@classytic/arc 2.11.2 → 2.11.4

package/dist/cli/commands/init.mjs

@@ -26,7 +26,7 @@ async function init(options = {}) {
 `);
 	const config = await gatherConfig(options);
 	console.log(`\nCreating project: ${config.name}`);
-	console.log(`   Adapter: ${config.adapter === "mongokit" ? "MongoKit (MongoDB)" : "Custom"}`);
+	console.log(`   Adapter: ${config.adapter === "mongokit" ? "MongoKit (MongoDB)" : "Custom / Drizzle-ready"}`);
 	console.log(`   Auth: ${config.auth === "better-auth" ? "Better Auth (recommended)" : "Arc JWT"}`);
 	console.log(`   Tenant: ${config.tenant === "multi" ? "Multi-tenant" : "Single-tenant"}`);
 	console.log(`   Language: ${config.typescript ? "TypeScript" : "JavaScript"}`);
@@ -87,42 +87,103 @@ function existsSync$1(filePath) {
 	}
 }
 /**
-* Install dependencies using the detected package manager
+* Single source of truth for scaffolded project dependencies.
+*
+* Versions are pinned to the floor each subsystem requires — peer-dep
+* minimums on Arc, kit minimums (mongokit ≥ 3.11, repo-core ≥ 0.2,
+* mongoose ≥ 9.4.1), and major-version stable for the rest. The carets
+* allow minor + patch upgrades without breaking arc's contract, while
+* preventing the silent breakage of `@latest` on a kit floor bump.
+*
+* Used by both `packageJsonTemplate` (declares the deps in the generated
+* `package.json` so `npm install` works without a pre-pass) and
+* `installDependencies` (runs the package manager's `install` against
+* the declared ranges). One source — no drift.
 */
-async function installDependencies(projectPath, config, pm) {
-	const deps = [
-		"@classytic/arc@latest",
-		"fastify@latest",
-		"@fastify/cors@latest",
-		"@fastify/helmet@latest",
-		"@fastify/rate-limit@latest",
-		"@fastify/sensible@latest",
-		"@fastify/under-pressure@latest",
-		"dotenv@latest"
-	];
-	if (config.auth === "better-auth") deps.push("better-auth@^1.6.0", "mongodb@latest");
-	else deps.push("@fastify/jwt@latest", "bcryptjs@latest");
-	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.11.0", "@classytic/repo-core@^0.2.0", "mongoose@^9.4.1");
-	const devDeps = ["vitest@latest", "pino-pretty@latest"];
-	if (config.typescript) devDeps.push("typescript@latest", "@types/node@latest", "tsx@latest");
-	const installCmd = getInstallCommand(pm, deps, false);
-	const installDevCmd = getInstallCommand(pm, devDeps, true);
+const SCAFFOLD_DEP_VERSIONS = {
+	core: {
+		"@classytic/arc": "^2.11.3",
+		"@fastify/cors": "^11.0.0",
+		"@fastify/helmet": "^13.0.0",
+		"@fastify/rate-limit": "^10.0.0",
+		"@fastify/sensible": "^6.0.0",
+		"@fastify/under-pressure": "^9.0.0",
+		dotenv: "^17.0.0",
+		fastify: "^5.8.0"
+	},
+	authJwt: {
+		"@fastify/jwt": "^10.0.0",
+		bcryptjs: "^3.0.0"
+	},
+	authBetterAuth: {
+		"better-auth": "^1.6.0",
+		mongodb: "^6.10.0"
+	},
+	adapterMongokit: {
+		"@classytic/mongokit": "^3.11.0",
+		"@classytic/repo-core": "^0.2.0",
+		mongoose: "^9.4.1"
+	},
+	devCommon: {
+		"pino-pretty": "^13.0.0",
+		vitest: "^4.0.0"
+	},
+	devTypescript: {
+		"@types/node": "^22.0.0",
+		tsx: "^4.21.0",
+		typescript: "^5.6.0"
+	},
+	typesJwt: { "@types/bcryptjs": "^3.0.0" }
+};
+/**
+* Resolve the dependency manifest for a scaffold configuration.
+*
+* Returns sorted records (alphabetical by package name) so the generated
+* `package.json` is deterministic — diffs across re-runs stay clean.
+*/
+function resolveScaffoldDependencies(config) {
+	const dependencies = { ...SCAFFOLD_DEP_VERSIONS.core };
+	const devDependencies = { ...SCAFFOLD_DEP_VERSIONS.devCommon };
+	if (config.auth === "better-auth") Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.authBetterAuth);
+	else {
+		Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.authJwt);
+		if (config.typescript) Object.assign(devDependencies, SCAFFOLD_DEP_VERSIONS.typesJwt);
+	}
+	if (config.adapter === "mongokit") Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.adapterMongokit);
+	if (config.typescript) Object.assign(devDependencies, SCAFFOLD_DEP_VERSIONS.devTypescript);
+	return {
+		dependencies: sortByKey(dependencies),
+		devDependencies: sortByKey(devDependencies)
+	};
+}
+/**
+* Sort a record alphabetically by key — package.json convention.
+*/
+function sortByKey(record) {
+	return Object.fromEntries(Object.entries(record).sort(([a], [b]) => a.localeCompare(b)));
+}
+/**
+* Install dependencies using the detected package manager.
+*
+* Dependencies are already declared in the generated `package.json` (see
