@classytic/arc 2.10.8 → 2.11.1

package/dist/testing/index.mjs

@@ -1,15 +1,255 @@
 import { t as CRUD_OPERATIONS } from "../constants-BhY1OHoH.mjs";
-import { n as applyFieldWritePermissions, t as applyFieldReadPermissions } from "../fields-CTMWOUDt.mjs";
 import { runStorageContract } from "./storageContract.mjs";
 import Fastify from "fastify";
-import mongoose from "mongoose";
-import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
-//#region src/testing/authHelpers.ts
+import { afterAll, describe, expect, it, vi } from "vitest";
+//#region src/testing/assertions.ts
 /**
-* Safely parse a JSON response body.
-* Returns null if parsing fails.
+* expectArc — Arc-specific response assertions
+*
+* Wraps a Fastify `app.inject` response and exposes fluent assertions for
+* the arc response envelope. Replaces the ~6 patterns repeated hundreds of
+* times across the test suite:
+*
+*   expect(res.statusCode).toBe(200);
+*   expect(JSON.parse(res.body).success).toBe(true);
+*   expect(JSON.parse(res.body).data.password).toBeUndefined();
+*
+* becomes
+*
+*   expectArc(res).ok().hidesField('password');
+*
+* Every helper returns the assertion object so you can chain. `.body` /
+* `.data` are lazy accessors — they parse once and cache, so repeated access
+* is cheap.
+*
+* Assertions use `vitest`'s `expect` internally — import this only from
+* test files or modules that run under vitest.
+*/
+function parseBody(response) {
+	if (response.body === "" || response.body === void 0 || response.body === null) return {};
+	try {
+		return JSON.parse(response.body);
+	} catch (err) {
+		throw new Error(`expectArc: response body is not valid JSON (statusCode=${response.statusCode}): ${err.message}\nBody: ${response.body.slice(0, 200)}`);
+	}
+}
+function expectArc(response) {
+	let cachedBody = null;
+	const getBody = () => {
+		cachedBody ??= parseBody(response);
+		return cachedBody;
+	};
+	const assertion = {
+		response,
+		get body() {
+			return getBody();
+		},
+		get data() {
+			return getBody().data;
+		},
+		ok(status = 200) {
+			expect(response.statusCode, `expected 2xx (${status}) but got ${response.statusCode}. Body: ${response.body.slice(0, 200)}`).toBe(status);
+			expect(getBody().success).toBe(true);
+			return assertion;
+		},
+		failed(status) {
+			if (status !== void 0) expect(response.statusCode).toBe(status);
+			else expect(response.statusCode).toBeGreaterThanOrEqual(400);
+			expect(getBody().success).toBe(false);
+			return assertion;
+		},
+		unauthorized() {
+			return assertion.failed(401);
+		},
+		forbidden() {
+			return assertion.failed(403);
+		},
+		notFound() {
+			return assertion.failed(404);
+		},
+		validationError() {
+			return assertion.failed(400);
+		},
+		conflict() {
+			return assertion.failed(409);
+		},
+		hasData() {
+			expect(getBody().data, "expected body.data to be defined").toBeDefined();
+			return assertion;
+		},
+		hasStatus(status) {
+			expect(response.statusCode).toBe(status);
+			return assertion;
+		},
+		hidesField(field) {
+			const data = getBody().data;
+			expect(data, "expected body.data to be defined before field check").toBeDefined();
+			expect(data, `expected field '${field}' to be hidden from response.data`).not.toHaveProperty(field);
+			return assertion;
+		},
+		showsField(field) {
+			const data = getBody().data;
+			expect(data, "expected body.data to be defined before field check").toBeDefined();
+			expect(data, `expected field '${field}' on response.data`).toHaveProperty(field);
+			return assertion;
+		},
+		paginated(expected) {
+			const body = getBody();
+			expect(body.success).toBe(true);
+			const docs = body.docs ?? (Array.isArray(body.data) ? body.data : void 0);
+			expect(Array.isArray(docs), "expected `docs[]` (or `data[]`) on paginated response").toBe(true);
+			if (expected?.page !== void 0) expect(body.page).toBe(expected.page);
+			if (expected?.limit !== void 0) expect(body.limit).toBe(expected.limit);
+			if (expected?.total !== void 0) expect(body.total).toBe(expected.total);
+			if (expected?.hasNext !== void 0) expect(body.hasNext).toBe(expected.hasNext);
+			if (expected?.hasPrev !== void 0) expect(body.hasPrev).toBe(expected.hasPrev);
+			return assertion;
+		},
+		hasError(matcher) {
+			const body = getBody();
+			const errorField = body.error ?? body.message;
+			expect(errorField, "expected body.error or body.message to be set").toBeDefined();
+			if (typeof matcher === "string") expect(errorField).toBe(matcher);
+			else expect(errorField).toMatch(matcher);
+			return assertion;
+		},
+		hasMeta(key, value) {
+			const body = getBody();
+			const flat = body[key];
+			const nested = body.meta?.[key];
+			const resolved = flat !== void 0 ? flat : nested;
+			expect(resolved, `expected meta.${key} on body`).toBeDefined();
+			if (value !== void 0) expect(resolved).toEqual(value);
+			return assertion;
+		}
+	};
+	return assertion;
+}
+//#endregion
+//#region src/testing/authSession.ts
+function buildHeaders(token, orgId, extra) {
+	const headers = { authorization: `Bearer ${token}` };
+	if (orgId) headers["x-organization-id"] = orgId;
+	if (extra) Object.assign(headers, extra);
+	return headers;
+}
+function freezeSession(session) {
+	return Object.freeze({
+		...session,
+		headers: Object.freeze({ ...session.headers })
+	});
+}
+function createProvider(deps) {
+	const registry = /* @__PURE__ */ new Map();
+	const build = (role, config) => {
+		const token = deps.mintToken(role, config);
+		const orgId = config.orgId ?? deps.defaultOrgId;
+		const headers = buildHeaders(token, orgId, config.extraHeaders);
+		const withExtra = (extra) => freezeSession({
+			role,
+			token,
+			orgId,
+			user: config.user,
+			headers: {
+				...headers,
+				...extra
+			},
+			withExtra
+		});
+		return freezeSession({
+			role,
+			token,
+			orgId,
+			user: config.user,
+			headers,
+			withExtra
+		});
+	};
+	return {
+		register(role, config) {
+			if (!config.user && !config.token) throw new Error(`TestAuthProvider.register('${role}'): must supply either 'user' (JWT payload to sign) or 'token' (pre-signed bearer).`);
+			registry.set(role, config);
+		},
+		as(role) {
+			const config = registry.get(role);
+			if (!config) throw new Error(`TestAuthProvider.as('${role}'): unknown role. Registered: [${[...registry.keys()].join(", ") || "none"}]`);
+			return build(role, config);
+		},
+		anonymous() {
+			const withExtra = (extra) => freezeSession({
+				role: "anonymous",
+				token: "",
+				orgId: void 0,
+				user: void 0,
+				headers: { ...extra },
+				withExtra
+			});
+			return freezeSession({
+				role: "anonymous",
+				token: "",
+				orgId: void 0,
+				user: void 0,
+				headers: {},
+				withExtra
+			});
+		},
+		get roles() {
+			return [...registry.keys()];
+		}
+	};
+}
+/**
+* JWT provider — signs tokens on-the-fly using `app.jwt.sign()`.
+* Requires `@fastify/jwt` registered on the app.
+*
+* Accepts both `user` (payload to sign) and `token` (pre-signed) role configs,
+* so the same provider handles mixed flows in a single test.
+*/
+function createJwtAuthProvider(app, opts = {}) {
+	return createProvider({
+		defaultOrgId: opts.defaultOrgId,
+		mintToken(role, config) {
+			if (config.token) return config.token;
+			if (!config.user) throw new Error(`[jwt] role '${role}' has neither 'user' nor 'token'`);
+			const jwt = app.jwt;
+			if (!jwt?.sign) throw new Error(`[jwt] app.jwt.sign() is unavailable — register @fastify/jwt before calling createJwtAuthProvider.`);
+			return jwt.sign(config.user);
+		}
+	});
+}
+/**
+* Better Auth provider — uses pre-signed tokens (from signUp/signIn flows).
+* No signing: role configs MUST carry `token`. A `user` alone will throw.
+*/
+function createBetterAuthProvider(opts = {}) {
+	return createProvider({
+		defaultOrgId: opts.defaultOrgId,
+		mintToken(role, config) {
+			if (!config.token) throw new Error(`[better-auth] role '${role}' requires a pre-signed 'token' (from signUp/signIn). JWT payloads ('user') are not supported by this provider.`);
+			return config.token;
+		}
+	});
+}
+/**
+* Custom provider — plug in your own token minting logic. Useful for
+* mocked external issuers, session-cookie flows, or fixtures that pre-mint.
+*/
+function createCustomAuthProvider(mintToken, opts = {}) {
+	return createProvider({
+		defaultOrgId: opts.defaultOrgId,
+		mintToken
+	});
+}
+//#endregion
+//#region src/testing/betterAuth.ts
+const DEFAULT_BASE_PATH = "/api/auth";
+/**
+* Parse a JSON body safely. Returns null when empty or malformed — Better
+* Auth endpoints occasionally emit empty 204 bodies (e.g. set-active) and
+* tests shouldn't crash on the parse.
 */
 function safeParseBody(body) {
+	if (!body) return null;
 	try {
 		return JSON.parse(body);
 	} catch {
@@ -17,712 +257,397 @@ function safeParseBody(body) {
 	}
 }
 /**
-* Create stateless Better Auth test helpers.
-*
-* All methods take the app instance as a parameter, making them
-* safe to use across multiple test suites.
+* Extract a Better Auth session token from a response. Different versions
+* return it under different keys (`token`, `session.token`, `data.token`)
+* — check all three so the helper keeps working across minor-version
+* bumps without a coordinated update.
+*/
+function extractToken(body) {
+	if (!body || typeof body !== "object") return null;
+	const obj = body;
+	if (typeof obj.token === "string") return obj.token;
+	const session = obj.session;
+	if (session && typeof session.token === "string") return session.token;
+	const data = obj.data;
+	if (data && typeof data.token === "string") return data.token;
+	if (data?.session && typeof data.session.token === "string") return data.session.token;
+	return null;
+}
+/**
+* Extract the user id from a response. Same tolerance story as
+* `extractToken` — Better Auth has shuffled this field across versions.
