@classytic/arc 2.11.3 → 2.13.1

package/dist/cli/commands/init.mjs

@@ -28,6 +28,10 @@ async function init(options = {}) {
 	console.log(`\nCreating project: ${config.name}`);
 	console.log(`   Adapter: ${config.adapter === "mongokit" ? "MongoKit (MongoDB)" : "Custom / Drizzle-ready"}`);
 	console.log(`   Auth: ${config.auth === "better-auth" ? "Better Auth (recommended)" : "Arc JWT"}`);
+	if (config.auth === "better-auth") {
+		console.log(`   Session: ${config.session === "cookie" ? "Cookie" : config.session === "bearer" ? "Bearer token" : "Cookie + Bearer"}`);
+		if (config.apiKey) console.log(`   API keys: enabled (@better-auth/api-key)`);
+	}
 	console.log(`   Tenant: ${config.tenant === "multi" ? "Multi-tenant" : "Single-tenant"}`);
 	console.log(`   Language: ${config.typescript ? "TypeScript" : "JavaScript"}`);
 	console.log(`   Target: ${config.edge ? "Edge/Serverless" : "Node.js Server"}\n`);
@@ -87,42 +91,108 @@ function existsSync$1(filePath) {
 	}
 }
 /**
-* Install dependencies using the detected package manager
+* Single source of truth for scaffolded project dependencies.
+*
+* Versions are pinned to the floor each subsystem requires — peer-dep
+* minimums on Arc, kit minimums (mongokit ≥ 3.11, repo-core ≥ 0.2,
+* mongoose ≥ 9.4.1), and major-version stable for the rest. The carets
+* allow minor + patch upgrades without breaking arc's contract, while
+* preventing the silent breakage of `@latest` on a kit floor bump.
+*
+* Used by both `packageJsonTemplate` (declares the deps in the generated
+* `package.json` so `npm install` works without a pre-pass) and
+* `installDependencies` (runs the package manager's `install` against
+* the declared ranges). One source — no drift.
 */
-async function installDependencies(projectPath, config, pm) {
-	const deps = [
-		"@classytic/arc@latest",
-		"fastify@latest",
-		"@fastify/cors@latest",
-		"@fastify/helmet@latest",
-		"@fastify/rate-limit@latest",
-		"@fastify/sensible@latest",
-		"@fastify/under-pressure@latest",
-		"dotenv@latest"
-	];
-	if (config.auth === "better-auth") deps.push("better-auth@^1.6.0", "mongodb@latest");
-	else deps.push("@fastify/jwt@latest", "bcryptjs@latest");
-	if (config.adapter === "mongokit") deps.push("@classytic/mongokit@^3.11.0", "@classytic/repo-core@^0.2.0", "mongoose@^9.4.1");
-	const devDeps = ["vitest@latest", "pino-pretty@latest"];
-	if (config.typescript) devDeps.push("typescript@latest", "@types/node@latest", "tsx@latest");
-	const installCmd = getInstallCommand(pm, deps, false);
-	const installDevCmd = getInstallCommand(pm, devDeps, true);
+const SCAFFOLD_DEP_VERSIONS = {
+	core: {
+		"@classytic/arc": "^2.13.0",
+		"@classytic/primitives": "^0.3.0",
+		"@classytic/repo-core": "^0.4.0",
+		"@fastify/cors": "^11.2.0",
+		"@fastify/helmet": "^13.0.2",
+		"@fastify/rate-limit": "^10.3.0",
+		"@fastify/sensible": "^6.0.4",
+		"@fastify/under-pressure": "^9.0.3",
+		dotenv: "^17.4.2",
+		fastify: "^5.8.5"
+	},
+	authJwt: {
+		"@fastify/jwt": "^10.0.0",
+		bcryptjs: "^3.0.0"
+	},
+	authBetterAuth: {
+		"better-auth": "^1.6.9",
+		mongodb: "^7.1.0"
+	},
+	authBetterAuthApiKey: { "@better-auth/api-key": "^1.6.9" },
+	adapterMongokit: {
+		"@classytic/mongokit": "^3.13.0",
+		mongoose: "^9.6.1"
+	},
+	devCommon: {
+		"mongodb-memory-server": "^11.1.0",
+		"pino-pretty": "^13.0.0",
+		vitest: "^4.1.5"
+	},
+	devTypescript: {
+		"@types/node": "^22.10.0",
+		tsx: "^4.21.0",
+		typescript: "^5.7.2"
+	},
+	typesJwt: { "@types/bcryptjs": "^3.0.0" }
+};
+/**
+* Resolve the dependency manifest for a scaffold configuration.
+*
+* Returns sorted records (alphabetical by package name) so the generated
+* `package.json` is deterministic — diffs across re-runs stay clean.
+*/
+function resolveScaffoldDependencies(config) {
+	const dependencies = { ...SCAFFOLD_DEP_VERSIONS.core };
+	const devDependencies = { ...SCAFFOLD_DEP_VERSIONS.devCommon };
+	if (config.auth === "better-auth") {
+		Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.authBetterAuth);
+		if (config.apiKey) Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.authBetterAuthApiKey);
+	} else {
+		Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.authJwt);
+		if (config.typescript) Object.assign(devDependencies, SCAFFOLD_DEP_VERSIONS.typesJwt);
+	}
+	if (config.adapter === "mongokit") Object.assign(dependencies, SCAFFOLD_DEP_VERSIONS.adapterMongokit);
