@classytic/arc 2.11.2 → 2.11.4

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 Classytic
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 Classytic
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,14 +1,19 @@
 # @classytic/arc
 
-Database-agnostic resource framework for Fastify. One `defineResource()` call → REST + auth + permissions + events + caching + OpenAPI + MCP tools — without boilerplate.
+Database-agnostic resource framework for Fastify. One `defineResource()` call → REST + auth + permissions + events + caching + OpenAPI + MCP tools.
 
-**v2.11** · Fastify 5+ · Node.js 22+ · ESM only
+Fastify 5+ · Node.js 22+ · ESM only
 
 ```bash
 npm install @classytic/arc fastify
-npm install @classytic/mongokit mongoose          # MongoDB (most common)
+
+# Security defaults createApp() loads (each opt-out via `cors: false` etc.)
+npm install @fastify/cors @fastify/helmet @fastify/rate-limit @fastify/under-pressure @fastify/sensible
+
+# Storage adapter — pick one
+npm install @classytic/mongokit mongoose          # MongoDB
 # OR @classytic/sqlitekit drizzle-orm better-sqlite3 (sqlite)
-# OR bring your own: implement RepositoryLike from @classytic/repo-core
+# OR implement RepositoryLike from @classytic/repo-core
 ```
 
 ---
@@ -18,7 +23,7 @@ npm install @classytic/mongokit mongoose          # MongoDB (most common)
 | | |
 |---|---|
 | **One call, full REST** | `defineResource({ name, adapter, presets, permissions })` → `GET /`, `GET /:id`, `POST /`, `PATCH /:id`, `DELETE /:id` + custom routes + actions |
-| **DB-agnostic** | Mongoose, Prisma, Drizzle, or any `RepositoryLike` impl. Swap backends without rewriting routes. |
+| **DB-agnostic** | Mongoose, Drizzle/sqlitekit, or any `RepositoryLike` impl — swap backends without rewriting routes. (Prisma adapter is experimental: implemented, no integration tests yet.) |
 | **Multi-tenant by default** | Tenant-field auto-injected, scope-aware queries, per-org cache keys, elevation events. |
 | **Tree-shakable subpaths** | `@classytic/arc/auth`, `/events`, `/cache`, `/mcp`, `/integrations/jobs` — pay only for what you import. |
 | **MCP tools, free** | Resources auto-generate Model Context Protocol tools for AI agents. Same permissions, same field rules. |
@@ -33,12 +38,19 @@ import { createApp, loadResources } from '@classytic/arc/factory';
 
 await mongoose.connect(process.env.DB_URI);
 
+// Fail fast on missing CORS env — silent `undefined` here drops to surprising
+// browser defaults. Browser apps: declare an explicit allowlist (below).
+// Server-to-server / API-key services: `cors: { origin: '*', credentials: false }`
+// or `cors: false` to disable entirely (CORS is a browser-only concern).
+const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS;
+if (!ALLOWED_ORIGINS) throw new Error('ALLOWED_ORIGINS env is required');
+
 const app = await createApp({
   preset: 'production',
   resourcePrefix: '/api/v1',
   resources: await loadResources(import.meta.url),  // auto-discover *.resource.ts
   auth: { type: 'jwt', jwt: { secret: process.env.JWT_SECRET } },
-  cors: { origin: process.env.ALLOWED_ORIGINS?.split(',') },
+  cors: { origin: ALLOWED_ORIGINS.split(','), credentials: true },
 });
 
 await app.listen({ port: 8040, host: '0.0.0.0' });
@@ -60,7 +72,7 @@ resources: async () => {
 },
 ```
 
-`loadResources({ context })` (2.11.1+) threads engine handles into resources whose default export is `(ctx) => defineResource(...)`. No parallel factory files, no `exclude: [...]` bookkeeping.
+`loadResources({ context })` threads engine handles into resources whose default export is `(ctx) => defineResource(...)`. No parallel factory files, no `exclude: [...]` bookkeeping.
