npm - @classytic/arc - Versions diffs - 2.11.4 → 2.14.0 - Mend

@classytic/arc 2.11.4 → 2.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/README.md +16 -12
package/dist/{BaseController-swXruJ2_.mjs → BaseController-DX_T-bDB.mjs} +388 -423
package/dist/EventTransport-CT_52aWU.d.mts +34 -0
package/dist/EventTransport-DLWoUMHy.mjs +103 -0
package/dist/{ResourceRegistry-DkAeAuTX.mjs → ResourceRegistry-CTERg_2x.mjs} +139 -66
package/dist/audit/index.d.mts +2 -2
package/dist/audit/index.mjs +1 -1
package/dist/auth/audit.d.mts +199 -0
package/dist/auth/audit.mjs +288 -0
package/dist/auth/index.d.mts +3 -3
package/dist/auth/index.mjs +117 -191
package/dist/{betterAuthOpenApi-DwxtK3uG.mjs → betterAuthOpenApi--M_i87dQ.mjs} +1 -1
package/dist/buildHandler-olo-gt94.mjs +610 -0
package/dist/cache/index.mjs +3 -3
package/dist/cli/commands/describe.d.mts +89 -13
package/dist/cli/commands/describe.mjs +56 -2
package/dist/cli/commands/docs.mjs +2 -2
package/dist/cli/commands/generate.mjs +147 -48
package/dist/cli/commands/init.d.mts +13 -0
package/dist/cli/commands/init.mjs +130 -87
package/dist/cli/commands/introspect.mjs +8 -1
package/dist/context/index.mjs +1 -1
package/dist/core/index.d.mts +3 -3
package/dist/core/index.mjs +5 -5
package/dist/core-DECn6zaU.mjs +1399 -0
package/dist/{createActionRouter-CIKOcNA7.mjs → createActionRouter-CBxLLbn3.mjs} +7 -20
package/dist/createAggregationRouter-CRIBv4sC.mjs +114 -0
package/dist/{createApp-C9bRrqlX.mjs → createApp-XX2-N0Yd.mjs} +28 -22
package/dist/{defineEvent-D1Ky9M1D.mjs → defineEvent-D5h7EvAx.mjs} +1 -1
package/dist/docs/index.d.mts +24 -11
package/dist/docs/index.mjs +2 -2
package/dist/{elevation-DOFoxoDs.mjs → elevation-DgoeTyfX.mjs} +1 -1
package/dist/errorHandler-Bk-AGhkU.mjs +174 -0
package/dist/errorHandler-DFr45ZG4.d.mts +45 -0
package/dist/errors-j4aJm1Wg.mjs +184 -0
package/dist/{eventPlugin-Cts2-Tfj.mjs → eventPlugin-CaKTYkYM.mjs} +28 -4
package/dist/{eventPlugin-DDJoNEPL.d.mts → eventPlugin-qXpqTebY.d.mts} +24 -1
package/dist/events/index.d.mts +6 -6
package/dist/events/index.mjs +11 -35
package/dist/events/transports/redis-stream-entry.d.mts +1 -1
package/dist/events/transports/redis.d.mts +1 -1
package/dist/factory/index.d.mts +2 -2
package/dist/factory/index.mjs +2 -2
package/dist/{fields-BRjxOAFp.d.mts → fields-COhcH3fk.d.mts} +23 -2
package/dist/hooks/index.d.mts +1 -1
package/dist/hooks/index.mjs +1 -1
package/dist/idempotency/index.d.mts +1 -1
package/dist/idempotency/index.mjs +1 -20
package/dist/idempotency/redis.mjs +1 -1
package/dist/{index-rHjXmJar.d.mts → index-BTqLEvhu.d.mts} +163 -3
package/dist/{index-CXXRbnf8.d.mts → index-BtW7qYwa.d.mts} +660 -326
package/dist/{index-m8mOOlFW.d.mts → index-Ds61mrJE.d.mts} +50 -4
package/dist/{index-D9t1KNaB.d.mts → index-Dz5IKsrE.d.mts} +360 -219
package/dist/index.d.mts +6 -7
package/dist/index.mjs +9 -10
package/dist/integrations/event-gateway.d.mts +1 -1
package/dist/integrations/event-gateway.mjs +1 -1
package/dist/integrations/index.d.mts +1 -1
package/dist/integrations/mcp/index.d.mts +2 -2
