@classytic/arc 2.10.8 → 2.11.0

package/dist/core-3MWJosCH.mjs

@@ -1,1459 +0,0 @@
-import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
-import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, v as isMember } from "./types-AOD8fxIw.mjs";
-import { t as BaseController } from "./BaseController-DVNKvoX4.mjs";
-import { i as resolveEffectiveRoles, t as applyFieldReadPermissions } from "./fields-CTMWOUDt.mjs";
-import { t as getUserRoles } from "./types-D57iXYb8.mjs";
-import { t as requestContext } from "./requestContext-C38GskNt.mjs";
-import { n as normalizePermissionResult, t as applyPermissionResult } from "./applyPermissionResult-QhV1Pa-g.mjs";
-import { i as getDefaultCrudSchemas } from "./utils-LMwVidKy.mjs";
-import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-BxFDdtXu.mjs";
-import { t as hasEvents } from "./typeGuards-Cj5Rgvlg.mjs";
-import { t as executePipeline } from "./pipe-CGJxqDGx.mjs";
-import { r as getAvailablePresets, t as applyPresets } from "./presets-CrwOvuXI.mjs";
-import { t as resolveActionPermission } from "./actionPermissions-TUVR3uiZ.mjs";
-//#region src/scope/projection.ts
-/**
-* Compute the request-scope projection. Returns `undefined` when no
-* scope is attached (public / unscoped routes) so hosts can idiomatically
-* write `ctx.scope?.organizationId` without a double-null check.
-*/
-function buildRequestScopeProjection(scope) {
-	if (!scope) return void 0;
-	return {
-		organizationId: getOrgId(scope),
-		userId: getUserId(scope),
-		orgRoles: isMember(scope) ? scope.orgRoles : void 0
-	};
-}
-//#endregion
-//#region src/core/fastifyAdapter.ts
-/** Type guard for Mongoose-like documents with toObject() */
-function isMongooseDoc(obj) {
-	return !!obj && typeof obj === "object" && "toObject" in obj && typeof obj.toObject === "function";
-}
-/**
-* Apply field mask to a single object
-* Filters fields based on include/exclude rules
-*/
-function applyFieldMaskToObject(obj, fieldMask) {
-	if (!obj || typeof obj !== "object") return obj;
-	const plain = isMongooseDoc(obj) ? obj.toObject() : obj;
-	const { include, exclude } = fieldMask;
-	if (include && include.length > 0) {
-		const filtered = {};
-		for (const field of include) if (field in plain) filtered[field] = plain[field];
-		return filtered;
-	}
-	if (exclude && exclude.length > 0) {
-		const filtered = { ...plain };
-		for (const field of exclude) delete filtered[field];
-		return filtered;
-	}
-	return plain;
-}
-/**
-* Apply field mask to response data (handles both objects and arrays)
-*/
-function applyFieldMask(data, fieldMask) {
-	if (!fieldMask) return data;
-	if (Array.isArray(data)) return data.map((item) => applyFieldMaskToObject(item, fieldMask));
-	if (data && typeof data === "object") return applyFieldMaskToObject(data, fieldMask);
-	return data;
-}
-/**
-* Create IRequestContext from Fastify request
-*
-* Extracts framework-agnostic context from Fastify-specific request object
-*/
-function createRequestContext(req) {
-	const reqWithExtras = req;
-	const requestContext = reqWithExtras.context ?? {};
-	const srv = req.server;
-	const serverAccessor = {
-		events: srv && "events" in srv ? srv.events : void 0,
-		audit: srv && "audit" in srv ? srv.audit : void 0,
-		queryCache: srv && "queryCache" in srv ? srv.queryCache : void 0,
-		log: req.log
-	};
-	const rawScope = reqWithExtras.scope;
-	const scopeProjection = buildRequestScopeProjection(rawScope);
-	return {
-		query: reqWithExtras.query ?? {},
-		body: reqWithExtras.body ?? {},
-		params: reqWithExtras.params ?? {},
-		headers: reqWithExtras.headers,
-		user: reqWithExtras.user ? (() => {
-			const user = reqWithExtras.user;
-			const rawId = user._id ?? user.id;
-			const normalizedId = rawId ? String(rawId) : void 0;
-			return {
-				...user,
-				id: normalizedId,
-				_id: normalizedId
-			};
-		})() : null,
-		context: requestContext,
-		scope: scopeProjection,
-		metadata: {
-			...reqWithExtras.context,
-			arc: reqWithExtras.arc,
-			_scope: rawScope,
-			_ownershipCheck: reqWithExtras._ownershipCheck,
-			_policyFilters: reqWithExtras._policyFilters ?? {},
-			log: reqWithExtras.log
-		},
-		server: serverAccessor
-	};
-}
-/**
-* Get typed auth context from an IRequestContext.
-* Use this in controller overrides to access request context.
-*
-* For org scope, use `getControllerScope(req)` instead.
-*/
-function getControllerContext(req) {
-	return req.context ?? req.metadata ?? {};
-}
-/**
-* Get request scope from an IRequestContext.
-* Returns the RequestScope set by auth adapters.
-*/
-function getControllerScope(req) {
-	return req.metadata?._scope ?? PUBLIC_SCOPE;
-}
-/**
-* Compute per-field capability metadata for the current user.
-* Only includes fields that have restrictions — unrestricted fields
-* are omitted (frontend defaults to { readable: true, writable: true }).