 
 ---
 
@@ -199,7 +211,7 @@ const ctx = await createTestApp({
   authMode: 'jwt',
   connectMongoose: true,           // in-memory Mongo + Mongoose connect
 });
-ctx.auth.register('admin', { user: { id: '1', roles: ['admin'] }, orgId: 'org-1' });
+ctx.auth.register('admin', { user: { id: '1', role: 'admin' }, orgId: 'org-1' });
 
 const res = await ctx.app.inject({
   method: 'POST',
@@ -229,19 +241,6 @@ arc doctor                                       # diagnose env
 
 ---
 
-## Highlights from recent releases
-
-| Version | Headline |
-|---|---|
-| **2.11.2** | `RouteSchemaOptions['query']` types `allowedPopulate` + `allowedLookups` |
-| **2.11.1** | `loadResources({ context })` + factory exports; `ActionDefinition.schema` widened to `unknown`; `silent` removed in favor of `arcLog` fallback |
-| **2.11.0** | `BaseController` mixin split, testing surface rewrite (`createTestApp`, `TestAuthProvider`, `expectArc`), action-router parity, async resources factory |
-| **2.10** | Permissions split, `RepositoryLike` plugs into outbox/audit/idempotency, plugin onSend race fix |
-
-Full history: [`/changelog/v2.md`](changelog/v2.md).
-
----
-
 ## Documentation
 
 - **Skill** for AI agents: `npx skills add classytic/arc` — wires arc into Claude Code / agentic flows.

package/bin/arc.js

@@ -334,7 +334,7 @@ GLOBAL OPTIONS
 
 INIT OPTIONS
   --mongokit               Use MongoKit adapter (default, recommended)
-  --custom                 Use custom adapter (empty template)
+  --custom                 Use custom / Drizzle-ready adapter template
   --better-auth            Use Better Auth (default, recommended)
   --jwt                    Use Arc built-in JWT auth
   --multi-tenant, --multi  Multi-tenant mode (adds org scoping)
@@ -346,7 +346,7 @@ INIT OPTIONS
   --skip-install           Skip npm install after scaffolding
 
 GENERATE SUBCOMMANDS
-  resource, r       Generate full resource (model, repo, controller, schemas, resource)
+  resource, r       Generate resource-first scaffold (model, repo, resource, test)
   controller, c     Generate controller only
   model, m          Generate model only
   repository, repo  Generate repository only

package/dist/{BaseController-JNV08qOT.mjs → BaseController-swXruJ2_.mjs}

@@ -1,9 +1,9 @@
 import { h as SYSTEM_FIELDS, o as DEFAULT_TENANT_FIELD } from "./constants-BhY1OHoH.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { _ as isElevated, n as PUBLIC_SCOPE, o as getOrgId, v as isMember } from "./types-AOD8fxIw.mjs";
-import { M as simpleEqualityMatcher, j as getUserId, k as ArcQueryParser } from "./utils-D3Yxnrwr.mjs";
+import { M as simpleEqualityMatcher, j as getUserId, k as ArcQueryParser } from "./utils-CcYTj09l.mjs";
 import { t as buildQueryKey } from "./keys-CARyUjiR.mjs";
-import { M as applyFieldWritePermissions, P as resolveEffectiveRoles } from "./permissions-B4vU9L0Q.mjs";
+import { M as applyFieldWritePermissions, P as resolveEffectiveRoles } from "./permissions-gd_aUWrR.mjs";
 import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
 import { r as ForbiddenError } from "./errors-D5c-5BJL.mjs";
 //#region src/core/AccessControl.ts

package/dist/EventTransport-BFQjw9pB.mjs

@@ -0,0 +1,133 @@
+//#region src/events/EventTransport.ts
+/**
+* In-memory event transport (default)
+* Events are delivered synchronously within the process.
+* Not suitable for multi-instance deployments.