package/dist/integrations/mcp/index.mjs +1 -1
package/dist/integrations/mcp/testing.d.mts +1 -1
package/dist/integrations/mcp/testing.mjs +1 -1
package/dist/integrations/streamline.d.mts +60 -11
package/dist/integrations/streamline.mjs +75 -85
package/dist/integrations/websocket.mjs +2 -8
package/dist/middleware/index.d.mts +1 -1
package/dist/middleware/index.mjs +2 -2
package/dist/migrations/index.d.mts +23 -3
package/dist/migrations/index.mjs +0 -7
package/dist/{multipartBody-CvTR1Un6.mjs → multipartBody-BOvVSVCD.mjs} +11 -8
package/dist/openapi-noXno2CV.mjs +968 -0
package/dist/org/index.d.mts +2 -2
package/dist/org/index.mjs +1 -1
package/dist/permissions/index.d.mts +3 -3
package/dist/permissions/index.mjs +3 -3
package/dist/{permissions-gd_aUWrR.mjs → permissions-ohQyv50e.mjs} +404 -176
package/dist/{pipe-DVoIheVC.mjs → pipe-Zr0KXjQe.mjs} +1 -1
package/dist/pipeline/index.d.mts +1 -1
package/dist/pipeline/index.mjs +1 -1
package/dist/plugins/index.d.mts +16 -31
package/dist/plugins/index.mjs +33 -13
package/dist/plugins/response-cache.mjs +1 -1
package/dist/plugins/tracing-entry.mjs +1 -1
package/dist/presets/filesUpload.d.mts +4 -4
package/dist/presets/filesUpload.mjs +6 -9
package/dist/presets/index.d.mts +1 -1
package/dist/presets/index.mjs +1 -1
package/dist/presets/multiTenant.d.mts +1 -1
package/dist/presets/multiTenant.mjs +2 -2
package/dist/presets/search.d.mts +2 -2
package/dist/presets/search.mjs +6 -8
package/dist/{presets-Z7P5w4gF.mjs → presets-BbkjdPeH.mjs} +6 -28
package/dist/{queryCachePlugin-Bq6bO6vc.mjs → queryCachePlugin-m1XsgAIJ.mjs} +3 -3
package/dist/{redis-stream-xTGxB2bm.d.mts → redis-stream-D6HzR1Z_.d.mts} +1 -1
package/dist/registry/index.d.mts +1 -1
package/dist/registry/index.mjs +2 -2
package/dist/{replyHelpers-ByllIXXV.mjs → replyHelpers-CK-FNO8E.mjs} +3 -21
package/dist/{resourceToTools-CxNmI6xF.mjs → resourceToTools-DLL32us3.mjs} +224 -71
package/dist/{routerShared-BqLRb5l7.mjs → routerShared-DrOa-26E.mjs} +41 -36
package/dist/{schemaIR-Dy2p4MxS.mjs → schemaIR-lYhC2gE5.mjs} +1 -1
package/dist/schemas/index.d.mts +100 -30
package/dist/schemas/index.mjs +86 -29
package/dist/scim/index.d.mts +264 -0
package/dist/scim/index.mjs +963 -0
package/dist/scope/index.d.mts +3 -3
package/dist/scope/index.mjs +4 -4
package/dist/{sse-V7aXc3bW.mjs → sse-Bz-5ZeTt.mjs} +1 -1
package/dist/{store-helpers-Cp4uKC1U.mjs → store-helpers-BkIN9-vu.mjs} +1 -1
package/dist/testing/index.d.mts +2 -8
package/dist/testing/index.mjs +16 -24
package/dist/types/index.d.mts +4 -4
package/dist/{types-D7KpfiL1.d.mts → types-BvqwCCSx.d.mts} +73 -25
package/dist/{types-DDyTPc6y.d.mts → types-CTYvcwHe.d.mts} +195 -1
package/dist/{types-AOD8fxIw.mjs → types-C_s5moIu.mjs} +117 -1
package/dist/{types-BQ9TJQNy.d.mts → types-DQHFc8PM.d.mts} +1 -1
package/dist/utils/index.d.mts +2 -2
package/dist/utils/index.mjs +5 -5
package/dist/{utils-CcYTj09l.mjs → utils-_h9B3c57.mjs} +1269 -1334
package/dist/{versioning-DsglKfM_.d.mts → versioning-DTTvc80y.d.mts} +1 -1
package/package.json +24 -34
package/skills/arc/SKILL.md +147 -51
