@classytic/arc 2.11.4 → 2.14.0

package/dist/{types-AOD8fxIw.mjs → types-C_s5moIu.mjs}

@@ -1,4 +1,25 @@
+import { l as UnauthorizedError, o as OrgRequiredError } from "./errors-j4aJm1Wg.mjs";
 //#region src/scope/types.ts
+/**
+* Request Scope — The One Standard
+*
+* Discriminated union representing the access context of every request.
+* Replaces scattered orgScope/orgRoles/organizationId/bypassRoles.
+*
+* Set once by auth adapters, read everywhere by permissions/presets/guards.
+*
+* @example
+* ```typescript
+* // In a permission check
+* const scope = request.scope;
+* if (isElevated(scope)) return true;
+* if (isMember(scope) && scope.orgRoles.includes('admin')) return true;
+*
+* // Get user identity from scope
+* const userId = getUserId(scope);
+* const globalRoles = getUserRoles(scope);
+* ```
+*/
 /** Check if scope is `member` kind */
 function isMember(scope) {
 	return scope.kind === "member";
@@ -51,6 +72,41 @@ function getServiceScopes(scope) {
 	if (scope.kind === "service") return scope.scopes ?? [];
 	return [];
 }
+/**
+* Get the capability mandate from a service scope (when present).
+*
+* Returns the `Mandate` populated by your authenticate function on
+* mandate-bound requests (AP2 / x402 / MCP authorization), or `undefined`
+* for any non-service scope or non-mandate-bound service request.
+*
+* Use directly when you need the full mandate for custom logic; use
+* `requireMandate(capability)` for the canonical permission-check path.
+*
+* @example
+* ```typescript
+* import { getMandate } from '@classytic/arc/scope';
+*
+* const mandate = getMandate(request.scope);
+* if (mandate?.audience !== `invoice:${request.params.id}`) {
+*   throw new ForbiddenError('Mandate is bound to a different resource');
+* }
+* ```
+*/
+function getMandate(scope) {
+	if (scope.kind === "service") return scope.mandate;
+}
+/**
+* Get the DPoP key thumbprint (RFC 7638) from a service scope.
+*
+* When non-empty, the inbound credential is sender-constrained — replaying
+* it from a different keypair must fail. Set by your authenticate function
+* after a successful `jose.dpop.verify()` (or equivalent) call. Read via
+* `requireDPoP()` permission helper or directly when implementing custom
+* binding checks.
+*/
+function getDPoPJkt(scope) {
+	if (scope.kind === "service") return scope.dpopJkt;
+}
 /** Get org roles from scope (empty array if not a member) */
 function getOrgRoles(scope) {
 	if (scope.kind === "member") return scope.orgRoles;
@@ -155,6 +211,66 @@ function getUserId(scope) {
 	return scope.userId;
 }
 /**
+* Throwing variant of `getOrgId`. Returns the organization id when the
+* scope carries one (`member` / `service` / `elevated`); throws
+* `OrgRequiredError` (HTTP 403, code `ORG_SELECTION_REQUIRED`) otherwise.
+*
+* Use whenever a handler/service path REQUIRES an org id — `requireOrgId`
+* eliminates the `if (!orgId) throw …` boilerplate that drifts across
+* handlers, and ensures every "missing org" produces the same error shape.
+*
+* @param hint Optional context for the error message (e.g. route name) —
+*   surfaces in the response body and in logs, so the failing path is
+*   visible without grepping for the throw site.
+* @example
+* ```typescript
+* import { requireOrgId } from '@classytic/arc/scope';
+*
+* const orgId = requireOrgId(req.scope, 'POST /orders');
+* await orderRepo.create({ ...req.body, organizationId: orgId });
+* ```
+*/
+function requireOrgId(scope, hint) {
+	const id = getOrgId(scope);
+	if (!id) throw new OrgRequiredError(hint ? `Organization context required: ${hint}` : "Organization context required");
+	return id;
+}
+/**
+* Throwing variant of `getUserId`. Returns the user id when the scope is
+* `authenticated` / `member` / `elevated` and carries one; throws
+* `UnauthorizedError` (HTTP 401) otherwise.
