@classytic/arc 2.11.1 → 2.11.3

package/dist/{index-C_bgx9o4.d.mts → index-6u4_Gg6G.d.mts}

@@ -1776,6 +1776,40 @@ interface RouteSchemaOptions extends SchemaBuilderOptions {
    * post-kit by `mergeFieldRuleConstraints`.
    */
   fieldRules?: Record<string, ArcFieldRule>;
+  /**
+   * Query-time security whitelists + the kit's `filterableFields`.
+   *
+   * Extends repo-core's `SchemaBuilderOptions['query']` with arc-specific
+   * runtime features that `QueryResolver` reads at request time:
+   *
+   * - **`allowedPopulate`** — populate-path whitelist consumed by
+   *   `QueryResolver.sanitizePopulate` / `sanitizeAdvancedPopulate`.
+   *   When set, only paths in the list pass through; everything else is
+   *   stripped silently. Shrinks the auto-wired `?populate=` attack surface.
+   *
+   * - **`allowedLookups`** — lookup-collection whitelist consumed by
+   *   `QueryResolver.sanitizeLookups`. When set, only the listed
+   *   collections may be `$lookup`'d into the pipeline.
+   *
+   * Both are pre-2.11.2 runtime features — the type was missing them, so
+   * hosts wrote `as Record<string, unknown>` at every call site. Arc's own
+   * `QueryResolver` had to cast its own input via `as AnyRecord` for the
+   * same reason. Adding the type dropped both casts.
+   */
+  query?: SchemaBuilderOptions["query"] & {
+    /**
+     * Populate-path whitelist. When set, `QueryResolver.sanitizePopulate`
+     * strips any `?populate=<path>` not in this list. Omit to allow all
+     * paths the kit recognizes.
+     */
+    allowedPopulate?: string[];
+    /**
+     * Lookup-collection whitelist for `QueryResolver.sanitizeLookups`.
+     * When set, only the listed collections may be `$lookup`'d. Omit to
+     * disable the whitelist (kit-level rules still apply).
+     */
+    allowedLookups?: string[];
+  };
 }
 interface FieldRule$1 {
   field: string;

package/dist/{index-CvM1e09j.d.mts → index-BbMrcvGp.d.mts}

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, Dn as AdapterSchemaContext, Mn as SchemaMetadata, Nn as ValidationResult, On as DataAdapter, S as QueryParserInterface, b as ParsedQuery, ft as RouteSchemaOptions, jn as RepositoryLike } from "./index-C_bgx9o4.mjs";
+import { $ as OpenApiSchemas, Dn as AdapterSchemaContext, Mn as SchemaMetadata, Nn as ValidationResult, On as DataAdapter, S as QueryParserInterface, b as ParsedQuery, ft as RouteSchemaOptions, jn as RepositoryLike } from "./index-6u4_Gg6G.mjs";
 import { StandardRepo } from "@classytic/repo-core/repository";
 import { Model } from "mongoose";
 

package/dist/{index-pUczGjO0.d.mts → index-BdXnTPRj.d.mts}

@@ -1,4 +1,4 @@
-import { B as ResourceDefinition, C as RequestContext, F as FastifyWithDecorators, Pt as AnyRecord, T as CrudRouterOptions, _t as IControllerResponse, at as ResourceConfig, gt as IController, q as CrudController, vt as IRequestContext } from "./index-C_bgx9o4.mjs";
+import { B as ResourceDefinition, C as RequestContext, F as FastifyWithDecorators, Pt as AnyRecord, T as CrudRouterOptions, _t as IControllerResponse, at as ResourceConfig, gt as IController, q as CrudController, vt as IRequestContext } from "./index-6u4_Gg6G.mjs";
 import { r as RequestScope } from "./types-tgR4Pt8F.mjs";
 import { c as PermissionCheck } from "./fields-C8Y0XLAu.mjs";
 import { FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/{index-smCAoA5W.d.mts → index-DdQ3O9Pg.d.mts}

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, Pt as AnyRecord, S as QueryParserInterface, at as ResourceConfig, b as ParsedQuery, zt as UserLike } from "./index-C_bgx9o4.mjs";
+import { $ as OpenApiSchemas, Pt as AnyRecord, S as QueryParserInterface, at as ResourceConfig, b as ParsedQuery, zt as UserLike } from "./index-6u4_Gg6G.mjs";
 import { n as ErrorMapper } from "./errorHandler-Co3lnVmJ.mjs";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
 