+	if (config.typescript) Object.assign(devDependencies, SCAFFOLD_DEP_VERSIONS.devTypescript);
+	return {
+		dependencies: sortByKey(dependencies),
+		devDependencies: sortByKey(devDependencies)
+	};
+}
+/**
+* Sort a record alphabetically by key — package.json convention.
+*/
+function sortByKey(record) {
+	return Object.fromEntries(Object.entries(record).sort(([a], [b]) => a.localeCompare(b)));
+}
+/**
+* Install dependencies using the detected package manager.
+*
+* Dependencies are already declared in the generated `package.json` (see
+* `packageJsonTemplate`), so a single plain `install` resolves the full
+* tree. No two-pass `npm add` flow — the manifest is the source of truth.
+*/
+async function installDependencies(projectPath, _config, pm) {
 	console.log(`  Installing dependencies...`);
-	await runCommand(installCmd, projectPath);
-	console.log(`  Installing dev dependencies...`);
-	await runCommand(installDevCmd, projectPath);
+	await runCommand(getInstallCommand(pm), projectPath);
 	console.log(`\nDependencies installed successfully.`);
 }
 /**
-* Get the install command for a package manager
+* Get the plain `install` command for a package manager. Reads the declared
+* dependencies from the project's `package.json`.
 */
-function getInstallCommand(pm, packages, isDev) {
-	const pkgList = packages.join(" ");
+function getInstallCommand(pm) {
 	switch (pm) {
-		case "pnpm": return `pnpm add ${isDev ? "-D" : ""} ${pkgList}`;
-		case "yarn": return `yarn add ${isDev ? "-D" : ""} ${pkgList}`;
-		case "bun": return `bun add ${isDev ? "-d" : ""} ${pkgList}`;
-		default: return `npm install ${isDev ? "--save-dev" : ""} ${pkgList}`;
+		case "pnpm": return "pnpm install";
+		case "yarn": return "yarn install";
+		case "bun": return "bun install";
+		default: return "npm install";
 	}
 }
 /**
@@ -159,6 +229,15 @@ async function gatherConfig(options) {
 		if (!options.adapter && !nonInteractive) adapter = await question("Database adapter [1=MongoKit (recommended), 2=Custom / Drizzle-ready]: ") === "2" ? "custom" : "mongokit";
 		let auth = options.auth || "better-auth";
 		if (!options.auth && !nonInteractive) auth = await question("Auth strategy [1=Better Auth (recommended), 2=Arc JWT]: ") === "2" ? "jwt" : "better-auth";
+		let session = options.session ?? "cookie";
+		let apiKey = options.apiKey ?? false;
+		if (auth === "better-auth" && !nonInteractive) {
+			if (options.session === void 0) {
+				const sessionChoice = await question("Session strategy [1=Cookie (web app, default), 2=Bearer token (mobile/SPA), 3=Both]: ");
+				session = sessionChoice === "2" ? "bearer" : sessionChoice === "3" ? "both" : "cookie";
+			}
+			if (options.apiKey === void 0) apiKey = (await question("Enable API key plugin (machine-to-machine auth via @better-auth/api-key)? [y/N]: ")).toLowerCase() === "y";
+		}
 		let tenant = options.tenant || "single";
 		if (!options.tenant && !nonInteractive) tenant = await question("Tenant mode [1=Single-tenant, 2=Multi-tenant]: ") === "2" ? "multi" : "single";
 		let typescript = options.typescript ?? true;
@@ -176,7 +255,7 @@ async function gatherConfig(options) {
 			console.log("");
 			if ((await question("Continue with MongoKit? [y/N]: ")).toLowerCase() !== "y") {
 				adapter = "custom";
-				console.log("  Switched to custom adapter. Wire sqlitekit/Drizzle here; Prisma remains experimental.");
+				console.log("  Switched to custom adapter. Wire sqlitekit/Drizzle, prismakit, or any RepositoryLike-conforming repo.");
 			}
 		}
 		return {
@@ -184,6 +263,8 @@ async function gatherConfig(options) {
 			adapter,
 			auth,
 			tenant,
+			apiKey,
+			session,
 			typescript,
 			edge
 		};
@@ -267,6 +348,7 @@ async function createProjectStructure(projectPath, config) {
 	}
 }
 function packageJsonTemplate(config) {
+	const { dependencies, devDependencies } = resolveScaffoldDependencies(config);
 	const scripts = config.typescript ? config.edge ? {
 		dev: "tsx watch src/index.ts",
 		build: "tsc",
@@ -309,6 +391,8 @@ function packageJsonTemplate(config) {
 			"#utils/*": "./src/utils/*"
 		},
 		scripts,
+		dependencies,
+		devDependencies,
 		engines: { node: ">=22" }
 	}, null, 2);
 }
@@ -557,7 +641,7 @@ Short forms also supported: \`.env.prod\`, \`.env.dev\`, \`.env.test\`
 