package/skills/arc/references/agent-auth.md +238 -0
package/skills/arc/references/api-reference.md +187 -0
package/skills/arc/references/auth.md +354 -7
package/skills/arc/references/enterprise-auth.md +94 -0
package/skills/arc/references/events.md +8 -6
package/skills/arc/references/mcp.md +2 -2
package/skills/arc/references/multi-tenancy.md +11 -2
package/skills/arc/references/production.md +10 -9
package/skills/arc/references/scim.md +247 -0
package/skills/arc/references/testing.md +1 -1
package/skills/arc-code-review/SKILL.md +141 -0
package/skills/arc-code-review/references/anti-patterns.md +911 -0
package/skills/arc-code-review/references/arc-cheatsheet.md +380 -0
package/skills/arc-code-review/references/migration-recipes.md +700 -0
package/skills/arc-code-review/references/mongokit-migration.md +386 -0
package/skills/arc-code-review/references/scaffolding.md +230 -0
package/skills/arc-code-review/references/severity.md +127 -0
package/dist/EventTransport-BFQjw9pB.mjs +0 -133
package/dist/EventTransport-CYNUXdCJ.d.mts +0 -293
package/dist/adapters/index.d.mts +0 -3
package/dist/adapters/index.mjs +0 -2
package/dist/adapters-DUUiiimH.mjs +0 -964
package/dist/auth/mongoose.d.mts +0 -191
package/dist/auth/mongoose.mjs +0 -73
package/dist/core-CbcQRIch.mjs +0 -1054
package/dist/errorHandler-BQm8ZxTK.mjs +0 -173
package/dist/errorHandler-DEWmGWPz.d.mts +0 -114
package/dist/errors-D5c-5BJL.mjs +0 -232
package/dist/index-Rg8axYPz.d.mts +0 -370
package/dist/openapi-D7G1V7ex.mjs +0 -557
/package/dist/{HookSystem-CGsMd6oK.mjs → HookSystem-Iiebom92.mjs} +0 -0
/package/dist/{actionPermissions-sUUKDhtP.mjs → actionPermissions-CyUkQu6O.mjs} +0 -0
/package/dist/{caching-CheW3m-S.mjs → caching-SM8gghN6.mjs} +0 -0
/package/dist/{constants-BhY1OHoH.mjs → constants-Cxde4rpC.mjs} +0 -0
/package/dist/{elevation-BQQXZ_VR.d.mts → elevation-BXOWoGCF.d.mts} +0 -0
/package/dist/{keys-CARyUjiR.mjs → keys-CGcCbNyu.mjs} +0 -0
/package/dist/{loadResources-CPpkyKfM.mjs → loadResources-DBMQg_Aj.mjs} +0 -0
/package/dist/{memory-DikHSvWa.mjs → memory-UBydS5ku.mjs} +0 -0
/package/dist/{metrics-Csh4nsvv.mjs → metrics-Qnvwc-LQ.mjs} +0 -0
/package/dist/{pluralize-CWP6MB39.mjs → pluralize-DQgqgifU.mjs} +0 -0
/package/dist/{registry-D63ee7fl.mjs → registry-I-ogLgL9.mjs} +0 -0
/package/dist/{requestContext-C5XeK3VA.mjs → requestContext-SSaaTgW8.mjs} +0 -0
/package/dist/{schemaConverter-B0oKLuqI.mjs → schemaConverter-De34B1ZG.mjs} +0 -0
/package/dist/{typeGuards-CcFZXgU7.mjs → typeGuards-BzkXkvVv.mjs} +0 -0
/package/dist/{types-DV9WDfeg.mjs → types-D57iXYb8.mjs} +0 -0
/package/dist/{versioning-CGPjkqAg.mjs → versioning-BUrT5aP4.mjs} +0 -0

package/dist/auth/index.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
-import { _ as requireTeamMembership, m as requireOrgRole, p as requireOrgMembership } from "../permissions-gd_aUWrR.mjs";
-import { n as normalizeRoles, t as getUserRoles } from "../types-DV9WDfeg.mjs";
-import { t as ArcError } from "../errors-D5c-5BJL.mjs";
-import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi-DwxtK3uG.mjs";
