@classytic/arc 2.14.0 → 2.14.1

package/dist/{BaseController-DX_T-bDB.mjs → BaseController-Dv60tU83.mjs}

@@ -283,6 +283,36 @@ var BodySanitizer = class {
 	}
 };
 //#endregion
+//#region src/core/fieldRulePredicates.ts
+/**
+* True when the field is allowed to appear in client-readable surfaces
+* (response payloads, `select=` whitelists, `_distinct` queries).
+*
+* Mirror of every read-side gate. Don't reach for `rules.systemManaged`
+* here — that's a write rule.
+*/
+function isFieldReadable(rule) {
+	if (!rule) return true;
+	return rule.hidden !== true;
+}
+/**
+* The set of field names blocked from read-side surfaces (used by
+* `QueryResolver.sanitizeSelectAny` and `BaseCrudController._distinct`).
+*
+* Returns `null` (not an empty array) when there are no rules to apply,
+* so call-sites can early-out without creating empty allocations.
+*/
+function collectReadBlockedFields(schemaOptions) {
+	const fieldRules = schemaOptions?.fieldRules;
+	if (!fieldRules) return null;
+	const blocked = /* @__PURE__ */ new Set();
+	for (const [field, rule] of Object.entries(fieldRules)) {
+		if (!rule) continue;
+		if (!isFieldReadable(rule)) blocked.add(field);
+	}
+	return blocked.size > 0 ? blocked : null;
+}
+//#endregion
 //#region src/core/QueryResolver.ts
 /**
 * QueryResolver - Composable query resolution logic extracted from BaseController.
@@ -419,10 +449,15 @@ var QueryResolver = class {
 		});
 		return sanitized.length > 0 ? sanitized : void 0;
 	}
-	/** Get blocked fields from schema options */
+	/**
+	* Read-side allowlist gate for `select=` / `populate=`.
+	*
+	* Only `hidden: true` blocks. `systemManaged` is a *write* rule and
+	* doesn't gate visibility — see `core/fieldRulePredicates.ts`.
+	*/
 	getBlockedFields(schemaOptions) {
-		const fieldRules = schemaOptions.fieldRules ?? {};
-		return Object.entries(fieldRules).filter(([, rules]) => rules.systemManaged || rules.hidden).map(([field]) => field);
+		const blocked = collectReadBlockedFields(schemaOptions);
+		return blocked ? Array.from(blocked) : [];
 	}
 };
 //#endregion
@@ -873,15 +908,16 @@ var BaseCrudController = class {
 		};
 	}
 	/**
-	* True when `field` is safe to expose via `_distinct`. Mirrors the
-	* `select` allowlist — fields marked `hidden` or `systemManaged` in
-	* `schemaOptions.fieldRules` are NOT exposed (would leak password
-	* hashes, internal flags, etc).
+	* True when `field` is safe to expose via `_distinct`.
+	*
+	* Read-side gate only — only `hidden: true` blocks. `systemManaged`
+	* is a *write* rule (clients can't PATCH the value); the field is
+	* still in every list response, so blocking `_distinct` adds nothing
+	* but inconvenience. See `core/fieldRulePredicates.ts` for the
+	* canonical predicate shared with `QueryResolver`.
 	*/
 	isFieldExposedForRead(field) {
-		const rules = this.schemaOptions.fieldRules?.[field];
-		if (!rules) return true;
-		return !(rules.hidden || rules.systemManaged);
+		return isFieldReadable(this.schemaOptions.fieldRules?.[field]);
 	}
 	/** Execute list query through hooks (extracted for cache revalidation) */
 	async executeListQuery(options, req) {
@@ -1353,4 +1389,4 @@ function TreeMixin(Base) {
 */
 var BaseController = class extends SoftDeleteMixin(TreeMixin(SlugMixin(BulkMixin(BaseCrudController)))) {};
 //#endregion
-export { BulkMixin as a, BodySanitizer as c, SlugMixin as i, AccessControl as l, TreeMixin as n, BaseCrudController as o, SoftDeleteMixin as r, QueryResolver as s, BaseController as t };
+export { BulkMixin as a, collectReadBlockedFields as c, AccessControl as d, SlugMixin as i, isFieldReadable as l, TreeMixin as n, BaseCrudController as o, SoftDeleteMixin as r, QueryResolver as s, BaseController as t, BodySanitizer as u };

package/dist/auth/index.d.mts

@@ -1,4 +1,4 @@
-import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-BtW7qYwa.mjs";
+import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-Dwc0orNd.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";
@@ -191,4 +191,81 @@ interface BetterAuthOpenApiOptions {
  */
 declare function extractBetterAuthOpenApi(authApi: Record<string, unknown>, options?: BetterAuthOpenApiOptions): ExternalOpenApiPaths;
 //#endregion
-export { type AuthPluginOptions, type BetterAuthAdapterOptions, type BetterAuthAdapterResult, type BetterAuthHandler, type BetterAuthOpenApiOptions, MemorySessionStore, type MemorySessionStoreOptions, type SessionCookieOptions, type SessionData, type SessionManagerOptions, type SessionManagerResult, type SessionStore, _default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi };
+//#region src/auth/trustedOrigins.d.ts
+/**
+ * `trustedOrigins` ↔ CORS-allowlist union helper.
+ *
+ * Better Auth's `trustedOrigins` (CSRF / origin guard) and Fastify's CORS
+ * `origin` allowlist are independent — a request that survives CORS still
+ * has to pass BA's origin check. When they drift, sign-in throws
+ * `Invalid origin` 401s that don't surface CORS errors in the network
+ * panel.
+ *
+ * Hosts have written the same union by hand in every app, with the same
+ * three corner cases (array → union with canonical URL, `true` → `["*"]`,
+ * `false`/undefined → just the canonical URL). This helper centralises
+ * that rule so a future change happens in one place.
+ *
+ * @example
+ * ```ts
+ * import { betterAuth } from "better-auth";
+ * import { mirrorTrustedOriginsFromCors } from "@classytic/arc/auth";
+ * import config from "#config";
+ *
+ * export const auth = betterAuth({
+ *   secret: config.betterAuth.secret,
+ *   baseURL: process.env.BETTER_AUTH_URL,
+ *   trustedOrigins: mirrorTrustedOriginsFromCors({
+ *     corsOrigins: config.cors.origins,    // string[] | true | false
+ *     canonicalUrl: config.frontend.url,   // FRONTEND_URL — used for email link templates
+ *   }),
+ *   // ...
+ * });
+ * ```
+ *
+ * Why both inputs:
+ * - `canonicalUrl` is the single URL embedded in BA's email templates
+ *   (invitation-accept, password-reset). It MUST be in `trustedOrigins`.
+ * - `corsOrigins` is the browser allowlist. Every entry there is a real
+ *   FE host that may attempt sign-in; missing one yields the silent 401.
+ *
+ * The union dedupes — passing `canonicalUrl` already in `corsOrigins` is
+ * fine and won't duplicate the entry.
+ */
+/**
+ * Shape arc's CORS plugin and most apps use:
+ *   - `string[]` — explicit allowlist
+ *   - `true` — wildcard (`*`)
+ *   - `false` / `undefined` — no extra origins beyond `canonicalUrl`
+ *
+ * Other shapes (regex, predicate function) aren't supported here — pass
+ * an explicit array if you have dynamic logic upstream.
+ */
+type CorsOriginsConfig = readonly string[] | boolean | undefined;
+interface MirrorTrustedOriginsOptions {
+  /**
+   * CORS allowlist as configured for Fastify's CORS plugin.
+   * Most apps read this from a `CORS_ORIGINS` env var (`*` → `true`,
+   * comma-separated → `string[]`).
+   */
+  corsOrigins: CorsOriginsConfig;
+  /**
+   * The single canonical FE URL used for email-link templates
+   * (invitation-accept, password-reset). Must be a trusted origin.
+   * Typically `FRONTEND_URL`.
+   */
+  canonicalUrl: string;
+}
+/**
+ * Compute BA's `trustedOrigins` as the union of `canonicalUrl` and the
+ * CORS allowlist.
+ *
+ * Returns:
+ *   - `["*"]` when `corsOrigins === true` (wildcard CORS).
+ *   - `[canonicalUrl, ...corsOrigins]` deduped when `corsOrigins` is an
+ *     array.
+ *   - `[canonicalUrl]` when `corsOrigins` is `false` / `undefined`.
+ */
+declare function mirrorTrustedOriginsFromCors(options: MirrorTrustedOriginsOptions): string[];
+//#endregion
+export { type AuthPluginOptions, type BetterAuthAdapterOptions, type BetterAuthAdapterResult, type BetterAuthHandler, type BetterAuthOpenApiOptions, type CorsOriginsConfig, MemorySessionStore, type MemorySessionStoreOptions, type MirrorTrustedOriginsOptions, type SessionCookieOptions, type SessionData, type SessionManagerOptions, type SessionManagerResult, type SessionStore, _default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi, mirrorTrustedOriginsFromCors };

package/dist/auth/index.mjs

@@ -1029,4 +1029,22 @@ function createSessionManager(options) {
 	};
 }
 //#endregion
-export { MemorySessionStore, authPlugin_default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi };
+//#region src/auth/trustedOrigins.ts
+/**
+* Compute BA's `trustedOrigins` as the union of `canonicalUrl` and the
+* CORS allowlist.
+*
+* Returns:
+*   - `["*"]` when `corsOrigins === true` (wildcard CORS).
+*   - `[canonicalUrl, ...corsOrigins]` deduped when `corsOrigins` is an
+*     array.
+*   - `[canonicalUrl]` when `corsOrigins` is `false` / `undefined`.
+*/
+function mirrorTrustedOriginsFromCors(options) {
+	const { corsOrigins, canonicalUrl } = options;
+	if (corsOrigins === true) return ["*"];
+	if (!corsOrigins) return [canonicalUrl];
+	return Array.from(new Set([canonicalUrl, ...corsOrigins]));
+}
+//#endregion
+export { MemorySessionStore, authPlugin_default as authPlugin, authPlugin as authPluginFn, createBetterAuthAdapter, createSessionManager, extractBetterAuthOpenApi, mirrorTrustedOriginsFromCors };

