@classytic/arc 2.11.4 → 2.13.1

package/dist/{permissions-gd_aUWrR.mjs → permissions-ohQyv50e.mjs}

@@ -1,175 +1,8 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { _ as isElevated, b as isService, c as getRequestScope, d as getServiceScopes, f as getTeamId, h as hasOrgAccess, l as getScopeContext, p as getUserId, u as getScopeContextMap, v as isMember, y as isOrgInScope } from "./types-AOD8fxIw.mjs";
-import { t as getUserRoles } from "./types-DV9WDfeg.mjs";
-import { t as MemoryCacheStore } from "./memory-DikHSvWa.mjs";
+import { S as isService, _ as hasOrgAccess, a as getDPoPJkt, b as isMember, d as getScopeContext, f as getScopeContextMap, h as getUserId, m as getTeamId, o as getMandate, p as getServiceScopes, u as getRequestScope, x as isOrgInScope, y as isElevated } from "./types-C_s5moIu.mjs";
+import { t as getUserRoles } from "./types-D57iXYb8.mjs";
+import { t as MemoryCacheStore } from "./memory-UBydS5ku.mjs";
 import { randomUUID } from "node:crypto";
-//#region src/permissions/fields.ts
-/**
-* Field-Level Permissions
-*
-* Control field visibility and writability per role.
-* Integrated into the response path (read) and sanitization path (write).
-*
-* @example
-* ```typescript
-* import { fields, defineResource } from '@classytic/arc';
-*
-* const userResource = defineResource({
-*   name: 'user',
-*   adapter: userAdapter,
-*   fields: {
-*     salary: fields.visibleTo(['admin', 'hr']),
-*     internalNotes: fields.writableBy(['admin']),
-*     email: fields.redactFor(['viewer']),
-*     password: fields.hidden(),
-*   },
-* });
-* ```
-*/
-/** Type guard for Mongoose-like documents with toObject() */
-function isMongooseDoc(obj) {
-	return !!obj && typeof obj === "object" && "toObject" in obj && typeof obj.toObject === "function";
-}
-const fields = {
-	/**
-	* Field is never included in responses. Not writable via API.
-	*
-	* @example
-	* ```typescript
-	* fields: { password: fields.hidden() }
-	* ```
-	*/
-	hidden() {
-		return { _type: "hidden" };
-	},
-	/**
-	* Field is only visible to users with specified roles.
-	* Other users don't see the field at all.
-	*
-	* @example
-	* ```typescript
-	* fields: { salary: fields.visibleTo(['admin', 'hr']) }
-	* ```
-	*/
-	visibleTo(roles) {
-		return {
-			_type: "visibleTo",
-			roles
-		};
-	},
-	/**
-	* Field is only writable by users with specified roles.
-	* All users can still read the field. Users without the role
-	* have the field silently stripped from write operations.
-	*
-	* @example
-	* ```typescript
-	* fields: { role: fields.writableBy(['admin']) }
-	* ```
-	*/
-	writableBy(roles) {
-		return {
-			_type: "writableBy",
-			roles
-		};
-	},
-	/**
-	* Field is redacted (replaced with a placeholder) for specified roles.
-	* Other users see the real value.
-	*
-	* @param roles - Roles that see the redacted value
-	* @param redactValue - Replacement value (default: '***')
-	*
-	* @example
-	* ```typescript
-	* fields: {
-	*   email: fields.redactFor(['viewer']),
-	*   ssn: fields.redactFor(['basic'], '***-**-****'),
-	* }
-	* ```
-	*/
-	redactFor(roles, redactValue = "***") {
-		return {
-			_type: "redactFor",
-			roles,
-			redactValue
-		};
-	}
-};
-/**
-* Apply field-level READ permissions to a response object.
-* Strips hidden fields, enforces visibility, and applies redaction.
-*
-* @param data - The response object (mutated in place for performance)
-* @param fieldPermissions - Field permission map from resource config
-* @param userRoles - Current user's roles (empty array for unauthenticated)
-* @returns The filtered object
-*/
-function applyFieldReadPermissions(data, fieldPermissions, userRoles) {
-	if (!data || typeof data !== "object") return data;
-	const result = { ...isMongooseDoc(data) ? data.toObject() : data };
-	for (const [field, perm] of Object.entries(fieldPermissions)) switch (perm._type) {
-		case "hidden":
-			delete result[field];
-			break;
-		case "visibleTo":
-			if (!perm.roles?.some((r) => userRoles.includes(r))) delete result[field];
-			break;
-		case "redactFor":
-			if (perm.roles?.some((r) => userRoles.includes(r))) result[field] = perm.redactValue ?? "***";
-			break;
-		case "writableBy": break;
-	}
-	return result;
-}
-/**
-* Apply field-level WRITE permissions to request body.
