@classytic/arc 2.10.8 → 2.11.1

package/dist/queryParser-NR__Qiju.mjs

@@ -1,419 +0,0 @@
-import { m as RESERVED_QUERY_PARAMS } from "./constants-BhY1OHoH.mjs";
-//#region src/utils/simpleEqualityMatcher.ts
-/**
-* `simpleEqualityMatcher` — a minimal, dialect-agnostic flat-key equality
-* matcher for `DataAdapter.matchesFilter` / `BaseController({ matchesFilter })`.
-*
-* **What it does:** for each `[key, expected]` in the filter, compares
-* `item[key]` to `expected` via string coercion (so Mongo `ObjectId` values
-* match their string representation) and returns `true` only if every
-* filter entry matches. Array item values are matched implicitly (contains).
-*
-* **What it does NOT do:**
-* - No `$eq` / `$ne` / `$in` / `$nin` / `$gt` / `$lt` / `$regex` / `$exists`
-* - No `$and` / `$or`
-* - No dot-path traversal (`"owner.id"`)
-* - No schema-specific coercion
-*
-* **Why it exists:** 95%+ of arc's `_policyFilters` are produced by built-in
-* permission helpers and are shaped like `{ ownerId: "u1" }` or
-* `{ organizationId: "org_x" }` — flat equality. For that common shape,
-* this helper is a safe, tested, 15-line defense-in-depth matcher that
-* hosts using minimal repos (no `getOne(compoundFilter)` DB path) can opt
-* into without arc shipping a full Mongo-syntax engine.
-*
-* **When to use:**
-* - Your adapter/repo doesn't natively filter on `getOne(compoundFilter)`
-* - Your `_policyFilters` are flat equality (from arc's built-in permission helpers)
-* - You want defense-in-depth on `validateItemAccess` / `fetchDetailed`'s `getById` fallback
-*
-* **When NOT to use:**
-* - Your `_policyFilters` use operators (`$in`, `$ne`, etc.) — supply a
-*   native matcher (mongokit's repo does the filter at the DB layer; for
-*   custom repos, wrap the kit's own predicate engine).
-* - You're a mongokit / sqlitekit / Prisma user — the DB-level filter
-*   applied by `getOne(compoundFilter)` already covers this.
-*
-* @example
-* ```ts
-* import { simpleEqualityMatcher } from '@classytic/arc/utils';
-*
-* // On a custom adapter
-* const adapter: DataAdapter = {
-*   repository,
-*   type: 'custom',
-*   name: 'in-memory',
-*   matchesFilter: simpleEqualityMatcher,
-* };
-*
-* // Or directly on BaseController for ad-hoc controllers
-* new BaseController(repo, { matchesFilter: simpleEqualityMatcher });
-* ```
-*/
-function simpleEqualityMatcher(item, filters) {
-	if (!item || typeof item !== "object") return false;
-	const obj = item;
-	for (const [key, expected] of Object.entries(filters)) {
-		if (expected && typeof expected === "object" && !Array.isArray(expected) && Object.getPrototypeOf(expected) === Object.prototype && Object.keys(expected).some((k) => k.startsWith("$"))) return false;
-		const actual = obj[key];
-		if (Array.isArray(actual)) {
-			const expectedStr = String(expected);
-			if (!actual.some((v) => String(v) === expectedStr)) return false;
-			continue;
-		}
-		if (String(actual) !== String(expected)) return false;
-	}
-	return true;
-}
-//#endregion
-//#region src/utils/queryParser.ts
-/**
-* Arc Query Parser - Default URL-to-Query Parser
-*
-* Framework-agnostic query parser that converts URL parameters to query options.
-* This is Arc's built-in parser; users can swap in MongoKit's QueryParser,
-* pgkit's parser, or any custom parser implementing QueryParserInterface.
-*
-* @example
-* // Use Arc default parser (auto-applied if no queryParser option)
-* defineResource({ name: 'product', adapter: ... });
-*
-* // Use MongoKit's QueryParser (recommended for MongoDB - has $lookup, aggregations, etc.)
-* import { QueryParser } from '@classytic/mongokit';
-* defineResource({
-*   name: 'product',
-*   adapter: ...,
-*   queryParser: new QueryParser(),
-* });
-*
-* // Use custom parser for SQL databases
-* defineResource({
-*   name: 'user',
-*   adapter: ...,
-*   queryParser: new PgQueryParser(),
-* });
-*/
-/**
-* Regex patterns that can cause catastrophic backtracking (ReDoS attacks)
-* Detects:
-* - Quantifiers: {n,m}
-* - Possessive quantifiers: *+, ++, ?+
-* - Nested quantifiers: (a+)+, (a*)*
-* - Backreferences: \1, \2, etc.