-*/
-function computeFieldCapabilities(fieldPerms, effectiveRoles) {
-	const caps = {};
-	for (const [field, perm] of Object.entries(fieldPerms)) {
-		let readable = true;
-		let writable = true;
-		switch (perm._type) {
-			case "hidden":
-				readable = false;
-				writable = false;
-				break;
-			case "visibleTo":
-				readable = perm.roles?.some((r) => effectiveRoles.includes(r)) ?? false;
-				break;
-			case "writableBy":
-				writable = perm.roles?.some((r) => effectiveRoles.includes(r)) ?? false;
-				break;
-		}
-		caps[field] = {
-			readable,
-			writable
-		};
-	}
-	return caps;
-}
-/**
-* Send IControllerResponse via Fastify reply
-*
-* Converts framework-agnostic response to Fastify response
-* Applies field masking if specified in request
-*/
-function sendControllerResponse(reply, response, request) {
-	const reqWithExtras = request;
-	const fieldMaskConfig = reqWithExtras?.fieldMask;
-	const arcMeta = reqWithExtras?.arc;
-	const scope = reqWithExtras?.scope ?? PUBLIC_SCOPE;
-	const fieldPerms = isElevated(scope) ? void 0 : arcMeta?.fields;
-	const effectiveRoles = fieldPerms ? resolveEffectiveRoles(getUserRoles(reqWithExtras?.user), isMember(scope) ? scope.orgRoles : []) : [];
-	const fieldCaps = fieldPerms ? computeFieldCapabilities(fieldPerms, effectiveRoles) : void 0;
-	const hasFieldRestrictions = !!(fieldMaskConfig || fieldPerms);
-	/** Apply both field mask and field-level permissions to a data item */
-	const applyPermissions = (data) => {
-		let result = fieldMaskConfig ? applyFieldMask(data, fieldMaskConfig) : data;
-		if (fieldPerms && result && typeof result === "object") if (Array.isArray(result)) result = result.map((item) => applyFieldReadPermissions(item, fieldPerms, effectiveRoles));
-		else result = applyFieldReadPermissions(result, fieldPerms, effectiveRoles);
-		return result;
-	};
-	if (response.headers) for (const [key, value] of Object.entries(response.headers)) reply.header(key, value);
-	if (response.success && response.data && typeof response.data === "object" && "docs" in response.data) {
-		const paginatedData = response.data;
-		const filteredDocs = hasFieldRestrictions ? applyPermissions(paginatedData.docs) : paginatedData.docs;
-		reply.code(response.status ?? 200).send({
-			success: true,
-			docs: filteredDocs,
-			page: paginatedData.page,
-			limit: paginatedData.limit,
-			total: paginatedData.total,
-			pages: paginatedData.pages,
-			hasNext: paginatedData.hasNext,
-			hasPrev: paginatedData.hasPrev,
-			...response.meta ?? {},
-			...fieldCaps ? { fieldPermissions: fieldCaps } : {}
-		});
-		return;
-	}
-	const filteredData = hasFieldRestrictions ? applyPermissions(response.data) : response.data;
-	reply.code(response.status ?? (response.success ? 200 : 400)).send({
-		success: response.success,
-		data: filteredData,
-		error: response.error,
-		details: response.details,
-		...response.meta ?? {},
-		...fieldCaps ? { fieldPermissions: fieldCaps } : {}
-	});
-}
-/**
-* Create Fastify route handler from IController method
-*
-* Wraps framework-agnostic controller method in Fastify-specific handler
-*
-* @example
-* ```typescript
-* const controller = new BaseController(repository);
-*
-* // Create Fastify handler
-* const listHandler = createFastifyHandler(controller.list.bind(controller));
-*
-* // Register route
-* fastify.get('/products', listHandler);
-* ```
-*/
-function createFastifyHandler(controllerMethod) {
-	return async (req, reply) => {
-		sendControllerResponse(reply, await controllerMethod(createRequestContext(req)), req);
-	};
-}
-/**
-* Create Fastify adapters for all CRUD methods of an IController
-*
-* Returns Fastify-compatible handlers for each CRUD operation
-*
-* @example
-* ```typescript
-* const controller = new BaseController(repository);
-* const handlers = createCrudHandlers(controller);
-*
-* fastify.get('/', handlers.list);
-* fastify.get('/:id', handlers.get);
-* fastify.post('/', handlers.create);
-* fastify.patch('/:id', handlers.update);
-* fastify.delete('/:id', handlers.delete);
-* ```
-*/
-function createCrudHandlers(controller) {
-	return {
-		list: createFastifyHandler(controller.list.bind(controller)),
-		get: createFastifyHandler(controller.get.bind(controller)),
-		create: createFastifyHandler(controller.create.bind(controller)),
-		update: createFastifyHandler(controller.update.bind(controller)),
-		delete: createFastifyHandler(controller.delete.bind(controller))
-	};
-}
-//#endregion
-//#region src/core/createCrudRouter.ts
-/**
-* Build per-route rate limit config object.
-*
-* Returns a `config` object suitable for Fastify's `route()` options,
-* or `undefined` if no rate limit is configured for this resource.
-*
-* - `RateLimitConfig` object  -> apply that limit to the route
-* - `false`                   -> explicitly disable rate limiting for the route
-* - `undefined`               -> no override (inherits instance-level config)
-*/
-function buildRateLimitConfig(rateLimit) {
-	if (rateLimit === void 0) return void 0;
-	if (rateLimit === false) return { rateLimit: false };
-	return { rateLimit: {
-		max: rateLimit.max,
-		timeWindow: rateLimit.timeWindow
-	} };
-}
-/**
-* Check if a permission requires authentication
-*
-* A permission requires auth if:
-* - It exists AND
-* - It doesn't have _isPublic flag set to true
-*
-* This is used to automatically add fastify.authenticate
-* to the preHandler chain for non-public routes.
-*/
-function requiresAuthentication(permission) {
-	if (!permission) return false;
-	return !permission._isPublic;
-}
-/**
-* Build authentication middleware
-*
-* - Protected routes (requireAuth, requireRoles, etc.): uses fastify.authenticate (fails without token)
-* - Public routes (allowPublic): uses fastify.optionalAuthenticate (parses token if present, doesn't fail)
-*
-* This ensures request.user is populated on public routes when a Bearer token is sent,
-* enabling downstream middleware (e.g. multiTenant flexible filter) to apply org-scoped queries.
-*/
-function buildAuthMiddleware(fastify, permission) {
-	if (requiresAuthentication(permission)) return fastify.authenticate ?? null;
-	return fastify.optionalAuthenticate ?? null;
-}
-/**
-* Build permission middleware from PermissionCheck function
-*
-* Creates a Fastify preHandler that:
-* 1. Executes the permission check
-* 2. Returns 401 if authentication required but user absent
-* 3. Returns 403 if permission denied
-* 4. Applies query filters from PermissionResult if present
-*/
-function buildPermissionMiddleware(permissionCheck, resourceName, action) {
-	if (!permissionCheck) return null;
-	return async (request, reply) => {
-		const reqWithExtras = request;
-		const params = request.params;
-		const context = {
-			user: reqWithExtras.user ?? null,
-			request,
-			resource: resourceName,
-			action,
-			resourceId: params?.id,
-			params,
-			data: request.body
-		};
-		let result;
-		try {
-			result = await permissionCheck(context);
-		} catch (err) {
-			request.log?.warn?.({
-				err,
-				resource: resourceName,
-				action
-			}, "Permission check threw");
-			reply.code(403).send({
-				success: false,
-				error: "Permission denied"
-			});
-			return;
-		}
-		const permResult = normalizePermissionResult(result);
-		if (!permResult.granted) {
-			const defaultMsg = context.user ? "Permission denied" : "Authentication required";
-			const reason = permResult.reason && permResult.reason.length <= 100 ? permResult.reason : defaultMsg;
-			reply.code(context.user ? 403 : 401).send({
-				success: false,
-				error: reason
-			});
-			return;
-		}
-		applyPermissionResult(permResult, request);
-	};
-}
-/**
-* Mount custom routes (from presets or user-defined `routes`) on Fastify.
-* `wrapHandler` is derived inline from `!route.raw`.