+*/
+function extractUserId(body) {
+	if (!body || typeof body !== "object") return null;
+	const obj = body;
+	const userLike = obj.user ?? obj.data ?? obj;
+	if (!userLike) return null;
+	if (typeof userLike.id === "string") return userLike.id;
+	if (typeof userLike.userId === "string") return userLike.userId;
+	const nestedUser = userLike.user;
+	if (nestedUser && typeof nestedUser.id === "string") return nestedUser.id;
+	return null;
+}
+/** Same shape-tolerance for org ids. */
+function extractOrgId(body) {
+	if (!body || typeof body !== "object") return null;
+	const obj = body;
+	if (typeof obj.id === "string") return obj.id;
+	const organization = obj.organization;
+	if (organization && typeof organization.id === "string") return organization.id;
+	const data = obj.data;
+	if (data && typeof data.id === "string") return data.id;
+	if (data) {
+		const nestedOrg = data.organization;
+		if (nestedOrg && typeof nestedOrg.id === "string") return nestedOrg.id;
+	}
+	return null;
+}
+/**
+* Stateless Better Auth helpers. Each function takes the app as a positional
+* argument, so a single helper instance works across multiple test apps in
+* the same suite.
 */
 function createBetterAuthTestHelpers(options = {}) {
-	const basePath = options.basePath ?? "/api/auth";
+	const basePath = options.basePath ?? DEFAULT_BASE_PATH;
 	return {
-		async signUp(app, data) {
+		async signUp(app, input) {
 			const res = await app.inject({
 				method: "POST",
 				url: `${basePath}/sign-up/email`,
-				payload: data
+				payload: input,
+				headers: { "content-type": "application/json" }
 			});
-			const token = res.headers["set-auth-token"];
 			const body = safeParseBody(res.body);
+			const token = extractToken(body) ?? "";
+			const userId = extractUserId(body) ?? "";
 			return {
 				statusCode: res.statusCode,
-				token: token || "",
-				user: body?.user || body,
+				token,
+				userId,
 				body
 			};
 		},
-		async signIn(app, data) {
+		async signIn(app, input) {
 			const res = await app.inject({
 				method: "POST",
 				url: `${basePath}/sign-in/email`,
-				payload: data
+				payload: input,
+				headers: { "content-type": "application/json" }
 			});
-			const token = res.headers["set-auth-token"];
 			const body = safeParseBody(res.body);
+			const token = extractToken(body) ?? "";
+			const userId = extractUserId(body) ?? "";
 			return {
 				statusCode: res.statusCode,
-				token: token || "",
-				user: body?.user || body,
+				token,
+				userId,
 				body
 			};
 		},
-		async createOrg(app, token, data) {
+		async createOrg(app, token, input) {
 			const res = await app.inject({
 				method: "POST",
 				url: `${basePath}/organization/create`,
-				headers: { authorization: `Bearer ${token}` },
-				payload: data
+				payload: input,
+				headers: {
+					"content-type": "application/json",
+					authorization: `Bearer ${token}`
+				}
 			});
 			const body = safeParseBody(res.body);
+			const orgId = extractOrgId(body) ?? "";
 			return {
 				statusCode: res.statusCode,
-				orgId: body?.id,
+				orgId,
 				body
 			};
 		},
 		async setActiveOrg(app, token, orgId) {
-			const res = await app.inject({
+			return app.inject({
 				method: "POST",
 				url: `${basePath}/organization/set-active`,
-				headers: { authorization: `Bearer ${token}` },
-				payload: { organizationId: orgId }
+				payload: { organizationId: orgId },
+				headers: {
+					"content-type": "application/json",
+					authorization: `Bearer ${token}`
+				}
 			});
-			return {
-				statusCode: res.statusCode,
-				body: safeParseBody(res.body)
-			};
 		},
 		authHeaders(token, orgId) {
-			const h = { authorization: `Bearer ${token}` };
-			if (orgId) h["x-organization-id"] = orgId;
-			return h;
+			const headers = { authorization: `Bearer ${token}` };
+			if (orgId) headers["x-organization-id"] = orgId;
+			return headers;
 		}
 	};
 }
 /**
-* Set up a complete test organization with users.
-*
-* Creates the app, signs up users, creates an org, adds members,
-* and returns a context object with tokens and a teardown function.
-*
-* @example
-* ```typescript
-* const ctx = await setupBetterAuthOrg({
-*   createApp: () => createAppInstance(),
-*   org: { name: 'Test Corp', slug: 'test-corp' },
-*   users: [
-*     { key: 'admin', email: 'admin@test.com', password: 'pass', name: 'Admin', role: 'admin', isCreator: true },
-*     { key: 'member', email: 'user@test.com', password: 'pass', name: 'User', role: 'member' },
-*   ],
-*   addMember: async (data) => {
-*     await auth.api.addMember({ body: data });
-*     return { statusCode: 200 };
-*   },
-* });
-*
-* // Use in tests:
-* const res = await ctx.app.inject({
-*   method: 'GET',
-*   url: '/api/products',
-*   headers: auth.authHeaders(ctx.users.admin.token, ctx.orgId),
-* });
-*
-* // Cleanup:
-* await ctx.teardown();
-* ```
+* Composite setup for Better Auth apps. Replaces the pre-v2.11
+* `setupBetterAuthOrg` with a tighter contract:
+*
+*   1. Accept an already-built `app` (caller owns its lifecycle — arc's
+*      `createTestApp` composes naturally, but any built Fastify works).
+*   2. Sign up every user in order.
+*   3. The creator user creates the org; orgId is captured.
+*   4. Every non-creator user is added via the caller-supplied `addMember`
+*      (Better Auth's org-member API is app-specific, so arc doesn't
+*      hardcode it).
+*   5. Set the active org on every user.
+*   6. Register each user into a fresh `TestAuthProvider` — the 2.11
+*      `.as(key).headers` pattern works out of the box on the result.
+*
+* Exactly one user must be `isCreator: true`. Throws if zero or multiple
+* creators are supplied (ambiguous ownership is a boot-time bug, not a
+* runtime one).
 */
-async function setupBetterAuthOrg(options) {
-	const { createApp, org, users: userConfigs, addMember, afterSetup, authHelpers: helpersOptions } = options;
-	const helpers = createBetterAuthTestHelpers(helpersOptions);
-	const creators = userConfigs.filter((u) => u.isCreator);
-	if (creators.length !== 1) throw new Error(`setupBetterAuthOrg: Exactly one user must have isCreator: true (found ${creators.length})`);
-	const app = await createApp();
-	await app.ready();
-	const signups = /* @__PURE__ */ new Map();
-	for (const userConfig of userConfigs) {
-		const signup = await helpers.signUp(app, {
-			email: userConfig.email,
-			password: userConfig.password,
-			name: userConfig.name
-		});
-		if (signup.statusCode !== 200) throw new Error(`setupBetterAuthOrg: Failed to sign up ${userConfig.email} (status ${signup.statusCode})`);
-		signups.set(userConfig.key, signup);
-	}
-	const creatorConfig = creators[0];
-	const creatorSignup = signups.get(creatorConfig.key);
-	const orgResult = await helpers.createOrg(app, creatorSignup.token, org);
-	if (orgResult.statusCode !== 200) throw new Error(`setupBetterAuthOrg: Failed to create org (status ${orgResult.statusCode})`);
-	const orgId = orgResult.orgId;
-	for (const userConfig of userConfigs) {
-		if (userConfig.isCreator) continue;
-		const result = await addMember({
-			organizationId: orgId,
-			userId: signups.get(userConfig.key).user?.id,
-			role: userConfig.role
+async function setupBetterAuthTestApp(input) {
+	const { app, org, users, addMember, basePath } = input;
+	const creators = users.filter((u) => u.isCreator === true);
+	if (creators.length !== 1) throw new Error(`[arc-testing] setupBetterAuthTestApp: expected exactly one user with 'isCreator: true', got ${creators.length}. Every composite setup needs a single org owner to resolve ambiguous org membership.`);
+	const helpers = createBetterAuthTestHelpers({ basePath });
+	const signedUp = {};
+	for (const u of users) {
+		const res = await helpers.signUp(app, {
+			email: u.email,
+			password: u.password,
+			name: u.name
 		});
-		if (result.statusCode !== 200) throw new Error(`setupBetterAuthOrg: Failed to add member ${userConfig.email} (status ${result.statusCode})`);
-	}
-	await helpers.setActiveOrg(app, creatorSignup.token, orgId);
-	const users = {};
-	for (const userConfig of userConfigs) if (userConfig.isCreator) {
-		const signup = signups.get(userConfig.key);
-		users[userConfig.key] = {
-			token: signup.token,
-			userId: signup.user?.id,
-			email: userConfig.email
+		if (res.statusCode >= 400 || !res.token || !res.userId) throw new Error(`[arc-testing] setupBetterAuthTestApp: signUp failed for '${u.key}' (${u.email}). statusCode=${res.statusCode}, token=${res.token ? "ok" : "missing"}, userId=${res.userId ? "ok" : "missing"}, body=${JSON.stringify(res.body).slice(0, 300)}`);
+		signedUp[u.key] = {
+			userId: res.userId,
+			token: res.token,
+			user: u
 		};
-	} else {
-		const login = await helpers.signIn(app, {
-			email: userConfig.email,
-			password: userConfig.password
+	}
+	const creatorRec = signedUp[creators[0].key];
+	const orgRes = await helpers.createOrg(app, creatorRec.token, org);
+	if (orgRes.statusCode >= 400 || !orgRes.orgId) throw new Error(`[arc-testing] setupBetterAuthTestApp: createOrg failed. statusCode=${orgRes.statusCode}, orgId=${orgRes.orgId ? "ok" : "missing"}, body=${JSON.stringify(orgRes.body).slice(0, 300)}`);
+	const orgId = orgRes.orgId;
+	for (const u of users) {
+		if (u.isCreator === true) continue;
+		if (!addMember) continue;
+		const rec = signedUp[u.key];
+		const res = await addMember({
+			app,
+			creatorToken: creatorRec.token,
+			orgId,
+			userId: rec.userId,
+			role: u.role ?? "member"
 		});
-		await helpers.setActiveOrg(app, login.token, orgId);
-		users[userConfig.key] = {
-			token: login.token,
-			userId: signups.get(userConfig.key)?.user?.id,
-			email: userConfig.email
-		};