-*/
-const DANGEROUS_REGEX_PATTERNS = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\(.+\))\+|\(\?:|\\[0-9]|(\[.+\]).+(\[.+\]))/;
-/**
-* Arc's default query parser
-*
-* Converts URL query parameters to a structured query format:
-* - Pagination: ?page=1&limit=20
-* - Sorting: ?sort=-createdAt,name (- prefix = descending)
-* - Filtering: ?status=active&price[gte]=100&price[lte]=500
-* - Search: ?search=keyword
-* - Populate: ?populate=author,category
-* - Field selection: ?select=name,price,status
-* - Keyset pagination: ?after=cursor_value
-*
-* For advanced MongoDB features ($lookup, aggregations), use MongoKit's QueryParser.
-*/
-var ArcQueryParser = class {
-	maxLimit;
-	defaultLimit;
-	maxRegexLength;
-	maxSearchLength;
-	maxFilterDepth;
-	_allowedFilterFields;
-	_allowedSortFields;
-	_allowedOperators;
-	/** Allowed filter fields (used by MCP for auto-derive) */
-	allowedFilterFields;
-	/** Allowed sort fields (used by MCP for sort descriptions) */
-	allowedSortFields;
-	/** Allowed operators (used by MCP for operator descriptions) */
-	allowedOperators;
-	/** Supported filter operators */
-	operators = {
-		eq: "$eq",
-		ne: "$ne",
-		gt: "$gt",
-		gte: "$gte",
-		lt: "$lt",
-		lte: "$lte",
-		in: "$in",
-		nin: "$nin",
-		like: "$regex",
-		contains: "$regex",
-		regex: "$regex",
-		exists: "$exists"
-	};
-	constructor(options = {}) {
-		this.maxLimit = options.maxLimit ?? 1e3;
-		this.defaultLimit = options.defaultLimit ?? 20;
-		this.maxRegexLength = options.maxRegexLength ?? 200;
-		this.maxSearchLength = options.maxSearchLength ?? 200;
-		this.maxFilterDepth = options.maxFilterDepth ?? 10;
-		if (options.allowedFilterFields) {
-			this._allowedFilterFields = new Set(options.allowedFilterFields);
-			this.allowedFilterFields = options.allowedFilterFields;
-		}
-		if (options.allowedSortFields) {
-			this._allowedSortFields = new Set(options.allowedSortFields);
-			this.allowedSortFields = options.allowedSortFields;
-		}
-		if (options.allowedOperators) {
-			this._allowedOperators = new Set(options.allowedOperators);
-			this.allowedOperators = options.allowedOperators;
-		}
-	}
-	/**
-	* Parse URL query parameters into structured query options
-	*/
-	parse(query) {
-		const q = query ?? {};
-		const page = this.parseNumber(q.page, 1);
-		const limit = Math.min(this.parseNumber(q.limit, this.defaultLimit), this.maxLimit);
-		const after = this.parseString(q.after ?? q.cursor);
-		const sort = this.parseSort(q.sort);
-		const { populate, populateOptions } = this.parsePopulate(q.populate);
-		const search = this.parseSearch(q.search);
-		const select = this.parseSelect(q.select);
-		return {
-			filters: this.parseFilters(q),
-			limit,
-			sort,
-			populate,
-			populateOptions,
-			search,
-			page: after ? void 0 : page,
-			after,
-			select
-		};
-	}
-	parseNumber(value, defaultValue) {
-		if (value === void 0 || value === null) return defaultValue;
-		const num = parseInt(String(value), 10);
-		return Number.isNaN(num) ? defaultValue : Math.max(1, num);
-	}
-	parseString(value) {
-		if (value === void 0 || value === null) return void 0;
-		const str = String(value).trim();
-		return str.length > 0 ? str : void 0;
-	}
-	/**
-	* Parse populate parameter — handles both simple string and bracket notation.