package/dist/index.d.mts

@@ -1,9 +1,9 @@
-import { $t as ArcListResult, A as RequestIdOptions, An as RelationMetadata, B as ResourceDefinition, Bt as UserOrganization, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, Ft as ApiResponse, Gt as TreeMixin, Ht as SoftDeleteExt, It as ArcRequest, J as CrudRouteKey, Jt as BulkExt, Kt as SlugExt, L as RequestWithExtras, Lt as JWTPayload, Mn as SchemaMetadata, N as FastifyRequestExtras, Nn as ValidationResult, O as HealthOptions, On as DataAdapter, P as FastifyWithAuth, Pt as AnyRecord, Q as MiddlewareConfig, Qt as ArcGetResult, S as QueryParserInterface, T as CrudRouterOptions, Ut as SoftDeleteMixin, V as defineResource, Vt as BaseController, Wt as TreeExt, X as EventDefinition, Xt as ArcCreateResult, Y as CrudSchemas, Yt as BulkMixin, Z as FieldRule, Zt as ArcDeleteResult, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, c as TypedController, d as PaginationResult, en as ArcUpdateResult, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, i as ValidationResult$1, jn as RepositoryLike, k as IntrospectionPluginOptions, kn as FieldMetadata, kt as AuthPluginOptions, l as TypedRepository, m as RegistryStats, mt as ControllerLike, n as ConfigError, nn as BaseCrudController, nt as PresetResult, o as InferDocType, p as RegistryEntry, q as CrudController, qt as SlugMixin, r as ValidateOptions, rn as ListResult, rt as RateLimitConfig, s as InferResourceDoc, t as RouteHandlerMethod, tn as BaseControllerOptions, u as TypedResourceConfig, vt as IRequestContext, w as ServiceContext, y as OwnershipCheck, yt as RouteHandler } from "./index-C_bgx9o4.mjs";
+import { $t as ArcListResult, A as RequestIdOptions, An as RelationMetadata, B as ResourceDefinition, Bt as UserOrganization, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, Ft as ApiResponse, Gt as TreeMixin, Ht as SoftDeleteExt, It as ArcRequest, J as CrudRouteKey, Jt as BulkExt, Kt as SlugExt, L as RequestWithExtras, Lt as JWTPayload, Mn as SchemaMetadata, N as FastifyRequestExtras, Nn as ValidationResult, O as HealthOptions, On as DataAdapter, P as FastifyWithAuth, Pt as AnyRecord, Q as MiddlewareConfig, Qt as ArcGetResult, S as QueryParserInterface, T as CrudRouterOptions, Ut as SoftDeleteMixin, V as defineResource, Vt as BaseController, Wt as TreeExt, X as EventDefinition, Xt as ArcCreateResult, Y as CrudSchemas, Yt as BulkMixin, Z as FieldRule, Zt as ArcDeleteResult, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, c as TypedController, d as PaginationResult, en as ArcUpdateResult, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, i as ValidationResult$1, jn as RepositoryLike, k as IntrospectionPluginOptions, kn as FieldMetadata, kt as AuthPluginOptions, l as TypedRepository, m as RegistryStats, mt as ControllerLike, n as ConfigError, nn as BaseCrudController, nt as PresetResult, o as InferDocType, p as RegistryEntry, q as CrudController, qt as SlugMixin, r as ValidateOptions, rn as ListResult, rt as RateLimitConfig, s as InferResourceDoc, t as RouteHandlerMethod, tn as BaseControllerOptions, u as TypedResourceConfig, vt as IRequestContext, w as ServiceContext, y as OwnershipCheck, yt as RouteHandler } from "./index-6u4_Gg6G.mjs";
 import { a as applyFieldWritePermissions, c as PermissionCheck, d as UserBase, i as applyFieldReadPermissions, l as PermissionContext, n as FieldPermissionMap, o as fields, t as FieldPermission, u as PermissionResult } from "./fields-C8Y0XLAu.mjs";
-import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-CvM1e09j.mjs";
-import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, m as DEFAULT_MAX_LIMIT, p as DEFAULT_LIMIT, s as defineResourceVariants, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "./index-pUczGjO0.mjs";
+import { l as createMongooseAdapter, o as createPrismaAdapter, s as MongooseAdapter, t as PrismaAdapter } from "./index-BbMrcvGp.mjs";
+import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, m as DEFAULT_MAX_LIMIT, p as DEFAULT_LIMIT, s as defineResourceVariants, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "./index-BdXnTPRj.mjs";
 import { A as requireRoles, C as allOf, E as denyAll, M as when, O as requireAuth, S as createOrgPermissions, T as anyOf, a as presets_d_exports, c as readOnly, d as requireOrgRole, f as requireScopeContext, i as ownerWithAdminBypass, k as requireOwnership, l as requireOrgInScope, m as requireTeamMembership, n as authenticated, o as publicRead, p as requireServiceScope, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as requireOrgMembership, v as DynamicPermissionMatrix, w as allowPublic, x as createDynamicPermissionMatrix, y as DynamicPermissionMatrixConfig } from "./index-BYCqHCVu.mjs";
-import { ft as UnauthorizedError, j as envelope, mt as createDomainError, ot as ForbiddenError, pt as ValidationError, rt as ArcError, st as NotFoundError, t as getUserId } from "./index-smCAoA5W.mjs";
+import { ft as UnauthorizedError, j as envelope, mt as createDomainError, ot as ForbiddenError, pt as ValidationError, rt as ArcError, st as NotFoundError, t as getUserId } from "./index-DdQ3O9Pg.mjs";
 