+* `packageJsonTemplate`), so a single plain `install` resolves the full
+* tree. No two-pass `npm add` flow — the manifest is the source of truth.
+*/
+async function installDependencies(projectPath, _config, pm) {
 	console.log(`  Installing dependencies...`);
-	await runCommand(installCmd, projectPath);
-	console.log(`  Installing dev dependencies...`);
-	await runCommand(installDevCmd, projectPath);
+	await runCommand(getInstallCommand(pm), projectPath);
 	console.log(`\nDependencies installed successfully.`);
 }
 /**
-* Get the install command for a package manager
+* Get the plain `install` command for a package manager. Reads the declared
+* dependencies from the project's `package.json`.
 */
-function getInstallCommand(pm, packages, isDev) {
-	const pkgList = packages.join(" ");
+function getInstallCommand(pm) {
 	switch (pm) {
-		case "pnpm": return `pnpm add ${isDev ? "-D" : ""} ${pkgList}`;
-		case "yarn": return `yarn add ${isDev ? "-D" : ""} ${pkgList}`;
-		case "bun": return `bun add ${isDev ? "-d" : ""} ${pkgList}`;
-		default: return `npm install ${isDev ? "--save-dev" : ""} ${pkgList}`;
+		case "pnpm": return "pnpm install";
+		case "yarn": return "yarn install";
+		case "bun": return "bun install";
+		default: return "npm install";
 	}
 }
 /**
@@ -156,7 +217,7 @@ async function gatherConfig(options) {
 	try {
 		const name = options.name || await question("Project name: ") || "my-arc-app";
 		let adapter = options.adapter || "mongokit";
-		if (!options.adapter && !nonInteractive) adapter = await question("Database adapter [1=MongoKit (recommended), 2=Custom]: ") === "2" ? "custom" : "mongokit";
+		if (!options.adapter && !nonInteractive) adapter = await question("Database adapter [1=MongoKit (recommended), 2=Custom / Drizzle-ready]: ") === "2" ? "custom" : "mongokit";
 		let auth = options.auth || "better-auth";
 		if (!options.auth && !nonInteractive) auth = await question("Auth strategy [1=Better Auth (recommended), 2=Arc JWT]: ") === "2" ? "jwt" : "better-auth";
 		let tenant = options.tenant || "single";
@@ -171,12 +232,12 @@ async function gatherConfig(options) {
 			console.log("    MongoDB Atlas works with the raw driver (mongodb 6.15+ with nodejs_compat_v2),");
 			console.log("    but MongoKit depends on Mongoose. Options:");
 			console.log("    1. Use AWS Lambda / Vercel Serverless (Node.js) — Mongoose works normally");
-			console.log("    2. Use Cloudflare Hyperdrive + PostgreSQL (switch to Prisma/Drizzle adapter)");
+			console.log("    2. Use Cloudflare Hyperdrive + PostgreSQL (wire sqlitekit/Drizzle via custom adapter)");
 			console.log("    3. Continue with MongoKit — works on Lambda/Vercel, NOT on Cloudflare Workers");
 			console.log("");
 			if ((await question("Continue with MongoKit? [y/N]: ")).toLowerCase() !== "y") {
 				adapter = "custom";
-				console.log("  Switched to custom adapter. You can wire Drizzle, Prisma, or the raw MongoDB driver.");
+				console.log("  Switched to custom adapter. Wire sqlitekit/Drizzle here; Prisma remains experimental.");
 			}
 		}
 		return {
@@ -267,6 +328,7 @@ async function createProjectStructure(projectPath, config) {
 	}
 }
 function packageJsonTemplate(config) {
+	const { dependencies, devDependencies } = resolveScaffoldDependencies(config);
 	const scripts = config.typescript ? config.edge ? {
 		dev: "tsx watch src/index.ts",
 		build: "tsc",
@@ -309,6 +371,8 @@ function packageJsonTemplate(config) {
 			"#utils/*": "./src/utils/*"
 		},
 		scripts,
+		dependencies,
+		devDependencies,
 		engines: { node: ">=22" }
 	}, null, 2);
 }
@@ -465,7 +529,7 @@ src/
 │   ├── env.${ext}              # Env loader (import first!)
 │   └── index.${ext}            # App config
 ├── shared/                  # Shared utilities
-│   ├── adapter.${ext}          # ${config.adapter === "mongokit" ? "MongoKit adapter factory" : "Custom adapter"}
+│   ├── adapter.${ext}          # ${config.adapter === "mongokit" ? "MongoKit adapter factory" : "Custom / Drizzle-ready adapter"}
 │   ├── permissions.${ext}      # Permission helpers
 │   └── presets/             # ${config.tenant === "multi" ? "Multi-tenant presets" : "Standard presets"}
 ├── plugins/                 # App-specific plugins
@@ -995,29 +1059,31 @@ function customAdapterTemplate(config) {
 	return `/**
  * Custom Adapter Factory
  *
- * Implement your own database adapter here.
+ * Use this for sqlitekit/Drizzle, Prisma experiments, or any repository
+ * that satisfies Arc's RepositoryLike contract.
  */
 