-*
-* Returns both the filtered body and the list of denied fields. Callers are
-* expected to reject the request when `deniedFields.length > 0` — silently
-* stripping fields hides misconfigurations and real attacks. See
-* `BodySanitizer` for the default policy.
-*
-* @param body - The request body (returns a new filtered copy)
-* @param fieldPermissions - Field permission map from resource config
-* @param userRoles - Current user's roles
-*/
-function applyFieldWritePermissions(body, fieldPermissions, userRoles) {
-	const result = { ...body };
-	const deniedFields = [];
-	for (const [field, perm] of Object.entries(fieldPermissions)) switch (perm._type) {
-		case "hidden":
-			if (field in result) {
-				deniedFields.push(field);
-				delete result[field];
-			}
-			break;
-		case "writableBy":
-			if (field in result && !perm.roles?.some((r) => userRoles.includes(r))) {
-				deniedFields.push(field);
-				delete result[field];
-			}
-			break;
-	}
-	return {
-		body: result,
-		deniedFields
-	};
-}
-/**
-* Resolve effective roles by merging global user roles with org-level roles.
-*
-* Global roles come from `req.user.role` (normalized via getUserRoles()).
-* Org roles come from `req.context.orgRoles` (set by BA adapter's org bridge).
-*
-* When no org context exists, returns global roles only — backward compatible.
-*/
-function resolveEffectiveRoles(userRoles, orgRoles) {
-	if (orgRoles.length === 0) return [...userRoles];
-	if (userRoles.length === 0) return [...orgRoles];
-	return [...new Set([...userRoles, ...orgRoles])];
-}
-//#endregion
 //#region src/permissions/applyPermissionResult.ts
 /**
 * Normalize a permission check return value (`boolean | PermissionResult`)
@@ -244,8 +77,9 @@ async function evaluateAndApplyPermission(check, context, request, reply, opts)
 			action: context.action
 		}, "Permission check threw");
 		reply.code(403).send({
-			success: false,
-			error: "Permission denied"
+			code: "arc.forbidden",
+			message: "Permission denied",
+			status: 403
 		});
 		return false;
 	}
@@ -253,9 +87,11 @@ async function evaluateAndApplyPermission(check, context, request, reply, opts)
 	if (!permResult.granted) {
 		const defaultMsg = opts?.defaultDenialMessage?.(context.user) ?? (context.user ? "Permission denied" : "Authentication required");
 		const reason = permResult.reason && permResult.reason.length <= MAX_DENIAL_REASON_LENGTH ? permResult.reason : defaultMsg;
-		reply.code(context.user ? 403 : 401).send({
-			success: false,
-			error: reason
+		const status = context.user ? 403 : 401;
+		reply.code(status).send({
+			code: context.user ? "arc.forbidden" : "arc.unauthorized",
+			message: reason,
+			status
 		});
 		return false;
 	}
@@ -263,6 +99,231 @@ async function evaluateAndApplyPermission(check, context, request, reply, opts)
 	return true;
 }
 //#endregion
+//#region src/permissions/agent.ts
+/**
+* Agent-Auth Permission Helpers — DPoP + capability mandates for AI-agent flows
+*
+* Three checks for the 2025 agent-authorization stack (AP2 / Stripe x402 /
+* MCP authorization / RFC 9700 / RFC 9449 / RFC 9728):
+*
+* - `requireDPoP()`           — token must be sender-constrained (RFC 9449)
+* - `requireMandate(cap, …)`  — capability mandate must authorize this action
+* - `requireAgentScope(opts)` — composite gate: service identity + mandate + DPoP
+*
+* Arc reads `request.scope.mandate` and `request.scope.dpopJkt` populated by
+* your `authenticate` callback. Arc does **not** parse mandate JWTs/VCs or
+* verify DPoP proofs — that's a 1-2 line `jose` call in your authenticator.
+* Arc validates *what's already proved* against the action being attempted.