 //#region src/index.d.ts
 declare const version: string;

package/dist/index.mjs

@@ -1,12 +1,12 @@
 import { a as createMongooseAdapter, i as MongooseAdapter, r as createPrismaAdapter, t as PrismaAdapter } from "./adapters-D0tT2Tyo.mjs";
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-BhY1OHoH.mjs";
-import { j as getUserId, r as envelope } from "./utils-D3Yxnrwr.mjs";
-import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-JNV08qOT.mjs";
-import { C as requireAuth, D as when, M as applyFieldWritePermissions, N as fields, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, j as applyFieldReadPermissions, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "./permissions-B4vU9L0Q.mjs";
+import { j as getUserId, r as envelope } from "./utils-CcYTj09l.mjs";
+import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-swXruJ2_.mjs";
+import { C as requireAuth, D as when, M as applyFieldWritePermissions, N as fields, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, j as applyFieldReadPermissions, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "./permissions-gd_aUWrR.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-D5c-5BJL.mjs";
-import { _ as getControllerScope } from "./routerShared-DeESFp4a.mjs";
-import { n as ResourceDefinition, r as defineResource, t as defineResourceVariants } from "./core-DXdSSFW-.mjs";
+import { v as getControllerScope } from "./routerShared-BqLRb5l7.mjs";
+import { n as ResourceDefinition, r as defineResource, t as defineResourceVariants } from "./core-DnUsRpuX.mjs";
 //#region src/index.ts
-const version = "2.11.1";
+const version = "2.11.3";
 //#endregion
 export { ArcError, BaseController, BaseCrudController, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MongooseAdapter, NotFoundError, PrismaAdapter, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDomainError, createDynamicPermissionMatrix, createMongooseAdapter, createOrgPermissions, createPrismaAdapter, defineResource, defineResourceVariants, denyAll, envelope, fields, fullPublic, getControllerScope, getUserId, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, version, when };

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { a as WebSocketMessage, i as WebSocketClient, o as WebSocketPluginOptions } from "../websocket-CyJ1VIFI.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-Bh_gEJBi.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-9beEMe25.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { B as ResourceDefinition } from "../../index-C_bgx9o4.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-Bh_gEJBi.mjs";
+import { B as ResourceDefinition } from "../../index-6u4_Gg6G.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-9beEMe25.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools--okX6QBr.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-ByZpgjeH.mjs";
 import { createHash, randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/defineTool.ts

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-Bh_gEJBi.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-9beEMe25.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools--okX6QBr.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-ByZpgjeH.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/middleware/index.d.mts

@@ -1,4 +1,4 @@
-import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-C_bgx9o4.mjs";
+import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-6u4_Gg6G.mjs";
 import { RouteHandlerMethod } from "fastify";
 
 //#region src/middleware/middleware.d.ts

package/dist/{openapi-C0L9ar7m.mjs → openapi-BGUn7Ki1.mjs}

@@ -1,7 +1,7 @@
 import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
 import { n as convertRouteSchema } from "./schemaConverter-B0oKLuqI.mjs";
-import { t as resolveActionPermission } from "./actionPermissions-C8YYU92K.mjs";
-import { t as buildActionBodySchema } from "./createActionRouter-BwaSM0No.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-sUUKDhtP.mjs";
+import { t as buildActionBodySchema } from "./createActionRouter-u3ql2EDo.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/openapi.ts
 const openApiPlugin = async (fastify, opts = {}) => {

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { yt as RouteHandler } from "../index-C_bgx9o4.mjs";
+import { yt as RouteHandler } from "../index-6u4_Gg6G.mjs";
 import { d as UserBase } from "../fields-C8Y0XLAu.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/permissions/index.mjs

@@ -1,3 +1,3 @@
-import { A as normalizePermissionResult, C as requireAuth, D as when, E as roles, M as applyFieldWritePermissions, N as fields, O as applyPermissionResult, P as resolveEffectiveRoles, S as not, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, j as applyFieldReadPermissions, l as createRoleHierarchy, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "../permissions-B4vU9L0Q.mjs";
+import { A as normalizePermissionResult, C as requireAuth, D as when, E as roles, M as applyFieldWritePermissions, N as fields, O as applyPermissionResult, P as resolveEffectiveRoles, S as not, T as requireRoles, _ as requireTeamMembership, a as presets_exports, b as anyOf, c as readOnly, d as createOrgPermissions, f as requireOrgInScope, g as requireServiceScope, h as requireScopeContext, i as ownerWithAdminBypass, j as applyFieldReadPermissions, l as createRoleHierarchy, m as requireOrgRole, n as authenticated, o as publicRead, p as requireOrgMembership, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as createDynamicPermissionMatrix, v as allOf, w as requireOwnership, x as denyAll, y as allowPublic } from "../permissions-gd_aUWrR.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
 export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, applyPermissionResult, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizePermissionResult, normalizeRoles, not, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, resolveEffectiveRoles, roles, when };