-import { createMongooseAdapter } from '@classytic/arc';
-${ts ? "import type { Model } from 'mongoose';" : ""}
+${ts ? "import type { DataAdapter, RepositoryLike } from '@classytic/arc/adapters';" : ""}
 
 /**
- * Create a custom adapter for a resource
+ * Create a custom adapter for a resource.
  *
- * Implement this based on your database choice:
- * - Prisma: Use @classytic/prismakit (coming soon)
- * - Drizzle: Create custom adapter
- * - Raw SQL: Create custom adapter
- */
-export function createAdapter${ts ? "<TDoc>" : ""}(
-  model${ts ? ": Model<TDoc>" : ""},
-  repository${ts ? ": any" : ""}
-)${ts ? ": ReturnType<typeof createMongooseAdapter>" : ""} {
-  // SCAFFOLD: Replace with your custom adapter implementation
-  return createMongooseAdapter({
-    model,
+ * Recommended SQL path:
+ * - sqlitekit repository + Arc's createDrizzleAdapter for Drizzle tables
+ *
+ * Experimental path:
+ * - Prisma can be wired with createPrismaAdapter, but keep it opt-in until
+ *   your app has integration coverage.
+ */
+export function createAdapter${ts ? "<TDoc = unknown>" : ""}(
+  _source${ts ? ": unknown" : ""},
+  repository${ts ? ": RepositoryLike<TDoc>" : ""}
+)${ts ? ": DataAdapter<TDoc>" : ""} {
+  return {
+    type: 'custom',
+    name: 'custom-repository',
     repository,
-  });
+  };
 }
 `;
 }
@@ -1806,8 +1872,10 @@ describe('Example Resource', () => {
       authMode: 'jwt',
 ${config.adapter === "mongokit" ? "      connectMongoose: true,\n" : ""}    });
 