+*
+* @param hint Optional route/context tag for the error message.
+*/
+function requireUserId(scope, hint) {
+	const id = getUserId(scope);
+	if (!id) throw new UnauthorizedError(hint ? `User authentication required: ${hint}` : "User authentication required");
+	return id;
+}
+/**
+* Throwing variant of `getClientId`. Returns the service-account `clientId`
+* when the scope kind is `service`; throws `UnauthorizedError` (HTTP 401)
+* otherwise. Use for routes that are service-account-only.
+*/
+function requireClientId(scope, hint) {
+	const id = getClientId(scope);
+	if (!id) throw new UnauthorizedError(hint ? `Service client required: ${hint}` : "Service client required");
+	return id;
+}
+/**
+* Throwing variant of `getTeamId`. Returns the team id when the scope is
+* `member` and carries one; throws `OrgRequiredError` (HTTP 403) otherwise.
+*
+* Uses the org-context error class (not a separate `TeamRequiredError`)
+* because the failure mode is the same shape as missing-org: the request
+* lacks a tenancy dimension the route requires.
+*/
+function requireTeamId(scope, hint) {
+	const id = getTeamId(scope);
+	if (!id) throw new OrgRequiredError(hint ? `Team context required: ${hint}` : "Team context required");
+	return id;
+}
+/**
 * Get global user roles from scope (available on authenticated and member).
 * These are user-level roles (e.g. superadmin, finance-admin) distinct from
 * org-level roles (scope.orgRoles).
@@ -226,4 +342,4 @@ const PUBLIC_SCOPE = Object.freeze({ kind: "public" });
 /** Default authenticated scope — used when user is logged in but no org */
 const AUTHENTICATED_SCOPE = Object.freeze({ kind: "authenticated" });
 //#endregion
-export { isElevated as _, getOrgContext as a, isService as b, getRequestScope as c, getServiceScopes as d, getTeamId as f, isAuthenticated as g, hasOrgAccess as h, getClientId as i, getScopeContext as l, getUserRoles as m, PUBLIC_SCOPE as n, getOrgId as o, getUserId as p, getAncestorOrgIds as r, getOrgRoles as s, AUTHENTICATED_SCOPE as t, getScopeContextMap as u, isMember as v, isOrgInScope as y };
+export { requireClientId as C, requireUserId as E, isService as S, requireTeamId as T, hasOrgAccess as _, getDPoPJkt as a, isMember as b, getOrgId as c, getScopeContext as d, getScopeContextMap as f, getUserRoles as g, getUserId as h, getClientId as i, getOrgRoles as l, getTeamId as m, PUBLIC_SCOPE as n, getMandate as o, getServiceScopes as p, getAncestorOrgIds as r, getOrgContext as s, AUTHENTICATED_SCOPE as t, getRequestScope as u, isAuthenticated as v, requireOrgId as w, isOrgInScope as x, isElevated as y };

package/dist/{types-BQ9TJQNy.d.mts → types-DQHFc8PM.d.mts}

@@ -1,4 +1,4 @@
-import { B as ResourceDefinition } from "./index-CXXRbnf8.mjs";
+import { V as ResourceDefinition } from "./index-BtW7qYwa.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/utils/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as ValidationResult, A as handleRaw, B as CompensationStep, C as queryParams, D as ArcQueryParser, E as wrapResponse, F as defineErrorMapper, G as CircuitBreakerOptions, H as withCompensation, I as CompensationDefinition, J as CircuitState, K as CircuitBreakerRegistry, L as CompensationError, M as Guard, N as GuardConfig, O as ArcQueryParserOptions, P as defineGuard, Q as ValidateOptions, R as CompensationHooks, S as paginationSchema, T as successResponseSchema, U as CircuitBreaker, V as defineCompensation, W as CircuitBreakerError, X as createCircuitBreakerRegistry, Y as createCircuitBreaker, Z as ConfigError, _ as getDefaultCrudSchemas, a as TransitionConfig, at as ErrorDetails, b as listResponse, c as JsonSchemaTarget, ct as OrgAccessDeniedError, d as isJsonSchema, dt as ServiceUnavailableError, et as assertValidConfig, f as isZodSchema, ft as UnauthorizedError, g as errorResponseSchema, gt as isArcError, h