+import { d as createDomainError, l as UnauthorizedError, p as isArcError, t as ArcError } from "../errors-j4aJm1Wg.mjs";
+import { _ as requireOrgMembership, v as requireOrgRole, x as requireTeamMembership } from "../permissions-ohQyv50e.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-D57iXYb8.mjs";
+import { n as extractBetterAuthOpenApi } from "../betterAuthOpenApi--M_i87dQ.mjs";
 import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/auth/authPlugin.ts
@@ -88,17 +88,17 @@ const authPlugin = async (fastify, opts = {}) => {
 				const token = resolveToken(request);
 				if (token) {
 					const decoded = jwtContext.verify(token);
-					if (decoded.type === "refresh") throw new Error("Refresh tokens cannot be used for authentication");
-					if (strictTokenType && decoded.type !== "access") throw new Error("Invalid token type: expected access token");
+					if (decoded.type === "refresh") throw createDomainError("arc.auth.invalid_token_type", "Refresh tokens cannot be used for authentication", 401);
+					if (strictTokenType && decoded.type !== "access") throw createDomainError("arc.auth.invalid_token_type", "Invalid token type: expected access token", 401);
 					user = decoded;
 				}
-			} else throw new Error("No authenticator configured. Provide auth.authenticate function or auth.jwt.secret.");
-			if (!user) throw new Error("Authentication required");
+			} else throw createDomainError("arc.auth.misconfigured", "No authenticator configured. Provide auth.authenticate function or auth.jwt.secret.", 500);
+			if (!user) throw new UnauthorizedError("Authentication required");
 			if (isRevoked) try {
-				if (await isRevoked(user)) throw new Error("Token has been revoked");
+				if (await isRevoked(user)) throw createDomainError("arc.auth.token_revoked", "Token has been revoked", 401);
 			} catch (revokeErr) {
-				if (revokeErr instanceof Error && revokeErr.message === "Token has been revoked") throw revokeErr;
-				throw new Error("Token revocation check failed");
+				if (isArcError(revokeErr) && revokeErr.code === "arc.auth.token_revoked") throw revokeErr;
+				throw createDomainError("arc.auth.revocation_check_failed", "Token revocation check failed", 401);
 			}
 			const reqRecord = request;
 			reqRecord.user = user;
@@ -126,11 +126,20 @@ const authPlugin = async (fastify, opts = {}) => {
 				await onFailure(request, reply, error);
 				return;
 			}
+			if (isArcError(error)) {
+				const message = exposeAuthErrors ? error.message : "Authentication required";
+				reply.code(error.statusCode).send({
+					code: error.code,
+					message,
+					status: error.statusCode
+				});
+				return;
+			}
 			const message = exposeAuthErrors ? error.message : "Authentication required";
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message
+				code: "arc.unauthorized",
+				message,
+				status: 401
 			});
 		}
 	};
@@ -193,7 +202,7 @@ const authPlugin = async (fastify, opts = {}) => {
 	* App calls this after validating credentials (login, OAuth, etc.)