package/dist/{buildHandler-olo-gt94.mjs → buildHandler-BamHHpH8.mjs}

@@ -195,10 +195,10 @@ function assertBucketFieldAllowed(input) {
 	if (dot > 0) {
 		const a = field.slice(0, dot);
 		if (lookupAliases.has(a)) return;
-		if (blockedFields.has(a)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" dateBucket "${alias}" references field "${field}" whose root "${a}" is marked hidden or systemManaged in schemaOptions.fieldRules. Bucketing on hidden fields would leak temporal info.`);
+		if (blockedFields.has(a)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" dateBucket "${alias}" references field "${field}" whose root "${a}" is blocked from aggregation (\`hidden: true\` or \`aggregable: false\` in schemaOptions.fieldRules). Bucketing hidden fields would leak temporal info.`);
 		return;
 	}
-	if (blockedFields.has(field)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" dateBucket "${alias}" references field "${field}", but the field is marked hidden or systemManaged in schemaOptions.fieldRules. Bucketing on hidden fields would leak temporal info.`);
+	if (blockedFields.has(field)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" dateBucket "${alias}" references field "${field}", but the field is blocked from aggregation (\`hidden: true\` or \`aggregable: false\` in schemaOptions.fieldRules). Bucketing hidden fields would leak temporal info.`);
 }
 /**
 * Map arc's declarative knobs onto repo-core's portable `AggExecutionHints`.
@@ -307,13 +307,34 @@ function collectLookupAliases(lookups) {
 	for (const lookup of lookups) aliases.add(lookup.as ?? lookup.from);
 	return aliases;
 }
+/**
+* Collect fields that aggregation MUST NOT reference.
+*
+* Default rule: only `hidden: true` blocks. `hidden` means the field is
+* omitted from list/get responses, so exposing it via aggregation would
+* leak data the client can't otherwise see. `systemManaged` is a write
+* rule (server stamps the value, clients can't PATCH it) — those fields
+* are still visible per-row, so aggregating them leaks nothing.
+*
+* Two opt-in overrides via `ArcFieldRule.aggregable`:
+*   - `aggregable: false` — explicit deny on a visible field (rare; use
+*     when the per-row value is fine but the across-row distribution is
+*     itself sensitive).
+*   - `aggregable: true` — explicit allow, even on a `hidden` field
+*     (escape hatch — caller asserts cardinality leak isn't a concern).
+*/
 function collectBlockedFields(schemaOptions) {
 	const blocked = /* @__PURE__ */ new Set();
 	const fieldRules = schemaOptions?.fieldRules;
 	if (!fieldRules) return blocked;
 	for (const [field, rules] of Object.entries(fieldRules)) {
 		if (!rules) continue;
-		if (rules.hidden || rules.systemManaged) blocked.add(field);
+		if (rules.aggregable === true) continue;
+		if (rules.aggregable === false) {
+			blocked.add(field);
+			continue;
+		}
+		if (rules.hidden) blocked.add(field);
 	}
 	return blocked;
 }
@@ -348,10 +369,10 @@ function assertFieldAllowed(context, ref, input) {
 	if (dot > 0) {
 		const alias = ref.slice(0, dot);
 		if (lookupAliases.has(alias)) return;
-		if (blockedFields.has(alias)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" references field "${ref}" in ${context} whose root "${alias}" is marked hidden or systemManaged in schemaOptions.fieldRules. Aggregating hidden fields would leak cardinality information.`);
+		if (blockedFields.has(alias)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" references field "${ref}" in ${context} whose root "${alias}" is blocked from aggregation (\`hidden: true\` or \`aggregable: false\` in schemaOptions.fieldRules). Aggregating hidden fields would leak cardinality information.`);
 		return;
 	}
-	if (blockedFields.has(ref)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" references field "${ref}" in ${context}, but the field is marked hidden or systemManaged in schemaOptions.fieldRules. Aggregating hidden fields would leak cardinality information.`);
+	if (blockedFields.has(ref)) throw new ArcAggregationConfigError(`Resource "${resourceName}" aggregation "${aggregationName}" references field "${ref}" in ${context}, but the field is blocked from aggregation (\`hidden: true\` or \`aggregable: false\` in schemaOptions.fieldRules). Aggregating hidden fields would leak cardinality information.`);
 }
 function extractTenantFilter(tenantOptions) {
 	const out = {};

package/dist/cli/commands/describe.d.mts

@@ -1,4 +1,4 @@
-import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-BtW7qYwa.mjs";
+import { V as ResourceDefinition, ft as RouteSchemaOptions, rt as RateLimitConfig } from "../../index-Dwc0orNd.mjs";
 
 //#region src/cli/commands/describe.d.ts
 interface DescribedResource {

package/dist/cli/commands/docs.mjs

@@ -1,5 +1,5 @@
 import { t as ResourceRegistry } from "../../ResourceRegistry-CTERg_2x.mjs";
-import { t as buildOpenApiSpec } from "../../openapi-noXno2CV.mjs";
+import { t as buildOpenApiSpec } from "../../openapi-BHXhoX8O.mjs";
 import { dirname, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 import { mkdirSync, writeFileSync } from "node:fs";

package/dist/core/index.d.mts

@@ -1,3 +1,3 @@
-import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as BodySanitizerConfig, an as BulkMixin, bt as AggMeasureInput, cn as QueryResolver, en as TreeExt, gn as BodySanitizer, hn as ListResult, in as BulkExt, kt as AggregationsMap, ln as QueryResolverConfig, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, vn as AccessControl, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, yn as AccessControlConfig } from "../index-BtW7qYwa.mjs";
-import { C as MAX_FILTER_DEPTH, D as MutationOperation, E as MUTATION_OPERATIONS, O as RESERVED_QUERY_PARAMS, S as HookPhase, T as MAX_SEARCH_LENGTH, _ as DEFAULT_TENANT_FIELD, a as getControllerScope, b as HOOK_PHASES, c as createCrudRouter, d as CRUD_OPERATIONS, f as CrudOperation, g as DEFAULT_SORT, h as DEFAULT_MAX_LIMIT, i as getControllerContext, k as SYSTEM_FIELDS, l as createPermissionMiddleware, m as DEFAULT_LIMIT, n as createFastifyHandler, o as sendControllerResponse, p as DEFAULT_ID_FIELD, r as createRequestContext, s as defineResourceVariants, t as createCrudHandlers, u as defineAggregation, v as DEFAULT_UPDATE_METHOD, w as MAX_REGEX_LENGTH, x as HookOperation, y as HOOK_OPERATIONS } from "../index-Ds61mrJE.mjs";
-export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };
+import { $t as SoftDeleteMixin, B as defineResource, Ct as AggregationConfig, Dt as AggregationMaterializedResult, Et as AggregationMaterializedContext, Ot as AggregationRateLimit, Qt as SoftDeleteExt, St as AggregationCacheConfig, Tt as AggregationIndexHint, V as ResourceDefinition, Zt as BaseController, _n as BodySanitizerConfig, an as BulkMixin, bt as AggMeasureInput, cn as QueryResolver, en as TreeExt, gn as BodySanitizer, hn as ListResult, in as BulkExt, kt as AggregationsMap, ln as QueryResolverConfig, nn as SlugExt, on as BaseControllerOptions, rn as SlugMixin, sn as BaseCrudController, tn as TreeMixin, vn as AccessControl, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, yn as AccessControlConfig } from "../index-Dwc0orNd.mjs";
+import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, a as createRequestContext, b as DEFAULT_MAX_LIMIT, c as sendControllerResponse, d as getEntityQuery, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, i as createFastifyHandler, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, l as getEntityId, m as createPermissionMiddleware, n as isFieldReadable, o as getControllerContext, p as createCrudRouter, r as createCrudHandlers, s as getControllerScope, t as collectReadBlockedFields, u as getEntityIdField, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "../index-D1-Kp_dP.mjs";
+export { AccessControl, AccessControlConfig, AggMeasureInput, AggMeasureShorthand, AggregationCacheConfig, AggregationConfig, AggregationDateRangeRequirement, AggregationIndexHint, AggregationMaterializedContext, AggregationMaterializedResult, AggregationRateLimit, AggregationsMap, BaseController, BaseControllerOptions, BaseCrudController, BodySanitizer, BodySanitizerConfig, BulkExt, BulkMixin, CRUD_OPERATIONS, CrudOperation, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, HookOperation, HookPhase, ListResult, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, MutationOperation, QueryResolver, QueryResolverConfig, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugExt, SlugMixin, SoftDeleteExt, SoftDeleteMixin, TreeExt, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/core/index.mjs

@@ -1,5 +1,5 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "../constants-Cxde4rpC.mjs";
-import { a as BulkMixin, c as BodySanitizer, i as SlugMixin, l as AccessControl, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController } from "../BaseController-DX_T-bDB.mjs";
+import { a as BulkMixin, c as collectReadBlockedFields, d as AccessControl, i as SlugMixin, l as isFieldReadable, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, s as QueryResolver, t as BaseController, u as BodySanitizer } from "../BaseController-Dv60tU83.mjs";
 import { _ as getControllerContext, g as createRequestContext, h as createFastifyHandler, m as createCrudHandlers, v as getControllerScope, y as sendControllerResponse } from "../routerShared-DrOa-26E.mjs";
-import { a as createPermissionMiddleware, i as createCrudRouter, n as defineResource, o as defineAggregation, r as ResourceDefinition, t as defineResourceVariants } from "../core-DECn6zaU.mjs";
-export { AccessControl, BaseController, BaseCrudController, BodySanitizer, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, sendControllerResponse };
+import { a as defineResource, c as createPermissionMiddleware, i as defineResourceVariants, l as defineAggregation, n as getEntityIdField, o as ResourceDefinition, r as getEntityQuery, s as createCrudRouter, t as getEntityId } from "../core-DEdN6zKD.mjs";
+export { AccessControl, BaseController, BaseCrudController, BodySanitizer, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, QueryResolver, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, collectReadBlockedFields, createCrudHandlers, createCrudRouter, createFastifyHandler, createPermissionMiddleware, createRequestContext, defineAggregation, defineResource, defineResourceVariants, getControllerContext, getControllerScope, getEntityId, getEntityIdField, getEntityQuery, isFieldReadable, sendControllerResponse };