+		if (res.statusCode >= 400) throw new Error(`[arc-testing] setupBetterAuthTestApp: addMember failed for '${u.key}'. statusCode=${res.statusCode}, body=${res.body.slice(0, 300)}`);
 	}
-	const ctx = {
+	for (const rec of Object.values(signedUp)) await helpers.setActiveOrg(app, rec.token, orgId);
+	const auth = createBetterAuthProvider({ defaultOrgId: orgId });
+	for (const [key, rec] of Object.entries(signedUp)) auth.register(key, {
+		token: rec.token,
+		orgId
+	});
+	return {
 		app,
 		orgId,
-		users,
+		users: Object.fromEntries(Object.entries(signedUp).map(([key, rec]) => [key, {
+			userId: rec.userId,
+			token: rec.token,
+			email: rec.user.email,
+			...rec.user.role ? { role: rec.user.role } : {}
+		}])),
+		auth,
 		async teardown() {
 			await app.close();
 		}
 	};
-	if (afterSetup) await afterSetup(ctx);
-	return ctx;
 }
 //#endregion
-//#region src/testing/dbHelpers.ts
-/**
-* Test database manager
-*/
-var TestDatabase = class {
-	connection;
-	dbName;
-	constructor(dbName = `test_${Date.now()}`) {
-		this.dbName = dbName;
-	}
-	/**
-	* Connect to test database
-	*/
-	async connect(uri) {
-		const fullUri = `${uri || process.env.MONGO_TEST_URI || "mongodb://localhost:27017"}/${this.dbName}`;
-		this.connection = await mongoose.createConnection(fullUri).asPromise();
-		return this.connection;
-	}
-	/**
-	* Disconnect and cleanup
-	*/
-	async disconnect() {
-		if (this.connection) {
-			await this.connection.dropDatabase();
-			await this.connection.close();
-			this.connection = void 0;
-		}
-	}
-	/**
-	* Clear all collections
-	*/
-	async clear() {
-		if (!this.connection?.db) throw new Error("Database not connected");
-		const collections = await this.connection.db.collections();
-		await Promise.all(collections.map((collection) => collection.deleteMany({})));
-	}
-	/**
-	* Get connection
-	*/
-	getConnection() {
-		if (!this.connection) throw new Error("Database not connected");
-		return this.connection;
-	}
-};
-/**
-* Higher-order function to wrap tests with database setup/teardown
-*
-* @example
-* describe('Product Tests', () => {
-*   withTestDb(async (db) => {
-*     test('create product', async () => {
-*       const Product = db.getConnection().model('Product', schema);
-*       const product = await Product.create({ name: 'Test' });
-*       expect(product.name).toBe('Test');
-*     });
-*   });
-* });
-*/
-function withTestDb(tests, options = {}) {
-	const db = new TestDatabase(options.dbName);
-	beforeAll(async () => {
-		await db.connect(options.uri);
-	});
-	afterAll(async () => {
-		await db.disconnect();
-	});
-	afterEach(async () => {
-		await db.clear();
-	});
-	tests(db);
-}
-/**
-* Create test fixtures
-*
-* @example
-* const fixtures = new TestFixtures(connection);
-*
-* await fixtures.load('products', [
-*   { name: 'Product 1', price: 100 },
-*   { name: 'Product 2', price: 200 },
-* ]);
-*
-* const products = await fixtures.get('products');
-*/
-var TestFixtures = class {
-	fixtures = /* @__PURE__ */ new Map();
-	connection;
-	constructor(connection) {
-		this.connection = connection;
-	}
-	/**
-	* Load fixtures into a collection
-	*/
-	async load(collectionName, data) {
-		const result = await this.connection.collection(collectionName).insertMany(data);
-		const insertedDocs = Object.values(result.insertedIds).map((id, index) => ({
-			...data[index],
-			_id: id
-		}));
-		this.fixtures.set(collectionName, insertedDocs);
-		return insertedDocs;
-	}
-	/**
-	* Get loaded fixtures
-	*/
-	get(collectionName) {
-		return this.fixtures.get(collectionName) || [];
-	}
-	/**
-	* Get first fixture
-	*/
-	getFirst(collectionName) {
-		return this.get(collectionName)[0] || null;
-	}
-	/**
-	* Clear all fixtures
-	*/
-	async clear() {
-		for (const collectionName of this.fixtures.keys()) {
-			const collection = this.connection.collection(collectionName);
-			const ids = this.fixtures.get(collectionName)?.map((item) => item._id) || [];
-			await collection.deleteMany({ _id: { $in: ids } });
-		}
-		this.fixtures.clear();
-	}
-};
-/**
-* In-memory MongoDB for ultra-fast tests
-*
-* Requires: mongodb-memory-server
-*
-* @example
-* import { InMemoryDatabase } from '@classytic/arc/testing';
-*
-* describe('Fast Tests', () => {
-*   const memoryDb = new InMemoryDatabase();
-*
-*   beforeAll(async () => {
-*     await memoryDb.start();
-*   });
-*
-*   afterAll(async () => {
-*     await memoryDb.stop();
-*   });
-*
-*   test('create user', async () => {
-*     const uri = memoryDb.getUri();
-*     // Use uri for connection
-*   });
-* });
-*/
-var InMemoryDatabase = class {
-	mongod;
-	uri;
-	/**
-	* Start in-memory MongoDB
-	*/
-	async start() {
-		try {
-			const { MongoMemoryServer } = await import("mongodb-memory-server");
-			this.mongod = await MongoMemoryServer.create();
-			const uri = this.mongod.getUri();
-			this.uri = uri;
-			return uri;
-		} catch {
-			throw new Error("mongodb-memory-server not installed. Install with: npm install -D mongodb-memory-server");
-		}
-	}
-	/**
-	* Stop in-memory MongoDB
-	*/
-	async stop() {
-		if (this.mongod) {
-			await this.mongod.stop();
-			this.mongod = void 0;
-			this.uri = void 0;
-		}
-	}
-	/**
-	* Get connection URI
-	*/
-	getUri() {
-		if (!this.uri) throw new Error("In-memory database not started");
-		return this.uri;
-	}
-};
-/**
-* Database transaction helper for testing
-*/
-var TestTransaction = class {
-	session;
-	connection;
-	constructor(connection) {
-		this.connection = connection;
-	}
-	/**
-	* Start transaction
-	*/
-	async start() {
-		this.session = await this.connection.startSession();
-		this.session.startTransaction();
-	}
-	/**
-	* Commit transaction
-	*/
-	async commit() {
-		if (!this.session) throw new Error("Transaction not started");
-		await this.session.commitTransaction();
-		await this.session.endSession();
-		this.session = void 0;
-	}
-	/**
-	* Rollback transaction
-	*/
-	async rollback() {
-		if (!this.session) throw new Error("Transaction not started");
-		await this.session.abortTransaction();
-		await this.session.endSession();
-		this.session = void 0;
-	}
-	/**
-	* Get session
-	*/
-	getSession() {
-		if (!this.session) throw new Error("Transaction not started");
-		return this.session;
-	}
-};
-/**
-* Seed data helper
-*/
-var TestSeeder = class {
-	connection;
-	constructor(connection) {
-		this.connection = connection;
-	}
-	/**
-	* Seed collection with data
-	*/
-	async seed(collectionName, generator, count = 10) {
-		const data = Array.from({ length: count }, () => generator()).flat();
-		const result = await this.connection.collection(collectionName).insertMany(data);
-		return Object.values(result.insertedIds).map((id, index) => ({
-			...data[index],
-			_id: id
-		}));
-	}
-	/**
-	* Clear collection
-	*/
-	async clear(collectionName) {
-		await this.connection.collection(collectionName).deleteMany({});
-	}
-	/**
-	* Clear all collections
-	*/
-	async clearAll() {
-		if (!this.connection.db) throw new Error("Database not connected");
-		const collections = await this.connection.db.collections();
-		await Promise.all(collections.map((collection) => collection.deleteMany({})));
-	}
-};
-/**
-* Database snapshot helper for rollback testing
-*/
-var DatabaseSnapshot = class {
-	snapshots = /* @__PURE__ */ new Map();
-	connection;
-	constructor(connection) {
-		this.connection = connection;
-	}
-	/**
-	* Take snapshot of current database state
-	*/
-	async take() {
-		if (!this.connection.db) throw new Error("Database not connected");
-		const collections = await this.connection.db.collections();
-		for (const collection of collections) {
-			const data = await collection.find({}).toArray();
-			this.snapshots.set(collection.collectionName, data);
-		}
-	}
-	/**
-	* Restore database to snapshot
-	*/
-	async restore() {
-		if (!this.connection.db) throw new Error("Database not connected");
-		const collections = await this.connection.db.collections();
-		await Promise.all(collections.map((collection) => collection.deleteMany({})));
-		for (const [collectionName, data] of this.snapshots.entries()) if (data.length > 0) await this.connection.collection(collectionName).insertMany(data);
-	}
-	/**
-	* Clear snapshot
-	*/
-	clear() {
-		this.snapshots.clear();
-	}
-};
-//#endregion
-//#region src/testing/HttpTestHarness.ts
-/**
-* Create an auth provider for JWT-based apps.
-*
-* Generates JWT tokens on the fly using the app's JWT plugin.
-*
-* @example
-* ```typescript
-* const auth = createJwtAuthProvider({
-*   app,
-*   users: {
-*     admin: { payload: { id: '1', roles: ['admin'] }, organizationId: 'org1' },
-*     viewer: { payload: { id: '2', roles: ['viewer'] } },
-*   },
-*   adminRole: 'admin',
-* });
-* ```
-*/
-function createJwtAuthProvider(options) {
-	const { app, users, adminRole } = options;
+//#region src/testing/fixtures.ts
+function createTestFixtures() {
+	const registry = /* @__PURE__ */ new Map();
+	const tracked = [];
 	return {
-		getHeaders(role) {
-			const user = users[role];
-			if (!user) throw new Error(`createJwtAuthProvider: Unknown role '${role}'. Available: ${Object.keys(users).join(", ")}`);
-			const headers = { authorization: `Bearer ${app.jwt?.sign?.(user.payload) || "mock-token"}` };
-			if (user.organizationId) headers["x-organization-id"] = user.organizationId;
-			return headers;
+		register(name, factoryOrRegistration) {
+			const registration = typeof factoryOrRegistration === "function" ? { create: factoryOrRegistration } : factoryOrRegistration;
+			registry.set(name, registration);
 		},
-		availableRoles: Object.keys(users),
-		adminRole
-	};
-}
-/**
-* Create an auth provider for Better Auth apps.
-*
-* Uses pre-existing tokens (from signUp/signIn) rather than generating them.
