ? { ...mcpCfg.annotations } : { destructiveHint: true };
+		const inputShape = { id: z.string().describe("Resource ID") };
+		const rawSchema = typeof def !== "function" ? def.schema : void 0;
+		if (rawSchema && typeof rawSchema === "object") {
+			const converted = convertActionSchemaToZod(rawSchema);
+			for (const [key, val] of Object.entries(converted)) inputShape[key] = val;
+		}
+		const toolName = prefix ? `${prefix}_${actionName}_${resource.name}` : `${actionName}_${resource.name}`;
+		const handler = typeof entry === "function" ? entry : def.handler;
+		const actionPerms = resolveActionPermission({
+			action: entry,
+			resourcePermissions: resource.permissions,
+			resourceActionPermissions: resource.actionPermissions
+		});
+		tools.push({
+			name: toolName,
+			description: String(description),
+			annotations,
+			inputSchema: inputShape,
+			handler: createActionToolHandler(actionName, handler, actionPerms, resource.name, resource.permissions, rawSchema)
+		});
+	}
+	return tools;
+}
 //#endregion
 export { fieldRulesToZod as n, createMcpServer as r, resourceToTools as t };