package/dist/{core-DECn6zaU.mjs → core-DEdN6zKD.mjs}

@@ -1,7 +1,7 @@
 import { s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS } from "./constants-Cxde4rpC.mjs";
 import { arcLog } from "./logger/index.mjs";
 import { A as assertValidConfig, l as getDefaultCrudSchemas } from "./utils-_h9B3c57.mjs";
-import { t as BaseController } from "./BaseController-DX_T-bDB.mjs";
+import { t as BaseController } from "./BaseController-Dv60tU83.mjs";
 import { t as applyPresets } from "./presets-BbkjdPeH.mjs";
 import { n as convertRouteSchema, t as convertOpenApiSchemas } from "./schemaConverter-De34B1ZG.mjs";
 import { t as hasEvents } from "./typeGuards-BzkXkvVv.mjs";
@@ -121,7 +121,7 @@ function createCustomRoutes(fastify, routes, controller, options) {
 * @param options    - Router configuration
 */
 function createCrudRouter(fastify, controller, options = {}) {
-	const { tag = "Resource", schemas = {}, permissions = {}, middlewares = {}, routeGuards = [], routes: customRoutes = [], disableDefaultRoutes = false, disabledRoutes = [], resourceName = "unknown", schemaOptions, rateLimit, pipe: pipeline, fields: fieldPermissions, updateMethod = DEFAULT_UPDATE_METHOD } = options;
+	const { tag = "Resource", schemas = {}, permissions = {}, middlewares = {}, routeGuards = [], routes: customRoutes = [], disableDefaultRoutes = false, disabledRoutes = [], resourceName = "unknown", schemaOptions, rateLimit, pipe: pipeline, fields: fieldPermissions, updateMethod = DEFAULT_UPDATE_METHOD, idField } = options;
 	const rateLimitConfig = buildRateLimitConfig(rateLimit);
 	const resourceHasQueryCache = fastify.hasDecorator("queryCache") && controller && typeof controller._cacheConfig !== "undefined" && controller._cacheConfig !== void 0;
 	const pluginMw = resolveRouterPluginMw(fastify, Boolean(resourceHasQueryCache));
@@ -131,7 +131,8 @@ function createCrudRouter(fastify, controller, options = {}) {
 		permissions,
 		hooks: fastify.arc?.hooks,
 		events: fastify.events,
-		fields: fieldPermissions
+		fields: fieldPermissions,
+		idField
 	});
 	const mw = {
 		list: middlewares.list ?? [],
@@ -926,15 +927,17 @@ function buildResourcePlugin(resource) {
 				rateLimit: resource.rateLimit,
 				updateMethod: resource.updateMethod,
 				pipe: resource.pipe,
-				fields: resource.fields
+				fields: resource.fields,
+				idField: resource.idField
 			});
 			if (resource.actions && Object.keys(resource.actions).length > 0) {
-				const { createActionRouter } = await import("./createActionRouter-CBxLLbn3.mjs").then((n) => n.n);
+				const { createActionRouter } = await import("./createActionRouter-S3MLVYot.mjs").then((n) => n.n);
 				createActionRouter(typedInstance, {
 					...normalizeActionsToRouterConfig(resource.actions, resource.actionPermissions, resource.tag, resource.permissions, resource.name, typedInstance.log),
 					resourceName: resource.name,
 					fields: resource.fields,
 					schemaOptions: resource.schemaOptions,
+					idField: resource.idField,
 					permissions: resource.permissions,
 					routeGuards: resource.routeGuards,
 					pipeline: resource.pipe,
@@ -942,7 +945,7 @@ function buildResourcePlugin(resource) {
 				});
 			}
 			if (resource.aggregations && Object.keys(resource.aggregations).length > 0) {
-				const { createAggregationRouter } = await import("./createAggregationRouter-CRIBv4sC.mjs");
+				const { createAggregationRouter } = await import("./createAggregationRouter-Bk-58SbZ.mjs");
 				const repoForAgg = resource.controller?.repository;
 				const buildOptions = (req) => {
 					return resource.controller?.tenantRepoOptions?.(req) ?? {};
@@ -1293,6 +1296,7 @@ function validateDefineResourceConfig(config) {
 	validatePermissionsShape(config);
 	validateCustomRoutePermissions(config);
 	validateActionsShape(config);
+	warnRedundantFieldRules(config);
 }
 /** Permissions must be `PermissionCheck` functions, not arbitrary values. */
 function validatePermissionsShape(config) {
@@ -1308,6 +1312,33 @@ function validateCustomRoutePermissions(config) {
 	for (const route of config.routes ?? []) if (typeof route.permissions !== "function") throw new Error(`[Arc] Resource '${config.name}' route ${route.method} ${route.path}: permissions is required and must be a PermissionCheck function.`);
 }
 /**
+* Surface common field-rule misconfigurations at boot — non-fatal,
+* just a `console.warn` so hosts notice and clean up.
+*
+* Catches:
+*   1. `immutable: true` + `immutableAfterCreate: true` — `immutable`
+*      already covers `immutableAfterCreate`. Picking both signals the
+*      author wasn't sure which to use.
+*   2. `systemManaged: true` + `readonly: true` — both are write rules
+*      and `BodySanitizer` strips on either; the second flag is dead.
+*   3. `hidden: true` + `aggregable: false` — `hidden` already blocks
+*      aggregation; `aggregable: false` is redundant.
+*
+* NOT a hard error — write-rule overlap is harmless at runtime, just
+* noisy in code review.
+*/
+function warnRedundantFieldRules(config) {
+	const fieldRules = config.schemaOptions?.fieldRules;
+	if (!fieldRules) return;
+	for (const [field, rule] of Object.entries(fieldRules)) {
+		if (!rule) continue;
+		const r = rule;
+		if (r.immutable === true && r.immutableAfterCreate === true) console.warn(`[Arc] Resource '${config.name}' fieldRules.${field}: \`immutable: true\` already implies \`immutableAfterCreate: true\` — drop the second flag.`);
+		if (r.systemManaged === true && r.readonly === true) console.warn(`[Arc] Resource '${config.name}' fieldRules.${field}: \`systemManaged\` and \`readonly\` both strip writes — pick one (\`systemManaged\` is the canonical name).`);
+		if (r.hidden === true && r.aggregable === false) console.warn(`[Arc] Resource '${config.name}' fieldRules.${field}: \`hidden: true\` already blocks aggregation — \`aggregable: false\` is redundant.`);
+	}
+}
+/**
 * Actions (v2.8) — name must not collide with CRUD ops; handler +
 * permissions must have the right shapes. Fail at boot so production
 * never ships a misconfigured action endpoint.
@@ -1396,4 +1427,70 @@ function defineResourceVariants(base, variants) {
 	return out;
 }
 //#endregion
-export { createPermissionMiddleware as a, createCrudRouter as i, defineResource as n, defineAggregation as o, ResourceDefinition as r, defineResourceVariants as t };
+//#region src/core/entityHelpers.ts
+/**
+* Per-request entity helpers — read the resource binding (idField + the
+* URL `:id` value) off `req.arc`.
+*
+* Action handlers receive their `id` argument as the raw URL `:id` value.
+* When the resource declares a custom `idField` (`slug`, `reportId`, …)
+* that's NOT the document `_id`, a naive `Model.findById(id)` silently
+* returns null. The historical footgun was a `findById(id)` typo where
+* the handler author hadn't realised that `:id` resolves to the friendly
+* handle.
+*
+* `getEntityQuery(req)` produces the canonical filter shape so handlers
+* compose lookups with no resource-config recall:
+*
+* ```ts
+* actions: {
+*   archive: {
+*     handler: async (id, data, req) => {
+*       const doc = await Model.findOne(getEntityQuery(req));
+*       if (!doc) throw new NotFoundError("Order");
+*       // ...
+*     },
+*   },
+* }
+* ```
+*
+* The router populates `req.arc.idField` and `req.arc.entityId` before
+* invoking the handler — these helpers are zero-cost reads.
+*/
+/**
+* Read the resource's configured `idField` for the current request.
+* Falls back to the framework default (`_id`) when the route hasn't
+* bound an idField — keeps handlers safe to author without checking
+* the resource config.
+*/
+function getEntityIdField(req) {
+	return req.arc?.idField ?? "_id";
+}
+/**
+* Read the URL `:id` path param value as the resource handle.
+* Returns `undefined` when the route has no `:id` segment (collection
+* routes) — handlers that need the entity must be on row routes.
+*/
+function getEntityId(req) {
+	if (req.arc?.entityId !== void 0) return req.arc.entityId;
+	return req.params?.id;
+}
+/**
+* Compose a `findOne` filter that resolves the current request's
+* entity, regardless of whether the resource binds `_id` or a custom
+* field. Idiomatic shape for arc action handlers.
+*
+* ```ts
+* const doc = await Model.findOne(getEntityQuery(req));
+* ```
+*
+* Returns `{}` when the route has no entity context (collection routes
+* or tests bypassing the router) — caller decides what that means.
+*/
+function getEntityQuery(req) {
+	const id = getEntityId(req);
+	if (id === void 0) return {};
+	return { [getEntityIdField(req)]: id };
+}
+//#endregion
+export { defineResource as a, createPermissionMiddleware as c, defineResourceVariants as i, defineAggregation as l, getEntityIdField as n, ResourceDefinition as o, getEntityQuery as r, createCrudRouter as s, getEntityId as t };