+    // Arc's permission engine reads singular user.role — string,
+    // comma-separated string, or array all normalise via getUserRoles().
     ctx.auth${ts ? "!" : ""}.register('admin', {
-      user: { id: '1', roles: ['admin'] },
+      user: { id: '1', role: 'admin' },
       orgId: 'org-1',
     });
   });
@@ -1911,13 +1979,19 @@ userSchema.methods.removeOrganization = function(organizationId${ts ? ": Types.O
 userSchema.index({ 'organizations.organizationId': 1 });
 ` : "";
 	const userType = ts ? `
-type PlatformRole = 'user' | 'admin' | 'superadmin';
+const PLATFORM_ROLES = ['user', 'admin', 'superadmin'] as const;
+type PlatformRole = typeof PLATFORM_ROLES[number];
 
+/**
+ * Comma-separated list of platform roles (Better Auth admin-plugin convention).
+ * Single role: 'admin'. Multiple: 'admin,trainer'. Arc's permission engine
+ * normalises both forms via getUserRoles() — see @classytic/arc/scope.
+ */
 type User = {
   name: string;
   email: string;
   password: string;
-  roles: PlatformRole[];${config.tenant === "multi" ? `
+  role: string;${config.tenant === "multi" ? `
   organizations: UserOrganization[];` : ""}
   resetPasswordToken?: string;
   resetPasswordExpires?: Date;
@@ -1956,11 +2030,21 @@ const userSchema = new Schema${ts ? "<User, UserModel, UserMethods>" : ""}(
     },
     password: { type: String, required: true },
 
-    // Platform roles
-    roles: {
-      type: [String],
-      enum: ['user', 'admin', 'superadmin'],
-      default: ['user'],
+    // Platform role — singular field, matches Arc's permission engine
+    // (req.user.role) and Better Auth's admin-plugin convention.
+    // Comma-separated for multi-role users (e.g. 'admin,trainer');
+    // getUserRoles() in @classytic/arc/scope normalises both forms.
+    role: {
+      type: String,
+      required: true,
+      default: 'user',
+      index: true,
+      validate: {
+        validator: (v${ts ? ": string" : ""}) =>
+          /^(user|admin|superadmin)(,(user|admin|superadmin))*$/.test(v),
+        message: (props${ts ? ": { value: string }" : ""}) =>
+          \`Invalid role "\${props.value}" — expected one or more of user|admin|superadmin\`,
+      },
     },
 ${orgSchema}
     // Password reset
@@ -2379,7 +2463,7 @@ export async function register(request${ts ? ": FastifyRequest" : ""}, reply${ts
     }
 
     // Create user
-    await userRepository.create({ name, email, password, roles: ['user'] });
+    await userRepository.create({ name, email, password, role: 'user' });
 
     return reply.code(201).send({ success: true, message: 'User registered successfully' });
   } catch (error) {
@@ -2504,10 +2588,10 @@ export async function updateUserProfile(request${ts ? ": FastifyRequest" : ""},
     const userId = (request${ts ? " as any" : ""}).user?._id || (request${ts ? " as any" : ""}).user?.id;
     const updates = { ...request.body${ts ? " as any" : ""} };
 
-    // Prevent updating protected fields
-    if ('password' in updates) delete updates.password;
-    if ('roles' in updates) delete updates.roles;
-    if ('organizations' in updates) delete updates.organizations;
+    // Prevent updating protected fields — auth-managed only
+    delete updates.password;
+    delete updates.role;
+    delete updates.organizations;
 
     const user = await userRepository.Model.findByIdAndUpdate(userId, updates, { new: true });
     return reply.send({ success: true, data: user });
@@ -2596,7 +2680,7 @@ export const loginResponse = {
         id: { type: 'string' },
         name: { type: 'string' },
         email: { type: 'string' },
-        roles: { type: 'array', items: { type: 'string' } },
+        role: { type: 'string' },
       },
     },
     accessToken: { type: 'string' },

package/dist/context/index.mjs

@@ -1,2 +1,2 @@
-import { t as requestContext } from "../requestContext-CfRkaxwf.mjs";
+import { t as requestContext } from "../requestContext-C5XeK3VA.mjs";
 export { requestContext };