 	*/
 	const issueTokens = (payload, options) => {
-		if (!jwtContext) throw new Error("JWT not configured. Provide auth.jwt.secret to use issueTokens.");
+		if (!jwtContext) throw createDomainError("arc.auth.misconfigured", "JWT not configured. Provide auth.jwt.secret to use issueTokens.", 500);
 		const accessTtl = options?.expiresIn ?? accessExpiresIn;
 		const refreshTtl = options?.refreshExpiresIn ?? refreshExpiresIn;
 		const accessToken = jwtContext.sign({
@@ -228,9 +237,9 @@ const authPlugin = async (fastify, opts = {}) => {
 	* App calls this in refresh endpoint
 	*/
 	const verifyRefreshToken = (token) => {
-		if (!jwtContext) throw new Error("JWT not configured. Provide auth.jwt.secret to use verifyRefreshToken.");
+		if (!jwtContext) throw createDomainError("arc.auth.misconfigured", "JWT not configured. Provide auth.jwt.secret to use verifyRefreshToken.", 500);
 		const decoded = fastify.jwt.verify(token, { ...refreshSecret !== jwtConfig?.secret ? { key: refreshSecret } : {} });
-		if (decoded.type !== "refresh") throw new Error("Invalid token type: expected refresh token");
+		if (decoded.type !== "refresh") throw createDomainError("arc.auth.invalid_token_type", "Invalid token type: expected refresh token", 401);
 		return decoded;
 	};
 	/**
@@ -246,9 +255,9 @@ const authPlugin = async (fastify, opts = {}) => {
 			const user = reqRecord[userProperty] ?? reqRecord.user;
 			if (!user) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No user context"
+					code: "arc.unauthorized",
+					message: "No user context",
+					status: 401
 				});
 				return;
 			}
@@ -256,9 +265,9 @@ const authPlugin = async (fastify, opts = {}) => {
 			if (allowedRoles.length === 1 && allowedRoles[0] === "*") return;
 			if (!allowedRoles.some((role) => userRoles.includes(role))) {
 				reply.code(403).send({
-					success: false,
-					error: "Forbidden",
-					message: `Requires one of: ${allowedRoles.join(", ")}`
+					code: "arc.forbidden",
+					message: `Requires one of: ${allowedRoles.join(", ")}`,
+					status: 403
 				});
 				return;
 			}
@@ -334,65 +343,84 @@ async function sendFetchResponse(response, reply) {
 	}
 }
 /**
-* Try to get session via Better Auth's direct JS API.
-* Returns null if the API method is not available (older Better Auth versions).
+* Resolve the current session via Better Auth's direct JS API.
+*
+* Throws `ArcError(BETTER_AUTH_API_MISSING)` when `auth.api.getSession` is
+* absent — this surfaces immediately and clearly when an integrator passes a
+* stub handler instead of a real `betterAuth()` instance.
 */
-async function tryDirectGetSession(auth, headers) {
+async function getSessionDirect(auth, headers) {
 	const api = auth.api;
-	if (!api || typeof api.getSession !== "function") return null;
-	try {
-		const result = await api.getSession({ headers });
-		if (result?.user) return result;
-		return null;
-	} catch {
-		return null;
-	}
+	if (!api || typeof api.getSession !== "function") throw new ArcError("Better Auth instance is missing `api.getSession` — arc 2.13+ requires the in-process API map. Pass a real `betterAuth()` instance or supply an `api: { getSession }` stub.", {
+		code: "BETTER_AUTH_API_MISSING",
+		statusCode: 500
+	});
+	const result = await api.getSession({ headers });
+	return result?.user ? result : null;
 }
 /**
-* Try to get active org member via direct JS API.
-* Returns roles array or null if not available.
+* Read a method from `auth.api` — supports both the flat shape that real
+* `betterAuth()` instances expose (`api.getActiveMember`) and the nested
+* shape some test mocks / older builds use (`api.organization.getActiveMember`).
+*
+* Real Better Auth 1.6.x flattens every plugin endpoint onto the top-level
+* `api` object. The nested form is kept as a fallback for hand-rolled stubs.
 */
-async function tryDirectGetActiveMember(auth, headers) {
-	const getActiveMember = auth.api?.organization?.getActiveMember;
-	if (typeof getActiveMember !== "function") return null;
+function pickApiMethod(auth, name, group) {
+	const api = auth.api;
+	if (!api) return void 0;
+	const flat = api[name];
+	if (typeof flat === "function") return flat;
+	if (group) {
+		const nested = api[group]?.[name];
+		if (typeof nested === "function") return nested;
+	}
+}
+/** Resolve org roles for the active member (session.activeOrganizationId path). */
+async function getActiveMemberRoles(auth, headers) {
+	const fn = pickApiMethod(auth, "getActiveMember", "organization");
+	if (!fn) return null;
 	try {
-		const memberData = await getActiveMember({ headers });
-		if (memberData) return extractRolesFromMembership(memberData);
-		return null;
+		const memberData = await fn({ headers });
+		return memberData ? extractRolesFromMembership(memberData) : null;
 	} catch {
 		return null;
 	}
 }
 /**
-* Look up member role by explicit organizationId (query param).
+* Resolve org roles for an explicit organizationId.
 *
-* Better Auth's `getActiveMemberRole` endpoint accepts an `organizationId`
-* query parameter, bypassing the session's `activeOrganizationId`.
-* This is essential for API key auth where the synthetic session has no
-* active organization set — callers pass org context via `x-organization-id` header.