-*/
-function createCustomRoutes(fastify, routes, controller, options) {
-	const { tag, resourceName, arcDecorator, rateLimitConfig, cacheMw, idempotencyMw, pipeline, routeGuards } = options;
-	for (const route of routes) {
-		const opName = route.operation ?? (typeof route.handler === "string" ? route.handler : `${route.method.toLowerCase()}${route.path.replace(/[/:]/g, "_")}`);
-		const wrapHandler = !route.raw;
-		let handler;
-		if (typeof route.handler === "string") {
-			if (!controller) throw new Error(`Route ${route.method} ${route.path}: string handler '${route.handler}' requires a controller. Either provide a controller or use a function handler instead.`);
-			const method = controller[route.handler];
-			if (typeof method !== "function") throw new Error(`Handler '${route.handler}' not found on controller`);
-			const boundMethod = method.bind(controller);
-			if (wrapHandler) {
-				const steps = pipeline ? resolvePipelineSteps(pipeline, opName) : [];
-				if (steps.length > 0) handler = createPipelineHandler(boundMethod, steps, opName, resourceName);
-				else handler = createFastifyHandler(boundMethod);
-			} else handler = boundMethod;
-		} else if (wrapHandler) {
-			const steps = pipeline ? resolvePipelineSteps(pipeline, opName) : [];
-			if (steps.length > 0) handler = createPipelineHandler(route.handler, steps, opName, resourceName);
-			else handler = createFastifyHandler(route.handler);
-		} else handler = route.handler;
-		const routeTags = route.tags ?? (tag ? [tag] : void 0);
-		const convertedSchema = route.schema ? convertRouteSchema(route.schema) : void 0;
-		const schema = {
-			...routeTags ? { tags: routeTags } : {},
-			...route.summary ? { summary: route.summary } : {},
-			...route.description ? { description: route.description } : {},
-			...convertedSchema ?? {}
-		};
-		const authMw = buildAuthMiddleware(fastify, route.permissions);
-		const permissionMw = buildPermissionMiddleware(route.permissions, resourceName, opName);
-		const customPreHandlers = typeof route.preHandler === "function" ? route.preHandler(fastify) : route.preHandler ?? [];
-		const pluginMw = route.method === "GET" ? cacheMw : [
-			"POST",
-			"PUT",
-			"PATCH"
-		].includes(route.method) ? idempotencyMw : null;
-		const preHandler = [
-			...route.preAuth ?? [],
-			arcDecorator,
-			authMw,
-			permissionMw,
-			pluginMw,
-			...routeGuards,
-			...customPreHandlers
-		].filter(Boolean);
-		const isStream = route.streamResponse === true;
-		fastify.route({
-			method: route.method,
-			url: route.path,
-			schema,
-			preHandler: preHandler.length > 0 ? preHandler : void 0,
-			handler: isStream ? async (request, reply) => {
-				reply.raw.setHeader("Content-Type", "text/event-stream");
-				reply.raw.setHeader("Cache-Control", "no-cache");
-				reply.raw.setHeader("Connection", "keep-alive");
-				return handler(request, reply);
-			} : handler,
-			...rateLimitConfig ? { config: rateLimitConfig } : {}
-		});
-	}
-}
-/**
-* Resolve pipeline steps for a specific operation.
-* If pipeline is a flat array, all steps are returned.
-* If it's a per-operation map, only matching steps are returned.
-*/
-function resolvePipelineSteps(pipeline, operation) {
-	if (!pipeline) return [];
-	if (Array.isArray(pipeline)) return pipeline;
-	return pipeline[operation] ?? [];
-}
-/**
-* Create a Fastify handler that wraps a controller method with pipeline execution.
-*/
-function createPipelineHandler(controllerMethod, steps, operation, resourceName) {
-	return async (req, reply) => {
-		sendControllerResponse(reply, await executePipeline(steps, {
-			...createRequestContext(req),
-			resource: resourceName,
-			operation
-		}, (ctx) => controllerMethod(ctx), operation), req);
-	};
-}
-/**
-* Create CRUD routes for a controller
-*
-* @param fastify - Fastify instance with Arc decorators
-* @param controller - CRUD controller with handler methods
-* @param options - Router configuration
-*/
-function createCrudRouter(fastify, controller, options = {}) {
-	const { tag = "Resource", schemas = {}, permissions = {}, middlewares = {}, routeGuards = [], routes: customRoutes = [], disableDefaultRoutes = false, disabledRoutes = [], resourceName = "unknown", schemaOptions, rateLimit, pipe: pipeline, fields: fieldPermissions, updateMethod = DEFAULT_UPDATE_METHOD } = options;
-	const rateLimitConfig = buildRateLimitConfig(rateLimit);
-	const cacheMw = !(fastify.hasDecorator("queryCache") && controller && typeof controller._cacheConfig !== "undefined" && controller._cacheConfig !== void 0) && fastify.hasDecorator("responseCache") ? fastify.responseCache.middleware : null;
-	const idempotencyMw = fastify.hasDecorator("idempotency") ? fastify.idempotency.middleware : null;
-	const arcMeta = Object.freeze({
-		resourceName,
-		schemaOptions,
-		permissions,
-		hooks: fastify.arc?.hooks,
-		events: fastify.events,
-		fields: fieldPermissions
-	});
-	const arcDecorator = async (req, _reply) => {
-		req.arc = arcMeta;
-		const store = requestContext.get();
-		if (store) store.resourceName = resourceName;
-	};
-	const mw = {
-		list: middlewares.list ?? [],
-		get: middlewares.get ?? [],
-		create: middlewares.create ?? [],
-		update: middlewares.update ?? [],
-		delete: middlewares.delete ?? []
-	};
-	const idParamsSchema = {
-		type: "object",
-		properties: { id: { type: "string" } },
-		required: ["id"]
-	};
-	const defaultSchemas = getDefaultCrudSchemas();
-	/**
-	* Build route schema by merging: base (tags/summary) → defaults (response/querystring) → user overrides.
-	* User-provided schemas always take precedence. Defaults enable fast-json-stringify when no user schema is set.
-	*/
-	const buildSchema = (base, defaults, userSchema) => ({
-		...defaults,
-		...base,
-		...userSchema ?? {}
-	});
-	let handlers;
-	if (!disableDefaultRoutes) {
-		if (!controller) throw new Error("Controller is required when disableDefaultRoutes is not true. Provide a controller or use defineResource which auto-creates BaseController.");
-		const ctrl = controller;
-		if (pipeline) {
-			const ops = CRUD_OPERATIONS;
-			const wrapped = {};
-			for (const op of ops) {
-				const steps = resolvePipelineSteps(pipeline, op);