package/dist/{permissions-B4vU9L0Q.mjs → permissions-gd_aUWrR.mjs}

@@ -31,21 +31,63 @@ function isMongooseDoc(obj) {
 	return !!obj && typeof obj === "object" && "toObject" in obj && typeof obj.toObject === "function";
 }
 const fields = {
+	/**
+	* Field is never included in responses. Not writable via API.
+	*
+	* @example
+	* ```typescript
+	* fields: { password: fields.hidden() }
+	* ```
+	*/
 	hidden() {
 		return { _type: "hidden" };
 	},
+	/**
+	* Field is only visible to users with specified roles.
+	* Other users don't see the field at all.
+	*
+	* @example
+	* ```typescript
+	* fields: { salary: fields.visibleTo(['admin', 'hr']) }
+	* ```
+	*/
 	visibleTo(roles) {
 		return {
 			_type: "visibleTo",
 			roles
 		};
 	},
+	/**
+	* Field is only writable by users with specified roles.
+	* All users can still read the field. Users without the role
+	* have the field silently stripped from write operations.
+	*
+	* @example
+	* ```typescript
+	* fields: { role: fields.writableBy(['admin']) }
+	* ```
+	*/
 	writableBy(roles) {
 		return {
 			_type: "writableBy",
 			roles
 		};
 	},
+	/**
+	* Field is redacted (replaced with a placeholder) for specified roles.
+	* Other users see the real value.
+	*
+	* @param roles - Roles that see the redacted value
+	* @param redactValue - Replacement value (default: '***')
+	*
+	* @example
+	* ```typescript
+	* fields: {
+	*   email: fields.redactFor(['viewer']),
+	*   ssn: fields.redactFor(['basic'], '***-**-****'),
+	* }
+	* ```
+	*/
 	redactFor(roles, redactValue = "***") {
 		return {
 			_type: "redactFor",

package/dist/pipeline/index.d.mts

@@ -1,4 +1,4 @@
-import { Ct as OperationFilter, Dt as Transform, Et as PipelineStep, St as NextFunction, Tt as PipelineContext, _t as IControllerResponse, bt as Guard, wt as PipelineConfig, xt as Interceptor } from "../index-C_bgx9o4.mjs";
+import { Ct as OperationFilter, Dt as Transform, Et as PipelineStep, St as NextFunction, Tt as PipelineContext, _t as IControllerResponse, bt as Guard, wt as PipelineConfig, xt as Interceptor } from "../index-6u4_Gg6G.mjs";
 
 //#region src/pipeline/guard.d.ts
 interface GuardOptions {

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { Pt as AnyRecord, Q as MiddlewareConfig, ft as RouteSchemaOptions, gn as HookSystem, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-C_bgx9o4.mjs";
+import { Pt as AnyRecord, Q as MiddlewareConfig, ft as RouteSchemaOptions, gn as HookSystem, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-6u4_Gg6G.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
 import { a as MetricsCollector, c as metricsPlugin, d as ssePlugin, f as CachingOptions, h as cachingPlugin, i as MetricEntry, l as SSEOptions, m as _default$1, n as _default$7, o as MetricsOptions, p as CachingRule, r as versioningPlugin, s as _default$4, t as VersioningOptions, u as _default$6 } from "../versioning-M9lNLhO8.mjs";
 import { i as errorHandlerPlugin, n as ErrorMapper, r as defaultIsDuplicateKeyError, t as ErrorHandlerOptions } from "../errorHandler-Co3lnVmJ.mjs";

package/dist/plugins/index.mjs

@@ -1,6 +1,6 @@
 import { p as MUTATION_OPERATIONS } from "../constants-BhY1OHoH.mjs";
 import { o as getOrgId } from "../types-AOD8fxIw.mjs";
-import { t as requestContext } from "../requestContext-CfRkaxwf.mjs";
+import { t as requestContext } from "../requestContext-C5XeK3VA.mjs";
 import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
 import { t as HookSystem } from "../HookSystem-CGsMd6oK.mjs";
 import { t as ResourceRegistry } from "../ResourceRegistry-DkAeAuTX.mjs";

package/dist/plugins/tracing-entry.mjs

@@ -58,7 +58,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable || !NodeTracerProvider || !BatchSpanProcessor || !OTLPTraceExporter) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.11.1";
+	const resolvedVersion = serviceVersion ?? "2.11.3";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/filesUpload.d.mts

@@ -1,4 +1,4 @@
-import { nt as PresetResult } from "../index-C_bgx9o4.mjs";
+import { nt as PresetResult } from "../index-6u4_Gg6G.mjs";
 import { r as RequestScope } from "../types-tgR4Pt8F.mjs";
 import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
 import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-BwGQXUpd.mjs";

package/dist/presets/filesUpload.mjs

@@ -1,5 +1,5 @@
 import { o as getOrgId, p as getUserId } from "../types-AOD8fxIw.mjs";
-import { C as requireAuth, y as allowPublic } from "../permissions-B4vU9L0Q.mjs";
+import { C as requireAuth, y as allowPublic } from "../permissions-gd_aUWrR.mjs";
 import { i as NotFoundError, u as ValidationError } from "../errors-D5c-5BJL.mjs";
 import { t as multipartBody } from "../multipartBody-CvTR1Un6.mjs";
 //#region src/presets/filesUpload.ts

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Pt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-C_bgx9o4.mjs";
+import { Pt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-6u4_Gg6G.mjs";
 import { FilesUploadPresetOptions, FilesUploadPresetPermissions, FilesUploadPresetRoutes, filesUploadPreset } from "./filesUpload.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 import { SearchHandler, SearchPresetOptions, SearchRouteConfig, searchPreset } from "./search.mjs";

package/dist/presets/index.mjs

@@ -1,5 +1,5 @@
 import { multiTenantPreset } from "./multiTenant.mjs";
-import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-k604Lj99.mjs";
+import { a as registerPreset, c as auditedPreset, d as ownedByUserPreset, i as getPreset, l as softDeletePreset, n as flexibleMultiTenantPreset, o as treePreset, r as getAvailablePresets, s as bulkPreset, t as applyPresets, u as slugLookupPreset } from "../presets-Z7P5w4gF.mjs";
 import { filesUploadPreset } from "./filesUpload.mjs";
 import { searchPreset } from "./search.mjs";
 export { applyPresets, auditedPreset, bulkPreset, filesUploadPreset, flexibleMultiTenantPreset, getAvailablePresets, getPreset, multiTenantPreset, ownedByUserPreset, registerPreset, searchPreset, slugLookupPreset, softDeletePreset, treePreset };