+* Required for API key auth where the synthetic session lacks
+* `activeOrganizationId` — callers pass org context via the
+* `x-organization-id` header.
 */
-async function tryDirectGetMemberRole(auth, headers, organizationId) {
-	const getActiveMemberRole = auth.api?.organization?.getActiveMemberRole;
-	if (typeof getActiveMemberRole !== "function") return null;
+async function getMemberRolesByOrg(auth, headers, organizationId) {
+	const fn = pickApiMethod(auth, "getActiveMemberRole", "organization");
+	if (!fn) return null;
 	try {
-		const result = await getActiveMemberRole({
+		const result = await fn({
 			headers,
 			query: { organizationId }
 		});
-		if (result?.role) return normalizeRoles(result.role);
-		return null;
+		return result?.role ? normalizeRoles(result.role) : null;
 	} catch {
 		return null;
 	}
 }
 /**
-* Try to list teams via direct JS API.
+* List teams the current user is a member of. Used to validate
+* `activeTeamId` against the membership set before binding it to scope.
+*
+* Better Auth 1.6+ exposes this as `auth.api.listUserTeams` (path:
+* `/organization/list-user-teams`). Older 1.5.x exposed
+* `auth.api.listTeams` — kept as a fallback so stubs/older versions still
+* work.
 */
-async function tryDirectListTeams(auth, headers) {
-	const listTeams = auth.api?.organization?.listTeams;
-	if (typeof listTeams !== "function") return null;
+async function listTeamsDirect(auth, headers) {
+	const fn = pickApiMethod(auth, "listUserTeams", "organization") ?? pickApiMethod(auth, "listTeams", "organization");
+	if (!fn) return null;
 	try {
-		const result = await listTeams({ headers });
+		const result = await fn({ headers });
 		const teams = Array.isArray(result) ? result : result?.teams;
 		return Array.isArray(teams) ? teams : null;
 	} catch {
@@ -432,61 +460,6 @@ function extractRolesFromMembership(membership) {
 	}
 	return [];
 }
-/** Match an organization membership entry against the active org id */
-function membershipMatchesOrg(membership, activeOrgId) {
-	return [
-		normalizeId(membership.organizationId),
-		normalizeId(membership.orgId),
-		normalizeId(membership.id),
-		normalizeId(membership.organization?._id),
-		normalizeId(membership.organization?.id),
-		normalizeId(membership.organization?.organizationId)
-	].filter(Boolean).includes(activeOrgId);
-}
-/**
-* Resolve org roles with fallback chain:
-* 1) GET /organization/get-active-member (requires activeOrganizationId in session)
-* 2) GET /organization/get-active-member-role?organizationId=... (explicit org — works for API key auth)
-* 3) GET /organization/list (fallback for type mismatch/legacy ID storage)
-*/
-async function resolveOrgRoles(auth, protocol, host, normalizedBase, headers, activeOrgId) {
-	const memberUrl = `${protocol}://${host}${normalizedBase}/organization/get-active-member`;
-	const memberRequest = new Request(memberUrl, {
-		method: "GET",
-		headers
-	});
-	const memberResponse = await auth.handler(memberRequest);
-	if (memberResponse.ok) {
-		const memberData = await memberResponse.json();
-		if (memberData) return extractRolesFromMembership(memberData);
-	}
-	const roleUrl = `${protocol}://${host}${normalizedBase}/organization/get-active-member-role?organizationId=${encodeURIComponent(activeOrgId)}`;
-	const roleRequest = new Request(roleUrl, {
-		method: "GET",
-		headers
-	});
-	const roleResponse = await auth.handler(roleRequest);
-	if (roleResponse.ok) {
-		const roleData = await roleResponse.json();
-		if (roleData?.role) return normalizeRoles(roleData.role);
-	}
-	const listUrl = `${protocol}://${host}${normalizedBase}/organization/list`;
-	const listRequest = new Request(listUrl, {
-		method: "GET",
-		headers
-	});
-	const listResponse = await auth.handler(listRequest);
-	if (!listResponse.ok) return null;
-	const listData = await listResponse.json();
-	const memberships = Array.isArray(listData) ? listData : listData?.organizations ?? listData?.data ?? [];
-	if (!Array.isArray(memberships)) return null;
-	const target = memberships.find((entry) => {
-		if (!entry || typeof entry !== "object") return false;
-		return membershipMatchesOrg(entry, activeOrgId);
-	});
-	if (!target) return null;
-	return extractRolesFromMembership(target);
-}
 /**
 * Create a Better Auth adapter for Arc/Fastify.