-				if (steps.length > 0) wrapped[op] = createPipelineHandler(ctrl[op].bind(ctrl), steps, op, resourceName);
-			}
-			handlers = {
-				...createCrudHandlers(ctrl),
-				...wrapped
-			};
-		} else handlers = createCrudHandlers(ctrl);
-	}
-	if (!disableDefaultRoutes && handlers) {
-		if (!disabledRoutes.includes("list")) {
-			const listPreHandler = [
-				arcDecorator,
-				buildAuthMiddleware(fastify, permissions.list),
-				buildPermissionMiddleware(permissions.list, resourceName, "list"),
-				cacheMw,
-				...routeGuards,
-				...mw.list
-			].filter(Boolean);
-			fastify.route({
-				method: "GET",
-				url: "/",
-				schema: buildSchema({
-					tags: [tag],
-					summary: `List ${tag}`
-				}, defaultSchemas.list, schemas.list),
-				preHandler: listPreHandler.length > 0 ? listPreHandler : void 0,
-				handler: handlers.list,
-				...rateLimitConfig ? { config: rateLimitConfig } : {}
-			});
-		}
-		if (!disabledRoutes.includes("get")) {
-			const getPreHandler = [
-				arcDecorator,
-				buildAuthMiddleware(fastify, permissions.get),
-				buildPermissionMiddleware(permissions.get, resourceName, "get"),
-				cacheMw,
-				...routeGuards,
-				...mw.get
-			].filter(Boolean);
-			fastify.route({
-				method: "GET",
-				url: "/:id",
-				schema: buildSchema({
-					tags: [tag],
-					summary: `Get ${tag} by ID`,
-					params: idParamsSchema
-				}, defaultSchemas.get, schemas.get),
-				preHandler: getPreHandler.length > 0 ? getPreHandler : void 0,
-				handler: handlers.get,
-				...rateLimitConfig ? { config: rateLimitConfig } : {}
-			});
-		}
-		if (!disabledRoutes.includes("create")) {
-			const createPreHandler = [
-				arcDecorator,
-				buildAuthMiddleware(fastify, permissions.create),
-				buildPermissionMiddleware(permissions.create, resourceName, "create"),
-				idempotencyMw,
-				...routeGuards,
-				...mw.create
-			].filter(Boolean);
-			fastify.route({
-				method: "POST",
-				url: "/",
-				schema: buildSchema({
-					tags: [tag],
-					summary: `Create ${tag}`
-				}, defaultSchemas.create, schemas.create),
-				preHandler: createPreHandler.length > 0 ? createPreHandler : void 0,
-				handler: handlers.create,
-				...rateLimitConfig ? { config: rateLimitConfig } : {}
-			});
-		}
-		if (!disabledRoutes.includes("update")) {
-			const updateMethods = updateMethod === "both" ? ["PUT", "PATCH"] : [updateMethod];
-			const updatePreHandler = [
-				arcDecorator,
-				buildAuthMiddleware(fastify, permissions.update),
-				buildPermissionMiddleware(permissions.update, resourceName, "update"),
-				idempotencyMw,
-				...routeGuards,
-				...mw.update
-			].filter(Boolean);
-			for (const method of updateMethods) fastify.route({
-				method,
-				url: "/:id",
-				schema: buildSchema({
-					tags: [tag],
-					summary: `${method === "PUT" ? "Replace" : "Update"} ${tag}`,
-					params: idParamsSchema
-				}, defaultSchemas.update, schemas.update),
-				preHandler: updatePreHandler.length > 0 ? updatePreHandler : void 0,
-				handler: handlers.update,
-				...rateLimitConfig ? { config: rateLimitConfig } : {}
-			});
-		}
-		if (!disabledRoutes.includes("delete")) {
-			const deletePreHandler = [
-				arcDecorator,
-				buildAuthMiddleware(fastify, permissions.delete),
-				buildPermissionMiddleware(permissions.delete, resourceName, "delete"),
-				...routeGuards,
-				...mw.delete
-			].filter(Boolean);
-			fastify.route({
-				method: "DELETE",
-				url: "/:id",
-				schema: buildSchema({
-					tags: [tag],
-					summary: `Delete ${tag}`,
-					params: idParamsSchema
-				}, defaultSchemas.delete, schemas.delete),
-				preHandler: deletePreHandler.length > 0 ? deletePreHandler : void 0,
-				handler: handlers.delete,
-				...rateLimitConfig ? { config: rateLimitConfig } : {}
-			});
-		}
-	}
-	if (customRoutes.length > 0) createCustomRoutes(fastify, customRoutes, controller, {
-		tag,
-		resourceName,
-		arcDecorator,
-		rateLimitConfig,
-		cacheMw,
-		idempotencyMw,
-		pipeline,
-		routeGuards
-	});
-}
-/**
-* Create permission middleware from PermissionCheck
-* Useful for custom route registration
-*/
-function createPermissionMiddleware(permission, resourceName, action) {
-	return buildPermissionMiddleware(permission, resourceName, action);
-}
-//#endregion
-//#region src/core/schemaOptions.ts
-/**
-* Inject the tenant-scoping field rule into `schemaOptions.fieldRules`:
-*
-*   { [tenantField]: { systemManaged: true, preserveForElevated: true } }
-*
-* Why both flags: `systemManaged` tells `BodySanitizer` to strip the
-* field from inbound bodies (so member clients can't forge a target
-* tenant). `preserveForElevated` exempts elevated-admin scopes from the
-* strip, so platform admins without a pinned org can still pick a target
-* org via the request body (the only channel they have —
-* `BaseController.create` can't re-stamp from scope when scope has no
-* orgId).
-*
-* **Returns a new `RouteSchemaOptions`** — the input is never mutated.
-* Callers should assign the return value to whatever config slot they
-* read from downstream (always the `resolvedConfig`, never raw `config`).
-*
-* **No-op when:**
-* - `tenantField` is `false` (platform-universal resource)
-* - `tenantField` is undefined
-* - The caller already declared `fieldRules[tenantField].systemManaged`
-*   (even as `false`) — explicit opt-outs are respected
-*
-* `preserveForElevated` defaults to `true` but is preserved verbatim
-* when the caller set it explicitly.
-*/
-function autoInjectTenantFieldRules(schemaOptions, tenantField) {
-	if (tenantField === false || tenantField === void 0) return schemaOptions;
-	const fieldName = tenantField || "organizationId";
-	const existing = schemaOptions?.fieldRules ?? {};
-	const existingRule = existing[fieldName];
-	if (existingRule && existingRule.systemManaged !== void 0) return schemaOptions;
-	return {
-		...schemaOptions ?? {},
-		fieldRules: {
-			...existing,
-			[fieldName]: {
-				...existingRule ?? {},
-				systemManaged: true,
-				preserveForElevated: existingRule?.preserveForElevated ?? true
-			}
-		}
-	};
-}
-//#endregion
-//#region src/core/validateResourceConfig.ts
-/**
-* Resource Configuration Validator
-*
-* Fail-fast validation at definition time.
-* Invalid configs throw immediately with clear, actionable errors.