+*/
+var MemoryEventTransport = class {
+	name = "memory";
+	handlers = /* @__PURE__ */ new Map();
+	logger;
+	constructor(options) {
+		this.logger = options?.logger ?? console;
+	}
+	async publish(event) {
+		const exactHandlers = this.handlers.get(event.type) ?? /* @__PURE__ */ new Set();
+		const wildcardHandlers = this.handlers.get("*") ?? /* @__PURE__ */ new Set();
+		const patternHandlers = /* @__PURE__ */ new Set();
+		for (const [pattern, handlers] of this.handlers.entries()) if (pattern.endsWith(".*")) {
+			const prefix = pattern.slice(0, -2);
+			if (event.type.startsWith(`${prefix}.`)) for (const h of handlers) patternHandlers.add(h);
+		}
+		const allHandlers = new Set([
+			...exactHandlers,
+			...wildcardHandlers,
+			...patternHandlers
+		]);
+		for (const handler of allHandlers) try {
+			await handler(event);
+		} catch (err) {
+			this.logger.error(`[EventTransport] Handler error for ${event.type}:`, err);
+		}
+	}
+	/**
+	* Reference `publishMany` implementation — delegates to `publish()` in order.
+	*
+	* Production transports (Kafka, Redis pipeline, SQS batch) should override
+	* this with a single batched network call. Memory transport has nothing to
+	* batch, so we just loop — the loop still returns a proper result map so
+	* `EventOutbox.relay` can exercise the batched code path in tests.
+	*/
+	async publishMany(events) {
+		const results = /* @__PURE__ */ new Map();
+		for (const event of events) try {
+			await this.publish(event);
+			results.set(event.meta.id, null);
+		} catch (err) {
+			results.set(event.meta.id, err instanceof Error ? err : new Error(String(err)));
+		}
+		return results;
+	}
+	async subscribe(pattern, handler) {
+		if (!this.handlers.has(pattern)) this.handlers.set(pattern, /* @__PURE__ */ new Set());
+		this.handlers.get(pattern)?.add(handler);
+		return () => {
+			const set = this.handlers.get(pattern);
+			if (set) {
+				set.delete(handler);
+				if (set.size === 0) this.handlers.delete(pattern);
+			}
+		};
+	}
+	async close() {
+		this.handlers.clear();
+	}
+};
+/**
+* Create a domain event with auto-generated metadata.
+*
+* `id` and `timestamp` are filled in; everything else is caller-controlled.
+* Set `schemaVersion` explicitly for any event type you plan to evolve.
+*/
+function createEvent(type, payload, meta) {
+	return {
+		type,
+		payload,
+		meta: {
+			id: crypto.randomUUID(),
+			timestamp: /* @__PURE__ */ new Date(),
+			...meta
+		}
+	};
+}
+/**
+* Create a child event that chains causation from a parent event.
+*
+* Rules:
+*  - `causationId` is set to the parent's `id` (direct cause)
+*  - `correlationId` is inherited from the parent if set, else falls back
+*    to the parent's `id` (root correlation)
+*  - `userId` / `organizationId` are inherited when not overridden so the
+*    whole chain stays scoped to the originating principal/tenant
+*
+* Caller-supplied `meta` wins over inherited fields — pass `{ userId: newActor }`
+* to override when a subsystem acts on behalf of a different principal.