 API documentation is available via Scalar UI:
 
-- **Interactive UI**: [http://localhost:8040/docs](http://localhost:8040/docs)
+- **Interactive UI**: [http://localhost:8040/docs](http://localhost:8040/data)
 - **OpenAPI Spec**: [http://localhost:8040/_docs/openapi.json](http://localhost:8040/_docs/openapi.json)
 
 ## API Endpoints
@@ -678,7 +762,10 @@ function appTemplate(config) {
 	const betterAuthImport = config.auth === "better-auth" ? `import { createBetterAuthAdapter } from '@classytic/arc/auth';
 import { getAuth } from './auth.js';
 ` : "";
-	const authConfig = config.auth === "better-auth" ? config.tenant === "multi" ? `auth: { type: 'betterAuth', betterAuth: createBetterAuthAdapter({ auth: getAuth(), orgContext: true }) },` : `auth: { type: 'betterAuth', betterAuth: createBetterAuthAdapter({ auth: getAuth() }) },` : `auth: {
+	const authConfig = config.auth === "better-auth" ? `auth: {
+      type: 'betterAuth',
+      betterAuth: createBetterAuthAdapter({ auth: getAuth(), orgContext: true }),
+    },` : `auth: {
       type: 'jwt',
       jwt: { secret: config.jwt.secret },
     },`;
@@ -708,10 +795,13 @@ import { resources, registerResources } from '#resources/index.js';
  * @returns Configured Fastify instance ready to use
  */
 export async function createAppInstance()${ts ? ": Promise<FastifyInstance>" : ""} {
-  // Create Arc app with resources and base configuration
+  // Create Arc app with resources and base configuration. \`resourcePrefix\`
+  // mounts every resource under \`/api\`, matching the \`apiPrefix\` the
+  // OpenAPI plugin advertises — keeps docs and routes in agreement.
   const app = await createApp({
     preset: config.env === 'production' ? (${config.edge ? "'edge'" : "'production'"}) : 'development',
     resources,
+    resourcePrefix: '/api',
     ${authConfig}
     cors: {
       origin: config.cors.origins,
@@ -952,7 +1042,8 @@ function sharedIndexTemplate(_config) {
 export { createAdapter } from './adapter.js';
 