-*
-* @example
-* const result = validateResourceConfig(config);
-* if (!result.valid) {
-*   console.error(formatValidationErrors(result.errors));
-* }
-*/
-/**
-* Validate a resource configuration
-*/
-function validateResourceConfig(config, options = {}) {
-	const errors = [];
-	const warnings = [];
-	if (!config.name) errors.push({
-		field: "name",
-		message: "Resource name is required",
-		suggestion: "Add a unique resource name (e.g., \"product\", \"user\")"
-	});
-	else if (!/^[a-z][a-z0-9-]*$/i.test(config.name)) errors.push({
-		field: "name",
-		message: `Invalid resource name "${config.name}"`,
-		suggestion: "Use alphanumeric characters and hyphens, starting with a letter"
-	});
-	const crudRoutes = CRUD_OPERATIONS;
-	const disabledRoutes = new Set(config.disabledRoutes ?? []);
-	const enabledCrudRoutes = crudRoutes.filter((route) => !disabledRoutes.has(route));
-	if (!config.disableDefaultRoutes && enabledCrudRoutes.length > 0) {
-		if (!config.adapter) errors.push({
-			field: "adapter",
-			message: "Data adapter is required when CRUD routes are enabled",
-			suggestion: "Provide an adapter: createMongooseAdapter({ model, repository })"
-		});
-		else if (!config.adapter.repository) errors.push({
-			field: "adapter.repository",
-			message: "Adapter must provide a repository",
-			suggestion: "Ensure your adapter returns a valid StandardRepo (see @classytic/repo-core)"
-		});
-	} else if (!config.adapter && !config.routes?.length) warnings.push({
-		field: "config",
-		message: "Resource has no adapter and no routes",
-		suggestion: "Provide either adapter for CRUD or routes for custom logic"
-	});
-	if (config.controller && !options.skipControllerCheck && !config.disableDefaultRoutes) {
-		const ctrl = config.controller;
-		const requiredMethods = CRUD_OPERATIONS;
-		for (const method of requiredMethods) if (typeof ctrl[method] !== "function") errors.push({
-			field: `controller.${method}`,
-			message: `Missing required CRUD method "${method}"`,
-			suggestion: "Extend BaseController which implements IController interface"
-		});
-	}
-	if (config.controller && config.routes) validateRouteHandlers(config.controller, config.routes, errors);
-	if (config.permissions) validatePermissionKeys(config, options, errors, warnings);
-	if (config.presets && !options.allowUnknownPresets) validatePresets(config.presets, errors, warnings);
-	if (config.prefix) {
-		if (!config.prefix.startsWith("/")) errors.push({
-			field: "prefix",
-			message: `Prefix must start with "/" (got "${config.prefix}")`,
-			suggestion: `Change to "/${config.prefix}"`
-		});
-		if (config.prefix.endsWith("/") && config.prefix !== "/") warnings.push({
-			field: "prefix",
-			message: `Prefix should not end with "/" (got "${config.prefix}")`,
-			suggestion: `Change to "${config.prefix.slice(0, -1)}"`
-		});
-	}
-	if (config.routes) validateRoutes(config.routes, errors);
-	return {
-		valid: errors.length === 0,
-		errors,
-		warnings
-	};
-}
-function validateRouteHandlers(controller, routes, errors) {
-	const ctrl = controller;
-	for (const route of routes) if (typeof route.handler === "string") {
-		if (typeof ctrl[route.handler] !== "function") errors.push({
-			field: `routes[${route.method} ${route.path}]`,
-			message: `Handler "${route.handler}" not found on controller`,
-			suggestion: `Add method "${route.handler}" to controller or use a function handler`
-		});
-	}
-}
-function validatePermissionKeys(config, options, _errors, warnings) {
-	const validKeys = new Set([...CRUD_OPERATIONS, ...options.additionalPermissionKeys ?? []]);
-	for (const route of config.routes ?? []) if (typeof route.handler === "string") validKeys.add(route.handler);
-	for (const preset of config.presets ?? []) {
-		const presetName = typeof preset === "string" ? preset : preset.name;
-		if (presetName === "softDelete") {
-			validKeys.add("deleted");
-			validKeys.add("restore");
-		}
-		if (presetName === "slugLookup") validKeys.add("getBySlug");
-		if (presetName === "tree") {
-			validKeys.add("tree");
-			validKeys.add("children");
-			validKeys.add("getTree");
-			validKeys.add("getChildren");
-		}
-	}
-	for (const key of Object.keys(config.permissions ?? {})) if (!validKeys.has(key)) warnings.push({
-		field: `permissions.${key}`,
-		message: `Unknown permission key "${key}"`,
-		suggestion: `Valid keys: ${Array.from(validKeys).join(", ")}`
-	});
-}
-function validatePresets(presets, errors, warnings) {
-	const availablePresets = getAvailablePresets();
-	for (const preset of presets) {
-		if (typeof preset === "object" && ("middlewares" in preset || "routes" in preset)) continue;
-		const presetName = typeof preset === "string" ? preset : preset.name;
-		if (!availablePresets.includes(presetName)) errors.push({
-			field: "presets",
-			message: `Unknown preset "${presetName}"`,
-			suggestion: `Available presets: ${availablePresets.join(", ")}`
-		});
-		if (typeof preset === "object") validatePresetOptions(preset, warnings);
-	}
-}
-function validatePresetOptions(preset, warnings) {
-	const validOptions = {
-		slugLookup: ["slugField"],
-		tree: ["parentField"],
-		softDelete: ["deletedField"],
-		ownedByUser: ["ownerField"],
-		multiTenant: ["tenantField", "allowPublic"]
-	}[preset.name] ?? [];
-	const providedOptions = Object.keys(preset).filter((k) => k !== "name");
-	for (const opt of providedOptions) if (!validOptions.includes(opt)) warnings.push({
-		field: `presets[${preset.name}].${opt}`,
-		message: `Unknown option "${opt}" for preset "${preset.name}"`,
-		suggestion: validOptions.length > 0 ? `Valid options: ${validOptions.join(", ")}` : `Preset "${preset.name}" has no configurable options`
-	});
-}
-function validateRoutes(routes, errors) {
-	const validMethods = [
-		"GET",
-		"POST",
-		"PUT",
-		"PATCH",
-		"DELETE",
-		"OPTIONS",
-		"HEAD"
-	];
-	const seenRoutes = /* @__PURE__ */ new Set();
-	for (const [i, route] of routes.entries()) {
-		if (!validMethods.includes(route.method)) errors.push({
-			field: `routes[${i}].method`,
-			message: `Invalid HTTP method "${route.method}"`,
-			suggestion: `Valid methods: ${validMethods.join(", ")}`
-		});
-		if (!route.path) errors.push({
-			field: `routes[${i}].path`,
-			message: "Route path is required"
-		});
-		else if (!route.path.startsWith("/")) errors.push({
-			field: `routes[${i}].path`,
-			message: `Route path must start with "/" (got "${route.path}")`,
-			suggestion: `Change to "/${route.path}"`
-		});
-		if (!route.handler) errors.push({
-			field: `routes[${i}].handler`,
-			message: "Route handler is required"
-		});
-		const routeKey = `${route.method} ${route.path}`;
-		if (seenRoutes.has(routeKey)) errors.push({
-			field: `routes[${i}]`,
-			message: `Duplicate route "${routeKey}"`
-		});
-		seenRoutes.add(routeKey);
-	}
-}
-/**
-* Format validation errors for display
-*/
-function formatValidationErrors(resourceName, result) {
-	const lines = [];
-	if (result.errors.length > 0) {
-		lines.push(`Resource "${resourceName}" validation failed:`);
-		lines.push("");
-		lines.push("ERRORS:");
-		for (const err of result.errors) {
-			lines.push(`  ✗ ${err.field}: ${err.message}`);
-			if (err.suggestion) lines.push(`    → ${err.suggestion}`);
-		}
-	}
-	if (result.warnings.length > 0) {
-		if (lines.length > 0) lines.push("");
-		lines.push("WARNINGS:");
-		for (const warn of result.warnings) {
-			lines.push(`  ⚠ ${warn.field}: ${warn.message}`);
-			if (warn.suggestion) lines.push(`    → ${warn.suggestion}`);
-		}
-	}
-	return lines.join("\n");
-}
-/**
-* Validate and throw if invalid
-*/
-function assertValidConfig(config, options) {
-	const result = validateResourceConfig(config, options);
-	if (!result.valid) {
-		const errorMsg = formatValidationErrors(config.name ?? "unknown", result);
-		throw new Error(errorMsg);
-	}
-}
-//#endregion
-//#region src/core/defineResource.ts
-/**
-* Define a resource with database adapter
-*
-* This is the MAIN entry point for creating Arc resources.
-* The adapter provides both repository and schema metadata.