+*
+* @example
+* ```typescript
+* import { requireDPoP, requireMandate, requireAgentScope } from '@classytic/arc/permissions';
+*
+* defineResource({
+*   name: 'invoice',
+*   permissions: {
+*     pay: requireAgentScope({
+*       capability: 'payment.charge',
+*       requireDPoP: true,
+*       validateAmount: (ctx, mandate) =>
+*         typeof ctx.data?.amount === 'number' && ctx.data.amount <= (mandate.cap ?? 0),
+*       audience: (ctx) => `invoice:${ctx.params?.id}`,
+*     }),
+*   },
+* });
+* ```
+*/
+/** Default grace window for mandate `expiresAt` — accommodates clock skew. */
+const DEFAULT_TTL_GRACE_MS = 3e4;
+/**
+* Require a sender-constrained credential — the inbound token MUST carry a
+* DPoP proof (RFC 9449) bound to a known key. Arc reads `scope.dpopJkt` (the
+* JWK SHA-256 thumbprint per RFC 7638); your `authenticate` function performs
+* the cryptographic `jose.dpop.verify(...)` and sets the field on success.
+*
+* **Pass behavior:**
+* - `service` scope where `dpopJkt` is set → grant
+* - `elevated` scope → grant (platform admin bypass)
+* - Anything else → deny with a clear reason
+*
+* Use for high-value endpoints where bearer-token replay must be impossible:
+* payment charges, data exports, account-takeover-class admin actions.
+*
+* @example
+* ```typescript
+* permissions: { charge: allOf(requireServiceScope('payment.write'), requireDPoP()) }
+* ```
+*/
+function requireDPoP() {
+	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope)) return true;
+		if (!isService(scope)) return {
+			granted: false,
+			reason: "DPoP-bound service identity required. Configure your authenticate callback to set scope.dpopJkt after verifying the DPoP proof header (RFC 9449)."
+		};
+		if (!getDPoPJkt(scope)) return {
+			granted: false,
+			reason: "Sender-constrained credential required (DPoP). Inbound token is bearer; replay-resistance is mandatory on this endpoint."
+		};
+		return true;
+	};
+	check._dpopRequired = true;
+	return check;
+}
+/**
+* Require a capability mandate (AP2 / x402 / MCP authorization) that
+* authorizes the action being attempted.
+*
+* The mandate is set on `request.scope.mandate` by your authenticate function
+* after verifying the inbound mandate JWT/VC. This check validates that the
+* presented mandate covers the requested capability, hasn't expired, is bound
+* to the right resource (when `audience` opt is set), and respects the
+* mandate's numeric ceiling (when `validateAmount` opt is set).
+*
+* **Pass behavior:**
+* - `elevated` scope → grant unless `noElevatedBypass: true`
+* - `service` scope with mandate matching `capability`, not expired, and
+*   passing `validateAmount` + `audience` checks → grant
+* - Anything else → deny with a precise reason
+*
+* Pair with `requireDPoP()` for replay-resistance, or use the bundled
+* `requireAgentScope(...)` to declare both at once.
+*
+* @example
+* ```typescript
+* // Single payment charge — amount must fit the mandate's cap
+* permissions: {
+*   pay: requireMandate('payment.charge', {
+*     validateAmount: (ctx, m) => (ctx.data as { amount: number }).amount <= (m.cap ?? 0),
+*     audience: (ctx) => `invoice:${ctx.params?.id}`,
+*   }),
+* }
+*
+* // Boolean capability — presence of mandate is the gate
+* permissions: {
+*   exportData: requireMandate('data.export'),
+* }
+* ```
+*/
+function requireMandate(capability, opts = {}) {
+	if (!capability || typeof capability !== "string") throw new Error("requireMandate(capability) requires a non-empty capability string (e.g. 'payment.charge')");
+	const ttlGrace = opts.ttlGraceMs ?? DEFAULT_TTL_GRACE_MS;
+	const noElevatedBypass = opts.noElevatedBypass === true;
+	const check = (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope) && !noElevatedBypass) return true;
+		const mandate = getMandate(scope);
+		if (!mandate) return {
+			granted: false,
+			reason: `Capability mandate required (${capability}). Configure your authenticate callback to populate request.scope.mandate after verifying the mandate JWT/VC.`
+		};
+		if (mandate.capability !== capability) return {
+			granted: false,
+			reason: `Mandate authorizes "${mandate.capability}", not "${capability}"`
+		};
+		if (mandate.expiresAt !== void 0 && Date.now() > mandate.expiresAt + ttlGrace) return {
+			granted: false,
+			reason: `Mandate expired at ${new Date(mandate.expiresAt).toISOString()}`
+		};
+		if (opts.audience) {
+			const required = typeof opts.audience === "function" ? opts.audience(ctx) : opts.audience;
+			if (required && mandate.audience && mandate.audience !== required) return {
+				granted: false,
+				reason: `Mandate is bound to "${mandate.audience}", not "${required}"`
+			};
+			if (required && !mandate.audience) return {
+				granted: false,
+				reason: `Mandate must be bound to "${required}" (no audience claim)`
+			};
+		}
+		if (opts.validateAmount) {
+			const result = opts.validateAmount(ctx, mandate);
+			if (result !== true) return {
+				granted: false,
+				reason: typeof result === "string" ? result : `Action exceeds mandate cap ${mandate.cap}${mandate.currency ? ` ${mandate.currency}` : ""}`
+			};
+		}
+		return true;
+	};
+	check._mandateCapability = capability;
+	return check;
+}
+/**
+* Composite gate for AI-agent / M2M flows on protected resources.