-*
-* @example
-* ```typescript
-* const auth = createBetterAuthProvider({
-*   tokens: {
-*     admin: ctx.users.admin.token,
-*     member: ctx.users.member.token,
-*   },
-*   orgId: ctx.orgId,
-*   adminRole: 'admin',
-* });
-* ```
-*/
-function createBetterAuthProvider(options) {
-	const { tokens, orgId, adminRole } = options;
-	return {
-		getHeaders(role) {
-			const token = tokens[role];
-			if (!token) throw new Error(`createBetterAuthProvider: No token for role '${role}'. Available: ${Object.keys(tokens).join(", ")}`);
-			return {
-				authorization: `Bearer ${token}`,
-				"x-organization-id": orgId
-			};
+		async create(name, data) {
+			const reg = registry.get(name);
+			if (!reg) throw new Error(`TestFixtures.create('${name}'): unknown factory. Registered: [${[...registry.keys()].join(", ") || "none"}]`);
+			const record = await reg.create(data ?? {});
+			tracked.push({
+				name,
+				record,
+				destroy: reg.destroy
+			});
+			return record;
+		},
+		async createMany(name, count, template) {
+			if (count < 0) throw new Error(`TestFixtures.createMany: count must be >= 0, got ${count}`);
+			const results = [];
+			for (let i = 0; i < count; i++) {
+				const record = await this.create(name, template);
+				results.push(record);
+			}
+			return results;
 		},
-		availableRoles: Object.keys(tokens),
-		adminRole
+		async clear() {
+			for (let i = tracked.length - 1; i >= 0; i--) {
+				const entry = tracked[i];
+				if (entry.destroy) await entry.destroy(entry.record).catch(() => {});
+			}
+			tracked.length = 0;
+		},
+		all(name) {
+			return tracked.filter((t) => t.name === name).map((t) => t.record);
+		},
+		get names() {
+			return [...registry.keys()];
+		}
 	};
 }
+//#endregion
+//#region src/testing/HttpTestHarness.ts
 /**
-* HTTP-level test harness for Arc resources.
-*
-* Generates tests that exercise the full HTTP lifecycle:
-* routes, auth, permissions, pipeline, and response envelope.
-*
-* Supports deferred options via a getter function, which is essential
-* when the app instance comes from async `beforeAll()` setup.
+* An op is "protected" (should 401 without a token) unless the resource
+* explicitly wired `allowPublic()` — that's the same rule arc's router uses
+* via `requiresAuthentication`. Treats absent permission as public (matches
+* the router's behaviour for historical reasons); the harness only emits the
+* unauthenticated 401 assertion when the op is actually protected.
 */
+function opRequiresAuth(resource, op) {
+	const check = resource.permissions?.[op];
+	if (!check) return false;
+	return check._isPublic !== true;
+}
 var HttpTestHarness = class {
 	resource;
 	optionsOrGetter;
-	eagerBaseUrl;
 	enabledRoutes;
-	updateMethod;
+	/**
+	* Update verbs exercised by this harness instance. One entry for single-method
+	* resources (`"PATCH"` or `"PUT"`), two for `updateMethod: "both"` so both
+	* verbs are covered — the framework mounts both, and the harness should
+	* probe both.
+	*/
+	updateMethods;
 	constructor(resource, optionsOrGetter) {
 		this.resource = resource;
 		this.optionsOrGetter = optionsOrGetter;
-		if (typeof optionsOrGetter === "function") this.eagerBaseUrl = null;
-		else {
-			const apiPrefix = optionsOrGetter.apiPrefix ?? "/api";
-			this.eagerBaseUrl = `${apiPrefix}${resource.prefix}`;
-		}
 		const disabled = new Set(resource.disabledRoutes ?? []);
 		this.enabledRoutes = new Set(resource.disableDefaultRoutes ? [] : CRUD_OPERATIONS.filter((op) => !disabled.has(op)));
-		this.updateMethod = resource.updateMethod === "PUT" ? "PUT" : "PATCH";
+		const um = resource.updateMethod;
+		this.updateMethods = um === "both" ? ["PATCH", "PUT"] : um === "PUT" ? ["PUT"] : ["PATCH"];
 	}
-	/** Resolve options (supports both direct and deferred) */
 	getOptions() {
 		return typeof this.optionsOrGetter === "function" ? this.optionsOrGetter() : this.optionsOrGetter;
 	}
-	/**
-	* Resolve the base URL for requests.
-	*
-	* - Eager mode: uses pre-computed baseUrl from constructor
-	* - Deferred mode: reads apiPrefix from the getter options at runtime
-	*
-	* Must only be called inside it()/afterAll() callbacks (after beforeAll has run).
-	*/
 	getBaseUrl() {
-		if (this.eagerBaseUrl !== null) return this.eagerBaseUrl;
 		return `${this.getOptions().apiPrefix ?? ""}${this.resource.prefix}`;
 	}
-	/**
-	* Run all test suites: CRUD + permissions + validation
-	*/
+	adminHeaders() {
+		const opts = this.getOptions();
+		return { ...opts.auth.as(opts.adminRole).headers };
+	}
 	runAll() {
 		this.runCrud();
 		this.runPermissions();
 		this.runValidation();
 	}
-	/**
-	* Run HTTP-level CRUD tests.
-	*
-	* Tests each enabled CRUD operation through app.inject():
-	* - POST (create) → 200/201 with { success: true, data }
-	* - GET (list) → 200 with array or paginated response
-	* - GET /:id → 200 with { success: true, data }
-	* - PATCH/PUT /:id → 200 with { success: true, data }
-	* - DELETE /:id → 200
-	* - GET /:id with non-existent ID → 404
-	*/
 	runCrud() {
-		const { resource, enabledRoutes, updateMethod } = this;
+		const { resource, enabledRoutes, updateMethods } = this;
 		let createdId = null;
 		describe(`${resource.displayName} HTTP CRUD`, () => {
 			afterAll(async () => {
 				if (createdId && enabledRoutes.has("delete")) {
-					const { app, auth } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
+					const { app } = this.getOptions();
 					await app.inject({
 						method: "DELETE",
-						url: `${baseUrl}/${createdId}`,
-						headers: auth.getHeaders(auth.adminRole)
+						url: `${this.getBaseUrl()}/${createdId}`,
+						headers: this.adminHeaders()
 					});
 				}
 			});
 			if (enabledRoutes.has("create")) it("POST should create a resource", async () => {
-				const { app, auth, fixtures } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
-				const adminHeaders = auth.getHeaders(auth.adminRole);
+				const { app, fixtures } = this.getOptions();
 				const res = await app.inject({
 					method: "POST",
-					url: baseUrl,
-					headers: adminHeaders,
+					url: this.getBaseUrl(),
+					headers: this.adminHeaders(),
 					payload: fixtures.valid
 				});
 				expect(res.statusCode).toBeLessThan(300);
 				const body = JSON.parse(res.body);
 				expect(body.success).toBe(true);
-				expect(body.data).toBeDefined();
-				expect(body.data._id).toBeDefined();
+				expect(body.data?._id).toBeDefined();
 				createdId = body.data._id;
 			});
 			if (enabledRoutes.has("list")) it("GET should list resources", async () => {
-				const { app, auth } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
+				const { app } = this.getOptions();
 				const res = await app.inject({
 					method: "GET",
-					url: baseUrl,
-					headers: auth.getHeaders(auth.adminRole)
+					url: this.getBaseUrl(),
+					headers: this.adminHeaders()
 				});
 				expect(res.statusCode).toBe(200);
 				const body = JSON.parse(res.body);
 				expect(body.success).toBe(true);
 				const list = body.data ?? body.docs;
-				expect(list).toBeDefined();
 				expect(Array.isArray(list)).toBe(true);
 			});
 			if (enabledRoutes.has("get")) {
 				it("GET /:id should return the resource", async () => {
 					if (!createdId) return;
-					const { app, auth } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
+					const { app } = this.getOptions();
 					const res = await app.inject({
 						method: "GET",
-						url: `${baseUrl}/${createdId}`,
-						headers: auth.getHeaders(auth.adminRole)
+						url: `${this.getBaseUrl()}/${createdId}`,
+						headers: this.adminHeaders()
 					});
 					expect(res.statusCode).toBe(200);
-					const body = JSON.parse(res.body);
-					expect(body.success).toBe(true);
-					expect(body.data).toBeDefined();
-					expect(body.data._id).toBe(createdId);
+					expect(JSON.parse(res.body).data?._id).toBe(createdId);
 				});
 				it("GET /:id with non-existent ID should return 404", async () => {
-					const { app, auth } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
+					const { app } = this.getOptions();
 					const res = await app.inject({
 						method: "GET",
-						url: `${baseUrl}/000000000000000000000000`,
-						headers: auth.getHeaders(auth.adminRole)
+						url: `${this.getBaseUrl()}/000000000000000000000000`,
+						headers: this.adminHeaders()
 					});
 					expect(res.statusCode).toBe(404);
 					expect(JSON.parse(res.body).success).toBe(false);
 				});
 			}
-			if (enabledRoutes.has("update")) {
-				it(`${updateMethod} /:id should update the resource`, async () => {
+			if (enabledRoutes.has("update")) for (const verb of updateMethods) {
+				it(`${verb} /:id should update the resource`, async () => {
 					if (!createdId) return;
-					const { app, auth, fixtures } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
-					const updatePayload = fixtures.update || fixtures.valid;
+					const { app, fixtures } = this.getOptions();
+					const payload = fixtures.update ?? fixtures.valid;
 					const res = await app.inject({
-						method: updateMethod,
-						url: `${baseUrl}/${createdId}`,
-						headers: auth.getHeaders(auth.adminRole),
-						payload: updatePayload
+						method: verb,
+						url: `${this.getBaseUrl()}/${createdId}`,
+						headers: this.adminHeaders(),
+						payload
 					});
 					expect(res.statusCode).toBe(200);
-					const body = JSON.parse(res.body);
-					expect(body.success).toBe(true);
-					expect(body.data).toBeDefined();
+					expect(JSON.parse(res.body).success).toBe(true);
 				});
-				it(`${updateMethod} /:id with non-existent ID should return 404`, async () => {
-					const { app, auth, fixtures } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
+				it(`${verb} /:id with non-existent ID should return 404`, async () => {
+					const { app, fixtures } = this.getOptions();
+					const payload = fixtures.update ?? fixtures.valid;
 					expect((await app.inject({
-						method: updateMethod,
-						url: `${baseUrl}/000000000000000000000000`,
-						headers: auth.getHeaders(auth.adminRole),
-						payload: fixtures.update || fixtures.valid
+						method: verb,
+						url: `${this.getBaseUrl()}/000000000000000000000000`,
+						headers: this.adminHeaders(),
+						payload
 					})).statusCode).toBe(404);
 				});
 			}
 			if (enabledRoutes.has("delete")) {
 				it("DELETE /:id should delete the resource", async () => {
-					const { app, auth, fixtures } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
-					const adminHeaders = auth.getHeaders(auth.adminRole);
+					const { app, fixtures } = this.getOptions();
 					let deleteId;
 					if (enabledRoutes.has("create")) {
 						const createRes = await app.inject({
 							method: "POST",
-							url: baseUrl,
-							headers: adminHeaders,
+							url: this.getBaseUrl(),
+							headers: this.adminHeaders(),
 							payload: fixtures.valid
 						});
 						deleteId = JSON.parse(createRes.body).data?._id;
@@ -730,124 +655,111 @@ var HttpTestHarness = class {
 					if (!deleteId) return;
 					expect((await app.inject({
 						method: "DELETE",
-						url: `${baseUrl}/${deleteId}`,
-						headers: adminHeaders
+						url: `${this.getBaseUrl()}/${deleteId}`,
+						headers: this.adminHeaders()
 					})).statusCode).toBe(200);
 					if (enabledRoutes.has("get")) expect((await app.inject({
 						method: "GET",
-						url: `${baseUrl}/${deleteId}`,
-						headers: adminHeaders
+						url: `${this.getBaseUrl()}/${deleteId}`,
+						headers: this.adminHeaders()
 					})).statusCode).toBe(404);
 				});
 				it("DELETE /:id with non-existent ID should return 404", async () => {
-					const { app, auth } = this.getOptions();
-					const baseUrl = this.getBaseUrl();
+					const { app } = this.getOptions();
 					expect((await app.inject({
 						method: "DELETE",
-						url: `${baseUrl}/000000000000000000000000`,
-						headers: auth.getHeaders(auth.adminRole)
+						url: `${this.getBaseUrl()}/000000000000000000000000`,
+						headers: this.adminHeaders()
 					})).statusCode).toBe(404);
 				});
 			}
 		});
 	}
-	/**
-	* Run permission tests.