-*/
-function defineResource(config) {
-	if (!config.skipValidation) {
-		assertValidConfig(config, { skipControllerCheck: true });
-		if (config.permissions) {
-			for (const [key, value] of Object.entries(config.permissions)) if (value !== void 0 && typeof value !== "function") throw new Error(`[Arc] Resource '${config.name}': permissions.${key} must be a PermissionCheck function.\nUse allowPublic(), requireAuth(), or requireRoles(['role']) from @classytic/arc/permissions.`);
-		}
-		for (const route of config.routes ?? []) if (typeof route.permissions !== "function") throw new Error(`[Arc] Resource '${config.name}' route ${route.method} ${route.path}: permissions is required and must be a PermissionCheck function.`);
-		if (config.actions) {
-			const CRUD_OPS = new Set([
-				"create",
-				"update",
-				"delete",
-				"list",
-				"get"
-			]);
-			for (const [name, entry] of Object.entries(config.actions)) {
-				if (CRUD_OPS.has(name)) throw new Error(`[Arc] Resource '${config.name}': action '${name}' conflicts with CRUD operation.\nUse a different name (e.g., '${name}_item', 'do_${name}').`);
-				if (typeof entry !== "function") {
-					const def = entry;
-					if (typeof def.handler !== "function") throw new Error(`[Arc] Resource '${config.name}': actions.${name}.handler must be a function.`);
-					if (def.permissions !== void 0 && typeof def.permissions !== "function") throw new Error(`[Arc] Resource '${config.name}': actions.${name}.permissions must be a PermissionCheck function.`);
-				}
-			}
-		}
-	}
-	const repository = config.adapter?.repository;
-	if (config.idField === void 0 && repository) {
-		const repoIdField = repository.idField;
-		if (typeof repoIdField === "string" && repoIdField !== "_id") config = {
-			...config,
-			idField: repoIdField
-		};
-	}
-	const crudRoutes = CRUD_OPERATIONS;
-	const disabledRoutes = new Set(config.disabledRoutes ?? []);
-	const hasCrudRoutes = !config.disableDefaultRoutes && crudRoutes.some((route) => !disabledRoutes.has(route));
-	const originalPresets = (config.presets ?? []).map((p) => typeof p === "string" ? p : p.name);
-	const resolvedConfig = config.presets?.length ? applyPresets(config, config.presets) : config;
-	resolvedConfig._appliedPresets = originalPresets;
-	resolvedConfig.schemaOptions = autoInjectTenantFieldRules(resolvedConfig.schemaOptions, resolvedConfig.tenantField);
-	let controller = resolvedConfig.controller;
-	if (!controller && hasCrudRoutes && repository) {
-		const qp = resolvedConfig.queryParser;
-		let maxLimitFromParser;
-		if (qp?.getQuerySchema) {
-			const limitProp = qp.getQuerySchema()?.properties?.limit;
-			if (limitProp?.maximum) maxLimitFromParser = limitProp.maximum;
-		}
-		controller = new BaseController(repository, {
-			resourceName: resolvedConfig.name,
-			schemaOptions: resolvedConfig.schemaOptions,
-			queryParser: resolvedConfig.queryParser,
-			maxLimit: maxLimitFromParser,
-			tenantField: resolvedConfig.tenantField,
-			idField: resolvedConfig.idField,
-			...resolvedConfig.defaultSort !== void 0 ? { defaultSort: resolvedConfig.defaultSort } : {},
-			matchesFilter: config.adapter?.matchesFilter,
-			cache: resolvedConfig.cache,
-			onFieldWriteDenied: resolvedConfig.onFieldWriteDenied,
-			presetFields: resolvedConfig._controllerOptions ? {
-				slugField: resolvedConfig._controllerOptions.slugField,
-				parentField: resolvedConfig._controllerOptions.parentField
-			} : void 0
-		});
-	}
-	const resource = new ResourceDefinition({
-		...resolvedConfig,
-		adapter: config.adapter,
-		controller
-	});
-	if (!config.skipValidation && controller) resource._validateControllerMethods();
-	if (resolvedConfig._hooks?.length) resource._pendingHooks.push(...resolvedConfig._hooks.map((hook) => ({
-		operation: hook.operation,
-		phase: hook.phase,
-		handler: hook.handler,
-		priority: hook.priority ?? 10
-	})));
-	if (config.hooks) {
-		const h = config.hooks;
-		const inlineHooks = [];
-		const toCtx = (ctx) => {
-			const context = ctx.context;
-			const rawScope = context?._scope;
-			return {
-				data: ctx.data ?? ctx.result ?? {},
-				user: ctx.user,
-				context,
-				scope: buildRequestScopeProjection(rawScope),
-				meta: ctx.meta
-			};
-		};
-		if (h.beforeCreate) {
-			const fn = h.beforeCreate;
-			inlineHooks.push({
-				operation: "create",
-				phase: "before",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		if (h.afterCreate) {
-			const fn = h.afterCreate;
-			inlineHooks.push({
-				operation: "create",
-				phase: "after",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		if (h.beforeUpdate) {
-			const fn = h.beforeUpdate;
-			inlineHooks.push({
-				operation: "update",
-				phase: "before",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		if (h.afterUpdate) {
-			const fn = h.afterUpdate;
-			inlineHooks.push({
-				operation: "update",
-				phase: "after",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		if (h.beforeDelete) {
-			const fn = h.beforeDelete;
-			inlineHooks.push({
-				operation: "delete",
-				phase: "before",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		if (h.afterDelete) {
-			const fn = h.afterDelete;
-			inlineHooks.push({
-				operation: "delete",
-				phase: "after",
-				priority: 10,
-				handler: (ctx) => fn(toCtx(ctx))
-			});
-		}
-		resource._pendingHooks.push(...inlineHooks);
-	}
-	if (!config.skipRegistry) try {
-		let openApiSchemas;
-		if (resolvedConfig.adapter?.generateSchemas) {
-			const adapterContext = {
-				idField: resolvedConfig.idField,
-				resourceName: resolvedConfig.name
-			};
-			const generated = resolvedConfig.adapter.generateSchemas(resolvedConfig.schemaOptions, adapterContext);
-			if (generated) openApiSchemas = generated;
-		}
-		if (resolvedConfig.idField && resolvedConfig.idField !== "_id" && openApiSchemas?.params && typeof openApiSchemas.params === "object") {
-			const params = openApiSchemas.params;
-			const properties = params.properties;
-			const idProp = properties?.id;
-			if (idProp && typeof idProp === "object") {
-				const pattern = idProp.pattern;
-				if (typeof pattern === "string" && (pattern === "^[0-9a-fA-F]{24}$" || pattern === "^[a-f\\d]{24}$" || pattern === "^[a-fA-F0-9]{24}$" || /^\^\[[a-fA-F0-9\\d]+\]\{24\}\$$/.test(pattern))) {
-					const cleanedId = { ...idProp };
-					delete cleanedId.pattern;
-					delete cleanedId.minLength;
-					delete cleanedId.maxLength;
-					if (!cleanedId.description) cleanedId.description = `${resolvedConfig.idField} (custom ID field)`;
-					openApiSchemas = {
-						...openApiSchemas,
-						params: {
-							...params,
-							properties: {
-								...properties,
-								id: cleanedId
-							}
-						}
-					};
-				}
-			}
-		}
-		const queryParser = resolvedConfig.queryParser;
-		if (queryParser?.getQuerySchema) {
-			const querySchema = queryParser.getQuerySchema();
-			if (querySchema) openApiSchemas = {
-				...openApiSchemas,
-				listQuery: querySchema
-			};
-		}
-		if (resolvedConfig.openApiSchemas) openApiSchemas = {
-			...openApiSchemas,
-			...resolvedConfig.openApiSchemas
-		};