 // Core Arc exports
-export { createMongooseAdapter, defineResource } from '@classytic/arc';
+export { defineResource } from '@classytic/arc';
+export { createMongooseAdapter } from '@classytic/mongokit/adapter';
 
 // Permission helpers (core + application-level)
 export * from './permissions.js';
@@ -970,14 +1061,17 @@ function createAdapterTemplate(config) {
  * The repository handles query parsing via MongoKit's built-in QueryParser.
  */
 
-import { createMongooseAdapter } from '@classytic/arc';
+import { createMongooseAdapter } from '@classytic/mongokit/adapter';
+import { buildCrudSchemasFromModel } from '@classytic/mongokit';
 ${ts ? "import type { Model } from 'mongoose';\nimport type { Repository } from '@classytic/mongokit';" : ""}
 
 /**
- * Create a MongoKit-powered adapter for a resource
+ * Create a MongoKit-powered adapter for a resource.
  *
  * Note: Query parsing is handled by MongoKit's Repository class.
- * Just pass the model and repository - Arc handles the rest.
+ * \`buildCrudSchemasFromModel\` is the canonical OpenAPI schema generator
+ * for arc + Mongoose (arc 2.12+ no longer ships a built-in fallback —
+ * passing it explicitly is required for OpenAPI auto-generation).
  */
 export function createAdapter${ts ? "<TDoc = any>" : ""}(
   model${ts ? ": Model<TDoc>" : ""},
@@ -986,6 +1080,7 @@ export function createAdapter${ts ? "<TDoc = any>" : ""}(
   return createMongooseAdapter({
     model,
     repository,
+    schemaGenerator: buildCrudSchemasFromModel,
   });
 }
 `;
@@ -995,21 +1090,21 @@ function customAdapterTemplate(config) {
 	return `/**
  * Custom Adapter Factory
  *
- * Use this for sqlitekit/Drizzle, Prisma experiments, or any repository
- * that satisfies Arc's RepositoryLike contract.
+ * Use this for the bring-your-own-repository path — any object that
+ * satisfies the \`RepositoryLike\` contract from
+ * \`@classytic/repo-core/adapter\` plugs in here. Each classytic kit
+ * also ships its own \`/adapter\` subpath; if one of those fits, import
+ * its factory directly instead.
  */
 
-${ts ? "import type { DataAdapter, RepositoryLike } from '@classytic/arc/adapters';" : ""}
+${ts ? "import type { DataAdapter, RepositoryLike } from '@classytic/repo-core/adapter';" : ""}
 
 /**
  * Create a custom adapter for a resource.
  *
- * Recommended SQL path:
- * - sqlitekit repository + Arc's createDrizzleAdapter for Drizzle tables
- *
- * Experimental path:
- * - Prisma can be wired with createPrismaAdapter, but keep it opt-in until
- *   your app has integration coverage.
+ * Pass any object satisfying \`RepositoryLike<TDoc>\` (a 5-method floor:
+ * \`getAll\` / \`getById\` / \`create\` / \`update\` / \`delete\`, plus any
+ * optional \`StandardRepo\` methods you implement).
  */
 export function createAdapter${ts ? "<TDoc = unknown>" : ""}(
   _source${ts ? ": unknown" : ""},
@@ -1222,9 +1317,8 @@ function createTenantInjection(tenantField${ts ? ": string" : ""}) {
     // Fail-closed: Require orgId for create operations
     if (!orgId) {
       return reply.code(403).send({
-        success: false,
-        error: 'Forbidden',
-        message: 'Organization context required to create resources',
+        error: 'Organization context required to create resources',
+        code: 'arc.org_required',
       });
     }
 
@@ -1808,8 +1902,10 @@ describe('Example Resource', () => {
       authMode: 'jwt',
 ${config.adapter === "mongokit" ? "      connectMongoose: true,\n" : ""}    });
 