-	*
-	* Simple: ?populate=author,category → { populate: 'author,category' }
-	* Bracket: ?populate[author][select]=name,email → { populateOptions: [{ path: 'author', select: 'name email' }] }
-	*/
-	parsePopulate(value) {
-		if (value === void 0 || value === null) return {};
-		if (typeof value === "string") {
-			const trimmed = value.trim();
-			return trimmed.length > 0 ? { populate: trimmed } : {};
-		}
-		if (typeof value === "object" && !Array.isArray(value)) {
-			const obj = value;
-			const keys = Object.keys(obj);
-			if (keys.length === 0) return {};
-			const options = [];
-			for (const path of keys) {
-				if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(path)) continue;
-				const config = obj[path];
-				if (typeof config === "object" && config !== null && !Array.isArray(config)) {
-					const cfg = config;
-					const option = { path };
-					if (typeof cfg.select === "string") option.select = cfg.select.split(",").map((s) => s.trim()).filter(Boolean).join(" ");
-					if (typeof cfg.match === "object" && cfg.match !== null) option.match = cfg.match;
-					options.push(option);
-				} else options.push({ path });
-			}
-			return options.length > 0 ? { populateOptions: options } : {};
-		}
-		return {};
-	}
-	parseSort(value) {
-		if (!value) return void 0;
-		const sortStr = String(value);
-		const result = {};
-		for (const field of sortStr.split(",")) {
-			const trimmed = field.trim();
-			if (!trimmed) continue;
-			if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
-			const fieldName = trimmed.startsWith("-") ? trimmed.slice(1) : trimmed;
-			if (this._allowedSortFields && !this._allowedSortFields.has(fieldName)) continue;
-			if (trimmed.startsWith("-")) result[fieldName] = -1;
-			else result[fieldName] = 1;
-		}
-		return Object.keys(result).length > 0 ? result : void 0;
-	}
-	parseSearch(value) {
-		if (!value) return void 0;
-		const search = String(value).trim();
-		if (search.length === 0) return void 0;
-		if (search.length > this.maxSearchLength) return search.slice(0, this.maxSearchLength);
-		return search;
-	}
-	parseSelect(value) {
-		if (!value) return void 0;
-		const selectStr = String(value);
-		const result = {};
-		for (const field of selectStr.split(",")) {
-			const trimmed = field.trim();
-			if (!trimmed) continue;
-			if (!/^-?[a-zA-Z_][a-zA-Z0-9_.]*$/.test(trimmed)) continue;
-			if (trimmed.startsWith("-")) result[trimmed.slice(1)] = 0;
-			else result[trimmed] = 1;
-		}
-		return Object.keys(result).length > 0 ? result : void 0;
-	}
-	/**
-	* Check if a value exceeds the maximum nesting depth.
-	* Prevents filter bombs where deeply nested objects consume excessive memory/CPU.
-	*/
-	exceedsDepth(obj, currentDepth = 0) {
-		if (currentDepth > this.maxFilterDepth) return true;
-		if (obj === null || obj === void 0) return false;
-		if (Array.isArray(obj)) return obj.some((v) => this.exceedsDepth(v, currentDepth));
-		if (typeof obj !== "object") return false;
-		return Object.values(obj).some((v) => this.exceedsDepth(v, currentDepth + 1));
-	}
-	parseFilters(query) {
-		const filters = {};
-		for (const [key, value] of Object.entries(query)) {
-			if (RESERVED_QUERY_PARAMS.has(key)) continue;
-			if (value === void 0 || value === null) continue;
-			if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(key)) continue;
-			if (this._allowedFilterFields && !this._allowedFilterFields.has(key)) continue;
-			if (this.exceedsDepth(value)) continue;
-			if (typeof value === "object" && value !== null && !Array.isArray(value)) {
-				const operatorObj = value;
-				const operatorKeys = Object.keys(operatorObj);
-				const allOperators = operatorKeys.every((op) => this.operators[op] && (!this._allowedOperators || this._allowedOperators.has(op)));
-				const allKnownOperators = operatorKeys.every((op) => this.operators[op]);
-				if (allOperators && operatorKeys.length > 0) {
-					const mongoFilters = {};
-					for (const [op, opValue] of Object.entries(operatorObj)) {
-						const mongoOp = this.operators[op];
-						if (mongoOp) mongoFilters[mongoOp] = this.parseFilterValue(opValue, op);
-					}
-					filters[key] = mongoFilters;
-					continue;
-				}
-				if (allKnownOperators && this._allowedOperators) continue;
-			}
-			const match = key.match(/^([a-zA-Z_][a-zA-Z0-9_.]*)(?:\[([a-z]+)\])?$/);
-			if (!match) continue;
-			const [, fieldName, operator] = match;
-			if (!fieldName) continue;
-			if (operator && this.operators[operator] && (!this._allowedOperators || this._allowedOperators.has(operator))) {
-				const mongoOp = this.operators[operator];
-				const parsedValue = this.parseFilterValue(value, operator);
-				if (!filters[fieldName]) filters[fieldName] = {};
-				filters[fieldName][mongoOp] = parsedValue;
-			} else if (!operator) filters[fieldName] = this.parseFilterValue(value);
-		}
-		return filters;
-	}
-	parseFilterValue(value, operator) {
-		if (operator === "in" || operator === "nin") {
-			if (Array.isArray(value)) return value.map((v) => this.coerceValue(v));
-			if (typeof value === "string" && value.includes(",")) return value.split(",").map((v) => this.coerceValue(v.trim()));
-			return [this.coerceValue(value)];
-		}
-		if (operator === "like" || operator === "contains" || operator === "regex") return this.sanitizeRegex(String(value));
-		if (operator === "exists") {
-			const str = String(value).toLowerCase();
-			return str === "true" || str === "1";
-		}
-		return this.coerceValue(value);
-	}
-	coerceValue(value) {
-		if (value === "true") return true;
-		if (value === "false") return false;
-		if (value === "null") return null;
-		if (typeof value === "string") {
-			const num = Number(value);
-			if (!Number.isNaN(num) && value.trim() !== "") return num;
-		}
-		return value;
-	}
-	/**
-	* Generate OpenAPI-compatible JSON Schema for query parameters.