-		if (openApiSchemas) openApiSchemas = convertOpenApiSchemas(openApiSchemas);
-		resource._registryMeta = {
-			module: resolvedConfig.module,
-			openApiSchemas
-		};
-	} catch {}
-	return resource;
-}
-var ResourceDefinition = class {
-	name;
-	displayName;
-	tag;
-	prefix;
-	adapter;
-	controller;
-	schemaOptions;
-	customSchemas;
-	permissions;
-	routes;
-	middlewares;
-	routeGuards;
-	disableDefaultRoutes;
-	disabledRoutes;
-	actions;
-	actionPermissions;
-	events;
-	rateLimit;
-	audit;
-	updateMethod;
-	pipe;
-	fields;
-	cache;
-	skipGlobalPrefix;
-	tenantField;
-	idField;
-	queryParser;
-	_appliedPresets;
-	_pendingHooks;
-	_registryMeta;
-	constructor(config) {
-		this.name = config.name;
-		this.displayName = config.displayName ?? `${capitalize(config.name)}s`;
-		this.tag = config.tag ?? this.displayName;
-		this.prefix = config.prefix ?? `/${config.name}s`;
-		this.skipGlobalPrefix = config.skipGlobalPrefix ?? false;
-		this.adapter = config.adapter;
-		this.controller = config.controller;
-		this.schemaOptions = config.schemaOptions ?? {};
-		this.customSchemas = config.customSchemas ?? {};
-		this.permissions = config.permissions ?? {};
-		this.routes = config.routes ?? [];
-		this.middlewares = config.middlewares ?? {};
-		this.routeGuards = config.routeGuards;
-		this.disableDefaultRoutes = config.disableDefaultRoutes ?? false;
-		this.disabledRoutes = config.disabledRoutes ?? [];
-		this.actions = config.actions;
-		this.actionPermissions = config.actionPermissions;
-		this.events = config.events ?? {};
-		this.rateLimit = config.rateLimit;
-		this.audit = config.audit;
-		this.updateMethod = config.updateMethod;
-		this.pipe = config.pipe;
-		this.fields = config.fields;
-		this.cache = config.cache;
-		this.tenantField = config.tenantField;
-		this.idField = config.idField;
-		this.queryParser = config.queryParser;
-		this._appliedPresets = config._appliedPresets ?? [];
-		this._pendingHooks = config._pendingHooks ?? [];
-	}
-	/** Get repository from adapter (if available) */
-	get repository() {
-		return this.adapter?.repository;
-	}
-	_validateControllerMethods() {
-		const errors = [];
-		const crudRoutes = CRUD_OPERATIONS;
-		const disabledRoutes = new Set(this.disabledRoutes ?? []);
-		const enabledCrudRoutes = crudRoutes.filter((route) => !disabledRoutes.has(route));
-		if (!this.disableDefaultRoutes && enabledCrudRoutes.length > 0) if (!this.controller) errors.push("Controller is required when CRUD routes are enabled");
-		else {
-			const ctrl = this.controller;
-			for (const method of enabledCrudRoutes) if (typeof ctrl[method] !== "function") errors.push(`CRUD method '${method}' not found on controller`);
-		}
-		for (const route of this.routes) if (typeof route.handler === "string") {
-			if (!this.controller) errors.push(`Route ${route.method} ${route.path}: string handler '${route.handler}' requires a controller`);
-			else if (typeof this.controller[route.handler] !== "function") errors.push(`Route ${route.method} ${route.path}: handler '${route.handler}' not found`);
-		}
-		if (errors.length > 0) {
-			const errorMsg = [
-				`Resource '${this.name}' validation failed:`,
-				...errors.map((e) => `  - ${e}`),
-				"",
-				"Ensure controller implements IController<TDoc> interface.",
-				"For preset routes (softDelete, tree), add corresponding methods to controller."
-			].join("\n");
-			throw new Error(errorMsg);
-		}
-	}
-	toPlugin() {
-		const self = this;
-		return async function resourcePlugin(fastify, _opts) {
-			const arc = fastify.arc;
-			if (arc?.registry && self._registryMeta) try {
-				arc.registry.register(self, self._registryMeta);
-			} catch (err) {
-				fastify.log?.warn?.(`Failed to register resource '${self.name}' in registry: ${err instanceof Error ? err.message : err}`);
-			}
-			if (self._pendingHooks.length > 0) {
-				const arc = fastify.arc;
-				if (arc?.hooks) for (const hook of self._pendingHooks) arc.hooks.register({
-					resource: self.name,
-					operation: hook.operation,
-					phase: hook.phase,
-					handler: hook.handler,
-					priority: hook.priority
-				});
-			}
-			const registerRule = fastify.registerCacheInvalidationRule;
-			if (self.cache?.invalidateOn && typeof registerRule === "function") for (const [pattern, tags] of Object.entries(self.cache.invalidateOn)) registerRule({
-				pattern,
-				tags
-			});
-			await fastify.register(async (instance) => {
-				const typedInstance = instance;
-				let schemas = null;
-				const openApi = self._registryMeta?.openApiSchemas;
-				if (openApi && (!self.customSchemas || Object.keys(self.customSchemas).length === 0)) {
-					const generated = {};
-					const { createBody, updateBody, params } = openApi;
-					const safeBody = (schema) => {
-						if (schema && typeof schema === "object" && schema.type === "object") return {
-							additionalProperties: true,
-							...schema
-						};
-						return schema;
-					};
-					if (createBody) generated.create = { body: safeBody(createBody) };
-					if (updateBody) {
-						const patchBody = { ...updateBody };
-						delete patchBody.required;
-						generated.update = { body: safeBody(patchBody) };
-						if (params) generated.update.params = params;
-					}
-					if (params) {
-						generated.get = { params };
-						generated.delete = { params };
-						if (!generated.update) generated.update = { params };
-						else if (!generated.update.params) generated.update.params = params;
-					}
-					if (Object.keys(generated).length > 0) schemas = generated;
-				}
-				if (self.customSchemas && Object.keys(self.customSchemas).length > 0) {
-					schemas = schemas ?? {};
-					for (const [op, customSchema] of Object.entries(self.customSchemas)) {
-						const key = op;
-						const converted = convertRouteSchema(customSchema);
-						schemas[key] = schemas[key] ? deepMergeSchemas(schemas[key], converted) : converted;
-					}
-				}
-				const listQuerySchema = self._registryMeta?.openApiSchemas?.listQuery;
-				if (listQuerySchema) {
-					const NORMALIZED_PROPS = {
-						page: {
-							type: "integer",
-							minimum: 1
-						},
-						limit: {
-							type: "integer",
-							minimum: 1
-						},
-						sort: {},
-						search: {},
-						select: {},
-						after: {},
-						populate: {},
-						lookup: {},
-						aggregate: {}
-					};
-					const props = listQuerySchema.properties;
-					const normalizedProps = props ? { ...props } : void 0;
-					if (normalizedProps) {
-						const originalLimit = normalizedProps.limit;
-						if (originalLimit?.maximum) NORMALIZED_PROPS.limit = {
-							...NORMALIZED_PROPS.limit,
-							maximum: originalLimit.maximum
-						};
-						for (const key of Object.keys(normalizedProps)) normalizedProps[key] = NORMALIZED_PROPS[key] ?? {};
-					}
-					const normalizedSchema = {
-						...listQuerySchema,
-						...normalizedProps ? { properties: normalizedProps } : {},
-						additionalProperties: listQuerySchema.additionalProperties ?? true
-					};
-					schemas = schemas ?? {};
-					schemas.list = schemas.list ? deepMergeSchemas({ querystring: normalizedSchema }, schemas.list) : { querystring: normalizedSchema };