 *
@@ -527,33 +500,13 @@ function createBetterAuthAdapter(options) {
 	*/
 	const authenticate = async (request, reply) => {
 		try {
-			const protocol = request.protocol ?? "http";
-			const host = request.hostname ?? "localhost";
 			const headers = buildHeaders(request);
-			let sessionData = null;
-			sessionData = await tryDirectGetSession(auth, headers);
-			if (!sessionData) {
-				const sessionUrl = `${protocol}://${host}${normalizedBase}/get-session`;
-				const sessionRequest = new Request(sessionUrl, {
-					method: "GET",
-					headers
-				});
-				const sessionResponse = await auth.handler(sessionRequest);
-				if (!sessionResponse.ok) {
-					reply.code(401).send({
-						success: false,
-						error: "Unauthorized",
-						message: "Invalid or expired session"
-					});
-					return;
-				}
-				sessionData = await sessionResponse.json();
-			}
+			const sessionData = await getSessionDirect(auth, headers);
 			if (!sessionData?.user) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No active session"
+					code: "arc.unauthorized",
+					message: "Invalid or expired session",
+					status: 401
 				});
 				return;
 			}
@@ -572,9 +525,8 @@ function createBetterAuthAdapter(options) {
 				const session = sessionData.session;
 				const activeOrgId = session?.activeOrganizationId || request.headers["x-organization-id"];
 				if (activeOrgId) {
-					let orgRoles = await tryDirectGetActiveMember(auth, headers);
-					if (!orgRoles) orgRoles = await tryDirectGetMemberRole(auth, headers, activeOrgId);
-					if (!orgRoles) orgRoles = await resolveOrgRoles(auth, protocol, host, normalizedBase, headers, activeOrgId);
+					let orgRoles = await getActiveMemberRoles(auth, headers);
+					if (!orgRoles) orgRoles = await getMemberRolesByOrg(auth, headers, activeOrgId);
 					if (orgRoles) {
 						const scope = {
 							kind: "member",
@@ -585,21 +537,7 @@ function createBetterAuthAdapter(options) {
 						};
 						const activeTeamId = session?.activeTeamId;
 						if (activeTeamId) {
-							let teams = await tryDirectListTeams(auth, headers);
-							if (!teams) {
-								const teamsUrl = `${protocol}://${host}${normalizedBase}/organization/list-teams`;
-								const teamsRequest = new Request(teamsUrl, {
-									method: "GET",
-									headers
-								});
-								const teamsResponse = await auth.handler(teamsRequest);
-								if (teamsResponse.ok) {
-									const teamsData = await teamsResponse.json();
-									const teamsList = Array.isArray(teamsData) ? teamsData : teamsData?.teams;
-									teams = Array.isArray(teamsList) ? teamsList : [];
-								}
-							}
-							if (teams?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
+							if ((await listTeamsDirect(auth, headers))?.some((t) => normalizeId(t.id) === activeTeamId)) scope.teamId = activeTeamId;
 						}
 						req.scope = scope;
 					}
@@ -608,9 +546,9 @@ function createBetterAuthAdapter(options) {
 		} catch (err) {
 			const message = exposeAuthErrors ? err instanceof Error ? err.message : String(err) : "Authentication required";
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message
+				code: "arc.unauthorized",
+				message,
+				status: 401
 			});
 		}
 	};
@@ -625,17 +563,7 @@ function createBetterAuthAdapter(options) {
 	const optionalAuthenticate = async (request, _reply) => {
 		try {
 			const headers = buildHeaders(request);
-			let sessionData = null;
-			sessionData = await tryDirectGetSession(auth, headers);
-			if (!sessionData) {
-				const sessionUrl = `${request.protocol ?? "http"}://${request.hostname ?? "localhost"}${normalizedBase}/get-session`;
-				const sessionRequest = new Request(sessionUrl, {
-					method: "GET",
-					headers
-				});
-				const sessionResponse = await auth.handler(sessionRequest);
-				if (sessionResponse.ok) sessionData = await sessionResponse.json();
-			}
+			const sessionData = await getSessionDirect(auth, headers);