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { J as CrudRouteKey, nt as PresetResult } from "../index-C_bgx9o4.mjs";
+import { J as CrudRouteKey, nt as PresetResult } from "../index-6u4_Gg6G.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/presets/search.d.mts

@@ -1,4 +1,4 @@
-import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-C_bgx9o4.mjs";
+import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-6u4_Gg6G.mjs";
 import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
 
 //#region src/presets/search.d.ts

package/dist/presets/search.mjs

@@ -1,4 +1,4 @@
-import { C as requireAuth, y as allowPublic } from "../permissions-B4vU9L0Q.mjs";
+import { C as requireAuth, y as allowPublic } from "../permissions-gd_aUWrR.mjs";
 //#region src/presets/search.ts
 const BUILTINS = [
 	{

package/dist/{presets-k604Lj99.mjs → presets-Z7P5w4gF.mjs}

@@ -1,5 +1,5 @@
 import { _ as isElevated, n as PUBLIC_SCOPE } from "./types-AOD8fxIw.mjs";
-import { C as requireAuth, T as requireRoles, y as allowPublic } from "./permissions-B4vU9L0Q.mjs";
+import { C as requireAuth, T as requireRoles, y as allowPublic } from "./permissions-gd_aUWrR.mjs";
 import { multiTenantPreset } from "./presets/multiTenant.mjs";
 //#region src/presets/ownedByUser.ts
 /**

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-C_bgx9o4.mjs";
+import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-6u4_Gg6G.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{requestContext-CfRkaxwf.mjs → requestContext-C5XeK3VA.mjs}

@@ -38,15 +38,30 @@ const storage = new AsyncLocalStorage();
 * - `getStore()` — alias for get() (matches Node.js API naming)
 */
 const requestContext = {
+	/**
+	* Get the current request context.
+	* Returns undefined if called outside a request lifecycle.
+	*/
 	get() {
 		return storage.getStore();
 	},
+	/**
+	* Alias for get() — matches Node.js AsyncLocalStorage API naming.
+	*/
 	getStore() {
 		return storage.getStore();
 	},
+	/**
+	* Run a function within a specific request context.
+	* Used internally by Arc's onRequest hook.
+	*/
 	run(store, fn) {
 		return storage.run(store, fn);
 	},
+	/**
+	* The underlying AsyncLocalStorage instance.
+	* Exposed for advanced use cases (testing, custom integrations).
+	*/
 	storage
 };
 //#endregion

package/dist/{resourceToTools--okX6QBr.mjs → resourceToTools-ByZpgjeH.mjs}

@@ -1,8 +1,8 @@
-import { t as BaseController } from "./BaseController-JNV08qOT.mjs";
-import { A as normalizePermissionResult } from "./permissions-B4vU9L0Q.mjs";
-import { u as resolvePipelineSteps } from "./routerShared-DeESFp4a.mjs";
+import { t as BaseController } from "./BaseController-swXruJ2_.mjs";
+import { A as normalizePermissionResult } from "./permissions-gd_aUWrR.mjs";
+import { u as resolvePipelineSteps } from "./routerShared-BqLRb5l7.mjs";
 import { t as executePipeline } from "./pipe-DVoIheVC.mjs";
-import { t as resolveActionPermission } from "./actionPermissions-C8YYU92K.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-sUUKDhtP.mjs";
 import { i as shouldRejectAdditionalProperties, r as schemaIRToZodShape, t as normalizeSchemaIR } from "./schemaIR-BlG9bY7v.mjs";
 import { t as pluralize } from "./pluralize-BneOJkpi.mjs";
 import { z } from "zod";
@@ -1145,6 +1145,7 @@ function resourceToTools(resource, config = {}) {
 			resourcePermissions: resource.permissions,
 			resourceActionPermissions: resource.actionPermissions
 		});
+		if (!actionPerms) throw new Error(`[Arc/MCP] Resource '${resource.name}': action '${actionName}' has no permission gate and the resource defines no \`permissions.update\` fallback. Declare one of:\n  - \`actions.${actionName}.permissions: <PermissionCheck>\` (per-action)\n  - \`actionPermissions: <PermissionCheck>\` (resource-wide)\n  - \`permissions.update: <PermissionCheck>\` (inherited by actions)\nUse \`allowPublic()\` if you genuinely want the action unauthenticated.`);
 		tools.push({
 			name: toolName,
 			description: String(description),