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { B as ResourceDefinition, Gt as TreeMixin, Ht as SoftDeleteExt, Jt as BulkExt, Kt as SlugExt, Ut as SoftDeleteMixin, V as defineResource, Vt as BaseController, Wt as TreeExt, Yt as BulkMixin, an as QueryResolverConfig, cn as AccessControl, in as QueryResolver, ln as AccessControlConfig, nn as BaseCrudController, on as BodySanitizer, qt as SlugMixin, rn as ListResult, sn as BodySanitizerConfig, tn as BaseControllerOptions } from "../index-6u4_Gg6G.mjs";
-import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-BdXnTPRj.mjs";
+import { B as ResourceDefinition, Gt as TreeMixin, Ht as SoftDeleteExt, Jt as BulkExt, Kt as SlugExt, Ut as SoftDeleteMixin, V as defineResource, Vt as BaseController, Wt as TreeExt, Yt as BulkMixin, an as QueryResolverConfig, cn as AccessControl, in as QueryResolver, ln as AccessControlConfig, nn as BaseCrudController, on as BodySanitizer, qt as SlugMixin, rn as ListResult, sn as BodySanitizerConfig, tn as BaseControllerOptions } from "../index-CXXRbnf8.mjs";
+import { C as MAX_REGEX_LENGTH, D as RESERVED_QUERY_PARAMS, E as MutationOperation, O as SYSTEM_FIELDS, S as MAX_FILTER_DEPTH, T as MUTATION_OPERATIONS, _ as DEFAULT_UPDATE_METHOD, a as getControllerScope, b as HookOperation, c as createCrudRouter, d as CrudOperation, f as DEFAULT_ID_FIELD, g as DEFAULT_TENANT_FIELD, h as DEFAULT_SORT, i as getControllerContext, l as createPermissionMiddleware, m as DEFAULT_MAX_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_LIMIT, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as CRUD_OPERATIONS, v as HOOK_OPERATIONS, w as MAX_SEARCH_LENGTH, x as HookPhase, y as HOOK_PHASES } from "../index-m8mOOlFW.mjs";
 export { AccessControl, AccessControlConfig, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-BhY1OHoH.mjs";
-import { a as BulkMixin, c as BodySanitizer, i as SlugMixin, l as AccessControl, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController } from "../BaseController-JNV08qOT.mjs";
-import { _ as getControllerScope, g as getControllerContext, h as createRequestContext, m as createFastifyHandler, p as createCrudHandlers, v as sendControllerResponse } from "../routerShared-DeESFp4a.mjs";
-import { a as createPermissionMiddleware, i as createCrudRouter, n as ResourceDefinition, r as defineResource, t as defineResourceVariants } from "../core-DXdSSFW-.mjs";
+import { a as BulkMixin, c as BodySanitizer, i as SlugMixin, l as AccessControl, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController } from "../BaseController-swXruJ2_.mjs";
+import { _ as getControllerContext, g as createRequestContext, h as createFastifyHandler, m as createCrudHandlers, v as getControllerScope, y as sendControllerResponse } from "../routerShared-BqLRb5l7.mjs";
+import { a as createPermissionMiddleware, i as createCrudRouter, n as ResourceDefinition, r as defineResource, t as defineResourceVariants } from "../core-CbcQRIch.mjs";
 export { AccessControl, BaseController, BaseCrudController, BodySanitizer, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };

package/dist/{core-DXdSSFW-.mjs → core-CbcQRIch.mjs}

@@ -1,12 +1,12 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-BhY1OHoH.mjs";
 import { arcLog } from "./logger/index.mjs";
-import { m as assertValidConfig, y as getDefaultCrudSchemas } from "./utils-D3Yxnrwr.mjs";
-import { t as BaseController } from "./BaseController-JNV08qOT.mjs";
+import { m as assertValidConfig, y as getDefaultCrudSchemas } from "./utils-CcYTj09l.mjs";
+import { t as BaseController } from "./BaseController-swXruJ2_.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-B0oKLuqI.mjs";
-import { c as buildPreHandlerChain, d as resolveRouterPluginMw, f as selectPluginMw, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createFastifyHandler, o as buildCrudPermissionMw, p as createCrudHandlers, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps, y as buildRequestScopeProjection } from "./routerShared-DeESFp4a.mjs";
-import { t as applyPresets } from "./presets-k604Lj99.mjs";
+import { b as buildRequestScopeProjection, c as buildPreHandlerChain, d as resolveRoutePreHandlers, f as resolveRouterPluginMw, h as createFastifyHandler, i as buildAuthMiddleware, l as buildRateLimitConfig, m as createCrudHandlers, o as buildCrudPermissionMw, p as selectPluginMw, r as buildArcDecorator, s as buildPipelineHandler, u as resolvePipelineSteps } from "./routerShared-BqLRb5l7.mjs";
+import { t as applyPresets } from "./presets-Z7P5w4gF.mjs";
 import { t as hasEvents } from "./typeGuards-CcFZXgU7.mjs";
-import { t as resolveActionPermission } from "./actionPermissions-C8YYU92K.mjs";
+import { t as resolveActionPermission } from "./actionPermissions-sUUKDhtP.mjs";
 //#region src/core/createCrudRouter.ts
 /**
 * Mount custom routes (from presets or user-defined `routes`) on Fastify.
@@ -39,7 +39,7 @@ function createCustomRoutes(fastify, routes, controller, options) {
 			...route.description ? { description: route.description } : {},
 			...convertedSchema ?? {}
 		};
-		const customPreHandlers = typeof route.preHandler === "function" ? route.preHandler(fastify) : route.preHandler ?? [];
+		const customPreHandlers = resolveRoutePreHandlers(route.preHandler, fastify, `${route.method} ${route.path}`);
 		const preHandler = buildPreHandlerChain({
 			preAuth: route.preAuth ?? [],
 			arcDecorator,
@@ -469,7 +469,24 @@ function resolveOrAutoCreateController(resolvedConfig, adapter, repository, hasC
 		if (typeof ctrl.setQueryParser === "function") ctrl.setQueryParser(resolvedConfig.queryParser);
 		else arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom \`queryParser\` but its controller does not expose \`setQueryParser(qp)\`. The parser will NOT be threaded into the controller's query resolution — operator filters (\`[contains]\`, \`[like]\`, etc.) may fall back to the controller's internal default. Extend \`BaseController\` / \`BaseCrudController\` (both implement \`setQueryParser\`) OR add the method to your custom controller to honor the resource-level parser.`);
 	}
-	if (controller || !hasCrudRoutes || !repository) return controller;
+	if (controller) {
+		const authorOptions = [];
+		if (resolvedConfig.tenantField !== void 0) authorOptions.push("tenantField");
+		if (resolvedConfig.schemaOptions !== void 0 && Object.keys(resolvedConfig.schemaOptions).length > 0) authorOptions.push("schemaOptions");
+		if (resolvedConfig.idField !== void 0) authorOptions.push("idField");
+		if (resolvedConfig.defaultSort !== void 0) authorOptions.push("defaultSort");
+		if (resolvedConfig.cache !== void 0) authorOptions.push("cache");
+		if (resolvedConfig.onFieldWriteDenied !== void 0) authorOptions.push("onFieldWriteDenied");
+		if (authorOptions.length > 0) arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" declares a custom controller AND resource-level option(s) [${authorOptions.join(", ")}]. Arc only threads these when it auto-builds the controller — when you pass your own, they are dropped silently and the controller falls back to its own defaults (e.g. tenantField → 'organizationId'). Forward them to your controller's \`super(repo, { ... })\` call. Same root cause as the \`queryParser\` warn above.`);
+		if (resolvedConfig._controllerOptions !== void 0) {
+			const presetFields = [];
+			if (resolvedConfig._controllerOptions.slugField) presetFields.push("slugField");
+			if (resolvedConfig._controllerOptions.parentField) presetFields.push("parentField");
+			arcLog("defineResource").warn(`Resource "${resolvedConfig.name}" applies a preset that injects controller field(s) [${presetFields.join(", ") || "preset metadata"}] (e.g. slugLookup / softDelete / parent), but the resource also declares a custom controller. Preset metadata only reaches arc's auto-built BaseController — your custom controller will not see \`slugField\`/\`parentField\`/etc. Either (a) drop the preset on this resource (\`presets: [...]\` without it), or (b) extend \`BaseController\` / \`BaseCrudController\` so arc auto-builds the controller and threads the preset fields automatically.`);
+		}
+		return controller;
+	}
+	if (!hasCrudRoutes || !repository) return controller;
 	const qp = resolvedConfig.queryParser;
 	let maxLimitFromParser;
 	if (qp?.getQuerySchema) {
@@ -869,7 +886,7 @@ var ResourceDefinition = class {
 					fields: self.fields
 				});
 				if (self.actions && Object.keys(self.actions).length > 0) {
-					const { createActionRouter } = await import("./createActionRouter-BwaSM0No.mjs").then((n) => n.n);
+					const { createActionRouter } = await import("./createActionRouter-CIKOcNA7.mjs").then((n) => n.n);
 					createActionRouter(typedInstance, {
 						...normalizeActionsToRouterConfig(self.actions, self.actionPermissions, self.tag, self.permissions, self.name, typedInstance.log),
 						resourceName: self.name,