package/dist/{createActionRouter-CBxLLbn3.mjs → createActionRouter-S3MLVYot.mjs}

@@ -1,4 +1,5 @@
 import { t as __exportAll } from "./chunk-BpYLSNr0.mjs";
+import "./constants-Cxde4rpC.mjs";
 import { f as createError } from "./errors-j4aJm1Wg.mjs";
 import { a as buildAuthMiddlewareForPermissions, c as buildPreHandlerChain, f as resolveRouterPluginMw, l as buildRateLimitConfig, n as buildActionPipelineHandler, p as selectPluginMw, r as buildArcDecorator, t as buildActionPermissionMw, u as resolvePipelineSteps, y as sendControllerResponse } from "./routerShared-DrOa-26E.mjs";
 import { n as schemaIRToJsonSchemaBranch, t as normalizeSchemaIR } from "./schemaIR-lYhC2gE5.mjs";
@@ -16,7 +17,7 @@ var createActionRouter_exports = /* @__PURE__ */ __exportAll({
 * (keyed by `body.action` at request time).
 */
 function createActionRouter(fastify, config) {
-	const { tag, resourceName = tag ?? "action", actions, actionPermissions = {}, actionSchemas = {}, globalAuth, onError, fields: fieldPermissions, schemaOptions, permissions: resourcePermissions, routeGuards = [], pipeline, rateLimit } = config;
+	const { tag, resourceName = tag ?? "action", actions, actionPermissions = {}, actionSchemas = {}, globalAuth, onError, fields: fieldPermissions, schemaOptions, idField = "_id", permissions: resourcePermissions, routeGuards = [], pipeline, rateLimit } = config;
 	const actionEnum = Object.keys(actions);
 	if (actionEnum.length === 0) {
 		fastify.log.warn("[createActionRouter] No actions defined, skipping route creation");
@@ -43,7 +44,8 @@ function createActionRouter(fastify, config) {
 		permissions: resourcePermissions,
 		hooks: fastify.arc?.hooks,
 		events: fastify.events,
-		fields: fieldPermissions
+		fields: fieldPermissions,
+		idField
 	});
 	const authMw = buildAuthMiddlewareForPermissions(fastify, actionEnum.map((name) => actionPermissions[name] ?? globalAuth));
 	const pluginMw = resolveRouterPluginMw(fastify, false);
@@ -69,6 +71,11 @@ function createActionRouter(fastify, config) {
 		handler: async (req, reply) => {
 			const { action, ...data } = req.body;
 			const { id } = req.params;
+			const reqWithExtras = req;
+			reqWithExtras.arc = {
+				...reqWithExtras.arc ?? {},
+				entityId: id
+			};
 			const handler = wrappedHandlers.get(action);
 			if (!handler) throw createError(400, `Invalid action '${action}'. Valid actions: ${actionEnum.join(", ")}`, { validActions: actionEnum });
 			try {

package/dist/{createAggregationRouter-CRIBv4sC.mjs → createAggregationRouter-Bk-58SbZ.mjs}

@@ -1,6 +1,6 @@
 import { f as createError, l as UnauthorizedError, r as ForbiddenError } from "./errors-j4aJm1Wg.mjs";
 import { c as buildPreHandlerChain, f as resolveRouterPluginMw, i as buildAuthMiddleware, l as buildRateLimitConfig, p as selectPluginMw, r as buildArcDecorator } from "./routerShared-DrOa-26E.mjs";
-import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-olo-gt94.mjs";
+import { r as validateAggregations, t as buildAggregationHandler } from "./buildHandler-BamHHpH8.mjs";
 //#region src/core/aggregation/createAggregationRouter.ts
 /**
 * Register one Fastify route per aggregation. No-op when the map is

package/dist/{createApp-XX2-N0Yd.mjs → createApp-BarYhXCZ.mjs}

@@ -393,9 +393,10 @@ async function registerOne(parent, resource) {
 	try {
 		await parent.register(resource.toPlugin());
 	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		parent.log.error(`Failed to register resource "${name}": ${msg}`);
-		throw new Error(`Resource "${name}" failed to register: ${msg}. Check the resource definition, adapter, and permissions.`, { cause: err });
+		const rawMsg = err instanceof Error ? err.message : String(err);
+		const stripped = rawMsg.replace(new RegExp(`^Resource "${name}"\\s*`), "").replace(/\.+\s*$/, "");
+		parent.log.error(`Failed to register resource "${name}": ${rawMsg}`);
+		throw new Error(`Resource "${name}" failed to register — ${stripped}.`, { cause: err });
 	}
 }
 /**

package/dist/docs/index.d.mts

@@ -1,4 +1,4 @@
-import { p as RegistryEntry } from "../index-BtW7qYwa.mjs";
+import { p as RegistryEntry } from "../index-Dwc0orNd.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { FastifyPluginAsync } from "fastify";
 

package/dist/docs/index.mjs

@@ -1,5 +1,5 @@
 import { t as getUserRoles } from "../types-D57iXYb8.mjs";
-import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-noXno2CV.mjs";
+import { n as openApiPlugin, r as openapi_default, t as buildOpenApiSpec } from "../openapi-BHXhoX8O.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/scalar.ts
 const scalarPlugin = async (fastify, opts = {}) => {

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-BvqwCCSx.mjs";
+import { a as CustomPluginAuthOption, c as RawBodyOptions, d as ResourceLike, f as ResourceModule, i as CustomAuthenticatorOption, l as UnderPressureOptions, n as BetterAuthOption, o as JwtAuthOption, p as loadResources, r as CreateAppOptions, s as MultipartOptions, t as AuthOption, u as LoadResourcesOptions } from "../types-NGtx3uxV.mjs";
 import { FastifyInstance } from "fastify";
 
 //#region src/factory/createApp.d.ts

package/dist/factory/index.mjs

@@ -1,4 +1,4 @@
-import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-XX2-N0Yd.mjs";
+import { a as edgePreset, c as testingPreset, i as developmentPreset, n as createApp, o as getPreset, s as productionPreset, t as ArcFactory } from "../createApp-BarYhXCZ.mjs";
 import { t as loadResources } from "../loadResources-DBMQg_Aj.mjs";
 //#region src/factory/edge.ts
 /**

package/dist/hooks/index.d.mts

@@ -1,2 +1,2 @@
-import { An as afterUpdate, Cn as HookOperation, Dn as HookSystemOptions, En as HookSystem, Fn as defineHook, Mn as beforeDelete, Nn as beforeUpdate, On as afterCreate, Pn as createHookSystem, Sn as HookHandler, Tn as HookRegistration, bn as DefineHookOptions, jn as beforeCreate, kn as afterDelete, wn as HookPhase, xn as HookContext } from "../index-BtW7qYwa.mjs";
+import { An as afterUpdate, Cn as HookOperation, Dn as HookSystemOptions, En as HookSystem, Fn as defineHook, Mn as beforeDelete, Nn as beforeUpdate, On as afterCreate, Pn as createHookSystem, Sn as HookHandler, Tn as HookRegistration, bn as DefineHookOptions, jn as beforeCreate, kn as afterDelete, wn as HookPhase, xn as HookContext } from "../index-Dwc0orNd.mjs";
 export { type DefineHookOptions, type HookContext, type HookHandler, type HookOperation, type HookPhase, type HookRegistration, HookSystem, type HookSystemOptions, afterCreate, afterDelete, afterUpdate, beforeCreate, beforeDelete, beforeUpdate, createHookSystem, defineHook };

package/dist/{index-Dz5IKsrE.d.mts → index-Bt0F3nJj.d.mts}

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, S as QueryParserInterface, Wt as AnyRecord, Yt as UserLike, at as ResourceConfig, b as ParsedQuery } from "./index-BtW7qYwa.mjs";
+import { $ as OpenApiSchemas, S as QueryParserInterface, Wt as AnyRecord, Yt as UserLike, at as ResourceConfig, b as ParsedQuery } from "./index-Dwc0orNd.mjs";
 import { n as ErrorMapper } from "./errorHandler-DFr45ZG4.mjs";
 import { HttpError, errorContractSchema as errorContractSchema$1, errorDetailSchema as errorDetailSchema$1 } from "@classytic/repo-core/errors";
 import { FastifyInstance, FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";