-				}
-				createCrudRouter(typedInstance, self.controller, {
-					tag: self.tag,
-					schemas: schemas ?? void 0,
-					permissions: self.permissions,
-					middlewares: self.middlewares,
-					routeGuards: self.routeGuards,
-					routes: self.routes,
-					disableDefaultRoutes: self.disableDefaultRoutes,
-					disabledRoutes: self.disabledRoutes,
-					resourceName: self.name,
-					schemaOptions: self.schemaOptions,
-					rateLimit: self.rateLimit,
-					updateMethod: self.updateMethod,
-					pipe: self.pipe,
-					fields: self.fields
-				});
-				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-C8UUB3Px.mjs").then((n) => n.n);
-					createActionRouter(instance, normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag, self.permissions, self.name, typedInstance.log));
-				}
-				if (self.events && Object.keys(self.events).length > 0) typedInstance.log?.debug?.(`Resource '${self.name}' defined ${Object.keys(self.events).length} events`);
-			}, { prefix: self.prefix });
-			if (hasEvents(fastify)) try {
-				await fastify.events.publish("arc.resource.registered", {
-					resource: self.name,
-					prefix: self.prefix,
-					presets: self._appliedPresets,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-			} catch {}
-		};
-	}
-	/**
-	* Get event definitions for registry
-	*/
-	getEvents() {
-		return Object.entries(this.events).map(([action, meta]) => ({
-			name: `${this.name}:${action}`,
-			module: this.name,
-			schema: meta.schema,
-			description: meta.description
-		}));
-	}
-	/**
-	* Get resource metadata
-	*/
-	getMetadata() {
-		return {
-			name: this.name,
-			displayName: this.displayName,
-			tag: this.tag,
-			prefix: this.prefix,
-			presets: this._appliedPresets,
-			permissions: this.permissions,
-			customRoutes: (this.routes ?? []).map((r) => ({
-				method: r.method,
-				path: r.path,
-				handler: typeof r.handler === "string" ? r.handler : r.handler.name || "anonymous",
-				operation: r.operation,
-				summary: r.summary,
-				description: r.description,
-				permissions: r.permissions,
-				raw: r.raw,
-				schema: r.schema
-			})),
-			routes: [],
-			events: Object.keys(this.events)
-		};
-	}
-};
-function deepMergeSchemas(base, override) {
-	if (!override) return base;
-	if (!base) return override;
-	const result = { ...base };
-	for (const [key, value] of Object.entries(override)) if (Array.isArray(value) && Array.isArray(result[key])) result[key] = [...new Set([...result[key], ...value])];
-	else if (value && typeof value === "object" && !Array.isArray(value)) result[key] = deepMergeSchemas(result[key], value);
-	else result[key] = value;
-	return result;
-}
-function capitalize(str) {
-	if (!str) return "";
-	return str.charAt(0).toUpperCase() + str.slice(1);
-}
-/**
-* Normalize `ActionsMap` into the `ActionRouterConfig` shape that
-* `createActionRouter` expects.
-*
-* **Permission fallback chain (fail-closed, v2.10.5):**
-* Actions mutate state, so "no permission declared" historically meant
-* "authenticated users can call it" — a silent authz hole for apps using
-* the function shorthand `actions: { send: async (id, data, req) => ... }`.
-*
-* The chain is now:
-*   1. `ActionDefinition.permissions` — explicit per-action check.
-*   2. Resource-level `actionPermissions` — explicit global-for-actions.
-*   3. Resource-level `permissions.update` — sensible default (actions mutate).
-*   4. Boot-time error — forces the author to pick an explicit gate.
-*
-* When step 3 fires, we log a warning (not a throw) so upgrading apps
-* aren't bricked by the behavior change, but the gap is visible. Apps
-* that genuinely want public actions must declare `allowPublic()`
-* explicitly — auth-by-accident is no longer a supported state.
-*/
-function normalizeActionsToRouterConfig(actions, globalAuth, tag, resourcePermissions, resourceName, log) {
-	const handlers = {};
-	const permissions = {};
-	const schemas = {};
-	for (const [name, entry] of Object.entries(actions)) {
-		const explicit = typeof entry !== "function" && entry.permissions ? entry.permissions : void 0;
-		if (typeof entry === "function") handlers[name] = entry;
-		else {
-			const def = entry;
-			handlers[name] = def.handler;
-			if (def.permissions) permissions[name] = def.permissions;
-			if (def.schema) schemas[name] = def.schema;
-		}
-		const effective = resolveActionPermission({
-			action: entry,
-			resourcePermissions,
-			resourceActionPermissions: void 0,
-			globalAuth
-		});
-		if (!explicit && !globalAuth && effective && effective === resourcePermissions?.update) {
-			permissions[name] = effective;
-			log?.warn?.({
-				resource: resourceName,
-				action: name,
-				fallback: "permissions.update"
-			}, `[Arc] Action '${resourceName}.${name}' has no explicit permission — falling back to the resource's \`permissions.update\` gate. Declare \`actions.${name}.permissions\` (or resource \`actionPermissions\`) to silence this.`);
-		}
-		if (!effective) throw new Error(`[Arc] Resource '${resourceName}': action '${name}' has no permission gate and the resource defines no \`permissions.update\` fallback. Declare one of:\n  - \`actions.${name}.permissions: <PermissionCheck>\` (per-action)\n  - \`actionPermissions: <PermissionCheck>\` (resource-wide)\n  - \`permissions.update: <PermissionCheck>\` (inherited by actions)\nUse \`allowPublic()\` if you genuinely want the action unauthenticated.`);
-	}
-	return {
-		tag,
-		actions: handlers,
-		actionPermissions: permissions,
-		actionSchemas: schemas,
-		globalAuth
-	};
-}
-//#endregion
-//#region src/core/defineResourceVariants.ts
-/**
-* Define multiple resources from a shared base config and per-variant overrides.
-*
-* Each variant is independently passed through `defineResource()` — the
-* returned `ResourceDefinition`s are real, fully-registered resources.
-* Register each one's plugin in your app:
-*
-* ```typescript
-* await app.register(articlePublic.toPlugin());
-* await app.register(articleAdmin.toPlugin());
-* ```
-*
-* @param base    Shared config — adapter, queryParser, schemaOptions, hooks, etc.
-*                Must NOT include `name` or `prefix` (those are per-variant).
-* @param variants  Map of variant key → override. Each variant must declare
-*                  its own `name` and `prefix`. Other fields override the base.
-* @returns A record where each key from `variants` maps to a real
-*          `ResourceDefinition` ready for `.toPlugin()` registration.
-*/
-function defineResourceVariants(base, variants) {
-	const out = {};
-	for (const key of Object.keys(variants)) {
-		const override = variants[key];
-		out[key] = defineResource({
-			...base,
-			...override
-		});
-	}
-	return out;
-}
-//#endregion
-export { formatValidationErrors as a, createPermissionMiddleware as c, createRequestContext as d, getControllerContext as f, assertValidConfig as i, createCrudHandlers as l, sendControllerResponse as m, ResourceDefinition as n, validateResourceConfig as o, getControllerScope as p, defineResource as r, createCrudRouter as s, defineResourceVariants as t, createFastifyHandler as u };