+*
+* @example
+* ```typescript
+* const orderPlaced = createEvent('order.placed', { orderId: 'o1' }, {
+*   correlationId: req.id, userId: user.id,
+* });
+* await events.publish(orderPlaced);
+*
+* // Downstream handler emits a child event:
+* const reserved = createChildEvent(orderPlaced, 'inventory.reserved', {
+*   orderId: 'o1', skus: ['sku-1', 'sku-2'],
+* });
+* // reserved.meta.causationId   === orderPlaced.meta.id
+* // reserved.meta.correlationId === orderPlaced.meta.correlationId
+* // reserved.meta.userId        === user.id   (inherited)
+* ```
+*/
+function createChildEvent(parent, type, payload, meta) {
+	const inherited = {
+		correlationId: parent.meta.correlationId ?? parent.meta.id,
+		causationId: parent.meta.id
+	};
+	if (parent.meta.userId !== void 0) inherited.userId = parent.meta.userId;
+	if (parent.meta.organizationId !== void 0) inherited.organizationId = parent.meta.organizationId;
+	if (parent.meta.source !== void 0) inherited.source = parent.meta.source;
+	if (parent.meta.idempotencyKey !== void 0) inherited.idempotencyKey = parent.meta.idempotencyKey;
+	return {
+		type,
+		payload,
+		meta: {
+			id: crypto.randomUUID(),
+			timestamp: /* @__PURE__ */ new Date(),
+			...inherited,
+			...meta
+		}
+	};
+}
+//#endregion
+export { createChildEvent as n, createEvent as r, MemoryEventTransport as t };

package/dist/{QueryCache-DOBNHBE0.d.mts → QueryCache-D41bfdBB.d.mts}

@@ -1,4 +1,4 @@
-import { r as CacheStore } from "./interface-Da0r7Lna.mjs";
+import { r as CacheStore } from "./interface-beEtJyWM.mjs";
 
 //#region src/cache/QueryCache.d.ts
 /** Metadata wrapper stored in CacheStore */

package/dist/{actionPermissions-C8YYU92K.mjs → actionPermissions-sUUKDhtP.mjs}

@@ -5,8 +5,10 @@
 *
 * Callers decide what "no gate" means:
 *   - HTTP: boot-time throw in `normalizeActionsToRouterConfig`.
-*   - MCP: treated as allow (legacy) — but the HTTP fallback now fills the
-*     gap when `permissions.update` is set, so the MCP hole closes too.
+*   - MCP: tool-generation throw in `resourceToTools` (mirrors HTTP — the
+*     two surfaces fail closed identically so MCP can't expose an
+*     unauthenticated mutating tool when the HTTP plugin lifecycle hasn't
+*     run).
 *   - OpenAPI: docs advertise the endpoint as unauthenticated.
 */
 function resolveActionPermission(input) {

package/dist/adapters/index.d.mts

@@ -1,3 +1,3 @@
-import { An as RelationMetadata, En as AdapterFactory, Mn as SchemaMetadata, Nn as ValidationResult, On as DataAdapter, jn as RepositoryLike, kn as FieldMetadata } from "../index-6u4_Gg6G.mjs";
-import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, d as DrizzleAdapterOptions, f as createDrizzleAdapter, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter, u as DrizzleAdapter } from "../index-BbMrcvGp.mjs";
-export { AdapterFactory, DataAdapter, DrizzleAdapter, DrizzleAdapterOptions, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, createDrizzleAdapter, createMongooseAdapter, createPrismaAdapter };
+import { An as FieldMetadata, Dn as AdapterRepositoryInput, En as AdapterFactory, Fn as asRepositoryLike, Mn as RepositoryLike, Nn as SchemaMetadata, Pn as ValidationResult, jn as RelationMetadata, kn as DataAdapter } from "../index-CXXRbnf8.mjs";
+import { a as PrismaQueryParserOptions, c as MongooseAdapterOptions, d as DrizzleAdapterOptions, f as createDrizzleAdapter, i as PrismaQueryParser, l as createMongooseAdapter, n as PrismaAdapterOptions, o as createPrismaAdapter, r as PrismaQueryOptions, s as MongooseAdapter, t as PrismaAdapter, u as DrizzleAdapter } from "../index-Rg8axYPz.mjs";