+*
+* Bundles the three things every high-value agent endpoint needs:
+* 1. **Service identity** — `scope.kind === 'service'` with `clientId`
+* 2. **Capability mandate** — narrows what *this request* may do
+* 3. **DPoP binding** — credential cannot be replayed from a different key
+*
+* Use this instead of hand-composing `allOf(requireServiceScope(...),
+* requireMandate(...), requireDPoP())` — fewer ways to misconfigure, one
+* meta-tag downstream tools (audit, MCP, OpenAPI) can read.
+*
+* @example
+* ```typescript
+* import { requireAgentScope } from '@classytic/arc/permissions';
+*
+* defineResource({
+*   name: 'invoice',
+*   actions: {
+*     pay: {
+*       handler: payInvoice,
+*       permissions: requireAgentScope({
+*         capability: 'payment.charge',
+*         scopes: ['payment.write'],
+*         requireDPoP: true,
+*         audience: (ctx) => `invoice:${ctx.params?.id}`,
+*         validateAmount: (ctx, m) => (ctx.data as { amount: number }).amount <= (m.cap ?? 0),
+*       }),
+*     },
+*   },
+* });
+* ```
+*/
+function requireAgentScope(opts) {
+	const { capability, scopes, requireDPoP: needsDPoP = true, ...mandateOpts } = opts;
+	if (!capability) throw new Error("requireAgentScope({ capability }) is required");
+	const mandateCheck = requireMandate(capability, mandateOpts);
+	const dpopCheck = needsDPoP ? requireDPoP() : null;
+	const requiredScopes = scopes && scopes.length > 0 ? [...scopes] : null;
+	const check = async (ctx) => {
+		const scope = getRequestScope(ctx.request);
+		if (isElevated(scope) && !mandateOpts.noElevatedBypass) return true;
+		if (!isService(scope)) return {
+			granted: false,
+			reason: "Service identity required (machine principal). Agent flows must authenticate as a service, not a logged-in user."
+		};
+		if (requiredScopes) {
+			const granted = scope.scopes ?? [];
+			if (!requiredScopes.some((s) => granted.includes(s))) return {
+				granted: false,
+				reason: `Service identity is missing required OAuth scope(s): ${requiredScopes.join(", ")}`
+			};
+		}
+		const mandateResult = await mandateCheck(ctx);
+		if (mandateResult !== true) return typeof mandateResult === "object" ? mandateResult : {
+			granted: false,
+			reason: "Mandate check failed"
+		};
+		if (dpopCheck) {
+			const dpopResult = await dpopCheck(ctx);
+			if (dpopResult !== true) return typeof dpopResult === "object" ? dpopResult : {
+				granted: false,
+				reason: "DPoP binding required"
+			};
+		}
+		return true;
+	};
+	check._agentScope = {
+		capability,
+		scopes: requiredScopes ?? void 0,
+		dpop: needsDPoP
+	};
+	return check;
+}
+//#endregion
 //#region src/permissions/core.ts
 /**
 * Normalize a `string | [readonly string[]]` rest-args tuple into a single
@@ -1087,6 +1148,173 @@ function createDynamicPermissionMatrix(config) {
 	};
 }
 //#endregion
+//#region src/permissions/fields.ts
+/**
+* Field-Level Permissions
+*
+* Control field visibility and writability per role.