package/dist/{routerShared-DeESFp4a.mjs → routerShared-BqLRb5l7.mjs}

@@ -1,7 +1,7 @@
 import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, p as getUserId, v as isMember } from "./types-AOD8fxIw.mjs";
-import { P as resolveEffectiveRoles, j as applyFieldReadPermissions, k as evaluateAndApplyPermission } from "./permissions-B4vU9L0Q.mjs";
+import { P as resolveEffectiveRoles, j as applyFieldReadPermissions, k as evaluateAndApplyPermission } from "./permissions-gd_aUWrR.mjs";
 import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { t as requestContext } from "./requestContext-CfRkaxwf.mjs";
+import { t as requestContext } from "./requestContext-C5XeK3VA.mjs";
 import { t as executePipeline } from "./pipe-DVoIheVC.mjs";
 //#region src/scope/projection.ts
 /**
@@ -511,5 +511,62 @@ function buildPreHandlerChain(parts) {
 		...parts.customMws ?? []
 	].filter(Boolean);
 }
+/**
+* `RouteDefinition.preHandler` accepts two shapes:
+*
+*   1. **Array form** — `RouteHandlerMethod[]`. Used directly.
+*   2. **Factory form** — `(fastify) => RouteHandlerMethod[]`. Called once at
+*      route-registration time with the Fastify instance, so handlers can
+*      capture decorators (`fastify.authenticate`, `fastify.events`, etc.)
+*      that aren't on the request.
+*
+* The two forms are equally idiomatic, but the discrimination is by
+* `typeof preHandler === "function"`. Single-function shapes such as
+* `multipartBody({...})` (a `RouteHandlerMethod`) **structurally satisfy
+* the factory branch** at the call site, then fail with a cryptic
+* `Cannot read properties of undefined (reading 'content-type')` once the
+* handler runs with `fastify` in the request slot.
+*
+* This resolver:
+*   1. Distinguishes the two valid shapes.
+*   2. Validates the factory's RETURN — must be an array of functions.
+*   3. Throws an actionable error pointing at the route + the fix when
+*      a single `RouteHandlerMethod` was passed instead of an array, OR
+*      when a factory returned the wrong shape.
+*
+* The error message names the route (`{method} {path}`) and the
+* canonical fix (`preHandler: [yourHandler]`) so the failure mode is
+* obvious instead of debug-archaeology.
+*
+* @param preHandler  The `route.preHandler` value (any of the valid shapes
+*                    plus the common bare-handler mistake).
+* @param fastify     Passed to factory-form preHandlers.
+* @param routeId     `"GET /todos/:id/attach"` (or similar) — used in the
+*                    error message so a multi-route file points at the
+*                    actual offender.
+*/
+function resolveRoutePreHandlers(preHandler, fastify, routeId) {
+	if (preHandler === void 0 || preHandler === null) return [];
+	if (Array.isArray(preHandler)) return preHandler.filter((h) => typeof h === "function");
+	if (typeof preHandler === "function") {
+		let result;
+		try {
+			result = preHandler(fastify);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			throw new TypeError(`Route ${routeId}: preHandler factory threw during route registration: ${msg}.\nIf you intended to pass a single handler (e.g. \`multipartBody({...})\`), wrap it in an array: \`preHandler: [yourHandler]\`. The factory form is \`(fastify) => RouteHandlerMethod[]\` — it must return an array.`, { cause: err instanceof Error ? err : void 0 });
+		}
+		if (!Array.isArray(result)) throw new TypeError(`Route ${routeId}: preHandler factory must return an array of handlers, got ${describeValue(result)}.\nCommon cause: passing a single \`RouteHandlerMethod\` (e.g. \`multipartBody({...})\`) where an array was expected. Wrap it: \`preHandler: [yourHandler]\`. The factory form \`(fastify) => RouteHandlerMethod[]\` is for cases that need the Fastify instance — e.g. \`(fastify) => [fastify.authenticate, myHandler]\`.`);
+		return result.filter((h) => typeof h === "function");
+	}
+	throw new TypeError(`Route ${routeId}: preHandler must be an array of handlers OR a factory \`(fastify) => RouteHandlerMethod[]\`. Got ${describeValue(preHandler)}.`);
+}
+function describeValue(v) {
+	if (v === null) return "null";
+	if (v === void 0) return "undefined";
+	if (typeof v === "function") return "a function (single handler — wrap in array)";
+	if (Array.isArray(v)) return `an array of length ${v.length}`;
+	return `${typeof v} (${JSON.stringify(v).slice(0, 80)})`;
+}
 //#endregion
-export { getControllerScope as _, buildAuthMiddlewareForPermissions as a, buildPreHandlerChain as c, resolveRouterPluginMw as d, selectPluginMw as f, getControllerContext as g, createRequestContext as h, buildAuthMiddleware as i, buildRateLimitConfig as l, createFastifyHandler as m, buildActionPipelineHandler as n, buildCrudPermissionMw as o, createCrudHandlers as p, buildArcDecorator as r, buildPipelineHandler as s, buildActionPermissionMw as t, resolvePipelineSteps as u, sendControllerResponse as v, buildRequestScopeProjection as y };
+export { getControllerContext as _, buildAuthMiddlewareForPermissions as a, buildRequestScopeProjection as b, buildPreHandlerChain as c, resolveRoutePreHandlers as d, resolveRouterPluginMw as f, createRequestContext as g, createFastifyHandler as h, buildAuthMiddleware as i, buildRateLimitConfig as l, createCrudHandlers as m, buildActionPipelineHandler as n, buildCrudPermissionMw as o, selectPluginMw as p, buildArcDecorator as r, buildPipelineHandler as s, buildActionPermissionMw as t, resolvePipelineSteps as u, getControllerScope as v, sendControllerResponse as y };