+    // Arc's permission engine reads singular user.role — string,
+    // comma-separated string, or array all normalise via getUserRoles().
     ctx.auth${ts ? "!" : ""}.register('admin', {
-      user: { id: '1', roles: ['admin'] },
+      user: { id: '1', role: 'admin' },
       orgId: 'org-1',
     });
   });
@@ -1913,13 +2009,19 @@ userSchema.methods.removeOrganization = function(organizationId${ts ? ": Types.O
 userSchema.index({ 'organizations.organizationId': 1 });
 ` : "";
 	const userType = ts ? `
-type PlatformRole = 'user' | 'admin' | 'superadmin';
+const PLATFORM_ROLES = ['user', 'admin', 'superadmin'] as const;
+type PlatformRole = typeof PLATFORM_ROLES[number];
 
+/**
+ * Comma-separated list of platform roles (Better Auth admin-plugin convention).
+ * Single role: 'admin'. Multiple: 'admin,trainer'. Arc's permission engine
+ * normalises both forms via getUserRoles() — see @classytic/arc/scope.
+ */
 type User = {
   name: string;
   email: string;
   password: string;
-  roles: PlatformRole[];${config.tenant === "multi" ? `
+  role: string;${config.tenant === "multi" ? `
   organizations: UserOrganization[];` : ""}
   resetPasswordToken?: string;
   resetPasswordExpires?: Date;
@@ -1958,11 +2060,21 @@ const userSchema = new Schema${ts ? "<User, UserModel, UserMethods>" : ""}(
     },
     password: { type: String, required: true },
 
-    // Platform roles
-    roles: {
-      type: [String],
-      enum: ['user', 'admin', 'superadmin'],
-      default: ['user'],
+    // Platform role — singular field, matches Arc's permission engine
+    // (req.user.role) and Better Auth's admin-plugin convention.
+    // Comma-separated for multi-role users (e.g. 'admin,trainer');
+    // getUserRoles() in @classytic/arc/scope normalises both forms.
+    role: {
+      type: String,
+      required: true,
+      default: 'user',
+      index: true,
+      validate: {
+        validator: (v${ts ? ": string" : ""}) =>
+          /^(user|admin|superadmin)(,(user|admin|superadmin))*$/.test(v),
+        message: (props${ts ? ": { value: string }" : ""}) =>
+          \`Invalid role "\${props.value}" — expected one or more of user|admin|superadmin\`,
+      },
     },
 ${orgSchema}
     // Password reset
@@ -2237,39 +2349,58 @@ export default authResource;
 }
 function betterAuthSetupTemplate(config) {
 	const ts = config.typescript;
-	const mongoImport = config.adapter === "mongokit" ? `import mongoose from 'mongoose';
-import { mongodbAdapter } from 'better-auth/adapters/mongodb';` : "";
-	const dbAdapter = config.adapter === "mongokit" ? config.typescript ? `database: mongodbAdapter(mongoose.connection.getClient().db() as any),` : `database: mongodbAdapter(mongoose.connection.getClient().db()),` : `// Configure your database adapter here
+	const useMongo = config.adapter === "mongokit";
+	const useStubs = useMongo;
+	const useOrg = config.tenant === "multi";
+	const useBearer = config.session === "bearer" || config.session === "both";
+	const useApiKey = config.apiKey;
+	const mongoImport = useMongo ? `import mongoose from 'mongoose';
+import { mongodbAdapter } from '@better-auth/mongo-adapter';` : "";
+	const stubsImport = useStubs ? `import { registerBetterAuthStubs } from '@classytic/mongokit/better-auth';` : "";
+	const pluginImports = [
+		useOrg ? `import { organization } from 'better-auth/plugins';` : "",
+		useBearer ? `import { bearer } from 'better-auth/plugins';` : "",
+		useApiKey ? `import { apiKey } from '@better-auth/api-key';` : ""
+	].filter(Boolean).join("\n");
+	const dbAdapter = useMongo ? config.typescript ? `database: mongodbAdapter(mongoose.connection.getClient().db() as any),` : `database: mongodbAdapter(mongoose.connection.getClient().db()),` : `// Configure your database adapter here
     // See: https://www.better-auth.com/docs/concepts/database`;
-	const orgPlugin = config.tenant === "multi" ? `
-import { organization } from 'better-auth/plugins/organization';
-import { bearer } from 'better-auth/plugins/bearer';` : "";
-	const orgPluginUsage = config.tenant === "multi" ? `
-      plugins: [
-        bearer(),
-        organization({
+	const pluginEntries = [
+		useBearer ? `        bearer(),` : "",
+		useApiKey ? `        apiKey({
+          enableMetadata: true,
+          rateLimit: { enabled: true, timeWindow: 1000 * 60 * 60 * 24, maxRequests: 10 },
+        }),` : "",
+		useOrg ? `        organization({
           allowUserToCreateOrganization: true,
           creatorRole: 'owner',
-          teams: {
-            enabled: true,
-          },
-        }),
+          teams: { enabled: true },
+        }),` : ""
+	].filter(Boolean);
+	const orgPluginUsage = pluginEntries.length > 0 ? `
+      plugins: [
+${pluginEntries.join("\n")}
       ],` : "";
+	const stubPluginsList = [useOrg ? `'organization'` : ""].filter(Boolean).join(", ");
+	const stubExtras = useApiKey ? `, extraCollections: ['apikey']` : "";
 	return `/**
  * Better Auth Configuration
  * Generated by Arc CLI
  *
- * Authentication is handled entirely by Better Auth.
- * Routes are registered automatically at /api/auth/*
+ * Better Auth owns auth flows + writes its own tables. Arc reads them as
+ * resources via \`@classytic/mongokit/better-auth\`'s overlay (full pagination,
+ * queryparser, OpenAPI, audit) without re-implementing CRUD.
  *
- * Better Auth manages these collections:
- * - user, session, account${config.tenant === "multi" ? ", organization, member, invitation, team, teamMember" : ""}
+ * BA-managed tables: user, session, account, verification${useOrg ? ", organization, member, invitation, team, teamMember" : ""}${useApiKey ? ", apikey" : ""}
  *
  * @see https://www.better-auth.com/docs
  */
 