 			if (!sessionData?.user) return;
 			const req = request;
 			req.user = sessionData.user;
@@ -651,9 +579,8 @@ function createBetterAuthAdapter(options) {
 			if (orgEnabled) {
 				const activeOrgId = sessionData.session?.activeOrganizationId || request.headers["x-organization-id"];
 				if (activeOrgId) {
-					let orgRoles = await tryDirectGetActiveMember(auth, headers);
-					if (!orgRoles) orgRoles = await tryDirectGetMemberRole(auth, headers, activeOrgId);
-					if (!orgRoles) orgRoles = await resolveOrgRoles(auth, request.protocol ?? "http", request.hostname ?? "localhost", normalizedBase, headers, activeOrgId);
+					let orgRoles = await getActiveMemberRoles(auth, headers);
+					if (!orgRoles) orgRoles = await getMemberRolesByOrg(auth, headers, activeOrgId);
 					if (orgRoles) req.scope = {
 						kind: "member",
 						userId: optUserId,
@@ -684,7 +611,7 @@ function createBetterAuthAdapter(options) {
 		if (!fastify.hasDecorator("authenticate")) fastify.decorate("authenticate", authenticate);
 		if (!fastify.hasDecorator("optionalAuthenticate")) fastify.decorate("optionalAuthenticate", optionalAuthenticate);
 		if (!extractedOpenApi && openapiOpt !== false && auth.api && typeof auth.api === "object") {
-			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi-DwxtK3uG.mjs").then((n) => n.t);
+			const { extractBetterAuthOpenApi } = await import("../betterAuthOpenApi--M_i87dQ.mjs").then((n) => n.t);
 			extractedOpenApi = extractBetterAuthOpenApi(auth.api, {
 				basePath,
 				userFields
@@ -1006,18 +933,17 @@ function createSessionManager(options) {
 		const session = request.session;
 		if (!session) {
 			reply.code(401).send({
-				success: false,
-				error: "Unauthorized",
-				message: "Authentication required"
+				code: "arc.unauthorized",
+				message: "Authentication required",
+				status: 401
 			});
 			return;
 		}
 		if (Date.now() - session.updatedAt > freshAgeMs) {
 			reply.code(403).send({
-				success: false,
-				error: "SessionNotFresh",
+				code: "arc.forbidden",
 				message: "Session is not fresh. Please re-authenticate to perform this action.",
-				code: "SESSION_NOT_FRESH"
+				status: 403
 			});
 			return;
 		}
@@ -1028,9 +954,9 @@ function createSessionManager(options) {
 			const signedValue = parseCookies(typeof cookieHeader === "string" ? cookieHeader : void 0).get(cookieName);
 			if (!signedValue) {
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "No session cookie"
+					code: "arc.unauthorized",
+					message: "No session cookie",
+					status: 401
 				});
 				return;
 			}
@@ -1038,9 +964,9 @@ function createSessionManager(options) {
 			if (!sessionId) {
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Invalid session"
+					code: "arc.unauthorized",
+					message: "Invalid session",
+					status: 401
 				});
 				return;
 			}
@@ -1048,9 +974,9 @@ function createSessionManager(options) {
 			if (!session) {
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Session expired or revoked"
+					code: "arc.unauthorized",
+					message: "Session expired or revoked",
+					status: 401
 				});
 				return;
 			}
@@ -1058,9 +984,9 @@ function createSessionManager(options) {
 				await store.delete(sessionId);
 				reply.header("Set-Cookie", buildClearCookieHeader(cookieName, cookieOptions));
 				reply.code(401).send({
-					success: false,
-					error: "Unauthorized",
-					message: "Session expired"
+					code: "arc.unauthorized",
+					message: "Session expired",
+					status: 401
 				});
 				return;
 			}

package/dist/{betterAuthOpenApi-DwxtK3uG.mjs → betterAuthOpenApi--M_i87dQ.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
-import { a as toJsonSchema } from "./schemaConverter-B0oKLuqI.mjs";
+import { a as toJsonSchema } from "./schemaConverter-De34B1ZG.mjs";
 //#region src/auth/betterAuthOpenApi.ts
 var betterAuthOpenApi_exports = /* @__PURE__ */ __exportAll({ extractBetterAuthOpenApi: () => extractBetterAuthOpenApi });
 /**