-	*
-	* Tests that:
-	* - Unauthenticated requests return 401
-	* - Admin role gets 2xx for all operations
-	*/
 	runPermissions() {
-		const { resource, enabledRoutes, updateMethod } = this;
+		const { resource, enabledRoutes, updateMethods } = this;
+		const protectedOps = {
+			list: opRequiresAuth(resource, "list"),
+			get: opRequiresAuth(resource, "get"),
+			create: opRequiresAuth(resource, "create"),
+			update: opRequiresAuth(resource, "update"),
+			delete: opRequiresAuth(resource, "delete")
+		};
 		describe(`${resource.displayName} HTTP Permissions`, () => {
-			if (enabledRoutes.has("list")) it("GET list without auth should return 401", async () => {
+			if (enabledRoutes.has("list") && protectedOps.list) it("GET list without auth should return 401", async () => {
 				const { app } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "GET",
-					url: baseUrl
+					url: this.getBaseUrl()
 				})).statusCode).toBe(401);
 			});
-			if (enabledRoutes.has("get")) it("GET get without auth should return 401", async () => {
+			if (enabledRoutes.has("get") && protectedOps.get) it("GET /:id without auth should return 401", async () => {
 				const { app } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "GET",
-					url: `${baseUrl}/000000000000000000000000`
+					url: `${this.getBaseUrl()}/000000000000000000000000`
 				})).statusCode).toBe(401);
 			});
-			if (enabledRoutes.has("create")) it("POST create without auth should return 401", async () => {
+			if (enabledRoutes.has("create") && protectedOps.create) it("POST without auth should return 401", async () => {
 				const { app, fixtures } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "POST",
-					url: baseUrl,
+					url: this.getBaseUrl(),
 					payload: fixtures.valid
 				})).statusCode).toBe(401);
 			});
-			if (enabledRoutes.has("update")) it(`${updateMethod} update without auth should return 401`, async () => {
+			if (enabledRoutes.has("update") && protectedOps.update) for (const verb of updateMethods) it(`${verb} without auth should return 401`, async () => {
 				const { app, fixtures } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
+				const payload = fixtures.update ?? fixtures.valid;
 				expect((await app.inject({
-					method: updateMethod,
-					url: `${baseUrl}/000000000000000000000000`,
-					payload: fixtures.update || fixtures.valid
+					method: verb,
+					url: `${this.getBaseUrl()}/000000000000000000000000`,
+					payload
 				})).statusCode).toBe(401);
 			});
-			if (enabledRoutes.has("delete")) it("DELETE delete without auth should return 401", async () => {
+			if (enabledRoutes.has("delete") && protectedOps.delete) it("DELETE without auth should return 401", async () => {
 				const { app } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
 				expect((await app.inject({
 					method: "DELETE",
-					url: `${baseUrl}/000000000000000000000000`
+					url: `${this.getBaseUrl()}/000000000000000000000000`
 				})).statusCode).toBe(401);
 			});
 			if (enabledRoutes.has("list")) it("admin should access list endpoint", async () => {
-				const { app, auth } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
+				const { app } = this.getOptions();
 				expect((await app.inject({
 					method: "GET",
-					url: baseUrl,
-					headers: auth.getHeaders(auth.adminRole)
+					url: this.getBaseUrl(),
+					headers: this.adminHeaders()
 				})).statusCode).toBeLessThan(400);
 			});
 			if (enabledRoutes.has("create")) it("admin should access create endpoint", async () => {
-				const { app, auth, fixtures } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
+				const { app, fixtures } = this.getOptions();
 				const res = await app.inject({
 					method: "POST",
-					url: baseUrl,
-					headers: auth.getHeaders(auth.adminRole),
+					url: this.getBaseUrl(),
+					headers: this.adminHeaders(),
 					payload: fixtures.valid
 				});
 				expect(res.statusCode).toBeLessThan(400);
 				const body = JSON.parse(res.body);
 				if (body.data?._id && enabledRoutes.has("delete")) await app.inject({
 					method: "DELETE",
-					url: `${baseUrl}/${body.data._id}`,
-					headers: auth.getHeaders(auth.adminRole)
+					url: `${this.getBaseUrl()}/${body.data._id}`,
+					headers: this.adminHeaders()
 				});
 			});
 		});
 	}
-	/**
-	* Run validation tests.
-	*
-	* Tests that invalid payloads return 400.
-	*/
 	runValidation() {
 		const { resource, enabledRoutes } = this;
 		if (!enabledRoutes.has("create")) return;
 		describe(`${resource.displayName} HTTP Validation`, () => {
-			it("POST with invalid payload should not return 2xx", async () => {
-				const { app, auth, fixtures } = this.getOptions();
-				const baseUrl = this.getBaseUrl();
+			it("POST with invalid payload should be rejected", async () => {
+				const { app, fixtures } = this.getOptions();
 				if (!fixtures.invalid) return;
 				const res = await app.inject({
 					method: "POST",
-					url: baseUrl,
-					headers: auth.getHeaders(auth.adminRole),
+					url: this.getBaseUrl(),
+					headers: this.adminHeaders(),
 					payload: fixtures.invalid
 				});
 				expect(res.statusCode).toBeGreaterThanOrEqual(400);
@@ -857,22 +769,8 @@ var HttpTestHarness = class {
 	}
 };
 /**
-* Create an HTTP test harness for an Arc resource.
-*
-* Accepts options directly or as a getter function for deferred resolution.
-*
-* @example Deferred (recommended for async setup)
-* ```typescript
-* let ctx: TestContext;
-* beforeAll(async () => { ctx = await setupTestOrg(); });
-*
-* createHttpTestHarness(jobResource, () => ({
-*   app: ctx.app,
-*   apiPrefix: '',
-*   fixtures: { valid: { title: 'Test' } },
-*   auth: createBetterAuthProvider({ ... }),
-* })).runAll();
-* ```
+* Create an HTTP test harness. `optionsOrGetter` may be a plain object
+* (for eager app setup) or a getter function (for async `beforeAll` apps).
 */
 function createHttpTestHarness(resource, optionsOrGetter) {
 	return new HttpTestHarness(resource, optionsOrGetter);
@@ -1118,682 +1016,133 @@ function pickResource(value) {
 	for (const c of candidates) if (c && typeof c === "object" && typeof c.toPlugin === "function") return c;
 }
 //#endregion
-//#region src/testing/TestHarness.ts
+//#region src/testing/testApp.ts
 /**
-* Resource Test Harness
-*
-* Generates baseline tests for Arc resources automatically.
-* Tests CRUD operations + preset routes with minimal configuration.
+* createTestApp — test app factory for arc
 *
-* @example
-* import { createTestHarness } from '@classytic/arc/testing';
-* import productResource from './product.resource.js';
+* One call spins up a Fastify instance with arc's standard test defaults,
+* an in-memory MongoDB (optional), an auth provider (JWT / Better Auth / none),
+* and a fixture tracker attached to the result. Every piece is optional —
+* tests that just need a vanilla app skip the extras.
 *
-* const harness = createTestHarness(productResource, {
-*   fixtures: {
-*     valid: { name: 'Test Product', price: 100 },
-*     update: { name: 'Updated Product' },
-*   },
-* });
-*
-* // Run all baseline tests (50+ auto-generated)
-* harness.runAll();
-*
-* // Or run specific test suites
-* harness.runPresets();
-* harness.runValidation();
+*   const ctx = await createTestApp({
+*     resources: [jobResource],
+*     authMode: 'jwt',
+*   });
 *
-* // For HTTP-level CRUD coverage (auth, permissions, routes), use
-* // `HttpTestHarness` from `@classytic/arc/testing`.
+*   ctx.auth.register('admin', { user: { id: '1', roles: ['admin'] } });
+*   const admin = ctx.auth.as('admin');
+*   const res = await ctx.app.inject({ url: '/jobs', headers: admin.headers });
+*
+*   afterAll(() => ctx.close());
+*
+* Scope — what this factory does AND doesn't do:
+*   ✓ Starts in-memory Mongo (when `db: 'in-memory'`) and exposes `dbUri`
+*   ✓ Optionally connects Mongoose to that URI via `connectMongoose: true`
+*   ✓ Applies arc's standard test defaults for the Fastify instance
+*   ✓ Applies the matching auth plugin for the chosen `authMode`
+*   ✓ Registers every resource as a plugin (under its own `prefix`)
+*   ✓ Tears everything down in the right order on `close()`
+*   ✗ Does NOT thread `dbUri` into your resource adapters — adapter wiring
+*     (mongokit/prisma/sqlitekit/custom) is app-level concern. Call
+*     `mongoose.connect(ctx.dbUri)` (or use `connectMongoose: true`) before
+*     importing resources whose models need the connection.