 import { betterAuth } from 'better-auth';
-${mongoImport}${orgPlugin}
+${[
+		mongoImport,
+		pluginImports,
+		stubsImport
+	].filter(Boolean).join("\n")}
 import config from '#config/index.js';
 
 let _auth${ts ? ": ReturnType<typeof betterAuth> | null" : ""} = null;
@@ -2333,16 +2464,11 @@ ${orgPluginUsage}
         enabled: process.env.NODE_ENV === 'production',
       },
     });
-${config.adapter === "mongokit" ? `
-    // Register stub Mongoose models for Better Auth collections.
-    // BA uses the raw MongoDB driver, so no Mongoose models exist by default.
-    // These stubs (strict: false) enable populate() on refs like 'user', 'organization', etc.
-    const baCollections = ['user', 'organization', 'member', 'invitation', 'session', 'account'];
-    for (const name of baCollections) {
-      if (!mongoose.models[name]) {
-        mongoose.model(name, new mongoose.Schema({}, { strict: false, collection: name }));
-      }
-    }
+${useStubs ? `
+    // Register stub Mongoose models for Better Auth's collections so
+    // \`.populate('user')\` / \`ref: 'organization'\` resolve against BA-owned
+    // documents app-wide. Idempotent, strict:false, plugin-aware.
+    registerBetterAuthStubs(mongoose, {${stubPluginsList ? ` plugins: [${stubPluginsList}]` : ""}${stubExtras} });
 ` : ""}  }
 
   return _auth;
@@ -2377,16 +2503,16 @@ export async function register(request${ts ? ": FastifyRequest" : ""}, reply${ts
 
     // Check if email exists
     if (await userRepository.emailExists(email)) {
-      return reply.code(400).send({ success: false, message: 'Email already registered' });
+      return reply.code(400).send({ error: 'Email already registered', code: 'arc.email_exists' });
     }
 