-	* Arc's defineResource() auto-detects this method and uses it
-	* to document list endpoint query parameters in OpenAPI/Swagger.
-	*/
-	getQuerySchema() {
-		const operatorLines = Object.entries(this.operators).map(([op, mongoOp]) => {
-			return `  ${op} → ${mongoOp}: ${{
-				eq: "Equal (default when no operator specified)",
-				ne: "Not equal",
-				gt: "Greater than",
-				gte: "Greater than or equal",
-				lt: "Less than",
-				lte: "Less than or equal",
-				in: "In list (comma-separated values)",
-				nin: "Not in list",
-				like: "Pattern match (case-insensitive)",
-				contains: "Contains substring (case-insensitive)",
-				regex: "Regex pattern",
-				exists: "Field exists (true/false)"
-			}[op] || op}`;
-		});
-		return {
-			type: "object",
-			properties: {
-				page: {
-					type: "integer",
-					description: "Page number for offset pagination",
-					default: 1,
-					minimum: 1
-				},
-				limit: {
-					type: "integer",
-					description: "Number of items per page",
-					default: this.defaultLimit,
-					minimum: 1,
-					maximum: this.maxLimit
-				},
-				sort: {
-					type: "string",
-					description: "Sort fields (comma-separated). Prefix with - for descending. Example: -createdAt,name"
-				},
-				search: {
-					type: "string",
-					description: "Full-text search query",
-					maxLength: this.maxSearchLength
-				},
-				select: {
-					type: "string",
-					description: "Fields to include/exclude (comma-separated). Prefix with - to exclude. Example: name,email,-password"
-				},
-				populate: {
-					type: "string",
-					description: "Fields to populate/join (comma-separated). Example: author,category"
-				},
-				after: {
-					type: "string",
-					description: "Cursor value for keyset pagination"
-				},
-				_filterOperators: {
-					type: "string",
-					description: ["Available filter operators (use as field[operator]=value):", ...operatorLines].join("\n")
-				}
-			}
-		};
-	}
-	sanitizeRegex(pattern) {
-		let sanitized = pattern.slice(0, this.maxRegexLength);
-		if (DANGEROUS_REGEX_PATTERNS.test(sanitized)) sanitized = sanitized.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-		return sanitized;
-	}
-};
-/**
-* Create a new ArcQueryParser instance
-*/
-function createQueryParser(options) {
-	return new ArcQueryParser(options);
-}
-//#endregion
-export { createQueryParser as n, simpleEqualityMatcher as r, ArcQueryParser as t };

package/dist/types-CDnTEpga.mjs

@@ -1,27 +0,0 @@
-//#region src/types/base.ts
-/** Extract user ID from a user object (supports both id and _id). */
-function getUserId(user) {
-	if (!user) return void 0;
-	const id = user.id ?? user._id;
-	return id ? String(id) : void 0;
-}
-/**
-* Wrap data in Arc's standard `{ success: true, data }` envelope.
-*
-* @example
-* ```typescript
-* handler: async (req, reply) => {
-*   const data = await getResults();
-*   return envelope(data);  // → { success: true, data }
-* }
-* ```
-*/
-function envelope(data, meta) {
-	return {
-		success: true,
-		data,
-		...meta
-	};
-}
-//#endregion
-export { getUserId as n, envelope as t };