as deleteResponse, ht as createError, i as StateMachine, it as ConflictError, j as envelope, k as createQueryParser, l as convertOpenApiSchemas, lt as OrgRequiredError, m as JsonSchema, mt as createDomainError, n as EventsDecorator, nt as validateResourceConfig, o as createStateMachine, ot as ForbiddenError, p as toJsonSchema, pt as ValidationError, q as CircuitBreakerStats, r as hasEvents, rt as ArcError, s as simpleEqualityMatcher, st as NotFoundError, t as getUserId, tt as formatValidationErrors, u as convertRouteSchema, ut as RateLimitError, v as getListQueryParams, w as responses, x as mutationResponse, y as itemResponse, z as CompensationResult } from "../index-D9t1KNaB.mjs";
-export { ArcError, ArcQueryParser, ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, CircuitBreakerOptions, CircuitBreakerRegistry, CircuitBreakerStats, CircuitState, CompensationDefinition, CompensationError, CompensationHooks, CompensationResult, CompensationStep, ConfigError, ConflictError, ErrorDetails, EventsDecorator, ForbiddenError, Guard, GuardConfig, JsonSchema, JsonSchemaTarget, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, StateMachine, TransitionConfig, UnauthorizedError, ValidateOptions, ValidationError, ValidationResult, assertValidConfig, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, envelope, errorResponseSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, simpleEqualityMatcher, successResponseSchema, toJsonSchema, validateResourceConfig, withCompensation, wrapResponse };
+import { $ as ValidateOptions, A as ArcQueryParserOptions, B as CompensationResult, C as keysetListResponse, D as queryParams, E as paginationSchema, F as defineGuard, G as CircuitBreakerError, H as defineCompensation, I as defineErrorMapper, J as CircuitBreakerStats, K as CircuitBreakerOptions, L as CompensationDefinition, M as handleRaw, N as Guard, O as responses, P as GuardConfig, Q as ConfigError, R as CompensationError, S as getListQueryParams, T as offsetListResponse, U as withCompensation, V as CompensationStep, W as CircuitBreaker, X as createCircuitBreaker, Y as CircuitState, Z as createCircuitBreakerRegistry, _ as bareListResponse, _t as isArcError, a as TransitionConfig, at as ConflictError, b as errorDetailSchema, c as JsonSchemaTarget, ct as NotFoundError, d as isJsonSchema, dt as RateLimitError, et as ValidationResult, f as isZodSchema, ft as ServiceUnavailableError, g as aggregateListResponse, gt as createError, h as JsonSchema, ht as createDomainError, i as StateMachine, it as ArcError, j as createQueryParser, k as ArcQueryParser, l as convertOpenApiSchemas, lt as OrgAccessDeniedError, m as scheduleBackground, mt as ValidationError, n as EventsDecorator, nt as formatValidationErrors, o as createStateMachine, ot as ErrorOptions, p as toJsonSchema, pt as UnauthorizedError, q as CircuitBreakerRegistry, r as hasEvents, rt as validateResourceConfig, s as simpleEqualityMatcher, st as ForbiddenError, t as getUserId, tt as assertValidConfig, u as convertRouteSchema, ut as OrgRequiredError, v as deleteResponse, w as listResponse, x as getDefaultCrudSchemas, y as errorContractSchema, z as CompensationHooks } from "../index-Dz5IKsrE.mjs";
+export { ArcError, ArcQueryParser, ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, CircuitBreakerOptions, CircuitBreakerRegistry, CircuitBreakerStats, CircuitState, CompensationDefinition, CompensationError, CompensationHooks, CompensationResult, CompensationStep, ConfigError, ConflictError, ErrorOptions, EventsDecorator, ForbiddenError, Guard, GuardConfig, JsonSchema, JsonSchemaTarget, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, StateMachine, TransitionConfig, UnauthorizedError, ValidateOptions, ValidationError, ValidationResult, aggregateListResponse, assertValidConfig, bareListResponse, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, errorContractSchema, errorDetailSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, keysetListResponse, listResponse, offsetListResponse, paginationSchema, queryParams, responses, scheduleBackground, simpleEqualityMatcher, toJsonSchema, validateResourceConfig, withCompensation };