package/dist/{createActionRouter-BwaSM0No.mjs → createActionRouter-CIKOcNA7.mjs}

@@ -1,6 +1,6 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as buildAuthMiddlewareForPermissions, c as buildPreHandlerChain, d as resolveRouterPluginMw, f as selectPluginMw, l as buildRateLimitConfig, n as buildActionPipelineHandler, r as buildArcDecorator, t as buildActionPermissionMw, u as resolvePipelineSteps, v as sendControllerResponse } from "./routerShared-DeESFp4a.mjs";
-import { n as schemaIRToJsonSchemaBranch, t as normalizeSchemaIR } from "./schemaIR-BlG9bY7v.mjs";
+import { a as buildAuthMiddlewareForPermissions, c as buildPreHandlerChain, f as resolveRouterPluginMw, l as buildRateLimitConfig, n as buildActionPipelineHandler, p as selectPluginMw, r as buildArcDecorator, t as buildActionPermissionMw, u as resolvePipelineSteps, y as sendControllerResponse } from "./routerShared-BqLRb5l7.mjs";
+import { n as schemaIRToJsonSchemaBranch, t as normalizeSchemaIR } from "./schemaIR-Dy2p4MxS.mjs";
 //#region src/core/createActionRouter.ts
 var createActionRouter_exports = /* @__PURE__ */ __exportAll({
 	buildActionBodySchema: () => buildActionBodySchema,
@@ -118,34 +118,94 @@ function createActionRouter(fastify, config) {
 * {
 *   "type": "object",
 *   "required": ["action"],
+*   "properties": {
+*     "action": { "type": "string", "enum": ["dispatch", "approve"] },
+*     "carrier": { "type": "string" }
+*   },
 *   "oneOf": [
-*     { "properties": { "action": { "const": "dispatch" }, "carrier": {...} }, "required": ["action", "carrier"] },
-*     { "properties": { "action": { "const": "approve"  } }, "required": ["action"] }
+*     {
+*       "properties": {
+*         "action": { "const": "dispatch" },
+*         "carrier": { "type": "string" }       // ← every branch lists the union
+*       },
+*       "required": ["action", "carrier"]
+*     },
+*     {
+*       "properties": {
+*         "action": { "const": "approve" },
+*         "carrier": { "type": "string" }       // ← even though approve doesn't use it
+*       },
+*       "required": ["action"]
+*     }
 *   ]
 * }
 * ```
 *
-* AJV validates this natively, so an action call missing required fields is
-* rejected with HTTP 400 before the handler ever runs.
+* **Why every branch carries the full property union.** AJV's
+* `removeAdditional: 'all'` (Fastify's framework default) interacts badly
+* with `oneOf`: when a branch's `properties` lacks a field, AJV strips it
+* from the body during that branch's evaluation — *even if a different
+* branch would have allowed it*. The strip mutates the body before
+* `oneOf` finishes discriminating, so by the time the matching branch
+* wins, the body has already lost fields. Concretely: `actions: { verify:
+* {}, hold: { schema: z.object({ amount, reason }.optional()) } }` +
+* `POST { action: 'hold', amount: 1, reason }` lands at the handler as
+* `{ action: 'hold' }`. Empirically reproduced and locked at
+* [tests/core/action-discriminator-strip.test.ts](../../tests/core/action-discriminator-strip.test.ts).
+*
+* Listing every action's properties on every branch makes per-branch
+* removeAdditional walks see every caller field as "in this branch's
+* properties," so nothing gets stripped during oneOf evaluation. The
+* `required` array stays per-action, so the handler still gets called
+* only when the matching branch's required-field contract is satisfied.
+* Per-branch `additionalProperties: false` (Zod v4 default) carries
+* through but, under host removeAdditional: 'all', it can no longer
+* reject sibling-action fields — those become silently stripped at top