 */
-var TestHarness = class {
-	resource;
-	Model;
-	fixtures;
-	setupFn;
-	teardownFn;
-	mongoUri;
-	_createdIds = [];
-	constructor(resource, options) {
-		this.resource = resource;
-		this.fixtures = options.fixtures;
-		this.setupFn = options.setupFn;
-		this.teardownFn = options.teardownFn;
-		this.mongoUri = options.mongoUri || process.env.MONGO_URI || "mongodb://localhost:27017/test";
-		if (!resource.adapter) throw new Error(`TestHarness requires a resource with a database adapter`);
-		if (resource.adapter.type !== "mongoose") throw new Error(`TestHarness currently only supports Mongoose adapters`);
-		const model = resource.adapter.model;
-		if (!model) throw new Error(`Mongoose adapter for ${resource.name} does not have a model`);
-		this.Model = model;
-	}
-	/**
-	* Run all baseline tests (schema, presets, field permissions, pipeline, events).
-	*
-	* For HTTP-level CRUD coverage (routes, auth, permissions), use
-	* {@link HttpTestHarness} instead.
-	*/
-	runAll() {
-		this.runValidation();
-		this.runPresets();
-		this.runFieldPermissions();
-		this.runPipeline();
-		this.runEvents();
-	}
-	/**
-	* Run validation tests
-	*
-	* Tests schema validation, required fields, etc.
-	*/
-	runValidation() {
-		const { resource, fixtures, Model } = this;
-		describe(`${resource.displayName} Validation`, () => {
-			beforeAll(async () => {
-				await mongoose.connect(this.mongoUri);
-			});
-			afterAll(async () => {
-				await mongoose.disconnect();
-			});
-			it("should reject empty document", async () => {
-				await expect(Model.create({})).rejects.toThrow();
-			});
-			if (fixtures.invalid) it("should reject invalid data", async () => {
-				await expect(Model.create(fixtures.invalid)).rejects.toThrow();
-			});
-		});
-	}
-	/**
-	* Run preset-specific tests
-	*
-	* Auto-detects applied presets and tests their functionality:
-	* - softDelete: deletedAt field, soft delete/restore
-	* - slugLookup: slug generation
-	* - tree: parent references, displayOrder
-	* - multiTenant: organizationId requirement
-	* - ownedByUser: userId requirement
-	*/
-	runPresets() {
-		const { resource, fixtures, Model } = this;
-		const presets = resource._appliedPresets || [];
-		if (presets.length === 0) return;
-		describe(`${resource.displayName} Preset Tests`, () => {
-			beforeAll(async () => {
-				await mongoose.connect(this.mongoUri);
-			});
-			afterAll(async () => {
-				await mongoose.disconnect();
-			});
-			if (presets.includes("softDelete")) describe("Soft Delete", () => {
-				let testDoc;
-				beforeEach(async () => {
-					testDoc = await Model.create(fixtures.valid);
-					this._createdIds.push(testDoc._id);
-				});
-				it("should have deletedAt field", () => {
-					expect(testDoc.deletedAt).toBeDefined();
-					expect(testDoc.deletedAt).toBeNull();
-				});
-				it("should soft delete (set deletedAt)", async () => {
-					await Model.findByIdAndUpdate(testDoc._id, { deletedAt: /* @__PURE__ */ new Date() });
-					expect((await Model.findById(testDoc._id))?.deletedAt).not.toBeNull();
-				});
-				it("should restore (clear deletedAt)", async () => {
-					await Model.findByIdAndUpdate(testDoc._id, { deletedAt: /* @__PURE__ */ new Date() });
-					await Model.findByIdAndUpdate(testDoc._id, { deletedAt: null });
-					expect((await Model.findById(testDoc._id))?.deletedAt).toBeNull();
-				});
-			});
-			if (presets.includes("slugLookup")) describe("Slug Lookup", () => {
-				it("should have slug field", async () => {
-					const doc = await Model.create(fixtures.valid);
-					this._createdIds.push(doc._id);
-					expect(doc.slug).toBeDefined();
-				});
-				it("should generate slug from name", async () => {
-					const doc = await Model.create({
-						...fixtures.valid,
-						name: "Test Slug Name"
-					});
-					this._createdIds.push(doc._id);
-					expect(doc.slug).toMatch(/test-slug-name/i);
-				});
-			});
-			if (presets.includes("tree")) describe("Tree Structure", () => {
-				it("should allow parent reference", async () => {
-					const parent = await Model.create(fixtures.valid);
-					this._createdIds.push(parent._id);
-					const child = await Model.create({
-						...fixtures.valid,
-						parent: parent._id
-					});
-					this._createdIds.push(child._id);
-					expect(String(child.parent)).toEqual(String(parent._id));
-				});
-				it("should support displayOrder", async () => {
-					const doc = await Model.create({
-						...fixtures.valid,
-						displayOrder: 5
-					});
-					this._createdIds.push(doc._id);
-					expect(doc.displayOrder).toEqual(5);
-				});
-			});
-			if (presets.includes("multiTenant")) describe("Multi-Tenant", () => {
-				it("should require organizationId", async () => {
-					const docWithoutOrg = { ...fixtures.valid };
-					delete docWithoutOrg.organizationId;
-					await expect(Model.create(docWithoutOrg)).rejects.toThrow();
-				});
-			});
-			if (presets.includes("ownedByUser")) describe("Owned By User", () => {
-				it("should require userId", async () => {
-					const docWithoutUser = { ...fixtures.valid };
-					delete docWithoutUser.userId;
-					await expect(Model.create(docWithoutUser)).rejects.toThrow();
-				});
-			});
-		});
-	}
-	/**
-	* Run field-level permission tests
-	*
-	* Auto-generates tests for each field permission:
-	* - hidden: field is stripped from responses
-	* - visibleTo: field only shown to specified roles
-	* - writableBy: field stripped from writes by non-privileged users
-	* - redactFor: field shows redacted value for specified roles
-	*/
-	runFieldPermissions() {
-		const { resource } = this;
-		const fieldPerms = resource.fields;
-		if (!fieldPerms || Object.keys(fieldPerms).length === 0) return;
-		describe(`${resource.displayName} Field Permissions`, () => {
-			for (const [field, rawPerm] of Object.entries(fieldPerms)) {
-				const perm = rawPerm;
-				switch (perm._type) {
-					case "hidden":
-						it(`should always hide field '${field}'`, () => {
-							const result = applyFieldReadPermissions({
-								[field]: "secret",
-								otherField: "visible"
-							}, fieldPerms, []);
-							expect(result[field]).toBeUndefined();
-							expect(result.otherField).toBe("visible");
-						});
-						it(`should strip hidden field '${field}' from writes`, () => {
-							const { body: result } = applyFieldWritePermissions({
-								[field]: "attempt",
-								name: "test"
-							}, fieldPerms, []);
-							expect(result[field]).toBeUndefined();
-							expect(result.name).toBe("test");
-						});
-						break;
-					case "visibleTo":
-						it(`should hide field '${field}' from non-privileged users`, () => {
-							expect(applyFieldReadPermissions({ [field]: "sensitive" }, fieldPerms, ["viewer"])[field]).toBeUndefined();
-						});
-						if (perm.roles && perm.roles.length > 0) {
-							const allowedRole = perm.roles[0];
-							it(`should show field '${field}' to roles: ${[...perm.roles].join(", ")}`, () => {
-								expect(applyFieldReadPermissions({ [field]: "sensitive" }, fieldPerms, [allowedRole])[field]).toBe("sensitive");
-							});
-						}
-						break;
-					case "writableBy":
-						it(`should strip field '${field}' from writes by non-privileged users`, () => {
-							const { body: result } = applyFieldWritePermissions({
-								[field]: "new-value",
-								name: "test"
-							}, fieldPerms, ["viewer"]);
-							expect(result[field]).toBeUndefined();
-							expect(result.name).toBe("test");
-						});
-						if (perm.roles && perm.roles.length > 0) {
-							const writeRole = perm.roles[0];
-							it(`should allow writing field '${field}' by roles: ${[...perm.roles].join(", ")}`, () => {
-								const { body: result } = applyFieldWritePermissions({ [field]: "new-value" }, fieldPerms, [writeRole]);
-								expect(result[field]).toBe("new-value");
-							});
-						}
-						break;
-					case "redactFor":
-						if (perm.roles && perm.roles.length > 0) {
-							const redactRole = perm.roles[0];
-							it(`should redact field '${field}' for roles: ${[...perm.roles].join(", ")}`, () => {
-								expect(applyFieldReadPermissions({ [field]: "real-value" }, fieldPerms, [redactRole])[field]).toBe(perm.redactValue ?? "***");
-							});
-						}
-						it(`should show real value of field '${field}' to non-redacted roles`, () => {
-							expect(applyFieldReadPermissions({ [field]: "real-value" }, fieldPerms, ["unrelated-role"])[field]).toBe("real-value");
-						});
-						break;
-				}
-			}
-		});
-	}
-	/**
-	* Run pipeline configuration tests
-	*
-	* Validates that pipeline steps are properly configured:
-	* - All steps have names
-	* - All steps have valid _type discriminants
-	* - Operation filters (if set) use valid CRUD operation names
-	*/
-	runPipeline() {
-		const { resource } = this;
-		const pipe = resource.pipe;
-		if (!pipe) return;
-		const validOps = new Set(CRUD_OPERATIONS);
-		describe(`${resource.displayName} Pipeline`, () => {
-			const steps = collectPipelineSteps(pipe);
-			it("should have at least one pipeline step", () => {
-				expect(steps.length).toBeGreaterThan(0);
-			});
-			for (const step of steps) {
-				it(`${step._type} '${step.name}' should have a valid type`, () => {
-					expect([
-						"guard",
-						"transform",
-						"interceptor"
-					]).toContain(step._type);
-				});
-				it(`${step._type} '${step.name}' should have a name`, () => {
-					expect(step.name).toBeTruthy();
-					expect(typeof step.name).toBe("string");
-				});
-				it(`${step._type} '${step.name}' should have a handler function`, () => {
-					expect(typeof step.handler).toBe("function");
-				});
-				if (step.operations?.length) it(`${step._type} '${step.name}' should target valid operations`, () => {
-					for (const op of step.operations) expect(validOps.has(op)).toBe(true);
-				});
-			}
-		});
-	}
-	/**
-	* Run event definition tests
-	*
-	* Validates that events are properly defined:
-	* - All events have handler functions
-	* - Event names follow resource:action convention
-	* - Schema definitions (if present) are valid objects
-	*/
-	runEvents() {
-		const { resource } = this;
-		const events = resource.events;
-		if (!events || Object.keys(events).length === 0) return;
-		describe(`${resource.displayName} Events`, () => {
-			for (const [action, rawDef] of Object.entries(events)) {
-				const def = rawDef;
-				it(`event '${resource.name}:${action}' should have a handler function`, () => {
-					expect(typeof def.handler).toBe("function");
-				});
-				it(`event '${resource.name}:${action}' should have a name`, () => {
-					expect(def.name).toBeTruthy();
-					expect(typeof def.name).toBe("string");
-				});
-				if (def.schema) it(`event '${resource.name}:${action}' schema should be an object`, () => {
-					expect(typeof def.schema).toBe("object");
-					expect(def.schema).not.toBeNull();
-				});
+async function startInMemoryMongo() {
+	try {
+		const { MongoMemoryServer } = await import("mongodb-memory-server");
+		const mongod = await MongoMemoryServer.create();
+		return {
+			uri: mongod.getUri(),
+			async stop() {
+				await mongod.stop();
 			}
-		});
-	}
-};
-/**
-* Collect all pipeline steps from a PipelineConfig (flat array or per-operation map)
-*/
-function collectPipelineSteps(pipe) {
-	if (Array.isArray(pipe)) return pipe;
-	const seen = /* @__PURE__ */ new Set();
-	const steps = [];
-	for (const opSteps of Object.values(pipe)) if (Array.isArray(opSteps)) for (const step of opSteps) {
-		const key = `${step._type}:${step.name}`;
-		if (!seen.has(key)) {
-			seen.add(key);
-			steps.push(step);
-		}
+		};
+	} catch (err) {
+		throw new Error(`createTestApp({ db: 'in-memory' }): mongodb-memory-server is required. Install with \`npm i -D mongodb-memory-server\`. Root cause: ${err.message}`);
 	}
-	return steps;
-}
-/**
-* Create a test harness for an Arc resource
-*
-* @param resource - The Arc resource definition to test
-* @param options - Test harness configuration
-* @returns Test harness instance
-*
-* @example
-* import { createTestHarness } from '@classytic/arc/testing';
-*
-* const harness = createTestHarness(productResource, {
-*   fixtures: {
-*     valid: { name: 'Product', price: 100 },
-*     update: { name: 'Updated' },
-*   },
-* });
-*
-* harness.runAll(); // Generates 50+ baseline tests
-*/
-function createTestHarness(resource, options) {
-	return new TestHarness(resource, options);
 }
-/**
-* Generate test file content for a resource
-*
-* Useful for scaffolding new resource tests via CLI
-*
-* @param resourceName - Resource name in kebab-case (e.g., 'product')
-* @param options - Generation options
-* @returns Complete test file content as string
-*
-* @example
-* const testContent = generateTestFile('product', {
-*   presets: ['softDelete'],
-*   modulePath: './modules/catalog',
-* });
-* fs.writeFileSync('product.test.js', testContent);
-*/
-function generateTestFile(resourceName, options = {}) {
-	const { presets = [], modulePath = "." } = options;
-	const className = resourceName.split("-").map((s) => s.charAt(0).toUpperCase() + s.slice(1)).join("");
-	const varName = className.charAt(0).toLowerCase() + className.slice(1);
-	return `/**
- * ${className} Resource Tests
- *
- * Auto-generated baseline tests. Customize as needed.