package/dist/utils/index.mjs

@@ -1,5 +1,5 @@
-import { A as createQueryParser, C as mutationResponse, D as successResponseSchema, E as responses, M as simpleEqualityMatcher, O as wrapResponse, S as listResponse, T as queryParams, _ as deleteResponse, a as defineErrorMapper, b as getListQueryParams, c as CircuitBreaker, d as CircuitState, f as createCircuitBreaker, g as validateResourceConfig, h as formatValidationErrors, i as defineGuard, j as getUserId, k as ArcQueryParser, l as CircuitBreakerError, m as assertValidConfig, n as handleRaw, o as defineCompensation, p as createCircuitBreakerRegistry, r as envelope, s as withCompensation, t as createStateMachine, u as CircuitBreakerRegistry, v as errorResponseSchema, w as paginationSchema, x as itemResponse, y as getDefaultCrudSchemas } from "../utils-CcYTj09l.mjs";
-import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createDomainError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-D5c-5BJL.mjs";
-import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-B0oKLuqI.mjs";
-import { t as hasEvents } from "../typeGuards-CcFZXgU7.mjs";
-export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, assertValidConfig, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, envelope, errorResponseSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, itemResponse, listResponse, mutationResponse, paginationSchema, queryParams, responses, simpleEqualityMatcher, successResponseSchema, toJsonSchema, validateResourceConfig, withCompensation, wrapResponse };
+import { a as OrgAccessDeniedError, c as ServiceUnavailableError, d as createDomainError, f as createError, i as NotFoundError, l as UnauthorizedError, n as ConflictError, o as OrgRequiredError, p as isArcError, r as ForbiddenError, s as RateLimitError, t as ArcError, u as ValidationError } from "../errors-j4aJm1Wg.mjs";
+import { A as assertValidConfig, C as withCompensation, D as CircuitState, E as CircuitBreakerRegistry, M as validateResourceConfig, N as simpleEqualityMatcher, O as createCircuitBreaker, S as defineCompensation, T as CircuitBreakerError, _ as ArcQueryParser, a as bareListResponse, b as defineGuard, c as errorDetailSchema, d as keysetListResponse, f as listResponse, g as responses, h as queryParams, i as aggregateListResponse, j as formatValidationErrors, k as createCircuitBreakerRegistry, l as getDefaultCrudSchemas, m as paginationSchema, n as createStateMachine, o as deleteResponse, p as offsetListResponse, r as scheduleBackground, s as errorContractSchema, t as getUserId, u as getListQueryParams, v as createQueryParser, w as CircuitBreaker, x as defineErrorMapper, y as handleRaw } from "../utils-_h9B3c57.mjs";
+import { a as toJsonSchema, i as isZodSchema, n as convertRouteSchema, r as isJsonSchema, t as convertOpenApiSchemas } from "../schemaConverter-De34B1ZG.mjs";
+import { t as hasEvents } from "../typeGuards-BzkXkvVv.mjs";
+export { ArcError, ArcQueryParser, CircuitBreaker, CircuitBreakerError, CircuitBreakerRegistry, CircuitState, ConflictError, ForbiddenError, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, UnauthorizedError, ValidationError, aggregateListResponse, assertValidConfig, bareListResponse, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, errorContractSchema, errorDetailSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, keysetListResponse, listResponse, offsetListResponse, paginationSchema, queryParams, responses, scheduleBackground, simpleEqualityMatcher, toJsonSchema, validateResourceConfig, withCompensation };