+export { AdapterFactory, AdapterRepositoryInput, DataAdapter, DrizzleAdapter, DrizzleAdapterOptions, FieldMetadata, MongooseAdapter, MongooseAdapterOptions, PrismaAdapter, PrismaAdapterOptions, PrismaQueryOptions, PrismaQueryParser, PrismaQueryParserOptions, RelationMetadata, RepositoryLike, SchemaMetadata, ValidationResult, asRepositoryLike, createDrizzleAdapter, createMongooseAdapter, createPrismaAdapter };

package/dist/adapters/index.mjs

@@ -1,2 +1,2 @@
-import { a as createMongooseAdapter, i as MongooseAdapter, n as PrismaQueryParser, o as DrizzleAdapter, r as createPrismaAdapter, s as createDrizzleAdapter, t as PrismaAdapter } from "../adapters-D0tT2Tyo.mjs";
-export { DrizzleAdapter, MongooseAdapter, PrismaAdapter, PrismaQueryParser, createDrizzleAdapter, createMongooseAdapter, createPrismaAdapter };
+import { a as createMongooseAdapter, c as createDrizzleAdapter, i as MongooseAdapter, n as PrismaQueryParser, o as asRepositoryLike, r as createPrismaAdapter, s as DrizzleAdapter, t as PrismaAdapter } from "../adapters-DUUiiimH.mjs";
+export { DrizzleAdapter, MongooseAdapter, PrismaAdapter, PrismaQueryParser, asRepositoryLike, createDrizzleAdapter, createMongooseAdapter, createPrismaAdapter };

package/dist/{adapters-D0tT2Tyo.mjs → adapters-DUUiiimH.mjs}

@@ -264,6 +264,21 @@ function createDrizzleAdapter(options) {
 	return new DrizzleAdapter(options);
 }
 //#endregion
+//#region src/adapters/interface.ts
+/**
+* Widen a permissive `AdapterRepositoryInput<TDoc>` to arc's strict
+* `RepositoryLike<TDoc>` view. Single-source escape hatch for the
+* filter-IR drift documented on `AdapterRepositoryInput`.
+*
+* Arc internals (audit / outbox / idempotency, BaseController) still see
+* the IR-aware `RepositoryLike`; only the call paths arc exercises are
+* shared between the two views, and those use the narrower
+* `Record<string, unknown>` filter shape both sides agree on.
+*/
+function asRepositoryLike(input) {
+	return input;
+}
+//#endregion
 //#region src/adapters/mongoose.ts
 /**
 * Mongoose data adapter with proper type safety
@@ -280,7 +295,7 @@ var MongooseAdapter = class {
 		if (!isMongooseModel(options.model)) throw new TypeError("MongooseAdapter: Invalid model. Expected Mongoose Model instance.\nUsage: createMongooseAdapter({ model: YourModel, repository: yourRepo })");
 		if (!isRepository(options.repository)) throw new TypeError("MongooseAdapter: Invalid repository. Expected StandardRepo instance.\nUsage: createMongooseAdapter({ model: YourModel, repository: yourRepo })");
 		this.model = options.model;
-		this.repository = options.repository;
+		this.repository = asRepositoryLike(options.repository);
 		this.schemaGenerator = options.schemaGenerator;
 		this.name = `MongooseAdapter<${options.model.modelName}>`;
 	}
@@ -946,4 +961,4 @@ function createPrismaAdapter(options) {
 	return new PrismaAdapter(options);
 }
 //#endregion
-export { createMongooseAdapter as a, MongooseAdapter as i, PrismaQueryParser as n, DrizzleAdapter as o, createPrismaAdapter as r, createDrizzleAdapter as s, PrismaAdapter as t };
+export { createMongooseAdapter as a, createDrizzleAdapter as c, MongooseAdapter as i, PrismaQueryParser as n, asRepositoryLike as o, createPrismaAdapter as r, DrizzleAdapter as s, PrismaAdapter as t };

package/dist/audit/index.d.mts

@@ -1,5 +1,5 @@
-import { jn as RepositoryLike } from "../index-6u4_Gg6G.mjs";
-import { d as UserBase } from "../fields-C8Y0XLAu.mjs";
+import { Mn as RepositoryLike } from "../index-CXXRbnf8.mjs";