package/dist/{index-Ds61mrJE.d.mts → index-D1-Kp_dP.d.mts}

@@ -1,4 +1,4 @@
-import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, gt as IController, q as CrudController, vt as IRequestContext } from "./index-BtW7qYwa.mjs";
+import { C as RequestContext, Ct as AggregationConfig, F as FastifyWithDecorators, K as ArcFieldRule, L as RequestWithExtras, T as CrudRouterOptions, V as ResourceDefinition, Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, ft as RouteSchemaOptions, gt as IController, q as CrudController, vt as IRequestContext } from "./index-Dwc0orNd.mjs";
 import { i as RequestScope } from "./types-CTYvcwHe.mjs";
 import { c as PermissionCheck } from "./fields-COhcH3fk.mjs";
 import { FastifyReply, FastifyRequest, RouteHandlerMethod } from "fastify";
@@ -159,6 +159,34 @@ type VariantsResult<TDoc, V extends VariantsMap<TDoc>> = { [K in keyof V]: Resou
  */
 declare function defineResourceVariants<TDoc extends AnyRecord = AnyRecord, V extends VariantsMap<TDoc> = VariantsMap<TDoc>>(base: Omit<ResourceConfig<TDoc>, "name" | "prefix">, variants: V): VariantsResult<TDoc, V>;
 //#endregion
+//#region src/core/entityHelpers.d.ts
+/**
+ * Read the resource's configured `idField` for the current request.
+ * Falls back to the framework default (`_id`) when the route hasn't
+ * bound an idField — keeps handlers safe to author without checking
+ * the resource config.
+ */
+declare function getEntityIdField(req: RequestWithExtras): string;
+/**
+ * Read the URL `:id` path param value as the resource handle.
+ * Returns `undefined` when the route has no `:id` segment (collection
+ * routes) — handlers that need the entity must be on row routes.
+ */
+declare function getEntityId(req: RequestWithExtras): string | undefined;
+/**
+ * Compose a `findOne` filter that resolves the current request's
+ * entity, regardless of whether the resource binds `_id` or a custom
+ * field. Idiomatic shape for arc action handlers.
+ *
+ * ```ts
+ * const doc = await Model.findOne(getEntityQuery(req));
+ * ```
+ *
+ * Returns `{}` when the route has no entity context (collection routes
+ * or tests bypassing the router) — caller decides what that means.
+ */
+declare function getEntityQuery(req: RequestWithExtras): Record<string, string>;
+//#endregion
 //#region src/core/fastifyAdapter.d.ts
 /**
  * Create IRequestContext from Fastify request
@@ -227,4 +255,22 @@ declare function createCrudHandlers<TDoc>(controller: IController<TDoc>): {
   delete: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
 };
 //#endregion
-export { MAX_FILTER_DEPTH as C, MutationOperation as D, MUTATION_OPERATIONS as E, RESERVED_QUERY_PARAMS as O, HookPhase as S, MAX_SEARCH_LENGTH as T, DEFAULT_TENANT_FIELD as _, getControllerScope as a, HOOK_PHASES as b, createCrudRouter as c, CRUD_OPERATIONS as d, CrudOperation as f, DEFAULT_SORT as g, DEFAULT_MAX_LIMIT as h, getControllerContext as i, SYSTEM_FIELDS as k, createPermissionMiddleware as l, DEFAULT_LIMIT as m, createFastifyHandler as n, sendControllerResponse as o, DEFAULT_ID_FIELD as p, createRequestContext as r, defineResourceVariants as s, createCrudHandlers as t, defineAggregation as u, DEFAULT_UPDATE_METHOD as v, MAX_REGEX_LENGTH as w, HookOperation as x, HOOK_OPERATIONS as y };
+//#region src/core/fieldRulePredicates.d.ts
+/**
+ * True when the field is allowed to appear in client-readable surfaces
+ * (response payloads, `select=` whitelists, `_distinct` queries).
+ *
+ * Mirror of every read-side gate. Don't reach for `rules.systemManaged`
+ * here — that's a write rule.
+ */
+declare function isFieldReadable(rule: ArcFieldRule | undefined): boolean;
+/**
+ * The set of field names blocked from read-side surfaces (used by
+ * `QueryResolver.sanitizeSelectAny` and `BaseCrudController._distinct`).
+ *
+ * Returns `null` (not an empty array) when there are no rules to apply,
+ * so call-sites can early-out without creating empty allocations.
+ */
+declare function collectReadBlockedFields(schemaOptions: RouteSchemaOptions | undefined): Set<string> | null;
+//#endregion
+export { MAX_SEARCH_LENGTH as A, DEFAULT_UPDATE_METHOD as C, HookPhase as D, HookOperation as E, MutationOperation as M, RESERVED_QUERY_PARAMS as N, MAX_FILTER_DEPTH as O, SYSTEM_FIELDS as P, DEFAULT_TENANT_FIELD as S, HOOK_PHASES as T, CrudOperation as _, createRequestContext as a, DEFAULT_MAX_LIMIT as b, sendControllerResponse as c, getEntityQuery as d, defineResourceVariants as f, CRUD_OPERATIONS as g, defineAggregation as h, createFastifyHandler as i, MUTATION_OPERATIONS as j, MAX_REGEX_LENGTH as k, getEntityId as l, createPermissionMiddleware as m, isFieldReadable as n, getControllerContext as o, createCrudRouter as p, createCrudHandlers as r, getControllerScope as s, collectReadBlockedFields as t, getEntityIdField as u, DEFAULT_ID_FIELD as v, HOOK_OPERATIONS as w, DEFAULT_SORT as x, DEFAULT_LIMIT as y };

package/dist/{index-BtW7qYwa.d.mts → index-Dwc0orNd.d.mts}

@@ -541,7 +541,12 @@ declare class QueryResolver {
    * Validates lookup structure to prevent injection.
    */
   private sanitizeLookups;
-  /** Get blocked fields from schema options */
+  /**
+   * Read-side allowlist gate for `select=` / `populate=`.
+   *
+   * Only `hidden: true` blocks. `systemManaged` is a *write* rule and
+   * doesn't gate visibility — see `core/fieldRulePredicates.ts`.
+   */
   private getBlockedFields;
 }
 //#endregion
@@ -817,10 +822,13 @@ declare class BaseCrudController<TDoc = AnyRecord, TRepository extends Repositor
     exists: boolean;
   }>>;
   /**
-   * True when `field` is safe to expose via `_distinct`. Mirrors the
-   * `select` allowlist — fields marked `hidden` or `systemManaged` in
-   * `schemaOptions.fieldRules` are NOT exposed (would leak password
-   * hashes, internal flags, etc).
+   * True when `field` is safe to expose via `_distinct`.
+   *
+   * Read-side gate only — only `hidden: true` blocks. `systemManaged`
+   * is a *write* rule (clients can't PATCH the value); the field is
+   * still in every list response, so blocking `_distinct` adds nothing
+   * but inconvenience. See `core/fieldRulePredicates.ts` for the
+   * canonical predicate shared with `QueryResolver`.
    */
   protected isFieldExposedForRead(field: string): boolean;
   /** Execute list query through hooks (extracted for cache revalidation) */
@@ -1947,6 +1955,32 @@ interface ArcFieldRule extends FieldRule {
    */
   preserveForElevated?: boolean;
   hidden?: boolean;
+  /**
+   * Aggregation visibility override. By default, only `hidden: true`
+   * blocks a field from `groupBy` / `measures.field` / `sort` / `dateBuckets`
+   * — that's the genuine cardinality-leak guard (the value is omitted from
+   * list/get responses, so exposing it via aggregation would reveal data
+   * the client can't otherwise see).
+   *
+   * `systemManaged: true` does **not** block aggregation — it's a write
+   * rule, not a visibility rule. Server-stamped fields like `createdAt`,
+   * `status`, or plugin-generated handles are visible in every list
+   * response and should aggregate freely.
+   *
+   * Use this flag to override the default:
+   *
+   * - `aggregable: false` — explicit deny, even on visible fields. Useful
+   *   when a value is exposed per-row but the cardinality across rows is
+   *   itself sensitive (e.g. `email` is visible in `get/:id` to admins
+   *   but you don't want a public-readable agg of email distributions).
+   * - `aggregable: true` — escape hatch on `hidden` fields. Lets you
+   *   aggregate a hidden column when you're sure cardinality leakage
+   *   isn't a concern (e.g. `internalScore` hidden from list, but a
+   *   committee-only `byScore` agg is fine).
+   *
+   * Defaults to `undefined` (use the `hidden`-only rule).
+   */
+  aggregable?: boolean;
   /** String minimum length — auto-maps to OpenAPI `minLength` and MCP tool schema */
   minLength?: number;
   /** String maximum length — auto-maps to OpenAPI `maxLength` and MCP tool schema */
@@ -2837,13 +2871,33 @@ interface FastifyRequestExtras {
 }
 interface RequestWithExtras extends FastifyRequest {
   /**
-   * Arc metadata — set by createCrudRouter. Contains resource configuration
-   * and schema options.
+   * Arc metadata — set by createCrudRouter / createActionRouter / etc.
+   * Contains resource configuration and runtime resolution of the URL
+   * `:id` path param into the resource's `idField`.
    */
   arc?: {
     resourceName?: string;
     schemaOptions?: RouteSchemaOptions;
     permissions?: ResourcePermissions;
+    /**
+     * The configured `idField` for this resource (e.g. `_id`, `slug`,
+     * `reportId`). Set by routers that bind a path `:id` segment so
+     * handlers can compose the right query without remembering the
+     * resource-config detail.
+     *
+     * Use `getEntityQuery(req)` for the canonical
+     * `{ [idField]: entityId }` filter shape — saves the action handler
+     * from a typo class where `Model.findById(id)` silently fails when
+     * `idField !== "_id"`.
+     */
+    idField?: string;
+    /**
+     * The current request's `:id` path-param value, surfaced verbatim.
+     * For most resources this equals `req.params.id`; we mirror it on
+     * `req.arc` so middleware that doesn't have a typed `params` shape
+     * can still read the entity handle.
+     */
+    entityId?: string;
   };
   context?: Record<string, unknown>;
   _policyFilters?: Record<string, unknown>;
@@ -2958,6 +3012,13 @@ interface CrudRouterOptions {
   rateLimit?: RateLimitConfig | false;
   /** PreHandler guards applied to every route (CRUD + custom + preset). */
   routeGuards?: RouteHandlerMethod[];
+  /**
+   * Resource's bound `idField` (`_id`, `slug`, `reportId`, …). Surfaces on
+   * `req.arc.idField` for every CRUD route so handlers + middleware can
+   * compose `findOne` filters via `getEntityQuery(req)` without
+   * re-reading resource config. Defaults to `_id`.
+   */
+  idField?: string;
 }
 //#endregion
 //#region src/types/query.d.ts