     // Create user
-    await userRepository.create({ name, email, password, roles: ['user'] });
+    await userRepository.create({ name, email, password, role: 'user' });
 
-    return reply.code(201).send({ success: true, message: 'User registered successfully' });
+    return reply.code(201).send({ message: 'User registered successfully' });
   } catch (error) {
     request.log.error({ err: error }, 'Register error');
-    return reply.code(500).send({ success: false, message: 'Registration failed' });
+    return reply.code(500).send({ error: 'Registration failed', code: 'arc.internal' });
   }
 }
 
@@ -2399,19 +2525,18 @@ export async function login(request${ts ? ": FastifyRequest" : ""}, reply${ts ?
 
     const user = await userRepository.findByEmail(email);
     if (!user || !(await user.matchPassword(password))) {
-      return reply.code(401).send({ success: false, message: 'Invalid credentials' });
+      return reply.code(401).send({ error: 'Invalid credentials', code: 'arc.unauthorized' });
     }
 
     const tokens = request.server.auth.issueTokens({ id: user._id.toString(), role: user.role });
 
     return reply.send({
-      success: true,
       user: { id: user._id, name: user.name, email: user.email, role: user.role },
       ...tokens,
     });
   } catch (error) {
     request.log.error({ err: error }, 'Login error');
-    return reply.code(500).send({ success: false, message: 'Login failed' });
+    return reply.code(500).send({ error: 'Login failed', code: 'arc.internal' });
   }
 }
 
@@ -2422,15 +2547,15 @@ export async function refreshToken(request${ts ? ": FastifyRequest" : ""}, reply
   try {
     const { token } = request.body${ts ? " as any" : ""};
     if (!token) {
-      return reply.code(401).send({ success: false, message: 'Refresh token required' });
+      return reply.code(401).send({ error: 'Refresh token required', code: 'arc.unauthorized' });
     }
 
     const decoded = request.server.auth.verifyRefreshToken(token)${ts ? " as { id: string }" : ""};
     const tokens = request.server.auth.issueTokens({ id: decoded.id });
 
-    return reply.send({ success: true, ...tokens });
+    return reply.send(tokens);
   } catch {
-    return reply.code(401).send({ success: false, message: 'Invalid refresh token' });
+    return reply.code(401).send({ error: 'Invalid refresh token', code: 'arc.unauthorized' });
   }
 }
 
@@ -2451,11 +2576,11 @@ export async function forgotPassword(request${ts ? ": FastifyRequest" : ""}, rep
       request.log.info(\`Password reset requested for \${email}\`);
     }
 
-    // Always return success to prevent email enumeration
-    return reply.send({ success: true, message: 'If email exists, reset link sent' });
+    // Always 200 to prevent email enumeration
+    return reply.send({ message: 'If email exists, reset link sent' });
   } catch (error) {
     request.log.error({ err: error }, 'Forgot password error');
-    return reply.code(500).send({ success: false, message: 'Failed to process request' });
+    return reply.code(500).send({ error: 'Failed to process request', code: 'arc.internal' });
   }
 }
 
@@ -2468,14 +2593,14 @@ export async function resetPassword(request${ts ? ": FastifyRequest" : ""}, repl
     const user = await userRepository.findByResetToken(token);
 
     if (!user) {
-      return reply.code(400).send({ success: false, message: 'Invalid or expired token' });
+      return reply.code(400).send({ error: 'Invalid or expired token', code: 'arc.bad_request' });
     }
 
     await userRepository.updatePassword(user._id, newPassword);
-    return reply.send({ success: true, message: 'Password has been reset' });
+    return reply.send({ message: 'Password has been reset' });
   } catch (error) {
     request.log.error({ err: error }, 'Reset password error');
-    return reply.code(500).send({ success: false, message: 'Failed to reset password' });
+    return reply.code(500).send({ error: 'Failed to reset password', code: 'arc.internal' });
   }
 }
 
@@ -2488,13 +2613,13 @@ export async function getUserProfile(request${ts ? ": FastifyRequest" : ""}, rep
     const user = await userRepository.getById(userId);
 
     if (!user) {
-      return reply.code(404).send({ success: false, message: 'User not found' });
+      return reply.code(404).send({ error: 'User not found', code: 'arc.not_found' });
     }
 