+* level instead. That's the host's opt-in to stripping; arc's job is to
+* stop accidentally losing the action's *own* declared fields.
+*
+* Under arc's own `createApp` (`removeAdditional: false`), strict-mode
+* rejection still functions normally — see
+* [tests/core/action-strict-schema-parity.test.ts](../../tests/core/action-strict-schema-parity.test.ts).
 *
 * Exported so OpenAPI generation and MCP tool generation can reuse the same
 * schema shape (single source of truth).
 */
 function buildActionBodySchema(actionEnum, actionSchemas = {}) {
-	const branches = [];
+	const unionProperties = {};
+	const irs = [];
 	for (const actionName of actionEnum) {
 		const ir = normalizeSchemaIR(actionSchemas[actionName]);
-		branches.push(schemaIRToJsonSchemaBranch(ir, {
-			properties: { action: {
-				type: "string",
-				const: actionName
-			} },
-			required: ["action"]
-		}));
+		irs.push({
+			name: actionName,
+			ir
+		});
+		for (const [key, val] of Object.entries(ir.properties)) unionProperties[key] = val;
 	}
+	const branches = [];
+	for (const { name, ir } of irs) branches.push(schemaIRToJsonSchemaBranch({
+		...ir,
+		properties: {
+			...unionProperties,
+			...ir.properties
+		}
+	}, {
+		properties: { action: {
+			type: "string",
+			const: name
+		} },
+		required: ["action"]
+	}));
 	return {
 		type: "object",
 		required: ["action"],
+		properties: {
+			action: {
+				type: "string",
+				enum: [...actionEnum]
+			},
+			...unionProperties
+		},
 		oneOf: branches
 	};
 }

package/dist/{createApp-P1d6rjPy.mjs → createApp-C9bRrqlX.mjs}

@@ -117,10 +117,7 @@ const developmentPreset = {
 		]
 	},
 	rateLimit: false,
-	underPressure: {
-		exposeStatusRoute: true,
-		maxEventLoopDelay: 5e3
-	}
+	underPressure: false
 };
 /**
 * Testing preset - minimal setup, fast startup
@@ -204,7 +201,7 @@ async function registerArcCore(fastify, config, trackPlugin) {
 	await fastify.register(arcCorePlugin, { emitEvents: config.arcPlugins?.emitEvents !== false });
 	trackPlugin("arc-core");
 	if (config.arcPlugins?.events !== false) {
-		const { default: eventPlugin } = await import("./eventPlugin--5HIkdPU.mjs").then((n) => n.n);
+		const { default: eventPlugin } = await import("./eventPlugin-Cts2-Tfj.mjs").then((n) => n.n);
 		const eventOpts = typeof config.arcPlugins?.events === "object" ? config.arcPlugins.events : {};
 		await fastify.register(eventPlugin, {
 			...eventOpts,
@@ -605,7 +602,8 @@ async function registerSecurityPlugins(fastify, config) {
 	if (config.cors !== false) {
 		const cors = await loadPlugin("cors");
 		const corsOptions = { ...config.cors ?? {} };
-		if (config.preset === "production" && corsOptions && !("origin" in corsOptions)) fastify.log.warn("CORS origin is not explicitly configured in production. Set cors.origin to allowed domains, cors: { origin: '*' }, or cors: false to disable.");
+		const originDeclared = "origin" in corsOptions && corsOptions.origin !== void 0;
+		if (config.preset === "production" && !originDeclared) fastify.log.warn("CORS origin is not explicitly configured in production. Browser apps: set cors.origin to allowed domains (e.g. ['https://app.example.com']) with credentials: true. Server-to-server / API-key services: cors: { origin: '*', credentials: false } OR cors: false to disable. Tip: when wiring cors.origin from an env var, fail fast on missing (`if (!process.env.ALLOWED_ORIGINS) throw ...`) instead of letting `undefined` slip through.");
 		if (corsOptions.credentials && corsOptions.origin === "*") corsOptions.origin = true;
 		await fastify.register(cors, corsOptions);
 		fastify.log.debug("CORS enabled");