+* Integrated into the response path (read) and sanitization path (write).
+*
+* @example
+* ```typescript
+* import { fields, defineResource } from '@classytic/arc';
+*
+* const userResource = defineResource({
+*   name: 'user',
+*   adapter: userAdapter,
+*   fields: {
+*     salary: fields.visibleTo(['admin', 'hr']),
+*     internalNotes: fields.writableBy(['admin']),
+*     email: fields.redactFor(['viewer']),
+*     password: fields.hidden(),
+*   },
+* });
+* ```
+*/
+/** Type guard for Mongoose-like documents with toObject() */
+function isMongooseDoc(obj) {
+	return !!obj && typeof obj === "object" && "toObject" in obj && typeof obj.toObject === "function";
+}
+const fields = {
+	/**
+	* Field is never included in responses. Not writable via API.
+	*
+	* @example
+	* ```typescript
+	* fields: { password: fields.hidden() }
+	* ```
+	*/
+	hidden() {
+		return { _type: "hidden" };
+	},
+	/**
+	* Field is only visible to users with specified roles.
+	* Other users don't see the field at all.
+	*
+	* @example
+	* ```typescript
+	* fields: { salary: fields.visibleTo(['admin', 'hr']) }
+	* ```
+	*/
+	visibleTo(roles) {
+		return {
+			_type: "visibleTo",
+			roles
+		};
+	},
+	/**
+	* Field is only writable by users with specified roles.
+	* All users can still read the field. Users without the role
+	* have the field silently stripped from write operations.
+	*
+	* @example
+	* ```typescript
+	* fields: { role: fields.writableBy(['admin']) }
+	* ```
+	*/
+	writableBy(roles) {
+		return {
+			_type: "writableBy",
+			roles
+		};
+	},
+	/**
+	* Field is redacted (replaced with a placeholder) for specified roles.
+	* Other users see the real value.
+	*
+	* @param roles - Roles that see the redacted value
+	* @param redactValue - Replacement value (default: '***')
+	*
+	* @example
+	* ```typescript
+	* fields: {
+	*   email: fields.redactFor(['viewer']),
+	*   ssn: fields.redactFor(['basic'], '***-**-****'),
+	* }
+	* ```
+	*/
+	redactFor(roles, redactValue = "***") {
+		return {
+			_type: "redactFor",
+			roles,
+			redactValue
+		};
+	}
+};
+/**
+* Apply field-level READ permissions to a response object.
+* Strips hidden fields, enforces visibility, and applies redaction.
+*
+* @param data - The response object (mutated in place for performance)
+* @param fieldPermissions - Field permission map from resource config
+* @param userRoles - Current user's roles (empty array for unauthenticated)
+* @returns The filtered object
+*/
+function applyFieldReadPermissions(data, fieldPermissions, userRoles) {
+	if (!data || typeof data !== "object") return data;
+	const result = { ...isMongooseDoc(data) ? data.toObject() : data };
+	for (const [field, perm] of Object.entries(fieldPermissions)) switch (perm._type) {
+		case "hidden":
+			delete result[field];
+			break;
+		case "visibleTo":
+			if (!perm.roles?.some((r) => userRoles.includes(r))) delete result[field];
+			break;
+		case "redactFor":
+			if (perm.roles?.some((r) => userRoles.includes(r))) result[field] = perm.redactValue ?? "***";
+			break;
+		case "writableBy": break;
+	}
+	return result;
+}
+/**
+* Apply field-level WRITE permissions to request body.
+*
+* Returns both the filtered body and the list of denied fields. Callers are
+* expected to reject the request when `deniedFields.length > 0` — silently
+* stripping fields hides misconfigurations and real attacks. See
+* `BodySanitizer` for the default policy.
+*
+* @param body - The request body (returns a new filtered copy)
+* @param fieldPermissions - Field permission map from resource config
+* @param userRoles - Current user's roles
+*/
+function applyFieldWritePermissions(body, fieldPermissions, userRoles) {
+	const result = { ...body };
+	const deniedFields = [];
+	for (const [field, perm] of Object.entries(fieldPermissions)) switch (perm._type) {
+		case "hidden":
+			if (field in result) {
+				deniedFields.push(field);
+				delete result[field];
+			}
+			break;
+		case "writableBy":
+			if (field in result && !perm.roles?.some((r) => userRoles.includes(r))) {
+				deniedFields.push(field);
+				delete result[field];
+			}
+			break;
+	}
+	return {
+		body: result,
+		deniedFields
+	};
+}
+/**
+* Resolve effective roles by merging global user roles with org-level roles.