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { B as ResourceDefinition, Pt as AnyRecord } from "../index-C_bgx9o4.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-BdA4uMBV.mjs";
+import { B as ResourceDefinition, Pt as AnyRecord } from "../index-6u4_Gg6G.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-BH7dEGvU.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
 import { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1081,7 +1081,7 @@ function pickDefaultAuth(authMode, callerAuth) {
 	};
 }
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-P1d6rjPy.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BFxtdKy6.mjs").then((n) => n.r);
 	const { resources = [], db = "in-memory", connectMongoose = false, authMode = "jwt", defaultOrgId, plugins, auth: callerAuth, ...appOptions } = options;
 	let dbHandle;
 	let dbUri;

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, A as RequestIdOptions, At as Authenticator, Bt as UserOrganization, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, Ft as ApiResponse, G as ActionsMap, H as ActionDefinition, I as MiddlewareHandler, It as ArcRequest, J as CrudRouteKey, K as ArcFieldRule, L as RequestWithExtras, Lt as JWTPayload, M as EventsDecorator, Mt as JwtContext, N as FastifyRequestExtras, Nt as TokenPair, O as HealthOptions, Ot as AuthHelpers, P as FastifyWithAuth, Pt as AnyRecord, Q as MiddlewareConfig, Rt as ObjectId, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, W as ActionHandlerFn, X as EventDefinition, Y as CrudSchemas, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, jt as AuthenticatorContext, k as IntrospectionPluginOptions, kt as AuthPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tn as BaseControllerOptions, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as UserLike } from "../index-C_bgx9o4.mjs";
+import { $ as OpenApiSchemas, A as RequestIdOptions, At as Authenticator, Bt as UserOrganization, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, Ft as ApiResponse, G as ActionsMap, H as ActionDefinition, I as MiddlewareHandler, It as ArcRequest, J as CrudRouteKey, K as ArcFieldRule, L as RequestWithExtras, Lt as JWTPayload, M as EventsDecorator, Mt as JwtContext, N as FastifyRequestExtras, Nt as TokenPair, O as HealthOptions, Ot as AuthHelpers, P as FastifyWithAuth, Pt as AnyRecord, Q as MiddlewareConfig, Rt as ObjectId, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, W as ActionHandlerFn, X as EventDefinition, Y as CrudSchemas, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, jt as AuthenticatorContext, k as IntrospectionPluginOptions, kt as AuthPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tn as BaseControllerOptions, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as UserLike } from "../index-6u4_Gg6G.mjs";
 import { r as RequestScope } from "../types-tgR4Pt8F.mjs";
 import { c as PermissionCheck, d as UserBase, l as PermissionContext, u as PermissionResult } from "../fields-C8Y0XLAu.mjs";
 import { n as ElevationOptions, t as ElevationEvent } from "../elevation-s5ykdNHr.mjs";

package/dist/{types-Bh_gEJBi.d.mts → types-9beEMe25.d.mts}

@@ -1,4 +1,4 @@
-import { B as ResourceDefinition } from "./index-C_bgx9o4.mjs";
+import { B as ResourceDefinition } from "./index-6u4_Gg6G.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/{types-BdA4uMBV.d.mts → types-BH7dEGvU.d.mts}

@@ -1,4 +1,4 @@
-import { At as Authenticator } from "./index-C_bgx9o4.mjs";
+import { At as Authenticator } from "./index-6u4_Gg6G.mjs";
 import { r as CacheStore } from "./interface-Da0r7Lna.mjs";
 import { n as ElevationOptions } from "./elevation-s5ykdNHr.mjs";
 import { o as EventTransport } from "./EventTransport-CfVEGaEl.mjs";