package/dist/index.d.mts

@@ -1,8 +1,8 @@
-import { $t as SoftDeleteMixin, A as RequestIdOptions, B as defineResource, C as RequestContext, Ct as AggregationConfig, D as HealthCheck, Dt as AggregationMaterializedResult, E as GracefulShutdownOptions, Et as AggregationMaterializedContext, F as FastifyWithDecorators, Gt as ApiResponse, J as CrudRouteKey, Kt as ArcRequest, L as RequestWithExtras, N as FastifyRequestExtras, O as HealthOptions, Ot as AggregationRateLimit, P as FastifyWithAuth, Q as MiddlewareConfig, Qt as SoftDeleteExt, S as QueryParserInterface, St as AggregationCacheConfig, T as CrudRouterOptions, Tt as AggregationIndexHint, V as ResourceDefinition, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Z as FieldRule, Zt as BaseController, _t as IControllerResponse, a as InferAdapterDoc, an as BulkMixin, at as ResourceConfig, bt as AggMeasureInput, c as TypedController, d as PaginationResult, dn as ArcDeleteResult, en as TreeExt, et as PresetFunction, f as IntrospectionData, fn as ArcGetResult, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, hn as ListResult, i as ValidationResult, in as BulkExt, k as IntrospectionPluginOptions, kt as AggregationsMap, l as TypedRepository, m as RegistryStats, mn as ArcUpdateResult, mt as ControllerLike, n as ConfigError, nn as SlugExt, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, p as RegistryEntry, pn as ArcListResult, q as CrudController, qt as JWTPayload, r as ValidateOptions, rn as SlugMixin, rt as RateLimitConfig, s as InferResourceDoc, sn as BaseCrudController, t as RouteHandlerMethod, tn as TreeMixin, u as TypedResourceConfig, un as ArcCreateResult, vt as IRequestContext, w as ServiceContext, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "./index-BtW7qYwa.mjs";
+import { $t as SoftDeleteMixin, A as RequestIdOptions, B as defineResource, C as RequestContext, Ct as AggregationConfig, D as HealthCheck, Dt as AggregationMaterializedResult, E as GracefulShutdownOptions, Et as AggregationMaterializedContext, F as FastifyWithDecorators, Gt as ApiResponse, J as CrudRouteKey, Kt as ArcRequest, L as RequestWithExtras, N as FastifyRequestExtras, O as HealthOptions, Ot as AggregationRateLimit, P as FastifyWithAuth, Q as MiddlewareConfig, Qt as SoftDeleteExt, S as QueryParserInterface, St as AggregationCacheConfig, T as CrudRouterOptions, Tt as AggregationIndexHint, V as ResourceDefinition, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Z as FieldRule, Zt as BaseController, _t as IControllerResponse, a as InferAdapterDoc, an as BulkMixin, at as ResourceConfig, bt as AggMeasureInput, c as TypedController, d as PaginationResult, dn as ArcDeleteResult, en as TreeExt, et as PresetFunction, f as IntrospectionData, fn as ArcGetResult, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, hn as ListResult, i as ValidationResult, in as BulkExt, k as IntrospectionPluginOptions, kt as AggregationsMap, l as TypedRepository, m as RegistryStats, mn as ArcUpdateResult, mt as ControllerLike, n as ConfigError, nn as SlugExt, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, p as RegistryEntry, pn as ArcListResult, q as CrudController, qt as JWTPayload, r as ValidateOptions, rn as SlugMixin, rt as RateLimitConfig, s as InferResourceDoc, sn as BaseCrudController, t as RouteHandlerMethod, tn as TreeMixin, u as TypedResourceConfig, un as ArcCreateResult, vt as IRequestContext, w as ServiceContext, wt as AggregationDateRangeRequirement, xt as AggMeasureShorthand, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "./index-Dwc0orNd.mjs";
 import { a as applyFieldWritePermissions, c as PermissionCheck, d as UserBase, i as applyFieldReadPermissions, l as PermissionContext, n as FieldPermissionMap, o as fields, t as FieldPermission, u as PermissionResult } from "./fields-COhcH3fk.mjs";
-import { C as MAX_FILTER_DEPTH, D as MutationOperation, E as MUTATION_OPERATIONS, O as RESERVED_QUERY_PARAMS, S as HookPhase, T as MAX_SEARCH_LENGTH, _ as DEFAULT_TENANT_FIELD, a as getControllerScope, b as HOOK_PHASES, d as CRUD_OPERATIONS, f as CrudOperation, g as DEFAULT_SORT, h as DEFAULT_MAX_LIMIT, k as SYSTEM_FIELDS, m as DEFAULT_LIMIT, p as DEFAULT_ID_FIELD, s as defineResourceVariants, u as defineAggregation, v as DEFAULT_UPDATE_METHOD, w as MAX_REGEX_LENGTH, x as HookOperation, y as HOOK_OPERATIONS } from "./index-Ds61mrJE.mjs";
+import { A as MAX_SEARCH_LENGTH, C as DEFAULT_UPDATE_METHOD, D as HookPhase, E as HookOperation, M as MutationOperation, N as RESERVED_QUERY_PARAMS, O as MAX_FILTER_DEPTH, P as SYSTEM_FIELDS, S as DEFAULT_TENANT_FIELD, T as HOOK_PHASES, _ as CrudOperation, b as DEFAULT_MAX_LIMIT, f as defineResourceVariants, g as CRUD_OPERATIONS, h as defineAggregation, j as MUTATION_OPERATIONS, k as MAX_REGEX_LENGTH, s as getControllerScope, v as DEFAULT_ID_FIELD, w as HOOK_OPERATIONS, x as DEFAULT_SORT, y as DEFAULT_LIMIT } from "./index-D1-Kp_dP.mjs";
 import { A as requireRoles, C as allOf, E as denyAll, M as when, O as requireAuth, S as createOrgPermissions, T as anyOf, a as presets_d_exports, c as readOnly, d as requireOrgRole, f as requireScopeContext, i as ownerWithAdminBypass, k as requireOwnership, l as requireOrgInScope, m as requireTeamMembership, n as authenticated, o as publicRead, p as requireServiceScope, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as requireOrgMembership, v as DynamicPermissionMatrix, w as allowPublic, x as createDynamicPermissionMatrix, y as DynamicPermissionMatrixConfig } from "./index-BTqLEvhu.mjs";
-import { ct as NotFoundError, ht as createDomainError, it as ArcError, mt as ValidationError, pt as UnauthorizedError, st as ForbiddenError, t as getUserId } from "./index-Dz5IKsrE.mjs";
+import { ct as NotFoundError, ht as createDomainError, it as ArcError, mt as ValidationError, pt as UnauthorizedError, st as ForbiddenError, t as getUserId } from "./index-Bt0F3nJj.mjs";
 
 //#region src/index.d.ts
 declare const version: string;

package/dist/index.mjs

@@ -1,11 +1,11 @@
 import { a as DEFAULT_SORT, c as HOOK_OPERATIONS, d as MAX_REGEX_LENGTH, f as MAX_SEARCH_LENGTH, h as SYSTEM_FIELDS, i as DEFAULT_MAX_LIMIT, l as HOOK_PHASES, m as RESERVED_QUERY_PARAMS, n as DEFAULT_ID_FIELD, o as DEFAULT_TENANT_FIELD, p as MUTATION_OPERATIONS, r as DEFAULT_LIMIT, s as DEFAULT_UPDATE_METHOD, t as CRUD_OPERATIONS, u as MAX_FILTER_DEPTH } from "./constants-Cxde4rpC.mjs";
 import { d as createDomainError, i as NotFoundError, l as UnauthorizedError, r as ForbiddenError, t as ArcError, u as ValidationError } from "./errors-j4aJm1Wg.mjs";
 import { t as getUserId } from "./utils-_h9B3c57.mjs";
-import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-DX_T-bDB.mjs";
+import { a as BulkMixin, i as SlugMixin, n as TreeMixin, o as BaseCrudController, r as SoftDeleteMixin, t as BaseController } from "./BaseController-Dv60tU83.mjs";
 import { C as allowPublic, D as requireAuth, O as requireOwnership, S as allOf, T as denyAll, _ as requireOrgMembership, a as presets_exports, b as requireServiceScope, c as readOnly, d as applyFieldWritePermissions, f as fields, g as requireOrgInScope, h as createOrgPermissions, i as ownerWithAdminBypass, j as when, k as requireRoles, m as createDynamicPermissionMatrix, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly, u as applyFieldReadPermissions, v as requireOrgRole, w as anyOf, x as requireTeamMembership, y as requireScopeContext } from "./permissions-ohQyv50e.mjs";
 import { v as getControllerScope } from "./routerShared-DrOa-26E.mjs";
-import { n as defineResource, o as defineAggregation, r as ResourceDefinition, t as defineResourceVariants } from "./core-DECn6zaU.mjs";
+import { a as defineResource, i as defineResourceVariants, l as defineAggregation, o as ResourceDefinition } from "./core-DEdN6zKD.mjs";
 //#region src/index.ts
-const version = "2.14.0";
+const version = "2.14.1";
 //#endregion
 export { ArcError, BaseController, BaseCrudController, BulkMixin, CRUD_OPERATIONS, DEFAULT_ID_FIELD, DEFAULT_LIMIT, DEFAULT_MAX_LIMIT, DEFAULT_SORT, DEFAULT_TENANT_FIELD, DEFAULT_UPDATE_METHOD, ForbiddenError, HOOK_OPERATIONS, HOOK_PHASES, MAX_FILTER_DEPTH, MAX_REGEX_LENGTH, MAX_SEARCH_LENGTH, MUTATION_OPERATIONS, NotFoundError, RESERVED_QUERY_PARAMS, ResourceDefinition, SYSTEM_FIELDS, SlugMixin, SoftDeleteMixin, TreeMixin, UnauthorizedError, ValidationError, adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDomainError, createDynamicPermissionMatrix, createOrgPermissions, defineAggregation, defineResource, defineResourceVariants, denyAll, fields, fullPublic, getControllerScope, getUserId, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgInScope, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireScopeContext, requireServiceScope, requireTeamMembership, version, when };

package/dist/integrations/index.d.mts

@@ -1,7 +1,7 @@
 import { a as WebSocketMessage, i as WebSocketClient, o as WebSocketPluginOptions } from "../websocket-ChC2rqe1.mjs";
 import { EventGatewayOptions } from "./event-gateway.mjs";
 import { JobDefinition, JobDispatchOptions, JobDispatcher, JobMeta, JobsPluginOptions, QueueStats } from "./jobs.mjs";
-import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-DQHFc8PM.mjs";
+import { c as McpResourceConfig, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler } from "../types-C6ONJ_Z2.mjs";
 import { StreamlinePluginOptions, WorkflowLike, WorkflowRunLike } from "./streamline.mjs";
 import { WebhookDeliveryRecord, WebhookManager, WebhookPluginOptions, WebhookStore, WebhookSubscription } from "./webhooks.mjs";
 export { type BetterAuthHandler, type CallToolResult, type CreateMcpServerConfig, type CrudOperation, type EventGatewayOptions, type JobDefinition, type JobDispatchOptions, type JobDispatcher, type JobMeta, type JobsPluginOptions, type McpAuthResult, type McpPluginOptions, type McpResourceConfig, type PromptDefinition, type QueueStats, type StreamlinePluginOptions, type ToolAnnotations, type ToolContext, type ToolDefinition, type WebSocketClient, type WebSocketMessage, type WebSocketPluginOptions, type WebhookDeliveryRecord, type WebhookManager, type WebhookPluginOptions, type WebhookStore, type WebhookSubscription, type WorkflowLike, type WorkflowRunLike };

package/dist/integrations/mcp/index.d.mts

@@ -1,5 +1,5 @@
-import { V as ResourceDefinition } from "../../index-BtW7qYwa.mjs";
-import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-DQHFc8PM.mjs";
+import { V as ResourceDefinition } from "../../index-Dwc0orNd.mjs";
+import { a as McpAuthResolver, c as McpResourceConfig, d as SessionEntry, f as ToolAnnotations, i as CrudOperation, l as PromptDefinition, m as ToolDefinition, n as CallToolResult, o as McpAuthResult, p as ToolContext, r as CreateMcpServerConfig, s as McpPluginOptions, t as BetterAuthHandler, u as PromptResult } from "../../types-C6ONJ_Z2.mjs";
 import { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 

package/dist/integrations/mcp/index.mjs

@@ -1,4 +1,4 @@
-import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-DLL32us3.mjs";
+import { n as fieldRulesToZod, r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CZ-ZhS7v.mjs";
 import { createHash, randomUUID } from "node:crypto";
 import fp from "fastify-plugin";
 //#region src/integrations/mcp/defineTool.ts

package/dist/integrations/mcp/testing.d.mts

@@ -1,4 +1,4 @@
-import { o as McpAuthResult, s as McpPluginOptions } from "../../types-DQHFc8PM.mjs";
+import { o as McpAuthResult, s as McpPluginOptions } from "../../types-C6ONJ_Z2.mjs";
 