+*
+* Global roles come from `req.user.role` (normalized via getUserRoles()).
+* Org roles come from `req.context.orgRoles` (set by BA adapter's org bridge).
+*
+* When no org context exists, returns global roles only — backward compatible.
+*/
+function resolveEffectiveRoles(userRoles, orgRoles) {
+	if (orgRoles.length === 0) return [...userRoles];
+	if (userRoles.length === 0) return [...orgRoles];
+	return [...new Set([...userRoles, ...orgRoles])];
+}
+//#endregion
 //#region src/permissions/roleHierarchy.ts
 /**
 * Create a role hierarchy from a parent → children map.
@@ -1262,4 +1490,4 @@ function readOnly(overrides) {
 	}, overrides);
 }
 //#endregion
-export { normalizePermissionResult as A, requireAuth as C, when as D, roles as E, applyFieldWritePermissions as M, fields as N, applyPermissionResult as O, resolveEffectiveRoles as P, not as S, requireRoles as T, requireTeamMembership as _, presets_exports as a, anyOf as b, readOnly as c, createOrgPermissions as d, requireOrgInScope as f, requireServiceScope as g, requireScopeContext as h, ownerWithAdminBypass as i, applyFieldReadPermissions as j, evaluateAndApplyPermission as k, createRoleHierarchy as l, requireOrgRole as m, authenticated as n, publicRead as o, requireOrgMembership as p, fullPublic as r, publicReadAdminWrite as s, adminOnly as t, createDynamicPermissionMatrix as u, allOf as v, requireOwnership as w, denyAll as x, allowPublic as y };
+export { roles as A, allowPublic as C, requireAuth as D, not as E, applyPermissionResult as F, evaluateAndApplyPermission as I, normalizePermissionResult as L, requireAgentScope as M, requireDPoP as N, requireOwnership as O, requireMandate as P, allOf as S, denyAll as T, requireOrgMembership as _, presets_exports as a, requireServiceScope as b, readOnly as c, applyFieldWritePermissions as d, fields as f, requireOrgInScope as g, createOrgPermissions as h, ownerWithAdminBypass as i, when as j, requireRoles as k, createRoleHierarchy as l, createDynamicPermissionMatrix as m, authenticated as n, publicRead as o, resolveEffectiveRoles as p, fullPublic as r, publicReadAdminWrite as s, adminOnly as t, applyFieldReadPermissions as u, requireOrgRole as v, anyOf as w, requireTeamMembership as x, requireScopeContext as y };

package/dist/{pipe-DVoIheVC.mjs → pipe-Zr0KXjQe.mjs}

@@ -1,4 +1,4 @@
-import { r as ForbiddenError } from "./errors-D5c-5BJL.mjs";
+import { r as ForbiddenError } from "./errors-j4aJm1Wg.mjs";
 //#region src/pipeline/pipe.ts
 /**
 * Compose pipeline steps into an ordered array.

package/dist/pipeline/index.d.mts

@@ -1,4 +1,4 @@
-import { Ct as OperationFilter, Dt as Transform, Et as PipelineStep, St as NextFunction, Tt as PipelineContext, _t as IControllerResponse, bt as Guard, wt as PipelineConfig, xt as Interceptor } from "../index-CXXRbnf8.mjs";
+import { At as Guard, Ft as PipelineContext, It as PipelineStep, Lt as Transform, Mt as NextFunction, Nt as OperationFilter, Pt as PipelineConfig, _t as IControllerResponse, jt as Interceptor } from "../index-BtW7qYwa.mjs";
 
 //#region src/pipeline/guard.d.ts
 interface GuardOptions {

package/dist/pipeline/index.mjs

@@ -1,4 +1,4 @@
-import { n as pipe, t as executePipeline } from "../pipe-DVoIheVC.mjs";
+import { n as pipe, t as executePipeline } from "../pipe-Zr0KXjQe.mjs";
 //#region src/pipeline/guard.ts
 /**
 * Create a named guard.