+import { d as UserBase } from "../fields-BRjxOAFp.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/audit/stores/interface.d.ts

package/dist/auth/index.d.mts

@@ -1,7 +1,7 @@
-import { Ot as AuthHelpers, kt as AuthPluginOptions } from "../index-6u4_Gg6G.mjs";
-import { c as PermissionCheck } from "../fields-C8Y0XLAu.mjs";
-import { t as ExternalOpenApiPaths } from "../externalPaths-Bapitwvd.mjs";
-import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-D-oNWHz3.mjs";
+import { Ot as AuthHelpers, kt as AuthPluginOptions } from "../index-CXXRbnf8.mjs";
+import { c as PermissionCheck } from "../fields-BRjxOAFp.mjs";
+import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
+import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest } from "fastify";
 
 //#region src/auth/authPlugin.d.ts

package/dist/auth/index.mjs

@@ -1,4 +1,4 @@
-import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-B4vU9L0Q.mjs";
+import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-gd_aUWrR.mjs";
 import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
 import { t as ArcError } from "../errors-D5c-5BJL.mjs";
 import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-DwxtK3uG.mjs";

package/dist/auth/redis-session.d.mts

@@ -1,4 +1,4 @@
-import { i as SessionData, s as SessionStore } from "../sessionManager-D-oNWHz3.mjs";
+import { i as SessionData, s as SessionStore } from "../sessionManager-C4Le_UB3.mjs";
 
 //#region src/auth/redis-session.d.ts
 /** Minimal Redis client interface — compatible with ioredis */

package/dist/cache/index.d.mts

@@ -1,6 +1,6 @@
-import { n as CacheStats, r as CacheStore, t as CacheLogger } from "../interface-Da0r7Lna.mjs";
-import { a as QueryCacheConfig, i as QueryCache, n as CacheResult, r as CacheStatus, t as CacheEnvelope } from "../QueryCache-DOBNHBE0.mjs";
-import { i as queryCachePlugin, n as QueryCacheDefaults, r as QueryCachePluginOptions, t as CrossResourceRule } from "../queryCachePlugin-BUXBSm4F.mjs";
+import { n as CacheStats, r as CacheStore, t as CacheLogger } from "../interface-beEtJyWM.mjs";
+import { a as QueryCacheConfig, i as QueryCache, n as CacheResult, r as CacheStatus, t as CacheEnvelope } from "../QueryCache-D41bfdBB.mjs";
+import { i as queryCachePlugin, n as QueryCacheDefaults, r as QueryCachePluginOptions, t as CrossResourceRule } from "../queryCachePlugin-CqMdLI2-.mjs";
 
 //#region src/cache/keys.d.ts
 /**

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
 import { t as ResourceRegistry } from "../../ResourceRegistry-DkAeAuTX.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-C0L9ar7m.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-D7G1V7ex.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/cli/commands/generate.d.mts

@@ -6,8 +6,6 @@
  * - src/resources/product/product.model.ts
  * - src/resources/product/product.repository.ts
  * - src/resources/product/product.resource.ts
- * - src/resources/product/product.controller.ts
- * - src/resources/product/product.schemas.ts
  *
  * Handles kebab-case names: `arc g r org-profile` generates:
  * - Class names: OrgProfile, OrgProfileRepository

package/dist/cli/commands/generate.mjs

@@ -1,4 +1,4 @@
-import { t as pluralize } from "../../pluralize-BneOJkpi.mjs";
+import { t as pluralize } from "../../pluralize-CWP6MB39.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 //#region src/cli/commands/generate.ts
@@ -9,8 +9,6 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 * - src/resources/product/product.model.ts
 * - src/resources/product/product.repository.ts