 //#region src/integrations/mcp/testing.d.ts
 interface TestMcpClientOptions {

package/dist/integrations/mcp/testing.mjs

@@ -1,4 +1,4 @@
-import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-DLL32us3.mjs";
+import { r as createMcpServer, t as resourceToTools } from "../../resourceToTools-CZ-ZhS7v.mjs";
 //#region src/integrations/mcp/testing.ts
 /**
 * @classytic/arc/mcp/testing — MCP Test Utilities

package/dist/middleware/index.d.mts

@@ -1,4 +1,4 @@
-import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-BtW7qYwa.mjs";
+import { I as MiddlewareHandler, L as RequestWithExtras, Q as MiddlewareConfig } from "../index-Dwc0orNd.mjs";
 import { RouteHandlerMethod } from "fastify";
 
 //#region src/middleware/middleware.d.ts

package/dist/{openapi-noXno2CV.mjs → openapi-BHXhoX8O.mjs}

@@ -1,7 +1,7 @@
 import { t as getUserRoles } from "./types-D57iXYb8.mjs";
 import { n as convertRouteSchema } from "./schemaConverter-De34B1ZG.mjs";
 import { t as resolveActionPermission } from "./actionPermissions-CyUkQu6O.mjs";
-import { t as buildActionBodySchema } from "./createActionRouter-CBxLLbn3.mjs";
+import { t as buildActionBodySchema } from "./createActionRouter-S3MLVYot.mjs";
 import fp from "fastify-plugin";
 //#region src/docs/openapi/canonical-schemas.ts
 /**

package/dist/org/index.d.mts

@@ -1,4 +1,4 @@
-import { yt as RouteHandler } from "../index-BtW7qYwa.mjs";
+import { yt as RouteHandler } from "../index-Dwc0orNd.mjs";
 import { d as UserBase } from "../fields-COhcH3fk.mjs";
 import { InvitationAdapter, InvitationDoc, MemberDoc, OrgAdapter, OrgDoc, OrgPermissionStatement, OrgRole, OrganizationPluginOptions } from "./types.mjs";
 import { FastifyPluginAsync, RouteHandlerMethod } from "fastify";

package/dist/pipeline/index.d.mts

@@ -1,4 +1,4 @@
-import { At as Guard, Ft as PipelineContext, It as PipelineStep, Lt as Transform, Mt as NextFunction, Nt as OperationFilter, Pt as PipelineConfig, _t as IControllerResponse, jt as Interceptor } from "../index-BtW7qYwa.mjs";
+import { At as Guard, Ft as PipelineContext, It as PipelineStep, Lt as Transform, Mt as NextFunction, Nt as OperationFilter, Pt as PipelineConfig, _t as IControllerResponse, jt as Interceptor } from "../index-Dwc0orNd.mjs";
 
 //#region src/pipeline/guard.d.ts
 interface GuardOptions {

package/dist/plugins/index.d.mts

@@ -1,4 +1,4 @@
-import { En as HookSystem, Q as MiddlewareConfig, Wt as AnyRecord, ft as RouteSchemaOptions, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-BtW7qYwa.mjs";
+import { En as HookSystem, Q as MiddlewareConfig, Wt as AnyRecord, ft as RouteSchemaOptions, lt as RouteDefinition, tt as PresetHook, z as ResourceRegistry } from "../index-Dwc0orNd.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as MetricsCollector, c as metricsPlugin, d as ssePlugin, f as CachingOptions, h as cachingPlugin, i as MetricEntry, l as SSEOptions, m as _default$1, n as _default$7, o as MetricsOptions, p as CachingRule, r as versioningPlugin, s as _default$4, t as VersioningOptions, u as _default$6 } from "../versioning-DTTvc80y.mjs";
 import { i as errorHandlerPlugin, n as ErrorMapper, r as defaultIsDuplicateKeyError, t as ErrorHandlerOptions } from "../errorHandler-DFr45ZG4.mjs";

package/dist/plugins/tracing-entry.mjs

@@ -58,7 +58,7 @@ try {
 function createTracerProvider(options) {
 	if (!isAvailable || !NodeTracerProvider || !BatchSpanProcessor || !OTLPTraceExporter) return null;
 	const { serviceName = "@classytic/arc", serviceVersion, exporterUrl = "http://localhost:4318/v1/traces" } = options;
-	const resolvedVersion = serviceVersion ?? "2.14.0";
+	const resolvedVersion = serviceVersion ?? "2.14.1";
 	const exporter = new OTLPTraceExporter({ url: exporterUrl });
 	const provider = new NodeTracerProvider({ resource: { attributes: {
 		"service.name": serviceName,

package/dist/presets/filesUpload.d.mts

@@ -1,4 +1,4 @@
-import { nt as PresetResult } from "../index-BtW7qYwa.mjs";
+import { nt as PresetResult } from "../index-Dwc0orNd.mjs";
 import { i as RequestScope } from "../types-CTYvcwHe.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { a as StorageReadResult, i as StorageReadRange, n as StorageContext, o as StorageUploadInput, r as StorageFile, t as Storage } from "../storage-Dfzt4VTl.mjs";

package/dist/presets/index.d.mts

@@ -1,4 +1,4 @@
-import { Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-BtW7qYwa.mjs";
+import { Wt as AnyRecord, _t as IControllerResponse, at as ResourceConfig, d as PaginationResult, nt as PresetResult, vt as IRequestContext } from "../index-Dwc0orNd.mjs";
 import { FilesUploadPresetOptions, FilesUploadPresetPermissions, FilesUploadPresetRoutes, filesUploadPreset } from "./filesUpload.mjs";
 import { MultiTenantOptions, TenantFieldSpec, multiTenantPreset } from "./multiTenant.mjs";
 import { SearchHandler, SearchPresetOptions, SearchRouteConfig, searchPreset } from "./search.mjs";

package/dist/presets/multiTenant.d.mts

@@ -1,4 +1,4 @@
-import { J as CrudRouteKey, nt as PresetResult } from "../index-BtW7qYwa.mjs";
+import { J as CrudRouteKey, nt as PresetResult } from "../index-Dwc0orNd.mjs";
 
 //#region src/presets/multiTenant.d.ts
 /**

package/dist/presets/search.d.mts

@@ -1,4 +1,4 @@
-import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-BtW7qYwa.mjs";
+import { lt as RouteDefinition, nt as PresetResult, pt as ControllerHandler, ut as RouteMcpConfig } from "../index-Dwc0orNd.mjs";
 import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 
 //#region src/presets/search.d.ts

package/dist/registry/index.d.mts

@@ -1,4 +1,4 @@
-import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-BtW7qYwa.mjs";
+import { R as RegisterOptions, k as IntrospectionPluginOptions, z as ResourceRegistry } from "../index-Dwc0orNd.mjs";
 import { FastifyPluginAsync } from "fastify";
 
 //#region src/registry/introspectionPlugin.d.ts

package/dist/{resourceToTools-DLL32us3.mjs → resourceToTools-CZ-ZhS7v.mjs}

@@ -1,9 +1,9 @@
 import { p as isArcError } from "./errors-j4aJm1Wg.mjs";
-import { t as BaseController } from "./BaseController-DX_T-bDB.mjs";
+import { t as BaseController } from "./BaseController-Dv60tU83.mjs";
 import { L as normalizePermissionResult } from "./permissions-ohQyv50e.mjs";
 import { t as executePipeline } from "./pipe-Zr0KXjQe.mjs";
 import { u as resolvePipelineSteps } from "./routerShared-DrOa-26E.mjs";
-import { n as executeAggregation, r as validateAggregations } from "./buildHandler-olo-gt94.mjs";
+import { n as executeAggregation, r as validateAggregations } from "./buildHandler-BamHHpH8.mjs";
 import { t as resolveActionPermission } from "./actionPermissions-CyUkQu6O.mjs";
 import { i as shouldRejectAdditionalProperties, r as schemaIRToZodShape, t as normalizeSchemaIR } from "./schemaIR-lYhC2gE5.mjs";
 import { t as pluralize } from "./pluralize-DQgqgifU.mjs";

package/dist/testing/index.d.mts

@@ -1,5 +1,5 @@
-import { V as ResourceDefinition, Wt as AnyRecord } from "../index-BtW7qYwa.mjs";
-import { d as ResourceLike, r as CreateAppOptions } from "../types-BvqwCCSx.mjs";
+import { V as ResourceDefinition, Wt as AnyRecord } from "../index-Dwc0orNd.mjs";
+import { d as ResourceLike, r as CreateAppOptions } from "../types-NGtx3uxV.mjs";
 import { StorageContractSetup, StorageContractSetupResult, runStorageContract } from "./storageContract.mjs";
 import { FastifyInstance, FastifyServerOptions } from "fastify";
 import { Mock } from "vitest";