package/dist/utils/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as ValidationResult, A as handleRaw, B as CompensationStep, C as queryParams, D as ArcQueryParser, E as wrapResponse, F as defineErrorMapper, G as CircuitBreakerOptions, H as withCompensation, I as CompensationDefinition, J as CircuitState, K as CircuitBreakerRegistry, L as CompensationError, M as Guard, N as GuardConfig, O as ArcQueryParserOptions, P as defineGuard, Q as ValidateOptions, R as CompensationHooks, S as paginationSchema, T as successResponseSchema, U as CircuitBreaker, V as defineCompensation, W as CircuitBreakerError, X as createCircuitBreakerRegistry, Y as createCircuitBreaker, Z as ConfigError, _ as getDefaultCrudSchemas, a as TransitionConfig, at as ErrorDetails, b as listResponse, c as JsonSchemaTarget, ct as OrgAccessDeniedError, d as isJsonSchema, dt as ServiceUnavailableError, et as assertValidConfig, f as isZodSchema, ft as UnauthorizedError, g as errorResponseSchema, gt as isArcError, h as deleteResponse, ht as createError, i as StateMachine, it as ConflictError, j as envelope, k as createQueryParser, l as convertOpenApiSchemas, lt as OrgRequiredError, m as JsonSchema, mt as createDomainError, n as EventsDecorator, nt as validateResourceConfig, o as createStateMachine, ot as ForbiddenError, p as toJsonSchema, pt as ValidationError, q as CircuitBreakerStats, r as hasEvents, rt as ArcError, s as simpleEqualityMatcher, st as NotFoundError, t as getUserId, tt as formatValidationErrors, u as convertRouteSchema, ut as RateLimitError, v as getListQueryParams, w as responses, x as mutationResponse, y as itemResponse, z as CompensationResult } from "../index-smCAoA5W.mjs";
+import { $ as ValidationResult, A as handleRaw, B as CompensationStep, C as queryParams, D as ArcQueryParser, E as wrapResponse, F as defineErrorMapper, G as CircuitBreakerOptions, H as withCompensation, I as CompensationDefinition, J as CircuitState, K as CircuitBreakerRegistry, L as CompensationError, M as Guard, N as GuardConfig, O as ArcQueryParserOptions, P as defineGuard, Q as ValidateOptions, R as CompensationHooks, S as paginationSchema, T as successResponseSchema, U as CircuitBreaker, V as defineCompensation, W as CircuitBreakerError, X as createCircuitBreakerRegistry, Y as createCircuitBreaker, Z as ConfigError, _ as getDefaultCrudSchemas, a as TransitionConfig, at as ErrorDetails, b as listResponse, c as JsonSchemaTarget, ct as OrgAccessDeniedError, d as isJsonSchema, dt as ServiceUnavailableError, et as assertValidConfig, f as isZodSchema, ft as UnauthorizedError, g as errorResponseSchema, gt as isArcError, h as deleteResponse, ht as createError, i as StateMachine, it as ConflictError, j as envelope, k as createQueryParser, l as convertOpenApiSchemas, lt as OrgRequiredError, m as JsonSchema, mt as createDomainError, n as EventsDecorator, nt as validateResourceConfig, o as createStateMachine, ot as ForbiddenError, p as toJsonSchema, pt as ValidationError, q as CircuitBreakerStats, r as hasEvents, rt as ArcError, s as simpleEqualityMatcher, st as NotFoundError, t as getUserId, tt as formatValidationErrors, u as convertRouteSchema, ut as RateLimitError, v as getListQueryParams, w as responses, x as mutationResponse, y as itemResponse, z as CompensationResult } from "../index-DdQ3O9Pg.mjs";
 export { ArcError, ArcQueryParser, ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, CircuitBreakerOptions, CircuitBreakerRegistry, CircuitBreakerStats, CircuitState, CompensationDefinition, CompensationError, CompensationHooks, CompensationResult, CompensationStep, ConfigError, ConflictError, ErrorDetails, EventsDecorator, ForbiddenError, Guard, GuardConfig, JsonSchema, JsonSchemaTarget, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, StateMachine, TransitionConfig, UnauthorizedError, ValidateOptions, ValidationError, ValidationResult, assertValidConfig, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, envelope, errorResponseSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, simpleEqualityMatcher, successResponseSchema, toJsonSchema, validateResourceConfig, withCompensation, wrapResponse };

package/dist/utils/index.mjs

@@ -1,4 +1,4 @@
-import { A as createQueryParser, C as mutationResponse, D as successResponseSchema, E as responses, M as simpleEqualityMatcher, O as wrapResponse, S as listResponse, T as queryParams, _ as deleteResponse, a as defineErrorMapper, b as getListQueryParams, c as CircuitBreaker, d as CircuitState, f as createCircuitBreaker, g as validateResourceConfig, h as formatValidationErrors, i as defineGuard, j as getUserId, k as ArcQueryParser, l as CircuitBreakerError, m as assertValidConfig, n as handleRaw, o as defineCompensation, p as createCircuitBreakerRegistry, r as envelope, s as withCompensation, t as createStateMachine, u as CircuitBreakerRegistry, v as errorResponseSchema, w as paginationSchema, x as itemResponse, y as getDefaultCrudSchemas } from "../utils-D3Yxnrwr.mjs";
+import { A as createQueryParser, C as mutationResponse, D as successResponseSchema, E as responses, M as simpleEqualityMatcher, O as wrapResponse, S as listResponse, T as queryParams, _ as deleteResponse, a as defineErrorMapper, b as getListQueryParams, c as CircuitBreaker, d as CircuitState, f as createCircuitBreaker, g as validateResourceConfig, h as formatValidationErrors, i as defineGuard, j as getUserId, k as ArcQueryParser, l as CircuitBreakerError, m as assertValidConfig, n as handleRaw, o as defineCompensation, p as createCircuitBreakerRegistry, r as envelope, s as withCompensation, t as createStateMachine, u as CircuitBreakerRegistry, v as errorResponseSchema, w as paginationSchema, x as itemResponse, y as getDefaultCrudSchemas } from "../utils-CcYTj09l.mjs";
 import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createDomainError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-D5c-5BJL.mjs";
 import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-B0oKLuqI.mjs";
 import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";

package/dist/{utils-D3Yxnrwr.mjs → utils-CcYTj09l.mjs}

@@ -1,7 +1,7 @@
 import { m as RESERVED_QUERY_PARAMS, t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { t as ArcError } from "./errors-D5c-5BJL.mjs";
-import { r as getAvailablePresets } from "./presets-k604Lj99.mjs";
+import { r as getAvailablePresets } from "./presets-Z7P5w4gF.mjs";
 //#region src/utils/simpleEqualityMatcher.ts
 /**
 * `simpleEqualityMatcher` — a minimal, dialect-agnostic flat-key equality