- */
-
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
-import mongoose from 'mongoose';
-import { createTestHarness } from '@classytic/arc/testing';
-import ${varName}Resource from '${modulePath}/${resourceName}.resource.js';
-import ${className} from '${modulePath}/${resourceName}.model.js';
-
-const MONGO_URI = process.env.MONGO_TEST_URI || 'mongodb://localhost:27017/${resourceName}-test';
-
-// Test fixtures
-const fixtures = {
-  valid: {
-    name: 'Test ${className}',
-    // Add required fields here
-  },
-  update: {
-    name: 'Updated ${className}',
-  },
-  invalid: {
-    // Empty or invalid data
-  },
-};
-
-// Create test harness
-const harness = createTestHarness(${varName}Resource, {
-  fixtures,
-  mongoUri: MONGO_URI,
-});
-
-// Run all baseline tests
-harness.runAll();
-
-// Custom tests
-describe('${className} Custom Tests', () => {
-  let testId;
-
-  beforeAll(async () => {
-    await mongoose.connect(MONGO_URI);
-  });
-
-  afterAll(async () => {
-    if (testId) {
-      await ${className}.findByIdAndDelete(testId);
-    }
-    await mongoose.disconnect();
-  });
-
-  // Add your custom tests here
-  it('should pass custom validation', async () => {
-    // Example: const doc = await ${className}.create(fixtures.valid);
-    // testId = doc._id;
-    // expect(doc.someField).toBe('expectedValue');
-    expect(true).toBe(true);
-  });
-});
-`;
-}
-/**
-* Run config-level tests for a resource (no DB required)
-*
-* Tests field permissions, pipeline configuration, and event definitions.
-* Works with any adapter — no Mongoose dependency.
-*
-* @param resource - The Arc resource definition to test
-*
-* @example
-* ```typescript
-* import { createConfigTestSuite } from '@classytic/arc/testing';
-* import productResource from './product.resource.js';
-*
-* // Generates field permission, pipeline, and event tests
-* createConfigTestSuite(productResource);
-* ```
-*/
-function createConfigTestSuite(resource) {
-	const fieldPerms = resource.fields;
-	const pipe = resource.pipe;
-	const events = resource.events;
-	if (fieldPerms && Object.keys(fieldPerms).length > 0) runFieldPermissionTests(resource.displayName, fieldPerms);
-	if (pipe) runPipelineTests(resource.displayName, pipe);
-	if (events && Object.keys(events).length > 0) runEventTests(resource.name, resource.displayName, events);
-	if (resource.permissions && Object.keys(resource.permissions).length > 0) describe(`${resource.displayName} Permission Config`, () => {
-		for (const op of CRUD_OPERATIONS) {
-			const check = resource.permissions[op];
-			if (check) it(`${op} permission should be a function`, () => {
-				expect(typeof check).toBe("function");
-			});
-		}
-	});
-}
-function runFieldPermissionTests(displayName, fieldPerms) {
-	describe(`${displayName} Field Permissions`, () => {
-		for (const [field, perm] of Object.entries(fieldPerms)) switch (perm._type) {
-			case "hidden":
-				it(`should always hide field '${field}'`, () => {
-					expect(applyFieldReadPermissions({
-						[field]: "secret",
-						other: "visible"
-					}, fieldPerms, [])[field]).toBeUndefined();
-				});
-				it(`should strip hidden field '${field}' from writes`, () => {
-					const { body: result } = applyFieldWritePermissions({
-						[field]: "attempt",
-						name: "test"
-					}, fieldPerms, []);
-					expect(result[field]).toBeUndefined();
-				});
-				break;
-			case "visibleTo":
-				it(`should hide field '${field}' from non-privileged users`, () => {
-					expect(applyFieldReadPermissions({ [field]: "sensitive" }, fieldPerms, ["_no_role_"])[field]).toBeUndefined();
-				});
-				if (perm.roles && perm.roles.length > 0) {
-					const allowedRole = perm.roles[0];
-					it(`should show field '${field}' to roles: ${[...perm.roles].join(", ")}`, () => {
-						expect(applyFieldReadPermissions({ [field]: "sensitive" }, fieldPerms, [allowedRole])[field]).toBe("sensitive");
-					});
-				}
-				break;
-			case "writableBy":
-				it(`should strip field '${field}' from writes by non-privileged users`, () => {
-					const { body: result } = applyFieldWritePermissions({
-						[field]: "v",
-						name: "test"
-					}, fieldPerms, ["_no_role_"]);
-					expect(result[field]).toBeUndefined();
-				});
-				if (perm.roles && perm.roles.length > 0) {
-					const writeRole = perm.roles[0];
-					it(`should allow writing field '${field}' by roles: ${[...perm.roles].join(", ")}`, () => {
-						const { body: result } = applyFieldWritePermissions({ [field]: "v" }, fieldPerms, [writeRole]);
-						expect(result[field]).toBe("v");
-					});
-				}
-				break;
-			case "redactFor":
-				if (perm.roles && perm.roles.length > 0) {
-					const redactRole = perm.roles[0];
-					it(`should redact field '${field}' for roles: ${[...perm.roles].join(", ")}`, () => {
-						expect(applyFieldReadPermissions({ [field]: "real" }, fieldPerms, [redactRole])[field]).toBe(perm.redactValue ?? "***");
-					});
-				}
-				it(`should show real value of field '${field}' to non-redacted roles`, () => {
-					expect(applyFieldReadPermissions({ [field]: "real" }, fieldPerms, ["_other_"])[field]).toBe("real");
-				});
-				break;
-		}
-	});
-}
-function runPipelineTests(displayName, pipe) {
-	const steps = collectPipelineSteps(pipe);
-	if (steps.length === 0) return;
-	const validOps = new Set(CRUD_OPERATIONS);
-	describe(`${displayName} Pipeline`, () => {
-		it("should have at least one pipeline step", () => {
-			expect(steps.length).toBeGreaterThan(0);
-		});
-		for (const step of steps) {
-			it(`${step._type} '${step.name}' should have a valid type`, () => {
-				expect([
-					"guard",
-					"transform",
-					"interceptor"
-				]).toContain(step._type);
-			});
-			it(`${step._type} '${step.name}' should have a handler function`, () => {
-				expect(typeof step.handler).toBe("function");
-			});
-			if (step.operations?.length) it(`${step._type} '${step.name}' should target valid operations`, () => {
-				for (const op of step.operations) expect(validOps.has(op)).toBe(true);
-			});
-		}
-	});
-}
-function runEventTests(resourceName, displayName, events) {
-	describe(`${displayName} Events`, () => {
-		for (const [action, def] of Object.entries(events)) {
-			it(`event '${resourceName}:${action}' should have a handler function`, () => {
-				expect(typeof def.handler).toBe("function");
-			});
-			it(`event '${resourceName}:${action}' should have a name`, () => {
-				expect(def.name).toBeTruthy();
-			});
-			if (def.schema) it(`event '${resourceName}:${action}' schema should be an object`, () => {
-				expect(typeof def.schema).toBe("object");
-				expect(def.schema).not.toBeNull();
-			});
-		}
-	});
+async function connectMongooseToUri(uri) {
+	try {
+		const mongoose = (await import("mongoose")).default;
+		await mongoose.connect(uri);
+		return { async disconnect() {
+			await mongoose.disconnect();
+		} };
+	} catch (err) {
+		throw new Error(`createTestApp({ connectMongoose: true }): failed to connect Mongoose to ${uri}. Root cause: ${err.message}`);
+	}
 }
-//#endregion
-//#region src/testing/testFactory.ts
-/**
-* Testing Utilities - Test App Factory
-*
-* Create Fastify test instances with Arc configuration
-*/
-/**
-* Create a test application instance with optional in-memory MongoDB
-*
-* **Performance Boost**: Uses in-memory MongoDB by default for 10x faster tests.