package/dist/testing/index.mjs

@@ -1073,7 +1073,7 @@ function pickDefaultAuth(authMode, callerAuth) {
 	};
 }
 async function createTestApp(options = {}) {
-	const { createApp } = await import("../createApp-XX2-N0Yd.mjs").then((n) => n.r);
+	const { createApp } = await import("../createApp-BarYhXCZ.mjs").then((n) => n.r);
 	const { resources = [], db = "in-memory", connectMongoose = false, authMode = "jwt", defaultOrgId, plugins, auth: callerAuth, ...appOptions } = options;
 	let dbHandle;
 	let dbUri;

package/dist/types/index.d.mts

@@ -1,4 +1,4 @@
-import { $ as OpenApiSchemas, A as RequestIdOptions, Bt as Authenticator, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, G as ActionsMap, Gt as ApiResponse, H as ActionDefinition, Ht as JwtContext, I as MiddlewareHandler, J as CrudRouteKey, Jt as ObjectId, K as ArcFieldRule, Kt as ArcRequest, L as RequestWithExtras, M as EventsDecorator, N as FastifyRequestExtras, O as HealthOptions, P as FastifyWithAuth, Q as MiddlewareConfig, Rt as AuthHelpers, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, Ut as TokenPair, Vt as AuthenticatorContext, W as ActionHandlerFn, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Yt as UserLike, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, k as IntrospectionPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, qt as JWTPayload, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "../index-BtW7qYwa.mjs";
+import { $ as OpenApiSchemas, A as RequestIdOptions, Bt as Authenticator, C as RequestContext, D as HealthCheck, E as GracefulShutdownOptions, F as FastifyWithDecorators, G as ActionsMap, Gt as ApiResponse, H as ActionDefinition, Ht as JwtContext, I as MiddlewareHandler, J as CrudRouteKey, Jt as ObjectId, K as ArcFieldRule, Kt as ArcRequest, L as RequestWithExtras, M as EventsDecorator, N as FastifyRequestExtras, O as HealthOptions, P as FastifyWithAuth, Q as MiddlewareConfig, Rt as AuthHelpers, S as QueryParserInterface, T as CrudRouterOptions, U as ActionEntry, Ut as TokenPair, Vt as AuthenticatorContext, W as ActionHandlerFn, Wt as AnyRecord, X as EventDefinition, Xt as UserOrganization, Y as CrudSchemas, Yt as UserLike, Z as FieldRule, _ as ControllerQueryOptions, _t as IControllerResponse, a as InferAdapterDoc, at as ResourceConfig, b as ParsedQuery, c as TypedController, ct as ResourcePermissions, d as PaginationResult, dt as RouteMethod, et as PresetFunction, f as IntrospectionData, ft as RouteSchemaOptions, g as ArcInternalMetadata, gt as IController, h as ResourceMetadata, ht as FastifyHandler, i as ValidationResult, it as ResourceCacheConfig, j as ArcDecorator, k as IntrospectionPluginOptions, l as TypedRepository, lt as RouteDefinition, m as RegistryStats, mt as ControllerLike, n as ConfigError, nt as PresetResult, o as InferDocType, on as BaseControllerOptions, ot as ResourceHookContext, p as RegistryEntry, pt as ControllerHandler, q as CrudController, qt as JWTPayload, r as ValidateOptions, rt as RateLimitConfig, s as InferResourceDoc, st as ResourceHooks, t as RouteHandlerMethod, tt as PresetHook, u as TypedResourceConfig, ut as RouteMcpConfig, v as LookupOption, vt as IRequestContext, w as ServiceContext, x as PopulateOption, y as OwnershipCheck, yt as RouteHandler, zt as AuthPluginOptions } from "../index-Dwc0orNd.mjs";
 import { i as RequestScope } from "../types-CTYvcwHe.mjs";
 import { c as PermissionCheck, d as UserBase, l as PermissionContext, u as PermissionResult } from "../fields-COhcH3fk.mjs";
 import { n as ElevationOptions, t as ElevationEvent } from "../elevation-BXOWoGCF.mjs";

package/dist/{types-DQHFc8PM.d.mts → types-C6ONJ_Z2.d.mts}

@@ -1,4 +1,4 @@
-import { V as ResourceDefinition } from "./index-BtW7qYwa.mjs";
+import { V as ResourceDefinition } from "./index-Dwc0orNd.mjs";
 import { z } from "zod";
 
 //#region src/integrations/mcp/types.d.ts

package/dist/{types-BvqwCCSx.d.mts → types-NGtx3uxV.d.mts}

@@ -1,5 +1,5 @@
 import { r as CacheStore } from "./interface-beEtJyWM.mjs";
-import { Bt as Authenticator } from "./index-BtW7qYwa.mjs";
+import { Bt as Authenticator } from "./index-Dwc0orNd.mjs";
 import { n as ElevationOptions } from "./elevation-BXOWoGCF.mjs";
 import { a as EventTransport } from "./EventTransport-CT_52aWU.mjs";
 import { t as ExternalOpenApiPaths } from "./externalPaths-BD5nw6St.mjs";

package/dist/utils/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as ValidateOptions, A as ArcQueryParserOptions, B as CompensationResult, C as keysetListResponse, D as queryParams, E as paginationSchema, F as defineGuard, G as CircuitBreakerError, H as defineCompensation, I as defineErrorMapper, J as CircuitBreakerStats, K as CircuitBreakerOptions, L as CompensationDefinition, M as handleRaw, N as Guard, O as responses, P as GuardConfig, Q as ConfigError, R as CompensationError, S as getListQueryParams, T as offsetListResponse, U as withCompensation, V as CompensationStep, W as CircuitBreaker, X as createCircuitBreaker, Y as CircuitState, Z as createCircuitBreakerRegistry, _ as bareListResponse, _t as isArcError, a as TransitionConfig, at as ConflictError, b as errorDetailSchema, c as JsonSchemaTarget, ct as NotFoundError, d as isJsonSchema, dt as RateLimitError, et as ValidationResult, f as isZodSchema, ft as ServiceUnavailableError, g as aggregateListResponse, gt as createError, h as JsonSchema, ht as createDomainError, i as StateMachine, it as ArcError, j as createQueryParser, k as ArcQueryParser, l as convertOpenApiSchemas, lt as OrgAccessDeniedError, m as scheduleBackground, mt as ValidationError, n as EventsDecorator, nt as formatValidationErrors, o as createStateMachine, ot as ErrorOptions, p as toJsonSchema, pt as UnauthorizedError, q as CircuitBreakerRegistry, r as hasEvents, rt as validateResourceConfig, s as simpleEqualityMatcher, st as ForbiddenError, t as getUserId, tt as assertValidConfig, u as convertRouteSchema, ut as OrgRequiredError, v as deleteResponse, w as listResponse, x as getDefaultCrudSchemas, y as errorContractSchema, z as CompensationHooks } from "../index-Dz5IKsrE.mjs";
+import { $ as ValidateOptions, A as ArcQueryParserOptions, B as CompensationResult, C as keysetListResponse, D as queryParams, E as paginationSchema, F as defineGuard, G as CircuitBreakerError, H as defineCompensation, I as defineErrorMapper, J as CircuitBreakerStats, K as CircuitBreakerOptions, L as CompensationDefinition, M as handleRaw, N as Guard, O as responses, P as GuardConfig, Q as ConfigError, R as CompensationError, S as getListQueryParams, T as offsetListResponse, U as withCompensation, V as CompensationStep, W as CircuitBreaker, X as createCircuitBreaker, Y as CircuitState, Z as createCircuitBreakerRegistry, _ as bareListResponse, _t as isArcError, a as TransitionConfig, at as ConflictError, b as errorDetailSchema, c as JsonSchemaTarget, ct as NotFoundError, d as isJsonSchema, dt as RateLimitError, et as ValidationResult, f as isZodSchema, ft as ServiceUnavailableError, g as aggregateListResponse, gt as createError, h as JsonSchema, ht as createDomainError, i as StateMachine, it as ArcError, j as createQueryParser, k as ArcQueryParser, l as convertOpenApiSchemas, lt as OrgAccessDeniedError, m as scheduleBackground, mt as ValidationError, n as EventsDecorator, nt as formatValidationErrors, o as createStateMachine, ot as ErrorOptions, p as toJsonSchema, pt as UnauthorizedError, q as CircuitBreakerRegistry, r as hasEvents, rt as validateResourceConfig, s as simpleEqualityMatcher, st as ForbiddenError, t as getUserId, tt as assertValidConfig, u as convertRouteSchema, ut as OrgRequiredError, v as deleteResponse, w as listResponse, x as getDefaultCrudSchemas, y as errorContractSchema, z as CompensationHooks } from "../index-Bt0F3nJj.mjs";
 export { ArcError, ArcQueryParser, ArcQueryParserOptions, CircuitBreaker, CircuitBreakerError, CircuitBreakerOptions, CircuitBreakerRegistry, CircuitBreakerStats, CircuitState, CompensationDefinition, CompensationError, CompensationHooks, CompensationResult, CompensationStep, ConfigError, ConflictError, ErrorOptions, EventsDecorator, ForbiddenError, Guard, GuardConfig, JsonSchema, JsonSchemaTarget, NotFoundError, OrgAccessDeniedError, OrgRequiredError, RateLimitError, ServiceUnavailableError, StateMachine, TransitionConfig, UnauthorizedError, ValidateOptions, ValidationError, ValidationResult, aggregateListResponse, assertValidConfig, bareListResponse, convertOpenApiSchemas, convertRouteSchema, createCircuitBreaker, createCircuitBreakerRegistry, createDomainError, createError, createQueryParser, createStateMachine, defineCompensation, defineErrorMapper, defineGuard, deleteResponse, errorContractSchema, errorDetailSchema, formatValidationErrors, getDefaultCrudSchemas, getListQueryParams, getUserId, handleRaw, hasEvents, isArcError, isJsonSchema, isZodSchema, keysetListResponse, listResponse, offsetListResponse, paginationSchema, queryParams, responses, scheduleBackground, simpleEqualityMatcher, toJsonSchema, validateResourceConfig, withCompensation };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/arc",
-  "version": "2.14.0",
+  "version": "2.14.1",
   "description": "Resource-oriented backend framework for Fastify - clean, minimal, powerful, tree-shakable",
   "type": "module",
   "exports": {