-    return reply.send({ success: true, data: user });
+    return reply.send(user);
   } catch (error) {
     request.log.error({ err: error }, 'Get profile error');
-    return reply.code(500).send({ success: false, message: 'Failed to get profile' });
+    return reply.code(500).send({ error: 'Failed to get profile', code: 'arc.internal' });
   }
 }
 
@@ -2506,16 +2631,16 @@ export async function updateUserProfile(request${ts ? ": FastifyRequest" : ""},
     const userId = (request${ts ? " as any" : ""}).user?._id || (request${ts ? " as any" : ""}).user?.id;
     const updates = { ...request.body${ts ? " as any" : ""} };
 
-    // Prevent updating protected fields
-    if ('password' in updates) delete updates.password;
-    if ('roles' in updates) delete updates.roles;
-    if ('organizations' in updates) delete updates.organizations;
+    // Prevent updating protected fields — auth-managed only
+    delete updates.password;
+    delete updates.role;
+    delete updates.organizations;
 
     const user = await userRepository.Model.findByIdAndUpdate(userId, updates, { new: true });
-    return reply.send({ success: true, data: user });
+    return reply.send(user);
   } catch (error) {
     request.log.error({ err: error }, 'Update profile error');
-    return reply.code(500).send({ success: false, message: 'Failed to update profile' });
+    return reply.code(500).send({ error: 'Failed to update profile', code: 'arc.internal' });
   }
 }
 `;
@@ -2598,7 +2723,7 @@ export const loginResponse = {
         id: { type: 'string' },
         name: { type: 'string' },
         email: { type: 'string' },
-        roles: { type: 'array', items: { type: 'string' } },
+        role: { type: 'string' },
       },
     },
     accessToken: { type: 'string' },

package/dist/cli/commands/introspect.mjs

@@ -1,4 +1,4 @@
-import { t as ResourceRegistry } from "../../ResourceRegistry-DkAeAuTX.mjs";
+import { t as ResourceRegistry } from "../../ResourceRegistry-CTERg_2x.mjs";
 import { resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 //#region src/cli/commands/introspect.ts
@@ -57,6 +57,11 @@ async function introspect(args) {
 			}
 			if (resource.presets && resource.presets.length > 0) console.log(`   Presets: ${resource.presets.join(", ")}`);
 			if (resource.customRoutes && resource.customRoutes.length > 0) console.log(`   Additional Routes: ${resource.customRoutes.length}`);
+			if (resource.actions && resource.actions.length > 0) {
+				const fallback = resource.actionPermissions ? ` (fallback: ${describePermission(resource.actionPermissions)})` : "";
+				console.log(`   Actions: ${resource.actions.map((a) => a.name).join(", ")}${fallback}`);
+			}
+			if (resource.aggregations && resource.aggregations.length > 0) console.log(`   Aggregations: ${resource.aggregations.map((a) => a.name).join(", ")}`);
 			console.log("");
 		});
 		const stats = registry.getStats();
@@ -64,6 +69,8 @@ async function introspect(args) {
 		console.log(`  Total Resources: ${stats.totalResources}`);
 		console.log(`  With Presets: ${resources.filter((r) => r.presets?.length > 0).length}`);
 		console.log(`  With Custom Routes: ${resources.filter((r) => r.customRoutes && r.customRoutes.length > 0).length}`);
+		console.log(`  With Actions: ${resources.filter((r) => r.actions && r.actions.length > 0).length}`);
+		console.log(`  With Aggregations: ${resources.filter((r) => r.aggregations && r.aggregations.length > 0).length}`);
 	} catch (error) {
 		if (error instanceof Error) throw error;
 		throw new Error(String(error));

package/dist/context/index.mjs

@@ -1,2 +1,2 @@
-import { t as requestContext } from "../requestContext-C5XeK3VA.mjs";
+import { t as requestContext } from "../requestContext-SSaaTgW8.mjs";
 export { requestContext };