-*
-* @example Basic usage with in-memory DB
-* ```typescript
-* import { createTestApp } from '@classytic/arc/testing';
-*
-* describe('API Tests', () => {
-*   let testApp: TestAppResult;
-*
-*   beforeAll(async () => {
-*     testApp = await createTestApp({
-*       auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
-*     });
-*   });
-*
-*   afterAll(async () => {
-*     await testApp.close(); // Cleans up DB and disconnects
-*   });
-*
-*   test('GET /health', async () => {
-*     const response = await testApp.app.inject({
-*       method: 'GET',
-*       url: '/health',
-*     });
-*     expect(response.statusCode).toBe(200);
-*   });
-* });
-* ```
-*
-* @example Using external MongoDB
-* ```typescript
-* const testApp = await createTestApp({
-*   auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
-*   useInMemoryDb: false,
-*   mongoUri: 'mongodb://localhost:27017/test-db',
-* });
-* ```
-*
-* @example Accessing MongoDB URI for model connections
-* ```typescript
-* const testApp = await createTestApp({
-*   auth: { type: 'jwt', jwt: { secret: 'test-secret' } },
-* });
-* await mongoose.connect(testApp.mongoUri); // Connect your models
-* ```
-*/
-async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-BwnEAO2h.mjs").then((n) => n.r);
-	const { useInMemoryDb = true, mongoUri: providedMongoUri, ...appOptions } = options;
-	const defaultAuth = {
+function pickDefaultAuth(authMode, callerAuth) {
+	if (callerAuth !== void 0) return callerAuth;
+	if (authMode === "jwt") return {
 		type: "jwt",
 		jwt: { secret: "test-secret-32-chars-minimum-len" }
 	};
-	let inMemoryDb = null;
-	let mongoUri = providedMongoUri;
-	if (useInMemoryDb && !providedMongoUri) try {
-		inMemoryDb = new InMemoryDatabase();
-		mongoUri = await inMemoryDb.start();
-	} catch (err) {
-		console.warn("[createTestApp] Failed to start in-memory MongoDB:", err.message, "\nFalling back to external MongoDB or no DB connection.");
+}
+async function createTestApp(options = {}) {
+	const { createApp } = await import("../createApp-P1d6rjPy.mjs").then((n) => n.r);
+	const { resources = [], db = "in-memory", connectMongoose = false, authMode = "jwt", defaultOrgId, plugins, auth: callerAuth, ...appOptions } = options;
+	let dbHandle;
+	let dbUri;
+	if (db === "in-memory") {
+		dbHandle = await startInMemoryMongo();
+		dbUri = dbHandle.uri;
+	} else if (db && typeof db === "object" && "uri" in db) dbUri = db.uri;
+	let mongooseHandle;
+	if (connectMongoose) {
+		if (!dbUri) throw new Error(`createTestApp({ connectMongoose: true }): requires db: 'in-memory' or { uri }. Got db: ${JSON.stringify(db)}`);
+		mongooseHandle = await connectMongooseToUri(dbUri);
 	}
-	const app = await createApp({
+	if (authMode === "better-auth" && callerAuth === void 0) {
+		if (dbHandle) await dbHandle.stop();
+		if (mongooseHandle) await mongooseHandle.disconnect();
+		throw new Error("createTestApp({ authMode: 'better-auth' }): you must also pass `auth: { type: 'better-auth', ... }`. Without it the app has no auth plugin registered and tests would silently bypass Better Auth middleware.");
+	}
+	const resolvedAuth = pickDefaultAuth(authMode, callerAuth);
+	const testDefaults = {
 		preset: "testing",
 		logger: false,
 		helmet: false,
 		cors: false,
 		rateLimit: false,
 		underPressure: false,
-		auth: defaultAuth,
-		...appOptions
+		...resolvedAuth ? { auth: resolvedAuth } : {}
+	};
+	const mergedPlugins = async (fastify) => {
+		if (plugins) await plugins(fastify);
+		for (const resource of resources) await fastify.register(resource.toPlugin());
+	};
+	const app = await createApp({
+		...testDefaults,
+		...appOptions,
+		plugins: mergedPlugins
 	});
+	let auth;
+	if (authMode === "jwt") auth = createJwtAuthProvider(app, { defaultOrgId });
+	else if (authMode === "better-auth") auth = createBetterAuthProvider({ defaultOrgId });
+	const fixtures = createTestFixtures();
+	let closed = false;
+	const close = async () => {
+		if (closed) return;
+		closed = true;
+		await fixtures.clear().catch(() => {});
+		await app.close();
+		if (mongooseHandle) await mongooseHandle.disconnect();
+		if (dbHandle) await dbHandle.stop();
+	};
 	return {
 		app,
-		mongoUri,
-		async close() {
-			await app.close();
-			if (inMemoryDb) await inMemoryDb.stop();
-		}
+		auth,
+		fixtures,
+		dbUri,
+		close
 	};
 }
 /**
-* Create a minimal Fastify instance for unit tests
-*
-* Use when you don't need Arc's full plugin stack
-*
-* @example
-* const app = createMinimalTestApp();
-* app.get('/test', async () => ({ success: true }));
-*
-* const response = await app.inject({ method: 'GET', url: '/test' });
-* expect(response.json()).toEqual({ success: true });
+* Minimal Fastify instance — no arc plugins, no auth, no db. Use when a test
+* needs bare Fastify (e.g. plugin unit tests that manually register their
+* dependencies).
 */
 function createMinimalTestApp(options = {}) {
 	return Fastify({
@@ -1801,151 +1150,5 @@ function createMinimalTestApp(options = {}) {
 		...options
 	});
 }
-/**
-* Test request builder for cleaner tests
-*
-* @example
-* const request = new TestRequestBuilder(app)
-*   .get('/products')
-*   .withAuth(mockUser)
-*   .withQuery({ page: 1, limit: 10 });
-*
-* const response = await request.send();
-* expect(response.statusCode).toBe(200);
-*/
-var TestRequestBuilder = class {
-	method = "GET";
-	url = "/";
-	body;
-	query;
-	headers = {};
-	app;
-	constructor(app) {
-		this.app = app;
-	}
-	get(url) {
-		this.method = "GET";
-		this.url = url;
-		return this;
-	}
-	post(url) {
-		this.method = "POST";
-		this.url = url;
-		return this;
-	}
-	put(url) {
-		this.method = "PUT";
-		this.url = url;
-		return this;
-	}
-	patch(url) {
-		this.method = "PATCH";
-		this.url = url;
-		return this;
-	}
-	delete(url) {
-		this.method = "DELETE";
-		this.url = url;
-		return this;
-	}
-	withBody(body) {
-		this.body = body;
-		return this;
-	}
-	withQuery(query) {
-		this.query = query;
-		return this;
-	}
-	withHeader(key, value) {
-		this.headers[key] = value;
-		return this;
-	}
-	withAuth(userOrHeaders) {
-		if ("authorization" in userOrHeaders || "Authorization" in userOrHeaders) {
-			for (const [key, value] of Object.entries(userOrHeaders)) if (typeof value === "string") this.headers[key] = value;
-		} else {
-			const token = this.app.jwt?.sign?.(userOrHeaders) || "mock-token";
-			this.headers.Authorization = `Bearer ${token}`;
-		}
-		return this;
-	}
-	withContentType(type) {
-		this.headers["Content-Type"] = type;
-		return this;
-	}
-	async send() {
-		return this.app.inject({
-			method: this.method,
-			url: this.url,
-			payload: this.body,
-			query: this.query,
-			headers: this.headers
-		});
-	}
-};
-/**
-* Helper to create a test request builder
-*/
-function request(app) {
-	return new TestRequestBuilder(app);
-}
-/**
-* Test helper for authentication
-*/
-function createTestAuth(app) {
-	return {
-		generateToken(user) {
-			if (!app.jwt) throw new Error("JWT plugin not registered");
-			return app.jwt.sign(user);
-		},
-		decodeToken(token) {
-			if (!app.jwt) throw new Error("JWT plugin not registered");
-			return app.jwt.decode(token);
-		},
-		async verifyToken(token) {
-			if (!app.jwt) throw new Error("JWT plugin not registered");
-			return app.jwt.verify(token);
-		}
-	};
-}
-/**
-* Snapshot testing helper for API responses
-*/
-function createSnapshotMatcher() {
-	return { matchStructure(response, expected) {
-		if (typeof response !== typeof expected) return false;
-		if (Array.isArray(response) && Array.isArray(expected)) return response.length === expected.length;
-		if (typeof response === "object" && response !== null && typeof expected === "object" && expected !== null) {
-			const r = response;
-			const e = expected;
-			const responseKeys = Object.keys(r).sort();
-			const expectedKeys = Object.keys(e).sort();
-			if (JSON.stringify(responseKeys) !== JSON.stringify(expectedKeys)) return false;
-			for (const key of responseKeys) if (!this.matchStructure(r[key], e[key])) return false;
-			return true;
-		}
-		return true;
-	} };
-}
-/**
-* Bulk test data loader
-*/
-var TestDataLoader = class {
-	data = /* @__PURE__ */ new Map();
-	/**
-	* Load test data into database
-	*/
-	async load(collection, items) {
-		this.data.set(collection, items);
-		return items;
-	}
-	/**
-	* Clear all loaded test data
-	*/
-	async cleanup() {
-		for (const [_collection, _items] of this.data.entries());
-		this.data.clear();
-	}
-};
 //#endregion
-export { DatabaseSnapshot, TestFixtures as DbTestFixtures, HttpTestHarness, InMemoryDatabase, TestDataLoader, TestDatabase, TestHarness, TestRequestBuilder, TestSeeder, TestTransaction, createBetterAuthProvider, createBetterAuthTestHelpers, createConfigTestSuite, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSnapshotMatcher, createSpy, createTestApp, createTestAuth, createTestHarness, createTestTimer, generateTestFile, preloadResources, preloadResourcesAsync, request, runStorageContract, safeParseBody, setupBetterAuthOrg, waitFor, withTestDb };
+export { HttpTestHarness, createBetterAuthProvider, createBetterAuthTestHelpers, createCustomAuthProvider, createDataFactory, createHttpTestHarness, createJwtAuthProvider, createMinimalTestApp, createMockController, createMockReply, createMockRepository, createMockRequest, createMockUser, createSpy, createTestApp, createTestFixtures, createTestTimer, expectArc, preloadResources, preloadResourcesAsync, runStorageContract, safeParseBody, setupBetterAuthTestApp, waitFor };