 * - src/resources/product/product.resource.ts
-* - src/resources/product/product.controller.ts
-* - src/resources/product/product.schemas.ts
 *
 * Handles kebab-case names: `arc g r org-profile` generates:
 * - Class names: OrgProfile, OrgProfileRepository
@@ -58,7 +56,7 @@ ${ts ? `
 export interface I${name} {
   name: string;
   description?: string;
-  isActive: boolean;
+  ${isMultiTenant ? "organizationId: string;\n  " : ""}isActive: boolean;
 }
 
 export type ${name}Document = HydratedDocument<I${name}>;
@@ -67,14 +65,14 @@ const ${camel}Schema = new Schema${ts ? `<I${name}>` : ""}(
   {
     name: { type: String, required: true, trim: true },
     description: { type: String, trim: true },
-    isActive: { type: Boolean, default: true },
+    ${isMultiTenant ? "organizationId: { type: String, required: true, index: true },\n    " : ""}isActive: { type: Boolean, default: true },
   },
   { timestamps: true }
 );
 
 // Indexes
 ${camel}Schema.index({ name: 1 });
-${camel}Schema.index({ isActive: 1 });
+${isMultiTenant ? `${camel}Schema.index({ organizationId: 1, isActive: 1 });\n` : ""}${camel}Schema.index({ isActive: 1 });
 
 const ${name} = mongoose.models.${name} || mongoose.model('${name}', ${camel}Schema);
 export default ${name};
@@ -193,20 +191,21 @@ export default crudSchemas;
  */
 
 import { defineResource, createMongooseAdapter } from '@classytic/arc';
-import { requireAuth, requireRoles } from '@classytic/arc/permissions';
+import { allOf, requireOrgMembership, requireRoles } from '@classytic/arc/permissions';
+import { multiTenantPreset } from '@classytic/arc/presets';
 import ${name}${ts ? `, { type I${name} }` : ""} from './${fileName}.model.js';
 import ${camel}Repository from './${fileName}.repository.js';${queryParserImport}
 
 const ${camel}Resource = defineResource${ts ? `<I${name}>` : ""}({
   name: '${fileName}',
   adapter: createMongooseAdapter({ model: ${name}, repository: ${camel}Repository }),${queryParserConfig}
-  presets: ['softDelete'],
+  presets: ['softDelete', multiTenantPreset({ tenantField: 'organizationId' })],
   permissions: {
-    list: requireAuth(),
-    get: requireAuth(),
-    create: requireRoles(['admin']),
-    update: requireRoles(['admin']),
-    delete: requireRoles(['admin']),
+    list: requireOrgMembership(),
+    get: requireOrgMembership(),
+    create: allOf(requireOrgMembership(), requireRoles(['admin'])),
+    update: allOf(requireOrgMembership(), requireRoles(['admin'])),
+    delete: allOf(requireOrgMembership(), requireRoles(['admin'])),
   },
 });
 
@@ -367,7 +366,7 @@ async function generate(type, args) {
 	}
 }
 /**
-* Generate a full resource
+* Generate a resource-first scaffold
 */
 async function generateResource(name, lowerName, resourcePath, templates, ext, includeMcp = false) {
 	console.log(`\nGenerating resource: ${name}...\n`);
@@ -417,8 +416,9 @@ Next steps:
    src/resources/${lowerName}/${lowerName}.model.${ext}
 
 3. Adjust permissions in ${lowerName}.resource.${ext}:
-${isMultiTenant ? `   - requireAuth()          → any authenticated user
-   - requireRoles(['admin']) → specific platform roles` : `   - requireAuth()          → any authenticated user
+${isMultiTenant ? `   - requireOrgMembership() → member of the current organization
+   - multiTenantPreset()    → injects and filters organizationId
+   - requireRoles(['admin']) → admin writes inside the org scope` : `   - requireAuth()          → any authenticated user
    - requireRoles(['admin']) → specific platform roles`}
 
 4. Run tests: